I have a configuration where all my own services require JWT authentication. There are a few exceptions though; I do have an elastic appsearch in my cluster (same namespace) as well. That one cares about authentication itself. I had it running outside of istio for some time because it really wanted to care about its own certificates. That requirement is gone since a few releases, and I’m moving it into the service mesh.
Elastic Appsearch uses its own
Bearer tokens, but those are not JWT tokens at all. Seems that although I deactivated JWT checking through an
AuthorizationPolicy (does it work like that? Other q&as seem to suggest that), istio tries to parse that header as JWT. This is the error message:
Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections, which is true (the tokens look like
search-abcdefghijklmnopqrstuvwxyz). Maybe I’m doing something wrong in another place as well, but those are the resources I currently do think come into play here:
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: generic-request-authentication namespace: apps spec: jwtRules: - audiences: - some-audience forwardOriginalToken: true issuer: https://some-issuer jwksUri: >- https://some-jwks-uri
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: app: search-and-tag-service-appsearch name: search-and-tag-service-appsearch-allow-all namespace: apps spec: action: ALLOW rules: - from: - source: namespaces: - apps - source: namespaces: - elastic-system selector: matchLabels: app: search-and-tag-service-appsearch
Appsearch pods do have the label
app: search-and-tag-service-appsearch set.
I hoped my
AuthorizationPolicy already allows requests from the same namespace.
It might even let the request pass if it did not have any It does, just tested.
Authorization header, but appsearch would then reject it.
How can I make istio not try to parse those