diff --git a/Makefile b/Makefile index 40b73b32c..26d1ef422 100644 --- a/Makefile +++ b/Makefile @@ -198,7 +198,7 @@ fix_crd_nulls_yaml: doc: install-develop-tools - cat hack/doc_header.md > doc_api.md + cat hack/doc_header.md > docs/api.md doc-print --paths=\ $(APIS_BASE_PATH)/vmalertmanager_types.go,\ $(APIS_BASE_PATH)/vmalertmanagerconfig_types.go,\ @@ -216,7 +216,7 @@ doc: install-develop-tools $(APIS_BASE_PATH)/vmstaticscrape_types.go,\ $(APIS_BASE_PATH)/vmprobe_types.go \ --owner VictoriaMetrics \ - >> doc_api.md + >> docs/api.md operator-conf: install-develop-tools cat hack/doc_vars_header.md > vars.md diff --git a/docs/api.md b/docs/api.md index 9949b7c3c..a0edbbd2f 100644 --- a/docs/api.md +++ b/docs/api.md @@ -7,7 +7,7 @@ menu: parent: "operator" weight: 12 aliases: - - /operator/api.html + - /operator/api.html --- @@ -65,6 +65,8 @@ This Document documents the types introduced by the VictoriaMetrics to be consum * [EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec) * [EmbeddedProbes](#embeddedprobes) * [HTTPAuth](#httpauth) +* [KeyValue](#keyvalue) +* [License](#license) * [ServiceSpec](#servicespec) * [StorageSpec](#storagespec) * [StreamAggrConfig](#streamaggrconfig) @@ -124,12 +126,14 @@ This Document documents the types introduced by the VictoriaMetrics to be consum * [StaticRef](#staticref) * [TargetRef](#targetref) * [VMUser](#vmuser) +* [VMUserIPFilters](#vmuseripfilters) * [VMUserList](#vmuserlist) * [VMUserSpec](#vmuserspec) * [EmbeddedIngress](#embeddedingress) * [VMAuth](#vmauth) * [VMAuthList](#vmauthlist) * [VMAuthSpec](#vmauthspec) +* [VMAuthUnauthorizedPath](#vmauthunauthorizedpath) * [TargetEndpoint](#targetendpoint) * [VMStaticScrape](#vmstaticscrape) * [VMStaticScrapeList](#vmstaticscrapelist) 
@@ -226,6 +230,7 @@ VMAlertmanagerSpec is a specification of the desired behavior of the VMAlertmana | terminationGracePeriodSeconds | TerminationGracePeriodSeconds period for container graceful termination | *int64 | false | | readinessGates | ReadinessGates defines pod readiness gates | []v1.PodReadinessGate | false | | claimTemplates | ClaimTemplates allows adding additional VolumeClaimTemplates for StatefulSet | [][v1.PersistentVolumeClaim](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#persistentvolumeclaim-v1-core) | false | +| useStrictSecurity | UseStrictSecurity enables strict security mode for component it restricts disk writes access uses non-root user out of the box drops not needed security permissions | *bool | false | [Back to TOC](#table-of-contents) @@ -258,7 +263,7 @@ EmailConfig configures notifications via Email. | auth_password | AuthPassword defines secret name and key at CRD namespace. | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | auth_secret | AuthSecret defines secrent name and key at CRD namespace. It must contain the CRAM-MD5 secret. | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | auth_identity | The identity to use for authentication. | string | false | -| headers | Further headers email header key/value pairs. Overrides any headers previously set by the notification implementation. | map[string]string | false | +| headers | Further headers email header key/value pairs. Overrides any headers previously set by the notification implementation. | EmailConfigHeaders | false | | html | The HTML body of the email notification. | string | false | | text | The text body of the email notification. | string | false | | require_tls | The SMTP TLS requirement. Note that Go does not support unencrypted connections to remote SMTP endpoints. | *bool | false | 
@@ -506,7 +511,7 @@ SlackConfirmationField protect users from destructive actions or particularly di ## SlackField -See https://api.slack.com/docs/message-attachments#fields for more information. +SlackField configures a single Slack field that is sent with each notification. See https://api.slack.com/docs/message-attachments#fields for more information. | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | @@ -694,7 +699,7 @@ VMAgentRemoteWriteSettings - defines global settings for all remoteWrite urls. | showURL | Whether to show -remoteWrite.url in the exported metrics. It is hidden by default, since it can contain sensitive auth info | *bool | false | | tmpDataPath | Path to directory where temporary data for remote write component is stored (default vmagent-remotewrite-data) | *string | false | | flushInterval | Interval for flushing the data to remote storage. (default 1s) | *string | false | -| label | Optional labels in the form 'name=value' to add to all the metrics before sending them | map[string]string | false | +| label | Labels in the form 'name=value' to add to all the metrics before sending them. This overrides the label if it already exists. | map[string]string | false | | useMultiTenantMode | Configures vmagent in multi-tenant mode with direct cluster support docs https://docs.victoriametrics.com/vmagent.html#multitenancy it's global setting and affects all remote storage configurations | bool | false | [Back to TOC](#table-of-contents) 
@@ -804,12 +809,14 @@ VMAgentSpec defines the desired state of VMAgent | statefulRollingUpdateStrategy | StatefulRollingUpdateStrategy allows configuration for strategyType set it to RollingUpdate for disabling operator statefulSet rollingUpdate | [appsv1.StatefulSetUpdateStrategyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#statefulsetupdatestrategy-v1-apps) | false | | readinessGates | ReadinessGates defines pod readiness gates | []v1.PodReadinessGate | false | | claimTemplates | ClaimTemplates allows adding additional VolumeClaimTemplates for VMAgent in StatefulMode | [][v1.PersistentVolumeClaim](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#persistentvolumeclaim-v1-core) | false | +| useStrictSecurity | UseStrictSecurity enables strict security mode for component it restricts disk writes access uses non-root user out of the box drops not needed security permissions | *bool | false | +| license | License allows to configure license key to be used for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See: https://docs.victoriametrics.com/enterprise.html | *[License](#license) | false | [Back to TOC](#table-of-contents) ## VMAgentStatus -VmAgentStatus defines the observed state of VmAgent +VMAgentStatus defines the observed state of VMAgent | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | @@ -840,7 +847,7 @@ BearerAuth defines auth with bearer token | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | -| bearerTokenFilePath | | string | false | +| bearerTokenFile | Path to bearer token file | string | false | | bearerTokenSecret | Optional bearer auth token to use for -remoteWrite.url | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | [Back to TOC](#table-of-contents) 
@@ -934,14 +941,36 @@ HTTPAuth generic auth used with http protocols | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | | basicAuth | | *[BasicAuth](#basicauth) | false | -| OAuth2 | | *[OAuth2](#oauth2) | false | +| oauth2 | | *[OAuth2](#oauth2) | false | | tlsConfig | | *[TLSConfig](#tlsconfig) | false | -| bearerTokenFilePath | | string | false | +| bearerTokenFile | Path to bearer token file | string | false | | bearerTokenSecret | Optional bearer auth token to use for -remoteWrite.url | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | headers | Headers allow configuring custom http headers Must be in form of semicolon separated header with value e.g. headerName:headerValue vmalert supports it since 1.79.0 version | []string | false | [Back to TOC](#table-of-contents) +## KeyValue + +KeyValue defines a (key, value) tuple. + +| Field | Description | Scheme | Required | +| ----- | ----------- | ------ | -------- | +| key | Key of the tuple. | string | true | +| value | Value of the tuple. | string | true | + +[Back to TOC](#table-of-contents) + +## License + +License holds license key for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0 See: https://docs.victoriametrics.com/enterprise.html + +| Field | Description | Scheme | Required | +| ----- | ----------- | ------ | -------- | +| key | Enterprise license key. This flag is available only in VictoriaMetrics enterprise. Documentation - https://docs.victoriametrics.com/enterprise.html for more information, visit https://victoriametrics.com/products/enterprise/ . To request a trial license, go to https://victoriametrics.com/products/enterprise/trial/ | *string | false | +| keyRef | KeyRef is reference to secret with license key for enterprise features. 
| *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | + +[Back to TOC](#table-of-contents) + ## ServiceSpec ServiceSpec defines additional service for CRD with user-defined params. by default, some of fields can be inherited from default service definition for the CRD: labels,selector, ports. if metadata.name is not defined, service will have format {{CRD_TYPE}}-{{CRD_NAME}}-additional-service. @@ -973,6 +1002,7 @@ StreamAggrConfig defines the stream aggregation config | ----- | ----------- | ------ | -------- | | rules | Stream aggregation rules | [][StreamAggrRule](#streamaggrrule) | true | | keepInput | Allows writing both raw and aggregate data | bool | false | +| dropInput | Allow drop all the input samples after the aggregation | bool | false | | dedupInterval | Allows setting different de-duplication intervals per each configured remote storage | string | false | [Back to TOC](#table-of-contents) 
@@ -983,8 +1013,9 @@ StreamAggrRule defines the rule in stream aggregation config | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | -| match | Match is a label selector for filtering time series for the given selector.\n\nIf the match isn't set, then all the input time series are processed. | string | false | +| match | Match is a label selector (or list of label selectors) for filtering time series for the given selector.\n\nIf the match isn't set, then all the input time series are processed. | StringOrArray | false | | interval | Interval is the interval between aggregations. | string | true | +| staleness_interval | StalenessInterval defines an interval after which the series state will be reset if no samples have been sent during it. | string | false | | outputs | Outputs is a list of output aggregate functions to produce.\n\nThe following names are allowed:\n\n- total - aggregates input counters - increase - counts the increase over input counters - count_series - counts the input series - count_samples - counts the input samples - sum_samples - sums the input samples - last - the last biggest sample value - min - the minimum sample value - max - the maximum sample value - avg - the average value across all the samples - stddev - standard deviation across all the samples - stdvar - standard variance across all the samples - histogram_bucket - creates VictoriaMetrics histogram for input samples - quantiles(phi1, ..., phiN) - quantiles' estimation for phi in the range [0..1]\n\nThe output time series will have the following names:\n\n input_name:aggr_<interval>_<output> | []string | true | | by | By is an optional list of labels for grouping input series.\n\nSee also Without.\n\nIf neither By nor Without are set, then the Outputs are calculated individually per each input time series. 
| []string | false | | without | Without is an optional list of labels, which must be excluded when grouping input series.\n\nSee also By.\n\nIf neither By nor Without are set, then the Outputs are calculated individually per each input time series. | []string | false | @@ -1007,15 +1038,15 @@ VMAlert executes a list of given alerting or recording rules against configured ## VMAlertDatasourceSpec -VMAgentRemoteReadSpec defines the remote storage configuration for VmAlert to read alerts from +VMAlertDatasourceSpec defines the remote storage configuration for VmAlert to read alerts from | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | | url | Victoria Metrics or VMSelect url. Required parameter. E.g. http://127.0.0.1:8428 | string | true | | basicAuth | | *[BasicAuth](#basicauth) | false | -| OAuth2 | | *[OAuth2](#oauth2) | false | +| oauth2 | | *[OAuth2](#oauth2) | false | | tlsConfig | | *[TLSConfig](#tlsconfig) | false | -| bearerTokenFilePath | | string | false | +| bearerTokenFile | Path to bearer token file | string | false | | bearerTokenSecret | Optional bearer auth token to use for -remoteWrite.url | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | headers | Headers allow configuring custom http headers Must be in form of semicolon separated header with value e.g. headerName:headerValue vmalert supports it since 1.79.0 version | []string | false | 
@@ -1041,9 +1072,9 @@ VMAlertNotifierSpec defines the notifier url for sending information about alert | url | AlertManager url. E.g. http://127.0.0.1:9093 | string | false | | selector | Selector allows service discovery for alertmanager in this case all matched vmalertmanager replicas will be added into vmalert notifier.url as statefulset pod.fqdn | *[DiscoverySelector](#discoveryselector) | false | | basicAuth | | *[BasicAuth](#basicauth) | false | -| OAuth2 | | *[OAuth2](#oauth2) | false | +| oauth2 | | *[OAuth2](#oauth2) | false | | tlsConfig | | *[TLSConfig](#tlsconfig) | false | -| bearerTokenFilePath | | string | false | +| bearerTokenFile | Path to bearer token file | string | false | | bearerTokenSecret | Optional bearer auth token to use for -remoteWrite.url | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | headers | Headers allow configuring custom http headers Must be in form of semicolon separated header with value e.g. headerName:headerValue vmalert supports it since 1.79.0 version | []string | false | 
@@ -1051,16 +1082,16 @@ VMAlertNotifierSpec defines the notifier url for sending information about alert ## VMAlertRemoteReadSpec -VMAgentRemoteReadSpec defines the remote storage configuration for VmAlert to read alerts from +VMAlertRemoteReadSpec defines the remote storage configuration for VmAlert to read alerts from | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | | url | URL of the endpoint to send samples to. | string | true | | lookback | Lookback defines how far to look into past for alerts timeseries. For example, if lookback=1h then range from now() to now()-1h will be scanned. (default 1h0m0s) Applied only to RemoteReadSpec | *string | false | | basicAuth | | *[BasicAuth](#basicauth) | false | -| OAuth2 | | *[OAuth2](#oauth2) | false | +| oauth2 | | *[OAuth2](#oauth2) | false | | tlsConfig | | *[TLSConfig](#tlsconfig) | false | -| bearerTokenFilePath | | string | false | +| bearerTokenFile | Path to bearer token file | string | false | | bearerTokenSecret | Optional bearer auth token to use for -remoteWrite.url | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | headers | Headers allow configuring custom http headers Must be in form of semicolon separated header with value e.g. headerName:headerValue vmalert supports it since 1.79.0 version | []string | false | @@ -1068,7 +1099,7 @@ VMAgentRemoteReadSpec defines the remote storage configuration for VmAlert to re ## VMAlertRemoteWriteSpec -VMAgentRemoteWriteSpec defines the remote storage configuration for VmAlert +VMAlertRemoteWriteSpec defines the remote storage configuration for VmAlert | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | 
@@ -1078,9 +1109,9 @@ VMAgentRemoteWriteSpec defines the remote storage configuration for VmAlert | maxBatchSize | Defines defines max number of timeseries to be flushed at once (default 1000) | *int32 | false | | maxQueueSize | Defines the max number of pending datapoints to remote write endpoint (default 100000) | *int32 | false | | basicAuth | | *[BasicAuth](#basicauth) | false | -| OAuth2 | | *[OAuth2](#oauth2) | false | +| oauth2 | | *[OAuth2](#oauth2) | false | | tlsConfig | | *[TLSConfig](#tlsconfig) | false | -| bearerTokenFilePath | | string | false | +| bearerTokenFile | Path to bearer token file | string | false | | bearerTokenSecret | Optional bearer auth token to use for -remoteWrite.url | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | headers | Headers allow configuring custom http headers Must be in form of semicolon separated header with value e.g. headerName:headerValue vmalert supports it since 1.79.0 version | []string | false | 
@@ -1116,14 +1147,14 @@ VMAlertSpec defines the desired state of VMAlert | hostNetwork | HostNetwork controls whether the pod may use the node network namespace | bool | false | | dnsPolicy | DNSPolicy sets DNS policy for the pod | [v1.DNSPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#pod-v1-core) | false | | topologySpreadConstraints | TopologySpreadConstraints embedded kubernetes pod configuration option, controls how pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | [][v1.TopologySpreadConstraint](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) | false | -| evaluationInterval | EvaluationInterval how often evalute rules by default | string | false | +| evaluationInterval | EvaluationInterval defines how often to evaluate rules by default | string | false | | enforcedNamespaceLabel | EnforcedNamespaceLabel enforces adding a namespace label of origin for each alert and metric that is user created. The label value will always be the namespace of the object that is being created. | string | false | | selectAllByDefault | SelectAllByDefault changes default behavior for empty CRD selectors, such RuleSelector. with selectAllByDefault: true and empty serviceScrapeSelector and RuleNamespaceSelector Operator selects all exist serviceScrapes with selectAllByDefault: false - selects nothing | bool | false | | ruleSelector | RuleSelector selector to select which VMRules to mount for loading alerting rules from. Works in combination with NamespaceSelector. If both nil - behaviour controlled by selectAllByDefault NamespaceSelector nil - only objects at VMAlert namespace. 
| *[metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#labelselector-v1-meta) | false | | ruleNamespaceSelector | RuleNamespaceSelector to be selected for VMRules discovery. Works in combination with Selector. If both nil - behaviour controlled by selectAllByDefault NamespaceSelector nil - only objects at VMAlert namespace. | *[metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#labelselector-v1-meta) | false | | port | Port for listen | string | false | -| notifier | Notifier prometheus alertmanager endpoint spec. Required at least one of notifier or notifiers. e.g. http://127.0.0.1:9093 If specified both notifier and notifiers, notifier will be added as last element to notifiers. only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier | *[VMAlertNotifierSpec](#vmalertnotifierspec) | false | -| notifiers | Notifiers prometheus alertmanager endpoints. Required at least one of notifier or notifiers. e.g. http://127.0.0.1:9093 If specified both notifier and notifiers, notifier will be added as last element to notifiers. only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier | [][VMAlertNotifierSpec](#vmalertnotifierspec) | false | +| notifier | Notifier prometheus alertmanager endpoint spec. Required at least one of notifier or notifiers when there are alerting rules. e.g. http://127.0.0.1:9093 If specified both notifier and notifiers, notifier will be added as last element to notifiers. only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier | *[VMAlertNotifierSpec](#vmalertnotifierspec) | false | +| notifiers | Notifiers prometheus alertmanager endpoints. Required at least one of notifier or notifiers when there are alerting rules. e.g. http://127.0.0.1:9093 If specified both notifier and notifiers, notifier will be added as last element to notifiers. 
only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier | [][VMAlertNotifierSpec](#vmalertnotifierspec) | false | | notifierConfigRef | NotifierConfigRef reference for secret with notifier configuration for vmalert only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier | *[v1.SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#secretkeyselector-v1-core) | false | | remoteWrite | RemoteWrite Optional URL to remote-write compatible storage to persist vmalert state and rule results to. Rule results will be persisted according to each rule. Alerts state will be persisted in the form of time series named ALERTS and ALERTS_FOR_STATE see -remoteWrite.url docs in vmalerts for details. E.g. http://127.0.0.1:8428 | *[VMAlertRemoteWriteSpec](#vmalertremotewritespec) | false | | remoteRead | RemoteRead Optional URL to read vmalert state (persisted via RemoteWrite) This configuration only makes sense if alerts state has been successfully persisted (via RemoteWrite) before. see -remoteRead.url docs in vmalerts for details. E.g. http://127.0.0.1:8428 | *[VMAlertRemoteReadSpec](#vmalertremotereadspec) | false | 
@@ -1144,12 +1175,14 @@ VMAlertSpec defines the desired state of VMAlert | terminationGracePeriodSeconds | TerminationGracePeriodSeconds period for container graceful termination | *int64 | false | | dnsConfig | Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. | *v1.PodDNSConfig | false | | readinessGates | ReadinessGates defines pod readiness gates | []v1.PodReadinessGate | false | +| useStrictSecurity | UseStrictSecurity enables strict security mode for component it restricts disk writes access uses non-root user out of the box drops not needed security permissions | *bool | false | +| license | License allows to configure license key to be used for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See: https://docs.victoriametrics.com/enterprise.html | *[License](#license) | false | [Back to TOC](#table-of-contents) ## VMAlertStatus -VmAlertStatus defines the observed state of VmAlert +VMAlertStatus defines the observed state of VMAlert | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | 
@@ -1223,6 +1256,7 @@ VMSingleSpec defines the desired state of VMSingle | removePvcAfterDelete | RemovePvcAfterDelete - if true, controller adds ownership to pvc and after VMSingle objest deletion - pvc will be garbage collected by controller manager | bool | false | | retentionPeriod | RetentionPeriod for the stored metrics Note VictoriaMetrics has data/ and indexdb/ folders metrics from data/ removed eventually as soon as partition leaves retention period reverse index data at indexdb rotates once at the half of configured retention period https://docs.victoriametrics.com/Single-server-VictoriaMetrics.html#retention | string | true | | vmBackup | VMBackup configuration for backup | *[VMBackup](#vmbackup) | false | +| license | License allows to configure license key to be used for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See: https://docs.victoriametrics.com/enterprise.html | *[License](#license) | false | | extraArgs | ExtraArgs that will be passed to VMSingle pod for example remoteWrite.tmpDataPath: /tmp | map[string]string | false | | extraEnvs | ExtraEnvs that will be added to VMSingle pod | [][v1.EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#envvar-v1-core) | false | | serviceSpec | ServiceSpec that will be added to vmsingle service spec | *[ServiceSpec](#servicespec) | false | 
@@ -1234,6 +1268,7 @@ VMSingleSpec defines the desired state of VMSingle | terminationGracePeriodSeconds | TerminationGracePeriodSeconds period for container graceful termination | *int64 | false | | readinessGates | ReadinessGates defines pod readiness gates | []v1.PodReadinessGate | false | | streamAggrConfig | StreamAggrConfig defines stream aggregation configuration for VMSingle | *[StreamAggrConfig](#streamaggrconfig) | false | +| useStrictSecurity | UseStrictSecurity enables strict security mode for component it restricts disk writes access uses non-root user out of the box drops not needed security permissions | *bool | false | [Back to TOC](#table-of-contents) 
@@ -1243,10 +1278,12 @@ VMSingleStatus defines the observed state of VMSingle | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | -| replicas | ReplicaCount Total number of non-terminated pods targeted by this VMAlert cluster (their labels match the selector). | int32 | true | -| updatedReplicas | UpdatedReplicas Total number of non-terminated pods targeted by this VMAlert cluster that have the desired version spec. | int32 | true | -| availableReplicas | AvailableReplicas Total number of available pods (ready for at least minReadySeconds) targeted by this VMAlert cluster. | int32 | true | -| unavailableReplicas | UnavailableReplicas Total number of unavailable pods targeted by this VMAlert cluster. | int32 | true | +| replicas | ReplicaCount Total number of non-terminated pods targeted by this VMSingle. | int32 | true | +| updatedReplicas | UpdatedReplicas Total number of non-terminated pods targeted by this VMSingle. | int32 | true | +| availableReplicas | AvailableReplicas Total number of available pods (ready for at least minReadySeconds) targeted by this VMSingle. | int32 | true | +| unavailableReplicas | UnavailableReplicas Total number of unavailable pods targeted by this VMSingle. | int32 | true | +| singleStatus | | SingleStatus | true | +| reason | | string | false | [Back to TOC](#table-of-contents) 
@@ -1261,8 +1298,10 @@ Rule describes an alerting or recording rule. | expr | Expr is query, that will be evaluated at dataSource | string | true | | debug | Debug enables logging for rule it useful for tracking | *bool | false | | for | For evaluation interval in time.Duration format 30s, 1m, 1h or nanoseconds | string | false | +| keep_firing_for | KeepFiringFor will make alert continue firing for this long even when the alerting expression no longer has results. Use time.Duration format, 30s, 1m, 1h or nanoseconds | string | false | | labels | Labels will be added to rule configuration | map[string]string | false | | annotations | Annotations will be added to rule configuration | map[string]string | false | +| update_entries_limit | UpdateEntriesLimit defines max number of rule's state updates stored in memory. Overrides `-rule.updateEntriesLimit` in vmalert. | *int | false | [Back to TOC](#table-of-contents) @@ -1283,6 +1322,7 @@ RuleGroup is a list of sequentially evaluated recording and alerting rules. | params | Params optional HTTP URL parameters added to each rule request | url.Values | false | | type | Type defines datasource type for enterprise version of vmalert possible values - prometheus,graphite | string | false | | headers | Headers contains optional HTTP headers added to each rule request Must be in form `header-name: value` For example:\n headers:\n - \"CustomHeader: foo\"\n - \"CustomHeader2: bar\" | []string | false | +| notifier_headers | NotifierHeaders contains optional HTTP headers added to each alert request which will send to notifier Must be in form `header-name: value` For example:\n headers:\n - \"CustomHeader: foo\"\n - \"CustomHeader2: bar\" | []string | false | [Back to TOC](#table-of-contents) 
@@ -1442,7 +1482,7 @@ RelabelConfig allows dynamic rewriting of the label set, being applied to sample | modulus | Modulus to take of the hash of the source label values. | uint64 | false | | replacement | Replacement value against which a regex replace is performed if the regular expression matches. Regex capture groups are available. Default is '$1' | string | false | | action | Action to perform based on regex matching. Default is 'replace' | string | false | -| if | If represents metricsQL match expression: '{__name__=~\"foo_.*\"}' | string | false | +| if | If represents metricsQL match expression (or list of expressions): '{__name__=~\"foo_.*\"}' | StringOrArray | false | | match | Match is used together with Labels for `action: graphite` | string | false | | labels | Labels is used together with Match for `action: graphite` | map[string]string | false | @@ -1574,6 +1614,7 @@ PodMetricsEndpoint defines a scrapeable endpoint of a Kubernetes Pod serving Pro | authorization | Authorization with http header Authorization | *[Authorization](#authorization) | false | | vm_scrape_params | VMScrapeParams defines VictoriaMetrics specific scrape parametrs | *[VMScrapeParams](#vmscrapeparams) | false | | attach_metadata | AttachMetadata configures metadata attaching from service discovery | [AttachMetadata](#attachmetadata) | false | +| filterRunning | FilterRunning applies filter with pod status == running it prevents from scrapping metrics at failed or succeed state pods. enabled by default | *bool | false | [Back to TOC](#table-of-contents) 
@@ -1646,7 +1687,7 @@ Image defines docker image settings | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | -| acceptEULA | AcceptEULA accepts enterprise feature usage, must be set to true. otherwise backupmanager cannot be added to single/cluster version. https://victoriametrics.com/legal/eula/ | bool | true | +| acceptEULA | AcceptEULA accepts enterprise feature usage, must be set to true. otherwise backupmanager cannot be added to single/cluster version. https://victoriametrics.com/legal/esa/ | bool | true | | snapshotCreateURL | SnapshotCreateURL overwrites url for snapshot create | string | false | | snapshotDeleteURL | SnapShotDeleteURL overwrites url for snapshot delete | string | false | | concurrency | Defines number of concurrent workers. Higher concurrency may reduce backup duration (default 10) | *int32 | false | 
@@ -1705,9 +1746,11 @@ VMClusterSpec defines the desired state of VMCluster | serviceAccountName | ServiceAccountName is the name of the ServiceAccount to use to run the VMSelect, VMStorage and VMInsert Pods. | string | false | | clusterVersion | ClusterVersion defines default images tag for all components. it can be overwritten with component specific image.tag value. | string | false | | imagePullSecrets | ImagePullSecrets An optional list of references to secrets in the same namespace to use for pulling images from registries see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod | [][v1.LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#localobjectreference-v1-core) | false | +| license | License allows to configure license key to be used for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See: https://docs.victoriametrics.com/enterprise.html | *[License](#license) | false | | vmselect | | *[VMSelect](#vmselect) | false | | vminsert | | *[VMInsert](#vminsert) | false | | vmstorage | | *[VMStorage](#vmstorage) | false | +| useStrictSecurity | UseStrictSecurity enables strict security mode for component it restricts disk writes access uses non-root user out of the box drops not needed security permissions | *bool | false | [Back to TOC](#table-of-contents) 
@@ -1820,9 +1863,9 @@ VMClusterStatus defines the observed state of VMCluster | dnsPolicy | DNSPolicy sets DNS policy for the pod | [v1.DNSPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#pod-v1-core) | false | | dnsConfig | Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. | *v1.PodDNSConfig | false | | topologySpreadConstraints | TopologySpreadConstraints embedded kubernetes pod configuration option, controls how pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | [][v1.TopologySpreadConstraint](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) | false | -| cacheMountPath | CacheMountPath allows to add cache persistent for VMSelect | string | false | +| cacheMountPath | CacheMountPath allows to add cache persistent for VMSelect, will use \"/cache\" as default if not specified. | string | false | | persistentVolume | Storage - add persistent volume for cacheMounthPath its useful for persistent cache use storage instead of persistentVolume. | *[StorageSpec](#storagespec) | false | -| storage | StorageSpec - add persistent volume claim for cacheMounthPath its needed for persistent cache | *[StorageSpec](#storagespec) | false | +| storage | StorageSpec - add persistent volume claim for cacheMountPath its needed for persistent cache | *[StorageSpec](#storagespec) | false | | extraEnvs | ExtraEnvs that will be added to VMSelect pod | [][v1.EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#envvar-v1-core) | false | | extraArgs | | map[string]string | false | | port | Port listen port | string | false | 
@@ -1971,7 +2014,8 @@ StaticRef - user-defined routing host address. | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | -| url | URL http url for given staticRef. | string | true | +| url | URL http url for given staticRef. | string | false | +| urls | URLs allows setting multiple urls for load-balancing at vmauth-side. | []string | false | [Back to TOC](#table-of-contents) @@ -1986,6 +2030,8 @@ TargetRef describes target for user traffic forwarding. one of target types can | paths | Paths - matched path to route. | []string | false | | target_path_suffix | QueryParams []string `json:\"queryParams,omitempty\"` TargetPathSuffix allows to add some suffix to the target path It allows to hide tenant configuration from user with crd as ref. it also may contain any url encoded params. | string | false | | headers | Headers represent additional http headers, that vmauth uses in form of [\"header_key: header_value\"] multiple values for header key: [\"header_key: value1,value2\"] it's available since 1.68.0 version of vmauth | []string | false | +| response_headers | ResponseHeaders represent additional http headers, that vmauth adds for request response in form of [\"header_key: header_value\"] multiple values for header key: [\"header_key: value1,value2\"] it's available since 1.93.0 version of vmauth | []string | false | +| retry_status_codes | RetryStatusCodes defines http status codes in numeric format for request retries Can be defined per target or at VMUser.spec level e.g. [429,503] | []int | false | [Back to TOC](#table-of-contents) 
@@ -2001,6 +2047,17 @@ VMUser is the Schema for the vmusers API [Back to TOC](#table-of-contents) +## VMUserIPFilters + +VMUserIPFilters defines filters for IP addresses supported only with enterprise version of vmauth https://docs.victoriametrics.com/vmauth.html#ip-filters + +| Field | Description | Scheme | Required | +| ----- | ----------- | ------ | -------- | +| deny_list | | []string | false | +| allow_list | | []string | false | + +[Back to TOC](#table-of-contents) + ## VMUserList VMUserList contains a list of VMUser 
@@ -2026,6 +2083,13 @@ VMUserSpec defines the desired state of VMUser | generatePassword | GeneratePassword instructs operator to generate password for user if spec.password if empty. | bool | false | | bearerToken | BearerToken Authorization header value for accessing protected endpoint. | *string | false | | targetRefs | TargetRefs - reference to endpoints, which user may access. | [][TargetRef](#targetref) | true | +| default_url | DefaultURLs backend url for non-matching paths filter usually used for default backend with error message | []string | false | +| ip_filters | IPFilters defines per target src ip filters supported only with enterprise version of vmauth https://docs.victoriametrics.com/vmauth.html#ip-filters | [VMUserIPFilters](#vmuseripfilters) | false | +| headers | Headers represent additional http headers, that vmauth uses in form of [\"header_key: header_value\"] multiple values for header key: [\"header_key: value1,value2\"] it's available since 1.68.0 version of vmauth | []string | false | +| response_headers | ResponseHeaders represent additional http headers, that vmauth adds for request response in form of [\"header_key: header_value\"] multiple values for header key: [\"header_key: value1,value2\"] it's available since 1.93.0 version of vmauth | []string | false | +| retry_status_codes | RetryStatusCodes defines http status codes in numeric format for request retries e.g. [429,503] | []int | false | +| max_concurrent_requests | MaxConcurrentRequests defines max concurrent requests per user 300 is default value for vmauth | *int | false | +| disable_secret_creation | DisableSecretCreation skips related secret creation for vmuser | bool | false | [Back to TOC](#table-of-contents) 
@@ -2108,7 +2172,7 @@ VMAuthSpec defines the desired state of VMAuth | userNamespaceSelector | UserNamespaceSelector Namespaces to be selected for VMAuth discovery. Works in combination with Selector. NamespaceSelector nil - only objects at VMAuth namespace. Selector nil - only objects at NamespaceSelector namespaces. If both nil - behaviour controlled by selectAllByDefault | *[metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#labelselector-v1-meta) | false | | extraArgs | ExtraArgs that will be passed to VMAuth pod for example remoteWrite.tmpDataPath: /tmp | map[string]string | false | | extraEnvs | ExtraEnvs that will be added to VMAuth pod | [][v1.EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#envvar-v1-core) | false | -| serviceSpec | ServiceSpec that will be added to vmauth service spec | *[ServiceSpec](#servicespec) | false | +| serviceSpec | ServiceSpec that will be added to vmsingle service spec | *[ServiceSpec](#servicespec) | false | | serviceScrapeSpec | ServiceScrapeSpec that will be added to vmauth VMServiceScrape spec | *[VMServiceScrapeSpec](#vmservicescrapespec) | false | | podDisruptionBudget | PodDisruptionBudget created by operator | *[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec) | false | | ingress | Ingress enables ingress configuration for VMAuth. | *[EmbeddedIngress](#embeddedingress) | false | 
@@ -2118,6 +2182,21 @@ VMAuthSpec defines the desired state of VMAuth | nodeSelector | NodeSelector Define which Nodes the Pods are scheduled on. | map[string]string | false | | terminationGracePeriodSeconds | TerminationGracePeriodSeconds period for container graceful termination | *int64 | false | | readinessGates | ReadinessGates defines pod readiness gates | []v1.PodReadinessGate | false | +| unauthorizedAccessConfig | UnauthorizedAccessConfig configures access for un authorized users | [][VMAuthUnauthorizedPath](#vmauthunauthorizedpath) | false | +| useStrictSecurity | UseStrictSecurity enables strict security mode for component it restricts disk writes access uses non-root user out of the box drops not needed security permissions | *bool | false | +| license | License allows to configure license key to be used for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See: https://docs.victoriametrics.com/enterprise.html | *[License](#license) | false | + +[Back to TOC](#table-of-contents) + +## VMAuthUnauthorizedPath + +VMAuthUnauthorizedPath defines url_map for unauthorized access + +| Field | Description | Scheme | Required | +| ----- | ----------- | ------ | -------- | +| src_paths | Paths src request paths | []string | false | +| url_prefix | URLs defines url_prefix for dst routing | []string | false | +| ip_filters | IPFilters defines filter for src ip address enterprise only | [VMUserIPFilters](#vmuseripfilters) | false | [Back to TOC](#table-of-contents) 
@@ -2202,7 +2281,7 @@ ProbeTargetIngress defines the set of Ingress objects considered for probing. ## VMProbe -\n VMProbe defines a probe for targets, that will be executed with prober,\n like blackbox exporter.\nIt helps to monitor reachability of target with various checks. +VMProbe defines a probe for targets, that will be executed with prober, like blackbox exporter. It helps to monitor reachability of target with various checks. | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | diff --git a/hack/doc_header.md b/hack/doc_header.md index aa7c9218e..ec49e2086 100644 --- a/hack/doc_header.md +++ b/hack/doc_header.md @@ -6,6 +6,8 @@ menu: docs: parent: "operator" weight: 12 +aliases: + - /operator/api.html ---
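Review bot: In the VMClusterSpec hunk (@@ -1705,9 +1746,11 @@), the new `useStrictSecurity` description is an unpunctuated run-on ("it restricts disk writes access uses non-root user out of the box drops not needed security permissions") and does not say what happens when the `*bool` is left unset. Since this text is generated from the Go type comments, suggest fixing the comment there: separate the three effects with punctuation, state the default, and say whether the setting applies to vmselect, vminsert and vmstorage alike. The same sentence is repeated in the VMAuthSpec hunk and would benefit from the same fix.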
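Review bot: In the VMSelect hunk (@@ -1820,9 +1863,9 @@), the typo fix is incomplete: the `storage` row now reads "cacheMountPath", but the unchanged `persistentVolume` row directly above it still says "cacheMounthPath". Suggest correcting both rows in the same change so the two descriptions refer to the field by the same name.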
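Review bot: In the StaticRef hunk (@@ -1971,7 +2014,8 @@), `url` changes from required `true` to `false` and the new `urls` is also `false`, so the table now documents a StaticRef that is valid with neither field set. Suggest stating in one of the descriptions that at least one of `url` or `urls` must be provided and what vmauth does when both are set, and confirming that validation rejects an empty StaticRef rather than producing a route with no backend.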
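Review bot: In the TargetRef hunk (@@ -1986,6 +2030,8 @@), the `retry_status_codes` description says it "Can be defined per target or at VMUser.spec level" but not which one wins when both are set. Suggest documenting the precedence (override or merge) here and in the matching VMUserSpec row; the same question applies to `response_headers`, which is also added at both levels.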
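Review bot: In the new VMUserIPFilters section (@@ -2001,6 +2047,17 @@), both `deny_list` and `allow_list` have empty Description cells. For an access-control field the reader needs to know the accepted entry format and how the two lists combine when an address matches both, so suggest adding doc comments on the Go fields that cover this instead of relying only on the external vmauth link in the type description.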
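Review bot: In the VMUserSpec hunk (@@ -2026,6 +2083,13 @@), the `ip_filters` row is described as "per target src ip filters", yet the field is added to VMUserSpec and not to TargetRef, so the wording contradicts where the filter actually applies. Suggest rewording to say the filter applies to the whole user. Two smaller points in the same hunk: the `default_url` row has Scheme `[]string` and a description starting "DefaultURLs", so the singular JSON name is misleading, and `disable_secret_creation` does not say where the user's credentials are expected to come from when the secret is skipped.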
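Review bot: In the VMAuthSpec hunk (@@ -2108,7 +2172,7 @@), the `serviceSpec` description changes from "added to vmauth service spec" to "added to vmsingle service spec", which looks like a copy-paste regression: the section is VMAuthSpec and the neighbouring `serviceScrapeSpec` row still says vmauth. Suggest reverting this line to "vmauth" in the source type comment before regenerating docs/api.md.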
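Review bot: In the VMAuthSpec hunk (@@ -2118,6 +2182,21 @@), `unauthorizedAccessConfig` is documented only as "configures access for un authorized users", which understates that every entry in `src_paths` is routed to `url_prefix` without credentials. Suggest fixing the "un authorized" typo and stating explicitly that these paths are reachable without authentication, that the list is empty by default, and that the `ip_filters` restriction on VMAuthUnauthorizedPath is marked "enterprise only", so other deployments have no source-address limit on these routes. The `url_prefix` row also starts its description with "URLs", which does not match the field name.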