
Can't reasonably load Querier UI with prom-label-proxy #68

Open
bill3tt opened this issue Jun 7, 2021 · 3 comments
Comments

@bill3tt

bill3tt commented Jun 7, 2021

Since #48 was merged, users are required to explicitly state an allowlist of endpoints (unsafe-passthrough-paths) that any tenant can retrieve without interference from prom-label-proxy.

This means that any UI components, which often have complex URIs, require explicit whitelisting to work.

Configuring prom-label-proxy to serve the Thanos Querier UI required the following docker command:

docker run --net=host --rm \
    --name prom-label-proxy \
    quay.io/prometheuscommunity/prom-label-proxy:v0.3.0 \
    -label tenant \
    -upstream http://127.0.0.1:29090 \
    -insecure-listen-address 0.0.0.0:39090 \
    -enable-label-apis \
    -unsafe-passthrough-paths=/api/v1/stores,/api/v1/status/flags,/graph,/status,/api/v1/status/buildinfo,/api/v1/status/runtimeinfo,/flags,/static/css/2.a92efa4c.chunk.css,/static/css/main.e1aaea6d.chunk.css,/static/js/2.2de83b5e.chunk.js,/static/js/main.a767bdbf.chunk.js,/manifest.json

It worked 🤷‍♂️ but the UX was terrible. Each downstream UI component version will require a carefully constructed set of unsafe-passthrough-paths.

Personally, I have no requirements other than attempting to fix the tutorial (thanos-io/thanos#4309). However, this is a reasonable enough use-case for others to require.

Safe-defaults were mentioned in #48 (comment), but they do not appear to have been implemented.

@simonpasquier
Contributor

I would assume that /static/* endpoints are "safe" but the rest is more problematic IMHO. IIRC we decided on exact paths to avoid users shooting themselves in the foot but maybe it's fine to allow things like --unsafe-passthrough-paths=/static/*?
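The opening post and the comment above describe two allowlist shapes: exact paths (the current behaviour, chosen so that a mistake does not silently open up an endpoint) and a possible opt-in prefix form such as /static/*. The Go program below is an added example written for this page; it is not prom-label-proxy's own code and does not reproduce its PromQL rewriting. It assumes: a hypothetical passthroughMatcher that accepts exact paths plus a trailing /* wildcard and rejects a bare /* or a mid-path *, a hypothetical enforcer whose label-injection step is simplified to appending a match[] selector, an assumed labelAPIs subset of endpoints a label proxy knows how to rewrite, and path.Clean applied to the request path before any matching so that /static/../api/v1/targets cannot ride a /static/* entry. The sample paths come from the docker command in the opening post; the tenant value "team-a" is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// passthroughMatcher implements the allowlist semantics discussed in the thread:
// exact paths by default, plus an opt-in trailing "/*" prefix form.
// Illustrative design for this page, not prom-label-proxy's own code.
type passthroughMatcher struct {
	exact    map[string]struct{}
	prefixes []string // stored without the trailing "/*", e.g. "/static"
}

// newPassthroughMatcher parses a comma-separated -unsafe-passthrough-paths style value.
func newPassthroughMatcher(spec string) (*passthroughMatcher, error) {
	m := &passthroughMatcher{exact: map[string]struct{}{}}
	for _, raw := range strings.Split(spec, ",") {
		p := strings.TrimSpace(raw)
		if p == "" {
			continue
		}
		if !strings.HasPrefix(p, "/") {
			return nil, fmt.Errorf("passthrough path %q must start with /", p)
		}
		if strings.HasSuffix(p, "/*") {
			prefix := path.Clean(strings.TrimSuffix(p, "*")) // "/static/*" -> "/static"
			if prefix == "/" {
				return nil, fmt.Errorf("%q would bypass label enforcement for every path", p)
			}
			if strings.Contains(prefix, "*") {
				return nil, fmt.Errorf("%q: only a single trailing /* wildcard is supported", p)
			}
			m.prefixes = append(m.prefixes, prefix)
			continue
		}
		if strings.Contains(p, "*") {
			return nil, fmt.Errorf("%q: only a trailing /* wildcard is supported", p)
		}
		m.exact[path.Clean(p)] = struct{}{}
	}
	return m, nil
}

// matches reports whether a request path bypasses label enforcement. The path is
// cleaned first so that ".." segments cannot smuggle an API path under an allowed prefix.
func (m *passthroughMatcher) matches(reqPath string) bool {
	p := path.Clean("/" + reqPath)
	if _, ok := m.exact[p]; ok {
		return true
	}
	for _, pre := range m.prefixes {
		if p == pre || strings.HasPrefix(p, pre+"/") {
			return true
		}
	}
	return false
}

// labelAPIs is an assumed subset of endpoints a label proxy knows how to rewrite.
var labelAPIs = map[string]struct{}{
	"/api/v1/query": {}, "/api/v1/query_range": {}, "/api/v1/series": {}, "/api/v1/labels": {},
}

// enforcer is a simplified stand-in for the proxy's request handling (assumed, not the
// project's logic): passthrough paths go upstream untouched, label-aware API paths get the
// tenant selector appended as match[], and every other path is refused, not forwarded.
type enforcer struct {
	label, value string
	pass         *passthroughMatcher
	upstream     http.Handler
}

// decide classifies a request path as "passthrough", "inject" or "deny".
func (e *enforcer) decide(reqPath string) string {
	p := path.Clean("/" + reqPath)
	if e.pass.matches(p) {
		return "passthrough"
	}
	if _, ok := labelAPIs[p]; ok {
		return "inject"
	}
	return "deny"
}

func (e *enforcer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch e.decide(r.URL.Path) {
	case "passthrough":
		e.upstream.ServeHTTP(w, r)
	case "inject":
		q := r.URL.Query()
		q.Add("match[]", fmt.Sprintf("{%s=%q}", e.label, e.value)) // {tenant="team-a"}
		r2 := r.Clone(r.Context())                                 // Clone deep-copies r.URL
		r2.URL.RawQuery = q.Encode()
		e.upstream.ServeHTTP(w, r2)
	default:
		http.Error(w, "not proxied: allowlist this path only if it exposes no tenant data", http.StatusForbidden)
	}
}

func main() {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "upstream got %s?%s\n", r.URL.Path, r.URL.RawQuery)
	})
	m, err := newPassthroughMatcher("/graph,/api/v1/status/buildinfo,/static/*")
	if err != nil {
		panic(err)
	}
	e := &enforcer{label: "tenant", value: "team-a", pass: m, upstream: upstream}
	for _, p := range []string{
		"/static/js/main.a767bdbf.chunk.js", // prefix passthrough
		"/api/v1/series",                    // label-aware API, selector injected
		"/api/v1/targets",                   // legacy page, refused
		"/static/../api/v1/targets",         // traversal, cleaned then refused
	} {
		rec := httptest.NewRecorder()
		e.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		fmt.Printf("%-36s -> %d %s", p, rec.Code, rec.Body.String())
	}
}
```

Two points the thread raises show up directly: an exact entry such as /graph does not cover /graph/anything, which is why a per-version list of hashed chunk file names was needed, and a prefix entry is only as safe as everything the upstream serves under that prefix, so the matcher refuses a bare /* outright. Cleaning the path before matching matters because a reverse proxy does not necessarily normalize it the way http.ServeMux does, and an unnormalized /static/../api/v1/targets would otherwise reach exactly the legacy endpoints the later comments call out as sensitive.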

@yeya24
Contributor

yeya24 commented Sep 16, 2021

Can we pass through all paths (other than the API endpoints specified explicitly) by default?

@simonpasquier
Contributor

It was discussed in #48 (comment) but dismissed as being insecure (at least as long as the legacy UI exists, since the targets and configuration pages may expose sensitive information).
