# Re-points the existing httpbin VirtualService at oauth2-proxy so every request
# arriving on the gateway reaches the proxy first. Applying this replaces any
# VirtualService with the same name in the httpbin namespace.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
  namespace: httpbin
spec:
  # '*' binds this route to every host the gateway serves.
  hosts:
    - '*'
  gateways:
    - istio-system/httpbin
  http:
    # Only gateway port 80 is matched. Whether that listener is plain HTTP or
    # TLS-terminated is decided by the istio-system/httpbin Gateway, which is
    # not part of this file — confirm it before relying on this for login.
    - match:
        - port: 80
      route:
        - destination:
            host: oauth2-proxy
            port:
              number: 80
---
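# Validates JWTs presented to the httpbin workload. Per Istio's documented
# behaviour a RequestAuthentication only rejects *invalid* tokens; a request
# with no token at all still passes here, and it is the AuthorizationPolicy's
# requestPrincipals rule that actually requires one.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  # TODO: Change to GitHub details.
  # NOTE(review): GitHub's OAuth login does not issue OIDC ID tokens, so a
  # jwtRules entry alone may not fit a GitHub-backed setup — confirm how
  # oauth2-proxy presents identity to httpbin before switching issuers.
  jwtRules:
    - issuer: https://accounts.google.com
      jwksUri: https://www.googleapis.com/oauth2/v3/certs
      # Without `audiences`, any token signed by this issuer is accepted,
      # including ID tokens minted for unrelated OAuth clients. Restrict it to
      # the client ID oauth2-proxy uses (placeholder — fill in before use):
      # audiences:
      #   - "<OAUTH2_PROXY_CLIENT_ID>"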
---
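# Access control for the httpbin workload. Rules are OR-ed: a request is
# admitted if any one rule matches, and once an ALLOW policy selects a
# workload, requests that match no rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: httpbin
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: httpbin
  rules:
    # Rule 1: any request carrying a JWT that the RequestAuthentication for
    # this workload validated — any principal, any path. `paths: ["*"]`
    # matches everything, the same as omitting `to`; it is kept for
    # explicitness.
    - from:
        - source:
            requestPrincipals: ["*"]
      to:
        - operation:
            paths: ["*"]
    # TODO: Test this more.
    # Rule 2: the single path /forms/post with no `from` clause, so it is
    # reachable with no token at all. Meant for endpoints that other cluster
    # workloads must call directly (for example metrics) without going through
    # OIDC. The path match is exact on the (Istio-normalised) request path, so
    # variants such as /forms/post/ are presumably not covered — verify
    # against the actual caller.
    # Hardening: when the callers are known, pin the source instead of leaving
    # the endpoint anonymous (placeholder namespace — fill in before use):
    #   from:
    #     - source:
    #         namespaces: ["<CALLER_NAMESPACE>"]
    - to:
        - operation:
            paths: ["/forms/post"]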
---