I'm still somewhat new to Istio and have a bit of a weird setup that is mostly working. I would like to use my Istio service mesh as a DB proxy (that part works); where I'm stuck is getting JWT working with Keycloak.
Pretty sure the RequestAuthentication and AuthorizationPolicy are the issue. If I remove the AuthorizationPolicy, traffic works without authentication. If I enable it, it fails.
It's possible that it has the correct config, but the issue is potentially that I'm trying to add a JWT to a header on traffic that is TCP and not HTTP(S). From the examples I've seen, for the packet to be respected by the AuthorizationPolicy, it needs to have the JWT token in the header. But I'm not sure I have a way of embedding the token with Postgres.
Notes:
I can query and pull the Keycloak token via curl to the API using client-id and secret.
Python test script shows a successful auth to Keycloak but fails on DB connection.
If I remove the AuthorizationPolicy it works.
Works with a regular http service, like a plain website.
Any ideas would be appreciated!
Testing Script:
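As an added example (not the poster's manifests or testing script), the two AuthorizationPolicy shapes this question contrasts: a JWT-based ALLOW rule, which Istio can only evaluate on HTTP requests, next to a rule for the Postgres TCP port that authorizes on the client's mTLS identity instead. Namespace "db", label app=postgres, port 5432 and the client service account are placeholders.

```yaml
# Added example, not the poster's manifests. Placeholders: namespace "db",
# workload label app=postgres, client service account "db-client".
# HTTP-only rule: requestPrincipals is populated from a JWT that a
# RequestAuthentication validated out of the HTTP Authorization header.
# A Postgres connection is raw TCP and carries no such header, so this
# ALLOW rule can never match and every connection to 5432 is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: postgres-require-jwt
  namespace: db
spec:
  selector:
    matchLabels:
      app: postgres
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        ports: ["5432"]
---
# TCP-capable alternative: authorize on the client's mTLS (SPIFFE) identity,
# which the sidecar verifies at the transport layer, so it works on any port.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: postgres-allow-db-client
  namespace: db
spec:
  selector:
    matchLabels:
      app: postgres
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/db/sa/db-client"]   # placeholder SA
    to:
    - operation:
        ports: ["5432"]
```

The requestPrincipals rule is the right shape for the HTTP services where JWT already works; for the Postgres port the caller's identity has to come from peer mTLS, because Istio evaluates JWT rules only on HTTP traffic and a TCP stream has no header to carry the token.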