VictoriaMetrics · AndrewChubatiuk · Dec 17, 2025
@@ -358,7 +358,7 @@ type CommonScrapeSecurityEnforcements struct {
 	EnforcedNamespaceLabel string `json:"enforcedNamespaceLabel,omitempty"`
 	// ArbitraryFSAccessThroughSMs configures whether configuration
 	// based on EndpointAuth can access arbitrary files on the file system
-	// of the VMAgent container e.g. bearer token files, basic auth, tls certs
+	// of the VMAgent or VMSingle container e.g. bearer token files, basic auth, tls certs
 	// +optional
 	ArbitraryFSAccessThroughSMs ArbitraryFSAccessThroughSMsConfig `json:"arbitraryFSAccessThroughSMs,omitempty"`
 }
@@ -389,70 +389,70 @@ type CommonScrapeParams struct {
 	SelectAllByDefault bool `json:"selectAllByDefault,omitempty"`
 	// ServiceScrapeSelector defines ServiceScrapes to be selected for target discovery.
 	// Works in combination with NamespaceSelector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	ServiceScrapeSelector *metav1.LabelSelector `json:"serviceScrapeSelector,omitempty"`
 	// ServiceScrapeNamespaceSelector Namespaces to be selected for VMServiceScrape discovery.
 	// Works in combination with Selector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	ServiceScrapeNamespaceSelector *metav1.LabelSelector `json:"serviceScrapeNamespaceSelector,omitempty"`
 	// PodScrapeSelector defines PodScrapes to be selected for target discovery.
 	// Works in combination with NamespaceSelector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	PodScrapeSelector *metav1.LabelSelector `json:"podScrapeSelector,omitempty"`
 	// PodScrapeNamespaceSelector defines Namespaces to be selected for VMPodScrape discovery.
 	// Works in combination with Selector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	PodScrapeNamespaceSelector *metav1.LabelSelector `json:"podScrapeNamespaceSelector,omitempty"`
 	// ProbeSelector defines VMProbe to be selected for target probing.
 	// Works in combination with NamespaceSelector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	ProbeSelector *metav1.LabelSelector `json:"probeSelector,omitempty"`
 	// ProbeNamespaceSelector defines Namespaces to be selected for VMProbe discovery.
 	// Works in combination with Selector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	ProbeNamespaceSelector *metav1.LabelSelector `json:"probeNamespaceSelector,omitempty"`
 	// NodeScrapeSelector defines VMNodeScrape to be selected for scraping.
 	// Works in combination with NamespaceSelector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	NodeScrapeSelector *metav1.LabelSelector `json:"nodeScrapeSelector,omitempty"`
 	// NodeScrapeNamespaceSelector defines Namespaces to be selected for VMNodeScrape discovery.
 	// Works in combination with Selector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	NodeScrapeNamespaceSelector *metav1.LabelSelector `json:"nodeScrapeNamespaceSelector,omitempty"`
 	// StaticScrapeSelector defines VMStaticScrape to be selected for target discovery.
 	// Works in combination with NamespaceSelector.
 	// If both nil - match everything.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// +optional
 	StaticScrapeSelector *metav1.LabelSelector `json:"staticScrapeSelector,omitempty"`
 	// StaticScrapeNamespaceSelector defines Namespaces to be selected for VMStaticScrape discovery.
 	// Works in combination with NamespaceSelector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
@@ -463,16 +463,16 @@ type CommonScrapeParams struct {
 	ScrapeConfigSelector *metav1.LabelSelector `json:"scrapeConfigSelector,omitempty"`
 	// ScrapeConfigNamespaceSelector defines Namespaces to be selected for VMScrapeConfig discovery.
 	// Works in combination with Selector.
-	// NamespaceSelector nil - only objects at VMAgent namespace.
+	// NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
 	// Selector nil - only objects at NamespaceSelector namespaces.
 	// If both nil - behaviour controlled by selectAllByDefault
 	// +optional
 	ScrapeConfigNamespaceSelector *metav1.LabelSelector `json:"scrapeConfigNamespaceSelector,omitempty"`
 	// InlineScrapeConfig As scrape configs are appended, the user is responsible to make sure it
 	// is valid. Note that using this feature may expose the possibility to
-	// break upgrades of VMAgent. It is advised to review VMAgent release
+	// break upgrades of VMAgent or VMSingle. It is advised to review VMAgent or VMSingle release
 	// notes to ensure that no incompatible scrape configs are going to break
-	// VMAgent after the upgrade.
+	// VMAgent or VMSingle after the upgrade.
 	// it should be defined as single yaml file.
 	// inlineScrapeConfig: |
 	//     - job_name: "prometheus"
@@ -482,9 +482,9 @@ type CommonScrapeParams struct {
 	InlineScrapeConfig string `json:"inlineScrapeConfig,omitempty"`
 	// AdditionalScrapeConfigs As scrape configs are appended, the user is responsible to make sure it
 	// is valid. Note that using this feature may expose the possibility to
-	// break upgrades of VMAgent. It is advised to review VMAgent release
+	// break upgrades of VMAgent or VMSingle. It is advised to review VMAgent or VMSingle release
 	// notes to ensure that no incompatible scrape configs are going to break
-	// VMAgent after the upgrade.
+	// VMAgent or VMSingle after the upgrade.
 	// +optional
 	AdditionalScrapeConfigs *corev1.SecretKeySelector `json:"additionalScrapeConfigs,omitempty"`
 	// ServiceScrapeRelabelTemplate defines relabel config, that will be added to each VMServiceScrape.
@@ -539,6 +539,11 @@ type CommonScrapeParams struct {
 	// it doesn't affect metrics ingested directly by push API's
 	// +optional
 	ExternalLabels map[string]string `json:"externalLabels,omitempty"`
+	// IngestOnlyMode switches vmagent or vmsingle into unmanaged mode
+	// it disables any config generation for scraping
+	// Currently it prevents vmagent from managing tls and auth options for remote write
+	// +optional
+	IngestOnlyMode *bool `json:"ingestOnlyMode,omitempty"`
 	// EnableKubernetesAPISelectors instructs vmagent to use CRD scrape objects spec.selectors for
 	// Kubernetes API list and watch requests.
 	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#list-and-watch-filtering
@@ -550,6 +555,9 @@ type CommonScrapeParams struct {
 
 // isUnmanaged checks if object should managed any config objects
 func (cr *CommonScrapeParams) isUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.NodeScrapeSelector == nil && cr.NodeScrapeNamespaceSelector == nil &&
 		cr.ServiceScrapeSelector == nil && cr.ServiceScrapeNamespaceSelector == nil &&
@@ -561,36 +569,54 @@ func (cr *CommonScrapeParams) isUnmanaged() bool {
 
 // isNodeScrapeUnmanaged checks if scraping agent should managed any VMNodeScrape objects
 func (cr *CommonScrapeParams) isNodeScrapeUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.NodeScrapeSelector == nil && cr.NodeScrapeNamespaceSelector == nil
 }
 
 // isServiceScrapeUnmanaged checks if scraping agent should managed any VMServiceScrape objects
 func (cr *CommonScrapeParams) isServiceScrapeUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.ServiceScrapeSelector == nil && cr.ServiceScrapeNamespaceSelector == nil
 }
 
 // isUnmanaged checks if scraping agent should managed any VMPodScrape objects
 func (cr *CommonScrapeParams) isPodScrapeUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.PodScrapeSelector == nil && cr.PodScrapeNamespaceSelector == nil
 }
 
 // isProbeUnmanaged checks if scraping agent should managed any VMProbe objects
 func (cr *CommonScrapeParams) isProbeUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.ProbeSelector == nil && cr.ProbeNamespaceSelector == nil
 }
 
 // isStaticScrapeUnmanaged checks if scraping agent should managed any VMStaticScrape objects
 func (cr *CommonScrapeParams) isStaticScrapeUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.StaticScrapeSelector == nil && cr.StaticScrapeNamespaceSelector == nil
 }
 
 // isScrapeConfigUnmanaged checks if scraping agent should managed any VMScrapeConfig objects
 func (cr *CommonScrapeParams) isScrapeConfigUnmanaged() bool {
+	if cr.IngestOnlyMode == nil || *cr.IngestOnlyMode {
+		return true
+	}
 	return !cr.SelectAllByDefault &&
 		cr.ScrapeConfigSelector == nil && cr.ScrapeConfigNamespaceSelector == nil
 }
@@ -15,12 +15,14 @@ type CRDName int
 const (
 	VMAgentCRD CRDName = iota
 	VLAgentCRD
+	VMSingleCRD
 )
 
 func (c CRDName) String() string {
 	return []string{
 		"vmagents.operator.victoriametrics.com",
 		"vlagents.operator.victoriametrics.com",
+		"vmsingles.operator.victoriametrics.com",
 	}[c]
 }
 
@@ -46,6 +48,8 @@ func Init(ctx context.Context, rclient client.Client) error {
 			n = VMAgentCRD
 		case "vlagents.operator.victoriametrics.com":
 			n = VLAgentCRD
+		case "vmsingles.operator.victoriametrics.com":
+			n = VMSingleCRD
 		default:
 			continue
 		}

@@ -34,14 +34,12 @@ type VMAgentSpec struct {
 	// +optional
 	// +kubebuilder:validation:Enum=default;json
 	LogFormat string `json:"logFormat,omitempty"`
-
 	// APIServerConfig allows specifying a host and auth methods to access apiserver.
 	// If left empty, VMAgent is assumed to run inside of the cluster
 	// and will discover API servers automatically and use the pod's CA certificate
 	// and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.
 	// +optional
 	APIServerConfig *APIServerConfig `json:"apiServerConfig,omitempty"`
-
 	// RemoteWrite list of victoria metrics /some other remote write system
 	// for vm it must looks like: http://victoria-metrics-single:8428/api/v1/write
 	// or for cluster different url
@@ -105,11 +103,6 @@ type VMAgentSpec struct {
 
 	// ClaimTemplates allows adding additional VolumeClaimTemplates for VMAgent in StatefulMode
 	ClaimTemplates []corev1.PersistentVolumeClaim `json:"claimTemplates,omitempty"`
-	// IngestOnlyMode switches vmagent into unmanaged mode
-	// it disables any config generation for scraping
-	// Currently it prevents vmagent from managing tls and auth options for remote write
-	// +optional
-	IngestOnlyMode bool `json:"ingestOnlyMode,omitempty"`
 
 	// License allows to configure license key to be used for enterprise features.
 	// Using license key is supported starting from VictoriaMetrics v1.94.0.
@@ -350,7 +343,7 @@ type VMAgentRemoteWriteSpec struct {
 	// +optional
 	BearerTokenSecret *corev1.SecretKeySelector `json:"bearerTokenSecret,omitempty"`
 
-	// ConfigMap with relabeling config which is applied to metrics before sending them to the corresponding -remoteWrite.url
+	// ConfigMap with relabeling config which is applied to metrics before sending them to the corresponding -remoteWrite.url.
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Key at Configmap with relabelConfig for remoteWrite",xDescriptors="urn:alm:descriptor:io.kubernetes:ConfigMapKeySelector"
 	UrlRelabelConfig *corev1.ConfigMapKeySelector `json:"urlRelabelConfig,omitempty"`
@@ -567,7 +560,7 @@ func (cr *VMAgent) IsOwnsServiceAccount() bool {
 }
 
 func (cr *VMAgent) GetClusterRoleName() string {
-	return fmt.Sprintf("monitoring:%s:vmagent-%s", cr.Namespace, cr.Name)
+	return fmt.Sprintf("monitoring:%s:%s", cr.Namespace, cr.PrefixedName())
 }
 
 // AsURL - returns url for http access
@@ -614,64 +607,36 @@ func (*VMAgent) ProbeNeedLiveness() bool {
 
 // IsUnmanaged checks if object should managed any config objects
 func (cr *VMAgent) IsUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isUnmanaged()
 }
 
 // IsNodeScrapeUnmanaged checks if vmagent should managed any VMNodeScrape objects
 func (cr *VMAgent) IsNodeScrapeUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isNodeScrapeUnmanaged()
 }
 
 // IsServiceScrapeUnmanaged checks if vmagent should managed any VMServiceScrape objects
 func (cr *VMAgent) IsServiceScrapeUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isServiceScrapeUnmanaged()
 }
 
 // IsUnmanaged checks if vmagent should managed any VMPodScrape objects
 func (cr *VMAgent) IsPodScrapeUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isPodScrapeUnmanaged()
 }
 
 // IsProbeUnmanaged checks if vmagent should managed any VMProbe objects
 func (cr *VMAgent) IsProbeUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isProbeUnmanaged()
 }
 
 // IsStaticScrapeUnmanaged checks if vmagent should managed any VMStaticScrape objects
 func (cr *VMAgent) IsStaticScrapeUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isStaticScrapeUnmanaged()
 }
 
 // IsScrapeConfigUnmanaged checks if vmagent should managed any VMScrapeConfig objects
 func (cr *VMAgent) IsScrapeConfigUnmanaged() bool {
-	// fast path
-	if cr.Spec.IngestOnlyMode {
-		return true
-	}
 	return cr.Spec.isScrapeConfigUnmanaged()
 }
 

@@ -66,6 +66,7 @@ const (
 	LastAppliedSpecAnnotation        = "operator.victoriametrics/last-applied-spec"
 	VMAuthLBServiceProxyTargetLabel  = "operator.victoriametrics.com/vmauthlb-proxy-name"
 	VMAuthLBServiceProxyJobNameLabel = "operator.victoriametrics.com/vmauthlb-proxy-job-name"
+	KubeNodeEnvName                  = "KUBE_NODE_NAME"
 )
 
 const (