Refine the permissions granted to sylva-units HelmReleases

The operator configures the sylva-units HelmRelease with a serviceAccount that was introduced in !337 (merged).

But we've observed in sylva-projects/sylva-core!4101 (comment 2754374767) that this service account had insufficient permissions to run the workload clusters delete hook.

As noted, we should not be restrictive on the objects that can be looked up by the HelmRelease, since various lookups may be added to the chart.

Ideally, we should use Role instead of ClusterRole, since the sylva-units HelmRelease is not expected to produce and look up objects outside of its own namespace (except for the management-cluster HelmRelease, which may perform lookups in other namespaces).

There is also an issue with the cluster-scoped security resources that are currently produced: since the ClusterRole and ClusterRoleBinding have a constant name, all SylvaUnitsReleases will compete to manage the same ClusterRole and ClusterRoleBinding. Consequently, the subject could be overwritten, and these resources may be deleted when a sylvaUnitsRelease is deleted while they are still needed by other ones...

As there are many issues around this feature, and in order to unblock sylva-projects/sylva-core!4101 (merged), I propose to revert it before re-introducing it without these limitations.
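The contention described above can be checked mechanically. The following is an added illustration, not code from the operator or from sylva-core: it models each release's RBAC objects as plain dicts and compares constant-name cluster-scoped objects with namespaced ones. The object name `sylva-units`, the namespaces `cluster-a` and `cluster-b`, and the last-writer-wins apply model are assumptions.

```python
# Added illustration: a simplified model, not the operator's code.
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding"}

def object_key(m):
    """API identity: cluster-scoped kinds have no namespace, so the name is everything."""
    ns = None if m["kind"] in CLUSTER_SCOPED else m["metadata"].get("namespace")
    return (m["kind"], ns, m["metadata"]["name"])

def rbac_for(namespace, cluster_scoped):
    """Constructed RBAC for one release; the name "sylva-units" is hypothetical."""
    prefix = "Cluster" if cluster_scoped else ""
    meta = {"name": "sylva-units"}
    if not cluster_scoped:
        meta["namespace"] = namespace
    subject = {"kind": "ServiceAccount", "name": "sylva-units", "namespace": namespace}
    return [
        {"kind": prefix + "Role", "metadata": dict(meta)},
        {"kind": prefix + "RoleBinding", "metadata": dict(meta), "subjects": [subject]},
    ]

def find_contended(releases):
    """Object keys rendered by more than one release, with their competing owners."""
    owners = {}
    for release, manifests in releases.items():
        for m in manifests:
            owners.setdefault(object_key(m), []).append(release)
    return {k: v for k, v in owners.items() if len(v) > 1}

def apply_all(releases):
    """Last writer wins: a later release overwrites the object, subjects included."""
    return {object_key(m): m for ms in releases.values() for m in ms}

def delete_release(state, manifests):
    """Deleting a release removes every object it rendered, shared or not."""
    gone = {object_key(m) for m in manifests}
    return {k: v for k, v in state.items() if k not in gone}

if __name__ == "__main__":
    for scoped in (True, False):
        rel = {ns: rbac_for(ns, scoped) for ns in ("cluster-a", "cluster-b")}
        left = delete_release(apply_all(rel), rel["cluster-a"])
        print("cluster-scoped" if scoped else "namespaced",
              "contended:", sorted(find_contended(rel)), "left after delete:", sorted(left))
```

With cluster-scoped objects, both releases claim the same two keys, the binding ends up pointing only at the last release's service account, and deleting one release leaves the other with no RBAC at all. With namespaced objects, nothing is shared and the surviving release keeps its Role and RoleBinding.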
