From 99c57dcba33b621958caa53dd270280f5c65120b Mon Sep 17 00:00:00 2001
From: Micah Nagel <micah.nagel@defenseunicorns.com>
Date: Tue, 15 Aug 2023 00:31:41 +0000
Subject: [PATCH] Add support for ca.crt for MUTUAL gateways

---
 chart/templates/istio/secret-tls.yaml | 24 ++++++++++++------------
 chart/values.yaml                     | 12 ++++++++++++
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/chart/templates/istio/secret-tls.yaml b/chart/templates/istio/secret-tls.yaml
index b734dee997..423b482737 100644
--- a/chart/templates/istio/secret-tls.yaml
+++ b/chart/templates/istio/secret-tls.yaml
@@ -1,14 +1,8 @@
 {{- if .Values.istio.enabled }}
-
-{{/*
-For backwards compatibility, get key/cert from .Values.istio.ingress
-*/}}
-{{- $default := .Values.istio.ingress | default dict -}}
-
 {{- range $name, $values := .Values.istio.gateways }}
 {{- if $values.servers }}
 {{- range $index, $servervalues := $values.servers }}
-{{- if or (and (dig "tls" "cert" "" $servervalues) (dig "tls" "key" "" $servervalues)) (and $default.cert $default.key) }}
+{{- if and (dig "tls" "cert" "" $servervalues) (dig "tls" "key" "" $servervalues) }}
 apiVersion: v1
 kind: Secret
 metadata:
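Review bot: Dropping the `.Values.istio.ingress` fallback (the removed `$default` lookup and the tightened condition at `{{- if and (dig "tls" "cert" "" $servervalues) ... }}`) is a silent breaking change that the subject "Add support for ca.crt" does not announce: a deployment still setting `istio.ingress.cert`/`key` now renders no Secret at all, so the Gateway's credentialName points at nothing and TLS fails only at runtime. Since the remaining comment "For backwards compatibility, get certificate and key from .Values.istio.gateways.<gateway>.tls" suggests the chart still cares about older value layouts, consider failing loudly at the top of the template instead of rendering nothing, e.g. `{{- with .Values.istio.ingress }}{{- if or .cert .key }}{{ fail "istio.ingress.cert/key are no longer read; set istio.gateways.<name>.tls.cert/key instead" }}{{- end }}{{- end }}`, and mention the removal in the commit message. The surrounding `range`/`if` blocks opened here close outside this hunk.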
@@ -20,15 +14,18 @@ metadata:
     {{- include "commonLabels" $ | nindent 4}}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ default $default.cert $servervalues.tls.cert | b64enc }}
-  tls.key: {{ default $default.key $servervalues.tls.key | b64enc }}
+  tls.crt: {{ $servervalues.tls.cert | b64enc }}
+  tls.key: {{ $servervalues.tls.key | b64enc }}
+  {{- if $servervalues.tls.ca }}
+  ca.crt: {{ $servervalues.tls.ca | b64enc }}
+  {{- end }}
 ---
 {{- end }}
 {{- end }}
 {{/*
 For backwards compatibility, get certificate and key from .Values.istio.gateways.<gateway>.tls
 */}}
-{{- else if or (and (dig "tls" "cert" "" $values) (dig "tls" "key" "" $values)) (and $default.cert $default.key) }}
+{{- else if and (dig "tls" "cert" "" $values) (dig "tls" "key" "" $values) }}
 apiVersion: v1
 kind: Secret
 metadata:
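Review bot: The new `ca.crt` entry is only emitted when `$servervalues.tls.ca` is non-empty, but nothing checks that a server whose `tls.mode` is `MUTUAL` actually supplies it; as far as I know Istio reads `ca.crt` from the credential Secret to verify client certificates, so a MUTUAL server without a CA is rendered without error and then cannot authenticate clients. A template-time guard makes the misconfiguration visible at install instead: `{{- if and (eq (dig "tls" "mode" "" $servervalues) "MUTUAL") (not $servervalues.tls.ca) }}{{ fail (printf "istio.gateways.%s: tls.mode MUTUAL requires tls.ca" $name) }}{{- end }}` placed just before the `{{- if $servervalues.tls.ca }}` line. The same gap exists in the gateway-level branch at the third hunk (`{{- if $values.tls.ca }}`), where `$values` and `$name` are the variables to use. The enclosing server `range` and the Secret it renders begin in the first hunk, outside this one.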
@@ -40,8 +37,11 @@ metadata:
     {{- include "commonLabels" $ | nindent 4}}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ default $default.cert $values.tls.cert | b64enc }}
-  tls.key: {{ default $default.key $values.tls.key | b64enc }}
+  tls.crt: {{ $values.tls.cert | b64enc }}
+  tls.key: {{ $values.tls.key | b64enc }}
+  {{- if $values.tls.ca }}
+  ca.crt: {{ $values.tls.ca | b64enc }}
+  {{- end }}
 ---
 {{- end }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 16aa05ecba..46e5c9139b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -270,6 +270,18 @@ istio:
     #     enabled: true
     #   tls:
     #     mode: "PASSTHROUGH"
+    # mutual:
+    #   ingressGateway: "mutual-ingressgateway"
+    #   hosts:
+    #   - "*.{{ .Values.domain }}"
+    #   # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
+    #   autoHttpRedirect:
+    #     enabled: true
+    #   tls:
+    #     mode: MUTUAL
+    #     cert: ""
+    #     key: ""
+    #     ca: ""
 
   # -- Flux reconciliation overrides specifically for the Istio Package
   flux: {}
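Review bot: The new `ca` key in the commented `mutual` example carries no description, while the sibling `autoHttpRedirect` entry has a helm-docs `# --` line; readers cannot tell what format is expected or when it is needed. I would add above it `#     # -- PEM-encoded CA bundle used to verify client certificates (rendered as ca.crt in the TLS Secret); required when mode is MUTUAL`. Also, `mode: MUTUAL` is written unquoted here whereas the example directly above writes `mode: "PASSTHROUGH"`; quoting it the same way keeps the two examples consistent for anyone copying them.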
-- 
GitLab