Initial Argo STRICT mTLS updates

marked this merge request as draft

marked this merge request as ready

Related to this issue: https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/1041

requested review from @micah.nagel

Configured a gravity deployment to use this branch. Argo deploys, mtls strict is applied on the argocd namespace. argocd working as expected.

requested review from @runyontr

requested review from @andrew.greene

resolved all threads

Did you happen to test with Prometheus scraping? With the STRICT mTLS I'm seeing all of the targets show an EOF error. We noticed the same with other packages that have been set to STRICT.

I've dug a little into this, and there's some config we can do on the monitoring side and to the serviceMonitor that should allow STRICT to work, but that's a bit beyond the scope of these initial issues (issue just says to add exceptions where needed). The exception I have added to other packages looks like:

# Conditional with the normal conditional + only apply the exception when set to STRICT mode
#   In this case, also added the condition on redis since the exception is for redis
{{- if and .Values.istio.enabled .Values.redis.enabled (eq .Values.istio.mtls.mode "STRICT") }}
apiVersion: "security.istio.io/v1beta1"
kind: PeerAuthentication
metadata:
  # Name with the package, "description", and exception
  name: authservice-redis-metrics-exception
  namespace: {{ .Release.Namespace }}
spec:
  mtls:
    # Default here is still `mtls.mode`, this allows us to set `PERMISSIVE` just for the metrics port
    mode: {{ .Values.istio.mtls.mode }}
  selector:
    matchLabels:
      # Label selector to ONLY the pods that need the exception
      app.kubernetes.io/name: redis-bb
  portLevelMtls:
    # Port number (in quotes due to Flux getting angry about a number as a yaml key)
    "9121":
      mode: PERMISSIVE
{{- end }}

Attempted to document the PeerAuthentication so that it hopefully makes sense. Let me know if you have questions and if you've able to reproduce the same issue with monitoring.

added 1 commit

8a1d156d - PeerAuthentication Updates

Compare with previous version

added 1 commit

52edcc44 - Fix filename error

Compare with previous version

added 1 commit

aaf1a01a - More file fixes

Compare with previous version

added 1 commit

bc18c9dc - Fix argocd-repo-server peerauth mtls exception

Compare with previous version

Awesome, thanks for the changes @anthonywendt . Best practice for the BB MRs... when they're ready add the statusreview label and assign reviewers (in general anyone in the CODEOWNERS file will have the permissions to approve and merge). In this case Branden and Evan are from the BB team and will be your best bets for a timely review. Hope that helps! I also float around and try to review these mTLS tickets since my team was assigned to the epic.