Blog Archive for July 4, 2023

Kubernetes Istio Pod Security

July 4, 2023

We implemented security between the pods to allow only named pods to be able to talk to each other. This was done using both an AuthorizationPolicy and a NetworkPolicy.

Here's the AuthorizationPolicy:

{{ $env := .Values.global.env }}
{{ $ns := .Release.Namespace }}
{{- if .Values.allowedServices }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy …

Kubernetes ConfigMap

July 4, 2023

You can define a ConfigMap in the Helm chart which will provide a file to the Kubernetes Deployment's Docker image. An example of this is an Apache config:

{{ $env := .Values.global.env }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: "{{ $env }}-{{ .Chart.Name }}-apache-config"
data:
  my-app-apache.conf: |
    <VirtualHost *:80>
        ServerName my-app …

Kubernetes Deployment

July 4, 2023

I wanted to document the approach taken to various bits of the Helm charts that I've authored. This is the Helm chart for deployment of a pod which includes Istio, Apache and PHP-FPM in separate Docker containers.

{{ $env := .Values.global.env }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ …