simplify PromotionPolicies and validating webhook for Promotions

[krancour]

This PR transitions us to using pure RBAC to determine who may promote to a given Environment.

Previously, this was based on PromotionPolicy resources and custom authorization logic in the validating webhook for Promotion resources. The webhook would evaluate policies and determine whether the subject in question was permitted to create a Promotion for the Environment it references.

The PromotionPolicy type largely goes away now (but not entirely -- more on this in a moment). The webhook replaces its old logic with a SubjectAccessReview request.

The following Role demonstrates how this works. Anyone bound to it may promote to Environments "test" and "stage" in the demo namespace, but may not promote to Environment prod.

Also note the use of a custom verb -- promote. Custom verbs for RBAC are explained nicely here.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nonprod-promoter
  namespace: demo
rules:
- apiGroups:
  - kargo.akuity.io
  resources:
  - promotions
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - kargo.akuity.io
  resources:
  - environments
  resourceNames:
  - test
  - stage
  verbs:
  - promote

After this PR, the role of PromotionPolicy is reduced to only specifying whether auto-promotion is permitted or not. A future PR may rename it to AutoPromotionPolicy.

Note to any contributors who use steps in the quickstart to validate changes they are working on: This PR breaks the docs for you, but the docs are still correct for the latest releases.

I will fix the docs in a follow-up PR after these changes make it into a release.

cc @gdsoumya and @jessesuen (Thanks for the assistance on this, Jesse.)

[netlify]

✅ Deploy Preview for docs-kargo-akuity-io canceled.

Name	Link
🔨 Latest commit	7f90877
🔍 Latest deploy log	https://app.netlify.com/sites/docs-kargo-akuity-io/deploys/649d99222f495f00083701c6

[codecov]

Codecov Report

Merging #450 (7f90877) into main (15f274a) will decrease coverage by 1.18%.
The diff coverage is 90.00%.

@@            Coverage Diff             @@
##             main     #450      +/-   ##
==========================================
- Coverage   52.22%   51.04%   -1.18%     
==========================================
  Files          46       46              
  Lines        4366     4194     -172     
==========================================
- Hits         2280     2141     -139     
+ Misses       1993     1960      -33     
  Partials       93       93              

Impacted Files	Coverage Δ
api/v1alpha1/zz_generated.deepcopy.go	1.09% <ø> (+0.02%)	⬆️
internal/webhooks/promotions/webhooks.go	90.98% <90.00%> (+1.69%)	⬆️

[gdsoumya]

Looks good one small comment, I think we can take that up in a different PR if a change is required.

[gdsoumya]

Is this needed?