From e51878fa920b685c8093e003dd39d6d746dcf60f Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 18 Jul 2025 12:44:11 -0500
Subject: [PATCH] ansible: Allow h-p to update scrape-collectd CM

The `scrape-collectd` ConfigMap in the `default` namespace is used by Victoria Metrics to identif the hosts from which it should scrape collectd metrics. When deploying new machines that are _not_ part of the Kubernetes cluster, we need to explicitly add them to this list. The _host-provisioner_ can do this with an Ansible task, but it needs the appropriate permissions to do so.
---
 ansible/rbac.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/ansible/rbac.yaml b/ansible/rbac.yaml
index 4b9de79..7cc3e46 100644
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -132,3 +132,38 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: host-provisioner
+ namespace: victoria-metrics
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to update the scrape-collectd
+ ConfigMap when adding new hosts.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - patch
+ - get
+ resourceNames:
+ - scrape-collectd
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: host-provisioner
+ namespace: victoria-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
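Review bot: The RoleBinding subject at the end of the hunk has no `namespace`, so on a namespaced RoleBinding it resolves to a `host-provisioner` ServiceAccount in `victoria-metrics` itself. If the account lives in another namespace (the file's earlier bindings are only partly visible here), the grant will not reach it unless deployment tooling fills the field in. Adding `namespace: <host-provisioner-namespace>` under the subject's `name: host-provisioner` would make the cross-namespace grant explicit. Separately, the commit message places the ConfigMap in `default` while the Role is created in `victoria-metrics`; a Role only covers objects in its own namespace, so one of the two should be corrected. The rule itself is tightly scoped (`get`/`patch` on a single `resourceNames` entry), which is worth keeping as is.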