Hi,
I have deployed Istio 1.4.1 in my production environment and it seems to work fine. Now I want to activate JWT authentication only for some services. In particular, I want JWT authentication only for external calls, but not when services invoke each other from inside the mesh. Let me try to explain better:
Internet-->IngressController-->GW-->Virtual Service-->Service-A with JWT
Service-B(inside mesh)-->Service-A without JWT
I read in the documentation that a JWT Policy is applied per Service, so initially I thought of creating two services:
- Service-A
- Service-A-no-jwt
So I tried to make a call from Service-B to Service-A-no-jwt, but I got an “Origin authentication failed” message.
So I tried to modify Service-A to add a new port pointing to the same targetPort; here is an example:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: data-layer
  name: data-layer
spec:
  ports:
  # original port, covered by the JWT policy
  - name: http-data-layer
    port: 8888
    targetPort: 8888
  # second service port, same container port, intended for in-mesh callers
  - name: http-data-layer-no-jwt
    port: 9000
    targetPort: 8888
  selector:
    app: data-layer
Then I modified the JWT policy, specifying the port number in the “targets” field:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "data-layer"
spec:
  targets:
  - name: data-layer
    ports:
    - number: 8888
I tried to call Service-A from Service-B on port 9000, but again I got an “Origin authentication failed” message.
As far as I understand, there is no way to call Service-A without JWT authentication, because once I have activated the JWT policy on Service-A the istio-proxy injects this rule into the related pod.
So I thought of activating the JWT policy on the “istio-ingressgateway” service; that gives me the JWT policy from outside and at the same time lets me call the service from inside without JWT authentication.
Now the issue is that in this way all services require a JWT from outside, but I have some services such as Jenkins, Gogs, Nexus and so on for which I don’t want JWT.
To resolve this, I thought of duplicating the “istio-ingressgateway” service (of course using different nodePorts) and the istio-ingressgateway deployment, calling it “istio-ingressgateway-custom”; the next step would be to change the Gateway and VirtualService for those services (Gogs, Jenkins, Nexus, …) to point to this ingress.
I don’t know if deploying a custom ingress controller is the best solution for this issue.
Could you help me?
Regards,
Domenico
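The two-gateway layout described in the post, written out as an added example (this is not the poster's configuration or anything from the Istio project; the Istio 1.4 `authentication.istio.io/v1alpha1` and `networking.istio.io/v1alpha3` APIs are used). Assumptions: the duplicated ingress Deployment carries the pod label `istio: ingressgateway-custom`, and the issuer, `jwksUri`, hostnames and the Jenkins service port are placeholders.

```yaml
# Added example, not from the original post: JWT is checked only by the
# default ingress gateway pods, while a second gateway (the duplicated
# "istio-ingressgateway-custom" deployment) fronts the tools without JWT.
# Assumed: the duplicated ingress pods carry the label istio: ingressgateway-custom.
---
# 1. JWT origin authentication bound to the default ingress gateway only.
#    Service-A itself gets no Policy, so Service-B -> Service-A inside the
#    mesh is never asked for a token.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ingress-jwt
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "https://issuer.example.com"                          # placeholder
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder
  principalBinding: USE_ORIGIN
---
# 2. Gateway for Service-A, served by the default (JWT-checked) ingress pods.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: data-layer-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "data.example.com"                                            # placeholder
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data-layer
spec:
  hosts:
  - "data.example.com"
  gateways:
  - istio-system/data-layer-gateway
  http:
  - route:
    - destination:
        host: data-layer
        port:
          number: 8888
---
# 3. Second gateway for Jenkins/Gogs/Nexus, served by the duplicated ingress
#    pods. No Policy targets them, so no JWT is required on this path.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tools-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway-custom                                    # assumed label
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "jenkins.example.com"                                         # placeholder
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jenkins
spec:
  hosts:
  - "jenkins.example.com"
  gateways:
  - istio-system/tools-gateway
  http:
  - route:
    - destination:
        host: jenkins
        port:
          number: 8080                                              # placeholder
```

Two things worth checking before relying on this layout. First, moving the JWT check to the gateway means Service-A's own sidecar enforces nothing about the caller's token, so any workload in the cluster that can reach the pod (including one without a sidecar) gets in without a JWT; if in-mesh callers still need to be authenticated, that is a job for peer authentication (mTLS) on Service-A rather than an origin JWT policy. Second, the earlier two-port attempt fails by design: both service ports map to the same targetPort 8888, the sidecar's inbound listener is keyed on that pod port, and a Policy selecting port 8888 therefore applies to traffic arriving via either service port.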