feat(metricprovider): support custom CA cert for Prometheus over TLS#4810
feat(metricprovider): support custom CA cert for Prometheus over TLS#4810ifnotabhielse wants to merge 1 commit into
Conversation
| var secureTransport *http.Transport = newHTTPTransport(false) | ||
| var insecureTransport *http.Transport = newHTTPTransport(true) | ||
| var secureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: false}) | ||
| var insecureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: true}) |
Published E2E Test Results 4 files 4 suites 3h 47m 52s ⏱️ For more details on these failures, see this check. Results for commit 5c7fa0f. ♻️ This comment has been updated with latest results. |
Published Unit Test Results2 510 tests 2 510 ✅ 3m 21s ⏱️ Results for commit 5c7fa0f. ♻️ This comment has been updated with latest results. |
Add a `caCert` field to the Prometheus AnalysisTemplate metric provider so it can talk to a Prometheus endpoint served with a self-signed or internal-CA TLS certificate without disabling verification via `insecure: true`. When `caCert` (inline PEM) is set, the HTTP client verifies the server certificate against the supplied CA in addition to the system roots. When it is empty, the existing shared secure/insecure transports are used, so default behavior is unchanged. Generated artifacts (protobuf, openapi, CRDs, install manifests, swagger, UI model, docs schema) regenerated via codegen. Docs updated with the new field and an example. Fixes argoproj#2298 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: as229615 <as229615@gmail.com>
37337d5 to
5c7fa0f
Compare
|
| var secureTransport *http.Transport = newHTTPTransport(false) | ||
| var insecureTransport *http.Transport = newHTTPTransport(true) | ||
| var secureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: false}) | ||
| var insecureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: true}) |
| var secureTransport *http.Transport = newHTTPTransport(false) | ||
| var insecureTransport *http.Transport = newHTTPTransport(true) | ||
| var secureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: false}) | ||
| var insecureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: true}) |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4810 +/- ##
==========================================
- Coverage 85.03% 84.95% -0.09%
==========================================
Files 166 166
Lines 19089 19105 +16
==========================================
- Hits 16232 16230 -2
- Misses 2007 2016 +9
- Partials 850 859 +9
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
kostis-codefresh
left a comment
There was a problem hiding this comment.
Isn't this a duplicate of #4635 ?
|
@kostis-codefresh good catch — #4635 does predate this and targets the same issue (#2298). The one difference: #4635 uses Happy to close this in favor of #4635, or contribute the inline variant there as a follow-up — whichever you all prefer. |




What
Adds a
caCertfield to the Prometheus AnalysisTemplate metric provider. When set (inline PEM), the metric provider's HTTP client verifies the Prometheus server certificate against the supplied CA in addition to the system roots.Why
Prometheus endpoints hosted in-cluster commonly use self-signed / internal-CA certs. Today the only option is
insecure: true, which disables verification entirely (MITM-exposed).caCertlets users keep verification on while trusting their private CA — matching the maintainer-proposed design in the issue.Notes
caCertkeeps the existing shared secure/insecure transports — no behavior change.caCertandinsecureare independent (insecure: truestill takes precedence).makecodegen targets; docs updated.Testing
metricproviders/prometheus/: default (no TLS config),insecure:true, valid custom CA, and invalid-PEM error path.go build ./..., package tests,go vet, andgolangci-lint(v2.11.1, matching CI) all pass.Fixes #2298
🤖 Generated with Claude Code