feat(evalhub):add secrets reader RBAC for API SA

config/rbac/evalhub/evalhub_secrets_reader_role.yaml

@@ -0,0 +1,13 @@
+---
+# ClusterRole for EvalHub API secret existence checks.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: evalhub-secrets-reader
+  labels:
+    app.kubernetes.io/name: trustyai-service-operator
+    app.kubernetes.io/component: evalhub
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]

config/rbac/kustomization.yaml

@@ -13,6 +13,7 @@ resources:
   - evalhub/evalhub_jobs_writer_binding.yaml
   - evalhub/evalhub_job_config_role.yaml
   - evalhub/evalhub_job_config_binding.yaml
+  - evalhub/evalhub_secrets_reader_role.yaml
   - evalhub/evalhub_mlflow_access_role.yaml
   - evalhub/evalhub_mlflow_access_binding.yaml
   - evalhub/evalhub_mlflow_jobs_role.yaml

controllers/evalhub/service_accounts.go

@@ -181,6 +181,12 @@ func (r *EvalHubReconciler) createServiceAccount(ctx context.Context, instance *
 		return err
 	}
 
+	// Create RoleBinding for API SA secrets-reader
+	err = r.createSecretsReaderRoleBinding(ctx, instance, serviceAccountName)
+	if err != nil {
+		return err
+	}
+
 	// Create RoleBindings for split resource-manager roles (API SA only)
 	err = r.createJobsWriterRoleBinding(ctx, instance, serviceAccountName)
 	if err != nil {
@@ -226,6 +232,9 @@ const (
 	jobConfigClusterRoleName  = "trustyai-service-operator-evalhub-job-config"
 )
 
+// secretsReaderClusterRoleName allows the API SA to validate referenced secrets.
+const secretsReaderClusterRoleName = "trustyai-service-operator-evalhub-secrets-reader"
+
 // MLFlow access uses custom ClusterRoles scoped to the "mlflow.kubeflow.org" API group.
 // MLFlow's kubernetes-workspace-provider checks permissions via SelfSubjectAccessReview
 // against this group (not core Kubernetes resources). The ClusterRoles are pre-created
@@ -527,6 +536,16 @@ func (r *EvalHubReconciler) createJobConfigRoleBinding(ctx context.Context, inst
 	})
 }
 
+// createSecretsReaderRoleBinding creates a RoleBinding for the API SA to the
+// secrets-reader ClusterRole (secrets get).
+func (r *EvalHubReconciler) createSecretsReaderRoleBinding(ctx context.Context, instance *evalhubv1alpha1.EvalHub, serviceAccountName string) error {
+	return r.createGenericRoleBinding(ctx, instance, instance.Name+"-secrets-reader-rb", serviceAccountName, rbacv1.RoleRef{
+		Kind:     "ClusterRole",
+		Name:     secretsReaderClusterRoleName,
+		APIGroup: rbacv1.GroupName,
+	})
+}
+
 // createGenericRoleBinding creates a namespace-scoped RoleBinding with the given
 // name, subject SA, and role reference. Handles create-or-update logic including
 // immutable RoleRef recreation.

controllers/evalhub/unit_test.go

@@ -806,6 +806,60 @@ func TestEvalHubReconciler_createAPIAccessRoleBinding_RefersToRole(t *testing.T)
 	})
 }
 
+// TestEvalHubReconciler_createSecretsReaderRoleBinding verifies that the API SA
+// is bound to the secrets-reader ClusterRole.
+func TestEvalHubReconciler_createSecretsReaderRoleBinding(t *testing.T) {
+	scheme := runtime.NewScheme()
+	require.NoError(t, rbacv1.AddToScheme(scheme))
+	require.NoError(t, evalhubv1alpha1.AddToScheme(scheme))
+
+	ctx := context.Background()
+	testNamespace := "test-namespace"
+	evalHubName := "test-evalhub"
+
+	evalHub := &evalhubv1alpha1.EvalHub{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      evalHubName,
+			Namespace: testNamespace,
+			UID:       "test-uid-123",
+		},
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(evalHub).
+		Build()
+
+	reconciler := &EvalHubReconciler{
+		Client:        fakeClient,
+		Scheme:        scheme,
+		EventRecorder: record.NewFakeRecorder(10),
+	}
+
+	t.Run("should create RoleBinding to secrets-reader ClusterRole", func(t *testing.T) {
+		apiSAName := evalHubName + "-api"
+		err := reconciler.createSecretsReaderRoleBinding(ctx, evalHub, apiSAName)
+		require.NoError(t, err)
+
+		rbName := evalHubName + "-secrets-reader-rb"
+		rb := &rbacv1.RoleBinding{}
+		err = fakeClient.Get(ctx, types.NamespacedName{
+			Name:      rbName,
+			Namespace: testNamespace,
+		}, rb)
+		require.NoError(t, err)
+
+		assert.Equal(t, "ClusterRole", rb.RoleRef.Kind)
+		assert.Equal(t, secretsReaderClusterRoleName, rb.RoleRef.Name)
+		assert.Equal(t, rbacv1.GroupName, rb.RoleRef.APIGroup)
+
+		require.Len(t, rb.Subjects, 1)
+		assert.Equal(t, "ServiceAccount", rb.Subjects[0].Kind)
+		assert.Equal(t, apiSAName, rb.Subjects[0].Name)
+		assert.Equal(t, testNamespace, rb.Subjects[0].Namespace)
+	})
+}
+
 // TestEvalHubReconciler_createMLFlowAccessRoleBinding_JobsRole verifies that the jobs
 // MLflow RoleBinding uses the restricted jobs-specific ClusterRole.
 func TestEvalHubReconciler_createMLFlowAccessRoleBinding_JobsRole(t *testing.T) {