From 0498d1c6b30606574c9ec8e188059577623fede3 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Tue, 24 Mar 2026 13:48:27 +0000
Subject: [PATCH] fix: gate systemmetrics/systemlogs/systemtracing behind OIDC auth

Prometheus, Loki, and Tempo external endpoints were publicly accessible with no authentication. Add auth_request to all three routes using Hydra's userinfo endpoint (same pattern as admin APIs).
---
 base/ingress/pingora-config.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml
index ef498f8..62e0b0b 100644
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -222,18 +222,34 @@ data:
 host_prefix = "metrics"
 backend = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"
 
+ # Observability APIs — gated behind OIDC auth_request.
 [[routes]]
 host_prefix = "systemmetrics"
 backend = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
 
+ [[routes.paths]]
+ prefix = "/"
+ backend = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
+ auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
 [[routes]]
 host_prefix = "systemlogs"
 backend = "http://loki-gateway.monitoring.svc.cluster.local:80"
 
+ [[routes.paths]]
+ prefix = "/"
+ backend = "http://loki-gateway.monitoring.svc.cluster.local:80"
+ auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
 [[routes]]
 host_prefix = "systemtracing"
 backend = "http://tempo.monitoring.svc.cluster.local:3200"
 
+ [[routes.paths]]
+ prefix = "/"
+ backend = "http://tempo.monitoring.svc.cluster.local:3200"
+ auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
 [[routes]]
 host_prefix = "livekit"
 backend = "http://livekit-server.media.svc.cluster.local:80"
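Review bot: The `auth_request` on each new `[[routes.paths]]` entry (systemmetrics, systemlogs, systemtracing) only establishes that the caller holds a token Hydra's userinfo endpoint accepts; it checks no scope, audience or group, so every authenticated user of the identity provider gains full read access to Prometheus, Loki and Tempo, and because `prefix = "/"` gates all paths uniformly, the same token also reaches any write or admin endpoints those backends have enabled. Each route also keeps its route-level `backend` next to the identical path-level one, and the hunk does not show whether a request that fails or skips path matching falls through to that route-level backend without the auth check — that should be confirmed against the proxy's route semantics, and the leftover key dropped if it is unused. I would replace the added comment with `# Authentication only: auth_request proves the caller has a valid Hydra token but enforces no scope/role; restrict these routes further (e.g. by group) before exposing write paths.` and note in it which of the two `backend` keys wins. The `[[routes]]` array begins before this hunk and continues after it.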