mTLS update

080f044d · Chris Hayter · b1591f73 · 080f044d · 080f044d · 080f044d
Commit 080f044d authored 1 year ago by Chris Hayter
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
+## [7.10.0-bb.3] - 2023-05-24
+### Added
+- Added mTLS to mattermost
+
 ## [7.10.0-bb.2] - 2023-05-17
 ### Updated
 - Updated chart/values.yaml hostname key to domain

--- a/README.md
+++ b/README.md
 # mattermost

-![Version: 7.10.0-bb.2](https://img.shields.io/badge/Version-7.10.0--bb.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7.10.0](https://img.shields.io/badge/AppVersion-7.10.0-informational?style=flat-square)
+![Version: 7.10.0-bb.3](https://img.shields.io/badge/Version-7.10.0--bb.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7.10.0](https://img.shields.io/badge/AppVersion-7.10.0-informational?style=flat-square)

 Deployment of mattermost

@@ -34,15 +34,18 @@ helm install mattermost chart/
 |-----|------|---------|-------------|
 | domain | string | `"bigbang.dev"` |  |
 | istio.enabled | bool | `false` | Toggle istio integration |
+| istio.mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
 | istio.chat.enabled | bool | `true` |  |
 | istio.chat.annotations | object | `{}` |  |
 | istio.chat.labels | object | `{}` |  |
 | istio.chat.gateways[0] | string | `"istio-system/main"` |  |
-| istio.chat.hosts[0] | string | `"chat.{{ .Values.hostname }}"` |  |
+| istio.chat.hosts[0] | string | `"chat.{{ .Values.domain }}"` |  |
 | istio.injection | string | `"disabled"` |  |
 | ingress | object | `{"annotations":{},"enabled":false,"host":"","tlsSecret":""}` | Specification to configure an Ingress with Mattermost |
 | monitoring.enabled | bool | `false` |  |
 | monitoring.namespace | string | `"monitoring"` |  |
+| monitoring.serviceMonitor.scheme | string | `""` |  |
+| monitoring.serviceMonitor.tlsConfig | object | `{}` |  |
 | networkPolicies.enabled | bool | `false` |  |
 | networkPolicies.ingressLabels.app | string | `"istio-ingressgateway"` |  |
 | networkPolicies.ingressLabels.istio | string | `"ingressgateway"` |  |

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 name: mattermost
 type: application
-version: 7.10.0-bb.2
+version: 7.10.0-bb.3
 appVersion: 7.10.0
 description: "Deployment of mattermost"
 keywords:

--- a/chart/templates/peer-authentication/peer-authentication.yaml
+++ b/chart/templates/peer-authentication/peer-authentication.yaml
+{{- if .Values.istio.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default-mattermost
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    mode: {{ .Values.istio.mtls.mode }}
+{{- end }}
--- a/chart/templates/peer-authentication/postgres-exception.yaml
+++ b/chart/templates/peer-authentication/postgres-exception.yaml
+{{ if and .Values.istio.enabled (eq .Values.istio.mtls.mode "STRICT") }}
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: mattermost-postgresql-exception
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    mode: {{ .Values.istio.mtls.mode }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+  portLevelMtls:
+    "5432":
+      mode: PERMISSIVE
+{{- end }}
--- a/chart/templates/service-monitor.yaml
+++ b/chart/templates/service-monitor.yaml
@@ -19,6 +19,12 @@ spec:
  endpoints:
    - interval: 30s
      port: metrics
-      scheme: http
+      {{- if .Values.monitoring.serviceMonitor.scheme }}
+      scheme: {{ .Values.monitoring.serviceMonitor.scheme }}
+      {{- end }}
+      {{- if .Values.monitoring.serviceMonitor.tlsConfig }}
+      tlsConfig:
+        {{- toYaml .Values.monitoring.serviceMonitor.tlsConfig | nindent 6 }}
+      {{- end }}
  jobLabel: mattermost
 {{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -3,6 +3,10 @@ domain: bigbang.dev
 istio:
  # -- Toggle istio integration
  enabled: false
+  mtls:
+    # -- STRICT = Allow only mutual TLS traffic,
+    # PERMISSIVE = Allow both plain text and mutual TLS traffic
+    mode: STRICT
  chat:
    # Toggle vs creation
    enabled: true
@@ -26,6 +30,10 @@ monitoring:
  enabled: false
  namespace: monitoring

+  serviceMonitor:
+    scheme: http
+    tlsConfig: {}
+
 networkPolicies:
  enabled: false
  ingressLabels: