fix: replace deprecated CNPG enablePodMonitor with TLS-configured PodMonitor #103

Closed
opened 2026-03-17 04:31:26 +00:00 by forgejo_admin · 0 comments

Lineage

todo-cnpg-metrics-exporter (no plan ancestry)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want CNPG postgres metrics scraped reliably by Prometheus
So that database observability is not silently broken by a deprecated auto-generated PodMonitor

Context

The CNPG operator's enablePodMonitor: true auto-generates a PodMonitor that is missing TLS configuration, causing Prometheus to drop the CNPG metrics target on port 9187. The port IS listening and serving metrics, but the scrape target stays down. Additionally, enablePodMonitor is deprecated in CNPG 1.28 and will be removed in a future release. The fix is to set enablePodMonitor = false and create a manual PodMonitor resource with the correct selector labels. The CA cert exists in the woodpecker-db-ca secret in the woodpecker namespace.

File Targets

Files the agent should modify:

  • terraform/main.tf -- change enablePodMonitor = true to false, add new kubernetes_manifest resource for the manual PodMonitor

Files the agent should NOT touch:

  • Any other terraform files -- this is scoped to the CNPG monitoring block only

Acceptance Criteria

  • When I run tofu plan, then the CNPG cluster shows monitoring.enablePodMonitor changing to false
  • When I run tofu plan, then a new PodMonitor resource woodpecker-db is created
  • When I run kubectl get podmonitor -n woodpecker after apply, then woodpecker-db appears
  • When I check Prometheus targets after apply, then the CNPG postgres target shows UP

Test Expectations

  • tofu fmt -check -recursive passes
  • tofu validate passes (requires state, CI-only)
  • Run command: cd terraform && tofu fmt -check -recursive

Constraints

  • Start with plain HTTP PodMonitor (no TLS in podMetricsEndpoints) -- port 9187 serves HTTP by default
  • Add TLS config in a follow-up if needed after verifying the manual PodMonitor works
  • Place the new resource between woodpecker_postgres and woodpecker_postgres_scheduled_backup

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • todo-cnpg-metrics-exporter
  • pal-e-platform -- project this affects
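An added example of the manual PodMonitor the Context and Constraints describe, written as a `kubernetes_manifest` resource for terraform/main.tf. This is illustrative code, not the pal-e-platform repository's own, and it makes three assumptions: the CNPG Cluster is named `woodpecker-db` in namespace `woodpecker` (inferred from the `woodpecker-db-ca` secret name, which is CNPG's default `<cluster>-ca`), the existing Cluster resource is `kubernetes_manifest.woodpecker_postgres`, and the Prometheus Operator selects PodMonitors by a `release` label. The selector and endpoint match what the operator generated for `enablePodMonitor: true`: pods labelled `cnpg.io/cluster=<cluster>` and the container port named `metrics` (9187). The TLS follow-up is sketched in a comment only; the `serverName` there must match a SAN of the cluster's server certificate and should be verified before use.

```hcl
# Added example, not the repository's own code. Assumptions: the CNPG Cluster
# is "woodpecker-db" in namespace "woodpecker", the Cluster is managed by
# kubernetes_manifest.woodpecker_postgres, and the Prometheus Operator's
# podMonitorSelector matches the `release` label set below.
resource "kubernetes_manifest" "woodpecker_postgres_podmonitor" {
  manifest = {
    apiVersion = "monitoring.coreos.com/v1"
    kind       = "PodMonitor"
    metadata = {
      name      = "woodpecker-db"
      namespace = "woodpecker"
      labels = {
        # Must satisfy the Prometheus CR's podMonitorSelector; if it does not,
        # the operator silently ignores this PodMonitor and the target never
        # appears, which looks exactly like the "port listening, target down"
        # symptom described in the issue. Value is an assumption.
        release = "kube-prometheus-stack"
      }
    }
    spec = {
      # Same selector the CNPG operator used for its auto-generated PodMonitor:
      # every instance pod of the cluster carries cnpg.io/cluster=<cluster name>.
      selector = {
        matchLabels = {
          "cnpg.io/cluster" = "woodpecker-db"
        }
      }
      podMetricsEndpoints = [
        {
          # CNPG names the 9187 container port "metrics". Plain HTTP first,
          # per the constraint in the issue.
          port = "metrics"

          # Follow-up once the HTTP target shows UP: enable TLS on the metrics
          # endpoint in the Cluster (spec.monitoring.tls.enabled = true) and
          # add to this endpoint (names are assumptions to verify):
          #   scheme = "https"
          #   tlsConfig = {
          #     ca         = { secret = { name = "woodpecker-db-ca", key = "ca.crt" } }
          #     serverName = "woodpecker-db-rw"
          #   }
        }
      ]
    }
  }

  # Create the PodMonitor only after the Cluster exists (assumes the Cluster
  # resource is kubernetes_manifest.woodpecker_postgres).
  depends_on = [kubernetes_manifest.woodpecker_postgres]
}
```

Two checks before concluding the PodMonitor "does not work": `kubernetes_manifest` needs the PodMonitor CRD present in the cluster at plan time, so `tofu plan` fails rather than silently skipping if the Prometheus Operator is not installed yet; and the Prometheus CR's `podMonitorSelector` and `podMonitorNamespaceSelector` must admit this object (`kubectl get prometheus -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.podMonitorSelector} {.spec.podMonitorNamespaceSelector}{"\n"}{end}'`). With kube-prometheus-stack defaults, only PodMonitors carrying the Helm release label are picked up, which is why the label is set above.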
Reference
forgejo_admin/pal-e-platform#103