diff --git a/helm/temporal-worker-controller/templates/manager.yaml b/helm/temporal-worker-controller/templates/manager.yaml
index 50f8d7b1..e1aaceea 100644
--- a/helm/temporal-worker-controller/templates/manager.yaml
+++ b/helm/temporal-worker-controller/templates/manager.yaml
@@ -67,8 +67,12 @@ spec:
 args:
 - --leader-elect
 {{- if .Values.metrics.enabled }}
+ {{- if .Values.metrics.disableAuth }}
+ - "--metrics-bind-address=:{{ .Values.metrics.port }}"
+ {{- else }}
 - "--metrics-bind-address=127.0.0.1:{{ .Values.metrics.port }}"
 {{- end }}
+ {{- end }}
 - "--health-probe-bind-address=:8081"
 {{- if .Values.webhook.enabled }}
 {{ fail "webhooks aren't supported yet" }}
diff --git a/helm/temporal-worker-controller/values.yaml b/helm/temporal-worker-controller/values.yaml
index 765321dd..930a6e39 100644
--- a/helm/temporal-worker-controller/values.yaml
+++ b/helm/temporal-worker-controller/values.yaml
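Review bot: The new branch switches the manager's metrics listener to all interfaces (`:{{ .Values.metrics.port }}`) on `metrics.disableAuth` alone, so `authProxy.enabled: true` combined with `metrics.disableAuth: true` renders a pod where the kube-rbac-proxy sidecar (presumably gated on `authProxy.enabled` in a template not in this hunk) is still injected but is bypassed by scraping `metrics.port` on the pod IP directly, with nothing in the chart flagging it. This hunk already uses `fail` for an unsupported setting, so the same mechanism can reject the inconsistent pair at render time instead of relying on a values.yaml comment: `{{- if and .Values.metrics.enabled .Values.metrics.disableAuth .Values.authProxy.enabled }}` / `{{ fail "metrics.disableAuth=true with authProxy.enabled=true would expose /metrics unauthenticated next to the auth proxy; enable exactly one" }}` / `{{- end }}`. The reverse mismatch (`authProxy.enabled: false`, `metrics.disableAuth: false`) is not an exposure but leaves metrics bound to loopback with nothing forwarding to them, so it is worth failing on as well. The `args` list and the enclosing container spec continue outside the hunk.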
@@ -57,19 +57,42 @@ affinity: {}
 # More than one replica is required for high availability.
 replicas: 2
-# Opt out of these resources if you want to disable the
-# auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+# authProxy and metrics.disableAuth together control how /metrics is exposed.
+# They should be set consistently — see the two supported modes below.
+#
+# Mode 1 — Auth-protected metrics (default, recommended for production):
+# authProxy.enabled: true
+# metrics.disableAuth: false
+#
+# A kube-rbac-proxy sidecar (https://github.com/brancz/kube-rbac-proxy) is
+# injected into the manager pod. It listens on HTTPS port 8443 and proxies to
+# the manager's metrics endpoint on localhost, authorizing each request via
+# Kubernetes SubjectAccessReviews. The manager binds metrics to 127.0.0.1 so
+# it is only reachable through the proxy.
+#
+# Use this when: running in production, using Prometheus Operator with
+# ServiceMonitor + RBAC bearer tokens, or in multi-tenant clusters where
+# metrics should not be freely readable.
+#
+# Mode 2 — Unauthenticated metrics:
+# authProxy.enabled: false
+# metrics.disableAuth: true
+#
+# No proxy sidecar is injected. The manager binds metrics to 0.0.0.0:metrics.port
+# so Prometheus can scrape it directly without credentials.
+#
+# Use this when: network-level controls already restrict access (NetworkPolicy,
+# service mesh, same-namespace Prometheus), your scraper cannot present a
+# bearer token, or simplicity is preferred (e.g. dev/staging).
 authProxy:
 enabled: true
 metrics:
 enabled: true
 port: 8080
- # Set to true if you want your controller-manager to expose the /metrics
- # endpoint w/o any authn/z. If false, creates an HTTP proxy sidecar container
- # for the controller manager which performs RBAC authorization against the
- # Kubernetes API using SubjectAccessReviews.
+ # See the authProxy comment above for how disableAuth interacts with authProxy.enabled.
+ # When false (default): metrics bind to 127.0.0.1 and are proxied through kube-rbac-proxy.
+ # When true: metrics bind to 0.0.0.0 and are exposed directly without authentication.
 disableAuth: false
 namespace:
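Review bot: The Mode 2 guidance lists `same-namespace Prometheus` alongside NetworkPolicy and service mesh as a control that restricts access, but namespace co-location restricts nothing: once `metrics.disableAuth: true` is set, any workload that can route to the manager pod IP on `metrics.port` reads /metrics regardless of namespace unless a NetworkPolicy or mesh policy denies it. I would drop that example and state the exposure plainly, e.g. `# Mode 2 exposes /metrics to anything that can reach the pod IP on metrics.port; use it only where a NetworkPolicy or service-mesh policy limits that reachability.` The text also says the two values `should be set consistently` without saying what happens otherwise; since the manager template keys the bind address off `metrics.disableAuth` alone, it is worth adding that mismatched combinations are not rejected at render time and that `authProxy.enabled: true` with `metrics.disableAuth: true` in particular leaves the direct port reachable behind the proxy. Minor: the template binds `:port`, i.e. all interfaces including IPv6, so `all interfaces` is more accurate than `0.0.0.0` in the two places it appears.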