WithAuthz(jwt.TokenIssuer1).
								Build()
							opts.Check = check.OK()
						},
					},
					{
						name: "deny with sub-1 token due to ignored RequestAuthentication",
						customizeCall: func(opts *echo.CallOptions, to echo.Target) {
							opts.HTTP.Path = "/"
							opts.HTTP.Headers = headers.New().
								WithHost(fmt.Sprintf("example.%s.com", to.ServiceName())).

// Map of all configs that do not impact EDS
var skippedEdsConfigs = sets.New(
	kind.Gateway,
	kind.VirtualService,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.Secret,
	kind.Telemetry,
	kind.WasmPlugin,
	kind.ProxyConfig,
	kind.DNSName,

	kind.KubernetesGateway,
	kind.HTTPRoute,
	kind.TCPRoute,
	kind.TLSRoute,
	kind.GRPCRoute,
)

	).Get()

	JwksFetchMode = func() jwt.JwksFetchMode {
		v := env.Register(
			"PILOT_JWT_ENABLE_REMOTE_JWKS",
			"false",
			"Mode of fetching JWKs from JwksUri in RequestAuthentication. Supported value: "+
				"istiod, false, hybrid, true, envoy. The client fetching JWKs is as following: "+
				"istiod/false - Istiod; hybrid/true - Envoy and fallback to Istiod if JWKs server is external; "+

spec:
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/private/secret.html"]
`
	jwtTool            = "jwttool"
	requestAuthnPolicy = `
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt
spec:
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.10/tests/common/jwt/jwks.json"

								WithAuthz(jwt.TokenIssuer1).
								Build()
							opts.Check = check.OK()
						},
					},
					{
						name: "allow with sub-1 token despite \"ignored\" RequestAuthentication (enableGatewayAPISelectorPolicies flag = true)",
						customizeCall: func(opts *echo.CallOptions, to echo.Target) {
							opts.HTTP.Path = "/"
							opts.HTTP.Headers = headers.New().

		}
	}
	// add services from RequestAuthentication.JwtRules.JwksUri
	if features.JwksFetchMode != jwt.Istiod {
		forWorkload := PolicyMatcherForProxy(proxy)
		jwtPolicies := ps.AuthnPolicies.GetJwtPoliciesForWorkload(forWorkload)
		for _, cfg := range jwtPolicies {
			rules := cfg.Spec.(*v1beta1.RequestAuthentication).JwtRules
			for _, r := range rules {

	{
		name:       "KubernetesGatewaySelector",
		inputFiles: []string{"testdata/k8sgateway-selector.yaml"},
		analyzer:   &k8sgateway.SelectorAnalyzer{},
		expected: []message{
			{msg.IneffectiveSelector, "RequestAuthentication default/ra-ineffective"},
			{msg.IneffectiveSelector, "AuthorizationPolicy default/ap-ineffective"},
			{msg.IneffectiveSelector, "WasmPlugin default/wasmplugin-ineffective"},

	// they will be applied to all namespaces within the cluster.
	clusterScopedKnownConfigTypes = sets.New(
		kind.EnvoyFilter,
		kind.AuthorizationPolicy,
		kind.RequestAuthentication,
		kind.WasmPlugin,
	)
)

type hostClassification struct {
	exactHosts sets.Set[host.Name]
	allHosts   []host.Name
}

o"},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"title":"RequestAuthentication Policies","type":"stat"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"fixedColor":"rgb(31,...

var ValidateRequestAuthentication = RegisterValidateFunc("ValidateRequestAuthentication",
	func(cfg config.Config) (Warning, error) {
		in, ok := cfg.Spec.(*security_beta.RequestAuthentication)
		if !ok {
			return nil, errors.New("cannot cast to RequestAuthentication")
		}

		errs := Validation{}
		errs = AppendValidation(errs,
			validateOneOfSelectorType(in.GetSelector(), in.GetTargetRef(), in.GetTargetRefs()),