[stable/ambassador] rbac updates for CRDs and single namespace usage

[Flydiverny]

What this PR does / why we need it:

Adds a cluster role for checking if ambassador crds are defined, even if running in single namespace mode with role instead of cluster role.
Removes namespace permission when rbac is namespaced.

Which issue this PR fixes

• fixes Allow ambassador Helm chart to use CRDS when namespaced  emissary-ingress/emissary#1576
• fixes [stable/ambassador] CRDs not accessible #14243
• fixes Failed to install ambassador in single namespace mode #13557

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

• DCO signed
• Chart Version bumped
• Variables are documented in the README.md
• Title of the PR starts with chart name (e.g. [stable/chart])

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Flydiverny

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• stable/ambassador/OWNERS [Flydiverny]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Flydiverny]

/hold
Want to make sure this actually solves whatever use case people with single namespace has!

/assign @kflynn

[kflynn]

PR looks sane; I’ll wait for feedback from users before doing anything else...

[Flydiverny]

Perhaps we need to skip rbac-crds when rbac.namespaced: true assuming we can't create cluster roles at all in this use case. Which in the end would mean the user can't use CRDs in that setup.

You could still do ambassador in single namespace mode with cluster roles ( rbac.namespaced: false and scope.singleNamespace: true), which would allow for CRDs to be used.

[iNoahNothing]

Why don't we just skip rbac-crds when crds.create: false?

I could see a usecase of wanting namespaced RBAC while still wanting to use the CRD functionality. If there is some restriction against creating or giving access to anything at the cluster level, then CRDs aren't going to be desirable anyway.

[Flydiverny]

@nbkrause

If you install 2 instances or more of ambassador only one of them can create the CRDs, but all of them could watch for them in their respective namespace. Ambassador requires that it can see that the CRD definitions exist, so they would need a cluster role for this, with ambassadors current logic.

---

Is there any use case where one would do

rbac.namespaced: true
scope.singleNamespace: false

Wondering if rbac.namespaced is superfluous? It makes little sense to me why one would limit ambassador to only see things in its namespace but be configured to look in all of them :)

[Flydiverny]

Split the fix for #13557 to another PR #14604 so its not blocked :)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

[stale]

This issue is being automatically closed due to inactivity.