From 2e41bd1ef33c59fbfa84aae1ce20c07b57ea7811 Mon Sep 17 00:00:00 2001
From: Travis Raines <571832+rainest@users.noreply.github.com>
Date: Mon, 23 Oct 2023 10:22:18 -0700
Subject: [PATCH] feat: exclude controller to admin comms from mesh
---
 charts/ingress/CHANGELOG.md | 8 ++++++++
 charts/ingress/values.yaml | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/charts/ingress/CHANGELOG.md b/charts/ingress/CHANGELOG.md
index 9e3cbe660..ec9f0f8f9 100644
--- a/charts/ingress/CHANGELOG.md
+++ b/charts/ingress/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog

+## Unreleased
+
+### Improvements
+
+- Controller Pods now include annotations to exempt the gateway admin API port
+ from Kuma and Istio mesh interception. Controller to admin API configuration
+ uses its own mTLS configuration, which is not compatible with mesh mTLS.
+
 ## 0.7.0

 - Bumped dependency `kong/kong` minimum to `2.28.1`. Review the [kong chart
diff --git a/charts/ingress/values.yaml b/charts/ingress/values.yaml
index f067adb0e..4b64c9c8f 100644
--- a/charts/ingress/values.yaml
+++ b/charts/ingress/values.yaml
@@ -19,6 +19,14 @@ controller:
 enabled: true
 generateAdminApiService: true

+ podAnnotations:
+ kuma.io/gateway: enabled
+ # This port must match your Kong admin API port. 8444 is the default.
+ # If you set gateway.admin.tls.containerPort, change these annotations
+ # to use that value.
+ traffic.kuma.io/exclude-outbound-ports: "8444"
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8444"
+
 gateway:
 enabled: true
 deployment:
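Review bot: The two exclude-outbound-ports annotations added under `controller.podAnnotations` in values.yaml exempt outbound traffic to port 8444 by port number alone, so that traffic gets no mesh mTLS, policy or telemetry and relies entirely on the admin API's own TLS. The comment documents the port coupling but not that precondition; I would add `# Excluded traffic bypasses mesh mTLS and policy; keep admin API TLS client verification enabled.` above the two annotations. The port is also copied by hand from `gateway.admin.tls.containerPort`, so an override there that is not mirrored here leaves 8444 exempt for no purpose while the real admin port is intercepted by the sidecar again. If the chart layout allows it, deriving the value in a template rather than repeating the literal would remove that drift; whether the parent chart can do so is not visible from this hunk.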