Skip to content
actor-ts
English

ManagementRoutesSettings

Defined in: src/management/HttpManagement.ts:22

Properties

Section titled “Properties”

auth?

Section titled “auth?”

readonly optional auth?: Middleware

Defined in: src/management/HttpManagement.ts:53

Optional authentication middleware applied to the privileged subset of management routes (#312). When set, every privileged endpoint requires the auth — typically BearerTokenAuth({...}) or a stack composed via nested withMiddleware.

Privileged = /cluster/leave, /cluster/down. The membership read-only routes (/cluster/members, /cluster/leader, /cluster/shards) are also covered. Health-check probes (/health, /ready) are deliberately exempt — Kubernetes liveness/readiness probes cannot easily attach an Authorization header.

auth: BearerTokenAuth({ tokens: [process.env.MGMT_TOKEN!] })

authProtectHealth?

Section titled “authProtectHealth?”

readonly optional authProtectHealth?: boolean

Defined in: src/management/HttpManagement.ts:70

Set to true to apply the auth middleware to /health and /ready as well (#312). Default: false — those endpoints are standard liveness/readiness probes and should answer anonymously. Flip this only when the deployment guarantees the probes can present credentials.

enableDownEndpoint?

Section titled “enableDownEndpoint?”

readonly optional enableDownEndpoint?: boolean

Defined in: src/management/HttpManagement.ts:31

Set to true to allow POST /cluster/down (#56). Operator-initiated force-down of a remote member by address. Off by default — production deployments typically gate this behind an auth proxy because it’s a destructive action.

enableLeaveEndpoint?

Section titled “enableLeaveEndpoint?”

readonly optional enableLeaveEndpoint?: boolean

Defined in: src/management/HttpManagement.ts:24

Set to true to allow POST /cluster/leave (requires cluster).

enableMetricsEndpoint?

Section titled “enableMetricsEndpoint?”

readonly optional enableMetricsEndpoint?: boolean

Defined in: src/management/HttpManagement.ts:37

Set to true to expose GET /metrics in Prometheus text format (#56). Reads from the system’s MetricsRegistry. Off by default because most deployments scrape metrics from a separate port.

ipAllowlist?

Section titled “ipAllowlist?”

readonly optional ipAllowlist?: Middleware

Defined in: src/management/HttpManagement.ts:62

Optional IP-allowlist middleware applied to every management endpoint INCLUDING /health and /ready (#312). Use this for network-level isolation: only allow probes from inside the cluster’s pod CIDR or from the operator’s bastion.

ipAllowlist: IpAllowlist({ allow: ['10.0.0.0/8', '127.0.0.1/32'] })