expose victoriametrics public with auth

[DaMandal0rian]

PR Type

Enhancement, Configuration changes

---

Description

• Added HTTP authentication for VictoriaMetrics using .env variables.

• Configured Traefik labels for VictoriaMetrics and Grafana services.

• Introduced a new Docker network vm_net for service isolation.

• Updated Grafana container name and Traefik routing rules.

---

Changes walkthrough 📝

	Relevant files
Configuration changes	.env.sample Add sample `.env` file for authentication                                logging/victoriametrics/deployment/docker/.env.sample Added sample .env file for HTTP authentication. Included placeholders for username and password. +3/-0
Enhancement	docker-compose.yml Update Docker Compose for authentication and Traefik          logging/victoriametrics/deployment/docker/docker-compose.yml Added HTTP authentication for VictoriaMetrics using .env variables. Configured Traefik labels for VictoriaMetrics and Grafana. Introduced vm_net network and updated service networks. Renamed Grafana container to grafanavm and updated routing rules. +36/-2

---

Need help?

Type /help how to ... in the comments thread for any questions about PR-Agent usage.

Check out the documentation for more information.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 Security concerns Sensitive information exposure: The .env.sample file includes placeholders for authentication credentials. Ensure that the actual .env file is not committed to the repository and is properly secured. Additionally, verify that the HTTP authentication implementation does not introduce vulnerabilities such as weak password policies or improper handling of credentials.

⚡ Recommended focus areas for review Sensitive Information Exposure The .env.sample file includes placeholder values for HTTP_AUTH_USERNAME and HTTP_AUTH_PASSWORD. Ensure that sensitive information is not accidentally committed or exposed in the .env file. #change the values and rename the file to .env HTTP_AUTH_USERNAME=username HTTP_AUTH_PASSWORD=password Configuration Validation The added Traefik labels and network configurations should be validated to ensure they work as intended, particularly for routing and service isolation. labels: - traefik.enable=true - traefik.http.services.victoriametrics.loadbalancer.server.port=8428 - traefik.http.routers.victoriametrics.rule=Host(`vmetrics.subspace.network`) - traefik.http.routers.victoriametrics.tls.certresolver=le - traefik.http.routers.victoriametrics.entrypoints=websecure - traefik.docker.network=traefik-proxy networks: - vm_net - traefik-proxy Authentication Configuration The new HTTP authentication parameters for VictoriaMetrics should be tested to confirm they are correctly applied and functional. - "--httpAuth.username=${HTTP_AUTH_USERNAME}" - "--httpAuth.password=${HTTP_AUTH_PASSWORD}"

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Replace hardcoded credentials with placeholders Avoid using hardcoded default credentials in the .env.sample file to prevent accidental exposure of sensitive information. Use placeholders like HTTP_AUTH_USERNAME= and HTTP_AUTH_PASSWORD= instead. logging/victoriametrics/deployment/docker/.env.sample [2-3] -HTTP_AUTH_USERNAME=username -HTTP_AUTH_PASSWORD=password +HTTP_AUTH_USERNAME=<your-username> +HTTP_AUTH_PASSWORD=<your-password> Suggestion importance[1-10]: 9 __ Why: Replacing hardcoded credentials with placeholders significantly improves security by reducing the risk of accidental exposure of sensitive information. This is a critical improvement for environments where the .env.sample file might be shared or exposed.	High
	Prevent sensitive data exposure in logs Ensure that sensitive environment variables like HTTP_AUTH_USERNAME and HTTP_AUTH_PASSWORD are not logged or exposed in container logs to prevent credential leakage. logging/victoriametrics/deployment/docker/docker-compose.yml [43-44] - "--httpAuth.username=${HTTP_AUTH_USERNAME}" - "--httpAuth.password=${HTTP_AUTH_PASSWORD}" +logging: + driver: "none" Suggestion importance[1-10]: 7 __ Why: Adding a logging driver configuration to prevent sensitive environment variables from being logged is a good security measure. However, the suggestion does not fully address how to implement this securely across all services, which slightly reduces its impact.	Medium
General	Add health check for service reliability Add a health check for the victoriametrics service to ensure the container is functioning correctly and can recover from failures. logging/victoriametrics/deployment/docker/docker-compose.yml [24-25] victoriametrics: container_name: victoriametrics + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:8428/health"] + interval: 30s + timeout: 10s + retries: 3 ... Suggestion importance[1-10]: 8 __ Why: Adding a health check to the victoriametrics service improves reliability by ensuring the container is functioning correctly and can recover from failures. This is a valuable enhancement for maintaining service uptime.	Medium
	Verify Traefik network configuration correctness Validate that the traefik.docker.network and networks configurations are correctly set up and match the external Traefik network to avoid runtime connectivity issues. logging/victoriametrics/deployment/docker/docker-compose.yml [52-55] +- traefik.docker.network=traefik-proxy +networks: + - vm_net + - traefik-proxy - Suggestion importance[1-10]: 5 __ Why: The suggestion to validate network configurations is useful for avoiding runtime connectivity issues. However, it is not actionable as it only asks for verification without proposing specific changes or improvements.	Low