refactor: remove forced Knative rollout on ACL provisioning

Sites pick up credentials on their next natural deploy — no need to
force a new Revision immediately. This avoids unnecessary pod restarts
across all sites during bootstrap.

Also reduces Knative Services RBAC to read-only since update/patch
are no longer needed.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: decobot

chart/templates/clusterrole-operator-manager-role.yaml

@@ -75,6 +75,4 @@ rules:
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch

config/rbac/role.yaml

@@ -76,6 +76,4 @@ rules:
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch

internal/controller/namespace_controller.go

@@ -53,7 +53,7 @@ const (
 
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create
-// +kubebuilder:rbac:groups=serving.knative.dev,resources=services,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=serving.knative.dev,resources=services,verbs=get;list;watch
 
 // DefaultResyncPeriod is the default interval at which the reconciler re-syncs
 // ACL users to all Valkey nodes even when nothing changed. Configurable via
@@ -291,11 +291,6 @@ func (r *NamespaceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		valkeyTenantsProvisioned.Inc()
 		log.Info("Valkey ACL provisioned", "user", siteName, "namespace", ns.Name)
 
-		// Trigger a new Knative Revision so running pods pick up the new Secret.
-		if patchErr := r.patchKnativeServiceTimestamp(ctx, ns.Name); patchErr != nil {
-			log.Error(patchErr, "Failed to patch Knative Service (non-fatal)")
-		}
-
 	case err != nil:
 		return ctrl.Result{}, fmt.Errorf("get secret: %w", err)