Documentation
¶
Overview ¶
Package proxy implements an authenticated PromQL query proxy. The portal's observability views query Prometheus through this proxy so the browser never talks to Prometheus directly: it reuses the platform's auth and persona model, keeps Prometheus on the internal network, and audits every query. The proxy forwards the read-only /api/v1/query and /api/v1/query_range endpoints and returns the upstream response body unchanged.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authorizer ¶
Authorizer authorizes a proxy request from its context (the request token is on the context, placed there by the auth middleware).
type Config ¶
type Config struct {
URL string
Timeout time.Duration
BasicAuthUser string
BasicAuthPass string
RateLimitPerSecond int
}
Config configures the PromQL proxy. At the proxy-package level an empty URL leaves the proxy unconfigured (every endpoint returns 503). In the running server the cmd layer supplies an auto-discovered default when the URL is unset, so an empty config value resolves to the default Prometheus rather than disabling the proxy.
type Decision ¶
type Decision struct {
Authenticated bool // a valid token was presented
Allowed bool // the caller's persona grants observability:read
UserID string
Email string
Persona string
}
Decision is the result of authorizing an inbound proxy request. The platform supplies an Authorizer that authenticates the request token, checks the observability:read capability, and resolves the persona; the proxy package stays free of auth/persona imports.
Source Files