fix(ci): grant ci-deployer Endpoints write (admin role excludes it)

The deploy failed creating the selectorless stalwart-http Service's
Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role
no longer grants write on legacy Endpoints. Explicit endpoints +
endpointslices rules on the ci-deployer role (already applied live);
manifest comment touch retriggers the infra apply.

infrastructure/production/fleet/apps/mail-autodiscovery.yaml

@@ -15,6 +15,9 @@
 #
 # Customer domains (autodiscover.<customer>.tld) need per-domain certs and an
 # automated Ingress/Certificate per verified domain — follow-up feature.
+#
+# NB: the ci-deployer Role carries explicit Endpoints write — the namespaced
+# 'admin' role stopped granting it (CVE-2021-25740 hardening).
 apiVersion: v1
 kind: Service
 metadata:

infrastructure/production/fleet/ci/ci-deployer.yaml

@@ -48,6 +48,15 @@ rules:
   - apiGroups: ["traefik.io"]
     resources: ["middlewares"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  # 'admin' stopped granting WRITE on legacy Endpoints (CVE-2021-25740
+  # hardening), but the selectorless stalwart-http Service needs its
+  # Endpoints applied by the pipeline. EndpointSlice included for parity.
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding