hashicorp · agrahamlincoln · Dec 17, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+helm: adds `ui.metrics.pathAllowlist` field which can be configured to override `ui_config.metrics.path_allowlist` in the server ui config when `ui.metrics.enabled` is set to `true`.
+```
@@ -163,7 +163,8 @@ data:
         {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }}
         "metrics_provider": "{{ .Values.ui.metrics.provider }}",
         "metrics_proxy": {
-          "base_url": "{{ .Values.ui.metrics.baseURL }}"
+          "base_url": "{{ .Values.ui.metrics.baseURL }}",
+          "path_allowlist": {{ .Values.ui.metrics.pathAllowlist | toJson }}
         },
         {{- end }}
         {{- if .Values.ui.dashboardURLTemplates.service }}

@@ -269,6 +269,19 @@ load _helpers
   [ "${actual}" = "http://foo.bar" ]
 }
 
+@test "server/ConfigMap: updates ui config with .ui.metrics.pathAllowlist" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-config-configmap.yaml  \
+      --set 'ui.enabled=true' \
+      --set 'ui.metrics.enabled=true' \
+      --set 'ui.metrics.pathAllowlist[0]=/consul/api/v1/query_range' \
+      --set 'ui.metrics.pathAllowlist[1]=/consul/api/v1/query' \
+      . | tee /dev/stderr |
+      yq -r '.data["ui-config.json"]' | yq -r '.ui_config.metrics_proxy.path_allowlist' | tee /dev/stderr)
+  [ "${actual}" = '["/consul/api/v1/query_range","/consul/api/v1/query"]' ]
+}
+
 #--------------------------------------------------------------------
 # ui.dashboardURLTemplates.service
 
@@ -1256,7 +1269,7 @@ load _helpers
 
   local actual=$(echo $object |  jq -r .audit.sink.MySink1.path | tee /dev/stderr)
   [ "${actual}" = "/tmp/audit.json" ]
-  
+
   local actual=$(echo $object |  jq -r .audit.sink.MySink3.path | tee /dev/stderr)
   [ "${actual}" = "/tmp/audit-3.json" ]
 

@@ -1926,7 +1926,7 @@ dns:
 
     # Refers to an existing Kubernetes secret that contains an ACL token
     # for your Consul cluster. This token provides permissions for the DNS
-    # proxy. This field is required when `global.acls.manageSystemACLs` 
+    # proxy. This field is required when `global.acls.manageSystemACLs`
     # is set to `false` to enable manual ACL management in a Consul cluster.
     # node_prefix "" {
     #   policy = "read"
@@ -2071,6 +2071,15 @@ ui:
     # @type: string
     baseURL: http://prometheus-server
 
+    # pathAllowlist specifies the paths that may be proxied to when appended to
+    # baseURL. This limits exposure of the metrics backend to consul.
+    # Refer to [`path_allowlist`](https://developer.hashicorp.com/consul/docs/connect/observability/ui-visualization#path-allowlist)
+    # This value is only used if `ui.enabled` is set to true.
+    # @type: string
+    pathAllowlist:
+      - /api/v1/query_range
+      - /api/v1/query
+
   # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates)
   # configuration.
   dashboardURLTemplates:
@@ -2220,7 +2229,7 @@ syncCatalog:
   # Set this to false to skip syncing ClusterIP services.
   syncClusterIPServices: true
 
-  # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. 
+  # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul.
   # If false, LoadBalancer endpoints are not synced to Consul.
   syncLoadBalancerEndpoints: false
 
@@ -2475,7 +2484,7 @@ connectInject:
         # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set.
         # @type: string
         path: null
-        
+
       # The resource settings for Pods handling traffic for Gateway API.
       # @recurse: false
       # @type: map