{{- range $name, $service := .Values.istio }}

{{- if and $service.enabled $service.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ $name }}-deny-not-in-ipblocks
  namespace: istio-system
  labels:
{{ include "kubezero-lib.labels" $ | indent 4 }}
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notIpBlocks:
        {{- toYaml $service.ipBlocks | nindent 8 }}
    to:
    - operation:
        hosts: ["{{ $service.url }}"]
---
{{- end }}
{{- end }}