Hi! I’m really struggling with JWT auth config. I have two seperate apps in different namespaces that are using the same istio-ingress gateway (Gateway resource) with seperate virtual services. One of the apps need JWT authentication while the other one does not which does not allow me to use the approach mentioned in the docs that uses a RequestAuthentication/AuthorizationPolicy pair in the istio-system namepsace, attached to the ingress gateway directly.
What I wanted to do and I thought was possible, is to use workload labels, as mentioned in the docs. Both my apps have app
labels assigned with their respective values. However when I deploy the following manifest along with my app that requires JWT auth, it is not taking any effect. No matter what I type in to the issuer, requestPrincipals field - it seems that envoy is not picking up this config at all even though the resources are created properly, in the apps namespace.
When I tried applying the “root” RequestAuthentication/AuthorizationPolicy pair attached to the istio Gateway resource that resides in the istio-system namespace the JWT auth seemed to work as I received an RBAC: access denied message on my other app.
Any idea what I am missing? Do I need some labels in my VirtualService resource? I attached my VirtualService config as well in case I messed something up there.
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: "test-vs"
spec:
hosts:
- "test.test.cloud"
gateways:
- istio-system/gateway
http:
- name: "test-users-api-route"
match:
- uri:
prefix: "/api/test"
route:
- destination:
host: "test-users.default.svc.cluster.local"
port:
number: 4000
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: "test-jwt"
spec:
selector:
matchLabels:
app: "test-users"
jwtRules:
- issuer: https://test-keycloak.test.cloud/auth/realms/test
jwksUri: https://test-keycloak.test.cloud/auth/realms/test/protocol/openid-connect/certs
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: "test-jwt"
spec:
selector:
matchLabels:
app: "test-users"
rules:
- from:
- source:
requestPrincipals: ["*"]