Skip to content

vmuser: jwt configuration is not propagated to config file #2030

Open
Open
vmuser: jwt configuration is not propagated to config file#2030
Labels
bugSomething isn't working
@zekker6

Description

@zekker6
zekker6
opened on Apr 3, 2026

VMUser configuration:

apiVersion: operator.victoriametrics.com/v1beta1
kind: VMUser
metadata:
  name: play-jwt
  namespace: play-otel
  labels:
    vmauth.victoriametrics.com/instance: play-jwt
spec:
  jwt:
    oidc:
      issuer: "https://play-sso.victoriametrics.com/auth/realms/master"
  targetRefs:
    - static:
        url: "http://vlselect-play:9471"
      paths:
        - "/logs/select/.*"
      drop_src_path_prefix_parts: 1
      headers:
        - "AccountID: {{.LogsAccountID}}"
        - "ProjectID: {{.LogsProjectID}}"
    - static:
        url: "http://vtselect-play:10471"
      paths:
        - "/traces/select/.*"
      drop_src_path_prefix_parts: 1
    - static:
        url: "http://vmselect-play:8481/select/0/prometheus?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}"
      paths:
        - "/metrics/.*"
      drop_src_path_prefix_parts: 1

VlMAuth configuration (just for reference):

apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: play-jwt
  namespace: play-otel
spec:
  userSelector:
    matchLabels:
      vmauth.victoriametrics.com/instance: play-jwt
  image:
    # renovate: depName=victoriametrics/vmauth versioning=loose
    tag: v1.139.0
  extraArgs:
    logInvalidAuthTokens: "true"
    discoverBackendIPs: "true"
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"

Results into this config inside the pod:

cat /opt/vmauth/config.yaml
users:
- url_map:
  - url_prefix:
    - http://vlselect-play:9471
    src_paths:
    - /logs/select/.*
    headers:
    - 'AccountID: {{.LogsAccountID}}'
    - 'ProjectID: {{.LogsProjectID}}'
    drop_src_path_prefix_parts: 1
  - url_prefix:
    - http://vtselect-play:10471
    src_paths:
    - /traces/select/.*
    drop_src_path_prefix_parts: 1
  - url_prefix:
    - http://vmselect-play:8481/select/0/prometheus?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}
    src_paths:
    - /metrics/.*
    drop_src_path_prefix_parts: 1
  username: play-jwt

This leads to:

2026-04-03T06:48:31.433Z    error    VictoriaMetrics/app/vmauth/auth_config.go:804    failed to load auth config; using the last successfully loaded config; error: failed to parse -auth.config="/opt/vmauth/config.yaml": failed to parse users from auth config: invalid `url_map` headers placeholders: request header:
"AccountID" placeholder: "{{.LogsAccountID}}" is only supported at JWT context

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions