fix: Add /federate nonResourceURLs permission to Prometheus ClusterRole

anispate · claude · anispate · commit b2978672d548 · 2026-01-29T14:19:03.000-05:00
Adds the /federate endpoint permission to the auto-generated Prometheus ClusterRole to fix HTTP 403 Forbidden errors when ServiceMonitors attempt to scrape metrics from the /federate endpoint. This resolves the issue where CMO federation to hypershift-monitoring-stack fails on all MC clusters because the ClusterRole was missing the required nonResourceURLs permission. Fixes: SREP-3312 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -83,6 +83,9 @@ func newPrometheusClusterRole(ms *stack.MonitoringStack, rbacResourceName string
 			Resources:     []string{"securitycontextconstraints"},
 			ResourceNames: []string{"nonroot", "nonroot-v2"},
 			Verbs:         []string{"use"},
+		}, {
+			NonResourceURLs: []string{"/federate"},
+			Verbs:           []string{"get"},
 		}},
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,9 @@ func newPrometheusClusterRole(ms *stack.MonitoringStack, rbacResourceName string`
`83`	`83`	`Resources: []string{"securitycontextconstraints"},`
`84`	`84`	`ResourceNames: []string{"nonroot", "nonroot-v2"},`
`85`	`85`	`Verbs: []string{"use"},`
	`86`	`+ }, {`
	`87`	`+ NonResourceURLs: []string{"/federate"},`
	`88`	`+ Verbs: []string{"get"},`
`86`	`89`	`}},`
`87`	`90`	`}`
`88`	`91`	`}`