Add support for ca.crt for MUTUAL gateways

99c57dcb · Micah Nagel · Christopher O'Connell · 2f368ef2 · 99c57dcb · 99c57dcb
Commit 99c57dcb authored 1 year ago by Micah Nagel Committed by Christopher O'Connell 1 year ago
--- a/chart/templates/istio/secret-tls.yaml
+++ b/chart/templates/istio/secret-tls.yaml
 {{- if .Values.istio.enabled }}
-
-{{/*
-For backwards compatibility, get key/cert from .Values.istio.ingress
-*/}}
-{{- $default := .Values.istio.ingress | default dict -}}
-
 {{- range $name, $values := .Values.istio.gateways }}
 {{- if $values.servers }}
 {{- range $index, $servervalues := $values.servers }}
-{{- if or (and (dig "tls" "cert" "" $servervalues) (dig "tls" "key" "" $servervalues)) (and $default.cert $default.key) }}
+{{- if and (dig "tls" "cert" "" $servervalues) (dig "tls" "key" "" $servervalues) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -20,15 +14,18 @@ metadata:
    {{- include "commonLabels" $ | nindent 4}}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ default $default.cert $servervalues.tls.cert | b64enc }}
-  tls.key: {{ default $default.key $servervalues.tls.key | b64enc }}
+  tls.crt: {{ $servervalues.tls.cert | b64enc }}
+  tls.key: {{ $servervalues.tls.key | b64enc }}
+  {{- if $servervalues.tls.ca }}
+  ca.crt: {{ $servervalues.tls.ca | b64enc }}
+  {{- end }}
 ---
 {{- end }}
 {{- end }}
 {{/*
 For backwards compatibility, get certificate and key from .Values.istio.gateways.<gateway>.tls
 */}}
-{{- else if or (and (dig "tls" "cert" "" $values) (dig "tls" "key" "" $values)) (and $default.cert $default.key) }}
+{{- else if and (dig "tls" "cert" "" $values) (dig "tls" "key" "" $values) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -40,8 +37,11 @@ metadata:
    {{- include "commonLabels" $ | nindent 4}}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ default $default.cert $values.tls.cert | b64enc }}
-  tls.key: {{ default $default.key $values.tls.key | b64enc }}
+  tls.crt: {{ $values.tls.cert | b64enc }}
+  tls.key: {{ $values.tls.key | b64enc }}
+  {{- if $values.tls.ca }}
+  ca.crt: {{ $values.tls.ca | b64enc }}
+  {{- end }}
 ---
 {{- end }}
 {{- end }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -270,6 +270,18 @@ istio:
    #     enabled: true
    #   tls:
    #     mode: "PASSTHROUGH"
+    # mutual:
+    #   ingressGateway: "mutual-ingressgateway"
+    #   hosts:
+    #   - "*.{{ .Values.domain }}"
+    #   # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
+    #   autoHttpRedirect:
+    #     enabled: true
+    #   tls:
+    #     mode: MUTUAL
+    #     cert: ""
+    #     key: ""
+    #     ca: ""

  # -- Flux reconciliation overrides specifically for the Istio Package
  flux: {}