feat(argo-cd): add minimal RBAC option for server ClusterRole

[Maharshi-Mimo]

Add a new server.rbac.minimal configuration option that restricts argocd-server ClusterRole permissions to a minimal read-only set, removing delete and patch operations on wildcard resources.

Changes:

• Add server.rbac.minimal boolean flag (default: false) to values.yaml
• Update clusterrole.yaml template with conditional logic:
  • When minimal=false (default): uses existing permissions with delete/patch
  • When minimal=true: grants only get, list, watch verbs on wildcard resources
  • Custom rules (when enabled) take precedence over both modes
• Minimal mode removes the following dangerous permissions:
  • delete/* on wildcard resources
  • patch/* on wildcard resources
  • create on events (except pods/exec)
  • create on batch jobs
  • update/patch on applications/applicationsets

Enable with: --set server.rbac.minimal=true

This addresses security concerns by allowing operators to restrict the ArgoCD server's permissions to read-only access when appropriate.
closes #3594

Tested: Helm template rendering verified with both modes enabled and disabled.

Checklist:

• I have bumped the chart version according to versioning
• I have updated the documentation according to documentation
• I have updated the chart changelog with all the changes that come with this pull request according to changelog.
• Any new values are backwards compatible and/or have sensible default.
• I have signed off all my commits as required by DCO.
• I have created a separate pull request for each chart according to pull requests
• My build is green (troubleshooting builds).

[ebuildy]

minimal is not really explicit, what about "readOnly"?

Suggested change

	minimal: false
	readOnly: false

[mkilchhofer]

Hi @Maharshi-Mimo , Thanks for this PR and your contribution.

I don't think that this makes sense. We provide an option for users who want to harden the Argo CD deployment by using:

## Option 1: Cluster Role rules overrides 

server:
  clusterRoleRules:
    rules:
      - # your custom RBAC rules, depending on your use case

controller:
  clusterRoleRules:
    rules:
      - # your custom RBAC rules, depending on your use case

or:

## Option 2: Role rules overrides (for namespaced installations)

controller:
  roleRules:
    - # your custom RBAC rules, depending on your use case

There is no generic "minimal" setup for everyone with hardening intents in my opinion since the access depends on what the user of our Helm chart wants to manage with Argo CD.

Does that make sense?

---

Another thing I want to bring up: you clicked every checkbox of the contribution template and clearly not follow what you checked. E.g.

• I have created a separate pull request for each chart according to pull requests
• My build is green (troubleshooting builds).

Since you made non-functional changes across all Helm charts, you involved all maintainers for all charts. For the next time, please follow the task checkboxes since our review capacity is limited. 🙏