diff --git a/src/istio/chart/templates/tls-validation-job.yaml b/src/istio/chart/templates/tls-validation-job.yaml
new file mode 100644
index 000000000..7e7608cef
--- /dev/null
+++ b/src/istio/chart/templates/tls-validation-job.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ .Release.Name }}-tls-validation-sa"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-6"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ {{- include "uds-istio-config.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-tls-validator
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-6"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+rules:
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get"]
+ resourceNames: ["{{ .Values.name }}-ingressgateway"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-tls-validator
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-6"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+subjects:
+ - kind: ServiceAccount
+ name: "{{ .Release.Name }}-tls-validation-sa"
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}-tls-validator
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-tls-validation"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ {{- include "uds-istio-config.labels" . | nindent 4 }}
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}-tls-validation"
+ labels:
+ {{- include "uds-istio-config.labels" . | nindent 8 }}
+ spec:
+ serviceAccountName: "{{ .Release.Name }}-tls-validation-sa"
+ restartPolicy: Never
+ containers:
+ - name: tls-validation
+ image: bitnami/kubectl:1.31.3
+ command:
+ - /bin/sh
+ - -c
+ - |
+ if [ "{{ .Values.tls.enabled }}" != "true" ]; then
+ # Check if the tenant gateway service has required annotations
+ ANNOTATIONS=$(kubectl get service -n {{ .Release.Namespace }} {{ .Values.name }}-ingressgateway -o jsonpath='{.metadata.annotations}')
+
+ if ! echo "$ANNOTATIONS" | grep -q "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"; then
+ echo "Error: Missing required annotation: service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
+ exit 1
+ fi
+
+ if ! echo "$ANNOTATIONS" | grep -q "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"; then
+ echo "Error: Missing required annotation: service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
+ exit 1
+ fi
+
+ if ! echo "$ANNOTATIONS" | grep -q "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"; then
+ echo "Error: Missing required annotation: service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
+ exit 1
+ fi
+ fi
+
+ exit 0
diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml
index 21bae304e..60ddcb3e4 100644
--- a/src/istio/zarf.yaml
+++ b/src/istio/zarf.yaml
@@ -69,6 +69,8 @@ components:
 namespace: istio-admin-gateway
 valuesFiles:
 - "values/config-admin.yaml"
+ images:
+ - bitnami/kubectl:1.31.3
 - name: istio-tenant-gateway
 required: true
@@ -84,6 +86,8 @@ components:
 namespace: istio-tenant-gateway
 valuesFiles:
 - "values/config-tenant.yaml"
+ images:
+ - bitnami/kubectl:1.31.3
 - name: istio-passthrough-gateway
 required: false
@@ -99,3 +103,5 @@ components:
 namespace: istio-passthrough-gateway
 valuesFiles:
 - "values/config-passthrough.yaml"
+ images:
+ - bitnami/kubectl:1.31.3
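Review bot: In the validation script of the Job, a failed `kubectl get` (service not yet present on pre-install, RBAC denied, API server unreachable) leaves `ANNOTATIONS` empty and is then reported as "Missing required annotation", so the hook fails for the wrong reason and the real cause is hidden from whoever reads the hook logs. Capture the command status explicitly, e.g. `ANNOTATIONS=$(kubectl get service -n {{ .Release.Namespace }} {{ .Values.name }}-ingressgateway -o jsonpath='{.metadata.annotations}') || { echo "Error: could not read service {{ .Values.name }}-ingressgateway"; exit 1; }`, and note that the three `grep -q` checks only confirm each annotation key appears in the JSON, not that it carries a non-empty value. The RBAC grant is also wider than the job needs: the Service it reads lives in `{{ .Release.Namespace }}`, so a namespaced Role/RoleBinding with the same `resourceNames` restriction gives the hook the same `get` without a cluster-scoped ClusterRole and ClusterRoleBinding. The `bitnami/kubectl:1.31.3` image is pinned by tag only, both in this template and in the three `images:` entries added by the zarf.yaml hunks; pinning by digest in both places would make the hook's supply chain reproducible and tamper-evident.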