---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: modsecurity-crs
  namespace: clover-gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: modsecurity-crs
  template:
    metadata:
      labels:
        app: modsecurity-crs
    spec:
      containers:
        - name: modsecurity-crs
          image: opnfv/clover-ns-modsecurity-crs
          ports:
            - containerPort: 80
          env:
            - name: PARANOIA
              value: '1'
---
apiVersion: v1
kind: Service
metadata:
  name: modsecurity-crs
  namespace: clover-gateway
spec:
  type: NodePort
  ports:
  - port: 80
    name: http-modsecurity-crs
    protocol: TCP
    targetPort: 80
  selector:
    app: modsecurity-crs
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: clover-gateway
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - insertPosition:
      index: FIRST
    listenerMatch:
      portNumber: 80
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      http_service:
        server_uri:
          uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
          cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
          timeout: 0.5s
      failure_mode_allow: false
---