apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../base

components:
- ../../components/cluster-jwks-proxy
- ../../components/istio-external-auth
- ../../components/istio-m2m

configMapGenerator:
- name: oauth2-proxy-parameters
  behavior: merge
  literals:
  # Configs for oauth2-proxy
  - ALLOW_SELF_SIGNED_ISSUER=true

patches:
# patch the 'm2m-token-issuer' RequestAuthentication with correct `issuer` and `jwksUri`
# NOTE: we are using kustomize components, so we can't use the outer `configMapGenerator` to
#       patch the inner one, so we are stuck with using a `patch` instead
- patch: |-
    - op: replace
      path: /spec/jwtRules/0/issuer
      value: https://kubernetes.default.svc.cluster.local
    - op: replace
      path: /spec/jwtRules/0/jwksUri
      value: http://cluster-jwks-proxy.istio-system.svc.cluster.local/openid/v1/jwks
  target:
    group: security.istio.io
    version: v1beta1
    kind: RequestAuthentication
    name: m2m-token-issuer
    namespace: istio-system

- patch: |-
    - op: add
      path: /spec/jwtRules/-
      value:
        issuer: "https://kubernetes.default.svc"
        jwksUri: "http://cluster-jwks-proxy.istio-system.svc.cluster.local/openid/v1/jwks"
        forwardOriginalToken: true
        outputClaimToHeaders:
        - header: kubeflow-userid
          claim: sub
        - header: kubeflow-groups
          claim: groups
        fromHeaders:
        - name: Authorization
          prefix: "Bearer "
  target:
    group: security.istio.io
    version: v1beta1
    kind: RequestAuthentication
    name: m2m-token-issuer
    namespace: istio-system