CVO protects /metrics with authorization

openshift · openshift-merge-bot · Aug 6, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
commit 313f8fb0e9c00fd9ccc980178a328bfe85ad9974
diff --git a/pkg/cvo/metrics.go b/pkg/cvo/metrics.go
@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -128,14 +129,35 @@ type asyncResult struct {
 }
 
 func createHttpServer() *http.Server {
+	auth := authHandler{downstream: promhttp.Handler()}
 	handler := http.NewServeMux()
-	handler.Handle("/metrics", promhttp.Handler())
+	handler.Handle("/metrics", &auth)
 	server := &http.Server{
 		Handler: handler,
 	}
 	return server
 }
 
+type authHandler struct {
+	downstream http.Handler
+}
+
+func (a *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		http.Error(w, "failed to get the Authorization header", http.StatusUnauthorized)
+		return
+	}
+	token := strings.TrimPrefix(authHeader, "Bearer ")
+	if token == authHeader {
+		http.Error(w, "failed to get the Bearer token", http.StatusUnauthorized)
+		return
+	}
+
+	// TODO use the token
+	a.downstream.ServeHTTP(w, r)
+}
+
 func shutdownHttpServer(parentCtx context.Context, svr *http.Server) {
 	ctx, cancel := context.WithTimeout(parentCtx, 5*time.Second)
 	defer cancel()