Project-scoped roles can currently only hold RBAC for the applications resource. So this change would break logs for anyone who relies on a Project-scoped role implicitly granting logs access via applications, get.
I know that this is not enabled by default in 2.x, but after upgrading to argo-helm 5.8.7, I had to explicitly add p, role:admin, logs, get, */*, allow for the admin user to re-enable the logs.
Shouldn't this be added also to the admin by default?
Project-scoped roles should support logs resource before this can be enabled by default IMO. It makes more sense to allow/deny logs within an application or project instead of globally. It also aligns with the principle of least privilege that is currently configurable in the Project resource.
Summary
In 2.4 we introduced new RBAC for logs. In 2.5, we should enable that enforcement by default as promised in the 2.3 -> 2.4 upgrade guide.
Motivation
We said we'd do it. :-)
Proposal
Set the flag to true by default, and add a note to the 2.4 -> 2.5 upgrade notes.
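An added example, not part of the issue or of Argo CD's own code: a pre-upgrade audit that lists subjects in a `policy.csv` that are allowed `applications, get` but have no matching `logs, get` rule, which are the subjects the comments above expect to lose log access once enforcement is on. The sample policy is constructed, the function names are hypothetical, and the script assumes glob matching; it does not resolve `g` role inheritance, deny rules, or the built-in policy.

```python
import fnmatch

# Constructed sample policy.csv, not taken from any real deployment.
SAMPLE_POLICY = """\
p, role:admin, applications, *, */*, allow
p, role:admin, logs, get, */*, allow
p, role:dev, applications, get, team-a/*, allow
p, role:dev, applications, sync, team-a/*, allow
p, role:ops, applications, get, */*, allow
p, role:ops, logs, get, team-b/*, allow
p, proj:team-a:viewer, applications, get, team-a/*, allow
g, alice, role:dev
"""

def parse_allow_rules(policy_text):
    """Yield (subject, resource, action, object) for every allow 'p' line."""
    for raw in policy_text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) == 6 and fields[0] == "p" and fields[5] == "allow":
            yield tuple(fields[1:5])

def grants(rules, subject, resource, action):
    """Object patterns for which `subject` is allowed `action` on `resource`."""
    return [obj for subj, res, act, obj in rules
            if subj == subject
            and fnmatch.fnmatchcase(resource, res)   # rule may use '*' as resource
            and fnmatch.fnmatchcase(action, act)]    # rule may use '*' as action

def subjects_losing_logs(policy_text):
    """Map subject -> application patterns with 'get' but no matching logs 'get'."""
    rules = list(parse_allow_rules(policy_text))
    findings = {}
    for subject in sorted({r[0] for r in rules}):
        app_objs = grants(rules, subject, "applications", "get")
        log_objs = grants(rules, subject, "logs", "get")
        # Approximation: an application pattern counts as covered when some
        # logs pattern glob-matches it as a string.
        uncovered = sorted({a for a in app_objs
                            if not any(fnmatch.fnmatchcase(a, l) for l in log_objs)})
        if uncovered:
            findings[subject] = uncovered
    return findings

if __name__ == "__main__":
    for subject, objs in subjects_losing_logs(SAMPLE_POLICY).items():
        print(f"{subject}: applications get without logs get on {objs}")
```

Subjects reported with a `proj:` prefix are project-scoped roles, which per the discussion above cannot currently hold a `logs` rule themselves.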