name: http-envoy-prom
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}

              name: http-envoy-prom
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}

  # Enable debug for the `gradle-build-action` cache operations
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true

permissions: {}

jobs:
  build:
    name: "Compile All"
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: git clone
        uses: actions/checkout@v4
      - id: setup-matrix

      matrix:
        go-version: [1.21.x]
        ldap: ["", "localhost:389"]
        etcd: ["", "http://localhost:2379"]
        openid: ["", "http://127.0.0.1:5556/dex"]
        exclude:
          # exclude combos where all are empty.
          - ldap: ""
            etcd: ""
            openid: ""
          # exclude combos where both ldap and openid IDPs are specified.
          - ldap: "localhost:389"

Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).

However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
We can then merge the profile onto the defaults, then the user settings onto that.
Finally, we can set all of that under .Values so the chart behaves without awareness.
*/}}
{{- $defaults := $.Values.defaults }}
{{- $_ := unset $.Values "defaults" }}

{{- /* Core defines the common configuration used by all webhook segments */}}
{{/* Copy just what we need to avoid expensive deepCopy */}}
{{- $whv := dict
 "revision" .Values.revision
  "injectionPath" .Values.istiodRemote.injectionPath
  "injectionURL" .Values.istiodRemote.injectionURL
  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
  "caBundle" .Values.istiodRemote.injectionCABundle
  "namespace" .Release.Namespace }}

# Copyright 2022 The TensorFlow Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,

  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '45 9 * * 0'
  push:
    branches: [ "master" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write

      - uses: actions/upload-artifact@v3
        with:
          name: docs-site
          path: ./site/**

  # https://github.com/marketplace/actions/alls-green#why
  docs-all-green:  # This job does nothing and is only used for the branch protection
    if: always()
    needs:
      - build-docs
    runs-on: ubuntu-latest
    steps:

          timeoutSeconds: 1
        securityContext:
          privileged: false
          runAsGroup: 1337
          runAsUser: 0
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: workload-socket
          mountPath: /var/run/secrets/workload-spiffe-uds
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert