[helm] not enough permissions in gateway namespaced mode #8701

@nkarpin

Description:
When installing using the helm chart in gateway namespaced mode with a watch config, the certs configmap in the target namespace doesn't contain the ca.crt key and the envoy pods are stuck in ContainerCreating.

Repro steps:

  1. Install with values:
    deployment:
      envoyGateway:
        image:
          repository: docker.io/envoyproxy/gateway
          tag: v1.7.1
      config:
        envoyGateway:
          provider:
            type: Kubernetes
            kubernetes:
              deploy:
                type: GatewayNamespace
              watch:
                type: Namespaces
                namespaces:
                  - openstack
  2. Apply resources:
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: openstack
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyDaemonSet:
        patch:
          value:
            spec:
              template:
                spec:
                  nodeSelector:
                    kubernetes.io/os: linux
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
spec:
  gatewayClassName: eg
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: custom-proxy-config
  listeners:
  - allowedRoutes:
      namespaces:
        # or selector
        from: All
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-tls-proxy
      mode: Terminate
  3. Envoy proxy pods are stuck with the following:

Warning FailedMount 44s (x14 over 13m) kubelet MountVolume.SetUp failed for volume "certs" : configmap references non-existent config key: ca.crt

  4. In the envoy-gateway logs:

2026-04-08T14:26:27.582Z ERROR gateway-api runner/runner.go:285 errors detected during translation {"runner": "gateway-api", "trace_id": "8ed04bca595fe832d0e1964909f670a2", "span_id": "bc3fefe274a02192", "gateway-class": "eg", "error": "envoy TLS secret envoy-gateway-system/envoy not found"}

  5. Once the envoy-gateway-gateway-helm-infra-manager role in the envoy-gateway-system namespace is fixed by adding permission for secrets, the pods can start.

Environment:

gateway-helm chart version v1.7.1, envoy-gateway 1.7.1
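The workaround in step 5 amounts to one extra RBAC rule. Below is an added example of that rule, written here as an illustration and not taken from the issue or from the gateway-helm chart; it assumes the rule is merged into the chart-managed Role named in the issue (the chart's own rules are elided) and that `envoy` is the TLS secret named in the translation error.

```yaml
# Added example, not part of the issue or the gateway-helm chart.
# Minimal read-only grant on secrets in the controller namespace, so the
# infra manager can read the envoy TLS secret it needs to populate the
# certs in the gateway namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: envoy-gateway-gateway-helm-infra-manager   # role named in the issue
  namespace: envoy-gateway-system
rules:
  # ... the chart's existing rules stay in place, this rule is appended ...
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]   # read only; no create/update/delete
    # Tightening further with resourceNames: ["envoy"] only works if the
    # controller fetches the secret with direct get calls. An informer-backed
    # client lists/watches the whole collection, and the API server denies
    # list/watch under a resourceNames restriction unless the request carries
    # a metadata.name field selector.

# Hypothetical check, after applying the rule (the service account name is a
# placeholder; take it from the chart's ServiceAccount):
#   kubectl auth can-i get secrets -n envoy-gateway-system \
#     --as=system:serviceaccount:envoy-gateway-system:<infra-manager-sa>
```

Because Helm owns this Role, a hand-edited rule is overwritten on the next `helm upgrade`, so the durable fix belongs in the chart's template for gateway namespaced mode.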
