Remove Helm conditionals from generated ClusterRole

The ClusterRole is generated by controller-gen and CI verifies it
matches. Helm conditionals cannot be used in generated files.

The operator code guards are the enforcement mechanism — the
ClusterRole permissions are a ceiling, not a guarantee. The registry-api
ClusterRole/ClusterRoleBinding (hand-managed) retain their conditionals.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: JAORMX

deploy/charts/operator/templates/clusterrole/role.yaml

@@ -10,6 +10,7 @@ rules:
   - configmaps
   - persistentvolumeclaims
   - secrets
+  - serviceaccounts
   - services
   verbs:
   - create
@@ -19,20 +20,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-  - watch
-{{- if not .Values.operator.rbac.disableWorkloadRBAC }}
-  - create
-  - delete
-  - patch
-  - update
-{{- end }}
 - apiGroups:
   - ""
   resources:
@@ -95,7 +82,6 @@ rules:
   - get
   - list
   - watch
-{{- if not .Values.operator.rbac.disableWorkloadRBAC }}
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -109,7 +95,6 @@ rules:
   - patch
   - update
   - watch
-{{- end }}
 - apiGroups:
   - toolhive.stacklok.dev
   resources: