Update openshift role to use namespace-local roles

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/openshift/project/templates/appowners.yml

@@ -5,6 +5,10 @@ metadata:
   name: appowners
 roleRef:
   name: appowner
+{% if env == "staging" %}
+  # See note in role-appowners.yml
+  namespace: "{{app}}"
+{% endif %}
 userNames:
 {% for owner in appowners %}
 - {{ owner }}

roles/openshift/project/templates/role-appowners.yml

@@ -1,11 +1,16 @@
 apiVersion: v1
+{% if env == "staging" %}
+kind: Role
+{% else %}
 # Namespace-local roles did not work until openshift 3.6
 # https://github.com/openshift/origin/issues/14078
 kind: ClusterRole
+{% endif %}
 metadata:
   annotations:
     openshift.io/description: An application owner. Can view everything but ConfigMaps.
   name: appowner
+  namespace: "{{ app }}"
 rules:
 - apiGroups:
   - ""