DIY — Istio — validate JWT
In this DIY article, we will see how Istio can help us protect an application that is not designed to support security.
This article is meant as an introduction to Istio rather than as a solution ready for production.
What will we do?
We will deploy an application that exposes a service with no security.
Then we will use Istio and configure its ingress gateway to ensure every call contains a JWT from a trusted issuer in an HTTP header.
The last section shows the Terraform files to deploy the target system on your local k8s instance.
What do we need?
You must have Docker and Istio installed on your machine. You have to enable Kubernetes in your Docker installation. This tutorial works with OrbStack and Docker Desktop.
We need a simple server application. You can find a small Go application that exposes /hello in the following GitHub repository.
We also need an OIDC server. You can use a Keycloak instance or any other implementation. If you don’t have any available, I have implemented the minimum set of OIDC protocols used in this tutorial in an application available here. You can download it and use it for this article. I will assume the OIDC server runs on the local machine.
Initial setup
Launch your OIDC server.
