The Gatekeeper ConstraintTemplate and constraint objects are cluster scoped and will be embedded in the policy-templates array. Therefore, the template sync controller needs to support cluster scoped policy templates and handle a status update on ConstraintTemplate object creation.

See the following design section for more details:
https://github.com/open-cluster-management-io/enhancements/tree/main/enhancements/sig-policy/85-gatekeeper-policy-integration#template-sync-updates

This does not include the cleanup flow. This will be handled in ACM-3329.

AC:

• The template sync controller can create cluster scoped policy templates
• The template sync controller is able to delete cluster scoped policy templates. This logic will likely need to be specific to Gatekeeper ConstraintTemplate and constraint objects.
• When a Gatekeeper ConstraintTemplate is in the policy-templates array, a status event needs to be sent from the template sync controller since the ConstraintTemplate itself does not generate status. Only the constraints created from the CRD generated from the ConstraintTemplate generate a status.
• Also, ensure that there is not an infinite loop when the ConstraintTemplate has invalid rego in it.
• If Gatekeeper is not installed, the template sync controller should not create the ConstraintTemplate and constraints, but instead should send non-compliant status events to indicate that Gatekeeper should be installed. This is detailed in this section https://github.com/open-cluster-management-io/enhancements/tree/main/enhancements/sig-policy/85-gatekeeper-policy-integration#status-reporting.
• If a Gatekeeper template is removed from the policy, the template and constraints should also be removed from the managed cluster. See https://github.com/open-cluster-management-io/governance-policy-framework-addon/pull/28 for the equivalent policy cleanup.