
feat(operator,metrics): add TLS support for metrics server#8997

Merged
gbartolini merged 5 commits into main from dev/5070 on Nov 6, 2025

Conversation

armru (Member) commented Oct 29, 2025

Add optional TLS support for the operator metrics server (port 8080) to enhance security when exposing Prometheus metrics.

The feature is opt-in and controlled entirely by the METRICS_CERT_DIR environment variable. When set, the operator will:

  • Enable TLS (SecureServing) for the metrics server
  • Look for certificates at the specified path
  • Use standard Kubernetes TLS secret naming (tls.crt/tls.key)

When METRICS_CERT_DIR is not set (default), the metrics server continues to operate without TLS, ensuring no breaking changes to existing deployments.

Usage:

  1. Create a Kubernetes secret with TLS certificates (tls.crt and tls.key)
  2. Mount the secret into the operator pod (e.g., /run/secrets/cnpg.io/metrics)
  3. Set METRICS_CERT_DIR environment variable to the mount path
  4. Update monitoring configuration (e.g., PodMonitor) to use HTTPS

Closes #5070

@armru armru requested review from a team and jsilvela as code owners October 29, 2025 15:16
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Oct 29, 2025
@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Oct 29, 2025
github-actions (Contributor) commented Oct 29, 2025
❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this PR, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

@dosubot dosubot bot added enhancement 🪄 New feature or request observability 🔍 Observability, Monitoring, Logging labels Oct 29, 2025
@armru armru changed the title feat: add TLS support for manager metrics server feat(operator,metrics): add TLS support for metrics server Oct 29, 2025
@armru armru added do not backport This PR must not be backported - it will be in the next minor release and removed backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Oct 29, 2025
armru (Member, Author) commented Oct 29, 2025

/test

github-actions (Contributor) commented Oct 29, 2025
@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18916760779

@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label Oct 29, 2025
@NiccoloFei NiccoloFei force-pushed the dev/5070 branch 3 times, most recently from fbb8742 to 9b89804 on November 4, 2025 15:44
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Nov 4, 2025
armru and others added 3 commits November 6, 2025 15:09
Add optional TLS support for the operator metrics server (port 8080) to
enhance security when exposing Prometheus metrics.

The feature is opt-in and controlled entirely by the METRICS_CERT_DIR
environment variable. When set, the operator will:
- Enable TLS (SecureServing) for the metrics server
- Look for certificates at the specified path
- Use standard Kubernetes TLS secret naming (tls.crt/tls.key)

When METRICS_CERT_DIR is not set (default), the metrics server continues
to operate without TLS, ensuring no breaking changes to existing deployments.

Usage:
1. Create a Kubernetes secret with TLS certificates (tls.crt and tls.key)
2. Mount the secret to the operator pod (e.g., /run/secrets/cnpg.io/metrics)
3. Set METRICS_CERT_DIR environment variable to the mount path
4. Update monitoring configuration (e.g., PodMonitor) to use HTTPS

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
mnencia and others added 2 commits November 6, 2025 15:09
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
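The opt-in procedure described in the PR description and repeated in the commit message above (create a secret holding tls.crt and tls.key, mount it, point METRICS_CERT_DIR at the mount path, scrape over HTTPS), as an added example in Go. This is not code from this PR or from CloudNativePG, which serves its metrics through controller-runtime; it is a stand-alone model of the same switch built on the standard library only. Everything beyond the PR text is an assumption of the example: the function names metricsTLSConfig, serveMetrics, writeSelfSignedPair and scrape; a self-signed certificate written to a temporary directory in place of the mounted Kubernetes secret; the constructed metric line; and the fail-closed choice (a set METRICS_CERT_DIR with an unusable key pair is an error rather than a fallback to plaintext), which the PR text does not specify either way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// metricsTLSConfig returns nil (plain HTTP, the default) when certDir is empty. Otherwise it
// loads tls.crt/tls.key (the Kubernetes TLS secret keys) and fails closed: an unusable pair is
// an error, never a silent fallback to plaintext. Fail-closed is this example's choice.
func metricsTLSConfig(certDir string) (*tls.Config, error) {
	if certDir == "" {
		return nil, nil
	}
	cert, err := tls.LoadX509KeyPair(filepath.Join(certDir, "tls.crt"), filepath.Join(certDir, "tls.key"))
	if err != nil {
		return nil, fmt.Errorf("METRICS_CERT_DIR is set but the key pair is unusable: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// serveMetrics binds addr, wraps the listener in TLS when enabled, and returns the running
// server plus the URL (scheme included) that a scraper such as a PodMonitor must use.
func serveMetrics(addr, certDir string) (*http.Server, string, error) {
	tlsCfg, err := metricsTLSConfig(certDir)
	if err != nil {
		return nil, "", err
	}
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, "", err
	}
	scheme := "http"
	if tlsCfg != nil {
		ln, scheme = tls.NewListener(ln, tlsCfg), "https"
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "cnpg_example_up 1") // constructed sample metric, not real operator output
	})}
	go func() { _ = srv.Serve(ln) }()
	return srv, fmt.Sprintf("%s://%s/metrics", scheme, ln.Addr().String()), nil
}

// writeSelfSignedPair writes a throwaway tls.crt/tls.key into dir, standing in for the mounted
// secret, and returns the certificate PEM so a scraper can pin it. Test fixture only.
func writeSelfSignedPair(dir string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, "tls.crt"), certPEM, 0o600); err != nil {
		return nil, err
	}
	return certPEM, os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600)
}

// scrape fetches url trusting only caPEM (nil for plain HTTP) and returns the HTTP status:
// the check a PodMonitor with scheme https and a pinned CA performs.
func scrape(url string, caPEM []byte) (int, error) {
	tr := &http.Transport{}
	if caPEM != nil {
		pool := x509.NewCertPool()
		pool.AppendCertsFromPEM(caPEM)
		tr.TLSClientConfig = &tls.Config{RootCAs: pool}
	}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

With an empty certDir, serveMetrics returns an http:// URL and scrape works with no CA, which is the pre-existing behaviour the PR preserves. With a directory containing tls.crt and tls.key it returns an https:// URL, and scrape succeeds only when the caller trusts the certificate; that is why step 4 exists: the PodMonitor has to switch to scheme https and carry a CA the Prometheus side trusts, otherwise the scrape fails certificate verification exactly as the unpinned call does here. A directory that is set but holds no usable pair is rejected up front rather than quietly serving plaintext.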
@gbartolini gbartolini merged commit cee4a6e into main Nov 6, 2025
30 checks passed
@gbartolini gbartolini deleted the dev/5070 branch November 6, 2025 14:20


Linked issue: [Feature]: add TLS support in the operator metrics port