From 1aae28dd001fb68fd5173de39023de5845b6ac97 Mon Sep 17 00:00:00 2001
From: Gladkov Alexey <agladkov@redhat.com>
Date: Tue, 25 Apr 2017 15:42:27 +0200
Subject: [PATCH] Force to specify not empty secret for metrics endpoint

Signed-off-by: Gladkov Alexey <agladkov@redhat.com>
---
 images/dockerregistry/config.yml         | 5 ++++-
 pkg/cmd/dockerregistry/dockerregistry.go | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/images/dockerregistry/config.yml b/images/dockerregistry/config.yml
index 289ce46c0c65..0a9083a9a2ee 100644
--- a/images/dockerregistry/config.yml
+++ b/images/dockerregistry/config.yml
@@ -39,4 +39,7 @@ openshift:
   version: 1.0
   metrics:
     enabled: false
-    secret: TopSecretToken
+    # secret is used to authenticate to metrics endpoint. It cannot be empty.
+    # Attention! A weak secret can lead to the leakage of private data.
+    #
+    # secret: TopSecretLongToken
diff --git a/pkg/cmd/dockerregistry/dockerregistry.go b/pkg/cmd/dockerregistry/dockerregistry.go
index 534ae147de07..5126d0997b33 100644
--- a/pkg/cmd/dockerregistry/dockerregistry.go
+++ b/pkg/cmd/dockerregistry/dockerregistry.go
@@ -125,6 +125,9 @@ func Execute(configFile io.Reader) {
 
 	// Registry extensions endpoint provides prometheus metrics.
 	if extraConfig.Metrics.Enabled {
+		if len(extraConfig.Metrics.Secret) == 0 {
+			context.GetLogger(app).Fatalf("openshift.metrics.secret field cannot be empty when metrics are enabled")
+		}
 		server.RegisterMetricHandler(app)
 	}