From 1e1fd7541e1a6419ebe41990292ca413b95f32b0 Mon Sep 17 00:00:00 2001 From: Andrii Chubatiuk Date: Sat, 23 Nov 2024 21:13:30 +0200 Subject: [PATCH] k8s-stack: updated vmauth configuration generation --- .../victoria-metrics-distributed/CHANGELOG.md | 2 +- .../victoria-metrics-k8s-stack/CHANGELOG.md | 3 + charts/victoria-metrics-k8s-stack/README.md | 96 +++++++++---------- .../README.md.gotmpl | 37 +++++++ .../templates/_helpers.tpl | 72 +++----------- charts/victoria-metrics-k8s-stack/values.yaml | 34 ++----- 6 files changed, 108 insertions(+), 136 deletions(-) diff --git a/charts/victoria-metrics-distributed/CHANGELOG.md b/charts/victoria-metrics-distributed/CHANGELOG.md index 396ce1292..288d6ad1c 100644 --- a/charts/victoria-metrics-distributed/CHANGELOG.md +++ b/charts/victoria-metrics-distributed/CHANGELOG.md @@ -9,7 +9,7 @@ ![AppVersion: v1.106.1](https://img.shields.io/static/v1?label=AppVersion&message=v1.106.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) -**Update note**: This release contains breaking changes. please follow [upgrade guide](../#upgrade-to-050) +**Update note**: This release contains breaking changes. please follow [upgrade guide](./#upgrade-to-050) - set default DNS domain to `cluster.local.` - added `.Values.zoneTpl` to define a default configuration for each `.Values.availabilityZones` diff --git a/charts/victoria-metrics-k8s-stack/CHANGELOG.md b/charts/victoria-metrics-k8s-stack/CHANGELOG.md index 8a413997a..1b253d94c 100644 --- a/charts/victoria-metrics-k8s-stack/CHANGELOG.md +++ b/charts/victoria-metrics-k8s-stack/CHANGELOG.md 
@@ -1,8 +1,11 @@ ## Next release +**Update note**: This release contains breaking changes. please follow [upgrade guide](./#upgrade-to-0290) + - fixed ability to override CR names using `.name`. See [this issue](https://github.com/VictoriaMetrics/helm-charts/issues/1778) - updated common dependency 0.0.28 -> 0.0.29 - bump operator chart version to 0.38.0 +- replaced all `.vmauth` params to `vmauth.spec` to provide more flexibility in vmauth configuration. See [this issue](https://github.com/VictoriaMetrics/helm-charts/issues/1793) ## 0.28.4 diff --git a/charts/victoria-metrics-k8s-stack/README.md b/charts/victoria-metrics-k8s-stack/README.md index ea05a633a..16f1825b5 100644 --- a/charts/victoria-metrics-k8s-stack/README.md +++ b/charts/victoria-metrics-k8s-stack/README.md @@ -348,6 +348,44 @@ $ helm show crds vm/victoria-metrics-k8s-stack --version [YOUR_CHART_VERSION] | All other manual actions upgrades listed below: +### Upgrade to 0.29.0 + +To provide more flexibility for VMAuth configuration all `.vmauth` params were moved to `vmauth.spec`. +Also `.vm.write` and `.vm.read` variables are available in `vmauth.spec`, which represent `vmsingle`, `vminsert`, `externalVM.write` and `vmsingle`, `vmselect`, `externalVM.read` parsed URLs respectively. + +If your configuration in version < 0.29.0 looked like below: + +``` +vmcluster: + vmauth: + vmselect: + - src_paths: + - /select/.* + url_prefix: + - / + vminsert: + - src_paths: + - /insert/.* + url_prefix: + - / +``` + +In 0.29.0 it should look like: + +``` +vmauth: + spec: + unauthorizedAccessConfig: + - src_paths: + - '{{ .vm.read.path }}/.*' + url_prefix: + - '{{ urlJoin (omit .vm.read "path") }}/' + - src_paths: + - '{{ .vm.write.path }}/.*' + url_prefix: + - '{{ urlJoin (omit .vm.write "path") }}/' +``` + ### Upgrade to 0.13.0 - node-exporter starting from version 4.0.0 is using the Kubernetes recommended labels. Therefore you have to delete the daemonset before you upgrade. @@ -1249,43 +1287,12 @@ vmsingle:
 read:
     url: ""
-vmauth:
-    read:
-        - src_paths:
-            - /select/.*
-          url_prefix:
-            - /
-    write:
-        - src_paths:
-            - /insert/.*
-          url_prefix:
-            - /
 write:
     url: ""
 
 

External VM read and write URLs

- - - - externalVM.vmauth - object -
-read:
-    - src_paths:
-        - /select/.*
-      url_prefix:
-        - /
-write:
-    - src_paths:
-        - /insert/.*
-      url_prefix:
-        - /
-
-
- -

Custom VMAuth config, url_prefix requires only path, which will be appended to a read and write base URL. To disable auth for read or write empty list for component config externalVM.vmauth.<component>: []

@@ -2408,10 +2415,15 @@ selectAllByDefault: true
 discover_backend_ips: true
 port: "8427"
+unauthorizedAccessConfig:
+    - src_paths:
+        - '{{ .vm.read.path }}/.*'
+      url_prefix:
+        - '{{ urlJoin (omit .vm.read "path") }}/'
 
 
-

Full spec for VMAuth CRD. Allowed values described here

+

Full spec for VMAuth CRD. Allowed values described here It’s possible to use given below predefined variables in spec: * {{ .vm.read }} - parsed vmselect, vmsingle or externalVM.read URL * {{ .vm.write }} - parsed vminsert, vmsingle or externalVM.write URL

@@ -2781,26 +2793,6 @@ vmstorage:

Data retention period. Possible units character: h(ours), d(ays), w(eeks), y(ears), if no unit character specified - month. The minimum retention period is 24h. See these docs

- - - - vmcluster.vmauth - object -
-vminsert:
-    - src_paths:
-        - /insert/.*
-      url_prefix:
-        - /
-vmselect:
-    - src_paths:
-        - /select/.*
-      url_prefix:
-        - /
-
-
- -

Custom VMAuth config, url_prefix requires only path, which will be appended to a select and insert base URL. To disable auth for vmselect or vminsert empty list for component config vmcluster.vmauth.<component>: []

diff --git a/charts/victoria-metrics-k8s-stack/README.md.gotmpl b/charts/victoria-metrics-k8s-stack/README.md.gotmpl index f8218a9c2..0c656f09c 100644 --- a/charts/victoria-metrics-k8s-stack/README.md.gotmpl +++ b/charts/victoria-metrics-k8s-stack/README.md.gotmpl @@ -265,6 +265,43 @@ $ helm show crds vm/victoria-metrics-k8s-stack --version [YOUR_CHART_VERSION] | All other manual actions upgrades listed below: +### Upgrade to 0.29.0 + +To provide more flexibility for VMAuth configuration all `.vmauth` params were moved to `vmauth.spec`. +Also `.vm.write` and `.vm.read` variables are available in `vmauth.spec`, which represent `vmsingle`, `vminsert`, `externalVM.write` and `vmsingle`, `vmselect`, `externalVM.read` parsed URLs respectively. + +If your configuration in version < 0.29.0 looked like below: + +``` +vmcluster: + vmauth: + vmselect: + - src_paths: + - /select/.* + url_prefix: + - / + vminsert: + - src_paths: + - /insert/.* + url_prefix: + - / +``` + +In 0.29.0 it should look like: + +``` +vmauth: + spec: + unauthorizedAccessConfig: + - src_paths: + - '{{"{{"}} .vm.read.path {{"}}"}}/.*' + url_prefix: + - '{{"{{"}} urlJoin (omit .vm.read "path") {{"}}"}}/' + - src_paths: + - '{{"{{"}} .vm.write.path {{"}}"}}/.*' + url_prefix: + - '{{"{{"}} urlJoin (omit .vm.write "path") {{"}}"}}/' +``` ### Upgrade to 0.13.0 diff --git a/charts/victoria-metrics-k8s-stack/templates/_helpers.tpl b/charts/victoria-metrics-k8s-stack/templates/_helpers.tpl index 8dcb7edcc..bbb1e19e9 100644 --- a/charts/victoria-metrics-k8s-stack/templates/_helpers.tpl +++ b/charts/victoria-metrics-k8s-stack/templates/_helpers.tpl 
@@ -29,11 +29,7 @@
 {{- $baseURL := include "vm.url" . -}}
 {{- $_ := set $endpoint "url" (printf "%s/api/v1/write" $baseURL) -}}
 {{- else if $Values.vmcluster.enabled -}}
- {{- if $Values.vmauth.enabled -}}
- {{- $_ := set . "appKey" (list "vmauth" "spec") -}}
- {{- else -}}
- {{- $_ := set . "appKey" (list "vmcluster" "spec" "vminsert") -}}
- {{- end -}}
+ {{- $_ := set . "appKey" (list "vmcluster" "spec" "vminsert") -}}
 {{- $baseURL := include "vm.url" . -}}
 {{- $tenant := $Values.tenant | default 0 -}}
 {{- $_ := set $endpoint "url" (printf "%s/insert/%d/prometheus/api/v1/write" $baseURL (int $tenant)) -}}
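Review bot: Dropping the `$Values.vmauth.enabled` branch means the write endpoint now always targets vminsert directly, so in-cluster remote-write no longer passes through vmauth even when it is enabled — a change in the write path that neither this hunk nor the 0.29.0 changelog entry records. If that is intended (vmauth no longer routes `/insert` by default), say so where the new `appKey` is set, e.g. `{{- /* write endpoint targets vminsert directly; vmauth is not in the in-cluster write path since 0.29.0 */ -}}`, and add a sentence to the 0.29.0 changelog note. The enclosing define starts before this hunk, so I cannot tell whether the vmsingle branch above it and `vm.read.endpoint` received the same treatment.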
@@ -160,67 +156,29 @@
 {{- /* VMAuth spec */ -}}
 {{- define "vm.auth.spec" -}}
 {{- $Values := (.helm).Values | default .Values }}
- {{- $unauthorizedAccessConfig := default list }}
 {{- $_ := set . "style" "managed" -}}
 {{- if $Values.vmsingle.enabled -}}
 {{- $_ := set . "appKey" (list "vmsingle" "spec") -}}
- {{- $url := include "vm.url" . }}
- {{- $srcPath := clean (printf "%s/.*" (urlParse $url).path) }}
- {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig (dict "src_paths" (list $srcPath) "url_prefix" (list $url)) }}
+ {{- $url := urlParse (include "vm.url" .) -}}
+ {{- $_ := set . "vm" (dict "read" $url "write" $url) }}
 {{- else if $Values.vmcluster.enabled -}}
- {{- $authConfig := ($Values.vmcluster).vmauth }}
 {{- $_ := set . "appKey" (list "vmcluster" "spec" "vminsert") -}}
- {{- $writeAuths := $authConfig.vminsert }}
- {{- $writeUrl := include "vm.url" . }}
- {{- range $writeAuth := $writeAuths }}
- {{- $urls := default list }}
- {{- range $prefix := $writeAuth.url_prefix }}
- {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $writeUrl).path $writeUrl) $prefix) }}
- {{- end }}
- {{- $_ := set $writeAuth "url_prefix" $urls}}
- {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $writeAuth -}}
- {{- end }}
+ {{- $writeURL := urlParse (include "vm.url" .) -}}
+ {{- $_ := set $writeURL "path" (printf "%s/insert" $writeURL.path) -}}
 {{- $_ := set . "appKey" (list "vmcluster" "spec" "vmselect") -}}
- {{- $readAuths := $authConfig.vmselect }}
- {{- $readUrl := include "vm.url" . 
}}
- {{- range $readAuth := $readAuths }}
- {{- $urls := default list }}
- {{- range $prefix := $readAuth.url_prefix }}
- {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $readUrl).path $readUrl) $prefix) }}
- {{- end }}
- {{- $_ := set $readAuth "url_prefix" $urls}}
- {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $readAuth -}}
- {{- end -}}
- {{- else if or $Values.externalVM.read.url $Values.externalVM.write.url }}
- {{- with $Values.externalVM.read.url }}
- {{- $authConfig := ($Values.externalVM).vmauth }}
- {{- $readAuths := $authConfig.read }}
- {{- $readUrl := . }}
- {{- range $readAuth := $readAuths }}
- {{- $urls := default list }}
- {{- range $prefix := $readAuth.url_prefix }}
- {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $readUrl).path $readUrl) $prefix) }}
- {{- end }}
- {{- $_ := set $readAuth "url_prefix" $urls}}
- {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $readAuth -}}
- {{- end -}}
+ {{- $readURL := urlParse (include "vm.url" .) -}}
+ {{- $_ := set $readURL "path" (printf "%s/select" $readURL.path) -}}
+ {{- $_ := set . "vm" (dict "read" $readURL "write" $writeURL) -}}
+ {{- else if or $Values.externalVM.read.url $Values.externalVM.write.url -}}
+ {{- $_ := set . "vm" (default dict) -}}
+ {{- with $Values.externalVM.read.url -}}
+ {{- $_ := set $.vm "read" (urlParse .) -}}
 {{- end -}}
- {{- with $Values.externalVM.write.url }}
- {{- $authConfig := ($Values.externalVM).vmauth }}
- {{- $writeAuths := $authConfig.write }}
- {{- $writeUrl := . 
}}
- {{- range $writeAuth := $writeAuths }}
- {{- $urls := default list }}
- {{- range $prefix := $writeAuth.url_prefix }}
- {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $writeUrl).path $writeUrl) $prefix) }}
- {{- end }}
- {{- $_ := set $writeAuth "url_prefix" $urls}}
- {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $writeAuth -}}
- {{- end -}}
+ {{- with $Values.externalVM.write.url -}}
+ {{- $_ := set $.vm "write" (urlParse .) -}}
 {{- end -}}
 {{- end -}}
 {{- $spec := $Values.vmauth.spec }}
- {{- $_ := set $spec "unauthorizedAccessConfig" (concat $unauthorizedAccessConfig ($spec.unauthorizedAccessConfig | default list)) }}
 {{- with (include "vm.license.global" .) -}}
 {{- $_ := set $spec "license" (fromYaml .) -}}
 {{- end -}}
@@ -319,7 +277,7 @@
 {{- $ctx := . }}
 {{- $Values := (.helm).Values | default .Values }}
 {{- $datasources := $Values.defaultDatasources.extra | default list -}}
- {{- if or $Values.vmsingle.enabled $Values.vmcluster.enabled -}}
+ {{- if or $Values.vmsingle.enabled $Values.vmcluster.enabled $Values.externalVM.read -}}
 {{- $readEndpoint:= include "vm.read.endpoint" $ctx | fromYaml -}}
 {{- $defaultDatasources := default list -}}
 {{- range $ds := $Values.defaultDatasources.victoriametrics.datasources }}
diff --git a/charts/victoria-metrics-k8s-stack/values.yaml b/charts/victoria-metrics-k8s-stack/values.yaml
index 5f59ffc68..d83670d2b 100644
--- a/charts/victoria-metrics-k8s-stack/values.yaml
+++ b/charts/victoria-metrics-k8s-stack/values.yaml
@@ -239,19 +239,6 @@ additionalVictoriaMetricsMap:
 # -- External VM read and write URLs externalVM: - # -- Custom VMAuth config, url_prefix requires only path, which will be appended to a read and write base URL. - # To disable auth for read or write empty list for component config `externalVM.vmauth.: []` - vmauth: - read: - - src_paths: - - /select/.* - url_prefix: - - / - write: - - src_paths: - - /insert/.* - url_prefix: - - / read: url: "" # bearerTokenSecret: 
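Review bot: `.vm` is only placed on the context inside the three backend branches, and in the externalVM branch `.vm.read` and `.vm.write` are each set only when the matching URL is non-empty, so a spec template that dereferences `.vm.read.path` (the chart's own default in values.yaml does exactly that) will presumably fail with a nil-pointer template error when only `externalVM.write.url` is configured, or when no backend is enabled at all. Seeding the context before the `if` with `{{- $_ := set . "vm" dict -}}` (and dropping the `(default dict)` line from the externalVM branch) at least guarantees `.vm` is always a map, so user specs can guard with `{{ with .vm.read }}…{{ end }}` instead of erroring on `.vm` itself. The define also deserves a header saying what it exports: `{{- /* exposes .vm.read / .vm.write (urlParse maps) to vmauth.spec; either may be absent for externalVM, so templates must guard before dereferencing */ -}}`. How `$spec` is rendered is outside this hunk; I am inferring `tpl`-style rendering from the README text.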
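Review bot: `$Values.externalVM.read` in the new condition is the whole `read` mapping, not its URL, and a mapping with keys (values.yaml ships `externalVM.read.url: ""`) is truthy in Go templates, so the `or` is now effectively always true and `vm.read.endpoint` is folded into the datasources even when no read backend exists. The intent is clearly the URL, as tested in `vm.auth.spec`: `{{- if or $Values.vmsingle.enabled $Values.vmcluster.enabled $Values.externalVM.read.url -}}`. The enclosing define starts and ends outside this hunk.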
@@ -323,19 +310,6 @@ vmcluster: enabled: false # -- VMCluster annotations annotations: {} - # -- Custom VMAuth config, url_prefix requires only path, which will be appended to a select and insert base URL. - # To disable auth for vmselect or vminsert empty list for component config `vmcluster.vmauth.: []` - vmauth: - vmselect: - - src_paths: - - /select/.* - url_prefix: - - / - vminsert: - - src_paths: - - /insert/.* - url_prefix: - - / # -- Full spec for VMCluster CRD. Allowed values described [here](https://docs.victoriametrics.com/operator/api#vmclusterspec) spec: # -- Data retention period. Possible units character: h(ours), d(ays), w(eeks), y(ears), if no unit character specified - month. The minimum retention period is 24h. See these [docs](https://docs.victoriametrics.com/single-server-victoriametrics/#retention) @@ -746,9 +720,17 @@ vmauth: # -- VMAuth annotations annotations: {} # -- (object) Full spec for VMAuth CRD. Allowed values described [here](https://docs.victoriametrics.com/operator/api#vmauthspec) + # It's possible to use given below predefined variables in spec: + # * `{{ .vm.read }}` - parsed vmselect, vmsingle or externalVM.read URL + # * `{{ .vm.write }}` - parsed vminsert, vmsingle or externalVM.write URL spec: discover_backend_ips: true port: "8427" + unauthorizedAccessConfig: + - src_paths: + - '{{ .vm.read.path }}/.*' + url_prefix: + - '{{ urlJoin (omit .vm.read "path") }}/' vmagent: # -- Create VMAgent CR
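Review bot: The new default `unauthorizedAccessConfig` dereferences `.vm.read.path`, but the chart only defines `.vm.read` when vmsingle, vmcluster or `externalVM.read.url` is configured, so a write-only `externalVM` setup with vmauth enabled presumably fails to render unless this list is overridden; the comment block above `spec` should say so. It is also worth stating there that, unlike the removed `vmcluster.vmauth` and `externalVM.vmauth` defaults, only the read route is now proxied without authentication out of the box — the `/insert` route is no longer exposed through vmauth unless the user adds it as the 0.29.0 upgrade guide shows. Suggested addition to the comment: `# NOTE: .vm.read is only defined when a read backend (vmsingle, vmcluster or externalVM.read.url) is configured; override unauthorizedAccessConfig for write-only setups. By default only the read route is exposed without auth.`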