Agent sidecar injection support via Admission Controller

Author: levan-m

.github/workflows/go-test.yaml

@@ -2,11 +2,11 @@ name: Go Test
 on:
   push:
     paths:
-      - 'test/**'
+      - 'test/datadog-operator/**'
       - 'charts/datadog-operator/**'
   pull_request:
     paths:
-      - 'test/**'
+      - 'test/datadog-operator/**'
       - 'charts/datadog-operator/**'
 env:
   GO111MODULE: "on"

charts/datadog/templates/NOTES.txt

@@ -538,3 +538,14 @@ You are using the datadog.securityAgent.compliance.xccdf.enabled parameter which
 This version still supports both but the support of the old name will be dropped in the next major version of our Helm chart.
 More information about this change: https://github.com/DataDog/helm-charts/pull/1161
 {{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.enabled }}
+    {{- if (semverCompare "<7.52.0" .Values.clusterAgent.image.tag) }}
+##############################################################################
+####               WARNING: Sidecar injection not supported.              ####
+##############################################################################
+
+The clusterAgent.admissionController.agentSidecarInjection.enabled is only supported
+by Cluster Agent 7.52.0 or later. Enabling this flag will not have any effect.
+    {{- end }}
+{{- end }}

charts/datadog/templates/_ac-agent-sidecar-env.yaml

@@ -0,0 +1,43 @@
+{{- define "ac-agent-sidecar-env" -}}
+{{- if and .Values.clusterAgent.admissionController.enabled .Values.clusterAgent.admissionController.agentSidecarInjection.enabled }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+  value: "true"
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.provider }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.provider }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.containerRegistry }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.containerRegistry }}
+{{- else if .Values.registry }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+  value: {{ .Values.registry }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.imageName }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageName }}
+{{- else if .Values.agents.image.name}}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+  value: {{ .Values.agents.image.name }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+  value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag }}
+{{- else if .Values.agents.image.tag}}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+  value: {{ .Values.agents.image.tag }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.selectors }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS
+  value: '{{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.selectors }}'
+{{- end }}
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.profiles }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES
+  value: '{{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.profiles }}'
+{{- end }}
+{{- end }}
+{{- end }}

charts/datadog/templates/cluster-agent-deployment.yaml

@@ -235,6 +235,7 @@ spec:
           - name: DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_PATCHER_ENABLED
             value: "true"
           {{- end }}
+          {{ include "ac-agent-sidecar-env" . | nindent 10 }}
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }}
           {{- if .Values.datadog.apm.instrumentation.enabled }}

charts/datadog/values.yaml

@@ -1061,6 +1061,56 @@ clusterAgent:
     # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
     port: 8000
 
+    agentSidecarInjection:
+      # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection.
+      
+      ## When enabled, Admission Controller mutating webhook will inject Agent sidecar with minimal configuration in every pods meeting configured criteria.
+      ## ref: https://docs.datadoghq.com/integrations/eks_fargate
+      enabled: false
+      
+      # clusterAgent.admissionController.agentSidecarInjection.provider -- Used by Admission Controller to add infrastructure provider specific configurations to the Agent sidecar. 
+      
+      ## Currently only "fargate" is supported. To use the feature in other environments (including local testing) omit the config.
+      provider: # "fargate" or ""
+      
+      # clusterAgent.admissionController.agentSidecarInjection.clusterAgentEnabled -- Enable communication between Agent sidecars and Cluster Agent.
+      clusterAgentEnabled: true
+
+      # clusterAgent.admissionController.containerRegistry -- Override default registry for sidecar Agent.
+      containerRegistry:
+
+      # clusterAgent.admissionController.imageName -- Override default agents.image.name for Agent sidecar.
+      imageName:
+
+      # clusterAgent.admissionController.imageTag -- Override default agents.image.tag for Agent sidecar.
+      imageTag: 
+      
+      # clusterAgent.admissionController.agentSidecarInjection.selectors -- Defines pod selector for sidecar injection, only one rule is supported.
+      selectors: []
+        # - objectSelector:
+        #   matchLabels:
+        #       "podlabelKey1": podlabelValue1
+        #       "podlabelKey2": podlabelValue2
+        #   namespaceSelector:
+        #     matchLabels:
+        #       "nsLabelKey1": nsLabelValue1
+        #       "nsLabelKey2": nsLabelValue2
+      
+      # clusterAgent.admissionController.agentSidecarInjection.profiles -- Defines sidecar configuration override, only one profile is supported.
+
+      ## This setting allows to override sidecar Agent configuration by adding environment variables and providing resource settings.
+      profiles: []
+        # - env:
+        #     - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
+        #       value: "true"
+        #   resources:
+        #     requests:
+        #       cpu: "1"
+        #       memory: "512Mi"
+        #     limits:
+        #       cpu: "2"
+        #       memory: "1024Mi"
+
   # clusterAgent.confd -- Provide additional cluster check configurations. Each key will become a file in /conf.d.
 
   ## ref: https://docs.datadoghq.com/agent/autodiscovery/

test/datadog/baseline/agent-clusterchecks-deployment_default.yaml

@@ -36,7 +36,7 @@ spec:
 
       name: datadog-clusterchecks
       annotations:
-        checksum/clusteragent_token: 2a2bc6b89e48b04b4499adc7d022f736a18ee78f96da00520796532402bd8550
+        checksum/clusteragent_token: a27982154deaa89254d681a77c2259d7e679a6d30a8e42c2cc382ab12362901f
         checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
     spec:
       serviceAccountName: datadog-cluster-checks

test/datadog/baseline/cluster-agent-deployment_default.yaml

@@ -36,7 +36,7 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: 64345c6150cd562acd79e6965148d36a188d36b4c5656963c7beb3b62ff5bf7d
+        checksum/clusteragent_token: 5e73a77242cd46ce2e8572b9d427708ef62cda418c62a4441c872f43c0cfc8d7
         checksum/clusteragent-configmap: 7f009f417a71add9ae521f09f0eaf63c29efd5cdd701f5d92714fc3ac1800b6f
         checksum/api_key: dbe0d3b411cc72447e81235afeed9e2102588d5088fcbb696a2db9e4e31af712
         checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
@@ -105,6 +105,8 @@ spec:
             value: "Ignore"
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
+          
+          
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml

@@ -36,7 +36,7 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: bf8ff7d8f04853084ee401bfe3e4d5e83c6764f82c63c32bbb749a66681cb397
+        checksum/clusteragent_token: ecd48e62f885ce8d94f5a2c8891c6c0e7cb740834f73e72bf03ac9a1ba518412
         checksum/clusteragent-configmap: 7f009f417a71add9ae521f09f0eaf63c29efd5cdd701f5d92714fc3ac1800b6f
         checksum/api_key: dbe0d3b411cc72447e81235afeed9e2102588d5088fcbb696a2db9e4e31af712
         checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
@@ -106,7 +106,19 @@ spec:
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
 
-          # TODO cluster agent version check
+          
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+            value: "true"
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+            value: gcr.io/datadoghq
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+            value: agent
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+            value: 7.53.0
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS
+            value: '[{"namespaceSelector":{"matchLabels":{"agentSidecars":"true"}},"objectSelector":{"matchLabels":{"app":"nginx","runsOn":"nodeless"}}}]'
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES
+            value: '[{"env":[{"name":"DD_ORCHESTRATOR_EXPLORER_ENABLED","value":"false"}],"resources":{"limits":{"cpu":"2","memory":"1024Mi"},"requests":{"cpu":"1","memory":"512Mi"}}}]'
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml

@@ -36,7 +36,7 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: be494ddb6dfc1e236fd2df24cd29923903e1dc4d171f4d74795e26e5fc8b6aa9
+        checksum/clusteragent_token: e3d005d6dff3e012e59ebf6787cabc97a0ce7a826fb88a985fa9e3ee1c4b897f
         checksum/clusteragent-configmap: 7f009f417a71add9ae521f09f0eaf63c29efd5cdd701f5d92714fc3ac1800b6f
         checksum/api_key: dbe0d3b411cc72447e81235afeed9e2102588d5088fcbb696a2db9e4e31af712
         checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
@@ -106,7 +106,15 @@ spec:
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
 
-          # TODO cluster agent version check
+          
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+            value: "true"
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER
+            value: fargate
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+            value: agent
+          - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+            value: 7.51.0
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline/daemonset_default.yaml

@@ -30,7 +30,7 @@ spec:
 
       name: datadog
       annotations:
-        checksum/clusteragent_token: 3b6811ea07d2b99a0f0fdba3311c16fe34515f24ea3bbc3395ed7600d8a541bc
+        checksum/clusteragent_token: a2247471c9f45da90af6ffbca68d5253753fe8fd99568d95d00bb32c0053dd5d
         checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
         checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b
         checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

test/datadog/baseline/other_default.yaml

@@ -99,7 +99,7 @@ metadata:
     app.kubernetes.io/version: "7"
 type: Opaque
 data:
-  token: "QzdpVlQxRTRoU2lSNlFteEZqWjl6RFFJRFV4bzlzRU4="
+  token: "VDV4MWZTb1FvWDREcm5hMlBYaklXT0IxQmRlcm1QQUk="
 ---
 # Source: datadog/templates/cluster-agent-confd-configmap.yaml
 apiVersion: v1
@@ -185,9 +185,9 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/version: "7"
 data:
-  install_id: "e2a0fac0-1cd5-44d6-bb6c-8878699e1dd4"
+  install_id: "a55b4d56-a363-4f59-95e1-a39d8eb06cac"
   install_type: k8s_manual
-  install_time: "1709149978"
+  install_time: "1710523214"
 ---
 # Source: datadog/templates/cluster-agent-rbac.yaml
 apiVersion: "rbac.authorization.k8s.io/v1"
@@ -808,7 +808,7 @@ spec:
 
       name: datadog
       annotations:
-        checksum/clusteragent_token: c9184bcaa371fdfaa1d86bc729cc022ee91730c48a87174a10787cdfe8dc5acc
+        checksum/clusteragent_token: 239e62f7908327b7110d0e12f11a758f7cd65339d87c7cde816ca9f4daaed148
         checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
         checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b
         checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
@@ -1290,7 +1290,7 @@ spec:
 
       name: datadog-clusterchecks
       annotations:
-        checksum/clusteragent_token: de6adc9c0cc883525e7c5915e72c98fe170c0606a36d7a01481988b622d1bcad
+        checksum/clusteragent_token: 5680d8ac272dacf1ebf5825280bf07461e17b04341ece6697f156307f5804518
         checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
     spec:
       serviceAccountName: datadog-cluster-checks
@@ -1471,7 +1471,7 @@ spec:
 
       name: datadog-cluster-agent
       annotations:
-        checksum/clusteragent_token: 54246db63a3d62937e36712985dc2c26e092adae8cf7460e8bee17e21abdc65c
+        checksum/clusteragent_token: bad4e1460b330b929541d47c97ff618001505c56ac50e29459be18fa85053376
         checksum/clusteragent-configmap: 358d304b0a5c7d72ee884b4973628f54e132dd0725ac3d1a119391f8b18f7105
         checksum/install_info: ba661cfd1e600203476c7247bad81157e5bc70aaa7f91e6cdd6be6a469cd0093
     spec:
@@ -1538,6 +1538,8 @@ spec:
             value: "Ignore"
           - name: DD_ADMISSION_CONTROLLER_PORT
             value: "8000"
+          
+          
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: "false"
           - name: DD_CLUSTER_CHECKS_ENABLED

test/datadog/baseline_test.go

@@ -56,8 +56,9 @@ func Test_baseline_manifests(t *testing.T) {
 				ReleaseName: "datadog",
 				ChartPath:   "../../charts/datadog",
 				ShowOnly:    []string{"templates/cluster-agent-deployment.yaml"},
-				Values:      []string{"../../charts/datadog/values.yaml" /*,"./manifests/dca_AC_sidecar_fargateMinimal.yaml"*/},
-				Overrides:   map[string]string{},
+				Values: []string{"../../charts/datadog/values.yaml",
+					"./manifests/dca_AC_sidecar_fargateMinimal.yaml"},
+				Overrides: map[string]string{},
 			},
 			baselineManifestPath: "./baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml",
 			assertions:           verifyDeployment,
@@ -68,8 +69,9 @@ func Test_baseline_manifests(t *testing.T) {
 				ReleaseName: "datadog",
 				ChartPath:   "../../charts/datadog",
 				ShowOnly:    []string{"templates/cluster-agent-deployment.yaml"},
-				Values:      []string{"../../charts/datadog/values.yaml" /*,"./manifests/dca_AC_sidecar_advanced.yaml"*/},
-				Overrides:   map[string]string{},
+				Values: []string{"../../charts/datadog/values.yaml",
+					"./manifests/dca_AC_sidecar_advanced.yaml"},
+				Overrides: map[string]string{},
 			},
 			baselineManifestPath: "./baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml",
 			assertions:           verifyDeployment,