Is your feature request related to a problem? Please describe
v1.97.0 release brought a nice feature for all VictoriaMetrics components:
FEATURE: all VictoriaMetrics components: add ability to dynamically re-read auth keys and passwords from files and urls when using file:///path/to/file or http://host/path syntax for the following command-line flags: -configAuthKey, -deleteAuthKey, -flagsAuthKey, -forceMergeAuthKey, -forceFlushAuthKey, -httpAuth.password, -metricsAuthKey, -pprofAuthKey, -reloadAuthKey, -search.resetCacheAuthKey, -snapshotAuthKey. For example, -httpAuth.password=file:///path/to/password. See these docs for details.
It is really helpful in the modern world. Nowadays it's quite a common security requirement to implement authentication between all components in your system.
I'd like to describe the problem taking VMAlert running in k8s under victoria-metrics-operator control as an example. Using OSS version.
This particular feature helps you to rotate the basic auth password stored in the file that -httpAuth.password points to.
This is how you would make vmalert read the password from a file in k8s:
create a k8s secret with password
mount this secret to vmalert via secrets option in VMAlertSpec
add httpAuth.password: file:///path/to/secret to extraArgs in VMAlertSpec
hardcode username to static httpAuth.username: my-fancy-user string in extraArgs in VMAlertSpec
Also we have VMAuth with a bunch of VMUser resources since we have multiple tenants and multiple VMAlerts/VMAgent/etc components. With the VMUser resource vmauth decides what tenant to route the incoming request to based on provided credentials. This is done via username and passwordRef/tokenRef/etc in VMUserSpec.
Now when routing is decided VMAuth has to contact the backend component. In our case it's VMAlert which is using its own basic auth configured via -httpAuth.username and -httpAuth.password. So to contact this backend VMAuth has to attach those credentials to the requests.
Fortunately you can attach credentials by referencing k8s secret in the VMUser object via TargetRefBasicAuth. This is a k8s secret selector.
So you can reference one shared k8s secret for both VMAlert and VMUser to make it work.
But VMUser gets both username and password from that secret. While VMAlert can only get password from the same secret since username can only be hardcoded via cmd params.
Describe the solution you'd like
Teach -httpAuth.username to read content of a file so that both username and password could be stored in one k8s secret. This would ease username rotation as well as password.
Also many components will be in sync in terms of username/password strings.
Describe alternatives you've considered
Create a k8s secret with both username and password.
Reference this secret for username and password using targetRefBasicAuth in VMUserSpec.
On the vmalert side, hardcode the username via -httpAuth.username. Use the way described in the first section of this github issue to propagate the password from a file.
Implement k8s secret rotation, but only password part inside. Do not touch username in the secret as there is no direct mapping to the VMAlert parameter.
Additional information
A different solution would be to provide an alternative to targetRefBasicAuth for VMUser to reference a k8s secret for password only. Username would be hardcoded somewhere in the VMUserSpec.
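The setup described in the issue above (a shared Secret, a VMAlert that reads only the password from the mounted file, and a VMUser that reads both fields via targetRefBasicAuth), written out as an added example. This is not configuration from the issue author or from the VictoriaMetrics project; the namespace, resource names, datasource/notifier URLs and the VMUser-side tenant credentials are placeholders, and the mount path /etc/vm/secrets/<secret-name> is what the operator documents for the `secrets` field and should be verified against the operator version in use.

```yaml
# Constructed example: one shared Secret for the vmalert backend credentials.
# Rotating the password means rewriting only the "password" key; the
# "username" key must stay identical to the hardcoded extraArgs value below.
apiVersion: v1
kind: Secret
metadata:
  name: vmalert-basic-auth          # placeholder name
  namespace: monitoring             # placeholder namespace
type: kubernetes.io/basic-auth
stringData:
  username: my-fancy-user
  password: change-me-on-rotation   # placeholder; rotate this key only
---
# vmalert protected by its own basic auth. The password is re-read from the
# mounted Secret file; the username can only be passed as a literal flag value.
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAlert
metadata:
  name: tenant-a
  namespace: monitoring
spec:
  datasource:
    url: http://vmauth.monitoring.svc:8427/select/0/prometheus   # placeholder
  notifier:
    url: http://vmalertmanager.monitoring.svc:9093               # placeholder
  secrets:
    - vmalert-basic-auth            # mounted at /etc/vm/secrets/vmalert-basic-auth/
  extraArgs:
    httpAuth.username: my-fancy-user   # duplicated by hand; must match the Secret
    httpAuth.password: file:///etc/vm/secrets/vmalert-basic-auth/password
---
# vmauth route for the tenant. Incoming requests are matched on the tenant's
# own credentials; outgoing requests to vmalert carry the shared Secret's
# username and password, both read from the same Secret.
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: tenant-a
  namespace: monitoring
spec:
  username: tenant-a                # placeholder tenant login
  passwordRef:
    name: tenant-a-vmauth-credentials   # placeholder Secret for the tenant login
    key: password
  targetRefs:
    - crd:
        kind: VMAlert
        name: tenant-a
        namespace: monitoring
      paths:
        - /vmalert/.*
      targetRefBasicAuth:
        username:
          name: vmalert-basic-auth
          key: username
        password:
          name: vmalert-basic-auth
          key: password
```

The two places where `my-fancy-user` appears are the crux of the issue: the VMUser side follows the Secret automatically, while the VMAlert side is a literal in `extraArgs`, so a rotation procedure that touches the `username` key would silently break authentication between vmauth and vmalert until the VMAlert flag is updated and the pod restarted.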
Thanks, but I'm not sure why to introduce new parameter. And why only for vmalert.
vmalert here is just an example. So what I would love to see is that all VictoriaMetrics components will be able to read a file via httpAuth.username, just like it was done for httpAuth.password in the v1.97.0 announcement I quoted above.