CNTRLPLANE-79: Disable oauth admission plugins

[liouk]

When auth type is not OAuth (i.e. OIDC or None), we must disable the plugins relevant for RoleBindingRestrictions, as this API relies on the User & Group APIs, which are part of the OAuth apiserver.

This PR adds a config observer specific to these plugins, and a special config merge rule that ensures that any plugin configured in the --disable-admission-plugins API server argument, will be removed from the --enable-admission-plugins one if it exists there.

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-79 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

When auth type is not OAuth (i.e. OIDC or None), we must disable the plugins relevant for RoleBindingRestrictions, as this API relies on the User & Group APIs, which are part of the OAuth apiserver.

This PR adds a config observer specific to these plugins, and a special config merge rule that ensures that any plugin configured in the --disable-admission-plugins API server argument, will be removed from the --enable-admission-plugins one if it exists there.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liouk]

/jira refresh

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-79 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	d706513	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-metal-single-node-live-iso	d706513	link	false	/test e2e-metal-single-node-live-iso
ci/prow/e2e-aws-ovn-serial	d706513	link	true	/test e2e-aws-ovn-serial
ci/prow/e2e-aws-ovn	d706513	link	true	/test e2e-aws-ovn
ci/prow/k8s-e2e-gcp-serial	d706513	link	false	/test k8s-e2e-gcp-serial
ci/prow/e2e-aws-ovn-upgrade	d706513	link	true	/test e2e-aws-ovn-upgrade
ci/prow/k8s-e2e-gcp	d706513	link	true	/test k8s-e2e-gcp
ci/prow/e2e-gcp-operator-single-node	d706513	link	false	/test e2e-gcp-operator-single-node
ci/prow/e2e-gcp-operator	d706513	link	true	/test e2e-gcp-operator
ci/prow/e2e-aws-ovn-single-node	d706513	link	false	/test e2e-aws-ovn-single-node
ci/prow/e2e-aws-operator-disruptive-single-node	d706513	link	false	/test e2e-aws-operator-disruptive-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.