DataDog · fanny-jiang · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025
diff --git a/.github/workflows/no-ci.yaml b/.github/workflows/no-ci.yaml
@@ -1,9 +1,8 @@
-name: No lint and test needed
+name: No chart lint and test needed
 on:
   pull_request:
     paths-ignore:
       - 'charts/**'
-      - 'test/**'
 jobs:
   pr-validated:
     name: pr-validated

diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml
@@ -17,11 +17,19 @@
 - hostPath:
     path: /sys/fs/cgroup
   name: cgroups
-{{- if or (and (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath .Values.datadog.sbom.host.enabled)) (and .Values.providers.gke.autopilot (eq (include "gke-autopilot-workloadallowlists-enabled" .) "true")) }}
+{{- if or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath .Values.datadog.sbom.host.enabled }}
+{{- if .Values.providers.gke.autopilot}}
+{{- if eq (include "gke-autopilot-workloadallowlists-enabled" . ) "true" }}
 - hostPath:
     path: {{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }}
   name: os-release-file
 {{- end }}
+{{- else}}
+- hostPath:
+    path: {{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }}
+  name: os-release-file
+{{- end }}
+{{- end }}
 {{- if and (eq (include "should-add-host-path-for-os-release-paths" .) "true") (or (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-sbom-host-fs-collection" .) "true")) }}
 - hostPath:
     path: /etc/redhat-release

diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
@@ -372,16 +372,24 @@ false
 
 {{/*
 Return true if the system-probe container should be created.
+The system-probe container should NOT be created if:
+* running GKE GDC
+* running GKE Autopilot without WorkloadAllowlists support (GKE version < 1.32.1-gke.1729000)
 */}}
 {{- define "should-enable-system-probe" -}}
-{{- if or (eq (include "system-probe-feature" .) "true") (eq .Values.targetSystem "linux") (not .Values.providers.gke.gdc) (and .Values.providers.gke.autopilot (eq (include "gke-autopilot-workloadallowlists-enabled" .) "true")) -}}
+{{- $systemProbeFeature := eq (include "system-probe-feature" .) "true" -}}
+{{- $isLinux := eq .Values.targetSystem "linux" -}}
+{{- $isGdc := .Values.providers.gke.gdc -}}
+{{- $isAutopilot := .Values.providers.gke.autopilot -}}
+{{- $workloadAllowlistsEnabled := eq (include "gke-autopilot-workloadallowlists-enabled" .) "true" -}}
+
+{{- if and (or ($systemProbeFeature) ($isLinux) (not $isGdc) (and $isAutopilot ($workloadAllowlistsEnabled))) (not (and ($isAutopilot) (not $workloadAllowlistsEnabled))) -}}
 true
 {{- else -}}
 false
 {{- end -}}
 {{- end -}}
 
-
 {{/*
 Return true if a security-agent feature is enabled.
 */}}
@@ -1058,9 +1066,7 @@ Create RBACs for custom resources
   Returns true if process-related checks should run on the core agent.
 */}}
 {{- define "should-run-process-checks-on-core-agent" -}}
-  {{- if .Values.providers.gke.gdc -}}
-    false
-  {{- else if and (.Values.providers.gke.autopilot) (not (eq (include "gke-autopilot-workloadallowlists-enabled" .) "true")) -}}
+  {{- if or (.Values.providers.gke.gdc) (and (.Values.providers.gke.autopilot) (not (eq (include "gke-autopilot-workloadallowlists-enabled" .) "true"))) -}}
     false
   {{- else if ne .Values.targetSystem "linux" -}}
     false

diff --git a/test/common/common.go b/test/common/common.go
@@ -1,7 +1,9 @@
 package common
 
 import (
-	appsv1 "k8s.io/api/apps/v1"
+	"bytes"
+	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -11,6 +13,9 @@ import (
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/stretchr/testify/require"
+	yaml "gopkg.in/yaml.v3"
+	appsv1 "k8s.io/api/apps/v1"
+	yaml2 "k8s.io/apimachinery/pkg/util/yaml"
 )
 
 type HelmCommand struct {
@@ -117,3 +122,56 @@ func Contains(str string, list []string) bool {
 	}
 	return false
 }
+
+// Takes multi-document YAML and filter out keys from each document.
+func FilterYamlKeysMultiManifest(manifest string, filterKeys map[string]interface{}) (string, error) {
+	reader := strings.NewReader(manifest)
+	decoder := yaml2.NewYAMLOrJSONDecoder(reader, 4096)
+	builder := strings.Builder{}
+	for {
+		var obj map[string]interface{}
+		// We read the next YAML document from the input stream until we reach EOF.
+		// This is needed if Helm rendering contains multiple resource manifests.
+		err := decoder.Decode(&obj)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return "", fmt.Errorf("couldn't decode manifest for filtering dynamic keys: %s", err)
+		}
+
+		filterKeysRecursive(&obj, filterKeys)
+
+		var buf bytes.Buffer
+		enc := yaml.NewEncoder(&buf)
+		enc.SetIndent(2) // Adjust indentation (default is 4)
+		err = enc.Encode(obj)
+		if err != nil {
+			return "", fmt.Errorf("couldn't encode manifest after filtering: %s", err)
+		}
+
+		err = enc.Close()
+		if err != nil {
+			return "", fmt.Errorf("couldn't close encoder: %s", err)
+		}
+
+		output := buf.String()
+		_, err = builder.WriteString(output)
+		if err != nil {
+			return "", fmt.Errorf("couldn't write manifest string in builder: %s", err)
+		}
+		builder.WriteString("---\n")
+	}
+	return builder.String(), nil
+}
+
+func filterKeysRecursive(yamlMap *map[string]interface{}, keys map[string]interface{}) {
+	for yamlKey := range *yamlMap {
+		if _, found := keys[yamlKey]; found {
+			// fmt.Println("deleting key", yamlKey)
+			delete(*yamlMap, yamlKey)
+		} else if nested, ok := (*yamlMap)[yamlKey].(map[string]interface{}); ok {
+			filterKeysRecursive(&nested, keys)
+		}
+	}
+}