Enable mTLS for Neuvector metrics

488f89f2 · Brett Charrier · Ryan Garcia · b7c77312 · 488f89f2 · 488f89f2
Commit 488f89f2 authored 2 years ago by Brett Charrier Committed by Ryan Garcia 2 years ago
--- a/chart/templates/neuvector/values.yaml
+++ b/chart/templates/neuvector/values.yaml
@@ -15,8 +15,6 @@ istio:
    gateways:
    - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
  injection: {{ ternary "enabled" "disabled" $istioInjection }}
-  mtls:
-    mode: PERMISSIVE

 {{- if .Values.monitoring.enabled }}
 monitoring:
@@ -43,6 +41,15 @@ monitor:
    enabled: true
    serviceMonitor:
      enabled: true
+      # conditional passes only for default istio: enabled, mTLS: SCRICT
+      {{- if and $istioInjection (eq (dig "istio" "mtls" "mode" "STRICT" .Values.neuvector.values) "STRICT") }}
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prom-certs/root-cert.pem
+        certFile: /etc/prom-certs/cert-chain.pem
+        keyFile: /etc/prom-certs/key.pem
+        insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+      {{- end }}
    svc:
      enabled: true
      type: ClusterIP

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -590,7 +590,7 @@ neuvector:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
    path: "./chart"
-    tag: "2.4.2-bb.2"
+    tag: "2.4.2-bb.3"

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress: