feat(cluster): Add tls management for monitoring

wanix · wanix · commit 6b2c76c185ba · 2026-05-20T17:56:23.000+02:00
Signed-off-by: Erwan SEITE &lt;925205+wanix@users.noreply.github.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -20,7 +20,11 @@ charts/**/charts/*.tgz
 .idea
 *.swp
 *.swo
+.vscode
 *~
 
 # macOS
 .DS_Store
+
+# Tooling for local development
+mise.local.toml
diff --git a/README.md b/README.md
@@ -3,11 +3,9 @@
 [![Stack Overflow](https://img.shields.io/badge/stackoverflow-cloudnative--pg-blue?logo=stackoverflow&logoColor=%23F48024&link=https%3A%2F%2Fstackoverflow.com%2Fquestions%2Ftagged%2Fcloudnative-pg)][stackoverflow]
 [![GitHub License](https://img.shields.io/github/license/cloudnative-pg/charts)][license]
 
-
 [![GitHub Release](https://img.shields.io/github/v/release/cloudnative-pg/charts?filter=cloudnative-pg-*)](https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg)
 [![GitHub Release](https://img.shields.io/github/v/release/cloudnative-pg/charts?filter=cluster-*)](https://github.com/cloudnative-pg/charts/tree/main/charts/cluster)
 
-
 ## Operator chart
 
 Helm chart to install the
@@ -16,6 +14,7 @@ Helm chart to install the
 running in private, public, or hybrid cloud environments.
 
 **NOTE**: supports only the latest point release of the CloudNativePG operator.
+
 ```console
 helm repo add cnpg https://cloudnative-pg.github.io/charts
 helm upgrade --install cnpg \
diff --git a/charts/cluster/README.md b/charts/cluster/README.md
@@ -180,6 +180,7 @@ Kubernetes: `>=1.29.0-0`
 | cluster.monitoring.podMonitor.relabelings | list | `[]` | The list of relabelings for the PodMonitor. Applied to samples before scraping. |
 | cluster.monitoring.prometheusRule.enabled | bool | `true` | Whether to enable the PrometheusRule automated alerts |
 | cluster.monitoring.prometheusRule.excludeRules | list | `[]` | Exclude specified rules |
+| cluster.monitoring.tls.enabled | bool | `false` | Whether to enable tls on the metrics port. |
 | cluster.podSecurityContext | object | `{}` | Configure the Pod Security Context. See: https://cloudnative-pg.io/documentation/preview/security/ |
 | cluster.postgresGID | int | `-1` | The GID of the postgres user inside the image, defaults to 26 |
 | cluster.postgresUID | int | `-1` | The UID of the postgres user inside the image, defaults to 26 |
diff --git a/charts/cluster/templates/cluster.yaml b/charts/cluster/templates/cluster.yaml
@@ -138,6 +138,8 @@ spec:
       {{- toYaml . | nindent 6 }}
     {{ end }}
     {{- end }}
+    tls:
+      enabled: {{ .Values.cluster.monitoring.tls.enabled }}
   {{ include "cluster.bootstrap" . | nindent 2 }}
   {{ include "cluster.externalClusters" . | nindent 2 }}
   {{ include "cluster.backup" . | nindent 2 }}
diff --git a/charts/cluster/templates/podmonitor-cluster.yaml b/charts/cluster/templates/podmonitor-cluster.yaml
@@ -21,6 +21,15 @@ spec:
       cnpg.io/podRole: instance
   podMetricsEndpoints:
     - port: metrics
+      {{- if .Values.cluster.monitoring.tls.enabled }}
+      scheme: https
+      tlsConfig:
+        ca:
+          secret:
+            name: {{ include "cluster.fullname" . }}-ca
+            key: ca.crt
+        serverName: {{ include "cluster.fullname" . }}-rw
+      {{- end }}
       {{- with .Values.cluster.monitoring.podMonitor.relabelings }}
       relabelings:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/cluster/test/monitoring/01-monitoring_cluster-assert.yaml b/charts/cluster/test/monitoring/01-monitoring_cluster-assert.yaml
@@ -12,6 +12,8 @@ spec:
     size: 256Mi
     storageClass: standard
   monitoring:
+      tls:
+        enabled: true
       disableDefaultQueries: true
       customQueriesConfigMap:
         - name: monitoring-cluster-monitoring
@@ -31,7 +33,15 @@ spec:
       cnpg.io/cluster: monitoring-cluster
       cnpg.io/podRole: instance
   podMetricsEndpoints:
-    - relabelings:
+    - port: metrics
+      scheme: https
+      tlsConfig:
+        ca:
+          secret:
+            name: monitoring-cluster-ca
+            key: ca.crt
+        serverName: monitoring-cluster-rw
+      relabelings:
         - targetLabel: environment
           replacement: test
         - targetLabel: team
diff --git a/charts/cluster/test/monitoring/01-monitoring_cluster.yaml b/charts/cluster/test/monitoring/01-monitoring_cluster.yaml
@@ -8,6 +8,8 @@ cluster:
   monitoring:
     enabled: true
     disableDefaultQueries: true
+    tls:
+      enabled: true
     customQueries:
       - name: "pg_cache_hit_ratio"
         query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;"
diff --git a/charts/cluster/values.schema.json b/charts/cluster/values.schema.json
@@ -278,6 +278,14 @@
                                     "type": "array"
                                 }
                             }
+                        },
+                        "tls": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
                         }
                     }
                 },
diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml
@@ -349,6 +349,9 @@ cluster:
     customQueriesSecret: []
     #  - name: custom-queries-secret
     #    key: custom-queries
+    tls:
+      # -- Whether to enable tls on the metrics port.
+      enabled: false
 
   postgresql:
     # -- PostgreSQL configuration options (postgresql.conf)

Original file line number	Diff line number	Diff line change
`@@ -278,6 +278,14 @@`
`278`	`278`	`"type": "array"`
`279`	`279`	`}`
`280`	`280`	`}`
	`281`	`+ },`
	`282`	`+ "tls": {`
	`283`	`+ "type": "object",`
	`284`	`+ "properties": {`
	`285`	`+ "enabled": {`
	`286`	`+ "type": "boolean"`
	`287`	`+ }`
	`288`	`+ }`
`281`	`289`	`}`
`282`	`290`	`}`
`283`	`291`	`},`