Update controller RBAC permissions and documentation

[eguzki]

Description

Update the Developer Portal Controller's ServiceAccount ClusterRole with permissions required for the RBAC design.

Acceptance Criteria

• Update controller ServiceAccount ClusterRole with cluster-wide permissions:
  • apikeys (get, list, watch)
  • apikeys/status (update, patch)
  • apikeyapprovals (get, list, watch)
  • apikeyrequests (create, update, delete, get, list, watch)
  • apiproducts (get, list, watch)
• Add any additional APIKey permissions needed for chosen cleanup implementation
• Scope secrets permissions (create, update, delete, get, list) to kuadrant namespace only via RoleBinding
• Update controller README with RBAC requirements
• Document cleanup mechanism for cross-namespace APIKeyRequest resources
• Add validation that controller has required permissions at startup

Related

• Epic: RBAC system for developer portal capabilities kuadrant-console-plugin#353
• Design doc: docs/designs/2026-03-26-api-management-rbac-design.md