feat(helm): support namespaced RBAC in charts (#1549)

Close #1546 

- Adds a helm value to configure whether to use cluster scoped or
namespaced RBAC for getter and writer roles
- Render controller roles to `Role/RoleBinding` or
`ClusterRole/ClusterRoleBinding` conditionally
- Updated helm unit tests, tested manually by impersonating the service
accounts
- Limitation: When controller is not using cluster scoped role, either
manually set `controller.watchNamespaces` or it is defaulted to the
namespace accessible by the role.

---------

Signed-off-by: Jet Chiang <pokyuen.jetchiang-ext@solo.io>

Author: supreme-gg-gg

.github/workflows/ci.yaml

@@ -102,6 +102,29 @@ jobs:
           # no need to run e2e tests with race, as this will just apply to the test code.
           # all objects created in e2e tests have a generated name, so they can run in parallel safely.
           go test -v github.com/kagent-dev/kagent/go/core/test/e2e -failfast -shuffle=on
+
+      - name: Run namespace-scoped e2e tests
+        if: success()
+        env:
+          OPENAI_API_KEY: fake
+          KAGENT_HELM_EXTRA_ARGS: >-
+            --set rbac.clusterScoped=false
+            --set 'rbac.namespaces={kagent}'
+        run: |
+          # Upgrade helm to use namespace-scoped RBAC
+          make helm-install-provider
+          
+          # Wait for controller to be ready after upgrade
+          kubectl rollout status deployment/kagent-controller -n kagent --timeout=90s
+          
+          # Setup environment variables (reusing logic from previous step)
+          HOST_IP=$(docker network inspect kind -f '{{range .IPAM.Config}}{{if .Gateway}}{{.Gateway}}{{"\n"}}{{end}}{{end}}' | grep -E '^[0-9]+\.' | head -1)
+          export KAGENT_LOCAL_HOST=$HOST_IP
+          export KAGENT_URL="http://$(kubectl get svc -n kagent kagent-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'):8083"
+          
+          # Run critical tests with namespace-scoped RBAC to verify the controller didn't lose needed permissions
+          cd go
+          go test -v github.com/kagent-dev/kagent/go/core/test/e2e -run '^TestE2EInvokeInlineAgent$|^TestE2EInvokeDeclarativeAgentWithMcpServerTool$' -failfast
       - name: fail print info
         if: failure()
         run: |