add cluster role/rolebinding for iamroleselector on namespace scope

IAMRoleSelector is a cluster scoped resource. When a controller is
configured as namespace scoped, this change adds a cluster
role/rolebinding that gives the controller access to iamroleselector and
namespaces.

Author: michaelhtm

templates/helm/templates/caches-role.yaml.tpl

@@ -1,3 +1,4 @@
+{{ VarIncludeTemplate "featuregates" "feature-gates" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -10,6 +11,16 @@ metadata:
     k8s-app: {{ IncludeTemplate "app.name" }}
     helm.sh/chart: {{ IncludeTemplate "chart.name-version" }}
 rules:
+{{ "{{ if contains \"IAMRoleSelector=true\" $featuregates }}" }}
+- apiGroups:
+  - services.k8s.aws
+  resources:
+  - iamroleselectors
+  verbs:
+  - get
+  - list
+  - watch
+{{ "{{ end }}" }}
 - apiGroups:
   - ""
   resources:
@@ -18,6 +29,14 @@ rules:
   - get
   - list
   - watch
+  {{ "{{ if eq .Values.installScope \"namespace\" }}" }}
+  {{ VarIncludeTemplate "wn" "watch-namespace" }}
+  {{ "{{ $namespaces := split \",\" $wn }}" }}
+  resourceNames:
+  {{ "{{ range $namespaces }}" }}
+    - {{ "{{ . }}" }}
+  {{ "{{ end }}" }}
+  {{ "{{ end }}" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

templates/pkg/resource/registry.go.tpl

@@ -7,7 +7,7 @@ import (
 	acktypes "github.com/aws-controllers-k8s/runtime/pkg/types"
 )
 
-// +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors,verbs=get;list;watch
 // +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=services.k8s.aws,resources=fieldexports,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=services.k8s.aws,resources=fieldexports/status,verbs=get;update;patch