Istiod cannot request JWKS from a service with mTLS enabled


I have a mesh with mesh-wide strict mTLS. In this mesh I have a Key-Management-Service (KMS) that provides JWKS. Unfortunately istiod cannot make requests to the KMS and receives a 53: connection refused.

When I run curl from the istiod container it also fails, but when I curl from a sleep container in the namespace it succeeds.

I have uploaded the relevant config files and log file to this gist:

I assume that istiod does not apply mTLS when making the JWKS request to an internal service.

Can I enable this, or is there a way I can make an mTLS exception only for istiod <-> KMS?

Thanks for your time.

Tim van Osch



I’ve asked the same question previously. At that time it was not supported:

Maybe there’s basis for making a feature request.

/ Lasse

Thanks for your response!
I think it would make sense for Istio Pilot to be able to identify itself through mTLS; however, I am not too familiar with the inner workings of Istio.

For now I have decided to allow all access to the public JWKS endpoints (the endpoint looks like /<public|private>/<identifier>):

    - to:
      - operation:
          methods: ["GET"]
          paths: ["/public*"]
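For readers landing on this thread: the AuthorizationPolicy rule above only decides what an already-accepted request may do. With mesh-wide STRICT mTLS the KMS sidecar drops the plaintext connection before any authorization rule runs, so the exception for istiod also needs a PeerAuthentication that relaxes mTLS on the KMS workload's JWKS port only. The following is an added example, not config from the original poster or from Istio's own docs; the namespace `kms`, the label `app: kms`, the container port `8080`, and the in-mesh caller namespace `apps` are assumptions for illustration.

```yaml
# Added example (not from the original thread). Assumed names: namespace "kms",
# KMS workload label app=kms, JWKS served on container port 8080, in-mesh
# clients running in namespace "apps".
#
# 1) Keep the KMS workload STRICT everywhere except the JWKS port. portLevelMtls
#    keys are the workload's container port, not the Service port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: kms-jwks-port-permissive
  namespace: kms
spec:
  selector:
    matchLabels:
      app: kms
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE   # accepts plaintext (istiod) and mTLS (sidecar clients)
---
# 2) Once PERMISSIVE, anyone who can reach port 8080 can send plaintext, so
#    narrow what an unauthenticated caller may do: GET on /public* only.
#    Everything else on this workload requires an mTLS identity from "apps".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: kms-jwks-access
  namespace: kms
spec:
  selector:
    matchLabels:
      app: kms
  action: ALLOW
  rules:
    # Rule A: no "from" clause, so plaintext callers (istiod's JWKS fetcher)
    # match, but only for the public keys.
    - to:
        - operation:
            methods: ["GET"]
            paths: ["/public*"]
    # Rule B: mTLS-authenticated workloads from the assumed "apps" namespace
    # may use the private endpoints as well. "namespaces" is derived from the
    # peer certificate, so a plaintext request can never satisfy this rule.
    - from:
        - source:
            namespaces: ["apps"]
      to:
        - operation:
            paths: ["/public*", "/private*"]
```

Two things to check after applying this. First, as soon as one ALLOW policy selects the KMS workload, every request that matches no rule is denied, so any other client of the KMS must be covered by Rule B or a further rule. Second, the PERMISSIVE port is reachable in plaintext by anything that can open a TCP connection to the pod, not just istiod; that is the trade-off the original poster accepted by exposing only the public key material, and it is why the private paths stay behind an mTLS-derived `source` match.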