feat: role binding backfill #295

Merged
merged 25 commits into from
Jan 16, 2023

james-milligan (Contributor) commented Jan 12, 2023

This PR

  • backfill the flagd-kubernetes-sync role binding on upgrade

Related Issues

#292

Notes

Follow-up Tasks

This PR expands one of the options for resolving the bug described in the issue above. On startup a goroutine is started with a 5 second timeout (to allow cache to be ready), and all pods with the openfeature.dev/enabled annotation set to "true" will have their service accounts added to the flagd-kubernetes-sync role binding, restoring its state to that which it was prior to the upgrade.

How to test

Upgrade helm and verify that the flagd connection is reestablished.

@james-milligan james-milligan marked this pull request as ready for review January 12, 2023 16:22
james-milligan and others added 6 commits January 12, 2023 16:23
toddbaert (Member) commented Jan 12, 2023

@james-milligan I could be missing something, but I still seem to have the issue after an upgrade. Here are the steps I took:

  • checked out main
  • built/pushed my docker image: toddbaert/ofo:main
  • built charts: make build && make helm-package
  • edited rendered.yaml to use toddbaert/ofo:main
  • did helm install ofo . from chart dir
  • deployed workload and verified everything worked

Then I applied the fix:

  • checked out this branch
  • edited Makefile, updating version to v0.2.24
  • built/pushed my docker image: toddbaert/ofo:fix
  • built charts: make build && make helm-package
  • edited rendered.yaml to use toddbaert/ofo:fix
  • did helm upgrade ofo . from chart dir, which upgraded the operator
  • changed a flag value on the workload, saw:
"end-to-end\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"featureflagconfigurations\" in API group \

Maybe I've somehow tested this fix incorrectly? If so please let me know what I did wrong.

toddbaert (Member) commented Jan 12, 2023

@james-milligan

As discussed on Slack, the root cause of my issue was that I was using the old invalid annotation openfeature.dev: "enabled" not openfeature.dev/enabled: "true" (which works as expected).

As you noted, we may want to add support for the deprecated annotation too.

But otherwise, this works as expected. Nice job!

james-milligan (Contributor Author) commented

> @james-milligan
>
> As discussed on Slack, the root cause of my issue was that I was using the old invalid annotation openfeature.dev: "enabled" not openfeature.dev/enabled: "true" (which works as expected).
>
> As you noted, we may want to add support for the deprecated annotation too.
>
> But otherwise, this works as expected. Nice job!

I've added in support for the core.openfeature.dev: "enabled" annotation, as well as expanded the test to include it.
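
The subject-selection step of the backfill discussed in this thread, as an added example that is not the operator's own code. `Pod` and `Subject` are simplified stand-ins for the Kubernetes types, `isEnabled` and `BackfillSubjects` are hypothetical names, and the accepted annotations are the forms quoted in the comments above.

```go
package main

import "fmt"

// Pod and Subject are simplified stand-ins for corev1.Pod and rbacv1.Subject.
type Pod struct {
	Namespace, ServiceAccount string
	Annotations               map[string]string
}

type Subject struct{ Kind, Namespace, Name string }

// isEnabled accepts the current annotation and the deprecated spellings quoted in the thread.
func isEnabled(a map[string]string) bool {
	return a["openfeature.dev/enabled"] == "true" ||
		a["openfeature.dev"] == "enabled" || a["core.openfeature.dev"] == "enabled"
}

// BackfillSubjects keeps the existing subjects and appends the service account of
// each enabled pod once, so running it again leaves the binding unchanged.
func BackfillSubjects(existing []Subject, pods []Pod) []Subject {
	seen := map[Subject]bool{}
	out := []Subject{}
	for _, s := range existing {
		seen[s] = true
		out = append(out, s)
	}
	for _, p := range pods {
		sa := p.ServiceAccount
		if sa == "" {
			sa = "default" // a pod with no serviceAccountName runs as "default"
		}
		s := Subject{"ServiceAccount", p.Namespace, sa}
		if isEnabled(p.Annotations) && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

func main() {
	pods := []Pod{ // constructed sample input
		{"default", "", map[string]string{"openfeature.dev/enabled": "true"}},
		{"default", "", map[string]string{"openfeature.dev": "enabled"}},
		{"shop", "cart", map[string]string{"openfeature.dev/enabled": "false"}},
	}
	fmt.Println(BackfillSubjects(nil, pods))
}
```

Because the subjects are derived from pod annotations, comparing the binding before and after a backfill shows exactly which service accounts gained access.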

codecov-commenter commented Jan 13, 2023

Codecov Report

Merging #295 (0ea83fc) into main (1eff914) will increase coverage by 0.70%.
The diff coverage is 57.40%.

@@            Coverage Diff             @@
##             main     #295      +/-   ##
==========================================
+ Coverage   50.90%   51.60%   +0.70%     
==========================================
  Files           3        3              
  Lines         444      498      +54     
==========================================
+ Hits          226      257      +31     
- Misses        202      222      +20     
- Partials       16       19       +3     
Impacted Files Coverage Δ
webhooks/pod_webhook.go 65.96% <57.40%> (-1.67%) ⬇️


james-milligan (Contributor Author) commented Jan 13, 2023

Resolved the test race condition through introducing a 'complete' channel to the BackfillPermissions method. This is not used in main, as the process can happen asynchronously, allowing the mgr.Start(ctx) method to block.

@james-milligan james-milligan merged commit 04bcf68 into open-feature:main Jan 16, 2023