fix: wire IRSA role to EBS CSI driver addon

The IRSA IAM role for the EBS CSI driver was created in #3166 but never
connected to the addon via service_account_role_arn. Without this, the
controller pods fall back to IMDS for credentials, which fails with
IMDSv2 (hop limit 1), causing CrashLoopBackOff.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: asmacdo

src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf

@@ -151,6 +151,7 @@ resource "aws_eks_addon" "aws-ebs-csi-driver" {
   # required for Kubernetes v1.23+ on AWS
   addon_name                  = "aws-ebs-csi-driver"
   cluster_name                = aws_eks_cluster.main.name
+  service_account_role_arn    = aws_iam_role.ebs_csi_driver.arn
   resolve_conflicts_on_create = "OVERWRITE"
   resolve_conflicts_on_update = "OVERWRITE"