tests/integration/security/testdata/authz/v1beta1-egress-gateway.yaml.tmpl

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "default"
  namespace: "{{ .RootNamespace }}"
spec:
  jwtRules:
  - issuer: "test-issuer-1@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer-2@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egressgateway
  namespace: "{{ .RootNamespace }}"
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  rules:
    - to: # only allow /allow for company.com
        - operation:
            paths: ["/allow"]
            hosts: ["www.company.com"]
    - to: # checks only a call 443 over istio mutual without JWT
      - operation:
          hosts: ["{{ .a }}-only.com"]
      from:
      - source:
          principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .a }}"]
    - to: # checks workload can call 443 over istio mutual with JWT
      - operation:
          hosts: ["jwt-only.com"]
      from:
      - source:
          requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
    - to: # checks only a can call 443 over istio mutual with JWT
      - operation:
          hosts: ["jwt-and-{{ .a }}-only.com"]
      from:
      - source:
          requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
          principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .a }}"]
---

# The following policy redirects the request through egress gateway.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-egress
  namespace: {{ .Namespace }}
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "www.company.com"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
         mode: ISTIO_MUTUAL
      hosts:
        - "*"
---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: route-via-egressgateway
  namespace: {{ .Namespace }}
spec:
  hosts:
  - "www.company.com"
  gateways:
  - test-egress
  - mesh
  http:
    - match:
      - gateways:
        - mesh
        port: 80
      route:
      - destination:
          host: istio-egressgateway.{{ .RootNamespace }}.svc.cluster.local
          port:
            number: 80
        weight: 100
    - match:
      - gateways:
        - test-egress
        port: 80
      route:
      - destination:
          host: b.{{ .Namespace }}.svc.cluster.local
          port:
            number: 8095
        weight: 100
      headers:
        request:
          add:
            x-egress-test: "handled-by-egress-gateway"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: route-via-egressgateway-2
  namespace: {{ .Namespace }}
spec:
  hosts:
  - "{{ .a }}-only.com"
  - "jwt-only.com"
  - "jwt-and-{{ .a }}-only.com"
  gateways:
  - test-egress
  - mesh
  http:
    - match:
      - gateways:
        - mesh
        port: 80
      route:
      - destination:
          host: istio-egressgateway.{{ .RootNamespace }}.svc.cluster.local
          port:
            number: 443
        weight: 100
    - match:
      - gateways:
        - test-egress
        port: 443
      route:
      - destination:
          host: b.{{ .Namespace }}.svc.cluster.local
          port:
            number: 8095
        weight: 100
      headers:
        request:
          add:
            x-egress-test: "handled-by-egress-gateway"
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "test-egress"
  namespace: {{ .Namespace }}
spec:
  host: "istio-egressgateway.{{ .RootNamespace }}.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: ISTIO_MUTUAL
---