Move mutable configmaps out of deployment manifest

[hty690]

Moving "antrea-ca" and "antrea-cluster-identity" out of deployment manifest.
Instead creating them in the code.

Fixes #1945

[codecov-io]

Codecov Report

Merging #1983 (79cc8e4) into main (e99a0bf) will increase coverage by 6.68%.
The diff coverage is 42.30%.

@@            Coverage Diff             @@
##             main    #1983      +/-   ##
==========================================
+ Coverage   60.10%   66.78%   +6.68%     
==========================================
  Files         197      197              
  Lines       17217    17259      +42     
==========================================
+ Hits        10348    11527    +1179     
+ Misses       5762     4543    -1219     
- Partials     1107     1189      +82     

Flag	Coverage Δ
e2e-tests	26.45% <38.46%> (?)
kind-e2e-tests	56.49% <40.38%> (+10.62%)	⬆️
unit-tests	41.74% <3.84%> (-0.11%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/flowaggregator/certificate.go	0.00% <0.00%> (ø)
pkg/apiserver/certificate/cacert_controller.go	58.95% <64.70%> (+24.78%)	⬆️
pkg/clusteridentity/clusteridentity.go	71.25% <64.70%> (+3.06%)	⬆️
pkg/agent/route/route_linux.go	46.30% <0.00%> (+0.32%)	⬆️
pkg/agent/controller/networkpolicy/cache.go	85.29% <0.00%> (+0.65%)	⬆️
pkg/agent/cniserver/pod_configuration.go	54.68% <0.00%> (+0.78%)	⬆️
pkg/controller/grouping/group_entity_index.go	94.58% <0.00%> (+1.27%)	⬆️
pkg/apiserver/storage/ram/store.go	81.95% <0.00%> (+1.50%)	⬆️
...ntroller/networkpolicy/networkpolicy_controller.go	71.10% <0.00%> (+1.62%)	⬆️
pkg/agent/agent.go	48.92% <0.00%> (+1.67%)	⬆️
... and 46 more

[tnqn]

What about flow-aggregator-ca?

[tnqn]

why don't create the configmap with the desired content directly which can avoid an extra call?
Also feel there is no need to have another method to construct a configmap, it's just one line code that is not shared by others.

[jianjuns]

Do you plan to cover flow-aggregator-ca as @antoninbas suggested?

[hty690]

Do you plan to cover flow-aggregator-ca as @antoninbas suggested?

Yes. I'm working on it.

[tnqn]

LGTM overall

[tnqn]

No need to specify the two fields if they are not set

[tnqn]

ditto

[tnqn]

LGTM, thanks

[tnqn]

/test-all

[antoninbas]

I may be missing something obvious but why don't we just add the "create" verb to the list above:

  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - antrea-ca
      - antrea-cluster-identity
    verbs:
      - get
      - update
      - create

[jianjuns]

I wondered too, and thought maybe "create" does not work with resourceNames, but just checked and found it could. Then we should add create to the existing verb list.

[hty690]

I added "create" to this verb list and I met the error
error when creating 'kube-system/antrea-cluster-identity' ConfigMap: configmaps is forbidden: User "system:serviceaccount:kube-system:antrea-controller" cannot create resource "configmaps" in API group "" in the namespace "kube-system"

[hty690]

I found it works. I will recommit the changes.

[tnqn]

Specifying resourceNames for "create" verb doesn't work: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

Note: You cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.

I did a test and it's consistent with the doc, how did you test?

[hty690]

I deleted and reapplied the yaml. And I found "antrea-ca" and "antrea-cluster-identity" was not deleted. and recreated. Maybe that's why I tested it with no error.

[jianjuns]

Ok, then the current yaml makes sense.

[tnqn]

Please add the label as the previous one in manifest yaml, in case we need a way to filter all antrea resources later.

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

/test-e2e