operator: Change operator management to cluster scope

[RafalKorepta]

In default helm deployment the operator will managed its custom resources in
multiple namespaces. The Role rules are moved to ClusterRole resource to give
enough privileges to operator process.

K8S-586

[github-actions]

This PR is stale because it has been open 5 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[he0s]

Am I right that after this update the operator will allow deploying the operator itself and redpanda resources into different namespaces?

[RafalKorepta]

@he0s Yes, that's the plan

[he0s]

@RafalKorepta that's great! I tried to deploy a cluster with using the operator today and I wanted to have the feature in operator, since it's required to deploy operator and a new cluster into separate namespaces.

[andrewstucki]

From a basic pass LGTM. Even though the next initial release is light. I would want to verify that the upgrade works smoothly before shipping this though.

[RafalKorepta]

@andrewstucki
I created new install pack and perform certification test suite:

https://github.com/redpanda-data/cloudv2/pull/22882
https://github.com/redpanda-data/cloudv2/pull/22882#issuecomment-3143904609

[github-actions]

This PR is stale because it has been open 5 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[chrisseto]

This PR is in good shape right now. The added upgrade tests will currently fail because they're trying to install CRDs for v25.1.x that don't exist.

I don't think it makes sense to keep harpoon working the way it does as it leaves us blind to bugs that might occur from CRD changes. I'm looking into adding vCluster isolation for the upgrade tests.

We'll also need to verify that the kustomize installation path used by cloud works as expected or just upgrade them to using the helm chart. (My preference would be for the latter).

[github-actions]

This PR is stale because it has been open 5 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[chrisseto]

Strong preference to use crds.enabled=true so we don't accidentally miss any regressions. We can punt if there's an additional complication I'm overlooking.

[chrisseto]

😬 hadn't seen that issue before

[andrewstucki]

Yeah, it's gross, it happens because the linter freaks out when we're only doing type assertions/casting with an imported package (the places where we're upcasting runtime.Object to client.Object via o := obj.(client.Object)). Output looks like this as a linter failure and is unable to be suppressed:

acceptance/steps/k8s.go:13:2: "sigs.k8s.io/controller-runtime/pkg/client" imported and not used (typecheck)
--
  | "sigs.k8s.io/controller-runtime/pkg/client"

this is the only way of getting around it since I can't mute it. We can probably upgrade golangci-lint to see if any newer versions don't have this issue, but it's pretty 🤮 as is.

[chrisseto]

upgrading golangci-lint is generally pretty painful punt that to another day / week / month 😛