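{{ define "security-default.yaml.tpl" }}
# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
# they are added to the Istio installation yaml for backward compatibility. In future, they should be
# in a separate yaml file so that customers can enable mTLS independently of installation.
#
# Three resources are emitted, separated by "---":
#   1. MeshPolicy "default"        - server side: require peer mTLS mesh-wide.
#   2. DestinationRule "default"   - client side: originate ISTIO_MUTUAL to every "*.local" host.
#   3. DestinationRule "api-server" - client side: exempt the API server, which has no sidecar.
# Rules 2 and 3 must stay in step with rule 1: without rule 2, clients would send plaintext to
# mTLS-only servers; without rule 3, sidecars would attempt Istio mTLS toward a host that cannot
# terminate it.

# Authentication policy to enable mutual TLS for all services (that have a sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    app: istio-security
    # "+" is not a valid label-value character, so build metadata are rewritten with "_".
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  peers:
    # Empty mtls block: mutual TLS is required with no explicit mode set.
    - mtls: {}
---
# Corresponding destination rule to configure the client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "default"
  labels:
    app: istio-security
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  # Wildcard over the in-cluster ".local" DNS suffix; more specific rules (such as "api-server"
  # below) take precedence for their own host.
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Destination rule to disable (m)TLS when talking to the API server, as the API server doesn't have
# a sidecar. Customers should add similar destination rules for other services that don't have a
# sidecar. Each such rule is an exemption from the mesh-wide default above, so keep the list to
# hosts that genuinely lack a sidecar and review it whenever a workload gains one.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "api-server"
  labels:
    app: istio-security
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  host: "kubernetes.default.svc.cluster.local"
  trafficPolicy:
    tls:
      # DISABLE only stops the sidecar from originating Istio mTLS for this host; whatever TLS the
      # client itself speaks to the API server is passed through unchanged.
      mode: DISABLE
{{- end }}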