[AGENTRUN-230] Add support for a fips_mode value that will add the -fips image tagSuffix (#1835)

Co-authored-by: misteriaud <[email protected]>
Co-authored-by: datadog-githubops-containers[bot] <152526959+datadog-githubops-containers[bot]@users.noreply.github.com>
Co-authored-by: levan-m <[email protected]>

Author: 4 people

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.114.0
+
+* Add a new parameter `useFIPSAgent` to use FIPS-compliant images for the Agent and DCA.
+
 ## 3.113.0
 
 * Add configuration option for `datadog.kubelet.useApiServer` to get the pod list from the API Server instead of the Kubelet. Disabled by default. This option requires Agent **7.65.0+**.

charts/datadog/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.113.0
+version: 3.114.0
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,10 +1,10 @@
 # Datadog
 
-![Version: 3.113.0](https://img.shields.io/badge/Version-3.113.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.114.0](https://img.shields.io/badge/Version-3.114.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
-Datadog [offers two variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
+Datadog [offers three build variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations or set the `useFIPSAgent: true` value to use the `-fips` tags if you require FIPS compliant cryptography modules. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
 
 See the [Datadog JMX integration](https://docs.datadoghq.com/integrations/java/) to learn more.
 
@@ -907,17 +907,17 @@ helm install <RELEASE_NAME> \
 | existingClusterAgent.serviceName | string | `nil` | Existing service name to use for reaching the external Cluster Agent |
 | existingClusterAgent.tokenSecretName | string | `nil` | Existing secret name to use for external Cluster Agent token |
 | fips.customFipsConfig | object | `{}` | Configure a custom configMap to provide the FIPS configuration. Specify custom contents for the FIPS proxy sidecar container config (/etc/datadog-fips-proxy/datadog-fips-proxy.cfg). If empty, the default FIPS proxy sidecar container config is used. |
-| fips.enabled | bool | `false` | Enable fips sidecar |
+| fips.enabled | bool | `false` | Enable fips proxy sidecar. The fips-proxy method is getting phased out in favor of FIPS-compliant images (refer to the `useFIPSAgent` setting). |
 | fips.image.digest | string | `""` | Define the FIPS sidecar image digest to use, takes precedence over `fips.image.tag` if specified. |
 | fips.image.name | string | `"fips-proxy"` |  |
 | fips.image.pullPolicy | string | `"IfNotPresent"` | Datadog the FIPS sidecar image pull policy |
 | fips.image.repository | string | `nil` | Override default registry + image.name for the FIPS sidecar container. |
 | fips.image.tag | string | `"1.1.10"` | Define the FIPS sidecar container version to use. |
-| fips.local_address | string | `"127.0.0.1"` | Set local IP address |
-| fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. |
-| fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577 |
-| fips.resources | object | `{}` | Resource requests and limits for the FIPS sidecar container. |
-| fips.use_https | bool | `false` | Option to enable https |
+| fips.local_address | string | `"127.0.0.1"` | Set local IP address. This setting is only used for the fips-proxy sidecar. |
+| fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. This setting is only used for the fips-proxy sidecar. |
+| fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577. This setting is only used for the fips-proxy sidecar. |
+| fips.resources | object | `{}` | Resource requests and limits for the FIPS sidecar container. This setting is only used for the fips-proxy sidecar. |
+| fips.use_https | bool | `false` | Option to enable https. This setting is only used for the fips-proxy sidecar. |
 | fullnameOverride | string | `nil` | Override the full qualified app name |
 | kube-state-metrics.image.repository | string | `"registry.k8s.io/kube-state-metrics/kube-state-metrics"` | Default kube-state-metrics image repository. |
 | kube-state-metrics.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for KSM. KSM only supports Linux. |
@@ -935,6 +935,7 @@ helm install <RELEASE_NAME> \
 | registry | string | `nil` | Registry to use for all Agent images (default to [gcr.io | eu.gcr.io | asia.gcr.io | datadoghq.azurecr.io | public.ecr.aws/datadog] depending on datadog.site value) |
 | remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration on the Cluster Agent (if set) and the node agent. Can be overridden if `datadog.remoteConfiguration.enabled` Preferred way to enable Remote Configuration. |
 | targetSystem | string | `"linux"` | Target OS for this deployment (possible values: linux, windows) |
+| useFIPSAgent | bool | `false` | Setting useFIPSAgent to true makes the helm chart use Agent images that are FIPS-compliant for use in GOVCLOUD environments. Setting this to true disables the fips-proxy sidecar and is the recommended method for enabling FIPS compliance. |
 
 ## Configuration options for Windows deployments
 <a name="windows-config"></a>

charts/datadog/README.md.gotmpl

@@ -4,7 +4,7 @@
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
-Datadog [offers two variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
+Datadog [offers three build variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations or set the `useFIPSAgent: true` value to use the `-fips` tags if you require FIPS compliant cryptography modules. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
 
 See the [Datadog JMX integration](https://docs.datadoghq.com/integrations/java/) to learn more.
 

charts/datadog/templates/NOTES.txt

@@ -658,3 +658,16 @@ OTel collector is not supported on GKE Autopilot.
 #################################################################
 OTel collector is in preview. Please reach out to your Datadog representative for more information.
 {{- end }}
+
+
+{{- if (eq (include "should-enable-fips-proxy" .) "true")  }}
+#################################################################
+####               WARNING: Deprecation notice               ####
+#################################################################
+The FIPS Proxy is getting phased out in favor of FIPS-compliant images.
+For new deployments, we recommend using the FIPS Agent.
+You can enable it by setting `useFIPSAgent` to true in your datadog-agent.yaml file.
+
+To learn more about it please refer to the following documentation:
+https://docs.datadoghq.com/agent/guide/fips-agent/
+{{- end }}

charts/datadog/templates/_container-fips-proxy.yaml

@@ -23,7 +23,7 @@
 {{- end -}}
 
 {{- define "fips-envvar" -}}
-{{- if eq  (include "should-enable-fips" .) "true" }}
+{{- if eq  (include "should-enable-fips-proxy" .) "true" }}
 - name: DD_FIPS_ENABLED
   value: {{ .Values.fips.enabled | quote }}
 - name: DD_FIPS_PORT_RANGE_START

charts/datadog/templates/_daemonset-volumes-linux.yaml

@@ -41,7 +41,7 @@
     path: /etc/system-release
   name: etc-system-release
 {{- end -}}
-{{- if eq (include "should-enable-fips" . ) "true" }}
+{{- if eq (include "should-enable-fips-proxy" . ) "true" }}
 {{ include "linux-container-fips-proxy-cfg-volume" . }}
 {{- end }}
 {{- if eq (include "should-mount-hostPath-for-dsd-socket" .) "true" }}

charts/datadog/templates/_helpers.tpl

@@ -359,8 +359,11 @@ Return a remote image path based on `.Values` (passed as root) and `.` (any `.im
 {{- end -}}
 {{- else -}}
 {{- $tagSuffix := "" -}}
+{{- if (eq (include "use-fips-images" .root) "true") -}}
+{{- $tagSuffix = printf "-%s" "fips" -}}
+{{- end -}}
 {{- if .image.tagSuffix -}}
-{{- $tagSuffix = printf "-%s" .image.tagSuffix -}}
+{{- $tagSuffix = printf "%s-%s" $tagSuffix .image.tagSuffix -}}
 {{- end -}}
 {{- if .image.repository -}}
 {{- .image.repository -}}:{{ .image.tag }}{{ $tagSuffix }}
@@ -408,11 +411,22 @@ false
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return true if we should use the -fips image tags.
+*/}}
+{{- define "use-fips-images" -}}
+{{- if .useFIPSAgent -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return true if the fips side car container should be created.
 */}}
-{{- define "should-enable-fips" -}}
-{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc )) (eq .Values.targetSystem "linux") .Values.fips.enabled -}}
+{{- define "should-enable-fips-proxy" -}}
+{{- if and (not (or (eq (include "use-fips-images" .Values) "true") (or .Values.providers.gke.autopilot .Values.providers.gke.gdc ))) (eq .Values.targetSystem "linux") .Values.fips.enabled -}}
 true
 {{- else -}}
 false
@@ -423,7 +437,7 @@ false
 Return true if the fips side car configMap should be mounted.
 */}}
 {{- define "should-mount-fips-configmap" -}}
-{{- if and (eq (include "should-enable-fips" .) "true") (not (empty .Values.fips.customFipsConfig)) -}}
+{{- if and (eq (include "should-enable-fips-proxy" .) "true") (not (empty .Values.fips.customFipsConfig)) -}}
 true
 {{- else -}}
 false

charts/datadog/templates/agent-clusterchecks-deployment.yaml

@@ -118,7 +118,7 @@ spec:
 {{ toYaml .Values.agents.containers.initContainers.resources | indent 10 }}
 {{- end }}
       containers:
-        {{- if eq  (include "should-enable-fips" .) "true" }}
+        {{- if eq  (include "should-enable-fips-proxy" .) "true" }}
           {{- include "fips-proxy" . | nindent 6 }}
         {{- end }}
       - name: agent

charts/datadog/templates/cluster-agent-deployment.yaml

@@ -119,7 +119,7 @@ spec:
           - name: config
             mountPath: /opt/datadog-agent
       containers:
-        {{- if eq  (include "should-enable-fips" .) "true" }}
+        {{- if eq  (include "should-enable-fips-proxy" .) "true" }}
           {{- include "fips-proxy" . | nindent 6 }}
         {{- end }}
       - name: cluster-agent

charts/datadog/templates/daemonset.yaml

@@ -125,7 +125,7 @@ spec:
         {{- if eq (include "should-enable-trace-agent" .) "true" }}
           {{- include "container-trace-agent" . | nindent 6 }}
         {{- end }}
-        {{- if eq  (include "should-enable-fips" .) "true" }}
+        {{- if eq  (include "should-enable-fips-proxy" .) "true" }}
           {{- include "fips-proxy" . | nindent 6 }}
         {{- end }}
         {{- if eq  (include "should-enable-process-agent" .) "true" }}

charts/datadog/values.yaml

@@ -1578,24 +1578,33 @@ existingClusterAgent:
   # existingClusterAgent.clusterchecksEnabled -- set this to false if you don’t want the agents to run the cluster checks of the joined external cluster agent
   clusterchecksEnabled: true
 
-# fips is used to enable the fips sidecar container for GOVCLOUD environments.
+# useFIPSAgent -- Setting useFIPSAgent to true makes the helm chart use Agent images that are FIPS-compliant for use in GOVCLOUD environments.
+# Setting this to true disables the fips-proxy sidecar and is the recommended method for enabling FIPS compliance.
+useFIPSAgent: false
+
+## fips is used to enable and configure the fips-proxy sidecar.
 fips:
-  # fips.enabled -- Enable fips sidecar
+  # fips.enabled -- Enable fips proxy sidecar.
+  # The fips-proxy method is getting phased out in favor of FIPS-compliant images (refer to the `useFIPSAgent` setting).
   enabled: false
 
   # TODO: Option to override config of the FIPS side car: /etc/datadog-fips-proxy/datadog-fips-proxy.cfg
   # customConfig: false
 
   # fips.port -- Specifies which port is used by the containers to communicate to the FIPS sidecar.
+  # This setting is only used for the fips-proxy sidecar.
   port: 9803
 
-  # fips.portRange -- Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577
+  # fips.portRange -- Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577.
+  # This setting is only used for the fips-proxy sidecar.
   portRange: 15
 
-  # fips.use_https -- Option to enable https
+  # fips.use_https -- Option to enable https.
+  # This setting is only used for the fips-proxy sidecar.
   use_https: false
 
   # fips.resources -- Resource requests and limits for the FIPS sidecar container.
+  # This setting is only used for the fips-proxy sidecar.
   resources: {}
     # limits:
     #   cpu: 100m
@@ -1604,7 +1613,8 @@ fips:
     #   cpu: 20m
     #   memory: 64Mi
 
-  # fips.local_address -- Set local IP address
+  # fips.local_address -- Set local IP address.
+  # This setting is only used for the fips-proxy sidecar.
   local_address: "127.0.0.1"
 
   ## Define the Datadog image to work with

test/datadog/fips_mode_test.go

@@ -0,0 +1,123 @@
+package datadog
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"strconv"
+
+	"github.com/DataDog/helm-charts/test/common"
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestFIPSModeConditions(t *testing.T) {
+	tests := []struct {
+		name            string
+		enableFIPSProxy bool
+		enableFIPSAgent bool
+		expectFIPSProxy bool
+		expectFIPSAgent bool
+		enableJMX       bool
+	}{
+		{
+			name:            "neither fips proxy nor fips agent",
+			enableFIPSProxy: false,
+			enableFIPSAgent: false,
+			expectFIPSProxy: false,
+			expectFIPSAgent: false,
+		},
+		{
+			name:            "fips proxy only",
+			enableFIPSProxy: true,
+			enableFIPSAgent: false,
+			expectFIPSProxy: true,
+			expectFIPSAgent: false,
+		},
+		{
+			name:            "fips image only",
+			enableFIPSProxy: false,
+			enableFIPSAgent: true,
+			expectFIPSProxy: false,
+			expectFIPSAgent: true,
+		},
+		{
+			name:            "fips proxy and fips image",
+			enableFIPSProxy: true,
+			enableFIPSAgent: true,
+			expectFIPSProxy: false, // fips proxy should be disabled when fips agent is enabled
+			expectFIPSAgent: true,
+		},
+		{
+			name:            "fips image with JMX enabled",
+			enableFIPSProxy: false,
+			enableFIPSAgent: true,
+			expectFIPSProxy: false,
+			expectFIPSAgent: true,
+			enableJMX:       true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			values := map[string]string{
+				"useFIPSAgent":                 strconv.FormatBool(tt.enableFIPSAgent),
+				"fips.enabled":                 strconv.FormatBool(tt.enableFIPSProxy),
+				"datadog.apiKeyExistingSecret": "datadog-secret",
+				"datadog.appKeyExistingSecret": "datadog-secret",
+			}
+
+			if tt.enableJMX {
+				values["agents.image.tagSuffix"] = "jmx"
+			}
+
+			manifest, err := common.RenderChart(t, common.HelmCommand{
+				ReleaseName: "datadog",
+				ChartPath:   "../../charts/datadog",
+				ShowOnly:    []string{"templates/daemonset.yaml"},
+				Values:      []string{"../../charts/datadog/values.yaml"},
+				Overrides:   values,
+			})
+			require.NoError(t, err, "couldn't render template")
+
+			// Parse the manifest to find the should-enable-fips-proxy value and check image tags
+			var daemonSet appsv1.DaemonSet
+			common.Unmarshal(t, manifest, &daemonSet)
+
+			// Checking that daemonSet contains or not fips-proxy container based on the fips proxy configuration
+			checkFIPSProxy(t, daemonSet.Spec.Template.Spec.Containers, tt.expectFIPSProxy)
+
+			// Checking that all containers have the fips image suffix if fips agent is enabled
+			checkFIPSImage(t, daemonSet.Spec.Template.Spec.Containers, tt.expectFIPSAgent)
+		})
+	}
+}
+
+func checkFIPSProxy(t *testing.T, containers []corev1.Container, expectFIPSProxy bool) {
+	hasFIPSProxy := false
+	for _, container := range containers {
+		if strings.Contains(container.Image, "fips-proxy") {
+			hasFIPSProxy = true
+			break
+		}
+	}
+	if expectFIPSProxy {
+		require.True(t, hasFIPSProxy, "fips proxy container should be present")
+	} else {
+		require.False(t, hasFIPSProxy, "fips proxy container should not be present")
+	}
+}
+
+func checkFIPSImage(t *testing.T, containers []corev1.Container, expectFIPSImage bool) {
+	if expectFIPSImage {
+		for _, container := range containers {
+			require.Contains(t, container.Image, "-fips", fmt.Sprintf("fips container %s should have the fips image suffix: %s", container.Name, container.Image))
+		}
+	} else {
+		for _, container := range containers {
+			require.NotContains(t, container.Image, "-fips", fmt.Sprintf("fips container %s should not have the fips image suffix: %s", container.Name, container.Image))
+		}
+	}
+}