From 1e1bd90cb7bc4ed0ddf4109e9c03e91e1e917d5e Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 21 May 2026 14:30:48 +0545
Subject: [PATCH] prometheus canary mTLS

---
 .../docs/reference/1-prometheus.mdx           | 62 +++++++++++++++++--
 mission-control-chart                         |  2 +-
 modules/canary-checker                        |  2 +-
 modules/config-db                             |  2 +-
 modules/duty                                  |  2 +-
 modules/mission-control                       |  2 +-
 modules/mission-control-chart                 |  2 +-
 modules/mission-control-registry              |  2 +-
 8 files changed, 63 insertions(+), 13 deletions(-)

diff --git a/canary-checker/docs/reference/1-prometheus.mdx b/canary-checker/docs/reference/1-prometheus.mdx
index c060e589..40be58e1 100644
--- a/canary-checker/docs/reference/1-prometheus.mdx
+++ b/canary-checker/docs/reference/1-prometheus.mdx
@@ -40,10 +40,53 @@ The Prometheus Check connects to the Prometheus host, performs the desired query
       description: 'Bearer token to use for authentication',
       scheme: 'EnvVar'
     },
-    { field: 'oauth', scheme: '[OAuth](#oauth)' }
+    { field: 'oauth', scheme: '[OAuth](#oauth)' },
+    {
+      field: 'tls',
+      description: 'TLS and mutual TLS configuration',
+      scheme: '[TLSConfig](#tls-config)'
+    }
+  ]}
+/>
+
+## TLS Config
+
+Use `tls.ca` to verify Prometheus with a custom CA. Add `tls.cert` and `tls.key` for mutual TLS.
+
+<Fields
+  rows={[
+    {
+      field: 'ca',
+      description:
+        'PEM encoded CA certificate to verify the Prometheus server certificate',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'cert',
+      description: 'PEM encoded client certificate',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'key',
+      description: 'PEM encoded client private key',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'handshakeTimeout',
+      description: 'TLS handshake timeout. Defaults to 10 seconds',
+      scheme: 'Duration'
+    },
+    {
+      field: 'insecureSkipVerify',
+      description:
+        'Skip verification of the server certificate chain and host name',
+      scheme: 'bool'
+    }
   ]}
 />
 
+
+
 ## OAuth
 
 <Fields
@@ -62,21 +105,28 @@ The Prometheus Check connects to the Prometheus host, performs the desired query
 
 ## Result Variables
 
-| Name         | Description             | Scheme                      |
-| ------------ | ----------------------- | --------------------------- |
-| `value`      |                         | _float_                     |
-| `firstValue` | Number of rows returned | _int_                       |
+| Name         | Description             | Scheme                     |
+| ------------ | ----------------------- | -------------------------- |
+| `value`      |                         | _float_                    |
+| `firstValue` | Number of rows returned | _int_                      |
 | `results`    | A list of results       | _[]map[string]interface{}_ |
 
-
 ## Examples
 
 ### Create a check per prometheus job using a transform
 
 ```yaml title="jobs.yaml"  file=<rootDir>/modules/canary-checker/fixtures/prometheus/jobs.yaml
+
 ```
 
 ### Create a check per failing job only
 
 ```yaml title="jobs.yaml"  file=<rootDir>/modules/canary-checker/fixtures/prometheus/jobs-fail-only.yaml
+
 ```
+
+### Prometheus with mutual TLS
+
+```yaml title="prometheus-mtls.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/prometheus_mtls.yaml
+
+```
\ No newline at end of file
diff --git a/mission-control-chart b/mission-control-chart
index a4af8ea3..fb6fe4a4 160000
--- a/mission-control-chart
+++ b/mission-control-chart
@@ -1 +1 @@
-Subproject commit a4af8ea32a5b066f2fa1f899807076067ad93ee0
+Subproject commit fb6fe4a4b98f54fdbf322ff1b0d85fd7469bfec5
diff --git a/modules/canary-checker b/modules/canary-checker
index fa5910c0..cb7214ad 160000
--- a/modules/canary-checker
+++ b/modules/canary-checker
@@ -1 +1 @@
-Subproject commit fa5910c0cf6bc43debcb422a644db9017ac90047
+Subproject commit cb7214ad82fb344bb910458c2d12e6f19dfff562
diff --git a/modules/config-db b/modules/config-db
index 71d2456e..96960c71 160000
--- a/modules/config-db
+++ b/modules/config-db
@@ -1 +1 @@
-Subproject commit 71d2456e82ac5b60a79044c089e46ff115c3c7bb
+Subproject commit 96960c71e57caec1fc618dd2cddb8b5da6ffee27
diff --git a/modules/duty b/modules/duty
index 12f15eed..b4d8a784 160000
--- a/modules/duty
+++ b/modules/duty
@@ -1 +1 @@
-Subproject commit 12f15eed830aa58278c140b1bf52fb3972d57ab3
+Subproject commit b4d8a7845ccd361c7704486d2ccfacf1fe9f20bd
diff --git a/modules/mission-control b/modules/mission-control
index 5d0f4e5f..3b906d69 160000
--- a/modules/mission-control
+++ b/modules/mission-control
@@ -1 +1 @@
-Subproject commit 5d0f4e5f62d3e58396dac712ee9a260a9727df18
+Subproject commit 3b906d69ae3cbc419479208efd4dd3ec3403b856
diff --git a/modules/mission-control-chart b/modules/mission-control-chart
index a4af8ea3..fb6fe4a4 160000
--- a/modules/mission-control-chart
+++ b/modules/mission-control-chart
@@ -1 +1 @@
-Subproject commit a4af8ea32a5b066f2fa1f899807076067ad93ee0
+Subproject commit fb6fe4a4b98f54fdbf322ff1b0d85fd7469bfec5
diff --git a/modules/mission-control-registry b/modules/mission-control-registry
index 7a95cd9f..0e5c5a9f 160000
--- a/modules/mission-control-registry
+++ b/modules/mission-control-registry
@@ -1 +1 @@
-Subproject commit 7a95cd9f3224a0665d13b7d05bfc08123382a9fe
+Subproject commit 0e5c5a9ff21f5160dbc18d3c9653f42c68cf1a90