diff --git a/docs/guides/grafana-vmgateway-openid-configuration/README.md b/docs/guides/grafana-vmgateway-openid-configuration/README.md
index d5496f0827..063d9b7016 100644
--- a/docs/guides/grafana-vmgateway-openid-configuration/README.md
+++ b/docs/guides/grafana-vmgateway-openid-configuration/README.md
@@ -9,6 +9,7 @@ to restrict access to metrics to only those that belong to the tenant.
* [Grafana](https://grafana.com/)
* VictoriaMetrics single-node or cluster version
* [vmgateway](https://docs.victoriametrics.com/vmgateway/)
+* An active license key. You can obtain a trial license key [here](https://victoriametrics.com/products/enterprise/trial/).
## Configure identity service
@@ -96,7 +97,8 @@ Now starting vmgateway with enabled authentication is as simple as adding the `-
In order to enable multi-tenant access, you must also specify the `-clusterMode=true` flag.
```sh
-./bin/vmgateway -eula \
+./bin/vmgateway \
+ -licenseFile=./vm-license.key
-enable.auth=true \
-clusterMode=true \
-write.url=http://localhost:8480 \
@@ -162,7 +164,8 @@ vmgateway.
To do this by using OpenID Connect discovery endpoint you need to specify the `-auth.oidcDiscoveryEndpoints` flag. For example:
```sh
-./bin/vmgateway -eula \
+./bin/vmgateway \
+ -licenseFile=./vm-license.key
-enable.auth=true \
-clusterMode=true \
-write.url=http://localhost:8480 \
@@ -226,34 +229,34 @@ services:
KEYCLOAK_ADMIN_PASSWORD: change_me
grafana:
- image: grafana/grafana-oss:9.4.3
+ image: grafana/grafana:10.4.2
network_mode: host
volumes:
- ./grafana.ini:/etc/grafana/grafana.ini
- grafana_data:/var/lib/grafana/
vmsingle:
- image: victoriametrics/victoria-metrics:v1.91.0
+ image: victoriametrics/victoria-metrics:v1.105.0
command:
- -httpListenAddr=0.0.0.0:8429
vmstorage:
- image: victoriametrics/vmstorage:v1.91.0-cluster
+ image: victoriametrics/vmstorage:v1.105.0-cluster
vminsert:
- image: victoriametrics/vminsert:v1.91.0-cluster
+ image: victoriametrics/vminsert:v1.105.0-cluster
command:
- -storageNode=vmstorage:8400
- -httpListenAddr=0.0.0.0:8480
vmselect:
- image: victoriametrics/vmselect:v1.91.0-cluster
+ image: victoriametrics/vmselect:v1.105.0-cluster
command:
- -storageNode=vmstorage:8401
- -httpListenAddr=0.0.0.0:8481
vmagent:
- image: victoriametrics/vmagent:v1.91.0
+ image: victoriametrics/vmagent:v1.105.0
volumes:
- ./scrape.yaml:/etc/vmagent/config.yaml
command:
@@ -262,11 +265,14 @@ services:
- -remoteWrite.url=http://vmsingle:8429/api/v1/write
vmgateway-cluster:
- image: victoriametrics/vmgateway:v1.91.0-enterprise
+ image: victoriametrics/vmgateway:v1.105.0-enterprise
ports:
- 8431:8431
+ volumes:
+ - ./vm-license.key:/opt/vm-license.key
command:
- - -eula
+ - -licenseFile=/opt/vm-license.key
+ - -license.forceOffline=true
- -enable.auth=true
- -clusterMode=true
- -write.url=http://vminsert:8480
@@ -275,11 +281,13 @@ services:
- -auth.oidcDiscoveryEndpoints=http://keycloak:8080/realms/master/.well-known/openid-configuration
vmgateway-single:
- image: victoriametrics/vmgateway:v1.91.0-enterprise
+ image: victoriametrics/vmgateway:v1.105.0-enterprise
ports:
- 8432:8431
+ volumes:
+ - ./vm-license.key:/opt/vm-license.key
command:
- - -eula
+ - -licenseFile=/opt/vm-license.key
- -enable.auth=true
- -write.url=http://vmsingle:8429
- -read.url=http://vmsingle:8429
@@ -337,3 +345,69 @@ Both cluster and single node datasources now return metrics for `team=admin`.
![Admin cluster data](admin-cluster-data.webp)
![Admin single data](admin-single-data.webp)
+
+## Using oAuth for remote write with vmagent
+
+vmagent can be configured to use oAuth for remote write. This is in order to add authentication to the write requests.
+
+In order to create a client for vmagent to use, follow the steps below:
+
+1. Log in with admin credentials to your Keycloak instance
+1. Go to `Clients` -> `Create`.
+ Use `OpenID Connect` as `Client Type`.
+ Specify `vmagent` as `Client ID`.
+ Click `Next`.
+ ![Create client 1](vmagent-create-client-1.webp)
+1. Enable `Client authentication`.
+ Enable `Authorization`.
+ ![Create client 2](vmagent-create-client-2.webp)
+ Click `Next`.
+1. Leave URLs section empty as vmagent will not use any.
+ ![Create client 3](vmagent-create-client-3.webp)
+ Click `Save`.
+1. Go to `Clients` -> `vmagent` -> `Credentials`.
+ ![Client secret](vmagent-client-secret.webp)
+ Copy the value of `Client secret`. It will be used later in vmagent configuration.
+1. Go to `Clients` -> `vmagent` -> `Client scopes`.
+ Click at `vmagent-dedicated` -> `Add mapper` -> `By configuration` -> `User attribute`.
+ ![Create mapper 1](create-mapper-1.webp)
+ ![Create mapper 2](create-mapper-2.webp)
+ Configure the mapper as follows
+ - `Name` as `vm_access`.
+ - `Token Claim Name` as `vm_access`.
+ - `User Attribute` as `vm_access`.
+ - `Claim JSON Type` as `JSON`.
+ Enable `Add to ID token` and `Add to access token`.
+
+ ![Create mapper 3](create-mapper-3.webp)
+ Click `Save`.
+1. Go to `Service account roles` -> click on `service-account-vmagent`.
+ ![vmagent service account](vmagent-sa.webp)
+1. Go to `Attributes` tab and add an attribute.
+ Specify `vm_access` as `Key`.
+ Specify `{"tenant_id" : {"account_id": 0, "project_id": 0 }}` as a value.
+ ![User attributes](vmagent-sa-attributes.webp)
+ Click `Save`.
+
+Once iDP configuration is done, vmagent configuration needs to be updated to use oAuth for remote write:
+
+```yaml
+ vmagent:
+ image: victoriametrics/vmagent:v1.105.0
+ volumes:
+ - ./scrape.yaml:/etc/vmagent/config.yaml
+ - ./vmagent-client-secret:/etc/vmagent/oauth2-client-secret
+ command:
+ - -promscrape.config=/etc/vmagent/config.yaml
+ - -remoteWrite.url=http://vmgateway-cluster:8431/api/v1/write
+ - -remoteWrite.url=http://vmgateway-single:8431/api/v1/write
+ - -remoteWrite.oauth2.clientID={CLIENT_ID}
+ - -remoteWrite.oauth2.clientSecretFile=/etc/vmagent/oauth2-client-secret
+ - -remoteWrite.oauth2.tokenUrl=http://keycloak:8080/realms/master/protocol/openid-connect/token
+ - -remoteWrite.oauth2.scopes=openid
+```
+
+It is required to replace `{CLIENT_ID}` with the client ID and provide the client secret in `vmagent-client-secret` file.
+Note that vmagent will use the same token for both single-node and cluster vmgateway. vmgateway running in cluster mode
+will use tenant information from the token to route the request to the correct tenant. vmgateway running in single-node mode
+will just verify token validity.
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/grafana-datasource-prometheus.webp b/docs/guides/grafana-vmgateway-openid-configuration/grafana-datasource-prometheus.webp
index a00411be98..fb797d992d 100644
Binary files a/docs/guides/grafana-vmgateway-openid-configuration/grafana-datasource-prometheus.webp and b/docs/guides/grafana-vmgateway-openid-configuration/grafana-datasource-prometheus.webp differ
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/vmagent-client-secret.webp b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-client-secret.webp
new file mode 100644
index 0000000000..21100202b7
Binary files /dev/null and b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-client-secret.webp differ
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-1.webp b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-1.webp
new file mode 100644
index 0000000000..93408f9e8a
Binary files /dev/null and b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-1.webp differ
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-2.webp b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-2.webp
new file mode 100644
index 0000000000..beeb96318d
Binary files /dev/null and b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-2.webp differ
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-3.webp b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-3.webp
new file mode 100644
index 0000000000..63d0ce9db1
Binary files /dev/null and b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-create-client-3.webp differ
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/vmagent-sa-attributes.webp b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-sa-attributes.webp
new file mode 100644
index 0000000000..f3bff75ccf
Binary files /dev/null and b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-sa-attributes.webp differ
diff --git a/docs/guides/grafana-vmgateway-openid-configuration/vmagent-sa.webp b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-sa.webp
new file mode 100644
index 0000000000..fa7ea91e50
Binary files /dev/null and b/docs/guides/grafana-vmgateway-openid-configuration/vmagent-sa.webp differ