I would like to enable a policy to enforce jwt origin authentication for requests hitting the ingressgateway, but only for requests for certain hosts. i.e., requests to https://secure.example.com should require jwt origin authentication, but https://www.example.com should not.
The use case is that I have services running in the mesh that serve static content for React apps which need to be accessed without origin authentication, but service calls to API endpoints running in the mesh need jwt origin authentication. Also, some of the API services need to talk to each other with just peer authentication (for periodic tasks that do not have an external origin).
I know I could add path based exclusion rules in my policies, but that doesn’t scale very well and would be hard to maintain.
One option I am considering is to create a custom ingress gateway similar to https://istio.io/blog/2019/custom-ingress-gateway/ and only apply the Policy object requiring jwt origin authentication to traffic targeting the custom gateway, and then use the default “istio-ingressgateway” for services that do not require jwt origin authentication.
Does anyone know of a simpler way to accomplish this without using two different ingress gateways?
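Added example, not part of the original post: one way to scope JWT enforcement by host on a single ingress gateway, using the RequestAuthentication and AuthorizationPolicy resources (security.istio.io/v1beta1) that replaced the alpha Policy object mentioned above. The issuer, JWKS URL and the istio-system namespace are assumed placeholders; the hostnames come from the post.

```yaml
# Added example (not from the original post). Assumes Istio's v1beta1
# security API and an ingress gateway labelled istio=ingressgateway
# in the istio-system namespace.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-on-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  # Validates any JWT presented at the gateway; requests WITHOUT a token
  # are still let through, so enforcement happens in the policy below.
  jwtRules:
  - issuer: "https://issuer.example.com"                         # assumed
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # assumed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-for-secure-host
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  # Deny requests to secure.example.com that carry no validated request
  # principal (i.e. no valid JWT). Requests to www.example.com do not match
  # this rule and are unaffected, so the static React content stays open.
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        hosts: ["secure.example.com"]
```

Requests to secure.example.com with a token from a different issuer are rejected by RequestAuthentication itself, while requests with no token at all are rejected by the DENY rule; both resources attach to the one existing gateway.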