I have a mesh with mesh-wide strict mTLS. In this mesh I have a Key Management Service (KMS) that provides a JWKS. Unfortunately istiod cannot make requests to the KMS and receives a 53: connection refused.
When I run curl from the istiod container it also fails, but when I curl from a sleep container in the namespace it succeeds.
I have uploaded relevant config files and log file to this gist: https://gist.github.com/TimVosch/b258d68cd869954a2383fb7a80d79c3d
I assume that istiod does not apply mTLS when making JWKS requests to an internal service.
Can I enable this, or is there a way I can make an mTLS exception only for istiod <—> KMS?
Thanks for your time.
Tim van Osch
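One way to carve out exactly the exception asked about above, as an added example that is not part of the original post or the Istio project's own files. istiod runs in istio-system without a sidecar, so its JWKS fetches reach the KMS in plaintext and a mesh-wide STRICT PeerAuthentication rejects them, which matches the symptom described (sidecar-injected sleep pod succeeds, istiod fails). A workload-level PeerAuthentication can relax only the JWKS port of the KMS while leaving every other port, and the rest of the mesh, STRICT. The namespace `kms`, the label `app: kms`, and the port `8080` are assumptions for the example; substitute the values from your own deployment.

```yaml
# Added example (hypothetical names). Assumes the KMS is a workload labelled
# app: kms in namespace kms and serves its JWKS on container port 8080.
# The mesh-wide STRICT PeerAuthentication in istio-system stays in place;
# this policy is narrower (workload selector) and therefore takes precedence
# for the selected pods only.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: kms-jwks-permissive
  namespace: kms
spec:
  selector:
    matchLabels:
      app: kms
  # Default for every port on the KMS pods: still STRICT.
  mtls:
    mode: STRICT
  # Only the JWKS port accepts both mTLS and plaintext, so a caller without
  # a sidecar (istiod) can fetch the key set while sidecar-injected callers
  # keep using mTLS.
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

Apply with `kubectl apply -f` and re-run the curl from the istiod container; a JWKS endpoint only publishes public keys, so accepting plaintext on that single port exposes no secret material, but anything else served by the KMS should stay on STRICT ports, which is why the exception is scoped to one port rather than to the whole workload. If the KMS also serves the JWKS over TLS on its own, an alternative that keeps the mesh policy untouched is to point the `jwksUri` at that TLS endpoint so istiod verifies the server certificate itself; which route fits depends on how the KMS is exposed.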