Admission Webhooks for OLM

[ecordell]

Description of the change:
This adds an admission webhook to OLM that:

• Detects when a user is creating a CSV
• Processes the CSV for the required RBAC
• Checks if the user has enough permission to have created the RBAC directly
• If so, creates the RBAC for the CSV

Directly applying a CSV and CRD will result in the CSV transitioning past Pending and into running states.

If the RBAC generation fails for some reason, the CSV status will explain exactly which rbac rules still need to be filled.

The processing is done asynchronously and doesn't block storage of the CSV by etcd.

The webhook requires TLS certs coordinated with the kube apiserver. For this PR, the webhook is only enabled when running locally, and certs are generated at that time. Upstream deployments should probably integrate with cert-manager, and OpenShift deployments should use service-ca-signer (this work is coming).

Motivation for the change:

It can be frustrating to iterate on CSVs if you have to syncronize rbac between CSV and standard roles/rolebindings.

This also restores the older behavior of OLM, which

Reviewer Checklist

• Implementation matches the proposed design, or proposal is updated to match implementation
• Sufficient unit test coverage
• Sufficient end-to-end test coverage
• Docs updated or added to /docs
• Commit messages sensible and descriptive

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ecordell

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ecordell]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[njhale]

Thanks for working on this. A few preliminary comments:

[ecordell]

/retest

[ecordell]

/retest

[openshift-ci-robot]

@ecordell: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/schema-check	7a48eec	link	/test schema-check
ci/prow/e2e-aws	7a48eec	link	/test e2e-aws
ci/prow/e2e-aws-upgrade	7a48eec	link	/test e2e-aws-upgrade
ci/prow/e2e-gcp-upgrade	1af1132	link	/test e2e-gcp-upgrade
ci/prow/e2e-aws-console-olm	1af1132	link	/test e2e-aws-console-olm

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[awgreene]

Closing this in favor of #1102

[openshift-ci-robot]

@ecordell: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.