The ability to configure the admission deployment to use service account token volume projection (ref).
The ability to configure a user instead of a service account subject in the clusterrolebinding definition when using a "virtual garden" setup. This will enable other possibilities for authentication to the virtual garden, i.e., leveraging oidc-webhook-authenticator.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This PR is related to gardener/gardener-extension-provider-gcp#380
Release note:
`gardener-extension-admission-kubevirt` now supports configuration for enabling service account token volume projection. It is exposed through the `.Values.global.serviceAccountTokenVolumeProjection` section in the respective chart's values.
It is now possible to configure a `user` instead of a `serviceaccount` subject in the `clusterrolebinding` for the `gardener-extension-admission-kubevirt` when using a virtual garden setup by setting `.Values.global.virtualGarden.user.name`.
How to categorize this PR?
/area security /kind enhancement /platform kubevirt
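An added illustration, not taken from this PR or from the chart's templates: the two Kubernetes objects that the settings described above correspond to, a `ClusterRoleBinding` with a `User` subject and a pod that mounts a projected service account token. All object names, the user name, the audience, the expiry and the mount path are constructed placeholders, and the chart's actual sub-keys and rendered output may differ.

```yaml
# Constructed example; names and values are placeholders, not the chart's output.

# 1) ClusterRoleBinding bound to a User subject (the case selected by setting
#    .Values.global.virtualGarden.user.name) instead of a ServiceAccount subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-admission-kubevirt          # placeholder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-admission-kubevirt          # placeholder
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  # Must equal the username the API server's authenticator asserts for the
  # presented token; a mismatch means the binding grants nothing.
  name: example-admission-user              # placeholder
---
# 2) Pod fragment using service account token volume projection: a short-lived,
#    audience-bound token replaces the automounted service account token.
apiVersion: v1
kind: Pod
metadata:
  name: example-admission-pod               # placeholder
spec:
  serviceAccountName: example-admission     # placeholder
  automountServiceAccountToken: false       # do not mount the default token as well
  containers:
  - name: admission
    image: example.invalid/admission:placeholder
    volumeMounts:
    - name: projected-token
      mountPath: /var/run/secrets/projected/serviceaccount   # placeholder path
      readOnly: true
  volumes:
  - name: projected-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600           # kubelet rotates the token before expiry
          audience: example-virtual-garden  # token is rejected by other audiences
```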