[x] Feature request
[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report
[ ] Documentation issue or request
Description
With #3576 we introduced OAuthClient resource creation in the operator; subsequently we converted install/operator/deploy/syndesis-operator.yml to deal with the creation of ClusterRole and ClusterRoleBinding needed to grant the permissions to create and delete OAuthClient resource.
We also introduced the syndesis-privileged.yml template that utilizes the OAuthClient instead of the service account for OAuth configuration of oauth-proxy.
Now when we install we have a ClusterRole and a ClusterRoleBinding created per syndesis installation, which is superfluous and leads to issues like #4133, #4131, #4093 and #4126.
This makes us have a hard requirement on the installation of syndesis-operator to have ClusterRole and ClusterRoleBinding created for the operator to function.
We should handle this situation a bit more gracefully by checking in the operator if it can create the OAuthClient resource and select a template (syndesis.yml or syndesis-privileged.yml) based on the privileges given to the operator.
These should be our goals:
- ClusterRole/ClusterRoleBinding so that OAuthClient resource can be created
The whole point being in graceful degradation and adapting to the privileges given to the operator.
We also must make sure to:
- OAuthClient resources (change the name of the resource, by including namespace and Syndesis CR name)
- ClusterRole (perhaps even single ClusterRoleBinding with more than one subject (possible?))
cc @rhuss @avano for any additional input
This issue has been automatically marked as stale because it has not had any activity for 90 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions!
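One way to do the privilege check the issue asks for, as an added example that is not Syndesis operator code: the operator sends a Kubernetes SelfSubjectAccessReview for each verb it needs on OAuthClient and falls back to syndesis.yml on any denial or error. Assumptions: the `poster` transport is hypothetical, OAuthClient is addressed as resource `oauthclients` in API group `oauth.openshift.io`, and both create and delete must be granted.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const reviewPath = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"

// poster is a hypothetical transport: it POSTs body to the API server
// with the operator's own service account credentials.
type poster func(path string, body []byte) ([]byte, error)

// allowed sends a SelfSubjectAccessReview for verb on the cluster-scoped OAuthClient resource.
func allowed(post poster, verb string) (bool, error) {
	body, _ := json.Marshal(map[string]interface{}{
		"apiVersion": "authorization.k8s.io/v1",
		"kind":       "SelfSubjectAccessReview",
		"spec": map[string]interface{}{"resourceAttributes": map[string]string{
			"group": "oauth.openshift.io", "resource": "oauthclients", "verb": verb}},
	})
	raw, err := post(reviewPath, body)
	if err != nil {
		return false, err
	}
	var resp struct {
		Status struct {
			Allowed bool `json:"allowed"`
		} `json:"status"`
	}
	err = json.Unmarshal(raw, &resp)
	return resp.Status.Allowed, err
}

// selectTemplate picks the privileged template only when both verbs are
// granted; any denial or error degrades to the service-account template.
func selectTemplate(post poster) string {
	for _, verb := range []string{"create", "delete"} {
		if ok, err := allowed(post, verb); err != nil || !ok {
			return "syndesis.yml"
		}
	}
	return "syndesis-privileged.yml"
}

func main() {
	// Constructed reply: an API server that grants every review.
	grant := func(string, []byte) ([]byte, error) { return []byte(`{"status":{"allowed":true}}`), nil }
	fmt.Println(selectTemplate(grant))
}
```

Because the check runs with the operator's own credentials, an install without the ClusterRole and ClusterRoleBinding simply yields the unprivileged template instead of a failed reconcile.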