OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces

- Scoped namespace permissions to read-only to enable informer watches.
- Restricted wildcard namespace permissions exclusively to operand namespaces (routers and canary).
- Scoped CRD permissions to read-only to enable informer watches.
- Restricted wildcard CRD permissions exclusively to Gateway API.

manifests/00-cluster-role.yaml

@@ -15,7 +15,6 @@ rules:
   - ""
   resources:
   - configmaps
-  - namespaces
   - serviceaccounts
   - endpoints
   - services
@@ -25,6 +24,25 @@ rules:
   verbs:
   - "*"
 
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  resourceNames:
+  - openshift-ingress
+  - openshift-ingress-canary
+  verbs:
+  - "*"
+
 - apiGroups:
   - ""
   resources:
@@ -172,6 +190,20 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
+  - get
+  - list
+  - watch
+
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  resourceNames:
+  - gatewayclasses.gateway.networking.k8s.io
+  - gateways.gateway.networking.k8s.io
+  - httproutes.gateway.networking.k8s.io
+  - referencegrants.gateway.networking.k8s.io
+  verbs:
   - '*'
 
 - apiGroups: