fix(manifests): add GRPC_SERVICE_ACCOUNT to api-server template

The gRPC interceptor needs to know the control-plane's OIDC client ID
to tag it as a service caller. Without this, gRPC watch streams
authenticate the JWT but don't grant service-caller privileges, so
session/project events are silently filtered out.

Read from the same ambient-control-plane-oidc secret to stay in sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jsell-rh

components/manifests/templates/template-services.yaml

@@ -202,6 +202,11 @@ objects:
             env:
               - name: AMBIENT_ENV
                 value: production
+              - name: GRPC_SERVICE_ACCOUNT
+                valueFrom:
+                  secretKeyRef:
+                    name: ambient-control-plane-oidc
+                    key: client-id
               - name: CREDENTIAL_ENCRYPTION_KEYRING
                 valueFrom:
                   secretKeyRef: