[RHOAIENG-15773] Fix MR permissions management error (give dashboard ServiceAccount permission to get endpoints) #3546

mturley
Contributor

@mturley mturley commented Dec 4, 2024

Resolves critical bug RHOAIENG-15773.

Description

Due to a change in the Model Registry operator (PR here, issue here), the registry-user-${registryname} role that is generated for each model registry now has an additional permission: get endpoints.

The service account used by the dashboard to create rolebindings for managing model registry permissions does not have permission to get endpoints today. Because of this change, the Manage Permissions page's requests to create new rolebindings using this role are failing in the dashboard. This is due to a cluster API restriction that a user may not grant other users permissions that they don't have themselves.

We would like to discuss a longer-term solution to the constraint we've found here. It should not be possible to cause dashboard permission regressions by changing roles in another component (ideally, any user with rhoai admin permissions should have the same permissions any model registry user has). But for now, the short term fix is to add this new get endpoints permission to our ServiceAccount's ClusterRole.

How Has This Been Tested?

Observe that with these manifests changed (via a devFlag on the cluster), the odh-dashboard ClusterRole has the changes from this PR's diff. Go to Model Registry Settings, click Manage Permissions on a registry, try to add a user, group or project, and make sure it succeeds.

Test Impact

N/A, end to end tests would be nice for this case though once we are ready for that.

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change.

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main
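
The restriction described in this PR (a subject cannot bind a role containing permissions it does not hold) can be modelled offline. The following is an added example, not code from the odh-dashboard or Model Registry projects: the rule sets and the role name `registry-user-example` are constructed, and the model ignores `nonResourceURLs` and role aggregation. It goes slightly beyond the PR by also modelling the `bind` verb, which Kubernetes RBAC accepts as an alternative to holding every permission in the role.

```python
# Simplified model of the API server's RBAC escalation check on RoleBinding
# creation. Ignores nonResourceURLs and aggregation; all rule data is constructed.
RBAC_GROUP = "rbac.authorization.k8s.io"

def _match(allowed, wanted):
    return "*" in allowed or wanted in allowed  # "*" matches any value

def rule_allows(rule, group, resource, verb):
    if rule.get("resourceNames"):  # name-scoped rules cannot cover a general grant
        return False
    return (_match(rule["apiGroups"], group) and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))

def expand(rules):
    """Flatten rules into (apiGroup, resource, verb) tuples."""
    return [(g, r, v) for rule in rules for g in rule["apiGroups"]
            for r in rule["resources"] for v in rule["verbs"]]

def uncovered(granter_rules, role_rules):
    """Permissions in the role that the granter does not hold itself."""
    return [p for p in expand(role_rules)
            if not any(rule_allows(rule, *p) for rule in granter_rules)]

def can_bind(granter_rules, role_rules, role_name):
    """Allowed if the granter holds every permission in the role, or has
    the 'bind' verb on that role."""
    has_bind = any(
        _match(r["apiGroups"], RBAC_GROUP) and _match(r["resources"], "roles")
        and _match(r["verbs"], "bind")
        and (not r.get("resourceNames") or role_name in r["resourceNames"])
        for r in granter_rules)
    return has_bind or not uncovered(granter_rules, role_rules)

ROLE_NAME = "registry-user-example"  # placeholder registry name
REGISTRY_USER_ROLE = [  # constructed: role after the operator change
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get"]},
]
DASHBOARD_BEFORE = [  # constructed: ServiceAccount rules before this PR
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
    {"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": ["create"]},
]
DASHBOARD_AFTER = DASHBOARD_BEFORE + [  # the short-term fix: add get endpoints
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get"]},
]

if __name__ == "__main__":
    print("missing before:", uncovered(DASHBOARD_BEFORE, REGISTRY_USER_ROLE))
    print("bind before:", can_bind(DASHBOARD_BEFORE, REGISTRY_USER_ROLE, ROLE_NAME))
    print("bind after:", can_bind(DASHBOARD_AFTER, REGISTRY_USER_ROLE, ROLE_NAME))
```

Running `uncovered` against a component's own ClusterRole and every role it is expected to bind is a cheap CI check for the cross-component regression this PR describes.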

codecov bot commented Dec 5, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.56%. Comparing base (ca3d3e4) to head (425ce4c).
Report is 14 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3546      +/-   ##
==========================================
+ Coverage   85.54%   85.56%   +0.01%     
==========================================
  Files        1342     1342              
  Lines       31025    31025              
  Branches     8679     8679              
==========================================
+ Hits        26541    26546       +5     
+ Misses       4484     4479       -5     

see 3 files with indirect coverage changes


Contributor

openshift-ci bot commented Dec 6, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewballantyne


@openshift-ci openshift-ci bot added the approved label Dec 6, 2024
@andrewballantyne
Member

/hold

Double checking with the architects before we merge

@openshift-ci openshift-ci bot added the do-not-merge/hold This PR is hold for some reason label Dec 6, 2024
@andrewballantyne
Member

/unhold

No response, let's go ahead with this -- if we need to revert it, we have time.

@openshift-ci openshift-ci bot removed the do-not-merge/hold This PR is hold for some reason label Dec 9, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 8484cd3 into opendatahub-io:main Dec 9, 2024
6 checks passed
@mturley mturley deleted the RHOAIENG-15773-mr-rolebinding-error branch December 10, 2024 17:29
ConorOM1 pushed a commit to ConorOM1/odh-dashboard that referenced this pull request Dec 12, 2024