Merge branch 'istio-sandbox' into 'master'

Operatorless Istio with CORE packages only SKIP UPGRADE DEBUG

Closes #2256

See merge request !4906

chart/ingress-certs.yaml

+istioGatewayPublic:
+  tls:
+    key: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCkz9rWBxaiDui
+      uw8vF49lTKtShFTu3tAkWiyp3IwzSH3F/HeSZ8pMTl7reCiRbhXHSmqiCyVVFkg7
+      eG6gA1fJNhJI26zoTSaN+seV1N4qgQIa4vkVgUEumPo6L+X93n7X7rH1GwVilYFo
+      5MpYZkGoTLp8JtZRsUAXmooRa2URUoX11Wx4aegPR55gKkhXKnTl5a7cln93zOZb
+      6QKG/UOmSIJe5C5JKQYhpQlv5DWi7Zf6ZqJABT27Lu8U/DY4qCv4pVphxdcZZqGl
+      8GbBRmZ3pEHKS9KzlffHRE4xl/xy1cSdG60jlpBL8f8PO+bGEnqCMr8LXJqoU1Lp
+      Samg9AuJAgMBAAECggEAG8CLzaA6HxGKS/oZPtLB8aVfVDwqrw1Zq62u7CVYW+It
+      ikUputiR6pNNB5HSW3fTpGKxVd54Gyw77juNr8X6Sekr73dhsJp8csi/mdfMPky7
+      Q6F2/IG8jcxk+FKnn6+R8POLL1YEzRxc4lyrnbMsDziuapHRhMJezV8N7VEfj7ox
+      HbZDv00sLdwlIpnG6llJysq+S48s86l8CYBzpTk33XNOwWahrwZBGmpRBwdj2niP
+      8UVZMD2GPSX+RevWEM5l3TkU6YbaFgOFthXmP3KcQjUHFkPRZq8iEcJnFixcaOGK
+      ySm3SbRr2kdHzuIpWTm4Yro9/9Jj3y5bfg3uo29jhwKBgQDydCIIeglxVaZgx06x
+      o7LdZpRQvVp3/Es6KTppqDeYwrFAZNTiP6aH4ZXpnyL7jrMn2iqSvBJ9/WnadKyc
+      gvgxBPBj+b84a7mVN/5AILzmcSxqHgEju0Ql+NuAuY1YHINtqgfNM9u68/JYw9s9
+      OeK81rja99CID1JNSmKM30zGxwKBgQDNckx/rhuSgiKI55WIQ7//yOtgRvzOWArH
+      vGlb2N+8zyfJd+D0tZyB39ZIvGGROm95rMNW/jmyEgiF8TkMLvjFMB/EpCWT58LG
+      I0WvkPizCd62tGoiBdIJ3tQi8RDwTVcLrzZsv7b039kkHpnFg0io93i4g/zOUear
+      wK/MiycLLwKBgQDFL8iCJmbJo0RGz7Jj7WRKhuQ3allK3ol8Sw2z4tkcx7OLULaH
+      MAdL2h+nuwKjn2J8FgasAoPzrgfKYTwFqssaaw7r8LIhvBNalgiVtUqNDRx3TeHV
+      YrfBPk2fusmHEOGfbjscHIIn4cGHifskJ5ENzoDXrdcO4Y8pR0cxlWcG/wKBgCRY
+      ViQ4XvRaRVXG8nM62RqdJtbPeCXg+XdAY7s18M7sLvO7W3avMlLfkH8ppHEWz2XN
+      JHmdXAOeoRdhB2CaZrQrwVL+Xw99br2yu79FfFngIyBbZnNCaFgKrajI0OBSLlYI
+      1y4B9JH5j+aN61I/2Xja3uZ1oyG054P3AKLE81FNAoGAHVV7TcyVwi8OJo/1YGHq
+      ybWK0UvWTKJ4YgpMO3Asn3MzwadoxY5E6p0RpqQSDCV+txAPX1QqHNRuCcKmPHSF
+      6E7oWeFD09vcOcaPQSTw7NfGUktoMLDzjfiHHGLGKH3PeB7qgPIfnHvOa4iJjyQp
+      gBaI0ROebBfbZ5pUyr/NEx4=
+      -----END PRIVATE KEY-----
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      MIIE9DCCA9ygAwIBAgISBLhHLRR5idjuJooPRuDdhyFaMA0GCSqGSIb3DQEBCwUA
+      MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+      EwNSMTEwHhcNMjUwMjEyMTcxNzU4WhcNMjUwNTEzMTcxNzU3WjAcMRowGAYDVQQD
+      DBEqLmRldi5iaWdiYW5nLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+      ggEBAMKTP2tYHFqIO6K7Dy8Xj2VMq1KEVO7e0CRaLKncjDNIfcX8d5JnykxOXut4
+      KJFuFcdKaqILJVUWSDt4bqADV8k2EkjbrOhNJo36x5XU3iqBAhri+RWBQS6Y+jov
+      5f3eftfusfUbBWKVgWjkylhmQahMunwm1lGxQBeaihFrZRFShfXVbHhp6A9HnmAq
+      SFcqdOXlrtyWf3fM5lvpAob9Q6ZIgl7kLkkpBiGlCW/kNaLtl/pmokAFPbsu7xT8
+      NjioK/ilWmHF1xlmoaXwZsFGZnekQcpL0rOV98dETjGX/HLVxJ0brSOWkEvx/w87
+      5sYSeoIyvwtcmqhTUulJqaD0C4kCAwEAAaOCAhcwggITMA4GA1UdDwEB/wQEAwIF
+      oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
+      BgNVHQ4EFgQUbbIRs2GOo9GYzktU5Url5c9dSzIwHwYDVR0jBBgwFoAUxc9GpOr0
+      w8B6bJXELbBeki8m47kwVwYIKwYBBQUHAQEESzBJMCIGCCsGAQUFBzABhhZodHRw
+      Oi8vcjExLm8ubGVuY3Iub3JnMCMGCCsGAQUFBzAChhdodHRwOi8vcjExLmkubGVu
+      Y3Iub3JnLzAcBgNVHREEFTATghEqLmRldi5iaWdiYW5nLm1pbDATBgNVHSAEDDAK
+      MAgGBmeBDAECATCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AHMgIg8IFor588Sm
+      iwqyappKAO71d4WKCE0FANSlQkRZAAABlPtgcQIAAAQDAEgwRgIhAKLzkKto2f2R
+      l3TrYZ+fLvW9qXRSVN8x3ilaKdcS+dEKAiEAg408cpgsAv88HOx9lLI9jJmLXm/7
+      hUhT22LkL1JaVgMAdwCi4wrkRe+9rZt+OO1HZ3dT14JbhJTXK14bLMS5UKRH5wAA
+      AZT7YHjfAAAEAwBIMEYCIQDWMGhLWcUeAP8YZSMvwD7eiJ2IWlpbvtBIEswIYPg7
+      BAIhAL8JoxIMP6GTmvGGd8Fmx6kUC/fTx5odro0Z1eag731hMA0GCSqGSIb3DQEB
+      CwUAA4IBAQAH2I9lef1qGbjAwa92YU95l8G+DvQZ1nEJVADqcXZ/EGW0r4St5t7j
+      y0wFEweo8PZmQG81wemsGWKPGwtL/+ow29RjSmHL+Wg3cY+WrtYuAwFwJguIBDoU
+      8nU7x29lHZy2E0i5fPL0lfHATvjNdhaycrg50Oc2/osOusTSzR5GPtIqFnQt0hKj
+      EvotDUCxlFD+tmgEdYDfAhD+PM2r/qXI5U/1mmXqmQF2YwzXsxZzS/PqhGnD2Day
+      jSTELbgAtsPMW8yh0Js20deOZ3aT6Wj1s8OpzgoIMb4Ztw9sLD9IcgdzVvgaBYQf
+      nJNGNWiG+v+1Lp2rEnEbN3R/f34JteTG
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw
+      TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+      cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+      WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+      RW5jcnlwdDEMMAoGA1UEAxMDUjExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+      CgKCAQEAuoe8XBsAOcvKCs3UZxD5ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJ
+      DAjs4DqwO3cOvfPlOVRBDE6uQdaZdN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxG
+      AGQUmfOx2SLZzaiSqhwmej/+71gFewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy
+      6cRms+EGZkNIGIBloDcYmpuEMpexsr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnw
+      SVzgJFDhxLyhBax7QG0AtMJBP6dYuC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLP
+      Xzze41xNG/cLJyuqC0J3U095ah2H2QIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB
+      hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB
+      /wIBADAdBgNVHQ4EFgQUxc9GpOr0w8B6bJXELbBeki8m47kwHwYDVR0jBBgwFoAU
+      ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC
+      hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG
+      A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN
+      AQELBQADggIBAE7iiV0KAxyQOND1H/lxXPjDj7I3iHpvsCUf7b632IYGjukJhM1y
+      v4Hz/MrPU0jtvfZpQtSlET41yBOykh0FX+ou1Nj4ScOt9ZmWnO8m2OG0JAtIIE38
+      01S0qcYhyOE2G/93ZCkXufBL713qzXnQv5C/viOykNpKqUgxdKlEC+Hi9i2DcaR1
+      e9KUwQUZRhy5j/PEdEglKg3l9dtD4tuTm7kZtB8v32oOjzHTYw+7KdzdZiw/sBtn
+      UfhBPORNuay4pJxmY/WrhSMdzFO2q3Gu3MUBcdo27goYKjL9CTF8j/Zz55yctUoV
+      aneCWs/ajUX+HypkBTA+c8LGDLnWO2NKq0YD/pnARkAnYGPfUDoHR9gVSp/qRx+Z
+      WghiDLZsMwhN1zjtSC0uBWiugF3vTNzYIEFfaPG7Ws3jDrAMMYebQ95JQ+HIBD/R
+      PBuHRTBpqKlyDnkSHDHYPiNX3adPoPAcgdF3H2/W0rmoswMWgTlLn1Wu0mrks7/q
+      pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo
+      6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV
+      uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
+      -----END CERTIFICATE-----
+
 istio:
   gateways:
     public:
@@ -271,4 +362,4 @@ addons:
         pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo
         6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV
         uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
-        -----END CERTIFICATE-----
+        -----END CERTIFICATE-----
\ No newline at end of file

chart/templates/_helpers.tpl

@@ -438,4 +438,45 @@ data:
   {{- end -}}
 {{- end -}}
 
+{{- /* Returns namespace of istio gateways */ -}}
+{{- define "istioGatewayNamespace" -}}
+{{- if .Values.istio.enabled -}}
+  {{- print "istio-system" -}}
+{{- else -}}
+  {{- print "istio-gateway" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* Returns name of istio public gateway */ -}}
+{{- define "istioPublicGateway" -}}
+{{- if .Values.istio.enabled -}}
+  {{- print "public" -}}
+{{- else -}}
+  {{- print "public-ingressgateway" -}}
+{{- end -}}
+{{- end -}}
 
+{{- /* Returns name of istio passthrough gateway */ -}}
+{{- define "istioPassthroughGateway" -}}
+{{- if .Values.istio.enabled -}}
+  {{- print "passthrough" -}}
+{{- else -}}
+  {{- print "passthrough-ingressgateway" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* Returns true if either istio or istioCore is enabled */ -}}
+{{- define "istioEnabled" -}}
+{{ or .Values.istio.enabled .Values.istioCore.enabled }}
+{{- end -}}
+
+{{- /* Returns name of istio Namespace Selector*/ -}}
+{{- define "istioNamespaceSelector" -}}
+{{- if .Values.istioCore.enabled -}}
+ingress: istio-gateway
+egress: istio-core
+{{- else -}}
+ingress: istio-controlplane
+egress: istio-controlplane
+{{- end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/argocd/namespace.yaml

@@ -6,6 +6,6 @@ metadata:
     app.kubernetes.io/name: argocd
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.argocd) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.argocd) "enabled")) }}
   name: argocd
-{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/argocd/values.yaml

@@ -142,7 +142,7 @@ repoServer:
   {{- end }}
 
 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
   hardened:
     enabled: {{ or
       (dig "istio" "hardened" "enabled" false .Values.addons.argocd.values)
@@ -151,13 +151,15 @@ istio:
   injection: {{ dig "istio" "injection" "enabled" .Values.addons.argocd }}
   argocd:
     gateways:
-    - istio-system/{{ default "public" .Values.addons.argocd.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.argocd.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
   ingressLabels:
     {{- $gateway := default "public" .Values.addons.argocd.ingress.gateway }}

chart/templates/authservice/gitrepository.yaml

-{{- if and .Values.istio.enabled (eq .Values.addons.authservice.sourceType "git") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
+{{- if and (include "istioEnabled" .) (eq .Values.addons.authservice.sourceType "git") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 {{- $gitCredsDict := dict
   "name" "authservice"
   "packageGitScope" .Values.addons.authservice.git

chart/templates/authservice/helmrelease.yaml

 {{- $fluxSettingsAuthservice := merge .Values.addons.authservice.flux .Values.flux -}}
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
+{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -65,4 +65,8 @@ spec:
   - name: monitoring
     namespace: {{ .Release.Namespace }}
   {{- end }}
+  {{- if .Values.istioCore.enabled }}
+  - name: istio-core
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
 {{- end }}

chart/templates/authservice/imagepullsecret.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
+{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 {{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret

chart/templates/authservice/namespace.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
+{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: v1
 kind: Namespace
 metadata:
   name: authservice
   labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.authservice) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.authservice) "enabled")) }}
     app.kubernetes.io/name: authservice
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}

chart/templates/authservice/values.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled) (and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled)) }}
+{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled) (and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled)) }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }}
 {{- end }}
 
@@ -16,7 +16,7 @@
 }}
 
 istio:
-  enabled: {{ .Values.istio.enabled | default false }}
+  enabled: {{ (include "istioEnabled" .) | default false }}
   hardened:
     enabled: {{ $authServiceHardened }}
   clusterWideHardenedEnabled: {{ dig "hardened" "enabled" false .Values.istio.values }}
@@ -37,6 +37,8 @@ monitoring:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled | default false }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
   ingressLabels:
     {{- $gateway := default "public" .Values.addons.haproxy.ingress.gateway }}
     {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
@@ -63,7 +65,7 @@ redis-bb:
       selector: 
         app.kubernetes.io/name: redis-bb
         app.kubernetes.io/instance: authservice-authservice
-      {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.authservice.values) "STRICT") }}
+      {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.authservice.values) "STRICT") }}
       scheme: https
       tlsConfig:
         caFile: /etc/prom-certs/root-cert.pem

chart/templates/grafana/helmrelease.yaml

@@ -58,12 +58,16 @@ spec:
       valuesKey: "overlays"
 
   # TODO: DRY this up
-  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+  {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
   dependsOn:
   {{- if .Values.istio.enabled }}
     - name: istio
       namespace: {{ .Release.Namespace }}
   {{- end }}
+  {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
   {{- if .Values.gatekeeper.enabled }}
     - name: gatekeeper
       namespace: {{ .Release.Namespace }}

chart/templates/grafana/namespace.yaml

@@ -7,6 +7,5 @@ metadata:
     app.kubernetes.io/name: monitoring
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled")) }}
 {{- end }}
-

chart/templates/grafana/values.yaml

@@ -8,7 +8,7 @@
 hostname: {{ $domainName }}
 domain: {{ $domainName }}
 
-{{- $istioInjection := (and (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled") .Values.istio.enabled) }}
+{{- $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled")) }}
 {{- $gitlabRedis := (and (ne .Values.addons.gitlab.redis.password "" ) (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled)) }}
 {{- $authserviceRedisEnabled := (and (dig "values" "redis" "enabled" false .Values.addons.authservice) .Values.addons.authservice.enabled) }}
 {{- $redisDatasource := (or $gitlabRedis .Values.addons.argocd.enabled $authserviceRedisEnabled) }}
@@ -18,6 +18,8 @@ flux:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
   ingressLabels:
     {{- $gateway := default "public" .Values.grafana.ingress.gateway }}
@@ -34,7 +36,7 @@ gitlabRunner:
 
 istio:
   {{- $grafanaInjection := dig "istio" "injection" "enabled" .Values.grafana }}
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
   hardened:
     enabled: {{ or
       (dig "istio" "hardened" "enabled" false .Values.monitoring.values)
@@ -48,7 +50,7 @@ istio:
   grafana:
     enabled: true
     gateways:
-    - istio-system/{{ default "public" .Values.grafana.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.grafana.ingress.gateway }}
   injection: {{ dig "istio" "injection" "enabled" .Values.grafana }}
 
 anchore:
@@ -237,7 +239,7 @@ datasources:
 {{- end }}
 
 grafana.ini:
-  {{- if .Values.istio.enabled }}
+  {{- if include "istioEnabled" . }}
   server:
     root_url: https://grafana.{{ $domainName }}/
   {{- end }}

chart/templates/istio-core/git-credentials.yaml

+{{- $gitCredsSecretDict := dict
+  "name" "istioCore"
+  "targetScope" .Values.istioCore
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}

chart/templates/istio-core/gitrepository.yaml

+{{- if and (eq .Values.istioCore.sourceType "git") (not .Values.offline) .Values.istioCore.enabled }}
+{{- $gitCredsDict := dict
+  "name" "istioCore"
+  "packageGitScope" .Values.istioCore.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: istio-core
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: istio-core
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.istioCore.git.repo }}
+  ref:
+    {{- include "validRef" .Values.istioCore.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}

chart/templates/istio-core/helmrelease.yaml

+{{- $fluxSettingsIstioCore := merge .Values.istioCore.flux .Values.flux -}}
+{{- if and .Values.istioCore.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: istio-core
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: istio-core
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+  annotations:
+    checksum/bigbang-values: {{ include (print $.Template.BasePath "/istio-core/values.yaml") . | sha256sum }}
+spec:
+  targetNamespace: istio-system
+  chart:
+    spec:
+      {{- if eq .Values.istioCore.sourceType "git" }}
+      chart: {{ .Values.istioCore.git.path }}
+      sourceRef:
+        kind: GitRepository
+        name: istio-core
+        namespace: {{ .Release.Namespace }}
+      {{- else }}
+      chart: {{ .Values.istioCore.helmRepo.chartName }}
+      version: {{ .Values.istioCore.helmRepo.tag }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ .Values.istioCore.helmRepo.repoName }}
+        namespace: {{ .Release.Namespace }}
+      {{- $repoType := include "getRepoType" (dict "repoName" .Values.istioCore.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}}
+      {{- if (and .Values.istioCore.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+      verify:
+        provider: cosign
+        secretRef:
+          name: {{ printf "%s-cosign-pub" .Values.istioCore.helmRepo.repoName }}
+      {{- end }}
+      {{- end }}
+      interval: 5m
+
+  {{- toYaml $fluxSettingsIstioCore | nindent 2 }}
+
+  {{- if .Values.istioCore.postRenderers }}
+  postRenderers:
+  {{ toYaml .Values.istioCore.postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ .Release.Name }}-istio-core-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-istio-core-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-istio-core-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  {{- if or .Values.gatekeeper.enabled .Values.kyvernoPolicies.enabled }}
+  dependsOn:
+    {{- if .Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.kyvernoPolicies.enabled }}
+    - name: kyverno-policies
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+  {{- end }}
+{{- end }}

chart/templates/istio-core/imagepullsecret.yaml

+{{- if .Values.istioCore.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: istio-system
+  labels:
+    app.kubernetes.io/name: istio-core
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/istio-core/namespace.yaml

+{{- if .Values.istioCore.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+  labels:
+    istio-base-managed: Reconcile
+    istio-injection: disabled
+    app.kubernetes.io/name: istio-core
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+{{- if or .Values.istioGatewayPublic.enabled .Values.istioGatewayPassthrough.enabled }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-gateway
+  labels:
+    istio-gateway-managed: Reconcile
+    istio-injection: enabled
+    app.kubernetes.io/name: istio-gateway
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+{{- end }}
+{{- end }}

chart/templates/istio-core/values.yaml

+{{- $pkg := "istioCore" }}
+
+{{- /* Create secret */ -}}
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" ($pkg | kebabcase) "defaults" (include (printf "bigbang.defaults.%s" $pkg | kebabcase) .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.istio-core" -}}
+createNamespace: true
+
+enterprise: {{ .Values.istioCore.enterprise }}
+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+imagePullSecrets:
+  - private-registry
+
+istiod:
+  networkPolicies:
+    enabled: {{ .Values.networkPolicies.enabled }}
+    controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+  monitoring:
+    enabled: {{ .Values.monitoring.enabled }}
+    
+{{- if .Values.addons.authservice.enabled }}
+  meshConfig:
+    extensionProviders:
+      - name: "authservice"
+        envoyExtAuthzGrpc:
+          service: "authservice.authservice.svc.cluster.local"
+          port: "10003"
+{{- end }}
+
+{{- end }}

chart/templates/istio-gateway-passthrough/git-credentials.yaml

+{{- $gitCredsSecretDict := dict
+  "name" "istioGatewayPassthrough"
+  "targetScope" .Values.istioGatewayPassthrough
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}

chart/templates/istio-gateway-passthrough/gitrepository.yaml

+{{- if and (eq .Values.istioGatewayPassthrough.sourceType "git") (not .Values.offline) .Values.istioGatewayPassthrough.enabled }}
+{{- $gitCredsDict := dict
+  "name" "istioGatewayPassthrough"
+  "packageGitScope" .Values.istioGatewayPassthrough.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: istio-gateway-passthrough
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: istio-gateway-passthrough
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.istioGatewayPassthrough.git.repo }}
+  ref:
+    {{- include "validRef" .Values.istioGatewayPassthrough.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}