VictoriaMetrics/docs/operator/auth.md

---
sort: 7
weight: 7
title: Authorization and exposing components
menu:
  docs:
    parent: "operator"
    weight: 7
aliases:
  - /operator/auth.html
---

# Authorization and exposing components

## Exposing components

CRD objects doesn't have `ingress` configuration. 
Instead, you can use [VMAuth](./resources/vmauth.md) as proxy between ingress-controller and VictoriaMetrics components.

It adds missing authorization and access control features and enforces it.

Access can be given with [VMUser](./resources/vmuser.md) definition. 

It supports basic auth and bearer token authentication:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: main-router
spec:
  userNamespaceSelector: {}
  userSelector: {}
  ingress: {}
  unauthorizedAccessConfig: []
```

Advanced configuration with cert-manager annotations:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: router-main
spec:
  podMetadata:
    labels:
      component: vmauth
  userSelector: {}
  userNamespaceSelector: {}
  replicaCount: 2
  resources:
    requests:
      cpu: "250m"
      memory: "350Mi"
    limits:
      cpu: "500m"
      memory: "850Mi"
  ingress:
    tlsSecretName: vmauth-tls
    annotations:
      cert-manager.io/cluster-issuer: base
    class_name: nginx
    tlsHosts:
      - vm-access.example.com
```

Simple static routing with read-only access to vmagent for username - `user-1` with password `Asafs124142`:

```yaml
# curl vmauth:8427/metrics -u 'user-1:Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-1
spec:
  password: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1","/targets","/metrics"]
```

With bearer token access:

```yaml
# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-2
spec:
  bearerToken: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1","/targets","/metrics"]
```

It's also possible to use service discovery for objects:

```yaml
# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-3
spec:
  bearerToken: Asafs124142
  targetRefs:
    - crd:
        kind: VMAgent
        name: base
        namespace: default
      paths: ["/targets/api/v1","/targets","/metrics"]
```

Cluster components supports auto path generation for single tenant view:

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
 name: vmuser-tenant-1
spec:
 bearerToken: some-token
 targetRefs:
  - crd:
     kind: VMCluster/vminsert
     name: test-persistent
     namespace: default
    target_path_suffix: "/insert/1"
  - crd:
     kind: VMCluster/vmselect
     name: test-persistent
     namespace: default
    target_path_suffix: "/select/1"
  - static:
     url: http://vmselect-test-persistent.default.svc:8481/
    paths:
     - /internal/resetRollupResultCache
```

For each `VMUser` operator generates corresponding secret with username/password or bearer token at the same namespace as `VMUser`.

## Basic auth for targets

To authenticate a `VMServiceScrape`s over a metrics endpoint use [`basicAuth`](./api.md#basicauth):

```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMServiceScrape
metadata:
  labels:
    k8s-apps: basic-auth-example
  name: basic-auth-example
spec:
  endpoints:
  - basicAuth:
      password:
        name: basic-auth
        key: password
      username:
        name: basic-auth
        key: user
    port: metrics
  selector:
    matchLabels:
      app: myapp

---

apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
data:
  password: dG9vcg== # toor
  user: YWRtaW4= # admin
type: Opaque
```

## Unauthorized access

You can expose some routes without authorization with `unauthorizedAccessConfig`.

Check more details in [VMAuth docs -> Unauthorized access](./resources/vmauth.md#unauthorized-access).

More details about features of `VMAuth` and `VMUser` you can read in:
- [VMAuth docs](./resources/vmauth.md),
- [VMUser docs](./resources/vmuser.md).
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			`---`
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`sort: 7`
			`weight: 7`
docs: prepare operator docs to migration Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-01-11 16:38:18 +01:00			`title: Authorization and exposing components`
Automatic update operator docs from VictoriaMetrics/operator@26d1b3b (#5130) 2023-10-05 12:43:28 +02:00			`menu:`
			`docs:`
			`parent: "operator"`
			`weight: 7`
Automatic update operator docs from VictoriaMetrics/operator@b96131b (#5371) 2023-11-22 12:59:07 +01:00			`aliases:`
			`- /operator/auth.html`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			`---`

			`# Authorization and exposing components`

			`## Exposing components`

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			CRD objects doesn't have `ingress` configuration.
			`Instead, you can use [VMAuth](./resources/vmauth.md) as proxy between ingress-controller and VictoriaMetrics components.`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`It adds missing authorization and access control features and enforces it.`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`Access can be given with [VMUser](./resources/vmuser.md) definition.`

			`It supports basic auth and bearer token authentication:`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00
			```yaml
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMAuth`
			`metadata:`
			`name: main-router`
			`spec:`
			`userNamespaceSelector: {}`
			`userSelector: {}`
			`ingress: {}`
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`unauthorizedAccessConfig: []`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			```

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`Advanced configuration with cert-manager annotations:`

Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			```yaml
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMAuth`
			`metadata:`
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`name: router-main`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			`spec:`
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`podMetadata:`
			`labels:`
			`component: vmauth`
			`userSelector: {}`
			`userNamespaceSelector: {}`
			`replicaCount: 2`
			`resources:`
			`requests:`
			`cpu: "250m"`
			`memory: "350Mi"`
			`limits:`
			`cpu: "500m"`
			`memory: "850Mi"`
			`ingress:`
			`tlsSecretName: vmauth-tls`
			`annotations:`
			`cert-manager.io/cluster-issuer: base`
			`class_name: nginx`
			`tlsHosts:`
			`- vm-access.example.com`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			```

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			Simple static routing with read-only access to vmagent for username - `user-1` with password `Asafs124142`:

Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			```yaml
			`# curl vmauth:8427/metrics -u 'user-1:Asafs124142'`
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMUser`
			`metadata:`
			`name: user-1`
			`spec:`
			`password: Asafs124142`
			`targetRefs:`
			`- static:`
			`url: http://vmagent-base.default.svc:8429`
			`paths: ["/targets/api/v1","/targets","/metrics"]`
			```

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`With bearer token access:`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00
			```yaml
			`# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'`
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMUser`
			`metadata:`
			`name: user-2`
			`spec:`
			`bearerToken: Asafs124142`
			`targetRefs:`
			`- static:`
			`url: http://vmagent-base.default.svc:8429`
			`paths: ["/targets/api/v1","/targets","/metrics"]`
			```

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`It's also possible to use service discovery for objects:`

Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			```yaml
			`# curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'`
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMUser`
			`metadata:`
			`name: user-3`
			`spec:`
			`bearerToken: Asafs124142`
			`targetRefs:`
			`- crd:`
			`kind: VMAgent`
			`name: base`
			`namespace: default`
			`paths: ["/targets/api/v1","/targets","/metrics"]`
			```

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`Cluster components supports auto path generation for single tenant view:`

Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			```yaml
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMUser`
			`metadata:`
			`name: vmuser-tenant-1`
			`spec:`
			`bearerToken: some-token`
			`targetRefs:`
			`- crd:`
			`kind: VMCluster/vminsert`
			`name: test-persistent`
			`namespace: default`
			`target_path_suffix: "/insert/1"`
			`- crd:`
			`kind: VMCluster/vmselect`
			`name: test-persistent`
			`namespace: default`
			`target_path_suffix: "/select/1"`
			`- static:`
			`url: http://vmselect-test-persistent.default.svc:8481/`
			`paths:`
			`- /internal/resetRollupResultCache`
			```

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			For each `VMUser` operator generates corresponding secret with username/password or bearer token at the same namespace as `VMUser`.
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00
			`## Basic auth for targets`

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			To authenticate a `VMServiceScrape`s over a metrics endpoint use [`basicAuth`](./api.md#basicauth):
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00
			```yaml
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMServiceScrape`
			`metadata:`
			`labels:`
			`k8s-apps: basic-auth-example`
			`name: basic-auth-example`
			`spec:`
			`endpoints:`
			`- basicAuth:`
			`password:`
			`name: basic-auth`
			`key: password`
			`username:`
			`name: basic-auth`
			`key: user`
			`port: metrics`
			`selector:`
			`matchLabels:`
			`app: myapp`

Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00			`---`

Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: basic-auth`
			`data:`
			`password: dG9vcg== # toor`
			`user: YWRtaW4= # admin`
			`type: Opaque`
			```
Automatic update operator docs from VictoriaMetrics/operator@c7125bd (#5102) 2023-10-02 14:50:08 +02:00
			`## Unauthorized access`

			You can expose some routes without authorization with `unauthorizedAccessConfig`.

			`Check more details in [VMAuth docs -> Unauthorized access](./resources/vmauth.md#unauthorized-access).`

			More details about features of `VMAuth` and `VMUser` you can read in:
			`- [VMAuth docs](./resources/vmauth.md),`
			`- [VMUser docs](./resources/vmuser.md).`