mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-12-18 14:40:26 +01:00
886f545f81
### Describe Your Changes
Trimming content which is loaded from an external pass leads to obscure
issues in case user-defined input contained trimmed chars. For example,
a user-defined password "foo\n" will become "foo" while the user will expect
it to contain a new line.
---
For example, a user defines a password which ends with `\n`. This often
happens when a user uses Kubernetes secrets and manually encodes the value as
a base64-encoded string.
In this case vmauth configuration might look like:
```
users:
- url_prefix:
  - http://vminsert:8480/insert/0/prometheus/api/v1/write
  name: foo
  username: foo
  password: "foobar\n"
```
vmagent configuration for this setup will use the following flags:
```
-remoteWrite.url=http://vmauth:8427/
-remoteWrite.basicAuth.passwordFile=/tmp/vmagent-password
-remoteWrite.basicAuth.username="foo"
```
Where `/tmp/vmagent-password` is a file with `foobar\n` password.
Before this change such configuration will result in a `401 Unauthorized`
response received by vmagent, since after trimming the file content will become
`foobar`.
---
An example with Kubernetes operator which uses a secret to reference the
same password in multiple configurations.
<details>
<summary>See full manifests</summary>
`Secret`:
```
apiVersion: v1
data:
  name: Zm9v # foo
  password: Zm9vYmFyCg== # foobar\n
  username: Zm9v # foo
kind: Secret
metadata:
  name: vmuser
```
`VMUser`:
```
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: vmagents
spec:
  generatePassword: false
  name: vmagents
  targetRefs:
  - crd:
      kind: VMAgent
      name: some-other-agent
      namespace: example
  username: foo
  # note - the secret above is referenced to provide password
  passwordRef:
    name: vmagent
    key: password
```
`VMAgent`:
```
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAgent
metadata:
  name: example
spec:
  selectAllByDefault: true
  scrapeInterval: 5s
  replicaCount: 1
  remoteWrite:
  - url: "http://vmauth-vmauth-example:8427/api/v1/write"
    # note - the secret above is referenced as well
    basicAuth:
      username:
        name: vmagent
        key: username
      password:
        name: vmagent
        key: password
```
</details>
Since both configs target exactly the same `Secret` object it is expected
to work, but apparently the result will be a `401 Unauthorized` error.
### Checklist
The following checks are **mandatory**:
- [x] My change adheres to [VictoriaMetrics contributing
guidelines](https://docs.victoriametrics.com/contributing/).
---------
Signed-off-by: Zakhar Bessarab <z.bessarab@victoriametrics.com>
Signed-off-by: hagen1778 <roman@victoriametrics.com>
Co-authored-by: hagen1778 <roman@victoriametrics.com>
(cherry picked from commit
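The mismatch described in the commit message above, as an added Go example that is not code from the VictoriaMetrics repository. `authHandler` and `statusFor` are hypothetical stand-ins for the vmauth and vmagent sides, and `strings.TrimSpace` is an assumed model of the trimming.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// authHandler is a constructed stand-in for the vmauth side: user "foo" is
// accepted only when the password matches the configured bytes exactly.
func authHandler(password string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte("foo")) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(password)) == 1
		if !ok || !userOK || !passOK {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// statusFor is a constructed stand-in for the vmagent side. fileContent is the
// raw content of the password file; trim=true applies strings.TrimSpace, an
// assumed model of the trimming that the commit message describes.
func statusFor(serverPassword, fileContent string, trim bool) int {
	password := fileContent
	if trim {
		password = strings.TrimSpace(password)
	}
	req := httptest.NewRequest(http.MethodPost, "/api/v1/write", nil)
	req.SetBasicAuth("foo", password)
	rec := httptest.NewRecorder()
	authHandler(serverPassword).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Both sides are configured with the same secret value, "foobar\n".
	for _, trim := range []bool{true, false} {
		fmt.Printf("trim=%v status=%d\n", trim, statusFor("foobar\n", "foobar\n", trim))
	}
}
```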
- appmetrics
- auth
- awsapi
- backup
- blockcache
- bloomfilter
- bufferedwriter
- buildinfo
- bytesutil
- cgroup
- consts
- decimal
- encoding
- envflag
- envtemplate
- fastnum
- fasttime
- filestream
- flagutil
- formatutil
- fs
- handshake
- htmlcomponents
- httpserver
- httputils
- influxutils
- ingestserver
- leveledbytebufferpool
- logger
- logstorage
- lrucache
- memory
- mergeset
- metricsql
- netutil
- persistentqueue
- procutil
- promauth
- prompb
- prompbmarshal
- promrelabel
- promscrape
- promutils
- protoparser
- proxy
- pushmetrics
- querytracer
- ratelimiter
- regexutil
- slicesutil
- snapshot
- storage
- streamaggr
- stringsutil
- syncwg
- tenantmetrics
- timerpool
- timeutil
- uint64set
- vmselectapi
- workingsetcache
- writeconcurrencylimiter