feat(prometheus_exporter sink): add SAR auth strategy #25412

Open
jcantrill wants to merge 1 commit into vectordotdev:master from jcantrill:feat_25409_sar_prometheus_exp

Conversation

@jcantrill

Add Subject Access Review (SAR) authentication strategy to the prometheus_exporter sink. fixes #25409

Summary

This PR:

  • Adds auth.strategy 'sar' (SubjectAccessReview) to the prometheus export sink
  • Allows the sink to be protected by a well-known Kubernetes pattern

Vector configuration

    [sinks.prometheus_output.auth]
    strategy = "sar"
    path = "/metrics"
    verb = "get"

How did you test this PR?

  • Deploy the collector as a pod on an OpenShift cluster
  • Bind the pod's serviceaccount to the following role:

        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: vector-token-validator
        rules:
        - apiGroups: ["authentication.k8s.io"]
          resources: ["tokenreviews"]
          verbs: ["create"]
        - apiGroups: ["authorization.k8s.io"]
          resources: ["subjectaccessreviews"]
          verbs: ["create"]

  • Inspect prometheus or create a serviceaccount and bind it to a cluster role that can "get /metrics"

Change Type

  • Bug fix
  • [x] New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • [x] No

Does this PR include user facing changes?

No

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

References

Notes

  • Please read our Vector contributor resources.
  • Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
  • Some CI checks run only after we manually approve them.
    • We recommend adding a pre-push hook, please see this template.
    • Alternatively, we recommend running the following locally before pushing to the remote branch:
      • make fmt
      • make check-clippy (if there are failures it's possible some of them can be fixed with make clippy-fix)
      • make test
  • After a review is requested, please avoid force pushes to help us review incrementally.
    • Feel free to push as many commits as you want. They will be squashed into one before merging.
    • For example, you can run git merge origin master and git push.
  • If this PR introduces changes to Vector dependencies (modifies Cargo.lock), please run make build-licenses to regenerate the license inventory and commit the changes (if any). More details on the dd-rust-license-tool.

Add Subject Access Review (SAR) authentication strategy to the
prometheus_exporter sink. fixes vectordotdev#25409
@jcantrill jcantrill requested a review from a team as a code owner May 11, 2026 18:12
@github-actions
Contributor

Thank you for your contribution! Before we can merge this PR, please sign our Contributor License Agreement.

To sign, copy and post the phrase below as a new comment on this PR.

Note: If the bot says your username was not found, the email used in your git commit may not be linked to your GitHub account. Fix this at github.com/settings/emails, then comment recheck to retry.

    I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@jcantrill
Author

cc @vparfonov

@github-actions github-actions Bot added the domain: sinks Anything related to the Vector's sinks label May 11, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e8f2bbf67

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +709 to +712

    // Check authorization - SAR takes precedence over basic auth when both token and SAR config present
    let is_authorized = self.check_authorization(&req).await;

    match (is_authorized, req.method(), req.uri().path()) {

P1: Short-circuit non-metrics routes before SAR checks

In Handler::handle, authorization is awaited before route matching, so with auth.strategy = "sar" every request (including POST /, health probes, and random 404 paths) triggers TokenReview + SubjectAccessReview calls. This turns invalid-path traffic into Kubernetes API load even though only GET /metrics can succeed, making it easy to amplify load on the API server from outside. Please gate SAR evaluation to the /metrics route (and method) so non-metrics requests return immediately.


Comment on lines +605 to +607

    _ => {
        return Err("Must specify either 'path' or 'resource', not both or neither".into());
    }

P2: Fail fast on invalid SAR one-of path/resource settings

The path/resource exclusivity is enforced only at request time, where invalid combinations return an error from validate_token_with_sar. That means a sink configured with strategy = "sar" but with both fields set (or neither set) still starts, then denies all scrapes at runtime. This should be validated during config/build so misconfiguration is surfaced immediately instead of silently breaking metrics after deployment.

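An added example, not code from this PR or from Vector, showing how a "sar" strategy can apply both review points above: the path/resource one-of is rejected when the sink config is built (P2), and TokenReview/SubjectAccessReview are only consulted for GET /metrics so other requests never reach the API server (P1). SarConfig, KubeAuth, FakeApi and the "good-token" value are assumptions; the SubjectAccessReview body follows the authorization.k8s.io/v1 schema with nonResourceAttributes for a path check.

```rust
// Added example, not Vector's code: the request path of a "sar" auth strategy.
// SarConfig, KubeAuth, FakeApi and the "good-token" value are hypothetical.
pub struct SarConfig { pub path: Option<String>, pub resource: Option<String>, pub verb: String }

impl SarConfig {
    /// Enforce the path/resource one-of when the sink is built, not on each request (P2).
    pub fn build(path: Option<&str>, resource: Option<&str>, verb: &str) -> Result<Self, String> {
        match (path, resource) {
            (Some(p), None) => Ok(Self { path: Some(p.to_string()), resource: None, verb: verb.to_string() }),
            (None, Some(r)) => Ok(Self { path: None, resource: Some(r.to_string()), verb: verb.to_string() }),
            _ => Err("Must specify either 'path' or 'resource', not both or neither".into()),
        }
    }
}
/// JSON body POSTed to /apis/authorization.k8s.io/v1/subjectaccessreviews once TokenReview
/// has resolved the bearer token to a user and its groups.
pub fn sar_body(user: &str, groups: &[&str], cfg: &SarConfig) -> String {
    let groups: Vec<String> = groups.iter().map(|g| format!("\"{g}\"")).collect();
    let attrs = match (&cfg.path, &cfg.resource) {
        (Some(p), _) => format!("\"nonResourceAttributes\":{{\"path\":\"{p}\",\"verb\":\"{}\"}}", cfg.verb),
        (None, Some(r)) => format!("\"resourceAttributes\":{{\"resource\":\"{r}\",\"verb\":\"{}\"}}", cfg.verb),
        (None, None) => unreachable!("rejected by SarConfig::build"),
    };
    format!("{{\"apiVersion\":\"authorization.k8s.io/v1\",\"kind\":\"SubjectAccessReview\",\"spec\":{{\"user\":\"{user}\",\"groups\":[{}],{attrs}}}}}", groups.join(","))
}
/// Stand-in for the two Kubernetes API calls so the example runs offline.
pub trait KubeAuth {
    fn token_review(&mut self, token: &str) -> Option<(String, Vec<String>)>;
    fn subject_access_review(&mut self, body: &str) -> bool;
}

/// Returns an HTTP status; only GET /metrics ever reaches the API server (P1).
pub fn handle(cfg: &SarConfig, api: &mut dyn KubeAuth, method: &str, path: &str, auth: Option<&str>) -> u16 {
    if method != "GET" || path != "/metrics" { return 404; }
    let Some(token) = auth.and_then(|h| h.strip_prefix("Bearer ")) else { return 401 };
    let Some((user, groups)) = api.token_review(token) else { return 401 };
    let groups: Vec<&str> = groups.iter().map(String::as_str).collect();
    if api.subject_access_review(&sar_body(&user, &groups, cfg)) { 200 } else { 403 }
}
/// Constructed fake that counts API calls: one valid token, one authorized subject.
pub struct FakeApi { pub calls: usize }
impl KubeAuth for FakeApi {
    fn token_review(&mut self, token: &str) -> Option<(String, Vec<String>)> {
        self.calls += 1;
        (token == "good-token").then(|| ("system:serviceaccount:monitoring:prometheus".to_string(), vec!["system:authenticated".to_string()]))
    }
    fn subject_access_review(&mut self, body: &str) -> bool {
        self.calls += 1;
        body.contains("\"user\":\"system:serviceaccount:monitoring:prometheus\"") && body.contains("\"path\":\"/metrics\",\"verb\":\"get\"")
    }
}
```

The FakeApi call counter is what makes the P1 point checkable: a POST / or an unauthenticated scrape must leave it at zero.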


Development

Successfully merging this pull request may close these issues.

feat(sink/prometheus_exporter) Restrict access by SubjectAccessReview to authorized clients in Kubernetes environment

1 participant