Deploy Two Istio Ingress Controller

UNix3 · January 20, 2020, 10:29am

Hi,
I have deployed in my production environment Istio 1.4.1, it seems to work fine. Now I want to activate the JWT Authentication only for some service. In particular I want to activate JWT authentication only for external calls, but I don’t want to have JWT authentication when services invoke each other from within the inside mesh. I try to explain me better from:

Internet-->IngressController-->GW-->Virtual Service-->Service-A with JWT

Service-B(inside mesh)-->Service-A without JWT

I read from documentation that JWT Policy is applied for Service, so initially I thought to create two services:

Service-A
Service-A-no-jwt

So I tried to make a call from Service-B to Service-A-no-Jwt but I have got “Origin authentication failed” message

So I tried to modify Service A to add a new port that it point to same targetport, I give you an example:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: data-layer
  name: data-layer 
spec:
  ports:
  - name: http-data-layer
    port: 8888
    targetPort: 8888
    name: http-data-layer-no-jwt
    port: 9000
    targetPort: 8888
  selector:
    app: data-layer

So I modified the JWT policy specifying the port number in the “targets” field:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "data-layer"
spec:
  targets:
  - name: data-layer
    ports:
    - number: 8888

I tried to call from Service-B the Service-A on 9000 port, but again I have got “Origin authentication failed” message.

As far as I understand there is not way to call Service-A without JWT Authentication, because when I have activated the JWT policy on Service-A the istio-proxy injects this rule in related POD.

So I have thought to Activate the JWT policy on “istio-ingressgateway” service, it allows me to have JWT policy from outside but in the same time it allows me to call Service from inside without JWT Authentication.

Now the issue is that in this way all services required from external the JWT, but I have some service as Jenkins, Gogs, Nexus and so on for which I don’t want to have JWT.

In order to resolve this issue, I have thought to duplicate the “istio-ingressgateway”(of course using different nodePorts) service and istio-ingressgateway deployment and call it “istio-ingressgateway-custom”, the next step would be to change the Gateway and VirtualService for those services(Gogs, Jenkins, Nexus,…) to point to this ingress.

I don’t know if this is the best solution to deploy a custom ingress-controller or to resolve this issue

Could you help me?

Regards,
Domenico

Topic		Replies	Views
End User Auth for external use and MTLS for internal service-service communication? Security	17	2521	December 3, 2020
Jwt origin auth on ingress for some hosts but not for others Security	5	1389	December 22, 2020
Use of JWT Token in service to service authentication Security security	0	456	March 12, 2023
Jwt Authentication for a specific service results in "upstream connect error or disconnect/reset before headers" Security	8	3308	June 19, 2019
Istio UX improvements you'd like to see User Experience	1	861	November 29, 2019

Deploy Two Istio Ingress Controller

Related topics