UNCLASSIFIED - NO CUI

SKIP UPGRADE Remove layer 7 auth policies and remove unused istio config values

General MR

Summary

Refactored Monitoring’s Istio/authz surface to align with bb-common migration goals and remove legacy policy behavior.

  • Removed legacy/custom L7 authorization policy configuration from chart values and dropped related test coverage (alloy_prometheus_authz_test.yaml).
  • Simplified PeerAuthentication handling by removing the Prometheus-specific exception template and updating remaining exceptions/tests to rely on istio.sidecar.enabled gates (instead of legacy injection-based behavior).
  • Removed the standalone shared-monitoring-authz-policy template and its associated values/test fixtures (monitoringAuthorizationPolicies, shared_monitoring_authz_test.yaml, shared-monitoring-authz.yaml) after review showed it was no longer needed in the current model.
  • Added/normalized ServiceMonitor tlsConfig fields in values to support mTLS-oriented scrape configuration (Alertmanager, Grafana, Thanos service monitor, Thanos ruler service monitor paths).
  • Cleaned up legacy Istio keys in package values (istio.namespace, istio.injection) and updated tests/readme/changelog accordingly.
  • Schema generation was attempted (values.schema.json + helper script) but later reverted, so no schema file changes remain in final branch state.
  • Updated package metadata/docs for the resulting behavior (chart version/changelog/readme).
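Added example (not the monitoring chart's own values or templates) of the mTLS-oriented ServiceMonitor tlsConfig the fourth bullet refers to, and of the endpoint it is meant to render to. The values key layout (`alertmanager.serviceMonitor.tlsConfig`), the selector labels and the port name are assumptions; the certificate paths follow the Istio-documented pattern of mounting the Prometheus pod's own sidecar certificates into the Prometheus container.

```yaml
# Added example, not from the chart. Values fragment for scraping a target
# that sits behind STRICT PeerAuthentication: Prometheus presents the
# workload certificate Istio issued to its own sidecar, so the target's
# Envoy accepts the connection as mTLS instead of rejecting plaintext.
# Key layout under alertmanager.serviceMonitor is assumed.
alertmanager:
  serviceMonitor:
    scheme: https
    tlsConfig:
      # Paths assume the Istio-documented mount of the sidecar's certs
      # (OUTPUT_CERTS) into the Prometheus container.
      caFile: /etc/prom-certs/root-cert.pem
      certFile: /etc/prom-certs/cert-chain.pem
      keyFile: /etc/prom-certs/key.pem
      # Istio issues SPIFFE identities, not certificates for the scrape
      # hostname, so hostname verification has to be skipped; the CA check
      # against root-cert.pem still applies.
      insecureSkipVerify: true
---
# The ServiceMonitor endpoint the values above are meant to produce
# (constructed example, labels and port name assumed).
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: alertmanager
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: alertmanager
  endpoints:
    - port: http-web
      scheme: https
      tlsConfig:
        caFile: /etc/prom-certs/root-cert.pem
        certFile: /etc/prom-certs/cert-chain.pem
        keyFile: /etc/prom-certs/key.pem
        insecureSkipVerify: true
```

The check worth keeping in the chart tests is that every ServiceMonitor path that can point at a sidecar-injected target carries the same three file fields plus `scheme: https`; a scrape that is left on plain `http` against a STRICT namespace fails with a connection reset rather than an auth error, which is easy to misread as a network policy problem.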

Relevant logs/screenshots

 monitoring      allow-ingress-to-alertmanager-tcp-port-9093-from-ns-alloy-pod-alloy-logs
 monitoring      allow-ingress-to-grafana-port-3000-from-gateway
 monitoring      allow-ingress-to-kube-prometheus-stack-prometheus-operator-tcp-port-10250-from-anywhere
+monitoring      allow-ingress-to-monitoring-alertmanager-9093-from-ns-istio-gateway-pod-public-ingressgateway
+monitoring      allow-ingress-to-monitoring-prometheus-9090-from-ns-istio-gateway-pod-public-ingressgateway
 monitoring      allow-ingress-to-prometheus-port-9090-from-gateway
 monitoring      allow-ingress-to-prometheus-tcp-port-9090-from-ns-alloy-pod-alloy-logs
 monitoring      default-egress-allow-all-in-ns
 istio-gateway   default-passthrough-ingressgateway
 istio-gateway   default-public-ingressgateway
 istio-system    default
+monitoring      default-peer-auth
+monitoring      monitoring-webhook-exception
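Review bot: the listing has only `+` lines, so the pre-existing `allow-ingress-to-prometheus-port-9090-from-gateway` and `allow-ingress-to-grafana-port-3000-from-gateway` entries remain alongside the new `allow-ingress-to-monitoring-prometheus-9090-from-ns-istio-gateway-pod-public-ingressgateway`; if the old and new prometheus policies are meant to coexist, the summary should say so, otherwise a `-` line for the old one would be expected here. The block also has no header saying which resource kinds are listed (`default-peer-auth` and `monitoring-webhook-exception` read as PeerAuthentication rather than NetworkPolicy), so including the `kubectl get` command line or the column header would make the evidence self-describing.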

Linked Issue

#341 (closed)

Upgrade Notices

This is part of the migration to bb-common. As part of this, we are focusing on layer 4 auth policies. Any layer 7 policies are being removed in favor of layer 4 policies, which work in a broader number of environments.
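Added example, not the chart's own templates, showing what the layer 7 to layer 4 replacement described in this notice looks like for the prometheus 9090 case named in the listing above. The AuthorizationPolicy is the kind of L7 resource being removed; the NetworkPolicy is the L4 replacement. Selector labels, the gateway service account and the policy names other than the one copied from the listing are assumptions.

```yaml
# "Before" (added example): a layer 7 policy of the kind this MR removes.
# It is enforced by the Envoy sidecar on the target pod and can match HTTP
# attributes and workload identity, but only takes effect where every
# target pod actually has an Istio sidecar.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: prometheus-l7-allow-from-gateway   # constructed name
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus     # assumed label
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/istio-gateway/sa/public-ingressgateway   # assumed SA
      to:
        - operation:
            ports: ["9090"]
            methods: ["GET"]
---
# "After" (added example): the layer 4 replacement, shaped like the
# allow-ingress-to-monitoring-prometheus-9090-from-ns-istio-gateway-pod-public-ingressgateway
# entry in the listing. Enforced by the CNI, independent of sidecar
# injection, and able to match only namespace, pod labels and TCP port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-monitoring-prometheus-9090-from-ns-istio-gateway-pod-public-ingressgateway
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: prometheus     # assumed label
  policyTypes: ["Ingress"]
  ingress:
    - from:
        # namespaceSelector and podSelector in the same list element are
        # ANDed: pods with this label in the istio-gateway namespace only.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-gateway
          podSelector:
            matchLabels:
              app: public-ingressgateway       # assumed label
      ports:
        - protocol: TCP
          port: 9090
```

Two things change in the security model when an L7 policy is traded for the L4 one: method and path restrictions (the `methods: ["GET"]` above) are no longer expressible, and the caller is identified by namespace and pod labels rather than by its mTLS principal, so anything that could run in `istio-gateway` with the matching label can reach port 9090. In exchange the policy holds whether or not the pod has a sidecar. NetworkPolicy is also only enforced when the cluster's CNI implements it; on a CNI that does not, the object is accepted by the API server and silently does nothing, which is worth verifying in any environment the "broader number of environments" claim is meant to cover.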

Umbrella Branch

bb-common-monitoring

Edited by Dax McDonald
