# Istio mTLS configuration for the veylant namespace (E10-01).
# Enforces STRICT mutual TLS for all service-to-service communication.
# Prerequisites: Istio installed with sidecar injection enabled on the namespace.
#   kubectl label namespace veylant istio-injection=enabled
# Apply: kubectl apply -f deploy/k8s/istio/peer-auth.yaml
#
# Scope notes (review):
# - The PeerAuthentication below has no selector, so it is namespace-wide and
#   governs every sidecar-injected workload in veylant. Injection happens at pod
#   creation, so pods started before the namespace label was applied, or pods
#   that opt out of injection, run without a sidecar and are not covered by this
#   policy. Confirm each pod in the namespace shows an istio-proxy container
#   (e.g. READY 2/2 in `kubectl get pods -n veylant`) before relying on STRICT.
# - Each DestinationRule pins the client side to ISTIO_MUTUAL for one host. This
#   requires the destination workload to also carry a sidecar that terminates
#   mTLS; if postgres/redis/clickhouse run without one, client traffic to them
#   fails rather than falling back to plaintext. Verify the backing pods of
#   each host are injected, not just the application services.
# - mTLS authenticates peers; it does not restrict which workloads may call
#   which service. Least-privilege call graphs (e.g. only the services that need
#   the PII service or PostgreSQL may reach them) are expressed with Istio
#   AuthorizationPolicy, which this file does not define.
---
# STRICT PeerAuthentication: all inbound connections must use mTLS.
# Pods without a valid certificate will be rejected (by the receiving sidecar;
# a receiver with no sidecar is unaffected, see scope notes above).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: veylant
spec:
  mtls:
    mode: STRICT
---
# DestinationRule: require mTLS for traffic to the proxy.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: veylant-proxy-mtls
  namespace: veylant
spec:
  host: veylant-proxy.veylant.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# DestinationRule: require mTLS for traffic to the PII service.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: pii-service-mtls
  namespace: veylant
spec:
  host: pii-service.veylant.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# DestinationRule: require mTLS for traffic to PostgreSQL.
# NOTE(review): only effective if the PostgreSQL pods themselves are
# sidecar-injected; a database deployed from a chart that disables injection
# would make this rule break client connections rather than secure them.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: postgres-mtls
  namespace: veylant
spec:
  host: postgres.veylant.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# DestinationRule: require mTLS for traffic to Redis.
# NOTE(review): same sidecar requirement as the PostgreSQL rule above.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: redis-mtls
  namespace: veylant
spec:
  host: redis.veylant.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# DestinationRule: require mTLS for traffic to ClickHouse.
# NOTE(review): same sidecar requirement as the PostgreSQL rule above.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: clickhouse-mtls
  namespace: veylant
spec:
  host: clickhouse.veylant.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL