feat: add chart hook for tls validation

src/istio/chart/templates/tls-validation-job.yaml

@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ .Release.Name }}-tls-validation-sa"
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-6"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+  labels:
+    {{- include "uds-istio-config.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-tls-validator
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-6"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get"]
+    resourceNames: ["{{ .Values.name }}-ingressgateway"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-tls-validator
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-6"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+subjects:
+  - kind: ServiceAccount
+    name: "{{ .Release.Name }}-tls-validation-sa"
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-tls-validator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-tls-validation"
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+  labels:
+    {{- include "uds-istio-config.labels" . | nindent 4 }}
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}-tls-validation"
+      labels:
+        {{- include "uds-istio-config.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: "{{ .Release.Name }}-tls-validation-sa"
+      restartPolicy: Never
+      containers:
+        - name: tls-validation
+          image: bitnami/kubectl:1.31.3
+          command:
+            - /bin/sh
+            - -c
+            - |
+              if [ "{{ .Values.tls.enabled }}" != "true" ]; then
+                # Check if the tenant gateway service has required annotations
+                ANNOTATIONS=$(kubectl get service -n {{ .Release.Namespace }} {{ .Values.name }}-ingressgateway -o jsonpath='{.metadata.annotations}')
+
+                if ! echo "$ANNOTATIONS" | grep -q "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"; then
+                  echo "Error: Missing required annotation: service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
+                  exit 1
+                fi
+
+                if ! echo "$ANNOTATIONS" | grep -q "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"; then
+                  echo "Error: Missing required annotation: service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
+                  exit 1
+                fi
+
+                if ! echo "$ANNOTATIONS" | grep -q "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"; then
+                  echo "Error: Missing required annotation: service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
+                  exit 1
+                fi
+              fi
+
+              exit 0

src/istio/zarf.yaml

@@ -69,6 +69,8 @@ components:
         namespace: istio-admin-gateway
         valuesFiles:
           - "values/config-admin.yaml"
+    images:
+      - bitnami/kubectl:1.31.3
 
   - name: istio-tenant-gateway
     required: true
@@ -84,6 +86,8 @@ components:
         namespace: istio-tenant-gateway
         valuesFiles:
           - "values/config-tenant.yaml"
+    images:
+      - bitnami/kubectl:1.31.3
 
   - name: istio-passthrough-gateway
     required: false
@@ -99,3 +103,5 @@ components:
         namespace: istio-passthrough-gateway
         valuesFiles:
           - "values/config-passthrough.yaml"
+    images:
+      - bitnami/kubectl:1.31.3