[blockscout-stack] Whitelist for metrics paths to avoid public access…

… in secure environment (#42)
blockscout · Oct 30, 2024 · 96df411 · 96df411
1 parent 1fcdc51
commit 96df411
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 1 deletion.
diff --git a/charts/blockscout-stack/CHANGELOG.md b/charts/blockscout-stack/CHANGELOG.md
@@ -1,5 +1,11 @@
 # ChangeLog
 
+## 1.7.0
+
+### Feature
+
+- Whitelist for metrics paths to avoid public access in secure environment
+
 ## 1.6.11
 
 ### Fix

diff --git a/charts/blockscout-stack/Chart.yaml b/charts/blockscout-stack/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.6.11
+version: 1.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/blockscout-stack/templates/frontend-ingress.yaml b/charts/blockscout-stack/templates/frontend-ingress.yaml
@@ -55,5 +55,53 @@ spec:
               servicePort: {{ $svcPort }}
               {{- end }}
           {{- end }}
+---
+{{- if .Values.config.prometheus.ingressWhitelist.enabled }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-frontend-metrics-ingress
+  labels:
+    {{- include "blockscout-stack.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.config.prometheus.ingressWhitelist.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.frontend.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.frontend.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.frontend.ingress.className }}
+  {{- end }}
+  {{- if .Values.frontend.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.frontend.ingress.hostname | quote }}
+      secretName: {{ .Values.frontend.ingress.tls.secretName | default (printf "%s-frontend-tls" $fullName) }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.frontend.ingress.hostname | quote }}
+      http:
+        paths:
+          - path: /node-api/metrics
+            pathType: Prefix
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-frontend-svc
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}-frontend-svc
+              servicePort: {{ $svcPort }}
+              {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/blockscout-stack/values.yaml b/charts/blockscout-stack/values.yaml
@@ -36,6 +36,11 @@ config:
   ##
   prometheus:
     enabled: true
+  ## Whitelist metrics path on ingress to make metrics non-public
+    ingressWhitelist:
+      enabled: true
+      annotations:
+        nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
 ## Configuration options for backend
 ##
 blockscout: