From 7ee4889bb168ca961380bbbdf1f6ee8f5c5a158a Mon Sep 17 00:00:00 2001
From: Fabian Fischer
Date: Tue, 22 Nov 2022 10:32:36 +0100
Subject: [PATCH] Add clusterrole appuio:metrics-viewer
This clusterrole can be used to delegate access to the user-workload monitoring metrics. By binding this clusterrole in a namespace it gives the subjects access to all metrics in that namespace
---
 class/defaults.yml | 6 ++++++
 .../10_additional_clusterroles.yaml | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/class/defaults.yml b/class/defaults.yml
index 6af1096..232be03 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -55,6 +55,12 @@ parameters:
 - edit
 - patch
 - delete
+ appuio:metrics-reader:
+ rules:
+ - apiGroups: ['']
+ resources: [pods]
+ verbs:
+ - get
 bypassNamespaceRestrictions: # Roles are not supported for the APPUiO Cloud Agent. Should be left empty.
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/10_additional_clusterroles.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/10_additional_clusterroles.yaml
index a83fa29..68ce525 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/10_additional_clusterroles.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/10_additional_clusterroles.yaml
@@ -1,5 +1,23 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/component: appuio-cloud
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: appuio-cloud
+ name: appuio-metrics-reader
+ name: appuio:metrics-reader
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 annotations: {}
 labels:
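Review bot: The `appuio:metrics-reader` rule added in class/defaults.yml grants `get` on core-group `pods`, which is wider than the name suggests: a subject bound to it in a namespace can read full Pod objects there (spec, annotations, literal env values), not only metrics. If the monitoring query endpoint authorizes on exactly this permission, that is the cost of the delegation, but it should be stated above the key, e.g. `# Bound per namespace to delegate user-workload metrics access; note that get on pods also exposes Pod specs.` The commit subject names the role `appuio:metrics-viewer` while the key here and the golden output say `appuio:metrics-reader`, so one of them needs correcting before anyone writes a RoleBinding from the commit message. The comment should also say the role is meant for a namespaced RoleBinding only, since a ClusterRoleBinding to it would grant pod read across every namespace.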