feat(monitor): operator Prometheus metrics with mTLS by rene-dekker · Pull Request #4558 · tigera/operator

rene-dekker · 2026-03-16T23:15:31Z

Summary

Add configurable Prometheus metrics endpoint to the operator via METRICS_HOST, METRICS_PORT, and METRICS_SCHEME env vars
mTLS support when METRICS_SCHEME=https: server cert from tigera-operator-tls, client auth trusts tigera-ca-private CA
Monitor controller creates Service, ServiceMonitor, and server TLS cert for automatic Prometheus discovery
Custom Prometheus collector exposes operator_installation_status and operator_tigera_status gauges

Test plan

make build passes
make ut UT_DIR=./pkg/controller/metrics — 10 tests pass
make ut UT_DIR=./pkg/render/monitor — 20 tests pass
make ut UT_DIR=./pkg/controller/monitor — 17 tests pass
Manual: deploy with METRICS_HOST/METRICS_PORT set, verify metrics scraped
Manual: deploy with METRICS_SCHEME=https, verify mTLS handshake with Prometheus

🤖 Generated with Claude Code

Example alerts:

Example metrics:

$ curl --cert client.crt --key client.key --cacert ca.crt https://tigera-operator-metrics.tigera-operator:9484/metrics | grep tigera_operator_tls_certificate
tigera_operator_tls_certificate_expiry_timestamp_seconds Unix timestamp of certificate expiry for operator-managed TLS secrets.
# TYPE tigera_operator_tls_certificate_expiry_timestamp_seconds gauge
tigera_operator_tls_certificate_expiry_timestamp_seconds{issuer="byo-signer",name="calico-apiserver-certs",namespace="calico-system"} 1.774828114e+09
tigera_operator_tls_certificate_expiry_timestamp_seconds{issuer="tigera-operator-signer",name="calico-apiserver-certs",namespace="tigera-operator"} 1.844609326e+09

$ curl --cert client.crt --key client.key --cacert ca.crt https://tigera-operator-metrics.tigera-operator:9484/metrics | grep tigera_operator_component_status
tigera_operator_component_status{component="apiserver",condition="available"} 1
tigera_operator_component_status{component="apiserver",condition="degraded"} 0
tigera_operator_component_status{component="apiserver",condition="progressing"} 0
tigera_operator_component_status{component="calico",condition="available"} 1
tigera_operator_component_status{component="calico",condition="degraded"} 0
tigera_operator_component_status{component="calico",condition="progressing"} 0


$ curl --cert client.crt --key client.key --cacert ca.crt https://tigera-operator-metrics.tigera-operator:9484/metrics | grep tigera_operator_license
tigera_operator_license_expiry_timestamp_seconds{package="Enterprise"} 2.051337599e+09
# HELP tigera_operator_license_valid Whether the Tigera license is valid (including grace period). 1 = valid, 0 = invalid.
tigera_operator_license_valid{package="Enterprise"} 1

Adds new prometheus metrics to the operator for managing TLS expiry, License expiry and TigeraStatus monitoring. When METRICS_SCHEME is set to https, the operator will create its own TLS secret, which you can replace with your own, as is possible for all TLS secrets in the operator namespace.
Breaking: To enable metrics, you now need to set the METRICS_ENABLED environment variable to true.

rene-dekker · 2026-03-17T23:35:13Z

+		rules = append(rules,
+			monitoringv1.Rule{
+				Alert:  "TLSCertExpiringWarning",
+				Expr:   intstr.FromString("tigera_operator_tls_certificate_expiry_timestamp_seconds - time() < 29 * 24 * 3600"),


I picked 29 days, because we automatically renew our own certs 30d before expiry. I wanted to exclude that day to generate fewer alerts.

caseydavenport · 2026-03-27T18:24:56Z


+// metricsEnabled returns true when the operator metrics endpoint is enabled.
+func metricsEnabled() bool {
+	return strings.EqualFold(os.Getenv("METRICS_ENABLED"), "true")


Technically a breaking change, since someone might be using metrics today without this set?

But probably not a big deal - easy fix.

Yes, my rationale was that it is better to be explicit in the enablement, it can be reverted if desired. I would not think that there are that many users of prometheus as there were no metrics other than the out-of-the-box ones before this PR.

caseydavenport · 2026-03-27T18:26:52Z

+// dynamicCertLoader dynamically loads TLS certificates from Kubernetes secrets
+// for the metrics endpoint. The monitor controller creates the server cert, and
+// the client CA is loaded from the Prometheus client TLS secret.
+type dynamicCertLoader struct {


I wonder, do we need all of this complexity?

Couldn't we just use an optional secret file mount, and have kubelet auto-load changes to the mounted paths?

I agree it is a better approach, even though it will cause a restart of the container. Based on my reading the kubelet may take up to a minute to trigger the restart, so for the first little bit after deploying the operator you would not have metrics, but I think for overall simplicity it is better, will do. Thanks.

rene-dekker · 2026-04-01T17:45:10Z

+// dynamicCertLoader dynamically loads TLS certificates from Kubernetes secrets
+// for the metrics endpoint. The monitor controller creates the server cert, and
+// the client CA is loaded from the Prometheus client TLS secret.
+type dynamicCertLoader struct {


I agree it is a better approach, even though it will cause a restart of the container. Based on my reading the kubelet may take up to a minute to trigger the restart, so for the first little bit after deploying the operator you would not have metrics, but I think for overall simplicity it is better, will do. Thanks.

Add operator metrics endpoint with configurable mTLS via METRICS_SCHEME, METRICS_HOST, and METRICS_PORT env vars. The monitor controller creates a server cert, Service, and ServiceMonitor for Prometheus integration. Client auth trusts the tigera-ca-private CA rather than individual leaf certs. Includes a custom Prometheus collector for operator status gauges. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace the implicit metrics-enabled detection (METRICS_HOST/PORT set) with an explicit METRICS_ENABLED=true env var. Default METRICS_HOST to 0.0.0.0 and METRICS_PORT to 8484 when enabled. Log a helpful message when mTLS is enabled but the server certificate is not yet available. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Use port 9484 instead of 8484 to reduce the chance of conflicts on host-networked nodes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Set SecureServing: true so controller-runtime actually serves TLS instead of plain HTTP when METRICS_SCHEME=https. Add egress rule in calicoSystemPrometheusPolicy to allow Prometheus to reach the operator metrics Service. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Gate the tigera-operator-tls keypair creation on METRICS_SCHEME=https rather than METRICS_ENABLED=true. The Service and ServiceMonitor are still created whenever metrics are enabled, but the TLS certificate is only needed when mTLS is active. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add METRICS_CLIENT_AUTH and TLS_MIN_VERSION env vars for configurable mTLS client auth and TLS version (aligned with calico-private) - Extract metrics helpers into cmd/metrics.go - Replace dynamic cert loader with file-based TLS loading via volume mounts - Move MetricsEnabled/MetricsTLSEnabled to pkg/common for shared use - Export certificate annotation constants from certificatemanagement package - Rename OperatorMetricsSecretName to OperatorTLSSecretName - Fix inconsistent method naming (serviceOperatorMetrics) - Simplify conditionLabel to strings.ToLower - Add debug log for unparseable cert expiry annotations - Skip license API calls on OSS clusters (check CRD at startup) - Remove legacy "team: network-operators" label from all ServiceMonitors - Build ./cmd/ package instead of single file Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Move MetricsEnabled/MetricsTLSEnabled to pkg/common/metrics.go - Move ParseTLSVersion and ParseClientAuthType to pkg/tls/tls.go - Fix stale comment on license error path Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove duplicate prometheus/client_golang dependency entry after rebasing on latest master. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

marvin-tigera added this to the v1.42.0 milestone Mar 16, 2026

marvin-tigera added docs-pr-required release-note-required labels Mar 16, 2026

rene-dekker commented Mar 17, 2026

View reviewed changes

rene-dekker force-pushed the EV-6493 branch from 0ab85f9 to 69c317f Compare March 18, 2026 00:01

danudey modified the milestones: v1.42.0, v1.43.0 Mar 20, 2026

rene-dekker force-pushed the EV-6493 branch from 69c317f to 606be04 Compare March 27, 2026 18:19

rene-dekker marked this pull request as ready for review March 27, 2026 18:19

rene-dekker requested a review from a team as a code owner March 27, 2026 18:19