From 2c1200230ec45184ba44500c4affd608b78559fc Mon Sep 17 00:00:00 2001
From: Scot Wells
Date: Thu, 19 Mar 2026 14:51:00 -0500
Subject: [PATCH] fix: add metrics auth RBAC to rbac_deployment component

Add metrics_auth_role and metrics_auth_role_binding to the rbac_deployment kustomize Component so the operator SA can perform TokenReview and SubjectAccessReview for metrics authentication. Without this RBAC, the controller-runtime metrics filter cannot validate bearer tokens from VMAgent, causing all scrape requests to fail with 401.
---
 config/rbac_deployment/kustomization.yaml | 2 ++
 config/rbac_deployment/metrics_auth_role.yaml | 17 +++++++++++++++++
 .../metrics_auth_role_binding.yaml | 12 ++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 config/rbac_deployment/metrics_auth_role.yaml
 create mode 100644 config/rbac_deployment/metrics_auth_role_binding.yaml

diff --git a/config/rbac_deployment/kustomization.yaml b/config/rbac_deployment/kustomization.yaml
index aae863b..539d570 100644
--- a/config/rbac_deployment/kustomization.yaml
+++ b/config/rbac_deployment/kustomization.yaml
@@ -3,3 +3,5 @@ kind: Component
 resources:
  - leader_election_role.yaml
  - leader_election_role_binding.yaml
+ - metrics_auth_role.yaml
+ - metrics_auth_role_binding.yaml
diff --git a/config/rbac_deployment/metrics_auth_role.yaml b/config/rbac_deployment/metrics_auth_role.yaml
new file mode 100644
index 0000000..32d2e4e
--- /dev/null
+++ b/config/rbac_deployment/metrics_auth_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-auth-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/config/rbac_deployment/metrics_auth_role_binding.yaml b/config/rbac_deployment/metrics_auth_role_binding.yaml
new file mode 100644
index 0000000..e775d67
--- /dev/null
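Review bot: `metrics-auth-role` in metrics_auth_role.yaml and `metrics-auth-rolebinding` in metrics_auth_role_binding.yaml are cluster-scoped names that stay unique only if the overlay consuming this Component applies a `namePrefix`. These look like the generic scaffold names, so a build without a prefix could overwrite another operator's ClusterRole of the same name or repoint its binding's subjects when applied to a shared cluster. It is worth confirming that every overlay including `rbac_deployment` sets `namePrefix`, or giving both objects a project-specific name here. The two `create` rules are otherwise narrow; a header comment such as `# Lets the manager validate scraper bearer tokens (TokenReview) and check their access (SubjectAccessReview) for the metrics endpoint.` would record why a ClusterRole is needed.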
+++ b/config/rbac_deployment/metrics_auth_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-auth-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: metrics-auth-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
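Review bot: The subject's `name: controller-manager` and `namespace: system` are placeholders that become correct only after kustomize's `namePrefix` and `namespace` transformers rewrite them. If an overlay renders this Component without setting both, the ClusterRoleBinding would grant TokenReview and SubjectAccessReview creation to whatever `controller-manager` service account exists in a namespace literally named `system`, while the real operator keeps returning 401. A rendered-output check (run `kustomize build` on each overlay that includes the component and assert the subject's namespace and name) would catch that. Separately, once token validation works the metrics filter presumably also authorizes the caller, so VMAgent's service account needs a binding that allows `get` on `/metrics`; no such binding is visible in this patch.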