ansible / awx-resource-operator


Move to a namespace-scoped operator approach for better security #51

Closed rooftopcellist closed 3 years ago

rooftopcellist commented 3 years ago

Related awx-operator PR: https://github.com/ansible/awx-operator/pull/541

I propose we move the awx-resource-operator from a cluster-scoped operator to a namespace-scoped operator. At a high level this means only Roles for service accounts, no ClusterRoles, and it also means that operators & AWX Resource deployments will have a 1-to-1 relationship.
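The "Roles instead of ClusterRoles" change described above, as an added example that is not the PR's own manifest: the rule list and the `default` namespace are assumptions, while the API group and resource names are those of the CRDs this operator installs (ansiblejobs and jobtemplates in tower.ansible.com). Note that the CRDs themselves remain cluster-scoped objects created by whoever applies the deploy file, not by the operator's service account, so the operator needs no ClusterRole for them.

```yaml
---
# BEFORE (cluster-scoped): this ClusterRole, once attached with a
# ClusterRoleBinding, lets the tower-resource-operator service account
# act on these resources in every namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tower-resource-operator
rules:
- apiGroups: ["tower.ansible.com"]
  resources: ["ansiblejobs", "jobtemplates", "ansiblejobs/status", "jobtemplates/status"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["", "batch"]          # assumed: pods/secrets for the runner, jobs to launch it
  resources: ["pods", "secrets", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# AFTER (namespace-scoped): identical rules, but a Role plus RoleBinding, so
# the grant stops at the namespace boundary. Each namespace that needs AWX
# Resource deployments gets its own operator and its own copy of these objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tower-resource-operator
  namespace: default                # templated at deploy time, not hard-coded
rules:
- apiGroups: ["tower.ansible.com"]
  resources: ["ansiblejobs", "jobtemplates", "ansiblejobs/status", "jobtemplates/status"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["", "batch"]
  resources: ["pods", "secrets", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tower-resource-operator
  namespace: default
subjects:
- kind: ServiceAccount
  name: tower-resource-operator
  namespace: default                # must match the Role's namespace
roleRef:
  kind: Role                        # a RoleBinding may also reference a ClusterRole; keep it a Role
  name: tower-resource-operator
  apiGroup: rbac.authorization.k8s.io
```

A quick check after deploying is `kubectl auth can-i list ansiblejobs.tower.ansible.com --as=system:serviceaccount:default:tower-resource-operator -n some-other-namespace`, which should answer `no` once only the Role and RoleBinding exist.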

Zokormazo commented 3 years ago

If AWX Resource deployments are needed in multiple namespaces, multiple awx-resource-operators can be deployed to accomplish this.

Do we have to modify the namespace on Role and ClusterRole manually to accomplish this?

rooftopcellist commented 3 years ago

@Zokormazo absolutely right, I have removed spots where the namespace had been hard-coded, as we talked about.

rooftopcellist commented 3 years ago

Templating Additions

The latest commit on this PR makes it possible to template out the tower-resource-operator.yaml definition file.

Benefits:

Example usage for testing changes by building images:

# Set Context
kubectl config set-context --current --namespace=default

# Build & Push Operator
operator-sdk build quay.io/chadams/awx-resource-operator:dev
docker push quay.io/chadams/awx-resource-operator:dev

# Build the job launch (runner) container
docker build -t quay.io/chadams/operator-job-run:dev -f build/Dockerfile.runner .
docker push quay.io/chadams/operator-job-run:dev

# Template the tower-resource-operator.yaml file
ansible-playbook ansible/chain-operator-files.yml -e operator_image=quay.io/chadams/awx-resource-operator -e operator_version=dev -e runner_image=quay.io/chadams/operator-job-run -e runner_version=dev

# Deploy the Operator
kubectl create -f deploy/tower-resource-operator.yaml

Namespace-scoped Operator changes

This can now be deployed to any namespace (not just tower-operator ns).
There are no longer any access errors when deploying.

role.rbac.authorization.k8s.io/tower-resource-operator created
rolebinding.rbac.authorization.k8s.io/tower-resource-operator created
serviceaccount/tower-resource-operator created
customresourcedefinition.apiextensions.k8s.io/ansiblejobs.tower.ansible.com created
customresourcedefinition.apiextensions.k8s.io/jobtemplates.tower.ansible.com created
deployment.apps/tower-resource-operator created
$ oc get pods
NAME                                      READY   STATUS    RESTARTS   AGE
tower-resource-operator-5695559dd-ckw27   1/1     Running   0          12m
$ oc get deployments
NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
tower-resource-operator   1/1     1            1           12m