feat: add victoriametrics read endpoint (#296)

* chore: refactor vmetrics endpoint configuration to single file

* chore: clean up vm endpoint configuration

* feat: add victoriametrics read endpoint

kubernetes/apps/monitoring-dev/victoria-metrics/ingress/kustomization.yaml

@@ -2,6 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./secret.yaml
-  - ./vmuser.yaml
-  - ./vmauth.yaml
+  - ./write.yaml
+  - ./read.yaml

kubernetes/apps/monitoring-dev/victoria-metrics/ingress/read.yaml

@@ -0,0 +1,42 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: vmetrics-read-token
+  namespace: monitoring-dev
+spec:
+  itemPath: "vaults/Kubernetes/items/vmetrics_read_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: read
+  namespace: monitoring-dev
+  labels:
+    vm-user: "read"
+spec:
+  tokenRef:
+    name: vmetrics-read-token
+    key: token
+  targetRefs:
+    - crd:
+        kind: VMSingle
+        name: vmetrics-dev
+        namespace: monitoring-dev
+      paths: ["/targets/api/v1","/targets","/metrics"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+  name: vmetrics-read-ingress
+  namespace: monitoring-dev
+spec:
+  userSelector:
+    matchLabels:
+      vm-user: "read"
+  ingress:
+    tlsSecretName: vmetrics-read-tls
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-production
+    class_name: nginx
+    tlsHosts:
+      - read.monitoring.dev.immich.cloud

kubernetes/apps/monitoring-dev/victoria-metrics/ingress/write.yaml

@@ -0,0 +1,43 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: vmetrics-write-token
+  namespace: monitoring-dev
+spec:
+  itemPath: "vaults/Kubernetes/items/vmetrics_write_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: write
+  namespace: monitoring-dev
+  labels:
+    vm-user: "write"
+spec:
+  tokenRef:
+    name: vmetrics-write-token
+    key: token
+  targetRefs:
+    - crd:
+        kind: VMSingle
+        name: vmetrics-dev
+        namespace: monitoring-dev
+      paths: ["/write"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+  name: vmetrics-write-ingress
+  namespace: monitoring-dev
+spec:
+  userSelector:
+    matchLabels:
+      vm-user: "write"
+  ingress:
+    tlsSecretName: vmetrics-write-tls
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-production
+    class_name: nginx
+    tlsHosts:
+      - write.monitoring.dev.immich.cloud
+      - cf-workers.monitoring.dev.immich.cloud

kubernetes/apps/monitoring/victoria-metrics/ingress/kustomization.yaml

@@ -2,6 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./secret.yaml
-  - ./vmuser.yaml
-  - ./vmauth.yaml
+  - ./write.yaml
+  - ./read.yaml

kubernetes/apps/monitoring/victoria-metrics/ingress/read.yaml

@@ -0,0 +1,42 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: vmetrics-read-token
+  namespace: monitoring
+spec:
+  itemPath: "vaults/Kubernetes/items/vmetrics_read_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: read
+  namespace: monitoring
+  labels:
+    vm-user: "read"
+spec:
+  tokenRef:
+    name: vmetrics-read-token
+    key: token
+  targetRefs:
+    - crd:
+        kind: VMSingle
+        name: vmetrics
+        namespace: monitoring
+      paths: ["/targets/api/v1","/targets","/metrics"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+  name: vmetrics-read-ingress
+  namespace: monitoring
+spec:
+  userSelector:
+    matchLabels:
+      vm-user: "read"
+  ingress:
+    tlsSecretName: vmetrics-read-tls
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-production
+    class_name: nginx
+    tlsHosts:
+      - read.monitoring.immich.cloud

kubernetes/apps/monitoring/victoria-metrics/ingress/write.yaml

@@ -0,0 +1,43 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: vmetrics-write-token
+  namespace: monitoring
+spec:
+  itemPath: "vaults/Kubernetes/items/vmetrics_write_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: write
+  namespace: monitoring
+  labels:
+    vm-user: "write"
+spec:
+  tokenRef:
+    name: vmetrics-write-token
+    key: token
+  targetRefs:
+    - crd:
+        kind: VMSingle
+        name: vmetrics
+        namespace: monitoring
+      paths: ["/write"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+  name: vmetrics-write-ingress
+  namespace: monitoring
+spec:
+  userSelector:
+    matchLabels:
+      vm-user: "write"
+  ingress:
+    tlsSecretName: vmetrics-write-tls
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-production
+    class_name: nginx
+    tlsHosts:
+      - write.monitoring.immich.cloud
+      - cf-workers.monitoring.immich.cloud

tf/deployment/modules/1password/account/k8s-secrets.tf

@@ -89,6 +89,28 @@ resource "onepassword_item" "vmetrics_write_token" {
   }
 }
 
+resource "random_password" "vmetrics_read_token" {
+  length  = 40
+  special = false
+}
+
+resource "onepassword_item" "vmetrics_read_token" {
+  for_each = { for vault in [data.onepassword_vault.kubernetes, data.onepassword_vault.tf_dev, data.onepassword_vault.tf_prod] : vault.name => vault }
+  vault    = each.value.uuid
+  title    = "vmetrics_read_token"
+  category = "secure_note"
+
+  section {
+    label = "Victoria Metrics read token"
+
+    field {
+      label = "token"
+      type  = "CONCEALED"
+      value = random_password.vmetrics_read_token.result
+    }
+  }
+}
+
 resource "random_password" "bot_github_webhook_slug" {
   length  = 40
   special = false