feat: exclude controller to admin comms from mesh (#913)

Kong · Oct 24, 2023 · 824d022 · 824d022
1 parent 9cea84e
commit 824d022
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/charts/ingress/CHANGELOG.md b/charts/ingress/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## Unreleased
+
+### Improvements
+
+- Controller Pods now include annotations to exempt the gateway admin API port
+  from Kuma and Istio mesh interception. Controller to admin API configuration
+  uses its own mTLS configuration, which is not compatible with mesh mTLS.
+  [#913](https://github.com/Kong/charts/pull/913)
+
 ## 0.7.0
 
 - Bumped dependency `kong/kong` minimum to `2.28.1`. Review the [kong chart

diff --git a/charts/ingress/values.yaml b/charts/ingress/values.yaml
@@ -19,6 +19,14 @@ controller:
       enabled: true
       generateAdminApiService: true
 
+  podAnnotations:
+    kuma.io/gateway: enabled
+    # This port must match your Kong admin API port. 8444 is the default.
+    # If you set gateway.admin.tls.containerPort, change these annotations
+    # to use that value.
+    traffic.kuma.io/exclude-outbound-ports: "8444"
+    traffic.sidecar.istio.io/excludeOutboundPorts: "8444"
+
 gateway:
   enabled: true
   deployment: