vmagent: fixed rbac for unmanaged mode with relabel configurations set #1830

Merged
vrutkovs merged 2 commits into master from vmagent-fix-permissions-for-ingest-only-with-relabeling
Feb 19, 2026
@AndrewChubatiuk AndrewChubatiuk commented Feb 19, 2026

fixes #1828


Summary by cubic

Fixes vmagent RBAC in ingest-only mode so relabel configs and stream aggregation work by adding minimal read-only access to ConfigMaps/Secrets when these features are enabled. Also migrates cluster-scoped RBAC objects to be namespace-less and fixes finalizer cleanup. Addresses issue #1828.

  • Bug Fixes
    • Create RBAC when ingestOnlyMode=true if relabeling or stream aggregation is configured; no scrape permissions.
    • Build rules per scope; empty rules when ingest-only without relabel/aggregation.
    • Remove namespace from ClusterRole and ClusterRoleBinding for vmagent and vlagent.
    • Fix finalizer deletion for cluster-scoped objects.
    • Update RBAC tests to cover new rule sets and CHANGELOG entry added.

Written for commit 8c83488. Summary will update on new commits.
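
A least-privilege check for the rule sets the summary above describes, as an added example that is not code from the operator or from this PR. `PolicyRule`, `AuditIngestOnly`, the read-verb list (get/list/watch) and the requirement for `watch` on secrets (taken from the linked issue title) are assumptions made for illustration.

```go
package main

import "fmt"

// PolicyRule keeps the two rbac/v1 PolicyRule fields this check needs, redeclared
// so the example builds without Kubernetes client libraries.
type PolicyRule struct{ Resources, Verbs []string }

// Assumption: "read-only" means get/list/watch, on configmaps and secrets only.
var readVerbs = map[string]bool{"get": true, "list": true, "watch": true}
var configRes = map[string]bool{"configmaps": true, "secrets": true}

// AuditIngestOnly lists least-privilege findings for an agent running in
// ingest-only mode; needsConfig is true when relabeling or stream aggregation is set.
func AuditIngestOnly(needsConfig bool, rules []PolicyRule) []string {
	var out []string
	watchSecrets := false
	for _, r := range rules {
		for _, res := range r.Resources {
			for _, v := range r.Verbs {
				switch {
				case !needsConfig: // ingest-only without relabel/aggregation: rules must be empty
					out = append(out, fmt.Sprintf("unneeded grant: %s %s", v, res))
				case !configRes[res]: // scrape-style or wildcard resource
					out = append(out, fmt.Sprintf("non-config resource: %s %s", v, res))
				case !readVerbs[v]:
					out = append(out, fmt.Sprintf("write or wildcard verb: %s %s", v, res))
				case res == "secrets" && v == "watch":
					watchSecrets = true
				}
			}
		}
	}
	if needsConfig && !watchSecrets {
		out = append(out, "missing grant: watch secrets")
	}
	return out
}

func main() {
	// Constructed sample: relabeling enabled, plus one stray scrape-style grant.
	rules := []PolicyRule{
		{[]string{"configmaps", "secrets"}, []string{"get", "list", "watch"}},
		{[]string{"pods"}, []string{"list"}},
	}
	fmt.Println(AuditIngestOnly(true, rules))
}
```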

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/CHANGELOG.md">

<violation number="1" location="docs/CHANGELOG.md:47">
P1: Custom agent: **Changelog Review Agent**

Changelog entry violates the required structure: it lacks a clear before/after user-visible explanation and uses internal implementation detail wording, and the reference link is malformed, so the References requirement isn’t met. Update this entry to include a before/after user-visible description and a valid reference link per the changelog rule.</violation>

<violation number="2" location="docs/CHANGELOG.md:47">
P3: Fix the malformed vmagent link so the changelog entry renders correctly.

(Based on your team's feedback about keeping documentation links accurate.) [FEEDBACK_USED]</violation>
</file>

* BUGFIX: [vmoperator](https://docs.victoriametrics.com/operator/): use global image registry unless image.repository is defined. See [#1813](https://github.com/VictoriaMetrics/operator/issues/1813).
* BUGFIX: [vmalertmanagerconfig](https://docs.victoriametrics.com/operator/resources/vmalertmanagerconfig/): previously spec.route and spec.receivers were required; now both parameters are optional to align with prometheus operator. VMAlertmanager now can be used to set just the global inhibition rules. See [#1800](https://github.com/VictoriaMetrics/operator/issues/1800).
* BUGFIX: [vmoperator](https://docs.victoriametrics.com/operator/): use global image registry unless image.repository is defined. See [#1813](https://github.com/VictoriaMetrics/operator/issues/1813).
* BUGFIX: [vmagent]((https://docs.victoriametrics.com/operator/resources/vmagent/): fixed RBAC, when ingestOnlyMode is enabled and relabel of stream aggregation configurations defined. See [#1828](https://github.com/VictoriaMetrics/operator/issues/1828).

@cubic-dev-ai cubic-dev-ai bot Feb 19, 2026

P1: Custom agent: Changelog Review Agent

Changelog entry violates the required structure: it lacks a clear before/after user-visible explanation and uses internal implementation detail wording, and the reference link is malformed, so the References requirement isn’t met. Update this entry to include a before/after user-visible description and a valid reference link per the changelog rule.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docs/CHANGELOG.md, line 47:

<comment>Changelog entry violates the required structure: it lacks a clear before/after user-visible explanation and uses internal implementation detail wording, and the reference link is malformed, so the References requirement isn’t met. Update this entry to include a before/after user-visible description and a valid reference link per the changelog rule.</comment>

<file context>
@@ -44,6 +44,7 @@ aliases:
 * BUGFIX: [vmoperator](https://docs.victoriametrics.com/operator/): use global image registry unless image.repository is defined. See [#1813](https://github.com/VictoriaMetrics/operator/issues/1813).
 * BUGFIX: [vmalertmanagerconfig](https://docs.victoriametrics.com/operator/resources/vmalertmanagerconfig/): previously spec.route and spec.receivers were required; now both parameters are optional to align with prometheus operator. VMAlertmanager now can be used to set just the global inhibition rules. See [#1800](https://github.com/VictoriaMetrics/operator/issues/1800).
 * BUGFIX: [vmoperator](https://docs.victoriametrics.com/operator/): use global image registry unless image.repository is defined. See [#1813](https://github.com/VictoriaMetrics/operator/issues/1813).
+* BUGFIX: [vmagent]((https://docs.victoriametrics.com/operator/resources/vmagent/): fixed RBAC, when ingestOnlyMode is enabled and relabel of stream aggregation configurations defined. See [#1828](https://github.com/VictoriaMetrics/operator/issues/1828).
 
 ## [v0.67.0](https://github.com/VictoriaMetrics/operator/releases/tag/v0.67.0)
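Review bot: In the added `+* BUGFIX: [vmagent]((https://...` line, the link target opens with two parentheses and closes with one, so it will not render as a link; drop the extra `(`. In the same line, "relabel of stream aggregation configurations defined" reads as a typo for "relabel or stream aggregation configurations are defined". The unchanged context also carries the vmoperator `#1813` entry twice, which could be deduplicated while this block is being edited.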
</file context>

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Signed-off-by: Andrii Chubatiuk <andrew.chubatiuk@gmail.com>
@vrutkovs vrutkovs merged commit 18618f1 into master Feb 19, 2026
6 checks passed
@vrutkovs vrutkovs deleted the vmagent-fix-permissions-for-ingest-only-with-relabeling branch February 19, 2026 13:33

Development

Successfully merging this pull request may close these issues.

VMAgent ingestOnlyMode: config-reloader crashes with RBAC forbidden error on secret watch