feat: add authentication wrapper for debug endpoints (#3318)

pkg/bootstrap/server.go

@@ -16,12 +16,13 @@ package bootstrap
 
 import (
 	"fmt"
-	"istio.io/istio/pkg/config/mesh/meshwatcher"
-	"istio.io/istio/pkg/kube/krt"
 	"net"
 	"net/http"
 	"time"
 
+	"istio.io/istio/pkg/config/mesh/meshwatcher"
+	"istio.io/istio/pkg/kube/krt"
+
 	prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
@@ -436,10 +437,17 @@ func (s *Server) initHttpServer() error {
 	}
 	s.xdsServer.AddDebugHandlers(s.httpMux, nil, true, nil)
 	s.httpMux.HandleFunc("/ready", s.readyHandler)
-	s.httpMux.HandleFunc("/registry/watcherStatus", s.registryWatcherStatusHandler)
+	s.httpMux.HandleFunc("/registry/watcherStatus", s.withConditionalAuth(s.registryWatcherStatusHandler))
 	return nil
 }
 
+func (s *Server) withConditionalAuth(handler http.HandlerFunc) http.HandlerFunc {
+	if features.DebugAuth {
+		return s.xdsServer.AllowAuthenticatedOrLocalhost(handler)
+	}
+	return handler
+}
+
 // readyHandler checks whether the http server is ready
 func (s *Server) readyHandler(w http.ResponseWriter, _ *http.Request) {
 	for name, fn := range s.readinessProbes {