app/vmctl: print init auth config error

app/vmctl: allow basic auth without password
docs/changelog: add changelog
2026-06-10 20:33:53 +03:00 · 2026-06-10 18:21:51 +03:00 · 2026-06-10 18:17:09 +03:00 · 2026-06-10 17:56:15 +03:00 · 2026-06-10 17:29:46 +03:00
5 changed files with 39 additions and 24 deletions
--- a/app/vmctl/auth/auth.go
+++ b/app/vmctl/auth/auth.go
@@ -131,16 +131,13 @@ func (ac *authContext) initFromBasicAuthConfig(ba *BasicAuthConfig) error {
 	if ba.Username == "" {
 		return fmt.Errorf("missing `username` in `basic_auth` section")
 	}
-	if ba.Password != "" {
-		ac.getAuthHeader = func() string {
-			// See https://en.wikipedia.org/wiki/Basic_access_authentication
-			token := ba.Username + ":" + ba.Password
-			token64 := base64.StdEncoding.EncodeToString([]byte(token))
-			return "Basic " + token64
-		}
-		ac.authDigest = fmt.Sprintf("basic(username=%q, password=%q)", ba.Username, ba.Password)
-		return nil
+	ac.getAuthHeader = func() string {
+		// See https://en.wikipedia.org/wiki/Basic_access_authentication
+		token := ba.Username + ":" + ba.Password
+		token64 := base64.StdEncoding.EncodeToString([]byte(token))
+		return "Basic " + token64
 	}
+	ac.authDigest = fmt.Sprintf("basic(username=%q, password=%q)", ba.Username, ba.Password)
 	return nil
 }

--- a/app/vmctl/flags.go
+++ b/app/vmctl/flags.go
@@ -69,6 +69,8 @@ const (
 	vmAddr               = "vm-addr"
 	vmUser               = "vm-user"
 	vmPassword           = "vm-password"
+	vmHeaders            = "vm-headers"
+	vmBearerToken        = "vm-bearer-token"
 	vmAccountID          = "vm-account-id"
 	vmConcurrency        = "vm-concurrency"
 	vmCompress           = "vm-compress"
@@ -112,6 +114,16 @@ var (
 			Usage:   "VictoriaMetrics password for basic auth",
 			EnvVars: []string{"VM_PASSWORD"},
 		},
+		&cli.StringFlag{
+			Name: vmHeaders,
+			Usage: "Optional HTTP headers to send with each request to the corresponding destination address. \n" +
+				"For example, --vm-headers='My-Auth:foobar' would send 'My-Auth: foobar' HTTP header with every request to the corresponding destination address. \n" +
+				"Multiple headers must be delimited by '^^': --vm-headers='header1:value1^^header2:value2'",
+		},
+		&cli.StringFlag{
+			Name:  vmBearerToken,
+			Usage: "Optional bearer auth token to use for the corresponding --vm-addr",
+		},
 		&cli.StringFlag{
 			Name: vmAccountID,
 			Usage: "AccountID is an arbitrary 32-bit integer identifying namespace for data ingestion (aka tenant). \n" +
--- a/app/vmctl/main.go
+++ b/app/vmctl/main.go
@@ -457,7 +457,7 @@ func main() {
 						auth.WithBearer(c.String(vmNativeDstBearerToken)),
 						auth.WithHeaders(c.String(vmNativeDstHeaders)))
 					if err != nil {
-						return fmt.Errorf("error initialize auth config for destination: %s", dstAddr)
+						return fmt.Errorf("error initialize auth config for destination: %s: %s", dstAddr, err)
 					}

 					// create TLS config
@@ -596,11 +596,18 @@ func initConfigVM(c *cli.Context) (vm.Config, error) {
 		return vm.Config{}, fmt.Errorf("failed to create backoff object: %w", err)
 	}

+	authCfg, err := auth.Generate(
+		auth.WithBasicAuth(c.String(vmUser), c.String(vmPassword)),
+		auth.WithBearer(c.String(vmBearerToken)),
+		auth.WithHeaders(c.String(vmHeaders)))
+	if err != nil {
+		return vm.Config{}, fmt.Errorf("error initialize auth config for destination: %s: %s", addr, err)
+	}
+
 	return vm.Config{
 		Addr:               addr,
 		Transport:          tr,
-		User:               c.String(vmUser),
-		Password:           c.String(vmPassword),
+		AuthCfg:            authCfg,
 		Concurrency:        uint8(c.Int(vmConcurrency)),
 		Compress:           c.Bool(vmCompress),
 		AccountID:          c.String(vmAccountID),
--- a/app/vmctl/vm/vm.go
+++ b/app/vmctl/vm/vm.go
@@ -12,6 +12,7 @@ import (
 	"sync"
 	"time"

+	"github.com/VictoriaMetrics/VictoriaMetrics/app/vmctl/auth"
 	"github.com/VictoriaMetrics/metrics"

 	"github.com/VictoriaMetrics/VictoriaMetrics/app/vmctl/backoff"
@@ -27,6 +28,8 @@ type Config struct {
 	//   --httpListenAddr value for single node version
 	//   --httpListenAddr value of vmselect  component for cluster version
 	Addr string
+
+	AuthCfg *auth.Config
 	// Transport allows specifying custom http.Transport
 	Transport *http.Transport
 	// Concurrency defines number of worker
@@ -40,10 +43,6 @@ type Config struct {
 	// BatchSize defines how many samples
 	// importer collects before sending the import request
 	BatchSize int
-	// User name for basic auth
-	User string
-	// Password for basic auth
-	Password string
 	// SignificantFigures defines the number of significant figures to leave
 	// in metric values before importing.
 	// Zero value saves all the significant decimal places
@@ -65,11 +64,10 @@ type Config struct {
 // see https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#how-to-import-time-series-data
 type Importer struct {
 	addr       string
+	authCfg    *auth.Config
 	client     *http.Client
 	importPath string
 	compress   bool
-	user       string
-	password   string

 	close  chan struct{}
 	input  chan *TimeSeries
@@ -148,8 +146,7 @@ func NewImporter(ctx context.Context, cfg Config) (*Importer, error) {
 		client:     client,
 		importPath: importPath,
 		compress:   cfg.Compress,
-		user:       cfg.User,
-		password:   cfg.Password,
+		authCfg:    cfg.AuthCfg,
 		rl:         limiter.NewLimiter(cfg.RateLimit),
 		close:      make(chan struct{}),
 		input:      make(chan *TimeSeries, cfg.Concurrency*4),
@@ -304,8 +301,8 @@ func (im *Importer) Ping() error {
 	if err != nil {
 		return fmt.Errorf("cannot create request to %q: %w", im.addr, err)
 	}
-	if im.user != "" {
-		req.SetBasicAuth(im.user, im.password)
+	if im.authCfg != nil {
+		im.authCfg.SetHeaders(req, true)
 	}
 	resp, err := im.client.Do(req)
 	if err != nil {
@@ -334,8 +331,8 @@ func (im *Importer) Import(tsBatch []*TimeSeries) error {
 		im.importRequestsErrorsTotal.Inc()
 		return fmt.Errorf("cannot create request to %q: %w", im.addr, err)
 	}
-	if im.user != "" {
-		req.SetBasicAuth(im.user, im.password)
+	if im.authCfg != nil {
+		im.authCfg.SetHeaders(req, true)
 	}
 	if im.compress {
 		req.Header.Set("Content-Encoding", "gzip")
--- a/docs/victoriametrics/changelog/CHANGELOG.md
+++ b/docs/victoriametrics/changelog/CHANGELOG.md
@@ -26,6 +26,8 @@ See also [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-rel

 ## tip

+* FEATURE: [vmctl](https://docs.victoriametrics.com/victoriametrics/vmctl/): add `-vm-headers` and `-vm-bearer-token` flags for authenticating requests to the VictoriaMetrics import destination. The flags are available in `opentsdb`, `influx`, `remote-read`, `prometheus`, `mimir`, and `thanos` vmctl sub-commands. See [#8897](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/8897).
+
 * BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): fix issue with producing aggregated samples with identical timestamps between flushes. See PR [#10808](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10808) for details.

 ## [v1.145.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.145.0)
Author	SHA1	Message	Date
Max Kotliar	f00f4c816c	app/vmctl: print init auth config error	2026-06-10 18:21:51 +03:00
Max Kotliar	a47ffcca12	app/vmctl: allow basic auth without password	2026-06-10 18:17:09 +03:00
Max Kotliar	ba650b7436	docs/changelog: add changelog	2026-06-10 17:56:15 +03:00
Max Kotliar	5bf6dcc982	app/vmctl: add headers and bearer token flags for vm import destination Commit adds --vm-headers and --vm-bearer-token flags. This is useful when vmctl imports data to a VictoriaMetrics instance protected by authentication. Previously, to work around this limitation, a vmagent with remote write auth configured had to be spun up, and vmctl would write via it. This change allows vmctl to write directly. The flags are added to opentsdb, influx, remote-read, prometheus, mimir, thanos vmctl sub-commands. vm-native sub-command already supports such flags. See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/8897	2026-06-10 17:29:46 +03:00