apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: oauth-policy
spec:
  targetRefs:
    - name: istio-ingressgateway
      kind: Gateway
      group: gateway.networking.k8s.io
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts:
        - argo.k8s.io
        - monitoring.prow.k8s.io
    # we want to force auth to atlantis.k8s.io/* except /events
    - operation:
        hosts:
        - atlantis.k8s.io
        notPaths:
        - "/events"