helm-charts/openfaas/templates/istio-mtls.yaml

{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.istio.mtls -}}
# enforce mTLS to openfaas control plane
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
    name: default
    namespace: {{ .Release.Namespace }}
spec:
    peers:
        - mtls: {}
---
# enforce mTLS to openfaas control plane
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
    name: default
    namespace: {{ .Release.Namespace }}
spec:
    host: "*.{{ .Release.Namespace }}.svc.cluster.local"
    trafficPolicy:
        tls:
            mode: ISTIO_MUTUAL
---
# enforce mTLS to functions
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
    name: default
    namespace: {{ $functionNs }}
spec:
    peers:
        - mtls: {}
---
# enforce mTLS to functions
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
    name: default
    namespace: {{ $functionNs | quote }}
spec:
    host: "*.{{ $functionNs }}.svc.cluster.local"
    trafficPolicy:
        tls:
            mode: ISTIO_MUTUAL
---
# disable mTLS to nats, the nats protocol is not supported by Istio
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
    name: "nats-no-mtls"
    namespace: {{ .Release.Namespace }}
spec:
    host: "nats.{{ .Release.Namespace }}.svc.cluster.local"
    trafficPolicy:
        tls:
            mode: DISABLE
{{- end -}}
GHP publish 2021-01-17 01:09:41 +00:00			`{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}`
			`{{- if .Values.istio.mtls -}}`
			`# enforce mTLS to openfaas control plane`
			`apiVersion: authentication.istio.io/v1alpha1`
			`kind: Policy`
			`metadata:`
			`name: default`
			`namespace: {{ .Release.Namespace }}`
			`spec:`
			`peers:`
			`- mtls: {}`
			`---`
			`# enforce mTLS to openfaas control plane`
			`apiVersion: networking.istio.io/v1alpha3`
			`kind: DestinationRule`
			`metadata:`
			`name: default`
			`namespace: {{ .Release.Namespace }}`
			`spec:`
			`host: "*.{{ .Release.Namespace }}.svc.cluster.local"`
			`trafficPolicy:`
			`tls:`
			`mode: ISTIO_MUTUAL`
			`---`
			`# enforce mTLS to functions`
			`apiVersion: authentication.istio.io/v1alpha1`
			`kind: Policy`
			`metadata:`
			`name: default`
			`namespace: {{ $functionNs }}`
			`spec:`
			`peers:`
			`- mtls: {}`
			`---`
			`# enforce mTLS to functions`
			`apiVersion: networking.istio.io/v1alpha3`
			`kind: DestinationRule`
			`metadata:`
			`name: default`
			`namespace: {{ $functionNs \| quote }}`
			`spec:`
			`host: "*.{{ $functionNs }}.svc.cluster.local"`
			`trafficPolicy:`
			`tls:`
			`mode: ISTIO_MUTUAL`
			`---`
			`# disable mTLS to nats, the nats protocol is not supported by Istio`
			`apiVersion: networking.istio.io/v1alpha3`
			`kind: DestinationRule`
			`metadata:`
			`name: "nats-no-mtls"`
			`namespace: {{ .Release.Namespace }}`
			`spec:`
			`host: "nats.{{ .Release.Namespace }}.svc.cluster.local"`
			`trafficPolicy:`
			`tls:`
			`mode: DISABLE`
			`{{- end -}}`