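# The following policy enables mTLS for the server-side workload.
# STRICT: the sidecar of the selected workload accepts mTLS connections only;
# plaintext requests are rejected. The source.principal conditions later in
# this file rely on this, because peer identity is only available over mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  mtls:
    mode: STRICT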
---
# Client side of the same mTLS setup: callers of the cSet service in
# NamespaceC originate mutual TLS with Istio-issued client certificates.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  namespace: "{{ .NamespaceC }}"
  name: mtls
spec:
  # Fully qualified service host; the cluster domain is hard-coded here.
  host: '{{ .cSet }}.{{ .NamespaceC }}.svc.cluster.local'
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
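# Each of the following authorization policies uses a different condition on
# the given path. No action is set, so these are ALLOW policies: once they
# select the workload, a request that matches none of their rules is denied.
#
# Allow /request-headers only when the request carries x-foo: foo.
# x-foo is supplied by the caller, so this condition exercises header
# matching; it is not an authentication control on its own.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-request-headers
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/request-headers"]
      when:
        - key: request.headers[x-foo]
          values: ["foo"]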
---
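# Negative form of the header condition: allow
# /request-headers-notValues-bar unless x-foo is "bar".
# NOTE(review): confirm how notValues treats a request with no x-foo header
# at all before relying on this rule to exclude such requests.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-request-headers-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/request-headers-notValues-bar"]
      when:
        - key: request.headers[x-foo]
          notValues: ["bar"]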
---
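# Allow /source-ip-<a> only from the addresses in ipA and /source-ip-<b> only
# from the addresses in ipB. ipA/ipB are rendered with toJson, which yields a
# flow-style list, so no quoting is needed around them.
# NOTE(review): source.ip is presumably the peer address of the connection as
# the sidecar sees it; if a proxy or load balancer sits in front of the
# workload that is the proxy's address, not the original client's — confirm.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-source-ip
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/source-ip-{{ .a }}"]
      when:
        - key: source.ip
          values: {{ toJson .ipA }}
    - to:
        - operation:
            paths: ["/source-ip-{{ .b }}"]
      when:
        - key: source.ip
          values: {{ toJson .ipB }}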
---
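# Negative form: allow /source-ip-notValues-<b> from any address except those
# in ipB. Since this is an allow-list exclusion, a caller whose address is not
# in ipB (including b itself if it arrives through another hop) is allowed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-source-ip-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/source-ip-notValues-{{ .b }}"]
      when:
        - key: source.ip
          notValues: {{ toJson .ipB }}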
---
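# Allow /source-namespace-<a> only to callers from NamespaceA and
# /source-namespace-<b> only to callers from NamespaceB.
# source.namespace is derived from the peer certificate, so it is only
# meaningful over mTLS (enforced by the STRICT PeerAuthentication in this file).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-source-namespace
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/source-namespace-{{ .a }}"]
      when:
        - key: source.namespace
          values: ["{{ .NamespaceA }}"]
    - to:
        - operation:
            paths: ["/source-namespace-{{ .b }}"]
      when:
        - key: source.namespace
          values: ["{{ .NamespaceB }}"]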
---
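# Negative form: allow /source-namespace-notValues-<b> to callers from any
# namespace except NamespaceB.
# NOTE(review): confirm whether a caller with no peer identity (no namespace
# attribute) matches this notValues rule; with STRICT mTLS that case should
# not reach the policy, but it matters if the PeerAuthentication is relaxed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-source-namespace-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/source-namespace-notValues-{{ .b }}"]
      when:
        - key: source.namespace
          notValues: ["{{ .NamespaceB }}"]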
---
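# Allow /source-principal-<a> only to the service account a in NamespaceA and
# /source-principal-<b> only to service account b in NamespaceB, matched on
# the full SPIFFE-style principal. source.principal comes from the peer
# certificate and requires mTLS; without it the attribute is empty and a
# values match never succeeds. The trust domain cluster.local is hard-coded.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-source-principal
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/source-principal-{{ .a }}"]
      when:
        - key: source.principal
          values: ["cluster.local/ns/{{ .NamespaceA }}/sa/{{ .a }}"]
    - to:
        - operation:
            paths: ["/source-principal-{{ .b }}"]
      when:
        - key: source.principal
          values: ["cluster.local/ns/{{ .NamespaceB }}/sa/{{ .b }}"]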
---
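# Negative form: allow /source-principal-notValues-<b> to any peer except the
# service account b in NamespaceB. The trust domain cluster.local is
# hard-coded; a different trust domain would make this exclusion miss.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-source-principal-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/source-principal-notValues-{{ .b }}"]
      when:
        - key: source.principal
          notValues: ["cluster.local/ns/{{ .NamespaceB }}/sa/{{ .b }}"]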
---
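# Allow /destination-ip-good when the request lands on one of the workload's
# own addresses (ipC). /destination-ip-bad is conditioned on the literal
# 1.2.3.4, which is never the workload address, so that path is always denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-destination-ip
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/destination-ip-good"]
      when:
        - key: destination.ip
          values: {{ toJson .ipC }}
    - to:
        - operation:
            paths: ["/destination-ip-bad"]
      when:
        - key: destination.ip
          values: ["1.2.3.4"]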
---
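# Negative form on the destination address. The first rule excludes ipA and
# ipB, which are not the workload's addresses, so that path is allowed; the
# second also excludes ipC (the workload itself), so that path is denied.
# concat joins the address lists before toJson renders them as one flow list.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-destination-ip-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/destination-ip-notValues-{{ .a }}-or-{{ .b }}"]
      when:
        - key: destination.ip
          notValues: {{ concat .ipA .ipB | toJson }}
    - to:
        - operation:
            paths: ["/destination-ip-notValues-{{ .a }}-or-{{ .b }}-or-{{ .cSet }}"]
      when:
        - key: destination.ip
          notValues: {{ concat .ipA .ipB .ipC | toJson }}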
---
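# Allow /destination-port-good only on the workload's port (portC);
# /destination-port-bad is conditioned on port 1, which never matches.
# Condition values are strings, so the port numbers stay quoted.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-destination-port
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/destination-port-good"]
      when:
        - key: destination.port
          values: ["{{ .portC }}"]
    - to:
        - operation:
            paths: ["/destination-port-bad"]
      when:
        - key: destination.port
          values: ["1"]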
---
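# Negative form: allow /destination-port-notValues-<cSet> on every port except
# portC. Since the workload listens on portC, requests to that path are
# expected to be denied. The port value stays quoted (condition values are strings).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-destination-port-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/destination-port-notValues-{{ .cSet }}"]
      when:
        - key: destination.port
          notValues: ["{{ .portC }}"]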
---
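# Allow /connection-sni-good when the TLS SNI is any subdomain of the
# workload's own service host (prefix wildcard "*."); /connection-sni-bad uses
# the literal "never-matched" so that path is always denied.
# NOTE(review): connection.sni is only populated on TLS connections, so a
# plaintext request would not match the "good" rule either — confirm the
# test client uses TLS here.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-connection-sni
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/connection-sni-good"]
      when:
        - key: connection.sni
          values: ["*.{{ .cSet }}.{{ .NamespaceC }}.svc.cluster.local"]
    - to:
        - operation:
            paths: ["/connection-sni-bad"]
      when:
        - key: connection.sni
          values: ["never-matched"]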
---
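# Negative form on SNI. The first rule excludes the a and b service hosts,
# which are not this workload, so that path is allowed; the second also
# excludes the workload's own host (cSet in NamespaceC), so that path is
# denied. Each pattern is a prefix wildcard on the full service host.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: condition-connection-sni-notvalues
  namespace: "{{ .NamespaceC }}"
spec:
  selector:
    matchLabels:
      # Quoted like the namespace above so the rendered value is always a string.
      app: "{{ .cSet }}"
  rules:
    - to:
        - operation:
            paths: ["/connection-sni-notValues-{{ .a }}-or-{{ .b }}"]
      when:
        - key: connection.sni
          notValues:
            - "*.{{ .a }}.{{ .NamespaceA }}.svc.cluster.local"
            - "*.{{ .b }}.{{ .NamespaceB }}.svc.cluster.local"
    - to:
        - operation:
            paths: ["/connection-sni-notValues-{{ .a }}-or-{{ .b }}-or-{{ .cSet }}"]
      when:
        - key: connection.sni
          notValues:
            - "*.{{ .a }}.{{ .NamespaceA }}.svc.cluster.local"
            - "*.{{ .b }}.{{ .NamespaceB }}.svc.cluster.local"
            - "*.{{ .cSet }}.{{ .NamespaceC }}.svc.cluster.local"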
---