update templates to include admission registration

Author: deads2k

artifacts/install/apiserver-template.yaml

@@ -7,6 +7,7 @@ parameters:
   value: namespace-reservation-server:latest
 - name: NAMESPACE
   value: openshift-namespace-reservation
+- name: SERVICE_SERVING_CERT_CA
 - name: LOGLEVEL
   value: "0"
 objects:
@@ -95,4 +96,27 @@ objects:
       # singular name to be used as an alias on the CLI and for display
       singular: namespacereservation
       # kind is normally the CamelCased singular type. Your resource manifests use this.
-      kind: NamespaceReservation
+      kind: NamespaceReservation
+
+# register to intercept projectrequest creates
+- apiVersion: admissionregistration.k8s.io/v1alpha1
+  kind: ExternalAdmissionHookConfiguration
+  metadata:
+    name: namespacereservations.admission.online.openshift.io
+  externalAdmissionHooks:
+  - name: namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations
+    clientConfig:
+      service:
+        namespace: ${NAMESPACE}
+        name: server
+      caBundle: ${SERVICE_SERVING_CERT_CA}
+    rules:
+    - operations:
+      - CREATE
+      apiGroups:
+      - project.openshift.io
+      apiVersions:
+      - "*"
+      resources:
+      - projectrequests
+    failurePolicy: Fail

artifacts/install/rbac-template.yaml

@@ -22,7 +22,23 @@ objects:
     namespace: ${NAMESPACE}
     name: server
 
-# to have the template service broker powers
+# to let the admission server read the namespace reservations
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    annotations:
+    name: system:openshift:online:namespace-reservation-server
+  rules:
+  - apiGroups:
+    - online.openshift.io
+    resources:
+    - namespacereservations
+    verbs:
+    - get
+      list
+      watch
+
+# to let the admission server read the namespace reservations
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRoleBinding
   metadata: