scrapeconfig: support more discovery mechanisms

[AndrewChubatiuk]

fixes #899
fixes #1951

---

Summary by cubic

Expands service discovery and unifies HTTP/TLS/auth/proxy handling across vmagent, vmsingle, and vmalertmanager for simpler, safer configs. Adds optional filesystem access enforcement across scrapes and Alertmanager receivers, plus Mattermost receiver support.

• New Features

  • SD configs: Kuma, OVHCloud, PuppetDB, Vultr.
  • Shared HTTPSDOptions across HTTPSDConfig, ConsulSDConfig, AzureSDConfig, EurekaSDConfig.
  • HTTPConfig: adds follow_redirects and ProxyConfig (proxyURL, noProxy, proxyFromEnvironment, proxyConnectHeader); applied to vmalertmanager HTTP paths.
  • FS access enforcement: deny token/password/TLS file paths across scrape objects and VMAlertmanagerConfig receivers via VMAlertmanager.spec.arbitraryFSAccessThroughSMs.
  • ScrapeClass: centralized type with attachMetadata.
  • VMAlertmanagerConfig: adds Mattermost receiver.

• Migration

  • HTTP fields moved under HTTPSDOptions; proxyURL replaced with ProxyConfig; AzureSDConfig.port is now int32.
  • Rename ProxyAuth to ProxyClientConfig under VMScrapeParams.
  • EndpointAuth now lives under EndpointScrapeParams for Service/Pod/Node/Static/Probe.
  • VMAlertmanagerTracingConfig: rename HTTPHeaders to Headers.
  • TLSServerConfig.prefer_server_cipher_suites is now *bool.

^{Written for commit 73adb50. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 9 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/CHANGELOG.md">

<violation number="1" location="docs/CHANGELOG.md:31">
P3: Fix the typo in the changelog entry: `eureka_sd_confiig` should be `eureka_sd_config` so the documented discovery config name is accurate.</violation>

<violation number="2" location="docs/CHANGELOG.md:31">
P1: Custom agent: **Changelog Review Agent**

Changelog entries must include a user-centric before/after explanation and link relevant issues/PRs (Required structure §§3–4). This entry only lists added configs and provides no references, so it does not meet the mandated changelog format.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/CHANGELOG.md">

<violation number="1" location="docs/CHANGELOG.md:31">
P1: Custom agent: **Changelog Review Agent**

Changelog entry does not follow the required structure (missing before/after user-centric explanation and references), which violates the Changelog Review Agent rule’s mandatory format.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Custom agent: Changelog Review Agent

Changelog entry does not follow the required structure (missing before/after user-centric explanation and references), which violates the Changelog Review Agent rule’s mandatory format.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/CHANGELOG.md, line 31:

<comment>Changelog entry does not follow the required structure (missing before/after user-centric explanation and references), which violates the Changelog Review Agent rule’s mandatory format.</comment>

<file context>
@@ -28,7 +28,7 @@ aliases:
 * FEATURE: [vmscrapeconfig](https://docs.victoriametrics.com/operator/resources/vmscrapeconfig/): added nomad_sd_config support. See [#1809](https://github.com/VictoriaMetrics/operator/issues/1809).
 * FEATURE: [vmoperator](https://docs.victoriametrics.com/operator/): support VPA for vmcluster, vtcluster, vlcluster and vmauth. See [#1795](https://github.com/VictoriaMetrics/operator/issues/1795). Thanks to the @dctrwatson for the pull request [#1803](https://github.com/VictoriaMetrics/operator/pull/1803).
-* FEATURE: [vmscrapeconfig](https://docs.victoriametrics.com/operator/resources/vmscrapeconfig/): added kuma_sd_config, hetzner_sd_config, eureka_sd_confiig, puppetdb_sd_config and vultr_sd_config support.
+* FEATURE: [vmscrapeconfig](https://docs.victoriametrics.com/operator/resources/vmscrapeconfig/): added kuma_sd_config, hetzner_sd_config, eureka_sd_config, puppetdb_sd_config and vultr_sd_config support.
 
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): previously the operator requested `nodes/proxy` RBAC permissions even though vmagent did not use them; now this permission is no longer required, reducing the default privilege footprint for users running vmagent. See [#1753](https://github.com/VictoriaMetrics/operator/issues/1753).
</file context>

[cubic-dev-ai]

9 issues found across 11 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/api.md">

<violation number="1" location="docs/api.md:2339">
P3: `MattermostConfig` description is incorrect and references Teams “adaptive cards/flows,” which misdocuments the Mattermost integration.</violation>
</file>

<file name="api/operator/v1beta1/vmalertmanagerconfig_types.go">

<violation number="1" location="api/operator/v1beta1/vmalertmanagerconfig_types.go:435">
P1: Mattermost receivers bypass arbitrary filesystem access enforcement because they are not included in `ValidateArbitraryFSAccess()`.</violation>

<violation number="2" location="api/operator/v1beta1/vmalertmanagerconfig_types.go:507">
P2: Webex validation dropped the required `http_config.authorization` check, allowing invalid receiver configs to pass CR validation.</violation>

<violation number="3" location="api/operator/v1beta1/vmalertmanagerconfig_types.go:1637">
P2: `MattermostConfig.validate()` does not reject configurations where both `url` and `url_secret` are set.</violation>
</file>

<file name="config/crd/overlay/crd.descriptionless.yaml">

<violation number="1">
P1: Mattermost CRD schema uses wrong secret field name and invalidly requires it, breaking receiver configuration.</violation>
</file>

<file name="internal/controller/operator/factory/vmalertmanager/config.go">

<violation number="1" location="internal/controller/operator/factory/vmalertmanager/config.go:150">
P1: Nil pointer dereference when `baseCfg.Global` is nil. When the base alertmanager config has no `global:` section, `baseCfg.Global` will be nil, and passing it to `buildOpsGenie`, `buildSlack`, `buildEmail`, etc. will panic on the first field access (e.g., `gc.OpsGenieAPIKey`). Initialize a zero-value `globalConfig` before passing it to `buildReceiver`.</violation>

<violation number="2" location="internal/controller/operator/factory/vmalertmanager/config.go:1353">
P1: Missing `description` field in OpsGenie config output. The old `buildOpsGenie` included `toYamlString("description", og.Description)`, but it was dropped in this refactor. OpsGenie alerts will silently lose their incident description.</violation>
</file>

<file name="config/crd/overlay/crd.yaml">

<violation number="1">
P3: The Mattermost schema description is incorrect (mentions adaptive cards/flows), which will mislead generated CRD documentation.</violation>

<violation number="2">
P1: Renaming `http_headers` to `headers` in the CRD without keeping a compatibility alias introduces a breaking API change for existing manifests.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}