redpanda-data · hidalgopl · May 7, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
@@ -0,0 +1,4 @@
+project: operator
+kind: Added
+body: Added `rpk-k8s multicluster bundle` for collecting cross-cluster operator diagnostics (per-peer pod, deployment, TLS, raft status, logs, multi-sample `/metrics`) into a single zip. Discovers peers from labelled kubeconfig cache Secrets given any one peer's kubeconfig. Includes a chart-level binding of the operator ServiceAccount to the `metrics-reader` ClusterRole so the bundle (and the existing ServiceMonitor) can scrape `/metrics` without 403.
+time: 2026-05-08T14:04:11.47156921+02:00
@@ -75,6 +75,7 @@ run `task generate:third-party-licenses-list`
 | github.com/cyphar/filepath-securejoin | [MPL-2.0](https://github.com/cyphar/filepath-securejoin/blob/v0.6.1/COPYING.md) |
 | github.com/cyphar/filepath-securejoin | [BSD-3-Clause](https://github.com/cyphar/filepath-securejoin/blob/v0.6.1/COPYING.md) |
 | github.com/davecgh/go-spew/spew | [ISC](https://github.com/davecgh/go-spew/blob/d8f796af33cc/LICENSE) |
+| github.com/docker/go-units | [Apache-2.0](https://github.com/docker/go-units/blob/v0.5.0/LICENSE) |
 | github.com/emicklei/go-restful/v3 | [MIT](https://github.com/emicklei/go-restful/blob/v3.13.0/LICENSE) |
 | github.com/evanphx/json-patch | [BSD-3-Clause](https://github.com/evanphx/json-patch/blob/v5.9.11/LICENSE) |
 | github.com/evanphx/json-patch/v5 | [BSD-3-Clause](https://github.com/evanphx/json-patch/blob/v5.9.11/v5/LICENSE) |

@@ -166,8 +166,40 @@ func ClusterRoleBindings(dot *helmette.Dot) []rbacv1.ClusterRoleBinding {
 		return nil
 	}
 
-	// NB: We skip over making a binding for the metrics viewer role.
-	var bindings []rbacv1.ClusterRoleBinding
+	// Bind the operator's own ServiceAccount to the metrics-reader
+	// ClusterRole emitted in ClusterRoles. controller-runtime's metrics
+	// server enforces authentication + authorization by default, so
+	// anything authenticating as the operator SA — including the bundled
+	// ServiceMonitor scraping with the pod's projected token, and tools
+	// like `rpk k8s multicluster bundle` — needs `nonResourceURLs:
+	// /metrics get`. Other consumers (e.g. an external Prometheus running
+	// under its own SA) can bind to the same ClusterRole separately.
+	metricsRoleName := cleanForK8sWithSuffix(Fullname(dot)+"-"+dot.Release.Namespace, "metrics-reader")
+	bindings := []rbacv1.ClusterRoleBinding{
+		{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "rbac.authorization.k8s.io/v1",
+				Kind:       "ClusterRoleBinding",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        metricsRoleName,
+				Labels:      Labels(dot),
+				Annotations: values.Annotations,
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "ClusterRole",
+				Name:     metricsRoleName,
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind:      "ServiceAccount",
+					Name:      ServiceAccountName(dot),
+					Namespace: dot.Release.Namespace,
+				},
+			},
+		},
+	}
 	for _, bundle := range rbacBundles(dot) {
 		if !bundle.Enabled {
 			continue

@@ -61,7 +61,8 @@
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- $bindings := (coalesce nil) -}}
+{{- $metricsRoleName := (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (printf "%s%s" (printf "%s%s" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "-") $dot.Release.Namespace) "metrics-reader")))) "r") -}}
+{{- $bindings := (list (mustMergeOverwrite (dict "metadata" (dict) "roleRef" (dict "apiGroup" "" "kind" "" "name" "")) (mustMergeOverwrite (dict) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding")) (dict "metadata" (mustMergeOverwrite (dict) (dict "name" $metricsRoleName "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot)))) "r") "annotations" $values.annotations)) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "") (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $metricsRoleName)) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "") (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot)))) "r") "namespace" $dot.Release.Namespace)))))) -}}
 {{- range $_, $bundle := (get (fromJson (include "operator.rbacBundles" (dict "a" (list $dot)))) "r") -}}
 {{- if (not $bundle.Enabled) -}}
 {{- continue -}}