Skip to content

Instantly share code, notes, and snippets.

@TimVosch

TimVosch/MTLS.yaml

Created August 10, 2020 09:04
Show Gist options
  • Save TimVosch/b258d68cd869954a2383fb7a80d79c3d to your computer and use it in GitHub Desktop.
Save TimVosch/b258d68cd869954a2383fb7a80d79c3d to your computer and use it in GitHub Desktop.
Download ZIP
Istio mTLS jwksUri fail
Raw
logs
2020-08-10T09:01:58.708530Z error model Failed to fetch public key from "http://sb-key-management.default.svc.cluster.local/public/user-jwt/": Get "http://sb-key-management.default.svc.cluster.local/public/user-jwt/": read tcp 10.1.2.121:38606->10.110.136.13:80: read: connection reset by peer
2020-08-10T09:01:58.708559Z error Failed to fetch jwt public key from "http://sb-key-management.default.svc.cluster.local/public/user-jwt/": Get "http://sb-key-management.default.svc.cluster.local/public/user-jwt/": read tcp 10.1.2.121:38606->10.110.136.13:80: read: connection reset by peer
2020-08-10T09:01:58.709086Z error authorization skipped rule ns[default]-policy[sb-allow-identity]-rule[0]: :method must not be used in TCP
2020-08-10T09:01:58.709114Z error authorization skipped rule ns[default]-policy[sb-allow-identity]-rule[1]: request.auth.principal must not be used in TCP
2020-08-10T09:01:58.709839Z info ads LDS: PUSH for node:sb-identity-fc598598d-qzv26.default listeners:29
2020-08-10T09:01:58.710193Z info ads RDS: PUSH for node:sb-identity-fc598598d-qzv26.default routes:19
2020-08-10T09:01:58.730382Z warn ads ADS:LDS: ACK ERROR sidecar~10.1.2.119~sb-identity-fc598598d-qzv26.default~default.svc.cluster.local-14 Internal:Error adding/updating listener(s) virtualInbound: Proto constraint validation failed (JwtAuthenticationValidationError.Providers[key]: ["embedded message failed validation"] | caused by JwtProviderValidationError.LocalJwks: ["embedded message failed validation"] | caused by DataSourceValidationError.InlineString: ["value length must be at least " '\x01' " bytes"]): providers {
key: "origins-0"
value {
issuer: "identity"
local_jwks {
inline_string: ""
}
forward: true
payload_in_metadata: "identity"
}
}
rules {
match {
prefix: "/"
}
requires {
requires_any {
requirements {
provider_name: "origins-0"
}
requirements {
allow_missing {
}
}
}
}
}
Raw
management-authz.yaml
#
# This is a service that requires JWT authentication
# because a RequestAuthentication resource is created with a jwksUri,
# istiod will make a request to that uri, but fails (see logs)
#
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: sb-auth-management
annotations:
helm.sh/hook: post-install,post-upgrade
spec:
selector:
matchLabels:
app: sb-management
jwtRules:
- issuer: "identity"
jwksUri: "http://sb-key-management.default.svc.cluster.local/public/user-jwt/"
# forwardOriginalToken: true
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: sb-allow-management
spec:
selector:
matchLabels:
app: sb-management
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["*"]
Raw
MTLS.yaml
#
# Enable mTLS mesh-wide
#
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: default
namespace: istio-system
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment