{{/*
# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
{{- if .Values.ingressAuthentication.enabled }}
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .Release.Name }}-request-auth
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingress
  jwtRules:
  {{- $dot := . }}
  {{- range $index, $realm := .Values.realmSettings }}
  - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ $dot.Values.keycloak.relativePath }}realms/{{ $realm.name }}"
    jwksUri: {{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs
  {{- end }}
  - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}realms/master"
    jwksUri: {{ .Values.keycloak.intURL }}realms/master/protocol/openid-connect/certs
    forwardOriginalToken: true
{{- end }}