chore: impersonate KGO RBACs with make _run

Makefile

@@ -498,19 +498,25 @@ _ensure-kong-system-namespace:
 	@kubectl create ns kong-system 2>/dev/null || true
 
 # Run a controller from your host.
-# TODO: In order not to rely on 'main' version of Gateway API CRDs address but
-# on the tag that is used in code (defined in go.mod) address this by solving
-# https://github.com/Kong/gateway-operator/pull/480.
 .PHONY: run
-run: webhook-certs-dir manifests generate install.all _ensure-kong-system-namespace
+run: webhook-certs-dir manifests generate install.all _ensure-kong-system-namespace install.rbacs
 	@$(MAKE) _run
 
+# Run a controller from your host and make it impersonate the controller-manager service account from kong-system namespace.
+.PHONY: run.with_impersonate
+run.with_impersonate: webhook-certs-dir manifests generate install.all _ensure-kong-system-namespace install.rbacs
+	@$(MAKE) _run.with-impersonate
+
+KUBECONFIG ?= $(HOME)/.kube/config
+
 # Run the operator without checking any preconditions, installing CRDs etc.
 # This is mostly useful when 'run' was run at least once on a server and CRDs, RBACs
 # etc didn't change in between the runs.
 .PHONY: _run
 _run:
-	GATEWAY_OPERATOR_DEVELOPMENT_MODE=true go run ./cmd/main.go \
+	KUBECONFIG=$(KUBECONFIG) \
+		GATEWAY_OPERATOR_DEVELOPMENT_MODE=true \
+		go run ./cmd/main.go \
 		--no-leader-election \
 		-cluster-ca-secret-namespace kong-system \
 		-enable-controller-kongplugininstallation \
@@ -520,6 +526,21 @@ _run:
 		-zap-log-level 2 \
 		-zap-devel true
 
+# Run the operator locally with impersonation of controller-manager service account from kong-system namespace.
+# The operator will use a temporary kubeconfig file and impersonate the real RBACs.
+.PHONY: _run.with-impersonate
+_run.with-impersonate:
+	@$(eval TMP := $(shell mktemp -d))
+	@$(eval TMP_KUBECONFIG := $(TMP)/kubeconfig)
+	[ ! -z "$(KUBECONFIG)" ] || exit 1
+	cp $(KUBECONFIG) $(TMP_KUBECONFIG)
+	@$(eval TMP_TOKEN := $(shell kubectl create token --namespace=kong-system controller-manager))
+	@$(eval CLUSTER := $(shell kubectl config get-contexts | grep '^\*' | tr -s ' ' | cut -d ' ' -f 3))
+	KUBECONFIG=$(TMP_KUBECONFIG) kubectl config set-credentials kgo --token=$(TMP_TOKEN)
+	KUBECONFIG=$(TMP_KUBECONFIG) kubectl config set-context kgo --cluster=$(CLUSTER) --user=kgo --namespace=kong-system
+	KUBECONFIG=$(TMP_KUBECONFIG) kubectl config use-context kgo
+	bash -c "trap 'echo deleting temporary kubeconfig $(TMP); rm -rf $(TMP)' EXIT; $(MAKE) _run KUBECONFIG=$(TMP_KUBECONFIG)"
+
 SKAFFOLD_RUN_PROFILE ?= dev
 
 .PHONY: _skaffold
@@ -569,6 +590,11 @@ KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH = $(shell go env GOPATH)/pkg/mod/$
 install.kubernetes-configuration-crds: kustomize
 	$(KUSTOMIZE) build $(KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH) | kubectl apply -f -
 
+# Install RBACs from config/rbac into the K8s cluster specified in ~/.kube/config.
+.PHONY: install.rbacs
+install.rbacs: kustomize
+	$(KUSTOMIZE) build config/rbac | kubectl apply -f -
+
 # Install standard and experimental CRDs into the K8s cluster specified in ~/.kube/config.
 .PHONY: install.all
 install.all: manifests kustomize install-gateway-api-crds install.kubernetes-configuration-crds