Allow API Gateway controller to update k8s Deployments + Services

[nathancoleman]

The k8s client abstraction in consul-api-gateway expects to be able to create or update k8s Deployments and Services; however, the ClusterRole as defined today does not allow for updates to these resources. This prevents the Consul API Gateway controller from successfully installing a new gateway to the cluster.

Changes proposed in this PR:

• Modify ClusterRole to allow controller to update k8s Deployment
• Modify ClusterRole to allow controller to update k8s Service

How I've tested this PR:
Applied changes to deployment on GKE

How I expect reviewers to test this PR:
Follow the Learn tutorial for Consul API Gateway; however, the Consul Helm chart install needs to use the branch in this PR.

I believe the easiest way to do that is to check this branch out locally and $ helm install ... from there (replacing $ helm install --values consul/config.yaml consul hashicorp/consul --version "0.40.0" with the following):

# git checkout the branch from this PR locally
...
$ helm install --values consul/config.yaml consul <path/to>/consul-k8s/charts/consul

Checklist:

• Tests added
• CHANGELOG entry added

  HashiCorp engineers only, community PRs should not add a changelog entry.
  Entries should use present tense (e.g. Add support for...)

[andrewstucki]

Clarification that this does allow for new gateways to be deployed, but subsequent modifications to the gateway that affect the deployment/service configurations such as an annotation change on the gateway or listener port changes while the gateway has an associated service deployment should fail without these permission updates.

Aside from me commenting on the scope of this, LGTM. Also linking in the related PR for the source of the generated RBAC policy: hashicorp/consul-api-gateway#86

[ishustava]

LGTM. Would you mind also updating the Changelog?

[nickethier]

Thanks for catching this!