Agent sidecar injection support via Admission Controller

.github/workflows/go-test.yaml

@@ -2,11 +2,11 @@ name: Go Test
 on:
   push:
     paths:
-      - 'test/**'
+      - 'test/datadog-operator/**'
       - 'charts/datadog-operator/**'
   pull_request:
     paths:
-      - 'test/**'
+      - 'test/datadog-operator/**'
       - 'charts/datadog-operator/**'
 env:
   GO111MODULE: "on"

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.58.2
+
+* Add support for configuring Agent sidecar injection using Admission Controller.
+
 ## 3.58.1
 
 * Fix typo in PodSecurityPolicy warning note.

charts/datadog/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 3.58.1
+version: 3.58.2
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.58.1](https://img.shields.io/badge/Version-3.58.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.58.2](https://img.shields.io/badge/Version-3.58.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -544,6 +544,14 @@ helm install <RELEASE_NAME> \
 | agents.volumeMounts | list | `[]` | Specify additional volumes to mount in all containers of the agent pod |
 | agents.volumes | list | `[]` | Specify additional volumes to mount in the dd-agent container |
 | clusterAgent.additionalLabels | object | `{}` | Adds labels to the Cluster Agent deployment and pods |
+| clusterAgent.admissionController.agentSidecarInjection.clusterAgentEnabled | bool | `true` | Enable communication between Agent sidecars and Cluster Agent. |
+| clusterAgent.admissionController.agentSidecarInjection.containerRegistry | string | `nil` |  |
+| clusterAgent.admissionController.agentSidecarInjection.enabled | bool | `false` | Enables Datadog Agent sidecar injection. |
+| clusterAgent.admissionController.agentSidecarInjection.imageName | string | `nil` |  |
+| clusterAgent.admissionController.agentSidecarInjection.imageTag | string | `nil` |  |
+| clusterAgent.admissionController.agentSidecarInjection.profiles | list | `[]` | Defines sidecar configuration override, only one profile is supported. |
+| clusterAgent.admissionController.agentSidecarInjection.provider | string | `nil` | Used by Admission Controller to add infrastructure provider specific configurations to the Agent sidecar.  |
+| clusterAgent.admissionController.agentSidecarInjection.selectors | list | `[]` | Defines pod selector for sidecar injection, only one rule is supported. |
 | clusterAgent.admissionController.configMode | string | `nil` | The kind of configuration to be injected, it can be "hostip", "service", or "socket". |
 | clusterAgent.admissionController.enabled | bool | `true` | Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods |
 | clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' |

charts/datadog/templates/NOTES.txt

@@ -538,3 +538,14 @@ You are using the datadog.securityAgent.compliance.xccdf.enabled parameter which
 This version still supports both but the support of the old name will be dropped in the next major version of our Helm chart.
 More information about this change: https://github.com/DataDog/helm-charts/pull/1161
 {{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.enabled }}
+    {{- if (semverCompare "<7.52.0" .Values.clusterAgent.image.tag) }}
+##############################################################################
+####               WARNING: Sidecar injection not supported.              ####
+##############################################################################
+
+The clusterAgent.admissionController.agentSidecarInjection.enabled is only supported
+by Cluster Agent 7.52.0 or later. Enabling this flag will not have any effect.
+    {{- end }}
+{{- end }}

charts/datadog/templates/_ac-agent-sidecar-env.yaml

@@ -0,0 +1,43 @@
+{{- define "ac-agent-sidecar-env" -}}
+{{- if and .Values.clusterAgent.admissionController.enabled .Values.clusterAgent.admissionController.agentSidecarInjection.enabled }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+  value: "true"
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.provider }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.provider }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.containerRegistry }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.containerRegistry }}
+{{- else if .Values.registry }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+  value: {{ .Values.registry }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.imageName }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageName }}
+{{- else if .Values.agents.image.name}}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+  value: {{ .Values.agents.image.name }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag }}
+{{- else if .Values.agents.image.tag}}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+  value: {{ .Values.agents.image.tag }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.selectors }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS
+  value: '{{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.selectors }}'
+{{- end }}
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.profiles }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES
+  value: '{{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.profiles }}'
+{{- end }}
+{{- end }}
+{{- end }}

charts/datadog/templates/cluster-agent-deployment.yaml

@@ -235,6 +235,7 @@ spec:
           - name: DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_PATCHER_ENABLED
             value: "true"
           {{- end }}
+          {{ include "ac-agent-sidecar-env" . | nindent 10 }}
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }}
           {{- if .Values.datadog.apm.instrumentation.enabled }}

charts/datadog/values.yaml

@@ -1061,6 +1061,56 @@ clusterAgent:
     # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
     port: 8000
 
+    agentSidecarInjection:
+      # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection.
+
+      ## When enabled, Admission Controller mutating webhook will inject Agent sidecar with minimal configuration in every pods meeting configured criteria.
+      ## ref: https://docs.datadoghq.com/integrations/eks_fargate
+      enabled: false
+
+      # clusterAgent.admissionController.agentSidecarInjection.provider -- Used by Admission Controller to add infrastructure provider specific configurations to the Agent sidecar.
+
+      ## Currently only "fargate" is supported. To use the feature in other environments (including local testing) omit the config.
+      provider:
+
+      # clusterAgent.admissionController.agentSidecarInjection.clusterAgentEnabled -- Enable communication between Agent sidecars and Cluster Agent.
+      clusterAgentEnabled: true
+
+      # clusterAgent.admissionController.containerRegistry -- Override default registry for sidecar Agent.
+      containerRegistry:
+
+      # clusterAgent.admissionController.imageName -- Override default agents.image.name for Agent sidecar.
+      imageName:
+
+      # clusterAgent.admissionController.imageTag -- Override default agents.image.tag for Agent sidecar.
+      imageTag:
+
+      # clusterAgent.admissionController.agentSidecarInjection.selectors -- Defines pod selector for sidecar injection, only one rule is supported.
+      selectors: []
+        # - objectSelector:
+        #   matchLabels:
+        #       "podlabelKey1": podlabelValue1
+        #       "podlabelKey2": podlabelValue2
+        #   namespaceSelector:
+        #     matchLabels:
+        #       "nsLabelKey1": nsLabelValue1
+        #       "nsLabelKey2": nsLabelValue2
+
+      # clusterAgent.admissionController.agentSidecarInjection.profiles -- Defines sidecar configuration override, only one profile is supported.
+
+      ## This setting allows to override sidecar Agent configuration by adding environment variables and providing resource settings.
+      profiles: []
+        # - env:
+        #     - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
+        #       value: "true"
+        #   resources:
+        #     requests:
+        #       cpu: "1"
+        #       memory: "512Mi"
+        #     limits:
+        #       cpu: "2"
+        #       memory: "1024Mi"
+
   # clusterAgent.confd -- Provide additional cluster check configurations. Each key will become a file in /conf.d.
 
   ## ref: https://docs.datadoghq.com/agent/autodiscovery/

test/datadog/baseline/agent-clusterchecks-deployment_default.yaml

@@ -6,7 +6,7 @@ metadata:
   name: datadog-clusterchecks
   namespace: datadog-agent
   labels:
-    helm.sh/chart: 'datadog-3.57.3'
+    helm.sh/chart: 'datadog-3.58.2'
     app.kubernetes.io/name: "datadog"
     app.kubernetes.io/instance: "datadog"
     app.kubernetes.io/managed-by: Helm
@@ -36,8 +36,8 @@ spec:
 
       name: datadog-clusterchecks
       annotations:
-        checksum/clusteragent_token: 2a2bc6b89e48b04b4499adc7d022f736a18ee78f96da00520796532402bd8550
-        checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
+        checksum/clusteragent_token: 28cc2de8b18dbcb16fda6dfd1c09b73b237d7dc58b4d905f1e57fc78a74ed029
+        checksum/install_info: 3c5d7a2732f453d72b241f37b74f59319bcbf51e387a8fc35dc47bc4a1a7a390
     spec:
       serviceAccountName: datadog-cluster-checks
       automountServiceAccountToken: true

test/datadog/baseline/cluster-agent-deployment_default.yaml

@@ -6,7 +6,7 @@ metadata:
   name: datadog-cluster-agent
   namespace: datadog-agent
   labels:
-    helm.sh/chart: 'datadog-3.57.3'
+    helm.sh/chart: 'datadog-3.58.2'
     app.kubernetes.io/name: "datadog"
     app.kubernetes.io/instance: "datadog"
     app.kubernetes.io/managed-by: Helm
@@ -36,11 +36,11 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: 64345c6150cd562acd79e6965148d36a188d36b4c5656963c7beb3b62ff5bf7d
-        checksum/clusteragent-configmap: 7f009f417a71add9ae521f09f0eaf63c29efd5cdd701f5d92714fc3ac1800b6f
-        checksum/api_key: dbe0d3b411cc72447e81235afeed9e2102588d5088fcbb696a2db9e4e31af712
+        checksum/clusteragent_token: c6b4332acf829f84e022861f9a81f0653f134ed7610a59886d738eca365ccc81
+        checksum/clusteragent-configmap: c4ebd3c35d77ac0260f47e1ec10c9733cd76488f4232f76f26466174b922b430
+        checksum/api_key: 3c042e07978640da60c9adc10c03acb2e68c176d8f5ecc4c1c8d216051f476a5
         checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
-        checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
+        checksum/install_info: 3c5d7a2732f453d72b241f37b74f59319bcbf51e387a8fc35dc47bc4a1a7a390
     spec:
       serviceAccountName: datadog-cluster-agent
       automountServiceAccountToken: true
@@ -105,6 +105,8 @@ spec:
             value: "Ignore"
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
+
+
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml

@@ -6,7 +6,7 @@ metadata:
   name: datadog-cluster-agent
   namespace: datadog-agent
   labels:
-    helm.sh/chart: 'datadog-3.57.3'
+    helm.sh/chart: 'datadog-3.58.2'
     app.kubernetes.io/name: "datadog"
     app.kubernetes.io/instance: "datadog"
     app.kubernetes.io/managed-by: Helm
@@ -36,11 +36,11 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: bf8ff7d8f04853084ee401bfe3e4d5e83c6764f82c63c32bbb749a66681cb397
-        checksum/clusteragent-configmap: 7f009f417a71add9ae521f09f0eaf63c29efd5cdd701f5d92714fc3ac1800b6f
-        checksum/api_key: dbe0d3b411cc72447e81235afeed9e2102588d5088fcbb696a2db9e4e31af712
+        checksum/clusteragent_token: e7c535ed4ea19d0a98c61427f08136f73dd79ee5479e3b0d2a65196c59b9b2c6
+        checksum/clusteragent-configmap: c4ebd3c35d77ac0260f47e1ec10c9733cd76488f4232f76f26466174b922b430
+        checksum/api_key: 3c042e07978640da60c9adc10c03acb2e68c176d8f5ecc4c1c8d216051f476a5
         checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
-        checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
+        checksum/install_info: 3c5d7a2732f453d72b241f37b74f59319bcbf51e387a8fc35dc47bc4a1a7a390
     spec:
       serviceAccountName: datadog-cluster-agent
       automountServiceAccountToken: true
@@ -106,7 +106,19 @@ spec:
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
 
-          # TODO cluster agent version check
+
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+            value: "true"
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+            value: gcr.io/datadoghq
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+            value: agent
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+            value: 7.53.0
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS
+            value: '[{"namespaceSelector":{"matchLabels":{"agentSidecars":"true"}},"objectSelector":{"matchLabels":{"app":"nginx","runsOn":"nodeless"}}}]'
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES
+            value: '[{"env":[{"name":"DD_ORCHESTRATOR_EXPLORER_ENABLED","value":"false"}],"resources":{"limits":{"cpu":"2","memory":"1024Mi"},"requests":{"cpu":"1","memory":"512Mi"}}}]'
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml

@@ -6,7 +6,7 @@ metadata:
   name: datadog-cluster-agent
   namespace: datadog-agent
   labels:
-    helm.sh/chart: 'datadog-3.57.3'
+    helm.sh/chart: 'datadog-3.58.2'
     app.kubernetes.io/name: "datadog"
     app.kubernetes.io/instance: "datadog"
     app.kubernetes.io/managed-by: Helm
@@ -36,11 +36,11 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: be494ddb6dfc1e236fd2df24cd29923903e1dc4d171f4d74795e26e5fc8b6aa9
-        checksum/clusteragent-configmap: 7f009f417a71add9ae521f09f0eaf63c29efd5cdd701f5d92714fc3ac1800b6f
-        checksum/api_key: dbe0d3b411cc72447e81235afeed9e2102588d5088fcbb696a2db9e4e31af712
+        checksum/clusteragent_token: 132b9662936193f4ffc25930726aeb0cf29077af55415532dbac65f19551677c
+        checksum/clusteragent-configmap: c4ebd3c35d77ac0260f47e1ec10c9733cd76488f4232f76f26466174b922b430
+        checksum/api_key: 3c042e07978640da60c9adc10c03acb2e68c176d8f5ecc4c1c8d216051f476a5
         checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
-        checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
+        checksum/install_info: 3c5d7a2732f453d72b241f37b74f59319bcbf51e387a8fc35dc47bc4a1a7a390
     spec:
       serviceAccountName: datadog-cluster-agent
       automountServiceAccountToken: true
@@ -106,7 +106,15 @@ spec:
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
 
-          # TODO cluster agent version check
+
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+            value: "true"
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER
+            value: fargate
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+            value: agent
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+            value: 7.51.0
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline/daemonset_default.yaml

@@ -6,7 +6,7 @@ metadata:
   name: datadog
   namespace: datadog-agent
   labels:
-    helm.sh/chart: 'datadog-3.57.3'
+    helm.sh/chart: 'datadog-3.58.2'
     app.kubernetes.io/name: "datadog"
     app.kubernetes.io/instance: "datadog"
     app.kubernetes.io/managed-by: Helm
@@ -30,8 +30,8 @@ spec:
 
       name: datadog
       annotations:
-        checksum/clusteragent_token: 3b6811ea07d2b99a0f0fdba3311c16fe34515f24ea3bbc3395ed7600d8a541bc
-        checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
+        checksum/clusteragent_token: 98c124e662a3ed0dca988fa0d97e414116c1c83a3b2355354dff0b225ee3d887
+        checksum/install_info: 3c5d7a2732f453d72b241f37b74f59319bcbf51e387a8fc35dc47bc4a1a7a390
         checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b
         checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
         checksum/checksd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a