Closed seanocca closed 1 month ago
Hello @seanocca , I can't seem to reproduce it by creating vmauth like
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
name: test
spec:
extraArgs:
discoverBackendIPs: "true"
logInvalidAuthTokens: "true"
image:
tag: v1.101.0
replicaCount: 1
unauthorizedAccessConfig:
- src_paths:
- /insert/.*
url_prefix:
- http://vminsert:8480
Could you please provide an example here?
Hi @Haleygo This is the config we are using to deploy the VMUser and VMAuth
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
name: vmauth-main
spec:
selectAllByDefault: true
ingress:
host: your.url.com
image:
repository: victoriametrics/vmauth
pullPolicy: IfNotPresent
tag: v1.101.0
replicaCount: 1
resources:
requests:
cpu: "250m"
memory: "350Mi"
limits:
cpu: "500m"
memory: "850Mi"
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
name: test-user
spec:
username: "test-user"
passwordRef:
name: test-auth-secret
key: password
targetRefs:
- paths:
- /api/v1/write
static:
url: http://vminsert:8480/insert/0/prometheus
@seanocca Did you set env VM_USECUSTOMCONFIGRELOADER = true
inside vm-operator like https://github.com/VictoriaMetrics/operator/pull/964 describes?
@Haleygo
The config forVM_USECUSTOMCONFIGRELOADER
is set to true
in the operator.
If we set this to false
would the config that gets created by the operator (with values from VMAuth and VMuser) be setup and used correctly? Or does having this set to true
mean the config should have been managed by the operator?
If we set this to false would the config that gets created by the operator (with values from VMAuth and VMuser) be setup and used correctly?
Yes. There was a bug on volumeMounts on customer config reloader and fixed in https://github.com/VictoriaMetrics/operator/pull/964, will be included in next release.
This bug has been an error since the 0.42.0 release. When you create a VMAuth and VMUser CR the operator fails to connect the managed secret to the deployment. The error is
cannot create or update vmauth deploy: cannot update deployment for app: vmauth-main, err: Deployment.apps "vmauth-main" is invalid: spec.template.spec.containers[0].volumeMounts[1].name: Not found: "config"
The VMAuth CR creates the secret but the deployment searches for a configSecretRef value that does not exist.
This requires us to import and create our own secret with the potential to leak our username and password.
Why can we set the username, password, or passwordRef (with a password imported from another secret) on the VMUser CR, if those values don't build a secret that is to be used by the VMAuth deployment?
We have implemented the suggested work around by creating our own secret with the
config.yaml
file in the secret and changing the VMAuthconfigSecret
setting to point to that. However the old method of the operator creating the secret and managing it is much more preferred. As it also won't require further config-reloader settings to be required.Steps to reproduce: Operator Deploy method: VM Operator Helm Chart (0.31.1) into Kubernetes (1.28) VMAuth/VMUser Deployment Method: Manual CR's created and deployed