# If we are not using the default, assume its private and we need to authenticate
if [[ "${ISTIO_ZTUNNEL_BASE_URL}" != "https://storage.googleapis.com/istio-build/ztunnel" ]]; then
  AUTH_HEADER="Authorization: Bearer $(gcloud auth print-access-token)"
  export AUTH_HEADER
fi

ZTUNNEL_REPO_SHA="${ZTUNNEL_REPO_SHA:-$(grep ZTUNNEL_REPO_SHA istio.deps  -A 4 | grep lastStableSHA | cut -f 4 -d '"')}"

# If we are not using the default, assume its private and we need to authenticate
if [[ "${ISTIO_ENVOY_BASE_URL}" != "https://storage.googleapis.com/istio-build/proxy" ]]; then
  AUTH_HEADER="Authorization: Bearer $(gcloud auth print-access-token)"
  export AUTH_HEADER
fi

SIDECAR="${SIDECAR:-envoy}"

# OS-neutral vars. These currently only work for linux.
ISTIO_ENVOY_VERSION="${ISTIO_ENVOY_VERSION:-${PROXY_REPO_SHA}}"

  //  "key encipherment",
  //  "key agreement",
  //  "data encipherment",
  //  "cert sign",
  //  "crl sign",
  //  "encipher only",
  //  "decipher only",
  //  "any",
  //  "server auth",
  //  "client auth",
  //  "code signing",
  //  "email protection",
  //  "s/mime",
  //  "ipsec end system",
  //  "ipsec tunnel",
  //  "ipsec user",
  //  "timestamping",
  //  "ocsp signing",

# We set up anonymous authentication as this is for demos.
auth:
  strategy: anonymous
deployment:
  pod_labels:
    sidecar.istio.io/inject: "false"
  accessible_namespaces:
  - '**'
  ingress_enabled: false
login_token:
  signing_key: CHANGEME00000000
external_services:
  # Kiali will not start up without tracing service. We don't want to require it.
  tracing:

  //   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
  //
  // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
  //
  // Custom signerNames can also be specified. The signer defines:

# use single binary and filesystem storage for test
# do not use in production
loki:
  useTestSchema: true
  auth_enabled: false
  commonConfig:
    replication_factor: 1
  storage:
    type: 'filesystem'
test:
  enabled: false
lokiCanary:
  enabled: false
monitoring:
  dashboards:
    enabled: false
  rules:
    enabled: false
    alerting: false
  serviceMonitor:
    enabled: false
    metricsInstance:

  // a URL. You may use the path to pass an arbitrary string to the
  // webhook, for example, a cluster identifier.
  //
  // Attempting to use a user or basic auth e.g. "user:password@" is not
  // allowed. Fragments ("#...") and query parameters ("?...") are not
  // allowed, either.
  //
  // +optional
  optional string url = 3;

  // a URL. You may use the path to pass an arbitrary string to the
  // webhook, for example, a cluster identifier.
  //
  // Attempting to use a user or basic auth e.g. "user:password@" is not
  // allowed. Fragments ("#...") and query parameters ("?...") are not
  // allowed, either.
  //
  // +optional
  optional string url = 3;

                type: string
              passwordSecret:
                description: passwordSecret is name of the authentication secret for
                  BGP Peer. the secret must be of type "kubernetes.io/basic-auth",
                  and created in the same namespace as the MetalLB deployment. The
                  password is stored in the secret as the key "password".
                properties:
                  name:

                description: |-
                  Determines where in the filter chain this `WasmPlugin` is to be injected.

                  Valid Options: AUTHN, AUTHZ, STATS
                enum:
                - UNSPECIFIED_PHASE
                - AUTHN
                - AUTHZ
                - STATS
                type: string
              pluginConfig: