port-rebase fixes

Signed-off-by: Artem Fetishev <rtm@victoriametrics.com>

.github/copilot-instructions.md

@@ -0,0 +1,23 @@
+# Project Overview
+
+VictoriaMetrics is a fast, cost-saving, and scalable solution for monitoring and managing time series data. It delivers high performance and reliability, making it an ideal choice for businesses of all sizes.
+
+## Folder Structure
+
+- `/app`: Contains the compilable binaries.
+- `/lib`: Contains the golang reusable libraries
+- `/docs/victoriametrics`: Contains documentation for the project.
+- `/apptest/tests`: Contains integration tests.
+
+## Libraries and Frameworks
+
+- Backend: Golang, no framework. Use third-party libraries sparingly.
+- Frontend: React.
+
+## Code review guidelines
+
+Ensure the feature or bugfix includes a changelog entry in /docs/victoriametrics/changelog/CHANGELOG.md.
+Verify the entry is under the ## tip section and matches the structure and style of existing entries.
+Chore-only changes may be omitted from the changelog.
+
+

.github/workflows/docs.yaml

@@ -28,7 +28,7 @@ jobs:
           path: __vm-docs
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v7
+        uses: crazy-max/ghaction-import-gpg@v6
         id: import-gpg
         with:
           gpg_private_key: ${{ secrets.VM_BOT_GPG_PRIVATE_KEY }}

SECURITY.md

@@ -12,31 +12,6 @@ The following versions of VictoriaMetrics receive regular security fixes:
 
 See [this page](https://victoriametrics.com/security/) for more details.
 
-## Software Bill of Materials (SBOM)
-
-Every VictoriaMetrics container{{% available_from "#" %}} image published to
-[Docker Hub](https://hub.docker.com/u/victoriametrics)
-and [Quay.io](https://quay.io/organization/victoriametrics)
-includes an [SPDX](https://spdx.dev/) SBOM attestation
-generated automatically by BuildKit during
-`docker buildx build`.
-
-To inspect the SBOM for an image:
-
-```sh
-docker buildx imagetools inspect \
-  docker.io/victoriametrics/victoria-metrics:latest \
-  --format "{{ json .SBOM }}"
-```
-
-To scan an image using its SBOM attestation with
-[Trivy](https://github.com/aquasecurity/trivy):
-
-```sh
-trivy image --sbom-sources oci \
-  docker.io/victoriametrics/victoria-metrics:latest
-```
-
 ## Reporting a Vulnerability
 
 Please report any security issues to <security@victoriametrics.com>

app/vmagent/datadogsketches/request_handler.go

@@ -49,11 +49,6 @@ func insertRows(at *auth.Token, sketches []*datadogsketches.Sketch, extraLabels
 				Name:  "__name__",
 				Value: m.Name,
 			})
-			// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10557
-			labels = append(labels, prompb.Label{
-				Name:  "host",
-				Value: sketch.Host,
-			})
 			for _, label := range m.Labels {
 				labels = append(labels, prompb.Label{
 					Name:  label.Name,
@@ -62,6 +57,9 @@ func insertRows(at *auth.Token, sketches []*datadogsketches.Sketch, extraLabels
 			}
 			for _, tag := range sketch.Tags {
 				name, value := datadogutil.SplitTag(tag)
+				if name == "host" {
+					name = "exported_host"
+				}
 				labels = append(labels, prompb.Label{
 					Name:  name,
 					Value: value,

app/vmalert/config/config.go

@@ -81,9 +81,12 @@ func (g *Group) Validate(validateTplFn ValidateTplFn, validateExpressions bool)
 	if g.Interval.Duration() < 0 {
 		return fmt.Errorf("interval shouldn't be lower than 0")
 	}
-	// if `eval_offset` is set, the group interval must be specified explicitly(instead of inherited from global evaluationInterval flag) and must bigger than offset.
-	if g.EvalOffset.Duration().Abs() > g.Interval.Duration() {
-		return fmt.Errorf("the abs value of eval_offset should be smaller than interval; now eval_offset: %v, interval: %v", g.EvalOffset.Duration(), g.Interval.Duration())
+	if g.EvalOffset.Duration() < 0 {
+		return fmt.Errorf("eval_offset shouldn't be lower than 0")
+	}
+	// if `eval_offset` is set, interval won't use global evaluationInterval flag and must bigger than offset.
+	if g.EvalOffset.Duration() > g.Interval.Duration() {
+		return fmt.Errorf("eval_offset should be smaller than interval; now eval_offset: %v, interval: %v", g.EvalOffset.Duration(), g.Interval.Duration())
 	}
 	if g.EvalOffset != nil && g.EvalDelay != nil {
 		return fmt.Errorf("eval_offset cannot be used with eval_delay")

app/vmalert/config/config_test.go

@@ -176,17 +176,11 @@ func TestGroupValidate_Failure(t *testing.T) {
 	}, false, "interval shouldn't be lower than 0")
 
 	f(&Group{
-		Name:       "too big eval_offset",
+		Name:       "wrong eval_offset",
 		Interval:   promutil.NewDuration(time.Minute),
 		EvalOffset: promutil.NewDuration(2 * time.Minute),
 	}, false, "eval_offset should be smaller than interval")
 
-	f(&Group{
-		Name:       "too big negative eval_offset",
-		Interval:   promutil.NewDuration(time.Minute),
-		EvalOffset: promutil.NewDuration(-2 * time.Minute),
-	}, false, "eval_offset should be smaller than interval")
-
 	limit := -1
 	f(&Group{
 		Name:  "wrong limit",

app/vmalert/main.go

@@ -56,7 +56,7 @@ absolute path to all .tpl files in root.
  -rule.templates="dir/**/*.tpl". Includes all the .tpl files in "dir" subfolders recursively.
 `)
 
-	configCheckInterval = flag.Duration("configCheckInterval", 0, "Interval for checking for changes in '-rule', '-rule.templates' and '-notifier.config' files. "+
+	configCheckInterval = flag.Duration("configCheckInterval", 0, "Interval for checking for changes in '-rule' or '-notifier.config' files. "+
 		"By default, the checking is disabled. Send SIGHUP signal in order to force config check for changes.")
 
 	httpListenAddrs  = flagutil.NewArrayString("httpListenAddr", "Address to listen for incoming http requests. See also -tls and -httpListenAddr.useProxyProtocol")

app/vmalert/remotewrite/client.go

@@ -186,11 +186,6 @@ func (c *Client) run(ctx context.Context) {
 				return
 			case <-ticker.C:
 				c.flush(ctx, wr)
-				// drain the potential stale tick to avoid small or empty flushes after a slow flush.
-				select {
-				case <-ticker.C:
-				default:
-				}
 			case ts, ok := <-c.input:
 				if !ok {
 					continue

app/vmalert/rule/group.go

@@ -484,15 +484,8 @@ func (g *Group) UpdateWith(newGroup *Group) {
 // delayBeforeStart calculates delay based on Group ID, so all groups will start at different moments of time.
 func (g *Group) delayBeforeStart(ts time.Time, maxDelay time.Duration) time.Duration {
 	if g.EvalOffset != nil {
-		offset := *g.EvalOffset
-		// adjust the offset for negative evalOffset, the rule is:
-		// `eval_offset: -x` is equivalent to `eval_offset: y` for `interval: x+y`.
-		// For example, `eval_offset: -6m` is equivalent to `eval_offset: 4m` for `interval: 10m`.
-		if offset < 0 {
-			offset += g.Interval
-		}
 		// if offset is specified, ignore the maxDelay and return a duration aligned with offset
-		currentOffsetPoint := ts.Truncate(g.Interval).Add(offset)
+		currentOffsetPoint := ts.Truncate(g.Interval).Add(*g.EvalOffset)
 		if currentOffsetPoint.Before(ts) {
 			// wait until the next offset point
 			return currentOffsetPoint.Add(g.Interval).Sub(ts)

app/vmalert/rule/group_test.go

@@ -606,15 +606,6 @@ func TestGroupStartDelay(t *testing.T) {
 	f("2023-01-01T00:03:30.000+00:00", "2023-01-01T00:08:00.000+00:00")
 	f("2023-01-01T00:08:00.000+00:00", "2023-01-01T00:08:00.000+00:00")
 
-	// test group with negative offset -2min, which is equivalent to 3min offset for 5min interval
-	offset = -2 * time.Minute
-	g.EvalOffset = &offset
-
-	f("2023-01-01T00:00:15.000+00:00", "2023-01-01T00:03:00.000+00:00")
-	f("2023-01-01T00:01:00.000+00:00", "2023-01-01T00:03:00.000+00:00")
-	f("2023-01-01T00:03:30.000+00:00", "2023-01-01T00:08:00.000+00:00")
-	f("2023-01-01T00:08:00.000+00:00", "2023-01-01T00:08:00.000+00:00")
-
 	maxDelay = time.Minute * 1
 	g.EvalOffset = nil
 

app/vmauth/auth_config.go

@@ -13,7 +13,6 @@ import (
 	"net/url"
 	"os"
 	"regexp"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -29,7 +28,6 @@ import (
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/netutil"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/procutil"
@@ -92,8 +90,6 @@ type UserInfo struct {
 
 	MetricLabels map[string]string `yaml:"metric_labels,omitempty"`
 
-	AccessLog *AccessLog `yaml:"access_log,omitempty"`
-
 	concurrencyLimitCh      chan struct{}
 	concurrencyLimitReached *metrics.Counter
 
@@ -106,40 +102,11 @@ type UserInfo struct {
 	requestsDuration *metrics.Summary
 }
 
-// AccessLog represents configuration for access log settings.
-type AccessLog struct {
-	Filters *AccessLogFilters `yaml:"filters"`
-}
-
-// AccessLogFilters represents list of filters for access logs printing
-type AccessLogFilters struct {
-	// SkipStatusCodes is a list of HTTP status codes for which access logs will be skipped
-	SkipStatusCodes []int `yaml:"skip_status_codes"`
-}
-
-func (ui *UserInfo) logRequest(r *http.Request, userName string, statusCode int, duration time.Duration) {
-	if ui.AccessLog == nil {
-		return
-	}
-	filters := ui.AccessLog.Filters
-	if filters != nil && len(filters.SkipStatusCodes) > 0 {
-		if slices.Contains(filters.SkipStatusCodes, statusCode) {
-			return
-		}
-	}
-
-	remoteAddr := httpserver.GetQuotedRemoteAddr(r)
-	requestURI := httpserver.GetRequestURI(r)
-	logger.Infof("access_log request_host=%q request_uri=%q status_code=%d remote_addr=%s user_agent=%q referer=%q duration_ms=%d username=%q",
-		r.Host, requestURI, statusCode, remoteAddr, r.UserAgent(), r.Referer(), duration.Milliseconds(), userName)
-}
-
 // HeadersConf represents config for request and response headers.
 type HeadersConf struct {
-	RequestHeaders     []*Header `yaml:"headers,omitempty"`
-	ResponseHeaders    []*Header `yaml:"response_headers,omitempty"`
-	KeepOriginalHost   *bool     `yaml:"keep_original_host,omitempty"`
-	hasAnyPlaceHolders bool
+	RequestHeaders   []*Header `yaml:"headers,omitempty"`
+	ResponseHeaders  []*Header `yaml:"response_headers,omitempty"`
+	KeepOriginalHost *bool     `yaml:"keep_original_host,omitempty"`
 }
 
 func (ui *UserInfo) beginConcurrencyLimit(ctx context.Context) error {
@@ -382,7 +349,6 @@ func (bus *backendURLs) add(u *url.URL) {
 		url:                u,
 		healthCheckContext: bus.healthChecksContext,
 		healthCheckWG:      &bus.healthChecksWG,
-		hasPlaceHolders:    hasAnyPlaceholders(u),
 	})
 }
 
@@ -400,8 +366,6 @@ type backendURL struct {
 	concurrentRequests atomic.Int32
 
 	url *url.URL
-
-	hasPlaceHolders bool
 }
 
 func (bu *backendURL) isBroken() bool {
@@ -878,14 +842,12 @@ func reloadAuthConfigData(data []byte) (bool, error) {
 		return false, fmt.Errorf("failed to parse auth config: %w", err)
 	}
 
-	jui, oidcDP, err := parseJWTUsers(ac)
+	jui, err := parseJWTUsers(ac)
 	if err != nil {
 		return false, fmt.Errorf("failed to parse JWT users from auth config: %w", err)
 	}
-	oidcDP.startDiscovery()
 	jwtc := &jwtCache{
-		users:  jui,
-		oidcDP: oidcDP,
+		users: jui,
 	}
 
 	m, err := parseAuthConfigUsers(ac)
@@ -904,11 +866,6 @@ func reloadAuthConfigData(data []byte) (bool, error) {
 	}
 	metrics.RegisterSet(ac.ms)
 
-	jwtcPrev := jwtAuthCache.Load()
-	if jwtcPrev != nil {
-		jwtcPrev.oidcDP.stopDiscovery()
-	}
-
 	authConfig.Store(ac)
 	authConfigData.Store(&data)
 	authUsers.Store(&m)
@@ -946,9 +903,6 @@ func parseAuthConfig(data []byte) (*AuthConfig, error) {
 		if ui.Name != "" {
 			return nil, fmt.Errorf("field name can't be specified for unauthorized_user section")
 		}
-		if err := parseJWTPlaceholdersForUserInfo(ui, false); err != nil {
-			return nil, err
-		}
 		if err := ui.initURLs(); err != nil {
 			return nil, err
 		}
@@ -1006,10 +960,6 @@ func parseAuthConfigUsers(ac *AuthConfig) (map[string]*UserInfo, error) {
 					at, ui.Username, ui.Name, uiOld.Username, uiOld.Name)
 			}
 		}
-
-		if err := parseJWTPlaceholdersForUserInfo(ui, false); err != nil {
-			return nil, err
-		}
 		if err := ui.initURLs(); err != nil {
 			return nil, err
 		}
@@ -1109,7 +1059,6 @@ func (ui *UserInfo) initURLs() error {
 			return err
 		}
 	}
-
 	for _, e := range ui.URLMaps {
 		if len(e.SrcPaths) == 0 && len(e.SrcHosts) == 0 && len(e.SrcQueryArgs) == 0 && len(e.SrcHeaders) == 0 {
 			return fmt.Errorf("missing `src_paths`, `src_hosts`, `src_query_args` and `src_headers` in `url_map`")
@@ -1169,9 +1118,6 @@ func (ui *UserInfo) name() string {
 		h := xxhash.Sum64([]byte(ui.AuthToken))
 		return fmt.Sprintf("auth_token:hash:%016X", h)
 	}
-	if ui.JWT != nil {
-		return `jwt`
-	}
 	return ""
 }
 

app/vmauth/auth_config_test.go

@@ -4,11 +4,8 @@ import (
 	"bytes"
 	"fmt"
 	"net"
-	"net/http"
 	"net/url"
-	"strings"
 	"testing"
-	"time"
 
 	"gopkg.in/yaml.v2"
 
@@ -279,50 +276,6 @@ users:
   url_prefix: http://foo.bar
   metric_labels:
     not-prometheus-compatible: value
-`)
-	// placeholder in url_prefix
-	f(`
-users:
-- username: foo
-  password: bar
-  url_prefix: 'http://ahost/{{a_placeholder}}/foobar'
-`)
-	// placeholder in a header
-	f(`
-users:
-- username: foo
-  password: bar
-  headers:
-  - 'X-Foo: {{a_placeholder}}'
-  url_prefix: 'http://ahost'
-`)
-	// placeholder in url_prefix
-	f(`
-users:
-- username: foo
-  password: bar
-  url_prefix: 'http://ahost/{{a_placeholder}}/foobar'
-`)
-	// placeholder in a header in url_map
-	f(`
-users:
-- username: foo
-  password: bar
-  url_map:
-    - src_paths: ["/select/.*"]
-      headers:
-        - 'X-Foo: {{a_placeholder}}'
-      url_prefix: 'http://ahost'
-`)
-
-	// placeholder in a header in url_map
-	f(`
-users:
-- username: foo
-  password: bar
-  url_map:
-    - src_paths: ["/select/.*"]
-      url_prefix: 'http://ahost/{{a_placeholder}}/foobar'
 `)
 }
 
@@ -684,31 +637,6 @@ users:
 			URLPrefix: mustParseURL("http://aaa:343/bbb"),
 		},
 	}, nil)
-
-	// Multiple users with access logs enabled
-	f(`
-users:
-- username: foo
-  url_prefix: http://foo
-  access_log: {}
-- username: bar
-  url_prefix: https://bar/x/
-  access_log:
-    filters:
-      skip_status_codes: [404]
-`, map[string]*UserInfo{
-		getHTTPAuthBasicToken("foo", ""): {
-			Username:  "foo",
-			URLPrefix: mustParseURL("http://foo"),
-			AccessLog: &AccessLog{},
-		},
-		getHTTPAuthBasicToken("bar", ""): {
-			Username:  "bar",
-			URLPrefix: mustParseURL("https://bar/x/"),
-			AccessLog: &AccessLog{Filters: &AccessLogFilters{SkipStatusCodes: []int{404}}},
-		},
-	}, nil)
-
 }
 
 func TestParseAuthConfigPassesTLSVerificationConfig(t *testing.T) {
@@ -996,41 +924,6 @@ func TestDiscoverBackendIPsWithIPV6(t *testing.T) {
 
 }
 
-func TestLogRequest(t *testing.T) {
-	ui := &UserInfo{AccessLog: &AccessLog{}}
-
-	testOutput := &bytes.Buffer{}
-	logger.SetOutputForTests(testOutput)
-	defer logger.ResetOutputForTest()
-
-	req, err := http.NewRequest("GET", "http://localhost:8080/select/0/prometheus", nil)
-	if err != nil {
-		t.Fatalf("unexpected error: %s", err)
-	}
-
-	f := func(user string, status int, duration time.Duration, expectedLog string) {
-		t.Helper()
-
-		testOutput.Reset()
-		ui.logRequest(req, user, status, duration)
-
-		got := testOutput.String()
-		if expectedLog == "" && got != "" {
-			t.Fatalf("expected empty log, got %q", got)
-		}
-		if !strings.Contains(got, expectedLog) {
-			t.Fatalf("output \n%q \nshould contain \n%q", testOutput.String(), expectedLog)
-		}
-	}
-
-	f("foo", 200, 10*time.Millisecond, `access_log request_host="localhost:8080" request_uri="" status_code=200 remote_addr="" user_agent="" referer="" duration_ms=10 username="foo"`)
-	f("foo", 404, time.Second, `access_log request_host="localhost:8080" request_uri="" status_code=404 remote_addr="" user_agent="" referer="" duration_ms=1000 username="foo"`)
-
-	ui.AccessLog.Filters = &AccessLogFilters{SkipStatusCodes: []int{200}}
-	f("foo", 200, 10*time.Millisecond, ``)
-	f("foo", 404, 10*time.Millisecond, `access_log request_host="localhost:8080" request_uri="" status_code=404 remote_addr="" user_agent="" referer="" duration_ms=10 username="foo"`)
-}
-
 func getRegexs(paths []string) []*Regex {
 	var sps []*Regex
 	for _, path := range paths {

app/vmauth/example_config.yml

@@ -116,20 +116,6 @@ users:
   - "http://default1:8888/unsupported_url_handler"
   - "http://default2:8888/unsupported_url_handler"
 
-# A JWT token based routing:
-# - Requests with JWT token that has the following structure:
-# {"team": "ops", "security": {"read_access": "1"}, "vm_access": {"metrics_account_id": 1000,"metrics_project_id":5}}
-# is routed to vmselect nodes and request url placeholder replaced with metrics tenant identificators
-- name: jwt-opts-team
-  jwt:
-    match_claims:
-     team: ops
-     security.read_access: "1"
-    skip_verify: true
-  url_prefix:
-  - "http://vmselect1:8481/select/{{.MetricsTenant}}/prometheus"
-  - "http://vmselect2:8481/select/{{.MetricsTenant}}/prometheus"
-
 # Requests without Authorization header are proxied according to `unauthorized_user` section.
 # Requests are proxied in round-robin fashion between `url_prefix` backends.
 # The deny_partial_response query arg is added to all the proxied requests.
@@ -139,8 +125,3 @@ unauthorized_user:
   - http://vmselect-az1/?deny_partial_response=1
   - http://vmselect-az2/?deny_partial_response=1
   retry_status_codes: [503, 500]
-  # log access for requests routed to this user
-  access_log:
-    filters:
-      # except requests with Status Codes below
-      skip_status_codes: [200, 202]

app/vmauth/jwt.go

@@ -2,114 +2,49 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
-	"slices"
-	"sort"
 	"strings"
-	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/jwt"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 )
 
-const (
-	metricsTenantPlaceholder       = `{{.MetricsTenant}}`
-	metricsExtraLabelsPlaceholder  = `{{.MetricsExtraLabels}}`
-	metricsExtraFiltersPlaceholder = `{{.MetricsExtraFilters}}`
-
-	logsAccountIDPlaceholder          = `{{.LogsAccountID}}`
-	logsProjectIDPlaceholder          = `{{.LogsProjectID}}`
-	logsExtraFiltersPlaceholder       = `{{.LogsExtraFilters}}`
-	logsExtraStreamFiltersPlaceholder = `{{.LogsExtraStreamFilters}}`
-
-	placeholderPrefix = `{{`
-)
-
-var allPlaceholders = []string{
-	metricsTenantPlaceholder,
-	metricsExtraLabelsPlaceholder,
-	metricsExtraFiltersPlaceholder,
-	logsAccountIDPlaceholder,
-	logsProjectIDPlaceholder,
-	logsExtraFiltersPlaceholder,
-	logsExtraStreamFiltersPlaceholder,
-}
-
-var urlPathPlaceHolders = []string{
-	metricsTenantPlaceholder,
-	logsAccountIDPlaceholder,
-	logsProjectIDPlaceholder,
-}
-
 type jwtCache struct {
 	// users contain UserInfo`s from AuthConfig with JWTConfig set
 	users []*UserInfo
-
-	oidcDP *oidcDiscovererPool
 }
 
 type JWTConfig struct {
-	PublicKeys        []string          `yaml:"public_keys,omitempty"`
-	PublicKeyFiles    []string          `yaml:"public_key_files,omitempty"`
-	SkipVerify        bool              `yaml:"skip_verify,omitempty"`
-	OIDC              *oidcConfig       `yaml:"oidc,omitempty"`
-	MatchClaims       map[string]string `yaml:"match_claims,omitempty"`
-	parsedMatchClaims []*jwt.Claim
+	PublicKeys     []string `yaml:"public_keys,omitempty"`
+	PublicKeyFiles []string `yaml:"public_key_files,omitempty"`
+	SkipVerify     bool     `yaml:"skip_verify,omitempty"`
 
-	// verifierPool is used to verify JWT tokens.
-	// It is initialized from PublicKeys and/or PublicKeyFiles.
-	// In this case, it is initialized once at config reload and never updated until next reload
-	// In case of OIDC, it is initialized on config reload and periodically updated by discovery process.
-	verifierPool atomic.Pointer[jwt.VerifierPool]
+	verifierPool *jwt.VerifierPool
 }
 
-func parseJWTUsers(ac *AuthConfig) ([]*UserInfo, *oidcDiscovererPool, error) {
+func parseJWTUsers(ac *AuthConfig) ([]*UserInfo, error) {
 	jui := make([]*UserInfo, 0, len(ac.Users))
-	oidcDP := &oidcDiscovererPool{}
-
-	uniqClaims := make(map[string]*UserInfo)
-	var sortedClaims []string
-	for idx, ui := range ac.Users {
+	for _, ui := range ac.Users {
 		jwtToken := ui.JWT
 		if jwtToken == nil {
 			continue
 		}
 
 		if ui.AuthToken != "" || ui.BearerToken != "" || ui.Username != "" || ui.Password != "" {
-			return nil, nil, fmt.Errorf("auth_token, bearer_token, username and password cannot be specified if jwt is set")
+			return nil, fmt.Errorf("auth_token, bearer_token, username and password cannot be specified if jwt is set")
 		}
-		if len(jwtToken.PublicKeys) == 0 && len(jwtToken.PublicKeyFiles) == 0 && !jwtToken.SkipVerify && jwtToken.OIDC == nil {
-			return nil, nil, fmt.Errorf("jwt must contain at least a single public key, public_key_files, oidc or have skip_verify=true")
+		if len(jwtToken.PublicKeys) == 0 && len(jwtToken.PublicKeyFiles) == 0 && !jwtToken.SkipVerify {
+			return nil, fmt.Errorf("jwt must contain at least a single public key, public_key_files or have skip_verify=true")
 		}
-		var claimsString string
-		sortedClaims = sortedClaims[:0]
-		parsedClaims := make([]*jwt.Claim, 0, len(jwtToken.MatchClaims))
-		for ck, cv := range jwtToken.MatchClaims {
-			sortedClaims = append(sortedClaims, fmt.Sprintf("%s=%s", ck, cv))
-			pc, err := jwt.NewClaim(ck, cv)
-			if err != nil {
-				return nil, nil, fmt.Errorf("incorrect match claim, key=%q, value regex=%q: %w", ck, cv, err)
-			}
-			parsedClaims = append(parsedClaims, pc)
-		}
-		ui.JWT.parsedMatchClaims = parsedClaims
-		sort.Strings(sortedClaims)
-		claimsString = strings.Join(sortedClaims, ",")
 
-		if oldUI, ok := uniqClaims[claimsString]; ok {
-			return nil, nil, fmt.Errorf("duplicate match claims=%q found for name=%q at idx=%d; the previous one is set for name=%q", claimsString, ui.Name, idx, oldUI.Name)
-		}
-		uniqClaims[claimsString] = &ui
 		if len(jwtToken.PublicKeys) > 0 || len(jwtToken.PublicKeyFiles) > 0 {
 			keys := make([]any, 0, len(jwtToken.PublicKeys)+len(jwtToken.PublicKeyFiles))
 
 			for i := range jwtToken.PublicKeys {
 				k, err := jwt.ParseKey([]byte(jwtToken.PublicKeys[i]))
 				if err != nil {
-					return nil, nil, err
+					return nil, err
 				}
 				keys = append(keys, k)
 			}
@@ -117,52 +52,30 @@ func parseJWTUsers(ac *AuthConfig) ([]*UserInfo, *oidcDiscovererPool, error) {
 			for _, filePath := range jwtToken.PublicKeyFiles {
 				keyData, err := os.ReadFile(filePath)
 				if err != nil {
-					return nil, nil, fmt.Errorf("cannot read public key from file %q: %w", filePath, err)
+					return nil, fmt.Errorf("cannot read public key from file %q: %w", filePath, err)
 				}
 				k, err := jwt.ParseKey(keyData)
 				if err != nil {
-					return nil, nil, fmt.Errorf("cannot parse public key from file %q: %w", filePath, err)
+					return nil, fmt.Errorf("cannot parse public key from file %q: %w", filePath, err)
 				}
 				keys = append(keys, k)
 			}
 
 			vp, err := jwt.NewVerifierPool(keys)
 			if err != nil {
-				return nil, nil, err
+				return nil, err
 			}
 
-			jwtToken.verifierPool.Store(vp)
-		}
-		if jwtToken.OIDC != nil {
-			if len(jwtToken.PublicKeys) > 0 || len(jwtToken.PublicKeyFiles) > 0 || jwtToken.SkipVerify {
-				return nil, nil, fmt.Errorf("jwt with oidc cannot contain public keys or have skip_verify=true")
-			}
-
-			if jwtToken.OIDC.Issuer == "" {
-				return nil, nil, fmt.Errorf("oidc issuer cannot be empty")
-			}
-			isserURL, err := url.Parse(jwtToken.OIDC.Issuer)
-			if err != nil {
-				return nil, nil, fmt.Errorf("oidc issuer %q must be a valid URL", jwtToken.OIDC.Issuer)
-			}
-			if isserURL.Scheme != "https" && isserURL.Scheme != "http" {
-				return nil, nil, fmt.Errorf("oidc issuer %q must have http or https scheme", jwtToken.OIDC.Issuer)
-			}
-
-			oidcDP.createOrAdd(ui.JWT.OIDC.Issuer, &ui.JWT.verifierPool)
-		}
-
-		if err := parseJWTPlaceholdersForUserInfo(&ui, true); err != nil {
-			return nil, nil, err
+			jwtToken.verifierPool = vp
 		}
 
 		if err := ui.initURLs(); err != nil {
-			return nil, nil, err
+			return nil, err
 		}
 
 		metricLabels, err := ui.getMetricLabels()
 		if err != nil {
-			return nil, nil, fmt.Errorf("cannot parse metric_labels: %w", err)
+			return nil, fmt.Errorf("cannot parse metric_labels: %w", err)
 		}
 		ui.requests = ac.ms.GetOrCreateCounter(`vmauth_user_requests_total` + metricLabels)
 		ui.requestErrors = ac.ms.GetOrCreateCounter(`vmauth_user_request_errors_total` + metricLabels)
@@ -181,53 +94,36 @@ func parseJWTUsers(ac *AuthConfig) ([]*UserInfo, *oidcDiscovererPool, error) {
 
 		rt, err := newRoundTripper(ui.TLSCAFile, ui.TLSCertFile, ui.TLSKeyFile, ui.TLSServerName, ui.TLSInsecureSkipVerify)
 		if err != nil {
-			return nil, nil, fmt.Errorf("cannot initialize HTTP RoundTripper: %w", err)
+			return nil, fmt.Errorf("cannot initialize HTTP RoundTripper: %w", err)
 		}
 		ui.rt = rt
 
 		jui = append(jui, &ui)
 	}
 
-	// sort by amount of matching claims
-	// it allows to more specific claim win in case of clash
-	sort.SliceStable(jui, func(i, j int) bool {
-		return len(jui[i].JWT.MatchClaims) > len(jui[j].JWT.MatchClaims)
-	})
-
-	return jui, oidcDP, nil
-}
-
-var tokenPool sync.Pool
-
-func getToken() *jwt.Token {
-	tkn := tokenPool.Get()
-	if tkn == nil {
-		return &jwt.Token{}
+	// the limitation will be lifted once claim based matching will be implemented
+	if len(jui) > 1 {
+		return nil, fmt.Errorf("multiple users with JWT tokens are not supported; found %d users", len(jui))
 	}
-	return tkn.(*jwt.Token)
+
+	return jui, nil
 }
 
-func putToken(tkn *jwt.Token) {
-	tkn.Reset()
-	tokenPool.Put(tkn)
-}
-
-func getJWTUserInfo(ats []string) (*UserInfo, *jwt.Token) {
+func getUserInfoByJWTToken(ats []string) *UserInfo {
 	js := *jwtAuthCache.Load()
 	if len(js.users) == 0 {
-		return nil, nil
+		return nil
 	}
 
-	tkn := getToken()
-
 	for _, at := range ats {
 		if strings.Count(at, ".") != 2 {
 			continue
 		}
 
 		at, _ = strings.CutPrefix(at, `http_auth:`)
-		tkn.Reset()
-		if err := tkn.Parse(at, true); err != nil {
+
+		tkn, err := jwt.NewToken(at, true)
+		if err != nil {
 			if *logInvalidAuthTokens {
 				logger.Infof("cannot parse jwt token: %s", err)
 			}
@@ -235,252 +131,26 @@ func getJWTUserInfo(ats []string) (*UserInfo, *jwt.Token) {
 		}
 		if tkn.IsExpired(time.Now()) {
 			if *logInvalidAuthTokens {
-				// TODO: add more context:
-				// token claims with issuer
 				logger.Infof("jwt token is expired")
 			}
 			continue
 		}
 
-		if ui := getUserInfoByJWTToken(tkn, js.users); ui != nil {
-			return ui, tkn
-		}
-	}
+		for _, ui := range js.users {
+			if ui.JWT.SkipVerify {
+				return ui
+			}
 
-	putToken(tkn)
-	return nil, nil
-}
-
-func getUserInfoByJWTToken(tkn *jwt.Token, users []*UserInfo) *UserInfo {
-	for _, ui := range users {
-		if !tkn.MatchClaims(ui.JWT.parsedMatchClaims) {
-			continue
-		}
-
-		if ui.JWT.SkipVerify {
-			return ui
-		}
-
-		if ui.JWT.OIDC != nil {
-			// OIDC requires iss claim.
-			// It must match the discovery issuer URL set in OIDC config.
-			// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
-			if tkn.Issuer() == "" {
+			if err := ui.JWT.verifierPool.Verify(tkn); err != nil {
 				if *logInvalidAuthTokens {
-					logger.Infof("jwt token must have issuer filed")
+					logger.Infof("cannot verify jwt token: %s", err)
 				}
-				return nil
-			}
-			if tkn.Issuer() != ui.JWT.OIDC.Issuer {
-				if *logInvalidAuthTokens {
-					logger.Infof("jwt token issuer: %q does not match oidc issuer: %q", tkn.Issuer(), ui.JWT.OIDC.Issuer)
-				}
-				return nil
-			}
-		}
-
-		vp := ui.JWT.verifierPool.Load()
-		if vp == nil {
-			if *logInvalidAuthTokens {
-				logger.Infof("jwt verifier not initialed")
-			}
-			return nil
-		}
-
-		if err := vp.Verify(tkn); err != nil {
-			if *logInvalidAuthTokens {
-				logger.Infof("cannot verify jwt token: %s", err)
-			}
-			return nil
-		}
-
-		return ui
-	}
-
-	if *logInvalidAuthTokens {
-		logger.Infof("no user match jwt token")
-	}
-
-	return nil
-}
-
-func replaceJWTPlaceholders(bu *backendURL, hc HeadersConf, vma *jwt.VMAccessClaim) (*url.URL, HeadersConf) {
-	if !bu.hasPlaceHolders && !hc.hasAnyPlaceHolders {
-		return bu.url, hc
-	}
-	targetURL := bu.url
-	data := jwtClaimsData(vma)
-	if bu.hasPlaceHolders {
-		// template url params and request path
-		// make a copy of url
-		uCopy := *bu.url
-		for _, uph := range urlPathPlaceHolders {
-			replacement := data[uph]
-			uCopy.Path = strings.ReplaceAll(uCopy.Path, uph, replacement[0])
-		}
-		query := uCopy.Query()
-		var foundAnyQueryPlaceholder bool
-		var templatedValues []string
-		for param, values := range query {
-			templatedValues = templatedValues[:0]
-			// filter in-place values with placeholders
-			// and accumulate replacements
-			// it will change the order of param values
-			// but it's not guaranteed
-			// and will be changed in any way with multiple arg templates
-			var cnt int
-			for _, value := range values {
-				if dv, ok := data[value]; ok {
-					foundAnyQueryPlaceholder = true
-					templatedValues = append(templatedValues, dv...)
-					continue
-				}
-				values[cnt] = value
-				cnt++
-			}
-			values = values[:cnt]
-			values = append(values, templatedValues...)
-			query[param] = values
-		}
-		if foundAnyQueryPlaceholder {
-			uCopy.RawQuery = query.Encode()
-		}
-		targetURL = &uCopy
-	}
-	if hc.hasAnyPlaceHolders {
-		// make a copy of headers and update only values with placeholder
-		rhs := make([]*Header, 0, len(hc.RequestHeaders))
-		for _, rh := range hc.RequestHeaders {
-			if dv, ok := data[rh.Value]; ok {
-				rh := &Header{
-					Name:  rh.Name,
-					Value: strings.Join(dv, ","),
-				}
-				rhs = append(rhs, rh)
 				continue
 			}
-			rhs = append(rhs, rh)
-		}
-		hc.RequestHeaders = rhs
-	}
 
-	return targetURL, hc
-}
-
-func jwtClaimsData(vma *jwt.VMAccessClaim) map[string][]string {
-	data := map[string][]string{
-		// TODO: optimize at parsing stage
-		metricsTenantPlaceholder:       {fmt.Sprintf("%d:%d", vma.MetricsAccountID, vma.MetricsProjectID)},
-		metricsExtraLabelsPlaceholder:  vma.MetricsExtraLabels,
-		metricsExtraFiltersPlaceholder: vma.MetricsExtraFilters,
-
-		// TODO: optimize at parsing stage
-		logsAccountIDPlaceholder:          {fmt.Sprintf("%d", vma.LogsAccountID)},
-		logsProjectIDPlaceholder:          {fmt.Sprintf("%d", vma.LogsProjectID)},
-		logsExtraFiltersPlaceholder:       vma.LogsExtraFilters,
-		logsExtraStreamFiltersPlaceholder: vma.LogsExtraStreamFilters,
-	}
-	return data
-}
-
-func parseJWTPlaceholdersForUserInfo(ui *UserInfo, isAllowed bool) error {
-	if ui.URLPrefix != nil {
-		if err := validateJWTPlaceholdersForURL(ui.URLPrefix, isAllowed); err != nil {
-			return err
+			return ui
 		}
 	}
-	if err := parsePlaceholdersForHC(&ui.HeadersConf, isAllowed); err != nil {
-		return err
-	}
-	if ui.DefaultURL != nil {
-		if err := validateJWTPlaceholdersForURL(ui.DefaultURL, isAllowed); err != nil {
-			return fmt.Errorf("invalid `default_url` placeholders: %w", err)
-		}
-	}
-	for i := range ui.URLMaps {
-		e := &ui.URLMaps[i]
-		if e.URLPrefix != nil {
-			if err := validateJWTPlaceholdersForURL(e.URLPrefix, isAllowed); err != nil {
-				return fmt.Errorf("invalid `url_map` `url_prefix` placeholders: %w", err)
-			}
-		}
-		if err := parsePlaceholdersForHC(&e.HeadersConf, isAllowed); err != nil {
-			return fmt.Errorf("invalid `url_map` headers placeholders: %w", err)
-		}
 
-	}
 	return nil
 }
-
-func validateJWTPlaceholdersForURL(up *URLPrefix, isAllowed bool) error {
-	for _, bu := range up.busOriginal {
-		ok := strings.Contains(bu.Path, placeholderPrefix)
-		if ok && !isAllowed {
-			return fmt.Errorf("placeholder: %q is only allowed at JWT token context", bu.Path)
-		}
-		if ok {
-			p := bu.Path
-			for _, ph := range allPlaceholders {
-				p = strings.ReplaceAll(p, ph, ``)
-			}
-			if strings.Contains(p, placeholderPrefix) {
-				return fmt.Errorf("invalid placeholder found in URL request path: %q, supported values are: %s", bu.Path, strings.Join(allPlaceholders, ", "))
-
-			}
-		}
-		for param, values := range bu.Query() {
-			for _, value := range values {
-				ok := strings.Contains(value, placeholderPrefix)
-				if ok && !isAllowed {
-					return fmt.Errorf("query param: %q with placeholder: %q is only allowed at JWT token context", param, value)
-				}
-				if ok {
-					// possible placeholder
-					if !slices.Contains(allPlaceholders, value) {
-						return fmt.Errorf("query param: %q has unsupported placeholder string: %q, supported values are: %s", param, value, strings.Join(allPlaceholders, ", "))
-					}
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func parsePlaceholdersForHC(hc *HeadersConf, isAllowed bool) error {
-	for _, rhs := range hc.RequestHeaders {
-		ok := strings.Contains(rhs.Value, placeholderPrefix)
-		if ok && !isAllowed {
-			return fmt.Errorf("request header: %q placeholder: %q is only supported at JWT context", rhs.Name, rhs.Value)
-		}
-		if ok {
-			if !slices.Contains(allPlaceholders, rhs.Value) {
-				return fmt.Errorf("request header: %q has unsupported placeholder: %q, supported values are: %s", rhs.Name, rhs.Value, strings.Join(allPlaceholders, ", "))
-			}
-			hc.hasAnyPlaceHolders = true
-		}
-	}
-	for _, rhs := range hc.ResponseHeaders {
-		if strings.Contains(rhs.Value, placeholderPrefix) {
-			return fmt.Errorf("response header placeholders are not supported; found placeholder prefix at header: %q with value: %q", rhs.Name, rhs.Value)
-		}
-	}
-	return nil
-}
-
-func hasAnyPlaceholders(u *url.URL) bool {
-	if strings.Contains(u.Path, placeholderPrefix) {
-		return true
-	}
-	if len(u.Query()) == 0 {
-		return false
-	}
-	for _, values := range u.Query() {
-		for _, value := range values {
-			if strings.HasPrefix(value, placeholderPrefix) {
-				return true
-			}
-		}
-
-	}
-	return false
-}

app/vmauth/jwt_test.go

@@ -1,10 +1,7 @@
 package main
 
 import (
-	"encoding/json"
 	"fmt"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
@@ -35,20 +32,18 @@ XOtclIk1uhc03oL9nOQ=
 		ac, err := parseAuthConfig([]byte(s))
 		if err != nil {
 			if expErr != err.Error() {
-				t.Fatalf("unexpected error; got\n%q\nwant\n%q", err.Error(), expErr)
+				t.Fatalf("unexpected error; got %q; want %q", err.Error(), expErr)
 			}
 			return
 		}
-		users, oidcDP, err := parseJWTUsers(ac)
-		if err == nil {
-			t.Fatalf("expecting non-nil error; got %v", users)
-		}
-		if expErr != err.Error() {
-			t.Fatalf("unexpected error; got\n%q\nwant \n%q", err.Error(), expErr)
-		}
-		if oidcDP != nil {
-			t.Fatalf("expecting nil oidcDP; got %v", oidcDP)
+		users, err := parseJWTUsers(ac)
+		if err != nil {
+			if expErr != err.Error() {
+				t.Fatalf("unexpected error; got %q; want %q", err.Error(), expErr)
+			}
+			return
 		}
+		t.Fatalf("expecting non-nil error; got %v", users)
 	}
 
 	// unauthorized_user cannot be used with jwt
@@ -85,28 +80,28 @@ users:
 users:
 - jwt: {}
   url_prefix: http://foo.bar
-`, `jwt must contain at least a single public key, public_key_files, oidc or have skip_verify=true`)
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
 
 	// jwt public_keys or skip_verify must be set, part 2
 	f(`
 users:
 - jwt: {public_keys: null}
   url_prefix: http://foo.bar
-`, `jwt must contain at least a single public key, public_key_files, oidc or have skip_verify=true`)
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
 
 	// jwt public_keys or skip_verify must be set, part 3
 	f(`
 users:
 - jwt: {public_keys: []}
   url_prefix: http://foo.bar
-`, `jwt must contain at least a single public key, public_key_files, oidc or have skip_verify=true`)
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
 
 	// jwt public_keys, public_key_files or skip_verify must be set
 	f(`
 users:
 - jwt: {public_key_files: []}
   url_prefix: http://foo.bar
-`, `jwt must contain at least a single public key, public_key_files, oidc or have skip_verify=true`)
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
 
 	// invalid public key, part 1
 	f(`
@@ -145,7 +140,7 @@ users:
     public_keys:
     - %q
   url_prefix: http://foo.bar
-`, validRSAPublicKey, validECDSAPublicKey), `duplicate match claims="" found for name="" at idx=1; the previous one is set for name=""`)
+`, validRSAPublicKey, validECDSAPublicKey), `multiple users with JWT tokens are not supported; found 2 users`)
 
 	// public key file doesn't exist
 	f(`
@@ -169,122 +164,6 @@ users:
     - `+publicKeyFile+`
   url_prefix: http://foo.bar
 `, "cannot parse public key from file \""+publicKeyFile+"\": failed to parse key \"invalidPEM\": failed to decode PEM block containing public key")
-
-	// unsupported placeholder in a header
-	f(`
-users:
-- jwt: 
-    skip_verify: true
-  url_prefix: http://foo.bar/{{.UnsupportedPlaceholder}}/foo`,
-		"invalid placeholder found in URL request path: \"/{{.UnsupportedPlaceholder}}/foo\", supported values are: {{.MetricsTenant}}, {{.MetricsExtraLabels}}, {{.MetricsExtraFilters}}, {{.LogsAccountID}}, {{.LogsProjectID}}, {{.LogsExtraFilters}}, {{.LogsExtraStreamFilters}}",
-	)
-	// unsupported placeholder in a header
-	f(`
-users:
-- jwt: 
-    skip_verify: true
-  headers:
-    - "AccountID: {{.UnsupportedPlaceholder}}"
-  url_prefix: http://foo.bar
-`,
-		"request header: \"AccountID\" has unsupported placeholder: \"{{.UnsupportedPlaceholder}}\", supported values are: {{.MetricsTenant}}, {{.MetricsExtraLabels}}, {{.MetricsExtraFilters}}, {{.LogsAccountID}}, {{.LogsProjectID}}, {{.LogsExtraFilters}}, {{.LogsExtraStreamFilters}}",
-	)
-
-	// spaces in templating not allowed
-	f(`
-users:
-- jwt: 
-    skip_verify: true
-  headers:
-    - "AccountID: {{ .LogsAccountID }}"
-  url_prefix: http://foo.bar
-`,
-		"request header: \"AccountID\" has unsupported placeholder: \"{{ .LogsAccountID }}\", supported values are: {{.MetricsTenant}}, {{.MetricsExtraLabels}}, {{.MetricsExtraFilters}}, {{.LogsAccountID}}, {{.LogsProjectID}}, {{.LogsExtraFilters}}, {{.LogsExtraStreamFilters}}",
-	)
-
-	// oidc is not an object
-	f(`
-users:
-- jwt: 
-    oidc: "not an object"
-  url_prefix: http://foo.bar
-`,
-		"cannot unmarshal AuthConfig data: yaml: unmarshal errors:\n  line 4: cannot unmarshal !!str `not an ...` into main.oidcConfig",
-	)
-
-	// oidc issuer empty
-	f(`
-users:
-- jwt: 
-    oidc: {}
-  url_prefix: http://foo.bar
-`,
-		"oidc issuer cannot be empty",
-	)
-
-	// oidc issuer invalid urls
-	f(`
-users:
-- jwt: 
-    oidc:
-      issuer: "::invalid-url"
-  url_prefix: http://foo.bar
-`,
-		"oidc issuer \"::invalid-url\" must be a valid URL",
-	)
-
-	// oidc issuer invalid urls
-	f(`
-users:
-- jwt: 
-    oidc:
-      issuer: "invalid-url"
-  url_prefix: http://foo.bar
-`,
-		"oidc issuer \"invalid-url\" must have http or https scheme",
-	)
-
-	// oidc and public_keys are not allowed
-	f(fmt.Sprintf(`
-users:
-- jwt: 
-    public_keys:
-    - %q
-    oidc: 
-      issuer: https://example.com
-  url_prefix: http://foo.bar
-`, validRSAPublicKey),
-		"jwt with oidc cannot contain public keys or have skip_verify=true",
-	)
-
-	// oidc and skip_verify are not allowed
-	f(`
-users:
-- jwt: 
-    skip_verify: true
-    oidc: 
-      issuer: https://example.com
-  url_prefix: http://foo.bar
-`,
-		"jwt with oidc cannot contain public keys or have skip_verify=true",
-	)
-	// duplicate claims
-	f(`
-users:
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: ops
-  name: user-1
-  url_prefix: http://foo.bar
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: ops
-  name: user-2
-  url_prefix: http://foo.bar`,
-		"duplicate match claims=\"team=ops\" found for name=\"user-2\" at idx=1; the previous one is set for name=\"user-1\"",
-	)
 }
 
 func TestJWTParseAuthConfigSuccess(t *testing.T) {
@@ -314,12 +193,10 @@ XOtclIk1uhc03oL9nOQ=
 			t.Fatalf("unexpected error: %s", err)
 		}
 
-		jui, oidcDP, err := parseJWTUsers(ac)
+		jui, err := parseJWTUsers(ac)
 		if err != nil {
 			t.Fatalf("unexpected error: %s", err)
 		}
-		oidcDP.startDiscovery()
-		defer oidcDP.stopDiscovery()
 
 		for _, ui := range jui {
 			if ui.JWT == nil {
@@ -327,13 +204,13 @@ XOtclIk1uhc03oL9nOQ=
 			}
 
 			if ui.JWT.SkipVerify {
-				if ui.JWT.verifierPool.Load() != nil {
+				if ui.JWT.verifierPool != nil {
 					t.Fatalf("unexpected non-nil verifier pool for skip_verify=true")
 				}
 				continue
 			}
 
-			if ui.JWT.verifierPool.Load() == nil {
+			if ui.JWT.verifierPool == nil {
 				t.Fatalf("unexpected nil verifier pool for non-empty public keys")
 			}
 		}
@@ -424,80 +301,4 @@ users:
     - %q
   url_prefix: http://foo.bar
 `, validECDSAPublicKey, rsaKeyFile))
-
-	// oidc stub server
-	var ipSrv *httptest.Server
-	ipSrv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path == "/.well-known/openid-configuration" {
-			w.Header().Set("Content-Type", "application/json")
-			_ = json.NewEncoder(w).Encode(map[string]string{
-				"issuer":   ipSrv.URL,
-				"jwks_uri": fmt.Sprintf("%s/jwks", ipSrv.URL),
-			})
-			return
-		}
-		if r.URL.Path == "/jwks" {
-			// resp generated by https://jwkset.com/generate
-			w.Header().Set("Content-Type", "application/json")
-			w.Write([]byte(`
-{
-  "keys": [
-    {
-      "kty": "RSA",
-      "kid": "f13eee91-f566-4829-80fa-fca847c21f0e",
-      "d": "Ua1llEFz3LZ05CrK5a2JxKMUEWJGXhBPPF20hHQjzxd1w0IEJK_mhPZQG8dNtBROBNIi1FC9l6QRw-RTnVIVat5Xy4yDFNKXXL3ZLXejOHY8SXrNEIDqQ-cSwIpK9cK7Umib0PcPeEeeAED5mqDH75D8_YssWFF18kLbNB5Z9pZmn6Fshiht7l2Sh4GN-KcReOW6eiQQwckDte3OGmZCRbtEriLWJt5TUGUvfZVIlcclqNMycNB6jGa9E1pO5Up7Ki3ZbI_-6XmRgZPtqnR9oLJ1zn3fj3hYpCXo-zcqLuOu3qxcslsq5igsfBzgGtfIJHY9LfWmHUsaDEa5cAX1gQ",
-      "n": "xbLXXBTNREk70UCMiqZ53_mTzYh89W-UaPU61GZ-RZ5lYcLgyWOb5mdyRbvJpcgfZpsOeGAUWbk3GkQ4vqn8kUMnnWhUum2Qk9kGubOJGLW6yaURd00j3E-ilQ5xO2R_Hzz8bAojxV8GKdGTQ-iTf8z8nsSHH8kR2SERbNJCFFtwtFU7vyFWyoH4Lmvu2UpICTHFCR9RqwQVjyoKB1JjJ6Dh1L4zPTlsvQEnqoeFQHPYr0QcQSMYXdfPvlt_FiLOAOE89fX_9T2r9WbFAoda3uTRE5_aal0jxUU2cFyeVSIgauNtF07fp422XFb4XPkWQWrdNx0KX53laSIYQ9HOpw",
-      "e": "AQAB",
-      "p": "2JT57AD-Q2lamgjgyn0wL7DgYZ3OoCTTrDm5_NHg6h13uDvyIlXSukuUeWm4tzPSDedpstbS7dgXkLw5eQXBHwPYtByTcEZS8Z37CBnhMOOhfo_U1aNIPPanJACvWBgz47-TxHsxW1YhztZqghRoicBZPSSBAj49MgANJ4jF0zc",
-      "q": "6a4MkeSXJI-ZzQ-bgP8hwJqpLFr0AiNGQcjZMH4Nn4CPGdnGiqqe6flhfLimgbNhbb67B0-8fLIji8zGhGKDL_JSIpAAdmfs2vzeEsY2hScrqVbd1VbfRcRh0J6lsn7obxkbvQthp9sX2DQbeDcEeaFEvd9gDKQSATYEqWo7eBE",
-      "dp": "haL2yu6Z9RJuuxi7S3YPY33qFZF_y0St71j3L854zzw7gMxMTW9TRWwZQwk-1pv9AmNFzvnK0MNDVyUs-UXZsb932TrApshdqYRnPsppLvdl0GgDVYcYrbUr0IUzrFHSwraVAOlavRbaaXvX4EejcUvkRFvf1nh83fs2Iqy8E-U",
-      "dq": "Cnf5qC-Ndd3ZDg688LJ9WJuVKJ-Kfu4Fn7zXvgxnn9Wqk4XmFyA9rk21yFidXQIkQz5gMpun3g48-W5bFmMzbVp1w4af_q35NnZNnJm0p5Jxqkxx87TIm9-IYkg5NB3rW87MJ1PzNAnkr5LmCCSu1qQa6Eaxjt9qzxMUcmKH94E",
-      "qi": "saAeU11iaKHmye3cwCAYkegcyWbXV3xIXEVJtS9Af_yM19UhspwY2VhuwRaajcwYZwtvR9_ITmX9M-ea7uLdd7aDYO1fujC8NGbopeC4Hkr7yb5vTly3pfKf4h-3LwGGUucJUetdz1lmMIYiyuG4_gSf1yIEtPDLKzXiedgEMdI"
-    }
-  ]
-}
-`))
-			return
-		}
-
-		http.NotFound(w, r)
-	}))
-	defer ipSrv.Close()
-
-	f(`
-users:
-- jwt:
-    oidc:
-      issuer: ` + ipSrv.URL + `
-  url_prefix: http://foo.bar
-`)
-	// multiple match claims
-	f(fmt.Sprintf(`
-users:
-- jwt:
-   match_claims:
-    role: ro
-    team: dev
-   public_keys:
-    - %q
-  url_prefix: http://foo.bar
-- jwt:
-   match_claims:
-      role: admin
-      team: dev
-   public_key_files:
-    - %q
-    - %q
-  url_prefix: http://foo.bar
-- jwt:
-   match_claims:
-     role: viewer
-     team: dev
-     department: ceo
-   skip_verify: true
-  url_prefix: http://foo.bar
-
-
-`, validRSAPublicKey, rsaKeyFile, ecdsaKeyFile))
-
 }

app/vmauth/main.go

@@ -16,7 +16,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/jwt"
 	"github.com/VictoriaMetrics/metrics"
 
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/buildinfo"
@@ -174,7 +173,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		// Process requests for unauthorized users
 		ui := authConfig.Load().UnauthorizedUser
 		if ui != nil {
-			processUserRequest(w, r, ui, nil)
+			processUserRequest(w, r, ui)
 			return true
 		}
 
@@ -183,21 +182,17 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 	}
 
 	if ui := getUserInfoByAuthTokens(ats); ui != nil {
-		processUserRequest(w, r, ui, nil)
+		processUserRequest(w, r, ui)
 		return true
 	}
-	if ui, tkn := getJWTUserInfo(ats); ui != nil {
-		if tkn == nil {
-			logger.Panicf("BUG: unexpected nil jwt token for user %q", ui.name())
-		}
-		defer putToken(tkn)
-		processUserRequest(w, r, ui, tkn)
+	if ui := getUserInfoByJWTToken(ats); ui != nil {
+		processUserRequest(w, r, ui)
 		return true
 	}
 
 	uu := authConfig.Load().UnauthorizedUser
 	if uu != nil {
-		processUserRequest(w, r, uu, nil)
+		processUserRequest(w, r, uu)
 		return true
 	}
 
@@ -226,37 +221,7 @@ func getUserInfoByAuthTokens(ats []string) *UserInfo {
 	return nil
 }
 
-// responseWriterWithStatus is a wrapper around http.ResponseWriter that captures the status code written to the response.
-type responseWriterWithStatus struct {
-	http.ResponseWriter
-	status int
-}
-
-// WriteHeader records the status so it can be easily retrieved later
-func (rws *responseWriterWithStatus) WriteHeader(status int) {
-	rws.status = status
-	rws.ResponseWriter.WriteHeader(status)
-}
-
-// Flush implements net/http.Flusher interface
-//
-// This is needed for the copyStreamToClient()
-func (rws *responseWriterWithStatus) Flush() {
-	flusher, ok := rws.ResponseWriter.(http.Flusher)
-	if !ok {
-		logger.Panicf("BUG: it is expected http.ResponseWriter (%T) supports http.Flusher interface", rws.ResponseWriter)
-	}
-	flusher.Flush()
-}
-
-// Unwrap returns the original ResponseWriter wrapped by rws.
-//
-// This is needed for the net/http.ResponseController - see https://pkg.go.dev/net/http#NewResponseController
-func (rws *responseWriterWithStatus) Unwrap() http.ResponseWriter {
-	return rws.ResponseWriter
-}
-
-func processUserRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tkn *jwt.Token) {
+func processUserRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo) {
 	startTime := time.Now()
 	defer ui.requestsDuration.UpdateDuration(startTime)
 
@@ -265,20 +230,6 @@ func processUserRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tk
 	ctx, cancel := context.WithTimeout(r.Context(), *maxQueueDuration)
 	defer cancel()
 
-	userName := ui.name()
-	if userName == "" {
-		userName = "unauthorized"
-	}
-
-	if ui.AccessLog != nil {
-		w = &responseWriterWithStatus{ResponseWriter: w}
-		defer func() {
-			rws := w.(*responseWriterWithStatus)
-			duration := time.Since(startTime)
-			ui.logRequest(r, userName, rws.status, duration)
-		}()
-	}
-
 	// Acquire global concurrency limit.
 	if err := beginConcurrencyLimit(ctx); err != nil {
 		handleConcurrencyLimitError(w, r, err)
@@ -297,6 +248,10 @@ func processUserRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tk
 	}
 
 	// Read the initial chunk for the request body.
+	userName := ui.name()
+	if userName == "" {
+		userName = "unauthorized"
+	}
 	bb, err := bufferRequestBody(ctx, r.Body, userName)
 	if err != nil {
 		httpserver.Errorf(w, r, "%s", err)
@@ -317,7 +272,7 @@ func processUserRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tk
 	defer ui.endConcurrencyLimit()
 
 	// Process the request.
-	processRequest(w, r, ui, tkn)
+	processRequest(w, r, ui)
 }
 
 func beginConcurrencyLimit(ctx context.Context) error {
@@ -390,7 +345,7 @@ func bufferRequestBody(ctx context.Context, r io.ReadCloser, userName string) (i
 	return bb, nil
 }
 
-func processRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tkn *jwt.Token) {
+func processRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo) {
 	u := normalizeURL(r.URL)
 	up, hc := ui.getURLPrefixAndHeaders(u, r.Host, r.Header)
 	isDefault := false
@@ -422,21 +377,16 @@ func processRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tkn *j
 			break
 		}
 		targetURL := bu.url
-		if tkn != nil {
-			// for security reasons allow templating only for configured url values and headers
-			targetURL, hc = replaceJWTPlaceholders(bu, hc, tkn.VMAccess())
-		}
 		if isDefault {
 			// Don't change path and add request_path query param for default route.
-			targetURLCopy := *targetURL
 			query := targetURL.Query()
 			query.Set("request_path", u.String())
-			targetURLCopy.RawQuery = query.Encode()
-			targetURL = &targetURLCopy
+			targetURL.RawQuery = query.Encode()
 		} else {
 			// Update path for regular routes.
 			targetURL = mergeURLs(targetURL, u, up.dropSrcPathPrefixParts, up.mergeQueryArgs)
 		}
+
 		wasLocalRetry := false
 	again:
 		ok, needLocalRetry := tryProcessingRequest(w, r, targetURL, hc, up.retryStatusCodes, ui, bu)

app/vmauth/main_test.go

@@ -12,13 +12,11 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
-	"math/big"
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"path/filepath"
-	"sort"
 	"strings"
 	"sync/atomic"
 	"testing"
@@ -103,35 +101,6 @@ User-Agent: vmauth
 X-Forwarded-For: 12.34.56.78, 42.2.3.84`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
-	// with default_url
-	cfgStr = `
-unauthorized_user:
-  default_url: {BACKEND}/default
-  url_map:
-  - src_paths:
-    - /empty
-    url_prefix: {BACKEND}/empty`
-	requestURL = "http://some-host.com/abc/def?some_arg=some_value"
-	backendHandler = func(w http.ResponseWriter, r *http.Request) {
-		h := w.Header()
-		h.Set("Connection", "close")
-		h.Set("Foo", "bar")
-
-		var bb bytes.Buffer
-		if err := r.Header.Write(&bb); err != nil {
-			panic(fmt.Errorf("unexpected error when marshaling headers: %w", err))
-		}
-		fmt.Fprintf(w, "requested_url=http://%s%s\n%s", r.Host, r.URL, bb.String())
-	}
-	responseExpected = `
-statusCode=200
-Foo: bar
-requested_url={BACKEND}/default?request_path=http%3A%2F%2Fsome-host.com%2Fabc%2Fdef%3Fsome_arg%3Dsome_value
-Pass-Header: abc
-User-Agent: vmauth
-X-Forwarded-For: 12.34.56.78, 42.2.3.84`
-	f(cfgStr, requestURL, backendHandler, responseExpected)
-
 	// routing of all failed to authorize requests to unauthorized_user (issue #7543)
 	cfgStr = `
 unauthorized_user:
@@ -602,41 +571,22 @@ func TestJWTRequestHandler(t *testing.T) {
 
 		return payload + "." + signatureB64
 	}
+	genToken(t, nil, false)
 
 	f := func(cfgStr string, r *http.Request, responseExpected string) {
 		t.Helper()
 
 		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if _, err := w.Write([]byte("path: " + r.URL.Path + "\n")); err != nil {
+			if _, err := w.Write([]byte(r.RequestURI + "\n")); err != nil {
 				panic(fmt.Errorf("cannot write response: %w", err))
 			}
-			if _, err := w.Write([]byte("query:\n")); err != nil {
-				panic(fmt.Errorf("cannot write response: %w", err))
-			}
-			names := make([]string, 0, len(r.URL.Query()))
-			query := r.URL.Query()
-			for n := range query {
-				names = append(names, n)
-			}
-			sort.Strings(names)
-			for _, n := range names {
-				for _, v := range query[n] {
-					if _, err := w.Write([]byte("    " + n + "=" + v + "\n")); err != nil {
-						panic(fmt.Errorf("cannot write response: %w", err))
-					}
-				}
-			}
-
-			if _, err := w.Write([]byte("headers:\n")); err != nil {
-				panic(fmt.Errorf("cannot write response: %w", err))
-			}
-			if v := r.Header.Get(`AccountID`); v != "" {
-				if _, err := w.Write([]byte(`    AccountID=` + v + "\n")); err != nil {
+			if v := r.Header.Get(`extra_label`); v != "" {
+				if _, err := w.Write([]byte(`extra_label=` + v + "\n")); err != nil {
 					panic(fmt.Errorf("cannot write response: %w", err))
 				}
 			}
-			if v := r.Header.Get(`ProjectID`); v != "" {
-				if _, err := w.Write([]byte(`    ProjectID=` + v + "\n")); err != nil {
+			if v := r.Header.Get(`extra_filters`); v != "" {
+				if _, err := w.Write([]byte(`extra_filters=` + v + "\n")); err != nil {
 					panic(fmt.Errorf("cannot write response: %w", err))
 				}
 			}
@@ -682,7 +632,7 @@ users:
     - %q
   url_prefix: {BACKEND}/foo`, string(publicKeyPEM))
 	noVMAccessClaimToken := genToken(t, nil, true)
-	minimalToken := genToken(t, map[string]any{
+	defaultVMAccessClaimToken := genToken(t, map[string]any{
 		"exp":       time.Now().Add(10 * time.Minute).Unix(),
 		"vm_access": map[string]any{},
 	}, true)
@@ -695,30 +645,6 @@ users:
 		"vm_access": map[string]any{},
 	}, false)
 
-	fullToken := genToken(t, map[string]any{
-		"exp": time.Now().Add(10 * time.Minute).Unix(),
-		"vm_access": map[string]any{
-			"metrics_account_id": 123,
-			"metrics_project_id": 234,
-			"metrics_extra_labels": []string{
-				"label1=value1",
-				"label2=value2",
-			},
-			"metrics_extra_filters": []string{
-				`{label3="value3"}`,
-				`{label4="value4"}`,
-			},
-			"logs_account_id": 345,
-			"logs_project_id": 456,
-			"logs_extra_filters": []string{
-				`{"namespace":"my-app","env":"prod"}`,
-			},
-			"logs_extra_stream_filters": []string{
-				`{"team":"dev"}`,
-			},
-		},
-	}, true)
-
 	// missing authorization
 	request := httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
 	responseExpected := `
@@ -756,9 +682,7 @@ Unauthorized`
 	request.Header.Set(`Authorization`, `Bearer `+invalidSignatureToken)
 	responseExpected = `
 statusCode=200
-path: /foo/abc
-query:
-headers:`
+/foo/abc`
 	f(`
 users:
 - jwt:
@@ -767,17 +691,15 @@ users:
 
 	// token with default valid vm_access claim
 	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
+	request.Header.Set(`Authorization`, `Bearer `+defaultVMAccessClaimToken)
 	responseExpected = `
 statusCode=200
-path: /foo/abc
-query:
-headers:`
+/foo/abc`
 	f(simpleCfgStr, request, responseExpected)
 
 	// jwt token used but no matching user with JWT token in config
 	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
+	request.Header.Set(`Authorization`, `Bearer `+defaultVMAccessClaimToken)
 	responseExpected = `
 statusCode=401
 Unauthorized`
@@ -793,747 +715,20 @@ users:
 		t.Fatalf("failed to write public key file: %s", err)
 	}
 	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
+	request.Header.Set(`Authorization`, `Bearer `+defaultVMAccessClaimToken)
 	responseExpected = `
 statusCode=200
-path: /foo/abc
-query:
-headers:`
+/foo/abc`
 	f(fmt.Sprintf(`
 users:
 - jwt:
     public_key_files:
     - %q
-  url_prefix: {BACKEND}/foo`, publicKeyFile), request, responseExpected)
-
-	// ---- VictoriaMetrics specific tests ----
-
-	// extra_label and extra_filters dropped if empty in vm_access claim
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
-	responseExpected = `
-statusCode=200
-path: /select/0:0/api/v1/query
-query:
-headers:`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// extra_label and extra_filters set if present in vm_access claim
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters={label3="value3"}
-    extra_filters={label4="value4"}
-    extra_label=label1=value1
-    extra_label=label2=value2
-headers:`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// extra_label and extra_filters from vm_access claim merged with statically defined
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters=aStaticFilter
-    extra_filters={label3="value3"}
-    extra_filters={label4="value4"}
-    extra_label=aStaticLabel
-    extra_label=label1=value1
-    extra_label=label2=value2
-headers:`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/?extra_label=aStaticLabel&extra_filters=aStaticFilter&extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// extra_labels and extra_filters set from vm_access claim should override user provided query args
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query?extra_label=userProvidedLabel&extra_filters=userProvidedFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters={label3="value3"}
-    extra_filters={label4="value4"}
-    extra_label=label1=value1
-    extra_label=label2=value2
-headers:`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// merge user provided query args with extra_labels and extra_filters from vm_access claim
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query?extra_label=userProvidedLabel&extra_filters=userProvidedFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters={label3="value3"}
-    extra_filters={label4="value4"}
-    extra_filters=userProvidedFilter
-    extra_label=label1=value1
-    extra_label=label2=value2
-    extra_label=userProvidedLabel
-headers:`
-	f(fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  merge_query_args: [extra_filters, extra_label]
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// pass user provided query args if vm_access claim has no extra_labels and extra_filters
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query?extra_label=userProvidedLabel&extra_filters=userProvidedFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters=userProvidedFilter
-    extra_label=userProvidedLabel
-headers:`
-	f(fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  merge_query_args: [extra_filters, extra_label]
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// pass user provided query args if vm_access claim has no extra_labels and extra_filters
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query?extra_label=userProvidedLabel&extra_filters=userProvidedFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters=userProvidedFilter
-    extra_label=userProvidedLabel
-headers:`
-	f(fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_prefix: {BACKEND}/select/{{.MetricsTenant}}/`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// placeholders in url_map
-	request = httptest.NewRequest(`GET`, "http://some-host.com/api/v1/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/123:234/api/v1/query
-query:
-    extra_filters={label3="value3"}
-    extra_filters={label4="value4"}
-    extra_label=label1=value1
-    extra_label=label2=value2
-headers:`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_map:
-    - src_paths: ["/api/.*"]
-      url_prefix: {BACKEND}/select/{{.MetricsTenant}}/?extra_label={{.MetricsExtraLabels}}&extra_filters={{.MetricsExtraFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// ---- VictoriaLogs specific tests ----
-
-	// tenant headers not overwritten if set statically
-	// extra_filters extra_stream_filters dropped if empty in vm_access claim
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-headers:
-    AccountID=555
-    ProjectID=666`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: 555"
-    - "ProjectID: 666"
-  url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// tenant headers are overwritten if set as placeholders
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-headers:
-    AccountID=0
-    ProjectID=0`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// tenant headers are overwritten if set as placeholders
-	// extra_filters extra_stream_filters from vm_access claim merged with statically defined
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters=aStaticFilter
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_stream_filters=aStaticStreamFilter
-    extra_stream_filters={"team":"dev"}
-headers:
-    AccountID=345
-    ProjectID=456`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  url_prefix: {BACKEND}/select/logsql/?extra_filters=aStaticFilter&extra_stream_filters=aStaticStreamFilter&extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// tenant headers are overwritten if set as placeholders
-	// extra_filters extra_stream_filters from vm_access claim merged with statically defined
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters=aStaticFilter
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_stream_filters=aStaticStreamFilter
-    extra_stream_filters={"team":"dev"}
-headers:
-    AccountID=345
-    ProjectID=456`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  url_prefix: {BACKEND}/select/logsql/?extra_filters=aStaticFilter&extra_stream_filters=aStaticStreamFilter&extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// claim info should overwrite user provided query args and headers
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query?extra_filters=aUserFilter&extra_stream_filters=aUserStreamFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	request.Header.Set(`AccountID`, `aUserAccountID`)
-	request.Header.Set(`ProjectID`, `aUserProjectID`)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_stream_filters={"team":"dev"}
-headers:
-    AccountID=345
-    ProjectID=456`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// merge user provided query args with extra_filters and extra_stream_filters from vm_access claim
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query?extra_filters=aUserFilter&extra_stream_filters=aUserStreamFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_filters=aUserFilter
-    extra_stream_filters={"team":"dev"}
-    extra_stream_filters=aUserStreamFilter
-headers:
-    AccountID=345
-    ProjectID=456`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  merge_query_args: [extra_filters, extra_stream_filters]
-  url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// pass user provided query args if vm_access claim has no extra_labels and extra_filters
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query?extra_filters=aUserFilter&extra_stream_filters=aUserStreamFilter", nil)
-	request.Header.Set(`Authorization`, `Bearer `+minimalToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters=aUserFilter
-    extra_stream_filters=aUserStreamFilter
-headers:
-    AccountID=0
-    ProjectID=0`
-	f(
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  merge_query_args: [extra_filters, extra_stream_filters]
-  url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// placeholders in url_map
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_stream_filters={"team":"dev"}
-headers:
-    AccountID=345
-    ProjectID=456`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_map:
-    - src_paths: ["/query"]
-      headers:
-        - "AccountID: {{.LogsAccountID}}"
-        - "ProjectID: {{.LogsProjectID}}"
-      url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-
-	// multiple placeholders in url_map for the same param
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_stream_filters={"team":"dev"}
-    tenant_info=static=value
-    tenant_info=345
-    tenant_info=456
-headers:
-    AccountID=345
-    ProjectID=456`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_map:
-    - src_paths: ["/query"]
-      headers:
-        - "AccountID: {{.LogsAccountID}}"
-        - "ProjectID: {{.LogsProjectID}}"
-      url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}&tenant_info=static=value&tenant_info={{.LogsAccountID}}&tenant_info={{.LogsProjectID}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-	// client request params must be ignored by placeholders
-	request = httptest.NewRequest(`GET`, "http://some-host.com/query?template_attack={{.LogsExtraFilters}}", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	request.Header.Set(`AccountID`, `{{.LogsAccountID}}`)
-	responseExpected = `
-statusCode=200
-path: /select/logsql/query
-query:
-    extra_filters={"namespace":"my-app","env":"prod"}
-    extra_stream_filters={"team":"dev"}
-    template_attack={{.LogsExtraFilters}}
-headers:
-    AccountID={{.LogsAccountID}}`
-	f(fmt.Sprintf(
-		`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_map:
-    - src_paths: ["/query"]
-      url_prefix: {BACKEND}/select/logsql/?extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		responseExpected,
-	)
-	nestedToken := genToken(t, map[string]any{
-		"exp":  time.Now().Add(10 * time.Minute).Unix(),
-		"team": "dev",
-		"nested": map[string]any{
-			"department_id": 0,
-			"scopes":        []string{"metrics", "logs"},
-			"team_permissions": map[string]any{
-				"read":  0,
-				"write": 1,
-			},
-		},
-		"vm_access": map[string]any{
-			"metrics_account_id": 123,
-			"metrics_project_id": 234,
-			"metrics_extra_labels": []string{
-				"label1=value1",
-				"label2=value2",
-			},
-			"metrics_extra_filters": []string{
-				`{label3="value3"}`,
-				`{label4="value4"}`,
-			},
-			"logs_account_id": 345,
-			"logs_project_id": 456,
-			"logs_extra_filters": []string{
-				`{"namespace":"my-app","env":"prod"}`,
-			},
-			"logs_extra_stream_filters": []string{
-				`{"team":"dev"}`,
-			},
-		},
-	}, true)
-
-	// use claim for routing, must specific match wins
-	request = httptest.NewRequest(`GET`, "http://some-host.com/route", nil)
-	request.Header.Set(`Authorization`, `Bearer `+nestedToken)
-	responseExpected = `
-statusCode=200
-path: /dev/route
-query:
-headers:
-`
-	f(`
-users:
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: dev
-     nested.scopes.1: "logs"
-     nested.department_id: "0"
-  url_map:
-    - src_paths: ["/route"]
-      url_prefix: {BACKEND}/dev
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: dev
-     nested.scopes.1: "logs"
-  url_map:
-    - src_paths: ["/route"]
-      url_prefix: {BACKEND}/ops
-`,
-		request,
-		responseExpected,
-	)
-
-	// use claim for routing, most specific not matching
-	request = httptest.NewRequest(`GET`, "http://some-host.com/route", nil)
-	request.Header.Set(`Authorization`, `Bearer `+nestedToken)
-	responseExpected = `
-statusCode=200
-path: /less_claims/route
-query:
-headers:
-`
-	f(`
-users:
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: ops
-     nested.scopes.1: "logs"
-     nested.department_id: "0"
-  url_map:
-    - src_paths: ["/route"]
-      url_prefix: {BACKEND}/more_claims
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: dev
-     nested.team_permissions.write: "1"
-  url_map:
-    - src_paths: ["/route"]
-      url_prefix: {BACKEND}/less_claims
-`,
-		request,
-		responseExpected,
-	)
-
-	// use claim for routing, empty claim match
-	request = httptest.NewRequest(`GET`, "http://some-host.com/route", nil)
-	request.Header.Set(`Authorization`, `Bearer `+nestedToken)
-	responseExpected = `
-statusCode=200
-path: /empty/route
-query:
-headers:
-`
-	f(`
-users:
-- jwt:
-    skip_verify: true
-  url_map:
-    - src_paths: ["/route"]
-      url_prefix: {BACKEND}/empty
-- jwt:
-    skip_verify: true
-    match_claims:
-     team: ops
-     nested.team_permissions.write: "1"
-  url_map:
-    - src_paths: ["/route"]
-      url_prefix: {BACKEND}/ops
-`,
-		request,
-		responseExpected,
-	)
-
-}
-
-func TestOIDCRequestHandler(t *testing.T) {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		t.Fatalf("cannot generate RSA key: %s", err)
-	}
-
-	var oidcSrv *httptest.Server
-	oidcRespOK := atomic.Bool{}
-	oidcRespOK.Store(true)
-
-	oidcSrv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case "/.well-known/openid-configuration":
-			w.Header().Set("Content-Type", "application/json")
-			if err := json.NewEncoder(w).Encode(map[string]string{
-				"issuer":   oidcSrv.URL,
-				"jwks_uri": oidcSrv.URL + "/jwks",
-			}); err != nil {
-				panic(fmt.Errorf("cannot write openid-configuration response: %w", err))
-			}
-		case "/jwks":
-			if !oidcRespOK.Load() {
-				http.Error(w, "internal server error", http.StatusInternalServerError)
-				return
-			}
-
-			// Encode the RSA public key in JWK format (base64url, no padding)
-			nBytes := privateKey.N.Bytes()
-			eBytes := big.NewInt(int64(privateKey.E)).Bytes()
-			jwksBody := fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"n":%q,"e":%q}]}`,
-				`test-key-id`,
-				base64.RawURLEncoding.EncodeToString(nBytes),
-				base64.RawURLEncoding.EncodeToString(eBytes),
-			)
-
-			w.Header().Set("Content-Type", "application/json")
-			if _, err := w.Write([]byte(jwksBody)); err != nil {
-				panic(fmt.Errorf("cannot write jwks response: %w", err))
-			}
-		default:
-			http.NotFound(w, r)
-		}
-	}))
-	defer oidcSrv.Close()
-
-	headerJSON, err := json.Marshal(map[string]any{
-		"alg": "RS256",
-		"typ": "JWT",
-		"iss": oidcSrv.URL,
-		"kid": `test-key-id`,
-	})
-	if err != nil {
-		t.Fatalf("cannot marshal JWT header: %s", err)
-	}
-	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
-
-	bodyJSON, err := json.Marshal(map[string]any{
-		"exp":       time.Now().Add(time.Minute).Unix(),
-		"iss":       oidcSrv.URL,
-		"vm_access": map[string]any{},
-	})
-	if err != nil {
-		t.Fatalf("cannot marshal JWT body: %s", err)
-	}
-	bodyB64 := base64.RawURLEncoding.EncodeToString(bodyJSON)
-
-	payload := headerB64 + "." + bodyB64
-
-	var signatureB64 string
-	hash := crypto.SHA256
-	h := hash.New()
-	h.Write([]byte(payload))
-	digest := h.Sum(nil)
-
-	signature, err := rsa.SignPKCS1v15(rand.Reader, privateKey, hash, digest)
-	if err != nil {
-		t.Fatalf("cannot sign JWT token: %s", err)
-	}
-	signatureB64 = base64.RawURLEncoding.EncodeToString(signature)
-
-	tkn := payload + "." + signatureB64
-
-	backSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
-	defer backSrv.Close()
-
-	f := func(responseExpected string) {
-		t.Helper()
-
-		cfgStr := `
-users:
-- jwt:
-    oidc:
-      issuer: ` + oidcSrv.URL + `
-  url_prefix: ` + backSrv.URL + `/
-`
-
-		cfgOrigP := authConfigData.Load()
-		if _, err := reloadAuthConfigData([]byte(cfgStr)); err != nil {
-			t.Fatalf("cannot load config data: %s", err)
-		}
-		defer func() {
-			cfgOrig := []byte("unauthorized_user:\n  url_prefix: http://foo/bar")
-			if cfgOrigP != nil {
-				cfgOrig = *cfgOrigP
-			}
-			if _, err := reloadAuthConfigData(cfgOrig); err != nil {
-				t.Fatalf("cannot restore original config: %s", err)
-			}
-		}()
-
-		r := httptest.NewRequest("GET", "http://some-host.com/api/v1/query", nil)
-		r.Header.Set("Authorization", "Bearer "+tkn)
-
-		w := &fakeResponseWriter{}
-		if !requestHandlerWithInternalRoutes(w, r) {
-			t.Fatalf("unexpected false returned from requestHandler")
-		}
-
-		if response := w.getResponse(); response != responseExpected {
-			t.Fatalf("unexpected response\ngot\n%s\nwant\n%s", response, responseExpected)
-		}
-	}
-
-	// successful
-	f(`statusCode=200
-`)
-
-	oidcRespOK.Store(false)
-	// OIDC server error
-	f(`statusCode=401
-Unauthorized
-`)
+  url_prefix: {BACKEND}/foo`, string(publicKeyFile)), request, responseExpected)
 }
 
 type fakeResponseWriter struct {
-	statusCode int
-	h          http.Header
+	h http.Header
 
 	bb bytes.Buffer
 }
@@ -1559,7 +754,6 @@ func (w *fakeResponseWriter) Write(p []byte) (int, error) {
 }
 
 func (w *fakeResponseWriter) WriteHeader(statusCode int) {
-	w.statusCode = statusCode
 	fmt.Fprintf(&w.bb, "statusCode=%d\n", statusCode)
 	if w.h == nil {
 		return
@@ -1580,12 +774,6 @@ func (w *fakeResponseWriter) SetReadDeadline(deadline time.Time) error {
 	return nil
 }
 
-func (w *fakeResponseWriter) reset() {
-	w.bb.Reset()
-	w.statusCode = 0
-	clear(w.h)
-}
-
 func TestBufferRequestBody_Success(t *testing.T) {
 	defaultRequestBufferSize := requestBufferSize.String()
 	defer func() {

app/vmauth/main_timing_test.go

@@ -1,194 +0,0 @@
-package main
-
-import (
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-	"time"
-)
-
-func BenchmarkJWTRequestHandler(b *testing.B) {
-	// Generate RSA key pair for testing
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		b.Fatalf("cannot generate RSA key: %s", err)
-	}
-
-	// Generate public key PEM
-	publicKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
-	if err != nil {
-		b.Fatalf("cannot marshal public key: %s", err)
-	}
-	publicKeyPEM := pem.EncodeToMemory(&pem.Block{
-		Type:  "PUBLIC KEY",
-		Bytes: publicKeyBytes,
-	})
-
-	genToken := func(t *testing.B, body map[string]any, valid bool) string {
-		t.Helper()
-
-		headerJSON, err := json.Marshal(map[string]any{
-			"alg": "RS256",
-			"typ": "JWT",
-		})
-		if err != nil {
-			t.Fatalf("cannot marshal header: %s", err)
-		}
-		headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
-
-		bodyJSON, err := json.Marshal(body)
-		if err != nil {
-			t.Fatalf("cannot marshal body: %s", err)
-		}
-		bodyB64 := base64.RawURLEncoding.EncodeToString(bodyJSON)
-
-		payload := headerB64 + "." + bodyB64
-
-		var signatureB64 string
-		if valid {
-			// Create real RSA signature
-			hash := crypto.SHA256
-			h := hash.New()
-			h.Write([]byte(payload))
-			digest := h.Sum(nil)
-
-			signature, err := rsa.SignPKCS1v15(rand.Reader, privateKey, hash, digest)
-			if err != nil {
-				t.Fatalf("cannot sign token: %s", err)
-			}
-			signatureB64 = base64.RawURLEncoding.EncodeToString(signature)
-		} else {
-			signatureB64 = base64.RawURLEncoding.EncodeToString([]byte("invalid_signature"))
-		}
-
-		return payload + "." + signatureB64
-	}
-
-	f := func(name string, cfgStr string, r *http.Request, statusCodeExpected int) {
-		b.Helper()
-
-		b.ReportAllocs()
-		b.ResetTimer()
-		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-			if _, err := w.Write([]byte("path: " + r.URL.Path + "\n")); err != nil {
-				panic(fmt.Errorf("cannot write response: %w", err))
-			}
-		}))
-		defer ts.Close()
-
-		cfgStr = strings.ReplaceAll(cfgStr, "{BACKEND}", ts.URL)
-
-		cfgOrigP := authConfigData.Load()
-		if _, err := reloadAuthConfigData([]byte(cfgStr)); err != nil {
-			b.Fatalf("cannot load config data: %s", err)
-		}
-		defer func() {
-			cfgOrig := []byte("unauthorized_user:\n  url_prefix: http://foo/bar")
-			if cfgOrigP != nil {
-				cfgOrig = *cfgOrigP
-			}
-			_, err := reloadAuthConfigData(cfgOrig)
-			if err != nil {
-				b.Fatalf("cannot load the original config: %s", err)
-			}
-		}()
-
-		b.Run(name, func(b *testing.B) {
-			b.ResetTimer()
-			b.ReportAllocs()
-			b.RunParallel(func(pb *testing.PB) {
-				w := &fakeResponseWriter{}
-				for pb.Next() {
-					w.reset()
-					if !requestHandlerWithInternalRoutes(w, r) {
-						b.Fatalf("unexpected false is returned from requestHandler")
-					}
-					if w.statusCode != statusCodeExpected {
-						b.Fatalf("unexpected response code (-%d;+%d)", statusCodeExpected, w.statusCode)
-					}
-
-				}
-			})
-		})
-	}
-
-	simpleCfgStr := fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  url_prefix: {BACKEND}/foo`, string(publicKeyPEM))
-	noVMAccessClaimToken := genToken(b, nil, true)
-	expiredToken := genToken(b, map[string]any{
-		"exp":       10,
-		"vm_access": map[string]any{},
-	}, true)
-
-	fullToken := genToken(b, map[string]any{
-		"exp":   time.Now().Add(10 * time.Minute).Unix(),
-		"scope": "email id",
-		"vm_access": map[string]any{
-			"extra_labels": map[string]string{
-				"label":  "value1",
-				"label2": "value3",
-			},
-			"extra_filters":      []string{"stream_filter1", "stream_filter2"},
-			"metrics_account_id": 123,
-			"metrics_project_id": 234,
-			"metrics_extra_labels": []string{
-				"label1=value1",
-				"label2=value2",
-			},
-			"metrics_extra_filters": []string{
-				`{label3="value3"}`,
-				`{label4="value4"}`,
-			},
-			"logs_account_id": 345,
-			"logs_project_id": 456,
-			"logs_extra_filters": []string{
-				`{"namespace":"my-app","env":"prod"}`,
-			},
-			"logs_extra_stream_filters": []string{
-				`{"team":"dev"}`,
-			},
-		},
-	}, true)
-
-	// tenant headers are overwritten if set as placeholders
-	// extra_filters extra_stream_filters from vm_access claim merged with statically defined
-	request := httptest.NewRequest(`GET`, "http://some-host.com/query", nil)
-	request.Header.Set(`Authorization`, `Bearer `+fullToken)
-	f("full_template",
-		fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-  headers:
-    - "AccountID: {{.LogsAccountID}}"
-    - "ProjectID: {{.LogsProjectID}}"
-  url_prefix: {BACKEND}/select/logsql/?extra_filters=aStaticFilter&extra_stream_filters=aStaticStreamFilter&extra_filters={{.LogsExtraFilters}}&extra_stream_filters={{.LogsExtraStreamFilters}}`, string(publicKeyPEM)),
-		request,
-		http.StatusOK,
-	)
-
-	// token without vm_access claim
-	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
-	request.Header.Set(`Authorization`, `Bearer `+noVMAccessClaimToken)
-	f("token_without_claim", simpleCfgStr, request, http.StatusUnauthorized)
-
-	// expired token
-	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
-	request.Header.Set(`Authorization`, `Bearer `+expiredToken)
-	f("expired_token", simpleCfgStr, request, http.StatusUnauthorized)
-}

app/vmauth/oidc.go

@@ -1,195 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/jwt"
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/timeutil"
-)
-
-type oidcConfig struct {
-	Issuer string `yaml:"issuer"`
-}
-
-type oidcDiscovererPool struct {
-	ds map[string]*oidcDiscoverer
-
-	context context.Context
-	cancel  func()
-	wg      *sync.WaitGroup
-}
-
-func (dp *oidcDiscovererPool) createOrAdd(issuer string, vp *atomic.Pointer[jwt.VerifierPool]) {
-	if dp.ds == nil {
-		dp.ds = make(map[string]*oidcDiscoverer)
-		dp.context, dp.cancel = context.WithCancel(context.Background())
-		dp.wg = &sync.WaitGroup{}
-	}
-
-	ds, found := dp.ds[issuer]
-	if !found {
-		ds = &oidcDiscoverer{
-			issuer: issuer,
-		}
-		dp.ds[issuer] = ds
-	}
-
-	ds.vps = append(ds.vps, vp)
-}
-
-func (dp *oidcDiscovererPool) startDiscovery() {
-	if len(dp.ds) == 0 {
-		return
-	}
-
-	for _, d := range dp.ds {
-		dp.wg.Go(func() {
-			if err := d.refreshVerifierPools(dp.context); err != nil {
-				logger.Errorf("failed to initialize OIDC verifier pool at start for issuer %q: %s", d.issuer, err)
-			}
-		})
-	}
-	dp.wg.Wait()
-
-	for _, d := range dp.ds {
-		dp.wg.Go(func() {
-			d.run(dp.context)
-		})
-	}
-}
-
-func (dp *oidcDiscovererPool) stopDiscovery() {
-	if len(dp.ds) == 0 {
-		return
-	}
-
-	dp.cancel()
-	dp.wg.Wait()
-}
-
-type oidcDiscoverer struct {
-	issuer string
-	vps    []*atomic.Pointer[jwt.VerifierPool]
-}
-
-func (d *oidcDiscoverer) run(ctx context.Context) {
-	t := time.NewTimer(timeutil.AddJitterToDuration(time.Second * 10))
-	defer t.Stop()
-
-	for {
-		select {
-		case <-t.C:
-			if err := d.refreshVerifierPools(ctx); errors.Is(err, context.Canceled) {
-				return
-			} else if err != nil {
-				t.Reset(timeutil.AddJitterToDuration(time.Second * 10))
-				logger.Errorf("failed to refresh OIDC verifier pool for issuer %q: %v", d.issuer, err)
-				continue
-			}
-			// OIDC may return Cache-Control header with max-age directive.
-			// It could be used as time range for next refresh.
-			// https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys
-			t.Reset(timeutil.AddJitterToDuration(time.Minute * 5))
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-func (d *oidcDiscoverer) refreshVerifierPools(ctx context.Context) error {
-	cfg, err := getOpenIDConfiguration(ctx, d.issuer)
-	if err != nil {
-		return err
-	}
-	// The issuer in the OIDC configuration must match the expected issuer.
-	// https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys
-	if cfg.Issuer != d.issuer {
-		return fmt.Errorf("openid configuration issuer %q does not match expected issuer %q", cfg.Issuer, d.issuer)
-	}
-
-	verifierPool, err := fetchAndParseJWKs(ctx, cfg.JWKsURI)
-	if err != nil {
-		return err
-	}
-
-	for _, vp := range d.vps {
-		vp.Store(verifierPool)
-	}
-	return nil
-}
-
-// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata for details.
-type openidConfig struct {
-	Issuer  string `json:"issuer"`
-	JWKsURI string `json:"jwks_uri"`
-}
-
-var oidcHTTPClient = &http.Client{
-	Timeout: time.Second * 5,
-}
-
-func fetchAndParseJWKs(ctx context.Context, jwksURI string) (*jwt.VerifierPool, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, jwksURI, nil)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create request for fetching jwks keys from %q: %w", jwksURI, err)
-	}
-
-	resp, err := oidcHTTPClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("failed to fetch jwks keys from %q: %w", jwksURI, err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("unexpected status code %d when fetching jwks keys from %q", resp.StatusCode, jwksURI)
-	}
-
-	b, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read response body from %q: %w", jwksURI, err)
-	}
-
-	vp, err := jwt.ParseJWKs(b)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse jwks keys from %q: %v", jwksURI, err)
-	}
-
-	return vp, nil
-}
-
-func getOpenIDConfiguration(ctx context.Context, issuer string) (openidConfig, error) {
-	issuer, _ = strings.CutSuffix(issuer, "/")
-	configURL := fmt.Sprintf("%s/.well-known/openid-configuration", issuer)
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, configURL, nil)
-	if err != nil {
-		return openidConfig{}, fmt.Errorf("failed to create request for fetching openid config from %q: %w", configURL, err)
-	}
-
-	resp, err := oidcHTTPClient.Do(req)
-	if err != nil {
-		return openidConfig{}, fmt.Errorf("failed to fetch openid config from %q: %w", configURL, err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return openidConfig{}, fmt.Errorf("unexpected status code %d when fetching openid config from %q", resp.StatusCode, configURL)
-	}
-
-	var cfg openidConfig
-	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
-		return openidConfig{}, fmt.Errorf("failed to decode openid config from %q: %s", configURL, err)
-	}
-
-	return cfg, nil
-}

app/vminsert/datadogsketches/request_handler.go

@@ -45,14 +45,15 @@ func insertRows(sketches []*datadogsketches.Sketch, extraLabels []prompb.Label)
 		ms := sketch.ToSummary()
 		for _, m := range ms {
 			ctx.Labels = ctx.Labels[:0]
-			// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10557
-			ctx.AddLabel("host", sketch.Host) // newly added
 			ctx.AddLabel("", m.Name)
 			for _, label := range m.Labels {
 				ctx.AddLabel(label.Name, label.Value)
 			}
 			for _, tag := range sketch.Tags {
 				name, value := datadogutil.SplitTag(tag)
+				if name == "host" {
+					name = "exported_host"
+				}
 				ctx.AddLabel(name, value)
 			}
 			for j := range extraLabels {

app/vmselect/main.go

@@ -321,23 +321,19 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 		return true
 	case "/tags/tagSeries":
 		graphiteTagsTagSeriesRequests.Inc()
-		err := &httpserver.ErrorWithStatusCode{
-			Err: fmt.Errorf("graphite tag registration has been disabled and is planned to be removed in future. " +
-				"See: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10544"),
-			StatusCode: http.StatusNotImplemented,
+		if err := graphite.TagsTagSeriesHandler(startTime, w, r); err != nil {
+			graphiteTagsTagSeriesErrors.Inc()
+			httpserver.Errorf(w, r, "%s", err)
+			return true
 		}
-		graphiteTagsTagSeriesErrors.Inc()
-		httpserver.Errorf(w, r, "%s", err)
 		return true
 	case "/tags/tagMultiSeries":
 		graphiteTagsTagMultiSeriesRequests.Inc()
-		err := &httpserver.ErrorWithStatusCode{
-			Err: fmt.Errorf("graphite tag registration has been disabled and is planned to be removed in future. " +
-				"See: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10544"),
-			StatusCode: http.StatusNotImplemented,
+		if err := graphite.TagsTagMultiSeriesHandler(startTime, w, r); err != nil {
+			graphiteTagsTagMultiSeriesErrors.Inc()
+			httpserver.Errorf(w, r, "%s", err)
+			return true
 		}
-		graphiteTagsTagMultiSeriesErrors.Inc()
-		httpserver.Errorf(w, r, "%s", err)
 		return true
 	case "/tags":
 		graphiteTagsRequests.Inc()

app/vmselect/prometheus/prometheus.go

@@ -12,7 +12,6 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
-	"unicode/utf8"
 
 	"github.com/VictoriaMetrics/metrics"
 	"github.com/VictoriaMetrics/metricsql"
@@ -529,14 +528,6 @@ func LabelValuesHandler(qt *querytracer.Tracer, startTime time.Time, labelName s
 		return err
 	}
 	sq := storage.NewSearchQuery(cp.start, cp.end, cp.filterss, *maxLabelsAPISeries)
-
-	if strings.HasPrefix(labelName, "U__") {
-		// This label seems to be Unicode-encoded according to the Prometheus spec.
-		// See https://prometheus.io/docs/prometheus/latest/querying/api/#querying-label-values
-		// Spec: https://github.com/prometheus/proposals/blob/main/proposals/0028-utf8.md
-		labelName = unescapePrometheusLabelName(labelName)
-	}
-
 	labelValues, err := netstorage.LabelValues(qt, labelName, sq, limit, cp.deadline)
 	if err != nil {
 		return fmt.Errorf("cannot obtain values for label %q: %w", labelName, err)
@@ -1339,70 +1330,3 @@ func calculateMaxUniqueTimeSeriesForResource(maxConcurrentRequests, remainingMem
 func GetMaxUniqueTimeSeries() int {
 	return maxUniqueTimeseriesValue
 }
-
-// copied from https://github.com/prometheus/common/blob/adea6285c1c7447fcb7bfdeb6abfc6eff893e0a7/model/metric.go#L483
-// it's not possible to use direct import due to increased binary size
-func unescapePrometheusLabelName(name string) string {
-	// lower function taken from strconv.atoi.
-	lower := func(c byte) byte {
-		return c | ('x' - 'X')
-	}
-	if len(name) == 0 {
-		return name
-	}
-	escapedName, found := strings.CutPrefix(name, "U__")
-	if !found {
-		return name
-	}
-
-	var unescaped strings.Builder
-TOP:
-	for i := 0; i < len(escapedName); i++ {
-		// All non-underscores are treated normally.
-		if escapedName[i] != '_' {
-			unescaped.WriteByte(escapedName[i])
-			continue
-		}
-		i++
-		if i >= len(escapedName) {
-			return name
-		}
-		// A double underscore is a single underscore.
-		if escapedName[i] == '_' {
-			unescaped.WriteByte('_')
-			continue
-		}
-		// We think we are in a UTF-8 code, process it.
-		var utf8Val uint
-		for j := 0; i < len(escapedName); j++ {
-			// This is too many characters for a utf8 value based on the MaxRune
-			// value of '\U0010FFFF'.
-			if j >= 6 {
-				return name
-			}
-			// Found a closing underscore, convert to a rune, check validity, and append.
-			if escapedName[i] == '_' {
-				utf8Rune := rune(utf8Val)
-				if !utf8.ValidRune(utf8Rune) {
-					return name
-				}
-				unescaped.WriteRune(utf8Rune)
-				continue TOP
-			}
-			r := lower(escapedName[i])
-			utf8Val *= 16
-			switch {
-			case r >= '0' && r <= '9':
-				utf8Val += uint(r) - '0'
-			case r >= 'a' && r <= 'f':
-				utf8Val += uint(r) - 'a' + 10
-			default:
-				return name
-			}
-			i++
-		}
-		// Didn't find closing underscore, invalid.
-		return name
-	}
-	return unescaped.String()
-}

app/vmselect/promql/eval.go

@@ -1166,61 +1166,6 @@ func evalInstantRollup(qt *querytracer.Tracer, ec *EvalConfig, funcName string,
 			},
 		}
 		return evalExpr(qt, ec, be)
-	// the cached rate result could be inaccurate in edge cases, see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10098
-	case "rate":
-		if iafc != nil {
-			if !strings.EqualFold(iafc.ae.Name, "sum") {
-				qt.Printf("do not apply instant rollup optimization for incremental aggregate %s()", iafc.ae.Name)
-				return evalAt(qt, timestamp, window)
-			}
-			qt.Printf("optimized calculation for sum(rate(m[d])) as (sum(increase(m[d])) / d)")
-			afe := expr.(*metricsql.AggrFuncExpr)
-			fe := afe.Args[0].(*metricsql.FuncExpr)
-			feIncrease := *fe
-			feIncrease.Name = "increase"
-			// copy RollupExpr to drop possible offset,
-			// see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9762
-			newArg := copyRollupExpr(fe.Args[0].(*metricsql.RollupExpr))
-			newArg.Offset = nil
-			feIncrease.Args = []metricsql.Expr{newArg}
-			d := newArg.Window.Duration(ec.Step)
-			if d == 0 {
-				d = ec.Step
-			}
-			afeIncrease := *afe
-			afeIncrease.Args = []metricsql.Expr{&feIncrease}
-			be := &metricsql.BinaryOpExpr{
-				Op:              "/",
-				KeepMetricNames: true,
-				Left:            &afeIncrease,
-				Right: &metricsql.NumberExpr{
-					N: float64(d) / 1000,
-				},
-			}
-			return evalExpr(qt, ec, be)
-		}
-		qt.Printf("optimized calculation for instant rollup rate(m[d]) as (increase(m[d]) / d)")
-		fe := expr.(*metricsql.FuncExpr)
-		feIncrease := *fe
-		feIncrease.Name = "increase"
-		// copy RollupExpr to drop possible offset,
-		// see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9762
-		newArg := copyRollupExpr(fe.Args[0].(*metricsql.RollupExpr))
-		newArg.Offset = nil
-		feIncrease.Args = []metricsql.Expr{newArg}
-		d := newArg.Window.Duration(ec.Step)
-		if d == 0 {
-			d = ec.Step
-		}
-		be := &metricsql.BinaryOpExpr{
-			Op:              "/",
-			KeepMetricNames: fe.KeepMetricNames,
-			Left:            &feIncrease,
-			Right: &metricsql.NumberExpr{
-				N: float64(d) / 1000,
-			},
-		}
-		return evalExpr(qt, ec, be)
 	case "max_over_time":
 		if iafc != nil {
 			if !strings.EqualFold(iafc.ae.Name, "max") {

app/vmselect/promql/exec_test.go

@@ -4018,12 +4018,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(scalar)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(123, 456, time())`
-		resultExpected := []netstorage.Result{}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(single-value-no-le)`, func(t *testing.T) {
 		t.Parallel()
 		q := `histogram_quantile(0.6, label_set(100, "foo", "bar"))`
@@ -4036,12 +4030,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(single-value-no-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(123,456, label_set(100, "foo", "bar"))`
-		resultExpected := []netstorage.Result{}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(single-value-invalid-le)`, func(t *testing.T) {
 		t.Parallel()
 		q := `histogram_quantile(0.6, label_set(100, "le", "foobar"))`
@@ -4054,12 +4042,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(single-value-invalid-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(50, 60, label_set(100, "le", "foobar"))`
-		resultExpected := []netstorage.Result{}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(single-value-inf-le)`, func(t *testing.T) {
 		t.Parallel()
 		q := `histogram_quantile(0.6, label_set(100, "le", "+Inf"))`
@@ -4201,28 +4183,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(single-value-valid-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(0, 100, label_set(100, "le", "200"))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0.5, 0.5, 0.5, 0.5, 0.5, 0.5},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
-	t.Run(`histogram_fraction(single-value-valid-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(200, 300, label_set(100, "le", "200"))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0, 0, 0, 0, 0, 0},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(single-value-valid-le, boundsLabel)`, func(t *testing.T) {
 		t.Parallel()
 		q := `sort(histogram_quantile(0.6, label_set(100, "le", "200"), "foobar"))`
@@ -4252,7 +4212,7 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r1, r2, r3}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_share(single-value-valid-le, boundsLabel)`, func(t *testing.T) {
+	t.Run(`histogram_quantile(single-value-valid-le, boundsLabel)`, func(t *testing.T) {
 		t.Parallel()
 		q := `sort(histogram_share(120, label_set(100, "le", "200"), "foobar"))`
 		r1 := netstorage.Result{
@@ -4351,37 +4311,7 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(single-value-valid-le-max-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(0,100, (
-			label_set(100, "le", "100"),
-			label_set(40, "le", "50"),
-			label_set(0, "le", "10"),
-		))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{1, 1, 1, 1, 1, 1},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
-	t.Run(`histogram_fraction(single-value-valid-le-min-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(0,10, (
-			label_set(100, "le", "100"),
-			label_set(40, "le", "50"),
-			label_set(0, "le", "10"),
-		))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0, 0, 0, 0, 0, 0},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
-	t.Run(`histogram_share(single-value-valid-le-mid-le-1)`, func(t *testing.T) {
+	t.Run(`histogram_share(single-value-valid-le-mid-le)`, func(t *testing.T) {
 		t.Parallel()
 		q := `histogram_share(105, (
 			label_set(100, "le", "200"),
@@ -4395,34 +4325,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_share(single-value-valid-le-mid-le-2)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_share(55, (
-			label_set(100, "le", "200"),
-			label_set(0, "le", "55"),
-		))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0, 0, 0, 0, 0, 0},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
-	t.Run(`histogram_fraction(single-value-valid-le-mid-le)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(55,105, (
-			label_set(100, "le", "200"),
-			label_set(0, "le", "55"),
-		))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0.3448275862068966, 0.3448275862068966, 0.3448275862068966, 0.3448275862068966, 0.3448275862068966, 0.3448275862068966},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(single-value-valid-le-min-phi-no-zero-bucket)`, func(t *testing.T) {
 		t.Parallel()
 		q := `histogram_quantile(0, label_set(100, "le", "200"))`
@@ -4456,17 +4358,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(scalar-phi)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(25, time() / 8, label_set(100, "le", "200"))`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0.5, 0.625, 0.75, 0.875, 0.875, 0.875},
-			Timestamps: timestampsExpected,
-		}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(duplicate-le)`, func(t *testing.T) {
 		// See https://github.com/VictoriaMetrics/VictoriaMetrics/pull/3225
 		t.Parallel()
@@ -4548,36 +4439,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r1, r2}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(valid)`, func(t *testing.T) {
-		t.Parallel()
-		q := `sort(histogram_fraction(0, 25,
-			label_set(90, "foo", "bar", "le", "10")
-			or label_set(100, "foo", "bar", "le", "30")
-			or label_set(300, "foo", "bar", "le", "+Inf")
-			or label_set(200, "tag", "xx", "le", "10")
-			or label_set(300, "tag", "xx", "le", "30")
-		))`
-		r1 := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0.325, 0.325, 0.325, 0.325, 0.325, 0.325},
-			Timestamps: timestampsExpected,
-		}
-		r1.MetricName.Tags = []storage.Tag{{
-			Key:   []byte("foo"),
-			Value: []byte("bar"),
-		}}
-		r2 := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0.9166666666666666, 0.9166666666666666, 0.9166666666666666, 0.9166666666666666, 0.9166666666666666, 0.9166666666666666},
-			Timestamps: timestampsExpected,
-		}
-		r2.MetricName.Tags = []storage.Tag{{
-			Key:   []byte("tag"),
-			Value: []byte("xx"),
-		}}
-		resultExpected := []netstorage.Result{r1, r2}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(negative-bucket-count)`, func(t *testing.T) {
 		t.Parallel()
 		q := `histogram_quantile(0.6,
@@ -4694,25 +4555,6 @@ func TestExecSuccess(t *testing.T) {
 		resultExpected := []netstorage.Result{r}
 		f(q, resultExpected)
 	})
-	t.Run(`histogram_fraction(normal-bucket-count)`, func(t *testing.T) {
-		t.Parallel()
-		q := `histogram_fraction(22,35,
-			label_set(0, "foo", "bar", "le", "10")
-			or label_set(100, "foo", "bar", "le", "30")
-			or label_set(300, "foo", "bar", "le", "+Inf")
-		)`
-		r := netstorage.Result{
-			MetricName: metricNameExpected,
-			Values:     []float64{0.1333333333333333, 0.1333333333333333, 0.1333333333333333, 0.1333333333333333, 0.1333333333333333, 0.1333333333333333},
-			Timestamps: timestampsExpected,
-		}
-		r.MetricName.Tags = []storage.Tag{{
-			Key:   []byte("foo"),
-			Value: []byte("bar"),
-		}}
-		resultExpected := []netstorage.Result{r}
-		f(q, resultExpected)
-	})
 	t.Run(`histogram_quantile(normal-bucket-count, boundsLabel)`, func(t *testing.T) {
 		t.Parallel()
 		q := `sort(histogram_quantile(0.2,

app/vmselect/promql/transform.go

@@ -51,7 +51,6 @@ var transformFuncs = map[string]transformFunc{
 	"exp":                        newTransformFuncOneArg(transformExp),
 	"floor":                      newTransformFuncOneArg(transformFloor),
 	"histogram_avg":              transformHistogramAvg,
-	"histogram_fraction":         transformHistogramFraction,
 	"histogram_quantile":         transformHistogramQuantile,
 	"histogram_quantiles":        transformHistogramQuantiles,
 	"histogram_share":            transformHistogramShare,
@@ -663,13 +662,13 @@ func transformHistogramShare(tfa *transformFuncArg) ([]*timeseries, error) {
 		if math.IsNaN(leReq) || len(xss) == 0 {
 			return nan, nan, nan
 		}
+		fixBrokenBuckets(i, xss)
 		if leReq < 0 {
 			return 0, 0, 0
 		}
 		if math.IsInf(leReq, 1) {
 			return 1, 1, 1
 		}
-		fixBrokenBuckets(i, xss)
 		var vPrev, lePrev float64
 		for _, xs := range xss {
 			v := xs.ts.Values[i]
@@ -730,85 +729,6 @@ func transformHistogramShare(tfa *transformFuncArg) ([]*timeseries, error) {
 	return rvs, nil
 }
 
-// histogram_fraction is a shortcut for `histogram_share(upperLe, buckets) - histogram_share(lowerLe, buckets)`;
-// histogram_fraction(x, y) = histogram_fraction(-Inf, y) - histogram_fraction(-Inf, x) = histogram_share(y) - histogram_share(x).
-// This function is supported by PromQL.
-func transformHistogramFraction(tfa *transformFuncArg) ([]*timeseries, error) {
-	args := tfa.args
-	if err := expectTransformArgsNum(args, 3); err != nil {
-		return nil, err
-	}
-	lowerles, err := getScalar(args[0], 0)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse lower le: %w", err)
-	}
-	upperles, err := getScalar(args[1], 1)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse upper le: %w", err)
-	}
-	if lowerles[0] >= upperles[0] {
-		return nil, fmt.Errorf("lower le cannot be greater than upper le; got lower le: %f, upper le: %f", lowerles[0], upperles[0])
-	}
-
-	// Convert buckets with `vmrange` labels to buckets with `le` labels.
-	tss := vmrangeBucketsToLE(args[2])
-
-	// Group metrics by all tags excluding "le"
-	m := groupLeTimeseries(tss)
-
-	fraction := func(i int, lowerle, upperle float64, xss []leTimeseries) (q float64) {
-		if math.IsNaN(lowerle) || math.IsNaN(upperle) || len(xss) == 0 {
-			return nan
-		}
-		fixBrokenBuckets(i, xss)
-		share := func(leReq float64) float64 {
-			if leReq < 0 {
-				return 0
-			}
-			if math.IsInf(leReq, 1) {
-				return 1
-			}
-			var vPrev, lePrev float64
-			for _, xs := range xss {
-				v := xs.ts.Values[i]
-				le := xs.le
-				if leReq >= le {
-					vPrev = v
-					lePrev = le
-					continue
-				}
-				// precondition: lePrev <= leReq < le
-				vLast := xss[len(xss)-1].ts.Values[i]
-				lower := vPrev / vLast
-				if math.IsInf(le, 1) {
-					return lower
-				}
-				if lePrev == leReq {
-					return lower
-				}
-				q = lower + (v-vPrev)/vLast*(leReq-lePrev)/(le-lePrev)
-				return q
-			}
-			return 1
-		}
-		return share(upperle) - share(lowerle)
-	}
-	rvs := make([]*timeseries, 0, len(m))
-	for _, xss := range m {
-		sort.Slice(xss, func(i, j int) bool {
-			return xss[i].le < xss[j].le
-		})
-		xss = mergeSameLE(xss)
-		dst := xss[0].ts
-		for i := range dst.Values {
-			q := fraction(i, lowerles[i], upperles[i], xss)
-			dst.Values[i] = q
-		}
-		rvs = append(rvs, dst)
-	}
-	return rvs, nil
-}
-
 func transformHistogramAvg(tfa *transformFuncArg) ([]*timeseries, error) {
 	args := tfa.args
 	if err := expectTransformArgsNum(args, 1); err != nil {

app/vmselect/vmui/assets/MetricsQL-DDLrk-ox.md

@@ -1227,10 +1227,7 @@ Metric names are stripped from the resulting series. Add [keep_metric_names](#ke
 #### buckets_limit
 
 `buckets_limit(limit, buckets)` is a [transform function](#transform-functions), which limits the number
-of [histogram buckets](https://valyala.medium.com/improving-histogram-usability-for-prometheus-and-grafana-bc7e5df0e350) to the given `limit`. 
-
-The result will preserve the first and the last bucket to improve accuracy for min and max values. 
-So, if the `limit` is greater than 0 and less than 3, the function will still return 3 buckets: the first bucket, the last bucket, and a selected bucket.
+of [histogram buckets](https://valyala.medium.com/improving-histogram-usability-for-prometheus-and-grafana-bc7e5df0e350) to the given `limit`.
 
 See also [prometheus_buckets](#prometheus_buckets) and [histogram_quantile](#histogram_quantile).
 
@@ -1384,15 +1381,6 @@ It can be used for calculating the average over the given time range across mult
 For example, `histogram_avg(sum(histogram_over_time(response_time_duration_seconds[5m])) by (vmrange,job))` would return the average response time
 per each `job` over the last 5 minutes.
 
-#### histogram_fraction
-
-`histogram_fraction(lowerLe, upperLe, buckets)` is a [transform function](#transform-functions), which calculates the share (in the range `[0...1]`) for `buckets` that fall between `lowerLe` and `upperLe`.
-The result of `histogram_fraction(lowerLe, upperLe, buckets)` is equivalent to `histogram_share(upperLe, buckets) - histogram_share(lowerLe, buckets)`.
-
-This function is supported by PromQL.
-
-See also [histogram_share](#histogram_share).
-
 #### histogram_quantile
 
 `histogram_quantile(phi, buckets)` is a [transform function](#transform-functions), which calculates `phi`-[percentile](https://en.wikipedia.org/wiki/Percentile)

app/vmselect/vmui/index.html

@@ -37,10 +37,10 @@
   <meta property="og:title" content="UI for VictoriaMetrics">
   <meta property="og:url" content="https://victoriametrics.com/">
   <meta property="og:description" content="Explore and troubleshoot your VictoriaMetrics data">
-  <script type="module" crossorigin src="./assets/index-DeVEZ1fy.js"></script>
+  <script type="module" crossorigin src="./assets/index-C1hTBemk.js"></script>
   <link rel="modulepreload" crossorigin href="./assets/vendor-BR6Q0Fin.js">
   <link rel="stylesheet" crossorigin href="./assets/vendor-D1GxaB_c.css">
-  <link rel="stylesheet" crossorigin href="./assets/index-DffVfcrT.css">
+  <link rel="stylesheet" crossorigin href="./assets/index-D7CzMv1O.css">
 </head>
 <body>
 <noscript>You need to enable JavaScript to run this app.</noscript>

app/vmui/Dockerfile-web

@@ -1,4 +1,4 @@
-FROM golang:1.26.1 AS build-web-stage
+FROM golang:1.26.0 AS build-web-stage
 COPY build /build
 
 WORKDIR /build

app/vmui/packages/vmui/package-lock.json

@@ -1681,9 +1681,9 @@
       }
     },
     "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.59.0.tgz",
-      "integrity": "sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.52.5.tgz",
+      "integrity": "sha512-8c1vW4ocv3UOMp9K+gToY5zL2XiiVw3k7f1ksf4yO1FlDFQ1C2u72iACFnSOceJFsWskc2WZNqeRhFRPzv+wtQ==",
       "cpu": [
         "arm"
       ],
@@ -1694,9 +1694,9 @@
       ]
     },
     "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.59.0.tgz",
-      "integrity": "sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.52.5.tgz",
+      "integrity": "sha512-mQGfsIEFcu21mvqkEKKu2dYmtuSZOBMmAl5CFlPGLY94Vlcm+zWApK7F/eocsNzp8tKmbeBP8yXyAbx0XHsFNA==",
       "cpu": [
         "arm64"
       ],
@@ -1707,9 +1707,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.59.0.tgz",
-      "integrity": "sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.52.5.tgz",
+      "integrity": "sha512-takF3CR71mCAGA+v794QUZ0b6ZSrgJkArC+gUiG6LB6TQty9T0Mqh3m2ImRBOxS2IeYBo4lKWIieSvnEk2OQWA==",
       "cpu": [
         "arm64"
       ],
@@ -1720,9 +1720,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.59.0.tgz",
-      "integrity": "sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.52.5.tgz",
+      "integrity": "sha512-W901Pla8Ya95WpxDn//VF9K9u2JbocwV/v75TE0YIHNTbhqUTv9w4VuQ9MaWlNOkkEfFwkdNhXgcLqPSmHy0fA==",
       "cpu": [
         "x64"
       ],
@@ -1733,9 +1733,9 @@
       ]
     },
     "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.59.0.tgz",
-      "integrity": "sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.52.5.tgz",
+      "integrity": "sha512-QofO7i7JycsYOWxe0GFqhLmF6l1TqBswJMvICnRUjqCx8b47MTo46W8AoeQwiokAx3zVryVnxtBMcGcnX12LvA==",
       "cpu": [
         "arm64"
       ],
@@ -1746,9 +1746,9 @@
       ]
     },
     "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.59.0.tgz",
-      "integrity": "sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.52.5.tgz",
+      "integrity": "sha512-jr21b/99ew8ujZubPo9skbrItHEIE50WdV86cdSoRkKtmWa+DDr6fu2c/xyRT0F/WazZpam6kk7IHBerSL7LDQ==",
       "cpu": [
         "x64"
       ],
@@ -1759,9 +1759,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.59.0.tgz",
-      "integrity": "sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.52.5.tgz",
+      "integrity": "sha512-PsNAbcyv9CcecAUagQefwX8fQn9LQ4nZkpDboBOttmyffnInRy8R8dSg6hxxl2Re5QhHBf6FYIDhIj5v982ATQ==",
       "cpu": [
         "arm"
       ],
@@ -1772,9 +1772,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.59.0.tgz",
-      "integrity": "sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.52.5.tgz",
+      "integrity": "sha512-Fw4tysRutyQc/wwkmcyoqFtJhh0u31K+Q6jYjeicsGJJ7bbEq8LwPWV/w0cnzOqR2m694/Af6hpFayLJZkG2VQ==",
       "cpu": [
         "arm"
       ],
@@ -1785,9 +1785,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.59.0.tgz",
-      "integrity": "sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.52.5.tgz",
+      "integrity": "sha512-a+3wVnAYdQClOTlyapKmyI6BLPAFYs0JM8HRpgYZQO02rMR09ZcV9LbQB+NL6sljzG38869YqThrRnfPMCDtZg==",
       "cpu": [
         "arm64"
       ],
@@ -1798,9 +1798,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.59.0.tgz",
-      "integrity": "sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.52.5.tgz",
+      "integrity": "sha512-AvttBOMwO9Pcuuf7m9PkC1PUIKsfaAJ4AYhy944qeTJgQOqJYJ9oVl2nYgY7Rk0mkbsuOpCAYSs6wLYB2Xiw0Q==",
       "cpu": [
         "arm64"
       ],
@@ -1811,22 +1811,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.59.0.tgz",
-      "integrity": "sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==",
-      "cpu": [
-        "loong64"
-      ],
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.59.0.tgz",
-      "integrity": "sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.52.5.tgz",
+      "integrity": "sha512-DkDk8pmXQV2wVrF6oq5tONK6UHLz/XcEVow4JTTerdeV1uqPeHxwcg7aFsfnSm9L+OO8WJsWotKM2JJPMWrQtA==",
       "cpu": [
         "loong64"
       ],
@@ -1837,22 +1824,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.59.0.tgz",
-      "integrity": "sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==",
-      "cpu": [
-        "ppc64"
-      ],
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.59.0.tgz",
-      "integrity": "sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.52.5.tgz",
+      "integrity": "sha512-W/b9ZN/U9+hPQVvlGwjzi+Wy4xdoH2I8EjaCkMvzpI7wJUs8sWJ03Rq96jRnHkSrcHTpQe8h5Tg3ZzUPGauvAw==",
       "cpu": [
         "ppc64"
       ],
@@ -1863,9 +1837,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.59.0.tgz",
-      "integrity": "sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.52.5.tgz",
+      "integrity": "sha512-sjQLr9BW7R/ZiXnQiWPkErNfLMkkWIoCz7YMn27HldKsADEKa5WYdobaa1hmN6slu9oWQbB6/jFpJ+P2IkVrmw==",
       "cpu": [
         "riscv64"
       ],
@@ -1876,9 +1850,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.59.0.tgz",
-      "integrity": "sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.52.5.tgz",
+      "integrity": "sha512-hq3jU/kGyjXWTvAh2awn8oHroCbrPm8JqM7RUpKjalIRWWXE01CQOf/tUNWNHjmbMHg/hmNCwc/Pz3k1T/j/Lg==",
       "cpu": [
         "riscv64"
       ],
@@ -1889,9 +1863,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.59.0.tgz",
-      "integrity": "sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.52.5.tgz",
+      "integrity": "sha512-gn8kHOrku8D4NGHMK1Y7NA7INQTRdVOntt1OCYypZPRt6skGbddska44K8iocdpxHTMMNui5oH4elPH4QOLrFQ==",
       "cpu": [
         "s390x"
       ],
@@ -1902,9 +1876,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.52.5.tgz",
+      "integrity": "sha512-hXGLYpdhiNElzN770+H2nlx+jRog8TyynpTVzdlc6bndktjKWyZyiCsuDAlpd+j+W+WNqfcyAWz9HxxIGfZm1Q==",
       "cpu": [
         "x64"
       ],
@@ -1915,9 +1889,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.59.0.tgz",
-      "integrity": "sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.52.5.tgz",
+      "integrity": "sha512-arCGIcuNKjBoKAXD+y7XomR9gY6Mw7HnFBv5Rw7wQRvwYLR7gBAgV7Mb2QTyjXfTveBNFAtPt46/36vV9STLNg==",
       "cpu": [
         "x64"
       ],
@@ -1927,23 +1901,10 @@
         "linux"
       ]
     },
-    "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.59.0.tgz",
-      "integrity": "sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ]
-    },
     "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.59.0.tgz",
-      "integrity": "sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.52.5.tgz",
+      "integrity": "sha512-QoFqB6+/9Rly/RiPjaomPLmR/13cgkIGfA40LHly9zcH1S0bN2HVFYk3a1eAyHQyjs3ZJYlXvIGtcCs5tko9Cw==",
       "cpu": [
         "arm64"
       ],
@@ -1954,9 +1915,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.59.0.tgz",
-      "integrity": "sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.52.5.tgz",
+      "integrity": "sha512-w0cDWVR6MlTstla1cIfOGyl8+qb93FlAVutcor14Gf5Md5ap5ySfQ7R9S/NjNaMLSFdUnKGEasmVnu3lCMqB7w==",
       "cpu": [
         "arm64"
       ],
@@ -1967,9 +1928,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.59.0.tgz",
-      "integrity": "sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.52.5.tgz",
+      "integrity": "sha512-Aufdpzp7DpOTULJCuvzqcItSGDH73pF3ko/f+ckJhxQyHtp67rHw3HMNxoIdDMUITJESNE6a8uh4Lo4SLouOUg==",
       "cpu": [
         "ia32"
       ],
@@ -1980,9 +1941,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.52.5.tgz",
+      "integrity": "sha512-UGBUGPFp1vkj6p8wCRraqNhqwX/4kNQPS57BCFc8wYh0g94iVIW33wJtQAx3G7vrjjNtRaxiMUylM0ktp/TRSQ==",
       "cpu": [
         "x64"
       ],
@@ -1993,9 +1954,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.59.0.tgz",
-      "integrity": "sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.52.5.tgz",
+      "integrity": "sha512-TAcgQh2sSkykPRWLrdyy2AiceMckNf5loITqXxFI5VuQjS5tSuw3WlwdN8qv8vzjLAUTvYaH/mVjSFpbkFbpTg==",
       "cpu": [
         "x64"
       ],
@@ -2416,13 +2377,13 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.2"
+        "brace-expansion": "^2.0.1"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -4656,9 +4617,9 @@
       }
     },
     "node_modules/immutable": {
-      "version": "5.1.5",
-      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.1.5.tgz",
-      "integrity": "sha512-t7xcm2siw+hlUM68I+UEOK+z84RzmN59as9DZ7P1l0994DKUWV7UXBMQZVxaoMSRQ+PBZbHCOoBt7a2wxOMt+A==",
+      "version": "5.1.4",
+      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.1.4.tgz",
+      "integrity": "sha512-p6u1bG3YSnINT5RQmx/yRZBpenIl30kVxkTLDyHLIMk0gict704Q9n+thfDI7lTRm9vXdDYutVzXhzcThxTnXA==",
       "devOptional": true,
       "license": "MIT"
     },
@@ -5497,9 +5458,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -6219,9 +6180,9 @@
       }
     },
     "node_modules/rollup": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.59.0.tgz",
-      "integrity": "sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==",
+      "version": "4.52.5",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.52.5.tgz",
+      "integrity": "sha512-3GuObel8h7Kqdjt0gxkEzaifHTqLVW56Y/bjN7PSQtkKr0w3V/QYSdt6QWYtd7A1xUtYQigtdUfgj1RvWVtorw==",
       "license": "MIT",
       "dependencies": {
         "@types/estree": "1.0.8"
@@ -6234,31 +6195,28 @@
         "npm": ">=8.0.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.59.0",
-        "@rollup/rollup-android-arm64": "4.59.0",
-        "@rollup/rollup-darwin-arm64": "4.59.0",
-        "@rollup/rollup-darwin-x64": "4.59.0",
-        "@rollup/rollup-freebsd-arm64": "4.59.0",
-        "@rollup/rollup-freebsd-x64": "4.59.0",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.59.0",
-        "@rollup/rollup-linux-arm-musleabihf": "4.59.0",
-        "@rollup/rollup-linux-arm64-gnu": "4.59.0",
-        "@rollup/rollup-linux-arm64-musl": "4.59.0",
-        "@rollup/rollup-linux-loong64-gnu": "4.59.0",
-        "@rollup/rollup-linux-loong64-musl": "4.59.0",
-        "@rollup/rollup-linux-ppc64-gnu": "4.59.0",
-        "@rollup/rollup-linux-ppc64-musl": "4.59.0",
-        "@rollup/rollup-linux-riscv64-gnu": "4.59.0",
-        "@rollup/rollup-linux-riscv64-musl": "4.59.0",
-        "@rollup/rollup-linux-s390x-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-musl": "4.59.0",
-        "@rollup/rollup-openbsd-x64": "4.59.0",
-        "@rollup/rollup-openharmony-arm64": "4.59.0",
-        "@rollup/rollup-win32-arm64-msvc": "4.59.0",
-        "@rollup/rollup-win32-ia32-msvc": "4.59.0",
-        "@rollup/rollup-win32-x64-gnu": "4.59.0",
-        "@rollup/rollup-win32-x64-msvc": "4.59.0",
+        "@rollup/rollup-android-arm-eabi": "4.52.5",
+        "@rollup/rollup-android-arm64": "4.52.5",
+        "@rollup/rollup-darwin-arm64": "4.52.5",
+        "@rollup/rollup-darwin-x64": "4.52.5",
+        "@rollup/rollup-freebsd-arm64": "4.52.5",
+        "@rollup/rollup-freebsd-x64": "4.52.5",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.52.5",
+        "@rollup/rollup-linux-arm-musleabihf": "4.52.5",
+        "@rollup/rollup-linux-arm64-gnu": "4.52.5",
+        "@rollup/rollup-linux-arm64-musl": "4.52.5",
+        "@rollup/rollup-linux-loong64-gnu": "4.52.5",
+        "@rollup/rollup-linux-ppc64-gnu": "4.52.5",
+        "@rollup/rollup-linux-riscv64-gnu": "4.52.5",
+        "@rollup/rollup-linux-riscv64-musl": "4.52.5",
+        "@rollup/rollup-linux-s390x-gnu": "4.52.5",
+        "@rollup/rollup-linux-x64-gnu": "4.52.5",
+        "@rollup/rollup-linux-x64-musl": "4.52.5",
+        "@rollup/rollup-openharmony-arm64": "4.52.5",
+        "@rollup/rollup-win32-arm64-msvc": "4.52.5",
+        "@rollup/rollup-win32-ia32-msvc": "4.52.5",
+        "@rollup/rollup-win32-x64-gnu": "4.52.5",
+        "@rollup/rollup-win32-x64-msvc": "4.52.5",
         "fsevents": "~2.3.2"
       }
     },

app/vmui/packages/vmui/src/assets/MetricsQL.md

@@ -1227,10 +1227,7 @@ Metric names are stripped from the resulting series. Add [keep_metric_names](#ke
 #### buckets_limit
 
 `buckets_limit(limit, buckets)` is a [transform function](#transform-functions), which limits the number
-of [histogram buckets](https://valyala.medium.com/improving-histogram-usability-for-prometheus-and-grafana-bc7e5df0e350) to the given `limit`. 
-
-The result will preserve the first and the last bucket to improve accuracy for min and max values. 
-So, if the `limit` is greater than 0 and less than 3, the function will still return 3 buckets: the first bucket, the last bucket, and a selected bucket.
+of [histogram buckets](https://valyala.medium.com/improving-histogram-usability-for-prometheus-and-grafana-bc7e5df0e350) to the given `limit`.
 
 See also [prometheus_buckets](#prometheus_buckets) and [histogram_quantile](#histogram_quantile).
 
@@ -1384,15 +1381,6 @@ It can be used for calculating the average over the given time range across mult
 For example, `histogram_avg(sum(histogram_over_time(response_time_duration_seconds[5m])) by (vmrange,job))` would return the average response time
 per each `job` over the last 5 minutes.
 
-#### histogram_fraction
-
-`histogram_fraction(lowerLe, upperLe, buckets)` is a [transform function](#transform-functions), which calculates the share (in the range `[0...1]`) for `buckets` that fall between `lowerLe` and `upperLe`.
-The result of `histogram_fraction(lowerLe, upperLe, buckets)` is equivalent to `histogram_share(upperLe, buckets) - histogram_share(lowerLe, buckets)`.
-
-This function is supported by PromQL.
-
-See also [histogram_share](#histogram_share).
-
 #### histogram_quantile
 
 `histogram_quantile(phi, buckets)` is a [transform function](#transform-functions), which calculates `phi`-[percentile](https://en.wikipedia.org/wiki/Percentile)

app/vmui/packages/vmui/src/components/ExploreMetrics/ExploreMetricGraph/ExploreMetricItemGraph.tsx

@@ -55,7 +55,7 @@ const ExploreMetricItem: FC<ExploreMetricItemGraphProps> = ({
 
     const base = `{${params.join(",")}}`;
     if (isBucket) {
-      return [`sum(increase_pure(${base})) by (vmrange, le)`];
+      return [`sum(rate(${base})) by (vmrange, le)`];
     }
     const queryBase = rateEnabled ? `rollup_rate(${base})` : `rollup(${base})`;
     return [`

app/vmui/packages/vmui/src/components/Main/TextField/TextField.tsx

@@ -27,7 +27,6 @@ interface TextFieldProps {
   endIcon?: ReactNode
   startIcon?: ReactNode
   disabled?: boolean
-  readonly?: boolean
   autofocus?: boolean
   helperText?: string
   inputmode?: "search" | "text" | "email" | "tel" | "url" | "none" | "numeric" | "decimal"
@@ -51,7 +50,6 @@ const TextField: FC<TextFieldProps> = ({
   endIcon,
   startIcon,
   disabled = false,
-  readonly = false,
   autofocus = false,
   inputmode = "text",
   caretPosition,
@@ -150,7 +148,6 @@ const TextField: FC<TextFieldProps> = ({
         <textarea
           className={inputClasses}
           disabled={disabled}
-          readOnly={readonly}
           ref={textareaRef}
           value={value}
           rows={1}
@@ -169,7 +166,6 @@ const TextField: FC<TextFieldProps> = ({
         <input
           className={inputClasses}
           disabled={disabled}
-          readOnly={readonly}
           ref={inputRef}
           value={value}
           type={type}

app/vmui/packages/vmui/src/pages/DownsamplingFilters/index.tsx

@@ -115,20 +115,16 @@ const DownsamplingFilters: FC = () => {
         </div>
         <div className="vm-downsampling-filters-body-top">
           <a
+            className="vm-link vm-link_with-icon"
             target="_blank"
             href="https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#downsampling"
             rel="help noreferrer"
           >
-            <Button
-              variant="text"
-              color="gray"
-              startIcon={<WikiIcon/>}
-            >
-              Documentation
-            </Button>
+            <WikiIcon/>
+            Documentation
           </a>
           <Button
-            variant="outlined"
+            variant="text"
             onClick={handleRunExample}
           >
             Try example
@@ -138,7 +134,7 @@ const DownsamplingFilters: FC = () => {
             onClick={handleApplyFilters}
             startIcon={<PlayIcon/>}
           >
-            Preview
+            Apply
           </Button>
         </div>
       </div>

app/vmui/packages/vmui/src/pages/Relabel/index.tsx

@@ -90,33 +90,25 @@ const Relabel: FC = () => {
         </div>
         <div className="vm-relabeling-header-bottom">
           <a
+            className="vm-link vm-link_with-icon"
             target="_blank"
             href="https://docs.victoriametrics.com/victoriametrics/relabeling/"
             rel="help noreferrer"
           >
-            <Button
-              variant="text"
-              color="gray"
-              startIcon={<InfoIcon/>}
-            >
-              Relabeling cookbook
-            </Button>
+            <InfoIcon/>
+            Relabeling cookbook
           </a>
           <a
+            className="vm-link vm-link_with-icon"
             target="_blank"
             href="https://docs.victoriametrics.com/victoriametrics/relabeling/"
             rel="help noreferrer"
           >
-            <Button
-              variant="text"
-              color="gray"
-              startIcon={<WikiIcon/>}
-            >
-              Documentation
-            </Button>
+            <WikiIcon/>
+            Documentation
           </a>
           <Button
-            variant="outlined"
+            variant="text"
             onClick={handleRunExample}
           >
             Try example
@@ -126,7 +118,7 @@ const Relabel: FC = () => {
             onClick={handleRunQuery}
             startIcon={<PlayIcon/>}
           >
-            Preview
+            Submit
           </Button>
         </div>
       </div>

app/vmui/packages/vmui/src/pages/Relabel/style.scss

@@ -33,7 +33,7 @@
       display: flex;
       align-items: center;
       justify-content: flex-end;
-      gap: $padding-small;
+      gap: $padding-global;
 
       a {
         color: $color-text-secondary;

app/vmui/packages/vmui/src/pages/RetentionFilters/index.tsx

@@ -107,20 +107,16 @@ const RetentionFilters: FC = () => {
         </div>
         <div className="vm-retention-filters-body-top">
           <a
+            className="vm-link vm-link_with-icon"
             target="_blank"
             href="https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#retention-filters"
             rel="help noreferrer"
           >
-            <Button
-              variant="text"
-              color="gray"
-              startIcon={<WikiIcon/>}
-            >
-              Documentation
-            </Button>
+            <WikiIcon/>
+            Documentation
           </a>
           <Button
-            variant="outlined"
+            variant="text"
             onClick={handleRunExample}
           >
             Try example
@@ -130,7 +126,7 @@ const RetentionFilters: FC = () => {
             onClick={handleApplyFilters}
             startIcon={<PlayIcon/>}
           >
-            Preview
+            Apply
           </Button>
         </div>
       </div>

app/vmui/packages/vmui/src/pages/WithTemplate/index.tsx

@@ -48,7 +48,7 @@ const WithTemplate: FC = () => {
             type="textarea"
             label="MetricsQL query after expanding WITH expressions and applying other optimizations"
             value={data}
-            readonly
+            disabled
           />
         </div>
         <div className="vm-with-template-body-top">

app/vmui/packages/vmui/vite.config.ts

@@ -21,7 +21,7 @@ const getProxy = (): Record<string, ProxyOptions> | undefined => {
   };
 
   return {
-    "^/prometheus/.*": { ...commonProxy },
+    "^/prometheus/(api|vmalert)/.*": { ...commonProxy },
     "/prometheus/vmui/config.json": { ...commonProxy },
   };
 };

apptest/model.go

@@ -33,8 +33,6 @@ type PrometheusQuerier interface {
 	// separate interface or rename this interface to allow for multiple querier
 	// types.
 	GraphiteMetricsIndex(t *testing.T, opts QueryOpts) GraphiteMetricsIndexResponse
-	GraphiteTagsTagSeries(t *testing.T, record string, opts QueryOpts)
-	GraphiteTagsTagMultiSeries(t *testing.T, records []string, opts QueryOpts)
 }
 
 // Writer contains methods for writing new data

apptest/tests/graphite_test.go

@@ -60,60 +60,3 @@ func TestClusterMetricsIndex(t *testing.T) {
 
 	testMetricsIndex(tc.T(), sut)
 }
-
-// testTagSeries tests the registration of new time series in index.
-//
-// See https://graphite.readthedocs.io/en/stable/tags.html#adding-series-to-the-tagdb.
-func testTagSeries(tc *apptest.TestCase, sut apptest.PrometheusWriteQuerier, getStorageMetric func(string) int) {
-	t := tc.T()
-
-	assertNewTimeseriesCreatedTotal := func(want int) {
-		tc.Assert(&apptest.AssertOptions{
-			Msg: "unexpected vm_new_timeseries_created_total",
-			Got: func() any {
-				return getStorageMetric("vm_new_timeseries_created_total")
-			},
-			Want: want,
-		})
-	}
-
-	rec := "disk.used;rack=a1;datacenter=dc1;server=web01"
-	sut.GraphiteTagsTagSeries(t, rec, apptest.QueryOpts{})
-	assertNewTimeseriesCreatedTotal(0)
-
-	recs := []string{
-		"metric.yyy;t2=a;t1=b;t3=c",
-		"metric.zzz;t5=d;t4=e;t6=f",
-		"metric.xxx;t8=g;t7=h;t9=i",
-	}
-	sut.GraphiteTagsTagMultiSeries(t, recs, apptest.QueryOpts{})
-	assertNewTimeseriesCreatedTotal(0)
-}
-
-func TestSingleTagSeries(t *testing.T) {
-	tc := apptest.NewTestCase(t)
-	defer tc.Stop()
-
-	sut := tc.MustStartDefaultVmsingle()
-	getStorageMetric := func(name string) int {
-		return sut.GetIntMetric(t, name)
-	}
-
-	testTagSeries(tc, sut, getStorageMetric)
-}
-
-func TestClusterTagSeries(t *testing.T) {
-	tc := apptest.NewTestCase(t)
-	defer tc.Stop()
-
-	sut := tc.MustStartDefaultCluster()
-	getStorageMetric := func(name string) int {
-		var v int
-		for _, s := range sut.Vmstorages {
-			v += s.GetIntMetric(t, name)
-		}
-		return v
-	}
-
-	testTagSeries(tc, sut, getStorageMetric)
-}

apptest/tests/metricsql_test.go

@@ -32,8 +32,6 @@ func TestSingleInstantQuery(t *testing.T) {
 	testInstantQueryDoesNotReturnStaleNaNs(t, sut)
 
 	testQueryRangeWithAtModifier(t, sut)
-
-	testLabelValuesWithUTFNames(t, sut)
 }
 
 func TestClusterInstantQuery(t *testing.T) {
@@ -46,8 +44,6 @@ func TestClusterInstantQuery(t *testing.T) {
 	testInstantQueryDoesNotReturnStaleNaNs(t, sut)
 
 	testQueryRangeWithAtModifier(t, sut)
-
-	testLabelValuesWithUTFNames(t, sut)
 }
 
 func testInstantQueryWithUTFNames(t *testing.T, sut apptest.PrometheusWriteQuerier) {
@@ -240,46 +236,3 @@ func testQueryRangeWithAtModifier(t *testing.T, sut apptest.PrometheusWriteQueri
 		t.Fatalf("unexpected error: %q", resp.Error)
 	}
 }
-
-// This test checks that label values are decoded from UTF-8 according to Prometheus spec.
-// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10446
-// Spec: https://prometheus.io/docs/prometheus/latest/querying/api/#querying-label-values
-func testLabelValuesWithUTFNames(t *testing.T, sut apptest.PrometheusWriteQuerier) {
-
-	timestamp := millis("2025-01-01T00:00:00Z")
-	data := prompb.WriteRequest{
-		Timeseries: []prompb.TimeSeries{
-			{
-				Labels: []prompb.Label{
-					{Name: "__name__", Value: "labelvals"},
-					{Name: "kubernetes_something/special&' chars", Value: "漢©®€£"},
-					{Name: "3👋tfにちは", Value: "漢©®€£"},
-				},
-				Samples: []prompb.Sample{
-					{Value: 1, Timestamp: timestamp},
-				},
-			},
-		},
-	}
-
-	sut.PrometheusAPIV1Write(t, data, apptest.QueryOpts{})
-	sut.ForceFlush(t)
-
-	cmpOptions := []cmp.Option{}
-
-	// encoded via prometheus model.EscapeName(string,model.ValueEncodingEscaping)
-	want := map[string][]string{
-		"__name__": {"labelvals"},
-		"U__kubernetes__something_2f_special_26__27__20_chars": {"漢©®€£"},
-		"U___33__1f44b_tf_306b__3061__306f_":                   {"漢©®€£"},
-	}
-	for labelName, expected := range want {
-		got := sut.PrometheusAPIV1LabelValues(t, labelName, `{__name__="labelvals"}`, apptest.QueryOpts{
-			Start: fmt.Sprintf("%d", timestamp),
-			End:   fmt.Sprintf("%d", timestamp),
-		})
-		if diff := cmp.Diff(expected, got.Data, cmpOptions...); diff != "" {
-			t.Errorf("unexpected response (-want, +got):\n%s", diff)
-		}
-	}
-}

apptest/tests/per_day_index_test.go

@@ -61,8 +61,8 @@ func TestClusterSearchWithDisabledPerDayIndex(t *testing.T) {
 
 type startSUTFunc func(name string, disablePerDayIndex bool) apptest.PrometheusWriteQuerier
 
-// testSearchWithDisabledPerDayIndex shows what search results to expect when
-// data is first inserted with per-day index enabled and then with per-day index
+// testDisablePerDayIndex_Search shows what search results to expect when data
+// is first inserted with per-day index enabled and then with per-day index
 // disabled.
 //
 // The data inserted with enabled per-day index must be searchable with disabled
@@ -112,8 +112,8 @@ func testSearchWithDisabledPerDayIndex(tc *apptest.TestCase, start startSUTFunc)
 		})
 	}
 
-	// Start SUT with enabled per-day index, insert sample1, and confirm it is
-	// searchable.
+	// Start vmsingle with enabled per-day index, insert sample1, and confirm it
+	// is searchable.
 	sut := start("with-per-day-index", false)
 	sample1 := []string{"metric1 111 1704067200000"} // 2024-01-01T00:00:00Z
 	sut.PrometheusAPIV1ImportPrometheus(t, sample1, apptest.QueryOpts{})
@@ -130,8 +130,8 @@ func testSearchWithDisabledPerDayIndex(tc *apptest.TestCase, start startSUTFunc)
 		},
 	})
 
-	// Restart SUT with disabled per-day index, insert sample2, and confirm that
-	// both sample1 and sample2 is searchable.
+	// Restart vmsingle with disabled per-day index, insert sample2, and confirm
+	// that both sample1 and sample2 is searchable.
 	tc.StopPrometheusWriteQuerier(sut)
 	sut = start("without-per-day-index", true)
 	sample2 := []string{"metric2 222 1704067200000"} // 2024-01-01T00:00:00Z
@@ -156,8 +156,8 @@ func testSearchWithDisabledPerDayIndex(tc *apptest.TestCase, start startSUTFunc)
 		},
 	})
 
-	// Insert sample1 but for a different date, restart SUT with enabled per-day
-	// index and confirm that:
+	// Insert sample1 but for a different date, restart vmsingle with enabled
+	// per-day index and confirm that:
 	// - sample1 is searchable within the time range of Jan 1st
 	// - sample1 is not searchable within the time range of Jan 20th
 	// - sample1 is searchable within the time range of Jan 1st-20th (because

apptest/vminsert.go

@@ -298,14 +298,13 @@ func (app *Vminsert) String() string {
 func (app *Vminsert) sendBlocking(t *testing.T, numRecordsToSend int, send func()) {
 	t.Helper()
 
-	wantRowsSentCount := app.rpcRowsSentTotal(t) + numRecordsToSend
-
 	send()
 
 	const (
 		retries = 20
 		period  = 100 * time.Millisecond
 	)
+	wantRowsSentCount := app.rpcRowsSentTotal(t) + numRecordsToSend
 	for range retries {
 		d := app.rpcRowsSentTotal(t)
 		if d >= wantRowsSentCount {

apptest/vmselect.go

@@ -307,37 +307,6 @@ func (app *Vmselect) GraphiteMetricsIndex(t *testing.T, opts QueryOpts) Graphite
 	return index
 }
 
-// GraphiteTagsTagSeries is a test helper function that registers Graphite tags
-// for a single time series by sending a HTTP POST request to
-// /graphite/tags/tagSeries vmsingle endpoint.
-func (app *Vmselect) GraphiteTagsTagSeries(t *testing.T, record string, opts QueryOpts) {
-	t.Helper()
-
-	url := fmt.Sprintf("http://%s/select/%s/graphite/tags/tagSeries", app.httpListenAddr, opts.getTenant())
-	values := opts.asURLValues()
-	values.Add("path", record)
-
-	_, statusCode := app.cli.PostForm(t, url, values)
-	if got, want := statusCode, http.StatusNotImplemented; got != want {
-		t.Fatalf("unexpected status code: got %d, want %d", got, want)
-	}
-}
-
-func (app *Vmselect) GraphiteTagsTagMultiSeries(t *testing.T, records []string, opts QueryOpts) {
-	t.Helper()
-
-	url := fmt.Sprintf("http://%s/select/%s/graphite/tags/tagMultiSeries", app.httpListenAddr, opts.getTenant())
-	values := opts.asURLValues()
-	for _, rec := range records {
-		values.Add("path", rec)
-	}
-
-	_, statusCode := app.cli.PostForm(t, url, values)
-	if got, want := statusCode, http.StatusNotImplemented; got != want {
-		t.Fatalf("unexpected status code: got %d, want %d", got, want)
-	}
-}
-
 // APIV1AdminTenants sends a query to a /admin/tenants endpoint
 func (app *Vmselect) APIV1AdminTenants(t *testing.T) *AdminTenantsResponse {
 	t.Helper()

apptest/vmsingle.go

@@ -414,37 +414,6 @@ func (app *Vmsingle) GraphiteMetricsIndex(t *testing.T, _ QueryOpts) GraphiteMet
 	return index
 }
 
-// GraphiteTagsTagSeries is a test helper function that registers Graphite tags
-// for a single time series by sending a HTTP POST request to
-// /graphite/tags/tagSeries vmsingle endpoint.
-func (app *Vmsingle) GraphiteTagsTagSeries(t *testing.T, record string, opts QueryOpts) {
-	t.Helper()
-
-	url := fmt.Sprintf("http://%s/graphite/tags/tagSeries", app.httpListenAddr)
-	values := opts.asURLValues()
-	values.Add("path", record)
-
-	_, statusCode := app.cli.PostForm(t, url, values)
-	if got, want := statusCode, http.StatusNotImplemented; got != want {
-		t.Fatalf("unexpected status code: got %d, want %d", got, want)
-	}
-}
-
-func (app *Vmsingle) GraphiteTagsTagMultiSeries(t *testing.T, records []string, opts QueryOpts) {
-	t.Helper()
-
-	url := fmt.Sprintf("http://%s/graphite/tags/tagMultiSeries", app.httpListenAddr)
-	values := opts.asURLValues()
-	for _, rec := range records {
-		values.Add("path", rec)
-	}
-
-	_, statusCode := app.cli.PostForm(t, url, values)
-	if got, want := statusCode, http.StatusNotImplemented; got != want {
-		t.Fatalf("unexpected status code: got %d, want %d", got, want)
-	}
-}
-
 // APIV1StatusMetricNamesStats sends a query to a /api/v1/status/metric_names_stats endpoint
 // and returns the statistics response for given params.
 //

dashboards/alert-statistics.json

@@ -31,6 +31,12 @@
       "id": "table",
       "name": "Table",
       "version": ""
+    },
+    {
+      "type": "datasource",
+      "id": "victoriametrics-metrics-datasource",
+      "name": "VictoriaMetrics",
+      "version": "0.16.0"
     }
   ],
   "annotations": {
@@ -55,7 +61,6 @@
       }
     ]
   },
-  "description": "Overview of alerts state in time based on metrics generated by VictoriaMetrics vmalert.",
   "editable": true,
   "fiscalYearStartMonth": 0,
   "graphTooltip": 0,
@@ -174,7 +179,7 @@
           },
           "editorMode": "code",
           "exemplar": false,
-          "expr": "sort_desc(topk_max($topk, sum(vmalert_alerts_firing{job=~\"$job\",instance=~\"$instance\",group=~\"$group\"}) by (alertname)))",
+          "expr": "sort_desc(topk_max($topk, sum(vmalert_alerts_firing{group=~\"$group\"}) by (alertname)))",
           "format": "time_series",
           "instant": false,
           "legendFormat": "__auto",
@@ -242,7 +247,7 @@
           },
           "editorMode": "code",
           "exemplar": false,
-          "expr": "count(count(vmalert_alerting_rules_errors_total{job=~\"$job\",instance=~\"$instance\",group=~\"$group\"}) by (group))",
+          "expr": "count(count(vmalert_alerting_rules_errors_total{group=~\"$group\"}) by (group))",
           "interval": "",
           "legendFormat": "",
           "range": true,
@@ -309,7 +314,7 @@
           },
           "editorMode": "code",
           "exemplar": false,
-          "expr": "count(vmalert_alerting_rules_errors_total{job=~\"$job\",instance=~\"$instance\",group=~\"$group\"})",
+          "expr": "count(vmalert_alerting_rules_errors_total{group=~\"$group\"})",
           "instant": false,
           "interval": "",
           "legendFormat": "",
@@ -398,7 +403,7 @@
           },
           "editorMode": "code",
           "exemplar": false,
-          "expr": "topk_max(100, sum(increases_over_time(vmalert_alerts_firing{job=~\"$job\",instance=~\"$instance\",group=~\"$group\"}[$__range])) by(group, alertname) > 0)",
+          "expr": "topk_max(100, sum(increases_over_time(vmalert_alerts_firing{group=~\"$group\"}[$__range])) by(group, alertname) > 0)",
           "format": "table",
           "instant": true,
           "key": "Q-3934f0fb-8ad6-4519-a98d-c26d0fc6b312-0",
@@ -551,7 +556,7 @@
           },
           "editorMode": "code",
           "exemplar": false,
-          "expr": "topk_max($topk, sum(increases_over_time(vmalert_alerts_firing{job=~\"$job\",instance=~\"$instance\",group=~\"$group\"}[$__range])) by (group, alertname) > 0)",
+          "expr": "topk_max($topk, sum(increases_over_time(vmalert_alerts_firing{group=~\"$group\"}[$__range])) by (group, alertname) > 0)",
           "format": "table",
           "instant": true,
           "key": "Q-3934f0fb-8ad6-4519-a98d-c26d0fc6b312-0",
@@ -603,46 +608,6 @@
         "regex": "",
         "type": "datasource"
       },
-      {
-        "allValue": ".*",
-        "current": {},
-        "datasource": {
-          "type": "prometheus",
-          "uid": "${ds}"
-        },
-        "definition": "label_values(vm_app_version{version=~\"^vmalert.*\"},job)",
-        "includeAll": true,
-        "multi": true,
-        "name": "job",
-        "options": [],
-        "query": {
-          "query": "label_values(vm_app_version{version=~\"^vmalert.*\"},job)",
-          "refId": "StandardVariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      },
-      {
-        "allValue": ".*",
-        "current": {},
-        "datasource": {
-          "type": "prometheus",
-          "uid": "${ds}"
-        },
-        "definition": "label_values(vm_app_version{job=~\"$job\"},instance)",
-        "includeAll": true,
-        "multi": true,
-        "name": "instance",
-        "options": [],
-        "query": {
-          "query": "label_values(vm_app_version{job=~\"$job\"},instance)",
-          "refId": "StandardVariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      },
       {
         "allValue": ".*",
         "current": {},

dashboards/victoriametrics-cluster.json

@@ -1521,7 +1521,7 @@
             {
               "targetBlank": true,
               "title": "Drilldown",
-              "url": "/d/oS7Bi_0Wz?viewPanel=203&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/oS7Bi_0Wz?viewPanel=203&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1650,12 +1650,12 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown - RSS memory usage",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=189&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=189&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 },
                 {
                   "targetBlank": true,
                   "title": "Drilldown - Memory usage breakdown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=225&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=225&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1770,7 +1770,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1888,7 +1888,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5077,7 +5077,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=224&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=224&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6107,7 +6107,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=$job_storage&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=$job_storage&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6257,7 +6257,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=$job_storage&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=$job_storage&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6908,7 +6908,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=200&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=200&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -7178,7 +7178,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=201&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=201&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -8042,7 +8042,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=$job_select&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=$job_select&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -8186,7 +8186,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=$job_select&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=$job_select&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -9375,7 +9375,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=$job_insert&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=192&var-job=$job_insert&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -9519,7 +9519,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=$job_insert&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz?viewPanel=190&var-job=$job_insert&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],

dashboards/victoriametrics.json

@@ -1521,7 +1521,7 @@
             {
               "targetBlank": true,
               "title": "Drilldown",
-              "url": "/d/wNf0q_kZk?viewPanel=154&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/wNf0q_kZk?viewPanel=154&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1644,12 +1644,12 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown - RSS memory usage",
-                  "url": "/d/wNf0q_kZk?viewPanel=148&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=148&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 },
                 {
                   "targetBlank": true,
                   "title": "Drilldown - Memory usage breakdown",
-                  "url": "/d/wNf0q_kZk?viewPanel=141&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=141&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1764,7 +1764,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk?viewPanel=151&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=151&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1882,7 +1882,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk?viewPanel=149&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=149&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5122,7 +5122,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk?viewPanel=140&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=140&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5356,7 +5356,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk?viewPanel=150&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=150&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5973,7 +5973,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk?viewPanel=153&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=153&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6237,7 +6237,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk?viewPanel=152&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk?viewPanel=152&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],

dashboards/vm/victoriametrics-cluster.json

@@ -1522,7 +1522,7 @@
             {
               "targetBlank": true,
               "title": "Drilldown",
-              "url": "/d/oS7Bi_0Wz_vm?viewPanel=203&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/oS7Bi_0Wz_vm?viewPanel=203&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1651,12 +1651,12 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown - RSS memory usage",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=189&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=189&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 },
                 {
                   "targetBlank": true,
                   "title": "Drilldown - Memory usage breakdown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=225&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=225&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1771,7 +1771,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1889,7 +1889,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5078,7 +5078,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=224&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=224&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6108,7 +6108,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=$job_storage&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=$job_storage&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6258,7 +6258,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=$job_storage&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=$job_storage&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6909,7 +6909,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=200&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=200&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -7179,7 +7179,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=201&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=201&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -8043,7 +8043,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=$job_select&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=$job_select&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -8187,7 +8187,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=$job_select&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=$job_select&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -9376,7 +9376,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=$job_insert&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=192&var-job=$job_insert&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -9520,7 +9520,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=$job_insert&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/oS7Bi_0Wz_vm?viewPanel=190&var-job=$job_insert&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],

dashboards/vm/victoriametrics.json

@@ -1522,7 +1522,7 @@
             {
               "targetBlank": true,
               "title": "Drilldown",
-              "url": "/d/wNf0q_kZk_vm?viewPanel=154&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/wNf0q_kZk_vm?viewPanel=154&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1645,12 +1645,12 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown - RSS memory usage",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=148&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=148&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 },
                 {
                   "targetBlank": true,
                   "title": "Drilldown - Memory usage breakdown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=141&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=141&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1765,7 +1765,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=151&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=151&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1883,7 +1883,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=149&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=149&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5123,7 +5123,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=140&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=140&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5357,7 +5357,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=150&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=150&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -5974,7 +5974,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=153&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=153&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -6238,7 +6238,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/wNf0q_kZk_vm?viewPanel=152&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/wNf0q_kZk_vm?viewPanel=152&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],

dashboards/vm/vmagent.json

@@ -964,7 +964,7 @@
           "links": [
             {
               "title": "Drilldown",
-              "url": "/d/G7Z9GzMGz_vm?viewPanel=123&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/G7Z9GzMGz_vm?viewPanel=123&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1231,7 +1231,7 @@
             {
               "targetBlank": true,
               "title": "Drilldown",
-              "url": "/d/G7Z9GzMGz_vm?viewPanel=162&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/G7Z9GzMGz_vm?viewPanel=162&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1743,7 +1743,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/G7Z9GzMGz_vm?viewPanel=117&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/G7Z9GzMGz_vm?viewPanel=117&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1858,7 +1858,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/G7Z9GzMGz_vm?viewPanel=119&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/G7Z9GzMGz_vm?viewPanel=119&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -2332,7 +2332,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/G7Z9GzMGz_vm?viewPanel=121&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/G7Z9GzMGz_vm?viewPanel=121&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],

dashboards/vm/vmauth.json

@@ -1612,7 +1612,7 @@
                 "type": "victoriametrics-metrics-datasource",
                 "uid": "$ds"
               },
-              "expr": "sum(go_memstats_sys_bytes{job=~\"$job\", instance=~\"$instance\"})",
+              "expr": "sum(go_memstats_sys_bytes{job=~\"$job\", instance=~\"$instance\"}) + sum(vm_cache_size_bytes{job=~\"$job\", instance=~\"$instance\"})",
               "format": "time_series",
               "hide": false,
               "intervalFactor": 1,
@@ -1624,7 +1624,7 @@
                 "type": "victoriametrics-metrics-datasource",
                 "uid": "$ds"
               },
-              "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"$job\", instance=~\"$instance\"})",
+              "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"$job\", instance=~\"$instance\"}) + sum(vm_cache_size_bytes{job=~\"$job\", instance=~\"$instance\"})",
               "format": "time_series",
               "hide": false,
               "intervalFactor": 1,

dashboards/vmagent.json

@@ -963,7 +963,7 @@
           "links": [
             {
               "title": "Drilldown",
-              "url": "/d/G7Z9GzMGz?viewPanel=123&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/G7Z9GzMGz?viewPanel=123&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1230,7 +1230,7 @@
             {
               "targetBlank": true,
               "title": "Drilldown",
-              "url": "/d/G7Z9GzMGz?viewPanel=162&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+              "url": "/d/G7Z9GzMGz?viewPanel=162&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
             }
           ],
           "mappings": [],
@@ -1742,7 +1742,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/G7Z9GzMGz?viewPanel=117&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/G7Z9GzMGz?viewPanel=117&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -1857,7 +1857,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/G7Z9GzMGz?viewPanel=119&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/G7Z9GzMGz?viewPanel=119&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],
@@ -2331,7 +2331,7 @@
                 {
                   "targetBlank": true,
                   "title": "Drilldown",
-                  "url": "/d/G7Z9GzMGz?viewPanel=121&var-job=${__field.labels.job}&var-ds=$ds&${__url_time_range}"
+                  "url": "/d/G7Z9GzMGz?viewPanel=121&var-job=${__field.labels.job}&var-ds=$ds&var-instance=$instance&${__url_time_range}"
                 }
               ],
               "mappings": [],

dashboards/vmauth.json

@@ -1611,7 +1611,7 @@
                 "type": "prometheus",
                 "uid": "$ds"
               },
-              "expr": "sum(go_memstats_sys_bytes{job=~\"$job\", instance=~\"$instance\"})",
+              "expr": "sum(go_memstats_sys_bytes{job=~\"$job\", instance=~\"$instance\"}) + sum(vm_cache_size_bytes{job=~\"$job\", instance=~\"$instance\"})",
               "format": "time_series",
               "hide": false,
               "intervalFactor": 1,
@@ -1623,7 +1623,7 @@
                 "type": "prometheus",
                 "uid": "$ds"
               },
-              "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"$job\", instance=~\"$instance\"})",
+              "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"$job\", instance=~\"$instance\"}) + sum(vm_cache_size_bytes{job=~\"$job\", instance=~\"$instance\"})",
               "format": "time_series",
               "hide": false,
               "intervalFactor": 1,

deployment/docker/Makefile

@@ -7,7 +7,7 @@ ROOT_IMAGE ?= alpine:3.23.3
 ROOT_IMAGE_SCRATCH ?= scratch
 CERTS_IMAGE := alpine:3.23.3
 
-GO_BUILDER_IMAGE := golang:1.26.1
+GO_BUILDER_IMAGE := golang:1.26.0
 
 BUILDER_IMAGE := local/builder:2.0.0-$(shell echo $(GO_BUILDER_IMAGE) | tr :/ __)-1
 BASE_IMAGE := local/base:1.1.4-$(shell echo $(ROOT_IMAGE) | tr :/ __)-$(shell echo $(CERTS_IMAGE) | tr :/ __)
@@ -100,7 +100,6 @@ publish-via-docker:
 		) \
 		-o type=image \
 		--provenance=false \
-		--sbom=true \
 		-f app/$(APP_NAME)/multiarch/Dockerfile \
 		--push \
 		bin
@@ -121,7 +120,6 @@ publish-via-docker:
 		) \
 		-o type=image \
 		--provenance=false \
-		--sbom=true \
 		-f app/$(APP_NAME)/multiarch/Dockerfile \
 		--push \
 		bin

deployment/docker/compose-vm-cluster.yml

@@ -3,7 +3,7 @@ services:
   #  It scrapes targets defined in --promscrape.config
   #  And forward them to --remoteWrite.url
   vmagent:
-    image: victoriametrics/vmagent:v1.137.0
+    image: victoriametrics/vmagent:v1.136.0
     depends_on:
       - "vmauth"
     ports:
@@ -33,19 +33,18 @@ services:
       - ./../../dashboards/vmagent.json:/var/lib/grafana/dashboards/vmagent.json
       - ./../../dashboards/vmalert.json:/var/lib/grafana/dashboards/vmalert.json
       - ./../../dashboards/vmauth.json:/var/lib/grafana/dashboards/vmauth.json
-      - ./../../dashboards/alert-statistics.json:/var/lib/grafana/dashboards/alert-statistics.json
 
   # vmstorage shards. Each shard receives 1/N of all metrics sent to vminserts,
   # where N is number of vmstorages (2 in this case).
   vmstorage-1:
-    image: victoriametrics/vmstorage:v1.137.0-cluster
+    image: victoriametrics/vmstorage:v1.136.0-cluster
     volumes:
       - strgdata-1:/storage
     command:
       - "--storageDataPath=/storage"
     restart: always
   vmstorage-2:
-    image: victoriametrics/vmstorage:v1.137.0-cluster
+    image: victoriametrics/vmstorage:v1.136.0-cluster
     volumes:
       - strgdata-2:/storage
     command:
@@ -55,7 +54,7 @@ services:
   # vminsert is ingestion frontend. It receives metrics pushed by vmagent,
   # pre-process them and distributes across configured vmstorage shards.
   vminsert-1:
-    image: victoriametrics/vminsert:v1.137.0-cluster
+    image: victoriametrics/vminsert:v1.136.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -64,7 +63,7 @@ services:
       - "--storageNode=vmstorage-2:8400"
     restart: always
   vminsert-2:
-    image: victoriametrics/vminsert:v1.137.0-cluster
+    image: victoriametrics/vminsert:v1.136.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -76,7 +75,7 @@ services:
   # vmselect is a query fronted. It serves read queries in MetricsQL or PromQL.
   # vmselect collects results from configured `--storageNode` shards.
   vmselect-1:
-    image: victoriametrics/vmselect:v1.137.0-cluster
+    image: victoriametrics/vmselect:v1.136.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -86,7 +85,7 @@ services:
       - "--vmalert.proxyURL=http://vmalert:8880"
     restart: always
   vmselect-2:
-    image: victoriametrics/vmselect:v1.137.0-cluster
+    image: victoriametrics/vmselect:v1.136.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -101,7 +100,7 @@ services:
   # read requests from Grafana, vmui, vmalert among vmselects.
   # It can be used as an authentication proxy.
   vmauth:
-    image: victoriametrics/vmauth:v1.137.0
+    image: victoriametrics/vmauth:v1.136.0
     depends_on:
       - "vmselect-1"
       - "vmselect-2"
@@ -115,7 +114,7 @@ services:
 
   # vmalert executes alerting and recording rules
   vmalert:
-    image: victoriametrics/vmalert:v1.137.0
+    image: victoriametrics/vmalert:v1.136.0
     depends_on:
       - "vmauth"
     ports:

deployment/docker/compose-vm-single.yml

@@ -3,7 +3,7 @@ services:
   #  It scrapes targets defined in --promscrape.config
   #  And forward them to --remoteWrite.url
   vmagent:
-    image: victoriametrics/vmagent:v1.137.0
+    image: victoriametrics/vmagent:v1.136.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -18,7 +18,7 @@ services:
   # VictoriaMetrics instance, a single process responsible for
   # storing metrics and serve read requests.
   victoriametrics:
-    image: victoriametrics/victoria-metrics:v1.137.0
+    image: victoriametrics/victoria-metrics:v1.136.0
     ports:
       - 8428:8428
       - 8089:8089
@@ -50,12 +50,11 @@ services:
       - ./../../dashboards/victoriametrics.json:/var/lib/grafana/dashboards/vm.json
       - ./../../dashboards/vmagent.json:/var/lib/grafana/dashboards/vmagent.json
       - ./../../dashboards/vmalert.json:/var/lib/grafana/dashboards/vmalert.json
-      - ./../../dashboards/alert-statistics.json:/var/lib/grafana/dashboards/alert-statistics.json
     restart: always
 
   # vmalert executes alerting and recording rules
   vmalert:
-    image: victoriametrics/vmalert:v1.137.0
+    image: victoriametrics/vmalert:v1.136.0
     depends_on:
       - "victoriametrics"
       - "alertmanager"

deployment/docker/vmanomaly/vmanomaly-integration/compose.yml

@@ -1,6 +1,6 @@
 services:
   vmagent:
-    image: victoriametrics/vmagent:v1.137.0
+    image: victoriametrics/vmagent:v1.136.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -14,7 +14,7 @@ services:
     restart: always
 
   victoriametrics:
-    image: victoriametrics/victoria-metrics:v1.137.0
+    image: victoriametrics/victoria-metrics:v1.136.0
     ports:
       - 8428:8428
     volumes:
@@ -40,7 +40,7 @@ services:
     restart: always
 
   vmalert:
-    image: victoriametrics/vmalert:v1.137.0
+    image: victoriametrics/vmalert:v1.136.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -59,7 +59,7 @@ services:
       - '--external.alert.source=explore?orgId=1&left=["now-1h","now","VictoriaMetrics",{"expr": },{"mode":"Metrics"},{"ui":[true,true,true,"none"]}]'
     restart: always
   vmanomaly:
-    image: victoriametrics/vmanomaly:v1.29.0
+    image: victoriametrics/vmanomaly:v1.28.7
     depends_on:
       - "victoriametrics"
     ports:

docs/anomaly-detection/CHANGELOG.md

@@ -14,21 +14,6 @@ aliases:
 ---
 Please find the changelog for VictoriaMetrics Anomaly Detection below.
 
-## v1.29.0
-Released: 2026-03-05
-
-- UI: Updated [vmanomaly UI](https://docs.victoriametrics.com/anomaly-detection/ui/) from [v1.4.3](https://docs.victoriametrics.com/anomaly-detection/ui/#v143) to [v1.5.0](https://docs.victoriametrics.com/anomaly-detection/ui/#v150), see respective [release notes](https://docs.victoriametrics.com/anomaly-detection/ui/#v150) for details. Notable changes include [AI assistance](https://docs.victoriametrics.com/anomaly-detection/ui/#ai-assistance) support capable of applying model configuration changes, generating VMAlert rules, and providing general guidance on using the product.
-
-- IMPROVEMENT: Optimized internal data structures for readers when `query_from_last_seen_timestamp` [parameter](https://docs.victoriametrics.com/anomaly-detection/components/reader/#config-parameters) is enabled, resulting in reduced memory usage and improved performance for large datasets.
-
-- IMPROVEMENT: Hardened [hot reload](https://docs.victoriametrics.com/anomaly-detection/components/#hot-reload) with staged snapshot apply and automatic rollback. Reload now validates once and applies the same snapshot, preventing re-read race conditions and avoiding same-port conflicts during restart; failures keep previous runtime and are reflected in [startup metrics](https://docs.victoriametrics.com/anomaly-detection/components/monitoring/#startup-metrics).
-
-- BUGFIX: Config file read/parse failures are now non-fatal in [hot reload](https://docs.victoriametrics.com/anomaly-detection/components/#hot-reload) mode (service keeps running), while initial startup remains fatal for invalid/broken config files.
-
-- BUGFIX: Fixed missing datapoints in [BacktestingScheduler](https://docs.victoriametrics.com/anomaly-detection/components/scheduler/#backtesting-scheduler) windows used in [exact mode](https://docs.victoriametrics.com/anomaly-detection/components/scheduler/#defining-inference-timeframe-1), leading to "gaps" in plotted predictions and scores.
-
-- BUGFIX: Fixed a model state update issue in [BacktestingScheduler exact mode](https://docs.victoriametrics.com/anomaly-detection/components/scheduler/#defining-inference-timeframe-1) when parallelization (`settings.n_workers > 1`) was enabled, causing [online models](https://docs.victoriametrics.com/anomaly-detection/components/models/#online-models) to produce stale/flat `yhat`, `yhat_lower`, and `yhat_upper` lines.
-
 ## v1.28.7
 Released: 2026-02-09
 
@@ -58,7 +43,7 @@ Released: 2026-01-12
 ## v1.28.3
 Released: 2025-12-17
 
-- IMPROVEMENT: Aligned service endpoints for `vmanomaly` [MCP Server](https://github.com/VictoriaMetrics/mcp-vmanomaly) integration.
+- IMPROVEMENT: Aligned service endpoints for `vmanomaly` [MCP Server](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly) integration.
 
 ## v1.28.2
 Released: 2025-12-11

docs/anomaly-detection/FAQ.md

@@ -139,7 +139,7 @@ For information on migrating between different versions of `vmanomaly`, please r
 
 ## Choosing the right model for vmanomaly
 
-> {{% available_from "v1.28.3" anomaly %}} Try our [MCP Server](https://github.com/VictoriaMetrics/mcp-vmanomaly) to get AI-assisted recommendations on selecting the best model and its configuration for your use case. See [installation guide](https://github.com/VictoriaMetrics/mcp-vmanomaly#installation) for more details.
+> {{% available_from "v1.28.3" anomaly %}} Try our [MCP Server](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly) to get AI-assisted recommendations on selecting the best model and its configuration for your use case. See [installation guide](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly#installation) for more details.
 
 Selecting the best model for `vmanomaly` depends on the data's nature and the [types of anomalies](https://victoriametrics.com/blog/victoriametrics-anomaly-detection-handbook-chapter-2/#categories-of-anomalies) to detect. For instance, [Z-score](https://docs.victoriametrics.com/anomaly-detection/components/models/#online-z-score) is suitable for data without trends or seasonality, while more complex patterns might require models like [Prophet](https://docs.victoriametrics.com/anomaly-detection/components/models/#prophet).
 
@@ -151,8 +151,7 @@ Still not 100% sure what to use? We are [here to help](https://docs.victoriametr
 
 ## Incorporating domain knowledge
 
-> [!TIP]
-> {{% available_from "v1.28.3" anomaly %}} Try our [MCP Server](https://github.com/VictoriaMetrics/mcp-vmanomaly) to get AI-assisted recommendations on incorporating domain knowledge into your anomaly detection models. See [installation guide](https://github.com/VictoriaMetrics/mcp-vmanomaly#installation) for more details. {{% available_from "v1.29.0" anomaly %}} Connect MCP server to the [vmanomaly UI](https://docs.victoriametrics.com/anomaly-detection/ui/) to benefit from better response quality and tool access in the UI Copilot, which provides AI-assisted configuration generation and debugging capabilities. See the [UI documentation](https://docs.victoriametrics.com/anomaly-detection/ui/#ai-assistance) for instructions on how to set it up.
+> {{% available_from "v1.28.3" anomaly %}} Try our [MCP Server](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly) to get AI-assisted recommendations on incorporating domain knowledge into your anomaly detection models. See [installation guide](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly#installation) for more details.
 
 Anomaly detection models can significantly improve when incorporating business-specific assumptions about the data and what constitutes an anomaly. `vmanomaly` supports various [business-side configuration parameters](https://docs.victoriametrics.com/anomaly-detection/components/models/#common-args) across all built-in models to **reduce [false positives](https://victoriametrics.com/blog/victoriametrics-anomaly-detection-handbook-chapter-1/#false-positive)** and **align model behavior with business needs**, for example:
 
@@ -237,7 +236,7 @@ groups:
 
 > {{% available_from "v1.27.0" anomaly %}} You can also use the [vmanomaly UI](https://docs.victoriametrics.com/anomaly-detection/ui/) to generate alerting rules automatically based on your model configurations and selected thresholds.
 
-> {{% available_from "v1.28.3" anomaly %}} Check out our [MCP Server](https://github.com/VictoriaMetrics/mcp-vmanomaly) to get AI-assisted recommendations on setting up alerting rules based on produced anomaly scores. See [installation guide](https://github.com/VictoriaMetrics/mcp-vmanomaly#installation) for more details.
+> {{% available_from "v1.28.3" anomaly %}} Check out our [MCP Server](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly) to get AI-assisted recommendations on setting up alerting rules based on produced anomaly scores. See [installation guide](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly#installation) for more details.
 
 ## Preventing alert fatigue
 Produced anomaly scores are designed in such a way that values from 0.0 to 1.0 indicate non-anomalous data, while a value greater than 1.0 is generally classified as an anomaly. However, there are no perfect models for anomaly detection, that's why reasonable defaults expressions like `anomaly_score > 1` may not work 100% of the time. However, anomaly scores, produced by `vmanomaly` are written back as metrics to VictoriaMetrics, where tools like [`vmalert`](https://docs.victoriametrics.com/victoriametrics/vmalert/) can use [MetricsQL](https://docs.victoriametrics.com/victoriametrics/metricsql/) expressions to fine-tune alerting thresholds and conditions, balancing between avoiding [false negatives](https://victoriametrics.com/blog/victoriametrics-anomaly-detection-handbook-chapter-1/#false-negative) and reducing [false positives](https://victoriametrics.com/blog/victoriametrics-anomaly-detection-handbook-chapter-1/#false-positive).
@@ -420,7 +419,7 @@ services:
   # ...
   vmanomaly:
     container_name: vmanomaly
-    image: victoriametrics/vmanomaly:v1.29.0
+    image: victoriametrics/vmanomaly:v1.28.7
     # ...
     restart: always
     volumes:
@@ -638,7 +637,7 @@ options:
 Here’s an example of using the config splitter to divide configurations based on the `extra_filters` argument from the reader section:
 
 ```sh
-docker pull victoriametrics/vmanomaly:v1.29.0 && docker image tag victoriametrics/vmanomaly:v1.29.0 vmanomaly
+docker pull victoriametrics/vmanomaly:v1.28.6 && docker image tag victoriametrics/vmanomaly:v1.28.7 vmanomaly
 ```
 
 ```sh

docs/anomaly-detection/Migration.md

@@ -45,8 +45,8 @@ There are 2 types of compatibilitity to consider when migrating in stateful mode
 
 | Group start | Group end | Compatibility | Notes |
 |---------|--------- |------------|-------|
-| [v1.29.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1290) | Latest* | Fully Compatible | Just a placeholder for new releases |
-| [v1.26.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1262) | [v1.29.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1290) | Fully Compatible | [v1.28.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1280) introduced [rolling](https://docs.victoriametrics.com/anomaly-detection/components/models/#rolling-models) model class drop in favor of [online](https://docs.victoriametrics.com/anomaly-detection/components/models/#online-models) models (`rolling_quantile` and `std` models), however, it does not impact compatibility, as artifacts were not produced by default for rolling models. Also, offline `mad` and `zscore` models are redirecting to their respective online counterparts since [v1.28.4](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1284). |
+| [v1.28.7](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1287) | Latest* | Fully Compatible | Just a placeholder for new releases |
+| [v1.26.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1262) | [v1.28.7](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1287) | Fully Compatible | [v1.28.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1280) introduced [rolling](https://docs.victoriametrics.com/anomaly-detection/components/models/#rolling-models) model class drop in favor of [online](https://docs.victoriametrics.com/anomaly-detection/components/models/#online-models) models (`rolling_quantile` and `std` models), however, it does not impact compatibility, as artifacts were not produced by default for rolling models. Also, offline `mad` and `zscore` models are redirecting to their respective online counterparts since [v1.28.4](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1284). |
 | [v1.25.3](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1253) | [v1.26.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1270) | Partially Compatible* | [v1.25.3](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1253) introduced `forecast_at` argument for base [univariate](https://docs.victoriametrics.com/anomaly-detection/components/models/#univariate-models) and `Prophet` [models](https://docs.victoriametrics.com/anomaly-detection/components/models/#prophet), however, itself remains backward-reversible from newer states like [v1.26.2](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1262), [v1.27.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1270). (All models except `isolation_forest_multivariate` class will be dropped) |
 | [v1.25.1](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1251) | [v1.25.2](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1252) | Fully Compatible | In [v1.25.1](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1251) there was a change to `vmanomaly.db` metadata database format, so migrating from v1.24.0-v1.25.0 requires deletion of a state, see note above the table |
 | [v1.24.1](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1241) | [v1.25.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1250) | Partially Compatible* | In [v1.25.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1250) there were changes to **data dump layout** and to `online_quantile` and `isolation_forest_multivariate` [model](https://docs.victoriametrics.com/anomaly-detection/components/models/) states, so to migrate from v1.24.0-v1.24.1 it is recommended to drop the state |

docs/anomaly-detection/QuickStart.md

@@ -122,7 +122,7 @@ Below are the steps to get `vmanomaly` up and running inside a Docker container:
 1. Pull Docker image:
 
 ```sh
-docker pull victoriametrics/vmanomaly:v1.29.0
+docker pull victoriametrics/vmanomaly:v1.28.7
 ```
 
 2. Create the license file with your license key.
@@ -142,7 +142,7 @@ docker run -it \
     -v ./license:/license \
     -v ./config.yaml:/config.yaml \
     -p 8490:8490 \
-    victoriametrics/vmanomaly:v1.29.0 \
+    victoriametrics/vmanomaly:v1.28.7 \
     /config.yaml \
     --licenseFile=/license \
     --loggerLevel=INFO \
@@ -159,7 +159,7 @@ docker run -it \
     -e VMANOMALY_DATA_DUMPS_DIR=/tmp/vmanomaly/data \
     -e VMANOMALY_MODEL_DUMPS_DIR=/tmp/vmanomaly/models \
     -p 8490:8490 \
-    victoriametrics/vmanomaly:v1.29.0 \
+    victoriametrics/vmanomaly:v1.28.7 \
     /config.yaml \
     --licenseFile=/license \
     --loggerLevel=INFO \
@@ -172,7 +172,7 @@ services:
   # ...
   vmanomaly:
     container_name: vmanomaly
-    image: victoriametrics/vmanomaly:v1.29.0
+    image: victoriametrics/vmanomaly:v1.28.7
     # ...
     restart: always
     volumes:
@@ -305,11 +305,11 @@ writer:
 
 ### UI
 
-{{% available_from "v1.26.0" anomaly %}} `vmanomaly`'s built-in web UI can be used for prototyping and interactive experimenting to produce vmanomaly's and vmalert's configuration files. Please refer to the [UI documentation](https://docs.victoriametrics.com/anomaly-detection/ui/) for detailed instructions and examples. {{% available_from "v1.29.0" anomaly %}} Connect MCP server to the UI to benefit from better response quality and tool access in the UI Copilot, which provides AI-assisted configuration generation and debugging capabilities. See the [UI documentation](https://docs.victoriametrics.com/anomaly-detection/ui/#ai-assistance) for instructions on how to set it up.
+{{% available_from "v1.26.0" anomaly %}} `vmanomaly`'s built-in web UI can be used for prototyping and interactive experimenting to produce vmanomaly's and vmalert's configuration files. Please refer to the [UI documentation](https://docs.victoriametrics.com/anomaly-detection/ui/) for detailed instructions and examples.
 
 ![vmanomaly-ui-overview](vmanomaly-ui-overview.webp)
 > [!TIP]
-> Public playgrounds with pre-configured `vmanomaly` instances and VictoriaMetrics/VictoriaLogs/VictoriaTraces datasources are available for interactive experimenting without the need to set up your own instance or getting an enterprise license. You can find them in the [UI documentation](https://docs.victoriametrics.com/anomaly-detection/ui/#playgrounds) or access them directly via the links - [metrics](https://play-vmanomaly.victoriametrics.com/metrics/), [logs](https://play-vmanomaly.victoriametrics.com/logs/), [traces](https://play-vmanomaly.victoriametrics.com/traces/) - or embedded versions in the collapsible blocks.
+Public playgrounds with pre-configured `vmanomaly` instances and VictoriaMetrics/VictoriaLogs/VictoriaTraces datasources are available for interactive experimenting without the need to set up your own instance or getting an enterprise license. You can find them in the [UI documentation](https://docs.victoriametrics.com/anomaly-detection/ui/#playgrounds) or access them directly via the links - [metrics](https://play-vmanomaly.victoriametrics.com/metrics/), [logs](https://play-vmanomaly.victoriametrics.com/logs/), [traces](https://play-vmanomaly.victoriametrics.com/traces/) - or embedded versions in the collapsible blocks.
 
 {{% collapse name="Playground on VictoriaMetrics Datasource" %}}
 

docs/anomaly-detection/README.md

@@ -55,7 +55,7 @@ Get started with VictoriaMetrics Anomaly Detection by following our guides and i
 
 - **Quickstart**: Learn how to quickly set up `vmanomaly` by following the [Quickstart Guide](https://docs.victoriametrics.com/anomaly-detection/quickstart/).
 - **UI**: Explore anomaly detection configurations through the [vmanomaly UI](https://docs.victoriametrics.com/anomaly-detection/ui/).
-- **MCP**: Allow AI to assist you in generating service and alerting configurations, answering questions, planning migration with the [MCP Server](https://github.com/VictoriaMetrics/mcp-vmanomaly). Find the setup guide how to setup and use it [here](https://github.com/VictoriaMetrics/mcp-vmanomaly?tab=readme-ov-file#installation).
+- **MCP**: Allow AI to assist you in generating service and alerting configurations, answering questions, planning migration with the [MCP Server](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly). Find the setup guide how to setup and use it [here](https://github.com/VictoriaMetrics-Community/mcp-vmanomaly?tab=readme-ov-file#installation).
 - **Integration**: Integrate anomaly detection into your existing observability stack. Find detailed steps [here](https://docs.victoriametrics.com/anomaly-detection/guides/guide-vmanomaly-vmalert/).
 - **Anomaly Detection Presets**: Enable anomaly detection on predefined sets of metrics. Learn more [here](https://docs.victoriametrics.com/anomaly-detection/presets/).
 

docs/anomaly-detection/UI.md

@@ -183,94 +183,6 @@ The best applications of this mode are:
 
 > However, the UI can be **combined with existing production jobs of anomaly detection, as it is available in non-blocking mode for all running vmanomaly instances** {{% available_from "v1.26.0" anomaly %}}, regardless of the preset or configuration used, just at a cost of increased resource usage.
 
-## AI Assistance
-
-{{% available_from "v1.29.0" anomaly %}} Copilot is an AI assistant built into the vmanomaly UI. It understands current anomaly detection configuration in the UI and helps iterate faster and obtain better results - without leaving the UI, searching the docs manually, or being an expert in anomaly detection.
-
-### What you can do with Copilot
-
-- **Ask questions** about any model (e.g. [Prophet](https://docs.victoriametrics.com/anomaly-detection/components/models/#prophet) or [Z-score](https://docs.victoriametrics.com/anomaly-detection/components/models/#online-z-score) — parameters, trade-offs, when to use each)
-- **Improve detection quality** — describe what's wrong ("too many false positives", "missing spikes") and Copilot reads the config, searches the docs, and proposes a validated configuration change to fix the issue.
-- **Get config suggestions inline** — suggestions appear as interactive cards with an explanation and a YAML diff; click **Apply** to write the change directly to your current settings, or **Decline** to keep the conversation going.
-
-### How it works
-
-Copilot appears as a **chat popup** anchored to the bottom-right corner of the page. The panel is resizable by dragging its left edge, and can be opened or closed by clicking the respective icon.
-
-> [!TIP] Copilot is context-aware
-> It reads your active model, scheduler, and anomaly settings from the UI automatically, so you don't need to paste your config manually.
-
-### Configuration
-
-AI Assistant is disabled by default; enable it with `VMANOMALY_COPILOT_ENABLED=true`, then configure an LLM provider API key and, optionally, a model. Once enabled and configured, Copilot will appear as a chat popup in the bottom-right corner of the UI.
-
-
-
-Supported providers and model formats:
-
-- **Anthropic** — set `ANTHROPIC_API_KEY`; model format: `anthropic:<model>`
-  - Examples: `claude-haiku-4-5`, `claude-sonnet-4-6`; see [full list](https://platform.claude.com/docs/en/about-claude/models/overview#latest-models-comparison)
-- **OpenAI** — set `OPENAI_API_KEY`; model format: `openai:<model>`
-  - Examples: `gpt-5-mini`, `gpt-5.2`; see [full list](https://platform.openai.com/docs/models)
-
-Set exactly one provider key matching your selected model provider:
-
-```bash
-# Anthropic
-export ANTHROPIC_API_KEY=your_key_here
-
-# or OpenAI
-export OPENAI_API_KEY=your_key_here
-```
-
-Optionally override the default model:
-
-```bash
-export VMANOMALY_COPILOT_MODEL=openai:gpt-5-mini
-```
-
-### MCP tools server
-
-Connects Copilot to [mcp-vmanomaly](https://github.com/VictoriaMetrics/mcp-vmanomaly) for full tool access (built-in docs, models configuration and validation, alerts recommendation, service healthchecks, etc.). Full [tools list](https://github.com/VictoriaMetrics/mcp-vmanomaly?tab=readme-ov-file#toolset):
-
-> [!NOTE]
-> Only `http` [mode](https://github.com/VictoriaMetrics/mcp-vmanomaly?tab=readme-ov-file#modes) is supported. Set `VMANOMALY_MCP_SERVER_URL` to the MCP server HTTP endpoint. The server must be reachable from within the vmanomaly container.
-
-For example:
-
-```bash
-export VMANOMALY_MCP_SERVER_URL=http://localhost:8081/mcp
-```
-
-Use `localhost` only when the vmanomaly process can reach the MCP server on its own loopback interface (for example, both running on the host). If vmanomaly runs in a separate Docker container, use a reachable container or host address instead.
-
-**Example**: if using Docker, run `mcp-vmanomaly` and vmanomaly UI in the same Docker network so they can reach each other by container name:
-
-```bash
-docker network create vmanomaly-network
-
-docker run -d --rm \
-  --name mcp-vmanomaly \
-  --network vmanomaly-network \
-  -e VMANOMALY_ENDPOINT=http://vmanomaly-instance:8490 \
-  -e MCP_SERVER_MODE=http \
-  -e MCP_LISTEN_ADDR=:8081 \
-  ghcr.io/victoriametrics/mcp-vmanomaly
-
-docker run -it --rm \
-  --name vmanomaly-instance \
-  --network vmanomaly-network \
-  -e VMANOMALY_COPILOT_ENABLED=true \
-  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
-  -e VMANOMALY_COPILOT_MODEL=openai:gpt-5-mini \
-  -e VMANOMALY_MCP_SERVER_URL=http://mcp-vmanomaly:8081/mcp \
-  -p 8080:8080 \
-  -p 8490:8490 \
-  victoriametrics/vmanomaly:v1.29.0 \
-  vmanomaly_config.yaml
-```
-
-
 ## UI Navigation
 
 The vmanomaly UI provides a user-friendly interface for exploring and configuring anomaly detection models. The main components of the UI include:
@@ -589,15 +501,6 @@ If the **results** look good and the **model configuration should be deployed in
 
 ## Changelog
 
-### v1.5.0
-Released: 2026-03-05
-
-vmanomaly version: [v1.29.0](https://docs.victoriametrics.com/anomaly-detection/changelog/#v1290)
-
-- FEATURE: Allowed AI assistance use for documentation Q&A, model configuration suggestion and application, optionally backed by [MCP Server tools](https://github.com/VictoriaMetrics/mcp-vmanomaly/tree/main). Please refer to [AI Assistance](https://docs.victoriametrics.com/anomaly-detection/ui/#ai-assistance) section for details.
-- FEATURE: Added filtering of timeseries in the Visualization Panel by labels and statistics (e.g. anomaly count) to focus on the most relevant series when many series are returned by the query.
-- BUGFIX: Fixed missing datapoints in [BacktestingScheduler](https://docs.victoriametrics.com/anomaly-detection/components/scheduler/#backtesting-scheduler) windows combined with [exact mode](https://docs.victoriametrics.com/anomaly-detection/components/scheduler/#defining-inference-timeframe-1), leading to "gaps" in plotted predictions and scores.
-
 ### v1.4.3
 Released: 2026-02-09
 

docs/anomaly-detection/components/models.md

@@ -1219,7 +1219,7 @@ monitoring:
 Let's pull the docker image for `vmanomaly`:
 
 ```sh
-docker pull victoriametrics/vmanomaly:v1.29.0
+docker pull victoriametrics/vmanomaly:v1.28.7
 ```
 
 Now we can run the docker container putting as volumes both config and model file:
@@ -1233,7 +1233,7 @@ docker run -it \
 -v $(PWD)/license:/license \
 -v $(PWD)/custom_model.py:/vmanomaly/model/custom.py \
 -v $(PWD)/custom.yaml:/config.yaml \
-victoriametrics/vmanomaly:v1.29.0 /config.yaml \
+victoriametrics/vmanomaly:v1.28.7 /config.yaml \
 --licenseFile=/license
 --watch
 ```

docs/anomaly-detection/guides/guide-vmanomaly-vmalert/README.md

@@ -10,9 +10,9 @@ sitemap:
 
 - To use *vmanomaly*, part of the enterprise package, a license key is required. Obtain your key [here](https://victoriametrics.com/products/enterprise/trial/) for this tutorial or for enterprise use.
 - In the tutorial, we'll be using the following VictoriaMetrics components:
-  -  [VictoriaMetrics Single-Node](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) (v1.137.0)
-  -  [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/) (v1.137.0)
-  -  [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/) (v1.137.0)
+  -  [VictoriaMetrics Single-Node](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) (v1.136.0)
+  -  [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/) (v1.136.0)
+  -  [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/) (v1.136.0)
 - [Grafana](https://grafana.com/) (v.10.2.1)
 - [Docker](https://docs.docker.com/get-docker/) and [Docker Compose](https://docs.docker.com/compose/)
 - [Node exporter](https://github.com/prometheus/node_exporter#node-exporter) (v1.7.0) and [Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/) (v0.27.0)
@@ -323,7 +323,7 @@ Let's wrap it all up together into the `docker-compose.yml` file.
 services:
   vmagent:
     container_name: vmagent
-    image: victoriametrics/vmagent:v1.137.0
+    image: victoriametrics/vmagent:v1.136.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -340,7 +340,7 @@ services:
 
   victoriametrics:
     container_name: victoriametrics
-    image: victoriametrics/victoria-metrics:v1.137.0
+    image: victoriametrics/victoria-metrics:v1.136.0
     ports:
       - 8428:8428
     volumes:
@@ -373,7 +373,7 @@ services:
 
   vmalert:
     container_name: vmalert
-    image: victoriametrics/vmalert:v1.137.0
+    image: victoriametrics/vmalert:v1.136.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -395,7 +395,7 @@ services:
     restart: always
   vmanomaly:
     container_name: vmanomaly
-    image: victoriametrics/vmanomaly:v1.29.0
+    image: victoriametrics/vmanomaly:v1.28.5
     depends_on:
       - "victoriametrics"
     ports:

docs/guides/getting-started-with-opentelemetry/README.md

@@ -7,7 +7,7 @@ sitemap:
   disable: true
 ---
 
-This guide walks you through deploying VictoriaMetrics and VictoriaLogs on Kubernetes, and collecting [metrics](https://docs.victoriametrics.com/victoriametrics/data-ingestion/opentelemetry-collector/) and [logs](https://docs.victoriametrics.com/victorialogs/data-ingestion/opentelemetry/) from a Go application either directly or via the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/).
+This guide walks you through deploying VictoriaMetrics and VictoriaLogs on Kubernetes, and collecting [metrics](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#sending-data-via-opentelemetry) and [logs](https://docs.victoriametrics.com/victorialogs/data-ingestion/opentelemetry/) from a Go application either directly or via the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/).
 
 ## Pre-Requirements
 
@@ -316,4 +316,4 @@ using query `service.name: unknown_service:otel`.
 ## Limitations
 
 - VictoriaMetrics and VictoriaLogs do not support experimental JSON encoding [format](https://github.com/open-telemetry/opentelemetry-proto/blob/main/examples/metrics.json).
-
+- VictoriaMetrics supports only the `AggregationTemporalityCumulative` type for [histogram](https://opentelemetry.io/docs/specs/otel/metrics/data-model/#histogram) and [summary](https://opentelemetry.io/docs/specs/otel/metrics/data-model/#summary-legacy). Either consider using cumulative temporality or use the [`delta-to-cumulative processor`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/deltatocumulativeprocessor) to convert to cumulative temporality in OpenTelemetry Collector.

docs/guides/grafana-vmauth-openid-configuration/README.md

@@ -1,463 +0,0 @@
-Using [Grafana](https://grafana.com/) with [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/) is an effective way to provide [multi-tenant](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#multitenancy) access to your metrics, logs, and traces.
-vmauth provides a way to authenticate users using [JWT tokens](https://en.wikipedia.org/wiki/JSON_Web_Token) {{% available_from "v1.138.0" %}} issued by an external identity provider.
-Those tokens can include information about the user and their tenant, which vmauth can use to restrict access so users only see metrics in their own tenant.
-
-This guide walks through configuring Grafana with OIDC to query metrics from both single-node and cluster deployments of VictoriaMetrics.
-
-## Prerequisites
-
-* [Docker](https://docs.docker.com/engine/install/) and [docker compose](https://docs.docker.com/compose/) must be installed.
-* [jq tool](https://jqlang.org/)
-* Add `grafana` and `keycloak` hosts to the `/etc/hosts` file, pointing to `127.0.0.1`.
-
-```
-# /etc/hosts
-
-# Setup vmauth - Multi-Tenant Access with Grafana & OIDC
-# https://docs.victoriametrics.com/guides/grafana-vmauth-openid-configuration/#prerequisites
-127.0.0.1 keycloak grafana
-```
-
-## Identity provider
-
-The identity provider must be able to issue JWT tokens with the following `vm_access` claim:
-
-```json
-{
-  "exp": 1772019469,
-  "vm_access": {
-    "metrics_account_id": 0,
-    "metrics_project_id": 0,
-    "metrics_extra_labels": [
-      "team=dev"
-    ],
-    "metrics_extra_filters": [
-     "{env=~\"aws|gcp\",cluster!=\"production\"}"
-    ]
-  }
-}
-```
-> Note: all properties inside `vm_access` are optional and could be omitted. `vm_access: {}` is a valid claim value.
-
-Some identity providers support only string-based claim values, and vmauth supports these as well:
-```json
-{
-  "exp": 1772019469,
-  "vm_access": "{\"metrics_account_id\": 0, \"metrics_project_id\": 0}"
-}
-```
-
-See details about all supported options in the [vmauth - JWT token auth proxy](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-token-auth-proxy).
-
-### Setup Keycloak
-
-[Keycloak](https://www.keycloak.org/) is an open-source identity provider that can issue JWT tokens.
-
-Add the following section to your `compose.yaml` file to configure Keycloak:
-
-```yaml
-# compose.yaml
-services:
-  keycloak:
-    image: quay.io/keycloak/keycloak:26.3
-    command:
-      - start-dev
-      - --http-port=3001
-    ports:
-      - 127.0.0.1:3001:3001
-    environment:
-      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "true"
-      KC_HOSTNAME: http://keycloak:3001/
-      KC_BOOTSTRAP_ADMIN_USERNAME: admin
-      KC_BOOTSTRAP_ADMIN_PASSWORD: change_me
-    volumes:
-      - keycloakdata:/opt/keycloak/data
-
-volumes:
-  keycloakdata: {}
-```
-
-Start the services:
-```sh
-docker compose up
-```
-
-Once Keycloak is available, follow the steps below to configure the OIDC client and users for Grafana:
-
-### Create client
-
-1. Open [http://keycloak:3001](http://keycloak:3001).
-1. Log in with credentials.
-    - Username: `admin`
-    - Password: `change_me`
-1. Go to `Clients` -> `Create client`.
-    - Use `OpenID Connect` as `Client Type`.
-    - Specify `grafana` as `Client ID`.
-    - Click `Next`.
-   ![Create client 1](create-client-1.webp)
-1. Enable `Client authentication`
-    - Enable `Authorization`.
-    - Enable `Direct access grants` (this is only required for testing the token but it can be disabled in production)
-   ![Create client 2](create-client-2.webp)
-    - Click `Next`.
-1. Add the Grafana URL as `Root URL`. For example, `http://grafana:3000`.
-   ![Create client 3](create-client-3.webp)
-    - Click `Save`.
-1. Go to `Clients` -> `grafana` -> `Client scopes`.
-   ![Create mapper 1](create-mapper-1.webp)
-   - Click on `grafana-dedicated` -> `Configure a new mapper` -> `User attribute`.
-   ![Create mapper 2](create-mapper-2.webp)
-1. Configure the mapper as follows:
-   - Set `Name` to `vm_access`.
-   - Set `User Attribute` to `vm_access`.
-   - Set `Token Claim Name` to `vm_access`.
-   - Set `Claim JSON Type` to `JSON`.
-   - Enable `Add to ID token` and `Add to access token`.
-   
-   ![Create mapper 3](create-mapper-3.webp)
-   - Click `Save`.
-
-### Create users
-
-1. Go to `Realm settings` -> `User profile`.
-   - Click `Create attribute`.
-   - Specify `vm_access` as `Attribute [Name]`.
-   ![User attributes](create-attribute.webp)
-   - Click `Create`.
-1. Go to `Users` -> `Add user`.
-   - Mark email as verified.
-   - Specify `test-dev` as `Username`.
-   - Specify `test-dev@example.com` as `Email`.
-   - Specify `vm_access` as `{"metrics_account_id": 1, "metrics_project_id": 2, "metrics_extra_labels": ["team=dev"]}`.
-   - Press `Create`
-   ![User attributes](user-attributes.webp)
-   - Go to `Users` -> `test-dev` user -> `Credentials` tab.
-   - Press `Set Password`.
-   - Type the password `testpass`.
-   - Disable `Temporary` option 
-   - Press `Save` and confirm.
-
-1. Go to `Users` -> `admin` user.
-   - Mark email as verified.
-   - Specify `admin@example.com` as `Email`.
-   - Specify `vm_access` as `{"metrics_account_id": 1, "metrics_project_id": 2, "metrics_extra_labels": ["team=admin"]}`.
-   - Click `Save`.
-
-### Test identity provider
-
-Gather the following information needed to configure Grafana:
-
-1. The Realm name must be `master`. To get the name, go to `Realm settings` -> `General` and copy the `Name`.
-1. The Client ID must be `grafana`. To get the ID, go to `Clients` -> `grafana` -> `Settings` and copy the `Client ID`.
-1. The Client Secret is dynamically generated. To get the secret, go to `Clients` -> `grafana` -> `Credentials` and copy the `Client Secret`.<br>
-   ![Client secret](client-secret.webp)
-   <br>
-
-Test that everything is working by requesting a token using `curl`:
-
-```sh
-TOKEN=$(curl --fail -s -X POST "http://keycloak:3001/realms/master/protocol/openid-connect/token" \
-    -H "Content-Type: application/x-www-form-urlencoded" \
-    -d "client_id=grafana" \
-    -d "client_secret={CLIENT_SECRET}" \
-    -d "grant_type=password" \
-    -d "username=test-dev" \
-    -d "password=testpass" | jq -r '.access_token') && echo $TOKEN
-```
-
-<!--
-fish example:
-set TOKEN (curl --fail -s -X POST "http://keycloak:3001/realms/master/protocol/openid-connect/token" \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -d "client_id=grafana" \
-  -d "client_secret={CLIENT_SECRET}" \
-  -d "grant_type=password" \
-  -d "username=test-dev" \
-  -d "password=testpass" | jq -r '.access_token'); and echo $TOKEN
--->
-
-The response should contain a valid JWT token with the `vm_access` claim. 
-Use [jwt.io](https://jwt.io/) to decode and verify that the vm_access claim is present with the expected values.
-
-> Please note that the issued token is short-lived, so you might need to refresh it before use in later chapters. 
-
-## VictoriaMetrics
-
-### Storage and scraping
-
-First, create a `scrape.yaml` file with vmagent scrape configuration to ingest data into vmsingle and vmstorage for testing purposes:
-
-```yaml
-# scrape.yaml
-scrape_configs:
-  - job_name: stat
-    metric_relabel_configs:
-      # The team label showcases extra_filter functionality used with vmsingle.
-      - if: "{instance =~ 'vmauth.*'}"
-        action: replace
-        target_label: team
-        replacement: admin
-      - if: "{instance =~ 'vmagent.*'}"
-        action: replace
-        target_label: team
-        replacement: dev
-
-      # The vm_account_id and vm_project_id labels showcase tenant functionality used with vmcluster
-      - if: "{instance =~ 'vmauth.*'}"
-        action: replace
-        target_label: vm_account_id
-        replacement: '1'
-      - if: "{instance =~ 'vmauth.*'}"
-        action: replace
-        target_label: vm_project_id
-        replacement: '2'
-      - if: "{instance =~ 'vmagent.*'}"
-        action: replace
-        target_label: vm_account_id
-        replacement: '1'
-      - if: "{instance =~ 'vmagent.*'}"
-        action: replace
-        target_label: vm_project_id
-        replacement: '2'
-    static_configs:
-      - targets:
-          - vmagent:8429
-          - vmauth:8427
-
-```
-
-Add VictoriaMetrics single-node and cluster to the `compose.yaml` file.
-These services will be used to store metrics scraped by vmagent and to query them via Grafana using vmauth.
-
-Relabeling rules will add the `team` label to the scraped metrics in order to test multi-tenant access.
-Metrics from `vmagent` will be labeled with `team=dev` and metrics from `vmauth` will be labeled with `team=admin`.
-
-vmagent will write data into VictoriaMetrics single-node and cluster (with tenant `1:2`).
-
-```yaml
-# compose.yaml
-services:
-  vmsingle:
-    image: victoriametrics/victoria-metrics:v1.138.0
-
-  vmstorage:
-    image: victoriametrics/vmstorage:v1.138.0-cluster
-
-  vminsert:
-    image: victoriametrics/vminsert:v1.138.0-cluster
-    command:
-      - -storageNode=vmstorage:8400
-
-  vmselect:
-    image: victoriametrics/vmselect:v1.138.0-cluster
-    command:
-      - -storageNode=vmstorage:8401
-
-  vmagent:
-    image: victoriametrics/vmagent:v1.138.0
-    volumes:
-      - ./scrape.yaml:/etc/vmagent/config.yaml
-    command:
-      - -promscrape.config=/etc/vmagent/config.yaml
-      - -remoteWrite.url=http://vminsert:8480/insert/multitenant/prometheus/api/v1/write
-      - -remoteWrite.url=http://vmsingle:8428/api/v1/write
-```
-
-### Vmauth
-
-Before we start, let's explore the concept of placeholders supported in the vmauth configuration.
-Placeholders can be used inside the `url_prefix` property to restrict access by setting the [tenant](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#url-format) or [extra filters](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#prometheus-querying-api-enhancements).
-
-A placeholder value is taken from the authenticated JWT token.
-The following placeholders are supported:
-- `{{.MetricsTenant}}` placeholder is a combination of `vm_access.metrics_account_id` and `vm_access.metrics_project_id` delimited by `:`.
-- `{{.MetricsExtraLabels}}` placeholder is substituted from `vm_access.metrics_extra_labels` claim property.
-- `{{.MetricsExtraFilters}}` placeholder is substituted from `vm_access.metrics_extra_filters` claim property.
-
-Now, let's create a vmauth configuration file `auth.yaml` that enables OIDC authorization using the [identity provider](https://docs.victoriametrics.com/guides/grafana-vmauth-openid-configuration/#identity-provider).
-For cluster access, we use the `{{.MetricsTenant}}` placeholder to route requests to a specific tenant.
-For single-node access, we use `{{.MetricsExtraLabels}}`. 
-Read more about templating in vmauth [docs](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-claim-based-request-templating).
-
-```yaml
-# auth.yaml
-users:
-  - jwt:
-      oidc:
-        issuer: 'http://keycloak:3001/realms/master'
-    url_map:
-      - src_paths:
-          - "/insert/.*"
-        drop_src_path_prefix_parts: 1
-        url_prefix: "http://vminsert:8480/insert/{{.MetricsTenant}}/prometheus/"
-      - src_paths:
-          - "/select/.*"
-        drop_src_path_prefix_parts: 1
-        url_prefix: "http://vmselect:8481/select/{{.MetricsTenant}}/prometheus/"
-      - src_paths:
-          - "/single/.*"
-        drop_src_path_prefix_parts: 1
-        url_prefix: "http://vmsingle:8428?extra_label={{.MetricsExtraLabels}}"
-```
-
-Now add the vmauth service to `compose.yaml`:
-
-```yaml
-# compose.yaml
-services:
-  vmauth:
-    image: docker.io/victoriametrics/vmauth:v1.138.0
-    ports:
-      - 8427:8427
-    volumes:
-      - ./auth.yaml:/auth.yaml
-    command:
-      - -auth.config=/auth.yaml
-```
-
-### Test vmauth
-
-Start the services:
-
-```sh
-docker compose up
-```
-
-Use the token obtained in the [Test identity provider](https://docs.victoriametrics.com/guides/grafana-vmauth-openid-configuration/#test-identity-provider) section to test vmauth configuration.
-
-Cluster select:
-```sh
-curl --fail http://localhost:8427/select/api/v1/status/buildinfo -H "Authorization: Bearer $TOKEN"
-
-# Output:
-# {"status":"success","data":{"version":"2.24.0"}}
-```
-
-Cluster insert:
-```sh
-curl --fail http://localhost:8427/insert/api/v1/write -H "Authorization: Bearer $TOKEN" -i
-# Output
-# HTTP/1.1 204 No Content
-# ...
-```
-
-Single select:
-```sh
-curl --fail http://localhost:8427/single/api/v1/status/buildinfo -H "Authorization: Bearer $TOKEN"
-
-# Output:
-# {"status":"success","data":{"version":"2.24.0"}}
-```
-
-## Grafana
-
-### Setup
-
-Add the Grafana service to the `compose.yaml` file.
-This configuration enables OAuth authentication using the previously configured Keycloak service as the identity provider.
-Don't forget to replace the `{CLIENT_SECRET}` placeholder with the actual client secret gathered earlier.
-
-```yaml
-# compose.yaml
-services:
-  grafana:
-    image: grafana/grafana:12.1.0
-    ports:
-      - 3000:3000
-    environment:
-      GF_SERVER_ROOT_URL: http://grafana:3000
-      GF_AUTH_GENERIC_OAUTH_ENABLED: true
-      GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: true
-      GF_AUTH_GENERIC_OAUTH_NAME: keycloak
-      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
-      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: '{CLIENT_SECRET}'
-      GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH: email
-      GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH: username
-      GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH: full_name
-      GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
-      GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN: true
-      GF_AUTH_GENERIC_OAUTH_AUTH_URL: http://keycloak:3001/realms/master/protocol/openid-connect/auth
-      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: http://keycloak:3001/realms/master/protocol/openid-connect/token
-      GF_AUTH_GENERIC_OAUTH_API_URL: http://keycloak:3001/realms/master/protocol/openid-connect/userinfo
-      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(groups[*], 'grafana-editor') && 'Editor' || 'GrafanaAdmin'
-    volumes:
-      - grafanadata:/var/lib/grafana/
-
-volumes:
-  grafanadata: {}
-```
-
-Alternatively, OAuth authentication can be enabled via the `grafana.ini` configuration file.
-Don't forget to mount it to the Grafana service at `/etc/grafana/grafana.ini`.
-
-```ini
-# grafana.ini
-
-[server]
-root_url = http://grafana:3000
-
-[auth.generic_oauth]
-enabled = true
-allow_sign_up = true
-name = keycloak
-client_id = grafana
-client_secret = {CLIENT_SECRET}
-scopes = openid profile email
-auth_url = http://keycloak:3001/realms/master/protocol/openid-connect/auth
-token_url = http://keycloak:3001/realms/master/protocol/openid-connect/token
-api_url = http://keycloak:3001/realms/master/protocol/openid-connect/userinfo
-use_refresh_token = true
-```
-
-After starting Grafana with the new config, you should be able to log in [http://grafana:3000](http://grafana:3000) using your [identity provider](https://docs.victoriametrics.com/guides/grafana-vmauth-openid-configuration/#identity-provider).
-
-![Grafana login](grafana-login.webp)
-
-### Datasource
-
-Create two Prometheus datasources in Grafana with the following URLs: `http://vmauth:8427/select` and `http://vmauth:8427/single`, pointing to the `vmselect` and `vmsingle` services, respectively. Make sure the authentication method is set to `Forward OAuth identity`.
-
-![Prometheus datasource](grafana-datasource-prometheus.webp)
-
-You can also use the VictoriaMetrics [Grafana datasource](https://github.com/VictoriaMetrics/victoriametrics-datasource) plugin.
-See installation instructions in [Grafana datasource - Installation](https://docs.victoriametrics.com/victoriametrics/victoriametrics-datasource/#installation).
-
-Users with the `vm_access` claim will be able to query metrics from the specified tenant with extra filters applied.
-
-### Test access
-
-The Grafana datasources configuration should be as follows:
-
-![Test datasources](grafana-test-datasources.webp)
-<figcaption style="text-align: center; font-style: italic;">Grafana vmauth datasources</figcaption>
-
-Let's log in as a dev user in the VictoriaMetrics cluster and single versions.
-Both data sources should return the same metrics.
-
-The only difference is the filter: for the VictoriaMetrics cluster, the `vmauth-cluster` data source must restrict results by `tenant=1:2`.
-
-![Cluster dev](grafana-cluster-dev.webp)
-<figcaption style="text-align: center; font-style: italic;">Logged in as dev user to Grafana dashboard on VictoriaMetrics Cluster</figcaption>
-
-While on VictoriaMetrics single `vmauth-single` must apply the `team=dev` label filter instead.
-
-![Single dev](grafana-single-dev.webp)
-<figcaption style="text-align: center; font-style: italic;">Logged in as dev user to Grafana dashboard on VictoriaMetrics Single</figcaption>
-
-Let's log in as an admin user. The `vmauth-single` data source should differ from the previous user, while `vmauth-cluster` should remain the same because both users use tenant `1:2`.
-
-The only difference is the filter: in the VictoriaMetrics cluster `vmauth-cluster`, the data source must restrict results by `tenant=1:2`.
-
-
-![Cluster admin](grafana-cluster-admin.webp)
-<figcaption style="text-align: center; font-style: italic;">Logged in as admin user to Grafana dashboard on VictoriaMetrics Cluster</figcaption>
-
-While in VictoriaMetrics single `vmauth-single` must apply the `team=admin` label filter instead.
-
-![Cluster admin](grafana-single-admin.webp)
-<figcaption style="text-align: center; font-style: italic;">Logged in as admin user to Grafana dashboard on VictoriaMetrics Single</figcaption>
-
-## Summary
-
-In this guide, we demonstrated how to set up vmauth with OIDC authorization using Keycloak as the identity provider. We also showed how to provide multi-tenant access to your metrics stored in VictoriaMetrics, single-node or cluster, using Grafana and vmauth with OIDC authorization enabled.
-

docs/guides/grafana-vmauth-openid-configuration/_index.md

@@ -1,14 +0,0 @@
----
-weight: 5
-title: Setup vmauth - Multi-Tenant Access with Grafana & OIDC
-menu:
-  docs:
-    parent: guides
-    weight: 5
-tags:
-  - metrics
-  - guide
-aliases:
-- /guides/grafana-vmauth-openid-configuration.html
----
-{{% content "README.md" %}}

docs/guides/grafana-vmgateway-openid-configuration/README.md

@@ -6,8 +6,6 @@ build:
 sitemap:
   disable: true
 ---
-> vmgateway access control feature has been deprecated. Consider following the vmauth guide [Setup vmauth - Multi-Tenant Access with Grafana & OIDC](https://docs.victoriametrics.com/guides/grafana-vmauth-openid-configuration/) instead. See [migration](https://docs.victoriametrics.com/victoriametrics/vmgateway/#access-control-migration-to-vmauth) docs.
-
 Using [Grafana](https://grafana.com/) with [vmgateway](https://docs.victoriametrics.com/victoriametrics/vmgateway/) is a great way to provide [multi-tenant](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#multitenancy) access to your metrics.
 vmgateway provides a way to authenticate users using [JWT tokens](https://en.wikipedia.org/wiki/JSON_Web_Token) issued by an external identity provider.
 Those tokens can include information about the user and the tenant they belong to, which can be used
@@ -40,7 +38,7 @@ See details about all supported options in the [vmgateway documentation](https:/
 
 ### Configuration example for Keycloak
 
-[Keycloak](https://www.keycloak.org/) is an open-source identity service that can issue JWT tokens.
+[Keycloak](https://www.keycloak.org/) is an open source identity service that can be used to issue JWT tokens.
 
 1. Log in with admin credentials to your Keycloak instance
 1. Go to `Clients` -> `Create`.<br>
@@ -85,9 +83,9 @@ See details about all supported options in the [vmgateway documentation](https:/
    ![User attributes](user-attributes.webp)
    Click `Save`.
 
-## Configure Grafana
+## Configure grafana
 
-To forward JWT tokens, Grafana must be configured to use OpenID Connect authentication as follows:
+To forward JWT tokens Grafana must be configured to use OpenID Connect authentication as follows:
 
 ```ini
 [auth.generic_oauth]
@@ -102,7 +100,7 @@ token_url = http://localhost:3001/realms/{KEYCLOAK_REALM}/protocol/openid-connec
 api_url = http://localhost:3001/realms/{KEYCLOAK_REALM}/protocol/openid-connect/userinfo
 ```
 
-After restarting Grafana with the new config, you should be able to log in using your identity provider.
+After restarting Grafana with the new config you should be able to log in using your identity provider.
 
 ## Start vmgateway
 
@@ -120,7 +118,7 @@ In order to enable multi-tenant access, you must also specify the `-clusterMode=
     -read.url=http://localhost:8481
 ```
 
-With this configuration, vmgateway will use the `vm_access` claim from the JWT token to restrict access to metrics.
+With this configuration vmgateway will use the `vm_access` claim from the JWT token to restrict access to metrics.
 For example, if the JWT token contains the following `vm_access` claim:
 
 ```json
@@ -133,21 +131,21 @@ For example, if the JWT token contains the following `vm_access` claim:
   }
 }
 ```
-> Note: in case `project_id` is not specified, the default value `0` is used.
+> Note: in case `project_id` is not specified, default value `0` is used.
 
-Then vmgateway will proxy the request to an endpoint with the following path:
+Then vmgateway will proxy request to an endpoint with the following path:
 
 ```sh
 http://localhost:8480/select/0:0/
 ```
 
-This allows us to restrict access to specific tenants without having to create separate datasources in Grafana,
+This allows to restrict access to specific tenants without having to create separate datasources in Grafana,
 or manually managing access at another proxy level. 
 
 ### Multi-tenant access for single-node VictoriaMetrics
 
-To use multi-tenant access with single-node VictoriaMetrics, you can use token claims such as `extra_labels`
-or `extra_filters` filled dynamically by using the Identity Provider's user information.
+In order to use multi-tenant access with single-node VictoriaMetrics, you can use token claims such as `extra_labels`
+or `extra_filters` filled dynamically by using Identity Provider's user information.
 vmgateway uses those claims and [enhanced Prometheus querying API](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#prometheus-querying-api-enhancements)
 to provide additional filtering capabilities.
 
@@ -169,14 +167,14 @@ This will add the following query args to the proxied request:
 - `extra_labels=team=dev`
 - `extra_filters={env=~"aws|gcp",cluster!="production"}`
 
-With this configuration, VictoriaMetrics will add the following filters to every query: `{team="dev", env=~"aws|gcp", cluster!="production"}`.
+With this configuration VictoriaMetrics will add the following filters to every query: `{team="dev", env=~"aws|gcp", cluster!="production"}`.
 So when user will try to query `vm_http_requests_total` query will be transformed to `vm_http_requests_total{team="dev", env=~"aws|gcp", cluster!="production"}`.
 
 ### Token signature verification
 
 It is also possible to enable [JWT token signature verification](https://docs.victoriametrics.com/victoriametrics/vmgateway/#jwt-signature-verification) at
 vmgateway.
-To do this by using the OpenID Connect discovery endpoint, you need to specify the `-auth.oidcDiscoveryEndpoints` flag. For example:
+To do this by using OpenID Connect discovery endpoint you need to specify the `-auth.oidcDiscoveryEndpoints` flag. For example:
 
 ```sh
 ./bin/vmgateway \
@@ -203,7 +201,7 @@ It is also possible to provide the public keys directly via the `-auth.publicKey
 Create a new Prometheus datasource in Grafana with the following URL `http://<vmgateway>:8431`.
 URL should point to the vmgateway instance.
 
-In the "Type and version" section, it is recommended to set the type to "Prometheus" and the version to at least "2.24.x":
+In the "Type and version" section it is recommended to set the type to "Prometheus" and the version to at least "2.24.x":
 
 ![Prometheus datasource](grafana-datasource-prometheus.webp)
 
@@ -216,11 +214,11 @@ Enable `Forward OAuth identity` flag.<br>
 ![Oauth identity](grafana-ds.webp)
 
 Now you can use Grafana to query metrics from the specified tenant.
-Users with a `vm_access` claim will be able to query metrics from the specified tenant.
+Users with `vm_access` claim will be able to query metrics from the specified tenant.
 
 ## Test multi-tenant access
 
-For the test purpose, we will set up the following services as [docker-compose](https://docs.docker.com/compose/) manifest:
+For the test purpose we will setup the following services as [docker-compose](https://docs.docker.com/compose/) manifest:
 - Grafana
 - Keycloak
 - vmagent to generate test metrics
@@ -251,27 +249,27 @@ services:
       - grafana_data:/var/lib/grafana/
 
   vmsingle:
-    image: victoriametrics/victoria-metrics:v1.137.0
+    image: victoriametrics/victoria-metrics:v1.136.0
     command:
       - -httpListenAddr=0.0.0.0:8429
 
   vmstorage:
-    image: victoriametrics/vmstorage:v1.137.0-cluster
+    image: victoriametrics/vmstorage:v1.136.0-cluster
 
   vminsert:
-    image: victoriametrics/vminsert:v1.137.0-cluster
+    image: victoriametrics/vminsert:v1.136.0-cluster
     command:
       - -storageNode=vmstorage:8400
       - -httpListenAddr=0.0.0.0:8480
 
   vmselect:
-    image: victoriametrics/vmselect:v1.137.0-cluster
+    image: victoriametrics/vmselect:v1.136.0-cluster
     command:
       - -storageNode=vmstorage:8401
       - -httpListenAddr=0.0.0.0:8481
 
   vmagent:
-    image: victoriametrics/vmagent:v1.137.0
+    image: victoriametrics/vmagent:v1.136.0
     volumes:
       - ./scrape.yaml:/etc/vmagent/config.yaml
     command:
@@ -280,7 +278,7 @@ services:
       - -remoteWrite.url=http://vmsingle:8429/api/v1/write
 
   vmgateway-cluster:
-    image: victoriametrics/vmgateway:v1.137.0-enterprise
+    image: victoriametrics/vmgateway:v1.136.0-enterprise
     ports:
       - 8431:8431
     volumes:
@@ -296,7 +294,7 @@ services:
       - -auth.oidcDiscoveryEndpoints=http://keycloak:8080/realms/master/.well-known/openid-configuration
 
   vmgateway-single:
-    image: victoriametrics/vmgateway:v1.137.0-enterprise
+    image: victoriametrics/vmgateway:v1.136.0-enterprise
     ports:
       - 8432:8431
     volumes:
@@ -313,7 +311,7 @@ volumes:
   grafana_data:
 ```
 
-For the test purpose, vmagent will be configured to scrape metrics from the following targets(`scrape.yaml` contents):
+For the test purpose vmagent will be configured to scrape metrics from the following targets(`scrape.yaml` contents):
 
 ```yaml
 scrape_configs:
@@ -343,27 +341,27 @@ Grafana datasources configuration will be the following:
 
 ![Test datasources](grafana-test-datasources.webp)
 
-Let's log in as a user with `team=dev` labels limitation set via claims.
+Let's login as user with `team=dev` labels limitation set via claims.
 
-Using `vmgateway-cluster` results in `No data` response as the proxied request will go to tenant `0:1`.
-Since vmagent is configured to write only to `0:0`, the `No data` response is expected.
+Using `vmgateway-cluster` results into `No data` response as proxied request will go to tenant `0:1`.
+Since vmagent is only configured to write to `0:0` `No data` is an expected response.
 
 ![Dev cluster nodata](dev-cluster-nodata.webp)
 
-Switching to `vmgateway-single` does have data. Note that it is limited to metrics with the `team=dev` label.
+Switching to `vmgateway-single` does have data. Note that it is limited to metrics with `team=dev` label.
 
 ![Dev single data](dev-single-data.webp)
 
-Now let's log in as a user with `team=admin`.
+Now lets login as user with `team=admin`.
 
-Both cluster and single-node datasources now return metrics for `team=admin`.
+Both cluster and single node datasources now return metrics for `team=admin`.
 
 ![Admin cluster data](admin-cluster-data.webp)
 ![Admin single data](admin-single-data.webp)
 
-## Using OAuth for remote write with vmagent
+## Using oAuth for remote write with vmagent
 
-vmagent can be configured to use OAuth for remote write. This adds authentication to write requests.
+vmagent can be configured to use oAuth for remote write. This is in order to add authentication to the write requests.
 
 In order to create a client for vmagent to use, follow the steps below:
 
@@ -377,7 +375,7 @@ In order to create a client for vmagent to use, follow the steps below:
    Enable `Authorization`.<br>
    ![Create client 2](vmagent-create-client-2.webp)
    Click `Next`.<br>
-1. Leave the URLs section empty, as vmagent will not use any.
+1. Leave URLs section empty as vmagent will not use any.
    ![Create client 3](vmagent-create-client-3.webp)
    Click `Save`.<br>
 1. Go to `Clients` -> `vmagent` -> `Credentials`.<br>
@@ -398,16 +396,16 @@ In order to create a client for vmagent to use, follow the steps below:
    Click `Save`.<br>
 1. Go to `Service account roles` -> click on `service-account-vmagent`.<br>
    ![vmagent service account](vmagent-sa.webp)
-1. Go to the `Attributes` tab and add an attribute.
+1. Go to `Attributes` tab and add an attribute.
    Change `vm_access` attribute value to `{"tenant_id" : {"account_id": 0, "project_id": 0 }}`. <br>
    ![User attributes](vmagent-sa-attributes.webp)
    Click `Save`.
 
-Once the iDP configuration is done, the vmagent configuration needs to be updated to use OAuth for remote write:
+Once iDP configuration is done, vmagent configuration needs to be updated to use oAuth for remote write:
 
 ```yaml
   vmagent:
-    image: victoriametrics/vmagent:v1.137.0
+    image: victoriametrics/vmagent:v1.136.0
     volumes:
       - ./scrape.yaml:/etc/vmagent/config.yaml
       - ./vmagent-client-secret:/etc/vmagent/oauth2-client-secret
@@ -421,8 +419,7 @@ Once the iDP configuration is done, the vmagent configuration needs to be update
       - -remoteWrite.oauth2.scopes=openid
 ```
 
-It is required to replace `{CLIENT_ID}` with the client ID and provide the client secret in the `vmagent-client-secret` file.
+It is required to replace `{CLIENT_ID}` with the client ID and provide the client secret in `vmagent-client-secret` file.
 Note that vmagent will use the same token for both single-node and cluster vmgateway. vmgateway running in cluster mode
-will use the tenant information from the token to route the request to the correct tenant. vmgateway running in single-node mode
+will use tenant information from the token to route the request to the correct tenant. vmgateway running in single-node mode
 will just verify token validity.
-

docs/guides/grafana-vmgateway-openid-configuration/_index.md

@@ -1,7 +1,10 @@
 ---
-weight: 16
+weight: 5
 title: Setup vmgateway - Multi-Tenant Access with Grafana & OIDC
-menu: false
+menu:
+  docs:
+    parent: guides
+    weight: 5
 tags:
   - metrics
   - guide

docs/guides/k8s-monitoring-via-vm-cluster/README.md

@@ -6,62 +6,67 @@ build:
 sitemap:
   disable: true
 ---
+**This guide covers:**
 
-This guide walks you through deploying a VictoriaMetrics cluster version on Kubernetes.
+* The setup of a [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) in [Kubernetes](https://kubernetes.io/) via Helm charts
+* How to scrape metrics from k8s components using service discovery 
+* How to visualize stored data 
+* How to store metrics in [VictoriaMetrics](https://victoriametrics.com) tsdb
 
-By the end of this guide, you will know:
-
-- How to install and configure [VictoriaMetrics cluster version](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) using Helm.
-- How to scrape metrics from Kubernetes components using service discovery.
-- How to store metrics in [VictoriaMetrics](https://victoriametrics.com) time-series database.
-- How to visualize metrics in Grafana
+**Precondition**
 
 We will use:
+* [Kubernetes cluster 1.31.1-gke.1678000](https://cloud.google.com/kubernetes-engine)
+> We use GKE cluster from [GCP](https://cloud.google.com/) but this guide is also applied on any Kubernetes cluster. For example [Amazon EKS](https://aws.amazon.com/ru/eks/).
+* [Helm 3.14+](https://helm.sh/docs/intro/install)
+* [kubectl 1.31](https://kubernetes.io/docs/tasks/tools/install-kubectl)
 
-- [Kubernetes cluster 1.34+](https://cloud.google.com/kubernetes-engine)
-- [Helm 4.1+](https://helm.sh/docs/intro/install)
-- [kubectl 1.34+](https://kubernetes.io/docs/tasks/tools/install-kubectl)
-
-> We use a GKE cluster from [GCP](https://cloud.google.com/), but this guide can also be applied to any Kubernetes cluster. For example, [Amazon EKS](https://aws.amazon.com/ru/eks/) or an on-premises cluster.
+![VMCluster on K8s](scheme.webp)
 
 ## 1. VictoriaMetrics Helm repository
 
-To start, add the VictoriaMetrics Helm repository with the following commands:
+You need to add the VictoriaMetrics Helm repository to install VictoriaMetrics components. We’re going to use [VictoriaMetrics Cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/). You can do this by running the following command:
 
 ```shell
 helm repo add vm https://victoriametrics.github.io/helm-charts/
+```
+
+Update Helm repositories:
+
+```shell
 helm repo update
 ```
 
-To verify that everything is set up correctly, you may run this command:
+To verify that everything is set up correctly you may run this command:
 
 ```shell
 helm search repo vm/
 ```
 
-You should see a list similar to this:
+The expected output is:
 
 ```text
-NAME                                    CHART VERSION   APP VERSION     DESCRIPTION
-vm/victoria-metrics-cluster             0.34.0          v1.135.0        VictoriaMetrics Cluster version - high-performa...
-vm/victoria-metrics-agent               0.31.0          v1.135.0        VictoriaMetrics Agent - collects metrics from v...
-...(the list continues)...
+NAME                           	CHART VERSION	APP VERSION	DESCRIPTION                                       
+vm/victoria-logs-single        	0.9.3        	v1.16.0    	Victoria Logs Single version - high-performance...
+vm/victoria-metrics-agent      	0.17.2       	v1.113.0   	Victoria Metrics Agent - collects metrics from ...
+vm/victoria-metrics-alert      	0.15.0       	v1.113.0   	Victoria Metrics Alert - executes a list of giv...
+vm/victoria-metrics-anomaly    	1.9.0        	v1.21.0    	Victoria Metrics Anomaly Detection - a service ...
+vm/victoria-metrics-auth       	0.10.0       	v1.113.0   	Victoria Metrics Auth - is a simple auth proxy ...
+vm/victoria-metrics-cluster    	0.19.2       	v1.113.0   	Victoria Metrics Cluster version - high-perform...
+vm/victoria-metrics-common     	0.0.42       	           	Victoria Metrics Common - contains shared templ...
+vm/victoria-metrics-distributed	0.9.0        	v1.113.0   	A Helm chart for Running VMCluster on Multiple ...
+vm/victoria-metrics-gateway    	0.8.0        	v1.113.0   	Victoria Metrics Gateway - Auth & Rate-Limittin...
+vm/victoria-metrics-k8s-stack  	0.39.0       	v1.113.0   	Kubernetes monitoring on VictoriaMetrics stack....
+vm/victoria-metrics-operator   	0.43.0       	v0.54.1    	Victoria Metrics Operator                         
+vm/victoria-metrics-single     	0.15.1       	v1.113.0   	Victoria Metrics Single version - high-performa...
 ```
 
 ## 2. Install VictoriaMetrics Cluster from the Helm chart
 
-A [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) consists of three services:
-
-- `vminsert`: receives incoming metrics and distributes them across `vmstorage` nodes via consistent hashing on metric names and labels.
-- `vmstorage`: stores raw data and serves queries filtered by time range and labels.
-- `vmselect`: executes queries by fetching data across all configured `vmstorage` nodes.
-
-![VictoriaMetrics Cluster on Kubernetes](scheme.webp)
-
-To get started, create a config file for the VictoriaMetrics Helm chart:
+Run this command in your terminal:
 
 ```sh
-cat <<EOF >victoria-metrics-cluster-values.yml
+cat <<EOF | helm install vmcluster vm/victoria-metrics-cluster -f -
 vmselect:
   podAnnotations:
       prometheus.io/scrape: "true"
@@ -79,26 +84,19 @@ vmstorage:
 EOF
 ```
 
-The config file defines two settings for the VictoriaMetrics services:
+* By running `Helm install vmcluster vm/victoria-metrics-cluster` we install [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) to default [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) inside your cluster.
+* By adding `podAnnotations: prometheus.io/scrape: "true"` we enable the scraping of metrics from the vmselect, vminsert and vmstorage pods.
+* By adding `podAnnotations:prometheus.io/port: "some_port" ` we  enable the scraping of metrics from the vmselect, vminsert and vmstorage pods from their ports as well.
 
-- `podAnnotations: prometheus.io/scrape: "true"` enables automatic service discovery and metric scraping from the VictoriaMetrics pods.
-- `podAnnotations:prometheus.io/port: "<port-number>"` defines which port numbers to target for scraping metrics from the VictoriaMetrics pods.
 
-Next, install VictoriaMetrics cluster version with the following command:
-
-```sh
-helm install vmcluster vm/victoria-metrics-cluster -f victoria-metrics-cluster-values.yml
-```
-
-The expected output should look like this:
+As a result of this command you will see the following output:
 
 ```text
 NAME: vmcluster
-LAST DEPLOYED: Wed Feb  4 12:00:55 2026
+LAST DEPLOYED: Fri Mar 21 11:55:50 2025
 NAMESPACE: default
 STATUS: deployed
 REVISION: 1
-DESCRIPTION: Install complete
 TEST SUITE: None
 NOTES:
 Write API:
@@ -143,29 +141,16 @@ for example - inside the Kubernetes cluster:
     http://vmcluster-victoria-metrics-cluster-vmselect.default.svc.cluster.local.:8481/select/0/prometheus/
 ```
 
-Note the following endpoint URLs:
-
-- The `remote_write` URL will be required on [Step 3](https://docs.victoriametrics.com/guides/k8s-monitoring-via-vm-cluster/#id-3-install-vmagent-from-the-helm-chart) to configure where the `vmagent` service sends telemetry data.
-
-    ```text
-        remote_write:
-          - url: http://vmcluster-victoria-metrics-cluster-vminsert.default.svc.cluster.local.:8480/insert/0/prometheus/
-    ```
-
-- The `VictoriaMetrics read api` will be required on [Step 4](https://docs.victoriametrics.com/guides/k8s-monitoring-via-vm-cluster/#id-4-install-and-connect-grafana-to-victoriametrics-with-helm) to configure the Grafana datasource.
-
-    ```text
-    The VictoriaMetrics read api can be accessed via port 8481 with the following DNS name from within your cluster:
-    vmcluster-victoria-metrics-cluster-vmselect.default.svc.cluster.local.
-    ```
+For us it’s important to remember the url for the datasource (copy lines from the output).
 
 Verify that [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) pods are up and running by executing the following command:
 
+
 ```sh
 kubectl get pods
 ```
 
-You should see a list of pods similar to this:
+The expected output is:
 
 ```text
 NAME                                                           READY   STATUS    RESTARTS   AGE
@@ -179,75 +164,266 @@ vmcluster-victoria-metrics-cluster-vmstorage-1                 1/1     Running
 
 ## 3. Install vmagent from the Helm chart
 
-In order to collect metrics from the Kubernetes cluster, we need to install [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/). This service scrapes, relabels, and sends metrics to the `vminsert` service running in the cluster.
+To scrape metrics from Kubernetes with a [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) we need to install [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/) with additional configuration. To do so, please run these commands in your terminal:
 
-Run the following command to install the `vmagent` service in your cluster:
 
 ```shell
 helm install vmagent vm/victoria-metrics-agent -f https://docs.victoriametrics.com/guides/examples/guide-vmcluster-vmagent-values.yaml
 ```
 
-Here are the key settings in the chart values file `guide-vmcluster-vmagent-values.yaml`:
+Here is full file content `guide-vmcluster-vmagent-values.yaml`
 
-- `remoteWrite` defines the `vminsert` endpoint that receives telemetry from [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/). This value should match exactly the URL for the `remote_write` in the output of [Step 2](https://docs.victoriametrics.com/guides/k8s-monitoring-via-vm-cluster/#id-2-install-victoriametrics-cluster-from-the-helm-chart).
+```yaml
+remoteWrite:
+  - url: http://vmcluster-victoria-metrics-cluster-vminsert.default.svc.cluster.local:8480/insert/0/prometheus/
 
-    ```yaml
-    remoteWrite:
-      - url: http://vmcluster-victoria-metrics-cluster-vminsert.default.svc.cluster.local:8480/insert/0/prometheus/
-    ```
+config:
+  global:
+    scrape_interval: 10s
 
-- `metric_relabel_configs` defines label-rewriting rules that help us show Kubernetes metrics in the Grafana dashboard later on.
+  scrape_configs:
+    - job_name: vmagent
+      static_configs:
+        - targets: ["localhost:8429"]
+    - job_name: "kubernetes-apiservers"
+      kubernetes_sd_configs:
+        - role: endpoints
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      relabel_configs:
+        - source_labels:
+            [
+              __meta_kubernetes_namespace,
+              __meta_kubernetes_service_name,
+              __meta_kubernetes_endpoint_port_name,
+            ]
+          action: keep
+          regex: default;kubernetes;https
+    - job_name: "kubernetes-nodes"
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      kubernetes_sd_configs:
+        - role: node
+      relabel_configs:
+        - action: labelmap
+          regex: __meta_kubernetes_node_label_(.+)
+    - job_name: "kubernetes-nodes-cadvisor"
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      kubernetes_sd_configs:
+        - role: node
+      metrics_path: /metrics/cadvisor
+      relabel_configs:
+        - action: labelmap
+          regex: __meta_kubernetes_node_label_(.+)
+        - source_labels: [__metrics_path__]
+          target_label: metrics_path
+      metric_relabel_configs:
+        - action: replace
+          source_labels: [pod]
+          regex: '(.+)'
+          target_label: pod_name
+          replacement: '${1}'
+        - action: replace
+          source_labels: [container]
+          regex: '(.+)'
+          target_label: container_name
+          replacement: '${1}'
+        - action: replace
+          target_label: name
+          replacement: k8s_stub
+        - action: replace
+          source_labels: [id]
+          regex: '^/system\.slice/(.+)\.service$'
+          target_label: systemd_service_name
+          replacement: '${1}'
+    - job_name: "kubernetes-service-endpoints"
+      kubernetes_sd_configs:
+        - role: endpoints
+      relabel_configs:
+        - action: drop
+          source_labels: [__meta_kubernetes_pod_container_init]
+          regex: true
+        - action: keep_if_equal
+          source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_container_port_number]
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+          action: keep
+          regex: true
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+          action: replace
+          target_label: __scheme__
+          regex: (https?)
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_path]
+          action: replace
+          target_label: __metrics_path__
+          regex: (.+)
+        - source_labels:
+            [
+              __address__,
+              __meta_kubernetes_service_annotation_prometheus_io_port,
+            ]
+          action: replace
+          target_label: __address__
+          regex: ([^:]+)(?::\d+)?;(\d+)
+          replacement: $1:$2
+        - action: labelmap
+          regex: __meta_kubernetes_service_label_(.+)
+        - source_labels: [__meta_kubernetes_namespace]
+          action: replace
+          target_label: kubernetes_namespace
+        - source_labels: [__meta_kubernetes_service_name]
+          action: replace
+          target_label: kubernetes_name
+        - source_labels: [__meta_kubernetes_pod_node_name]
+          action: replace
+          target_label: kubernetes_node
+    - job_name: "kubernetes-service-endpoints-slow"
+      scrape_interval: 5m
+      scrape_timeout: 30s
+      kubernetes_sd_configs:
+        - role: endpoints
+      relabel_configs:
+        - action: drop
+          source_labels: [__meta_kubernetes_pod_container_init]
+          regex: true
+        - action: keep_if_equal
+          source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_container_port_number]
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
+          action: keep
+          regex: true
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+          action: replace
+          target_label: __scheme__
+          regex: (https?)
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_path]
+          action: replace
+          target_label: __metrics_path__
+          regex: (.+)
+        - source_labels:
+            [
+              __address__,
+              __meta_kubernetes_service_annotation_prometheus_io_port,
+            ]
+          action: replace
+          target_label: __address__
+          regex: ([^:]+)(?::\d+)?;(\d+)
+          replacement: $1:$2
+        - action: labelmap
+          regex: __meta_kubernetes_service_label_(.+)
+        - source_labels: [__meta_kubernetes_namespace]
+          action: replace
+          target_label: kubernetes_namespace
+        - source_labels: [__meta_kubernetes_service_name]
+          action: replace
+          target_label: kubernetes_name
+        - source_labels: [__meta_kubernetes_pod_node_name]
+          action: replace
+          target_label: kubernetes_node
+    - job_name: "kubernetes-services"
+      metrics_path: /probe
+      params:
+        module: [http_2xx]
+      kubernetes_sd_configs:
+        - role: service
+      relabel_configs:
+        - source_labels:
+            [__meta_kubernetes_service_annotation_prometheus_io_probe]
+          action: keep
+          regex: true
+        - source_labels: [__address__]
+          target_label: __param_target
+        - target_label: __address__
+          replacement: blackbox
+        - source_labels: [__param_target]
+          target_label: instance
+        - action: labelmap
+          regex: __meta_kubernetes_service_label_(.+)
+        - source_labels: [__meta_kubernetes_namespace]
+          target_label: kubernetes_namespace
+        - source_labels: [__meta_kubernetes_service_name]
+          target_label: kubernetes_name
+    - job_name: "kubernetes-pods"
+      kubernetes_sd_configs:
+        - role: pod
+      relabel_configs:
+        - action: drop
+          source_labels: [__meta_kubernetes_pod_container_init]
+          regex: true
+        - action: keep_if_equal
+          source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_container_port_number]
+        - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+          action: keep
+          regex: true
+        - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+          action: replace
+          target_label: __metrics_path__
+          regex: (.+)
+        - source_labels:
+            [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+          action: replace
+          regex: ([^:]+)(?::\d+)?;(\d+)
+          replacement: $1:$2
+          target_label: __address__
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+        - source_labels: [__meta_kubernetes_namespace]
+          action: replace
+          target_label: kubernetes_namespace
+        - source_labels: [__meta_kubernetes_pod_name]
+          action: replace
+          target_label: kubernetes_pod_name
+```
+
+* By updating `remoteWrite` we're configuring [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/) to write scraped metrics into the `vminsert` service.
+* The second part of this yaml file is needed to add the `metric_relabel_configs` section that helps us to show Kubernetes metrics on the Grafana dashboard.
 
-    ```yaml
-          metric_relabel_configs:
-            - action: replace
-              source_labels: [pod]
-              regex: '(.+)'
-              target_label: pod_name
-              replacement: '${1}'
-            - action: replace
-              source_labels: [container]
-              regex: '(.+)'
-              target_label: container_name
-              replacement: '${1}'
-            - action: replace
-              target_label: name
-              replacement: k8s_stub
-            - action: replace
-              source_labels: [id]
-              regex: '^/system\.slice/(.+)\.service$'
-              target_label: systemd_service_name
-              replacement: '${1}'
-    ```
 
 Verify that `vmagent`'s pod is up and running by executing the following command:
 
+
 ```shell
 kubectl get pods | grep vmagent
 ```
 
-Check that the pod is in `Running` state:
+The expected output is:
 
 ```text
 vmagent-victoria-metrics-agent-69974b95b4-mhjph                1/1     Running   0          11m
 ```
 
+
 ## 4. Install and connect Grafana to VictoriaMetrics with Helm
 
-Add the Grafana Community Helm repository:
+Add the Grafana Helm repository. 
+
 
 ```shell
-helm repo add grafana-community https://grafana-community.github.io/helm-charts
+helm repo add grafana https://grafana.github.io/helm-charts
 helm repo update
 ```
 
-> [!NOTE] Tip
-> See more information on Grafana in [ArtifactHUB](https://artifacthub.io/packages/helm/grafana-community/grafana)
+See more information on Grafana ArtifactHUB [https://artifacthub.io/packages/helm/grafana/grafana](https://artifacthub.io/packages/helm/grafana/grafana)
+
+To install the chart with the release name `my-grafana`, add the VictoriaMetrics datasource with official dashboard and the Kubernetes dashboard:
 
-Create a values config file to define the data sources and dashboards for VictoriaMetrics in the Grafana service:
 
 ```sh
-cat <<EOF > grafana-cluster-values.yml
+cat <<EOF | helm install my-grafana grafana/grafana -f -
   datasources:
     datasources.yaml:
       apiVersion: 1
@@ -278,111 +454,60 @@ cat <<EOF > grafana-cluster-values.yml
     default:
       victoriametrics:
         gnetId: 11176
+        revision: 18
         datasource: victoriametrics
       vmagent:
         gnetId: 12683
+        revision: 7
         datasource: victoriametrics
       kubernetes:
         gnetId: 14205
+        revision: 1
         datasource: victoriametrics
 EOF
 ```
 
-The config file defines the following settings for Grafana:
-
-- Provides a VictoriaMetrics data source. This value must match the `VictoriaMetrics read api` endpoint and port obtained in [Step 2](https://docs.victoriametrics.com/guides/k8s-monitoring-via-vm-cluster/#id-2-install-victoriametrics-cluster-from-the-helm-chart) during the VictoriaMetrics cluster installation.
-- Adds three starter dashboards:
-  - [VictoriaMetrics - cluster](https://grafana.com/grafana/dashboards/11176-victoriametrics-cluster/) for the [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/).
-  - [VictoriaMetrics - vmagent](https://grafana.com/grafana/dashboards/12683-victoriametrics-vmagent/) for the [VictoriaMetrics agent](https://docs.victoriametrics.com/victoriametrics/vmagent/).
-  - [Kubernetes cluster Monitoring (via Prometheus)](https://grafana.com/grafana/dashboards/14205-kubernetes-cluster-monitoring-via-prometheus/) to show Kubernetes cluster metrics.
-
-Run the following command to install the Grafana chart with the name `my-grafana`:
-
-```sh
-helm install my-grafana grafana-community/grafana -f grafana-cluster-values.yml
-```
-
-You should get the following output:
-
-```text
-NAME: my-grafana
-LAST DEPLOYED: Wed Feb  4 15:00:28 2026
-NAMESPACE: default
-STATUS: deployed
-REVISION: 1
-DESCRIPTION: Install complete
-NOTES:
-1. Get your 'admin' user password by running:
-
-   kubectl get secret --namespace default my-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
+By running this command we:
+* Install Grafana from the Helm repository.
+* Provision a VictoriaMetrics data source with the url from the output above which we remembered.
+* Add [this dashboard](https://grafana.com/grafana/dashboards/11176) for [VictoriaMetrics Cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/).
+* Add [this dashboard](https://grafana.com/grafana/dashboards/12683) for [VictoriaMetrics Agent](https://docs.victoriametrics.com/victoriametrics/vmagent/).
+* Add [this dashboard](https://grafana.com/grafana/dashboards/14205) to see Kubernetes cluster metrics.
 
 
-2. The Grafana server can be accessed via port 80 on the following DNS name from within your cluster:
+Please see the output log in your terminal. Copy, paste and run these commands. 
+The first one will show `admin` password for the Grafana admin.
+The second and the third will forward Grafana to `127.0.0.1:3000`:
 
-   my-grafana.default.svc.cluster.local
-
-   Get the Grafana URL to visit by running these commands in the same shell:
-     export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=grafana,app.kubernetes.io/instance=my-grafana" -o jsonpath="{.items[0].metadata.name}")
-     kubectl --namespace default port-forward $POD_NAME 3000
-
-3. Login with the password from step 1 and the username: admin
-#################################################################################
-######   WARNING: Persistence is disabled!!! You will lose your data when   #####
-######            the Grafana pod is terminated.                            #####
-#################################################################################
-```
-
-Use the first command in the output to obtain the password for the `admin` user:
 
 ```shell
 kubectl get secret --namespace default my-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
 
-```
+export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=grafana,app.kubernetes.io/instance=my-grafana" -o jsonpath="{.items[0].metadata.name}")
 
-The second part of the output shows how to port-forward the Grafana service in order to access it locally on `127.0.0.1:3000`:
-
-```shell
-export pod_name=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=grafana,app.kubernetes.io/instance=my-grafana" -o jsonpath="{.items[0].metadata.name}")
-
-kubectl --namespace default port-forward $pod_name 3000
+kubectl --namespace default port-forward $POD_NAME 3000
 ```
 
 ## 5. Check the result you obtained in your browser
 
-To check that [VictoriaMetrics](https://victoriametrics.com) collects metrics from the Kubernetes cluster, open in your browser `http://127.0.0.1:3000/dashboards`. Use `admin` for login and `password` obtained in the previous step.
-
-You should see three dashboards installed. Select "Kubernetes Cluster Monitoring".
+To check that [VictoriaMetrics](https://victoriametrics.com) collects metrics from k8s cluster open in browser [http://127.0.0.1:3000/dashboards](http://127.0.0.1:3000/dashboards) and choose the `Kubernetes Cluster Monitoring (via Prometheus)` dashboard. Use `admin` for login and `password` that you previously got from kubectl. 
 
 ![Dashboards](dashes-agent.webp)
-<figcaption style="text-align: center; font-style: italic;">List of pre-installed dashboards in Grafana</figcaption>
 
-This is the main dashboard, which shows activity across your Kubernetes cluster:
+You will see something like this:
 
-![Kubernetes Cluster Dashboard](dashboard.webp)
-<figcaption style="text-align: center; font-style: italic;">Grafana dashboard for Kubernetes metrics</figcaption>
+![VMCluster metrics](dashboard.webp)
 
-The VictoriaMetrics cluster dashboard is also available to monitor telemetry ingestion and resource utilization:
+The VictoriaMetrics dashboard is also available to use:
 
-![VMCluster dashboard](grafana-dash-vmcluster.webp)
-<figcaption style="text-align: center; font-style: italic;">Grafana dashboard for VictoriaMetrics services</figcaption>
+![VMCluster dashboard](grafana-dash.webp)
 
-And vmagent has a separate dashboard to monitor scraping and queue activity:
+vmagent has its own dashboard:
 
-![VMAgent dashboard](grafana-dash-vmagent.webp)
-<figcaption style="text-align: center; font-style: italic;">Grafana dashboard for vmagent ingestion and resource usage</figcaption>
+![VMAgent dashboard](grafana-dash.webp)
 
 ## 6. Final thoughts
 
-- We set up a TimeSeries Database for your Kubernetes cluster.
-- We collected metrics from all running pods, nodes, and services and stored them in a VictoriaMetrics database.
-- We visualized resources used in the Kubernetes cluster by using Grafana dashboards.
-
-Consider reading these resources to complete your setup:
-
-- VictoriaMetrics
-  - [Learn more about the cluster version](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/)
-  - [Migrate existing metric data into VictoriaMetrics with vmctl](https://docs.victoriametrics.com/victoriametrics/vmctl/)
-  - [Setup alerts](https://docs.victoriametrics.com/victoriametrics/vmalert/)
-- Grafana
-  - [Enable persistent storage](https://grafana.com/docs/grafana/latest/setup-grafana/installation/helm/#enable-persistent-storage-recommended)
-  - [Configure private TLS authority](https://grafana.com/docs/grafana/latest/setup-grafana/installation/helm/#configure-a-private-ca-certificate-authority)
+* We set up TimeSeries Database for your Kubernetes cluster.
+* We collected metrics from all running pods,nodes, … and stored them in a VictoriaMetrics database.
+* We visualized resources used in the Kubernetes cluster by using Grafana dashboards.

docs/guides/vmagent-openid-configuration/README.md

@@ -1,277 +0,0 @@
-Using [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/) with [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/) and OAuth authentication{{% available_from "v1.138.0" %}} enables secure metric ingestion in multi-tenant environments, where vmagent authenticates to vmauth using [JWT tokens](https://en.wikipedia.org/wiki/JSON_Web_Token) issued by an external identity provider. These tokens include tenant information so that metrics are written to the correct tenant.
-
-This guide walks through configuring vmagent to ingest metrics through vmauth with OIDC authorization enabled.
-
-## Prerequisites
-
-* [Docker](https://docs.docker.com/engine/install/) and [docker compose](https://docs.docker.com/compose/) must be installed.
-* [jq tool](https://jqlang.org/)
-* Add the `keycloak` host to the `/etc/hosts` file pointing to `127.0.0.1`.
-
-```
-# /etc/hosts
-
-# Setup vmagent - Multi-Tenant remote write & OIDC
-# https://docs.victoriametrics.com/guides/vmagent-openid-configuration/#prerequisites
-127.0.0.1 keycloak
-```
-
-## Identity provider
-
-The identity service must be able to issue JWT tokens with the following `vm_access` claim:
-
-```json
-{
-  "exp": 1772019469,
-  "vm_access": {
-    "metrics_account_id": 0,
-    "metrics_project_id": 0
-  }
-}
-```
-> Note: if `metrics_account_id` or `metrics_project_id` are not specified, the default value `0` is used.
-
-Some identity providers only support string-based claim values; vmauth supports those as well:
-```json
-{
-   "exp": 1772019469,
-   "vm_access": "{\"metrics_account_id\": 0, \"metrics_project_id\": 0}"
-}
-```
-
-See details about all supported options in the [vmauth documentation](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-token-auth-proxy).
-
-### Setup Keycloak
-
-[Keycloak](https://www.keycloak.org/) is an open-source identity service that can issue JWT tokens.
-
-Add the following section to your `compose.yaml` file to configure Keycloak:
-
-```yaml
-# compose.yaml
-services:
-  keycloak:
-    image: quay.io/keycloak/keycloak:26.3
-    command:
-      - start-dev
-      - --http-port=3001
-    ports:
-      - 127.0.0.1:3001:3001
-    environment:
-      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "true"
-      KC_HOSTNAME: http://keycloak:3001/
-      KC_BOOTSTRAP_ADMIN_USERNAME: admin
-      KC_BOOTSTRAP_ADMIN_PASSWORD: change_me
-    volumes:
-      - keycloakdata:/opt/keycloak/data
-
-volumes:
-  keycloakdata: {}
-```
-
-Run `docker compose up` to start Keycloak.
-
-Once Keycloak is available at `http://keycloak:3001`, follow the steps below to configure the OIDC client for vmagent:
-
-### Create client
-
-1. Log in with admin credentials to your Keycloak instance
-  - Username: `admin`
-  - Password: `change_me`
-1. Go to `Clients` -> `Create client`.
-   - Use `OpenID Connect` as `Client Type`.
-   - Specify `vmagent` as `Client ID`.
-   - Click `Next`.
-   ![Create client 1](vmagent-create-client-1.webp)
-1. Enable `Client authentication`.
-   - Enable `Authorization`.
-   ![Create client 2](vmagent-create-client-2.webp)
-   - Click `Next`.
-1. Leave the URLs section empty as vmagent does not require any URLs.
-   ![Create client 3](vmagent-create-client-3.webp)
-   - Click `Save`.
-1. Go to `Clients` -> `vmagent` -> `Credentials`.
-   ![Client secret](vmagent-client-secret.webp)
-   - Copy the value of `Client secret`. It will be used later in vmagent configuration.
-1. Go to `Clients` -> `vmagent` -> `Client scopes`.
-   ![Create mapper 1](vmagent-create-mapper-1.webp)
-   - Click on `vmagent-dedicated` -> `Configure a new mapper` -> `User attribute`.
-   ![Create mapper 2](vmagent-create-mapper-2.webp)
-1. Configure the mapper as follows:
-    - `Name` as `vm_access`.
-    - `User Attribute` as `vm_access`.
-    - `Token Claim Name` as `vm_access`.
-    - `Claim JSON Type` as `JSON`.
-    - Enable `Add to ID token` and `Add to access token`.
-
-   ![Create mapper 3](vmagent-create-mapper-3.webp)
-   - Click `Save`.
-
-### Create User Attributes
-
-1. Go to `Realm settings` -> `User profile`.
-   - Click `Create attribute`.
-   - Specify `vm_access` as `Attribute [Name]`.
-   ![User attributes](create-attribute.webp)
-   - Click `Create`.
-
-### Configure service account
-
-1. Go to `Client` -> `vmagent` -> `Service account roles` -> click on `service-account-vmagent`.
-   ![vmagent service account](vmagent-sa.webp)
-1. Set the `vm_access` attribute value to `{"metrics_account_id": 0, "metrics_project_id": 0}`.
-   ![User attributes](vmagent-sa-attributes.webp)
-   - Click `Save`.
-
-### Test identity provider
-
-Start the service:
-```sh
-docker compose up
-```
-
-Verify the setup by requesting a token with `curl`:
-
-```sh
-TOKEN=$(curl -s -X POST "http://keycloak:3001/realms/master/protocol/openid-connect/token" \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -d "client_id=vmagent" \
-  -d "client_secret={CLIENT_SECRET}" \
-  -d "grant_type=client_credentials" \
-  | jq -r '.access_token') && echo "$TOKEN"
-```
-
-The response should contain a valid JWT token with the `vm_access` claim.
-Use [jwt.io](https://jwt.io/) to decode and inspect the token.
-
-## VictoriaMetrics
-
-### Setup storage
-
-Add the VictoriaMetrics cluster components to the `compose.yaml` file.
-These services will store and query the metrics scraped by vmagent.
-
-```yaml
-# compose.yaml
-services:
-  vmstorage:
-    image: victoriametrics/vmstorage:v1.138.0-cluster
-
-  vminsert:
-    image: victoriametrics/vminsert:v1.138.0-cluster
-    command:
-      - -storageNode=vmstorage:8400
-
-  vmselect:
-    image: victoriametrics/vmselect:v1.138.0-cluster
-    command:
-      - -storageNode=vmstorage:8401
-    ports:
-      - 8481:8481
-```
-
-### Setup vmauth
-
-Create a vmauth configuration file `vm-auth.yaml` that enables OIDC authorization using the identity provider.
-
-The `{{.MetricsTenant}}` is expanded by vmauth into `accountID:projectID` derived from the vm_access claim, and defaults to `0:0` if not set.
-
-```yaml
-# vm-auth.yaml
-
-users:
-- jwt:
-    oidc:
-      issuer: 'http://keycloak:3001/realms/master'
-  url_map:
-    - src_paths:
-        - "/insert/.*"
-      drop_src_path_prefix_parts: 1
-      url_prefix: "http://vminsert:8480/insert/{{.MetricsTenant}}/prometheus/"
-```
-
-Add the vmauth service to `compose.yaml`:
-
-```yaml
-# compose.yaml
-services:
-  vmauth:
-    image: victoriametrics/vmauth:v1.138.0-enterprise
-    ports:
-      - 8427:8427
-    volumes:
-      - ./vm-auth.yaml:/etc/config.yaml
-    command:
-      - -auth.config=/etc/config.yaml
-```
-
-### Test vmauth
-
-Start the services:
-
-```sh
-docker compose up
-```
-
-Use the token obtained in the [Test identity provider](https://docs.victoriametrics.com/guides/vmagent-openid-configuration/#test-identity-provider) section to test the vmauth configuration.
-
-```sh
-curl http://localhost:8427/insert/api/v1/write -H "Authorization: Bearer ${TOKEN}" -i
-# Output
-# HTTP/1.1 204 No Content
-# ...
-```
-
-## Vmagent
-
-### Setup
-
-First, create a demo `scrape.yaml` file with basic scrape targets:
-
-```yaml
-# scrape.yaml
-scrape_configs:
-  - job_name: stat
-    static_configs:
-      - targets:
-          - vmagent:8429
-          - vmauth:8427
-```
-
-Now we'll configure vmagent to authenticate to vmauth using OAuth2 client credentials flow.
-The vmagent service automatically obtains and refreshes JWT tokens from the identity provider and includes them in the `Authorization` header when sending metrics to vmauth.
-This enables secure metric ingestion with proper tenant isolation based on the claims in the JWT token.
-
-We'll use the `vmagent` client that was created in the [Create client](https://docs.victoriametrics.com/guides/vmagent-openid-configuration/#create-client) section.
-The client secret obtained from that step will be used to authenticate vmagent with Keycloak.
-
-Add the vmagent service to `compose.yaml` with OAuth2 configuration:
-
-```yaml
-# compose.yaml
-services:
-  vmagent:
-    image: victoriametrics/vmagent:v1.138.0
-    volumes:
-      - ./scrape.yaml:/etc/vmagent/config.yaml
-    command:
-      - -promscrape.config=/etc/vmagent/config.yaml
-      - -remoteWrite.url=http://vmauth:8427/insert/api/v1/write
-      - -remoteWrite.oauth2.clientID=vmagent
-      # This flag is used for demo purposes. In production, use -remoteWrite.oauth2.clientSecretFile instead to avoid exposing the secret in the command line/process list
-      - -remoteWrite.oauth2.clientSecret={CLIENT_SECRET}
-      - -remoteWrite.oauth2.tokenUrl=http://keycloak:3001/realms/master/protocol/openid-connect/token
-      - -remoteWrite.oauth2.scopes=openid
-```
-
-Use the client secret obtained in the [Create client](https://docs.victoriametrics.com/guides/vmagent-openid-configuration/#create-client) section.
-
-### Test metrics
-
-Go to `http://localhost:8481/select/0/vmui/` and query the `vm_app_version` metric. If the metric is present, then everything is working as expected.
-
-## Summary
-
-This guide showed how to configure vmagent to ingest metrics into a VictoriaMetrics cluster through vmauth using OIDC authentication.
-Vmagent uses the OAuth2 client credentials flow to obtain JWT tokens from Keycloak, which vmauth validates and uses to route requests to the correct tenant.
-

docs/guides/vmagent-openid-configuration/_index.md

@@ -1,12 +0,0 @@
----
-weight: 5
-title: Setup vmagent - Multi-Tenant remote write & OIDC
-menu:
-  docs:
-    parent: guides
-    weight: 5
-tags:
-  - metrics
-  - guide
----
-{{% content "README.md" %}}