kyverno: codify aggregated ClusterRole for keel mutate-existing

The previous commit (bc714755) added mutateExistingOnPolicyUpdate=true
to the inject-keel-annotations ClusterPolicy but Kyverno's validate
webhook rejected it: the background-controller SA needs update/patch
on apps/v1 Deployment/StatefulSet/DaemonSet.

Created live via kubectl + now in TF so the next apply is idempotent.
The ClusterRole aggregates into kyverno:background-controller via the
rbac.kyverno.io/aggregate-to-background-controller label.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/kyverno/modules/kyverno/keel-annotations.tf

@@ -124,3 +124,23 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
   }
   depends_on = [helm_release.kyverno]
 }
+
+# Grant the Kyverno background-controller SA permission to mutate
+# Deployments / StatefulSets / DaemonSets — required for the policy
+# above (mutateExistingOnPolicyUpdate=true + mutate.targets). Kyverno's
+# `kyverno:background-controller` ClusterRole aggregates roles labeled
+# `rbac.kyverno.io/aggregate-to-background-controller: "true"`.
+resource "kubernetes_cluster_role" "keel_mutate_existing" {
+  metadata {
+    name = "kyverno:background-controller:keel-mutate-existing"
+    labels = {
+      "rbac.kyverno.io/aggregate-to-background-controller" = "true"
+    }
+  }
+  rule {
+    api_groups = ["apps"]
+    resources  = ["deployments", "statefulsets", "daemonsets"]
+    verbs      = ["get", "list", "watch", "update", "patch"]
+  }
+  depends_on = [helm_release.kyverno]
+}