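{{- /*
Istio mutual-TLS resources for the chart, rendered only when
.Values.istio.mtls is set.

For each of the two namespaces (the release namespace and the function
namespace, which falls back to the release namespace when
.Values.functionNamespace is unset) this emits:
  - an authentication Policy named "default" (server side: what peers
    must present), and
  - a DestinationRule named "default" (client side: how sidecars
    originate traffic to services in that namespace).
A final DestinationRule turns client-side mTLS off for NATS.

Namespace values are passed through `quote` everywhere so that a
numeric- or boolean-looking namespace name is still rendered as a
YAML string.
*/}}
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.istio.mtls -}}
# enforce mTLS to openfaas control plane
# NOTE(review): authentication.istio.io/v1alpha1 Policy is the legacy
# authentication API; later Istio releases replace it with
# security.istio.io/v1beta1 PeerAuthentication. Confirm the Istio
# version this chart targets still serves this API; if the resource is
# rejected or ignored, server-side enforcement is not in place.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  # A Policy named "default" with no targets applies namespace-wide.
  name: default
  namespace: {{ .Release.Namespace | quote }}
spec:
  peers:
    # Empty settings rely on the API default mode (STRICT in this API
    # version, as far as the legacy docs state); verify that
    # plaintext peers are rejected after rollout.
    - mtls: {}
---
# enforce mTLS to openfaas control plane
# Client side: sidecars calling any service in the release namespace
# originate Istio mutual TLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: {{ .Release.Namespace | quote }}
spec:
  host: "*.{{ .Release.Namespace }}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# enforce mTLS to functions
# Same legacy Policy as above, applied to the function namespace.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: {{ $functionNs | quote }}
spec:
  peers:
    - mtls: {}
---
# enforce mTLS to functions
# Client side: sidecars calling any function service originate Istio
# mutual TLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: {{ $functionNs | quote }}
spec:
  host: "*.{{ $functionNs }}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# disable mTLS to nats, the nats protocol is not supported by Istio
# Security caveat: with this rule, traffic to NATS is neither
# encrypted nor authenticated by the mesh. Restrict who can reach it
# by other means (for example a NetworkPolicy and NATS's own
# authentication/TLS).
# NOTE(review): the namespace-wide Policy above still covers the
# release namespace; presumably the NATS workload runs without a
# sidecar or is otherwise exempt. Confirm, otherwise plaintext clients
# would be refused.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "nats-no-mtls"
  namespace: {{ .Release.Namespace | quote }}
spec:
  host: "nats.{{ .Release.Namespace }}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
{{- end -}}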