Hey @DougTrajana, thanks for the quick reply.
I don’t have the option of running an oauth2-proxy in each cluster, as I don’t have control over Okta. So Okta has a single callback URL pointing to the single exposed oauth2-proxy, i.e. istio-auth.my-domain.com.
Having a “https://…” service in meshConfig gave me an error (service not part of Istio registry), so I created a ServiceEntry like this:
```yaml
namespace: istio-system
- number: 443
```
And used the ServiceEntry host:
```yaml
- name: "oauth2-proxy"
```
But now, instead of a simple “RBAC : Access denied” message in the browser, I get a bare 403 and no logs in oauth2-proxy, so it’s never reached.
BTW, in the cluster where oauth2-proxy resides, setting the envoyExtAuthzHttp service to the internal DNS name of the svc works. But then it only works in the one cluster with oauth2-proxy, not the others.
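A complete version of the setup this post describes, added here as an illustration and not the poster's own manifests: the ServiceEntry for the external oauth2-proxy host, the matching extension provider, and the AuthorizationPolicy that invokes it. It assumes the host istio-auth.my-domain.com and the provider name "oauth2-proxy" from the post; the DestinationRule is an assumption the post does not mention, and it is the first thing worth checking when the proxy receives no requests at all, because without TLS origination the sidecar sends the ext_authz check to port 443 in plaintext and the check fails closed with a 403.

```yaml
# Added example; assumes host istio-auth.my-domain.com and provider "oauth2-proxy".
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: oauth2-proxy-external
  namespace: istio-system
spec:
  hosts:
  - istio-auth.my-domain.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: HTTPS
---
# Assumed TLS origination; without it the ext_authz check is sent to
# port 443 in plaintext, the check errors and Envoy denies with 403.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: oauth2-proxy-external-tls
  namespace: istio-system
spec:
  host: istio-auth.my-domain.com
  trafficPolicy:
    tls:
      mode: SIMPLE
---
# meshConfig fragment, identical in every cluster.
meshConfig:
  extensionProviders:
  - name: "oauth2-proxy"
    envoyExtAuthzHttp:
      service: "istio-auth.my-domain.com"
      port: "443"
      includeRequestHeadersInCheck: ["authorization", "cookie"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-oauth2-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
```

With the same meshConfig and ServiceEntry applied in every cluster, each cluster's gateway calls the one external oauth2-proxy, which is what the single Okta callback URL requires.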