Cache [MKP] - Create ServiceAccount, Roles and RoleBindings before running the deployer

[Ark-kun]

The MKP postsubmit tests are flaky. I suspect that the reson for the failure is that at the time the deployer job starts, the deployer service account is not bound to the roles yet, so it has no permissions and fails to create any resources.
This commit uses Heml hooks to solve the issue.
See https://helm.sh/docs/topics/charts_hooks/ helm/helm#4884 https://github.com/helm/charts/blob/edecc9842d1a63758c3bd0fc13a5d019e079f656/stable/prometheus-operator/templates/prometheus-operator/admission-webhooks/job-patch/clusterrolebinding.yaml

P.S. In the future we should switch the deployer to Job. Helm has explicit support for running pre-install hooks and will automatically wait for the job to complete and then delete the job and the deployer resources (job, service account, roles, rolebindings) https://github.com/helm/charts/blob/edecc9842d1a63758c3bd0fc13a5d019e079f656/stable/prometheus-operator/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign rmgogogo
You can assign the PR to them by writing /assign @rmgogogo in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• manifests/gcp_marketplace/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubeflow-bot]

This change is 

[rmgogogo]

less knowledge on this useage. I'm wondering whether it can work. (MKP only use HELM as template engine). If this change can let the part of yaml be generated ahead, then it can help.

When you mean flaky, do you mean it sometimes pass but sometimes fail? After this PR, it always pass?

[rmgogogo]

FYI, I'm adding the MKP test to presubmit:
https://github.com/kubernetes/test-infra/pull/17124/files#
#3438

[Bobgy]

Why doesn't the deployment retry/restart when it fails?

[Ark-kun]

Why doesn't the deployment retry/restart when it fails?

Interesting question. It has restartPolicy: Always, so it should restart.

[rmgogogo]

is this one still required after #3422

[rmgogogo]

is this one still required after #3422

Kindly ping.

BTW, the Kustomize path also can't work.

[Ark-kun]

is this one still required after #3422

Are you sure you've liked to the correct PR?

[Ark-kun]

is this one still required

If the cache is deployed reliably (both MKP and standalone), then this is not needed.

[rmgogogo]

is this one still required

If the cache is deployed reliably (both MKP and standalone), then this is not needed.

Kustomize side is due to I tested it via customized-namespace but ClusterRoleBinding in ClusterScopedResource has namespace value.

MKP side, I didn't test it but this PR may can't help (I'm not 100% sure) as internally it didn't use HELM. Here let's keep this PR here for more test to see if necessary.

[Ark-kun]

Closing this experimental PR since the cache deployer seems to work fine as it is.
Also Marketplace might not use Helm and so might not understand these annotations.