-
Dependency: vmoperator: Updated default versions for VM apps to v1.147.0 version
-
Dependency: vmoperator: Updated default versions for VL apps to v1.51.0.
-
Dependency: vmoperator: Updated default versions for VT apps to v0.9.4 version.
-
SECURITY: vmagent, vmsingle: remove cluster-wide
secretsandconfigmapspermissions from the operator-managedClusterRole. Secret access for the config-reloader is now granted via a namespace-scopedRolelimited to the single operator-managed config secret. Forvmsinglein ingest-only mode (the default), no secret or configmap permissions are granted at all. -
FEATURE: vmuser, vmauth: add
access_logfield support. See docs and #2359. -
FEATURE: vmuser: add
useExtraServiceboolean field tocrd.namespacedNameandcrd.objectsentries inVMUsertarget references. When set totrue, the operator resolves the target URL using the CR's additional service (configured viaspec.serviceSpec) instead of the default service. This lets you route VMAuth traffic to a dedicated service with different port mappings or service type without changing the primary service. See related types:CRDRef,NamespacedName. See #2333. -
FEATURE: vmoperator: add
useLegacyNamingfield to all operator CRs. When enabled, managed resources are named using the standalone Helm chart convention (CR name directly for single-component CRs;<name>-<component>for cluster CRs) instead of the default operator prefix convention. Useful when migrating from standalone charts to operator-managed resources without recreating existing resources. -
FEATURE: vmdistributed: support using
VMSinglebackends alongsideVMClusterbackends in separate zones. -
FEATURE: vmoperator: add
VM_OPENSHIFT_COMPATIBILITYenv var (OpenshiftCompatibilityModeconfig field, defaultauto) to enable OpenShift-specific compatibility features for managed pods. Inautomode the operator detects OpenShift at startup via presence ofsecurity.openshift.io/v1API group. Currently covers automatic mounting of theopenshift-service-ca.crtConfigMap intoVMAgentandVMSinglepods at/etc/ssl/certs/openshift-service-ca/service-ca.crt, so that targets signed with the OpenShift service signing CA could be verified without additional TLS config. Supported values:auto,enabled,disabled. See #2971. -
BUGFIX: vmcluster: fix CR getting permanently stuck in
expandingstatus after an image update when HPA is enabled onvminsert,vmselect, orvmstorage. The operator was comparing a stale replica count (captured at reconcile start) against live status fields, so the readiness check could never pass once HPA changed the replica count mid-rollout. The same issue affectedVMAuth,VLCluster, andVTClustercomponents with HPA enabled. See #2324. -
BUGFIX: config-reloader: fix possible panic on Secret watch events when the informer's local cache fell out of sync and Kubernetes delivered a stale tombstone entry instead of the Secret object. The config-reloader now unwraps tombstones correctly and logs an error for any other unexpected types.
-
BUGFIX: vmanomaly: add missing
scatter_infer_jobsfield to the periodic scheduler config struct. See #2328. -
BUGFIX: vmoperator: switch default app probes to
tcpSocketstartupProbewhen TLS is enabled on the managed HTTP endpoint. This avoids broken kubelethttpGetchecks against TLS and mTLS-protected workloads. See #1824. -
BUGFIX: vmagent, vmsingle: create a
RoleandRoleBindingin each namespace listed inWATCH_NAMESPACESso that vmagent/vmsingle can perform service discovery in all watched namespaces, not only its own. Previously, in namespaced mode, vmagent/vmsingle could only scrape targets from its own namespace due to missing RBAC in other watched namespaces. -
BUGFIX: vmagent: fix missing credential secret and config-reloader setup in
ingestOnlyModewhen remote write entries carry authentication secrets (basicAuth.password,bearerTokenSecret, oroauth2.clientSecret). Previously the operator-managed secret containing the credential files was never created in ingest-only mode, causing vmagent to start with dangling file references. The secret is now reconciled and the config-reloader is configured to watch it for credential rotation.