watchdog: make metrics rate limit configurable; document env vars

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I01033406c32bd4e31a76e676be97af046a6a6964
2026-04-15 06:44:20 +00:00 · 2026-03-10 10:00:01 +03:00 · 2026-03-10 10:00:01 +03:00 · 9c8f91ef27
commit 9c8f91ef27
parent ac24734e8f
2 changed files with 21 additions and 9 deletions
--- a/cmd/watchdog/root.go
+++ b/cmd/watchdog/root.go
@ -90,9 +90,15 @@ func Run(cfg *config.Config) error {
 		)
 	}

-	// Add rate limiting to metrics endpoint (30 requests per minute)
-	metricsRateLimiter := ratelimit.NewTokenBucket(30, 30, time.Minute)
-	metricsHandler = rateLimitMiddleware(metricsHandler, metricsRateLimiter)
+	// Add rate limiting to metrics endpoint
+	if cfg.Limits.MaxMetricsPerMinute > 0 {
+		metricsRateLimiter := ratelimit.NewTokenBucket(
+			cfg.Limits.MaxMetricsPerMinute,
+			cfg.Limits.MaxMetricsPerMinute,
+			time.Minute,
+		)
+		metricsHandler = rateLimitMiddleware(metricsHandler, metricsRateLimiter)
+	}

 	mux.Handle(cfg.Server.MetricsPath, metricsHandler)

--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -45,11 +45,12 @@ type PathConfig struct {

 // Cardinality limits
 type LimitsConfig struct {
-	MaxPaths           int          `yaml:"max_paths"`
-	MaxEventsPerMinute int          `yaml:"max_events_per_minute"`
-	MaxSources         int          `yaml:"max_sources"`
-	MaxCustomEvents    int          `yaml:"max_custom_events"`
-	DeviceBreakpoints  DeviceBreaks `yaml:"device_breakpoints"`
+	MaxPaths            int          `yaml:"max_paths"`
+	MaxEventsPerMinute  int          `yaml:"max_events_per_minute"`
+	MaxSources          int          `yaml:"max_sources"`
+	MaxCustomEvents     int          `yaml:"max_custom_events"`
+	DeviceBreakpoints   DeviceBreaks `yaml:"device_breakpoints"`
+	MaxMetricsPerMinute int          `yaml:"max_metrics_per_minute"` // rate limit for metrics endpoint
 }

 // Device classification breakpoints
@ -72,10 +73,11 @@ type CORSConfig struct {
 }

 // Authentication for metrics endpoint
+// Password can be set via environment variable: WATCHDOG_SECURITY_METRICS_AUTH_PASSWORD
 type AuthConfig struct {
 	Enabled  bool   `yaml:"enabled"`
 	Username string `yaml:"username"`
-	Password string `yaml:"password"`
+	Password string `yaml:"password"` // can use env var WATCHDOG_SECURITY_METRICS_AUTH_PASSWORD
 }

 // Server endpoints
@ -149,6 +151,10 @@ func (c *Config) Validate() error {
 		c.Limits.MaxCustomEvents = 100 // Default
 	}

+	if c.Limits.MaxMetricsPerMinute <= 0 {
+		c.Limits.MaxMetricsPerMinute = 30 // Default: 30 requests per minute
+	}
+
 	if c.Site.Path.MaxSegments < 0 {
 		return fmt.Errorf("site.path.max_segments cannot be negative")
 	}