feat(operator,metrics): add TLS support for metrics server by armru · Pull Request #8997 · cloudnative-pg/cloudnative-pg
Oct 29, 2025
armru
changed the title
feat: add TLS support for manager metrics server
feat(operator,metrics): add TLS support for metrics server
Add optional TLS support for the operator metrics server (port 8080) to enhance security when exposing Prometheus metrics.

The feature is opt-in and controlled entirely by the METRICS_CERT_DIR environment variable. When set, the operator will:

- Enable TLS (SecureServing) for the metrics server
- Look for certificates at the specified path
- Use standard Kubernetes TLS secret naming (tls.crt/tls.key)

When METRICS_CERT_DIR is not set (default), the metrics server continues to operate without TLS, ensuring no breaking changes to existing deployments.

Usage:

1. Create a Kubernetes secret with TLS certificates (tls.crt and tls.key)
2. Mount the secret to the operator pod (e.g., /run/secrets/cnpg.io/metrics)
3. Set METRICS_CERT_DIR environment variable to the mount path
4. Update monitoring configuration (e.g., PodMonitor) to use HTTPS

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
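The opt-in behaviour described in the PR, as an added stand-alone example that is not the CloudNativePG operator's own code: `ResolveMetricsServing` turns the `METRICS_CERT_DIR` value into either plain-HTTP or TLS serving, requiring both `tls.crt` and `tls.key` to exist when TLS is requested so a misconfigured mount fails at startup instead of silently exposing plaintext metrics. The function and struct names, the TLS minimum version, and the sample `/metrics` handler are assumptions for illustration; the operator's real implementation delegates to controller-runtime's metrics server and is not reproduced here.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"log"
	"net/http"
	"os"
	"path/filepath"
)

// Standard Kubernetes TLS secret key names, as named in the PR description.
const (
	certFileName = "tls.crt"
	keyFileName  = "tls.key"
	envCertDir   = "METRICS_CERT_DIR"
)

// MetricsServing describes how the metrics listener should be configured
// (hypothetical type, not the operator's).
type MetricsServing struct {
	SecureServing bool
	CertFile      string
	KeyFile       string
}

// ResolveMetricsServing implements the opt-in rule from the PR description
// (assumed logic): an empty certDir means plain HTTP, matching the default;
// a non-empty certDir enables TLS and must contain tls.crt and tls.key,
// otherwise startup fails rather than falling back to plaintext.
func ResolveMetricsServing(certDir string) (MetricsServing, error) {
	if certDir == "" {
		return MetricsServing{SecureServing: false}, nil
	}
	cfg := MetricsServing{
		SecureServing: true,
		CertFile:      filepath.Join(certDir, certFileName),
		KeyFile:       filepath.Join(certDir, keyFileName),
	}
	for _, p := range []string{cfg.CertFile, cfg.KeyFile} {
		if _, err := os.Stat(p); err != nil {
			return MetricsServing{}, fmt.Errorf("%s is set but %s is missing: %w", envCertDir, p, err)
		}
	}
	return cfg, nil
}

// TLSConfig loads the key pair and pins a conservative minimum TLS version.
func TLSConfig(cfg MetricsServing) (*tls.Config, error) {
	if !cfg.SecureServing {
		return nil, errors.New("TLS not enabled for the metrics server")
	}
	cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
	}, nil
}

func main() {
	cfg, err := ResolveMetricsServing(os.Getenv(envCertDir))
	if err != nil {
		log.Fatal(err)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) {
		// Constructed sample metric; a real operator exposes its registry here.
		fmt.Fprintln(w, "# constructed sample metric\nexample_metrics_up 1")
	})
	srv := &http.Server{Addr: ":8080", Handler: mux}
	if cfg.SecureServing {
		tlsCfg, err := TLSConfig(cfg)
		if err != nil {
			log.Fatal(err)
		}
		srv.TLSConfig = tlsCfg
		log.Printf("serving metrics over HTTPS with %s", cfg.CertFile)
		log.Fatal(srv.ListenAndServeTLS("", ""))
	}
	log.Printf("%s not set, serving metrics over plain HTTP", envCertDir)
	log.Fatal(srv.ListenAndServe())
}
```

Run it with `METRICS_CERT_DIR` unset to get the unchanged plaintext listener, or point it at a directory holding a mounted `tls.crt`/`tls.key` pair to get HTTPS on the same port; once the listener is HTTPS, the scrape configuration (for example a PodMonitor's `scheme`) has to be switched to `https` as step 4 of the usage notes says, or the scrape will fail.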