ansible: Add service account for host-provisioner

The _k8s-worker_ Ansible role in the configuration policy now uses the
Kubernetes API to create bootstrap tokens for adding worker nodes to the
cluster.  For this to work, the pod running the host-provisioner must be
associated with a service account that has the correct permissions to
create secrets and access the `cluster-info` ConfigMap.

ansible/kustomization.yaml

@@ -1,6 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+transformers:
+- |
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: namespace-transformer
+    namespace: ansible
+  unsetOnly: true
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true
+
 labels:
 - pairs:
     app.kubernetes.io/instance: ansible
@@ -9,8 +22,6 @@ labels:
 - pairs:
     app.kubernetes.io/part-of: ansible
 
-namespace: ansible
-
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys