BUG/MEDIUM: prometheus: remove prometheus from user defined mapping

oktalz · oktalz · commit cbe0530a1cd9 · 2025-08-13T15:49:30.000+02:00
prometheus should only be allowed to be read from controller admin port, not on the same frontent as normal traffic
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/haproxytech/kubernetes-ingress
 go 1.24.0
 
 require (
+	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/fasthttp/router v1.5.4
 	github.com/go-openapi/swag v0.23.1
@@ -38,6 +39,7 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-faker/faker/v4 v4.6.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.1 // indirect
@@ -75,14 +77,14 @@ require (
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/term v0.33.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
+github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
@@ -22,8 +24,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
 github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-faker/faker/v4 v4.5.0 h1:ARzAY2XoOL9tOUK+KSecUQzyXQsUaZHefjyF8x6YFHc=
-github.com/go-faker/faker/v4 v4.5.0/go.mod h1:p3oq1GRjG2PZ7yqeFFfQI20Xm61DoBDlCA8RiSyZ48M=
+github.com/go-faker/faker/v4 v4.6.1 h1:xUyVpAjEtB04l6XFY0V/29oR332rOSPWV4lU8RwDt4k=
+github.com/go-faker/faker/v4 v4.6.1/go.mod h1:arSdxNCSt7mOhdk8tEolvHeIJ7eX4OX80wXjKKvkKBY=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -173,34 +175,34 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/pkg/controller/builder.go b/pkg/controller/builder.go
@@ -15,10 +15,15 @@
 package controller
 
 import (
+	"bytes"
+	"encoding/base64"
 	"errors"
+	"log"
 	"os"
 	"strconv"
 
+	"github.com/GehirnInc/crypt"
+	_ "github.com/GehirnInc/crypt/sha256_crypt"
 	"github.com/fasthttp/router"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/valyala/fasthttp"
@@ -209,7 +214,7 @@ func addControllerMetricData(builder *Builder, chShutdown chan struct{}) {
 		runningServices += " pprof"
 	}
 	if builder.osArgs.PrometheusEnabled {
-		rtr.GET(handler.PROMETHEUS_URL_PATH, fasthttpadaptor.NewFastHTTPHandler(promhttp.Handler()))
+		rtr.GET(handler.PROMETHEUS_URL_PATH, prometheusHandler())
 		runningServices += ", prometheus"
 	}
 	rtr.GET("/healtz", requestHandler)
@@ -268,3 +273,62 @@ func requestHandler(ctx *fasthttp.RequestCtx) {
 		ctx.Response.Header.Set("X-HAProxy-Ingress-Controller", "healtz")
 	}
 }
+
+func prometheusHandler() func(ctx *fasthttp.RequestCtx) {
+	prometheusHandler := fasthttpadaptor.NewFastHTTPHandler(promhttp.Handler())
+	return func(ctx *fasthttp.RequestCtx) {
+		authActive := handler.PrometheusAuthActive()
+		if !authActive {
+			prometheusHandler(ctx)
+			return
+		}
+
+		auth := ctx.Request.Header.Peek("Authorization")
+		if auth == nil {
+			ctx.Response.Header.Set("WWW-Authenticate", `Basic realm="Restricted"`)
+			ctx.SetStatusCode(fasthttp.StatusUnauthorized)
+			return
+		}
+
+		const prefix = "Basic "
+		if !bytes.HasPrefix(auth, []byte(prefix)) {
+			ctx.SetStatusCode(fasthttp.StatusUnauthorized)
+			return
+		}
+
+		encoded := auth[len(prefix):]
+		decoded, err := base64.StdEncoding.DecodeString(string(encoded))
+		if err != nil {
+			ctx.SetStatusCode(fasthttp.StatusUnauthorized)
+			return
+		}
+
+		parts := bytes.SplitN(decoded, []byte{':'}, 2)
+		if len(parts) != 2 {
+			ctx.SetStatusCode(fasthttp.StatusUnauthorized)
+			return
+		}
+
+		crypter := crypt.SHA256.New()
+		users := handler.PrometheusAuthUsers()
+		userOK := false
+		for user, passwordData := range users {
+			if user != string(parts[0]) {
+				continue
+			}
+			computed, err := crypter.Generate(parts[1], []byte(passwordData.Salt))
+			if err != nil {
+				log.Printf("Error during comparison: %v", err)
+			}
+			if computed == passwordData.Password {
+				userOK = true
+				break
+			}
+		}
+		if !userOK {
+			ctx.SetStatusCode(fasthttp.StatusUnauthorized)
+			return
+		}
+		prometheusHandler(ctx)
+	}
+}
diff --git a/pkg/handler/prometheus.go b/pkg/handler/prometheus.go
@@ -3,10 +3,10 @@ package handler
 import (
 	"fmt"
 	"strings"
+	"sync"
 
 	"github.com/haproxytech/kubernetes-ingress/pkg/annotations"
 	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy"
-	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/instance"
 	k8ssync "github.com/haproxytech/kubernetes-ingress/pkg/k8s/sync"
 	"github.com/haproxytech/kubernetes-ingress/pkg/store"
 )
@@ -16,29 +16,69 @@ type PrometheusEndpoint struct {
 	PodNs     string
 }
 
+var (
+	prometheusUsers       map[string]prometheusAuthUser
+	prometheusUsersActive bool
+	prometheusMu          sync.RWMutex
+)
+
 //nolint:golint, stylecheck
 const (
 	PROMETHEUS_URL_PATH     = "/metrics"
 	PROMETHEUS_SERVICE_NAME = "prometheus"
 )
 
+type prometheusAuthUser struct {
+	Password string
+	Salt     string
+}
+
+func PrometheusAuthUsers() map[string]prometheusAuthUser {
+	prometheusMu.RLock()
+	defer prometheusMu.RUnlock()
+	users := make(map[string]prometheusAuthUser, len(prometheusUsers))
+	for user, passwordData := range prometheusUsers {
+		users[user] = prometheusAuthUser{
+			Password: passwordData.Password,
+			Salt:     passwordData.Salt,
+		}
+	}
+	return users
+}
+
+func PrometheusAuthActive() bool {
+	prometheusMu.RLock()
+	defer prometheusMu.RUnlock()
+	return prometheusUsersActive
+}
+
 func (handler PrometheusEndpoint) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annotations) (err error) {
 	if handler.PodNs == "" {
-		return
+		return nil
 	}
 
-	prometheusSvcName := "prometheus"
-	prometheusBackendName := fmt.Sprintf("%s_svc_%s_http", handler.PodNs, PROMETHEUS_SERVICE_NAME)
-
-	status := store.EMPTY
 	var secret *store.Secret
-	_, errBackend := h.BackendGet(prometheusBackendName)
-	backendExists := errBackend == nil
 
 	annSecret := annotations.String("prometheus-endpoint-auth-secret", k.ConfigMaps.Main.Annotations)
-	var secretExists, secretChanged, userListChanged bool
-	userListExists, _ := h.UserListExistsByGroup("haproxy-controller-prometheus")
+	prometheusMu.RLock()
+	prometheusUsersActiveLocal := prometheusUsersActive
+	prometheusMu.RUnlock()
+
+	if annSecret != "" && !prometheusUsersActiveLocal {
+		prometheusMu.Lock()
+		prometheusUsersActive = true
+		prometheusMu.Unlock()
+	} else if annSecret == "" && prometheusUsersActiveLocal {
+		prometheusMu.Lock()
+		prometheusUsersActive = false
+		prometheusUsers = nil
+		prometheusMu.Unlock()
+	}
+	if annSecret == "" {
+		return nil
+	}
 
+	var secretExists bool
 	// Does the secret exist in store ? ...
 	if annSecret != "" {
 		secretFQN := strings.Split(annSecret, "/")
@@ -47,87 +87,34 @@ func (handler PrometheusEndpoint) Update(k store.K8s, h haproxy.HAProxy, a annot
 			if ns != nil {
 				secret = ns.Secret[secretFQN[1]]
 				secretExists = secret != nil && secret.Status != store.DELETED
-				secretChanged = secret.Status == store.MODIFIED
 			}
 		}
-		userListChanged = secretChanged || !userListExists
-	} else {
-		userListChanged = userListExists
-	}
-
-	if !backendExists {
-		status = store.ADDED
-	}
-
-	if !userListChanged && status == store.EMPTY && (!secretExists || (secretExists && secret.Status == store.EMPTY)) {
-		return
-	}
-
-	svc := &store.Service{
-		Namespace:   handler.PodNs,
-		Name:        prometheusSvcName,
-		Status:      status,
-		Annotations: k.ConfigMaps.Main.Annotations,
-		Ports: []store.ServicePort{
-			{
-				Name:     "http",
-				Protocol: "http",
-				Port:     8765,
-				Status:   status,
-			},
-		},
-		Faked: true,
-	}
-	endpoints := &store.Endpoints{
-		Namespace: handler.PodNs,
-		Service:   prometheusSvcName,
-		SliceName: prometheusSvcName,
-		Status:    status,
-		Ports: map[string]*store.PortEndpoints{
-			"http": {
-				Port:      int64(h.Env.ControllerPort),
-				Addresses: map[string]struct{}{"127.0.0.1": {}},
-			},
-		},
-	}
-
-	if status != store.EMPTY {
-		k.EventService(k.GetNamespace(svc.Namespace), svc)
-		k.EventEndpoints(k.GetNamespace(endpoints.Namespace), endpoints, func(*store.RuntimeBackend, bool) error { return nil })
-	}
-
-	ing := &store.Ingress{
-		Status: status,
-		Faked:  true,
-		IngressCore: store.IngressCore{
-			Namespace: handler.PodNs,
-			Name:      "prometheus",
-			Rules: map[string]*store.IngressRule{"": {
-				Paths: map[string]*store.IngressPath{
-					PROMETHEUS_URL_PATH: {
-						SvcNamespace:  svc.Namespace,
-						SvcName:       svc.Name,
-						Path:          PROMETHEUS_URL_PATH,
-						SvcPortString: "http",
-						PathTypeMatch: store.PATH_TYPE_IMPLEMENTATION_SPECIFIC,
-					},
-				},
-			}},
-		},
 	}
 
 	if secretExists {
-		ing.Annotations = map[string]string{
-			"auth-type":   "basic-auth",
-			"auth-secret": annSecret,
+		// first see if we need to do something
+		prometheusMu.RLock()
+		// prometheusUsers != nil, not len, there is a diff in logic
+		if secret.Status == store.EMPTY && prometheusUsers != nil {
+			prometheusMu.RUnlock()
+			return nil
 		}
+		prometheusMu.RUnlock()
+
+		// then fill users if needed
+		prometheusMu.Lock()
+		prometheusUsers = make(map[string]prometheusAuthUser)
+		for user, password := range secret.Data {
+			partsPass := strings.Split(string(password), "$")
+			salt := fmt.Sprintf("$%s$%s$", partsPass[1], partsPass[2])
+			prometheusUsers[user] = prometheusAuthUser{
+				Password: string(password),
+				Salt:     salt,
+			}
+			logger.Debugf("Adding prometheus user '%s' from secret '%s'", user, annSecret)
+		}
+		prometheusUsersActive = true
+		prometheusMu.Unlock()
 	}
-
-	if userListChanged || status != store.EMPTY || secretExists && secret.Status != store.EMPTY {
-		k.EventIngress(k.GetNamespace(ing.Namespace), ing, "fakeUID", "fakeResourceVersion")
-	}
-
-	instance.ReloadIf(status != store.EMPTY, "creation/modification of prometheus endpoint")
-
 	return nil
 }
