Reputation: 41
Could you please help me in understanding RequestAuthentication?
When I apply a simple RequestAuthentication and restart the Pod, the envoy sidecar's ready state is false, and the logs show the warning: Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected
As soon as I delete the RequestAuthentication and recreate the pod, it works OK.
Istio 1.8.3
apiVersion: 'security.istio.io/v1beta1'
kind: RequestAuthentication
metadata:
  name: jwt-validator
spec:
  selector:
    matchLabels:
      role: api
  jwtRules:
  - issuer: "https://mykeycloak.com/auth/realms/myrealm"
When the proxy is in the LDS stale state, the following log is shown in istiod:
2021-04-10T17:30:53.326877Z warn ads ADS:LDS: ACK ERROR sidecar~10.238.2.69~PODNAME.NS~NS.svc.cluster.local-60 Internal:Error adding/updating listener(s) virtualInbound: Issuer 'MY_JWT_ISSUER_URL' in jwt_authn config has invalid local jwks: Jwks RSA [n] or [e] field is missing or has a parse error
Resolved
The issuer here is not just a string to match in the JWT, but the real URL that must be accessible from istiod, and with a valid SSL certificate.
Upvotes: 1
Views: 1861
Reputation: 8830
I'm placing this answer for better visibility.
As @Yegor Lopatin mentioned in the edit, the issue was solved by fixing the issuer:
The issuer here is not just a string to match in the JWT, but the real URL that must be accessible from istiod, and with a valid SSL certificate.
The issuer must be a valid and accessible link. I thought it was just a string, which you compare with when reading the JWT.
e.g.
jwtRules:
- issuer: "[email protected]"
  jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"
There are tutorials you might refer to when you're setting up JWT with istio:
Upvotes: 2
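A preflight check for a jwtRules entry, added here as an example that is not from the question, the answer or the Istio project: it applies the two points made above (an issuer without jwksUri must be a real https URL that istiod can fetch discovery from, and the served JWKS must carry the RSA n and e fields the istiod warning complains about) to a rule before it is applied. The JWKS document embedded below is constructed; fetch_jwks is the only part that touches the network and uses default certificate verification.

```python
import json
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample JWKS: one usable RSA key and one that lacks the modulus "n",
# the condition behind istiod's "Jwks RSA [n] or [e] field is missing" warning.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "good", "alg": "RS256", "e": "AQAB",
     "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wlu2Hn7z"},
    {"kty": "RSA", "kid": "broken", "alg": "RS256", "e": "AQAB"},
]})
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")  # JWK fields are unpadded base64url


def jwks_problems(jwks_text):
    """Return a list of problems with a JWKS document; an empty list means it looks usable."""
    try:
        keys = json.loads(jwks_text).get("keys", [])
    except ValueError as exc:
        return [f"JWKS is not valid JSON: {exc}"]
    problems = [] if keys else ["JWKS has no keys"]
    for i, key in enumerate(keys):
        kid = key.get("kid", f"#{i}")
        if key.get("kty") == "RSA":
            for field in ("n", "e"):
                value = key.get(field)
                if not isinstance(value, str) or not B64URL.match(value):
                    problems.append(f"RSA key {kid}: field [{field}] missing or not base64url")
    return problems


def rule_problems(issuer, jwks_uri=None):
    """Check a single jwtRules entry the way the failure on this page surfaced."""
    if jwks_uri is None:
        # Without jwksUri, istiod fetches <issuer>/.well-known/openid-configuration
        # itself, so the issuer must be an https URL, not an opaque label.
        parsed = urlparse(issuer)
        if parsed.scheme != "https" or not parsed.netloc:
            return [f"issuer {issuer!r} is not an https URL and no jwksUri is set"]
    return []


def fetch_jwks(issuer, jwks_uri=None, timeout=10):
    """Resolve the JWKS as istiod would: discovery document first, then the jwks_uri."""
    ctx = ssl.create_default_context()  # verifies the certificate, like istiod does
    if jwks_uri is None:
        with urllib.request.urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration",
                                    context=ctx, timeout=timeout) as resp:
            jwks_uri = json.load(resp)["jwks_uri"]
    with urllib.request.urlopen(jwks_uri, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()
```

Run rule_problems and jwks_problems(fetch_jwks(...)) on the rule you intend to apply; a non-empty list is the same condition that left the sidecar with a rejected LDS update.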