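{{- /*
Istio AuthorizationPolicy that limits access to Argo CD at the ingress gateway
to the source ranges listed in .Values.istio.ipBlocks.

Rendered only when istio.enabled is set AND istio.ipBlocks is non-empty. With an
empty or missing ipBlocks list no policy is created, so no IP restriction applies.
*/ -}}
{{- if .Values.istio.enabled }}
{{- if .Values.istio.ipBlocks }}
{{- $argoHost := index .Values "argo-cd" "configs" "cm" "url" }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: argocd-deny-not-in-ipblocks
  # Lives in istio-system so the selector below can bind to the gateway workload.
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  # DENY policies are evaluated before ALLOW policies, so a match here rejects
  # the request regardless of any ALLOW rule defined elsewhere.
  action: DENY
  rules:
  - from:
    - source:
        # Matches every peer whose address is NOT in the allow-list.
        # NOTE(review): notIpBlocks is checked against the connection's source
        # address as seen by the gateway. If a load balancer or proxy in front
        # of the gateway does not preserve the client IP, all traffic appears to
        # come from that hop; confirm, or evaluate notRemoteIpBlocks instead.
        notIpBlocks:
        {{- toYaml .Values.istio.ipBlocks | nindent 8 }}
    to:
    - operation:
        # hosts is compared with the HTTP Host header using exact matching, so a
        # header that carries a port would not match the bare name. The second
        # entry covers the port-qualified form, following Istio's guidance for
        # host-match policies.
        # NOTE(review): assumes configs.cm.url holds a bare hostname, not a full
        # URL with scheme; with a scheme neither entry would ever match and the
        # policy would silently deny nothing. Confirm against the chart values.
        hosts:
        - {{ $argoHost | quote }}
        - {{ printf "%s:*" $argoHost | quote }}
    when:
    # Presence match: the rule only applies to connections that carry an SNI
    # value. NOTE(review): connections without SNI are not covered by this DENY;
    # confirm no such listener routes to Argo CD.
    - key: connection.sni
      values:
      - '*'
{{- end }}
{{- end }}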