authentik/website/docs/providers/proxy/_envoy_istio.md

Set the following settings on the _IstioOperator_ resource:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
    name: istio
    namespace: istio-system
spec:
    meshConfig:
        extensionProviders:
            - name: "authentik"
              envoyExtAuthzHttp:
                  # Replace with <service-name>.<namespace>.svc.cluster.local
                  service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
                  port: "9000"
                  pathPrefix: "/outpost.goauthentik.io/auth/envoy"
                  headersToDownstreamOnAllow:
                      - cookie
                  headersToUpstreamOnAllow:
                      - set-cookie
                      - x-authentik-*
                  includeRequestHeadersInCheck:
                      - cookie
```

Afterwards, you can create _AuthorizationPolicy_ resources to protect your applications like this:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
    name: authentik-policy
    namespace: istio-system
spec:
    selector:
        matchLabels:
            istio: ingressgateway
    action: CUSTOM
    provider:
        name: "authentik"
    rules:
        - to:
              - operation:
                    hosts:
                        # You can create a single resource and list all Domain names here, or create multiple resources
                        - "app.company"
```
outposts/proxyv2: add basic envoy support (#3026) * outposts/proxyv2: add basic envoy support Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * don't crash when backend is not available Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add envoy tests and docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-02 22:06:09 +00:00			`Set the following settings on the _IstioOperator_ resource:`

			```yaml
			`apiVersion: install.istio.io/v1alpha1`
			`kind: IstioOperator`
			`metadata:`
			`name: istio`
			`namespace: istio-system`
			`spec:`
			`meshConfig:`
			`extensionProviders:`
			`- name: "authentik"`
			`envoyExtAuthzHttp:`
			`# Replace with <service-name>.<namespace>.svc.cluster.local`
			`service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"`
			`port: "9000"`
providers/proxy: envoy v2 (#3029) * add path prefix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * use prefix correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * only set redirect if session doesn't have a redirect yet Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-03 08:32:52 +00:00			`pathPrefix: "/outpost.goauthentik.io/auth/envoy"`
outposts/proxyv2: add basic envoy support (#3026) * outposts/proxyv2: add basic envoy support Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * don't crash when backend is not available Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add envoy tests and docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-02 22:06:09 +00:00			`headersToDownstreamOnAllow:`
			`- cookie`
			`headersToUpstreamOnAllow:`
			`- set-cookie`
			`- x-authentik-*`
			`includeRequestHeadersInCheck:`
			`- cookie`
			```

			`Afterwards, you can create _AuthorizationPolicy_ resources to protect your applications like this:`

			```yaml
			`apiVersion: security.istio.io/v1beta1`
			`kind: AuthorizationPolicy`
			`metadata:`
			`name: authentik-policy`
			`namespace: istio-system`
			`spec:`
			`selector:`
			`matchLabels:`
			`istio: ingressgateway`
			`action: CUSTOM`
			`provider:`
			`name: "authentik"`
			`rules:`
			`- to:`
			`- operation:`
			`hosts:`
			`# You can create a single resource and list all Domain names here, or create multiple resources`
			`- "app.company"`
			```