feat: optionally serve metrics over TLS

deploy/helm/grafana-operator/README.md

@@ -111,6 +111,7 @@ It's easier to just manage this configuration outside of the operator.
 | metricsService.annotations | object | `{}` | annotations on the metrics service |
 | metricsService.metricsPort | int | `9090` | metrics service port |
 | metricsService.pprofPort | int | `8888` | port for the pprof profiling endpoint |
+| metricsService.secure | bool | `false` | metrics serve https |
 | metricsService.type | string | `"ClusterIP"` | metrics service type |
 | nameOverride | string | `""` | Overrides the name of the chart. |
 | namespaceOverride | string | `""` | Overrides the namespace name. |
@@ -139,6 +140,7 @@ It's easier to just manage this configuration outside of the operator.
 | serviceMonitor.scrapeTimeout | string | `"10s"` | Set timeout for scrape |
 | serviceMonitor.targetLabels | list | `[]` | Set of labels to transfer from the Kubernetes Service onto the target |
 | serviceMonitor.telemetryPath | string | `"/metrics"` | Set path to metrics path |
+| serviceMonitor.tlsConfig | object | `{}` | Set the tlsConfig for the scrape. Only valid if `.metricsService.secure=true` |
 | tolerations | list | `[]` | pod tolerations |
 | watchLabelSelectors | string | `""` | Sets the `WATCH_LABEL_SELECTORS` environment variable, it defines which CRs are watched according to their labels. By default, the operator watches all CRs. To make it watch only a subset of CRs, define the variable as a *stringified label selector*. See also: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ Beware: Always label Grafana CRs before enabling to ensure labels are inherited. # Existing Secrets/ConfigMaps referenced in CRs also need to be labeled to continue working. |
 | watchNamespaceSelector | string | `""` | Sets the `WATCH_NAMESPACE_SELECTOR` environment variable, it defines which namespaces the operator should be listening for based on a namespace label (e.g. `"environment: dev"`). By default, the operator watches all namespaces. To make it watch only its own namespace, check out `namespaceScope` option instead. When combined with "namespaceScope" users must manually create the `RoleBindings` for the matched namespaces. |

deploy/helm/grafana-operator/templates/deployment.yaml

@@ -69,6 +69,7 @@ spec:
           args:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=0.0.0.0:{{ .Values.metricsService.metricsPort }}
+            - --metrics-serve-secure={{ .Values.metricsService.serveSecure }}
             - --pprof-addr=0.0.0.0:{{ .Values.metricsService.pprofPort }}
             - --zap-encoder={{ .Values.logging.encoder }}
             - --zap-log-level={{ .Values.logging.level }}

deploy/helm/grafana-operator/templates/servicemonitor.yaml

@@ -35,6 +35,13 @@ spec:
       relabelings:
       {{- toYaml .Values.serviceMonitor.relabelings | nindent 8 }}
       {{- end }}
+      {{- if .Values.metricsService.secure }}
+      scheme: https
+      {{- if .Values.serviceMonitor.tlsConfig }}
+      tlsConfig:
+      {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
+      {{- end }}
+      {{- end }}
   {{- if .Values.serviceMonitor.targetLabels }}
   targetLabels:
   {{- range .Values.serviceMonitor.targetLabels }}

deploy/helm/grafana-operator/values.yaml

@@ -133,6 +133,8 @@ metricsService:
   type: ClusterIP
   # -- metrics service port
   metricsPort: 9090
+  # -- metrics serve https
+  secure: false
   # -- port for the pprof profiling endpoint
   pprofPort: 8888
   # -- annotations on the metrics service
@@ -218,6 +220,8 @@ serviceMonitor:
   metricRelabelings: []
   # -- Set relabel_configs as per https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
   relabelings: []
+  # -- Set the tlsConfig for the scrape. Only valid if `.metricsService.secure=true`
+  tlsConfig: {}
 
 dashboard:
   # -- Whether to create a ConfigMap containing a dashboard monitoring the operator metrics.

main.go

@@ -87,6 +87,7 @@ var operatorConfig struct {
 	CachingLevel           string `env:"ENFORCE_CACHE_LABELS"     default:"safe" enum:"all,safe,off" help:"Configure cache limits. Valid values are 'off', 'safe' and 'all'"`
 
 	MetricsAddr             string        `name:"metrics-bind-address"      default:":8080"                                 help:"The address the metric endpoint binds to."`
+	MetricsSecure           bool          `name:"metrics-serve-secure"      default:"false"                                 help:"Serve the metrics endpoint over HTTPS."`
 	ProbeAddr               string        `name:"health-probe-bind-address" default:":8081"                                 help:"The address the probe endpoint binds to."`
 	PprofAddr               string        `name:"pprof-addr"                                                                help:"The address to expose the pprof server. Empty string disables the pprof server."`
 	EnableLeaderElection    bool          `name:"leader-elect"              default:"false" env:"ENABLE_LEADER_ELECTION"    help:"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager."`
@@ -221,7 +222,7 @@ func main() { //nolint:gocyclo
 
 	mgrOptions := ctrl.Options{
 		Scheme:                 scheme,
-		Metrics:                metricsserver.Options{BindAddress: operatorConfig.MetricsAddr},
+		Metrics:                metricsserver.Options{BindAddress: operatorConfig.MetricsAddr, SecureServing: operatorConfig.MetricsSecure},
 		WebhookServer:          webhook.NewServer(webhook.Options{Port: 9443}),
 		HealthProbeBindAddress: operatorConfig.ProbeAddr,
 		LeaderElection:         operatorConfig.EnableLeaderElection,