istio

1
apiVersion: security.istio.io/v1beta1
2
kind: RequestAuthentication
3
metadata:
4
  name: default-{{ .To.ServiceName }}
5
spec:
6
  targetRef:
7
    kind: Gateway
8
    group: gateway.networking.k8s.io
9
    name: waypoint
10
  jwtRules:
11
  - issuer: "test-issuer-1@istio.io"
12
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
13
  - issuer: "test-issuer-2@istio.io"
14
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
15
---
16
apiVersion: security.istio.io/v1beta1
17
kind: RequestAuthentication
18
metadata:
19
  name: ignored-{{ .To.ServiceName }}
20
spec:
21
  selector:
22
    matchLabels:
23
      gateway.networking.k8s.io/gateway-name: waypoint # This should be ignored because it's not a targetRef
24
  jwtRules:
25
  - issuer: "test-issuer-3@istio.io"
26
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
27
---
28
apiVersion: security.istio.io/v1beta1
29
kind: AuthorizationPolicy
30
metadata:
31
  name: authz-gateway-{{ .To.ServiceName }}
32
spec:
33
  selector:
34
    matchLabels:
35
      gateway.networking.k8s.io/gateway-name: waypoint # TODO: Replace this with a targetRef after https://github.com/istio/istio/pull/46560 merges
36
  rules:
37
  - from:
38
    - source:
39
        requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
40
    - source:
41
        requestPrincipals: ["test-issuer-3@istio.io/sub-1"]
42
  - to:
43
    - operation:
44
        paths: ["/healthz"]
45