I am trying to configure an Istio authentication policy to validate our JWTs.
I set up the policy and can see that it takes effect, but it does not allow any connections through. When the policy is applied, if I check the istio-pilot logs I can see that it fails to retrieve the signing key, with a certificate error.
2018-10-24T03:22:41.052354Z error model Failed to fetch pubkey from "https://iam.company.com.au/oauth2/jwks": Get https://iam.company.com.au/oauth2/jwks: x509: certificate signed by unknown authority
2018-10-24T03:22:41.052371Z warn Failed to fetch jwt public key from "https://iam.company.com.au/oauth2/jwks "
I assume this is because that server uses a TLS certificate signed by our corporate CA.
How do I get istio-pilot to trust certificates from our CA? I have already tried installing ca-certificates on Ubuntu and including our CA public key, but it still does not work.
Policy:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "our-service-jwt-example"
spec:
  targets:
  - name: our-service
  origins:
  - jwt:
      issuer: iam.company.com.au
      audiences:
      - YRhT8xWtcLrOQmqJUGPA1p6O6mUa
      jwksUri: "https://iam.company.com.au/oauth2/jwks"
  principalBinding: USE_ORIGIN
Pilot resolves the JWKS on behalf of Envoy. In this case Pilot needs to have the CA certificate. Currently there is no way to add a CA certificate to Pilot unless you add the certificate when deploying Pilot in Istio. https://github.com/istio/istio/blob/master/pilot/pkg/model/jwks_resolver.go
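To see concretely what Pilot's resolver runs into, here is an added Go example (not Istio's code): a local TLS server whose certificate is unknown to the system trust store stands in for iam.company.com.au behind a corporate CA and serves a constructed JWKS document. The first fetch fails with the same x509 error as in the log above; the second succeeds once the issuing certificate is placed in the client's root pool, which is what Pilot would need to do with the corporate CA certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// Constructed JWKS document served by the stand-in IdP (not a real key).
const sampleJWKS = `{"keys":[{"kty":"RSA","kid":"example-kid","use":"sig","n":"AQAB","e":"AQAB"}]}`

// fetchJWKS fetches a JWKS document over TLS and returns how many keys it holds.
// roots == nil means the system trust store; a pool holding the corporate CA is the
// fix. InsecureSkipVerify would also "work" but lets a network attacker supply keys.
func fetchJWKS(url string, roots *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	var doc struct {
		Keys []json.RawMessage `json:"keys"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return 0, err
	}
	return len(doc.Keys), nil
}

// Demo stands up a TLS server whose certificate is unknown to the system store
// (like iam.company.com.au behind a corporate CA), reproduces Pilot's error,
// then retries with that certificate trusted as a root.
func Demo() (systemErr error, keysWithCA int, caErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(sampleJWKS))
	}))
	defer srv.Close()
	url := srv.URL + "/oauth2/jwks"
	_, systemErr = fetchJWKS(url, nil) // "x509: certificate signed by unknown authority"
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // stands in for the corporate CA certificate
	keysWithCA, caErr = fetchJWKS(url, pool)
	return systemErr, keysWithCA, caErr
}
```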