Merge branch 'enable-mtls-for-neuvector-metrics' into 'master'

Enable mTLS for Neuvector metrics

Closes big-bang/product/packages/neuvector#38

See merge request !2564

chart/templates/neuvector/values.yaml

@@ -15,8 +15,6 @@ istio:
     gateways:
     - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
   injection: {{ ternary "enabled" "disabled" $istioInjection }}
-  mtls:
-    mode: PERMISSIVE
 
 {{- if .Values.monitoring.enabled }}
 monitoring:
@@ -43,6 +41,15 @@ monitor:
     enabled: true
     serviceMonitor:
       enabled: true
+      # conditional passes only for default istio: enabled, mTLS: SCRICT
+      {{- if and $istioInjection (eq (dig "istio" "mtls" "mode" "STRICT" .Values.neuvector.values) "STRICT") }}
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prom-certs/root-cert.pem
+        certFile: /etc/prom-certs/cert-chain.pem
+        keyFile: /etc/prom-certs/key.pem
+        insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+      {{- end }}
     svc:
       enabled: true
       type: ClusterIP

chart/values.yaml

@@ -590,7 +590,7 @@ neuvector:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
     path: "./chart"
-    tag: "2.4.2-bb.2"
+    tag: "2.4.2-bb.3"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress: