diff --git a/.changelog/4445.txt b/.changelog/4445.txt
new file mode 100644
index 0000000000..20aa0a8599
--- /dev/null
+++ b/.changelog/4445.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+helm: adds `ui.metrics.pathAllowlist` field which can be configured to override `ui_config.metrics.path_allowlist` in the server ui config when `ui.metrics.enabled` is set to `true`.
+```
diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml
index 8c74364a29..9027f3cb1b 100644
--- a/charts/consul/templates/server-config-configmap.yaml
+++ b/charts/consul/templates/server-config-configmap.yaml
@@ -163,7 +163,8 @@ data:
 {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }}
 "metrics_provider": "{{ .Values.ui.metrics.provider }}",
 "metrics_proxy": {
- "base_url": "{{ .Values.ui.metrics.baseURL }}"
+ "base_url": "{{ .Values.ui.metrics.baseURL }}",
+ "path_allowlist": {{ .Values.ui.metrics.pathAllowlist | toJson }}
 },
 {{- end }}
 {{- if .Values.ui.dashboardURLTemplates.service }}
diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats
index 45b8f09518..a4e49b5b88 100755
--- a/charts/consul/test/unit/server-config-configmap.bats
+++ b/charts/consul/test/unit/server-config-configmap.bats
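Review bot: In server-config-configmap.yaml the new `"path_allowlist"` line passes whatever `ui.metrics.pathAllowlist` holds through `toJson` with no type check, so a scalar override (for example a single `--set ui.metrics.pathAllowlist=/api/v1/query`) renders a JSON string and an unset value renders `null` rather than a list. Because this list bounds which backend paths the UI metrics proxy will forward, I would fail the render early with something like `{{- if not (kindIs "slice" .Values.ui.metrics.pathAllowlist) }}{{ fail "ui.metrics.pathAllowlist must be a list of paths" }}{{- end }}` ahead of the JSON body; how Consul itself treats a `null` or string value here is not visible from the hunk. The enclosing `ui-config.json` block starts and ends outside the hunk. The changelog entry also names the key `ui_config.metrics.path_allowlist`, while the template writes it under `metrics_proxy`.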
@@ -269,6 +269,19 @@ load _helpers [ "${actual}" = "http://foo.bar" ] } +@test "server/ConfigMap: updates ui config with .ui.metrics.pathAllowlist" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.metrics.enabled=true' \ + --set 'ui.metrics.pathAllowlist[0]=/consul/api/v1/query_range' \ + --set 'ui.metrics.pathAllowlist[1]=/consul/api/v1/query' \ + . | tee /dev/stderr | + yq -r '.data["ui-config.json"]' | yq -r '.ui_config.metrics_proxy.path_allowlist' | tee /dev/stderr) + [ "${actual}" = '["/consul/api/v1/query_range","/consul/api/v1/query"]' ] +} + #-------------------------------------------------------------------- # ui.dashboardURLTemplates.service @@ -1256,7 +1269,7 @@ load _helpers local actual=$(echo $object | jq -r .audit.sink.MySink1.path | tee /dev/stderr) [ "${actual}" = "/tmp/audit.json" ] - + local actual=$(echo $object | jq -r .audit.sink.MySink3.path | tee /dev/stderr) [ "${actual}" = "/tmp/audit-3.json" ] diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 13615e716c..88e98debcf 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -1926,7 +1926,7 @@ dns: # Refers to an existing Kubernetes secret that contains an ACL token # for your Consul cluster. This token provides permissions for the DNS - # proxy. This field is required when `global.acls.manageSystemACLs` + # proxy. This field is required when `global.acls.manageSystemACLs` # is set to `false` to enable manual ACL management in a Consul cluster. # node_prefix "" { # policy = "read" 
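Review bot: The added bats test in server-config-configmap.bats only covers an operator override of `ui.metrics.pathAllowlist`; nothing pins the chart's default list, which is the value most installs will run with and the one that limits what the metrics proxy can reach. A companion test that renders with no `pathAllowlist` override and asserts the two default paths from values.yaml would catch an accidental widening of the default later. The sketch below reuses the same pipeline as the added test, so the output formatting should match.

```shell
@test "server/ConfigMap: ui config uses default .ui.metrics.pathAllowlist" {
  cd `chart_dir`
  local actual=$(helm template \
      -s templates/server-config-configmap.yaml \
      --set 'ui.enabled=true' \
      --set 'ui.metrics.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.data["ui-config.json"]' | yq -r '.ui_config.metrics_proxy.path_allowlist' | tee /dev/stderr)
  [ "${actual}" = '["/api/v1/query_range","/api/v1/query"]' ]
}
```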
@@ -2071,6 +2071,15 @@ ui: # @type: string baseURL: http://prometheus-server + # pathAllowlist specifies the paths that may be proxied to when appended to + # baseURL. This limits exposure of the metrics backend to consul. + # Refer to [`path_allowlist`](https://developer.hashicorp.com/consul/docs/connect/observability/ui-visualization#path-allowlist) + # This value is only used if `ui.enabled` is set to true. + # @type: string + pathAllowlist: + - /api/v1/query_range + - /api/v1/query + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) # configuration. dashboardURLTemplates: @@ -2220,7 +2229,7 @@ syncCatalog: # Set this to false to skip syncing ClusterIP services. syncClusterIPServices: true - # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. + # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. # If false, LoadBalancer endpoints are not synced to Consul. syncLoadBalancerEndpoints: false @@ -2475,7 +2484,7 @@ connectInject: # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set. # @type: string path: null - + # The resource settings for Pods handling traffic for Gateway API. # @recurse: false # @type: map
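Review bot: The doc comment on the new `pathAllowlist` value in values.yaml is inaccurate in two places: it is annotated `# @type: string` although the value is a list, and it says the value is only used if `ui.enabled` is true, while the template hunk in this same commit renders it only inside the `ui.metrics.enabled` / `global.metrics.enabled` condition. I would change these to a list annotation such as `# @type: array<string>` (or whatever list form the chart's doc generator uses elsewhere in this file) and `# This value is only used if the UI metrics proxy is enabled (refer to ui.metrics.enabled).`. Since the field exists to restrict access, a line such as `# Keep this list as narrow as the metrics provider needs; each entry is reachable on the backend through the Consul UI proxy.` would tell operators why not to add broad prefixes. The default entries are also worth quoting (`- "/api/v1/query_range"`) so the values stay strings under any templating.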