# ServiceEntry that registers the Dikastes authorization endpoint under a
# mesh-internal host name, so the ext_authz filters in this file have a
# cluster to send their gRPC checks to.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: dikastes
  namespace: istio-system
spec:
  hosts:
  # This name is repeated in the DestinationRule `host` and inside both
  # ext_authz `cluster_name` values in this file; keep all of them in sync.
  - dikastes.calico.cluster.local
  ports:
  - name: grpc
    protocol: grpc
    # The endpoint below is a Unix domain socket, so no TCP port is dialled.
    # The value 1 appears to be a placeholder; it is also the port component of
    # the "outbound|1||..." cluster name used by the EnvoyFilter.
    number: 1
  # STATIC: the endpoint address is given explicitly below, not resolved by DNS.
  resolution: STATIC
  location: MESH_EXTERNAL
  endpoints:
  # Local socket path as seen by the proxy. Who may connect is decided by the
  # socket's file permissions and by which containers have the directory mounted.
  # NOTE(review): confirm the mount is limited to the proxy and Dikastes - any
  # other process with access could talk to the authorization service directly.
  - address: unix:///var/run/dikastes/dikastes.sock
---
# DestinationRule for traffic from the proxy to the Dikastes host.
# Despite the "-mtls" suffix in its name, this rule turns TLS off.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dikastes-mtls
  namespace: istio-system
spec:
  host: dikastes.calico.cluster.local
  trafficPolicy:
    tls:
      # No TLS on the authorization channel. The only endpoint this file defines
      # for the host is a Unix domain socket, so the channel's protection rests
      # on filesystem access to that socket rather than on transport encryption.
      # NOTE(review): revisit DISABLE if this host is ever given a TCP endpoint.
      mode: DISABLE
---
# EnvoyFilter that places an external-authorization check in front of inbound
# sidecar traffic: one patch for plain TCP filter chains, one for HTTP.
# Only SIDECAR_INBOUND is matched; outbound and gateway listeners are not
# touched by this resource.
# No workloadSelector is set. NOTE(review): if istio-system is the mesh's root
# namespace, this applies to every sidecar in the mesh - confirm that scope.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  configPatches:
  # Patch 1: TCP. Targets filter chains that contain tcp_proxy.
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.tcp_proxy
    patch:
      # Inserted ahead of tcp_proxy so the check runs before the connection
      # is proxied to the workload.
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.ext_authz
        # failure_mode_allow is not set, so Envoy's default (false) applies:
        # connections are refused when the authorization service cannot be
        # reached. Setting it to true would make the check fail open.
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          stat_prefix: dikastes
          grpc_service:
            envoy_grpc:
              # Must match the cluster generated for the ServiceEntry in this
              # file (port 1, host dikastes.calico.cluster.local); a mismatch
              # leaves the filter with no authorization service to call.
              cluster_name: "outbound|1||dikastes.calico.cluster.local"
  # Patch 2: HTTP. Targets the router filter inside http_connection_manager.
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      # Inserted immediately ahead of the router filter, so the check runs
      # before the request is routed to the workload.
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        # As in the TCP patch, failure_mode_allow is left at its default (false):
        # requests are denied when the authorization service is unavailable.
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          grpc_service:
            envoy_grpc:
              # Same cluster as the TCP patch; keep both values identical.
              cluster_name: "outbound|1||dikastes.calico.cluster.local"