We have two pods, say A and B, both in the same namespace with Istio injected. Now pod A wants to authenticate itself to pod B using an x509 certificate. From pod A, in the curl command, if we provide:
- https in the URL and the certificate explicitly (provided not by the istio-proxy but by the main container within pod A), the webserver running within the main container of pod B receives this certificate and works with it.
- http in the URL and we depend on pod A's istio-proxy to wrap it using the right certificate, the https traffic now originating from this proxy is received by the istio-proxy running within pod B; however, the webserver of B still receives http traffic (without the certificate).
Questions are:-
- How can the webserver in pod B receive the https call as is, without the istio-proxy converting it to http?
- We still want to make sure that the traffic originates as http within pod A's main container and that the istio-proxy of pod A converts it into https.
- How can DestinationRule, PeerAuthentication, Sidecar and ServiceEntry help in the process?
The curl command used from pod A :-
curl --location --request POST 'http://keycloak-http/auth/realms/sample/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=Test_certAuth' \
--data-urlencode 'grant_type=client_credentials' -k -v --key /etc/certs/tls.key --cert /etc/certs/tls.crt
The error we get in the pod B main container is :-
2023-08-29 05:32:44,181 TRACE [org.infinispan.container.impl.EntryFactoryImpl] (executor-thread-291) Wrap 156ca09f-5c85-4536-b0d1-07a634fbd965 for read. Entry=RepeatableReadEntry(2dd00e1c){key=156ca09f-5c85-4536-b0d1-07a634fbd965, value=0, oldValue=0, isCreated=false, isChanged=false, isRemoved=false, isExpired=false, isCommited=false, skipLookup=false, metadata=EmbeddedMetadata{version=null}, oldMetadata=EmbeddedMetadata{version=null}, internalMetadata=null}
2023-08-29 05:32:44,182 TRACE [org.infinispan.interceptors.impl.CallInterceptor] (executor-thread-291) Invoking: GetKeyValueCommand
2023-08-29 05:32:44,182 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (executor-thread-291) client by id cache hit: Test_certAuth
2023-08-29 05:32:44,182 DEBUG [org.keycloak.services] (executor-thread-291) [X509ClientCertificateAuthenticator:authenticate] **x509 client certificate is not available for mutual SSL.**
2023-08-29 05:32:44,182 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-291) client authenticator ATTEMPTED: client-x509
2023-08-29 05:32:44,182 ERROR [org.keycloak.services] (executor-thread-291) KC-SERVICES0017: Unknown result status
2023-08-29 05:32:44,182 DEBUG [org.keycloak.services] (executor-thread-291) KC-SERVICES0014: Failed client authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.authentication.ClientAuthenticationFlow.processResult(ClientAuthenticationFlow.java:173)
Expected output :- Keycloak should receive the certificate.