Precreate the openshift-gitops-cluster-admin-rolebinding CRB

This is to fix an issue on spokes. See
validatedpatterns/clustergroup-chart#103
for the full reasoning.

TLDR: we need to drop sync-waves in clustergroup from CRBs to avoid
an argo bug, but then without those the SA will never have the right
permissions to create another service account, so we precreate the
CRB via the acm-chart

Closes: validatedpatterns/clustergroup-chart#63

Author: mbaldessari

templates/policies/application-policies.yaml

@@ -29,6 +29,23 @@ spec:
             include:
               - default
           object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                apiVersion: rbac.authorization.k8s.io/v1
+                kind: ClusterRoleBinding
+                metadata:
+                  name: openshift-gitops-cluster-admin-rolebinding
+                roleRef:
+                  apiGroup: rbac.authorization.k8s.io
+                  kind: ClusterRole
+                  name: cluster-admin
+                subjects:
+                  - kind: ServiceAccount
+                    name: openshift-gitops-argocd-application-controller
+                    namespace: openshift-gitops
+                  - kind: ServiceAccount
+                    name: openshift-gitops-argocd-server
+                    namespace: openshift-gitops
             - complianceType: mustonlyhave
               objectDefinition:
                 apiVersion: argoproj.io/v1alpha1