✨ Check known required permissions for install before installing with the helm applier

[bentito]

Description

This is a successor PR to #1716 and is primarily the contributions of @trgeiger and @joelanford .

Goal and title, remain the same. Approach is a bit modified:

Pulls in RBAC authorization code from k8s.is/kubernetes, uses that code to check GET and other verb permissions as prelude to and as response from a Helm dry-run

To pull in the RBAC auth code concisely, repeatably and with warnings if the used code changes, we add a maintenance utility that adds the needed replace directives for all related staging modules (e.g., k8s.io/api, k8s.io/apimachinery, etc.) and they are automatically pinned to the corresponding published version.

All this code is initially called at

missingRules, err := h.PreAuthorizer.PreAuthorize(ctx, &ceServiceAccount, strings.NewReader(tmplRel.Manifest))

in internal/operator-controller/applier/helm.go

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	95145c6
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/67f02d13e41c8c0008be24f6
😎 Deploy Preview	https://deploy-preview-1858--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 42.58242% with 418 lines in your changes missing coverage. Please review.

Project coverage is 65.97%. Comparing base (23b9cdc) to head (95145c6).
Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
hack/tools/k8smaintainer/main.go	0.00%	227 Missing ⚠️
internal/operator-controller/authorization/rbac.go	64.97%	117 Missing and 21 partials ⚠️
internal/operator-controller/applier/helm.go	36.70%	42 Missing and 8 partials ⚠️
cmd/operator-controller/main.go	80.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1858      +/-   ##
==========================================
- Coverage   68.93%   65.97%   -2.96%     
==========================================
  Files          66       69       +3     
  Lines        5243     6025     +782     
==========================================
+ Hits         3614     3975     +361     
- Misses       1397     1787     +390     
- Partials      232      263      +31     

Flag	Coverage Δ
e2e	45.60% <5.98%> (-4.79%)	⬇️
unit	54.87% <39.14%> (-1.86%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[trgeiger]

I added some tests but they still need to be tweaked/finalized. I noticed while writing them up that due to the order of the logic where missing rules are checked before escalation, if bind/escalate are in play but we're missing the explicit permissions that bind/escalate would give us we end up with a result where there's no error but we do have missing rules. @joelanford is that what we would want? I would think if we can bind or escalate that we would not return that we're missing those rules since the SA can grant them.

EDIT: This isn't a concern, I misunderstood the permissions logic here