From 4859100ef282dcf73257dfb60e6b5a20d5955c68 Mon Sep 17 00:00:00 2001
From: Remy
Date: Wed, 18 Sep 2024 06:02:08 +0100
Subject: [PATCH] fix(chart): block admin metrics exposition (#3061)
---
 chart/env/prod.yaml | 1 +
 chart/templates/services/admin/ingress.yaml | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/chart/env/prod.yaml b/chart/env/prod.yaml
index cb64f6fde0..7eb9ac6b83 100644
--- a/chart/env/prod.yaml
+++ b/chart/env/prod.yaml
@@ -296,6 +296,7 @@ admin:
 annotations:
 alb.ingress.kubernetes.io/group.order: "1"
 alb.ingress.kubernetes.io/target-node-labels: role-datasets-server=true
+ alb.ingress.kubernetes.io/actions.metrics-unauthorized: '{"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"401","messageBody":"401 Unauthorized"}}'
 resources:
 requests:
 cpu: 1
diff --git a/chart/templates/services/admin/ingress.yaml b/chart/templates/services/admin/ingress.yaml
index ff187a7895..a6cfe20339 100644
--- a/chart/templates/services/admin/ingress.yaml
+++ b/chart/templates/services/admin/ingress.yaml
@@ -13,12 +13,20 @@ spec:
 http:
 paths:
 - path: /admin
+ pathType: Prefix
 backend:
 service:
 name: "{{ include "name" . }}-admin"
 port:
 name: http
- pathType: Prefix
+ {{- if hasKey $annotations "alb.ingress.kubernetes.io/actions.metrics-unauthorized" }}
+ - path: /admin/metrics
+ pathType: Exact
+ backend:
+ service:
+ name: metrics-unauthorized
+ port:
+ name: use-annotation
+ {{- end -}}
 {{- include "ingress.tls" (merge (dict "annotations" $annotations) $ ) | indent 2}}
 {{- end }}
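Review bot: In chart/env/prod.yaml the added `alb.ingress.kubernetes.io/actions.metrics-unauthorized` annotation has no comment saying that its key is a contract with the ingress template, which tests for this exact key with `hasKey` and routes `/admin/metrics` to a backend named `metrics-unauthorized`. Renaming or dropping the annotation makes that test false, so the 401 rule disappears from the rendered ingress without any error. I would add `# fixed 401 for /admin/metrics; key suffix must equal the backend service name in templates/services/admin/ingress.yaml` above it. Only prod.yaml gains the annotation in this commit, so any other environment file that enables the admin ingress presumably still exposes the endpoint and should be checked.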
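Review bot: In chart/templates/services/admin/ingress.yaml the new deny rule uses `pathType: Exact`, so it covers only the literal path `/admin/metrics`; any other spelling under it, such as one with a trailing slash, still matches the `/admin` Prefix rule and is forwarded to the admin service. Whether the service answers such a request with metrics depends on its router, which is not visible here, so this is worth a test against the deployed load balancer. If the intent is to close everything under that path, `pathType: Prefix` on the `/admin/metrics` rule would do it, provided the ingress controller ranks the longer prefix ahead of `/admin`. The enclosing `{{- if }}` and the definition of `$annotations` are outside the hunk.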