Skip to content

feat(metricprovider): support custom CA cert for Prometheus over TLS#4810

Open
ifnotabhielse wants to merge 1 commit into
argoproj:masterfrom
ifnotabhielse:feat/prometheus-custom-ca-2298
Open

feat(metricprovider): support custom CA cert for Prometheus over TLS#4810
ifnotabhielse wants to merge 1 commit into
argoproj:masterfrom
ifnotabhielse:feat/prometheus-custom-ca-2298

Conversation

@ifnotabhielse

Copy link
Copy Markdown

What

Adds a caCert field to the Prometheus AnalysisTemplate metric provider. When set (inline PEM), the metric provider's HTTP client verifies the Prometheus server certificate against the supplied CA in addition to the system roots.

provider:
  prometheus:
    address: https://prometheus.example.com:9090
    caCert: "{{ args.prometheus-ca }}"   # PEM, typically sourced from a Secret via args
    query: ...

Why

Prometheus endpoints hosted in-cluster commonly use self-signed / internal-CA certs. Today the only option is insecure: true, which disables verification entirely (MITM-exposed). caCert lets users keep verification on while trusting their private CA — matching the maintainer-proposed design in the issue.

Notes

  • Fully backward compatible: empty caCert keeps the existing shared secure/insecure transports — no behavior change. caCert and insecure are independent (insecure: true still takes precedence).
  • Invalid PEM surfaces an error rather than silently skipping verification.
  • Generated artifacts (protobuf, openapi, CRDs, install manifests, docs schema) regenerated via the repo's make codegen targets; docs updated.

Testing

  • New unit tests in metricproviders/prometheus/: default (no TLS config), insecure:true, valid custom CA, and invalid-PEM error path.
  • go build ./..., package tests, go vet, and golangci-lint (v2.11.1, matching CI) all pass.

Fixes #2298

🤖 Generated with Claude Code

@ifnotabhielse ifnotabhielse requested review from a team as code owners June 29, 2026 05:40
var secureTransport *http.Transport = newHTTPTransport(false)
var insecureTransport *http.Transport = newHTTPTransport(true)
var secureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: false})
var insecureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: true})
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Published E2E Test Results

  4 files    4 suites   3h 47m 52s ⏱️
122 tests 110 ✅  7 💤 5 ❌
496 runs  460 ✅ 28 💤 8 ❌

For more details on these failures, see this check.

Results for commit 5c7fa0f.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Published Unit Test Results

2 510 tests   2 510 ✅  3m 21s ⏱️
  130 suites      0 💤
    1 files        0 ❌

Results for commit 5c7fa0f.

♻️ This comment has been updated with latest results.

@ifnotabhielse ifnotabhielse changed the title feat(metricproviders): support custom CA cert for Prometheus over TLS feat(metricprovider): support custom CA cert for Prometheus over TLS Jun 29, 2026
Add a `caCert` field to the Prometheus AnalysisTemplate metric provider so
it can talk to a Prometheus endpoint served with a self-signed or internal-CA
TLS certificate without disabling verification via `insecure: true`.

When `caCert` (inline PEM) is set, the HTTP client verifies the server
certificate against the supplied CA in addition to the system roots. When it
is empty, the existing shared secure/insecure transports are used, so default
behavior is unchanged.

Generated artifacts (protobuf, openapi, CRDs, install manifests, swagger,
UI model, docs schema) regenerated via codegen. Docs updated with the new
field and an example.

Fixes argoproj#2298

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: as229615 <as229615@gmail.com>
@ifnotabhielse ifnotabhielse force-pushed the feat/prometheus-custom-ca-2298 branch from 37337d5 to 5c7fa0f Compare June 29, 2026 07:14
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
D Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

var secureTransport *http.Transport = newHTTPTransport(false)
var insecureTransport *http.Transport = newHTTPTransport(true)
var secureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: false})
var insecureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: true})
var secureTransport *http.Transport = newHTTPTransport(false)
var insecureTransport *http.Transport = newHTTPTransport(true)
var secureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: false})
var insecureTransport *http.Transport = newHTTPTransport(&tls.Config{InsecureSkipVerify: true})
@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 89.47368% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.95%. Comparing base (b38491a) to head (5c7fa0f).

Files with missing lines Patch % Lines
metricproviders/prometheus/prometheus.go 89.47% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4810      +/-   ##
==========================================
- Coverage   85.03%   84.95%   -0.09%     
==========================================
  Files         166      166              
  Lines       19089    19105      +16     
==========================================
- Hits        16232    16230       -2     
- Misses       2007     2016       +9     
- Partials      850      859       +9     
Flag Coverage Δ
e2e 52.73% <10.52%> (-0.16%) ⬇️
unit-tests 81.36% <89.47%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@kostis-codefresh kostis-codefresh left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this a duplicate of #4635 ?

@ifnotabhielse

Copy link
Copy Markdown
Author

@kostis-codefresh good catch — #4635 does predate this and targets the same issue (#2298).

The one difference: #4635 uses caPath (a file path to a PEM file); this uses an inline caCert string (templatable from a Secret via args), matching the original proposal in #2298.

Happy to close this in favor of #4635, or contribute the inline variant there as a follow-up — whichever you all prefer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Prometheus metrics should support self-signed certs.

3 participants