From 9b2175400b97c86ae9ce90427cda16640fee643a Mon Sep 17 00:00:00 2001 From: Stanislav Bondarenko Date: Sat, 4 Sep 2021 17:34:43 -0400 Subject: [PATCH] Adds authservice as extension provider --- CHANGELOG.md | 4 ++++ chart/Chart.yaml | 2 +- chart/templates/controlplane.yaml | 7 +++++++ chart/values.yaml | 5 +++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47fcdfc..40ebe1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.10.4-bb.1] +### Changed +- Added authservice as extension provider + ## [1.10.4-bb.0] ### Changed - Update to Istio 1.10.4 diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 0843c24..76fe62f 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: istio -version: 1.10.4-bb.0 +version: 1.10.4-bb.1 diff --git a/chart/templates/controlplane.yaml b/chart/templates/controlplane.yaml index 281edcd..e3e9d61 100644 --- a/chart/templates/controlplane.yaml +++ b/chart/templates/controlplane.yaml @@ -74,6 +74,13 @@ spec: meshConfig: accessLogFile: /dev/stdout enableTracing: {{ .Values.tracing.enabled }} + {{- if .Values.authservice.enabled }} + extensionProviders: + - name: "authservice" + envoyExtAuthzGrpc: + service: "authservice.authservice.svc.cluster.local" + port: "10003" + {{- end }} defaultConfig: tracing: sampling: {{ .Values.tracing.sampling }} diff --git a/chart/values.yaml b/chart/values.yaml index d0034e8..769b631 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
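Review bot: The provider's `service` and `port` in the added `extensionProviders` block of chart/templates/controlplane.yaml are hard-coded to `authservice.authservice.svc.cluster.local` and `"10003"`. A cluster that runs authservice in another namespace, under a different cluster domain, or on another port therefore gets a provider that resolves to nothing. As far as I know `failOpen` defaults to false for `envoyExtAuthzGrpc`, so a `CUSTOM` AuthorizationPolicy naming this provider would then deny requests rather than skip the check, which is the safe direction but appears as an outage. Consider reading both from new values keys with the current strings as defaults, e.g. `service: {{ .Values.authservice.service | default "authservice.authservice.svc.cluster.local" | quote }}` and `port: {{ .Values.authservice.port | default 10003 | quote }}`. The enclosing `meshConfig` mapping starts and continues outside the hunk.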
@@ -17,6 +17,11 @@ imagePullSecrets: [] monitoring: enabled: false +# If authservice is enabled, it will be added to extension providers as an external authorization system. +# https://istio.io/latest/docs/tasks/security/authorization/authz-custom/ +authservice: + enabled: false + # Ingress gateways # The following items are automatically set for every ingress gateway: # - label: "app: {name of ingress gateway}" -- GitLab
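Review bot: The comment above `authservice:` does not say that the flag only registers the provider in meshConfig and does not by itself put any workload behind external authorization. Per the Istio page the comment links, enforcement requires an AuthorizationPolicy with `action: CUSTOM` whose `provider.name` matches, so an operator could set `enabled: true` and wrongly assume traffic is being checked. I would add a line such as `# Enabling this only registers the "authservice" provider; requests are checked only where an AuthorizationPolicy with action CUSTOM references that name.` The comment should also mention that the template expects the service at `authservice.authservice.svc.cluster.local` on port 10003, since nothing in values.yaml shows that dependency.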