add ui.metrics.pathAllowlist to values.yaml

this field can be configured to override `ui_config.metrics.path_allowlist` in the server ui configuration when `ui.metrics.enabled` is set to `true`
hashicorp · Dec 17, 2024 · 6cd90ed · 6cd90ed
1 parent 19ab7e0
commit 6cd90ed
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/.changelog/4445.txt b/.changelog/4445.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+helm: adds `ui.metrics.pathAllowlist` field which can be configured to override `ui_config.metrics.path_allowlist` in the server ui config when `ui.metrics.enabled` is set to `true`.
+```
diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml
@@ -163,7 +163,8 @@ data:
         {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }}
         "metrics_provider": "{{ .Values.ui.metrics.provider }}",
         "metrics_proxy": {
-          "base_url": "{{ .Values.ui.metrics.baseURL }}"
+          "base_url": "{{ .Values.ui.metrics.baseURL }}",
+          "path_allowlist": {{ .Values.ui.metrics.pathAllowlist | toJson }}
         },
         {{- end }}
         {{- if .Values.ui.dashboardURLTemplates.service }}

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -1926,7 +1926,7 @@ dns:
 
     # Refers to an existing Kubernetes secret that contains an ACL token
     # for your Consul cluster. This token provides permissions for the DNS
-    # proxy. This field is required when `global.acls.manageSystemACLs` 
+    # proxy. This field is required when `global.acls.manageSystemACLs`
     # is set to `false` to enable manual ACL management in a Consul cluster.
     # node_prefix "" {
     #   policy = "read"
@@ -2071,6 +2071,15 @@ ui:
     # @type: string
     baseURL: http://prometheus-server
 
+    # pathAllowlist specifies the paths that may be proxied to when appended to
+    # baseURL. This limits exposure of the metrics backend to consul.
+    # Refer to [`path_allowlist`](https://developer.hashicorp.com/consul/docs/connect/observability/ui-visualization#path-allowlist)
+    # This value is only used if `ui.enabled` is set to true.
+    # @type: string
+    pathAllowlist:
+      - /api/v1/query_range
+      - /api/v1/query
+
   # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates)
   # configuration.
   dashboardURLTemplates:
@@ -2220,7 +2229,7 @@ syncCatalog:
   # Set this to false to skip syncing ClusterIP services.
   syncClusterIPServices: true
 
-  # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. 
+  # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul.
   # If false, LoadBalancer endpoints are not synced to Consul.
   syncLoadBalancerEndpoints: false
 
@@ -2475,7 +2484,7 @@ connectInject:
         # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set.
         # @type: string
         path: null
-        
+
       # The resource settings for Pods handling traffic for Gateway API.
       # @recurse: false
       # @type: map