reverify for istio 1.21; add certs; easier jwt validation; verify thi…

…ngs still work
salrashid123 · Apr 4, 2024 · 89b015a · 89b015a
1 parent 08146f9
commit 89b015a
Show file tree

Hide file tree

Showing 25 changed files with 475 additions and 458 deletions.
diff --git a/README.md b/README.md
diff --git a/all-gke.yaml b/all-gke.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: v1
 data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEempDQ0FyYWdBd0lCQWdJQlZEQU5CZ2txaGtpRzl3MEJBUXNGQURCM01Rc3dDUVlEVlFRR0V3SlZVekVUDQpNQkVHQTFVRUNCTUtRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCeE1OVFc5MWJuUmhhVzRnVm1sbGR6RVBNQTBHDQpBMVVFQ2hNR1IyOXZaMnhsTVJNd0VRWURWUVFMRXdwRmJuUmxjbkJ5YVhObE1SVXdFd1lEVlFRREV3eFVaWE4wDQpRMEZtYjNKRlUwOHdIaGNOTVRjeE1qSTBNVGd4TnpRMldoY05NakF3TmpFeE1UZ3hOelEyV2pCd01Rc3dDUVlEDQpWUVFHRXdKVlV6RVRNQkVHQTFVRUNCTUtRMkZzYVdadmNtNXBZVEVQTUEwR0ExVUVDaE1HUjI5dloyeGxNUk13DQpFUVlEVlFRTEV3cEZiblJsY25CeWFYTmxNU1l3SkFZRFZRUURFeDFuYTJVdVpHVm1ZWFZzZEM1emRtTXVZMngxDQpjM1JsY2k1c2IyTmhiRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNQmF0WDQ3DQpVbzJjNUYyNXUrN2VlQ3Y2Vk1nVUtJN3Q1ZElldmtVWDAwY2tzby8yOXRkTmV4TkJJTE1za2VzOXRHaUQyVGRwDQppVWZrakRwUHYzalFnQlZUamIvSkl0eXN0NHNJc3VNbExGZGNTeDJUdDBNbWJrTCtLcU4wQVUxTlZUVGJVS2VlDQpkSWVXaGM1cE5nbUF4NHN4dldIVFNQTmpXNHBXYlB3RHVmdDJQVXFmaVR1cmFwaCs0M1lySnNIcjJhTWNxK0NZDQpodXZ4bFFCRWdjcGZydnFyUXU5a0wwN1dBcDhTUi9LcE9CUzZGNmQyQ3lCUnB0eU9jODYxR1BWa3lkRGhUQ0VGDQo3cWY3L2lUU2VEelB3aW10VlBiYjVhNkcyZFczQlpwVlNsZzlza2k0VHRrNGNiQk85bk5iOWVYVUd0bjkyWmlRDQptb09sSFFpRlo1NytvcVVDQXdFQUFhTnNNR293Q1FZRFZSMFRCQUl3QURBc0JnbGdoa2dCaHZoQ0FRMEVIeFlkDQpUM0JsYmxOVFRDQkhaVzVsY21GMFpXUWdRMlZ5ZEdsbWFXTmhkR1V3SWdZRFZSMFJCQnN3R1lJWGJXbHVaWEpoDQpiQzVsYzI5a1pXMXZZWEJ3TWk1amIyMHdDd1lEVlIwUEJBUURBZ1hnTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCDQpBUUNPZGJ0aEVseStoU2ZzbnpiTkk2N21xbnhoWXppWWVYZzR0ZTFCZmtxam43QUVnU2NuNm1UWVVCQ1JjUUxNDQpPVlQ2b0JwVUZtZkJtOUlsWVFGYU1VUzVPUDNyVEZQU21DUFBDRnhJdzQvZlJWSVZnL3BjM244MEU1QlZ4bWZEDQpBM1FnZ0RiSWlUWDVCbis4RG16M0swb2szWUZpRkIxNHhFMzlnVkYzMWVyaHY2cWdXNWFuMyt4SUhRRmh2Yk1yDQppWG1RamcyeFIzNmFmMTYvdmFPN2ErNlJSZDhteS95Z04rT2l3RUNuTTdqQ1Z5R0NDQ1UrYjRXd1VKS2hUbmZVDQp2SDBUcWxtT1dsTmticDV6bUVqMWl1emJlYkw4MUI3czNhUjNXdnBIQjY2LzBkeGNTU0dXTkhvR0xhZmc2YldlDQphS29wZjVqQzEwRXdhbkRza09TV3g1T2kNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
-  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUlJRXBBSUJBQUtDQVFFQXdGcTFmanRTalp6a1hibTc3dDU0Sy9wVXlCUW9qdTNsMGg2K1JSZlRSeVN5ai9iMg0KMTAxN0UwRWdzeXlSNnoyMGFJUFpOMm1KUitTTU9rKy9lTkNBRlZPTnY4a2kzS3kzaXdpeTR5VXNWMXhMSFpPMw0KUXladVF2NHFvM1FCVFUxVk5OdFFwNTUwaDVhRnptazJDWURIaXpHOVlkTkk4Mk5iaWxacy9BTzUrM1k5U3ArSg0KTzZ0cW1IN2pkaXNtd2V2Wm94eXI0SmlHNi9HVkFFU0J5bCt1K3F0QzcyUXZUdFlDbnhKSDhxazRGTG9YcDNZTA0KSUZHbTNJNXp6clVZOVdUSjBPRk1JUVh1cC92K0pOSjRQTS9DS2ExVTl0dmxyb2JaMWJjRm1sVktXRDJ5U0xoTw0KMlRoeHNFNzJjMXYxNWRRYTJmM1ptSkNhZzZVZENJVm5udjZpcFFJREFRQUJBb0lCQVFDTFNlUTlHWFlKS0FCUw0KUW1udGFsbTQ5dGduM2prVWJ2N0o3Z3MzK3kyNlNiK244bDBDd1krSy9ORlNEY2RJZ25FK2NhTjh0Y1o4TWVxOQ0KV3Z3NjN6aXd1TVZmaUtYZkNJOE1kZXNjQXRJZUhLNGtKOUJBSnZjWE9mZmtUdCtXZTVaazVSOTlrWWV1bTNnZg0KWlI2Rk9TVEdEZW1taWhvOGJNbGYzbitpNm92bG81RzZnMFh4RmdzMkRJdGtmS3o5b1VIelpKTkdMZ01WKzREWQ0KRDh4UEdiNHpUaEFxYkx3ODFpTkpJWTVvNlBpQlpTWnkvcnl0RjRKdjdtMWhURXVvNmd6YzV1c3h0OGFHVjJhYg0KS0ZiT29scDc3NlRFYlhmQ09lbndMWVQ0dWFURkdZY0pnZ1llZUNuTU9EN1RkaFhRRUVSVmVIUllFQkJNN2ZHOA0KUVF0c014b2hBb0dCQVBNb3FTT3hWZ3o0c0FrSDI2UTA1aFA4a0FWRG9LaUNZMjNzUzZHZWlkaUVtOXkrcktnLw0KTVNUZmtZTlJyRjRaTGdrT3MrOWV0NkpyVTIzSVRWdHgvWU11Wm9CNkRZYzRDSk1FSXBvaDB5NGxKRDNISkZRUw0KUG51ZE5rTTd3Nkh5VmYvNm53ci9RekFxNjUzUHdueDJINDhXdlVxaW5wb09CTWxOUlVxOXdtMFpBb0dCQU1xRA0KTk9DRTI3ZEo2NTUwemhZQ1phTXdHNnIyVzBrTnE0YWVySDYyUVJUUjFwdzVFc09nT0xiT0E4R2ZKczBaVWdaKw0KWE5Zblh0MkpLK1FEM0dDV3hxL21nbE5WUXgxVm11OWpqNlcxSW9takxXNW01OHg1c01EY2h0Wi85T3dPTTdhSw0KR1l3dElHK3pOK0kzNUErSE0rQ3FlTDNlQk9iVFZmSXpUWlF3M29kdEFvR0JBTHJVYkJrcm9iVjN3ekk5SW1zcA0KNWZwSFhaVmQzK3g1dXRIejlDeXJOcmp4TXh6S09MbFJUSDVMZFcvVDZqK20wek5NWTc2eEpTR2JtMC9Iem9CTA0KdG9EN3Z2QktWMmlsQ2htRDNONVd6UDh3dElidkl4K2hvUGF6MWNTVS8vekh5WUpVVzYxRWNxaG80ZjZ3YW52Yw0KK3VTamtTL3VnVFJYUHlBNHlkdmlyNmZKQW9HQVY0MnVXTHRYK3NCY3U5OG9FbC9xN1VpcFRackJFSzUyVC9kZQ0KQUZKdmhMN01HREtjcURNbkVmR3pzZ3hLekRWOFB3NTJ1S2ZBM2VxbUxTaDJLTlJIQmxtVVVzN3orMFM5ZlczLw0KOXRaL0hoNk1UOFR4eG5kK01ZT21VQ3AyQzNDQWJ4VDV3cDduL1NMd3NEOFZ2SmpwbHVKYzNVbVZ1TzM1cElNRg0Kc1dJSGMya0NnWUJpYStScXVaYSsrZzE3KzVvRG5IRy94N0svOWlwZVBmTTU4T2w5Nk8xSjhUazkzdlhpNTZWeg0KNlBMUjRnL2JEWThSTmlvRHhCRnhrOXpIZG4vZ2UwditOZ0E0bllhYmRNTDB5eXo1Z3lRZHlmM2ZFdi81K0VxNg0KdzNYWmwrNEhrVXl3Z0NTc1pORGtiTVNXWEdPZmdQTm9YOGdHQ3F3WHRtelVMUENJdFk1S09RPT0NCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLekNDQXhPZ0F3SUJBZ0lCRFRBTkJna3Foa2lHOXcwQkFRc0ZBREJNTVFzd0NRWURWUVFHRXdKVlV6RVAKTUEwR0ExVUVDZ3dHUjI5dloyeGxNUk13RVFZRFZRUUxEQXBGYm5SbGNuQnlhWE5sTVJjd0ZRWURWUVFEREE1VAphVzVuYkdVZ1VtOXZkQ0JEUVRBZUZ3MHlOREEwTURNeE16UXdNRFJhRncwek5EQTBNRE14TXpRd01EUmFNRTR4CkN6QUpCZ05WQkFZVEFsVlRNUTh3RFFZRFZRUUtEQVpIYjI5bmJHVXhFekFSQmdOVkJBc01Da1Z1ZEdWeWNISnAKYzJVeEdUQVhCZ05WQkFNTUVHbHpkR2x2TG1SdmJXRnBiaTVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQQpBNElCRHdBd2dnRUtBb0lCQVFEU0lWZjJuNVgvN1VlYWlFWUVjOE1DWHlCa3pxZjkzdkR0RXVtbWtjMDNtOU9CCkE2VjU4cFlDR3owemUyc2NYVUFieUdyQ2l2N1FQMXZZdkFkMmpFMHlmbHV3aXBiUmJrNW1pdnZHOHZWR2xqUlkKZ0JrSkc1OExkNXZVaG45cjF1VTdtTjFCSkh4MTkvTVdPbEtsc1pmM3U0bXZFR3ZZUThJbW9yY2FDNXVlK0Fqcgp4eFc3WHQxZms3QkRKY3V5SlRHTm5sdmsyeGlBdGZ1d2tvbmxBUjR1WW4rQ2JDWVZ1aG5oK2NIYmpHVlh5SnNhClVnNWYrTDg4V0poU2YzL0F1cXpuMDhWclNOc01sL1JJcUN3ak16WU5pei9FMUJMSFprZzNLSmE2SGsySWx1YkUKemhGZHNvcVc4d05ISEdsbkN3LzRMOCtubW1qenUxUDI1bkVSZUhLVkFnTUJBQUdqZ2dFVU1JSUJFREFPQmdOVgpIUThCQWY4RUJBTUNCNEF3Q1FZRFZSMFRCQUl3QURBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQWRCZ05WCkhRNEVGZ1FVMDByeTlHNkhOSTRYL1BCZ0FZbFVsUkhyU0Vvd0h3WURWUjBqQkJnd0ZvQVU3UERxVTFNL255UGMKd1E0eEVEY0gzdDduYnZNd1JRWUlLd1lCQlFVSEFRRUVPVEEzTURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dgpjR3RwTG1WemIyUmxiVzloY0hBeUxtTnZiUzlqWVM5eWIyOTBMV05oTG1ObGNqQTZCZ05WSFI4RU16QXhNQytnCkxhQXJoaWxvZEhSd09pOHZjR3RwTG1WemIyUmxiVzloY0hBeUxtTnZiUzlqWVM5eWIyOTBMV05oTG1OeWJEQWIKQmdOVkhSRUVGREFTZ2hCcGMzUnBieTVrYjIxaGFXNHVZMjl0TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBVwplR0hLN2RYZkpzRGxjT2JLR012UXFZbnhid2FpQ25YZGFqZk8zUGZjYWVqM3Z4NTZCRVd1K1BJOUJNTy9zcWtVClNrUWwyS1RzbXJ0S1NwOThkck13WHNCRWZUZm9ocUhqRTdvYUJlNUpOZEFNMHdHdzJkR0NoU2t5WXhlVDFkU0YKVTFFQmxkNXVrZFpBMGpPZnkxeExGSVNGdFRldEQ1ZjZMdXFOYXl2eUQ1VFJZZkE4NTc0dFlDOC9IWS9QcDRRNwpNWXpETGwxUCtxUFBGVXY2bUFjZzM1SHBFYlQ5WWxoQ1hEZ2MwdzBpRWR6bnk5QXN4QWp2bitkYm81M1U4REtyCnVPRnRDVVg5YnFNYjk3Q3p2bUp5SFJFbGF3SjFUY2J0SjhJVVYyTWJNZHVmeUJ6eS92R21QVXo0bk94UVFDcUgKYXFoOUlXOHJhdTJ3ZFZFd3A4NnYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRFNJVmYybjVYLzdVZWEKaUVZRWM4TUNYeUJrenFmOTN2RHRFdW1ta2MwM205T0JBNlY1OHBZQ0d6MHplMnNjWFVBYnlHckNpdjdRUDF2WQp2QWQyakUweWZsdXdpcGJSYms1bWl2dkc4dlZHbGpSWWdCa0pHNThMZDV2VWhuOXIxdVU3bU4xQkpIeDE5L01XCk9sS2xzWmYzdTRtdkVHdllROEltb3JjYUM1dWUrQWpyeHhXN1h0MWZrN0JESmN1eUpUR05ubHZrMnhpQXRmdXcKa29ubEFSNHVZbitDYkNZVnVobmgrY0hiakdWWHlKc2FVZzVmK0w4OFdKaFNmMy9BdXF6bjA4VnJTTnNNbC9SSQpxQ3dqTXpZTml6L0UxQkxIWmtnM0tKYTZIazJJbHViRXpoRmRzb3FXOHdOSEhHbG5Ddy80TDgrbm1tanp1MVAyCjVuRVJlSEtWQWdNQkFBRUNnZ0VBWDJlVE5CN3Q4R2FQc1pwNHk5R3hjelMwbFFCOUpwZGY1UXZHdVFHTzN0WXAKdC9Sclg4eGtEbTNHb2tiQmNYM25PeFlLWHV6VDE4SkVsY2w5Uy9aVW9IM2RiSERvSEF1TW5pTXhRSG1VSW1uVgpOMjlscm94emNEWHNzeGdqNTFjSStqK2tDVTBqRXo2eUNHQVBvVHBhYUxpbHdTM2dBUzkyaWFzc0hpK3lCd0Q5CkVuNGt0Sld2K01halNzVHViWlpMYXBTeUJhczl2WG5YNHIrZ0g0a1dTZzJIUFQweitObDhkUFppVDhQTEZybXUKczFlU2YzNlRaazJacm1rT1lnKzNTa3Q1dGQ4eXJlcG5neTFHTnBaZ1grK044STcxN1dHdU55Zm5zQzFjSXRGaQphRTNDTmNJQUJybEVDUDJ1N3dYMVNHRk83TWJIYjIzelkwUUZTS2NHK3dLQmdRRHBUK1ZkcUhlM1JSN2pPOVg4Cml5S1VZdXJRYXhuNnZwZWxCZGNkWG1hcm4rbm1NZ0dUNkRHdC9BVnJtOGRxcjNJaE5hOGFUV25NSGw5b0srQWYKVG11Rm9BYjk4QUE1ZkFoRUN4VTVySWl3NHJ4dlNUNlJBbWtpcmlJc3VVRlV6V1dyd1A3dGtERE5DaVQydVM5UQpuUmlwVmlKV1N5SG11eCtNdVp1WUdEMGUzd0tCZ1FEbWtGc0VkQXk2YlZxWEF6a2pMR3lXUUMzTWlsWFN5VExNCmVqMFp2Zk9wbUkwMTBrNnhxb0hLTmJGT0dKYWpUV0U0OVZaNWNtbkNBNUNxTmxXd29USjRodTRFdytrWkV3S3AKU2NuWHB1NUJaMXdNdWpvQ1kxMVQvSmdjVGcyTVhXczNRZ0s2OXh0akZCaVBzZEZnallJeEt4TWcwb2FLQVdXWApUSlBDNmE3QkN3S0JnRWNoQUlCSk9CWTdrR3NlZHVLRFdJdDhqTEgxdFBubzJUcUtTVWErM1BZOXpvVkxnWWVpCkptTXdqa1o4TzVPZTRXQ1dpVWV2aWkyY3BPR1JYc2FzbGNNclFuWndrT0QxbTErRE1YbGZ6RnlCQTRtNS9zVWUKd3dhN3A5ZVNzd1F6aW1lT2N5bmg1NzdhOU9Iekd5V3NmelJBK2o3c3NPMHk1eTl6OXFlcjNCWnBBb0dBUkRZLwpCMEZDSnNHRmhKbnFoSkozQ2JpeEZBdDFPcWhWeEJNQ0VxU1UrdjdzQUJsWk9Nem1HeW5wYTk1d2FwM1EvcVh1CjBIMWQ5bzFSZGxvZTNlUEM1OCtiaVlOZ2FnK3F3T1RZdDFsbXNhamZuZEJXcXpBMGcwMSt2eGtFZnh1QVJkZmMKc08yOGg0S0JoYm1vNVRUWWFLMkN1am91blpPdU42WHJMVVl2Y21NQ2dZRUFqSzBENkVCU3NDbkNjdXdFeWdtZgpKM0JaN1VqRHhXeHpUVWFLVTl1T0lsUklJUkpvcCsxdnFWYUU0dWh2MVBjd1J0V1YvRXByeXNLVHdHbUt0a1l4CmpaRkJDRkloTzl2M1lncTNMcW1hUEE1Tk5BT0ZSZ2tJUCtCNEs4NkNwR1ZIcE1SYVBaWFBKRFFELzJidjRaSm4KMXNMVUtVSEZZM0VoRUZXd0UwUEZLK2c9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
 kind: Secret
 metadata:
   name: istio-ingress-certs

diff --git a/auth_rbac_policy/alice.tmpl b/auth_rbac_policy/alice.tmpl
@@ -0,0 +1,7 @@
+{
+  "iss": "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app",
+  "exp": $EXP,
+  "iat": $IAT,
+  "sub": "alice",
+  "aud": "https://svc1.example.com"
+}
diff --git a/auth_rbac_policy/auth-policy.yaml.tmpl → auth_rbac_policy/auth-policy.yaml b/auth_rbac_policy/auth-policy.yaml.tmpl → auth_rbac_policy/auth-policy.yaml
@@ -25,12 +25,12 @@ spec:
     matchLabels:
       app: istio-ingressgateway
   jwtRules:
-  - issuer: "$SA_EMAIL"
+  - issuer: "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"
     audiences:
     - "https://foo.bar"
     - "https://svc1.example.com"
     - "https://svc2.example.com"       
-    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/$SA_EMAIL" 
+    jwksUri: "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app/certs" 
     forwardOriginalToken: true
 ---
 apiVersion: security.istio.io/v1beta1
@@ -48,7 +48,7 @@ spec:
        methods: ["GET"]
    when:
    - key: request.auth.claims[iss]
-     values: ["[email protected]"]
+     values: ["https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"]
 ---
 apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
@@ -59,10 +59,10 @@ spec:
     matchLabels:
       app: svc1
   jwtRules:
-  - issuer: "$SA_EMAIL"
+  - issuer: "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"
     audiences:
     - "https://svc1.example.com"
-    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/$SA_EMAIL" 
+    jwksUri: "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app/certs" 
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -79,7 +79,7 @@ spec:
        methods: ["GET"]
    when:
    - key: request.auth.claims[iss]
-     values: ["$SA_EMAIL"]
+     values: ["https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"]
    - key: request.auth.claims[aud]
      values: ["https://svc1.example.com"]       
 ---
@@ -92,10 +92,10 @@ spec:
     matchLabels:
       app: svc2
   jwtRules:
-  - issuer: "$SA_EMAIL"
+  - issuer: "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"
     audiences:
     - "https://svc2.example.com"
-    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/$SA_EMAIL" 
+    jwksUri: "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app/certs" 
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -115,7 +115,7 @@ spec:
   #      principals: ["cluster.local/ns/default/sa/svc1-sa"] 
    when:
    - key: request.auth.claims[iss]
-     values: ["$SA_EMAIL"]
+     values: ["https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"]
    - key: request.auth.claims[aud]
      values: ["https://svc2.example.com"]
   # - key: request.auth.claims[groups]

diff --git a/auth_rbac_policy/bob.tmpl b/auth_rbac_policy/bob.tmpl
@@ -0,0 +1,11 @@
+{
+  "groups": [
+    "group1",
+    "group2"
+  ],
+  "sub": "bob",
+  "exp": $EXP,
+  "iat": $IAT,
+  "iss": "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app",
+  "aud": "https://svc2.example.com"
+}
diff --git a/auth_rbac_policy/bob_no_groups.tmpl b/auth_rbac_policy/bob_no_groups.tmpl
@@ -0,0 +1,7 @@
+{
+  "sub": "bob",
+  "exp": $EXP,
+  "iat": $IAT,
+  "iss": "https://idp-on-cloud-run-3kdezruzua-uc.a.run.app",
+  "aud": "https://svc2.example.com"
+}
diff --git a/auth_rbac_policy/firebase_cli/auth-policy-fb.yaml b/auth_rbac_policy/firebase_cli/auth-policy-fb.yaml
diff --git a/auth_rbac_policy/firebase_cli/fb_token.py b/auth_rbac_policy/firebase_cli/fb_token.py
diff --git a/auth_rbac_policy/firebase_cli/requirements.txt b/auth_rbac_policy/firebase_cli/requirements.txt
diff --git a/auth_rbac_policy/istio-fe-svc1-fe-svc2.yaml b/auth_rbac_policy/istio-fe-svc1-fe-svc2.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: svc1-virtualservice
@@ -13,7 +13,7 @@ spec:
     - destination:
         host: svc1      
 ---
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: svc1-destination
@@ -25,7 +25,7 @@ spec:
     loadBalancer:
       simple: ROUND_ROBIN      
 ---
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: svc2-virtualservice
@@ -40,7 +40,7 @@ spec:
     - destination:
         host: svc2    
 ---
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: svc2-destination

diff --git a/auth_rbac_policy/jwt_cli/main.py b/auth_rbac_policy/jwt_cli/main.py
diff --git a/auth_rbac_policy/jwt_cli/requirements.txt b/auth_rbac_policy/jwt_cli/requirements.txt