istio/authservice: use extauthz custom action

chart/templates/istio/controlplane/values.yaml

@@ -15,6 +15,9 @@ imagePullSecrets:
 
 openshift: {{ .Values.openshift }}
 
+authservice:
+  enabled: {{ .Values.addons.authservice.enabled }}
+
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 

chart/values.yaml

@@ -115,7 +115,7 @@ istio:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
     path: "./chart"
-    tag: "1.10.4-bb.1"
+    tag: "1.10.4-bb.3"
 
   # Ingress gateways are created based on the key name.  Adding more keys will add ingress gateways.
   # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
@@ -516,7 +516,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
       path: "./chart"
-      tag: "0.4.0-bb.15"
+      tag: "0.4.0-bb.16"
 
     # -- Flux reconciliation overrides specifically for the Authservice Package
     flux: {}

charter/packages/authservice/Architecture.md

@@ -53,6 +53,24 @@ Authservice provides OIDC Single Sign On capabilities for apps that don't have n
 
 Pods just need to have istio-injection, a single label which by default is `protect=keycloak` applied to the pods, and a corresponding chain to load into authservice.
 
+```yaml
+spec:
+  template:
+    metadata:
+      labels:
+        protect: keycloak
+```
+
+If you need to guarantee that authservice protects everything behind istio-ingressgateway, you can label ingressgateway instead of individual applications.
+
+```yaml
+istio:
+  ingressGateways:
+    public-ingressgateway:
+      extraLabels:
+        protect: keycloak
+```
+
 This label can be adjusted via following values in the Big Bang chart:
 
 ```yaml