Operatorless Istio with CORE packages only SKIP UPGRADE DEBUG

49b82d89 · Greg M · Michael Martin · 3ef346fc · 49b82d89 · 49b82d89
Commit 49b82d89 authored 1 month ago by Greg M Committed by Michael Martin 1 month ago
--- a/chart/templates/istio-gateway-passthrough/helmrelease.yaml
+++ b/chart/templates/istio-gateway-passthrough/helmrelease.yaml
+{{- $fluxSettingsIstioGatewayPassthrough := merge .Values.istioGatewayPassthrough.flux .Values.flux -}}
+{{- if and .Values.istioCore.enabled .Values.istioGatewayPassthrough.enabled }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: passthrough-ingressgateway
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: istio-gateway
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" $ | nindent 4}}
+  annotations:
+    checksum/bigbang-values: {{ include (print $.Template.BasePath "/istio-gateway-passthrough/values.yaml") $ | sha256sum }}
+spec:
+  releaseName: passthrough-ingressgateway
+  targetNamespace: istio-gateway
+  chart:
+    spec:
+      {{- if eq $.Values.istioGatewayPassthrough.sourceType "git" }}
+      chart: {{ $.Values.istioGatewayPassthrough.git.path }}
+      sourceRef:
+        kind: GitRepository
+        name: istio-gateway-passthrough
+        namespace: {{ $.Release.Namespace }}
+      {{- else }}
+      chart: {{ $.Values.istioGatewayPassthrough.helmRepo.chartName }}
+      version: {{ $.Values.istioGatewayPassthrough.helmRepo.tag }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ $.Values.istioGatewayPassthrough.helmRepo.repoName }}
+        namespace: {{ $.Release.Namespace }}
+      {{- $repoType := include "getRepoType" (dict "repoName" $.Values.istioGatewayPassthrough.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}}
+      {{- if (and $.Values.istioGatewayPassthrough.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+      verify:
+        provider: cosign
+        secretRef:
+          name: {{ printf "%s-cosign-pub" $.Values.istioGatewayPassthrough.helmRepo.repoName }}
+      {{- end }}
+      {{- end }}
+      interval: 5m
+
+  {{- toYaml $fluxSettingsIstioGatewayPassthrough | nindent 2 }}
+
+  {{- if $.Values.istioGatewayPassthrough.postRenderers }}
+  postRenderers:
+  {{ toYaml $.Values.istioGatewayPassthrough.postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ $.Release.Name }}-istio-gateway-passthrough-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ $.Release.Name }}-istio-gateway-passthrough-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ $.Release.Name }}-istio-gateway-passthrough-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  dependsOn:
+    - name: istio-core
+      namespace: {{ $.Release.Namespace }}
+    {{- if $.Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+    {{- if $.Values.kyvernoPolicies.enabled }}
+    - name: kyverno-policies
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+{{- end }}
--- a/chart/templates/istio-gateway-passthrough/imagepullsecret.yaml
+++ b/chart/templates/istio-gateway-passthrough/imagepullsecret.yaml
+{{- if and .Values.istioGatewayPassthrough.enabled ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry-passthrough
+  namespace: istio-gateway
+  labels:
+    app.kubernetes.io/name: istio-gateway-passthrough
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
--- a/chart/templates/istio-gateway-passthrough/values.yaml
+++ b/chart/templates/istio-gateway-passthrough/values.yaml
+{{- $pkg := "istioGatewayPassthrough" }}
+
+{{- /* Create secret */ -}}
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" ($pkg | kebabcase) "defaults" (include (printf "bigbang.defaults.%s" $pkg | kebabcase) .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.istio-gateway-passthrough" -}}
+createNamespace: true
+
+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+imagePullSecrets:
+  - name: private-registry-passthrough
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+labels:
+  istio: ingressgateway
+
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
+gateway:
+  servers:
+  - hosts:
+    - '*.{{ .Values.domain }}'
+    port:
+      name: http
+      number: 8080
+      protocol: HTTP
+    tls:
+      httpsRedirect: true
+  - hosts:
+    - '*.{{ .Values.domain }}'
+    port:
+      name: https
+      number: 8443
+      protocol: HTTPS
+    tls:
+      mode: PASSTHROUGH
+{{- end -}}
\ No newline at end of file
--- a/chart/templates/istio-gateway-public/git-credentials.yaml
+++ b/chart/templates/istio-gateway-public/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "istioGatewayPublic"
+  "targetScope" .Values.istioGatewayPublic
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/istio-gateway-public/gitrepository.yaml
+++ b/chart/templates/istio-gateway-public/gitrepository.yaml
+{{- if and (eq .Values.istioGatewayPublic.sourceType "git") (not .Values.offline) .Values.istioGatewayPublic.enabled }}
+{{- $gitCredsDict := dict
+  "name" "istioGatewayPublic"
+  "packageGitScope" .Values.istioGatewayPublic.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: istio-gateway-public
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: istio-gateway-public
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.istioGatewayPublic.git.repo }}
+  ref:
+    {{- include "validRef" .Values.istioGatewayPublic.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}
--- a/chart/templates/istio-gateway-public/helmrelease.yaml
+++ b/chart/templates/istio-gateway-public/helmrelease.yaml
+{{- $fluxSettingsIstioGatewayPublic := merge .Values.istioGatewayPublic.flux .Values.flux -}}
+{{- if and .Values.istioCore.enabled .Values.istioGatewayPublic.enabled }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: public-ingressgateway
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: istio-gateway
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" $ | nindent 4}}
+  annotations:
+    checksum/bigbang-values: {{ include (print $.Template.BasePath "/istio-gateway-public/values.yaml") $ | sha256sum }}
+spec:
+  releaseName: public-ingressgateway
+  targetNamespace: istio-gateway
+  chart:
+    spec:
+      {{- if eq $.Values.istioGatewayPublic.sourceType "git" }}
+      chart: {{ $.Values.istioGatewayPublic.git.path }}
+      sourceRef:
+        kind: GitRepository
+        name: istio-gateway-public
+        namespace: {{ $.Release.Namespace }}
+      {{- else }}
+      chart: {{ $.Values.istioGatewayPublic.helmRepo.chartName }}
+      version: {{ $.Values.istioGatewayPublic.helmRepo.tag }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ $.Values.istioGatewayPublic.helmRepo.repoName }}
+        namespace: {{ $.Release.Namespace }}
+      {{- $repoType := include "getRepoType" (dict "repoName" $.Values.istioGatewayPublic.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}}
+      {{- if (and $.Values.istioGatewayPublic.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+      verify:
+        provider: cosign
+        secretRef:
+          name: {{ printf "%s-cosign-pub" $.Values.istioGatewayPublic.helmRepo.repoName }}
+      {{- end }}
+      {{- end }}
+      interval: 5m
+
+  {{- toYaml $fluxSettingsIstioGatewayPublic | nindent 2 }}
+
+  {{- if $.Values.istioGatewayPublic.postRenderers }}
+  postRenderers:
+  {{ toYaml $.Values.istioGatewayPublic.postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ $.Release.Name }}-istio-gateway-public-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ $.Release.Name }}-istio-gateway-public-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ $.Release.Name }}-istio-gateway-public-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  dependsOn:
+    - name: istio-core
+      namespace: {{ $.Release.Namespace }}
+    {{- if $.Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+    {{- if $.Values.kyvernoPolicies.enabled }}
+    - name: kyverno-policies
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+    {{- if $.Values.istioGatewayPassthrough.enabled }}
+    - name: passthrough-ingressgateway
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+{{- end }}
--- a/chart/templates/istio-gateway-public/imagepullsecret.yaml
+++ b/chart/templates/istio-gateway-public/imagepullsecret.yaml
+{{- if and .Values.istioGatewayPublic.enabled ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry-public
+  namespace: istio-gateway
+  labels:
+    app.kubernetes.io/name: istio-gateway-public
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
--- a/chart/templates/istio-gateway-public/secret-tls.yaml
+++ b/chart/templates/istio-gateway-public/secret-tls.yaml
+{{- if and .Values.istioCore.enabled .Values.istioGatewayPublic.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: public-cert
+  namespace: istio-gateway
+  labels:
+    app.kubernetes.io/name: istio-gateway
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" $ | nindent 4}}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.istioGatewayPublic.tls.cert | b64enc }}
+  tls.key: {{ .Values.istioGatewayPublic.tls.key | b64enc }}
+  {{- if .Values.istioGatewayPublic.tls.ca }}
+  ca.crt: {{ .Values.istioGatewayPublic.tls.ca | b64enc }}
+  {{- end }}
+---
+{{- end }}
--- a/chart/templates/istio-gateway-public/values.yaml
+++ b/chart/templates/istio-gateway-public/values.yaml
+{{- $pkg := "istioGatewayPublic" }}
+
+{{- /* Create secret */ -}}
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" ($pkg | kebabcase) "defaults" (include (printf "bigbang.defaults.%s" $pkg | kebabcase) .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.istio-gateway-public" -}}
+createNamespace: true
+
+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+imagePullSecrets:
+  - name: private-registry-public
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+labels:
+  istio: ingressgateway
+
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
+gateway:
+  servers:
+  - hosts:
+    - '*.{{ .Values.domain }}'
+    port:
+      name: http
+      number: 8080
+      protocol: HTTP
+    tls:
+      httpsRedirect: true
+  - hosts:
+    - '*.{{ .Values.domain }}'
+    port:
+      name: https
+      number: 8443
+      protocol: HTTPS
+    tls:
+      credentialName: public-cert
+      mode: SIMPLE
+{{- end -}}
\ No newline at end of file
--- a/chart/templates/jaeger/helmrelease.yaml
+++ b/chart/templates/jaeger/helmrelease.yaml
@@ -57,11 +57,15 @@ spec:
      kind: Secret
      valuesKey: "overlays"

-  {{ if or .Values.istio.enabled .Values.monitoring.enabled .Values.jaeger.sso.enabled .Values.elasticsearchKibana.enabled }}
+  {{ if or (include "istioEnabled" .) .Values.monitoring.enabled .Values.jaeger.sso.enabled .Values.elasticsearchKibana.enabled }}
  dependsOn:
  {{- if .Values.istio.enabled }}
    - name: istio
      namespace: {{ .Release.Namespace }}
+  {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
  {{- end }}
  {{- if .Values.monitoring.enabled }}
    - name: monitoring

--- a/chart/templates/jaeger/namespace.yaml
+++ b/chart/templates/jaeger/namespace.yaml
@@ -4,7 +4,7 @@ kind: Namespace
 metadata:
  name: jaeger
  labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.jaeger) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.jaeger) "enabled")) }}
    app.kubernetes.io/name: jaeger
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}

--- a/chart/templates/jaeger/values.yaml
+++ b/chart/templates/jaeger/values.yaml
@@ -15,18 +15,18 @@ hostname: {{ $domainName }}
 domain: {{ $domainName }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.jaeger.values)
      (dig "hardened" "enabled" false .Values.istio.values)
    }}
  jaeger:
-    enabled: {{ .Values.istio.enabled }}
+    enabled: {{ include "istioEnabled" . }}
    gateways:
-    - istio-system/{{ default "public" .Values.jaeger.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.jaeger.ingress.gateway }}

-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 annotations:
  {{ include "istioAnnotation" . }}
 {{- end }}
@@ -34,7 +34,7 @@ annotations:
 monitoring:
  enabled: {{ .Values.monitoring.enabled }}
  # conditional passes only for default istio: enabled, mTLS: SCRICT
-  {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.jaeger.values) "STRICT") }}
+  {{- if and (include "istioEnabled" . ) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.jaeger.values) "STRICT") }}
  serviceMonitor:
    scheme: https
    tlsConfig:
@@ -51,10 +51,10 @@ sso:
  enabled: {{ .Values.jaeger.sso.enabled }}


-{{- if or .Values.jaeger.sso.enabled .Values.istio.enabled .Values.kiali.enabled }}
+{{- if or .Values.jaeger.sso.enabled (include "istioEnabled" .) .Values.kiali.enabled }}
 jaeger:
  spec:
-    {{- if or .Values.jaeger.sso.enabled .Values.istio.enabled }}
+    {{- if or .Values.jaeger.sso.enabled (include "istioEnabled" .) }}
    {{- $jaegerAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
    {{- $jaegerAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
    allInOne:
@@ -62,7 +62,7 @@ jaeger:
      labels:
        {{ $jaegerAuthserviceKey }}: {{ $jaegerAuthserviceValue }}
      {{- end }}
-      {{- if .Values.istio.enabled }}
+      {{- if include "istioEnabled" . }}
      annotations:
        {{ include "istioAnnotation" . }}
      {{- end }}
@@ -71,12 +71,12 @@ jaeger:
      labels:
        {{ $jaegerAuthserviceKey }}: {{ $jaegerAuthserviceValue }}
      {{- end }}
-      {{- if .Values.istio.enabled }}
+      {{- if include "istioEnabled" . }}
      annotations:
        {{ include "istioAnnotation" . }}
      {{- end }}
    {{- end }}
-    {{- if .Values.istio.enabled }}
+    {{- if include "istioEnabled" . }}
    agent:
      annotations:
        {{ include "istioAnnotation" . }}
@@ -92,6 +92,8 @@ openshift:
  enabled: {{ .Values.openshift }}
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
  ingressLabels:
    {{- $gateway := default "public" .Values.jaeger.ingress.gateway }}

--- a/chart/templates/keycloak/helmrelease.yaml
+++ b/chart/templates/keycloak/helmrelease.yaml
@@ -59,7 +59,7 @@ spec:
      kind: Secret
      valuesKey: "overlays"

-  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+  {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
  dependsOn:
  {{- if .Values.gatekeeper.enabled }}
  - name: gatekeeper
@@ -69,6 +69,10 @@ spec:
  - name: istio
    namespace: {{ .Release.Namespace }}
  {{- end }}
+  {{- if .Values.istioCore.enabled }}
+  - name: istio-core
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
  {{- if .Values.kyvernoPolicies.enabled }}
  - name: kyverno-policies
    namespace: {{ .Release.Namespace }}

--- a/chart/templates/keycloak/namespace.yaml
+++ b/chart/templates/keycloak/namespace.yaml
@@ -5,7 +5,7 @@ kind: Namespace
 metadata:
  name: {{ $name }}
  labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled")) }}
    app.kubernetes.io/name: {{ $name }}
    app.kubernetes.io/component: "security-tools"
    {{- include "commonLabels" . | nindent 4 }}

--- a/chart/templates/keycloak/values.yaml
+++ b/chart/templates/keycloak/values.yaml
@@ -18,10 +18,10 @@ domain: {{ $domainName }}

 openshift: {{ .Values.openshift }}

-{{- $istioInjection := (and (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled") .Values.istio.enabled) }}
+{{- $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled")) }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.addons.keycloak.values)
@@ -31,7 +31,7 @@ istio:
  keycloak:
    enabled: true
    gateways:
-    - istio-system/{{ default "public" .Values.addons.keycloak.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPassthroughGateway" . ) .Values.addons.keycloak.ingress.gateway }}

 {{- if $istioInjection }}
 podAnnotations:
@@ -41,6 +41,8 @@ podAnnotations:
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  ingressLabels:
    {{- $gateway := default "passthrough" .Values.addons.keycloak.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}

--- a/chart/templates/kiali/helmrelease.yaml
+++ b/chart/templates/kiali/helmrelease.yaml
@@ -55,11 +55,15 @@ spec:
      kind: Secret
      valuesKey: "overlays"

-  {{ if or .Values.istio.enabled .Values.monitoring.enabled }}
+  {{ if or (include "istioEnabled" . ) .Values.monitoring.enabled }}
  dependsOn:
  {{- if .Values.istio.enabled }}
    - name: istio
      namespace: {{ .Release.Namespace }}
+  {{- end }}    
+  {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
  {{- end }}
  {{- if .Values.monitoring.enabled }}
    - name: monitoring

--- a/chart/templates/kiali/namespace.yaml
+++ b/chart/templates/kiali/namespace.yaml
@@ -4,7 +4,7 @@ kind: Namespace
 metadata:
  name: kiali
  labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.kiali) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.kiali) "enabled")) }}
    app.kubernetes.io/name: kiali
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}

--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
@@ -16,7 +16,7 @@ image:
  pullPolicy: {{ .Values.imagePullPolicy }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.kiali.values)
@@ -26,9 +26,9 @@ istio:
      enabled: {{ .Values.monitoring.enabled }}
  kiali:
    gateways:
-    - istio-system/{{ default "public" .Values.kiali.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.kiali.ingress.gateway }}

-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 podAnnotations:
  {{ include "istioAnnotation" . }}
 {{- end }}
@@ -43,9 +43,12 @@ elasticsearch:
  enabled: {{ .Values.elasticsearchKibana.enabled }}
 cr:
  spec:
+    {{- if .Values.istioCore.enabled }}
+    istio_namespace: istio-system
+    {{- end}}
    deployment:
      image_pull_policy: {{ .Values.imagePullPolicy }}
-      {{- if .Values.istio.enabled }}
+      {{- if include "istioEnabled" . }}
      pod_annotations:
        {{ include "istioAnnotation" . }}
      {{- end }}
@@ -97,6 +100,7 @@ cr:
            - app_label: istiod
              is_core: true
              is_proxy: false
+            {{- if .Values.istio.enabled }}
            {{- range $name, $values := .Values.istio.ingressGateways }}
            {{ if ne $values.enabled false }}
            - app_label: {{ $name }}
@@ -111,6 +115,23 @@ cr:
              is_proxy: true
            {{- end }}
            {{- end }}
+            {{- end }}
+            {{- if .Values.istioGatewayPublic.enabled }}
+            - app_label: public-ingressgateway
+              is_core: true
+              is_proxy: true
+              namespace: istio-gateway
+            {{- end }}
+            {{- if .Values.istioGatewayPassthrough.enabled }}
+            - app_label: passthrough-ingressgateway
+              is_core: true
+              is_proxy: true
+              namespace: istio-gateway
+            {{- end }}
+        {{- if .Values.istioCore.enabled }}
+        ingress_gateway_namespace: istio-gateway
+        egress_gateway_namespace: istio-gateway
+        {{- end }}
    api:
      namespaces:
        # bigbang watches all!
@@ -118,8 +139,16 @@ cr:
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  ingressLabels:
+    {{- if .Values.istio.enabled }}
    {{- $gateway := default "public" .Values.kiali.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    app: public-ingressgateway
+    istio: ingressgateway
+    {{- end }}
 {{- end -}}
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -55,7 +55,7 @@ policies:
  # Istio services (istio ingress) can create type: NodePort services
  disallow-nodeport-services:
    validationFailureAction: Enforce
-    {{- if $nodePortIngressGateways }}
+    {{- if or $nodePortIngressGateways .Values.istioCore.enabled }}
    exclude:
      any:
      - resources:
@@ -67,6 +67,20 @@ policies:
          {{- end }}
          namespaces:
          - "istio-system"
+      {{- if .Values.istioCore.enabled }}
+      - resources:
+          kinds:
+          - Service
+          names:
+          {{- if .Values.istioGatewayPassthrough.enabled }}
+          - "istio-gateway-passthrough-ingressgateway"
+          {{- end }}
+          {{- if .Values.istioGatewayPublic }}
+          - "public-ingressgateway"
+          {{- end }}
+          namespaces:
+          - "istio-gateway"
+      {{- end }}
    {{- end }}

  disallow-image-tags:
@@ -74,13 +88,14 @@ policies:
    validationFailureAction: Enforce

  disallow-istio-injection-bypass:
-    enabled: {{ .Values.istio.enabled }}
+    enabled: {{ include "istioEnabled" . }}
    exclude:
      any:
      # Istio does not inject itself
      - resources:
          namespaces:
          - istio-system
+          - istio-gateway

  disallow-namespaces:
    enabled: true
@@ -268,7 +283,7 @@ policies:
      - app.kubernetes.io/version
      
  require-istio-on-namespaces:
-    enabled: {{ .Values.istio.enabled }}
+    enabled: {{ include "istioEnabled" . }}
    exclude:
      any:
      - resources:
@@ -285,6 +300,7 @@ policies:
          # Istio does not inject itself
          - istio-operator
          - istio-system
+          - istio-gateway

  add-default-securitycontext:
    validationFailureAction: Enforce
@@ -380,7 +396,7 @@ policies:

  require-non-root-group:
    validationFailureAction: Enforce
-    {{ if .Values.istio.enabled }}
+    {{ if include "istioEnabled" . }}
    parameters:
      excludeContainers:
        - istio-init
@@ -398,6 +414,13 @@ policies:
      - resources:
          namespaces:
          - kube-system
+      {{ if .Values.istioCore.enabled }}
+      - resources:
+          namespaces:
+          - istio-system
+          names:
+          - istiod*
+      {{- end }}
      {{- if $deployNodeAgent }}
      # Velero.  The node agent backup tool requires root group access to see the host's runtime pod directory which is
      # mounted inside velero/node agent pods.
@@ -462,7 +485,7 @@ policies:

  require-non-root-user:
    validationFailureAction: Enforce
-    {{ if .Values.istio.enabled }}
+    {{ if include "istioEnabled" . }}
    parameters:
      excludeContainers:
        - istio-init
@@ -586,7 +609,7 @@ policies:
      allow:
      # Defaults from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
      - NET_BIND_SERVICE
-      {{- if .Values.istio.enabled }}
+      {{- if include "istioEnabled" . }}
      # Istio requires NET_ADMIN and NET_RAW for sidecar init: https://istio.io/latest/docs/ops/deployment/requirements/#pod-requirements
      # It uses these permissions to setup iptables for network routing
      # Cannot create exclusion since sidecar is injected in most containers, so allow the capabilities globally
@@ -1128,7 +1151,7 @@ policies:
          - gitlab-runner-*

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}

 {{- end }}


--- a/chart/templates/kyverno-reporter/values.yaml
+++ b/chart/templates/kyverno-reporter/values.yaml
@@ -67,6 +67,8 @@ openshift: {{ .Values.openshift }}

 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}

 {{- end -}}