Add optional TLS support to /metrics endpoint (#7255)

* Use exporter-toolkit to enable optional TLS encryption on /metrics endpoint Signed-off-by: peppi-lotta <peppi-lotta.saari@est.tech> * Implement startup listener to signal server readiness Signed-off-by: peppi-lotta <peppi-lotta.saari@est.tech> --------- Signed-off-by: peppi-lotta <peppi-lotta.saari@est.tech>
2026-04-05 11:45:33 -04:00 · 2026-03-12 22:49:00 +02:00
parent a8c802e1b3
commit 7ff001dca7
13 changed files with 553 additions and 8 deletions
--- a/plugin/metrics/setup.go
+++ b/plugin/metrics/setup.go
@@ -9,12 +9,10 @@ import (
 	"github.com/coredns/coredns/coremain"
 	"github.com/coredns/coredns/plugin"
 	"github.com/coredns/coredns/plugin/metrics/vars"
-	clog "github.com/coredns/coredns/plugin/pkg/log"
 	"github.com/coredns/coredns/plugin/pkg/uniq"
 )

 var (
-	log      = clog.NewWithPlugin("prometheus")
 	u        = uniq.New()
 	registry = newReg()
 )
@@ -97,6 +95,27 @@ func parse(c *caddy.Controller) (*Metrics, error) {
 		default:
 			return met, c.ArgErr()
 		}
+
+		// Parse TLS block if present
+		for c.NextBlock() {
+			switch c.Val() {
+			case "tls":
+				if met.tlsConfigPath != "" {
+					return nil, c.Err("tls block already specified")
+				}
+
+				// Get cert and key files as positional arguments
+				args := c.RemainingArgs()
+				if len(args) != 1 {
+					return nil, c.ArgErr()
+				}
+				tlsCfgPath := args[0]
+
+				met.tlsConfigPath = tlsCfgPath
+			default:
+				return nil, c.Errf("unknown option: %s", c.Val())
+			}
+		}
 	}
 	return met, nil
 }