restrict RBAC for kube controller secrets to the required namespace only

[vara2504]

Removed the secrets resource from the calico-kube-controllers and es-calico-kube-controllers ClusterRole and created a new Role with secrets resource in the tigera-operator and tigera-elasticsearch namespaces. In both the enterprise and cloud environments, I see that all secrets managed by the kube-controllers belong to either of these namespaces.

Tested in standalone cluster, mgmt and managed cluster .

Description

For PR author

• [ ] Tests for change.
• [ ] If changing pkg/apis/, run make gen-files
• [ ] If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

• [ ] Milestone set according to targeted release.
• [ ] Appropriate labels:
  • kind/bug if this is a bugfix.
  • kind/enhancement if this is a a new feature.
  • enterprise if this PR applies to Calico Enterprise only.

[tmjd]

Please make sure you consider the multi-tenant configuration and understand if this impacts that configuration.

[vara2504]

Checked with the multi-tenant team, and we might not have any impact in the tenant namespace. https://tigera.slack.com/archives/C04EKEGHE3C/p1732310285573909