feat: 引入 vmauth 鉴权与严格多租户

- 对外端口统一为 18428（vmauth 入口），VM 不再直接暴露宿主机端口
- 边缘 vmagent 与中央 Prometheus remote_write 增加 basic auth
- 支持 tenants.csv 驱动的 per-tenant 写入/查询隔离，并提供管理员跨租户只读查询
- 更新 Grafana provisioning 与部署/文档

Made-with: Cursor

central-server/config/prometheus/prometheus.yml

@@ -21,7 +21,10 @@ global:
 # 远程写入：将中央 Prometheus 抓取到的本地服务指标推送到 VictoriaMetrics
 # （边缘节点由 vmagent 直接 remote_write 到 VictoriaMetrics）
 remote_write:
-  - url: http://victoria-metrics:8428/api/v1/write
+  - url: http://vmauth:8427/api/v1/write
+    basic_auth:
+      username: ${VMAUTH_WRITE_USER}
+      password: ${VMAUTH_WRITE_PASSWORD}
     queue_config:
       max_samples_per_send: 10000
       capacity: 20000

central-server/config/prometheus/prometheus.yml.template

@@ -21,7 +21,10 @@ global:
 # 远程写入：将中央 Prometheus 抓取到的本地服务指标推送到 VictoriaMetrics
 # （边缘节点由 vmagent 直接 remote_write 到 VictoriaMetrics）
 remote_write:
-  - url: http://victoria-metrics:${VICTORIAMETRICS_PORT}/api/v1/write
+  - url: http://vmauth:8427/api/v1/write
+    basic_auth:
+      username: ${VMAUTH_WRITE_USER}
+      password: ${VMAUTH_WRITE_PASSWORD}
     queue_config:
       max_samples_per_send: ${PROMETHEUS_REMOTE_WRITE_MAX_SAMPLES}
       capacity: ${PROMETHEUS_REMOTE_WRITE_CAPACITY}
@@ -40,7 +43,7 @@ scrape_configs:
     scrape_interval: ${PROMETHEUS_SCRAPE_INTERVAL}s
     metrics_path: '/metrics'
     static_configs:
-      - targets: ['victoria-metrics:${VICTORIAMETRICS_PORT}']
+      - targets: ['victoria-metrics:8428']
 
   # 抓取Alertmanager
   - job_name: 'alertmanager'