[epic] ClusterExtension uses service account provided in spec to manage content

[joelanford]

Follow least privilege principle and reduce confused deputy problems by limiting the scope of OLM v1’s permissions. Instead, have users provide a ServiceAccount with the necessary permissions to manage an extension.

For more information on this feature, please see the following documents:

• brief
• rfc

Tasks

• Add new required field to ClusterExtension spec for users to reference a ServiceAccount #971
• Implement a Go struct for fetching and caching authentication tokens for a ServiceAccount #972
• Wire up installation of content using a provided ServiceAccount #973
• Implement a dynamic caching layer that establishes watches utilizing a ServiceAccount #974
• Wire up dynamic caching layer to manage installed content #975
• Write E2E tests for provided ServiceAccount feature #976
• Write Provided ServiceAccount Documentation #977

[joelanford]

I've done some hacking today to get support into helm-operator-plugins and rukpak for specifying and using a service account operator-framework/rukpak#857

I know we're looking to eliminate the separate rukpak controller's but perhaps these changes are useful in some way if we reuse or vendor helm-operator-plugins and/or rukpak code.

[varshaprasad96]

Related #840

[skattoju]

/assign

[joelanford]

By the way, I think this particular feature is going to be a fairly complex change that will require some upfront design.

@skattoju if you want to pick this up, can we do a kickoff meeting to discuss the high level goals and talk through some of the implications? And I think we'll want to put together a design doc for this one once we figure out what the plan is.

The issue that @varshaprasad96 linked has a bunch of the context.

[skattoju]

Definitely! I'll set something up 👍

[skattoju]

i have started a PoC i am still testing to see if it works..
https://github.com/skattoju/operator-controller/tree/sa_from_spec_poc