feat: vmetrics admin token (#314)

immich-app · Dec 20, 2024 · 58b29d4 · 58b29d4
1 parent 794c473
commit 58b29d4
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/admin.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/admin.yaml
@@ -0,0 +1,25 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: vmetrics-admin-token
+  namespace: monitoring-dev
+spec:
+  itemPath: "vaults/Kubernetes/items/vmetrics_admin_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: admin
+  namespace: monitoring-dev
+  labels:
+    vm-user: "admin"
+spec:
+  tokenRef:
+    name: vmetrics-admin-token
+    key: token
+  targetRefs:
+    - crd:
+        kind: VMSingle
+        name: vmetrics-dev
+        namespace: monitoring-dev
+      paths: ["/api/v1/admin"]
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/admin.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/admin.yaml
@@ -0,0 +1,25 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: vmetrics-admin-token
+  namespace: monitoring
+spec:
+  itemPath: "vaults/Kubernetes/items/vmetrics_admin_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: admin
+  namespace: monitoring
+  labels:
+    vm-user: "admin"
+spec:
+  tokenRef:
+    name: vmetrics-admin-token
+    key: token
+  targetRefs:
+    - crd:
+        kind: VMSingle
+        name: vmetrics
+        namespace: monitoring
+      paths: ["/api/v1/admin"]
diff --git a/tf/deployment/modules/1password/account/k8s-secrets.tf b/tf/deployment/modules/1password/account/k8s-secrets.tf
@@ -62,6 +62,28 @@ resource "onepassword_item" "grafana_admin_credentials" {
   }
 }
 
+resource "random_password" "vmetrics_admin_token" {
+  length  = 40
+  special = false
+}
+
+resource "onepassword_item" "vmetrics_admin_token" {
+  for_each = { for vault in [data.onepassword_vault.kubernetes, data.onepassword_vault.tf_dev, data.onepassword_vault.tf_prod] : vault.name => vault }
+  vault    = each.value.uuid
+  title    = "vmetrics_admin_token"
+  category = "secure_note"
+
+  section {
+    label = "Victoria Metrics admin token"
+
+    field {
+      label = "token"
+      type  = "CONCEALED"
+      value = random_password.vmetrics_admin_token.result
+    }
+  }
+}
+
 resource "random_password" "vmetrics_write_token" {
   length  = 40
   special = false