{{- if .Values.experimental.stableValidationPolicy }}
# Rendered only when experimental.stableValidationPolicy is set in the chart values.
# Admission policy that rejects CREATE/UPDATE of every EnvoyFilter, WasmPlugin
# and ProxyConfig it selects, and of Telemetry objects that set one of the
# three fields tested in the last validation below.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  # The name embeds the revision (only when it is non-empty) and the Istio
  # namespace. The binding's policyName must render to exactly this string.
  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
  # Fail closed: if the policy cannot be evaluated (for example a CEL runtime
  # error), the request is rejected rather than admitted.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    # Every version and resource of the four Istio API groups, on create and
    # update only. "*" in resources covers resources but not subresources.
    - apiGroups:
        - security.istio.io
        - networking.istio.io
        - telemetry.istio.io
        - extensions.istio.io
      apiVersions: ["*"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["*"]
    objectSelector:
      # Selects objects labelled istio.io/rev with "default" (empty revision)
      # or with the configured revision.
      # NOTE(review): the In operator never matches an object that lacks the
      # istio.io/rev label, so unlabelled objects in these API groups are not
      # evaluated by this policy at all. Confirm that this is intended and
      # that such objects are not acted on by this control plane; otherwise
      # omitting the label sidesteps the restrictions below.
      matchExpressions:
        - key: istio.io/rev
          operator: In
          values:
          {{- if (eq .Values.revision "") }}
          - "default"
          {{- else }}
          - "{{ .Values.revision }}"
          {{- end }}
  # Named CEL sub-expressions, one per restricted kind; each is true when the
  # incoming object's kind equals the quoted name.
  variables:
    - name: isEnvoyFilter
      expression: "object.kind == 'EnvoyFilter'"
    - name: isWasmPlugin
      expression: "object.kind == 'WasmPlugin'"
    - name: isProxyConfig
      expression: "object.kind == 'ProxyConfig'"
    - name: isTelemetry
      expression: "object.kind == 'Telemetry'"
  # Each expression must evaluate to true for the request to pass.
  # NOTE(review): none of the validations sets message or messageExpression,
  # so a rejected request carries only the API server's default failure text.
  # Consider adding a message that names the restricted kind or field.
  validations:
    # These three kinds are rejected outright, whatever their content.
    - expression: "!variables.isEnvoyFilter"
    - expression: "!variables.isWasmPlugin"
    - expression: "!variables.isProxyConfig"
    # Telemetry is rejected only when some entry of spec.tracing sets
    # useRequestIdForTraceSampling, some entry of spec.metrics sets
    # reportingInterval, or some entry of spec.accessLogging sets filter.
    # The has(...) ? ... : {} ternary substitutes an empty map when the field
    # is absent, so exists() returns false instead of failing on a missing
    # field (which failurePolicy: Fail would turn into a rejection).
    # The expression reads object.spec without a has() guard.
    - expression: |
        !(
          variables.isTelemetry && (
            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
          )
        )
---
# Binding that puts the stable-channel policy into effect. A
# ValidatingAdmissionPolicy is not enforced until a binding references it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  # Same revision/namespace suffix scheme as the policy name.
  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
  # Must render to the policy's metadata.name; the template expression here
  # is the same one used there, so keep the two in sync when editing either.
  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
  # No matchResources is given, so the binding does not narrow the policy's
  # own matchConstraints any further.
  # Deny rejects the request on a failed validation. Warn and Audit are not
  # listed, so a violation yields no warning or audit annotation.
  validationActions: [Deny]
# Closes the stableValidationPolicy conditional opened at the top of the file.
{{- end }}