Clarification for istio authentication policy with origin and peer mtls authentication

#1

I am using istio deployed in a minikube cluster. I have created and deployed two services in the default namespace, an ‘entitlements’ service and an ‘organizations’ service. The ‘organizations’ service exposes an endpoint meant to be hit publicly. When that endpoint is called, organizations calls into the ‘entitlements’ service to get some information.

I want to have an authentication policy that requires origin authentication for requests coming from outside the cluster, and mtls for all requests machine-to-machine (peer authentication: orgs -> entitlements).

end_user -> organizations (origin jwt authentication) -> entitlements (mtls authentication)

This is the policy I have:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  origins:
  - jwt:
      issuer: "https://login-dev.solutionreach.com/oauth2/aushjaeb7yvgghqOU0h7"
      jwksUri: "https://solutionreach-test.oktapreview.com/oauth2/aushjaeb7yvgghqOU0h7/v1/keys"
      audiences:
      - "https://api.dev.srconnect.io"
  peers:
  - mtls: {}
  principalBinding: USE_ORIGIN

Before I added the ‘peers’ section of the config, I was able to make a request to the public endpoint fine using curl. However, once I added ‘peers’ into the Policy config, I started getting 503 responses with upstream connect error or disconnect/reset before headers in the body.

I expected that with that configuration, I would be able to make origin-authenticated calls, and that service-to-service calls would be authenticated via mtls, but what I think is happening is that now my origin-calls from outside the cluster are required to use mtls as well, is that correct?

How would I go about configuring origin authentication for requests coming from outside the cluster, and mtls for machine-to-machine authentication inside the cluster?

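An added example, not code from the original post: a small audit that resolves which Istio v1alpha1 authentication Policy applies to a given service and what its peer mTLS block actually requires. The policies are Python dicts mirroring the YAML above; the service-specific "entitlements-mtls" policy and the names "organizations"/"entitlements" as Policy targets are assumptions for illustration.

```python
# Added example (not from the original post): resolve the effective Istio
# v1alpha1 authentication Policy for a service and summarise what it demands.
# Policies are plain dicts mirroring the YAML, so no YAML parser is needed.

# Constructed samples: the namespace-wide policy from the post (no "targets",
# so it covers every service in "default") and a hypothetical service-specific
# policy for "entitlements" that enforces peer mTLS only, with no JWT origin.
POLICIES = [
    {
        "metadata": {"name": "default", "namespace": "default"},
        "spec": {
            "origins": [{"jwt": {"issuer": "https://login-dev.solutionreach.com/oauth2/aushjaeb7yvgghqOU0h7"}}],
            "peers": [{"mtls": {}}],  # empty mtls block: mode defaults to STRICT
            "principalBinding": "USE_ORIGIN",
        },
    },
    {
        "metadata": {"name": "entitlements-mtls", "namespace": "default"},
        "spec": {"targets": [{"name": "entitlements"}],
                 "peers": [{"mtls": {"mode": "STRICT"}}]},
    },
]


def applicable_policy(policies, namespace, service):
    """Istio precedence: a policy naming the service in 'targets' wins over
    the namespace-wide policy (no targets). Mesh-wide policy is not modelled."""
    namespace_wide = None
    for p in policies:
        if p["metadata"]["namespace"] != namespace:
            continue
        targets = p["spec"].get("targets") or []
        if any(t.get("name") == service for t in targets):
            return p
        if not targets:
            namespace_wide = p
    return namespace_wide


def audit(policies, namespace, service):
    """Effective requirements: peer mTLS mode (None = plaintext accepted),
    whether a JWT origin is required, and which identity is bound."""
    p = applicable_policy(policies, namespace, service)
    if p is None:
        return {"policy": None, "mtls": None, "jwt": False, "binding": "USE_PEER"}
    mtls = None
    for peer in p["spec"].get("peers", []):
        if "mtls" in peer:
            mtls = (peer["mtls"] or {}).get("mode", "STRICT")
    jwt = any("jwt" in o for o in p["spec"].get("origins", []))
    return {"policy": p["metadata"]["name"], "mtls": mtls, "jwt": jwt,
            "binding": p["spec"].get("principalBinding", "USE_PEER")}
```

A result of `"mtls": "STRICT"` means the service's sidecar accepts only mTLS connections from other sidecars, so a caller that still sends plaintext (for example an ingress gateway without a DestinationRule that originates ISTIO_MUTUAL) is reset before any HTTP headers, which is the 503 symptom above. PERMISSIVE mode, set explicitly as `mtls: {mode: PERMISSIVE}`, accepts both while you migrate callers.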