Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: f41gh7 <nik@victoriametrics.com>
5.2 KiB
weight | title | menu | aliases | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
15 | VMUser |
|
|
The VMUser
CRD describes user configuration, its authentication methods basic auth
or Authorization
header.
User access permissions, with possible routing information.
User can define routing target with static
config, by entering target url
, or with CRDRef
, in this case,
operator queries kubernetes API, retrieves information about CRD and builds proper url.
Specification
You can see the full actual specification of the VMUser
resource in
the API docs -> VMUser.
Also, you can check out the examples section.
Authentication methods
There are two authentication mechanisms: "Bearer token" and "Basic auth" with username
and password
.
Only one of them can be used with VMUser
at one time.
Operator creates Secret
for every VMUser
with name - vmuser-{VMUser.metadata.name}
.
It places username
+ password
or bearerToken
into data
section.
Bearer token
Bearer token is a way to authenticate user with Authorization
header.
User defines token
field in auth
section.
Also, you can check out the examples section.
Basic auth
Basic auth is the simplest way to authenticate user. User defines username
and password
fields in auth
section.
If username
is empty, metadata.name
from VMUser
used as username
.
You can automatically generate password
if:
- Set
generatePassword: true
field - Don't fill
password
field
Operator generates random password for this VMUser
,
this password will be added to the Secret
for this VMUser
at data.password
field.
Also, you can check out the examples section.
Routing
You can define routes for user in targetRefs
section.
For every entry in targetRefs
you can define routing target with static
config, by entering target url
,
or with crd
, in this case, operator queries kubernetes API, retrieves information about CRD and builds proper url.
Here are details about other fields in targetRefs
:
paths
is the same assrc_paths
from auth configheaders
is the same asheaders
from auth configtargetPathSuffix
is the suffix forurl_prefix
(target URL) from auth config
Static
The static
field is the same as url_prefix
(target URL) from auth config,
it allows you to set a specific static URL.
CRDRef
The crd
field is a more convenient form for specifying the components handled by the operator as auth targets.
User can define routing target with crd
config, by entering kind
, name
and namespace
of CRD.
Operator supports following kinds in kind
field:
VMAgent
for VMAgentVMAlert
for VMAlertVMAlertmanager
for VMAlertmanagerVMSingle
for VMSingleVMCluster/vmselect
,VMCluster/vminsert
andVMCluster/vmstorage
for VMCluster
Also, you can check out the examples section.
Additional fields like path
and scheme
can be added to CRDRef
config.
Enterprise features
Custom resource VMUser
supports feature IP filters
from VictoriaMetrics Enterprise.
IP Filters
For using IP filters you need to enable VMAuth Enterprise.
After that you can add ip_filters
field to VMUser
:
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
name: vmuser-ent-example
spec:
username: simple-user
password: simple-password
# using enterprise features: ip filters for vmuser
# more details about ip filters you can read in https://docs.victoriametrics.com/operator/resources/vmuser#enterprise-features
ip_filters:
allow_list:
- 10.0.0.0/24
- 1.2.3.4
deny_list:
- 5.6.7.8
Examples
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
name: example
spec:
username: simple-user
password: simple-password
targetRefs:
- crd:
kind: VMSingle
name: example
namespace: default
paths: ["/.*"]
- static:
url: http://vmalert-example.default.svc:8080
paths: ["/api/v1/groups","/api/v1/alerts"]
More examples see on Authorization and exposing components page and in Quickstart guide.