feat(helm): add RBAC for authenticated controller metrics scrapes

The controller manager already wires controller-runtime's
WithAuthenticationAndAuthorization filter on the metrics endpoint when
--metrics-secure is true (the default). For that filter to validate
incoming scrape requests it needs permission to issue TokenReview and
SubjectAccessReview calls; ship those rights as a dedicated auth role
bound to the controller ServiceAccount.

Also ship an unbound `<fullname>-metrics-reader` ClusterRole granting
`get` on the `/metrics` non-resource URL. The chart deliberately leaves
the binding to the cluster operator: which ServiceAccount (Prometheus,
VictoriaMetrics, OpenTelemetry, etc.) is allowed to scrape is a
deployment-time choice, not a chart-time one.

The auth role and its binding are gated additionally on
`controller.metrics.secureServing` since they are no-ops when the filter
is disabled. All resources are gated on `controller.metrics.enabled` and
default off.

Author: danielorbach

helm/kagent/templates/rbac/metrics-auth-clusterrole.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.secureServing }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kagent.fullname" . }}-metrics-auth-role
+  labels:
+    {{- include "kagent.controller.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+{{- end }}

helm/kagent/templates/rbac/metrics-auth-clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.secureServing }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kagent.fullname" . }}-metrics-auth-rolebinding
+  labels:
+    {{- include "kagent.controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kagent.fullname" . }}-metrics-auth-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kagent.fullname" . }}-controller
+    namespace: {{ include "kagent.namespace" . }}
+{{- end }}

helm/kagent/templates/rbac/metrics-reader-clusterrole.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.controller.metrics.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kagent.fullname" . }}-metrics-reader
+  labels:
+    {{- include "kagent.controller.labels" . | nindent 4 }}
+rules:
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+{{- end }}

helm/kagent/tests/controller-metrics-rbac_test.yaml

@@ -0,0 +1,113 @@
+suite: test controller metrics rbac
+templates:
+  - rbac/metrics-reader-clusterrole.yaml
+  - rbac/metrics-auth-clusterrole.yaml
+  - rbac/metrics-auth-clusterrolebinding.yaml
+tests:
+  - it: should not render any metrics rbac by default
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: rbac/metrics-reader-clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/metrics-auth-clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/metrics-auth-clusterrolebinding.yaml
+
+  - it: should render metrics-reader when metrics enabled
+    set:
+      controller.metrics.enabled: true
+    template: rbac/metrics-reader-clusterrole.yaml
+    asserts:
+      - isKind:
+          of: ClusterRole
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-metrics-reader
+      - equal:
+          path: rules[0].nonResourceURLs[0]
+          value: /metrics
+      - equal:
+          path: rules[0].verbs[0]
+          value: get
+
+  - it: should render auth role and binding when secure serving enabled
+    set:
+      controller.metrics.enabled: true
+    asserts:
+      - isKind:
+          of: ClusterRole
+        template: rbac/metrics-auth-clusterrole.yaml
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-metrics-auth-role
+        template: rbac/metrics-auth-clusterrole.yaml
+      - isKind:
+          of: ClusterRoleBinding
+        template: rbac/metrics-auth-clusterrolebinding.yaml
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-metrics-auth-rolebinding
+        template: rbac/metrics-auth-clusterrolebinding.yaml
+
+  - it: auth role should grant token and subject access reviews
+    set:
+      controller.metrics.enabled: true
+    template: rbac/metrics-auth-clusterrole.yaml
+    asserts:
+      - equal:
+          path: rules[0].apiGroups[0]
+          value: authentication.k8s.io
+      - equal:
+          path: rules[0].resources[0]
+          value: tokenreviews
+      - equal:
+          path: rules[0].verbs[0]
+          value: create
+      - equal:
+          path: rules[1].apiGroups[0]
+          value: authorization.k8s.io
+      - equal:
+          path: rules[1].resources[0]
+          value: subjectaccessreviews
+      - equal:
+          path: rules[1].verbs[0]
+          value: create
+
+  - it: auth rolebinding should reference controller serviceaccount
+    set:
+      controller.metrics.enabled: true
+    template: rbac/metrics-auth-clusterrolebinding.yaml
+    asserts:
+      - equal:
+          path: roleRef.kind
+          value: ClusterRole
+      - equal:
+          path: roleRef.name
+          value: RELEASE-NAME-metrics-auth-role
+      - equal:
+          path: subjects[0].kind
+          value: ServiceAccount
+      - equal:
+          path: subjects[0].name
+          value: RELEASE-NAME-controller
+      - equal:
+          path: subjects[0].namespace
+          value: NAMESPACE
+
+  - it: should skip auth role when secure serving disabled
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.secureServing: false
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: rbac/metrics-reader-clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/metrics-auth-clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/metrics-auth-clusterrolebinding.yaml