
How do I implement auth for Prometheus long-term storage with VMAuth?

This guide will show you how to implement authentication for Prometheus long-term storage using VMAuth on Kubernetes. We will set up a Kubernetes cluster, deploy Prometheus, and configure VMAuth to secure access to Prometheus metrics.

Key Points

  • Deploy a Kubernetes cluster.
  • Install Prometheus for monitoring.
  • Set up VMAuth to secure Prometheus long-term storage.

Implementation

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes namespace for Prometheus
const prometheusNamespace = new k8s.core.v1.Namespace("prometheus", {
    metadata: { name: "prometheus" },
});

// Deploy Prometheus using a Helm chart
const prometheus = new k8s.helm.v3.Chart("prometheus", {
    chart: "prometheus",
    version: "14.11.1",
    namespace: prometheusNamespace.metadata.name,
    fetchOpts: {
        repo: "https://prometheus-community.github.io/helm-charts",
    },
    values: {
        alertmanager: {
            enabled: false,
        },
        pushgateway: {
            enabled: false,
        },
        server: {
            persistentVolume: {
                enabled: true,
                size: "8Gi",
            },
        },
    },
});

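// Create ConfigMap for VMAuth configuration.
// Declared before the Deployment so its generated name can be referenced:
// Pulumi appends a random suffix to resource names unless metadata.name is set.
const vmauthConfig = new k8s.core.v1.ConfigMap("vmauth-config", {
    metadata: {
        namespace: prometheusNamespace.metadata.name,
    },
    data: {
        // The credentials below are placeholders. A ConfigMap stores them in
        // plaintext; for real deployments load the password from Pulumi secret
        // config and store the file in a Kubernetes Secret instead.
        "vmauth.yaml": `
users:
  - url_prefix: "http://prometheus-server.prometheus.svc.cluster.local:80"
    username: "prometheus_user"
    password: "secure_password"
`,
    },
});

// Define VMAuth deployment
const vmauthDeployment = new k8s.apps.v1.Deployment("vmauth", {
    metadata: {
        namespace: prometheusNamespace.metadata.name,
    },
    spec: {
        selector: { matchLabels: { app: "vmauth" } },
        replicas: 1,
        template: {
            metadata: { labels: { app: "vmauth" } },
            spec: {
                containers: [{
                    name: "vmauth",
                    // Pin a specific tag or digest in production instead of "latest".
                    image: "victoriametrics/vmauth:latest",
                    ports: [{ containerPort: 8427 }],
                    volumeMounts: [{
                        name: "config-volume",
                        mountPath: "/config",
                    }],
                    // vmauth reads its auth config from the -auth.config flag
                    args: ["-auth.config=/config/vmauth.yaml"],
                }],
                volumes: [{
                    name: "config-volume",
                    configMap: {
                        // Reference the generated ConfigMap name, not the logical name
                        name: vmauthConfig.metadata.name,
                    },
                }],
            },
        },
    },
});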

// Expose VMAuth via a Service
const vmauthService = new k8s.core.v1.Service("vmauth", {
    metadata: {
        namespace: prometheusNamespace.metadata.name,
    },
    spec: {
        selector: { app: "vmauth" },
        ports: [{ port: 80, targetPort: 8427 }],
    },
});

// Export the VMAuth service URL
export const vmauthUrl = pulumi.interpolate`http://${vmauthService.metadata.name}.${prometheusNamespace.metadata.name}.svc.cluster.local`;
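
VMAuth only authenticates requests that pass through it; the `prometheus-server` Service can still be queried directly by other pods in the cluster. The following is an added example, not part of the original answer: it builds a NetworkPolicy that admits ingress to the Prometheus server pods only from the vmauth pods, with a simplified same-namespace evaluator for checking the rule. The pod labels `app: prometheus` / `component: server`, container port 9090, and the policy name are assumptions to confirm with `kubectl -n prometheus get pods --show-labels`, and enforcement requires a CNI plugin that implements NetworkPolicy.

```typescript
// Added example. Labels, port and policy name are assumptions, not values from the guide.
type Labels = Record<string, string>;

interface IngressRule {
    from: { podSelector: { matchLabels: Labels } }[];
    ports: { protocol: string; port: number }[];
}

interface NetworkPolicyArgs {
    metadata: { name: string; namespace: string };
    spec: {
        podSelector: { matchLabels: Labels };
        policyTypes: string[];
        ingress: IngressRule[];
    };
}

// Allow ingress to the Prometheus server pods only from vmauth pods.
function prometheusIngressPolicy(namespace: string): NetworkPolicyArgs {
    return {
        metadata: { name: "prometheus-server-from-vmauth", namespace },
        spec: {
            // Assumed labels on the server pods created by the prometheus chart.
            podSelector: { matchLabels: { app: "prometheus", component: "server" } },
            policyTypes: ["Ingress"],
            ingress: [{
                // podSelector without namespaceSelector: same-namespace pods only.
                from: [{ podSelector: { matchLabels: { app: "vmauth" } } }],
                // Pod port, not the Service port 80 (assumed Prometheus default).
                ports: [{ protocol: "TCP", port: 9090 }],
            }],
        },
    };
}

// Simplified model of policy evaluation for a source pod in the same namespace.
function ingressAllowed(policy: NetworkPolicyArgs, source: Labels, port: number): boolean {
    const matches = (want: Labels, have: Labels): boolean =>
        Object.keys(want).every((k) => have[k] === want[k]);
    return policy.spec.ingress.some((rule) =>
        rule.ports.some((p) => p.port === port) &&
        rule.from.some((peer) => matches(peer.podSelector.matchLabels, source)));
}

// In the Pulumi program above:
// new k8s.networking.v1.NetworkPolicy("prometheus-server-from-vmauth",
//     prometheusIngressPolicy("prometheus"));
```

Once a policy selects the server pods, any ingress not listed is dropped, so other legitimate clients of Prometheus (a dashboard, for example) must either go through VMAuth or be added as peers.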

Summary

In this guide, we created a Kubernetes namespace for Prometheus, deployed Prometheus using a Helm chart, and set up VMAuth to secure Prometheus long-term storage. We configured VMAuth with a ConfigMap and exposed it via a Kubernetes Service. Requests sent through the VMAuth Service must present the credentials specified in the VMAuth configuration. The `prometheus-server` Service itself remains reachable inside the cluster without authentication unless direct access to it is restricted, for example with a NetworkPolicy.
