I have a sample helloweb service deployed in the default namespace that I can access through the ingress-gateway.
If I set a jwtPolicy for the whole ingress-gateway, I can see that the JWT validation happens fine, and with a valid JWT token I can get access to this service.
What’s your TLS setting for helloweb-backend? Did you enable mTLS in the auth policy by default? If that’s the case, you need to modify your “helloweb-policy” to include the mTLS setting as well (or you can modify the destination rule to exclude the helloweb-backend from mTLS).
I am working with @chaturvedia. mTLS is enabled. However, when we add the mTLS setting to the helloweb-policy (as shown below), all requests go through, even without a JWT token.
I think @chaturvedia solved this by naming the service port according to Istio guidelines; could you double-check whether this applies to you? You can also check your authentication policy to make sure it has both the mTLS and the JWT spec.
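For reference, the configuration the two replies above are describing (a service port named per Istio's conventions, an authentication Policy that carries both the mTLS peer setting and the JWT origin setting, and a DestinationRule whose client-side TLS mode matches it). This is an added example written for this thread, not configuration posted by any participant; it uses the `authentication.istio.io/v1alpha1` Policy API that this thread is about, and the issuer, jwksUri and port number are placeholder assumptions.

```yaml
# Added example, not from the thread. Placeholders: issuer, jwksUri, port 8080.
apiVersion: v1
kind: Service
metadata:
  name: helloweb-backend
  namespace: default
spec:
  selector:
    app: helloweb-backend
  ports:
  - name: http          # must be "http" or "http-<suffix>" so the sidecar treats it as HTTP
    port: 8080          # assumption
    targetPort: 8080
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: helloweb-policy
  namespace: default
spec:
  targets:
  - name: helloweb-backend
  peers:
  - mtls: {}            # transport authentication: caller must present an Istio mTLS cert
  origins:
  - jwt:
      issuer: "https://issuer.example.com"                         # assumption
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # assumption
  principalBinding: USE_ORIGIN   # request identity is taken from the JWT, not the peer cert
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: helloweb-backend
  namespace: default
spec:
  host: helloweb-backend.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # client side must agree with the Policy's peers/mtls setting
```

The server-side Policy (peers) and the client-side DestinationRule (tls.mode) have to agree: a Policy requiring mTLS with a DestinationRule in DISABLE mode gives 503s, and the reverse combination lets the sidecar send mTLS to a plaintext listener. If the port is not named `http`/`http-*`, the listener is treated as TCP and the JWT filter is not installed on it, so requests without a token are not rejected there.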
Can you send us both the destination rules and policy in your system? Does it work if you keep the policy but remove the origins (jwt) part, or remove the policy completely?
My theory is that the destination rule may have incorrect TLS settings.