fix(helm): remove metrics-reader ClusterRole (#7107)

b5fddbd0 · Thomas Montfort · GitHub · 8a0657cb · 8a0657cb
Unverified Commit b5fddbd0 authored Mar 09, 2026 by Thomas Montfort Committed by GitHub Mar 09, 2026
Show whitespace changes
Inline Side-by-side

Showing with 0 additions and 57 deletions

deploy/helm/charts/platform/components/operator/templates/metrics-reader-rbac.yaml ...rm/components/operator/templates/metrics-reader-rbac.yaml +0 -57

No files found.
--- a/deploy/helm/charts/platform/components/operator/templates/metrics-reader-rbac.yaml
+++ b/deploy/helm/charts/platform/components/operator/templates/metrics-reader-rbac.yaml
-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# ClusterRole granting GET access to the /metrics non-resource URL.
-# Required by controller-runtime's WithAuthenticationAndAuthorization filter,
-# which performs a SubjectAccessReview for every metrics scrape request.
-# Prometheus's service account must be bound to this role to pass authorization.
-{{- if not (eq (toString .Values.metricsService.enabled) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "dynamo-operator.fullname" . }}-metrics-reader
-  labels:
-    app.kubernetes.io/component: metrics
-    app.kubernetes.io/created-by: dynamo-operator
-    app.kubernetes.io/part-of: dynamo-operator
-  {{- include "dynamo-operator.labels" . | nindent 4 }}
-rules:
- nonResourceURLs:
-  - "/metrics"
-  verbs:
-  - get
---
-# Bind the metrics-reader ClusterRole to the operator's own service account
-# so that test case 5 (manual token-based scraping) works out of the box.
-# Prometheus typically gets this permission from kube-prometheus-stack's own RBAC,
-# but binding it here ensures the operator's SA can also access its own metrics.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "dynamo-operator.fullname" . }}-metrics-reader-binding
-  labels:
-    app.kubernetes.io/component: metrics
-    app.kubernetes.io/created-by: dynamo-operator
-    app.kubernetes.io/part-of: dynamo-operator
-  {{- include "dynamo-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "dynamo-operator.fullname" . }}-metrics-reader
-subjects:
- kind: ServiceAccount
-  name: {{ include "dynamo-operator.fullname" . }}-controller-manager
-  namespace: {{ .Release.Namespace }}
-{{- end }}