From a6c6ad0c27e3a866eb73ff26e3ce57d8f516e1b5 Mon Sep 17 00:00:00 2001
From: Mangirdas Judeikis
Date: Thu, 12 Oct 2023 20:06:04 +0300
Subject: [PATCH] Add metrics-viewer 'battery'
---
 .../metrics-cluster-role-binding.yaml | 16 ++++++++++++++++
 config/root-phase0/metrics-cluster-role.yaml | 11 +++++++++++
 .../metrics-service-account-secret.yaml | 8 ++++++++
 config/root-phase0/metrics-service-account.yaml | 7 +++++++
 pkg/server/options/batteries/batteries.go | 4 ++++
 5 files changed, 46 insertions(+)
 create mode 100644 config/root-phase0/metrics-cluster-role-binding.yaml
 create mode 100644 config/root-phase0/metrics-cluster-role.yaml
 create mode 100644 config/root-phase0/metrics-service-account-secret.yaml
 create mode 100644 config/root-phase0/metrics-service-account.yaml
diff --git a/config/root-phase0/metrics-cluster-role-binding.yaml b/config/root-phase0/metrics-cluster-role-binding.yaml
new file mode 100644
index 00000000000..f58105e875a
--- /dev/null
+++ b/config/root-phase0/metrics-cluster-role-binding.yaml
@@ -0,0 +1,16 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: metrics-viewer
+ namespace: default
+ annotations:
+ bootstrap.kcp.io/battery: metrics-viewer
+subjects:
+- kind: ServiceAccount
+ name: metrics
+ namespace: default
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: metrics-viewer
+ apiGroup: ""
diff --git a/config/root-phase0/metrics-cluster-role.yaml b/config/root-phase0/metrics-cluster-role.yaml
new file mode 100644
index 00000000000..a5a1b251795
--- /dev/null
+++ b/config/root-phase0/metrics-cluster-role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-viewer
+ annotations:
+ bootstrap.kcp.io/battery: metrics-viewer
+rules:
+- nonResourceURLs:
+ - '/metrics'
+ verbs:
+ - 'GET'
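Review bot: In metrics-cluster-role-binding.yaml, `metadata.namespace: default` is set on a ClusterRoleBinding, which is cluster-scoped, so the field has no meaning there and suggests a narrower scope than the binding actually has; drop that line. `roleRef.apiGroup: ""` appears to rely on API-server defaulting to resolve the ClusterRole; write `apiGroup: rbac.authorization.k8s.io` so the reference is explicit wherever the manifest is applied. The empty `apiGroup` on the ServiceAccount subject is fine.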
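Review bot: The verb in metrics-cluster-role.yaml is written `- 'GET'`, but as far as I know RBAC compares rule verbs to the request verb as exact strings, and for non-resource URLs the request verb is the lower-cased HTTP method, so this rule would likely never match and the `metrics` account would be denied on `/metrics`. Use `- 'get'`. A bootstrap test that runs an authorization check for `system:serviceaccount:default:metrics` against `/metrics` would catch this. The grant itself, a single URL and read-only, is suitably narrow.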
diff --git a/config/root-phase0/metrics-service-account-secret.yaml b/config/root-phase0/metrics-service-account-secret.yaml
new file mode 100644
index 00000000000..20e00d91926
--- /dev/null
+++ b/config/root-phase0/metrics-service-account-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: metrics
+ annotations:
+ kubernetes.io/service-account.name: metrics
+ bootstrap.kcp.io/battery: metrics-viewer
diff --git a/config/root-phase0/metrics-service-account.yaml b/config/root-phase0/metrics-service-account.yaml
new file mode 100644
index 00000000000..711960ae099
--- /dev/null
+++ b/config/root-phase0/metrics-service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics
+ namespace: default
+ annotations:
+ bootstrap.kcp.io/battery: metrics-viewer
diff --git a/pkg/server/options/batteries/batteries.go b/pkg/server/options/batteries/batteries.go
index 563d205a1ae..6e471aee3b7 100644
--- a/pkg/server/options/batteries/batteries.go
+++ b/pkg/server/options/batteries/batteries.go
@@ -28,11 +28,15 @@ const (
 // User leads to an additional user named "user" in the admin.kubeconfig that is not admin.
 User = "user"
+
+ // MetricsViewer leads to an additional service account named "metrics" in the root namespace that can view metrics.
+ MetricsViewer = "metrics-viewer"
 )
 var All = sets.New[string](
 WorkspaceTypes,
 User,
+ MetricsViewer,
 )
 var Defaults = sets.New[string](
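Review bot: metrics-service-account-secret.yaml sets no `metadata.namespace`, while the ServiceAccount it names is pinned to `default`. A `kubernetes.io/service-account-token` Secret is resolved against the account in the Secret's own namespace, so add `namespace: default` under `metadata` rather than depending on whatever namespace the bootstrapper applies. This manifest also creates a long-lived, non-expiring bearer token, so anyone who can read Secrets in that namespace can scrape `/metrics` as this account. A comment in the file or the battery documentation should say so and note that deleting the Secret revokes the token.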
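Review bot: The doc comment on `MetricsViewer` in batteries.go says the account is created "in the root namespace", but the manifests in this patch put it in namespace `default` (under config/root-phase0, presumably the root workspace), and it omits the token Secret created alongside it. Suggested wording: `// MetricsViewer adds a service account named "metrics" in the "default" namespace of the root workspace that may only GET /metrics, plus a long-lived token Secret for it.` The constant is added to `All`, but `Defaults` continues outside the hunk, so whether the battery is enabled by default cannot be checked here. Because it creates a standing credential, it should stay opt-in.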