fix(api-server)!: when normalizing roles, make wildcard verb for stages include promote

[krancour]

Related to #2864

When creating/updating "Kargo Roles," which are an abstraction over a ServiceAccount/Role/RoleBinding trio, policy rules are normalized when read from or written to the underlying Role. Among other things, this normalization includes expansion of the verb * to create, delete, deletecollection, get, list, patch, update, watch.

Stages have an additional, custom promote verb that is unaccounted for.

The result is that when, the * verb is used in defining policy rules involving non-Stage resource types, the * correctly expands to all the verbs supported by those resource types, but when using the * verb in defining policy rules involving the Stage resource type, the expanded verbs lack the important custom promote verb.

This PR special cases expansion of the * verb when the resource type in the policy rule is stages, but only does so for verbs that are being added/removed. When normalizing existing rules, whether simply for retrieval/display or in preparation to be modified, expansion of * does not include the custom promote verb because Kubernetes itself does not interpret a * verb in a Role's policy rules as including any custom verbs.

This is breaking only insofar as it expands the meaning of * in relation to creating/updating "Kargo Roles" going forward. This has no effect on anything existing.

[netlify]

✅ Deploy Preview for docs-kargo-io canceled.

Name	Link
🔨 Latest commit	fcc0075
🔍 Latest deploy log	https://app.netlify.com/sites/docs-kargo-io/deploys/67225412e050d1000836d8a7