I am building a simple test system that keeps track of Smoke Detector Batteries.
The database entity is simple: Smoke Detector location (in the house) and date of battery install.
In Istio, I have three services:
[1] Smoke-Detector-Service (provides a list of all smoke detectors, giving the name and date of install; also has methods to CRUD detectors)
[2] Alert-Email-Service (every day it calls the Smoke-Detector-List service and sends an email alert for the detectors with a battery older than 11 months)
[3] Web-Interface (provides a webpage to access smoke detectors and create/update/delete records)
Istio Configuration (Gateway/VirtualService)
[A] [3]Web-Interface and [1]Smoke-Detector-Service are exposed publicly via Gateway/VirtualService
[B] [2] Alert-Email-Service is not exposed publicly
The [3]Web-Interface calls the [1]Smoke-Detector-Service and it works beautifully until I try to secure the [1]Smoke-Detector-Service.
I secure it ([1]) by using an Authentication/Policy-Origins-JWT and it works so far.
The user has to log in to the web app, uses Keycloak to get the auth token, then calls the secured [1]Smoke-Detector-Service with the token, and it works well.
The Problem:
The problem is that when I enable the Authentication/Policy-Origins-JWT for the [1]Smoke-Detector-Service, the internal [2]Alert-Email-Service cannot access it.
How do I secure a service using Authentication/Policy-Origins-JWT but allow it to be called from inside the mesh (without using JWT inside the mesh)?
Basically I want a mesh where all internal services are trusted (no JWT needed), but services that are available internally and also exposed to the Internet (public) are secured from outside via JWT.
Was I clear in what I am looking for?
Is Istio capable of this? How to configure it?
Any help is greatly appreciated…
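As an added example (not from the original post), here is how the split the question asks for is expressed in Istio's RequestAuthentication/AuthorizationPolicy API (Istio 1.5 onward, which replaced the origins-JWT Policy): the JWT is only required on requests that arrive through the public ingress gateway, while an in-mesh caller is trusted on its mTLS identity. The namespace, app label, service-account names, the ingress gateway's service account and the Keycloak issuer/JWKS URLs are assumed placeholders, not values from the post.

```yaml
# Added example, not from the original post. Assumed values: namespace "default",
# app label "smoke-detector-service", SA "alert-email-service", ingress gateway SA
# "istio-ingressgateway-service-account" in "istio-system", and the Keycloak URLs.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  # Enforce mTLS so the caller identity used in "principals" below is trustworthy
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: smoke-detector-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: smoke-detector-service
  # Validates a JWT when one is present; requests WITHOUT a token still pass this
  # resource, so the AuthorizationPolicy below decides which callers must have one.
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/smoke"   # assumed
    jwksUri: "https://keycloak.example.com/auth/realms/smoke/protocol/openid-connect/certs"   # assumed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: smoke-detector-access
  namespace: default
spec:
  selector:
    matchLabels:
      app: smoke-detector-service
  action: ALLOW
  rules:
  # Rule 1: traffic forwarded by the public ingress gateway must carry a valid JWT
  # (principals and requestPrincipals inside one source block are ANDed).
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
        requestPrincipals: ["*"]
  # Rule 2: the in-mesh Alert-Email-Service is trusted on its mTLS identity alone, no JWT.
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/alert-email-service"]
```

Once an ALLOW policy selects the workload, any request matching neither rule (for example a token-less request via the gateway, or an unlisted in-mesh service) is denied, so the AuthorizationPolicy is what actually enforces the JWT at the edge.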