When working with Istio you can expect to run into the following issues:
Cause: The istio-proxy sidecar caches the JWKS with a TTL of 20 minutes. The TTL is a hardcoded parameter (JwtPubKeyRefreshInterval) and cannot be configured. Redeploying Keycloak can change the alg, so the JWKS cached by the istio-proxy sidecar is no longer valid.
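To confirm that this is what is happening, compare the header of a rejected token with the JWKS the issuer currently publishes. The following script is an added example, not code from the page or from Istio; the JWKS document, the token and the Keycloak URL in it are constructed sample values. If the token's kid and alg are present in the JWKS fetched from Keycloak but the sidecar still rejects it, the sidecar is working from its stale 20-minute cache.

```python
import base64
import json
import urllib.request
from typing import Tuple

# Constructed sample (not data from the page): a JWKS document in the shape
# Keycloak publishes at <realm>/protocol/openid-connect/certs, holding one key.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "key-before-redeploy", "kty": "RSA", "alg": "RS256",
         "use": "sig", "n": "not-a-real-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header; the signature is not checked here."""
    return json.loads(b64url_decode(token.split(".")[0]))


def make_unsigned_sample_token(kid: str, alg: str = "RS256") -> str:
    """Build a token carrying the given header for offline testing. The
    signature segment is a placeholder: this is a constructed token, not a
    real Keycloak token, and would never pass verification."""
    header = b64url_encode(json.dumps({"kid": kid, "alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": "https://keycloak.example/realms/demo"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwks_has_key_for(jwks: dict, token: str) -> Tuple[bool, str]:
    """True if the JWKS holds a key whose kid (and alg, when the key states one)
    matches the token header, which is what the sidecar needs to verify it."""
    hdr = jwt_header(token)
    kid, alg = hdr.get("kid"), hdr.get("alg")
    known = [k.get("kid") for k in jwks.get("keys", [])]
    for key in jwks.get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("alg") not in (None, alg):
            return False, f"kid {kid} present but alg differs: token {alg}, JWKS {key.get('alg')}"
        return True, f"kid {kid} / alg {alg} present in JWKS"
    return False, f"kid {kid} not in JWKS (kids published: {known})"


def fetch_jwks(url: str) -> dict:
    """Fetch the issuer's current JWKS (the jwksUri of the RequestAuthentication)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run against the constructed JWKS; replace SAMPLE_JWKS with
    # fetch_jwks("<your realm certs URL>") and the sample token with a real one.
    for kid in ("key-before-redeploy", "key-after-redeploy"):
        ok, why = jwks_has_key_for(SAMPLE_JWKS, make_unsigned_sample_token(kid))
        print(f"{'OK ' if ok else 'BAD'} {why}")
```

A token whose kid is missing from the live JWKS points at the token (wrong realm, or a leftover from before the redeploy); a token that matches the live JWKS but is still rejected points at the sidecar cache.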
Solution: Either wait 20 minutes until the JWKS is refreshed, or kill all pods that are referenced by a RequestAuthentication resource. All services that have authz.workload set will have one (see: core.yaml).
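Finding every pod covered by a RequestAuthentication by hand is error-prone, so the script below derives the delete commands from the resources themselves. It is an added example, not code from the page, core.yaml or Istio; it assumes kubectl is on PATH and pointed at the cluster, and the RequestAuthentication list it ships with is a constructed sample. A policy with no selector covers every workload in its namespace; in the root namespace (istio-system by default) it is mesh-wide, which the script reports instead of turning into a blanket delete.

```python
import json
import shlex
import subprocess
from typing import List, Optional, Tuple

# Istio's default root namespace; adjust if your mesh sets a different rootNamespace.
ROOT_NAMESPACE = "istio-system"

# Constructed sample of `kubectl get requestauthentication -A -o json`, trimmed
# to the fields used below (not taken from the page's cluster or core.yaml).
SAMPLE_LIST = {
    "items": [
        {"metadata": {"name": "jwt-api", "namespace": "core"},
         "spec": {"selector": {"matchLabels": {"app": "api"}}}},
        {"metadata": {"name": "jwt-api-dup", "namespace": "core"},
         "spec": {"selector": {"matchLabels": {"app": "api"}}}},
        {"metadata": {"name": "jwt-ns", "namespace": "payments"}, "spec": {}},
        {"metadata": {"name": "jwt-mesh", "namespace": "istio-system"}, "spec": {}},
    ]
}


def restart_targets(ra_list: dict) -> List[Tuple[str, Optional[str]]]:
    """Map each RequestAuthentication to (namespace, label selector), where a
    selector of None means every pod in that namespace. Duplicates collapse."""
    seen = {}
    for item in ra_list.get("items", []):
        ns = item["metadata"]["namespace"]
        labels = item.get("spec", {}).get("selector", {}).get("matchLabels", {})
        selector = ",".join(f"{k}={v}" for k, v in sorted(labels.items())) or None
        seen[(ns, selector)] = None
    return list(seen)


def delete_commands(targets) -> Tuple[List[str], List[str]]:
    """Build `kubectl delete pod` commands; controllers recreate the pods with a
    fresh sidecar and therefore an empty JWKS cache. Selector-less policies in the
    root namespace are mesh-wide and are returned separately for manual handling."""
    cmds, mesh_wide = [], []
    for ns, selector in targets:
        if ns == ROOT_NAMESPACE and selector is None:
            mesh_wide.append(ns)
            continue
        cmd = ["kubectl", "delete", "pod", "-n", ns] + (["-l", selector] if selector else ["--all"])
        cmds.append(shlex.join(cmd))
    return cmds, mesh_wide


def load_from_cluster() -> dict:
    """Read the live RequestAuthentication list through kubectl."""
    out = subprocess.run(["kubectl", "get", "requestauthentication", "-A", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def run(cmds: List[str], execute: bool = False) -> None:
    """Print the commands; with execute=True run them one by one."""
    for cmd in cmds:
        print(cmd)
        if execute:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    # Dry run on the constructed sample; use load_from_cluster() and
    # run(cmds, execute=True) against a real cluster.
    cmds, mesh_wide = delete_commands(restart_targets(SAMPLE_LIST))
    run(cmds)
    for ns in mesh_wide:
        print(f"# policy in {ns} has no selector: mesh-wide, restart per namespace deliberately")
```

Deleting by label selector recreates only the pods that actually carry the policy; if you prefer a gentler path, the same selectors identify the Deployments to hand to `kubectl rollout restart`.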
When you see errors in the logs like these:
These are not real errors, but are logged incorrectly: https://github.com/istio/istio/issues/24701#issuecomment-649719089