Victoria Metrics Gateway - Auth & Rate-Limitting proxy for Victoria Metrics
Table of Content
- Prerequisites
- Chart Details
- How to Install
- How to Uninstall
- How to use JWT signature verification
- Documentation of Helm Chart
Prerequisites #
- Install the follow packages:
git,kubectl,helm,helm-docs. See this tutorial. - PV support on underlying infrastructure
Chart Details #
This chart will do the following:
- Rollout victoria metrics gateway
How to install #
Access a Kubernetes cluster.
Setup chart repository (can be omitted for OCI repositories) #
Add a chart helm repository with follow commands:
helm repo add vm https://victoriametrics.github.io/helm-charts/
helm repo update
List versions of vm/victoria-metrics-gateway chart available to installation:
helm search repo vm/victoria-metrics-gateway -l
Install victoria-metrics-gateway chart
#
Export default values of victoria-metrics-gateway chart to file values.yaml:
For HTTPS repository
helm show values vm/victoria-metrics-gateway > values.yamlFor OCI repository
helm show values oci://ghcr.io/victoriametrics/helm-charts/victoria-metrics-gateway > values.yaml
Change the values according to the need of the environment in values.yaml file.
Test the installation with command:
For HTTPS repository
helm install vmg vm/victoria-metrics-gateway -f values.yaml -n NAMESPACE --debug --dry-runFor OCI repository
helm install vmg oci://ghcr.io/victoriametrics/helm-charts/victoria-metrics-gateway -f values.yaml -n NAMESPACE --debug --dry-run
Install chart with command:
For HTTPS repository
helm install vmg vm/victoria-metrics-gateway -f values.yaml -n NAMESPACEFor OCI repository
helm install vmg oci://ghcr.io/victoriametrics/helm-charts/victoria-metrics-gateway -f values.yaml -n NAMESPACE
Get the pods lists by running this commands:
kubectl get pods -A | grep 'vmg'
Get the application by running this command:
helm list -f vmg -n NAMESPACE
See the history of versions of vmg application with command.
helm history vmg -n NAMESPACE
How to use JWT signature verification
Kubernetes best-practice is to store sensitive configuration parts in secrets. For example, 2 keys will be stored as:
apiVersion: v1
data:
key: "<<KEY_DATA>>"
kind: Secret
metadata:
name: key1
---
apiVersion: v1
data:
key: "<<KEY_DATA>>"
kind: Secret
metadata:
name: key2
In order to use those secrets it is needed to:
- mount secrets into pod
- provide flag pointing to secret on disk
Here is an example values.yml file configuration to achieve this:
auth:
enable: true
extraVolumes:
- name: key1
secret:
secretName: key1
- name: key2
secret:
secretName: key2
extraVolumeMounts:
- name: key1
mountPath: /key1
- name: key2
mountPath: /key2
extraArgs:
envflag.enable: "true"
envflag.prefix: VM_
loggerFormat: json
auth.publicKeyFiles: "/key1/key,/key2/key"
Note that in this configuration all secret keys will be mounted and accessible to pod. Please, refer to this doc to see all available secret source options.
How to uninstall #
Remove application with command.
helm uninstall vmg -n NAMESPACE
Documentation of Helm Chart #
Install helm-docs following the instructions on this tutorial.
Generate docs with helm-docs command.
cd charts/victoria-metrics-gateway
helm-docs
The markdown generation is entirely go template driven. The tool parses metadata from charts and generates a number of sub-templates that can be referenced in a template file (by default README.md.gotmpl). If no template file is provided, the tool has a default internal template that will generate a reasonably formatted README.
Parameters #
The following tables lists the configurable parameters of the chart and their default values.
Change the values according to the need of the environment in victoria-metrics-gateway/values.yaml file.
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object |
{}
| Affinity configurations |
| annotations | object |
{}
| Annotations to be added to the deployment |
| auth | object |
enabled: false
| Access Control configuration. https://docs.victoriametrics.com/vmgateway#access-control |
| auth.enabled | bool | false | Enable/Disable access-control |
| clusterMode | bool | false | Specify to True if the source for rate-limiting, reading and writing as a VictoriaMetrics Cluster. Must be true for rate limiting |
| configMap | string | "" | Use existing configmap if specified otherwise .config values will be used. Ref: https://docs.victoriametrics.com/vmgateway |
| containerWorkingDir | string | / | |
| env | list |
[]
| Additional environment variables (ex.: secret tokens, flags) https://github.com/VictoriaMetrics/VictoriaMetrics#environment-variables |
| envFrom | list |
[]
| |
| extraArgs."envflag.enable" | string | "true" | |
| extraArgs."envflag.prefix" | string | VM_ | |
| extraArgs.loggerFormat | string | json | |
| extraContainers | list |
[]
| |
| extraHostPathMounts | list |
[]
| Additional hostPath mounts |
| extraVolumeMounts | list |
[]
| Extra Volume Mounts for the container |
| extraVolumes | list |
[]
| Extra Volumes for the pod |
| fullnameOverride | string | "" | |
| global.compatibility.openshift.adaptSecurityContext | string | auto | |
| global.image.registry | string | "" | |
| global.imagePullSecrets | list |
[]
| |
| image.pullPolicy | string | IfNotPresent | Pull policy of Docker image |
| image.registry | string | "" | Victoria Metrics gateway Docker registry |
| image.repository | string | victoriametrics/vmgateway | Victoria Metrics gateway Docker repository and image name |
| image.tag | string | "" | Tag of Docker image override Chart.AppVersion |
| image.variant | string | "" | |
| imagePullSecrets | list |
[]
| |
| ingress.annotations | object |
{}
| |
| ingress.enabled | bool | false | |
| ingress.extraLabels | object |
{}
| |
| ingress.hosts | list |
[]
| |
| ingress.pathType | string | Prefix | pathType is only for k8s >= 1.1= |
| ingress.tls | list |
[]
| |
| license | object |
key: ""
secret:
key: ""
name: ""
| Enterprise license key configuration for VictoriaMetrics enterprise. Required only for VictoriaMetrics enterprise. Documentation - https://docs.victoriametrics.com/enterprise, for more information, visit https://victoriametrics.com/products/enterprise/ . To request a trial license, go to https://victoriametrics.com/products/enterprise/trial/ Supported starting from VictoriaMetrics v1.94.0 |
| license.key | string | "" | License key |
| license.secret | object |
key: ""
name: ""
| Use existing secret with license key |
| license.secret.key | string | "" | Key in secret with license key |
| license.secret.name | string | "" | Existing secret name |
| nameOverride | string | "" | |
| nodeSelector | object |
{}
| NodeSelector configurations. Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
| podAnnotations | object |
{}
| Annotations to be added to pod |
| podDisruptionBudget | object |
enabled: false
labels: {}
| See |
| podSecurityContext.enabled | bool | true | |
| probe.liveness | object |
initialDelaySeconds: 5
periodSeconds: 15
tcpSocket: {}
timeoutSeconds: 5
| liveness probe |
| probe.readiness | object |
httpGet: {}
initialDelaySeconds: 5
periodSeconds: 15
| readiness probe |
| probe.startup | object |
{}
| startup probe |
| rateLimiter | object |
config: {}
datasource:
url: ""
enabled: false
| Rate limiter configuration. Docs https://docs.victoriametrics.com/vmgateway#rate-limiter |
| rateLimiter.datasource.url | string | "" | Datasource VictoriaMetrics or vmselects. Required. Example http://victoroametrics:8428 or http://vmselect:8481/select/0/prometheus |
| rateLimiter.enabled | bool | false | Enable/Disable rate-limiting |
| read.url | string | "" | Read endpoint without suffixes, victoriametrics or vmselect. Example http://victoroametrics:8428 or http://vmselect:8481 |
| replicaCount | int | 1 | Number of replicas of vmgateway |
| resources | object |
{}
| We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after ‘resources:’. |
| securityContext | object |
enabled: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
| Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| service.annotations | object |
{}
| |
| service.clusterIP | string | "" | |
| service.enabled | bool | true | |
| service.externalIPs | list |
[]
| |
| service.extraLabels | object |
{}
| |
| service.ipFamilies | list |
[]
| |
| service.ipFamilyPolicy | string | "" | |
| service.loadBalancerIP | string | "" | |
| service.loadBalancerSourceRanges | list |
[]
| |
| service.servicePort | int | 8431 | |
| service.type | string | ClusterIP | |
| serviceAccount.annotations | object |
{}
| Annotations to add to the service account |
| serviceAccount.create | bool | true | Specifies whether a service account should be created |
| serviceAccount.name | string | null | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| serviceMonitor.annotations | object |
{}
| Service Monitor annotations |
| serviceMonitor.basicAuth | object |
{}
| Basic auth params for Service Monitor |
| serviceMonitor.enabled | bool | false | Enable deployment of Service Monitor for server component. This is Prometheus operator object |
| serviceMonitor.extraLabels | object |
{}
| Service Monitor labels |
| serviceMonitor.metricRelabelings | list |
[]
| Service Monitor metricRelabelings |
| serviceMonitor.relabelings | list |
[]
| Service Monitor relabelings |
| tolerations | list |
[]
| Tolerations configurations. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
| write.url | string | "" | Write endpoint without suffixes, victoriametrics or vminsert. Example http://victoroametrics:8428 or http://vminsert:8480 |