HOSTEDCP-1536: feat(install): expose hypershift-readers ClusterRole at install time

[andreadecorte]

What this PR does / why we need it:
Today, hypershift install exposes a flag:

--enable-admin-rbac-generation
which creates ClusterRoles and ClusterRoleBinding for Hosted cluster admins and readers.

We want to start using the hypershift-readers ClusterRole in ROSA HCP to replace the one currently deployed on the Management Clusters by OSDFM, as it was already agreed that this is better located in HO, as it is close to the resources and the logic.

To do that, we need to:

• add a new install flag
  --enable-reader-rbac-generation
  that creates only the hypershift-readers ClusterRole (as the binding will be handled elsewhere), to avoid creating useless resources that could impact the exposure
• align the ClusterRole with what we have on OSDFM in terms of role aggregation and also add the missing HyperShift API group for certificates which where added recently in HyperShift

The existing flag --enable-admin-rbac-generation is kept unchanged in case we want to deploy both personas including ClusterRoleBindings.

Which issue(s) this PR fixes:
Fixes #HOSTEDCP-1536

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: andreadecorte
Once this PR has been reviewed and has the lgtm label, please assign jparrill for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for hypershift-docs ready!

Name	Link
🔨 Latest commit	3539a54
🔍 Latest deploy log	https://app.netlify.com/sites/hypershift-docs/deploys/66225d54493a2500088b3f61
😎 Deploy Preview	https://deploy-preview-3913--hypershift-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[bryan-cox]

/retitle HOSTEDCP-1536: feat(install): expose hypershift-readers ClusterRole at install time

[openshift-ci-robot]

@andreadecorte: This pull request references HOSTEDCP-1536 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

What this PR does / why we need it:
Today, hypershift install exposes a flag:

--enable-admin-rbac-generation
which creates ClusterRoles and ClusterRoleBinding for Hosted cluster admins and readers.

We want to start using the hypershift-readers ClusterRole in ROSA HCP to replace the one currently deployed on the Management Clusters by OSDFM, as it was already agreed that this is better located in HO, as it is close to the resources and the logic.

To do that, we need to:

• add a new install flag
  --enable-reader-rbac-generation
  that creates only the hypershift-readers ClusterRole (as the binding will be handled elsewhere), to avoid creating useless resources that could impact the exposure
• align the ClusterRole with what we have on OSDFM in terms of role aggregation and also add the missing HyperShift API group for certificates which where added recently in HyperShift

The existing flag --enable-admin-rbac-generation is kept unchanged in case we want to deploy both personas including ClusterRoleBindings.

Which issue(s) this PR fixes:
Fixes #HOSTEDCP-1536

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

Hey @andreadecorte 👋🏻 - looks like you are failing verify because you are missing a generated file. If you run make verify locally, it should show up.

[andreadecorte]

Hey @andreadecorte 👋🏻 - looks like you are failing verify because you are missing a generated file. If you run make verify locally, it should show up.

thanks for the hint, fixed!

[bryan-cox]

/test verify

[andreadecorte]

/test e2e-kubevirt-aws-ovn

[openshift-ci]

@andreadecorte: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[stevekuznetsov]

Having the names of roles that are used in one deployment of HyperShift hard-coded here seems like the wrong choice - perhaps expose which roles this should aggregate into as an option for the install command.

[stevekuznetsov]

Not sure that this change is necessary, you could reduce your diff by leaving it out. It's not like we will be changing the list at any time (and therefore benefiting from having a slice for it).