From 3e4be77bdc8b23600cfb1ec4ff81d139327cb5c3 Mon Sep 17 00:00:00 2001
From: polarctos
Date: Fri, 22 Aug 2025 16:32:59 +0200
Subject: [PATCH] Serve metrics optionally with TLS via HTTPS
---
 internal/cmd/run.go | 1 +
 internal/server/config.go | 1 +
 internal/server/server.go | 13 ++++++++++---
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/internal/cmd/run.go b/internal/cmd/run.go
index 0a70655e..f15ef99c 100644
--- a/internal/cmd/run.go
+++ b/internal/cmd/run.go
@@ -28,6 +28,7 @@ func newRunCommand() *runCommand {
 runCommand.cmd.Flags().IntVar(&globalConfig.HttpPort, "http-port", getEnvInt("HTTP_PORT", server.DefaultHttpPort), "Port to serve HTTP traffic on")
 runCommand.cmd.Flags().IntVar(&globalConfig.HttpsPort, "https-port", getEnvInt("HTTPS_PORT", server.DefaultHttpsPort), "Port to serve HTTPS traffic on")
 runCommand.cmd.Flags().IntVar(&globalConfig.MetricsPort, "metrics-port", getEnvInt("METRICS_PORT", 0), "Publish metrics on the specified port (default zero to disable)")
+ runCommand.cmd.Flags().BoolVar(&globalConfig.MetricsTls, "metrics-tls", getEnvBool("METRICS_TLS", false), "Enable TLS for the metrics port (default false for HTTP)")
 runCommand.cmd.Flags().BoolVar(&globalConfig.HTTP3Enabled, "http3", false, "Enable HTTP/3")
 return runCommand
diff --git a/internal/server/config.go b/internal/server/config.go
index 03148253..2b9d6381 100644
--- a/internal/server/config.go
+++ b/internal/server/config.go
@@ -17,6 +17,7 @@ type Config struct {
 HttpPort int
 HttpsPort int
 MetricsPort int
+ MetricsTls bool
 HTTP3Enabled bool
 AlternateConfigDir string
diff --git a/internal/server/server.go b/internal/server/server.go
index 4b336de3..a4a0b91e 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -196,10 +196,17 @@ func (s *Server) startMetricsServer() error {
 Addr: addr,
 Handler: handler,
 }
+ if s.config.MetricsTls {
+ s.metricsServer.TLSConfig = &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ GetCertificate: s.router.GetCertificate,
+ }
+ go s.metricsServer.ServeTLS(s.metricsListener, "", "")
+ } else {
+ go s.metricsServer.Serve(s.metricsListener)
+ }
- go s.metricsServer.Serve(s.metricsListener)
-
- slog.Info("Metrics enabled", "address", addr)
+ slog.Info("Metrics enabled", "port", s.config.MetricsPort, "TLS", s.config.MetricsTls)
 return nil
 }
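Review bot: In the `MetricsTls` branch the metrics listener takes its certificate from `s.router.GetCertificate`, which is not shown here but presumably selects a certificate by the SNI name of a deployed service; a scraper that connects by IP or by an internal hostname would then fail the handshake even though `Metrics enabled` has already been logged. The return value of `ServeTLS` (and of `Serve` in the else branch) is dropped by the bare `go` statement, so a listener error is equally invisible to the operator. I would document the constraint above the `TLSConfig` assignment, e.g. `// Certificates come from the router: scrapers must use a hostname that a TLS-enabled service is deployed for.`, and log any return from the serve call that is not `http.ErrServerClosed`. The change gives transport encryption only, with no client authentication configured in the visible `tls.Config`, so the port still needs network-level restriction to the scrapers. The `http.Server` literal and the function itself start outside the hunk.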