feat: Add httproute support for vmauth.

[hkmdxlftjf]

feat: #1625

Hello,

I’ve extended the vmspec.spec to include an httpRoute definition, for example:

apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAuth
metadata:
  name: vmauth-sample
spec:
  selectAllByDefault: true
  httpRoute:
    spec:
      parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: eg
      rules:
      - matches:
        - path:
            type: PathPrefix
            value: /

This configuration creates an HTTPRoute resource that binds the VMAuth instance to the specified Gateway.

Additionally, the httpRoute spec looks like this:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  creationTimestamp: "2025-11-20T03:55:34Z"
  finalizers:
  - apps.victoriametrics.com/finalizer
  generation: 1
  labels:
    app.kubernetes.io/component: monitoring
    app.kubernetes.io/instance: vmauth-sample
    app.kubernetes.io/name: vmauth
    managed-by: vm-operator
  name: vmauth-vmauth-sample
  namespace: default
  ownerReferences:
  - apiVersion: operator.victoriametrics.com/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: VMAuth
    name: vmauth-sample
    uid: fe949e6b-7f59-4115-8d44-0e2af8192779
  resourceVersion: "8185085"
  uid: f25fa425-b16c-4004-af8f-c87935a8173b
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: vmauth-vmauth-sample
      port: 8427
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /

[AndrewChubatiuk]

overall looks good, please add unit (internal/controller/operator/factory/vmauth/vmauth_test.go) and e2e (test/e2e/vmauth_test.go) tests for this feature

[hkmdxlftjf]

overall looks good, please add unit (internal/controller/operator/factory/vmauth/vmauth_test.go) and e2e (test/e2e/vmauth_test.go) tests for this feature

Thanks! I've already added the tests.

[hkmdxlftjf]

I'm not sure if this is an issue. When I add the following to vmauth_controller:

// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch;create;update;patch;delete

and then run make manifests, it doesn't seem to update anything under config/rbac/.
I also tried deleting all files under config/rbac/*.yaml and running make manifests again, but the result is the same.

[AndrewChubatiuk]

and then run make manifests, it doesn't seem to update anything under config/rbac/.

it doesn't add manifests to config/rbac/, please add it manually
also operator should check if gateway api CRDs are installed in a cluster to allow using this functionality, they should not be provided by VM operator

[hkmdxlftjf]

and then run make manifests, it doesn't seem to update anything under config/rbac/.

it doesn't add manifests to config/rbac/, please add it manually also operator should check if gateway api CRDs are installed in a cluster to allow using this functionality, they should not be provided by VM operator

I have added the RBAC manifests to config/rbac/.

Regarding the Gateway API, I added a check for the HTTPRoute CRD. Currently, if the CRD is missing, the operator simply skips creating the HTTPRoute. However, should the operator update the Status to inform the user that their requested HTTPRoute was not created due to the missing CRD?

[AndrewChubatiuk]

if CreateOrUpdate returns error it will automatically set status to Failed. Just need to write proper log message and text in error message

[hkmdxlftjf]

Please let me know if there’s anything else I should update.

[wilmardo]

Great work! I am interested in this feature as well so thanks for the effort <3

Quick points I noticed during review:

• It needs a reference in the docs for the VMAuthSpec
• In the above docs the EmbeddedIngress is currently marked as required I am not sure if this is enforced in the code somewhere (needs checking). But for sure the docs needs to be updated that Ingress is optional when an HTTPRoute is present. Or make both optional

[hkmdxlftjf]

Great work! I am interested in this feature as well so thanks for the effort <3

Quick points I noticed during review:

• It needs a reference in the docs for the VMAuthSpec
• In the above docs the EmbeddedIngress is currently marked as required I am not sure if this is enforced in the code somewhere (needs checking). But for sure the docs needs to be updated that Ingress is optional when an HTTPRoute is present. Or make both optional

Thank you for the feedback!

• It needs a reference in the docs for the VMAuthSpec

I’ll add the missing reference to VMAuthSpec in the documentation.

• In the above docs the EmbeddedIngress is currently marked as required I am not sure if this is enforced in the code somewhere (needs checking). But for sure the docs needs to be updated that Ingress is optional when an HTTPRoute is present. Or make both optional

It looks like this is a documentation mistake. @AndrewChubatiuk Should I update it in this PR?

[AndrewChubatiuk]

It looks like this is a documentation mistake. @AndrewChubatiuk Should I update it in this PR?

right, looks like a documentation issue. no need to do it

[hkmdxlftjf]

Hi, may I ask if this is ready to be merged?
Please let me know if anything else is needed from my side.

[AndrewChubatiuk]

@Haleygo @f41gh7 @vrutkovs
could you please take a look as well?

[vrutkovs]

Looks good, two more code change suggestions

[f41gh7]

Overall looks good! Please address minor GetCRD comment

[f41gh7]

LGTM

[f41gh7]

Thanks for contribution!