Exposing components #

CRD objects doesn’t have ingress configuration. Instead, you can use VMAuth as proxy between ingress-controller and VictoriaMetrics components.

It adds missing authorization and access control features and enforces it.

Access can be given with VMUser definition.

It supports basic auth and bearer token authentication:

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: main-router
spec:
  userNamespaceSelector: {}
  userSelector: {}
  ingress: {}
    

Advanced configuration with cert-manager annotations:

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: router-main
spec:
  podMetadata:
    labels:
      component: vmauth
  userSelector: {}
  userNamespaceSelector: {}
  replicaCount: 2
  resources:
    requests:
      cpu: "250m"
      memory: "350Mi"
    limits:
      cpu: "500m"
      memory: "850Mi"
  ingress:
    tlsSecretName: vmauth-tls
    annotations:
      cert-manager.io/cluster-issuer: base
    class_name: nginx
    tlsHosts:
      - vm-access.example.com
    

Simple static routing with read-only access to vmagent for username - user-1 with password Asafs124142:

      # curl vmauth:8427/metrics -u 'user-1:Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-1
spec:
  password: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1","/targets","/metrics"]
    

With bearer token access:

      # curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-2
spec:
  bearerToken: Asafs124142
  targetRefs:
    - static:
        url: http://vmagent-base.default.svc:8429
      paths: ["/targets/api/v1","/targets","/metrics"]
    

It’s also possible to use service discovery for objects:

      # curl vmauth:8427/metrics -H 'Authorization: Bearer Asafs124142'
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: user-3
spec:
  bearerToken: Asafs124142
  targetRefs:
    - crd:
        kind: VMAgent
        name: base
        namespace: default
      paths: ["/targets/api/v1","/targets","/metrics"]
    

VMCluster #

VMCluster exposes two user-facing services — vminsert (write path, port 8480) and vmselect (read path, port 8481). Both can be routed through a single VMAuth ingress using VMUser objects. See VMCluster — Services and URLs for the full list of service names and ports.

The example below exposes VMUI and the query API (tenant 0) for public read-only access via ingress, and write access for an authenticated user:

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: cluster-proxy
  namespace: default
spec:
  selectAllByDefault: true
  ingress:
    class_name: nginx                      # change to your ingress class
    host: victoriametrics.example.org
  unauthorizedUserAccessSpec:
    targetRefs:
      - crd:
          kind: VMCluster/vmselect
          name: example
          namespace: default
        target_path_suffix: "/select/0"
        paths:
          - "/prometheus/.*"
          - "/vmui.*"
---
# Write access: Prometheus remote write
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: cluster-writer
  namespace: default
spec:
  username: writer
  generatePassword: true
  targetRefs:
    - crd:
        kind: VMCluster/vminsert
        name: example
        namespace: default
      target_path_suffix: "/insert/0"
      paths:
        - "/prometheus/.*"
    

Cluster components also support auto path generation for multi-tenant setups:

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
 name: vmuser-tenant-1
spec:
 bearerToken: some-token
 targetRefs:
  - crd:
     kind: VMCluster/vminsert
     name: test-persistent
     namespace: default
    paths:
      - /
    target_path_suffix: "/insert/1"
    query_args:
      - name: extra_filters
        values:
          - '{__name__!="service_info"}'
  - crd:
     kind: VMCluster/vmselect
     name: test-persistent
     namespace: default
    paths:
      - /
    target_path_suffix: "/select/1"
  - static:
     url: http://vmselect-test-persistent.default.svc:8481/
    paths:
     - /internal/resetRollupResultCache
    

For each VMUser operator generates corresponding secret with username/password or bearer token at the same namespace as VMUser.

VLCluster #

VLCluster exposes two user-facing services — vlinsert (write path, port 9481) and vlselect (read path, port 9471). Both can be routed through a single VMAuth ingress using VMUser objects. See VLCluster — Services and URLs for the full list of service names and ports.

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: logs-proxy
  namespace: default
spec:
  selectAllByDefault: true
  ingress:
    class_name: nginx                      # change to your ingress class
    host: victorialogs.example.org
  unauthorizedUserAccessSpec:
    targetRefs:
      - crd:
          kind: VLCluster/vlselect
          name: example
          namespace: default
        paths:
          - "/select/.*"
---
# Write access for log shippers (Fluentbit, Alloy, etc.)
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: logs-writer
  namespace: default
spec:
  username: writer
  generatePassword: true
  targetRefs:
    - crd:
        kind: VLCluster/vlinsert
        name: example
        namespace: default
      paths:
        - "/insert/.*"
    

VTCluster #

VTCluster exposes two user-facing services — vtinsert (write path, port 10481) and vtselect (read path, port 10471). Both can be routed through a single VMAuth ingress using VMUser objects. See VTCluster — Services and URLs for the full list of service names and ports.

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: traces-proxy
  namespace: default
spec:
  selectAllByDefault: true
  ingress:
    class_name: nginx                      # change to your ingress class
    host: victoriatraces.example.org
  unauthorizedUserAccessSpec:
    targetRefs:
      - crd:
          kind: VTCluster/vtselect
          name: example
          namespace: default
        paths:
          - "/select/.*"
---
# Write access for OpenTelemetry collectors
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: traces-writer
  namespace: default
spec:
  username: writer
  generatePassword: true
  targetRefs:
    - crd:
        kind: VTCluster/vtinsert
        name: example
        namespace: default
      paths:
        - "/insert/.*"
    

Basic auth for targets #

To authenticate a VMServiceScrapes over a metrics endpoint use basicAuth :

      apiVersion: operator.victoriametrics.com/v1beta1
kind: VMServiceScrape
metadata:
  labels:
    k8s-apps: basic-auth-example
  name: basic-auth-example
spec:
  endpoints:
  - basicAuth:
      password:
        name: basic-auth
        key: password
      username:
        name: basic-auth
        key: user
    port: metrics
  selector:
    matchLabels:
      app: myapp

---

apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
data:
  password: dG9vcg== # toor
  user: YWRtaW4= # admin
type: Opaque
    

Create VMUser using an existing secret #

Bearer Token #

      apiVersion: v1
kind: Secret
metadata:
  name: victoria-reader-password # Name of the secret
  namespace: vm # Ensure this matches the namespace of your VMUser
type: Opaque
data:
  token: dmljdG9yaWEtaXMtY29vbA== # Base64 encoded value of 'victoria-is-cool'
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: victoria-reader
spec:
  name: victoria-reader
  bearerTokenSecret:
    name: victoria-reader-token
    key: token
  targetRefs:
    - crd:
        kind: VMCluster/vmselect
        name: victoriametrics-cluster
        namespace: vm
      target_path_suffix: '/select/1'
      paths:
        - '/prometheus/.*'
---
    

Username and Password #

      ---
apiVersion: v1
kind: Secret
metadata:
  name: victoria-reader-token # Name of the secret
  namespace: vm # Ensure this matches the namespace of your VMUser
type: Opaque
data:
  password: dmljdG9yaWEtaXMtY29vbA== # Base64 encoded value of 'victoria-is-cool'
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: victoria-reader-basic
spec:
  name: victoria-reader-basic
  username: victoria-reader
  passwordRef:
    name: victoria-reader-password
    key: password
  targetRefs:
    - crd:
        kind: VMCluster/vmselect
        name: victoriametrics-cluster
        namespace: vm
      target_path_suffix: '/select/1'
      paths:
        - '/prometheus/.*'
    

Unauthorized access #

You can expose some routes without authorization with unauthorizedUserAccessSpec.

Check more details in VMAuth docs -> Unauthorized access .

More details about features of VMAuth and VMUser you can read in: