istio-controlplane.yaml

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istiocontrolplane
spec:
  profile: minimal
  components:
    ingressGateways:
    - name: ingressgateway
      namespace: istio-system
      enabled: true
      label:
        # Set a unique label for the gateway. This is required to ensure Gateways
        # can select this workload
        istio: ingressgateway
      k8s:
        service:
          type: LoadBalancer
          # Change ip to ip of loadbalancer
          externalIPs:
            - 10.10.10.1
          loadBalancerIP: 10.10.10.1

          # type: NodePort
          # ports:
          # - port: 80
          #   targetPort: 8080
          #   nodePort: 30080
          #   name: http
          # - port: 443
          #   targetPort: 8443
          #   nodePort: 30443
          #   name: https
    pilot:
      enabled: true
  meshConfig:
    extensionProviders:
    - name: "oauth2-proxy"
      envoyExtAuthzHttp:
        service: "oauth2-proxy.demo.svc.cluster.local"
        port: "80"
        headersToDownstreamOnDeny:
          - content-type
          - set-cookie
        headersToUpstreamOnAllow:
          - authorization
          - cookie
          - path
          - x-auth-request-access-token
          - x-forwarded-access-token
        includeHeadersInCheck:
          - "cookie"
          - "x-forwarded-access-token"
          - "x-forwarded-user"
          - "x-forwarded-email"
          - "authorization"
          - "x-forwarded-proto"
          - "proxy-authorization"
          - "user-agent"
          - "x-forwarded-host"
          - "from"
          - "x-forwarded-for"
          - "accept"
        includeAdditionalHeadersInCheck:
          authorization: '%REQ(x-auth-request-access-token)%'
  values:
    gateways:
      istio-ingressgateway:
        # Enable gateway injection
        injectionTemplate: gateway