Add '/metrics' to commonPaths in auth middleware #1299

Draft
sthwang-metal wants to merge 1 commit into flatcar:main from sthwang-metal:patch-1

sthwang-metal commented Jan 27, 2026

Skip Auth for /metrics endpoint

Currently can't access the /metrics endpoint without auth. This change makes this consistent with the middlewareSkipper configured here:

return custommiddleware.MatchesOneOfPatterns(c.Request().URL.Path, "/health", "/metrics", "/config", "/v1/update", "/flatcar/*", "/assets/*")

How to use

Spin up Nebraska and go to the /metrics endpoint without auth (like with curl)

Testing done

[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

ervcz (Collaborator) commented Jan 28, 2026

Thanks for the PR @sthwang-metal! Could you share a bit more about the use case you want to cover?

Since /metrics exposes internal data (app versions, DB stats, potentially business insights), I would prefer keeping it protected by default. However, I can imagine a scenario where this is useful and justified, for example:

If your Prometheus instance runs in the same private network (e.g., same VPC or Kubernetes cluster) as Nebraska:

  • You could set a flag like public-metrics: true.
  • Ensure your firewall/Ingress blocks external access to /metrics.
  • Let Prometheus access /metrics over the internal network without auth.

To support this safely, could you please make it configurable (opt-in)?
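
The opt-in behaviour requested in the review comment above, as an added example that is not code from this PR or from Nebraska: /metrics stays behind auth unless a setting is switched on, and then only the exact path is exempted. It uses plain net/http rather than the project's middleware stack; `skipAuth`, `requireAuth`, `statusFor` and the `publicMetrics` parameter are hypothetical names, and the other open paths are assumed from the skipper line quoted in the PR description.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// skipAuth reports whether a path bypasses auth; publicMetrics is a hypothetical opt-in (default false).
func skipAuth(reqPath string, publicMetrics bool) bool {
	p := path.Clean("/" + reqPath) // normalise "//", "/./" and "/../" before matching
	open := []string{"/health", "/config", "/v1/update", "/flatcar/*", "/assets/*"}
	if publicMetrics {
		open = append(open, "/metrics") // exact match only, no wildcard
	}
	for _, pat := range open {
		prefix := strings.TrimSuffix(pat, "*")
		if p == pat || (prefix != pat && strings.HasPrefix(p, prefix)) {
			return true
		}
	}
	return false
}

// requireAuth is a stand-in auth middleware: real credential validation is out of scope here.
func requireAuth(publicMetrics bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !skipAuth(r.URL.Path, publicMetrics) && r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends an unauthenticated GET through the middleware and returns the status code.
func statusFor(target string, publicMetrics bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	requireAuth(publicMetrics, ok).ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("/metrics", false), statusFor("/metrics", true)) // prints "401 200"
}
```

The exemption only removes the auth check; blocking external access to /metrics at the firewall or Ingress, as the comment lists, is still a separate control.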
