Anthony Wendt · 63d5bdfa · bc18c9dc · aaf1a01a · 52edcc44 · 8a1d156d
--- a/chart/templates/bigbang/peerauthentication/exceptions/application-controller-metrics-exception-peer-authentication.yaml 0 → 100644

+ 22

− 0
+++ b/chart/templates/bigbang/peerauthentication/exceptions/application-controller-metrics-exception-peer-authentication.yaml 0 → 100644

+ 22

− 0
+# Conditional with the normal conditional + only apply the exception when set to STRICT mode
+{{- if and .Values.istio.enabled (eq .Values.istio.mtls.mode "STRICT") }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+  # Name with the package, "description", and exception
+  name: argocd-application-controller-metrcis-exception
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    # Default here is still `mtls.mode`, this allows us to set `PERMISSIVE` just for the metrics port
+    mode: {{ .Values.istio.mtls.mode }}
+  selector:
+    matchLabels:
+      # Label selector to ONLY the pods that need the exception
+      app.kubernetes.io/name: argocd-application-controller
+  # Allow permissive mTLS to application controller metrics
+  portLevelMtls:
+    # Port number (in quotes due to Flux getting angry about a number as a yaml key)
+    "8082":
+      mode: PERMISSIVE
+{{- end }}