I have an IDP (Keycloak) running in an Istio-enabled namespace. The service has a policy like this:

```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: keycloak-jwt-policy
  namespace: public
spec:
  peers:
  - mtls:
      mode: STRICT
  targets:
  - name: keycloak
    ports:
    # note: the v1alpha1 PortSelector is documented with `number` or `name`,
    # not `containerPort`
    - containerPort: 8080
      name: http
```
The cluster-default DestinationRule is:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: '*.local'
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```
Istio is installed using helm and has
However, I'm seeing a lot of errors from discovery when fetching the JWKS certs from Keycloak:

```
Failed to fetch public key from ...
```

which comes from this file: https://github.com/istio/istio/blob/f2222fe2c3c1543cb90562fa03d7887191b37844/pilot/pkg/model/jwks_resolver.go#L242
My hunch is that Pilot is not using mTLS to fetch the JWKS certs, and indeed, if I exec into the Pilot pod, I'm not able to fetch the certificates.
If I use `mtls: PERMISSIVE` for Keycloak then Pilot can fetch the certificates, but I would rather avoid this.
How should I configure my DestinationRule, Policy and MeshPolicy to instruct Pilot to use mTLS?
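For reference, the following is an added configuration example (not from the poster or the Istio project) showing the workaround the post describes, namely PERMISSIVE mode, scoped to just the Keycloak port that serves the JWKS while the rest of the mesh stays STRICT. The service name `keycloak`, namespace `public` and port `8080` are taken from the post; the `number` field is the documented v1alpha1 PortSelector form. This does not make Pilot use mTLS; it only narrows the plaintext exposure to the one port Pilot needs to reach, so the caveat from the post (Keycloak accepts plaintext on that port) still applies.

```yaml
# Mesh-wide default: every sidecar requires mTLS from peers.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls:
      mode: STRICT
---
# Service-scoped override for keycloak: only port 8080 (where Pilot fetches
# the JWKS over plain HTTP) accepts both mTLS and plaintext. Any other port
# on the service keeps inheriting STRICT from the MeshPolicy above.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: keycloak-jwks-permissive
  namespace: public
spec:
  targets:
  - name: keycloak
    ports:
    - number: 8080
  peers:
  - mtls:
      mode: PERMISSIVE
---
# Client side stays unchanged: sidecars still originate mTLS to keycloak,
# so in-mesh callers are not downgraded; only Pilot's sidecar-less fetch
# arrives in plaintext.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: keycloak
  namespace: public
spec:
  host: keycloak.public.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

After applying, `istioctl authn tls-check <some-pod> keycloak.public.svc.cluster.local` should report the server side as PERMISSIVE for port 8080 and the client side as ISTIO_MUTUAL; a mismatch there (for example the client set to DISABLE because another DestinationRule wins) is a separate cause of the same "cannot fetch" symptom from inside the mesh.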