From dceab61719acac8fdf9ea2999f896784cb485e6a Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 10 Jan 2024 05:52:19 -0700 Subject: [PATCH] chore: fix istio mTLS stopping traffic to webhook. --- ...{cert-manager-namespace.yaml => namespace.yaml} | 0 manifests/peerauth.yaml | 14 ++++++++++++++ values/registry1-values.yaml | 1 - values/upstream-values.yaml | 8 ++++---- zarf.yaml | 9 ++++++--- 5 files changed, 24 insertions(+), 8 deletions(-) rename manifests/{cert-manager-namespace.yaml => namespace.yaml} (100%) create mode 100644 manifests/peerauth.yaml diff --git a/manifests/cert-manager-namespace.yaml b/manifests/namespace.yaml similarity index 100% rename from manifests/cert-manager-namespace.yaml rename to manifests/namespace.yaml diff --git a/manifests/peerauth.yaml b/manifests/peerauth.yaml new file mode 100644 index 0000000..210507a --- /dev/null +++ b/manifests/peerauth.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: cert-manager-webhook-exception + namespace: cert-manager +spec: + mtls: + mode: STRICT + portLevelMtls: + 10250: + mode: PERMISSIVE + selector: + matchLabels: + app.kubernetes.io/name: webhook diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml index 26ea5c7..da38991 100644 --- a/values/registry1-values.yaml +++ b/values/registry1-values.yaml @@ -16,7 +16,6 @@ startupapicheck: image: repository: registry1.dso.mil/ironbank/jetstack/cert-manager-ctl tag: "v1.13.2" - podLabels: sidecar.istio.io/inject: "false" diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml index 3095291..f070a97 100644 --- a/values/upstream-values.yaml +++ b/values/upstream-values.yaml @@ -1,7 +1,3 @@ -startupapicheck: - podLabels: - sidecar.istio.io/inject: "false" - installCRDs: true # delete secret if certificate is deleted 
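Review bot: The `portLevelMtls` entry for `10250` in the new manifests/peerauth.yaml downgrades that port to PERMISSIVE without a comment saying why, and a reader later tightening the namespace to STRICT will be tempted to delete it and reintroduce the outage this commit fixes. As far as the patch shows, the reason is that the kube-apiserver calls the cert-manager webhook from outside the mesh, so sidecar mTLS cannot be demanded on that port (the cert-manager webhook normally serves its own TLS there, so PERMISSIVE is not plaintext). Add above `portLevelMtls:` a comment such as `# 10250 is the webhook's HTTPS port; the kube-apiserver calls it from outside the mesh, so sidecar mTLS cannot be required there (the webhook terminates its own TLS).` Consider also narrowing `matchLabels` with `app.kubernetes.io/instance: cert-manager`, if the chart sets that label, so the exception cannot match another workload in the namespace that happens to carry `app.kubernetes.io/name: webhook`.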
@@ -14,3 +10,7 @@ securityContext: prometheus: servicemonitor: enabled: true + +startupapicheck: + podLabels: + sidecar.istio.io/inject: "false" \ No newline at end of file diff --git a/zarf.yaml b/zarf.yaml index 1223cf9..e0d0b84 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -24,12 +24,15 @@ variables: autoIndent: true components: - - name: namespace-istio-injection + - name: istio-configuration required: true manifests: - - name: cert-manager-namespace + - name: namespace-injection files: - - manifests/cert-manager-namespace.yaml + - manifests/namespace.yaml + - name: webhook-peer-auth-exception + files: + - manifests/peerauth.yaml actions: onDeploy: before:
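Review bot: The `startupapicheck` stanza moved to the end of values/upstream-values.yaml is written without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` flags and which makes the next append to this file show up as a spurious change to the `sidecar.istio.io/inject: "false"` line. Add the final newline after that line. The removal at the top of the file is its counterpart and needs nothing further.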
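Review bot: The renamed `istio-configuration` component in zarf.yaml now ships a `security.istio.io` PeerAuthentication while still marked `required: true`, so the package can no longer deploy to a cluster that lacks Istio's CRDs; if that is intended it should be recorded on the component, e.g. `description: Istio injection for the cert-manager namespace plus a port-level mTLS exception for the webhook; requires Istio to be installed.` The `namespace-injection` manifest is listed before `webhook-peer-auth-exception`, which is presumably what lets the namespaced PeerAuthentication apply into a namespace that exists, so a one-line comment such as `# order matters: the namespace must exist before the PeerAuthentication is applied` would keep a later reshuffle from breaking it. The `actions:` block that follows continues beyond the hunk.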