VictoriaMetrics · AndrewChubatiuk · Apr 23, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -49,6 +49,11 @@ type VMAuthSpec struct {
 	// with selectAllByDefault: false - selects nothing
 	// +optional
 	SelectAllByDefault bool `json:"selectAllByDefault,omitempty" yaml:"selectAllByDefault,omitempty"`
+	// ArbitraryFSAccessThroughSMs configures whether configuration
+	// can contain paths to arbitrary files on the file system
+	// e.g bearer token files, basic auth password files, tls certs file paths
+	// +optional
+	ArbitraryFSAccessThroughSMs ArbitraryFSAccessThroughSMsConfig `json:"arbitraryFSAccessThroughSMs,omitempty"`
 	// UserSelector defines VMUser to be selected for config file generation.
 	// Works in combination with NamespaceSelector.
 	// NamespaceSelector nil - only objects at VMAuth namespace.

@@ -264,6 +264,15 @@ func (cr *VMUser) PrefixedName() string {
 	return fmt.Sprintf("vmuser-%s", cr.Name)
 }
 
+func (cr *VMUser) ValidateArbitraryFSAccess() error {
+	var props []string
+	props = cr.Spec.TLSConfig.appendForbiddenProperties(props)
+	if len(props) > 0 {
+		return fmt.Errorf("%s are prohibited", strings.Join(props, ", "))
+	}
+	return nil
+}
+
 // PasswordRefAsKey - builds key for passwordRef cache
 func (cr *VMUser) PasswordRefAsKey() string {
 	return fmt.Sprintf("%s/%s/%s", cr.Namespace, cr.Spec.PasswordRef.Name, cr.Spec.PasswordRef.Key)

@@ -13,6 +13,8 @@ aliases:
 
 ## tip
 
+* FEATURE: [vmauth](https://docs.victoriametrics.com/operator/resources/vmauth): previously VMAuth could read configuration only from predefined locations; now VMAuth supports arbitrary filesystem access configuration, allowing users to reference required files directly and reducing configuration workarounds. See [#899](https://github.com/VictoriaMetrics/operator/issues/899).
+
 * BUGFIX: [converter](https://docs.victoriametrics.com/operator/integrations/prometheus/#objects-conversion): disable all prometheus controllers if CRD group was not found. See [#2838](https://github.com/VictoriaMetrics/helm-charts/issues/2838).
 
 ## [v0.69.0](https://github.com/VictoriaMetrics/operator/releases/tag/v0.69.0)

@@ -123,6 +123,11 @@ func (pos *parsedObjects) buildConfig(ctx context.Context, rclient client.Client
 				return err
 			}
 		}
+		if cr.Spec.ArbitraryFSAccessThroughSMs.Deny {
+			if err := user.ValidateArbitraryFSAccess(); err != nil {
+				return err
+			}
+		}
 		return nil
 	})
 	toCreateSecrets, toUpdate, err := pos.addAuthCredentialsBuildSecrets(ac)
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,8 @@ aliases: @@
     ## tip
+    * FEATURE: [vmauth](https://docs.victoriametrics.com/operator/resources/vmauth): previously VMAuth could read configuration only from predefined locations; now VMAuth supports arbitrary filesystem access configuration, allowing users to reference required files directly and reducing configuration workarounds. See [#899](https://github.com/VictoriaMetrics/operator/issues/899).
     * BUGFIX: [converter](https://docs.victoriametrics.com/operator/integrations/prometheus/#objects-conversion): disable all prometheus controllers if CRD group was not found. See [#2838](https://github.com/VictoriaMetrics/helm-charts/issues/2838).
     ## [v0.69.0](https://github.com/VictoriaMetrics/operator/releases/tag/v0.69.0)
@@ Expand Down @@