istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0

Istio-ingressgateway with RequestAuthentication applied segfaults in Envoy if JWKS fails to return a valid payload #29212

Closed arcivanov closed 3 years ago

arcivanov commented 3 years ago

In Istio 1.7.3, istio-ingressgateway with RequestAuthentication applied segfaults in Envoy and fails to come up if JWKS fails to return a valid payload.

There are three scenarios that all fail identically:

  1. jwtRules.issuer refers to a URL that is either behind the ingress itself or is otherwise unavailable, causing OIDC .well-known/openid-configuration lookup to fail and thus no JWKS being available.
  2. jwtRules.jwksUri is specified but is similarly unavailable as in [1].
  3. jwtRules.jwksUri has a typo causing JWKS to not be available.

This is related to #25578

$ kubectl logs istio-ingressgateway-794688f8d5-5rgjs -n istio-system -f
2020-11-26T10:16:06.670354Z     info    FLAG: --concurrency="0"
2020-11-26T10:16:06.670392Z     info    FLAG: --disableInternalTelemetry="false"
2020-11-26T10:16:06.670397Z     info    FLAG: --domain="istio-system.svc.cluster.local"
2020-11-26T10:16:06.670400Z     info    FLAG: --help="false"
2020-11-26T10:16:06.670402Z     info    FLAG: --id=""
2020-11-26T10:16:06.670405Z     info    FLAG: --ip=""
2020-11-26T10:16:06.670407Z     info    FLAG: --log_as_json="false"
2020-11-26T10:16:06.670409Z     info    FLAG: --log_caller=""
2020-11-26T10:16:06.670412Z     info    FLAG: --log_output_level="default:info"
2020-11-26T10:16:06.670414Z     info    FLAG: --log_rotate=""
2020-11-26T10:16:06.670416Z     info    FLAG: --log_rotate_max_age="30"
2020-11-26T10:16:06.670419Z     info    FLAG: --log_rotate_max_backups="1000"
2020-11-26T10:16:06.670431Z     info    FLAG: --log_rotate_max_size="104857600"
2020-11-26T10:16:06.670434Z     info    FLAG: --log_stacktrace_level="default:none"
2020-11-26T10:16:06.670441Z     info    FLAG: --log_target="[stdout]"
2020-11-26T10:16:06.670444Z     info    FLAG: --meshConfig="./etc/istio/config/mesh"
2020-11-26T10:16:06.670446Z     info    FLAG: --mixerIdentity=""
2020-11-26T10:16:06.670448Z     info    FLAG: --outlierLogPath=""
2020-11-26T10:16:06.670450Z     info    FLAG: --proxyComponentLogLevel="misc:error"
2020-11-26T10:16:06.670453Z     info    FLAG: --proxyLogLevel="warning"
2020-11-26T10:16:06.670455Z     info    FLAG: --serviceCluster="istio-ingressgateway"
2020-11-26T10:16:06.670457Z     info    FLAG: --serviceregistry="Kubernetes"
2020-11-26T10:16:06.670460Z     info    FLAG: --stsPort="0"
2020-11-26T10:16:06.670462Z     info    FLAG: --templateFile=""
2020-11-26T10:16:06.670465Z     info    FLAG: --tokenManagerPlugin="GoogleTokenExchange"
2020-11-26T10:16:06.670467Z     info    FLAG: --trust-domain="cluster.local"
2020-11-26T10:16:06.670491Z     info    Version 1.7.3-9686754643d0939c1f4dd0ee20443c51183f3589-Clean
2020-11-26T10:16:06.670628Z     info    Obtained private IP [100.122.123.77]
2020-11-26T10:16:06.670704Z     info    Apply mesh config from file accessLogEncoding: JSON
accessLogFile: /dev/stdout
defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  proxyMetadata:
    DNS_AGENT: ""
  tracing:
    zipkin:
      address: zipkin.istio-system:9411
disableMixerHttpReports: true
enablePrometheusMerge: true
rootNamespace: istio-system
trustDomain: cluster.local
2020-11-26T10:16:06.672273Z     info    Effective config: binaryPath: /usr/local/bin/envoy
concurrency: 0
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod.istio-system.svc:15012
drainDuration: 45s
envoyAccessLogService: {}
envoyMetricsService: {}
parentShutdownDuration: 60s
proxyAdminPort: 15000
proxyMetadata:
  DNS_AGENT: ""
serviceCluster: istio-ingressgateway
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s
tracing:
  zipkin:
    address: zipkin.istio-system:9411

2020-11-26T10:16:06.672329Z     info    Proxy role: &model.Proxy{Type:"router", IPAddresses:[]string{"100.122.123.77"}, ID:"istio-ingressgateway-794688f8d5-5rgjs.istio-system", Locality:(*envoy_config_core_v3.Locality)(nil), DNSDomain:"istio-system.svc.cluster.local", ConfigNamespace:"", Metadata:(*model.NodeMetadata)(nil), SidecarScope:(*model.SidecarScope)(nil), PrevSidecarScope:(*model.SidecarScope)(nil), MergedGateway:(*model.MergedGateway)(nil), ServiceInstances:[]*model.ServiceInstance(nil), IstioVersion:(*model.IstioVersion)(nil), ipv6Support:false, ipv4Support:false, GlobalUnicastIP:"", XdsResourceGenerator:model.XdsResourceGenerator(nil), Active:map[string]*model.WatchedResource(nil), ActiveExperimental:map[string]*model.WatchedResource(nil), RequestedTypes:struct { CDS string; EDS string; RDS string; LDS string }{CDS:"", EDS:"", RDS:"", LDS:""}}
2020-11-26T10:16:06.672333Z     info    JWT policy is first-party-jwt
2020-11-26T10:16:06.672377Z     info    PilotSAN []string{"istiod.istio-system.svc"}
2020-11-26T10:16:06.672381Z     info    MixerSAN []string{"spiffe://cluster.local/ns/istio-system/sa/istio-mixer-service-account"}
2020-11-26T10:16:06.672413Z     info    sa.serverOptions.CAEndpoint == istiod.istio-system.svc:15012
2020-11-26T10:16:06.672417Z     info    Using user-configured CA istiod.istio-system.svc:15012
2020-11-26T10:16:06.672419Z     info    istiod uses self-issued certificate
2020-11-26T10:16:06.672469Z     info    the CA cert of istiod is: -----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----

2020-11-26T10:16:06.725201Z     info    Starting gateway SDS
2020-11-26T10:16:06.827298Z     info    sds     SDS gRPC server for workload UDS starts, listening on "./etc/istio/proxy/SDS" 

2020-11-26T10:16:06.827531Z     info    sds     Start SDS grpc server
2020-11-26T10:16:06.827800Z     info    sds     SDS gRPC server for gateway controller starts, listening on "./var/run/ingress_gateway/sds" 

2020-11-26T10:16:06.827891Z     info    Starting proxy agent
2020-11-26T10:16:06.827889Z     info    sds     Start SDS grpc server for ingress gateway proxy
2020-11-26T10:16:06.827912Z     info    Opening status port 15020

2020-11-26T10:16:06.827936Z     info    Received new config, creating new Envoy epoch 0
2020-11-26T10:16:06.828498Z     info    Epoch 0 starting
2020-11-26T10:16:06.833885Z     info    Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster istio-ingressgateway --service-node router~100.122.123.77~istio-ingressgateway-794688f8d5-5rgjs.istio-system~istio-system.svc.cluster.local --local-address-ip-version v4 --log-format-prefix-with-location 0 --log-format %Y-%m-%dT%T.%fZ    %l      envoy %n        %v -l warning --component-log-level misc:error]
2020-11-26T10:16:06.874608Z     warning envoy runtime   Unable to use runtime singleton for feature envoy.reloadable_features.activate_fds_next_event_loop
2020-11-26T10:16:06.910158Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, no healthy upstream
2020-11-26T10:16:06.910363Z     warning envoy config    Unable to establish new stream
2020-11-26T10:16:06.921254Z     info    sds     resource:default new connection
2020-11-26T10:16:06.921341Z     info    sds     Skipping waiting for gateway secret
2020-11-26T10:16:07.590133Z     info    cache   Root cert has changed, start rotating root cert for SDS clients
2020-11-26T10:16:07.590270Z     info    cache   GenerateSecret default
2020-11-26T10:16:07.590846Z     info    sds     resource:default pushed key/cert pair to proxy
2020-11-26T10:16:07.593224Z     warning envoy main      there is no configured limit to the number of allowed active connections. Set a limit via the runtime key overload.global_downstream_max_connections
2020-11-26T10:16:07.709195Z     info    sds     resource:ROOTCA new connection
2020-11-26T10:16:07.709383Z     info    sds     Skipping waiting for gateway secret
2020-11-26T10:16:07.709413Z     info    cache   Loaded root cert from certificate ROOTCA
2020-11-26T10:16:07.709601Z     info    sds     resource:ROOTCA pushed root cert to proxy
2020-11-26T10:16:07.775109Z     warning envoy config    gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8080: Proto constraint validation failed (JwtAuthenticationValidationError.Providers[key]: ["embedded message failed validation"] | caused by JwtProviderValidationError.LocalJwks: ["embedded message failed validation"] | caused by DataSourceValidationError.InlineString: ["value length must be at least " '\x01' " bytes"]): providers {
  key: "origins-0"
  value {
    issuer: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm1"
    local_jwks {
      inline_string: "{\"keys\":[{\"kid\":\"snip\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"snip\"],\"x5t\":\"snip\",\"x5t#S256\":\"snip\"}]}"
    }
    forward: true
    payload_in_metadata: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm1"
  }
}
providers {
  key: "origins-1"
  value {
    issuer: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm2"
    local_jwks {
      inline_string: "{\"keys\":[{\"kid\":\"snip\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"snip"],\"x5t\":\"snip\",\"x5t#S256\":\"snip\"}]}"
    }
    forward: true
    payload_in_metadata: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm2"
  }
}
providers {
  key: "origins-2"
  value {
    issuer: "https://dev.example.com/bad/url/oauth"
    local_jwks {
      inline_string: ""
    }
    forward: true
    payload_in_metadata: "https://dev.example.com/bad/url/oauth"
  }
}
rules {
  match {
    prefix: "/"
  }
  requires {
    requires_any {
      requirements {
        provider_name: "origins-0"
      }
      requirements {
        provider_name: "origins-1"
      }
      requirements {
        provider_name: "origins-2"
      }
      requirements {
        requires_all {
          requirements {
            requires_any {
              requirements {
                provider_name: "origins-0"
              }
              requirements {
                allow_missing {
                }
              }
            }
          }
          requirements {
            requires_any {
              requirements {
                provider_name: "origins-1"
              }
              requirements {
                allow_missing {
                }
              }
            }
          }
          requirements {
            requires_any {
              requirements {
                provider_name: "origins-2"
              }
              requirements {
                allow_missing {
                }
              }
            }
          }
        }
      }
    }
  }
}

0.0.0.0_8443: Proto constraint validation failed (JwtAuthenticationValidationError.Providers[key]: ["embedded message failed validation"] | caused by JwtProviderValidationError.LocalJwks: ["embedded message failed validation"] | caused by DataSourceValidationError.InlineString: ["value length must be at least " '\x01' " bytes"]): providers {
  key: "origins-0"
  value {
    issuer: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm1"
    local_jwks {
      inline_string: "{\"keys\":[{\"kid\":\"snip\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"snip\"],\"x5t\":\"snip\",\"x5t#S256\":\"snip\"}]}"
    }
    forward: true
    payload_in_metadata: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm1"
  }
}
providers {
  key: "origins-1"
  value {
    issuer: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm2"
    local_jwks {
      inline_string: "{\"keys\":[{\"kid\":\"snip\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"snip\",\"e\":\"AQAB\",\"x5c\":[\"snip\",\"x5t#S256\":\"snip\"}]}"
    }
    forward: true
    payload_in_metadata: "http://keycloak-http.keycloak.svc.cluster.local:8080/auth/realms/realm2"
  }
}
providers {
  key: "origins-2"
  value {
    issuer: "https://dev.example.com/bad/url/oauth"
    local_jwks {
      inline_string: ""
    }
    forward: true
    payload_in_metadata: "https://dev.example.com/bad/url/oauth"
  }
}
rules {
  match {
    prefix: "/"
  }
  requires {
    requires_any {
      requirements {
        provider_name: "origins-0"
      }
      requirements {
        provider_name: "origins-1"
      }
      requirements {
        provider_name: "origins-2"
      }
      requirements {
        requires_all {
          requirements {
            requires_any {
              requirements {
                provider_name: "origins-0"
              }
              requirements {
                allow_missing {
                }
              }
            }
          }
          requirements {
            requires_any {
              requirements {
                provider_name: "origins-1"
              }
              requirements {
                allow_missing {
                }
              }
            }
          }
          requirements {
            requires_any {
              requirements {
                provider_name: "origins-2"
              }
              requirements {
                allow_missing {
                }
              }
            }
          }
        }
      }
    }
  }
}

2020-11-26T10:16:07.793476Z     critical        envoy backtrace Caught Segmentation fault, suspect faulting address 0x558b4aca3890
2020-11-26T10:16:07.793507Z     critical        envoy backtrace Backtrace (use tools/stack_decode.py to get line numbers):
2020-11-26T10:16:07.793511Z     critical        envoy backtrace Envoy version: dc78069b10cc94fa07bb974b7101dd1b42e2e7bf/1.15.1-dev/Clean/RELEASE/BoringSSL
2020-11-26T10:16:07.793736Z     critical        envoy backtrace #0: __restore_rt [0x7f639d7468a0]
2020-11-26T10:16:08.029367Z     info    sds     resource:default connection is terminated: rpc error: code = Canceled desc = context canceled
2020-11-26T10:16:08.029403Z     error   sds     Remote side closed connection
2020-11-26T10:16:08.029386Z     info    sds     resource:ROOTCA connection is terminated: rpc error: code = Canceled desc = context canceled
2020-11-26T10:16:08.029444Z     error   sds     Remote side closed connection
2020-11-26T10:16:08.029931Z     error   Epoch 0 exited with error: signal: segmentation fault (core dumped)
2020-11-26T10:16:08.029950Z     info    No more active epochs, terminating

Affected product area: Networking, Security, Upgrade

Expected behavior

No segfault; the ingress comes up and eventually obtains the JWKS, denying access until it is resolved.

Steps to reproduce the bug

  1. To istio-ingressgateway add RequestAuthentication with either:
     1.1. an issuer whose URL, when inferred, points to an inaccessible openid-configuration (permanently or temporarily, including due to the starting ingress traversal requirement), or
     1.2. a jwksUri that points to an inaccessible URL (permanently or temporarily, including due to the starting ingress traversal requirement).

Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm)

$ istioctl version --remote
client version: 1.7.3
control plane version: 1.7.3
data plane version: 1.7.3 (83 proxies)
$ kubectl version --short
Client Version: v1.18.5
Server Version: v1.18.10

How was Istio installed?

N/A

Environment where bug was observed (cloud vendor, OS, etc)

AWS/Ubuntu 20.04 LTS


howardjohn commented 3 years ago

cc @yangminzhu

yangminzhu commented 3 years ago

This should be fixed by https://github.com/istio/istio/pull/25934, but that PR is only in 1.8.

@xulingqing could we cherry-pick the fix to 1.7?

howardjohn commented 3 years ago

@yangminzhu what is the expectation? It still NACKs with that PR

yangminzhu commented 3 years ago

> @yangminzhu what is the expectation? It still NACKs with that PR

The expectation is to accept the config but the JWT verification will always fail due to the use of the fake jwks.

It shouldn't NACK, but if it did, we should look into the PR to see why it's not working as expected. John, how did you reproduce the NACK?

howardjohn commented 3 years ago
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  jwtRules:
  - issuer: "test-issuer-1@istio.io"
    jwksUri: "https://httpbin.org/get"
  - issuer: "test-issuer-2@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egressgateway
  namespace: "istio-system"
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  rules:
    - to: # only allow /allow for company.com
        - operation:
            paths: ["/allow"]
            hosts: ["www.company.com"]
    - to: # checks only a call 443 over istio mutual without JWT
      - operation:
          hosts: ["a-only.com"]
      from:
      - source:
          principals: ["cluster.local/ns/default/sa/a"]
    - to: # checks a and c can call 443 over istio mutual with JWT
      - operation:
          hosts: ["jwt-only.com"]
      from:
      - source:
          requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
    - to: # checks only a can call 443 over istio mutual with JWT
      - operation:
          hosts: ["jwt-and-a-only.com"]
      from:
      - source:
          requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
          principals: ["cluster.local/ns/default/sa/a"]
---

# The following policy redirects the request through egress gateway.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-egress
  namespace: default
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "www.company.com"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
         mode: ISTIO_MUTUAL
      hosts:
        - "*"
---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: route-via-egressgateway
  namespace: default
spec:
  hosts:
  - "www.company.com"
  gateways:
  - test-egress
  - mesh
  http:
    - match:
      - gateways:
        - mesh
        port: 80
      route:
      - destination:
          host: istio-egressgateway.istio-system.svc.cluster.local
          port:
            number: 80
        weight: 100
    - match:
      - gateways:
        - test-egress
        port: 80
      route:
      - destination:
          host: b.default.svc.cluster.local
          port:
            number: 8090
        weight: 100
      headers:
        request:
          add:
            x-egress-test: "handled-by-egress-gateway"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: route-via-egressgateway-2
  namespace: default
spec:
  hosts:
  - "a-only.com"
  - "jwt-only.com"
  - "jwt-and-a-only.com"
  gateways:
  - test-egress
  - mesh
  http:
    - match:
      - gateways:
        - mesh
        port: 80
      route:
      - destination:
          host: istio-egressgateway.istio-system.svc.cluster.local
          port:
            number: 443
        weight: 100
    - match:
      - gateways:
        - test-egress
        port: 443
      route:
      - destination:
          host: b.default.svc.cluster.local
          port:
            number: 8090
        weight: 100
      headers:
        request:
          add:
            x-egress-test: "handled-by-egress-gateway"
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "test-egress"
  namespace: default
spec:
  host: "istio-egressgateway.istio-system.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: ISTIO_MUTUAL
---

Maybe the difference is 404 vs 200 but without a valid JWKS response?

yangminzhu commented 3 years ago

> Maybe the difference is 404 vs 200 but without a valid JWKS response?

Yes, the PR only addresses the 404 case. It could be improved to also address the 200-with-invalid-JWKS case: istiod could do some basic validation, even if it is just a subset of the validation done by Envoy.
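
As an added example of the basic validation suggested in the comment above (this is not Istio's code, and not the approach taken in PR #25934, which the thread describes as substituting a fake JWKS), the Go program below checks a fetched JWKS body before it would be handed to Envoy as `local_jwks`. It rejects each of the responses seen in this thread: an empty body, an HTML error page, a 200 whose body is not a key set (the kind of response httpbin.org/get returns), and a key set with no signature key. `ValidateJWKS`, `CheckJWKSResponse` and the sample bodies are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwk holds the RFC 7517 members this preflight check inspects. The key
// material itself is not decoded; only presence and basic shape are checked.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	N   string `json:"n"`
	E   string `json:"e"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	K   string `json:"k"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// ValidateJWKS reports whether data is a key set a JWT verifier could use for
// signature checks. It is deliberately only a subset of Envoy's own checks,
// but it rejects every body seen in this thread: an empty string, an HTML or
// plain-text error page, a JSON document that is not a JWKS, and a JWKS with
// no key that is usable for signatures.
func ValidateJWKS(data []byte) error {
	if strings.TrimSpace(string(data)) == "" {
		return errors.New("jwks: empty document")
	}
	var set jwks
	if err := json.Unmarshal(data, &set); err != nil {
		return fmt.Errorf("jwks: body is not valid JSON: %w", err)
	}
	if len(set.Keys) == 0 {
		return errors.New(`jwks: "keys" array is missing or empty`)
	}
	usable := 0
	for i, k := range set.Keys {
		switch k.Kty {
		case "RSA":
			if k.N == "" || k.E == "" {
				return fmt.Errorf("jwks: key %d (kid %q): RSA key without n/e", i, k.Kid)
			}
		case "EC":
			if k.Crv == "" || k.X == "" || k.Y == "" {
				return fmt.Errorf("jwks: key %d (kid %q): EC key without crv/x/y", i, k.Kid)
			}
		case "oct":
			if k.K == "" {
				return fmt.Errorf("jwks: key %d (kid %q): oct key without k", i, k.Kid)
			}
		case "":
			return fmt.Errorf("jwks: key %d (kid %q): missing kty", i, k.Kid)
		default:
			return fmt.Errorf("jwks: key %d (kid %q): unrecognised kty %q", i, k.Kid, k.Kty)
		}
		// Keycloak also publishes "enc" keys; only "sig" (or unspecified) keys verify JWTs.
		if k.Use == "" || k.Use == "sig" {
			usable++
		}
	}
	if usable == 0 {
		return errors.New("jwks: no key usable for signature verification")
	}
	return nil
}

// CheckJWKSResponse applies the check to a fetched response, so that a 404
// (the case the PR covers) and a 200 with an unusable body (the case raised
// above) are both reported before anything is handed to Envoy as local_jwks.
func CheckJWKSResponse(status int, body []byte) error {
	if status != 200 {
		return fmt.Errorf("jwks: fetch returned HTTP %d", status)
	}
	return ValidateJWKS(body)
}

// Constructed sample bodies (not captured from any real server). The n/e
// values are placeholders, not real key material.
const (
	sampleKeycloakJWKS = `{"keys":[
  {"kid":"sig-1","kty":"RSA","alg":"RS256","use":"sig","n":"AQAB","e":"AQAB"},
  {"kid":"enc-1","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"AQAB","e":"AQAB"}]}`
	sampleEncOnlyJWKS = `{"keys":[{"kid":"enc-1","kty":"RSA","use":"enc","n":"AQAB","e":"AQAB"}]}`
	sampleHTTPBinBody = `{"args":{},"headers":{},"url":"https://httpbin.org/get"}`
	sampleHTMLError   = `<html><body><h1>404 Not Found</h1></body></html>`
)

func main() {
	for name, body := range map[string]string{
		"keycloak": sampleKeycloakJWKS, "enc-only": sampleEncOnlyJWKS,
		"httpbin": sampleHTTPBinBody, "html": sampleHTMLError, "empty": "",
	} {
		fmt.Printf("%-9s -> %v\n", name, ValidateJWKS([]byte(body)))
	}
}
```

Only the Keycloak-shaped sample passes; every other body is reported with a reason, which is the information istiod would need to log instead of emitting an empty `inline_string` that Envoy then NACKs.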

howardjohn commented 3 years ago

not stale

MirtoBusico commented 3 years ago

Using k3s v1.21.1 and Istio 1.10.1, if the RequestAuthentication fails, the istio-ingressgateway never starts. Example RequestAuthentication:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name:  p01ra
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://k6k.p01.net/auth/realms/p01project"
    jwksUri: "https://k6k.p01.net/auth/realms/p01project/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload

Here k6k.p01.net was not resolved

istio-proxy@istio-ingressgateway-7749f5c9df-nhk45:/$ curl https://k6k.p01.net/auth/realms/p01project/protocol/openid-connect/certs
curl: (6) Could not resolve host: k6k.p01.net
istio-proxy@istio-ingressgateway-7749f5c9df-nhk45:/$ 

and the istio-ingressgateway never starts and the log says:

2021-06-17T14:50:11.416751Z warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 17 successful, 0 rejected; lds updates: 0 successful, 17 rejected
2021-06-17T14:50:13.417443Z warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 17 successful, 0 rejected; lds updates: 0 successful, 17 rejected

The only solution to get the istio-ingressgateway to start is to delete the RequestAuthentication.

aliabbasjaffri commented 3 years ago

@MirtoBusico I am currently having the same problem, and the resolution that you suggested worked like a charm! But this cannot be accepted as a resolution to this issue. Is there any update on this issue from the istio team?

MirtoBusico commented 3 years ago

Well, I've found a solution. See issues #29366 and #32421.

To recap: create a private CA and install Istio using the Istio operator, inserting the CA PEM. Create a certificate signed by this CA for Keycloak (here k6k.m.net). The configuration file (istio-operator) contains:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: demo
  meshConfig:
    accessLogEncoding: TEXT
    accessLogFile: "/dev/stdout"
    accessLogFormat: ""
    outboundTrafficPolicy:
      mode: ALLOW_ANY
  values:
    pilot:
      jwksResolverExtraRootCA: |
        -----BEGIN CERTIFICATE-----
        MIIEKTCCAxGgAwIBAgIUNjT4liTyGcGTewYUb2NZj4oWMGowDQYJKoZIhvcNAQEL
        BQAwgaMxCzAJBgNVBAYTAklUMQ4wDAYDVQQIDAVJdGFseTENMAsGA1UEBwwEUm9t
        ZTEcMBoGA1UECgwTQnVzaWNvIE1pcnRvIFNpbHZpbzETMBEGA1UECwwKTGFib3Jh
        dG9yeTEcMBoGA1UEAwwTQnVzaWNvIE1pcnRvIFNpbHZpbzEkMCIGCSqGSIb3DQEJ
        ARYVbWlydG9idXNpY29AZ21haWwuY29tMB4XDTIxMDIxOTExNDA1N1oXDTMxMDIx
        NzExNDA1N1owgaMxCzAJBgNVBAYTAklUMQ4wDAYDVQQIDAVJdGFseTENMAsGA1UE
        BwwEUm9tZTEcMBoGA1UECgwTQnVzaWNvIE1pcnRvIFNpbHZpbzETMBEGA1UECwwK
        TGFib3JhdG9yeTEcMBoGA1UEAwwTQnVzaWNvIE1pcnRvIFNpbHZpbzEkMCIGCSqG
        SIb3DQEJARYVbWlydG9idXNpY29AZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEF
        AAOCAQ8AMIIBCgKCAQEAtt+v2C9p60rx1Q/yOQsgsis/dBNAo4efFlyN0Ibs9ts4
        a0LRQp4EwZpv9+tysVqGZvN4fJ99mdyiJHiFlchMfq4t+OzOHnym7Yi5khHS5/rv
        TwvwD+1igMny1FybVOxSlfdZGF5mhgRFD6mQod/hix5QJgegmygEhj0VV/i2rZhH
        FW0oMR1smLfALQQZhGJ//TgCjNlpK2D6zlxEXIr+QLyAje+kQyyqkJefY/Vggg9m
        gRFV7gu3MKKGE5B+ESfqhZbUqsKz/rsxs2L23Selp3FM+DhKIC8DM06dgAh7DYUQ
        IeIe9HT7+RTTs3KM7ArDXrF+BF+D8O/a4D3YBDhHswIDAQABo1MwUTAdBgNVHQ4E
        FgQUGHqUwQ6vRxvpB7+MCUEAwmUgbtAwHwYDVR0jBBgwFoAUGHqUwQ6vRxvpB7+M
        CUEAwmUgbtAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAVThR
        2NmNuey07twCW4/B8v6zOCeO/n8Z+waRw1XK9XmA+QPUTi+bLKvfx+7RVgaZD6SR
        EQHMCshGD7In5PbSBsrp6ocmCvcopd2iqvt2GLvJHuZy7hI+RgaMgQo9hhThHf9e
        FoW3C41Mm3ofvUubIKLEFKnCvxOsD+Ayyg69pGwNM+PQK1XvXWWYm8eroPICxriq
        8ULUgAc+leGiHbAKSXGLj6U/njyRzkxAmXzkierT1DFDHa9sZst7nCaSycKY7rBj
        GU2xRTOpYrQHcsaBZBjTT8/ag2IasCzFVeZ5+bMmTaDus5QT3tIubR8ukTx5jf0S
        BiQTL+/xni6Fxkrl3Q==
        -----END CERTIFICATE-----

And I installed with:

kubectl create ns istio-system
kubectl apply -f istio-operator

Now I can use the authentication file:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name:  m-ra
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://k6k.m.net/auth/realms/m-project"
    jwksUri: "https://k6k.m.net/auth/realms/m-project/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload

With this everything works as expected.
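
The fix above works because `jwksResolverExtraRootCA` gives istiod a root it can use to verify the Keycloak certificate when it fetches jwksUri. The following Go program is an added example, not Istio's code and not something from this thread: it reproduces that trust decision offline, using an httptest TLS server with a self-signed certificate as a stand-in for a Keycloak instance whose certificate chains to a private CA, and shows the fetch failing with system roots only and succeeding once the certificate is supplied as the extra root. The `FetchJWKS`, `rootPool` and `Demo` names and the sample JWKS body are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed sample in the shape Keycloak serves at
// .../protocol/openid-connect/certs; n/e are placeholders, not real key material.
const sampleJWKS = `{"keys":[{"kid":"demo","kty":"RSA","alg":"RS256","use":"sig","n":"AQAB","e":"AQAB"}]}`

// rootPool returns the system roots plus any certificates in extraRootCAPEM.
// An empty PEM means "system roots only"; a PEM that contains no certificate
// is an error rather than a silent fallback, because the failure mode in this
// thread was a silent lack of trust.
func rootPool(extraRootCAPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(extraRootCAPEM) > 0 && !pool.AppendCertsFromPEM(extraRootCAPEM) {
		return nil, errors.New("extra root CA PEM contains no parseable certificate")
	}
	return pool, nil
}

// FetchJWKS performs the GET istiod would do for a jwksUri, trusting the given
// extra root CA in addition to the system roots.
func FetchJWKS(uri string, extraRootCAPEM []byte) ([]byte, error) {
	pool, err := rootPool(extraRootCAPEM)
	if err != nil {
		return nil, err
	}
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
	resp, err := client.Get(uri)
	if err != nil {
		return nil, fmt.Errorf("jwks fetch %s: %w", uri, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("jwks fetch %s: HTTP %d", uri, resp.StatusCode)
	}
	// Cap the body: a JWKS is small, and an unbounded read is not needed here.
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20))
}

// DemoResult records both fetch attempts against the stand-in server.
type DemoResult struct {
	WithoutCA error
	WithCA    error
	Body      string
}

// Demo starts a TLS server with a self-signed certificate (standing in for a
// Keycloak certificate issued by a private CA), then fetches the JWKS first
// with system roots only and then with that certificate as the extra root.
func Demo() DemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sampleJWKS)
	}))
	defer srv.Close()

	// PEM-encode the server's own certificate; in the real setup this is the
	// private CA certificate placed under values.pilot.jwksResolverExtraRootCA.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})

	var res DemoResult
	_, res.WithoutCA = FetchJWKS(srv.URL, nil)
	body, err := FetchJWKS(srv.URL, caPEM)
	res.WithCA = err
	res.Body = string(body)
	return res
}

func main() {
	r := Demo()
	fmt.Println("without extra root CA:", r.WithoutCA)
	fmt.Println("with extra root CA:   ", r.WithCA)
	fmt.Println("body:", r.Body)
}
```

The first attempt fails with a certificate verification error, which is the situation the ingress gateway was in before the operator change: istiod could not validate the Keycloak certificate, so the JWKS was never obtained and the listener was rejected. The second attempt succeeds, mirroring what `jwksResolverExtraRootCA` does for istiod.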

istio-policy-bot commented 3 years ago

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-05-18. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.