The hub VMUser was using passwordRef pointing to simple-user-secret, but that
Secret was not present in the cluster (only exists in git now via the previous
commit). VM operator skips VMUser reconciliation when passwordRef cannot resolve,
leaving vmauth with only the unauthorizedUser catch-all (vmsingle).
Switching to inline password ensures immediate operator reconciliation without
waiting for Secret deployment. The simple-user-secret.yaml manifest is kept for
Vector's credential reference.
The hub's VMUser (vmauth.yaml) references simple-user-secret via passwordRef,
but the Secret was never added to the hub's manifests. Without this Secret,
the VM operator cannot reconcile the VMUser into the vmauth config, causing
ALL requests to fall through to the unauthorizedUser catch-all (vmsingle).
Result: Vector log shipping to VictoriaLogs was broken — vmauth routed
/insert/elasticsearch/_bulk to vmsingle instead of vlogs-victorialogs.
Hub defaultRules groups kubernetesSystemControllerManager, kubeScheduler, and
kubernetesSystemScheduler used wrong key 'enabled: false' — chart expects 'create: false'.
This caused KubeControllerManagerDown/KubeSchedulerDown to fire as false positives
because OTC CCE managed k8s does not expose control plane for scraping.
Dev local vmagent had empty externalLabels, so backup-alert rules evaluated by local
vmalert had no cluster_environment label on kube_job_status_failed metrics. Added
cluster_environment=dev to match what the vm-client-stack vmagent adds for hub shipping.
