{{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .Release.Name }}-keycloak-admin-deny-not-in-ipblocks
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  # block access to metrics via Ingress
  - to:
    - operation:
        hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
        paths: ["/metrics", "/realms/*/metrics"]
    when:
    - key: connection.sni
      values:
      - '*'
  {{- if .Values.keycloak.istio.admin.ipBlocks }}
  - from:
    - source:
        notIpBlocks:
        {{- toYaml .Values.keycloak.istio.admin.ipBlocks | nindent 8 }}
    to:
    - operation:
        hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
    when:
    - key: connection.sni
      values:
      - '*'
  {{- end }}
{{- end }}