From b190b0270d627121bb26b3ec31dc54a68098b15a Mon Sep 17 00:00:00 2001
From: Anish Patel <anispate@redhat.com>
Date: Thu, 29 Jan 2026 14:19:03 -0500
Subject: [PATCH] fix: add /federate nonResourceURLs permission to Prometheus
 ClusterRole
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the /federate endpoint permission to the auto-generated Prometheus
ClusterRole to fix HTTP 403 Forbidden errors when ServiceMonitors attempt
to scrape metrics from the /federate endpoint.

This resolves the issue where CMO federation to hypershift-monitoring-stack
fails on all MC clusters because the ClusterRole was missing the required
nonResourceURLs permission.

Fixes: SREP-3312

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 pkg/controllers/monitoring/monitoring-stack/components.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
index c0db4b4b9..8ccd21cd2 100644
--- a/pkg/controllers/monitoring/monitoring-stack/components.go
+++ b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -83,6 +83,9 @@ func newPrometheusClusterRole(ms *stack.MonitoringStack, rbacResourceName string
 			Resources:     []string{"securitycontextconstraints"},
 			ResourceNames: []string{"nonroot", "nonroot-v2"},
 			Verbs:         []string{"use"},
+		}, {
+			NonResourceURLs: []string{"/federate"},
+			Verbs:           []string{"get"},
 		}},
 	}
 }