Allow eksa-controller-manager to remove package bundle controllers (#833

)

These permissions will allow the eksa-controller to delete package bundle
controller helm installations completely, and without error.

The namespace in question is the workload clusters,
e.g. eksa-packages-my-workload-cluster.

The secret in question is the registry-mirror-secret that is created for
workload clusters (regardless of whether or registry mirror is in use).

Part of #807.

charts/eks-anywhere-packages/templates/role.yaml

@@ -44,4 +44,26 @@ rules:
   verbs:
   - create
   - patch
-{{- end }}
+{{- end }}
+{{- if .Values.workloadOnly }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "eks-anywhere-packages.fullname" . }}-manager-role
+  namespace: {{ .Values.namespace }}-{{ .Values.clusterName }}
+  labels:
+    {{- include "eks-anywhere-packages.labels" . | nindent 4 }}
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - secrets
+  verbs:
+  - delete
+{{- end }}

charts/eks-anywhere-packages/templates/rolebinding.yaml

@@ -18,4 +18,26 @@ subjects:
   - kind: ServiceAccount
     name: {{ .Values.serviceAccount.name }}
     namespace: {{ .Values.namespace }}
-{{- end }}
+{{- end }}
+{{- if .Values.workloadOnly }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "eks-anywhere-packages.fullname" . }}-manager-rolebinding
+  namespace: {{ .Values.namespace }}-{{ .Values.clusterName }}
+  labels:
+    {{- include "eks-anywhere-packages.labels" . | nindent 4 }}
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "eks-anywhere-packages.fullname" . }}-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: eksa-controller-manager
+    namespace: eksa-system
+{{- end }}