Add ClusterRole for kvm-ha-service

  The kvm-ha-service requires direct access to the Hypervisor CRD to
  implement HA-driven self-enable and disable logic.

  Permissions granted:
  - get/list/watch/update on hypervisors: to read spec.highAvailability
    and set spec.maintenance=ha
  - get/update on hypervisors/status: to set the HypervisorDisabled
    status condition (Succeeded and ReadyEvicted reasons)

Author: PaulPickhardt

charts/openstack-hypervisor-operator/templates/ha-service-rbac.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "openstack-hypervisor-operator.fullname" . }}-ha-service-role
+  labels:
+  {{- include "openstack-hypervisor-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors/status
+  verbs:
+  - get
+  - update