---
weight: 7
title: Authorization and exposing components
menu:
  docs:
    parent: "operator"
    weight: 7
aliases:
  - /operator/auth/
  - /operator/auth/index.html
---
## Exposing components
CRD objects don't have an `ingress` configuration of their own.
Instead, use [VMAuth](https://docs.victoriametrics.com/operator/resources/vmauth/) as a proxy between the ingress controller and the VictoriaMetrics components.

It adds the authorization and access-control layer the components lack and enforces it on every request.

Access is granted with a [VMUser](https://docs.victoriametrics.com/operator/resources/vmuser/) definition.
It supports basic auth and bearer token authentication:
```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: main-router
spec:
  userNamespaceSelector: {}
  userSelector: {}
  ingress: {}
  unauthorizedAccessConfig: []
```
Advanced configuration with cert-manager annotations:
```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: router-main
spec:
  podMetadata:
    labels:
      component: vmauth
  userSelector: {}
  userNamespaceSelector: {}
  replicaCount: 2
  resources:
    requests:
      cpu: "250m"
      memory: "350Mi"
    limits:
      cpu: "500m"
      memory: "850Mi"
  ingress:
    tlsSecretName: vmauth-tls
    annotations:
      cert-manager.io/cluster-issuer: base
    class_name: nginx
    tlsHosts:
      - vm-access.example.com
```
Simple static routing granting read-only access to vmagent for the username `user-1` with the password `Asafs124142`. Only the listed `paths` are forwarded; a `targetRef` without `paths` forwards every request path to the target. An inline `password` or `bearerToken` is written into the manifest itself, so for production prefer `passwordRef` or `tokenRef` pointing at an existing Secret:
```yaml
# curl vmauth:8427/metrics -u 'user-1:Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-1
spec:
  password: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1", "/targets", "/metrics"]
```
With bearer token access:
```yaml
# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-2
spec:
  bearerToken: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1", "/targets", "/metrics"]
```
It's also possible to reference operator-managed objects directly instead of a static URL; the operator discovers the target service for you:
```yaml
# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-3
spec:
  bearerToken: Asafs124142
  targetRefs:
    - crd:
        kind: VMAgent
        name: base
        namespace: default
      paths: ["/targets/api/v1", "/targets", "/metrics"]
```
Cluster components support automatic path generation for a single-tenant view:
```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: vmuser-tenant-1
spec:
  bearerToken: some-token
  targetRefs:
    - crd:
        kind: VMCluster/vminsert
        name: test-persistent
        namespace: default
      target_path_suffix: "/insert/1"
    - crd:
        kind: VMCluster/vmselect
        name: test-persistent
        namespace: default
      target_path_suffix: "/select/1"
    - static:
        url: http://vmselect-test-persistent.default.svc:8481/
      paths:
        - /internal/resetRollupResultCache
```
For each `VMUser` the operator generates a corresponding Secret holding the username/password or bearer token, in the same namespace as the `VMUser`.
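Because every `VMUser` is plain configuration, the access it grants can be reviewed before it is applied. The following audit script is an added example and not part of the VictoriaMetrics operator: it walks a list of `VMUser` objects (constructed inline as Python dicts mirroring the manifests above, plus one hypothetical `ops-admin` user that is not on this page) and reports inline credentials, `targetRefs` without `paths` (every request path is forwarded) and a credential value reused across several users, which the page's own examples do with `Asafs124142`. The `ops-admin` user, its `tokenRef` Secret name and the severity labels are assumptions for the example.

```python
"""Audit VMUser manifests for weak access-control settings.

Added example, not part of the VictoriaMetrics operator. It inspects VMUser
objects, here constructed inline as Python dicts that mirror the YAML on this
page, and reports what a security reviewer would flag.
"""
from collections import defaultdict

# Constructed sample input: the VMUser manifests from this page plus one
# hypothetical `ops-admin` user that uses a Secret reference but no `paths`.
SAMPLE_USERS = [
    {"metadata": {"name": "user-1", "namespace": "default"},
     "spec": {"password": "Asafs124142",
              "targetRefs": [{"static": {"url": "http://vmagent-base.default.svc:8429"},
                              "paths": ["/targets/api/v1", "/targets", "/metrics"]}]}},
    {"metadata": {"name": "user-2", "namespace": "default"},
     "spec": {"bearerToken": "Asafs124142",
              "targetRefs": [{"static": {"url": "http://vmagent-base.default.svc:8429"},
                              "paths": ["/targets/api/v1", "/targets", "/metrics"]}]}},
    {"metadata": {"name": "user-3", "namespace": "default"},
     "spec": {"bearerToken": "Asafs124142",
              "targetRefs": [{"crd": {"kind": "VMAgent", "name": "base", "namespace": "default"},
                              "paths": ["/targets/api/v1", "/targets", "/metrics"]}]}},
    {"metadata": {"name": "ops-admin", "namespace": "monitoring"},  # hypothetical
     "spec": {"tokenRef": {"name": "ops-admin-token", "key": "token"},
              "targetRefs": [{"crd": {"kind": "VMCluster/vmselect",
                                      "name": "test-persistent", "namespace": "default"}}]}},
]

# Credential fields whose value is written into the manifest itself.
INLINE_CREDENTIAL_FIELDS = ("password", "bearerToken")


def describe_target(ref):
    """Human-readable label for a targetRef (static URL or CRD reference)."""
    if "static" in ref:
        return ref["static"]["url"]
    crd = ref["crd"]
    return f"{crd['kind']} {crd.get('namespace', 'default')}/{crd['name']}"


def audit_user(user):
    """Return (severity, message) findings for a single VMUser."""
    name = user["metadata"]["name"]
    spec = user.get("spec", {})
    findings = []
    for field in INLINE_CREDENTIAL_FIELDS:
        if field in spec:
            findings.append(("medium", f"{name}: inline `{field}` in the manifest; "
                                       "prefer a Secret reference"))
    for ref in spec.get("targetRefs", []):
        # No `paths` means vmauth forwards every request path to this target.
        if not ref.get("paths"):
            findings.append(("high", f"{name}: targetRef {describe_target(ref)} has no "
                                     "`paths`, so every request path is forwarded"))
    return findings


def audit_users(users):
    """Audit a list of VMUsers, adding a cross-user check for shared credentials."""
    findings = []
    holders = defaultdict(list)  # credential value -> users carrying it inline
    for user in users:
        findings.extend(audit_user(user))
        spec = user.get("spec", {})
        for field in INLINE_CREDENTIAL_FIELDS:
            if field in spec:
                holders[spec[field]].append(user["metadata"]["name"])
    for names in holders.values():
        if len(names) > 1:
            findings.append(("high", "credential shared by " + ", ".join(sorted(names)) +
                                     "; revocation and audit trails need one secret per user"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_users(SAMPLE_USERS):
        print(f"[{severity}] {message}")
```

Run against the manifests above it reports three inline credentials, one shared credential across `user-1`, `user-2` and `user-3`, and the unrestricted `targetRef` of the hypothetical `ops-admin` user; feed it the output of `kubectl get vmusers -A -o json` (parsed into dicts) to review a live cluster.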
## Basic auth for targets
To let a `VMServiceScrape` authenticate against a metrics endpoint protected by basic auth, use [`basicAuth`](https://docs.victoriametrics.com/operator/api/#basicauth) with the credentials read from a Secret:
```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMServiceScrape
metadata:
  labels:
    k8s-apps: basic-auth-example
  name: basic-auth-example
spec:
  endpoints:
    - basicAuth:
        password:
          name: basic-auth
          key: password
        username:
          name: basic-auth
          key: user
      port: metrics
  selector:
    matchLabels:
      app: myapp
---
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
data:
  password: dG9vcg== # toor
  user: YWRtaW4= # admin
type: Opaque
```
## Unauthorized access
You can expose selected routes without authorization with `unauthorizedAccessConfig`. Requests matching these routes bypass the `VMUser` checks entirely, so keep the list to the minimum that actually needs anonymous access.
Check more details in [VMAuth docs -> Unauthorized access](https://docs.victoriametrics.com/operator/resources/vmauth/#unauthorized-access).
More details about the features of `VMAuth` and `VMUser` can be found in:
- [VMAuth docs](https://docs.victoriametrics.com/operator/resources/vmauth/),
- [VMUser docs](https://docs.victoriametrics.com/operator/resources/vmuser/).