
fix(helm): add RBAC conditional toggles for controller and gateway ClusterRole resources #3750

Open
lexburner wants to merge 2 commits into higress-group:main from lexburner:fix/helm-controller-rbac-toggle

Conversation

@lexburner
Collaborator

Ⅰ. Describe what this PR did

Fix the issue where controller.rbac.create was defined in values.yaml but not referenced in any controller RBAC templates, and add fine-grained RBAC toggle support for both controller and gateway components.

Changes:

  1. controller ClusterRole/ClusterRoleBinding: Add {{- if .Values.controller.rbac.create }} conditional to controller-clusterrole.yaml and controller-clusterrolebinding.yaml, so that controller.rbac.create (which already existed in values.yaml but was never used) now actually controls whether these cluster-level resources are created.

  2. controller Role/RoleBinding: Keep these unconditionally created (removed any conditional), since namespace admins always have permission to manage namespace-scoped RBAC resources.

  3. gateway ClusterRole/ClusterRoleBinding: Add a new gateway.rbac.create toggle (default true) alongside the existing gateway.rbac.enabled. The enabled flag controls whether the RBAC resources are functionally needed (not needed for Gateway API), while create controls whether the cluster-level resources should be created by Helm (set to false when pre-provisioned by a cluster admin).

  4. Documentation: Update both README.md and README.zh.md with accurate descriptions for all RBAC toggles.

All changes are backward compatible — default values preserve existing behavior.

Ⅱ. Does this pull request fix one issue?

fixes #3749

Ⅲ. Why don't you add test cases (unit test/integration test)?

This change only modifies Helm templates and documentation. The conditional logic uses standard Helm {{- if }} directives with boolean values, which can be verified by helm template rendering.

Ⅳ. Describe how to verify it

  1. helm template with default values — output should be identical to before (all RBAC resources created)
  2. helm template --set controller.rbac.create=false — controller ClusterRole and ClusterRoleBinding should be absent
  3. helm template --set gateway.rbac.create=false — gateway ClusterRole and ClusterRoleBinding should be absent, while gateway Role and RoleBinding remain (if gateway.rbac.enabled=true)

Ⅴ. Special notes for reviews

  • controller.rbac.create already existed in values.yaml but was never referenced in templates — this was the original bug
  • The separation of gateway.rbac.enabled (functional need) vs gateway.rbac.create (permission to create cluster-level resources) addresses two distinct concerns

Ⅵ. AI Coding Tool Usage Checklist (if applicable)

  • For regular updates/changes (not new plugins):
    • I have provided the prompts/instructions I gave to the AI Coding tool below
    • I have included the AI Coding summary below

AI Coding Prompts (for regular updates)

  • Investigated why controller.rbac.create in values.yaml was not referenced in controller RBAC templates
  • Analyzed the difference between namespace-scoped and cluster-scoped RBAC resources and their permission requirements
  • Added conditional toggles and updated documentation

AI Coding Summary

  • Fixed unused controller.rbac.create toggle by adding conditionals to ClusterRole/ClusterRoleBinding templates
  • Removed unnecessary conditionals from namespace-scoped Role/RoleBinding (namespace admin always has permission)
  • Added gateway.rbac.create to separate functional need from deployment permission concerns
  • Updated English and Chinese documentation
  • All changes are backward compatible with default values
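The conditional toggles listed under "Changes" and the three `helm template` checks under "Describe how to verify it", re-created as an added example that is not code from this PR or from the Higress chart. Helm renders charts with Go's text/template, so the same `{{- if .Values.controller.rbac.create }}` directive can be rendered offline against constructed values and the resulting `kind:` lines inspected the way the verification steps describe. The manifests are constructed stand-ins that keep only kind, metadata and rules (the rule lists are assumptions), the release name `higress` and namespace `higress-system` are placeholders, and nesting `gateway.rbac.create` inside `gateway.rbac.enabled` is this example's reading of the PR text rather than the chart's literal template.

```go
package main

import (
	"bytes"
	"strings"
	"text/template"
)

// Constructed stand-in for controller-clusterrole.yaml + controller-clusterrolebinding.yaml
// (cluster-scoped, gated on controller.rbac.create) followed by the namespace-scoped
// Role, which the PR renders unconditionally. Rule lists are assumptions.
const controllerTmpl = `{{- if .Values.controller.rbac.create }}
kind: ClusterRole
metadata: {name: {{ .Release.Name }}-controller}
rules: [{apiGroups: [""], resources: ["services"], verbs: ["get", "list", "watch"]}]
---
kind: ClusterRoleBinding
metadata: {name: {{ .Release.Name }}-controller}
roleRef: {kind: ClusterRole, name: {{ .Release.Name }}-controller}
subjects: [{kind: ServiceAccount, name: {{ .Release.Name }}-controller, namespace: {{ .Release.Namespace }} }]
---
{{- end }}
kind: Role
metadata: {name: {{ .Release.Name }}-controller, namespace: {{ .Release.Namespace }} }
rules: [{apiGroups: [""], resources: ["configmaps"], verbs: ["get", "list", "watch"]}]
`

// Gateway stand-in: gateway.rbac.enabled gates all of it, gateway.rbac.create
// only the cluster-level pair (this nesting is an assumption from the PR text).
const gatewayTmpl = `{{- if .Values.gateway.rbac.enabled }}
{{- if .Values.gateway.rbac.create }}
kind: ClusterRole
metadata: {name: {{ .Release.Name }}-gateway}
rules: [{apiGroups: [""], resources: ["secrets"], verbs: ["get", "list", "watch"]}]
---
kind: ClusterRoleBinding
metadata: {name: {{ .Release.Name }}-gateway}
roleRef: {kind: ClusterRole, name: {{ .Release.Name }}-gateway}
subjects: [{kind: ServiceAccount, name: {{ .Release.Name }}-gateway, namespace: {{ .Release.Namespace }} }]
---
{{- end }}
kind: Role
metadata: {name: {{ .Release.Name }}-gateway, namespace: {{ .Release.Namespace }} }
rules: [{apiGroups: [""], resources: ["configmaps"], verbs: ["get", "list", "watch"]}]
{{- end }}
`

// RenderAll renders both components with the given toggles (the equivalent
// of `helm template --set ...`) and returns every "Kind/name" produced,
// which is what the PR's verification steps inspect by hand.
func RenderAll(controllerCreate, gatewayEnabled, gatewayCreate bool) ([]string, error) {
	data := map[string]interface{}{
		"Release": map[string]interface{}{"Name": "higress", "Namespace": "higress-system"},
		"Values": map[string]interface{}{
			"controller": map[string]interface{}{"rbac": map[string]interface{}{"create": controllerCreate}},
			"gateway":    map[string]interface{}{"rbac": map[string]interface{}{"enabled": gatewayEnabled, "create": gatewayCreate}},
		},
	}
	var ids []string
	for _, src := range []string{controllerTmpl, gatewayTmpl} {
		t, err := template.New("rbac").Parse(src)
		if err != nil {
			return nil, err
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, data); err != nil {
			return nil, err
		}
		ids = append(ids, resourceIDs(buf.String())...)
	}
	return ids, nil
}

// resourceIDs lists "Kind/name" per document of a rendered stream; only
// column-0 "kind:" lines count, so roleRef.kind and subjects[].kind are skipped.
func resourceIDs(rendered string) []string {
	var ids []string
	for _, doc := range strings.Split(rendered, "\n---\n") {
		var kind, name string
		for _, line := range strings.Split(doc, "\n") {
			if strings.HasPrefix(line, "kind: ") {
				kind = strings.TrimPrefix(line, "kind: ")
			} else if strings.HasPrefix(line, "metadata: {name: ") {
				name = strings.TrimPrefix(line, "metadata: {name: ")
				name = strings.TrimRight(strings.SplitN(name, ",", 2)[0], "}")
			}
		}
		if kind != "" {
			ids = append(ids, kind+"/"+name)
		}
	}
	return ids
}
```

`RenderAll(true, true, true)` is the default-values case and yields all six resources; `RenderAll(false, true, true)` corresponds to `--set controller.rbac.create=false` and drops only the controller ClusterRole and ClusterRoleBinding while the namespace-scoped Role stays; `RenderAll(true, true, false)` corresponds to `--set gateway.rbac.create=false` and keeps the gateway Role because `gateway.rbac.enabled` is still true. The same before/after comparison of `kind:` lines is what a reviewer would do against the real chart's `helm template` output.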

…usterRole resources

- Add controller.rbac.create toggle to control ClusterRole/ClusterRoleBinding creation
- Add gateway.rbac.create toggle to independently control gateway cluster-level RBAC
- Separate functional toggle (gateway.rbac.enabled) from permission toggle (gateway.rbac.create)
- Update English and Chinese documentation in README.md and README.zh.md
- All changes are backward compatible with default values preserving existing behavior
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.


…EADME generation

- Add '# --' comment to controller.rbac.create in values.yaml for helm-docs
- Regenerate README.md using helm-docs v1.14.2 to match CI expectations
Development

Successfully merging this pull request may close these issues.

Helm: controller RBAC templates ignore controller.rbac.create toggle & gateway missing cluster-level RBAC toggle
