VictoriaMetrics · AndrewChubatiuk · Dec 11, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 6, 2025
@@ -1256,7 +1256,8 @@ func (hc *HTTPConfig) validate() error {
 	return nil
 }
 
-func (r *VMAlertmanagerConfig) AsKey() string {
+// AsKey returns unique key for object
+func (r *VMAlertmanagerConfig) AsKey(_ bool) string {
 	return fmt.Sprintf("%s/%s", r.Namespace, r.Name)
 }
 

@@ -87,6 +87,11 @@ func (cr *VMNodeScrape) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata
 }
 
+// AsKey returns unique key for object
+func (cr *VMNodeScrape) AsKey(_ bool) string {
+	return cr.Namespace + "/" + cr.Name
+}
+
 func init() {
 	SchemeBuilder.Register(&VMNodeScrape{}, &VMNodeScrapeList{})
 }
@@ -142,6 +142,11 @@ func (cr *VMPodScrape) Validate() error {
 	return nil
 }
 
+// AsKey returns unique key for object
+func (cr *VMPodScrape) AsKey(_ bool) string {
+	return cr.Namespace + "/" + cr.Name
+}
+
 // GetStatusMetadata implements reconcile.objectWithStatus interface
 func (cr *VMPodScrape) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata

@@ -141,6 +141,11 @@ func (cr *VMProbe) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata
 }
 
+// AsKey returns unique key for object
+func (cr *VMProbe) AsKey(_ bool) string {
+	return cr.Namespace + "/" + cr.Name
+}
+
 // Validate returns error if CR is invalid
 func (cr *VMProbe) Validate() error {
 	if MustSkipCRValidation(cr) {

@@ -144,6 +144,11 @@ func (cr *VMRule) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata
 }
 
+// AsKey returns unique key for object
+func (cr *VMRule) AsKey(_ bool) string {
+	return fmt.Sprintf("%s-%s.yaml", cr.Namespace, cr.Name)
+}
+
 // Validate performs semantic validation of object
 func (cr *VMRule) Validate() error {
 	if MustSkipCRValidation(cr) {

@@ -530,6 +530,11 @@ func (cr *VMScrapeConfig) Validate() error {
 	return cr.Spec.validate()
 }
 
+// AsKey returns unique key for object
+func (cr *VMScrapeConfig) AsKey(_ bool) string {
+	return cr.Namespace + "/" + cr.Name
+}
+
 // GetStatusMetadata implements reconcile.objectWithStatus interface
 func (cr *VMScrapeConfig) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata

@@ -164,6 +164,11 @@ func (cr *VMServiceScrape) Validate() error {
 	return nil
 }
 
+// AsKey returns unique key for object
+func (cr *VMServiceScrape) AsKey(_ bool) string {
+	return cr.Namespace + "/" + cr.Name
+}
+
 // GetStatusMetadata implements reconcile.objectWithStatus interface
 func (cr *VMServiceScrape) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata

@@ -93,6 +93,11 @@ func (cr *VMStaticScrape) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata
 }
 
+// AsKey returns unique key for object
+func (cr *VMStaticScrape) AsKey(_ bool) string {
+	return cr.Namespace + "/" + cr.Name
+}
+
 func init() {
 	SchemeBuilder.Register(&VMStaticScrape{}, &VMStaticScrapeList{})
 }
@@ -2,6 +2,7 @@ package v1beta1
 
 import (
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -15,10 +16,10 @@ type VMUserSpec struct {
 	// Name of the VMUser object.
 	// +optional
 	Name *string `json:"name,omitempty"`
-	// UserName basic auth user name for accessing protected endpoint,
+	// Username basic auth user name for accessing protected endpoint,
 	// will be replaced with metadata.name of VMUser if omitted.
 	// +optional
-	UserName *string `json:"username,omitempty"`
+	Username *string `json:"username,omitempty"`
 	// Password basic auth password for accessing protected endpoint.
 	// +optional
 	Password *string `json:"password,omitempty"`
@@ -119,6 +120,7 @@ func (cr *CRDRef) AddRefToObj(obj client.Object) client.Object {
 	return obj
 }
 
+// AsKey returns unique key for object
 func (cr *CRDRef) AsKey() string {
 	return fmt.Sprintf("%s/%s/%s", cr.Kind, cr.Namespace, cr.Name)
 }
@@ -232,11 +234,37 @@ func (cr *VMUser) GetStatusMetadata() *StatusMetadata {
 	return &cr.Status.StatusMetadata
 }
 
+func (cr *VMUser) AsKey(hide bool) string {
+	var id string
+	if cr.Spec.Username != nil {
+		v := *cr.Spec.Username
+		if hide {
+			v = strings.Repeat("*", 5)
+		}
+		id = "basicAuth:" + v
+	}
+	if cr.Spec.Password != nil {
+		v := *cr.Spec.Password
+		if hide {
+			v = strings.Repeat("*", 5)
+		}
+		return id + ":" + v
+	}
+	if cr.Spec.BearerToken != nil {
+		v := *cr.Spec.BearerToken
+		if hide {
+			v = strings.Repeat("*", 5)
+		}
+		return "bearerToken:" + v
+	}
+	return id
+}
+
 func (cr *VMUser) Validate() error {
 	if MustSkipCRValidation(cr) {
 		return nil
 	}
-	if cr.Spec.UserName != nil && cr.Spec.BearerToken != nil {
+	if cr.Spec.Username != nil && cr.Spec.BearerToken != nil {
 		return fmt.Errorf("one of spec.username and spec.bearerToken must be defined for user, got both")
 	}
 	if cr.Spec.PasswordRef != nil && cr.Spec.Password != nil {

@@ -18,15 +18,15 @@ func TestVMUser_Validate(t *testing.T) {
 	// invalid auths
 	f(&VMUser{
 		Spec: VMUserSpec{
-			UserName:    ptr.To("user"),
+			Username:    ptr.To("user"),
 			BearerToken: ptr.To("bearer"),
 		},
 	}, true)
 
 	// invalid ref
 	f(&VMUser{
 		Spec: VMUserSpec{
-			UserName: ptr.To("some-user"),
+			Username: ptr.To("some-user"),
 			TargetRefs: []TargetRef{
 				{
 					CRD:    &CRDRef{Name: "sm"},
@@ -39,7 +39,7 @@ func TestVMUser_Validate(t *testing.T) {
 	// invalid ref wo targets
 	f(&VMUser{
 		Spec: VMUserSpec{
-			UserName: ptr.To("some-user"),
+			Username: ptr.To("some-user"),
 			TargetRefs: []TargetRef{
 				{
 					Paths: []string{"/some-path"},
@@ -51,7 +51,7 @@ func TestVMUser_Validate(t *testing.T) {
 	// invalid ref crd, bad empty ns
 	f(&VMUser{
 		Spec: VMUserSpec{
-			UserName: ptr.To("some-user"),
+			Username: ptr.To("some-user"),
 			TargetRefs: []TargetRef{
 				{
 					CRD: &CRDRef{
@@ -68,7 +68,7 @@ func TestVMUser_Validate(t *testing.T) {
 	// incorrect password
 	f(&VMUser{
 		Spec: VMUserSpec{
-			UserName: ptr.To("some-user"),
+			Username: ptr.To("some-user"),
 			Password: ptr.To("some-password"),
 			PasswordRef: &corev1.SecretKeySelector{
 				Key: "some-key",

@@ -41233,7 +41233,7 @@ spec:
                 x-kubernetes-map-type: atomic
               username:
                 description: |-
-                  UserName basic auth user name for accessing protected endpoint,
+                  Username basic auth user name for accessing protected endpoint,
                   will be replaced with metadata.name of VMUser if omitted.
                 type: string
             required:

@@ -15,6 +15,7 @@ aliases:
 
 * FEATURE: [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): support `namespace` parameter in `attach_metadata` section for all scrape configurations. See [#1654](https://github.com/VictoriaMetrics/operator/issues/1654).
 * FEATURE: [vlagent](https://docs.victoriametrics.com/operator/resources/vlagent): support logs collection. See [#1501](https://github.com/VictoriaMetrics/operator/issues/1501).
+* FEATURE: [vmoperator](https://docs.victoriametrics.com/operator/): use `operator_bad_objects_total` metric with `object_namespace` and `crd` labels to track invalid objects managed by VMAgent, VMAuth, VMAlert and VMAlertmanager. Old `operator_alertmanager_bad_objects_count` and `operator_vmalert_bad_objects_count` are deprecated and will be removed in next releases.
 
 * BUGFIX: [vmoperator](https://docs.victoriametrics.com/operator/): fixed HPA cleanup logic for all cluster resources, before it was constantly recreated. Bug introduced in [this commit](https://github.com/VictoriaMetrics/operator/commit/983d1678c37497a7d03d2f57821219fd4975deec).
 

@@ -4952,7 +4952,7 @@ Appears in: [VMUser](#vmuser)
 | targetRefs<a href="#vmuserspec-targetrefs" id="vmuserspec-targetrefs">#</a><br/>_[TargetRef](#targetref) array_ | _(Required)_<br/>TargetRefs - reference to endpoints, which user may access. |
 | tlsConfig<a href="#vmuserspec-tlsconfig" id="vmuserspec-tlsconfig">#</a><br/>_[TLSConfig](#tlsconfig)_ | _(Optional)_<br/>TLSConfig defines tls configuration for the backend connection |
 | tokenRef<a href="#vmuserspec-tokenref" id="vmuserspec-tokenref">#</a><br/>_[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#secretkeyselector-v1-core)_ | _(Optional)_<br/>TokenRef allows fetching token from user-created secrets by its name and key. |
-| username<a href="#vmuserspec-username" id="vmuserspec-username">#</a><br/>_string_ | _(Optional)_<br/>UserName basic auth user name for accessing protected endpoint,<br />will be replaced with metadata.name of VMUser if omitted. |
+| username<a href="#vmuserspec-username" id="vmuserspec-username">#</a><br/>_string_ | _(Optional)_<br/>Username basic auth user name for accessing protected endpoint,<br />will be replaced with metadata.name of VMUser if omitted. |