feat: add MTLS.permitMetrics to optionally enable Istio permissive mo…

…de on the metrics port

api/v1beta1/temporalcluster_types.go

@@ -715,6 +715,11 @@ type MTLSSpec struct {
 	// Useless if mTLS provider is not cert-manager.
 	// +optional
 	RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
+	// PermitMetrics allows insecure HTTP requests to the metrics endpoint.
+	// This is handy if the metrics collector does not support mTLS.
+	// Useless if mTLS provider is not istio
+	// +optional
+	PermitMetrics bool `json:"permitMetrics"`
 }
 
 func (m *MTLSSpec) InternodeEnabled() bool {

config/crd/bases/temporal.io_temporalclusters.yaml

@@ -643,6 +643,12 @@ spec:
                           description: Enabled defines if the operator should enable mTLS for network between cluster nodes.
                           type: boolean
                       type: object
+                    permitMetrics:
+                      description: |-
+                        PermitMetrics allows insecure HTTP requests to the metrics endpoint.
+                        This is handy if the metrics collector does not support mTLS.
+                        Useless if mTLS provider is not istio
+                      type: boolean
                     provider:
                       default: cert-manager
                       description: Provider defines the tool used to manage mTLS certificates.

docs/api/v1beta1.md

@@ -2056,6 +2056,20 @@ issued certificate’s duration. Minimum accepted value is 5 minutes.
 Useless if mTLS provider is not cert-manager.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>permitMetrics</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PermitMetrics allows insecure HTTP requests to the metrics endpoint.
+This is handy if the metrics collector does not support mTLS.
+Useless if mTLS provider is not istio</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>
@@ -2388,7 +2402,7 @@ map[string]string
 <td>
 <code>override</code><br>
 <em>
-<a href="https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.ServiceMonitorSpec">
+<a href="https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.ServiceMonitorSpec">
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.ServiceMonitorSpec
 </a>
 </em>
@@ -2403,7 +2417,7 @@ All fields can be overwritten except &ldquo;endpoints&rdquo;, &ldquo;selector&rd
 <td>
 <code>metricRelabelings</code><br>
 <em>
-<a href="https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig">
+<a href="https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.RelabelConfig">
 []github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.RelabelConfig
 </a>
 </em>

docs/features/mtls/istio.md

@@ -16,4 +16,17 @@ spec:
 # [...]
 ```
 
-The Operator creates for each temporal services a `DestinationRule` and a `PeerAuthentication`. They both ensure mutual and strict mTLS.
+The Operator creates for each temporal services a `DestinationRule` and a `PeerAuthentication`. They both ensure mutual and strict mTLS.
+
+# Allowing permissive mTLS for metrics
+
+If your metrics collector isn't using Istio or is otherwise unable to connect using mTLS, you can enable permissive mode for the metrics port.
+
+```yaml
+spec:
+# [...]
+  mTLS:
+    provider: istio
+    permitMetrics: true
+# [...]
+```

internal/resource/mtls/istio/peer_authentication_builder.go

@@ -78,6 +78,14 @@ func (b *PeerAuthenticationBuilder) Update(object client.Object) error {
 		},
 	}
 
+	if b.instance.Spec.Metrics.IsEnabled() && b.instance.Spec.MTLS.PermitMetrics {
+		pa.Spec.PortLevelMtls = map[uint32]*istioapisecurityv1beta1.PeerAuthentication_MutualTLS{
+			uint32(*b.instance.Spec.Metrics.Prometheus.ListenPort): {
+				Mode: istioapisecurityv1beta1.PeerAuthentication_MutualTLS_PERMISSIVE,
+			},
+		}
+	}
+
 	if err := controllerutil.SetControllerReference(b.instance, pa, b.scheme); err != nil {
 		return fmt.Errorf("failed setting controller reference: %w", err)
 	}