fix: add missing helm hook annotations to test objects

Previously the test role and rolebinding were being installed
unconditionally. With this change they are only installed when running
helm test and then removed.

Having the role and rolebinding installed unconditionally would mean
that any serviceaccount (including the default) would be able to view
service objects in the lagoon-logging namespace. This is an unnecessary
elevation of privilege, but these service objects do not contain
anything sensitive.

charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml

@@ -3,6 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: service-reader
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["services"]
@@ -12,6 +15,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: read-services
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 subjects:
 - kind: Group
   name: system:serviceaccounts # all serviceaccounts
@@ -29,6 +35,7 @@ metadata:
     {{- include "lagoon-logging.logsDispatcher.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   containers:
   - name: kubectl

charts/lagoon-logging/templates/tests/test-connection.yaml

@@ -6,6 +6,7 @@ metadata:
     {{- include "lagoon-logging.logsDispatcher.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   containers:
   - name: nc