Add vm auth (read loadbalancer)

YuryHrytsuk · YuryHrytsuk · commit 3e83321884a4 · 2025-10-29T16:51:19.000+01:00
diff --git a/charts/traefik/values.common.yaml.gotmpl b/charts/traefik/values.common.yaml.gotmpl
@@ -133,6 +133,16 @@ extraObjects:
         - 172.16.0.0/12
         - 192.168.0.0/16
 
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: metrics-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /metrics
+
 - apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
diff --git a/charts/victoria-metrics-stack/Chart.lock b/charts/victoria-metrics-stack/Chart.lock
@@ -2,8 +2,11 @@ dependencies:
 - name: victoria-metrics-single
   repository: https://victoriametrics.github.io/helm-charts/
   version: 0.25.2
+- name: victoria-metrics-auth
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.19.7
 - name: victoria-metrics-agent
   repository: https://victoriametrics.github.io/helm-charts/
   version: 0.26.2
-digest: sha256:e9a8c4ed4495ecfcf9962a6aa7fc9f6a6e8813e69a20daa9bb38b2d9a018c50e
-generated: "2025-10-26T12:42:21.158234622+01:00"
+digest: sha256:1b9f1ec96dee105d9ac83f78883e6ee5b8558fad9bac4e41b71d37a69dd5c745
+generated: "2025-10-29T15:55:10.919914456+01:00"
diff --git a/charts/victoria-metrics-stack/Chart.yaml b/charts/victoria-metrics-stack/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.0.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -29,9 +29,10 @@ dependencies:
     repository: &victoria-metrics-repo "https://victoriametrics.github.io/helm-charts/"
     condition: victoria-metrics-single.enabled
 
-  # - name: victoria-metrics-auth
-  #   version: 0.19.7
-  #   repository: *victoria-metrics-repo
+  - name: victoria-metrics-auth
+    version: 0.19.7
+    repository: *victoria-metrics-repo
+    condition: victoria-metrics-auth.enabled
 
   - name: victoria-metrics-agent
     version: 0.26.2
diff --git a/charts/victoria-metrics-stack/namespace.yaml b/charts/victoria-metrics-stack/namespace.yaml
@@ -10,6 +10,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: monitoring
+  name: victoria-metrics-stack
   labels:
     pod-security.kubernetes.io/enforce: restricted
diff --git a/charts/victoria-metrics-stack/templates/networkpolicies/vm-agent.yaml b/charts/victoria-metrics-stack/templates/networkpolicies/vm-agent.yaml
@@ -1,20 +1,3 @@
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
-  name: vm-server-network-policy
-spec:
-  selector: >-
-    app.kubernetes.io/name == "victoria-metrics-single"
-    && app.kubernetes.io/instance == "{{ .Release.Name }}"
-  ingress:
-    - action: Allow
-      protocol: TCP
-      destination:
-        ports:
-          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
-
----
-
 apiVersion: projectcalico.org/v3
 kind: NetworkPolicy
 metadata:
diff --git a/charts/victoria-metrics-stack/templates/networkpolicies/vm-auth.yaml b/charts/victoria-metrics-stack/templates/networkpolicies/vm-auth.yaml
@@ -0,0 +1,20 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-auth-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-auth"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-auth" "service" "servicePort" }}
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
diff --git a/charts/victoria-metrics-stack/templates/networkpolicies/vm-server.yaml b/charts/victoria-metrics-stack/templates/networkpolicies/vm-server.yaml
@@ -0,0 +1,14 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-server-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-single"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
diff --git a/charts/victoria-metrics-stack/values.yaml.gotmpl b/charts/victoria-metrics-stack/values.yaml.gotmpl
@@ -48,3 +48,39 @@ victoria-metrics-agent:
 
 
 victoria-metrics-auth:
+  enabled: true
+  fullnameOverride: vm-auth
+
+  service:
+    servicePort: 8427
+
+  ingress:
+    enabled: true
+    annotations:
+      namespace: {{ .Release.Namespace }}
+      traefik.ingress.kubernetes.io/router.tls: "true"
+      traefik.ingress.kubernetes.io/router.middlewares: traefik-metrics-strip-prefix@kubernetescrd,traefik-traefik-basic-auth@kubernetescrd
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    hosts:
+      - name: {{ requiredEnv "K8S_MONITORING_FQDN" }}
+        path:
+          - /metrics
+        port: http
+
+  podSecurityContext: *restrictedPodSecurityContext
+  securityContext: *restrictedSecurityContext
+
+  resources:
+    limits:
+      cpu: 0.5
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
+  config:
+    unauthorized_user:
+      url_prefix:
+        - "http://vm-server-0.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/"
+        - "http://vm-server-1.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/"
+      load_balancing_policy: first_available
