
Helm operator security hardening#1956

Merged
wenchajun merged 1 commit into fluent:master from smallc2009:feature/helm-operator-security-hardening on May 19, 2026

Conversation

@smallc2009
Contributor

What this PR does / why we need it:

  • Set runAsNonRoot: true with UID 65532 for operator pod
  • Add restrictive securityContext: drop all capabilities, readOnlyRootFilesystem
  • Add seccompProfile: RuntimeDefault for both pod and container
  • Add fsGroup: 65532 for pod-level security
  • Add liveness probe (GET /healthz:8081, 15s delay, 20s period)
  • Add readiness probe (GET /readyz:8081, 5s delay, 10s period)

Changes applied to both values.yaml defaults and deployment template.

Which issue(s) this PR fixes:

Fixes #1945

Does this PR introduce a user-facing change?


Additional documentation, usage docs, etc.:


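As an added example (not code from the fluent-operator chart or this PR), a small audit that checks a parsed pod spec for exactly the controls listed above: runAsNonRoot with UID and fsGroup 65532, all capabilities dropped, read-only root filesystem, RuntimeDefault seccomp on both pod and container, and the two HTTP probes on port 8081. The two specs inside it are constructed, and `audit_pod_spec` is a hypothetical helper name.

```python
"""Audit a pod spec for the hardening controls this PR sets. Added example,
not chart code; the specs below are constructed, already-parsed dicts."""

NONROOT_UID = 65532  # UID and fsGroup used by the PR
PROBE_PORT = 8081    # health endpoint port used by the PR
PROBES = (("livenessProbe", "/healthz"), ("readinessProbe", "/readyz"))


def audit_pod_spec(spec: dict) -> list[str]:
    """Return findings; an empty list means every control is present."""
    f = []
    psc = spec.get("securityContext") or {}
    if psc.get("runAsNonRoot") is not True:
        f.append("pod: runAsNonRoot != true")
    if psc.get("runAsUser") != NONROOT_UID:
        f.append(f"pod: runAsUser != {NONROOT_UID}")
    if psc.get("fsGroup") != NONROOT_UID:
        f.append(f"pod: fsGroup != {NONROOT_UID}")
    if (psc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        f.append("pod: seccompProfile.type != RuntimeDefault")
    for c in spec.get("containers", []):
        n, csc = c.get("name", "?"), c.get("securityContext") or {}
        if "ALL" not in ((csc.get("capabilities") or {}).get("drop") or []):
            f.append(f"{n}: capabilities.drop lacks ALL")
        if csc.get("readOnlyRootFilesystem") is not True:
            f.append(f"{n}: readOnlyRootFilesystem != true")
        if (csc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
            f.append(f"{n}: seccompProfile.type != RuntimeDefault")
        for probe, path in PROBES:  # both probes must be HTTP GETs on 8081
            get = (c.get(probe) or {}).get("httpGet") or {}
            if get.get("path") != path or get.get("port") != PROBE_PORT:
                f.append(f"{n}: {probe} is not GET {path}:{PROBE_PORT}")
    return f


# Constructed inputs: the pre-hardening shape and the shape this PR describes.
WEAK_SPEC = {"containers": [{"name": "fluent-operator", "image": "op:v1"}]}
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": NONROOT_UID,
                        "fsGroup": NONROOT_UID,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "fluent-operator", "image": "op:v1",
        "securityContext": {"capabilities": {"drop": ["ALL"]},
                            "readOnlyRootFilesystem": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": PROBE_PORT},
                          "initialDelaySeconds": 15, "periodSeconds": 20},
        "readinessProbe": {"httpGet": {"path": "/readyz", "port": PROBE_PORT},
                           "initialDelaySeconds": 5, "periodSeconds": 10}}]}
```

Running `audit_pod_spec` over the weak spec lists nine missing controls, while the hardened spec returns none; feeding it the `spec` of a rendered Deployment's pod template gives the same check against a real chart.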
Copilot AI review requested due to automatic review settings May 18, 2026 08:03
Contributor

Copilot AI left a comment


Pull request overview

This PR hardens the Helm deployment defaults for the Fluent Operator, but it also includes unrelated Fluent Bit S3 output API/CRD updates.

Changes:

  • Adds default pod/container security contexts and probes to the Helm operator chart.
  • Renders operator liveness/readiness probes in the Helm deployment template.
  • Adds S3 networking fields across API types, docs, generated deepcopy, and CRD manifests.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 2 comments.

File Description
charts/fluent-operator/values.yaml Adds hardened operator security defaults and probe values.
charts/fluent-operator/templates/fluent-operator-deployment.yaml Renders operator liveness/readiness probes.
apis/fluentbit/v1alpha2/plugins/output/s3_types.go Adds S3 networking fields and config rendering.
apis/fluentbit/v1alpha2/plugins/output/s3_types_test.go Extends S3 params test for new networking fields.
apis/fluentbit/v1alpha2/plugins/output/zz_generated.deepcopy.go Regenerates deepcopy logic for new S3 fields.
docs/plugins/fluentbit/output/s3.md Documents new S3 fields.
config/crd/bases/fluentbit.fluent.io_outputs.yaml Regenerates Output CRD schema.
config/crd/bases/fluentbit.fluent.io_clusteroutputs.yaml Regenerates ClusterOutput CRD schema.
charts/fluent-operator/crds/fluentbit.fluent.io_outputs.yaml Updates Helm-bundled Output CRD.
charts/fluent-operator/crds/fluentbit.fluent.io_clusteroutputs.yaml Updates Helm-bundled ClusterOutput CRD.
charts/fluent-operator-fluent-bit-crds/templates/fluentbit.fluent.io_outputs.yaml Updates standalone Fluent Bit Output CRD chart template.
charts/fluent-operator-fluent-bit-crds/templates/fluentbit.fluent.io_clusteroutputs.yaml Updates standalone Fluent Bit ClusterOutput CRD chart template.
manifests/setup/setup.yaml Updates generated setup manifest CRD schemas.
manifests/setup/fluent-operator-crd.yaml Updates generated CRD manifest schemas.
Files not reviewed (1)
  • apis/fluentbit/v1alpha2/plugins/output/zz_generated.deepcopy.go: Language not supported
Comments suppressed due to low confidence (5)

apis/fluentbit/v1alpha2/plugins/output/s3_types.go:150

  • This renders the Keepalive field as net.tcp_keepalive, but the field comment/JSON name describe the existing connection keepalive option that the shared networking implementation renders as net.keepalive (apis/fluentbit/v1alpha2/plugins/net_types.go:55-56). Users setting keepalive for S3 will configure a different Fluent Bit option than the CRD documents.
	plugins.InsertKVField(kvs, "net.tcp_keepalive", o.Keepalive)

apis/fluentbit/v1alpha2/plugins/output/s3_types.go:154

  • KeepaliveIdleTimeout is added to the renderer but the updated S3 params test does not set this field or assert the emitted net.keepalive_idle_timeout key. Because the test covers the other newly added networking fields, this path should be included to catch key/tag regressions.
	plugins.InsertKVField(kvs, "net.keepalive_idle_timeout", o.KeepaliveIdleTimeout)

apis/fluentbit/v1alpha2/plugins/output/s3_types.go:69

  • Correct the grammar in this new field description: "this include" should be "this includes".
	// Set maximum time expressed in seconds to wait for a TCP connection to be established, this include the TLS handshake time.

apis/fluentbit/v1alpha2/plugins/output/s3_types.go:78

  • Use the standard capitalization "IPv6" in this new field description.
	// Prioritize IPV6 DNS results when trying to establish a connection.

apis/fluentbit/v1alpha2/plugins/output/s3_types.go:73

  • These S3-specific networking fields bypass the shared plugins.Networking API used by other output plugins (for example, apis/fluentbit/v1alpha2/plugins/output/http_types.go:67 and :119-124). This creates a different schema for the same Fluent Bit networking options and duplicates rendering logic; consider extending/reusing the shared networking struct so S3 stays consistent with the rest of the outputs.
	// Set maximum time expressed in seconds to wait for a TCP connection to be established, this include the TLS handshake time.
	ConnectTimeout *int32 `json:"ConnectTimeout,omitempty"`
	// On connection timeout, specify if it should log an error. When disabled, the timeout is logged as a debug message.
	ConnectTimeoutLogError *bool `json:"connectTimeoutLogError,omitempty"`
	// Select the primary DNS connection type (TCP or UDP).

Comment thread apis/fluentbit/v1alpha2/plugins/output/s3_types.go Outdated
Comment thread charts/fluent-operator/values.yaml
Signed-off-by: Anson <anson.liu@live.com>
@smallc2009 smallc2009 force-pushed the feature/helm-operator-security-hardening branch from 076603e to 9f2f68c on May 18, 2026 08:09
@wenchajun wenchajun merged commit c87e78b into fluent:master May 19, 2026
7 checks passed
Development

Successfully merging this pull request may close these issues.

Hardening of fluent-operator Helm Chart

3 participants