Teach -httpAuth.username to read content of a file #6283
Comments
Hi @ptimofee
Thanks, but I'm not sure why to introduce a new parameter. And why only for vmalert? vmalert here is just an example. So what I would love to see is that all VictoriaMetrics components will be able to read a file via httpAuth.username, just like it was done for httpAuth.password in the v1.97.0 announcement I quoted above.
I.e. what was suggested in the PR won't really change anything for me.
I think it makes sense to remove
Is your feature request related to a problem? Please describe
The v1.97.0 release brought a nice feature for all VictoriaMetrics components: `file:///path/to/file` or `http://host/path` syntax for the following command-line flags: `-configAuthKey`, `-deleteAuthKey`, `-flagsAuthKey`, `-forceMergeAuthKey`, `-forceFlushAuthKey`, `-httpAuth.password`, `-metricsAuthKey`, `-pprofAuthKey`, `-reloadAuthKey`, `-search.resetCacheAuthKey`, `-snapshotAuthKey`. For example, `-httpAuth.password=file:///path/to/password`. See these docs for details.

It is really helpful in the modern world. Nowadays it's quite a common security requirement to implement authentication between all components in your system.
I'd like to describe the problem taking VMAlert running in k8s under victoria-metrics-operator control as an example, using the OSS version. This particular feature helps you to rotate the basic auth password stored in the file where `-httpAuth.password` is pointed to. This is how you would make vmalert read the password from a file in k8s:
- `secrets` option in VMAlertSpec
- `httpAuth.password: file:///path/to/secret` to `extraArgs` in VMAlertSpec
- `httpAuth.username: my-fancy-user` string in `extraArgs` in VMAlertSpec

Also we have VMAuth with a bunch of VMUser resources since we have multiple tenants and multiple VMAlerts/VMAgent/etc components. With the VMUser resource vmauth decides what tenant to route the incoming request to based on the provided credentials. This is done via username and passwordRef/tokenRef/etc in VMUserSpec. Now when routing is decided VMAuth has to contact the backend component. In our case it's VMAlert, which is using its own basic auth configured via `-httpAuth.username` and `-httpAuth.password`. So to contact this backend VMAuth has to attach those credentials to the requests. Fortunately you can attach credentials by referencing a k8s secret in the VMUser object via TargetRefBasicAuth. This is a k8s secret selector.
So you can reference one shared k8s secret for both VMAlert and VMUser to make it work.
But VMUser gets both username and password from that secret, while VMAlert can only get the password from the same secret since the username can only be hardcoded via cmd params.
Describe the solution you'd like
Teach `-httpAuth.username` to read the content of a file so that both username and password could be stored in one k8s secret. This would ease username rotation as well as password rotation. Also many components will be in sync in terms of username/password strings.
Describe alternatives you've considered
- `targetRefBasicAuth` in VMUserSpec.
- `-httpAuth.username`.
- Use the way described in the first section of this github issue to propagate the password from a file.

Additional information
A different solution would be to provide an alternative to `targetRefBasicAuth` for VMUser to reference a k8s secret for the password only. The username would be hardcoded somewhere in the VMUserSpec.
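As an added illustration of the behaviour requested above (this is not VictoriaMetrics' own code), the following Go snippet resolves a flag value such as `-httpAuth.username` the way the issue describes for `file:///path/to/file`; the function names, the whitespace trimming of the file contents, and the temp-file demo are assumptions, and the `http://` form is left out.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveSecretFlag is an assumed re-implementation (not VictoriaMetrics' own
// code) of the file:///path flag syntax from the issue: a "file://" value is
// replaced by the file's contents, trimmed so a trailing newline in the secret
// does not become part of the credential; any other value is returned as-is.
func resolveSecretFlag(value string) (string, error) {
	const prefix = "file://"
	if !strings.HasPrefix(value, prefix) {
		return value, nil
	}
	path := strings.TrimPrefix(value, prefix)
	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("cannot read secret from %q: %w", path, err)
	}
	return strings.TrimSpace(string(data)), nil
}

// demo writes a constructed username secret to a temp file and resolves both a
// literal value and a file:// reference, returning the two resolved strings.
func demo() (literal, fromFile string, err error) {
	dir, err := os.MkdirTemp("", "vm-secret-demo")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	secretPath := filepath.Join(dir, "username")
	// Constructed sample secret, with the trailing newline many secret tools add.
	if err = os.WriteFile(secretPath, []byte("my-fancy-user\n"), 0o600); err != nil {
		return "", "", err
	}
	if literal, err = resolveSecretFlag("my-fancy-user"); err != nil {
		return "", "", err
	}
	fromFile, err = resolveSecretFlag("file://" + secretPath)
	return literal, fromFile, err
}

func main() {
	literal, fromFile, err := demo()
	fmt.Printf("literal=%q fromFile=%q err=%v\n", literal, fromFile, err)
}
```

Both the literal `my-fancy-user` and the `file://` reference resolve to the same credential string, which is what lets one k8s secret serve VMAlert and VMUser alike.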