docs: ADMIN_PORT config and security hardening

[ankurs]

Summary

• Add ADMIN_PORT to config reference (Server section)
• Add dedicated admin port as preferred security hardening approach in production howto, with Kubernetes NetworkPolicy example
• Update architecture page port binding description and built-in endpoints diagram
• Note in debugging howto that pprof serves on admin port when configured
• Add tip on homepage linking to security hardening

Depends on go-coldbrew/core#78 (admin port feature).

Test plan

• Playwright tests pass (57/57)
• Config reference table renders correctly
• Security hardening section has NetworkPolicy example
• Architecture diagram updated

Summary by CodeRabbit

• Documentation
  • Added ADMIN_PORT doc and callout recommending a dedicated admin port for metrics, profiling, and Swagger.
  • Updated production and debugging guides with examples, request-lifecycle text, and Kubernetes NetworkPolicy guidance for isolating admin endpoints.
  • Clarified where /metrics and /debug/pprof/ are served when ADMIN_PORT is enabled vs. disabled.

[coderabbitai]

Warning

Rate limit exceeded

@ankurs has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 3 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 15 minutes and 3 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 84b15dbd-2c2c-4351-950d-3199f006509e

📥 Commits

Reviewing files that changed from the base of the PR and between 92e631f and ee212d6.

📒 Files selected for processing (1)

• howto/production.md

📝 Walkthrough

Walkthrough

This PR documents an optional ADMIN_PORT that isolates admin endpoints (pprof, metrics, swagger) onto a dedicated port; docs updated across architecture, config reference, debugging, and production guides to reflect endpoint locations and Kubernetes/networking guidance.

Changes

Cohort / File(s)	Summary
Core docs & architecture index.md, architecture.md	Adds a tip and updates port-binding description to introduce an optional ADMIN_PORT for admin endpoint isolation; moves /metrics to an “Admin Endpoints” block in diagrams and notes scraping options.
Configuration reference config-reference.md	Adds ADMIN_PORT config entry (int, default 0 meaning disabled) documenting that admin endpoints are served on this port when non-zero.
Debugging guide howto/Debugging.md	Clarifies /debug/pprof/ location when ADMIN_PORT is set and updates go tool pprof example commands to show both default and admin-port URLs.
Production guidance howto/production.md	Adds “Dedicated admin port (recommended)” section, updates /metrics and public-facing services guidance, and includes a Kubernetes NetworkPolicy example restricting admin-port ingress.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as External Client
participant App as Application (HTTP_PORT)
participant Admin as Admin Server (ADMIN_PORT)
participant Prom as Prometheus
Note over App,Admin: Admin endpoints (pprof/metrics/swagger) served on ADMIN_PORT when configured; otherwise on HTTP_PORT
Client->>App: App API requests
Client->>App: Health / Ready checks
Prom->>Admin: Scrape /metrics
Admin->>Admin: Serve pprof /swagger /metrics
alt ADMIN_PORT = 0
Prom->>App: Scrape /metrics on HTTP_PORT
App->>App: Serve metrics on HTTP_PORT
end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A little port, snug and small,
Keeps metrics and pprof from the public hall.
Swagger tucked in a quiet bay,
Health stays open, hops along the way.
A rabbit cheers for safe display!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: documentation additions for ADMIN_PORT configuration and security hardening recommendations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/admin-port-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates ColdBrew documentation to introduce ADMIN_PORT as a production security-hardening mechanism by isolating admin endpoints onto a dedicated listener, and aligns multiple docs pages to reference this new deployment model.

Changes:

• Add ADMIN_PORT to the configuration reference and link it to security hardening guidance.
• Expand the production how-to with a recommended dedicated admin port approach and a Kubernetes NetworkPolicy example.
• Update architecture/homepage/debugging docs to mention the admin port and adjust port-binding guidance/diagrams.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
Index.md	Adds a homepage tip pointing readers to ADMIN_PORT for security isolation.
howto/production.md	Adds recommended dedicated admin port guidance and a NetworkPolicy example; updates public-facing service hardening guidance.
howto/Debugging.md	Notes that pprof moves to the admin port when ADMIN_PORT is configured.
config-reference.md	Documents the new ADMIN_PORT environment variable in the Server config table.
architecture.md	Updates port binding principle, adds an ADMIN_PORT tip, and adjusts the built-in endpoints diagram.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

architecture.md (1)

177-182: ⚠️ Potential issue | 🟠 Major

Endpoint mapping is inconsistent: health checks should not be implied as movable to ADMIN_PORT.

This line currently implies all listed built-ins (including /healthcheck and /readycheck) can move to ADMIN_PORT, which conflicts with the rest of this PR’s admin-endpoint definition.

Suggested fix

-  │  Built-in Endpoints (movable to ADMIN_PORT):      │
-  │    /metrics        - Prometheus                  │
-  │    /healthcheck    - Liveness probe              │
-  │    /readycheck     - Readiness probe             │
-  │    /debug/pprof/   - Go profiling                │
-  │    /swagger/       - OpenAPI docs                │
+  │  Built-in Endpoints:                              │
+  │    /healthcheck    - Liveness probe (HTTP port)  │
+  │    /readycheck     - Readiness probe (HTTP port) │
+  │    /metrics        - Prometheus (movable to ADMIN_PORT) │
+  │    /debug/pprof/   - Go profiling (movable to ADMIN_PORT)│
+  │    /swagger/       - OpenAPI docs (movable to ADMIN_PORT)│

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@architecture.md` around lines 177 - 182, The documentation line grouping
built-in endpoints with "movable to ADMIN_PORT" is incorrect for health probes;
update the doc so only admin-safe endpoints (e.g., /metrics, /debug/pprof/,
/swagger/) are marked as movable to ADMIN_PORT and explicitly state that
/healthcheck and /readycheck must remain on the main application port (not
ADMIN_PORT). Edit the listed block to separate or annotate the two categories
(movable admin endpoints vs. mandatory main-port probes) and reference the exact
endpoint names (/metrics, /debug/pprof/, /swagger/, /healthcheck, /readycheck,
ADMIN_PORT) to make the intended mapping unambiguous.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@howto/Debugging.md`:
- Line 18: Update the profiling command examples to make clear that the pprof
endpoint path (/debug/pprof/) may be served on the configured ADMIN_PORT instead
of the default 9091: add a short note near the profiling commands referencing
ADMIN_PORT and the DisableDebug option (DisableDebug=false enables the endpoint)
and replace or annotate any hardcoded 9091 examples to say "9091 (or ADMIN_PORT
if configured)"; reference the /debug/pprof/ endpoint and
ADMIN_PORT/DisableDebug names so reviewers can find and update the examples
consistently.

In `@howto/production.md`:
- Around line 463-466: The line for "Port 9091 (HTTP): gRPC-gateway only — safe
to expose externally" is too absolute; update the wording for Port 9091 to
soften exposure guidance by saying it may be exposed externally only with proper
access controls (e.g., network policies, reverse proxy, or path whitelisting)
and explicitly recommend whitelisting only the required API paths/endpoints
rather than opening the entire port; ensure the new text replaces the phrase
"safe to expose externally" and references Port 9091 and the gRPC-gateway so
readers know which service the guidance applies to.

---

Outside diff comments:
In `@architecture.md`:
- Around line 177-182: The documentation line grouping built-in endpoints with
"movable to ADMIN_PORT" is incorrect for health probes; update the doc so only
admin-safe endpoints (e.g., /metrics, /debug/pprof/, /swagger/) are marked as
movable to ADMIN_PORT and explicitly state that /healthcheck and /readycheck
must remain on the main application port (not ADMIN_PORT). Edit the listed block
to separate or annotate the two categories (movable admin endpoints vs.
mandatory main-port probes) and reference the exact endpoint names (/metrics,
/debug/pprof/, /swagger/, /healthcheck, /readycheck, ADMIN_PORT) to make the
intended mapping unambiguous.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f6758455-4bcc-48c4-99f8-28c0de53c0ee

📥 Commits

Reviewing files that changed from the base of the PR and between 07f0360 and d8bbee7.

📒 Files selected for processing (5)

• Index.md
• architecture.md
• config-reference.md
• howto/Debugging.md
• howto/production.md

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

howto/production.md (1)

486-490: ⚠️ Potential issue | 🟠 Major

Avoid absolute “no app-level auth needed” wording.

“Network isolation handles it” is too strong for a security guide. Please soften this to “can reduce need for app-level auth” and keep defense-in-depth framing.

Suggested wording tweak

 This approach is better than disabling endpoints entirely because:
 - Prometheus can still scrape `/metrics` on the admin port
 - Operations can still access pprof for production debugging
-- No application-level auth needed — network isolation handles it
+- Reduced application-level auth surface for admin endpoints — enforce isolation with NetworkPolicy and other defense-in-depth controls

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@howto/production.md` around lines 486 - 490, Update the phrasing that
currently states "No application-level auth needed — network isolation handles
it" to a softened security guidance: replace it with something like "Can reduce
the need for application-level auth — network isolation can help, but maintain
defense-in-depth and consider app-level controls where appropriate" so the doc
now says network isolation can reduce the need for app auth but does not absolve
application-level protections.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@howto/production.md`:
- Around line 467-484: The NetworkPolicy named restrict-admin-port currently
selects pods (podSelector.matchLabels.app: my-service) and only allows ingress
from the monitoring namespace to port 9092, which will deny other app traffic;
update the doc to either (a) add a clear note above the YAML stating that this
policy will block all non-9092 ingress unless companion rules are present and
list example allowed app ports (e.g., 9090/9091), or (b) modify the example
NetworkPolicy spec to include additional ingress rules that explicitly allow
normal app ports (9090/9091) from the appropriate sources while keeping the
monitoring-only 9092 rule; reference the NetworkPolicy resource (kind:
NetworkPolicy, metadata.name: restrict-admin-port) in the text so readers know
which YAML needs companion rules.

---

Duplicate comments:
In `@howto/production.md`:
- Around line 486-490: Update the phrasing that currently states "No
application-level auth needed — network isolation handles it" to a softened
security guidance: replace it with something like "Can reduce the need for
application-level auth — network isolation can help, but maintain
defense-in-depth and consider app-level controls where appropriate" so the doc
now says network isolation can reduce the need for app auth but does not absolve
application-level protections.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ccf1b68-8511-4b66-8126-e1b16f08990f

📥 Commits

Reviewing files that changed from the base of the PR and between d8bbee7 and 92e631f.

📒 Files selected for processing (3)

• architecture.md
• howto/Debugging.md
• howto/production.md

🚧 Files skipped from review as they are similar to previous changes (2)

• howto/Debugging.md
• architecture.md

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.