Deploy Two Istio Ingress Controllers

I have deployed Istio 1.4.1 in my production environment, and it seems to work fine. Now I want to activate JWT authentication only for some services. In particular, I want to activate JWT authentication only for external calls, but I don’t want JWT authentication when services invoke each other from inside the mesh. Let me try to explain better:

Internet-->IngressController-->GW-->Virtual Service-->Service-A with JWT

Service-B(inside mesh)-->Service-A without JWT

I read in the documentation that a JWT Policy is applied per Service, so initially I thought to create two services:

  • Service-A
  • Service-A-no-jwt

So I tried to make a call from Service-B to Service-A-no-jwt, but I got an “Origin authentication failed” message.

So I tried to modify Service-A to add a new port that points to the same targetPort. Here is an example:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: data-layer
  name: data-layer
spec:
  ports:
  # original port, covered by the JWT policy
  - name: http-data-layer
    port: 8888
    targetPort: 8888
  # second port, intended for mesh-internal calls without JWT
  - name: http-data-layer-no-jwt
    port: 9000
    targetPort: 8888
  selector:
    app: data-layer

So I modified the JWT policy, specifying the port number in the “targets” field:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: data-layer
spec:
  targets:
  - name: data-layer
    ports:
    - number: 8888
  # origins/jwt section unchanged from the existing policy (not shown in the post)

I tried to call Service-A on port 9000 from Service-B, but again I got an “Origin authentication failed” message.

As far as I understand, there is no way to call Service-A without JWT authentication, because when I activate the JWT policy on Service-A, the istio-proxy injects this rule into the related pod.

So I thought of activating the JWT policy on the “istio-ingressgateway” service: it lets me enforce the JWT policy from outside, while at the same time it lets me call the service from inside without JWT authentication.

Now the issue is that in this way all services require the JWT from external callers, but I have some services such as Jenkins, Gogs, Nexus and so on for which I don’t want JWT.

In order to resolve this issue, I thought of duplicating the “istio-ingressgateway” service (of course using different nodePorts) and the istio-ingressgateway deployment and calling it “istio-ingressgateway-custom”; the next step would be to change the Gateway and VirtualService for those services (Gogs, Jenkins, Nexus, …) to point to this ingress.

I don’t know if deploying a custom ingress controller is the best solution to resolve this issue.

Could you help me?
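The setup the question describes, written out as an added example (editor's illustration, not manifests from the original post or from the Istio project): a second ingress gateway selected by its own label, a Gateway and VirtualService for Jenkins that bind only to that gateway, and the JWT Policy attached only to the stock istio-ingressgateway. The namespace "tools", the "jenkins" service on port 8080, the hostname jenkins.example.com, the nodePorts and the issuer/jwksUri values are assumptions; the duplicated Deployment is the stock one with its pod labels changed, as the post suggests, and is not repeated here.

```yaml
# Added example, not from the original post. Assumed names: namespace "tools",
# service "jenkins" (port 8080), host jenkins.example.com, issuer placeholders.

# 1. Service in front of the duplicated gateway Deployment. The Deployment is a
#    copy of the stock istio-ingressgateway whose pod labels are changed to
#    app=istio-ingressgateway-custom, istio=ingressgateway-custom.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway-custom
  namespace: istio-system
  labels:
    app: istio-ingressgateway-custom
    istio: ingressgateway-custom
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway-custom
    istio: ingressgateway-custom
  ports:
  - name: http2
    port: 80
    targetPort: 80
    nodePort: 32380   # assumed; must not collide with the stock gateway's nodePort
  - name: https
    port: 443
    targetPort: 443
    nodePort: 32390   # assumed
---
# 2. Gateway bound to the custom proxy. The selector matches the gateway *pod*
#    labels, not the Service name; hosts must not overlap with the Gateways
#    served by the stock, JWT-protected ingress.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tools-gateway
  namespace: tools
spec:
  selector:
    istio: ingressgateway-custom
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - jenkins.example.com
---
# 3. VirtualService for Jenkins attached only to tools-gateway, so it is never
#    reachable through the JWT-protected stock gateway.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jenkins
  namespace: tools
spec:
  hosts:
  - jenkins.example.com
  gateways:
  - tools-gateway
  http:
  - route:
    - destination:
        host: jenkins.tools.svc.cluster.local
        port:
          number: 8080
---
# 4. JWT origin authentication on the stock gateway only. Service-B -> Service-A
#    calls inside the mesh never traverse this proxy, so they are unaffected,
#    while every external request through the stock gateway needs a valid JWT.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ingressgateway-jwt
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "https://issuer.example.com"                          # placeholder
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder
  principalBinding: USE_ORIGIN
```

Two checks worth doing after `kubectl apply`: confirm the custom gateway pod actually carries the `istio: ingressgateway-custom` label (a Gateway whose selector matches no pod is silently ignored), and send one request with no token to a Service-A host via the stock nodePort and one to jenkins.example.com via the custom nodePort, expecting 401 and 200 respectively. Keep in mind that this split is per gateway, not per host: every route through the stock gateway is JWT-protected, and a VirtualService that lists both Gateways would reopen the unauthenticated path. The 1.4 Policy API also offers path-based `triggerRules` on the jwt origin, but those match on request path only, so they do not replace a separate gateway when the distinction is by hostname.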