Istiod cannot request JWKS from service with mTLS enabled

Hi,

I have a mesh with mesh-wide strict mTLS. In this mesh I have a Key Management Service (KMS) that provides JWKS. Unfortunately istiod cannot make requests to the KMS and receives a "53: connection refused" error.

When I run curl from the istiod container it also fails, but when I curl from a sleep container in the namespace it succeeds.

I have uploaded relevant config files and log file to this gist: https://gist.github.com/TimVosch/b258d68cd869954a2383fb7a80d79c3d

I assume that istiod does not apply mTLS when making the JWKS request to an internal service.

Can I enable this, or is there a way I can make an mTLS exception only for istiod <-> KMS?

Thanks for your time.

Sincerely,
Tim van Osch


Hi,

I’ve asked the same question previously. At that time it was not supported:


Maybe there’s basis for making a feature request.

/ Lasse

Thanks for your response!
I think it would make sense for Istio Pilot to be able to identify itself through mTLS; however, I am not all too familiar with the inner workings of Istio.

For now I have decided to allow all access to the public JWKS endpoints (an endpoint looks like /<public|private>/<identifier>):

  # rules section of the AuthorizationPolicy applied to the KMS workload
  rules:
    - to:
      - operation:
          methods: ["GET"]
          paths:
            - "/public*"
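A complete version of that exception, written here as an added example (it is not part of the post above and not Istio's own documentation): istiod runs without a sidecar and fetches the jwksUri in plaintext, so the KMS sidecar has to accept plaintext on the JWKS port for the fetch to get through. The workload-level PeerAuthentication below keeps the KMS in STRICT mode but sets PERMISSIVE on that one port, and the paired AuthorizationPolicy then lets an unauthenticated caller do nothing but GET /public*, while every other path still requires an mTLS peer identity. The namespace "kms", the label "app: kms" and the container port 8080 are assumptions; substitute the real values.

```yaml
# Added example, not from the original post. Assumed: namespace "kms",
# workload label "app: kms", KMS container port 8080.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: kms-jwks-port-permissive
  namespace: kms                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: kms                   # assumed workload label
  mtls:
    mode: STRICT                 # keep the workload strict overall
  portLevelMtls:
    8080:                        # assumed container port (not the Service port)
      mode: PERMISSIVE           # accept istiod's plaintext JWKS fetch here
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: kms-jwks-access
  namespace: kms                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: kms                   # assumed workload label
  action: ALLOW
  rules:
    # Rule 1: any caller, plaintext or mTLS, may only GET the public JWKS.
    - to:
        - operation:
            methods: ["GET"]
            paths: ["/public*"]
    # Rule 2: everything else needs an mTLS-derived peer identity;
    # "*" is the presence match, so a plaintext caller never satisfies it.
    - from:
        - source:
            principals: ["*"]
```

The point of rule 2 is that opening the port to plaintext does not open the private keys: a plaintext request to /private/<identifier> matches neither rule and the sidecar answers with a 403 (RBAC denied), while a sidecar-equipped client in the mesh still reaches it over mTLS. The same curl checks from the first post (from the istiod container and from a sleep pod) are enough to confirm both halves: the public path should now succeed from istiod, and a private path should succeed only from the sleep pod.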