@tbavelier tbavelier commented Jan 13, 2026

What does this PR do?

  • Re-introduces permissions changes reverted by Revert "[CONTINT-5028] Add permissions to collect Argo and Flux CRDs (#2470)" #2487
  • Adds an optional E2E_GO_TEST_TIMEOUT that can be overridden to catch the test failing before the CI times out (60 min), at which point we don't get any useful logs
  • In the Helm chart provisioning, disable the SA account creation and instead manually point to the kustomize-created one that maps to the proper clusterrole (e.g. if it's modified as part of the PR)

Motivation

  • E2E tests were failing on the original PR as the cluster Agent could not get created since the operator tried to grant permissions it didn't hold due to the use of the "wrong" SA (would only use the templated clusterrole which lags behind main):
    {"level":"ERROR","ts":"2026-01-14T09:14:18.881Z","msg":"Reconciler error","controller":"datadogagent","controllerGroup":"datadoghq.com","controllerKind":"DatadogAgent","DatadogAgent":{"name":"dda-minimum","namespace":"e2e-operator"},"namespace":"e2e-operator","name":"dda-minimum","reconcileID":"2676b79b-f3dd-4009-9ff1-e5f32d25ec6b","error":"[clusterroles.rbac.authorization.k8s.io \"e2e-operator-dda-minimum-orch-exp-dca\" is forbidden: user \"system:serviceaccount:e2e-operator:datadog-operator-linux\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:e2e-operator\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"argoproj.io\"], Resources:[\"applications\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"argoproj.io\"], Resources:[\"applicationsets\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"kustomize.toolkit.fluxcd.io\"], Resources:[\"kustomizations\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"buckets\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"externalartifacts\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"gitrepositories\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"helmcharts\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"helmrepositories\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"ocirepositories\"], Verbs:[\"list\" \"watch\"]}, clusterroles.rbac.authorization.k8s.io \"e2e-operator-dda-minimum-orch-exp-dca\" not found]","errorCauses":[{"error":"clusterroles.rbac.authorization.k8s.io \"e2e-operator-dda-minimum-orch-exp-dca\" is forbidden: user \"system:serviceaccount:e2e-operator:datadog-operator-linux\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:e2e-operator\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"argoproj.io\"], Resources:[\"applications\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"argoproj.io\"], Resources:[\"applicationsets\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"kustomize.toolkit.fluxcd.io\"], Resources:[\"kustomizations\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"buckets\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"externalartifacts\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"gitrepositories\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"helmcharts\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"helmrepositories\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"ocirepositories\"], Verbs:[\"list\" \"watch\"]}"},{"error":"clusterroles.rbac.authorization.k8s.io \"e2e-operator-dda-minimum-orch-exp-dca\" not found"}],"stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:255"}

Describe your test plan

See #2470

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)
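
One way to turn a reconciler error like the one in the Motivation section into the list of rules the operator's service account is missing. This is an added example, not code from this PR or the datadog-operator repository; `ParseDenial`, `Rule` and the sample log line with its placeholder names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Rule is one denied entry: verbs the requester lacks on a resource.
type Rule struct{ Group, Resource, Verbs string }

// Constructed sample shaped like the reconciler error above; names are placeholders.
const sampleLine = `{"level":"ERROR","msg":"Reconciler error","error":"clusterroles.rbac.authorization.k8s.io \"example-dca\" is forbidden: user \"system:serviceaccount:example-ns:example-operator\" is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"argoproj.io\"], Resources:[\"applications\"], Verbs:[\"list\" \"watch\"]}\n{APIGroups:[\"source.toolkit.fluxcd.io\"], Resources:[\"buckets\"], Verbs:[\"list\" \"watch\"]}"}`

// subjectRE finds the denied identity; ruleRE matches one Go-formatted
// PolicyRule as it appears in the API server's denial message.
var (
	subjectRE = regexp.MustCompile(`user "([^"]+)"`)
	ruleRE    = regexp.MustCompile(`\{APIGroups:\[([^\]]*)\], Resources:\[([^\]]*)\], Verbs:\[([^\]]*)\]\}`)
)

// clean turns `"list" "watch"` into `list,watch`.
func clean(s string) string {
	return strings.Join(strings.Fields(strings.ReplaceAll(s, `"`, "")), ",")
}

// ParseDenial decodes one JSON log line and returns the denied subject and rules.
func ParseDenial(line string) (string, []Rule, error) {
	var rec struct {
		Error string `json:"error"`
	}
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return "", nil, err
	}
	if !strings.Contains(rec.Error, "grant RBAC permissions not currently held") {
		return "", nil, fmt.Errorf("not an RBAC escalation denial")
	}
	subject := ""
	if m := subjectRE.FindStringSubmatch(rec.Error); m != nil {
		subject = m[1]
	}
	var rules []Rule
	for _, m := range ruleRE.FindAllStringSubmatch(rec.Error, -1) {
		rules = append(rules, Rule{clean(m[1]), clean(m[2]), clean(m[3])})
	}
	return subject, rules, nil
}

func main() { fmt.Println(ParseDenial(sampleLine)) }
```

Each returned rule is one that the requesting service account's own ClusterRole has to hold before the API server lets it create a ClusterRole containing that rule.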

@tbavelier tbavelier changed the title Tbavelier/fix e2e and crds Add go timeout before CI timeout to e2e tests and fix FluxCD permissions for resources Jan 13, 2026
@tbavelier tbavelier added this to the v1.23.0 milestone Jan 13, 2026
@tbavelier tbavelier added the bug Something isn't working label Jan 13, 2026
codecov-commenter commented Jan 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.95%. Comparing base (b4b6e01) to head (1e5fe9b).
⚠️ Report is 2 commits behind head on main.

@@            Coverage Diff             @@
##             main    #2486      +/-   ##
==========================================
- Coverage   38.09%   37.95%   -0.15%     
==========================================
  Files         299      300       +1     
  Lines       25182    25834     +652     
==========================================
+ Hits         9594     9805     +211     
- Misses      14853    15287     +434     
- Partials      735      742       +7     
Flag Coverage Δ
unittests 37.95% <100.00%> (-0.15%) ⬇️

Files with missing lines Coverage Δ
.../datadogagent/feature/orchestratorexplorer/rbac.go 100.00% <100.00%> (ø)
internal/controller/datadogagent_controller.go 66.66% <ø> (ø)

... and 8 files with indirect coverage changes


@tbavelier tbavelier modified the milestones: v1.23.0, v1.24.0 Jan 13, 2026
@tbavelier tbavelier changed the title Add go timeout before CI timeout to e2e tests and fix FluxCD permissions for resources [CONTINT-5028] Add permissions to collect Argo and Flux CRDs and use kustomize SA for e2e-tests Jan 14, 2026
@tbavelier tbavelier marked this pull request as ready for review January 14, 2026 14:26
@tbavelier tbavelier requested a review from a team as a code owner January 14, 2026 14:26
@tbavelier tbavelier added enhancement New feature or request and removed qa/skip-qa labels Jan 14, 2026
@tbavelier tbavelier merged commit 08c7140 into main Jan 15, 2026
32 checks passed
@tbavelier tbavelier deleted the tbavelier/fix-e2e-and-crds branch January 15, 2026 12:04