feat: set Istio gateway TLS from Kubernetes secret (#982)
## Description
Adds the ability to set Istio gateway TLS from a Kubernetes secret

## Related Issue

Fixes #976 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

---------

Co-authored-by: Micah Nagel <[email protected]>
JeffResc and mjnagel authored Dec 6, 2024
1 parent 3c65fe6 commit 2711209
Showing 4 changed files with 34 additions and 2 deletions.
29 changes: 29 additions & 0 deletions docs/reference/configuration/ingress.md
@@ -99,3 +99,32 @@ variables:
:::note
If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/reference/configuration/uds-operator/#trusted-certificate-authority).
:::

#### Configuring TLS from a Secret

As an alternative to specifying individual certificate, key, and CA certificate values, you can set `tls.credentialName` in the gateway configuration. This field specifies the name of a Kubernetes secret containing the TLS certificate, key, and optional CA certificate for the gateway. When `tls.credentialName` is set, it will override `tls.cert`, `tls.key`, and `tls.cacert` values, simplifying the configuration by allowing a direct reference to a Kubernetes TLS secret. This secret should be placed in the same namespace as the gateway resource. See [Gateway ServerTLSSettings](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings) for all required and available secret keys.

This approach is useful if you already have a Kubernetes secret that holds the necessary TLS data and want to use it directly.

```yaml
kind: UDSBundle
metadata:
name: core-with-credentialName
description: A UDS example bundle for packaging UDS core with a custom TLS credentialName
version: "0.0.1"
packages:
- name: core
repository: oci://ghcr.io/defenseunicorns/packages/uds/core
ref: 0.23.0-upstream
overrides:
istio-admin-gateway:
uds-istio-config:
values:
- path: tls.credentialName
value: admin-gateway-tls-secret # Reference to the Kubernetes secret for the admin gateway's TLS certificate
istio-tenant-gateway:
uds-istio-config:
values:
- path: tls.credentialName
value: tenant-gateway-tls-secret # Reference to the Kubernetes secret for the tenant gateway's TLS certificate
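Review bot: the sentence "This secret should be placed in the same namespace as the gateway resource" is too loose; Istio resolves `credentialName` against the namespace of the ingress gateway workload, so the referenced secrets (`admin-gateway-tls-secret` and `tenant-gateway-tls-secret` in the example) must exist in the namespace each gateway chart is installed into, and they must be there before the gateway pods start or TLS handshakes will fail until the secret appears. Two smaller points for the same section: the `UDS_CA_CERT` note just above still applies when the secret holds a private-PKI certificate, so it is worth saying so here rather than letting readers assume `credentialName` changes that, and the example pins `ref: 0.23.0-upstream`, which should be confirmed to be a release that actually ships this value before the docs are published.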
2 changes: 1 addition & 1 deletion src/istio/chart/templates/gateway.yaml
@@ -34,7 +34,7 @@ spec:
tls:
mode: {{ $server.mode }}
{{- if ne $server.mode "PASSTHROUGH" }}
credentialName: gateway-tls
credentialName: {{ $.Values.tls.credentialName | default "gateway-tls" | quote }}
# if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3
minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }}
{{- end }}
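Review bot: a single `$.Values.tls.credentialName` is stamped onto every non-PASSTHROUGH server in the `servers` map, so one secret has to cover every host this gateway terminates; if that is intended, the docs should state it as a limitation, since the per-server loop here suggests per-server settings. The fallback itself is correct (`default` treats `""` as unset, so `credentialName: ""` still yields `gateway-tls`), but a name that points at a secret which does not exist leaves the listener up with no certificate and no chart-time error, so a verification step such as `kubectl -n <gateway namespace> get secret <credentialName>` belongs in the docs next to this setting.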
2 changes: 1 addition & 1 deletion src/istio/chart/templates/tls-cert.yaml
@@ -2,7 +2,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

{{- $tls := .Values.tls }}
{{ if $tls.cert }}
{{ if and $tls.cert (not $tls.credentialName) }}
apiVersion: v1
kind: Secret
metadata:
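Review bot: `{{ if and $tls.cert (not $tls.credentialName) }}` silently discards an inline `tls.cert`/`tls.key` when `tls.credentialName` is also set, rather than surfacing the conflict; a `fail` guard (or at minimum a values-schema note) when both are provided would catch a mis-merged override. Also note the edge case where a user sets `tls.credentialName: gateway-tls`, the default name from gateway.yaml, while still supplying `tls.cert`: the chart stops rendering the `gateway-tls` secret but the Gateway continues to reference it, so it must then be supplied externally, and on upgrade the previously chart-managed secret is removed, which leaves a window with no certificate unless the replacement is applied first.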
3 changes: 3 additions & 0 deletions src/istio/chart/values.yaml
@@ -17,6 +17,9 @@ domain: "###ZARF_VAR_DOMAIN###"
# # The CA certificate for the gateway when using `MUTUAL' or 'OPTIONAL_MUTUAL' (base64 encoded)
# cacert: ""

# # The name of the secret containing the TLS certificate to use for this gateway, this will override cert, key and cacert
# credentialName: ""

# # Map of gateway server entries
# servers:
# # Name of the gateway port to use for TLS, this is effectively a "list" in map form
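Review bot: the comment on `credentialName` says it overrides `cert`, `key` and `cacert` but not what the secret must contain, which is the thing a user filling this in needs: Istio accepts a `kubernetes.io/tls` secret with `tls.crt` and `tls.key` (plus `ca.crt` when the gateway mode is `MUTUAL` or `OPTIONAL_MUTUAL`), or a generic secret with `cert`, `key` and `cacert` keys. Suggest extending the comment, e.g. `# # ... must contain tls.crt and tls.key (and ca.crt for mutual TLS) and live in this gateway's namespace`, so the values file is self-explanatory without the docs page.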

0 comments on commit 2711209
