feat: Fine grained update delete RBAC w/ v3 gate

[fffinkel]

We would like to allow our engineers to use the rollback functionality while having auto-sync enabled, without granting them the ability to edit an application's sub-resource manifests. For compliance purposes, we can only deploy using a known set of manifests from a protected source, which is the git repo holding our manifests that engineers do not have access to.

Using the rollback functionality when auto-sync is enabled requires the user to disable auto-sync, which in turn requires update permissions on the application itself. We can allow this by doing the following:

p, my-user, applications, update, */*, allow

However, this will also allow engineers to edit application manifests. It follows that we would like to add a deny for the application's sub-resources, but as the RBAC documentation states, this deny is ignored.

This PR changes application resource RBAC to allow users to set separate update/delete permissions for the application itself, but still deny sub-resources. We can then do something like this:

p, my-user, applications, update, */*, allow
p, my-user, applications, update/*/Deployment/*, */*, deny

It introduces a breaking change to RBAC (see #19988), so it will have to wait until V3. To allow this functionality in V2, a config value (server.rbac.enablev3 in argocd-cm) was added that allows the user to opt in to this new behavior. I did my best to implement #19988 in the first commit, and then to add the config value gating in a following commit, so that the first commit can be cherry-picked or the second commit reverted when the V3 release is cut.

RBAC docs: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#fine-grained-permissions-for-updatedelete-action

Closes #20600

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

Attention: Patch coverage is 29.41176% with 12 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@2a497ef). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
util/settings/settings.go	0.00%	9 Missing ⚠️
server/application/application.go	62.50%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #20671   +/-   ##
=========================================
  Coverage          ?   55.23%           
=========================================
  Files             ?      337           
  Lines             ?    56960           
  Branches          ?        0           
=========================================
  Hits              ?    31463           
  Misses            ?    22818           
  Partials          ?     2679           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[andrii-korotkov-verkada]

I think instead of introducing a breaking change we should create a new mechanism for setting permissions for applications themselves only.

Maybe we introduce the new permission terms like update_self or delete_self.

I'd probably comment on the issue and continue the discussion there.