Xe Iaso
324c2f4fed
fix(metrics): don't expose pprof by default
pprof[1] is the Go standard library profiling toolkit. It is invaluable
for diagnosing how Go programs perform in the wild. However it also is
able to expose secret data set with command line flags. This is not
ideal and should be mitigated by correctly configured firewall rules. We
don't live in a world where people correctly configure firewall rules,
so we have to fix things for people. Welcome to 2026.
[1]: https://pkg.go.dev/runtime/pprof
Ref: AWOO-001
Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-05-18 20:54:28 -04:00
Xe Iaso
ebf9a30878
fix(metrics): bind to the right network/bindhost (#1606)
Whoops!
Closes: #1605
Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-30 18:18:01 -04:00
Xe Iaso
681c2cc2ed
feat(metrics): basic auth support (#1579)
* feat(internal): add basic auth HTTP middleware
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(config): add HTTP basic auth for metrics
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(metrics): wire up basic auth
Signed-off-by: Xe Iaso <me@xeiaso.net>
* doc: document HTTP basic auth for metrics server
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(admin/policies): give people a python command
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-23 00:17:09 -04:00
Xe Iaso
8f8ae76d56
feat(metrics): enable TLS/mTLS serving support (#1576)
* feat(config): add metrics TLS configuration
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(metrics): add naive TLS serving for metrics
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(metrics): import keypairreloader from a private project
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(metrics): properly surface errors with the metrics server
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(config): add CA certificate config value
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(metrics): enable mTLS support
Signed-off-by: Xe Iaso <me@xeiaso.net>
* doc(default-config): document how to set up TLS and mTLS
Signed-off-by: Xe Iaso <me@xeiaso.net>
* doc: document metrics TLS and mTLS
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-22 19:55:09 -04:00
Xe Iaso
d5ccf9c670
feat: move metrics server config to the policy file (#1572)
* feat(config): add metrics bind config to policy file with flag hack
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(internal): move SetupListener from main
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(main): use internal.SetupListener
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(config): add metrics socket mode
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat: move metrics server to a dedicated package
Signed-off-by: Xe Iaso <me@xeiaso.net>
* doc: add metrics server configuration docs
Signed-off-by: Xe Iaso <me@xeiaso.net>
* doc(default-config): add vague references to metrics server
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-21 15:36:11 -04:00