feat: clean the config and fix the manifests generation

[cw-Guo]

What this PR does / why we need it:

Cleans up config/ and consolidate the manifests/setup/setup.yaml, config/default/ now is the single canonical kustomize entry point for the production install bundle, and also fixes the kubebuilder markers to generate the wanted roles and so on.

Which issue(s) this PR fixes:

Fixes #

Does this PR introduced a user-facing change?

Additional documentation, usage docs, etc.:

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 53 out of 56 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (10)

config/rbac/kustomization.yaml:1

• The comment states leader-election RBAC is 'intentionally disabled' and that 'the production deployment does not enable --leader-elect', but the rendered Deployment in manifests/setup/setup.yaml (and config/manager/manager.yaml) passes --leader-elect, and these two leader-election resources are actively included (not commented out). Either remove the contradictory comment or rewrite it to reflect that leader-election RBAC is enabled to match the manager args.
  tests/scripts/fluentd_e2e.sh:1
• Using a literal \\n in the sed replacement to inject a new imagePullPolicy: line is a GNU sed extension; BSD/macOS sed will emit a literal n instead of a newline and produce invalid YAML, breaking the script for developers running e2e locally on macOS. Consider either using two separate sed expressions where the second uses a\\ to append a line, piping through awk, or constructing the multi-line replacement using a literal newline inside the shell string ($'\\n'). At minimum, document the GNU-sed dependency.
  manifests/setup/setup.yaml:1
• The manager is started with --metrics-bind-address=:8443 but the container declares no containerPort for 8443 and the metrics Service / NetworkPolicy / ServiceMonitor sections in config/default/kustomization.yaml are all commented out. The metrics endpoint will therefore be unreachable from outside the pod. If metrics aren't intended to be exposed in the default bundle, consider setting --metrics-bind-address=0 (disabled) to avoid binding an unused port; if they are intended, expose the port and enable the metrics Service.
  manifests/setup/setup.yaml:1
• readOnlyRootFilesystem: true is set, but the manager binary currently writes leader-election cache files (controller-runtime writes to its temp dir) and may rely on /tmp. Without an emptyDir mount at /tmp (only the env configmap is mounted under /fluent-operator), the pod can fail to acquire the leader lease or to perform any operation that touches the filesystem. Consider adding an emptyDir volume mounted at /tmp to keep the read-only root while preserving writable scratch space.
  config/rbac/role_binding.yaml:1
• The ServiceAccount subject no longer specifies a namespace. For a ClusterRoleBinding, the subject's namespace is required when kind: ServiceAccount; kustomize's namespace transformer does set it for ServiceAccount resources, but it does not by default rewrite subject namespaces inside (Cluster)RoleBindings unless configured to. Verify the rendered setup.yaml actually contains namespace: fluent under this subject (looking at the diff for setup.yaml, the ClusterRoleBinding still references namespace: fluent, so kustomize is handling it — please confirm this stays true if a consumer overrides the namespace in manifests/setup/kustomization.yaml).
  config/manager/manager.yaml:1
• Quoting ALL is unnecessary and inconsistent with the rendered manifests/setup/setup.yaml (which emits - ALL unquoted). Drop the quotes to keep source and generated forms identical and avoid spurious diffs on regeneration.
  controllers/fluentdconfig_controller.go:1
• The previous markers granted get;update;patch on fluentdconfigs/status and update on fluentdconfigs/finalizers. The new consolidated marker on line 90 covers */status but the /finalizers permission has been dropped entirely. If the controller still adds/removes finalizers on fluentdconfigs or clusterfluentdconfigs (the previous code did via the update verb on /finalizers), reconciliation will fail with a forbidden error. Please verify whether finalizer handling was removed; if not, restore a +kubebuilder:rbac:groups=fluentd.fluent.io,resources=clusterfluentdconfigs/finalizers;fluentdconfigs/finalizers,verbs=update marker.
  controllers/fluentbit_controller.go:1
• The marker core,resources=events,verbs=list;watch was removed here. If the controller's manager still records Events (controller-runtime's default event recorder calls create/patch on events) or any reconciler watches them, this will produce permission errors. The rendered ClusterRole in setup.yaml no longer grants events at all (only the new leader-election Role grants events: create;patch in the fluent namespace, which won't cover cluster-scoped consumers). Please confirm event recording still works at runtime, and if so, retain at least events,verbs=create;patch on the operator's ClusterRole or namespaced Role as appropriate.
  tests/scripts/fluentd_e2e.sh:1
• The VERSION variable (previously read from the VERSION file) was removed, but if other parts of this script or downstream tooling referenced $VERSION, those references will now be unbound. Please confirm nothing else in the file (not shown in the diff) still uses $VERSION.
  manifests/setup/setup.yaml:1
• The leader-election Role/RoleBinding are hard-coded to namespace: fluent. If a user customizes the install namespace via manifests/setup/kustomization.yaml (the comment in that file suggests doing so), this resource will be left in fluent while the Deployment moves to the new namespace, and leader election will fail with a forbidden error on leases. Confirm the kustomize namespace transformer rewrites these as expected, and document the requirement to regenerate (make manifests) after changing namespaces.

[Copilot]

Pull request overview

Copilot reviewed 54 out of 57 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

config/rbac/role_binding.yaml:15

• subjects for a ClusterRoleBinding that targets a ServiceAccount should include namespace. With it omitted, applying this YAML directly would bind to a ServiceAccount in an empty/unknown namespace (effectively granting no permissions). If you intend to rely on kustomize’s namespace transformer to inject it, consider making that explicit (or set namespace: fluent here) to avoid standalone usage pitfalls.