type: object
                    rewrite:
                      description: Rewrite HTTP URIs and Authority headers.
                      properties:
                        authority:
                          description: rewrite the Authority/Host header with this
                            value.
                          type: string
                        uri:

                      type: object
                    rewrite:
                      description: Rewrite HTTP URIs and Authority headers.
                      properties:
                        authority:
                          description: rewrite the Authority/Host header with this
                            value.
                          type: string
                        uri:

outputClaimToHeaders: description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. items: properties: claim: description: The name of the claim to be copied from. type: string header: description: The name of the header to be created. type: string type: object type: array outputPayloadToHeade: description: This field specifies the header name to output a successfully verified JWT payload to the backend. type: string required: - issuer type:...

    - advanced/additional-status-codes.md
    - advanced/response-directly.md
    - advanced/custom-response.md
    - advanced/additional-responses.md
    - advanced/response-cookies.md
    - advanced/response-headers.md
    - advanced/response-change-status-code.md
    - advanced/advanced-dependencies.md
    - Advanced Security:
      - advanced/security/index.md
      - advanced/security/oauth2-scopes.md

{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - "config.istio.io"
      - "security.istio.io"
      - "networking.istio.io"

          # The "digest" that allows us to pull an image is not the digest as
          # returned by the API, but a sha256sum of the entire chunk of image
          # metadata. gcr.io helpfully includes it in the header of the response
          # as docker-content-digest: sha256:[digest]. Note we use egrep to
          # match exactly sha256:<hash> because curl may include a ^M symbol at
          # the end of the line.

{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - "config.istio.io"
      - "security.istio.io"
      - "networking.istio.io"