VMAgent ingestOnlyMode: config-reloader crashes with RBAC forbidden error on secret watch

[vvinnich-lf]

Description
When deploying VMAgent with ingestOnlyMode: true, the config-reloader sidecar crashes during initialization with a forbidden error while attempting to read a secret that doesn't exist or isn't needed in ingest-only mode

apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAgent
metadata:
  name: vm-ingestor
spec:
  replicaCount: 2
  ingestOnlyMode: true
  remoteWrite:
    - url: http://vminsert:8480/insert/0/prometheus
      inlineUrlRelabelConfig:
        - action: drop
          source_labels: [environment]

The config-reloader sidecar fails fatally on startup:

vmagent-vm-ingestor-7f99fc49ff-wvz8x config-reloader 2026-02-19T11:55:11.552Z fatal \
  /workspace/cmd/config-reloader/k8s_watch.go:123 \
  cannot get secret during init secretName: vmagent-vm-ingestor, namespace: default, \
  err: secrets "vmagent-vm-ingestor" is forbidden: User \
  "system:serviceaccount:default:vmagent-vm-ingestor" cannot get resource "secrets" \
  in API group "" in the namespace "default"

** Operator version:** v0.67.0

[AndrewChubatiuk]

before 0.68.0 VMAgent RBAC was omitted if ingestOnlyMode is set to true, starting release 0.68.0 RBAC is crafted even in ingestOnlyMode is set additionally to stream aggregation or relabelling configurations

[therapy-lf]

Unfortunately, this problem is not completely resolved. We still see errors with the 0.68.1 version:

2026-03-04T11:53:52.309Z  info                                                                                       /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:12  build version: config-reloader-20260223-122806-config-reloader-v0.68.1
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:13  command-line flags
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:20    -config-envsubst-file="vmagent.yaml"
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:20    -config-secret-key="secret"
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:20    -config-secret-name="secret"
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:20    -reload-url="http://127.0.0.1:8429/-/reload"
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:20    -watched-dir="/etc/vm/relabeling"
2026-03-04T11:53:52.309Z  info                      /go/pkg/mod/github.com/!victoria!metrics/!victoria!metrics@v1.132.0/lib/logger/flag.go:20    -webhook-method="POST"
2026-03-04T11:53:52.309Z  info                      /workspace/cmd/config-reloader/main.go:91                                                  starting config reloader
2026-03-04T11:53:52.309Z  info                      /workspace/cmd/config-reloader/main.go:321                                                 starting kubernetes watcher with secret: monitoring/vmagent-vm-ingestor
2026-03-04T11:53:52.309Z  info                      /workspace/cmd/config-reloader/main.go:328                                                 starting watch for secret: vmagent-vm-ingestor at namespace: monitoring
2026-03-04T11:53:52.326Z  fatal                     /workspace/cmd/config-reloader/k8s_watch.go:138                                            cannot get secret during init secretName: vmagent-vm-ingestor, namespace: monitoring, err: secrets "vmagent-vm-ingestor" not found

[therapy-lf]

But vmagent was started once a secret with dummy data has been created

[AndrewChubatiuk]

fix will be available soon in operator v0.68.2

[AndrewChubatiuk]

hey @therapy-lf
issue was fixed in operator release 0.68.2 (operator chart 0.59.2)