Hey, I'd like to propose exposing the /metrics endpoint to a different port. The current setup makes it impossible to enforce mTLS in Istio while scraping metrics using basic authentication. This seems to be a common pattern on other apps like Karpenter or Argo Workflows.
With this feature implemented, only metrics traffic could bypass the Envoy proxy on the metrics port while maintaining encrypted traffic for incoming webhooks on a different port. This would be ideal considering the high amount of privileges Atlantis usually has.
This is unfortunately above my Go knowledge to open a PR, but I'd like to open the discussion at least.
Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Another option could be to have /metrics as unprotected. Istio can merge application metrics and expose them on port 15020. I couldn't find any Istio documentation regarding using merging on a protected endpoint, but it should work with this change implemented, according to the docs at least. Thoughts?
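A sketch of the mesh configuration the proposal in the original issue would enable, added here as an illustration and not part of the issue or the Atlantis project. It assumes a hypothetical dedicated metrics port 9090 (the requested feature), the default Atlantis port 4141, and constructed namespace and label names.

```yaml
# 1) Strategic-merge patch for the Atlantis pod template: inbound traffic to
#    the hypothetical metrics port 9090 skips the Envoy sidecar.
spec:
  template:
    metadata:
      annotations:
        traffic.sidecar.istio.io/excludeInboundPorts: "9090"
---
# 2) Everything that still passes through the sidecar (webhooks and UI on
#    4141) must present a mesh client certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: atlantis-strict
  namespace: atlantis                      # assumed namespace
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: atlantis     # assumed pod label
  mtls:
    mode: STRICT
---
# 3) The excluded port gets no Istio policy enforcement at all, so restrict
#    it at the network layer to the Prometheus namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: atlantis-ingress
  namespace: atlantis
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: atlantis
  policyTypes: [Ingress]
  ingress:
    - ports:                               # webhook/UI port, mTLS enforced by the sidecar
        - port: 4141
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed Prometheus namespace
      ports:
        - port: 9090
          protocol: TCP
```

Because the excluded port is plaintext and outside Istio's authorization policies, the NetworkPolicy (or equivalent) is what keeps the metrics listener from being reachable by arbitrary pods.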