api/vmauth: add new field useProxyProtocol

f41gh7 · f41gh7 · commit 70bdbe5621b2 · 2025-04-15T19:36:16.000+02:00
It instructs vmauth to use proxy protocol v2 for incoming requests. It's useful for vmauth installations behind TCP load balancers. If this option is set, vmauth starts using TCP readiness and liveness probes and disables vmservice scrape creation. Unless it has internalListenPort configured (which is recommended). Related issue: #1309
diff --git a/api/operator/v1beta1/vmauth_types.go b/api/operator/v1beta1/vmauth_types.go
@@ -120,6 +120,10 @@ type VMAuthSpec struct {
 	// related doc https://docs.victoriametrics.com/vmauth/#security
 	// +optional
 	InternalListenPort string `json:"internalListenPort,omitempty"`
+
+	// UseProxyProtocol enables proxy protocol for vmauth
+	// https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt
+	UseProxyProtocol bool `json:"useProxyProtocol,omitempty"`
 }
 
 // VMAuthUnauthorizedUserAccessSpec defines unauthorized_user section configuration for vmauth
diff --git a/api/operator/v1beta1/vmextra_types.go b/api/operator/v1beta1/vmextra_types.go
@@ -375,15 +375,6 @@ func (ss *AdditionalServiceSpec) NameOrDefault(defaultName string) string {
 	return defaultName + "-additional-service"
 }
 
-// MaybeEnableProxyProtocol conditionally adds proxy protocol for custom config-reloader image
-// useful for vmagent and vmauth
-func MaybeEnableProxyProtocol(args []string, extaArgs map[string]string) []string {
-	if v, ok := extaArgs["httpListenAddr.useProxyProtocol"]; ok && v == "true" {
-		args = append(args, "--reload-use-proxy-protocol")
-	}
-	return args
-}
-
 // BuildReloadPathWithPort builds reload api path for given args
 func BuildReloadPathWithPort(extraArgs map[string]string, port string) string {
 	proto := protoFromFlags(extraArgs)
diff --git a/config/crd/overlay/crd.yaml b/config/crd/overlay/crd.yaml
@@ -16074,6 +16074,11 @@ spec:
                   UseDefaultResources controls resource settings
                   By default, operator sets built-in resource requirements
                 type: boolean
+              useProxyProtocol:
+                description: |-
+                  UseProxyProtocol enables proxy protocol for vmauth
+                  https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt
+                type: boolean
               useStrictSecurity:
                 description: |-
                   UseStrictSecurity enables strict security mode for component
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -20,6 +20,8 @@ aliases:
 
 * FEATURE: [operator](https://docs.victoriametrics.com/operator): support `VM_METRICS_VERSION` and `VM_LOGS_VERSION` env variables as a source for all VM and VL related CR image versions
 * FEATURE: [vmauth](https://docs.victoriametrics.com/operator/resources/vmauth/): add new field `internalListenPort` for serving internal routes. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1302) and this [docs](https://docs.victoriametrics.com/vmauth/#security).
+* FEATURE: [vmauth](https://docs.victoriametrics.com/operator/resources/vmauth/): add new field `useProxyProtocol` for enabling [proxy protocol](https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt
+) for vmauth. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1309).
 * FEATURE: [vmalertmanager](https://docs.victoriametrics.com/operator/resources/vmalertmanager): add runtime configuration validation. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1299) for details.
 * FEATURE: [operator](https://docs.victoriametrics.com/operator): add `StatefulSet` volumeMounts name validation. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1303) for details.
 
diff --git a/docs/api.md b/docs/api.md
@@ -3434,6 +3434,7 @@ _Appears in:_
 | <a href="#vmauthspec-unauthorizedaccessconfig"><code id="vmauthspec-unauthorizedaccessconfig">unauthorizedAccessConfig</code></a><br/>_[UnauthorizedAccessConfigURLMap](#unauthorizedaccessconfigurlmap) array_ | UnauthorizedAccessConfig configures access for un authorized users<br /><br />Deprecated, use unauthorizedUserAccessSpec instead<br />will be removed at v1.0 release |
 | <a href="#vmauthspec-unauthorizeduseraccessspec"><code id="vmauthspec-unauthorizeduseraccessspec">unauthorizedUserAccessSpec</code></a><br/>_[VMAuthUnauthorizedUserAccessSpec](#vmauthunauthorizeduseraccessspec)_ | _(Optional)_<br/>UnauthorizedUserAccessSpec defines unauthorized_user config section of vmauth config |
 | <a href="#vmauthspec-usedefaultresources"><code id="vmauthspec-usedefaultresources">useDefaultResources</code></a><br/>_boolean_ | _(Optional)_<br/>UseDefaultResources controls resource settings<br />By default, operator sets built-in resource requirements |
+| <a href="#vmauthspec-useproxyprotocol"><code id="vmauthspec-useproxyprotocol">useProxyProtocol</code></a><br/>_boolean_ | UseProxyProtocol enables proxy protocol for vmauth<br />https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt |
 | <a href="#vmauthspec-usestrictsecurity"><code id="vmauthspec-usestrictsecurity">useStrictSecurity</code></a><br/>_boolean_ | _(Optional)_<br/>UseStrictSecurity enables strict security mode for component<br />it restricts disk writes access<br />uses non-root user out of the box<br />drops not needed security permissions |
 | <a href="#vmauthspec-usevmconfigreloader"><code id="vmauthspec-usevmconfigreloader">useVMConfigReloader</code></a><br/>_boolean_ | _(Optional)_<br/>UseVMConfigReloader replaces prometheus-like config-reloader<br />with vm one. It uses secrets watch instead of file watch<br />which greatly increases speed of config updates |
 | <a href="#vmauthspec-usernamespaceselector"><code id="vmauthspec-usernamespaceselector">userNamespaceSelector</code></a><br/>_[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#labelselector-v1-meta)_ | _(Optional)_<br/>UserNamespaceSelector Namespaces to be selected for  VMAuth discovery.<br />Works in combination with Selector.<br />NamespaceSelector nil - only objects at VMAuth namespace.<br />Selector nil - only objects at NamespaceSelector namespaces.<br />If both nil - behaviour controlled by selectAllByDefault |
diff --git a/docs/env.md b/docs/env.md
@@ -3,7 +3,7 @@
 | --- | --- | --- | --- |
 | VM_USECUSTOMCONFIGRELOADER | false | false | enables custom config reloader for vmauth and vmagent, it should speed-up config reloading process. |
 | VM_CONTAINERREGISTRY | - | false | container registry name prefix, e.g. docker.io |
-| VM_CUSTOMCONFIGRELOADERIMAGE | victoriametrics/operator:config-reloader-v0.48.4 | false |  |
+| VM_CUSTOMCONFIGRELOADERIMAGE | victoriametrics/operator:config-reloader-v0.56.0 | false |  |
 | VM_PSPAUTOCREATEENABLED | false | false |  |
 | VM_CONFIG_RELOADER_LIMIT_CPU | unlimited | false | defines global resource.limits.cpu for all config-reloader containers |
 | VM_CONFIG_RELOADER_LIMIT_MEMORY | unlimited | false | defines global resource.limits.memory for all config-reloader containers |
diff --git a/internal/controller/operator/factory/vmagent/vmagent.go b/internal/controller/operator/factory/vmagent/vmagent.go
@@ -1526,9 +1526,6 @@ func buildConfigReloaderArgs(cr *vmv1beta1.VMAgent) []string {
 	if cr.HasAnyRelabellingConfigs() {
 		args = append(args, fmt.Sprintf("--%s=%s", dirsArg, vmv1beta1.RelabelingConfigDir))
 	}
-	if useVMConfigReloader {
-		args = vmv1beta1.MaybeEnableProxyProtocol(args, cr.Spec.ExtraArgs)
-	}
 	if len(cr.Spec.ConfigReloaderExtraArgs) > 0 {
 		for idx, arg := range args {
 			cleanArg := strings.Split(strings.TrimLeft(arg, "-"), "=")[0]
diff --git a/internal/controller/operator/factory/vmauth/vmauth.go b/internal/controller/operator/factory/vmauth/vmauth.go
@@ -68,7 +68,9 @@ func CreateOrUpdateVMAuth(ctx context.Context, cr *vmv1beta1.VMAuth, rclient cli
 	if err := createOrUpdateVMAuthIngress(ctx, rclient, cr); err != nil {
 		return fmt.Errorf("cannot create or update ingress for vmauth: %w", err)
 	}
-	if !ptr.Deref(cr.Spec.DisableSelfServiceScrape, false) {
+	if !ptr.Deref(cr.Spec.DisableSelfServiceScrape, false) &&
+		!useProxyProtocol(cr) &&
+		len(cr.Spec.InternalListenPort) != 0 {
 		if err := reconcile.VMServiceScrapeForCRD(ctx, rclient, buildServiceScrape(svc, cr)); err != nil {
 			return err
 		}
@@ -146,6 +148,9 @@ func makeSpecForVMAuth(cr *vmv1beta1.VMAuth) (*corev1.PodTemplateSpec, error) {
 	}
 	args = append(args, fmt.Sprintf("-auth.config=%s", configPath))
 
+	if cr.Spec.UseProxyProtocol {
+		args = append(args, "-httpListenAddr.useProxyProtocol=true")
+	}
 	if cr.Spec.LogLevel != "" {
 		args = append(args, fmt.Sprintf("-loggerLevel=%s", cr.Spec.LogLevel))
 	}
@@ -303,7 +308,7 @@ func makeSpecForVMAuth(cr *vmv1beta1.VMAuth) (*corev1.PodTemplateSpec, error) {
 		TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 		ImagePullPolicy:          cr.Spec.Image.PullPolicy,
 	}
-	vmauthContainer = build.Probe(vmauthContainer, cr)
+	vmauthContainer = addVMAuthProbes(cr, vmauthContainer)
 
 	// move vmauth container to the 0 index
 	operatorContainers = append([]corev1.Container{vmauthContainer}, operatorContainers...)
@@ -508,8 +513,8 @@ func buildVMAuthConfigReloaderContainer(cr *vmv1beta1.VMAuth) corev1.Container {
 	useVMConfigReloader := ptr.Deref(cr.Spec.UseVMConfigReloader, false)
 	if useVMConfigReloader {
 		configReloaderArgs = append(configReloaderArgs, fmt.Sprintf("--config-secret-name=%s/%s", cr.Namespace, cr.ConfigSecretName()))
-		if len(cr.Spec.InternalListenPort) == 0 {
-			configReloaderArgs = vmv1beta1.MaybeEnableProxyProtocol(configReloaderArgs, cr.Spec.ExtraArgs)
+		if len(cr.Spec.InternalListenPort) == 0 && useProxyProtocol(cr) {
+			configReloaderArgs = append(configReloaderArgs, "--reload-use-proxy-protocol")
 		}
 	} else {
 		configReloaderArgs = append(configReloaderArgs, fmt.Sprintf("--config-file=%s", path.Join(vmAuthConfigMountGz, vmAuthConfigNameGz)))
@@ -708,3 +713,40 @@ func buildServiceScrape(svc *corev1.Service, cr *vmv1beta1.VMAuth) *vmv1beta1.VM
 	}
 	return b
 }
+
+func useProxyProtocol(cr *vmv1beta1.VMAuth) bool {
+	if cr.Spec.UseProxyProtocol {
+		return true
+	}
+	if v, ok := cr.Spec.ExtraArgs["httpListenAddr.useProxyProtocol"]; ok && v == "true" {
+		return true
+	}
+
+	return false
+}
+
+func addVMAuthProbes(cr *vmv1beta1.VMAuth, vmauthContainer corev1.Container) corev1.Container {
+	if useProxyProtocol(cr) &&
+		len(cr.Spec.InternalListenPort) == 0 &&
+		cr.Spec.EmbeddedProbes == nil {
+		probePort := intstr.Parse(cr.ProbePort())
+		cr.Spec.EmbeddedProbes = &vmv1beta1.EmbeddedProbes{
+			ReadinessProbe: &corev1.Probe{
+				ProbeHandler: corev1.ProbeHandler{
+					TCPSocket: &corev1.TCPSocketAction{
+						Port: probePort,
+					},
+				},
+			},
+			LivenessProbe: &corev1.Probe{
+				ProbeHandler: corev1.ProbeHandler{
+					TCPSocket: &corev1.TCPSocketAction{
+						Port: probePort,
+					},
+				},
+			},
+		}
+	}
+	vmauthContainer = build.Probe(vmauthContainer, cr)
+	return vmauthContainer
+}
diff --git a/test/e2e/vmauth_test.go b/test/e2e/vmauth_test.go
@@ -509,25 +509,7 @@ var _ = Describe("test vmauth Controller", func() {
 					},
 					testStep{
 						modify: func(cr *v1beta1vm.VMAuth) {
-							cr.Spec.ExtraArgs = map[string]string{
-								"httpListenAddr.useProxyProtocol": "true",
-							}
-							cr.Spec.EmbeddedProbes = &v1beta1vm.EmbeddedProbes{
-								LivenessProbe: &corev1.Probe{
-									ProbeHandler: corev1.ProbeHandler{
-										TCPSocket: &corev1.TCPSocketAction{
-											Port: intstr.FromInt32(8427),
-										},
-									},
-								},
-								ReadinessProbe: &corev1.Probe{
-									ProbeHandler: corev1.ProbeHandler{
-										TCPSocket: &corev1.TCPSocketAction{
-											Port: intstr.FromInt32(8427),
-										},
-									},
-								},
-							}
+							cr.Spec.UseProxyProtocol = true
 						},
 						verify: func(cr *v1beta1vm.VMAuth) {},
 					},
