UNCLASSIFIED - NO CUI


removed blackboxExporter exception peerauth

General MR

Summary

This MR removes the blackboxExporter peer authentication exception from Monitoring so that the mTLS-enabled connection works.

For context and testing, please see:

When blackbox exporter was initially moved to monitoring, the connection from prometheus->blackbox-exporter was not mTLS -- as part of this effort, the prometheus-blackbox-exporter-exception was added to allow non-https/PERMISSIVE connections (see https://repo1.dso.mil/big-bang/product/packages/monitoring/-/blob/main/docs/istio-mtls-metrics.md?ref_type=heads).

With the changes to remove blackbox-exporter from headlamp, @michaelmartin added changes to use mTLS for prometheus->blackbox-exporter (see the referenced MRs above). In order for this to work, we need to remove this PERMISSIVE port exception from monitoring -- it is no longer necessary. Its existence will actually break prometheus->blackbox-exporter mTLS connections now with istio hardening enabled, because the port exception prevents our istio allow-in-namespace authorization policy from being applied: authz policies with namespace matching require mTLS.
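To make the mechanism concrete, here is an added illustration of the two states described above. These manifests are not the monitoring package's own files; the workload label, the AuthorizationPolicy name, and the port (9115, the blackbox exporter's default listen port) are assumptions, and only the exception's name is taken from the MR text.

```yaml
# Added illustration, not the monitoring package's own manifests.
# Labels, the AuthorizationPolicy name and the port are assumptions.

# --- BEFORE: the port-level PERMISSIVE exception this MR removes ---
# A port-level PERMISSIVE entry lets plaintext reach the exporter, but on a
# plaintext connection Istio has no peer certificate, so it cannot establish
# the caller's identity or namespace on that port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: prometheus-blackbox-exporter-exception   # name taken from the MR text
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus-blackbox-exporter   # assumed label
  portLevelMtls:
    9115:                      # assumed: blackbox exporter's default port
      mode: PERMISSIVE
---
# --- AFTER: only the namespace-wide STRICT policy remains (assumed to be
# present as part of Istio hardening); the per-workload exception is gone ---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: monitoring
spec:
  mtls:
    mode: STRICT
---
# The allow-in-namespace AuthorizationPolicy the exception was defeating.
# source.namespaces is derived from the peer certificate, so a plaintext
# request on the excepted port has no namespace to match and this ALLOW
# rule never applies to it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-in-namespace   # assumed name
  namespace: monitoring
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["monitoring"]
```

After the change, `kubectl get peerauthentication -n monitoring` should list only the namespace-wide policy; any remaining per-workload PeerAuthentication with a `portLevelMtls` PERMISSIVE entry would reintroduce the same gap for that port.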

The blackbox-exporter is only used for headlamp at the moment, and we've confirmed it is working as expected now with mTLS.

We will probably want to coordinate pulling this into BB umbrella with the other changes in a release cycle.

Relevant logs/screenshots

With the PeerAuthentication in:

[screenshot]

With the PeerAuthentication removed:

[screenshot]

See Verification info for changes working with these changes: big-bang/bigbang!6868 (merged)

Linked Issue

issue Remove blackbox-exporter (#55) · Issue · big-bang/product/packages/headlamp

Upgrade Notices

n/a

Edited by Michael Martin
