This example demonstrates how to deploy SQL Exporter with TLS encryption for the metrics endpoint, without basic authentication.
- You want encrypted metrics transport (HTTPS)
- Authentication is handled at the network/infrastructure level (e.g., network policies, service mesh, ingress controller)
- Simplest security configuration
values-example.yaml- Helm values file configuring TLS-onlysecret-tls.yaml- Complete guide for creating TLS secrets (multiple methods)
Create a Kubernetes secret with TLS certificates:
kubectl create secret tls sql-exporter-tls \
--cert=path/to/cert.crt \
--key=path/to/cert.key \
--namespace=your-namespaceFor more options (cert-manager, self-signed, YAML manifest, CA certificates), see secret-tls.yaml.
helm install sql-exporter ../../helm -f values-example.yaml- HTTPS metrics endpoint with TLS 1.3
- Health probes automatically use HTTPS with certificate validation skip
- Static configuration with inline collectors
- Compatible with Prometheus ServiceMonitor (native HTTPS support)
# Check pod status
kubectl get pods -l app.kubernetes.io/name=sql-exporter
# Test metrics endpoint (with TLS)
kubectl port-forward svc/sql-exporter 9399:9399
curl -k https://localhost:9399/metricsEdit values-example.yaml to customize TLS settings:
- Change TLS secret name:
webConfig.tls.secretName - Use different key names in secret:
webConfig.tls.certKeyandwebConfig.tls.keyKey - Change projected filenames:
webConfig.tls.certFileandwebConfig.tls.keyFile - Customize TLS config template: Override
webConfig.templateto specify different:min_version:TLS10,TLS11,TLS12, orTLS13(default)cipher_suites: Custom cipher suite listprefer_server_cipher_suites: Server vs client cipher preference
- Certificates must be in PEM format
- The secret must be in the same namespace as the deployment
- For production, use proper CA-signed certificates or cert-manager
- Kubernetes httpGet probes natively support HTTPS and skip certificate validation