vmuser: support multiple objects of same kind instead of multiple kinds for a single backend

[AndrewChubatiuk]

this PR introduces targetRefs[*].crds, which was basically needed for vmdistributed, now proposing to add targetsRefs[*].crd.objects instead. multiple objects of a single kind most likely have same path prefixes and endpoints, which is important to get predictable response while querying given backend.

additionally given below changes fix issue #1840:

• added vmauth spec.defaultTargetRefs that can be referenced in VMUser spec
• disabled unauthorized access in vmdistributed by default

---

Summary by cubic

VMUser now supports multiple same‑kind targets per backend via targetRefs[*].crd.objects. VMAuth adds spec.defaultTargetRefs so VMUser and unauthorized access can reference shared read/write backends by name; VMDistributed predefines these and disables unauthorized access by default.

• Migration
  • Replace targetRefs[*].crds with targetRefs[*].crd.objects; keep crd.kind and list each object as {name, namespace}.
  • For a single target, crd.name and crd.namespace still work.
  • Use targetRefs[*].name to reference VMAuth.spec.defaultTargetRefs; inline fields override defaults. UnauthorizedUserAccessSpec.targetRefs also supports names.
  • Validation still requires exactly one of crd or static per TargetRef; CRD schema, examples, docs, and controller/tests are updated.

^{Written for commit 047667b. Summary will update on new commits.}

[cubic-dev-ai]

5 issues found across 10 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/api.md">

<violation number="1" location="docs/api.md:2230">
P3: The new `NamespacedName` field descriptions are misleadingly CRD-specific; they should describe generic Kubernetes object references to match the section definition.</violation>
</file>

<file name="api/operator/v1beta1/vmuser_types.go">

<violation number="1" location="api/operator/v1beta1/vmuser_types.go:163">
P1: `crd.objects` entries are not validated for empty name/namespace, so invalid objects can be accepted and then fail later at reconcile time.</violation>
</file>

<file name="internal/controller/operator/factory/vmauth/vmusers_config.go">

<violation number="1" location="internal/controller/operator/factory/vmauth/vmusers_config.go:320">
P1: Cache-hit handling returns from `updateCache` too early, skipping remaining CRD objects in the same ref.</violation>
</file>

<file name="docs/CHANGELOG.md">

<violation number="1" location="docs/CHANGELOG.md:21">
P3: The new changelog sentence is unclear due to duplicated wording ("multiple referencing multiple"), which reduces documentation quality and can confuse users about the feature behavior.</violation>

<violation number="2" location="docs/CHANGELOG.md:21">
P1: Custom agent: **Changelog Review Agent**

Changelog entry is missing the mandatory issue/PR reference required by the changelog structure (Required structure §4: References).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Custom agent: Changelog Review Agent

Changelog entry is missing the mandatory issue/PR reference required by the changelog structure (Required structure §4: References).

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/CHANGELOG.md, line 21:

<comment>Changelog entry is missing the mandatory issue/PR reference required by the changelog structure (Required structure §4: References).</comment>

<file context>
@@ -18,7 +18,7 @@ aliases:
 * FEATURE: [vmsingle](https://docs.victoriametrics.com/operator/resources/vmsingle/): VMSingle reuses vmagent implementation to allow scraping and relabelling. See [#1694](https://github.com/VictoriaMetrics/operator/issues/1694)
 * FEATURE: [vmoperator](https://docs.victoriametrics.com/operator/): perform statefulset pods deletion instead of eviction when maxUnavailable set to 100%, which is important for [minimum downtime strategy](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#minimum-downtime-strategy). See [#1706](https://github.com/VictoriaMetrics/operator/issues/1706).
-* FEATURE: [vmuser](https://docs.victoriametrics.com/operator/resources/vmuser/): support `targetRefs[*].crds` to place multiple CRD objects behind a single backend
+* FEATURE: [vmuser](https://docs.victoriametrics.com/operator/resources/vmuser/): support multiple referencing multiple targets of same kind at `targetRefs[*].crd.objects`.
 
 * BUGFIX: [vmoperator](https://docs.victoriametrics.com/operator/): VMPodScrape for VLAgent and VMAgent now uses the correct port; previously it used the wrong port and could cause scrape failures. See [#1887](https://github.com/VictoriaMetrics/operator/issues/1887).
</file context>

[cubic-dev-ai]

5 issues found across 10 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="internal/controller/operator/factory/vmauth/vmusers_config.go">

<violation number="1" location="internal/controller/operator/factory/vmauth/vmusers_config.go:105">
P1: Default backend merges are applied to range-variable copies, so merged TargetRef values are not persisted for config generation.</violation>
</file>

<file name="config/crd/overlay/crd.yaml">

<violation number="1" location="config/crd/overlay/crd.yaml:25437">
P1: `crd.objects` is introduced, but schema validation still requires `crd.name` and `crd.namespace`, preventing object-list-only configurations.</violation>
</file>

<file name="docs/api.md">

<violation number="1" location="docs/api.md:2961">
P2: `TargetRef.name` is documented as required, but it is only required for `spec.defaultTargetRefs` and optional in regular `targetRefs`.</violation>

<violation number="2" location="docs/api.md:3729">
P2: `VMAuth.spec.defaultTargetRefs` is documented as required, but the API defines it as optional.</violation>
</file>

<file name="api/operator/v1beta1/vmauth_types.go">

<violation number="1" location="api/operator/v1beta1/vmauth_types.go:453">
P2: Default targetRef retry validation uses the wrong global retry source, causing incorrect acceptance/rejection of configs.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[vrutkovs]

I don't think this ever made it to a released version, right?

[AndrewChubatiuk]

it was in 0.69 rc

[vrutkovs]

Are these hardcoded names in VMDistributed? We should add those to the docs

[AndrewChubatiuk]

right, added to VMAuth spec.defaultTargetRefs property, which allows to add predefined backends, that can be referenced in unanauthorized user section and VMUser as well. for VMDistributed this list has two items with read and write names

let's mentioned it in docs.

this change is kind a breaking, as it requires existing VMDistributed users to update CR manuallly, but suppose it's fine since CRD is in alpha

[AndrewChubatiuk]

added authorization section to VMDistributed docs and section about predefined backends to VMAuth

[vrutkovs]

Why not swap it on call time?

[AndrewChubatiuk]

before in merge result was stored to base and in case of repeated parameters override had higher priority, with this change still want to store merge result to base, but change priorities

[vrutkovs]

ah, yes, we mutate the vars here.