agent: introduce path allow list for requests going through the metrics proxy #9059

Merged
merged 3 commits into from
Oct 30, 2020


rboyer
Member

@rboyer rboyer commented Oct 28, 2020

Added a new option `ui_config.metrics_proxy.path_allowlist`. This defaults to `["/api/v1/query", "/api/v1/query_range"]` when the metrics provider is set to `prometheus`.

Requests that do not use one of the allow-listed paths (via exact match) get a 403 Forbidden response instead.

checklist

  • Add the field to the Config struct (or an appropriate sub-struct) in
    agent/config/config.go.
  • Add the field to the actual RuntimeConfig struct in
    agent/config/runtime.go.
  • Add an appropriate parser/setter in agent/config/builder.go to
    translate.
  • Add the new field with a random value to both the JSON and HCL blobs in
    TestFullConfig in agent/config/runtime_test.go, it should fail now, then
    add the same random value to the expected struct in that test so it passes
    again.
  • Add the new field and its default value to TestSanitize in the same
    file. (Running the test first gives you a nice diff which can save working
    out where etc.)
  • If your new config field needed some validation as it's only valid in
    some cases or with some values (often true).
    • Add validation to Validate in agent/config/builder.go.
    • Add a test case to the table test TestConfigFlagsAndEdgeCases in
      agent/config/runtime_test.go.
  • If your new config field needs a non-zero-value default.
    • Add that to DefaultSource in agent/config/defaults.go.
    • Add a test case to the table test TestConfigFlagsAndEdgeCases in
      agent/config/runtime_test.go.
  • If your config should take effect on a reload/HUP.
    • Add necessary code to trigger a safe (locked or atomic) update to
      any state the feature needs changing. This needs to be added to one or
      more of the following places:
      • ReloadConfig in agent/agent.go if it needs to affect the local
        client state or another client agent component.
      • ReloadConfig in agent/consul/client.go if it needs to affect
        state for client agent's RPC client.
    • Add a test to agent/agent_test.go similar to others with prefix
      TestAgent_reloadConfig*.
  • Add documentation to website/pages/docs/agent/options.mdx.

@rboyer rboyer added this to the 1.9.0-beta2 milestone Oct 28, 2020
@rboyer rboyer requested review from banks and a team October 28, 2020 19:54
@rboyer rboyer self-assigned this Oct 28, 2020
@github-actions github-actions bot added the theme/config Relating to Consul Agent configuration, including reloading label Oct 28, 2020
Member

@banks banks left a comment


LGTM. Great job on the tests and validation 👍

@hashicorp-ci
Contributor

🍒✅ Cherry pick of commit a66c459 onto release/1.9.x succeeded!

hashicorp-ci pushed a commit that referenced this pull request Oct 30, 2020
…cs proxy (#9059)

Added a new option `ui_config.metrics_proxy.path_allowlist`. This defaults to `["/api/v1/query", "/api/v1/query_range"]` when the metrics provider is set to `prometheus`.

Requests that do not use one of the allow-listed paths (via exact match) get a 403 Forbidden response instead.
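
An added example, not code from this pull request or from Consul: a minimal Go middleware showing the exact-match behaviour described above, where anything other than a listed path gets 403 Forbidden. The names `allowlistPaths` and `statusFor`, the stand-in backend, and the sample request targets are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Default allow list quoted in the PR description for the prometheus provider.
var defaultPrometheusPaths = []string{"/api/v1/query", "/api/v1/query_range"}

// allowlistPaths (hypothetical name) wraps next and answers 403 Forbidden for
// any request whose URL path is not an exact member of allowed.
func allowlistPaths(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, p := range allowed {
		set[p] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Exact match on r.URL.Path: no prefix matching and no path cleaning,
		// so trailing slashes and "../" segments never reach the backend.
		if _, ok := set[r.URL.Path]; !ok {
			http.Error(w, "path not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends GET target through the allow list and returns the status.
func statusFor(target string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the proxied metrics backend
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	allowlistPaths(defaultPrometheusPaths, backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, t := range []string{ // constructed sample request targets
		"/api/v1/query?query=up",
		"/api/v1/query_range?query=up&start=0&end=60&step=15",
		"/api/v1/query/",
		"/api/v1/query/../other",
	} {
		fmt.Printf("%3d  %s\n", statusFor(t), t)
	}
}
```

The query string is not part of `r.URL.Path`, so allow-listed endpoints still accept their normal parameters while every other path is refused before it is forwarded.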