chore: fix istio mTLS stopping traffic to webhook.

defenseunicorns · Jan 10, 2024 · dceab61 · dceab61
1 parent 504b759
commit dceab61
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 8 deletions.
diff --git a/manifests/cert-manager-namespace.yaml → manifests/namespace.yaml b/manifests/cert-manager-namespace.yaml → manifests/namespace.yaml
diff --git a/manifests/peerauth.yaml b/manifests/peerauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: cert-manager-webhook-exception
+  namespace: cert-manager
+spec:
+  mtls:
+    mode: STRICT
+  portLevelMtls:
+    10250:
+      mode: PERMISSIVE
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: webhook
diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml
@@ -16,7 +16,6 @@ startupapicheck:
   image:
     repository: registry1.dso.mil/ironbank/jetstack/cert-manager-ctl
     tag: "v1.13.2"
-
   podLabels:
     sidecar.istio.io/inject: "false"
 

diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
@@ -1,7 +1,3 @@
-startupapicheck:
-  podLabels:
-    sidecar.istio.io/inject: "false"
-
 installCRDs: true
 
 # delete secret if certificate is deleted
@@ -14,3 +10,7 @@ securityContext:
 prometheus:
   servicemonitor:
     enabled: true
+
+startupapicheck:
+  podLabels:
+    sidecar.istio.io/inject: "false"
diff --git a/zarf.yaml b/zarf.yaml
@@ -24,12 +24,15 @@ variables:
     autoIndent: true
 
 components:
-  - name: namespace-istio-injection
+  - name: istio-configuration
     required: true
     manifests:
-      - name: cert-manager-namespace
+      - name: namespace-injection
         files:
-          - manifests/cert-manager-namespace.yaml
+          - manifests/namespace.yaml
+      - name: webhook-peer-auth-exception
+        files:
+          - manifests/peerauth.yaml
     actions:
       onDeploy:
         before: