Add a new configuration for the authorization of Prometheus (#159)

* Add a new configuration for the Prometheus auth secret

* Add the doc

Author: Noah Hanjun Lee

cmd/server/config.go

@@ -14,6 +14,7 @@ type (
 		Github
 		Slack
 		Webhook
+		Prometheus
 	}
 
 	Server struct {
@@ -57,6 +58,10 @@ type (
 	Webhook struct {
 		WebhookSecret string `split_words:"true"`
 	}
+
+	Prometheus struct {
+		PrometheusAuthSecret string `split_words:"true"`
+	}
 )
 
 func NewConfigFromEnv() (*Config, error) {

cmd/server/main.go

@@ -91,11 +91,12 @@ func newServerConfig(c *Config) *server.ServerConfig {
 	}
 
 	return &server.ServerConfig{
-		Host:          c.ServerHost,
-		Proto:         c.ServerProto,
-		ProxyHost:     proxyHost,
-		ProxyProto:    proxyProto,
-		WebhookSecret: c.WebhookSecret,
+		Host:                 c.ServerHost,
+		Proto:                c.ServerProto,
+		ProxyHost:            proxyHost,
+		ProxyProto:           proxyProto,
+		WebhookSecret:        c.WebhookSecret,
+		PrometheusAuthSecret: c.PrometheusAuthSecret,
 	}
 }
 

docs/references/GITPLOY_PROMETHEUS_AUTH_SECRET.md

@@ -0,0 +1,7 @@
+# GITPLOY_PROMETHEUS_AUTH_SECRET
+
+Optional string value to authorize the scrape request from the Prometheus. *It authorizes with the `Authorization` header on request.* 
+
+```
+GITPLOY_PROMETHEUS_AUTH_SECRET=92e6c41f002e71bf84e6c6b02e4c1e1b
+```

docs/references/GITPLOY_WEBHOOK_SECRET.md

@@ -3,5 +3,5 @@
 Optional string value to create an http-signature for the webhook. The webhook recipient use this secret to verify request authenticity.
 
 ```
-GITPLOY_WEBHOOK_SECRET=asd212fuas2lfjxye
+GITPLOY_WEBHOOK_SECRET=ae354839ad94078b9ea125eec4874370
 ```

docs/references/configurations.md

@@ -9,6 +9,7 @@ Index of server configuration settings:
 * [GITPLOY_GITHUB_SCOPES](./GITPLOY_GITHUB_SCOPES.md)
 * [GITPLOY_LICENSE](./GITPLOY_LICENSE.md)
 * [GITPLOY_MEMBER_ENTRIES](./GITPLOY_MEMBER_ENTRIES.md)
+* [GITPLOY_PROMETHEUS_AUTH_SECRET](./GITPLOY_PROMETHEUS_AUTH_SECRET.md)
 * [GITPLOY_ORGANIZATION_ENTRIES](./GITPLOY_ORGANIZATION_ENTRIES.md)
 * [GITPLOY_PROXY_SERVER_HOST](./GITPLOY_PROXY_SERVER_HOST.md)
 * [GITPLOY_PROXY_SERVER_PROTO](./GITPLOY_PROXY_SERVER_PROTO.md)

internal/server/metrics/metrics.go

@@ -2,6 +2,8 @@ package metrics
 
 import (
 	"context"
+	"net/http"
+	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -12,11 +14,18 @@ import (
 	"github.com/gitploy-io/gitploy/ent"
 )
 
+const (
+	headerAuth = "Authorization"
+)
+
 type (
-	Metric struct{}
+	Metric struct {
+		prometheusAuthSecret string
+	}
 
 	MetricConfig struct {
 		Interactor
+		PrometheusAuthSecret string
 	}
 
 	collector struct {
@@ -34,10 +43,22 @@ func NewMetric(c *MetricConfig) *Metric {
 		newCollector(c.Interactor),
 	)
 
-	return &Metric{}
+	return &Metric{
+		prometheusAuthSecret: c.PrometheusAuthSecret,
+	}
 }
 
 func (m *Metric) CollectMetrics(c *gin.Context) {
+	if m.prometheusAuthSecret != "" {
+		if value := strings.TrimPrefix(
+			c.GetHeader(headerAuth),
+			"Bearer ",
+		); m.prometheusAuthSecret != value {
+			c.Status(http.StatusUnauthorized)
+			return
+		}
+	}
+
 	h := promhttp.Handler()
 	h.ServeHTTP(c.Writer, c.Request)
 }

internal/server/router.go

@@ -41,7 +41,8 @@ type (
 		ProxyHost  string
 		ProxyProto string
 
-		WebhookSecret string
+		WebhookSecret        string
+		PrometheusAuthSecret string
 	}
 
 	SCMType string
@@ -196,9 +197,10 @@ func NewRouter(c *RouterConfig) *gin.Engine {
 	metricsapi := r.Group("/metrics")
 	{
 		m := metrics.NewMetric(&metrics.MetricConfig{
-			Interactor: c.Interactor,
+			Interactor:           c.Interactor,
+			PrometheusAuthSecret: c.PrometheusAuthSecret,
 		})
-		metricsapi.GET("", mw.OnlyAuthorized(), m.CollectMetrics)
+		metricsapi.GET("", m.CollectMetrics)
 	}
 
 	r.HEAD("/slack", func(gc *gin.Context) {