I have 2 k8s clusters with istio 1.5 authentication and jwt token enabled.
Authentication works with JWT tokens custom headers x-jwt-cluster1/x-jwt-cluster2.
I need to make an external call to app1 in cluster1,
then app1 should call app2 in cluster2.
But when I use in single call 2 jwt tokens with headers x-jwt-cluster1 and x-jwt-cluster2 and I call app1 (cluster1) which then has to call -> app2 (cluster2) I get 500/403 RBAC permission denied error
Please suggest how it’s possible to deal with this case. I know it’s possible to use EnvoyFilter to propagate headers between services, but I’d prefer to step on something more istio-like/standard solution
Also an option with using
forwardOriginalToken didn’t work
jwtRules: - fromHeaders: - name: x-jwt-cluster1 issuer: firstname.lastname@example.org jwks: MYPARAMS jwtHeaders: - x-jwt-cluster1 selector: matchLabels: app: my-app