I am building a simple test system that keeps track of Smoke Detector Batteries.
The database entity is simple: Smoke Detector location (in the house) and date of battery install.
In Istio, I have three services:
 Smoke-Detector-Service (provides a list of all smoke detectors - providing name and date of install, also has methods to CRUD detectors)
 Alert-Email-Service (every day it calls the Smoke-Detector-List service and sends an email alert for the detectors with a battery older than 11 months)
 Web-Interface (provides a webpage to access smoke detectors and create/update/delete records)
Istio Configuration (Gateway/VirtualService)
[A] Web-Interface and Smoke-Detector-Service are exposed publicly via Gateway/VirtualService
[B] Alert-Email-Service is not exposed publicly
The Web-Interface calls the Smoke-Detector-Service and it works beautifully until I try to secure the Smoke-Detector-Service.
I secure it by using an Authentication/Policy-Origins-JWT and it works so far.
The user has to login to the web-app, uses keycloak to get the auth-token, then calls the secured Smoke-Detector-Service with the token and works well.
The problem is that, when I enable the Authentication/Policy-Origins-JWT for the Smoke-Detector-Service then the internal Alert-Email-Service cannot access it.
How do I secure a service using Authentication/Policy-Origins-JWT but allow it to be called from inside the mesh (without using JWT inside the mesh)?
Basically I want a mesh where all internal services are trusted - no JWT needed, but services available internally and also exposed to the Internet (Public) are secured from outside via JWT.
Was I clear in what I am looking for?
Is Istio capable of this? How to configure it?
Any help is greatly appreciated…
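As an added example, not part of the original question: one way to express "JWT only at the edge, mesh identity inside" with the current Istio security API (RequestAuthentication plus AuthorizationPolicy instead of the older Policy/origins). It assumes the three services live in a namespace `smoke`, that Smoke-Detector-Service carries the label `app: smoke-detector-service`, that Alert-Email-Service runs under the service account `alert-email-service`, a default `istio-ingressgateway` install, and a placeholder Keycloak issuer URL.

```yaml
# Strict mTLS so every in-mesh caller presents a SPIFFE identity the sidecar can check.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: smoke            # assumption: namespace of the three services
spec:
  mtls:
    mode: STRICT
---
# Validate Keycloak JWTs on requests to Smoke-Detector-Service.
# A request with NO token is not rejected here; only a present-but-invalid token is.
# Whether a missing token is acceptable is decided by the AuthorizationPolicy below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: smoke-detector-jwt
  namespace: smoke
spec:
  selector:
    matchLabels:
      app: smoke-detector-service          # assumption: workload label
  jwtRules:
  - issuer: "https://keycloak.example.com/realms/smoke"                              # placeholder
    jwksUri: "https://keycloak.example.com/realms/smoke/protocol/openid-connect/certs" # placeholder
---
# ALLOW either (a) a trusted in-mesh identity, or (b) traffic coming through the
# ingress gateway that carries a valid JWT (requestPrincipals is only set after the
# RequestAuthentication above accepted a token). Anything else is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: smoke-detector-access
  namespace: smoke
spec:
  selector:
    matchLabels:
      app: smoke-detector-service
  action: ALLOW
  rules:
  - from:                                  # (a) internal caller, no JWT needed
    - source:
        principals:
        - "cluster.local/ns/smoke/sa/alert-email-service"   # assumption: SA name
  - from:                                  # (b) public path: gateway identity AND a JWT
    - source:
        principals:
        - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        requestPrincipals: ["*"]
```

Rule (a) trusts the workload identity rather than the network, so a plaintext or non-mesh caller has no principal and is denied; any other internal caller that should bypass the JWT (for example a server-side Web-Interface backend) is added to that principals list explicitly rather than by opening the policy to the whole namespace.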