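{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.istio.mtls -}}
# Istio mutual-TLS configuration, rendered only when istio.mtls is set.
# Each namespace gets two resources that must stay in step:
#   - a Policy (server side): what the sidecars in the namespace accept
#   - a DestinationRule (client side): what callers send to those hosts
#
# enforce mTLS to openfaas control plane
# A Policy named "default" without targets applies to the whole namespace.
# "mtls" with no mode uses the API default (STRICT): plaintext connections to
# sidecar-injected workloads are rejected.
# NOTE(review): authentication.istio.io/v1alpha1 was dropped by later Istio
# releases in favour of security.istio.io/v1beta1 PeerAuthentication - confirm
# the Istio version this chart targets still serves it, otherwise mTLS is not
# enforced at all.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
    name: default
    namespace: {{ .Release.Namespace | quote }}
spec:
    peers:
        - mtls: {}
---
# enforce mTLS to openfaas control plane
# Client side: sidecars originate Istio mutual TLS to every service in the
# namespace. A DestinationRule for a more specific host takes precedence over
# this wildcard and must set its own tls mode.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
    name: default
    namespace: {{ .Release.Namespace | quote }}
spec:
    host: "*.{{ .Release.Namespace }}.svc.cluster.local"
    trafficPolicy:
        tls:
            mode: ISTIO_MUTUAL
{{- if ne ($functionNs | toString) .Release.Namespace }}
---
# enforce mTLS to functions
# Rendered only when functions run in their own namespace; when
# functionNamespace is unset it falls back to the release namespace, which the
# two "default" resources above already cover (emitting them twice would
# create duplicate resource names).
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
    name: default
    namespace: {{ $functionNs | quote }}
spec:
    peers:
        - mtls: {}
---
# enforce mTLS to functions
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
    name: default
    namespace: {{ $functionNs | quote }}
spec:
    host: "*.{{ $functionNs }}.svc.cluster.local"
    trafficPolicy:
        tls:
            mode: ISTIO_MUTUAL
{{- end }}
---
# disable mTLS to nats, the nats protocol is not supported by Istio
# Security caveat: traffic to nats is sent in plaintext and carries no
# mesh-level peer identity. The namespace-wide Policy above is strict, so this
# exception presumably relies on the nats workload running without a sidecar -
# confirm. Compensate with NATS-level authentication and/or a NetworkPolicy
# limiting which pods can reach the nats service.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
    name: "nats-no-mtls"
    namespace: {{ .Release.Namespace | quote }}
spec:
    host: "nats.{{ .Release.Namespace }}.svc.cluster.local"
    trafficPolicy:
        tls:
            mode: DISABLE
{{- end -}}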