Resolve "Enable mTLS for Twistlock metrics"

704c9233 · Brett Charrier · Micah Nagel · 0690fbbc · 704c9233 · 704c9233
Commit 704c9233 authored 2 years ago by Brett Charrier Committed by Micah Nagel 2 years ago
--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -10,6 +10,17 @@ openshift: {{ .Values.openshift }}

 monitoring:
  enabled: {{ .Values.monitoring.enabled }}
+  serviceMonitor:
+    enabled: {{ .Values.monitoring.enabled }}
+    # conditional passes only for default istio: enabled, mTLS: SCRICT
+    {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.twistlock.values) "STRICT") }}
+    scheme: https
+    tlsConfig:
+      caFile: /etc/prom-certs/root-cert.pem
+      certFile: /etc/prom-certs/cert-chain.pem
+      keyFile: /etc/prom-certs/key.pem
+      insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+    {{- end }}

 imagePullSecrets:
 - name: private-registry

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -675,7 +675,7 @@ twistlock:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
    path: "./chart"
-    tag: "0.10.0-bb.1"
+    tag: "0.10.0-bb.2"

  # -- Flux reconciliation overrides specifically for the Twistlock Package
  flux: {}