diff --git a/api/v1beta1/temporalcluster_types.go b/api/v1beta1/temporalcluster_types.go
index 555c405b..1b418b65 100644
--- a/api/v1beta1/temporalcluster_types.go
+++ b/api/v1beta1/temporalcluster_types.go
@@ -715,6 +715,11 @@ type MTLSSpec struct {
// Useless if mTLS provider is not cert-manager.
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
+ // PermitMetrics allows insecure HTTP requests to the metrics endpoint.
+ // This is handy if the metrics collector does not support mTLS.
+ // Useless if mTLS provider is not istio
+ // +optional
+ PermitMetrics bool `json:"permitMetrics"`
}
func (m *MTLSSpec) InternodeEnabled() bool {
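Review bot: The new field is tagged `json:"permitMetrics"` without `omitempty`, unlike the neighbouring `+optional` field `renewBefore` on the line above; marshalling the struct will therefore always emit `permitMetrics: false`, and the tag should read `PermitMetrics bool `json:"permitMetrics,omitempty"`` to match the rest of the spec. The doc comment also stops short of the security consequence of the flag: it describes when it is useful but not what it relaxes. I would extend it with `// Enabling this lets plaintext, unauthenticated clients reach the metrics port, so access to that port should be restricted by other means.` and end the last sentence with a period (`// Useless if mTLS provider is not istio.`). Since the CRD schema and the API reference in this commit carry the same text, they need regenerating after the comment changes.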
diff --git a/config/crd/bases/temporal.io_temporalclusters.yaml b/config/crd/bases/temporal.io_temporalclusters.yaml
index f4afcd5a..31932584 100644
--- a/config/crd/bases/temporal.io_temporalclusters.yaml
+++ b/config/crd/bases/temporal.io_temporalclusters.yaml
@@ -643,6 +643,12 @@ spec:
description: Enabled defines if the operator should enable mTLS for network between cluster nodes.
type: boolean
type: object
+ permitMetrics:
+ description: |-
+ PermitMetrics allows insecure HTTP requests to the metrics endpoint.
+ This is handy if the metrics collector does not support mTLS.
+ Useless if mTLS provider is not istio
+ type: boolean
provider:
default: cert-manager
description: Provider defines the tool used to manage mTLS certificates.
diff --git a/docs/api/v1beta1.md b/docs/api/v1beta1.md
index 1a4c6147..4465d7da 100644
--- a/docs/api/v1beta1.md
+++ b/docs/api/v1beta1.md
@@ -2056,6 +2056,20 @@ issued certificate’s duration. Minimum accepted value is 5 minutes.
Useless if mTLS provider is not cert-manager.
+
+
+permitMetrics
+
+bool
+
+ |
+
+(Optional)
+ PermitMetrics allows insecure HTTP requests to the metrics endpoint.
+This is handy if the metrics collector does not support mTLS.
+Useless if mTLS provider is not istio
+ |
+
@@ -2388,7 +2402,7 @@ map[string]string
override
-
+
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.ServiceMonitorSpec
@@ -2403,7 +2417,7 @@ All fields can be overwritten except “endpoints”, “selector&rd
|
metricRelabelings
-
+
[]github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.RelabelConfig
diff --git a/docs/features/mtls/istio.md b/docs/features/mtls/istio.md
index cd58c674..61d9c186 100644
--- a/docs/features/mtls/istio.md
+++ b/docs/features/mtls/istio.md
@@ -16,4 +16,17 @@ spec:
# [...]
```
-The Operator creates for each temporal services a `DestinationRule` and a `PeerAuthentication`. They both ensure mutual and strict mTLS.
\ No newline at end of file
+The Operator creates for each temporal services a `DestinationRule` and a `PeerAuthentication`. They both ensure mutual and strict mTLS.
+
+# Allowing permissive mTLS for metrics
+
+If your metrics collector isn't using Istio or is otherwise unable to connect using mTLS, you can enable permissive mode for the metrics port.
+
+```yaml
+spec:
+# [...]
+ mTLS:
+ provider: istio
+ permitMetrics: true
+# [...]
+```
\ No newline at end of file
diff --git a/internal/resource/mtls/istio/peer_authentication_builder.go b/internal/resource/mtls/istio/peer_authentication_builder.go
index 8777f15a..e711b886 100644
--- a/internal/resource/mtls/istio/peer_authentication_builder.go
+++ b/internal/resource/mtls/istio/peer_authentication_builder.go
@@ -78,6 +78,14 @@ func (b *PeerAuthenticationBuilder) Update(object client.Object) error {
},
}
+ if b.instance.Spec.Metrics.IsEnabled() && b.instance.Spec.MTLS.PermitMetrics {
+ pa.Spec.PortLevelMtls = map[uint32]*istioapisecurityv1beta1.PeerAuthentication_MutualTLS{
+ uint32(*b.instance.Spec.Metrics.Prometheus.ListenPort): {
+ Mode: istioapisecurityv1beta1.PeerAuthentication_MutualTLS_PERMISSIVE,
+ },
+ }
+ }
+
if err := controllerutil.SetControllerReference(b.instance, pa, b.scheme); err != nil {
return fmt.Errorf("failed setting controller reference: %w", err)
}
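Review bot: The new block dereferences `*b.instance.Spec.Metrics.Prometheus.ListenPort` with no nil check on either `Prometheus` or `ListenPort`, so a cluster with metrics enabled, `permitMetrics: true` and an unset Prometheus block would panic the reconciler rather than return an error. Whether `Metrics.IsEnabled()` or defaulting already guarantees both pointers are non-nil is not visible in this hunk, so the guard is worth making explicit, e.g. `if p := b.instance.Spec.Metrics.Prometheus; b.instance.Spec.Metrics.IsEnabled() && b.instance.Spec.MTLS.PermitMetrics && p != nil && p.ListenPort != nil {` with the key becoming `uint32(*p.ListenPort): {`. A one-line comment above the block, such as `// Relax mTLS to PERMISSIVE on the metrics port only, so non-mesh scrapers can reach it.`, would also make the intent of the port-level override clear to the next reader. `Update` begins and ends outside this hunk.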