Kong / kong-operator

Kong Operator for Kubernetes and OpenShift
https://konghq.com
Apache License 2.0

fix: permission to manage HorizontalPodAutoscaler #78

Closed vbelouso closed 2 years ago

vbelouso commented 2 years ago

This change fixes an error when HPA is enabled (autoscaling.enabled=true).

Without the change I get an error:

Unable to continue with install: could not get information about the resource: 
horizontalpodautoscalers.autoscaling "konnect-dp-kong" is forbidden:
User "system:serviceaccount:openshift-operators:kong-operator" cannot get 
resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "kong"

Environment: OpenShift version 4.8.2, Kong Operator 0.8.0 installed from https://operatorhub.io/

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

shaneutt commented 2 years ago

@vbelouso we appreciate your contribution, however unfortunately as per the README this project is considered deprecated and we're not looking for new contributions at this time (with the exception of security issues).

To provide some additional context: The maintainers learned that Helm based operators can be quite limiting for implementing the features we would want out of an operator and so we've decided against graduating this project from version 0 to version 1, and we're focusing instead on our upcoming Golang based operator which is under active development and we're currently expecting the trajectory of that Operator to take it to a v1.x.x release in time.

Based on what I see here it seems like you're doing a new install of Kong on Kubernetes and as such we recommend using the Helm Chart for new deployments in the interim between now and when our Operator reaches v1 status. The Helm chart in fact has options available in support of HPA:

Let us know if this is helpful, and if you have any additional questions or concerns we can address for you?

vbelouso commented 2 years ago

@shaneutt hi, thanks for the info.
I will also provide a little background. We are currently working directly with Kong to improve the product and adapt it to OpenShift (OCP). In particular, I do documentation validation when working with OCP.
I know about your plans to migrate to the Go-based operator and we will also help with this.
So my PR was aimed at helping out with the current state before you migrate to another operator.
In any case, it's up to you and thanks for the feedback.

shaneutt commented 2 years ago

Ah, I see :thinking:

My main concern was that it appeared to me as though maybe you were a new Kong user picking up the v0 Operator and I wanted to try and dissuade you from starting new deployments on it for reasons I hope make perfect sense given all the context I provided.

That said, it's very appreciated that you are trying to spot and resolve problems in the current Helm Operator. Given that we've never had any official support for this operator, and given that we've taken a policy of deprecation, it's a bit of a fine line on whether to accept things that aren't security fixes :thinking: but since my main concern (that you were a new user building foundations on this tool) is alleviated, and because we expect we will at some point have a couple more smaller maintenance releases, I think I can be persuaded that we should include this.

Question: How do you feel about changing the * verb to enumerate the exact verbs needed?

vbelouso commented 2 years ago

I was thinking about changing the * to be "least privileges", but I'll have to do more testing to figure out which verbs to use.
I remember exactly it was get, delete and there will surely be something else. If you don't mind, I'll check it out in the next few days and give you feedback.

shaneutt commented 2 years ago

> I was thinking about changing the * to be "least privileges", but I'll have to do more testing to figure out which verbs to use. I remember exactly it was get, delete and there will surely be something else. If you don't mind, I'll check it out in the next few days and give you feedback.

Sounds good, thank you :vulcan_salute:

vbelouso commented 2 years ago

@shaneutt Hi, based on my test it's enough to have get, create, delete permissions for HPA.
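
Added example, not part of this PR or of the kong-operator code: a small audit that compares what a set of RBAC rules grants on `horizontalpodautoscalers` in the `autoscaling` API group against the three verbs reported as sufficient above. The rule dicts mirror the `rules` entries of a Role/ClusterRole; all three sample rule sets and the function names are constructed for illustration.

```python
# Added example: audit RBAC rules for the HPA permission discussed in this thread.
# Rule dicts mirror Role/ClusterRole `rules` entries; sample rules are constructed,
# not copied from the PR.

REQUIRED = {"get", "create", "delete"}  # verbs reported as sufficient in the thread
# Standard resource-request verbs. A real '*' also matches non-standard verbs,
# so expanding it to this set understates what the wildcard grants.
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch",
             "delete", "deletecollection"}

def matches(rule, api_group, resource):
    """True if the rule covers the given API group and resource."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources))

def granted_verbs(rules, api_group, resource):
    """Union of verbs granted on the resource, expanding the '*' wildcard."""
    verbs = set()
    for rule in rules:
        if matches(rule, api_group, resource):
            rule_verbs = set(rule.get("verbs", []))
            verbs |= ALL_VERBS if "*" in rule_verbs else rule_verbs
    return verbs

def audit(rules, api_group="autoscaling", resource="horizontalpodautoscalers"):
    """Report missing verbs, verbs beyond REQUIRED, and wildcard use."""
    granted = granted_verbs(rules, api_group, resource)
    wildcard = any("*" in r.get("verbs", []) for r in rules
                   if matches(r, api_group, resource))
    return {"missing": sorted(REQUIRED - granted),
            "excess": sorted(granted - REQUIRED),
            "wildcard": wildcard}

WILDCARD_RULES = [{"apiGroups": ["autoscaling"],
                   "resources": ["horizontalpodautoscalers"], "verbs": ["*"]}]
LEAST_PRIV_RULES = [{"apiGroups": ["autoscaling"],
                     "resources": ["horizontalpodautoscalers"],
                     "verbs": ["get", "create", "delete"]}]
# No rule for the autoscaling group: the state behind the "forbidden" error.
NO_HPA_RULES = [{"apiGroups": ["apps"], "resources": ["deployments"],
                 "verbs": ["get", "create", "delete"]}]

if __name__ == "__main__":
    for name, rules in [("wildcard", WILDCARD_RULES),
                        ("least-privilege", LEAST_PRIV_RULES),
                        ("no HPA rule", NO_HPA_RULES)]:
        print(name, audit(rules))
```

On a live cluster the same question can be asked of the API server with `kubectl auth can-i`, impersonating the operator's service account named in the error message.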