Skip to content

Latest commit

 

History

History
4325 lines (2863 loc) · 307 KB

api.md

File metadata and controls

4325 lines (2863 loc) · 307 KB
weight title menu aliases
12
API Docs
docs
parent weight
operator
12
/operator/api/
/operator/api/index.html
/operator/api.html

Packages

operator.victoriametrics.com/v1beta1

Package v1beta1 contains API Schema definitions for the victoriametrics v1beta1 API group

Resource Types

APIServerConfig

APIServerConfig defines a host and auth methods to access apiserver.

Appears in:

Field Description Scheme Required
authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerToken Bearer token for accessing apiserver. string false
bearerTokenFile File to read bearer token for accessing apiserver. string false
host Host of apiserver.
A valid string consisting of a hostname or IP followed by an optional port number
string true
tlsConfig TLSConfig Config to use for accessing apiserver. TLSConfig false

AdditionalServiceSpec

ServiceSpec defines additional service for CRD with user-defined params. by default, some of fields can be inherited from default service definition for the CRD: labels,selector, ports. if metadata.name is not defined, service will have format {{CRD_TYPE}}-{{CRD_NAME}}-additional-service. if UseAsDefault is set to true, changes applied to the main service without additional service creation

Appears in:

Field Description Scheme Required
metadata Refer to Kubernetes API documentation for fields of metadata. EmbeddedObjectMetadata false
spec ServiceSpec describes the attributes that a user creates on a service.
More info: https://kubernetes.io/docs/concepts/services-networking/service/
ServiceSpec true
useAsDefault UseAsDefault applies changes from given service definition to the main object Service
Changing from headless service to clusterIP or loadbalancer may break cross-component communication
boolean false

AlertmanagerGossipConfig

AlertmanagerGossipConfig defines Gossip TLS configuration for alertmanager

Appears in:

Field Description Scheme Required
tls_client_config TLSClientConfig defines client TLS configuration for alertmanager TLSClientConfig true
tls_server_config TLSServerConfig defines server TLS configuration for alertmanager TLSServerConfig true

AlertmanagerHTTPConfig

AlertmanagerHTTPConfig defines http server configuration for alertmanager

Appears in:

Field Description Scheme Required
headers Headers defines list of headers that can be added to HTTP responses. object (keys:string, values:string) false
http2 HTTP2 enables HTTP/2 support. Note that HTTP/2 is only supported with TLS.
This can not be changed on the fly.
boolean false

AlertmanagerWebConfig

AlertmanagerWebConfig defines web server configuration for alertmanager

Appears in:

Field Description Scheme Required
basic_auth_users BasicAuthUsers Usernames and hashed passwords that have full access to the web server
Passwords must be hashed with bcrypt
object (keys:string, values:string) false
http_server_config HTTPServerConfig defines http server configuration for alertmanager web server AlertmanagerHTTPConfig false
tls_server_config TLSServerConfig defines server TLS configuration for alertmanager TLSServerConfig false

ArbitraryFSAccessThroughSMsConfig

ArbitraryFSAccessThroughSMsConfig enables users to configure, whether a service scrape selected by the vmagent instance is allowed to use arbitrary files on the file system of the vmagent container. This is the case when e.g. a service scrape specifies a BearerTokenFile in an endpoint. A malicious user could create a service scrape selecting arbitrary secret files in the vmagent container. Those secrets would then be sent with a scrape request by vmagent to a malicious target. Denying the above would prevent the attack, users can instead use the BearerTokenSecret field.

Appears in:

Field Description Scheme Required
deny boolean true

AttachMetadata

AttachMetadata configures metadata attachment

Appears in:

Field Description Scheme Required
node Node instructs vmagent to add node specific metadata from service discovery
Valid for roles: pod, endpoints, endpointslice.
boolean false

Authorization

Authorization configures generic authorization params

Appears in:

Field Description Scheme Required
credentials Reference to the secret with value for authorization SecretKeySelector true
credentialsFile File with value for authorization string false
type Type of authorization, default to bearer string false

AzureSDConfig

AzureSDConfig allow retrieving scrape targets from Azure VMs. See here

Appears in:

Field Description Scheme Required
authenticationMethod # The authentication method, either OAuth or ManagedIdentity.
See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
string false
clientID Optional client ID. Only required with the OAuth authentication method. string false
clientSecret Optional client secret. Only required with the OAuth authentication method. SecretKeySelector false
environment The Azure environment. string false
port The port to scrape metrics from. If using the public IP address, this must
instead be specified in the relabeling rule.
integer false
resourceGroup Optional resource group name. Limits discovery to this resource group. string false
subscriptionID The subscription ID. Always required. string true
tenantID Optional tenant ID. Only required with the OAuth authentication method. string false

BasicAuth

BasicAuth allow an endpoint to authenticate over basic authentication

Appears in:

Field Description Scheme Required
password Password defines reference for secret with password value
The secret needs to be in the same namespace as scrape object
SecretKeySelector false
password_file PasswordFile defines path to password file at disk
must be pre-mounted
string false
username Username defines reference for secret with username value
The secret needs to be in the same namespace as scrape object
SecretKeySelector false

BearerAuth

BearerAuth defines auth with bearer token

Appears in:

Field Description Scheme Required
bearerTokenFile Path to bearer token file string false
bearerTokenSecret Optional bearer auth token to use for -remoteWrite.url SecretKeySelector false

CRDRef

CRDRef describe CRD target reference.

Appears in:

Field Description Scheme Required
kind Kind one of:
VMAgent,VMAlert, VMSingle, VMCluster/vmselect, VMCluster/vmstorage,VMCluster/vminsert or VMAlertManager
string true
name Name target CRD object name string true
namespace Namespace target CRD object namespace. string true

Certs

Certs defines TLS certs configuration

Appears in:

Field Description Scheme Required
cert_file CertFile defines path to the pre-mounted file with certificate
mutually exclusive with CertSecretRef
string false
cert_secret_ref CertSecretRef defines reference for secret with certificate content under given key
mutually exclusive with CertFile
SecretKeySelector false
key_file KeyFile defines path to the pre-mounted file with certificate key
mutually exclusive with KeySecretRef
string false
key_secret_ref Key defines reference for secret with certificate key content under given key
mutually exclusive with KeyFile
SecretKeySelector false

CommonApplicationDeploymentParams

CommonApplicationDeploymentParams defines common params for deployment and statefulset specifications

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

CommonConfigReloaderParams

Appears in:

Field Description Scheme Required
configReloaderExtraArgs ConfigReloaderExtraArgs that will be passed to VMAuths config-reloader container
for example resyncInterval: "30s"
object (keys:string, values:string) false
configReloaderImageTag ConfigReloaderImageTag defines image:tag for config-reloader container string false
configReloaderResources ConfigReloaderResources config-reloader container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
useVMConfigReloader UseVMConfigReloader replaces prometheus-like config-reloader
with vm one. It uses secrets watch instead of file watch
which greatly increases speed of config updates
boolean false

CommonDefaultableParams

CommonDefaultableParams contains Application settings with known values populated from operator configuration

Appears in:

Field Description Scheme Required
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
port Port listen address string false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false

Condition

Condition defines status condition of the resource

Appears in:

Field Description Scheme Required
lastTransitionTime lastTransitionTime is the last time the condition transitioned from one status to another. Time true
lastUpdateTime LastUpdateTime is the last time of given type update.
This value is used for status TTL update and removal
Time true
message message is a human readable message indicating details about the transition.
This may be an empty string.
string false
observedGeneration observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
integer false
reason reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
string true
type Type of condition in CamelCase or in name.namespace.resource.victoriametrics.com/CamelCase. string true

ConfigMapKeyReference

ConfigMapKeyReference refers to a key in a ConfigMap.

Appears in:

Field Description Scheme Required
key The ConfigMap key to refer to. string true

ConsulSDConfig

ConsulSDConfig defines a Consul service discovery configuration. See here

Appears in:

Field Description Scheme Required
allowStale Allow stale Consul results (see https://developer.hashicorp.com/consul/api-docs/features/consistency). Will reduce load on Consul.
If unset, use its default value.
boolean false
authorization Authorization header to use on every scrape request. Authorization false
basicAuth BasicAuth information to use on every scrape request. BasicAuth false
datacenter Consul Datacenter name, if not provided it will use the local Consul Agent Datacenter. string false
filter Filter defines filter for /v1/catalog/services requests
See https://developer.hashicorp.com/consul/api-docs/features/filtering
string false
followRedirects Configure whether HTTP requests follow HTTP 3xx redirects.
If unset, use its default value.
boolean false
namespace Namespaces are only supported in Consul Enterprise. string false
nodeMeta Node metadata key/value pairs to filter nodes for a given service. object (keys:string, values:string) false
oauth2 OAuth2 defines auth configuration OAuth2 false
partition Admin Partitions are only supported in Consul Enterprise. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
proxy_client_config ProxyClientConfig configures proxy auth settings for scraping
See feature description
ProxyAuth false
scheme HTTP Scheme default "http" string false
server A valid string consisting of a hostname or IP followed by an optional port number. string true
services A list of services for which targets are retrieved. If omitted, all services are scraped. string array false
tagSeparator The string by which Consul tags are joined into the tag label.
If unset, use its default value.
string false
tags An optional list of tags used to filter nodes for a given service. Services must contain all tags in the list. string array false
tlsConfig TLS configuration to use on every scrape request TLSConfig false
tokenRef Consul ACL TokenRef, if not provided it will use the ACL from the local Consul Agent. SecretKeySelector false

ContainerSecurityContext

ContainerSecurityContext defines security context for each application container

Appears in:

Field Description Scheme Required
allowPrivilegeEscalation AllowPrivilegeEscalation controls whether a process can gain more
privileges than its parent process. This bool directly controls if
the no_new_privs flag will be set on the container process.
AllowPrivilegeEscalation is true always when the container is:
1) run as Privileged
2) has CAP_SYS_ADMIN
Note that this field cannot be set when spec.os.name is windows.
boolean false
capabilities The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by the container runtime.
Note that this field cannot be set when spec.os.name is windows.
Capabilities false
privileged Run containers in privileged mode.
Processes in privileged containers are essentially equivalent to root on the host.
Note that this field cannot be set when spec.os.name is windows.
boolean false
procMount procMount denotes the type of proc mount to use for the containers.
The default is DefaultProcMount which uses the container runtime defaults for
readonly paths and masked paths.
This requires the ProcMountType feature flag to be enabled.
Note that this field cannot be set when spec.os.name is windows.
ProcMountType false
readOnlyRootFilesystem Whether this containers has a read-only root filesystem.
Default is false.
Note that this field cannot be set when spec.os.name is windows.
boolean false

DNSSDConfig

DNSSDConfig allows specifying a set of DNS domain names which are periodically queried to discover a list of targets. The DNS servers to be contacted are read from /etc/resolv.conf. See here

Appears in:

Field Description Scheme Required
names A list of DNS domain names to be queried. string array true
port The port number used if the query type is not SRV
Ignored for SRV records
integer false
type string false

DigitalOceanSDConfig

DigitalOceanSDConfig allow retrieving scrape targets from DigitalOcean's Droplets API. This service discovery uses the public IPv4 address by default, by that can be changed with relabeling. See here

Appears in:

Field Description Scheme Required
authorization Authorization header to use on every scrape request. Authorization false
followRedirects Configure whether HTTP requests follow HTTP 3xx redirects. boolean false
oauth2 OAuth2 defines auth configuration OAuth2 false
port The port to scrape metrics from. integer false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
proxy_client_config ProxyClientConfig configures proxy auth settings for scraping
See feature description
ProxyAuth false
tlsConfig TLS configuration to use on every scrape request TLSConfig false

DiscordConfig

Appears in:

Field Description Scheme Required
http_config HTTP client configuration. HTTPConfig false
message The message body template string false
send_resolved SendResolved controls notify about resolved alerts. boolean false
title The message title template string false
webhook_url The discord webhook URL
one of urlSecret and url must be defined.
string false
webhook_url_secret URLSecret defines secret name and key at the CRD namespace.
It must contain the webhook URL.
one of urlSecret and url must be defined.
SecretKeySelector false

DiscoverySelector

DiscoverySelector can be used at CRD components discovery

Appears in:

Field Description Scheme Required
labelSelector LabelSelector true
namespaceSelector NamespaceSelector true

EC2Filter

EC2Filter is the configuration for filtering EC2 instances.

Appears in:

Field Description Scheme Required
name string true
values string array true

EC2SDConfig

EC2SDConfig allow retrieving scrape targets from AWS EC2 instances. The private IP address is used by default, but may be changed to the public IP address with relabeling. The IAM credentials used must have the ec2:DescribeInstances permission to discover scrape targets. See here

Appears in:

Field Description Scheme Required
accessKey AccessKey is the AWS API key. SecretKeySelector false
filters Filters can be used optionally to filter the instance list by other criteria.
Available filter criteria can be found here:
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
Filter API documentation: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Filter.html
EC2Filter array false
port The port to scrape metrics from. If using the public IP address, this must
instead be specified in the relabeling rule.
integer false
region The AWS region string false
roleARN AWS Role ARN, an alternative to using AWS API keys. string false
secretKey SecretKey is the AWS API secret. SecretKeySelector false

EmailConfig

EmailConfig configures notifications via Email.

Appears in:

Field Description Scheme Required
auth_identity The identity to use for authentication. string false
auth_password AuthPassword defines secret name and key at CRD namespace. SecretKeySelector false
auth_secret AuthSecret defines secrent name and key at CRD namespace.
It must contain the CRAM-MD5 secret.
SecretKeySelector false
auth_username The username to use for authentication. string false
from The sender address.
fallback to global setting if empty
string false
headers Further headers email header key/value pairs. Overrides any headers
previously set by the notification implementation.
object (keys:string, values:string) true
hello The hostname to identify to the SMTP server. string false
html The HTML body of the email notification. string false
require_tls The SMTP TLS requirement.
Note that Go does not support unencrypted connections to remote SMTP endpoints.
boolean false
send_resolved SendResolved controls notify about resolved alerts. boolean false
smarthost The SMTP host through which emails are sent.
fallback to global setting if empty
string false
text The text body of the email notification. string false
tls_config TLS configuration TLSConfig false
to The email address to send notifications to. string false

EmbeddedHPA

EmbeddedHPA embeds HorizontalPodAutoScaler spec v2. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/

Appears in:

Field Description Scheme Required
behaviour HorizontalPodAutoscalerBehavior true
maxReplicas integer true
metrics MetricSpec array true
minReplicas integer true

EmbeddedIngress

EmbeddedIngress describes ingress configuration options.

Appears in:

Field Description Scheme Required
annotations Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
object (keys:string, values:string) false
class_name ClassName defines ingress class name for VMAuth string false
extraRules ExtraRules - additional rules for ingress,
must be checked for correctness by user.
IngressRule array false
extraTls ExtraTLS - additional TLS configuration for ingress
must be checked for correctness by user.
IngressTLS array false
host Host defines ingress host parameter for default rule
It will be used, only if TlsHosts is empty
string false
labels Labels Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
object (keys:string, values:string) false
name Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
string false
tlsHosts TlsHosts configures TLS access for ingress, tlsSecretName must be defined for it. string array true
tlsSecretName TlsSecretName defines secretname at the VMAuth namespace with cert and key
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
string false

EmbeddedObjectMetadata

EmbeddedObjectMetadata contains a subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta Only fields which are relevant to embedded resources are included.

Appears in:

Field Description Scheme Required
annotations Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
object (keys:string, values:string) false
labels Labels Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
object (keys:string, values:string) false
name Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
string false

EmbeddedPersistentVolumeClaim

EmbeddedPersistentVolumeClaim is an embedded version of k8s.io/api/core/v1.PersistentVolumeClaim. It contains TypeMeta and a reduced ObjectMeta.

Appears in:

Field Description Scheme Required
metadata Refer to Kubernetes API documentation for fields of metadata. EmbeddedObjectMetadata false
spec Spec defines the desired characteristics of a volume requested by a pod author.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
PersistentVolumeClaimSpec false

EmbeddedPodDisruptionBudgetSpec

Appears in:

Field Description Scheme Required
maxUnavailable An eviction is allowed if at most "maxUnavailable" pods selected by
"selector" are unavailable after the eviction, i.e. even in absence of
the evicted pod. For example, one can prevent all voluntary evictions
by specifying 0. This is a mutually exclusive setting with "minAvailable".
IntOrString false
minAvailable An eviction is allowed if at least "minAvailable" pods selected by
"selector" will still be available after the eviction, i.e. even in the
absence of the evicted pod. So for example you can prevent all voluntary
evictions by specifying "100%".
IntOrString false
selectorLabels replaces default labels selector generated by operator
it's useful when you need to create custom budget
object (keys:string, values:string) false

EmbeddedProbes

EmbeddedProbes - it allows to override some probe params. its not necessary to specify all options, operator will replace missing spec with default values.

Appears in:

Field Description Scheme Required
livenessProbe LivenessProbe that will be added CRD pod Probe false
readinessProbe ReadinessProbe that will be added CRD pod Probe false
startupProbe StartupProbe that will be added to CRD pod Probe false

Endpoint

Endpoint defines a scrapeable endpoint serving metrics.

Appears in:

Field Description Scheme Required
attach_metadata AttachMetadata configures metadata attaching from service discovery AttachMetadata false
authorization Authorization with http header Authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
follow_redirects FollowRedirects controls redirects for scraping. boolean false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
interval Interval at which metrics should be scraped string false
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
oauth2 OAuth2 defines auth configuration OAuth2 false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
port Name of the port exposed at Service. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
relabelConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targetPort TargetPort
Name or number of the pod port this endpoint refers to. Mutually exclusive with port.
IntOrString false
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

EndpointAuth

EndpointAuth defines target endpoint authorization options for scrapping

Appears in:

Field Description Scheme Required
authorization Authorization with http header Authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
oauth2 OAuth2 defines auth configuration OAuth2 false
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false

EndpointRelabelings

EndpointRelabelings defines service discovery and metrics relabeling configuration for endpoints

Appears in:

Field Description Scheme Required
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
relabelConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array false

EndpointScrapeParams

ScrapeTargetParams defines common configuration params for all scrape endpoint targets

Appears in:

Field Description Scheme Required
follow_redirects FollowRedirects controls redirects for scraping. boolean false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
interval Interval at which metrics should be scraped string false
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

ExternalConfig

ExternalConfig defines external source of configuration

Appears in:

Field Description Scheme Required
localPath LocalPath contains static path to a config, which is managed externally for cases
when using secrets is not applicable, e.g.: Vault sidecar.
string false
secretRef SecretRef defines selector for externally managed secret which contains configuration SecretKeySelector false

FileSDConfig

FileSDConfig defines a file service discovery configuration. See here

Appears in:

Field Description Scheme Required
files List of files to be used for file discovery. string array true

GCESDConfig

GCESDConfig configures scrape targets from GCP GCE instances. The private IP address is used by default, but may be changed to the public IP address with relabeling. See here

The GCE service discovery will load the Google Cloud credentials from the file specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. See https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform

Appears in:

Field Description Scheme Required
filter Filter can be used optionally to filter the instance list by other criteria
Syntax of this filter is described in the filter query parameter section:
https://cloud.google.com/compute/docs/reference/latest/instances/list
string false
port The port to scrape metrics from. If using the public IP address, this must
instead be specified in the relabeling rule.
integer false
project The Google Cloud Project ID string true
tagSeparator The tag separator is used to separate the tags on concatenation string false
zone The zone of the scrape targets. If you need multiple zones use multiple GCESDConfigs. string true

HTTPAuth

HTTPAuth generic auth used with http protocols

Appears in:

Field Description Scheme Required
basicAuth BasicAuth false
headers Headers allow configuring custom http headers
Must be in form of semicolon separated header with value
e.g.
headerName:headerValue
vmalert supports it since 1.79.0 version
string array false
oauth2 OAuth2 false
tlsConfig TLSConfig false

HTTPConfig

HTTPConfig defines a client HTTP configuration for VMAlertmanagerConfig objects See https://prometheus.io/docs/alerting/latest/configuration/#http_config

Appears in:

Field Description Scheme Required
authorization Authorization header configuration for the client.
This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.
Authorization false
basic_auth BasicAuth for the client. BasicAuth false
bearer_token_file BearerTokenFile defines filename for bearer token, it must be mounted to pod. string false
bearer_token_secret The secret's key that contains the bearer token
It must be at them same namespace as CRD
SecretKeySelector false
oauth2 OAuth2 client credentials used to fetch a token for the targets. OAuth2 false
proxyURL Optional proxy URL. string false
tls_config TLS configuration for the client. TLSConfig false

HTTPSDConfig

HTTPSDConfig defines a HTTP service discovery configuration. See here

Appears in:

Field Description Scheme Required
authorization Authorization header to use on every scrape request. Authorization false
basicAuth BasicAuth information to use on every scrape request. BasicAuth false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
proxy_client_config ProxyClientConfig configures proxy auth settings for scraping
See feature description
ProxyAuth false
tlsConfig TLS configuration to use on every scrape request TLSConfig false
url URL from which the targets are fetched. string true

Image

Image defines docker image settings

Appears in:

Field Description Scheme Required
pullPolicy PullPolicy describes how to pull docker image PullPolicy true
repository Repository contains name of docker image + it's repository if needed string true
tag Tag contains desired docker image version string true

ImageConfig

ImageConfig is used to attach images to the incident. See https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgx-send-an-alert-event#the-images-property for more information.

Appears in:

Field Description Scheme Required
alt string false
href string false
source string true

InhibitRule

InhibitRule defines an inhibition rule that allows to mute alerts when other alerts are already firing. Note, it doesn't support deprecated alertmanager config options. See https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule

Appears in:

Field Description Scheme Required
equal Labels that must have an equal value in the source and target alert for
the inhibition to take effect.
string array false
source_matchers SourceMatchers defines a list of matchers for which one or more alerts have
to exist for the inhibition to take effect.
string array false
target_matchers TargetMatchers defines a list of matchers that have to be fulfilled by the target
alerts to be muted.
string array false

InsertPorts

Appears in:

Field Description Scheme Required
graphitePort GraphitePort listen port string false
influxPort InfluxPort listen port string false
openTSDBHTTPPort OpenTSDBHTTPPort for http connections. string false
openTSDBPort OpenTSDBPort for tcp and udp listen string false

K8SSelectorConfig

K8SSelectorConfig is Kubernetes Selector Config

Appears in:

Field Description Scheme Required
field string true
label string true
role string true

KubernetesSDConfig

KubernetesSDConfig allows retrieving scrape targets from Kubernetes' REST API. See here

Appears in:

Field Description Scheme Required
apiServer The API server address consisting of a hostname or IP address followed
by an optional port number.
If left empty, assuming process is running inside
of the cluster. It will discover API servers automatically and use the pod's
CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.
string false
attach_metadata AttachMetadata configures metadata attaching from service discovery AttachMetadata false
authorization Authorization header to use on every scrape request. Authorization false
basicAuth BasicAuth information to use on every scrape request. BasicAuth false
followRedirects Configure whether HTTP requests follow HTTP 3xx redirects. boolean false
namespaces Optional namespace discovery. If omitted, discover targets across all namespaces. NamespaceDiscovery false
oauth2 OAuth2 defines auth configuration OAuth2 false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
proxy_client_config ProxyClientConfig configures proxy auth settings for scraping
See feature description
ProxyAuth false
role Role of the Kubernetes entities that should be discovered. string true
selectors Selector to select objects. K8SSelectorConfig array false
tlsConfig TLS configuration to use on every scrape request TLSConfig false

License

License holds license key for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See here

Appears in:

Field Description Scheme Required
forceOffline Enforce offline verification of the license key. boolean true
key Enterprise license key. This flag is available only in VictoriaMetrics enterprise.
To request a trial license, go to
string true
keyRef KeyRef is reference to secret with license key for enterprise features. SecretKeySelector true
reloadInterval Interval to be used for checking for license key changes. Note that this is only applicable when using KeyRef. string true

LinkConfig

LinkConfig is used to attach text links to the incident. See https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgx-send-an-alert-event#the-links-property for more information.

Appears in:

Field Description Scheme Required
href string true
text string true

MSTeamsConfig

Appears in:

Field Description Scheme Required
http_config HTTP client configuration. HTTPConfig false
send_resolved SendResolved controls notify about resolved alerts. boolean false
text The text body of the teams notification. string false
title The title of the teams notification. string false
webhook_url The incoming webhook URL
one of urlSecret and url must be defined.
string false
webhook_url_secret URLSecret defines secret name and key at the CRD namespace.
It must contain the webhook URL.
one of urlSecret and url must be defined.
SecretKeySelector false

ManagedObjectsMetadata

ManagedObjectsMetadata contains Labels and Annotations

Appears in:

Field Description Scheme Required
annotations Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
object (keys:string, values:string) true
labels Labels Map of string keys and values that can be used to organize and categorize
(scope and select) objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
object (keys:string, values:string) true

NamespaceDiscovery

NamespaceDiscovery is the configuration for discovering Kubernetes namespaces.

Appears in:

Field Description Scheme Required
names List of namespaces where to watch for resources.
If empty and ownNamespace isn't true, watch for resources in all namespaces.
string array false
ownNamespace Includes the namespace in which the pod exists to the list of watched namespaces. boolean false

NamespaceSelector

NamespaceSelector is a selector for selecting either all namespaces or a list of namespaces.

Appears in:

Field Description Scheme Required
any Boolean describing whether all namespaces are selected in contrast to a
list restricting them.
boolean false
matchNames List of namespace names. string array false

OAuth2

OAuth2 defines OAuth2 configuration

Appears in:

Field Description Scheme Required
client_id The secret or configmap containing the OAuth2 client id SecretOrConfigMap true
client_secret The secret containing the OAuth2 client secret SecretKeySelector false
client_secret_file ClientSecretFile defines path for client secret file. string false
endpoint_params Parameters to append to the token URL object (keys:string, values:string) false
scopes OAuth2 scopes used for the token request string array false
token_url The URL to fetch the token from string true

OpenStackSDConfig

OpenStackSDConfig allow retrieving scrape targets from OpenStack Nova instances. See here

Appears in:

Field Description Scheme Required
allTenants Whether the service discovery should list all instances for all projects.
It is only relevant for the 'instance' role and usually requires admin permissions.
boolean false
applicationCredentialId ApplicationCredentialID string false
applicationCredentialName The ApplicationCredentialID or ApplicationCredentialName fields are
required if using an application credential to authenticate. Some providers
allow you to create an application credential to authenticate rather than a
password.
string false
applicationCredentialSecret The applicationCredentialSecret field is required if using an application
credential to authenticate.
SecretKeySelector false
availability Availability of the endpoint to connect to. string false
domainID DomainID string false
domainName At most one of domainId and domainName must be provided if using username
with Identity V3. Otherwise, either are optional.
string false
identityEndpoint IdentityEndpoint specifies the HTTP endpoint that is required to work with
the Identity API of the appropriate version.
string false
password Password for the Identity V2 and V3 APIs. Consult with your provider's
control panel to discover your account's preferred method of authentication.
SecretKeySelector false
port The port to scrape metrics from. If using the public IP address, this must
instead be specified in the relabeling rule.
integer false
projectID ProjectID string false
projectName The ProjectId and ProjectName fields are optional for the Identity V2 API.
Some providers allow you to specify a ProjectName instead of the ProjectId.
Some require both. Your provider's authentication policies will determine
how these fields influence authentication.
string false
region The OpenStack Region. string true
role The OpenStack role of entities that should be discovered. string true
tlsConfig TLS configuration to use on every scrape request TLSConfig false
userid UserID string false
username Username is required if using Identity V2 API. Consult with your provider's
control panel to discover your account's username.
In Identity V3, either userid or a combination of username
and domainId or domainName are needed
string false

OpsGenieConfig

OpsGenieConfig configures notifications via OpsGenie. See https://prometheus.io/docs/alerting/latest/configuration/#opsgenie_config

Appears in:

Field Description Scheme Required
actions Comma separated list of actions that will be available for the alert. string true
apiURL The URL to send OpsGenie API requests to. string false
api_key The secret's key that contains the OpsGenie API key.
It must be at them same namespace as CRD
fallback to global setting if empty
SecretKeySelector false
description Description of the incident. string false
details A set of arbitrary key/value pairs that provide further detail about the incident. object (keys:string, values:string) false
entity Optional field that can be used to specify which domain alert is related to. string true
http_config HTTP client configuration. HTTPConfig false
message Alert text limited to 130 characters. string false
note Additional alert note. string false
priority Priority level of alert. Possible values are P1, P2, P3, P4, and P5. string false
responders List of responders responsible for notifications. OpsGenieConfigResponder array false
send_resolved SendResolved controls notify about resolved alerts. boolean false
source Backlink to the sender of the notification. string false
tags Comma separated list of tags attached to the notifications. string false
update_alerts Whether to update message and description of the alert in OpsGenie if it already exists
By default, the alert is never updated in OpsGenie, the new message only appears in activity log.
boolean true

OpsGenieConfigResponder

OpsGenieConfigResponder defines a responder to an incident. One of id, name or username has to be defined.

Appears in:

Field Description Scheme Required
id ID of the responder. string false
name Name of the responder. string false
type Type of responder. string true
username Username of the responder. string false

PagerDutyConfig

PagerDutyConfig configures notifications via PagerDuty. See https://prometheus.io/docs/alerting/latest/configuration/#pagerduty_config

Appears in:

Field Description Scheme Required
class The class/type of the event. string false
client Client identification. string false
client_url Backlink to the sender of notification. string false
component The part or component of the affected system that is broken. string false
description Description of the incident. string false
details Arbitrary key/value pairs that provide further detail about the incident. object (keys:string, values:string) false
group A cluster or grouping of sources. string false
http_config HTTP client configuration. HTTPConfig false
images Images to attach to the incident. ImageConfig array false
links Links to attach to the incident. LinkConfig array false
routing_key The secret's key that contains the PagerDuty integration key (when using
Events API v2). Either this field or serviceKey needs to be defined.
It must be at them same namespace as CRD
SecretKeySelector false
send_resolved SendResolved controls notify about resolved alerts. boolean false
service_key The secret's key that contains the PagerDuty service key (when using
integration type "Prometheus"). Either this field or routingKey needs to
be defined.
It must be at them same namespace as CRD
SecretKeySelector false
severity Severity of the incident. string false
url The URL to send requests to. string false

PodMetricsEndpoint

PodMetricsEndpoint defines a scrapeable endpoint of a Kubernetes Pod serving metrics.

Appears in:

Field Description Scheme Required
attach_metadata AttachMetadata configures metadata attaching from service discovery AttachMetadata false
authorization Authorization with http header Authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
filterRunning FilterRunning applies filter with pod status == running
it prevents from scrapping metrics at failed or succeed state pods.
enabled by default
boolean false
follow_redirects FollowRedirects controls redirects for scraping. boolean false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
interval Interval at which metrics should be scraped string false
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
oauth2 OAuth2 defines auth configuration OAuth2 false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
port Name of the port exposed at Pod. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
relabelConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targetPort TargetPort
Name or number of the pod port this endpoint refers to. Mutually exclusive with port.
IntOrString false
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

ProbeTargetIngress

ProbeTargetIngress defines the set of Ingress objects considered for probing.

Appears in:

Field Description Scheme Required
namespaceSelector Select Ingress objects by namespace. NamespaceSelector true
relabelingConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array true
selector Select Ingress objects by labels. LabelSelector true

ProxyAuth

ProxyAuth represent proxy auth config Only VictoriaMetrics scrapers supports it. See https://github.com/VictoriaMetrics/VictoriaMetrics/commit/a6a71ef861444eb11fe8ec6d2387f0fc0c4aea87

Appears in:

Field Description Scheme Required
basic_auth BasicAuth true
bearer_token SecretKeySelector true
bearer_token_file string true
tls_config TLSConfig true

PushoverConfig

PushoverConfig configures notifications via Pushover. See https://prometheus.io/docs/alerting/latest/configuration/#pushover_config

Appears in:

Field Description Scheme Required
expire How long your notification will continue to be retried for, unless the user
acknowledges the notification.
string false
html Whether notification message is HTML or plain text. boolean false
http_config HTTP client configuration. HTTPConfig false
message Notification message. string false
priority Priority, see https://pushover.net/api#priority string false
retry How often the Pushover servers will send the same notification to the user.
Must be at least 30 seconds.
string false
send_resolved SendResolved controls notify about resolved alerts. boolean false
sound The name of one of the sounds supported by device clients to override the user's default sound choice string false
title Notification title. string false
token The secret's key that contains the registered application’s API token, see https://pushover.net/apps.
It must be at them same namespace as CRD
SecretKeySelector true
url A supplementary URL shown alongside the message. string false
url_title A title for supplementary URL, otherwise just the URL is shown string false
user_key The secret's key that contains the recipient user’s user key.
It must be at them same namespace as CRD
SecretKeySelector true

Receiver

Receiver defines one or more notification integrations.

Appears in:

Field Description Scheme Required
discord_configs DiscordConfig array false
email_configs EmailConfigs defines email notification configurations. EmailConfig array false
msteams_configs MSTeamsConfig array false
name Name of the receiver. Must be unique across all items from the list. string true
opsgenie_configs OpsGenieConfigs defines ops genie notification configurations. OpsGenieConfig array false
pagerduty_configs PagerDutyConfigs defines pager duty notification configurations. PagerDutyConfig array false
pushover_configs PushoverConfigs defines push over notification configurations. PushoverConfig array false
slack_configs SlackConfigs defines slack notification configurations. SlackConfig array false
sns_configs SnsConfig array false
telegram_configs TelegramConfig array false
victorops_configs VictorOpsConfigs defines victor ops notification configurations. VictorOpsConfig array false
webex_configs WebexConfig array false
webhook_configs WebhookConfigs defines webhook notification configurations. WebhookConfig array false
wechat_configs WeChatConfigs defines wechat notification configurations. WeChatConfig array false

RelabelConfig

RelabelConfig allows dynamic rewriting of the label set More info: https://docs.victoriametrics.com/#relabeling

Appears in:

Field Description Scheme Required
action Action to perform based on regex matching. Default is 'replace' string false
if If represents metricsQL match expression (or list of expressions): '{name=~"foo_.*"}' StringOrArray false
labels Labels is used together with Match for action: graphite object (keys:string, values:string) false
match Match is used together with Labels for action: graphite string false
modulus Modulus to take of the hash of the source label values. integer false
regex Regular expression against which the extracted value is matched. Default is '(.*)'
victoriaMetrics supports multiline regex joined with |
https://docs.victoriametrics.com/vmagent/#relabeling-enhancements
StringOrArray false
replacement Replacement value against which a regex replace is performed if the
regular expression matches. Regex capture groups are available. Default is '$1'
string false
separator Separator placed between concatenated source label values. default is ';'. string false
sourceLabels The source labels select values from existing labels. Their content is concatenated
using the configured separator and matched against the configured regular expression
for the replace, keep, and drop actions.
string array false
source_labels UnderScoreSourceLabels - additional form of source labels source_labels
for compatibility with original relabel config.
if set both sourceLabels and source_labels, sourceLabels has priority.
for details #131
string array false
targetLabel Label to which the resulting value is written in a replace action.
It is mandatory for replace actions. Regex capture groups are available.
string false
target_label UnderScoreTargetLabel - additional form of target label - target_label
for compatibility with original relabel config.
if set both targetLabel and target_label, targetLabel has priority.
for details #131
string false

Route

Route defines a node in the routing tree.

Appears in:

Field Description Scheme Required
active_time_intervals ActiveTimeIntervals Times when the route should be active
These must match the name at time_intervals
string array false
continue Continue indicating whether an alert should continue matching subsequent
sibling nodes. It will always be true for the first-level route if disableRouteContinueEnforce for vmalertmanager not set.
boolean false
group_by List of labels to group by. string array false
group_interval How long to wait before sending an updated notification. string false
group_wait How long to wait before sending the initial notification. string false
matchers List of matchers that the alert’s labels should match. For the first
level route, the operator adds a namespace: "CRD_NS" matcher.
https://prometheus.io/docs/alerting/latest/configuration/#matcher
string array false
mute_time_intervals MuteTimeIntervals is a list of interval names that will mute matched alert string array false
receiver Name of the receiver for this route. string true
repeat_interval How long to wait before repeating the last notification. string false
routes Child routes.
https://prometheus.io/docs/alerting/latest/configuration/#route
JSON array true

Rule

Rule describes an alerting or recording rule.

Appears in:

Field Description Scheme Required
alert Alert is a name for alert string false
annotations Annotations will be added to rule configuration object (keys:string, values:string) false
debug Debug enables logging for rule
it useful for tracking
boolean false
expr Expr is query, that will be evaluated at dataSource string false
for For evaluation interval in time.Duration format
30s, 1m, 1h or nanoseconds
string false
keep_firing_for KeepFiringFor will make alert continue firing for this long
even when the alerting expression no longer has results.
Use time.Duration format, 30s, 1m, 1h or nanoseconds
string false
labels Labels will be added to rule configuration object (keys:string, values:string) false
record Record represents a query, that will be recorded to dataSource string false
update_entries_limit UpdateEntriesLimit defines max number of rule's state updates stored in memory.
Overrides -rule.updateEntriesLimit in vmalert.
integer false

RuleGroup

RuleGroup is a list of sequentially evaluated recording and alerting rules.

Appears in:

Field Description Scheme Required
concurrency Concurrency defines how many rules execute at once. integer false
eval_alignment Optional
The evaluation timestamp will be aligned with group's interval,
instead of using the actual timestamp that evaluation happens at.
It is enabled by default to get more predictable results
and to visually align with graphs plotted via Grafana or vmui.
boolean true
eval_delay Optional
Adjust the time parameter of group evaluation requests to compensate intentional query delay from the datasource.
string true
eval_offset Optional
Group will be evaluated at the exact offset in the range of [0...interval].
string true
extra_filter_labels ExtraFilterLabels optional list of label filters applied to every rule's
request within a group. Is compatible only with VM datasource.
See more details here
Deprecated, use params instead
object (keys:string, values:string) false
headers Headers contains optional HTTP headers added to each rule request
Must be in form header-name: value
For example:
headers:
- "CustomHeader: foo"
- "CustomHeader2: bar"
string array false
interval evaluation interval for group string false
labels Labels optional list of labels added to every rule within a group.
It has priority over the external labels.
Labels are commonly used for adding environment
or tenant-specific tag.
object (keys:string, values:string) false
limit Limit the number of alerts an alerting rule and series a recording
rule can produce
integer false
name Name of group string true
notifier_headers NotifierHeaders contains optional HTTP headers added to each alert request which will send to notifier
Must be in form header-name: value
For example:
headers:
- "CustomHeader: foo"
- "CustomHeader2: bar"
string array false
params Params optional HTTP URL parameters added to each rule request Values false
rules Rules list of alert rules Rule array true
tenant Tenant id for group, can be used only with enterprise version of vmalert.
See more details here.
string false
type Type defines datasource type for enterprise version of vmalert
possible values - prometheus,graphite,vlogs
string false

SecretOrConfigMap

SecretOrConfigMap allows to specify data as a Secret or ConfigMap. Fields are mutually exclusive.

Appears in:

Field Description Scheme Required
configMap ConfigMap containing data to use for the targets. ConfigMapKeySelector false
secret Secret containing data to use for the targets. SecretKeySelector false

SecurityContext

SecurityContext extends PodSecurityContext with ContainerSecurityContext It allows to globally configure security params for pod and all containers

Appears in:

Sigv4Config

Appears in:

Field Description Scheme Required
access_key The AWS API keys. Both access_key and secret_key must be supplied or both must be blank.
If blank the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are used.
string false
access_key_selector secret key selector to get the keys from a Kubernetes Secret SecretKeySelector false
profile Named AWS profile used to authenticate string false
region AWS region, if blank the region from the default credentials chain is used string false
role_arn AWS Role ARN, an alternative to using AWS API keys string false
secret_key_selector secret key selector to get the keys from a Kubernetes Secret SecretKeySelector false

SlackAction

SlackAction configures a single Slack action that is sent with each notification. See https://api.slack.com/docs/message-attachments#action_fields and https://api.slack.com/docs/message-buttons for more information.

Appears in:

Field Description Scheme Required
confirm SlackConfirmationField false
name string false
style string false
text string true
type string true
url string false
value string false

SlackConfig

SlackConfig configures notifications via Slack. See https://prometheus.io/docs/alerting/latest/configuration/#slack_config

Appears in:

Field Description Scheme Required
actions A list of Slack actions that are sent with each notification. SlackAction array false
api_url The secret's key that contains the Slack webhook URL.
It must be at them same namespace as CRD
fallback to global setting if empty
SecretKeySelector false
callback_id string false
channel The channel or user to send notifications to. string false
color string false
fallback string false
fields A list of Slack fields that are sent with each notification. SlackField array false
footer string false
http_config HTTP client configuration. HTTPConfig false
icon_emoji string false
icon_url string false
image_url string false
link_names boolean false
mrkdwn_in string array false
pretext string false
send_resolved SendResolved controls notify about resolved alerts. boolean false
short_fields boolean false
text string false
thumb_url string false
title string false
title_link string false
username string false

SlackConfirmationField

SlackConfirmationField protect users from destructive actions or particularly distinguished decisions by asking them to confirm their button click one more time. See https://api.slack.com/docs/interactive-message-field-guide#confirmation_fields for more information.

Appears in:

Field Description Scheme Required
dismiss_text string false
ok_text string false
text string true
title string false

SlackField

SlackField configures a single Slack field that is sent with each notification. See https://api.slack.com/docs/message-attachments#fields for more information.

Appears in:

Field Description Scheme Required
short boolean false
title string true
value string true

SnsConfig

Appears in:

Field Description Scheme Required
api_url The api URL string false
attributes SNS message attributes object (keys:string, values:string) false
http_config HTTP client configuration. HTTPConfig false
message The message content of the SNS notification. string false
phone_number Phone number if message is delivered via SMS
Specify this, topic_arn or target_arn
string true
send_resolved SendResolved controls notify about resolved alerts. boolean false
sigv4 Configure the AWS Signature Verification 4 signing process Sigv4Config true
subject The subject line if message is delivered to an email endpoint. string false
target_arn Mobile platform endpoint ARN if message is delivered via mobile notifications
Specify this, topic_arn or phone_number
string false
topic_arn SNS topic ARN, either specify this, phone_number or target_arn string false

StaticConfig

StaticConfig defines a static configuration. See here

Appears in:

Field Description Scheme Required
labels Labels assigned to all metrics scraped from the targets. object (keys:string, values:string) false
targets List of targets for this static configuration. string array false

StaticRef

StaticRef - user-defined routing host address.

Appears in:

Field Description Scheme Required
url URL http url for given staticRef. string true
urls URLs allows setting multiple urls for load-balancing at vmauth-side. string array false

StatusMetadata

StatusMetadata holds metadata of application update status

Appears in:

Field Description Scheme Required
conditions Known .status.conditions.type are: "Available", "Progressing", and "Degraded" Condition array true
observedGeneration ObservedGeneration defines current generation picked by operator for the
reconcile
integer true
reason Reason defines human readadble error reason string true
updateStatus UpdateStatus defines a status for update rollout UpdateStatus true

StorageSpec

StorageSpec defines the configured storage for a group Prometheus servers. If neither emptyDir nor volumeClaimTemplate is specified, then by default an EmptyDir will be used.

Appears in:

Field Description Scheme Required
disableMountSubPath Deprecated: subPath usage will be disabled by default in a future release, this option will become unnecessary.
DisableMountSubPath allows to remove any subPath usage in volume mounts.
boolean false
emptyDir EmptyDirVolumeSource to be used by the Prometheus StatefulSets. If specified, used in place of any volumeClaimTemplate. More
info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
EmptyDirVolumeSource false
volumeClaimTemplate A PVC spec to be used by the VMAlertManager StatefulSets. EmbeddedPersistentVolumeClaim false

StreamAggrConfig

StreamAggrConfig defines the stream aggregation config

Appears in:

Field Description Scheme Required
configmap ConfigMap with stream aggregation rules ConfigMapKeySelector false
dedupInterval Allows setting different de-duplication intervals per each configured remote storage string false
dropInput Allow drop all the input samples after the aggregation boolean false
dropInputLabels labels to drop from samples for aggregator before stream de-duplication and aggregation string array false
ignoreFirstIntervals IgnoreFirstIntervals instructs to ignore first interval integer false
ignoreOldSamples IgnoreOldSamples instructs to ignore samples with old timestamps outside the current aggregation interval. boolean false
keepInput Allows writing both raw and aggregate data boolean false
rules Stream aggregation rules StreamAggrRule array false

StreamAggrRule

StreamAggrRule defines the rule in stream aggregation config

Appears in:

Field Description Scheme Required
by By is an optional list of labels for grouping input series.

See also Without.

If neither By nor Without are set, then the Outputs are calculated
individually per each input time series.
string array false
dedup_interval DedupInterval is an optional interval for deduplication. string false
drop_input_labels DropInputLabels is an optional list with labels, which must be dropped before further processing of input samples.

Labels are dropped before de-duplication and aggregation.
string false
flush_on_shutdown FlushOnShutdown defines whether to flush the aggregation state on process termination
or config reload. Is false by default.
It is not recommended changing this setting, unless unfinished aggregations states
are preferred to missing data points.
boolean false
ignore_first_intervals integer true
ignore_old_samples IgnoreOldSamples instructs to ignore samples with old timestamps outside the current aggregation interval. boolean false
input_relabel_configs InputRelabelConfigs is an optional relabeling rules, which are applied on the input
before aggregation.
RelabelConfig array false
interval Interval is the interval between aggregations. string true
keep_metric_names KeepMetricNames instructs to leave metric names as is for the output time series without adding any suffix. boolean false
match Match is a label selector (or list of label selectors) for filtering time series for the given selector.

If the match isn't set, then all the input time series are processed.
StringOrArray false
no_align_flush_to_interval NoAlignFlushToInterval disables aligning of flushes to multiples of Interval.
By default flushes are aligned to Interval.
boolean false
output_relabel_configs OutputRelabelConfigs is an optional relabeling rules, which are applied
on the aggregated output before being sent to remote storage.
RelabelConfig array false
outputs Outputs is a list of output aggregate functions to produce.

The following names are allowed:

- total - aggregates input counters
- increase - counts the increase over input counters
- count_series - counts the input series
- count_samples - counts the input samples
- sum_samples - sums the input samples
- last - the last biggest sample value
- min - the minimum sample value
- max - the maximum sample value
- avg - the average value across all the samples
- stddev - standard deviation across all the samples
- stdvar - standard variance across all the samples
- histogram_bucket - creates VictoriaMetrics histogram for input samples
- quantiles(phi1, ..., phiN) - quantiles' estimation for phi in the range [0..1]

The output time series will have the following names:

input_name:aggr__
string array true
staleness_interval Staleness interval is interval after which the series state will be reset if no samples have been sent during it.
The parameter is only relevant for outputs: total, total_prometheus, increase, increase_prometheus and histogram_bucket.
string false
without Without is an optional list of labels, which must be excluded when grouping input series.

See also By.

If neither By nor Without are set, then the Outputs are calculated
individually per each input time series.
string array false

StringOrArray

Underlying type: string array

StringOrArray is a helper type for storing string or array of string.

Appears in:

TLSClientConfig

TLSClientConfig defines TLS configuration for the application's client

Appears in:

Field Description Scheme Required
ca_file CAFile defines path to the pre-mounted file with CA
mutually exclusive with CASecretRef
string false
ca_secret_ref CA defines reference for secret with CA content under given key
mutually exclusive with CAFile
SecretKeySelector false
cert_file CertFile defines path to the pre-mounted file with certificate
mutually exclusive with CertSecretRef
string false
cert_secret_ref CertSecretRef defines reference for secret with certificate content under given key
mutually exclusive with CertFile
SecretKeySelector false
insecure_skip_verify Cert defines reference for secret with CA content under given key
mutually exclusive with CertFile
boolean false
key_file KeyFile defines path to the pre-mounted file with certificate key
mutually exclusive with KeySecretRef
string false
key_secret_ref Key defines reference for secret with certificate key content under given key
mutually exclusive with KeyFile
SecretKeySelector false
server_name ServerName indicates a name of a server string false

TLSConfig

TLSConfig specifies TLSConfig configuration parameters.

Appears in:

Field Description Scheme Required
ca Stuct containing the CA cert to use for the targets. SecretOrConfigMap false
caFile Path to the CA cert in the container to use for the targets. string false
cert Struct containing the client cert file for the targets. SecretOrConfigMap false
certFile Path to the client cert file in the container for the targets. string false
insecureSkipVerify Disable target certificate validation. boolean false
keyFile Path to the client key file in the container for the targets. string false
keySecret Secret containing the client key file for the targets. SecretKeySelector false
serverName Used to verify the hostname for the targets. string false

TLSServerConfig

TLSServerConfig defines TLS configuration for the application's server

Appears in:

Field Description Scheme Required
cert_file CertFile defines path to the pre-mounted file with certificate
mutually exclusive with CertSecretRef
string false
cert_secret_ref CertSecretRef defines reference for secret with certificate content under given key
mutually exclusive with CertFile
SecretKeySelector false
cipher_suites CipherSuites defines list of supported cipher suites for TLS versions up to TLS 1.2
https://golang.org/pkg/crypto/tls/#pkg-constants
string array false
client_auth_type Cert defines reference for secret with CA content under given key
mutually exclusive with CertFile
ClientAuthType defines server policy for client authentication
If you want to enable client authentication (aka mTLS), you need to use RequireAndVerifyClientCert
Note, mTLS is supported only at enterprise version of VictoriaMetrics components
string false
client_ca_file ClientCAFile defines path to the pre-mounted file with CA
mutually exclusive with ClientCASecretRef
string false
client_ca_secret_ref ClientCASecretRef defines reference for secret with CA content under given key
mutually exclusive with ClientCAFile
SecretKeySelector false
curve_preferences CurvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference order.
https://golang.org/pkg/crypto/tls/#CurveID
string array false
key_file KeyFile defines path to the pre-mounted file with certificate key
mutually exclusive with KeySecretRef
string false
key_secret_ref Key defines reference for secret with certificate key content under given key
mutually exclusive with KeyFile
SecretKeySelector false
max_version MaxVersion maximum TLS version that is acceptable. string false
min_version MinVersion minimum TLS version that is acceptable. string false
prefer_server_cipher_suites PreferServerCipherSuites controls whether the server selects the
client's most preferred ciphersuite
boolean false

TargetEndpoint

TargetEndpoint defines single static target endpoint.

Appears in:

Field Description Scheme Required
authorization Authorization with http header Authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
follow_redirects FollowRedirects controls redirects for scraping. boolean false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
interval Interval at which metrics should be scraped string false
labels Labels static labels for targets. object (keys:string, values:string) false
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
oauth2 OAuth2 defines auth configuration OAuth2 false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
relabelConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targets Targets static targets addresses in form of ["192.122.55.55:9100","some-name:9100"]. string array true
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

TargetRef

TargetRef describes target for user traffic forwarding. one of target types can be chosen: crd or static per targetRef. user can define multiple targetRefs with different ref Types.

Appears in:

Field Description Scheme Required
URLMapCommon URLMapCommon true
crd CRD describes exist operator's CRD object,
operator generates access url based on CRD params.
CRDRef false
hosts string array true
paths Paths - matched path to route. string array false
static Static - user defined url for traffic forward,
for instance http://vmsingle:8429
StaticRef false
targetRefBasicAuth TargetRefBasicAuth allow an target endpoint to authenticate over basic authentication TargetRefBasicAuth false
target_path_suffix TargetPathSuffix allows to add some suffix to the target path
It allows to hide tenant configuration from user with crd as ref.
it also may contain any url encoded params.
string false

TargetRefBasicAuth

TargetRefBasicAuth target basic authentication

Appears in:

Field Description Scheme Required
password The secret in the service scrape namespace that contains the password
for authentication.
It must be at them same namespace as CRD
SecretKeySelector true
username The secret in the service scrape namespace that contains the username
for authentication.
It must be at them same namespace as CRD
SecretKeySelector true

TelegramConfig

TelegramConfig configures notification via telegram https://prometheus.io/docs/alerting/latest/configuration/#telegram_config

Appears in:

Field Description Scheme Required
api_url APIUrl the Telegram API URL i.e. https://api.telegram.org. string false
bot_token BotToken token for the bot
https://core.telegram.org/bots/api
SecretKeySelector true
chat_id ChatID is ID of the chat where to send the messages. integer true
disable_notifications DisableNotifications boolean false
http_config HTTP client configuration. HTTPConfig false
message Message is templated message string false
parse_mode ParseMode for telegram message,
supported values are MarkdownV2, Markdown, Markdown and empty string for plain text.
string false
send_resolved SendResolved controls notify about resolved alerts. boolean false

TimeInterval

TimeInterval defines intervals of time

Appears in:

Field Description Scheme Required
days_of_month DayOfMonth defines list of numerical days in the month. Days begin at 1. Negative values are also accepted.
for example, ['1:5', '-3:-1']
string array false
location Location in golang time location form, e.g. UTC string false
months Months defines list of calendar months identified by a case-insensitive name (e.g. ‘January’) or numeric 1.
For example, ['1:3', 'may:august', 'december']
string array false
times Times defines time range for mute TimeRange array false
weekdays Weekdays defines list of days of the week, where the week begins on Sunday and ends on Saturday. string array false
years Years defines numerical list of years, ranges are accepted.
For example, ['2020:2022', '2030']
string array false

TimeIntervals

TimeIntervals for alerts

Appears in:

Field Description Scheme Required
name Name of interval string true
time_intervals TimeIntervals interval configuration TimeInterval array true

TimeRange

TimeRange ranges inclusive of the starting time and exclusive of the end time

Appears in:

Field Description Scheme Required
end_time EndTime for example HH:MM string true
start_time StartTime for example HH:MM string true

URLMapCommon

URLMapCommon contains common fields for unauthorized user and user in vmuser

Appears in:

Field Description Scheme Required
discover_backend_ips DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS. boolean true
drop_src_path_prefix_parts DropSrcPathPrefixParts is the number of /-delimited request path prefix parts to drop before proxying the request to backend.
See here for more details.
integer false
headers RequestHeaders represent additional http headers, that vmauth uses
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.68.0 version of vmauth
string array false
load_balancing_policy LoadBalancingPolicy defines load balancing policy to use for backend urls.
Supported policies: least_loaded, first_available.
See here for more details (default "least_loaded")
string false
response_headers ResponseHeaders represent additional http headers, that vmauth adds for request response
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.93.0 version of vmauth
string array false
retry_status_codes RetryStatusCodes defines http status codes in numeric format for request retries
Can be defined per target or at VMUser.spec level
e.g. [429,503]
integer array false
src_headers SrcHeaders is an optional list of headers, which must match request headers. string array true
src_query_args SrcQueryArgs is an optional list of query args, which must match request URL query args. string array true

UnauthorizedAccessConfigURLMap

UnauthorizedAccessConfigURLMap defines element of url_map routing configuration For UnauthorizedAccessConfig and VMAuthUnauthorizedUserAccessSpec.URLMap

Appears in:

Field Description Scheme Required
URLMapCommon URLMapCommon true
src_hosts SrcHosts is an optional list of regular expressions, which must match the request hostname. string array true
src_paths SrcPaths is an optional list of regular expressions, which must match the request path. string array true
url_prefix UrlPrefix contains backend url prefixes for the proxied request url.
URLPrefix defines prefix prefix for destination
StringOrArray true

UpdateStatus

Underlying type: string

UpdateStatus defines status for application

Appears in:

VLogs

VLogs is fast, cost-effective and scalable logs database. VLogs is the Schema for the vlogs API

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VLogs
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VLogsSpec true

VLogsSpec

VLogsSpec defines the desired state of VLogs

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
futureRetention FutureRetention for the stored logs
Log entries with timestamps bigger than now+futureRetention are rejected during data ingestion; see https://docs.victoriametrics.com/victorialogs/#retention
string true
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
logFormat LogFormat for VLogs to be configured with. string false
logIngestedRows Whether to log all the ingested log entries; this can be useful for debugging of data ingestion; see https://docs.victoriametrics.com/victorialogs/data-ingestion/ boolean true
logLevel LogLevel for VictoriaLogs to be configured with. string false
logNewStreams LogNewStreams Whether to log creation of new streams; this can be useful for debugging of high cardinality issues with log streams; see https://docs.victoriametrics.com/victorialogs/keyconcepts/#stream-fields boolean true
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VLogs pods. EmbeddedObjectMetadata false
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
removePvcAfterDelete RemovePvcAfterDelete - if true, controller adds ownership to pvc
and after VLogs object deletion - pvc will be garbage collected
by controller manager
boolean false
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
retentionPeriod RetentionPeriod for the stored logs string true
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the pods string false
serviceScrapeSpec ServiceScrapeSpec that will be added to vlogs VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vlogs service spec AdditionalServiceSpec false
storage Storage is the definition of how storage will be used by the VLogs
by default it`s empty dir
PersistentVolumeClaimSpec false
storageDataPath StorageDataPath disables spec.storage option and overrides arg for victoria-logs binary --storageDataPath,
its users responsibility to mount proper device into given path.
string false
storageMetadata StorageMeta defines annotations and labels attached to PVC for given vlogs CR EmbeddedObjectMetadata false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMAgent

VMAgent - is a tiny but brave agent, which helps you collect metrics from various sources and stores them in VictoriaMetrics or any other Prometheus-compatible storage system that supports the remote_write protocol.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMAgent
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMAgentSpec true

VMAgentRemoteWriteSettings

VMAgentRemoteWriteSettings - defines global settings for all remoteWrite urls.

Appears in:

Field Description Scheme Required
flushInterval Interval for flushing the data to remote storage. (default 1s) string false
label Labels in the form 'name=value' to add to all the metrics before sending them. This overrides the label if it already exists. object (keys:string, values:string) false
maxBlockSize The maximum size in bytes of unpacked request to send to remote storage integer false
maxDiskUsagePerURL The maximum file-based buffer size in bytes at -remoteWrite.tmpDataPath integer false
queues The number of concurrent queues integer false
showURL Whether to show -remoteWrite.url in the exported metrics. It is hidden by default, since it can contain sensitive auth info boolean false
tmpDataPath Path to directory where temporary data for remote write component is stored (default vmagent-remotewrite-data) string false
useMultiTenantMode Configures vmagent accepting data via the same multitenant endpoints as vminsert at VictoriaMetrics cluster does,
see here.
it's global setting and affects all remote storage configurations
boolean false

VMAgentRemoteWriteSpec

VMAgentRemoteWriteSpec defines the remote storage configuration for VmAgent

Appears in:

Field Description Scheme Required
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenSecret Optional bearer auth token to use for -remoteWrite.url SecretKeySelector false
forceVMProto ForceVMProto forces using VictoriaMetrics protocol for sending data to -remoteWrite.url boolean false
headers Headers allow configuring custom http headers
Must be in form of semicolon separated header with value
e.g.
headerName: headerValue
vmagent supports since 1.79.0 version
string array false
inlineUrlRelabelConfig InlineUrlRelabelConfig defines relabeling config for remoteWriteURL, it can be defined at crd spec. RelabelConfig array false
maxDiskUsage MaxDiskUsage defines the maximum file-based buffer size in bytes for -remoteWrite.url string false
oauth2 OAuth2 defines auth configuration OAuth2 false
sendTimeout Timeout for sending a single block of data to -remoteWrite.url (default 1m0s) string false
streamAggrConfig StreamAggrConfig defines stream aggregation configuration for VMAgent for -remoteWrite.url StreamAggrConfig false
tlsConfig TLSConfig describes tls configuration for remote write target TLSConfig false
url URL of the endpoint to send samples to. string true
urlRelabelConfig ConfigMap with relabeling config which is applied to metrics before sending them to the corresponding -remoteWrite.url ConfigMapKeySelector false

VMAgentSecurityEnforcements

VMAgentSecurityEnforcements defines security configuration for endpoint scrapping

Appears in:

Field Description Scheme Required
arbitraryFSAccessThroughSMs ArbitraryFSAccessThroughSMs configures whether configuration
based on EndpointAuth can access arbitrary files on the file system
of the VMAgent container e.g. bearer token files, basic auth, tls certs
ArbitraryFSAccessThroughSMsConfig false
enforcedNamespaceLabel EnforcedNamespaceLabel enforces adding a namespace label of origin for each alert
and metric that is user created. The label value will always be the namespace of the object that is
being created.
string false
ignoreNamespaceSelectors IgnoreNamespaceSelectors if set to true will ignore NamespaceSelector settings from
scrape objects, and they will only discover endpoints
within their current namespace. Defaults to false.
boolean false
overrideHonorLabels OverrideHonorLabels if set to true overrides all user configured honor_labels.
If HonorLabels is set in scrape objects to true, this overrides honor_labels to false.
boolean false
overrideHonorTimestamps OverrideHonorTimestamps allows to globally enforce honoring timestamps in all scrape configs. boolean false

VMAgentSpec

VMAgentSpec defines the desired state of VMAgent

Appears in:

Field Description Scheme Required
aPIServerConfig APIServerConfig allows specifying a host and auth methods to access apiserver.
If left empty, VMAgent is assumed to run inside of the cluster
and will discover API servers automatically and use the pod's CA certificate
and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.
APIServerConfig false
additionalScrapeConfigs AdditionalScrapeConfigs As scrape configs are appended, the user is responsible to make sure it
is valid. Note that using this feature may expose the possibility to
break upgrades of VMAgent. It is advised to review VMAgent release
notes to ensure that no incompatible scrape configs are going to break
VMAgent after the upgrade.
SecretKeySelector false
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
arbitraryFSAccessThroughSMs ArbitraryFSAccessThroughSMs configures whether configuration
based on EndpointAuth can access arbitrary files on the file system
of the VMAgent container e.g. bearer token files, basic auth, tls certs
ArbitraryFSAccessThroughSMsConfig false
claimTemplates ClaimTemplates allows adding additional VolumeClaimTemplates for VMAgent in StatefulMode PersistentVolumeClaim array true
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
configReloaderExtraArgs ConfigReloaderExtraArgs that will be passed to VMAuths config-reloader container
for example resyncInterval: "30s"
object (keys:string, values:string) false
configReloaderImageTag ConfigReloaderImageTag defines image:tag for config-reloader container string false
configReloaderResources ConfigReloaderResources config-reloader container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
enforcedNamespaceLabel EnforcedNamespaceLabel enforces adding a namespace label of origin for each alert
and metric that is user created. The label value will always be the namespace of the object that is
being created.
string false
externalLabels ExternalLabels The labels to add to any time series scraped by vmagent.
it doesn't affect metrics ingested directly by push API's
object (keys:string, values:string) false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
ignoreNamespaceSelectors IgnoreNamespaceSelectors if set to true will ignore NamespaceSelector settings from
scrape objects, and they will only discover endpoints
within their current namespace. Defaults to false.
boolean false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
ingestOnlyMode IngestOnlyMode switches vmagent into unmanaged mode
it disables any config generation for scraping
Currently it prevents vmagent from managing tls and auth options for remote write
boolean false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
inlineRelabelConfig InlineRelabelConfig - defines GlobalRelabelConfig for vmagent, can be defined directly at CRD. RelabelConfig array false
inlineScrapeConfig InlineScrapeConfig As scrape configs are appended, the user is responsible to make sure it
is valid. Note that using this feature may expose the possibility to
break upgrades of VMAgent. It is advised to review VMAgent release
notes to ensure that no incompatible scrape configs are going to break
VMAgent after the upgrade.
it should be defined as single yaml file.
inlineScrapeConfig: |
- job_name: "prometheus"
static_configs:
- targets: ["localhost:9090"]
string false
insertPorts InsertPorts - additional listen ports for data ingestion. InsertPorts true
license License allows to configure license key to be used for enterprise features.
Using license key is supported starting from VictoriaMetrics v1.94.0.
See here
License false
logFormat LogFormat for VMAgent to be configured with. string false
logLevel LogLevel for VMAgent to be configured with.
INFO, WARN, ERROR, FATAL, PANIC
string false
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
maxScrapeInterval MaxScrapeInterval allows limiting maximum scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is higher than defined limit, maxScrapeInterval will be used.
string true
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
minScrapeInterval MinScrapeInterval allows limiting minimal scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is lower than defined limit, minScrapeInterval will be used.
string true
nodeScrapeNamespaceSelector NodeScrapeNamespaceSelector defines Namespaces to be selected for VMNodeScrape discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
nodeScrapeRelabelTemplate NodeScrapeRelabelTemplate defines relabel config, that will be added to each VMNodeScrape.
it's useful for adding specific labels to all targets
RelabelConfig array false
nodeScrapeSelector NodeScrapeSelector defines VMNodeScrape to be selected for scraping.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
overrideHonorLabels OverrideHonorLabels if set to true overrides all user configured honor_labels.
If HonorLabels is set in scrape objects to true, this overrides honor_labels to false.
boolean false
overrideHonorTimestamps OverrideHonorTimestamps allows to globally enforce honoring timestamps in all scrape configs. boolean false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the vmagent pods. EmbeddedObjectMetadata false
podScrapeNamespaceSelector PodScrapeNamespaceSelector defines Namespaces to be selected for VMPodScrape discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
podScrapeRelabelTemplate PodScrapeRelabelTemplate defines relabel config, that will be added to each VMPodScrape.
it's useful for adding specific labels to all targets
RelabelConfig array false
podScrapeSelector PodScrapeSelector defines PodScrapes to be selected for target discovery.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
probeNamespaceSelector ProbeNamespaceSelector defines Namespaces to be selected for VMProbe discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
probeScrapeRelabelTemplate ProbeScrapeRelabelTemplate defines relabel config, that will be added to each VMProbeScrape.
it's useful for adding specific labels to all targets
RelabelConfig array false
probeSelector ProbeSelector defines VMProbe to be selected for target probing.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
relabelConfig RelabelConfig ConfigMap with global relabel config -remoteWrite.relabelConfig
This relabeling is applied to all the collected metrics before sending them to remote storage.
ConfigMapKeySelector false
remoteWrite RemoteWrite list of victoria metrics /some other remote write system
for vm it must looks like: http://victoria-metrics-single:8429/api/v1/write
or for cluster different url
https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/app/vmagent#splitting-data-streams-among-multiple-systems
VMAgentRemoteWriteSpec array true
remoteWriteSettings RemoteWriteSettings defines global settings for all remoteWrite urls. VMAgentRemoteWriteSettings false
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
rollingUpdate RollingUpdate - overrides deployment update params. RollingUpdateDeployment false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
scrapeConfigNamespaceSelector ScrapeConfigNamespaceSelector defines Namespaces to be selected for VMScrapeConfig discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
scrapeConfigRelabelTemplate ScrapeConfigRelabelTemplate defines relabel config, that will be added to each VMScrapeConfig.
it's useful for adding specific labels to all targets
RelabelConfig array false
scrapeConfigSelector ScrapeConfigSelector defines VMScrapeConfig to be selected for target discovery.
Works in combination with NamespaceSelector.
LabelSelector false
scrapeInterval ScrapeInterval defines how often scrape targets by default string false
scrapeTimeout ScrapeTimeout defines global timeout for targets scrape string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
selectAllByDefault SelectAllByDefault changes default behavior for empty CRD selectors, such ServiceScrapeSelector.
with selectAllByDefault: true and empty serviceScrapeSelector and ServiceScrapeNamespaceSelector
Operator selects all exist serviceScrapes
with selectAllByDefault: false - selects nothing
boolean false
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the pods string false
serviceScrapeNamespaceSelector ServiceScrapeNamespaceSelector Namespaces to be selected for VMServiceScrape discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
serviceScrapeRelabelTemplate ServiceScrapeRelabelTemplate defines relabel config, that will be added to each VMServiceScrape.
it's useful for adding specific labels to all targets
RelabelConfig array false
serviceScrapeSelector ServiceScrapeSelector defines ServiceScrapes to be selected for target discovery.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmagent VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vmagent service spec AdditionalServiceSpec false
shardCount ShardCount - numbers of shards of VMAgent
in this case operator will use 1 deployment/sts per shard with
replicas count according to spec.replicas,
see here
integer false
statefulMode StatefulMode enables StatefulSet for VMAgent instead of Deployment
it allows using persistent storage for vmagent's persistentQueue
boolean false
statefulRollingUpdateStrategy StatefulRollingUpdateStrategy allows configuration for strategyType
set it to RollingUpdate for disabling operator statefulSet rollingUpdate
StatefulSetUpdateStrategyType false
statefulStorage StatefulStorage configures storage for StatefulSet StorageSpec false
staticScrapeNamespaceSelector StaticScrapeNamespaceSelector defines Namespaces to be selected for VMStaticScrape discovery.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
staticScrapeRelabelTemplate StaticScrapeRelabelTemplate defines relabel config, that will be added to each VMStaticScrape.
it's useful for adding specific labels to all targets
RelabelConfig array false
staticScrapeSelector StaticScrapeSelector defines VMStaticScrape to be selected for target discovery.
Works in combination with NamespaceSelector.
If both nil - match everything.
NamespaceSelector nil - only objects at VMAgent namespace.
Selector nil - only objects at NamespaceSelector namespaces.
LabelSelector false
streamAggrConfig StreamAggrConfig defines global stream aggregation configuration for VMAgent StreamAggrConfig false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
updateStrategy UpdateStrategy - overrides default update strategy.
works only for deployments, statefulset always use OnDelete.
DeploymentStrategyType false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
useVMConfigReloader UseVMConfigReloader replaces prometheus-like config-reloader
with vm one. It uses secrets watch instead of file watch
which greatly increases speed of config updates
boolean false
vmAgentExternalLabelName VMAgentExternalLabelName Name of vmAgent external label used to denote vmAgent instance
name. Defaults to the value of prometheus. External label will
not be added when value is set to empty string ("").
string false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMAlert

VMAlert executes a list of given alerting or recording rules against configured address.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMAlert
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMAlertSpec true

VMAlertDatasourceSpec

VMAlertDatasourceSpec defines the remote storage configuration for VmAlert to read alerts from

Appears in:

Field Description Scheme Required
basicAuth BasicAuth false
headers Headers allow configuring custom http headers
Must be in form of semicolon separated header with value
e.g.
headerName:headerValue
vmalert supports it since 1.79.0 version
string array false
oauth2 OAuth2 false
tlsConfig TLSConfig false
url Victoria Metrics or VMSelect url. Required parameter. E.g. http://127.0.0.1:8428 string true

VMAlertNotifierSpec

VMAlertNotifierSpec defines the notifier url for sending information about alerts

Appears in:

Field Description Scheme Required
basicAuth BasicAuth false
headers Headers allow configuring custom http headers
Must be in form of semicolon separated header with value
e.g.
headerName:headerValue
vmalert supports it since 1.79.0 version
string array false
oauth2 OAuth2 false
selector Selector allows service discovery for alertmanager
in this case all matched vmalertmanager replicas will be added into vmalert notifier.url
as statefulset pod.fqdn
DiscoverySelector false
tlsConfig TLSConfig false
url AlertManager url. E.g. http://127.0.0.1:9093 string false

VMAlertRemoteReadSpec

VMAlertRemoteReadSpec defines the remote storage configuration for VmAlert to read alerts from

Appears in:

Field Description Scheme Required
basicAuth BasicAuth false
headers Headers allow configuring custom http headers
Must be in form of semicolon separated header with value
e.g.
headerName:headerValue
vmalert supports it since 1.79.0 version
string array false
lookback Lookback defines how far to look into past for alerts timeseries. For example, if lookback=1h then range from now() to now()-1h will be scanned. (default 1h0m0s)
Applied only to RemoteReadSpec
string false
oauth2 OAuth2 false
tlsConfig TLSConfig false
url URL of the endpoint to send samples to. string true

VMAlertRemoteWriteSpec

VMAlertRemoteWriteSpec defines the remote storage configuration for VmAlert

Appears in:

Field Description Scheme Required
basicAuth BasicAuth false
concurrency Defines number of readers that concurrently write into remote storage (default 1) integer false
flushInterval Defines interval of flushes to remote write endpoint (default 5s) string false
headers Headers allow configuring custom http headers
Must be in form of semicolon separated header with value
e.g.
headerName:headerValue
vmalert supports it since 1.79.0 version
string array false
maxBatchSize Defines defines max number of timeseries to be flushed at once (default 1000) integer false
maxQueueSize Defines the max number of pending datapoints to remote write endpoint (default 100000) integer false
oauth2 OAuth2 false
tlsConfig TLSConfig false
url URL of the endpoint to send samples to. string true

VMAlertSpec

VMAlertSpec defines the desired state of VMAlert

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
configReloaderExtraArgs ConfigReloaderExtraArgs that will be passed to VMAuths config-reloader container
for example resyncInterval: "30s"
object (keys:string, values:string) false
configReloaderImageTag ConfigReloaderImageTag defines image:tag for config-reloader container string false
configReloaderResources ConfigReloaderResources config-reloader container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
datasource Datasource Victoria Metrics or VMSelect url. Required parameter. e.g. http://127.0.0.1:8428 VMAlertDatasourceSpec true
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
enforcedNamespaceLabel EnforcedNamespaceLabel enforces adding a namespace label of origin for each alert
and metric that is user created. The label value will always be the namespace of the object that is
being created.
string false
evaluationInterval EvaluationInterval defines how often to evaluate rules by default string false
externalLabels ExternalLabels in the form 'name: value' to add to all generated recording rules and alerts. object (keys:string, values:string) false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
license License allows to configure license key to be used for enterprise features.
Using license key is supported starting from VictoriaMetrics v1.94.0.
See here
License false
logFormat LogFormat for VMAlert to be configured with.
default or json
string false
logLevel LogLevel for VMAlert to be configured with. string false
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
notifier Notifier prometheus alertmanager endpoint spec. Required at least one of notifier or notifiers when there are alerting rules. e.g. http://127.0.0.1:9093
If specified both notifier and notifiers, notifier will be added as last element to notifiers.
only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier
VMAlertNotifierSpec false
notifierConfigRef NotifierConfigRef reference for secret with notifier configuration for vmalert
only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier
SecretKeySelector false
notifiers Notifiers prometheus alertmanager endpoints. Required at least one of notifier or notifiers when there are alerting rules. e.g. http://127.0.0.1:9093
If specified both notifier and notifiers, notifier will be added as last element to notifiers.
only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier
VMAlertNotifierSpec array false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VMAlert pods. EmbeddedObjectMetadata true
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
remoteRead RemoteRead Optional URL to read vmalert state (persisted via RemoteWrite)
This configuration only makes sense if alerts state has been successfully
persisted (via RemoteWrite) before.
see -remoteRead.url docs in vmalerts for details.
E.g. http://127.0.0.1:8428
VMAlertRemoteReadSpec false
remoteWrite RemoteWrite Optional URL to remote-write compatible storage to persist
vmalert state and rule results to.
Rule results will be persisted according to each rule.
Alerts state will be persisted in the form of time series named ALERTS and ALERTS_FOR_STATE
see -remoteWrite.url docs in vmalerts for details.
E.g. http://127.0.0.1:8428
VMAlertRemoteWriteSpec false
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
rollingUpdate RollingUpdate - overrides deployment update params. RollingUpdateDeployment false
ruleNamespaceSelector RuleNamespaceSelector to be selected for VMRules discovery.
Works in combination with Selector.
If both nil - behaviour controlled by selectAllByDefault
NamespaceSelector nil - only objects at VMAlert namespace.
LabelSelector false
rulePath RulePath to the file with alert rules.
Supports patterns. Flag can be specified multiple times.
Examples:
-rule /path/to/file. Path to a single file with alerting rules
-rule dir/.yaml -rule /.yaml. Relative path to all .yaml files in folder,
absolute path to all .yaml files in root.
by default operator adds /etc/vmalert/configs/base/vmalert.yaml
string array false
ruleSelector RuleSelector selector to select which VMRules to mount for loading alerting
rules from.
Works in combination with NamespaceSelector.
If both nil - behaviour controlled by selectAllByDefault
NamespaceSelector nil - only objects at VMAlert namespace.
LabelSelector false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
selectAllByDefault SelectAllByDefault changes default behavior for empty CRD selectors, such RuleSelector.
with selectAllByDefault: true and empty serviceScrapeSelector and RuleNamespaceSelector
Operator selects all exist serviceScrapes
with selectAllByDefault: false - selects nothing
boolean false
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the pods string false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmalert VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vmalert service spec AdditionalServiceSpec false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
updateStrategy UpdateStrategy - overrides default update strategy. DeploymentStrategyType false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
useVMConfigReloader UseVMConfigReloader replaces prometheus-like config-reloader
with vm one. It uses secrets watch instead of file watch
which greatly increases speed of config updates
boolean false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMAlertmanager

VMAlertmanager represents Victoria-Metrics deployment for Alertmanager.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMAlertmanager
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec Specification of the desired behavior of the VMAlertmanager cluster. More info:
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
VMAlertmanagerSpec true

VMAlertmanagerConfig

VMAlertmanagerConfig is the Schema for the vmalertmanagerconfigs API

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMAlertmanagerConfig
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMAlertmanagerConfigSpec true

VMAlertmanagerConfigSpec

VMAlertmanagerConfigSpec defines configuration for VMAlertmanagerConfig it must reference only locally defined objects

Appears in:

Field Description Scheme Required
inhibit_rules InhibitRules will only apply for alerts matching
the resource's namespace.
InhibitRule array false
receivers Receivers defines alert receivers Receiver array true
route Route definition for alertmanager, may include nested routes. Route true
time_intervals TimeIntervals defines named interval for active/mute notifications interval
See https://prometheus.io/docs/alerting/latest/configuration/#time_interval
TimeIntervals array false

VMAlertmanagerSpec

VMAlertmanagerSpec is a specification of the desired behavior of the VMAlertmanager cluster. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

Appears in:

Field Description Scheme Required
additionalPeers AdditionalPeers allows injecting a set of additional Alertmanagers to peer with to form a highly available cluster. string array true
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
claimTemplates ClaimTemplates allows adding additional VolumeClaimTemplates for StatefulSet PersistentVolumeClaim array true
clusterAdvertiseAddress ClusterAdvertiseAddress is the explicit address to advertise in cluster.
Needs to be provided for non RFC1918 [1] (public) addresses.
[1] RFC1918: https://tools.ietf.org/html/rfc1918
string false
clusterDomainName ClusterDomainName defines domain name suffix for in-cluster dns addresses
aka .cluster.local
used to build pod peer addresses for in-cluster communication
string false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
configNamespaceSelector ConfigNamespaceSelector defines namespace selector for VMAlertmanagerConfig.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAlertmanager namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
configRawYaml ConfigRawYaml - raw configuration for alertmanager,
it helps it to start without secret.
priority -> hardcoded ConfigRaw -> ConfigRaw, provided by user -> ConfigSecret.
string false
configReloaderExtraArgs ConfigReloaderExtraArgs that will be passed to VMAuths config-reloader container
for example resyncInterval: "30s"
object (keys:string, values:string) false
configReloaderImageTag ConfigReloaderImageTag defines image:tag for config-reloader container string false
configReloaderResources ConfigReloaderResources config-reloader container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
configSecret ConfigSecret is the name of a Kubernetes Secret in the same namespace as the
VMAlertmanager object, which contains configuration for this VMAlertmanager,
configuration must be inside secret key: alertmanager.yaml.
It must be created by user.
instance. Defaults to 'vmalertmanager-'
The secret is mounted into /etc/alertmanager/config.
string false
configSelector ConfigSelector defines selector for VMAlertmanagerConfig, result config will be merged with with Raw or Secret config.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAlertmanager namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableNamespaceMatcher DisableNamespaceMatcher disables top route namespace label matcher for VMAlertmanagerConfig
It may be useful if alert doesn't have namespace label for some reason
boolean false
disableRouteContinueEnforce DisableRouteContinueEnforce cancel the behavior for VMAlertmanagerConfig that always enforce first-level route continue to true boolean false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
enforcedTopRouteMatchers EnforcedTopRouteMatchers defines label matchers to be added for the top route
of VMAlertmanagerConfig
It allows to make some set of labels required for alerts.
https://prometheus.io/docs/alerting/latest/configuration/#matcher
string array true
externalURL ExternalURL the VMAlertmanager instances will be available under. This is
necessary to generate correct URLs. This is necessary if VMAlertmanager is not
served from root of a DNS name.
string false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
gossipConfig GossipConfig defines gossip TLS configuration for Alertmanager cluster AlertmanagerGossipConfig false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
listenLocal ListenLocal makes the VMAlertmanager server listen on loopback, so that it
does not bind against the Pod IP. Note this is only for the VMAlertmanager
UI, not the gossip communication.
boolean false
logFormat LogFormat for VMAlertmanager to be configured with. string false
logLevel Log level for VMAlertmanager to be configured with. string false
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the alertmanager pods. EmbeddedObjectMetadata false
port Port listen address string false
portName PortName used for the pods and governing service.
This defaults to web
string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
retention Retention Time duration VMAlertmanager shall retain data for. Default is '120h',
and must match the regular expression [0-9]+(ms|s|m|h) (milliseconds seconds minutes hours).
string false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
rollingUpdateStrategy RollingUpdateStrategy defines strategy for application updates
Default is OnDelete, in this case operator handles update process
Can be changed for RollingUpdate
StatefulSetUpdateStrategyType false
routePrefix RoutePrefix VMAlertmanager registers HTTP handlers for. This is useful,
if using ExternalURL and a proxy is rewriting HTTP routes of a request,
and the actual ExternalURL is still true, but the server serves requests
under a different route prefix. For example for use with kubectl proxy.
string false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
selectAllByDefault SelectAllByDefault changes default behavior for empty CRD selectors, such ConfigSelector.
with selectAllByDefault: true and undefined ConfigSelector and ConfigNamespaceSelector
Operator selects all exist alertManagerConfigs
with selectAllByDefault: false - selects nothing
boolean false
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the pods string false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmalertmanager VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vmalertmanager service spec AdditionalServiceSpec false
storage Storage is the definition of how storage will be used by the VMAlertmanager
instances.
StorageSpec false
templates Templates is a list of ConfigMap key references for ConfigMaps in the same namespace as the VMAlertmanager
object, which shall be mounted into the VMAlertmanager Pods.
The Templates are mounted into /etc/vm/templates//.
ConfigMapKeyReference array false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
useVMConfigReloader UseVMConfigReloader replaces prometheus-like config-reloader
with vm one. It uses secrets watch instead of file watch
which greatly increases speed of config updates
boolean false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true
webConfig WebConfig defines configuration for webserver
https://github.com/prometheus/alertmanager/blob/main/docs/https.md
AlertmanagerWebConfig false

VMAuth

VMAuth is the Schema for the vmauths API

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMAuth
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMAuthSpec true

VMAuthLoadBalancer

VMAuthLoadBalancer configures vmauth as a load balancer for the requests

Appears in:

Field Description Scheme Required
disableInsertBalancing boolean true
disableSelectBalancing boolean true
enabled boolean true
spec VMAuthLoadBalancerSpec true

VMAuthLoadBalancerSpec

VMAuthLoadBalancerSpec defines configuration spec for VMAuth used as load-balancer for VMCluster component

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
logFormat LogFormat for vmauth
default or json
string false
logLevel LogLevel for vmauth container. string false
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata Common params for scheduling
PodMetadata configures Labels and Annotations which are propagated to the vmauth lb pods.
EmbeddedObjectMetadata true
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmauthlb VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec AdditionalServiceSpec defines service override configuration for vmauth lb deployment
it'll be only applied to vmclusterlb- service
AdditionalServiceSpec true
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMAuthSpec

VMAuthSpec defines the desired state of VMAuth

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
configReloaderExtraArgs ConfigReloaderExtraArgs that will be passed to VMAuths config-reloader container
for example resyncInterval: "30s"
object (keys:string, values:string) false
configReloaderImageTag ConfigReloaderImageTag defines image:tag for config-reloader container string false
configReloaderResources ConfigReloaderResources config-reloader container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
configSecret ConfigSecret is the name of a Kubernetes Secret in the same namespace as the
VMAuth object, which contains auth configuration for vmauth,
configuration must be inside secret key: config.yaml.
It must be created and managed manually.
If it's defined, configuration for vmauth becomes unmanaged and operator'll not create any related secrets/config-reloaders
Deprecated, use externalConfig.secretRef instead
string true
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
default_url DefaultURLs backend url for non-matching paths filter
usually used for default backend with error message
string array true
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
discover_backend_ips DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS. boolean true
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
drop_src_path_prefix_parts DropSrcPathPrefixParts is the number of /-delimited request path prefix parts to drop before proxying the request to backend.
See here for more details.
integer false
dump_request_on_errors DumpRequestOnErrors instructs vmauth to return detailed request params to the client
if routing rules don't allow to forward request to the backends.
Useful for debugging src_hosts and src_headers based routing rules

available since v1.107.0 vmauth version
boolean false
externalConfig ExternalConfig defines a source of external VMAuth configuration.
If it's defined, configuration for vmauth becomes unmanaged and operator'll not create any related secrets/config-reloaders
ExternalConfig false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
headers Headers represent additional http headers, that vmauth uses
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.68.0 version of vmauth
string array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
ingress Ingress enables ingress configuration for VMAuth. EmbeddedIngress true
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
ip_filters IPFilters defines per target src ip filters
supported only with enterprise version of vmauth
VMUserIPFilters false
license License allows to configure license key to be used for enterprise features.
Using license key is supported starting from VictoriaMetrics v1.94.0.
See here
License false
load_balancing_policy LoadBalancingPolicy defines load balancing policy to use for backend urls.
Supported policies: least_loaded, first_available.
See here for more details (default "least_loaded")
string false
logFormat LogFormat for VMAuth to be configured with. string false
logLevel LogLevel for victoria metrics single to be configured with. string false
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
max_concurrent_requests MaxConcurrentRequests defines max concurrent requests per user
300 is default value for vmauth
integer false
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VMAuth pods. EmbeddedObjectMetadata false
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
response_headers ResponseHeaders represent additional http headers, that vmauth adds for request response
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.93.0 version of vmauth
string array false
retry_status_codes RetryStatusCodes defines http status codes in numeric format for request retries
e.g. [429,503]
integer array false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
selectAllByDefault SelectAllByDefault changes default behavior for empty CRD selectors, such userSelector.
with selectAllByDefault: true and empty userSelector and userNamespaceSelector
Operator selects all exist users
with selectAllByDefault: false - selects nothing
boolean false
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the pods string false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmauth VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vmsingle service spec AdditionalServiceSpec false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tlsConfig TLSConfig defines tls configuration for the backend connection TLSConfig false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
unauthorizedAccessConfig UnauthorizedAccessConfig configures access for un authorized users

Deprecated, use unauthorizedUserAccessSpec instead
will be removed at v1.0 release
UnauthorizedAccessConfigURLMap array true
unauthorizedUserAccessSpec UnauthorizedUserAccessSpec defines unauthorized_user config section of vmauth config VMAuthUnauthorizedUserAccessSpec false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
useVMConfigReloader UseVMConfigReloader replaces prometheus-like config-reloader
with vm one. It uses secrets watch instead of file watch
which greatly increases speed of config updates
boolean false
userNamespaceSelector UserNamespaceSelector Namespaces to be selected for VMAuth discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAuth namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
userSelector UserSelector defines VMUser to be selected for config file generation.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAuth namespace.
If both nil - behaviour controlled by selectAllByDefault
LabelSelector false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMAuthUnauthorizedUserAccessSpec

VMAuthUnauthorizedUserAccessSpec defines unauthorized_user section configuration for vmauth

Appears in:

Field Description Scheme Required
default_url DefaultURLs backend url for non-matching paths filter
usually used for default backend with error message
string array true
discover_backend_ips DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS. boolean true
drop_src_path_prefix_parts DropSrcPathPrefixParts is the number of /-delimited request path prefix parts to drop before proxying the request to backend.
See here for more details.
integer false
dump_request_on_errors DumpRequestOnErrors instructs vmauth to return detailed request params to the client
if routing rules don't allow to forward request to the backends.
Useful for debugging src_hosts and src_headers based routing rules

available since v1.107.0 vmauth version
boolean false
headers Headers represent additional http headers, that vmauth uses
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.68.0 version of vmauth
string array false
ip_filters IPFilters defines per target src ip filters
supported only with enterprise version of vmauth
VMUserIPFilters false
load_balancing_policy LoadBalancingPolicy defines load balancing policy to use for backend urls.
Supported policies: least_loaded, first_available.
See here for more details (default "least_loaded")
string false
max_concurrent_requests MaxConcurrentRequests defines max concurrent requests per user
300 is default value for vmauth
integer false
metric_labels MetricLabels - additional labels for metrics exported by vmauth for given user. object (keys:string, values:string) false
response_headers ResponseHeaders represent additional http headers, that vmauth adds for request response
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.93.0 version of vmauth
string array false
retry_status_codes RetryStatusCodes defines http status codes in numeric format for request retries
e.g. [429,503]
integer array false
tlsConfig TLSConfig defines tls configuration for the backend connection TLSConfig false
url_map UnauthorizedAccessConfigURLMap array true
url_prefix URLPrefix defines prefix prefix for destination StringOrArray true

VMBackup

Appears in:

Field Description Scheme Required
acceptEULA AcceptEULA accepts enterprise feature usage, must be set to true.
otherwise backupmanager cannot be added to single/cluster version.
https://victoriametrics.com/legal/esa/
boolean false
concurrency Defines number of concurrent workers. Higher concurrency may reduce backup duration (default 10) integer false
credentialsSecret CredentialsSecret is secret in the same namespace for access to remote storage
The secret is mounted into /etc/vm/creds.
SecretKeySelector false
customS3Endpoint Custom S3 endpoint for use with S3-compatible storages (e.g. MinIO). S3 is used if not set string false
destination Defines destination for backup string true
destinationDisableSuffixAdd DestinationDisableSuffixAdd - disables suffix adding for cluster version backups
each vmstorage backup must have unique backup folder
so operator adds POD_NAME as suffix for backup destination folder.
boolean false
disableDaily Defines if daily backups disabled (default false) boolean false
disableHourly Defines if hourly backups disabled (default false) boolean false
disableMonthly Defines if monthly backups disabled (default false) boolean false
disableWeekly Defines if weekly backups disabled (default false) boolean false
extraArgs extra args like maxBytesPerSecond default 0 object (keys:string, values:string) false
extraEnvs EnvVar array false
image Image - docker image settings for VMBackuper Image false
logFormat LogFormat for VMBackup to be configured with.
default or json
string false
logLevel LogLevel for VMBackup to be configured with. string false
port Port for health check connections string true
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
restore Restore Allows to enable restore options for pod
Read more
VMRestore false
snapshotCreateURL SnapshotCreateURL overwrites url for snapshot create string false
snapshotDeleteURL SnapShotDeleteURL overwrites url for snapshot delete string false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment definition.
VolumeMounts specified will be appended to other VolumeMounts in the vmbackupmanager container,
that are generated as a result of StorageSpec objects.
VolumeMount array false

VMCluster

VMCluster is fast, cost-effective and scalable time-series database. Cluster version with

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMCluster
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta false
spec VMClusterSpec true

VMClusterSpec

VMClusterSpec defines the desired state of VMCluster

Appears in:

Field Description Scheme Required
clusterDomainName ClusterDomainName defines domain name suffix for in-cluster dns addresses
aka .cluster.local
used by vminsert and vmselect to build vmstorage address
string false
clusterVersion ClusterVersion defines default images tag for all components.
it can be overwritten with component specific image.tag value.
string false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
license License allows to configure license key to be used for enterprise features.
Using license key is supported starting from VictoriaMetrics v1.94.0.
See here
License false
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
replicationFactor ReplicationFactor defines how many copies of data make among
distinct storage nodes
integer false
requestsLoadBalancer RequestsLoadBalancer configures load-balancing for vminsert and vmselect requests
it helps to evenly spread load across pods
usually it's not possible with kubernetes TCP based service
VMAuthLoadBalancer true
retentionPeriod RetentionPeriod for the stored metrics
Note VictoriaMetrics has data/ and indexdb/ folders
metrics from data/ removed eventually as soon as partition leaves retention period
reverse index data at indexdb rotates once at the half of configured
retention period
string true
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the
VMSelect, VMStorage and VMInsert Pods.
string false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
vminsert VMInsert false
vmselect VMSelect false
vmstorage VMStorage false

VMInsert

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
clusterNativeListenPort ClusterNativePort for multi-level cluster setup.
More details
string false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
hpa HPA defines kubernetes PodAutoScaling configuration version 2. EmbeddedHPA true
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
insertPorts InsertPorts - additional listen ports for data ingestion. InsertPorts true
logFormat LogFormat for VMInsert to be configured with.
default or json
string false
logLevel LogLevel for VMInsert to be configured with. string false
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VMInsert pods. EmbeddedObjectMetadata true
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
rollingUpdate RollingUpdate - overrides deployment update params. RollingUpdateDeployment false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
serviceScrapeSpec ServiceScrapeSpec that will be added to vminsert VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vminsert service spec AdditionalServiceSpec false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
updateStrategy UpdateStrategy - overrides default update strategy. DeploymentStrategyType false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMNodeScrape

VMNodeScrape defines discovery for targets placed on kubernetes nodes, usually its node-exporters and other host services. InternalIP is used as address for scraping.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMNodeScrape
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMNodeScrapeSpec true

VMNodeScrapeSpec

VMNodeScrapeSpec defines specification for VMNodeScrape.

Appears in:

Field Description Scheme Required
authorization Authorization with http header Authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
follow_redirects FollowRedirects controls redirects for scraping. boolean false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
interval Interval at which metrics should be scraped string false
jobLabel The label to use to retrieve the job name from. string false
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
oauth2 OAuth2 defines auth configuration OAuth2 false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
port Name of the port exposed at Node. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
relabelConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
selector Selector to select kubernetes Nodes. LabelSelector false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targetLabels TargetLabels transfers labels on the Kubernetes Node onto the target. string array false
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

VMPodScrape

VMPodScrape is scrape configuration for pods, it generates vmagent's config for scraping pod targets based on selectors.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMPodScrape
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta false
spec VMPodScrapeSpec true

VMPodScrapeSpec

VMPodScrapeSpec defines the desired state of VMPodScrape

Appears in:

Field Description Scheme Required
attach_metadata AttachMetadata configures metadata attaching from service discovery AttachMetadata false
jobLabel The label to use to retrieve the job name from. string false
namespaceSelector Selector to select which namespaces the Endpoints objects are discovered from. NamespaceSelector false
podMetricsEndpoints A list of endpoints allowed as part of this PodMonitor. PodMetricsEndpoint array true
podTargetLabels PodTargetLabels transfers labels on the Kubernetes Pod onto the target. string array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
selector Selector to select Pod objects. LabelSelector false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false

VMProbe

VMProbe defines a probe for targets, that will be executed with prober, like blackbox exporter. It helps to monitor reachability of target with various checks.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMProbe
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta false
spec VMProbeSpec true

VMProbeSpec

VMProbeSpec contains specification parameters for a Probe.

Appears in:

Field Description Scheme Required
authorization Authorization with http header Authorization Authorization false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
follow_redirects FollowRedirects controls redirects for scraping. boolean false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
interval Interval at which metrics should be scraped string false
jobName The job name assigned to scraped metrics by default. string true
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
module The module to use for probing specifying how to probe the target.
Example module configuring in the blackbox exporter:
https://github.com/prometheus/blackbox_exporter/blob/master/example.yml
string true
oauth2 OAuth2 defines auth configuration OAuth2 false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targets Targets defines a set of static and/or dynamically discovered targets to be probed using the prober. VMProbeTargets true
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false
vmProberSpec Specification for the prober to use for probing targets.
The prober.URL parameter is required. Targets cannot be probed if left empty.
VMProberSpec true
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

VMProbeTargetStaticConfig

VMProbeTargetStaticConfig defines the set of static targets considered for probing.

Appears in:

Field Description Scheme Required
labels Labels assigned to all metrics scraped from the targets. object (keys:string, values:string) true
relabelingConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array true
targets Targets is a list of URLs to probe using the configured prober. string array true

VMProbeTargets

VMProbeTargets defines a set of static and dynamically discovered targets for the prober.

Appears in:

Field Description Scheme Required
ingress Ingress defines the set of dynamically discovered ingress objects which hosts are considered for probing. ProbeTargetIngress true
staticConfig StaticConfig defines static targets which are considers for probing. VMProbeTargetStaticConfig true

VMProberSpec

VMProberSpec contains specification parameters for the Prober used for probing.

Appears in:

Field Description Scheme Required
path Path to collect metrics from.
Defaults to /probe.
string true
scheme HTTP scheme to use for scraping.
Defaults to http.
string false
url Mandatory URL of the prober. string true

VMRestore

VMRestore defines config options for vmrestore start-up

Appears in:

Field Description Scheme Required
onStart OnStart defines configuration for restore on pod start VMRestoreOnStartConfig false

VMRestoreOnStartConfig

VMRestoreOnStartConfig controls vmrestore setting

Appears in:

Field Description Scheme Required
enabled Enabled defines if restore on start enabled boolean false

VMRule

VMRule defines rule records for vmalert application

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMRule
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMRuleSpec true

VMRuleSpec

VMRuleSpec defines the desired state of VMRule

Appears in:

Field Description Scheme Required
groups Groups list of group rules RuleGroup array true

VMScrapeConfig

VMScrapeConfig specifies a set of targets and parameters describing how to scrape them.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMScrapeConfig
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMScrapeConfigSpec true

VMScrapeConfigSpec

VMScrapeConfigSpec defines the desired state of VMScrapeConfig

Appears in:

Field Description Scheme Required
authorization Authorization with http header Authorization Authorization false
azureSDConfigs AzureSDConfigs defines a list of Azure service discovery configurations. AzureSDConfig array false
basicAuth BasicAuth allow an endpoint to authenticate over basic authentication BasicAuth false
bearerTokenFile File to read bearer token for scraping targets. string false
bearerTokenSecret Secret to mount to read bearer token for scraping targets. The secret
needs to be in the same namespace as the scrape object and accessible by
the victoria-metrics operator.
SecretKeySelector false
consulSDConfigs ConsulSDConfigs defines a list of Consul service discovery configurations. ConsulSDConfig array false
digitalOceanSDConfigs DigitalOceanSDConfigs defines a list of DigitalOcean service discovery configurations. DigitalOceanSDConfig array false
dnsSDConfigs DNSSDConfigs defines a list of DNS service discovery configurations. DNSSDConfig array false
ec2SDConfigs EC2SDConfigs defines a list of EC2 service discovery configurations. EC2SDConfig array false
fileSDConfigs FileSDConfigs defines a list of file service discovery configurations. FileSDConfig array false
follow_redirects FollowRedirects controls redirects for scraping. boolean false
gceSDConfigs GCESDConfigs defines a list of GCE service discovery configurations. GCESDConfig array false
honorLabels HonorLabels chooses the metric's labels on collisions with target labels. boolean false
honorTimestamps HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. boolean false
httpSDConfigs HTTPSDConfigs defines a list of HTTP service discovery configurations. HTTPSDConfig array false
interval Interval at which metrics should be scraped string false
kubernetesSDConfigs KubernetesSDConfigs defines a list of Kubernetes service discovery configurations. KubernetesSDConfig array false
max_scrape_size MaxScrapeSize defines a maximum size of scraped data for a job string false
metricRelabelConfigs MetricRelabelConfigs to apply to samples after scrapping. RelabelConfig array false
oauth2 OAuth2 defines auth configuration OAuth2 false
openstackSDConfigs OpenStackSDConfigs defines a list of OpenStack service discovery configurations. OpenStackSDConfig array false
params Optional HTTP URL parameters object (keys:string, values:string array) false
path HTTP path to scrape for metrics. string false
proxyURL ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. string false
relabelConfigs RelabelConfigs to apply to samples during service discovery. RelabelConfig array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
scheme HTTP scheme to use for scraping. string false
scrapeTimeout Timeout after which the scrape is ended string false
scrape_interval ScrapeInterval is the same as Interval and has priority over it.
one of scrape_interval or interval can be used
string false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
staticConfigs StaticConfigs defines a list of static targets with a common label set. StaticConfig array false
tlsConfig TLSConfig configuration to use when scraping the endpoint TLSConfig false
vm_scrape_params VMScrapeParams defines VictoriaMetrics specific scrape parameters VMScrapeParams false

VMScrapeParams

VMScrapeParams defines scrape target configuration that compatible only with VictoriaMetrics scrapers VMAgent and VMSingle

Appears in:

Field Description Scheme Required
disable_compression DisableCompression boolean false
disable_keep_alive disable_keepalive allows disabling HTTP keep-alive when scraping targets.
By default, HTTP keep-alive is enabled, so TCP connections to scrape targets
could be re-used.
See https://docs.victoriametrics.com/vmagent#scrape_config-enhancements
boolean false
headers Headers allows sending custom headers to scrape targets
must be in of semicolon separated header with it's value
eg:
headerName: headerValue
vmagent supports since 1.79.0 version
string array false
no_stale_markers boolean false
proxy_client_config ProxyClientConfig configures proxy auth settings for scraping
See feature description https://docs.victoriametrics.com/vmagent#scraping-targets-via-a-proxy
ProxyAuth false
scrape_align_interval string false
scrape_offset string false
stream_parse boolean false

VMSelect

VMSelect defines configuration section for vmselect components of the victoria-metrics cluster

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
cacheMountPath CacheMountPath allows to add cache persistent for VMSelect,
will use "/cache" as default if not specified.
string false
claimTemplates ClaimTemplates allows adding additional VolumeClaimTemplates for StatefulSet PersistentVolumeClaim array true
clusterNativeListenPort ClusterNativePort for multi-level cluster setup.
More details
string false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
hpa Configures horizontal pod autoscaling.
Note, enabling this option disables vmselect to vmselect communication. In most cases it's not an issue.
EmbeddedHPA false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
logFormat LogFormat for VMSelect to be configured with.
default or json
string false
logLevel LogLevel for VMSelect to be configured with. string false
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
persistentVolume Storage - add persistent volume for cacheMountPath
its useful for persistent cache
use storage instead of persistentVolume.
StorageSpec false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VMSelect pods. EmbeddedObjectMetadata true
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
rollingUpdateStrategy RollingUpdateStrategy defines strategy for application updates
Default is OnDelete, in this case operator handles update process
Can be changed for RollingUpdate
StatefulSetUpdateStrategyType false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmselect VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vmselect service spec AdditionalServiceSpec false
storage StorageSpec - add persistent volume claim for cacheMountPath
its needed for persistent cache
StorageSpec false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMServiceScrape

VMServiceScrape is scrape configuration for endpoints associated with kubernetes service, it generates scrape configuration for vmagent based on selectors. result config will scrape service endpoints

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMServiceScrape
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMServiceScrapeSpec true

VMServiceScrapeSpec

VMServiceScrapeSpec defines the desired state of VMServiceScrape

Appears in:

Field Description Scheme Required
attach_metadata AttachMetadata configures metadata attaching from service discovery AttachMetadata false
discoveryRole DiscoveryRole - defines kubernetes_sd role for objects discovery.
by default, its endpoints.
can be changed to service or endpointslices.
note, that with service setting, you have to use port: "name"
and cannot use targetPort for endpoints.
string false
endpoints A list of endpoints allowed as part of this ServiceScrape. Endpoint array true
jobLabel The label to use to retrieve the job name from. string false
namespaceSelector Selector to select which namespaces the Endpoints objects are discovered from. NamespaceSelector false
podTargetLabels PodTargetLabels transfers labels on the Kubernetes Pod onto the target. string array false
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
selector Selector to select Endpoints objects by corresponding Service labels. LabelSelector false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targetLabels TargetLabels transfers labels on the Kubernetes Service onto the target. string array false

VMSingle

VMSingle is fast, cost-effective and scalable time-series database.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMSingle
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMSingleSpec true

VMSingleSpec

VMSingleSpec defines the desired state of VMSingle

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
insertPorts InsertPorts - additional listen ports for data ingestion. InsertPorts true
license License allows to configure license key to be used for enterprise features.
Using license key is supported starting from VictoriaMetrics v1.94.0.
See here
License false
logFormat LogFormat for VMSingle to be configured with. string false
logLevel LogLevel for victoria metrics single to be configured with. string false
managedMetadata ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource
ManagedObjectsMetadata true
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VMSingle pods. EmbeddedObjectMetadata false
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
removePvcAfterDelete RemovePvcAfterDelete - if true, controller adds ownership to pvc
and after VMSingle object deletion - pvc will be garbage collected
by controller manager
boolean false
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
retentionPeriod RetentionPeriod for the stored metrics
Note VictoriaMetrics has data/ and indexdb/ folders
metrics from data/ removed eventually as soon as partition leaves retention period
reverse index data at indexdb rotates once at the half of configured retention period
string true
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
serviceAccountName ServiceAccountName is the name of the ServiceAccount to use to run the pods string false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmsingle VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be added to vmsingle service spec AdditionalServiceSpec false
storage Storage is the definition of how storage will be used by the VMSingle
by default it`s empty dir
this option is ignored if storageDataPath is set
PersistentVolumeClaimSpec false
storageDataPath StorageDataPath disables spec.storage option and overrides arg for victoria-metrics binary --storageDataPath,
its users responsibility to mount proper device into given path.
It requires to provide spec.volumes and spec.volumeMounts with at least 1 value
string false
storageMetadata StorageMeta defines annotations and labels attached to PVC for given vmsingle CR EmbeddedObjectMetadata false
streamAggrConfig StreamAggrConfig defines stream aggregation configuration for VMSingle StreamAggrConfig true
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
vmBackup VMBackup configuration for backup VMBackup false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMStaticScrape

VMStaticScrape defines static targets configuration for scraping.

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMStaticScrape
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMStaticScrapeSpec true

VMStaticScrapeSpec

VMStaticScrapeSpec defines the desired state of VMStaticScrape.

Appears in:

Field Description Scheme Required
jobName JobName name of job. string true
sampleLimit SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. integer false
seriesLimit SeriesLimit defines per-scrape limit on number of unique time series
a single target can expose during all the scrapes on the time window of 24h.
integer false
targetEndpoints A list of target endpoints to scrape metrics from. TargetEndpoint array true

VMStorage

Appears in:

Field Description Scheme Required
affinity Affinity If specified, the pod's scheduling constraints. Affinity false
claimTemplates ClaimTemplates allows adding additional VolumeClaimTemplates for StatefulSet PersistentVolumeClaim array true
configMaps ConfigMaps is a list of ConfigMaps in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/configs/CONFIGMAP_NAME folder
string array false
containers Containers property allows to inject additions sidecars or to patch existing containers.
It can be useful for proxies, backup, etc.
Container array false
disableSelfServiceScrape DisableSelfServiceScrape controls creation of VMServiceScrape by operator
for the application.
Has priority over VM_DISABLESELFSERVICESCRAPECREATION operator env variable
boolean false
dnsConfig Specifies the DNS parameters of a pod.
Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
PodDNSConfig false
dnsPolicy DNSPolicy sets DNS policy for the pod DNSPolicy false
extraArgs ExtraArgs that will be passed to the application container
for example remoteWrite.tmpDataPath: /tmp
object (keys:string, values:string) false
extraEnvs ExtraEnvs that will be passed to the application container EnvVar array false
hostAliases HostAliases provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
HostAlias array false
hostNetwork HostNetwork controls whether the pod may use the node network namespace boolean false
host_aliases HostAliasesUnderScore provides mapping for ip and hostname,
that would be propagated to pod,
cannot be used with HostNetwork.
Has Priority over hostAliases field
HostAlias array false
image Image - docker image settings
if no specified operator uses default version from operator config
Image false
imagePullSecrets ImagePullSecrets An optional list of references to secrets in the same namespace
to use for pulling images from registries
see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
LocalObjectReference array false
initContainers InitContainers allows adding initContainers to the pod definition.
Any errors during the execution of an initContainer will lead to a restart of the Pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Container array false
logFormat LogFormat for VMStorage to be configured with.
default or json
string false
logLevel LogLevel for VMStorage to be configured with. string false
maintenanceInsertNodeIDs MaintenanceInsertNodeIDs - excludes given node ids from insert requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc.
lets say, you have pod-0, pod-1, pod-2, pod-3. to exclude pod-0 and pod-3 from insert routing, define nodeIDs: [0,3].
Useful at storage expanding, when you want to rebalance some data at cluster.
integer array false
maintenanceSelectNodeIDs MaintenanceInsertNodeIDs - excludes given node ids from select requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc. integer array true
minReadySeconds MinReadySeconds defines a minim number os seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle
integer false
nodeSelector NodeSelector Define which Nodes the Pods are scheduled on. object (keys:string, values:string) false
paused Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions.
boolean false
podDisruptionBudget PodDisruptionBudget created by operator EmbeddedPodDisruptionBudgetSpec false
podMetadata PodMetadata configures Labels and Annotations which are propagated to the VMStorage pods. EmbeddedObjectMetadata true
port Port listen address string false
priorityClassName PriorityClassName class assigned to the Pods string false
readinessGates ReadinessGates defines pod readiness gates PodReadinessGate array true
replicaCount ReplicaCount is the expected size of the Application. integer false
resources Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
if not defined default resources from operator config will be used
ResourceRequirements false
revisionHistoryLimitCount The number of old ReplicaSets to retain to allow rollback in deployment or
maximum number of revisions that will be maintained in the Deployment revision history.
Has no effect at StatefulSets
Defaults to 10.
integer false
rollingUpdateStrategy RollingUpdateStrategy defines strategy for application updates
Default is OnDelete, in this case operator handles update process
Can be changed for RollingUpdate
StatefulSetUpdateStrategyType false
runtimeClassName RuntimeClassName - defines runtime class for kubernetes pod.
https://kubernetes.io/docs/concepts/containers/runtime-class/
string false
schedulerName SchedulerName - defines kubernetes scheduler name string false
secrets Secrets is a list of Secrets in the same namespace as the Application
object, which shall be mounted into the Application container
at /etc/vm/secrets/SECRET_NAME folder
string array false
securityContext SecurityContext holds pod-level security attributes and common container settings.
This defaults to the default PodSecurityContext.
SecurityContext false
serviceScrapeSpec ServiceScrapeSpec that will be added to vmstorage VMServiceScrape spec VMServiceScrapeSpec false
serviceSpec ServiceSpec that will be create additional service for vmstorage AdditionalServiceSpec false
storage Storage - add persistent volume for StorageDataPath
its useful for persistent cache
StorageSpec false
storageDataPath StorageDataPath - path to storage data string false
terminationGracePeriodSeconds TerminationGracePeriodSeconds period for container graceful termination integer false
tolerations Tolerations If specified, the pod's tolerations. Toleration array false
topologySpreadConstraints TopologySpreadConstraints embedded kubernetes pod configuration option,
controls how pods are spread across your cluster among failure-domains
such as regions, zones, nodes, and other user-defined topology domains
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
TopologySpreadConstraint array false
useDefaultResources UseDefaultResources controls resource settings
By default, operator sets built-in resource requirements
boolean false
useStrictSecurity UseStrictSecurity enables strict security mode for component
it restricts disk writes access
uses non-root user out of the box
drops not needed security permissions
boolean false
vmBackup VMBackup configuration for backup VMBackup false
vmInsertPort VMInsertPort for VMInsert connections string false
vmSelectPort VMSelectPort for VMSelect connections string false
volumeMounts VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition.
VolumeMounts specified will be appended to other VolumeMounts in the Application container
VolumeMount array false
volumes Volumes allows configuration of additional volumes on the output Deployment/StatefulSet definition.
Volumes specified will be appended to other volumes that are generated.
/ +optional
Volume array true

VMUser

VMUser is the Schema for the vmusers API

Field Description Scheme Required
apiVersion string operator.victoriametrics.com/v1beta1
kind string VMUser
metadata Refer to Kubernetes API documentation for fields of metadata. ObjectMeta true
spec VMUserSpec true

VMUserConfigOptions

VMUserConfigOptions defines configuration options for VMUser object

Appears in:

Field Description Scheme Required
default_url DefaultURLs backend url for non-matching paths filter
usually used for default backend with error message
string array true
discover_backend_ips DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS. boolean true
drop_src_path_prefix_parts DropSrcPathPrefixParts is the number of /-delimited request path prefix parts to drop before proxying the request to backend.
See here for more details.
integer false
dump_request_on_errors DumpRequestOnErrors instructs vmauth to return detailed request params to the client
if routing rules don't allow to forward request to the backends.
Useful for debugging src_hosts and src_headers based routing rules

available since v1.107.0 vmauth version
boolean false
headers Headers represent additional http headers, that vmauth uses
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.68.0 version of vmauth
string array false
ip_filters IPFilters defines per target src ip filters
supported only with enterprise version of vmauth
VMUserIPFilters false
load_balancing_policy LoadBalancingPolicy defines load balancing policy to use for backend urls.
Supported policies: least_loaded, first_available.
See here for more details (default "least_loaded")
string false
max_concurrent_requests MaxConcurrentRequests defines max concurrent requests per user
300 is default value for vmauth
integer false
response_headers ResponseHeaders represent additional http headers, that vmauth adds for request response
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.93.0 version of vmauth
string array false
retry_status_codes RetryStatusCodes defines http status codes in numeric format for request retries
e.g. [429,503]
integer array false
tlsConfig TLSConfig defines tls configuration for the backend connection TLSConfig false

VMUserIPFilters

VMUserIPFilters defines filters for IP addresses supported only with enterprise version of vmauth

Appears in:

Field Description Scheme Required
allow_list string array true
deny_list string array true

VMUserSpec

VMUserSpec defines the desired state of VMUser

Appears in:

Field Description Scheme Required
bearerToken BearerToken Authorization header value for accessing protected endpoint. string false
default_url DefaultURLs backend url for non-matching paths filter
usually used for default backend with error message
string array true
disable_secret_creation DisableSecretCreation skips related secret creation for vmuser boolean true
discover_backend_ips DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS. boolean true
drop_src_path_prefix_parts DropSrcPathPrefixParts is the number of /-delimited request path prefix parts to drop before proxying the request to backend.
See here for more details.
integer false
dump_request_on_errors DumpRequestOnErrors instructs vmauth to return detailed request params to the client
if routing rules don't allow to forward request to the backends.
Useful for debugging src_hosts and src_headers based routing rules

available since v1.107.0 vmauth version
boolean false
generatePassword GeneratePassword instructs operator to generate password for user
if spec.password if empty.
boolean false
headers Headers represent additional http headers, that vmauth uses
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.68.0 version of vmauth
string array false
ip_filters IPFilters defines per target src ip filters
supported only with enterprise version of vmauth
VMUserIPFilters false
load_balancing_policy LoadBalancingPolicy defines load balancing policy to use for backend urls.
Supported policies: least_loaded, first_available.
See here for more details (default "least_loaded")
string false
max_concurrent_requests MaxConcurrentRequests defines max concurrent requests per user
300 is default value for vmauth
integer false
metric_labels MetricLabels - additional labels for metrics exported by vmauth for given user. object (keys:string, values:string) false
name Name of the VMUser object. string false
password Password basic auth password for accessing protected endpoint. string false
passwordRef PasswordRef allows fetching password from user-create secret by its name and key. SecretKeySelector false
response_headers ResponseHeaders represent additional http headers, that vmauth adds for request response
in form of ["header_key: header_value"]
multiple values for header key:
["header_key: value1,value2"]
it's available since 1.93.0 version of vmauth
string array false
retry_status_codes RetryStatusCodes defines http status codes in numeric format for request retries
e.g. [429,503]
integer array false
targetRefs TargetRefs - reference to endpoints, which user may access. TargetRef array true
tlsConfig TLSConfig defines tls configuration for the backend connection TLSConfig false
tokenRef TokenRef allows fetching token from user-created secrets by its name and key. SecretKeySelector false
username UserName basic auth user name for accessing protected endpoint,
will be replaced with metadata.name of VMUser if omitted.
string false

VictorOpsConfig

VictorOpsConfig configures notifications via VictorOps. See https://prometheus.io/docs/alerting/latest/configuration/#victorops_config

Appears in:

Field Description Scheme Required
api_key The secret's key that contains the API key to use when talking to the VictorOps API.
It must be at them same namespace as CRD
fallback to global setting if empty
SecretKeySelector false
api_url The VictorOps API URL. string false
custom_fields Adds optional custom fields
https://github.com/prometheus/alertmanager/blob/v0.24.0/config/notifiers.go#L537
object (keys:string, values:string) false
entity_display_name Contains summary of the alerted problem. string false
http_config The HTTP client's configuration. HTTPConfig false
message_type Describes the behavior of the alert (CRITICAL, WARNING, INFO). string false
monitoring_tool The monitoring tool the state message is from. string false
routing_key A key used to map the alert to a team. string true
send_resolved SendResolved controls notify about resolved alerts. boolean false
state_message Contains long explanation of the alerted problem. string false

WeChatConfig

WeChatConfig configures notifications via WeChat. See https://prometheus.io/docs/alerting/latest/configuration/#wechat_config

Appears in:

Field Description Scheme Required
agent_id string false
api_secret The secret's key that contains the WeChat API key.
The secret needs to be in the same namespace as the AlertmanagerConfig
fallback to global alertmanager setting if empty
SecretKeySelector false
api_url The WeChat API URL.
fallback to global alertmanager setting if empty
string false
corp_id The corp id for authentication.
fallback to global alertmanager setting if empty
string false
http_config HTTP client configuration. HTTPConfig false
message API request data as defined by the WeChat API. string true
message_type string false
send_resolved SendResolved controls notify about resolved alerts. boolean false
to_party string false
to_tag string false
to_user string false

WebexConfig

Appears in:

Field Description Scheme Required
api_url The Webex Teams API URL, i.e. https://webexapis.com/v1/messages string false
http_config HTTP client configuration. You must use this configuration to supply the bot token as part of the HTTP Authorization header. HTTPConfig false
message The message body template string false
room_id The ID of the Webex Teams room where to send the messages string true
send_resolved SendResolved controls notify about resolved alerts. boolean false

WebhookConfig

WebhookConfig configures notifications via a generic receiver supporting the webhook payload. See https://prometheus.io/docs/alerting/latest/configuration/#webhook_config

Appears in:

Field Description Scheme Required
http_config HTTP client configuration. HTTPConfig false
max_alerts Maximum number of alerts to be sent per webhook message. When 0, all alerts are included. integer false
send_resolved SendResolved controls notify about resolved alerts. boolean false
url URL to send requests to,
one of urlSecret and url must be defined.
string false
url_secret URLSecret defines secret name and key at the CRD namespace.
It must contain the webhook URL.
one of urlSecret and url must be defined.
SecretKeySelector false