How do I implement auth for Prometheus long-term storage with VMAuth?
This guide will show you how to implement authentication for Prometheus long-term storage using VMAuth on Kubernetes. We will set up a Kubernetes cluster, deploy Prometheus, and configure VMAuth to secure access to Prometheus metrics.
Key Points
- Deploy a Kubernetes cluster.
- Install Prometheus for monitoring.
- Set up VMAuth to secure Prometheus long-term storage.
Implementation
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes namespace for Prometheus
const prometheusNamespace = new k8s.core.v1.Namespace("prometheus", {
    metadata: { name: "prometheus" },
});

// Deploy Prometheus using a Helm chart
const prometheus = new k8s.helm.v3.Chart("prometheus", {
    chart: "prometheus",
    version: "14.11.1",
    namespace: prometheusNamespace.metadata.name,
    fetchOpts: {
        repo: "https://prometheus-community.github.io/helm-charts",
    },
    values: {
        alertmanager: {
            enabled: false,
        },
        pushgateway: {
            enabled: false,
        },
        server: {
            persistentVolume: {
                enabled: true,
                size: "8Gi",
            },
        },
    },
});

// Create ConfigMap for VMAuth configuration.
// Declared before the Deployment so the Deployment can reference the name
// Pulumi generates for it (auto-naming appends a random suffix).
const vmauthConfig = new k8s.core.v1.ConfigMap("vmauth-config", {
    metadata: {
        namespace: prometheusNamespace.metadata.name,
    },
    data: {
        // "secure_password" is a placeholder. ConfigMap data is stored and
        // displayed in plaintext, so replace it before deploying.
        "vmauth.yaml": `
users:
  - url_prefix: "http://prometheus-server.prometheus.svc.cluster.local:80"
    username: "prometheus_user"
    password: "secure_password"
`,
    },
});

// Define VMAuth deployment
const vmauthDeployment = new k8s.apps.v1.Deployment("vmauth", {
    metadata: {
        namespace: prometheusNamespace.metadata.name,
    },
    spec: {
        selector: { matchLabels: { app: "vmauth" } },
        replicas: 1,
        template: {
            metadata: { labels: { app: "vmauth" } },
            spec: {
                containers: [{
                    name: "vmauth",
                    // "latest" is a floating tag; pin a release tag or digest
                    // so the deployed image cannot change underneath you.
                    image: "victoriametrics/vmauth:latest",
                    ports: [{ containerPort: 8427 }],
                    volumeMounts: [{
                        name: "config-volume",
                        mountPath: "/config",
                    }],
                    // vmauth reads its config from the -auth.config flag
                    args: ["-auth.config=/config/vmauth.yaml"],
                }],
                volumes: [{
                    name: "config-volume",
                    configMap: {
                        // Use the generated ConfigMap name, not the logical name
                        name: vmauthConfig.metadata.name,
                    },
                }],
            },
        },
    },
});

// Expose VMAuth via a Service
const vmauthService = new k8s.core.v1.Service("vmauth", {
    metadata: {
        namespace: prometheusNamespace.metadata.name,
    },
    spec: {
        selector: { app: "vmauth" },
        ports: [{ port: 80, targetPort: 8427 }],
    },
});

// Export the VMAuth service URL
export const vmauthUrl = pulumi.interpolate`http://${vmauthService.metadata.name}.${prometheusNamespace.metadata.name}.svc.cluster.local`;
```
Summary
In this guide, we created a Kubernetes namespace for Prometheus, deployed Prometheus using a Helm chart, and set up VMAuth to secure Prometheus long-term storage. We configured VMAuth with a ConfigMap and exposed it via a Kubernetes Service. Requests that go through the VMAuth Service must present the credentials specified in the VMAuth configuration. The Prometheus Service itself still accepts unauthenticated requests from inside the cluster unless direct access to it is restricted separately.
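An added example (not part of the original guide, nor Pulumi's or VictoriaMetrics' own code) that addresses both the plaintext password in the ConfigMap and direct in-cluster access to prometheus-server. The functions return plain objects to pass as the args of `k8s.core.v1.Secret`, the vmauth container's `env` list, and `k8s.networking.v1.NetworkPolicy`. The env var name, the Secret and policy names, and the Prometheus pod labels and port 9090 are assumptions.

```typescript
// Added example: plain manifest objects with no Pulumi imports; pass each
// one as the args of the matching @pulumi/kubernetes resource.
const NAMESPACE = "prometheus";          // namespace used in the guide
const PASSWORD_ENV = "VMAUTH_PASSWORD";  // hypothetical env var name

// vmauth substitutes %{NAME} placeholders in its config with the value of
// environment variable NAME, so the ConfigMap no longer holds the password.
function vmauthConfigYaml(username: string, upstream: string): string {
    return [
        "users:",
        `  - url_prefix: ${JSON.stringify(upstream)}`,
        `    username: ${JSON.stringify(username)}`,
        `    password: "%{${PASSWORD_ENV}}"`,
        "",
    ].join("\n");
}

// Secret holding the password; supply it from a Pulumi secret config value.
function vmauthSecret(secretName: string, password: string) {
    return {
        metadata: { name: secretName, namespace: NAMESPACE },
        stringData: { password },
    };
}

// Entry for the vmauth container's `env` list, read from that Secret.
function vmauthPasswordEnv(secretName: string) {
    return {
        name: PASSWORD_ENV,
        valueFrom: { secretKeyRef: { name: secretName, key: "password" } },
    };
}

// NetworkPolicy: only vmauth pods may reach the Prometheus server pods, so
// in-cluster clients cannot bypass vmauth via prometheus-server directly.
// Labels and port 9090 are assumptions; check `kubectl get pods --show-labels`.
function prometheusIngressPolicy() {
    return {
        metadata: { name: "prometheus-only-from-vmauth", namespace: NAMESPACE },
        spec: {
            podSelector: { matchLabels: { app: "prometheus", component: "server" } },
            policyTypes: ["Ingress"],
            ingress: [{
                from: [{ podSelector: { matchLabels: { app: "vmauth" } } }],
                ports: [{ protocol: "TCP", port: 9090 }],
            }],
        },
    };
}
```

The NetworkPolicy only takes effect when the cluster's network plugin enforces NetworkPolicy resources.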