Missing RBAC configuration #1415

Open
sempex opened this issue Feb 11, 2025 · 0 comments

Comments


sempex commented Feb 11, 2025

The helm chart of cloud-provider-vsphere is missing quite an important bit of RBAC rules. Your pods won't start by default; they will throw something like:

Unable to get configmap/extension-apiserver-authentication in kube-system.  Usually fixed by 'kubectl create rolebinding -n kube-system ROLEBINDING_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA'
unable to load configmap based request-header-client-ca-file: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:kube-vsphere-cpi:cloud-controller-manager" cannot get resource "configmaps" in API group "" in the namespace "kube-system"

There is additional configuration needed so that it can read its own configmap holding the configuration for the cloud-provider-vsphere, for example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cpi-configmap-reader
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: configmap-reader-cloud-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cpi-configmap-reader
subjects:
- kind: ServiceAccount
  name: cloud-controller-manager
  namespace: kube-vsphere-cpi
# User subjects require apiGroup: rbac.authorization.k8s.io; the API server
# rejects a User entry without it, so only the complete entry is kept here.
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: cloud-controller-manager

With that the operator is able to read its own configuration. It requires "watch" as well, to watch the extension-apiserver-authentication configmap in the kube-system namespace, although I didn't find out what that one is used for yet.

I would suggest implementing this in some form in the helm chart. I can create an MR for it if this is wanted. Let me know if you need an MR 💯
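The ClusterRole above grants the controller read access to every ConfigMap in every namespace, which is more than the error message asks for: the message itself points at the built-in kube-system Role `extension-apiserver-authentication-reader`, which is limited by `resourceNames` to that one ConfigMap. The following added example (my own code, not part of this issue or of the cloud-provider-vsphere chart) is a small RBAC evaluator that models Role/ClusterRole/RoleBinding/ClusterRoleBinding resolution closely enough to compare the issue's manifests against a namespaced, name-scoped alternative. The CPI's own ConfigMap name `vsphere-cloud-config` and the Role/RoleBinding names in `SCOPED_MANIFESTS` are assumptions chosen for the example; the built-in role is mirrored rather than looked up, since no API server is involved.

```python
"""Simplified Kubernetes RBAC evaluator (added example, not project code).

Answers "may this user perform verb on resource/name in namespace?" for a
list of RBAC manifests expressed as dicts. Groups, aggregation rules and
non-resource URLs are deliberately not modelled.
"""

# The issue's own manifests, transcribed from its YAML (User subject omitted).
ISSUE_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cpi-configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "configmap-reader-cloud-controller-manager"},
     "roleRef": {"kind": "ClusterRole", "name": "cpi-configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "cloud-controller-manager",
                   "namespace": "kube-vsphere-cpi"}]},
]

CPI_SA = {"kind": "ServiceAccount", "name": "cloud-controller-manager",
          "namespace": "kube-vsphere-cpi"}

# Narrower alternative. Assumptions: the CPI config lives in a ConfigMap named
# "vsphere-cloud-config" in kube-vsphere-cpi; the kube-system Role mirrors the
# rules of the built-in extension-apiserver-authentication-reader Role.
SCOPED_MANIFESTS = [
    {"kind": "Role", "metadata": {"name": "extension-apiserver-authentication-reader",
                                  "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["extension-apiserver-authentication"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "cpi-auth-reader", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "extension-apiserver-authentication-reader"},
     "subjects": [CPI_SA]},
    {"kind": "Role", "metadata": {"name": "cpi-config-reader", "namespace": "kube-vsphere-cpi"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["vsphere-cloud-config"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "cpi-config-reader", "namespace": "kube-vsphere-cpi"},
     "roleRef": {"kind": "Role", "name": "cpi-config-reader"},
     "subjects": [CPI_SA]},
]


def subject_matches(subject, user):
    """ServiceAccount subjects authenticate as system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return user == subject["name"]
    return False  # Group subjects are not modelled


def rule_matches(rule, verb, group, resource, name):
    """A rule matches when every dimension matches (or is wildcarded)."""
    def allowed(values, wanted):
        return "*" in values or wanted in values
    if not allowed(rule.get("apiGroups", []), group):
        return False
    if not allowed(rule.get("resources", []), resource):
        return False
    if not allowed(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    # resourceNames narrows the rule to specific objects; an unnamed request
    # (e.g. a plain list of the whole namespace) is not covered by it.
    if names and name not in names:
        return False
    return True


def is_allowed(manifests, user, verb, resource, namespace, name=None, group=""):
    """Resolve bindings -> roles -> rules the way the RBAC authorizer does."""
    roles = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    for binding in manifests:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A RoleBinding only grants access inside its own namespace, even when
        # it references a ClusterRole.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        key = (("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole"
               else ("Role", binding["metadata"]["namespace"], ref["name"]))
        role = roles.get(key)
        if role and any(rule_matches(r, verb, group, resource, name) for r in role["rules"]):
            return True
    return False


CPI_USER = "system:serviceaccount:kube-vsphere-cpi:cloud-controller-manager"


def compare(name, namespace, verb="get"):
    """Return (issue_manifests_allow, scoped_manifests_allow) for one request."""
    return (is_allowed(ISSUE_MANIFESTS, CPI_USER, verb, "configmaps", namespace, name),
            is_allowed(SCOPED_MANIFESTS, CPI_USER, verb, "configmaps", namespace, name))


if __name__ == "__main__":
    for req in [("extension-apiserver-authentication", "kube-system"),
                ("vsphere-cloud-config", "kube-vsphere-cpi"),
                ("unrelated-app-config", "default")]:
        print(req, "issue/scoped ->", compare(*req))
```

Both manifest sets satisfy the request that failed in the log (get configmaps/extension-apiserver-authentication in kube-system), and both let the controller read its own ConfigMap; only the cluster-wide ClusterRole additionally lets the same ServiceAccount read a ConfigMap in an unrelated namespace, which is the difference a chart reviewer would want to weigh before shipping the broader rule.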
