fix: add EPP RBAC for InferenceModelRewrite (required by v0.7.0)

EPP v0.7.0 (built on gateway-api-inference-extension v1.3.0) watches
InferenceModelRewrite resources on startup. The inferencepool Helm
chart v1.0.1 (shipped with llm-d v0.3.0) does not include this
permission, causing the EPP to crash-loop with a forbidden error
when its image is patched to v0.7.0.

Add a supplemental Role and RoleBinding granting the EPP service
account read-only access to inferencemodelrewrites, applied alongside
the existing image and ConfigMap patches in deploy/lib/infra_llmd.sh.

Made-with: Cursor

Author: kahilam

deploy/lib/infra_llmd.sh

@@ -338,6 +338,35 @@ deploy_llm_d_infrastructure() {
             else
                 log_warning "ConfigMap $LLM_D_EPP_NAME not found in $LLMD_NS"
             fi
+
+            # Ensure EPP has RBAC for InferenceModelRewrite (required by EPP v0.7.0+
+            # which watches this CRD, but older inferencepool Helm charts don't include it).
+            log_info "Ensuring EPP RBAC includes inferencemodelrewrites permission"
+            kubectl apply -f - <<RBAC_EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ${LLM_D_EPP_NAME}-model-rewrite
+  namespace: ${LLMD_NS}
+rules:
+- apiGroups: ["inference.networking.x-k8s.io"]
+  resources: ["inferencemodelrewrites"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ${LLM_D_EPP_NAME}-model-rewrite
+  namespace: ${LLMD_NS}
+subjects:
+- kind: ServiceAccount
+  name: ${LLM_D_EPP_NAME}
+  namespace: ${LLMD_NS}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ${LLM_D_EPP_NAME}-model-rewrite
+RBAC_EOF
         else
             log_warning "Skipping inference-scheduler patch: Deployment $LLM_D_EPP_NAME not found in $LLMD_NS"
         fi