From 6cd90ede8205137e8e0dbd0847596ec5e9b40493 Mon Sep 17 00:00:00 2001 From: Graham Rounds Date: Tue, 17 Dec 2024 12:13:49 -0700 Subject: [PATCH] add ui.metrics.pathAllowlist to values.yaml this field can be configured to override `ui_config.metrics.path_allowlist` in the server ui configuration when `ui.metrics.enabled` is set to `true` --- .changelog/4445.txt | 3 +++ .../consul/templates/server-config-configmap.yaml | 3 ++- charts/consul/values.yaml | 15 ++++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 .changelog/4445.txt diff --git a/.changelog/4445.txt b/.changelog/4445.txt new file mode 100644 index 0000000000..20aa0a8599 --- /dev/null +++ b/.changelog/4445.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +helm: adds `ui.metrics.pathAllowlist` field which can be configured to override `ui_config.metrics.path_allowlist` in the server ui config when `ui.metrics.enabled` is set to `true`. +``` diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml index 8c74364a29..9027f3cb1b 100644 --- a/charts/consul/templates/server-config-configmap.yaml +++ b/charts/consul/templates/server-config-configmap.yaml @@ -163,7 +163,8 @@ data: {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} "metrics_provider": "{{ .Values.ui.metrics.provider }}", "metrics_proxy": { - "base_url": "{{ .Values.ui.metrics.baseURL }}" + "base_url": "{{ .Values.ui.metrics.baseURL }}", + "path_allowlist": {{ .Values.ui.metrics.pathAllowlist | toJson }} }, {{- end }} {{- if .Values.ui.dashboardURLTemplates.service }} diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 13615e716c..88e98debcf 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
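Review bot: In the `charts/consul/templates/server-config-configmap.yaml` hunk (`@@ -163,7 +163,8 @@`), the added `"path_allowlist": {{ .Values.ui.metrics.pathAllowlist | toJson }}` is emitted whenever the metrics block renders, so an override that nulls or empties the list writes `null` or `[]` into the server config. This list bounds which backend paths the UI metrics proxy will forward, and how Consul treats an explicit empty or null value is not visible on this page; it presumably either falls back to its defaults or stops restricting paths, which should be confirmed before merging. I would emit the key only for a non-empty list, by dropping the trailing comma on `base_url` and wrapping the new line as `{{- if .Values.ui.metrics.pathAllowlist }},` … `{{- end }}`, or else reject a non-list value with `fail`. The enclosing `ui_config` block starts and ends outside the hunk.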
@@ -1926,7 +1926,7 @@ dns: # Refers to an existing Kubernetes secret that contains an ACL token # for your Consul cluster. This token provides permissions for the DNS - # proxy. This field is required when `global.acls.manageSystemACLs` + # proxy. This field is required when `global.acls.manageSystemACLs` # is set to `false` to enable manual ACL management in a Consul cluster. # node_prefix "" { # policy = "read" @@ -2071,6 +2071,15 @@ ui: # @type: string baseURL: http://prometheus-server + # pathAllowlist specifies the paths that may be proxied to when appended to + # baseURL. This limits exposure of the metrics backend to consul. + # Refer to [`path_allowlist`](https://developer.hashicorp.com/consul/docs/connect/observability/ui-visualization#path-allowlist) + # This value is only used if `ui.enabled` is set to true. + # @type: string + pathAllowlist: + - /api/v1/query_range + - /api/v1/query + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) # configuration. dashboardURLTemplates: @@ -2220,7 +2229,7 @@ syncCatalog: # Set this to false to skip syncing ClusterIP services. syncClusterIPServices: true - # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. + # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. # If false, LoadBalancer endpoints are not synced to Consul. syncLoadBalancerEndpoints: false @@ -2475,7 +2484,7 @@ connectInject: # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set. # @type: string path: null - + # The resource settings for Pods handling traffic for Gateway API. # @recurse: false # @type: map
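Review bot: The doc comment added for `pathAllowlist` in the `@@ -2071,6 +2071,15 @@` hunk declares `# @type: string`, but the default is a list of two paths and the template serializes it with `toJson`, so a single string supplied per the annotation would render as a JSON string where an array is expected. I would change it to `# @type: array<string>`. The comment also says the value is only used if `ui.enabled` is true, while the template hunk gates the block on `ui.metrics.enabled` (or `global.metrics.enabled` when that is `-`) and the changelog says the same; `# This value is only used if ui.metrics.enabled is set to true.` would match. Because this list limits what the metrics proxy can reach on the backend, one more comment line advising that entries be kept to the query endpoints the chosen provider needs would help operators who override it.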