
Allow `aws.*` configuration inside `remoteWrite`

Open 5nafu opened this issue 1 year ago • 3 comments

As a user of the operator I would like to configure IAM based authentication inside my remoteWrite configuration so that I don't need to (ab-)use extraArgs to use it.

The vmagent supports using IAM authentication by setting (for example) `-remoteWrite.aws.roleARN` et al., but the operator does not accept it as a parameter yet. While it would be possible to use extraArgs to set these parameters, if used together with (for example) inlineUrlRelabelConfig one would need to generate a configmap outside of the general operator (helm) configuration and attach it to the agent. It would be better to have everything in one place.

5nafu avatar Apr 18 '24 08:04 5nafu

Hello @5nafu.

> It would be better to have everything in one place.

What do you mean by "have everything in one place"? Do you have any preferred proposal?

Haleygo avatar Apr 25 '24 07:04 Haleygo

Hi @Haleygo,

Currently, if you have one or multiple remote-writes with at least one IAM auth, your vmagent object might look like (only the relevant parts):

```yaml
remoteWrite:
  - url: http://vmsingle-victoria-stack.victoria.svc:8429/api/v1/write
  - url: https://vmingest.basic.auth.url/api/v1/write
    basicAuth:
      password:
        key: password
        name: victoria-credentials
      username:
        key: username
        name: victoria-credentials
    inlineUrlRelabelConfig:
    - action: labeldrop
      regex: source_.*|destination_service_.*|destination_can.*|destination_principal
    # ...
  - url: https://victoria.i.am.auth.url/insert/123/prometheus/api/v1/write
    inlineUrlRelabelConfig:
    - action: drop
      regex: ^kube_.*;kubecost-cost-analyzer$
      source_labels:
      - __name__
      - job
    # ...
extraArgs:
    # ...
    remoteWrite.aws.region: ',,eu-central-1'
    remoteWrite.aws.roleARN: ',,arn:aws:iam::AccountID:role/Role'
    remoteWrite.aws.service: ',,execute-api'
    remoteWrite.aws.useSigv4: false,false,true
```

Notice the need to add the appropriate number of commas (and boolean values) for each remote write. It is even worse when using the helm chart, as there will be an additional "local" write that the user does not configure.

It would be better for the user if one could use a configuration similar to the basicAuth like:

```yaml
remoteWrite:
  - url: http://vmsingle-victoria-stack.victoria.svc:8429/api/v1/write
  - url: https://vmingest.basic.auth.url/api/v1/write
    basicAuth:
      password:
        key: password
        name: victoria-credentials
      username:
        key: username
        name: victoria-credentials
    inlineUrlRelabelConfig:
    - action: labeldrop
      regex: source_.*|destination_service_.*|destination_can.*|destination_principal
    # ...
  - url: https://victoria.i.am.auth.url/insert/123/prometheus/api/v1/write
    aws:
      region: 'eu-central-1'
      roleARN: 'arn:aws:iam::AccountID:role/Role'
      service: 'execute-api'
      useSigv4: true
    inlineUrlRelabelConfig:
    - action: drop
      regex: ^kube_.*;kubecost-cost-analyzer$
      source_labels:
      - __name__
      - job
    # ...
```

5nafu avatar Apr 25 '24 09:04 5nafu
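
The positional bookkeeping that the extraArgs workaround in the comment above requires, written out as an added example (not code from the operator or from any participant in this thread). `AWS`, `Target` and `PositionalArgs` are hypothetical names, and the sketch generalizes the three-URL case to any number of targets:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AWS and Target are hypothetical types modelled on the YAML in this thread,
// not the operator's API. A zero-value AWS means "no IAM auth for this URL".
type AWS struct {
	Region, RoleARN, Service string
	UseSigv4                 bool
}
type Target struct {
	URL string
	AWS AWS
}

// PositionalArgs renders extraArgs values: one comma-separated slot per URL, in URL order.
func PositionalArgs(targets []Target) (map[string]string, error) {
	cols := make([][]string, 4) // region, roleARN, service, useSigv4
	for i, t := range targets {
		row := []string{t.AWS.Region, t.AWS.RoleARN, t.AWS.Service, strconv.FormatBool(t.AWS.UseSigv4)}
		for c, v := range row {
			if strings.Contains(v, ",") { // would need quoting; rejected in this sketch
				return nil, fmt.Errorf("remoteWrite[%d] %s: comma in %q", i, t.URL, v)
			}
			cols[c] = append(cols[c], v)
		}
	}
	out := map[string]string{}
	for c, name := range []string{"region", "roleARN", "service", "useSigv4"} {
		out["remoteWrite.aws."+name] = strings.Join(cols[c], ",")
	}
	return out, nil
}

func main() {
	targets := []Target{ // the three URLs from the comment above
		{URL: "http://vmsingle-victoria-stack.victoria.svc:8429/api/v1/write"},
		{URL: "https://vmingest.basic.auth.url/api/v1/write"},
		{URL: "https://victoria.i.am.auth.url/insert/123/prometheus/api/v1/write",
			AWS: AWS{Region: "eu-central-1", RoleARN: "arn:aws:iam::AccountID:role/Role", Service: "execute-api", UseSigv4: true}},
	}
	args, err := PositionalArgs(targets)
	fmt.Println(args, err)
}
```

Prepending one more target, such as the helm chart's extra "local" write mentioned above, changes every generated value; a slot left unshifted would attach the role and SigV4 setting to a different URL, which is the misalignment a per-target `aws` block avoids.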

I agree, your example with separate aws spec looks better. I think we should add more configuration params to the remoteWrite definition. It makes configuration easy to understand without extraArgs comma-madness syntax.

f41gh7 avatar Jul 30 '24 09:07 f41gh7

The feature was included in the v0.61.0 release.

However, AWS credentials cannot be configured via YAML. It's only possible to use any kind of native AWS SDK authorization.

f41gh7 avatar Jul 16 '25 08:07 f41gh7