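# Integration-test fixture: JWT validation and authorization enforced on the
# egress gateway, plus the Gateway / VirtualService / DestinationRule objects
# that force the test traffic through that gateway.
#
# This file is a Go template. Every "{{ ... }}" expression is rendered first
# and only the rendered text is parsed as YAML, which is why templated string
# values below are wrapped in double quotes: a rendered name or namespace that
# happens to look like a number or boolean must still parse as a string.
# Templated port numbers are deliberately left unquoted so they stay integers.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default
  namespace: "{{ .SystemNamespace.Name }}"
spec:
  # Two issuers, one shared key set. RequestAuthentication only validates a
  # token that is present; requests without a JWT are not rejected here.
  # Requiring a JWT is done by the requestPrincipals rules in the
  # AuthorizationPolicy below.
  # NOTE(review): the JWKS is fetched at runtime from an unpinned branch of a
  # public repository, so the test depends on that remote content not changing.
  jwtRules:
    - issuer: "test-issuer-1@istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    - issuer: "test-issuer-2@istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "{{ .EgressGatewayIstioLabel | default "egressgateway" }}"
  namespace: "{{ .EgressGatewayServiceNamespace | default .SystemNamespace.Name }}"
spec:
  # Applied to the egress gateway workload. No action is set, so this is an
  # ALLOW policy: a request leaving through the gateway is admitted only if it
  # matches one of the rules below; everything else is denied.
  selector:
    matchLabels:
      app: "{{ .EgressGatewayServiceName | default "istio-egressgateway" }}"
  rules:
    # www.company.com: only the /allow path is permitted, from any caller.
    - to:
        - operation:
            paths: [ "/allow" ]
            hosts: [ "www.company.com" ]
    # <allowed-service>-<allowed-namespace>-only.com: only the Allowed
    # workload's mTLS identity may call it (443 over ISTIO_MUTUAL); no JWT.
    - to:
        - operation:
            hosts: [ "{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    # jwt-only.com: any workload may call it, provided the request carries a
    # valid JWT from test-issuer-1 with subject sub-1.
    - to:
        - operation:
            hosts: [ "jwt-only.com" ]
      from:
        - source:
            requestPrincipals: [ "test-issuer-1@istio.io/sub-1" ]
    # jwt-and-<allowed-service>-<allowed-namespace>-only.com: both the JWT and
    # the Allowed workload's mTLS identity are required.
    - to:
        - operation:
            hosts: [ "jwt-and-{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com" ]
      from:
        - source:
            requestPrincipals: [ "test-issuer-1@istio.io/sub-1" ]
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
---
# The following objects redirect the request through the egress gateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: test-egress
  namespace: "{{ .From.NamespaceName }}"
spec:
  selector:
    istio: "{{ .EgressGatewayIstioLabel | default "egressgateway" }}"
  servers:
    # Plain HTTP listener, only for www.company.com (route-via-egressgateway).
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "www.company.com"
    # ISTIO_MUTUAL listener shared by the three test hosts routed by
    # route-via-egressgateway-2. The wildcard admits every host at the gateway
    # level; which hosts and callers are actually permitted is decided by the
    # AuthorizationPolicy above.
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: ISTIO_MUTUAL
      hosts:
        - "*"
---
# www.company.com: sidecar (mesh) traffic on port 80 is sent to the egress
# gateway's port 80; at the gateway (test-egress) it is forwarded to the
# target workload's http port.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: route-via-egressgateway
  namespace: "{{ .From.NamespaceName }}"
spec:
  hosts:
    - "www.company.com"
  gateways:
    - test-egress
    - mesh
  http:
    - match:
        - gateways:
            - mesh
          port: 80
      route:
        - destination:
            host: "{{ .EgressGatewayServiceName | default "istio-egressgateway" }}.{{ .EgressGatewayServiceNamespace | default .SystemNamespace.Name }}.svc.cluster.local"
            port:
              number: 80
          weight: 100
    - match:
        - gateways:
            - test-egress
          port: 80
      route:
        - destination:
            host: "{{ .To.ClusterLocalFQDN }}"
            port:
              number: {{ (.To.PortForName "http").ServicePort }}
          weight: 100
      # Marker header; presumably asserted by the test to prove the request
      # actually traversed the gateway.
      headers:
        request:
          add:
            x-egress-test: "handled-by-egress-gateway"
---
# The three authz test hosts: sidecar (mesh) traffic on port 80 is sent to the
# egress gateway's port 443 (ISTIO_MUTUAL, see the DestinationRules below); at
# the gateway (test-egress, port 443) it is forwarded to the target workload.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: route-via-egressgateway-2
  namespace: "{{ .From.NamespaceName }}"
spec:
  hosts:
    - "{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com"
    - "jwt-only.com"
    - "jwt-and-{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com"
  gateways:
    - test-egress
    - mesh
  http:
    - match:
        - gateways:
            - mesh
          port: 80
      route:
        - destination:
            host: "{{ .EgressGatewayServiceName | default "istio-egressgateway" }}.{{ .EgressGatewayServiceNamespace | default .SystemNamespace.Name }}.svc.cluster.local"
            port:
              number: 443
          weight: 100
    - match:
        - gateways:
            - test-egress
          port: 443
      route:
        - destination:
            host: "{{ .To.ClusterLocalFQDN }}"
            port:
              number: {{ (.To.PortForName "http").ServicePort }}
          weight: 100
      # Same marker header as route-via-egressgateway.
      headers:
        request:
          add:
            x-egress-test: "handled-by-egress-gateway"
---
# Originate ISTIO_MUTUAL from the calling sidecar to the gateway's port 443 so
# that the Gateway's HTTPS/ISTIO_MUTUAL server accepts the connection and the
# AuthorizationPolicy can see the caller's workload identity (principals).
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: test-egress
  namespace: "{{ .From.NamespaceName }}"
spec:
  host: "{{ .EgressGatewayServiceName | default "istio-egressgateway" }}.{{ .EgressGatewayServiceNamespace | default .SystemNamespace.Name }}.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
---
# TODO(nmittler): Shouldn't need this. Workaround for https://github.com/istio/istio/issues/38704.
# Same rule as above, duplicated into the system namespace.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: test-egress
  namespace: "{{ .SystemNamespace.Name }}"
spec:
  host: "{{ .EgressGatewayServiceName | default "istio-egressgateway" }}.{{ .EgressGatewayServiceNamespace | default .SystemNamespace.Name }}.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
---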