fix: gate systemmetrics/systemlogs/systemtracing behind OIDC auth

Prometheus, Loki, and Tempo external endpoints were publicly accessible with no authentication. Add auth_request to all three routes using Hydra's userinfo endpoint (same pattern as admin APIs).
2026-03-24 13:48:27 +00:00
parent 1147b1a5aa
commit 0498d1c6b3
1 changed files with 16 additions and 0 deletions
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -222,18 +222,34 @@ data:
    host_prefix = "metrics"
    backend     = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"

+    # Observability APIs — gated behind OIDC auth_request.
    [[routes]]
    host_prefix = "systemmetrics"
    backend     = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"

+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
    [[routes]]
    host_prefix = "systemlogs"
    backend     = "http://loki-gateway.monitoring.svc.cluster.local:80"

+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://loki-gateway.monitoring.svc.cluster.local:80"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
    [[routes]]
    host_prefix = "systemtracing"
    backend     = "http://tempo.monitoring.svc.cluster.local:3200"

+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://tempo.monitoring.svc.cluster.local:3200"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
    [[routes]]
    host_prefix = "livekit"
    backend     = "http://livekit-server.media.svc.cluster.local:80"