Add PostgreSQL observability telemetry exposure

[DmytroPI-dev]

Description

Adds PostgreSQL observability telemetry for PostgresCluster using Prometheus pod-annotation-based scraping. Metrics are exposed by CNPG's built-in exporters on PostgreSQL pods (port 9187) and PgBouncer pooler pods (port 9127). The operator controls whether annotations are injected via class- and cluster-level configuration, with no dedicated metrics Service or ServiceMonitor required for PostgreSQL or PgBouncer scraping.

A ServiceMonitor is still supported for operator-controller metrics as an optional step.

Key Changes

api/v4/postgresclusterclass_types.go
Added class-level observability configuration (monitoring.postgresqlMetrics.enabled, monitoring.connectionPoolerMetrics.enabled) that controls whether scrape annotations are injected into CNPG pods.

api/v4/postgrescluster_types.go
Added cluster-level disable-only overrides (spec.monitoring.postgresqlMetrics.disabled, spec.monitoring.connectionPoolerMetrics.disabled) allowing per-cluster opt-out without changing the class.

pkg/postgresql/cluster/core/cluster.go
Wired observability flag resolution into PostgresCluster reconciliation. When enabled, sets InheritedMetadata.Annotations on the CNPG Cluster (for PostgreSQL pods) and Template.ObjectMeta.Annotations on CNPG Pooler resources (for PgBouncer pods).

pkg/postgresql/cluster/core/monitoring.go
Added isPostgreSQLMetricsEnabled / isConnectionPoolerMetricsEnabled flag resolution helpers.
Added buildPostgresScrapeAnnotations / buildPoolerScrapeAnnotations annotation builders.
Added removeScrapeAnnotations for the disable path.

pkg/postgresql/cluster/core/monitoring_unit_test.go
Added unit tests for flag resolution, scrape annotation builders, and annotation removal.

internal/controller/postgrescluster_controller_test.go
Added integration tests verifying that InheritedMetadata annotations are set on the CNPG Cluster when monitoring is enabled and removed when disabled by cluster override.

docs/PostgreSQLObservabilityDashboard.json
Reference Grafana dashboard covering PostgreSQL target count, RW/RO PgBouncer availability, WAL activity, database sizes, PgBouncer client load, controller reconcile metrics, and domain fleet metrics.

docs/postgresSQLMonitoring-e2e.md
End-to-end validation guide for the annotation-based scraping flow on KIND.

Testing and Verification

Added unit tests in pkg/postgresql/cluster/core/monitoring_unit_test.go for:

• class/cluster observability enablement logic
• scrape annotation builders for PostgreSQL (port 9187) and PgBouncer (port 9127)
• annotation removal on the disable path

Added integration tests in internal/controller/postgrescluster_controller_test.go verifying:

• InheritedMetadata.Annotations presence when monitoring is enabled
• annotation removal when disabled by cluster-level override

Related Issues

CPI-1853 — related JIRA ticket.

Grafana screenshot:

PR Checklist

• Code changes adhere to the project's coding standards.
• Relevant unit and integration tests are included.
• Documentation has been updated accordingly.
• All tests pass locally.
• The PR description follows the project's guidelines.

[limak9182]

It's another block for our reconciliation metric, maybe it's worth to emit event in case of success? or issue?

[mploski]

also what about extending our status with information if this failed/succeeded i.e add new condition?

[DmytroPI-dev]

Updated with adding new conditions on that.

[github-actions]

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contribution License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment with the exact sentence copied from below.

---

I have read the CLA Document and I hereby sign the CLA

---

1 out of 2 committers have signed the CLA.
✅ @DmytroPI-dev
❌ @limak9182
_{You can retrigger this bot by commenting recheck in this Pull Request}

[mploski]

PostgresObservabilityOverride we should follow the same pattern we have for ConnectionPoolerEnabled
So maybe ConnectionPoolerMetricsEnabled and PostgreSQLMetricsEnabled?

[mploski]

in other provider we might not have pgbouncer ( aws for example) lets call it generic way ( connectionPooler). Also we should probably have CEL logic that doesnt allow connection pooler metrics enabled if connection pooler itself is disabled

[mploski]

Similar to previous comment :-)

[DmytroPI-dev]

Didn't get you correctly 😞 , what previous comment do you mean? This one?

[mploski]

this check shouldnt be a part of this function I believe

[mploski]

should this function be a part of connection pooler not monitoring?

[DmytroPI-dev]

We don't need it at all, as we have poolerEnabled in cluster.go

[mploski]

Out of curiosity why we need to create k8s service to expose those information? Service is effectively a load balancer that use round robin. If we have many postgres instances every call to that endpoint can fetch metrics from different instance, which can be different depending how users are connected. Is my understanding correct?

[DmytroPI-dev]

As per the Prometheus configuration docs , the dedicated Service here is mainly a stable discovery contract for Prometheus Operator, not a client-style load balancer for metrics consumers.

Prometheus’ Kubernetes service discovery docs distinguish between service-level and endpoint-level discovery:

• For service discovery: “The address will be set to the Kubernetes DNS name of the service and respective service port.”
• For endpoints discovery: “The endpoints role discovers targets from listed endpoints of a service. For each endpoint address one target is discovered per port.”
• For endpointslice discovery: “The endpointslice role discovers targets from existing endpointslices. For each endpoint address referenced in the endpointslice object one target is discovered.”

So the intent here is not “scrape one Service and round-robin across instances”. The ServiceMonitor uses the Service as the discovery entry point, and Prometheus then discovers/scrapes the backing endpoints separately. That gives us per-instance targets, which is what we want for PostgreSQL metrics.

That is also why we'd need to create new Services instead using the existing client-facing Services by default: they are built for application traffic, may not expose the metrics port at all, and don’t provide an explicit observability contract.
Does this makes sense?

[mploski]

It does thank you! This reveal different discussion though. We cannot enforce usage of prometheus operator and it seems we are adding this as a dependency by using Service Monitor. The reason is that, the platform will be responsible for scrapping AND SOK aim to use otel collector for this. In that model we discover endpoints to be scrapped by providing appropiate annotiation to the PODs: https://www.dash0.com/guides/opentelemetry-prometheus-receiver#scrapeconfigs. So it seems we could simplify this code, by removing ServiceMonitor/Service but only populate requested annotiations so otel collector can scrape it. Let's discuss it offline :-)

[mploski]

why do we need this, cant we use desired directly?

[DmytroPI-dev]

Using desired directly would mix desired state with server-populated/immutable Service fields like clusterIP ipFamilies, resourceVersion and related defaults, which can cause unnecessary diffs or update failures, so we should use a minimal object instead. For Service specifically, this matters more than for ConfigMap or ServiceMonitor, because Service has immutable/defaulted networking fields we'd not want to stomp.