
vmuser: support JWT auth #1944

Merged: AndrewChubatiuk merged 2 commits into master from vmauth-oidc-support, Mar 17, 2026

Conversation

@AndrewChubatiuk (Contributor) commented Mar 9, 2026

related issue #591
related issue VictoriaMetrics/VictoriaMetrics#9439


Summary by cubic

Adds JWT auth to VMUser for vmauth, with OIDC issuer support and claim-based routing. Verification supports inline public keys, Secret refs (merged at build), or skip-verify for testing, with validation enforcing exactly one mechanism.

  • New Features
    • New VMUserSpec.jwt: skipVerify, publicKeys, publicKeyRefs, matchClaims, and oidc.issuer.
    • Validation: only one of username, bearerToken, or jwt; and exactly one of jwt.{skipVerify | publicKeys/publicKeyRefs | oidc}; oidc.issuer is required when oidc is set.
    • Config: emits jwt.skip_verify, jwt.public_keys, jwt.match_claims, and jwt.oidc.issuer; publicKeyRefs are resolved into publicKeys.
    • CRD schema, deepcopy, docs, and changelog updated; tests added for skip-verify, Secret refs, claim routing, and OIDC.

Written for commit 45b87cc. Summary will update on new commits.

@cubic-dev-ai (bot, Contributor) left a comment


3 issues found across 8 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/CHANGELOG.md">

<violation number="1" location="docs/CHANGELOG.md:23">
P1: Custom agent: **Changelog Review Agent**

Changelog entry is missing the required user-centric before/after explanation and reference link(s), so it doesn’t follow the mandated changelog structure.</violation>
</file>

<file name="internal/controller/operator/factory/vmauth/vmusers_config.go">

<violation number="1" location="internal/controller/operator/factory/vmauth/vmusers_config.go:193">
P2: JWT branch always returns false, so secret updates (e.g., changed `name`) are dropped and never persisted.</violation>
</file>

<file name="api/operator/v1beta1/vmuser_types.go">

<violation number="1" location="api/operator/v1beta1/vmuser_types.go:339">
P1: Validate JWT config requires either `skipVerify=true` or at least one public key/public key ref. Right now `spec.jwt: {}` passes validation and can produce an empty `jwt` section.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@AndrewChubatiuk AndrewChubatiuk force-pushed the vmauth-oidc-support branch 2 times, most recently from f801044 to 4c14d2c Compare March 9, 2026 09:47
return fmt.Errorf("exactly one spec.jwt.{skipVerify,publicKeys|publicKeyRefs,oidc} JWT verification mechanism is expected, got: [%s]", strings.Join(jwtVerification, ","))
}
}
if len(authMechanisms) > 1 {
Collaborator commented:

We didn't have a check for this before, but what if it's zero? Is it treated as an unauthenticated user?

@AndrewChubatiuk (Contributor, Author) commented Mar 17, 2026

This check was added because with this PR more auth mechanisms are supported.
If more than one auth mechanism is set, vmauth fails during configuration validation. If no auth mechanism is set, the VMUser is treated as a basic auth user.
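The validation and config-emission rules listed in the PR summary, together with the zero-mechanism behaviour the author describes in the reply above, as an added illustrative example in Go. This is not the operator's own code: the type names, the simplified SecretKeySelector shape, the name -> key -> value secrets map standing in for cluster Secrets, and the "claim=value" sample strings in matchClaims are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretKeySelector points at one key of a Kubernetes Secret.
// Assumption: a simplified stand-in for the selector type behind publicKeyRefs.
type SecretKeySelector struct {
	Name string
	Key  string
}

// OIDC carries the issuer vmauth uses to discover the token-signing keys.
type OIDC struct {
	Issuer string
}

// JWT mirrors the VMUserSpec.jwt fields named in the PR summary.
type JWT struct {
	SkipVerify    bool
	PublicKeys    []string
	PublicKeyRefs []SecretKeySelector
	MatchClaims   []string // constructed sample format: "claim=value"
	OIDC          *OIDC
}

// VMUserSpec is a cut-down spec holding only the auth-related fields.
type VMUserSpec struct {
	Username    string
	BearerToken string
	JWT         *JWT
}

// ValidateAuth applies the rules from the summary and the discussion:
// at most one of username/bearerToken/jwt (none means a basic-auth user),
// exactly one JWT verification mechanism, and oidc.issuer whenever oidc is set.
func ValidateAuth(spec VMUserSpec) error {
	var auth []string
	if spec.Username != "" {
		auth = append(auth, "username")
	}
	if spec.BearerToken != "" {
		auth = append(auth, "bearerToken")
	}
	if spec.JWT != nil {
		auth = append(auth, "jwt")
		var verify []string
		if spec.JWT.SkipVerify {
			verify = append(verify, "skipVerify")
		}
		if len(spec.JWT.PublicKeys) > 0 || len(spec.JWT.PublicKeyRefs) > 0 {
			verify = append(verify, "publicKeys|publicKeyRefs")
		}
		if spec.JWT.OIDC != nil {
			if spec.JWT.OIDC.Issuer == "" {
				return errors.New("spec.jwt.oidc.issuer is required when spec.jwt.oidc is set")
			}
			verify = append(verify, "oidc")
		}
		// An empty `spec.jwt: {}` lands here with zero mechanisms and is rejected,
		// so no empty jwt section can reach the generated vmauth config.
		if len(verify) != 1 {
			return fmt.Errorf("exactly one spec.jwt.{skipVerify,publicKeys|publicKeyRefs,oidc} JWT verification mechanism is expected, got: [%s]", strings.Join(verify, ","))
		}
	}
	if len(auth) > 1 {
		return fmt.Errorf("only one of spec.{username,bearerToken,jwt} may be set, got: [%s]", strings.Join(auth, ","))
	}
	return nil
}

// BuildJWTConfig renders the vmauth jwt section as a nested map and resolves
// publicKeyRefs into public_keys. Assumption: secrets is a name -> key -> value
// lookup standing in for Secrets read from the cluster at build time.
func BuildJWTConfig(j *JWT, secrets map[string]map[string]string) (map[string]any, error) {
	out := map[string]any{}
	if j.SkipVerify {
		out["skip_verify"] = true
	}
	keys := append([]string{}, j.PublicKeys...)
	for _, ref := range j.PublicKeyRefs {
		val, ok := secrets[ref.Name][ref.Key] // nil inner map just yields ok=false
		if !ok {
			return nil, fmt.Errorf("publicKeyRefs: key %q not found in secret %q", ref.Key, ref.Name)
		}
		keys = append(keys, val)
	}
	if len(keys) > 0 {
		out["public_keys"] = keys
	}
	if len(j.MatchClaims) > 0 {
		out["match_claims"] = j.MatchClaims
	}
	if j.OIDC != nil {
		out["oidc"] = map[string]any{"issuer": j.OIDC.Issuer}
	}
	return out, nil
}
```

A typical use is `ValidateAuth(spec)` at admission time followed by `BuildJWTConfig(spec.JWT, secrets)` when the vmauth config is rendered; the order matters, because the builder assumes the spec already passed the exactly-one-mechanism check and does not re-check it.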

Signed-off-by: Vadim Rutkovsky <vadim@vrutkovs.eu>
@AndrewChubatiuk AndrewChubatiuk merged commit e827856 into master Mar 17, 2026
6 checks passed
@AndrewChubatiuk AndrewChubatiuk deleted the vmauth-oidc-support branch March 17, 2026 11:24