diff --git a/.gitignore b/.gitignore
index 3b1fd25c17..0796a926e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,7 +20,11 @@ charts/**/charts/*.tgz
 .idea
 *.swp
 *.swo
+.vscode
 *~
 # macOS
 .DS_Store
+
+ # Tooling for local development
+mise.local.toml
diff --git a/README.md b/README.md
index 93b1e0aef2..5a8e50f0f1 100644
--- a/README.md
+++ b/README.md
@@ -3,11 +3,9 @@
 [![Stack Overflow](https://img.shields.io/badge/stackoverflow-cloudnative--pg-blue?logo=stackoverflow&logoColor=%23F48024&link=https%3A%2F%2Fstackoverflow.com%2Fquestions%2Ftagged%2Fcloudnative-pg)][stackoverflow]
 [![GitHub License](https://img.shields.io/github/license/cloudnative-pg/charts)][license]
-
 [![GitHub Release](https://img.shields.io/github/v/release/cloudnative-pg/charts?filter=cloudnative-pg-*)](https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg)
 [![GitHub Release](https://img.shields.io/github/v/release/cloudnative-pg/charts?filter=cluster-*)](https://github.com/cloudnative-pg/charts/tree/main/charts/cluster)
-
 ## Operator chart
 Helm chart to install the
@@ -16,6 +14,7 @@ Helm chart to install the
 running in private, public, or hybrid cloud environments.
 **NOTE**: supports only the latest point release of the CloudNativePG operator.
+
 ```console
 helm repo add cnpg https://cloudnative-pg.github.io/charts
 helm upgrade --install cnpg \
diff --git a/charts/cluster/README.md b/charts/cluster/README.md
index af64bcdaef..b089ccbdb2 100644
--- a/charts/cluster/README.md
+++ b/charts/cluster/README.md
@@ -180,6 +180,7 @@ Kubernetes: `>=1.29.0-0`
 | cluster.monitoring.podMonitor.relabelings | list | `[]` | The list of relabelings for the PodMonitor. Applied to samples before scraping. |
 | cluster.monitoring.prometheusRule.enabled | bool | `true` | Whether to enable the PrometheusRule automated alerts |
 | cluster.monitoring.prometheusRule.excludeRules | list | `[]` | Exclude specified rules |
+| cluster.monitoring.tls.enabled | bool | `false` | Whether to enable tls on the metrics port. |
 | cluster.podSecurityContext | object | `{}` | Configure the Pod Security Context. See: https://cloudnative-pg.io/documentation/preview/security/ |
 | cluster.postgresGID | int | `-1` | The GID of the postgres user inside the image, defaults to 26 |
 | cluster.postgresUID | int | `-1` | The UID of the postgres user inside the image, defaults to 26 |
diff --git a/charts/cluster/templates/cluster.yaml b/charts/cluster/templates/cluster.yaml
index 4a17479773..0aa22c2288 100644
--- a/charts/cluster/templates/cluster.yaml
+++ b/charts/cluster/templates/cluster.yaml
@@ -138,6 +138,8 @@ spec:
 {{- toYaml . | nindent 6 }}
 {{ end }}
 {{- end }}
+ tls:
+ enabled: {{ .Values.cluster.monitoring.tls.enabled }}
 {{ include "cluster.bootstrap" . | nindent 2 }}
 {{ include "cluster.externalClusters" . | nindent 2 }}
 {{ include "cluster.backup" . | nindent 2 }}
diff --git a/charts/cluster/templates/podmonitor-cluster.yaml b/charts/cluster/templates/podmonitor-cluster.yaml
index 6e4c0f8d99..6fe115268b 100644
--- a/charts/cluster/templates/podmonitor-cluster.yaml
+++ b/charts/cluster/templates/podmonitor-cluster.yaml
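Review bot: In the cluster.yaml hunk `spec.monitoring.tls.enabled` is rendered for every Cluster rather than only when the value is true, so the default manifest changes for all users and the field is sent to operators whose CRD may not define it; in that case the API server prunes the unknown field (Helm does not apply with strict field validation by default), which is harmless at `false` but means a user who sets `true` keeps a plain-text metrics endpoint with no error while the PodMonitor switches to https and scraping fails. Consider gating the two new lines with `{{- if .Values.cluster.monitoring.tls.enabled }}` … `{{- end }}` so the rendered Cluster is unchanged by default, and stating in the values documentation the minimum operator version that supports metrics TLS. The enclosing `monitoring:` mapping begins outside the hunk, so the indentation of the new keys cannot be checked here.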
@@ -21,6 +21,15 @@ spec:
 cnpg.io/podRole: instance
 podMetricsEndpoints:
 - port: metrics
+ {{- if .Values.cluster.monitoring.tls.enabled }}
+ scheme: https
+ tlsConfig:
+ ca:
+ secret:
+ name: {{ include "cluster.fullname" . }}-ca
+ key: ca.crt
+ serverName: {{ include "cluster.fullname" . }}-rw
+ {{- end }}
 {{- with .Values.cluster.monitoring.podMonitor.relabelings }}
 relabelings:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/cluster/test/monitoring/01-monitoring_cluster-assert.yaml b/charts/cluster/test/monitoring/01-monitoring_cluster-assert.yaml
index ee4f9ea19a..96335fca46 100644
--- a/charts/cluster/test/monitoring/01-monitoring_cluster-assert.yaml
+++ b/charts/cluster/test/monitoring/01-monitoring_cluster-assert.yaml
@@ -12,6 +12,8 @@ spec:
 size: 256Mi
 storageClass: standard
 monitoring:
+ tls:
+ enabled: true
 disableDefaultQueries: true
 customQueriesConfigMap:
 - name: monitoring-cluster-monitoring
@@ -31,7 +33,15 @@ spec:
 cnpg.io/cluster: monitoring-cluster
 cnpg.io/podRole: instance
 podMetricsEndpoints:
- - relabelings:
+ - port: metrics
+ scheme: https
+ tlsConfig:
+ ca:
+ secret:
+ name: monitoring-cluster-ca
+ key: ca.crt
+ serverName: monitoring-cluster-rw
+ relabelings:
 - targetLabel: environment
 replacement: test
 - targetLabel: team
diff --git a/charts/cluster/test/monitoring/01-monitoring_cluster.yaml b/charts/cluster/test/monitoring/01-monitoring_cluster.yaml
index 9e07374dc9..c453138088 100644
--- a/charts/cluster/test/monitoring/01-monitoring_cluster.yaml
+++ b/charts/cluster/test/monitoring/01-monitoring_cluster.yaml
@@ -8,6 +8,8 @@ cluster:
 monitoring:
 enabled: true
 disableDefaultQueries: true
+ tls:
+ enabled: true
 customQueries:
 - name: "pg_cache_hit_ratio"
 query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;"
diff --git a/charts/cluster/values.schema.json b/charts/cluster/values.schema.json
index 85645a49a7..b44671ec74 100644
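Review bot: The new `tlsConfig` in podmonitor-cluster.yaml hard-codes the trust anchor to the `<fullname>-ca` secret and `serverName` to `<fullname>-rw`, which is only correct while the Cluster uses the operator-managed CA; a cluster rendered with a user-supplied server CA (`spec.certificates.serverCASecret`) would point Prometheus at the wrong or a non-existent secret and every scrape would fail certificate verification. It is good that the block verifies the server certificate instead of setting `insecureSkipVerify`, so keep that and make the secret name and server name overridable, or at least record the assumption in the template: `# Trusts the operator-generated CA secret (<cluster>-ca); adjust if spec.certificates.serverCASecret is customised`. Prometheus Operator also requires the referenced secret to live in the PodMonitor's namespace, which presumably holds because both objects come from the same release, but it is worth a line in the values documentation for users who move the PodMonitor elsewhere. The `spec:` mapping this list item belongs to starts outside the hunk.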
--- a/charts/cluster/values.schema.json
+++ b/charts/cluster/values.schema.json
@@ -278,6 +278,14 @@
 "type": "array"
 }
 }
+ },
+ "tls": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
 }
 }
 },
diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml
index 2c7e8b5c15..6e5ad2c36d 100644
--- a/charts/cluster/values.yaml
+++ b/charts/cluster/values.yaml
@@ -349,6 +349,9 @@ cluster:
 customQueriesSecret: []
 # - name: custom-queries-secret
 # key: custom-queries
+ tls:
+ # -- Whether to enable tls on the metrics port.
+ enabled: false
 postgresql:
 # -- PostgreSQL configuration options (postgresql.conf)
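Review bot: The comment on `cluster.monitoring.tls.enabled` in values.yaml only says the flag enables tls on the metrics port, while the same diff shows it also rewrites the PodMonitor to scrape over https and verify the server certificate against the `<fullname>-ca` secret; that second effect, and the operator-version prerequisite for `spec.monitoring.tls`, belong in the comment because the `# --` marker suggests the chart README table is generated from it. Suggested text: `# -- Whether to enable TLS on the metrics port. When true, the PodMonitor scrapes over https and verifies the server certificate against the cluster's <fullname>-ca secret; requires an operator version whose Cluster CRD defines spec.monitoring.tls.` The values.schema.json hunk on this line needs no change beyond matching whatever key-strictness the rest of the schema uses.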