JWT authentication for a specific service results in "upstream connect error or disconnect/reset before headers"


#1

I have a sample helloweb service deployed in the default namespace that I can access through the ingress-gateway.

If I set a jwtPolicy for the whole ingress-gateway, I can see the JWT validation happens fine, and with a valid JWT token I can get access to this service.

Policy (Global JWT Policy works)

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "ingressgateway"
  namespace: istio-system
spec:
  targets:

If, however, I try to set a Policy for just this service, I get "upstream connect error or disconnect/reset before headers".

Policy for just that service, like below (does not work):

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "helloweb-policy"
spec:
  targets:

Looking at the container logs of istio-proxy for helloweb-backend does not show any details.


#2

What’s your TLS setting for helloweb-backend? Did you enable mTLS in the auth policy by default? If that’s the case, you need to modify your “helloweb-policy” to include the mTLS setting as well (or you can modify the destination rule to exclude the helloweb-backend from mTLS).

cc @diemtvu


#3

I am working with @chaturvedia. mTLS is enabled. However, when we add mTLS setting to the helloweb-policy (as shown below), all requests go through, even without a JWT token.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "helloweb-policy"
spec:
  targets:


#4

Update on this issue. The service port needs a name to be specified, as per Istio guidelines. Once the service port name is added, JWT auth works fine.
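A check for the root cause reported in #4, added here as an example that is not part of the thread: it lints Kubernetes Service ports for Istio's `<protocol>[-<suffix>]` port-name convention, so an unnamed port like the one that broke the helloweb policy is caught before the policy is applied. The two helloweb Service manifests below are constructed for the example (represented as Python dicts so the script needs no YAML library).

```python
"""Lint Kubernetes Service port names for Istio's protocol-prefix convention."""
from dataclasses import dataclass
from typing import List, Optional

# Protocol prefixes Istio recognises in a Service port name: <protocol>[-<suffix>].
ISTIO_PROTOCOLS = {"http", "http2", "https", "grpc", "tcp", "tls", "mongo", "mysql", "redis"}


@dataclass
class Finding:
    service: str
    port: int
    problem: str


def port_protocol(name: Optional[str]) -> Optional[str]:
    """Return the protocol a port name declares, or None if it declares none."""
    if not name:
        return None
    prefix = name.split("-", 1)[0].lower()
    return prefix if prefix in ISTIO_PROTOCOLS else None


def lint_service(svc: dict) -> List[Finding]:
    """Flag every port whose name does not let Istio infer the protocol."""
    findings = []
    svc_name = svc["metadata"]["name"]
    for p in svc["spec"].get("ports", []):
        if port_protocol(p.get("name")) is not None:
            continue
        if not p.get("name"):
            problem = "port has no name; Istio cannot infer the protocol"
        else:
            problem = f"port name {p['name']!r} lacks a known protocol prefix"
        findings.append(Finding(svc_name, p["port"], problem))
    return findings


# Constructed manifests: the shape that reproduces the issue, and the fix from #4.
BROKEN_SERVICE = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "helloweb-backend"},
    "spec": {"ports": [{"port": 80, "targetPort": 8080}]},  # unnamed port
}
FIXED_SERVICE = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "helloweb-backend"},
    "spec": {"ports": [{"name": "http-helloweb", "port": 80, "targetPort": 8080}]},
}

if __name__ == "__main__":
    for svc in (BROKEN_SERVICE, FIXED_SERVICE):
        for f in lint_service(svc):
            print(f"{f.service}:{f.port}: {f.problem}")
```

Run the lint over rendered manifests before applying a per-service Policy; a clean run on the fixed Service and one finding on the broken one is the expected result.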