feat: add authentication wrapper for debug endpoints (#3318)

2026-03-07 18:10:54 +08:00 · 2026-01-14 09:30:51 +08:00
parent 5e787b3258
commit e7010256fe
2 changed files with 12 additions and 4 deletions
--- a/istio/istio
+++ b/istio/istio
--- a/pkg/bootstrap/server.go
+++ b/pkg/bootstrap/server.go
@@ -16,12 +16,13 @@ package bootstrap

 import (
 	"fmt"
-	"istio.io/istio/pkg/config/mesh/meshwatcher"
-	"istio.io/istio/pkg/kube/krt"
 	"net"
 	"net/http"
 	"time"

+	"istio.io/istio/pkg/config/mesh/meshwatcher"
+	"istio.io/istio/pkg/kube/krt"
+
 	prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
@@ -436,10 +437,17 @@ func (s *Server) initHttpServer() error {
 	}
 	s.xdsServer.AddDebugHandlers(s.httpMux, nil, true, nil)
 	s.httpMux.HandleFunc("/ready", s.readyHandler)
-	s.httpMux.HandleFunc("/registry/watcherStatus", s.registryWatcherStatusHandler)
+	s.httpMux.HandleFunc("/registry/watcherStatus", s.withConditionalAuth(s.registryWatcherStatusHandler))
 	return nil
 }

+func (s *Server) withConditionalAuth(handler http.HandlerFunc) http.HandlerFunc {
+	if features.DebugAuth {
+		return s.xdsServer.AllowAuthenticatedOrLocalhost(handler)
+	}
+	return handler
+}
+
 // readyHandler checks whether the http server is ready
 func (s *Server) readyHandler(w http.ResponseWriter, _ *http.Request) {
 	for name, fn := range s.readinessProbes {