Shared ServiceAccount across 4 workloads with cluster-wide secrets CRUD

[raballew]

Description

Multiple workloads share the same serviceAccount :

• controller
• router

For example the router does not need to write/read secrets,..

Suggested Fix

• Create separate ServiceAccounts: router-sa (zero RBAC)
• Add automountServiceAccountToken: false to routers

Consider any other necessary improvements to RBAC.

[ambient-code]

Fix Plan for #351

The issue is that the controller-manager ServiceAccount is shared across the controller and router workloads, giving the router full secrets CRUD access (via the jumpstarter-manager-role ClusterRole) when it doesn't need it.

Changes

Helm chart (controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/):

1. rbac/service_account.yaml - Split into two ServiceAccounts: controller-manager (for the controller) and router-sa (for the router, with automountServiceAccountToken: false)
2. rbac/role_binding.yaml - Updated label to jumpstarter-controller (only the controller SA is bound to the ClusterRole)
3. rbac/leader_election_role.yaml / leader_election_role_binding.yaml - Updated labels to jumpstarter-controller
4. router-deployment.yaml - Uses router-sa with automountServiceAccountToken: false
5. additional-router-deployment.yaml - Same as above

Operator (controller/deploy/operator/):

1. internal/controller/jumpstarter/rbac.go - Added createRouterServiceAccount() that creates a dedicated {name}-router-sa with automountServiceAccountToken: false and zero RBAC bindings. Added reconciliation logic for the router SA.
2. internal/controller/jumpstarter/jumpstarter_controller.go - Updated createRouterDeployment() to use the router SA with automountServiceAccountToken: false

Result

• The controller keeps its existing RBAC (secrets CRUD, CRD access, leader election)
• The router gets a dedicated SA with no RBAC permissions and no auto-mounted token
• The secrets-job continues to use controller-manager SA (it needs secrets CRUD to create router/controller secrets)

[ambient-code]

Fix submitted in PR #433: #433