Merge lp://qastaging/~ack/landscape-charm/block-metrics-through-haproxy into lp://qastaging/~landscape/landscape-charm/trunk

Proposed by Alberto Donato
Status: Merged
Approved by: Alberto Donato
Approved revision: 386
Merged at revision: 384
Proposed branch: lp://qastaging/~ack/landscape-charm/block-metrics-through-haproxy
Merge into: lp://qastaging/~landscape/landscape-charm/trunk
Diff against target: 319 lines (+8/-255)
6 files modified
config/vhost.tmpl (+0/-66)
config/vhost.tmpl.legacy (+0/-66)
config/vhostssl.tmpl (+0/-62)
config/vhostssl.tmpl.legacy (+0/-61)
lib/relations/haproxy.py (+2/-0)
lib/relations/tests/test_haproxy.py (+6/-0)
To merge this branch: bzr merge lp://qastaging/~ack/landscape-charm/block-metrics-through-haproxy
Reviewer Review Type Date Requested Status
Francis Ginther (community) Approve
Adam Collard (community) Approve
🤖 Landscape Builder test results Approve
Review via email: mp+320342@code.qastaging.launchpad.net

Commit message

Change the haproxy configuration to prevent access to the /metrics endpoint on the landscape unit.

Description of the change

Change the haproxy configuration to prevent access to the /metrics endpoint on the landscape unit.

Testing instructions:

- CHARM_BRANCH='lp:~ack/landscape-charm/block-metrics-through-haproxy' make stage-landscape-charm
- deploy
- accessing https://<url>/metrics should give a 403 error

Alberto Donato (ack) :
🤖 Landscape Builder (landscape-builder) :
review: Abstain (executing tests)
🤖 Landscape Builder (landscape-builder) wrote :
review: Approve (test results)
Adam Collard (adam-collard) wrote :

LGTM, +1

review: Approve
Francis Ginther (fginther) wrote :

As this endpoint is only exposed on hosted deployments, this is sufficient to block it via the haproxy. So +1 on the change.

If/When we want to expose this for OPL deployments, we should have a way to turn it off for customers not wishing to expose this data unauthenticated. Probably worth a bug unless we already have some other way of tracking this.

review: Approve
Alberto Donato (ack) wrote :

> As this endpoint is only exposed on hosted deployments, this is sufficient to
> block it via the haproxy. So +1 on the change.
>
> If/When we want to expose this for OPL deployments, we should have a way to
> turn it off for customers not wishing to expose this data unauthenticated.
> Probably worth a bug unless we already have some other way of tracking this.

On OPL deployments we would tell the user to deploy prometheus in the model, and expose it.
There's no need to expose metrics through haproxy (and it's actually bad because it would prevent prometheus from scraping endpoints individually, which is a problem for unit metrics).
