feat: 引入 vmauth 鉴权与严格多租户

- 对外端口统一为 18428（vmauth 入口），VM 不再直接暴露宿主机端口 - 边缘 vmagent 与中央 Prometheus remote_write 增加 basic auth - 支持 tenants.csv 驱动的 per-tenant 写入/查询隔离，并提供管理员跨租户只读查询 - 更新 Grafana provisioning 与部署/文档 Made-with: Cursor
2026-04-22 11:41:13 +00:00
parent ab1515dffb
commit c4825c2d27
21 changed files with 278 additions and 37 deletions
--- a/edge-agent/deploy.sh
+++ b/edge-agent/deploy.sh
@@ -14,7 +14,7 @@ if [ "$1" = "--local" ]; then
    [ ! -f .env ] && [ -f env.example ] && cp env.example .env
    sed -i 's/^CENTRAL_SERVER_HOST=.*/CENTRAL_SERVER_HOST=host.docker.internal/' .env 2>/dev/null || \
        echo 'CENTRAL_SERVER_HOST=host.docker.internal' >> .env
-    grep -q '^CENTRAL_SERVER_PORT=' .env || echo 'CENTRAL_SERVER_PORT=8428' >> .env
+    grep -q '^CENTRAL_SERVER_PORT=' .env || echo 'CENTRAL_SERVER_PORT=18428' >> .env
 fi

 # Docker 环境
--- a/edge-agent/docker-compose.yml
+++ b/edge-agent/docker-compose.yml
@@ -10,7 +10,9 @@ services:
    restart: unless-stopped
    environment:
      - CENTRAL_SERVER_HOST=${CENTRAL_SERVER_HOST:-192.168.1.10}
-      - CENTRAL_SERVER_PORT=${CENTRAL_SERVER_PORT:-8428}
+      - CENTRAL_SERVER_PORT=${CENTRAL_SERVER_PORT:-18428}
+      - VMAUTH_WRITE_USER=${VMAUTH_WRITE_USER:-vm_write}
+      - VMAUTH_WRITE_PASSWORD=${VMAUTH_WRITE_PASSWORD:-change-me-strong-write}
    volumes:
      - vmagent-cache-data:/cache
      - ./config/vmagent/vmagent-scrape.yml.template:/etc/vmagent/scrape.yml:ro
@@ -25,6 +27,8 @@ services:
    command:
      - -promscrape.config=/etc/vmagent/scrape.yml
      - -remoteWrite.url=http://${CENTRAL_SERVER_HOST}:${CENTRAL_SERVER_PORT}/api/v1/write
+      - -remoteWrite.basicAuth.username=${VMAUTH_WRITE_USER}
+      - -remoteWrite.basicAuth.password=${VMAUTH_WRITE_PASSWORD}
      - -remoteWrite.tmpDataPath=/cache/remotewrite
      - -remoteWrite.maxDiskUsagePerURL=512MB
      - -memory.allowedPercent=80
--- a/edge-agent/env.example
+++ b/edge-agent/env.example
@@ -5,19 +5,23 @@ CENTRAL_SERVER_HOST=192.168.1.10
 # 本机同机: CENTRAL_SERVER_HOST=host.docker.internal

 # 中央服务器端口
-CENTRAL_SERVER_PORT=8428
+CENTRAL_SERVER_PORT=18428
 # 常用端口说明:
-# 8428 - VictoriaMetrics (推荐)
+# 18428 - VictoriaMetrics (推荐)
 # 9090 - Prometheus
 # 8080 - 自定义端口

 # 边缘节点标识
 EDGE_NODE_ID=workernode_1

+# vmauth 写入账号（需与中央 central-server/.env 保持一致）
+VMAUTH_WRITE_USER=vm_write
+VMAUTH_WRITE_PASSWORD=change-me-strong-write
+
 # 远程写入配置
 # 边缘节点会将数据推送到中央服务器的VictoriaMetrics
 # 格式: http://域名或IP:端口/api/v1/write
-# 默认端口: 8428 (VictoriaMetrics)
+# 默认端口: 18428 (VictoriaMetrics)

 # 边缘缓存：docker-compose 使用 vmagent，含内存+磁盘缓存，详见 doc/EDGE_AGENT_CONFIG.md