prometheus: disable web.enable-lifecycle and web.enable-admin-api outside of dev by bobheadxi · Pull Request #46393 · sourcegraph/sourcegraph-public-snapshot

bobheadxi · 2023-01-12T18:53:51Z

Closes https://github.com/sourcegraph/security-issues/issues/329 - we only need the reload API in development, in deployments the Prometheus configuration should never change.

Test plan

In separate tabs:

sg run prometheus
sg run grafana
sg run monitoring-generator

In logs, look for Prometheus reload working:

[monitoring-...r] INFO generate.prometheus monitoring/generator.go:298 Reloaded Prometheus instance {"instance": "http://127.0.0.1:9090"}

Then run directly:

docker run -p 0.0.0.0:9090:9090 sourcegraph/prometheus:dev

Reload API no longer works:

$ sg run monitoring-generator
 generate: Unexpected status code 403 while reloading Prometheus rules

…side of dev

evict

Nice!

prometheus: disable web.enable-lifecycle and web.enable-admin-api out…

150cabe

…side of dev

bobheadxi requested review from a team January 12, 2023 18:53

cla-bot Bot added the cla-signed label Jan 12, 2023

changelog

7edb01d

michaellzc approved these changes Jan 12, 2023

View reviewed changes

bobheadxi merged commit 46187b8 into main Jan 13, 2023

bobheadxi deleted the prometheus-no-admin-api-and-lifecycle branch January 13, 2023 01:44

evict reviewed Jan 14, 2023

View reviewed changes