[Backport release-1.4] Feat: enhance controller auth by removing useless features & add authentication for componentrevision+healthcheck (#4023)

* Feat: use application identity in gc & componentrevision & collectHealthStatus

Signed-off-by: Somefive <yd219913@alibaba-inc.com>
(cherry picked from commit 63fc4bcc69)

* Chore: remove useless features and roles

Signed-off-by: Somefive <yd219913@alibaba-inc.com>
(cherry picked from commit f4ef77b2b3)

* Fix: remove DELETE from mutating webhook

Signed-off-by: Somefive <yd219913@alibaba-inc.com>
(cherry picked from commit 75f3d5dc35)

* Chore: enhance deploy error display

Signed-off-by: Somefive <yd219913@alibaba-inc.com>
(cherry picked from commit e69079bdae)

* Fix: e2e test vela cli output match & controllerrevision recycle for serviceaccount impersonation

Signed-off-by: Somefive <yd219913@alibaba-inc.com>
(cherry picked from commit 05b85573a2)

Co-authored-by: Somefive <yd219913@alibaba-inc.com>

pkg/webhook/core.oam.dev/v1alpha2/application/mutating_handler.go

@@ -30,7 +30,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 	"github.com/oam-dev/kubevela/pkg/auth"
 	"github.com/oam-dev/kubevela/pkg/features"
@@ -52,7 +51,7 @@ func (h *MutatingHandler) Handle(ctx context.Context, req admission.Request) adm
 		return admission.Patched("")
 	}
 
-	if slices.Contains(req.UserInfo.Groups, common.Group) || slices.Contains(h.skipUsers, req.UserInfo.Username) {
+	if slices.Contains(h.skipUsers, req.UserInfo.Username) {
 		return admission.Patched("")
 	}
 
@@ -86,11 +85,9 @@ func (h *MutatingHandler) InjectDecoder(d *admission.Decoder) error {
 func RegisterMutatingHandler(mgr manager.Manager) {
 	server := mgr.GetWebhookServer()
 	handler := &MutatingHandler{}
-	if !utilfeature.DefaultMutableFeatureGate.Enabled(features.ControllerAutoImpersonation) {
-		if userInfo := utils.GetUserInfoFromConfig(mgr.GetConfig()); userInfo != nil {
-			klog.Infof("[ApplicationMutatingHandler] add skip user %s", userInfo.Username)
-			handler.skipUsers = []string{userInfo.Username}
-		}
+	if userInfo := utils.GetUserInfoFromConfig(mgr.GetConfig()); userInfo != nil {
+		klog.Infof("[ApplicationMutatingHandler] add skip user %s", userInfo.Username)
+		handler.skipUsers = []string{userInfo.Username}
 	}
 	server.Register("/mutating-core-oam-dev-v1beta1-applications", &webhook.Admission{Handler: handler})
 }

pkg/webhook/core.oam.dev/v1alpha2/application/mutating_handler_test.go

@@ -29,8 +29,8 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/features"
 	"github.com/oam-dev/kubevela/pkg/oam"
 )
@@ -40,7 +40,7 @@ var _ = Describe("Test Application Mutator", func() {
 	var mutatingHandler *MutatingHandler
 
 	BeforeEach(func() {
-		mutatingHandler = &MutatingHandler{}
+		mutatingHandler = &MutatingHandler{skipUsers: []string{types.VelaCoreName}}
 		Expect(mutatingHandler.InjectDecoder(decoder)).Should(BeNil())
 	})
 
@@ -55,7 +55,7 @@ var _ = Describe("Test Application Mutator", func() {
 		Expect(utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=true", features.AuthenticateApplication))).Should(Succeed())
 		resp := mutatingHandler.Handle(ctx, admission.Request{
 			AdmissionRequest: admissionv1.AdmissionRequest{
-				UserInfo: authv1.UserInfo{Groups: []string{common.Group}},
+				UserInfo: authv1.UserInfo{Username: types.VelaCoreName},
 			}})
 		Expect(resp.Allowed).Should(BeTrue())
 		Expect(resp.Patches).Should(BeNil())