chore: reverting some local changes against main

src/istio/chart/templates/gateway.yaml

@@ -34,7 +34,7 @@ spec:
       tls:
         mode: {{ $server.mode }}
         {{- if ne $server.mode "PASSTHROUGH" }}
-        credentialName: gateway-tls
+        credentialName: {{ $.Values.tls.credentialName | default "gateway-tls" | quote }}
         # if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3
         minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }}
         {{- end }}

src/istio/chart/templates/tls-cert.yaml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 {{- $tls := .Values.tls }}
-{{ if $tls.cert }}
+{{ if and $tls.cert (not $tls.credentialName) }}
 apiVersion: v1
 kind: Secret
 metadata:

src/istio/chart/values.yaml

@@ -17,6 +17,9 @@ domain: "###ZARF_VAR_DOMAIN###"
 #   # The CA certificate for the gateway when using `MUTUAL' or 'OPTIONAL_MUTUAL' (base64 encoded)
 #   cacert: ""
 
+#   # The name of the secret containing the TLS certificate to use for this gateway, this will override cert, key and cacert
+#   credentialName: ""
+
 #   # Map of gateway server entries
 #   servers:
 #     # Name of the gateway port to use for TLS, this is effectively a "list" in map form

src/istio/common/chart/templates/envoy-filters.yaml

@@ -40,6 +40,7 @@ spec:
                 end
               end
 ---
+# Source: istio/templates/envoyfilter.yaml
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:

src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   mtls:
-    mode: PERMISSIVE 
+    mode: STRICT
   selector:
     matchLabels:
       app.kubernetes.io/name: metrics-server