fix: add skip_for_metrics option to bypass auth on /metrics endpoint

The /metrics endpoint returns 401 when using rh-identity or k8s auth
modules because only /readiness and /liveness are covered by
skip_for_health_probes. Prometheus and other scrapers hit /metrics
without auth headers, causing noisy logs and failed scrapes.

Add a new skip_for_metrics config option (default: false) to
AuthenticationConfiguration that allows skipping auth on /metrics,
following the same pattern as skip_for_health_probes.

RSPEED-2934

Signed-off-by: Major Hayden <major@redhat.com>

Author: major

src/authentication/k8s.py

@@ -441,6 +441,10 @@ async def __call__(self, request: Request) -> tuple[str, str, bool, str]:
             if configuration.authentication_configuration.skip_for_health_probes:
                 if request.url.path in ("/readiness", "/liveness"):
                     return NO_AUTH_TUPLE
+            # Skip auth for metrics endpoint when configured
+            if configuration.authentication_configuration.skip_for_metrics:
+                if request.url.path in ("/metrics",):
+                    return NO_AUTH_TUPLE
 
         token = extract_user_token(request.headers)
         user_info = get_user_info(token)

src/authentication/rh_identity.py

@@ -307,6 +307,10 @@ async def __call__(self, request: Request) -> AuthTuple:
             if request.url.path.endswith(("/readiness", "/liveness")):
                 if configuration.authentication_configuration.skip_for_health_probes:
                     return NO_AUTH_TUPLE
+            # Skip auth for metrics endpoint when configured
+            if request.url.path.endswith("/metrics"):
+                if configuration.authentication_configuration.skip_for_metrics:
+                    return NO_AUTH_TUPLE
             logger.warning("Missing x-rh-identity header")
             raise HTTPException(status_code=401, detail="Missing x-rh-identity header")
 

src/models/config.py

@@ -1181,6 +1181,11 @@ class AuthenticationConfiguration(ConfigurationBase):
         title="Skip authorization for probes",
         description="Skip authorization for readiness and liveness probes",
     )
+    skip_for_metrics: bool = Field(
+        False,
+        title="Skip authorization for metrics",
+        description="Skip authorization for the /metrics endpoint",
+    )
     k8s_cluster_api: Optional[AnyHttpUrl] = None
     k8s_ca_cert_path: Optional[FilePath] = None
     jwk_config: Optional[JwkConfiguration] = None
@@ -1873,7 +1878,8 @@ class Configuration(ConfigurationBase):
 
     authentication: AuthenticationConfiguration = Field(
         default_factory=lambda: AuthenticationConfiguration(
-            skip_for_health_probes=False
+            skip_for_health_probes=False,
+            skip_for_metrics=False,
         ),
         title="Authentication configuration",
         description="Authentication configuration",

tests/unit/authentication/test_k8s.py

@@ -1,6 +1,6 @@
 """Unit tests for authentication/k8s module."""
 
-# pylint: disable=too-many-arguments,too-many-positional-arguments,too-few-public-methods,protected-access
+# pylint: disable=too-many-arguments,too-many-positional-arguments,too-few-public-methods,protected-access,too-many-lines
 
 import os
 from http import HTTPStatus
@@ -481,6 +481,143 @@ async def test_auth_dependency_no_token_normal_endpoints(
         assert detail["cause"] == "No Authorization header found"
 
 
+@pytest.mark.asyncio
+async def test_auth_dependency_no_token_metrics_endpoint_skip_enabled(
+    mocker: MockerFixture,
+) -> None:
+    """Test the auth dependency without a token for the metrics endpoint.
+
+    When skip_for_metrics is True, the /metrics endpoint should bypass auth.
+    """
+    config_dict = {
+        "name": "test",
+        "service": {
+            "host": "localhost",
+            "port": 8080,
+            "auth_enabled": False,
+            "workers": 1,
+            "color_log": True,
+            "access_log": True,
+        },
+        "llama_stack": {
+            "api_key": "test-key",
+            "url": "http://test.com:1234",
+            "use_as_library_client": False,
+        },
+        "authentication": {
+            "module": "k8s",
+            "skip_for_metrics": True,
+        },
+        "user_data_collection": {
+            "feedback_enabled": False,
+            "feedback_storage": ".",
+            "transcripts_enabled": False,
+            "transcripts_storage": ".",
+        },
+    }
+    cfg = AppConfig()
+    cfg.init_from_dict(config_dict)
+    mocker.patch("authentication.k8s.configuration", cfg)
+
+    dependency = K8SAuthDependency()
+
+    # Mock the Kubernetes API calls
+    mock_authn_api = mocker.patch("authentication.k8s.K8sClientSingleton.get_authn_api")
+    mock_authz_api = mocker.patch("authentication.k8s.K8sClientSingleton.get_authz_api")
+
+    # Setup mock responses for invalid token
+    mock_authn_api.return_value.create_token_review.return_value = MockK8sResponse(
+        authenticated=False
+    )
+    mock_authz_api.return_value.create_subject_access_review.return_value = (
+        MockK8sResponse(allowed=False)
+    )
+
+    request = Request(
+        scope={
+            "type": "http",
+            "headers": [],
+            "path": "/metrics",
+        }
+    )
+
+    user_uid, username, skip_userid_check, token = await dependency(request)
+
+    assert user_uid == "00000000-0000-0000-0000-000"
+    assert username == "lightspeed-user"
+    assert skip_userid_check is True
+    assert token == ""
+
+
+@pytest.mark.asyncio
+async def test_auth_dependency_no_token_metrics_endpoint_skip_disabled(
+    mocker: MockerFixture,
+) -> None:
+    """Test the auth dependency without a token for the metrics endpoint.
+
+    When skip_for_metrics is False, the /metrics endpoint should require auth.
+    """
+    config_dict = {
+        "name": "test",
+        "service": {
+            "host": "localhost",
+            "port": 8080,
+            "auth_enabled": False,
+            "workers": 1,
+            "color_log": True,
+            "access_log": True,
+        },
+        "llama_stack": {
+            "api_key": "test-key",
+            "url": "http://test.com:1234",
+            "use_as_library_client": False,
+        },
+        "authentication": {
+            "module": "k8s",
+            "skip_for_metrics": False,
+        },
+        "user_data_collection": {
+            "feedback_enabled": False,
+            "feedback_storage": ".",
+            "transcripts_enabled": False,
+            "transcripts_storage": ".",
+        },
+    }
+    cfg = AppConfig()
+    cfg.init_from_dict(config_dict)
+    mocker.patch("authentication.k8s.configuration", cfg)
+
+    dependency = K8SAuthDependency()
+
+    # Mock the Kubernetes API calls
+    mock_authn_api = mocker.patch("authentication.k8s.K8sClientSingleton.get_authn_api")
+    mock_authz_api = mocker.patch("authentication.k8s.K8sClientSingleton.get_authz_api")
+
+    # Setup mock responses for invalid token
+    mock_authn_api.return_value.create_token_review.return_value = MockK8sResponse(
+        authenticated=False
+    )
+    mock_authz_api.return_value.create_subject_access_review.return_value = (
+        MockK8sResponse(allowed=False)
+    )
+
+    request = Request(
+        scope={
+            "type": "http",
+            "headers": [],
+            "path": "/metrics",
+        }
+    )
+
+    with pytest.raises(HTTPException) as exc_info:
+        await dependency(request)
+
+    assert exc_info.value.status_code == 401
+    detail = cast(dict[str, str], exc_info.value.detail)
+    assert detail["response"] == ("Missing or invalid credentials provided by client")
+    assert detail["cause"] == "No Authorization header found"
+
+
 @pytest.mark.asyncio
 async def test_cluster_id_is_used_for_kube_admin(mocker: MockerFixture) -> None:
     """Test the cluster id is used as user_id when user is kube:admin."""

tests/unit/authentication/test_rh_identity.py

@@ -565,6 +565,80 @@ async def test_non_probe_paths_require_auth_when_skip_enabled(
         assert exc_info.value.status_code == 401
 
 
+class TestRHIdentityMetricsSkip:
+    """Test suite for metrics endpoint skip functionality in RH Identity auth."""
+
+    @staticmethod
+    def _mock_configuration(mocker: MockerFixture, skip_for_metrics: bool) -> None:
+        """Patch the configuration singleton with a mock for metrics skip tests.
+
+        Parameters:
+            skip_for_metrics (bool): Value to assign to the mocked
+            configuration's authentication_configuration.skip_for_metrics flag.
+        """
+        mock_config = mocker.MagicMock()
+        mock_config.authentication_configuration.skip_for_metrics = skip_for_metrics
+        # Ensure health probe skip is disabled so it doesn't interfere
+        mock_config.authentication_configuration.skip_for_health_probes = False
+        mocker.patch("authentication.rh_identity.configuration", mock_config)
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "path",
+        [
+            "/metrics",
+            "/api/lightspeed/metrics",
+        ],
+    )
+    async def test_metrics_path_skips_auth_when_enabled(
+        self, mocker: MockerFixture, path: str
+    ) -> None:
+        """Test metrics paths bypass auth when skip_for_metrics is True."""
+        self._mock_configuration(mocker, skip_for_metrics=True)
+
+        auth_dep = RHIdentityAuthDependency()
+        request = Request(scope={"type": "http", "headers": [], "path": path})
+
+        result = await auth_dep(request)
+        assert result == NO_AUTH_TUPLE
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "path",
+        [
+            "/metrics",
+            "/api/lightspeed/metrics",
+        ],
+    )
+    async def test_metrics_path_requires_auth_when_disabled(
+        self, mocker: MockerFixture, path: str
+    ) -> None:
+        """Test metrics paths still require auth when skip_for_metrics is False."""
+        self._mock_configuration(mocker, skip_for_metrics=False)
+
+        auth_dep = RHIdentityAuthDependency()
+        request = Request(scope={"type": "http", "headers": [], "path": path})
+
+        with pytest.raises(HTTPException) as exc_info:
+            await auth_dep(request)
+        assert exc_info.value.status_code == 401
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize("path", ["/", "/v1/query"])
+    async def test_non_metrics_paths_require_auth_when_skip_enabled(
+        self, mocker: MockerFixture, path: str
+    ) -> None:
+        """Test non-metrics paths still require auth even when skip_for_metrics is True."""
+        self._mock_configuration(mocker, skip_for_metrics=True)
+
+        auth_dep = RHIdentityAuthDependency()
+        request = Request(scope={"type": "http", "headers": [], "path": path})
+
+        with pytest.raises(HTTPException) as exc_info:
+            await auth_dep(request)
+        assert exc_info.value.status_code == 401
+
+
 class TestRHIdentityHeaderSizeLimit:
     """Test suite for x-rh-identity header size limit enforcement."""
 

tests/unit/models/config/test_authentication_configuration.py

@@ -32,13 +32,15 @@ def test_authentication_configuration() -> None:
         module=AUTH_MOD_NOOP,
         skip_tls_verification=False,
         skip_for_health_probes=False,
+        skip_for_metrics=False,
         k8s_ca_cert_path=None,
         k8s_cluster_api=None,
     )
     assert auth_config is not None
     assert auth_config.module == AUTH_MOD_NOOP
     assert auth_config.skip_tls_verification is False
     assert auth_config.skip_for_health_probes is False
+    assert auth_config.skip_for_metrics is False
     assert auth_config.k8s_ca_cert_path is None
     assert auth_config.k8s_cluster_api is None
     assert auth_config.rh_identity_config is None