Example: `  # Check AuthorizationPolicy applied to pod httpbin-88ddbcfdd-nt5jb:
  istioctl x authz check httpbin-88ddbcfdd-nt5jb

  # Check AuthorizationPolicy applied to one pod under a deployment
  istioctl x authz check deployment/productpage-v1

  # Check AuthorizationPolicy from Envoy config dump file:
  istioctl x authz check -f httpbin_config_dump.json`,
		Args: func(cmd *cobra.Command, args []string) error {

Mikalai Radchuk <******@****.***> 1714565943 +0200

#   limitations under the License.

# Example configurations for deploying ext-authz server locally with the application container in the same pod.

# Define the service entry for the local ext-authz service on port 8000.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext-authz-http
spec:
  hosts:
  - "ext-authz-http.local"
  endpoints:
  - address: "127.0.0.1"
  ports:
  - name: http

  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
--- 
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz-gateway-{{ .To.ServiceName }}
spec:
  targetRef:
    name: {{ .To.ServiceName }}-gateway
    kind: Gateway
    group: gateway.networking.k8s.io
  action: ALLOW
  rules:
  - to:
    - operation:

## Usage

1. Deploy the Ext Authz service in a dedicated pod:

    ```console
    $ kubectl apply -f ext-authz.yaml
    service/ext-authz created
    deployment.apps/ext-authz created
    ```

    Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`.

)

const (
	httpName = "ext-authz-http"
	grpcName = "ext-authz-grpc"
	httpPort = 8000
	grpcPort = 9000

	providerTemplate = `
extensionProviders:
- name: "{{ .httpName }}"
  envoyExtAuthzHttp:
    service: "{{ .fqdn }}"
    port: {{ .httpPort }}
    headersToUpstreamOnAllow: ["x-ext-authz-*"]
    headersToDownstreamOnDeny: ["x-ext-authz-*"]
    includeRequestHeadersInCheck: ["x-ext-authz"]

      
      * Metadata Exchange
      * CUSTOM Authz
      * WASM Authn
      * Authn
      * WASM Authz
      * Authz
      * WASM Stats
      * Stats
      * WASM unspecified
      
      This changes the following areas:
      * Inbound TCP filters now place Metadata Exchange before Authn.

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 0.002s
  statusOnError:
    code: Forbidden
  transportApiVersion: V3
  withRequestBody:

)

var (
	// Namespaces
	echo1NS  namespace.Instance
	serverNS namespace.Instance

	// Servers
	apps             deployment.SingleNamespaceView
	authzServer      authz.Server
	localAuthzServer authz.Server
	jwtServer        jwt.Server

	i istio.Instance
)

func TestMain(m *testing.M) {
	framework.
		NewSuite(m).
		Label(label.CustomSetup).

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 600s
  statusOnError:
    code: Forbidden