{{- if .Values.enableRequestAuthentication }} {{- $tenantId := .Values.azure.tenantId -}} {{- $appId := .Values.azure.appId -}} {{- $clientId := .Values.azure.clientId -}} apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: req-authn-for-all namespace: istio-system spec: jwtRules: - issuer: "https://sts.windows.net/{{ $tenantId }}/" jwksUri: "https://login.microsoftonline.com/common/discovery/v2.0/keys" audiences: - "{{ $appId }}" - "{{ $clientId }}" - "https://management.azure.com" outputPayloadToHeader: "x-payload" forwardOriginalToken: true fromHeaders: - name: Authorization prefix: "Bearer " - issuer: "https://login.microsoftonline.com/{{ $tenantId }}/v2.0" jwksUri: "https://login.microsoftonline.com/common/discovery/v2.0/keys" audiences: - "{{ $appId }}" - "{{ $clientId }}" outputPayloadToHeader: "x-payload" forwardOriginalToken: true fromHeaders: - name: Authorization prefix: "Bearer " {{- end }}