[#443] Modified Airflow worker permissions to enable ConfigMap creation

[float34]

Added appropriate permissions to Airflow worker so it will be able to create and save ConfigMaps.
This PR closes #443

[aliaksandr-d]

Ok to test

[legion-bot]

Can one of the admins verify this patch?

[legion-bot]

Build status: FAILURE

[kirillmakhonin]

ASK [aws_resources : Create Airflow Postgres RDS instance] ********************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Timeout waiting for RDS resource legion-ci-airflow-rds"}
	to retry, use: --limit @/var/lib/jenkins/workspace/Create_cluster/deploy/ansible/create-cluster.retry

[kirillmakhonin]

ok to test

[legion-bot]

Build status: FAILURE

[aliaksandr-d]

Downloading plugin: favorite-plugin from https://updates.jenkins.io/download/plugins/favorite-plugin/2.3.2/favorite-plugin.hpi

Failed to download plugin: favorite or favorite-plugin

[kirillmakhonin]

ok to test

[kirillmakhonin]

@aliaksandr-d @Torquerrr please check that with this RBAC rule configmaps from other namespaces are not accessable.

[kirillmakhonin]

@aliaksandr-d and please modify RBAC rule to allow operations only with required configmaps

[aliaksandr-d]

Need to rework role mapping. Please, add regular expression for a configmap and secrets names, check if other configmaps and secrets are unavailable, also please check the restrictions for configmaps in other namespaces.

[legion-bot]

Build status: FAILURE

[aliaksandr-d]

@kirillmakhonin
Looks like it's forbidden to use asterisk in resourceNames field in K8s Role.
Also rule in K8s Role doesn't support any labels selectors. We should specify an exact list of configmaps or secrets.
kubernetes/kubernetes#56582 (comment)
If you have another solution, please, let me know.

[aliaksandr-d]

ok to test

[legion-bot]

Build status: FAILURE

[aliaksandr-d]

ok to test

[legion-bot]

Build status: FAILURE

[legion-bot]

Build status: FAILURE

[akharlamov]

👍

[kirillmakhonin]

ok to test

[legion-bot]

Build status: FAILURE

[aliaksandr-d]

TASK [legion_enclave : Attach Airflow S3 accesse policy to the role] ***********
fatal: [localhost]: FAILED! => {"changed": true, "msg": "Rate exceeded"}
	to retry, use: --limit @/var/lib/jenkins/workspace/Deploy_Legion_Enclave/deploy/ansible/deploy-legion-enclave.retry

[aliaksandr-d]

ok to test

[legion-bot]

Build status: FAILURE

[aliaksandr-d]

Check EDI scale up procedure :: Try to scale up model through EDI ... 
2018-09-19 08:30:03,109 - INFO - Some hanging processes have been detected for failed test 'Check EDI scale up procedure'

2018-09-19 08:30:03,109 - INFO - Killing active process 'legionctl --verbose scale demo-abc-model 2 --edi https://edi-company-a.legion-ci.epm.kharlamov.biz --user admin --password admin' for test 'Check EDI scale up procedure' because of 'Test timeout 6 minutes exceeded.'

2018-09-19 08:30:03,109 - DEBUG - Killing process #10362

2018-09-19 08:30:13,110 - ERROR - Cannot gather process #10362 logs: ExecutionTimeoutException()
/var/lib/jenkins/workspace/Deploy_Legion_Release/.venv/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/var/lib/jenkins/workspace/Deploy_Legion_Release/.venv/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
[ ERROR ] Cannot gather process #10362 logs: ExecutionTimeoutException()
| FAIL |
Test timeout 6 minutes exceeded.

[aliaksandr-d]

ok to test

[legion-bot]

Build status: SUCCESS