I have a keycloak instance inside the mesh with an authorizationPolicy:
and a requestAuthentication which pulls from this server internally:
However, istiod fails to pull the public cert because it's blocked by the AuthorizationPolicy:
Failed to refresh JWT public key from "http://keycloak.foo:80/realms/bar/protocol/openid-connect/certs": status 403, message "RBAC: access denied"
In the logs for the keycloak's envoy I can see that the istiod call trying to pull the cert doesn't have a principal populated, and so isn't using a cert.
If I switch the AuthenticationPolicy to allow internal traffic, it works:
However, this feels wrong. I feel like I should be able to use a principal, or in general that istiod should act like it's part of its own mesh. I've seen other issues about not being able to use STRICT mTLS mode for the JWKS source, which seems related. Does anyone know of a smarter way of allowing istiod to pull the cert without overly exposing the keycloak instance?
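The following AuthorizationPolicy is an added example and not part of the post above or of the poster's manifests. It narrows the "allow internal traffic" workaround to the one request istiod actually makes: a plaintext GET, with no peer certificate and therefore no principal, against the JWKS path seen in the 403 log line. The namespace `foo`, the `app: keycloak` selector and the `cluster.local/ns/bar/sa/frontend` principal are assumptions; the JWKS path is the one from the error message.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: keycloak
  namespace: foo            # assumed: "keycloak.foo" in the log implies this namespace
spec:
  selector:
    matchLabels:
      app: keycloak         # assumed label on the Keycloak pods
  action: ALLOW
  rules:
  # Rule 1: ordinary callers keep needing a mesh identity (mTLS peer cert).
  - from:
    - source:
        principals:
        - "cluster.local/ns/bar/sa/frontend"   # assumed: the workloads that really call Keycloak
  # Rule 2: the JWKS document only contains public keys, so allow exactly
  # that path, read-only, from any source. istiod's fetch arrives without a
  # peer certificate, so no principals/namespaces condition could match it;
  # every other path on Keycloak still falls through to deny.
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/realms/bar/protocol/openid-connect/certs"]
```

Check it with the same failure you already observed: the istiod "Failed to refresh JWT public key" message should stop, while a plaintext `curl http://keycloak.foo/realms/bar/` from a non-mesh pod must still return `RBAC: access denied`. Note the caveat the poster's STRICT mTLS remark points at: a PeerAuthentication in STRICT mode on Keycloak rejects istiod's plaintext connection before authorization runs, so this rule only helps while the Keycloak sidecar is PERMISSIVE. If you want STRICT there, the other option Istio gives you is to paste the key set into the RequestAuthentication `jwks` field instead of `jwksUri`, which removes the fetch entirely at the cost of rotating the keys by hand.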