chore: remove unused kubewarden-controller-metrics-reader ClusterRole

[nicknikolakakis]

Summary

Removes the unused kubewarden-controller-metrics-reader ClusterRole, which is a kubebuilder scaffold leftover from the kube-rbac-proxy pattern.

Investigation findings

• No ClusterRoleBinding references kubewarden-controller-metrics-reader anywhere in the kubewarden ecosystem
• kube-rbac-proxy is not deployed by the Helm chart - the deployment template contains no proxy sidecar container
• Metrics are exposed directly by the controller on port 8088 (cmd/controller/main.go:97), and optionally via the OpenTelemetry Collector sidecar on port 8080
• Prometheus scrapes via plain HTTP - the kubewarden docs instruct users to create ServiceMonitors targeting port 8080/metrics without RBAC-based authentication
• The config/rbac/ scaffold files for kube-rbac-proxy are all commented out in kustomization.yaml, confirming the pattern was intentionally disabled

Changes

• Removed the kubewarden-controller-metrics-reader ClusterRole from charts/kubewarden-controller/templates/rbac.yaml
• Deleted the kubebuilder scaffold file config/rbac/auth_proxy_client_clusterrole.yaml
• Updated config/rbac/kustomization.yaml to remove the stale commented-out reference

Note

The kubewarden-controller-proxy-role ClusterRole (for tokenreviews/subjectaccessreviews) and its binding also appear to be leftovers from the same kube-rbac-proxy pattern since the proxy is not deployed. This could be addressed in a follow-up if desired.

Fixes #1532

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.96%. Comparing base (00ce0a3) to head (bc1c8ae).
⚠️ Report is 67 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1541      +/-   ##
==========================================
- Coverage   80.03%   79.96%   -0.08%     
==========================================
  Files         127      127              
  Lines       16570    16570              
==========================================
- Hits        13262    13250      -12     
- Misses       3308     3320      +12     

Flag	Coverage Δ
rust-tests	79.96% <ø> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Removes an unused kubebuilder-scaffold RBAC artifact (kubewarden-controller-metrics-reader) related to the disabled kube-rbac-proxy pattern, reducing Helm/chart and kustomize RBAC noise.

Changes:

• Removed the kubewarden-controller-metrics-reader ClusterRole from the Helm chart RBAC template.
• Deleted the unused scaffold RBAC manifest config/rbac/auth_proxy_client_clusterrole.yaml.
• Cleaned up config/rbac/kustomization.yaml by removing the stale commented reference and updating the comment.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
config/rbac/kustomization.yaml	Removes stale commented-out reference to a deleted auth-proxy RBAC manifest.
config/rbac/auth_proxy_client_clusterrole.yaml	Deletes unused scaffold ClusterRole manifest (metrics-reader).
charts/kubewarden-controller/templates/rbac.yaml	Drops the unused kubewarden-controller-metrics-reader ClusterRole from Helm RBAC output.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jvanz]

LGTM. I think we can merge this. Furthermore, if this causes issues, we should get errors from CI as well.

[jvanz]

Considering that we are reorganizing the RBAC files under the charts directory on #1520 I'm closing this PR and removing the role from that PR. Thanks @nicknikolakakis for the investigation!