fix: helm secrets rbac for gateway namespace with watch list of namespaces (envoyproxy#8706)

cnvergence · rudrakhp · cnvergence · commit 60c3cf4754c6 · 2026-04-16T10:09:00.000+02:00
* fix: helm secrets rbac for gateway namespace with watch list of namespaces Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * review update Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit c48a346)
diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl
@@ -263,6 +263,17 @@ verbs:
   - watch
 {{- end }}
 
+{{- define "eg.rbac.controllernamespace.secrets.read" -}}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
+
 {{- define "eg.rbac.infra.tokenreview" -}}
 - apiGroups:
   - authentication.k8s.io
diff --git a/charts/gateway-helm/templates/infra-manager-rbac.yaml b/charts/gateway-helm/templates/infra-manager-rbac.yaml
@@ -42,6 +42,9 @@ metadata:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
 {{ include "eg.rbac.infra.basic" . }}
+{{ if and (.Values.config.envoyGateway.provider.kubernetes) (.Values.config.envoyGateway.provider.kubernetes.watch) (.Values.config.envoyGateway.provider.kubernetes.deploy) (eq .Values.config.envoyGateway.provider.kubernetes.deploy.type "GatewayNamespace") (.Values.config.envoyGateway.provider.kubernetes.watch.namespaces) (gt (len .Values.config.envoyGateway.provider.kubernetes.watch.namespaces) 0) }}
+{{ include "eg.rbac.controllernamespace.secrets.read" . }}
+{{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -29,6 +29,7 @@ bug fixes: |
   BackendTLSPolicy was ignored when configuring TLS for telemetry backends (access logs, tracing, metrics).
   Fixed client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy `extAuth`/`jwt`/`oidc` Backend
   Fixed xRoute status condition when route has mirror filter and the mirror backend has no endpoints.
+  Fixed gateway-helm RBAC in GatewayNamespace mode with explicit `watch.namespaces` list by adding controller-namespace secret read permissions to infra-manager.
 
 # Enhancements that improve performance.
 performance improvements: |
diff --git a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml
@@ -438,6 +438,15 @@ rules:
   - list
   - get
   - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 ---
 # Source: gateway-helm/templates/leader-election-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
