Teach -httpAuth.username to read content of a file #6283

ptimofee opened this issue May 15, 2024 · 4 comments
Labels
enhancement New feature or request vmalert

Comments

@ptimofee

ptimofee commented May 15, 2024

Is your feature request related to a problem? Please describe

v1.97.0 release brought a nice feature for all VictoriaMetrics components:

  • FEATURE: all VictoriaMetrics components: add ability to dynamically re-read auth keys and passwords from files and urls when using file:///path/to/file or http://host/path syntax for the following command-line flags: -configAuthKey, -deleteAuthKey, -flagsAuthKey, -forceMergeAuthKey, -forceFlushAuthKey, -httpAuth.password, -metricsAuthKey, -pprofAuthKey, -reloadAuthKey, -search.resetCacheAuthKey, -snapshotAuthKey. For example, -httpAuth.password=file:///path/to/password. See these docs for details.

It is really helpful in the modern world. Nowadays it's quite a common security requirement to implement authentication between all components in your system.

I'd like to describe the problem taking VMAlert running in k8s under victoria-metrics-operator control as an example. Using the OSS version.

This particular feature helps you rotate the basic auth password stored in the file that -httpAuth.password points to.
This is how you would make vmalert read the password from a file in k8s:

  • create a k8s secret with password
  • mount this secret to vmalert via secrets option in VMAlertSpec
  • add httpAuth.password: file:///path/to/secret to extraArgs in VMAlertSpec
  • hardcode the username as a static httpAuth.username: my-fancy-user string in extraArgs in VMAlertSpec

Also we have VMAuth with a bunch of VMUser resources since we have multiple tenants and multiple VMAlerts/VMAgent/etc components. With the VMUser resource vmauth decides what tenant to route the incoming request to based on provided credentials. This is done via username and passwordRef/tokenRef/etc in VMUserSpec.
Now, once routing is decided, VMAuth has to contact the backend component. In our case it's VMAlert, which is using its own basic auth configured via -httpAuth.username and -httpAuth.password. So to contact this backend VMAuth has to attach those credentials to the requests.
Fortunately, you can attach credentials by referencing a k8s secret in the VMUser object via TargetRefBasicAuth. This is a k8s secret selector.

So you can reference one shared k8s secret for both VMAlert and VMUser to make it work.

But VMUser gets both username and password from that secret, while VMAlert can only get the password from the same secret, since the username can only be hardcoded via cmd params.

Describe the solution you'd like

Teach -httpAuth.username to read the content of a file so that both username and password can be stored in one k8s secret. This would ease username rotation as well as password rotation.
Also, many components will be in sync in terms of username/password strings.

Describe alternatives you've considered

  • Create a k8s secret with both username and password.
  • Reference this secret for username and password using targetRefBasicAuth in VMUserSpec.
  • On the vmalert side, hardcode the username via -httpAuth.username. Use the way described in the first section of this GitHub issue to propagate the password from a file.
  • Implement k8s secret rotation, but only password part inside. Do not touch username in the secret as there is no direct mapping to the VMAlert parameter.

Additional information

A different solution would be to provide an alternative to targetRefBasicAuth for VMUser to reference a k8s secret for the password only. The username would be hardcoded somewhere in the VMUserSpec.
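The setup the issue describes, written out as an added example that is not part of the issue or of the operator's own docs: one k8s Secret holds both credentials, a VMAlert mounts it and points -httpAuth.password at the password key while the username stays a literal, and a VMUser references the same Secret through targetRefBasicAuth. The object names, the datasource URL, the second tenant Secret and the /etc/vm/secrets/<secret>/<key> mount path are assumptions.

```yaml
# Constructed example: one Secret feeds both VMAlert (backend auth) and VMUser (vmauth routing).
apiVersion: v1
kind: Secret
metadata:
  name: vmalert-basic-auth             # assumed name
type: Opaque
stringData:
  username: my-fancy-user
  password: change-me-on-rotation      # placeholder value; rotation means updating this key
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAlert
metadata:
  name: example                        # assumed name
spec:
  datasource:
    url: http://vmsingle-example.default.svc:8429   # assumed datasource
  secrets:                             # mounted by the operator; path below is assumed
    - vmalert-basic-auth
  extraArgs:
    # password is re-read from the file on rotation (v1.97.0 feature quoted above)
    httpAuth.password: file:///etc/vm/secrets/vmalert-basic-auth/password
    # username has to be a literal today: a copy of the Secret's username key
    httpAuth.username: my-fancy-user
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: tenant-a                       # assumed name
spec:
  username: tenant-a                   # credentials vmauth checks on incoming requests
  passwordRef:
    name: tenant-a-credentials         # assumed second Secret, not shown
    key: password
  targetRefs:
    - crd:
        kind: VMAlert
        name: example
        namespace: default
      # both fields come from the shared Secret, so rotating the username key there
      # changes what vmauth sends but not what vmalert expects
      targetRefBasicAuth:
        username:
          name: vmalert-basic-auth
          key: username
        password:
          name: vmalert-basic-auth
          key: password
```

With the change the issue asks for, httpAuth.username could point at file:///etc/vm/secrets/vmalert-basic-auth/username instead of the literal, so both sides read the same Secret.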

@AndrewChubatiuk
Contributor

Hi @ptimofee
added PR with usernameFile argument for vmalert

@Amper Amper added the vmalert label May 16, 2024
@ptimofee
Author

ptimofee commented May 16, 2024

Thanks, but I'm not sure why introduce a new parameter. And why only for vmalert.

vmalert here is just an example. So what I would love to see is that all VictoriaMetrics components are able to read a file via httpAuth.username, just like it was done for httpAuth.password in the v1.97.0 announcement I quoted above.

@ptimofee
Author

I.e. what was suggested in the PR won't really change anything for me.

@ptimofee
Author

I think it makes sense to remove vmalert from the Labels list.
