---
sort: 7
weight: 7
title: Authorization and exposing components
menu:
  docs:
    parent: "operator"
    weight: 7
---

# Authorization and exposing components

## Exposing components

CRD objects don't have an `ingress` configuration.
Instead, you can use [VMAuth](./resources/vmauth.md) as a proxy between the ingress controller and the VictoriaMetrics components.

It adds the authorization and access-control layer the components themselves lack, and enforces it in front of them.

Access is granted with a [VMUser](./resources/vmuser.md) definition.

It supports basic auth and bearer token authentication. A minimal `VMAuth` that loads `VMUser` objects from every namespace:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: main-router
spec:
  userNamespaceSelector: {}
  userSelector: {}
  ingress: {}
  unauthorizedAccessConfig: []
```

Note the selector semantics: an empty `userNamespaceSelector: {}` matches `VMUser` objects in every namespace, so anyone with `create` rights on `VMUser` anywhere in the cluster can mint credentials for the proxied targets. Restrict it with a label selector to the namespaces you trust (leaving it unset limits discovery to the `VMAuth`'s own namespace). `ingress: {}` creates an Ingress without TLS, so credentials would travel in plaintext up to the ingress controller.

Advanced configuration with two replicas, resource limits and a TLS ingress with cert-manager annotations:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: router-main
spec:
  podMetadata:
    labels:
      component: vmauth
  userSelector: {}
  userNamespaceSelector: {}
  replicaCount: 2
  resources:
    requests:
      cpu: "250m"
      memory: "350Mi"
    limits:
      cpu: "500m"
      memory: "850Mi"
  ingress:
    tlsSecretName: vmauth-tls
    annotations:
      cert-manager.io/cluster-issuer: base
    class_name: nginx
    tlsHosts:
      - vm-access.example.com
```

Simple static routing with read-only access to vmagent for the user `user-1` with the password `Asafs124142` (a placeholder; don't commit real credentials to manifests):

```yaml
# curl vmauth:8427/metrics -u 'user-1:Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-1
spec:
  password: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1","/targets","/metrics"]
```

With bearer token access:

```yaml
# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-2
spec:
  bearerToken: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1","/targets","/metrics"]
```

It's also possible to reference operator-managed objects by kind, name and namespace instead of a static URL; the operator resolves the service address for you:

```yaml
# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-3
spec:
  bearerToken: Asafs124142
  targetRefs:
    - crd:
        kind: VMAgent
        name: base
        namespace: default
      paths: ["/targets/api/v1","/targets","/metrics"]
```

Cluster components support automatic path generation for a single-tenant view: `target_path_suffix` is appended to the generated target URL, so the user below can only reach tenant `1` of the cluster, plus one explicitly listed maintenance endpoint:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: vmuser-tenant-1
spec:
  bearerToken: some-token
  targetRefs:
    - crd:
        kind: VMCluster/vminsert
        name: test-persistent
        namespace: default
      target_path_suffix: "/insert/1"
    - crd:
        kind: VMCluster/vmselect
        name: test-persistent
        namespace: default
      target_path_suffix: "/select/1"
    - static:
        url: http://vmselect-test-persistent.default.svc:8481/
      paths:
        - /internal/resetRollupResultCache
```

For each `VMUser` the operator generates a corresponding Secret with the username/password or bearer token in the same namespace as the `VMUser`.
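As a review check over the objects above (an added example, not operator code): a small Python audit that flags what a reviewer would question in a `VMAuth`/`VMUser` set. It assumes the operator's selector semantics (an empty `userNamespaceSelector: {}` matches every namespace, an absent one only the `VMAuth`'s own), that a `crd` ref with `target_path_suffix` gets its paths generated by the operator as described above, and that any other `targetRef` without `paths` exposes every path of its target. The `user-wide` object and the 32-character token policy are constructed for the example.

```python
"""Audit VMAuth/VMUser objects for over-broad access (added example)."""

# Constructed sample: the VMAuth and two VMUser objects from this page as the dicts
# a YAML parser would produce, plus one extra user with no path restriction.
VMAUTH = {
    "kind": "VMAuth",
    "metadata": {"name": "main-router", "namespace": "default"},
    "spec": {"userNamespaceSelector": {}, "userSelector": {},
             "ingress": {}, "unauthorizedAccessConfig": []},
}

VMUSERS = [
    {"kind": "VMUser", "metadata": {"name": "user-1", "namespace": "default"},
     "spec": {"password": "Asafs124142", "targetRefs": [
         {"static": {"url": "http://vmagent-base.default.svc:8429"},
          "paths": ["/targets/api/v1", "/targets", "/metrics"]}]}},
    {"kind": "VMUser", "metadata": {"name": "vmuser-tenant-1", "namespace": "default"},
     "spec": {"bearerToken": "some-token", "targetRefs": [
         {"crd": {"kind": "VMCluster/vminsert", "name": "test-persistent",
                  "namespace": "default"}, "target_path_suffix": "/insert/1"},
         {"static": {"url": "http://vmselect-test-persistent.default.svc:8481/"},
          "paths": ["/internal/resetRollupResultCache"]}]}},
    # Constructed: a static target with no paths at all.
    {"kind": "VMUser", "metadata": {"name": "user-wide", "namespace": "team-a"},
     "spec": {"bearerToken": "k" * 40, "targetRefs": [
         {"static": {"url": "http://vmselect-test-persistent.default.svc:8481/"}}]}},
]

MIN_TOKEN_LEN = 32  # assumed local policy, not an operator default
CATCH_ALL_PATHS = {"/", "/.*", ".*", "/*"}


def _ref(obj: dict) -> str:
    md = obj["metadata"]
    return f'{obj["kind"]} {md.get("namespace", "default")}/{md["name"]}'


def audit_vmauth(vmauth: dict) -> list[str]:
    """Who can add users to this proxy, and what is reachable without one."""
    spec, out = vmauth["spec"], []
    # Operator semantics: {} selects every namespace; absent selects only the VMAuth's own.
    if spec.get("userNamespaceSelector") == {}:
        out.append(f"{_ref(vmauth)}: userNamespaceSelector {{}} loads VMUser objects from "
                   "every namespace; create rights on VMUser anywhere grant access")
    if "ingress" in spec and not spec["ingress"].get("tlsSecretName"):
        out.append(f"{_ref(vmauth)}: ingress without tlsSecretName; credentials "
                   "reach the ingress controller in plaintext")
    for route in spec.get("unauthorizedAccessConfig") or []:
        out.append(f"{_ref(vmauth)}: route served without authentication: {route}")
    return out


def audit_vmuser(user: dict) -> list[str]:
    """Literal secrets, short tokens and target refs that expose every path."""
    spec, out = user["spec"], []
    for field in ("password", "bearerToken"):
        if field in spec:
            out.append(f"{_ref(user)}: {field} is a literal in the manifest and "
                       "ends up in git and CI history")
    if len(spec.get("bearerToken", "k" * MIN_TOKEN_LEN)) < MIN_TOKEN_LEN:
        out.append(f"{_ref(user)}: bearerToken shorter than {MIN_TOKEN_LEN} characters")
    for ref in spec.get("targetRefs", []):
        target = (ref.get("static") or {}).get("url") or (ref.get("crd") or {}).get("name")
        paths = ref.get("paths") or []
        # A crd ref with target_path_suffix gets its paths generated by the operator
        # (the single-tenant view above); anything else without paths exposes the whole target.
        generated = bool(ref.get("crd")) and bool(ref.get("target_path_suffix"))
        if not paths and not generated:
            out.append(f"{_ref(user)}: target {target} has no paths; every endpoint "
                       "of the target is reachable")
        if CATCH_ALL_PATHS & set(paths):
            out.append(f"{_ref(user)}: target {target} uses a catch-all path")
    return out


def audit(vmauth: dict, users: list[dict]) -> list[str]:
    return audit_vmauth(vmauth) + [f for u in users for f in audit_vmuser(u)]


if __name__ == "__main__":
    for finding in audit(VMAUTH, VMUSERS):
        print(finding)
```

Run against the page's own objects it reports the cluster-wide selector, the TLS-less ingress, every inline credential, the short `some-token`, and the constructed `user-wide` target; `vmuser-tenant-1` is not flagged for missing paths because its `crd` refs carry a `target_path_suffix`.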

## Basic auth for targets

To authenticate `VMServiceScrape` requests to a metrics endpoint, use [`basicAuth`](./api.md#basicauth); the referenced Secret must live in the same namespace as the `VMServiceScrape`:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMServiceScrape
metadata:
  labels:
    k8s-apps: basic-auth-example
  name: basic-auth-example
spec:
  endpoints:
    - basicAuth:
        password:
          name: basic-auth
          key: password
        username:
          name: basic-auth
          key: user
      port: metrics
  selector:
    matchLabels:
      app: myapp
---
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
data:
  password: dG9vcg== # toor
  user: YWRtaW4= # admin
type: Opaque
```
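Before applying a pair like this, it is worth resolving the references the way the operator will. The following Python check (an added example, not operator code) walks each endpoint's `basicAuth` selectors, looks the Secret up only in the scrape object's namespace, decodes the base64 values and rejects the throwaway `admin`/`toor` pair used above. The `monitoring` namespace, the `DEFAULT_CREDENTIALS` deny-list and the error texts are constructed for the example.

```python
"""Resolve the basicAuth Secret references of a VMServiceScrape (added example)."""
import base64
import binascii

# Constructed sample: the VMServiceScrape and Secret from this page, each given a
# namespace so the same-namespace rule has something to check against.
SCRAPE = {
    "kind": "VMServiceScrape",
    "metadata": {"name": "basic-auth-example", "namespace": "monitoring"},
    "spec": {"endpoints": [{
        "port": "metrics",
        "basicAuth": {"username": {"name": "basic-auth", "key": "user"},
                      "password": {"name": "basic-auth", "key": "password"}}}]},
}
SECRETS = [{
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "basic-auth", "namespace": "monitoring"},
    "data": {"password": "dG9vcg==", "user": "YWRtaW4="},  # toor / admin
}]

# Constructed deny-list of placeholder credentials that must not reach a real target.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "toor"), ("root", "toor"),
                       ("admin", "password")}


def resolve_key(selector: dict, namespace: str, secrets: list[dict]) -> str:
    """Decode one SecretKeySelector, looking only in `namespace`: the operator
    reads scrape credentials from the scrape object's own namespace."""
    for s in secrets:
        md = s["metadata"]
        if md["name"] == selector["name"] and md.get("namespace", "default") == namespace:
            data = s.get("data") or {}
            if selector["key"] not in data:
                raise LookupError(f'secret {namespace}/{md["name"]} has no key {selector["key"]!r}')
            try:
                return base64.b64decode(data[selector["key"]], validate=True).decode()
            except (binascii.Error, UnicodeDecodeError) as e:
                raise ValueError(f'secret {namespace}/{md["name"]} key {selector["key"]!r} '
                                 f'is not valid base64 text: {e}')
    raise LookupError(f'secret {namespace}/{selector["name"]} not found in the scrape namespace')


def check_scrape(scrape: dict, secrets: list[dict]) -> list[str]:
    """Findings per endpoint: no auth, unresolvable references, default credentials."""
    ns = scrape["metadata"].get("namespace", "default")
    findings = []
    for ep in scrape["spec"]["endpoints"]:
        port = ep.get("port", "?")
        auth = ep.get("basicAuth")
        if not auth:
            findings.append(f"endpoint {port}: scraped without authentication")
            continue
        try:
            user = resolve_key(auth["username"], ns, secrets)
            password = resolve_key(auth["password"], ns, secrets)
        except (LookupError, ValueError) as e:
            findings.append(f"endpoint {port}: {e}")
            continue
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"endpoint {port}: Secret holds a default credential for user {user!r}")
    return findings


if __name__ == "__main__":
    print(check_scrape(SCRAPE, SECRETS) or ["ok"])
```

Moving the Secret to another namespace makes the lookup fail the same way the operator's would, which is the usual cause of a scrape that silently runs without credentials after a manifest reorganisation.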

## Unauthorized access

You can expose some routes without authorization with `unauthorizedAccessConfig`. Every route listed there is reachable by anyone who can reach the ingress, so keep the list minimal and review it with the same care as the `VMUser` objects.

Check more details in [VMAuth docs -> Unauthorized access](./resources/vmauth.md#unauthorized-access).

More details about the features of `VMAuth` and `VMUser`:

- [VMAuth docs](./resources/vmauth.md),
- [VMUser docs](./resources/vmuser.md).