feat: Fine grained update delete RBAC w/ v3 gate

[fffinkel]

We would like to allow our engineers to use the rollback functionality while having auto-sync enabled, without granting them the ability to edit an application's sub-resource manifests. For compliance purposes, we can only deploy using a known set of manifests from a protected source, which is the git repo holding our manifests that engineers do not have access to.

Using the rollback functionality when auto-sync is enabled requires the user to disable auto-sync, which in turn requires update permissions on the application itself. We can allow this by doing the following:

p, my-user, applications, update, */*, allow

However, this will also allow engineers to edit application manifests. It follows that we would like to add a deny for the application's sub-resources, but as the RBAC documentation states, this deny is ignored.

This PR changes application resource RBAC to allow users to set separate update/delete permissions for the application itself, but still deny sub-resources. We can then do something like this:

p, my-user, applications, update, */*, allow
p, my-user, applications, update/*/Deployment/*, deny

It introduces a breaking change to RBAC (see argoproj#19988), so it will have to wait until V3. To allow this functionality in V2, a config value (server.rbac.enablev3 in argocd-cm) was added that allows the user to opt in to this new behavior.

RBAC docs: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#fine-grained-permissions-for-updatedelete-action

Also of note: I did my best to implement argoproj#19988 in the first comment, and then to add the config value gating in a following commit, so that the first commit can be cherry-picked or the second commit reverted when the V3 release is cut.

Closes argoproj#20600

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[sudovinh]

Changes look good overall! I’ve left a few non-blocking comments on minor items like typos and a suggestion to update an error message. Nice work!