{{- define "security-default.yaml.tpl" }}
# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
# they are added to Istio installation yaml for backward compatible. In future, they should be in
# a separated yaml file so that customer can enable mTLS independent from installation.

# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    app: {{ template "security.name" . }}
    chart: {{ template "security.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  peers:
  - mtls: {}
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "default"
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "security.name" . }}
    chart: {{ template "security.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  host: "*.local"
  {{- if .Values.global.defaultConfigVisibilitySettings }}
  exportTo:
  - '*'
  {{- end }}
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
# Customer should add similar destination rules for other services that don't have sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "api-server"
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "security.name" . }}
    chart: {{ template "security.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}"
  {{- if .Values.global.defaultConfigVisibilitySettings }}
  exportTo:
  - '*'
  {{- end }}
  trafficPolicy:
    tls:
      mode: DISABLE
{{- end }}