OpenStack: Cleanup ServiceAccount

For an unknown reason OpenStack was different in CCCMO and had its
OpenStack-specific `kube-system` ServiceAccount defined in manifests/.
This commit attempts to clean up this situation by moving these
manifests to pkg/cloud/openstack/assets.

pkg/cloud/cloud_test.go

@@ -141,18 +141,22 @@ func TestGetResources(t *testing.T) {
 	}, {
 		name:                  "OpenStack resources returned as expected",
 		testPlatform:          platformsMap[string(configv1.OpenStackPlatformType)],
-		expectedResourceCount: 2,
+		expectedResourceCount: 4,
 		expectedResourcesKindName: []string{
 			"Deployment/openstack-cloud-controller-manager",
 			"PodDisruptionBudget/openstack-cloud-controller-manager",
+			"ClusterRole/openstack-cloud-controller-manager",
+			"ClusterRoleBinding/cloud-controller-manager:openstack-cloud-controller-manager",
 		},
 	}, {
 		name:                  "OpenStack resources returned as expected with signle node cluster",
 		testPlatform:          platformsMap[string(configv1.OpenStackPlatformType)],
-		expectedResourceCount: 1,
+		expectedResourceCount: 3,
 		singleReplica:         true,
 		expectedResourcesKindName: []string{
 			"Deployment/openstack-cloud-controller-manager",
+			"ClusterRole/openstack-cloud-controller-manager",
+			"ClusterRoleBinding/cloud-controller-manager:openstack-cloud-controller-manager",
 		},
 	}, {
 		name:                  "GCP resources returned as expected",

pkg/cloud/openstack/assets/deployment.yaml

@@ -23,7 +23,7 @@ spec:
         infrastructure.openshift.io/cloud-controller-manager: {{ .cloudproviderName }}
     spec:
       hostNetwork: true
-      serviceAccount: cloud-controller-manager
+      serviceAccountName: cloud-controller-manager
       priorityClassName: system-cluster-critical
       nodeSelector:
         node-role.kubernetes.io/master: ""

pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrole.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: openstack-cloud-controller-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    - services/status
+    verbs:
+    - patch

pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cloud-controller-manager:openstack-cloud-controller-manager
+roleRef:
+  kind: ClusterRole
+  name: openstack-cloud-controller-manager
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: kube-system
+    name: cloud-controller-manager

pkg/cloud/openstack/openstack.go

@@ -9,6 +9,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	ini "gopkg.in/ini.v1"
 	appsv1 "k8s.io/api/apps/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -24,6 +25,8 @@ var (
 
 	templates = []common.TemplateSource{
 		{ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/deployment.yaml"},
+		{ReferenceObject: &rbacv1.ClusterRole{}, EmbedFsPath: "assets/openstack-cloud-controller-manager-clusterrole.yaml"},
+		{ReferenceObject: &rbacv1.ClusterRoleBinding{}, EmbedFsPath: "assets/openstack-cloud-controller-manager-clusterrolebinding.yaml"},
 	}
 )
 

pkg/cloud/openstack/openstack_test.go

@@ -51,7 +51,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {
 			}
 
 			resources := assets.GetRenderedResources()
-			g.Expect(resources).Should(HaveLen(1))
+			g.Expect(resources).Should(HaveLen(3))
 		})
 	}
 }