From 1f03dfe7e036e2e38920d70ae2ec738a01ba11cd Mon Sep 17 00:00:00 2001
From: Ryan Garcia <garcia.ryan@solute.us>
Date: Mon, 17 Oct 2022 21:05:37 +0000
Subject: [PATCH] Adding necessary mTLS passthrough values for each Gitlab
 serviceMonitor

---
 chart/templates/gitlab/values.yaml | 69 ++++++++++++++++++++++++++++++
 chart/values.yaml                  |  2 +-
 2 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/chart/templates/gitlab/values.yaml b/chart/templates/gitlab/values.yaml
index 374138a197..7abb2c84ad 100644
--- a/chart/templates/gitlab/values.yaml
+++ b/chart/templates/gitlab/values.yaml
@@ -84,6 +84,17 @@ registry:
     {{ include "istioAnnotation" . }}
     {{- end }}
   {{- end }}
+  {{- if and (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.gitlab.values) "STRICT") $istioInjection }}
+  metrics:
+    serviceMonitor:
+      endpointConfig:
+        scheme: https
+        tlsConfig:
+          caFile: /etc/prom-certs/root-cert.pem
+          certFile: /etc/prom-certs/cert-chain.pem
+          keyFile: /etc/prom-certs/key.pem
+          insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+  {{- end }}
 {{- end }}
 
 gitlab:
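Review bot: `insecureSkipVerify: true` in the added tlsConfig disables verification of the scraped pod's certificate, so the `caFile` three lines above is loaded but never used to check the peer chain, and the scrape is authenticated in one direction only, by the client certificate Prometheus presents to the sidecar. The inline comment should say that and name the precondition this patch does not provide, e.g. `# target cert is not verified (Istio workload certs carry SPIFFE URI SANs Prometheus cannot match); caFile is not consulted, mesh mTLS policy authenticates the target; requires Istio certs mounted at /etc/prom-certs in the Prometheus pod`. The same guard and ten-line stanza are repeated five more times in the later hunks (the sub-chart above `webservice`, then `webservice`, `workhorse`, `gitaly` and `gitlab-shell`); since the file already uses `include "istioAnnotation"`, one named template rendered with `nindent` would keep the six copies from drifting, as sketched below with a constructed template name.
```yaml
{{- define "gitlab.mtlsServiceMonitor" -}}
metrics:
  serviceMonitor:
    endpointConfig:
      scheme: https
      tlsConfig:
        caFile: /etc/prom-certs/root-cert.pem
        certFile: /etc/prom-certs/cert-chain.pem
        keyFile: /etc/prom-certs/key.pem
        insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
{{- end }}

# … unchanged: registry annotations …
  {{- if and (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.gitlab.values) "STRICT") $istioInjection }}
  {{- include "gitlab.mtlsServiceMonitor" . | nindent 2 }}
  {{- end }}
```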
@@ -113,8 +124,42 @@ gitlab:
       annotations:
         {{ include "istioAnnotation" . }}
     {{- end }}
+    {{- if and (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.gitlab.values) "STRICT") $istioInjection }}
+    metrics:
+      serviceMonitor:
+        endpointConfig:
+          scheme: https
+          tlsConfig:
+            caFile: /etc/prom-certs/root-cert.pem
+            certFile: /etc/prom-certs/cert-chain.pem
+            keyFile: /etc/prom-certs/key.pem
+            insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+    {{- end }}
+
   {{- if or $iamProfile $istioInjection }}
   webservice:
+  {{- if and (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.gitlab.values) "STRICT") $istioInjection }}
+    metrics:
+      serviceMonitor:
+        endpointConfig:
+          scheme: https
+          tlsConfig:
+            caFile: /etc/prom-certs/root-cert.pem
+            certFile: /etc/prom-certs/cert-chain.pem
+            keyFile: /etc/prom-certs/key.pem
+            insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+    workhorse:
+      metrics:
+        serviceMonitor:
+          endpointConfig:
+            scheme: https
+            tlsConfig:
+              caFile: /etc/prom-certs/root-cert.pem
+              certFile: /etc/prom-certs/cert-chain.pem
+              keyFile: /etc/prom-certs/key.pem
+              insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+  {{- end }}
+  {{- if or $iamProfile $istioInjection }}
     annotations: 
       {{- if $iamProfile }}
       iam.amazonaws.com/role: {{ .Values.addons.gitlab.objectStorage.iamProfile }}
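Review bot: The new `{{- if or $iamProfile $istioInjection }}` directly above `annotations:` is nested inside the identical condition that already opens before `webservice:`, so it can never evaluate differently there; the extra `{{- end }}` added in the next hunk is what closes it. Dropping both lines leaves the rendered output unchanged and removes one level of nesting to reason about (the `webservice:` mapping continues past the end of this hunk). Separately, `dig` fails when its last argument is not a map, so if `.Values.addons.gitlab.values` can be absent or null the render aborts at this guard; presumably the chart defaults it to `{}`, which is worth confirming since the same expression is used at every added guard.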
@@ -131,6 +176,7 @@ gitlab:
       {{ include "istioAnnotation" . }}
       {{- end }}
   {{- end }}
+  {{- end }}
 {{- if $istioInjection }}
   migrations:
     annotations:
@@ -138,9 +184,32 @@ gitlab:
   gitaly:
     annotations:
       {{ include "istioAnnotation" . }}
+    {{- if and (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.gitlab.values) "STRICT") $istioInjection }}
+    metrics:
+      serviceMonitor:
+        endpointConfig:
+          scheme: https
+          tlsConfig:
+            caFile: /etc/prom-certs/root-cert.pem
+            certFile: /etc/prom-certs/cert-chain.pem
+            keyFile: /etc/prom-certs/key.pem
+            insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+    {{- end }}
   gitlab-shell:
     annotations:
       {{ include "istioAnnotation" . }}
+    {{- if and (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.gitlab.values) "STRICT") $istioInjection }}
+    metrics:
+      serviceMonitor:
+        endpointConfig:
+          scheme: https
+          tlsConfig:
+            caFile: /etc/prom-certs/root-cert.pem
+            certFile: /etc/prom-certs/cert-chain.pem
+            keyFile: /etc/prom-certs/key.pem
+            insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+    {{- end }}
+
   praefect:
     annotations:
       {{ include "istioAnnotation" . }}
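Review bot: `praefect:` here and `migrations:` in the previous hunk receive the Istio annotation but no `metrics.serviceMonitor` stanza, while `gitaly` and `gitlab-shell` now get one; if either of those components ships a ServiceMonitor in the upstream chart its scrape will still fail under STRICT mTLS, which cannot be verified from this diff. A short comment above the gitaly guard recording the intent, e.g. `# TODO confirm: praefect and migrations expose no ServiceMonitor, so no tlsConfig is added for them`, would save the next reader the same check. The blank line is added after the `gitlab-shell` guard but not after the `gitaly` one; make the spacing between the two stanzas consistent.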
diff --git a/chart/values.yaml b/chart/values.yaml
index f09a47cb2d..caa17c3165 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -870,7 +870,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
       path: "./chart"
-      tag: "6.4.1-bb.0"
+      tag: "6.4.1-bb.1"
 
     # -- Flux reconciliation overrides specifically for the Gitlab Package
     flux: {}
-- 
GitLab