DataDog · dd-mergequeue · May 7, 2025 · Apr 23, 2025 · Apr 23, 2025 · Apr 23, 2025
@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.110.17
+
+* Add a `fips_mode` value that will use add a `-fips` suffix to agent and DCA image tags.
+
 ## 3.110.16
 
 * Fix otel-agent container template to respect config `otelCollector.enabled` in values.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.110.16
+version: 3.110.17
 appVersion: "7"
 description: Datadog Agent
 keywords:

@@ -1,10 +1,10 @@
 # Datadog
 
-![Version: 3.110.16](https://img.shields.io/badge/Version-3.110.16-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.110.17](https://img.shields.io/badge/Version-3.110.17-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
-Datadog [offers two variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
+Datadog [offers three build variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations or set the `fips.useFipsImages: true` value to use the `-fips` tags if you require FIPS compliant cryptography modules. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
 
 See the [Datadog JMX integration](https://docs.datadoghq.com/integrations/java/) to learn more.
 
@@ -903,17 +903,18 @@ helm install <RELEASE_NAME> \
 | existingClusterAgent.serviceName | string | `nil` | Existing service name to use for reaching the external Cluster Agent |
 | existingClusterAgent.tokenSecretName | string | `nil` | Existing secret name to use for external Cluster Agent token |
 | fips.customFipsConfig | object | `{}` | Configure a custom configMap to provide the FIPS configuration. Specify custom contents for the FIPS proxy sidecar container config (/etc/datadog-fips-proxy/datadog-fips-proxy.cfg). If empty, the default FIPS proxy sidecar container config is used. |
-| fips.enabled | bool | `false` | Enable fips sidecar |
+| fips.enabled | bool | `false` |  |
 | fips.image.digest | string | `""` | Define the FIPS sidecar image digest to use, takes precedence over `fips.image.tag` if specified. |
 | fips.image.name | string | `"fips-proxy"` |  |
 | fips.image.pullPolicy | string | `"IfNotPresent"` | Datadog the FIPS sidecar image pull policy |
 | fips.image.repository | string | `nil` | Override default registry + image.name for the FIPS sidecar container. |
 | fips.image.tag | string | `"1.1.9"` | Define the FIPS sidecar container version to use. |
-| fips.local_address | string | `"127.0.0.1"` | Set local IP address |
-| fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. |
-| fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577 |
-| fips.resources | object | `{}` | Resource requests and limits for the FIPS sidecar container. |
-| fips.use_https | bool | `false` | Option to enable https |
+| fips.local_address | string | `"127.0.0.1"` | Set local IP address This setting is only used for the fips-proxy sidecar. |
+| fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. This setting is only used for the fips-proxy sidecar. |
+| fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577 This setting is only used for the fips-proxy sidecar. |
+| fips.resources | object | `{}` | Resource requests and limits for the FIPS sidecar container. This setting is only used for the fips-proxy sidecar. |
+| fips.useFipsImages | bool | `false` |  |
+| fips.use_https | bool | `false` | Option to enable https This setting is only used for the fips-proxy sidecar. |
 | fullnameOverride | string | `nil` | Override the full qualified app name |
 | kube-state-metrics.image.repository | string | `"registry.k8s.io/kube-state-metrics/kube-state-metrics"` | Default kube-state-metrics image repository. |
 | kube-state-metrics.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for KSM. KSM only supports Linux. |

@@ -4,7 +4,7 @@
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
-Datadog [offers two variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
+Datadog [offers three build variants](https://hub.docker.com/r/datadog/agent/tags/), switch to a `-jmx` tag if you need to run JMX/java integrations or set the `fips.useFipsImages: true` value to use the `-fips` tags if you require FIPS compliant cryptography modules. The chart also supports running [the standalone dogstatsd image](https://hub.docker.com/r/datadog/dogstatsd/tags/).
 
 See the [Datadog JMX integration](https://docs.datadoghq.com/integrations/java/) to learn more.
 

@@ -23,7 +23,7 @@
 {{- end -}}
 
 {{- define "fips-envvar" -}}
-{{- if eq  (include "should-enable-fips" .) "true" }}
+{{- if eq  (include "should-enable-fips-proxy" .) "true" }}
 - name: DD_FIPS_ENABLED
   value: {{ .Values.fips.enabled | quote }}
 - name: DD_FIPS_PORT_RANGE_START

@@ -41,7 +41,7 @@
     path: /etc/system-release
   name: etc-system-release
 {{- end -}}
-{{- if eq (include "should-enable-fips" . ) "true" }}
+{{- if eq (include "should-enable-fips-proxy" . ) "true" }}
 {{ include "linux-container-fips-proxy-cfg-volume" . }}
 {{- end }}
 {{- if eq (include "should-mount-hostPath-for-dsd-socket" .) "true" }}

@@ -362,6 +362,9 @@ Return a remote image path based on `.Values` (passed as root) and `.` (any `.im
 {{- if .image.tagSuffix -}}
 {{- $tagSuffix = printf "-%s" .image.tagSuffix -}}
 {{- end -}}
+{{- if (eq (include "use-fips-images" .root) "true") -}}
+{{- $tagSuffix = printf "-%s" "fips" -}}
+{{- end -}}
 {{- if .image.repository -}}
 {{- .image.repository -}}:{{ .image.tag }}{{ $tagSuffix }}
 {{- else -}}
@@ -408,11 +411,22 @@ false
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return true if we should use the -fips image tags.
+*/}}
+{{- define "use-fips-images" -}}
+{{- if .useFipsImages -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return true if the fips side car container should be created.
 */}}
-{{- define "should-enable-fips" -}}
-{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc )) (eq .Values.targetSystem "linux") .Values.fips.enabled -}}
+{{- define "should-enable-fips-proxy" -}}
+{{- if and (not (or (eq (include "use-fips-images" $) "true") (or .Values.providers.gke.autopilot .Values.providers.gke.gdc ))) (eq .Values.targetSystem "linux") .Values.fips.enabled -}}
 true
 {{- else -}}
 false
@@ -423,7 +437,7 @@ false
 Return true if the fips side car configMap should be mounted.
 */}}
 {{- define "should-mount-fips-configmap" -}}
-{{- if and (eq (include "should-enable-fips" .) "true") (not (empty .Values.fips.customFipsConfig)) -}}
+{{- if and (eq (include "should-enable-fips-proxy" .) "true") (not (empty .Values.fips.customFipsConfig)) -}}
 true
 {{- else -}}
 false

@@ -118,7 +118,7 @@ spec:
 {{ toYaml .Values.agents.containers.initContainers.resources | indent 10 }}
 {{- end }}
       containers:
-        {{- if eq  (include "should-enable-fips" .) "true" }}
+        {{- if eq  (include "should-enable-fips-proxy" .) "true" }}
           {{- include "fips-proxy" . | nindent 6 }}
         {{- end }}
       - name: agent

@@ -119,7 +119,7 @@ spec:
           - name: config
             mountPath: /opt/datadog-agent
       containers:
-        {{- if eq  (include "should-enable-fips" .) "true" }}
+        {{- if eq  (include "should-enable-fips-proxy" .) "true" }}
           {{- include "fips-proxy" . | nindent 6 }}
         {{- end }}
       - name: cluster-agent

@@ -125,7 +125,7 @@ spec:
         {{- if eq (include "should-enable-trace-agent" .) "true" }}
           {{- include "container-trace-agent" . | nindent 6 }}
         {{- end }}
-        {{- if eq  (include "should-enable-fips" .) "true" }}
+        {{- if eq  (include "should-enable-fips-proxy" .) "true" }}
           {{- include "fips-proxy" . | nindent 6 }}
         {{- end }}
         {{- if eq  (include "should-enable-process-agent" .) "true" }}

@@ -1569,24 +1569,36 @@
   # existingClusterAgent.clusterchecksEnabled -- set this to false if you don’t want the agents to run the cluster checks of the joined external cluster agent
   clusterchecksEnabled: true
 
-# fips is used to enable the fips sidecar container for GOVCLOUD environments.
+## fips is used to enable and configure the FIPS compliant mode for the Datadog Agent.
+## The current method uses the fips-proxy sidecar to enable FIPS compliance.
+## The fips-proxy will be progressively deprecated in the future in favor of the use of FIPS compliant images.
 fips:
-  # fips.enabled -- Enable fips sidecar
+  ## fips.enabled -- Enable fips compliant mode
   enabled: false
 
+  ## fips.useFipsImages -- Setting fips.useFipsImages: true makes the helm chart install FIPS compliant image tags for use in GOVCLOUD environments
+  ## NOTE: 
+  ##    - setting this to true disables the fips-proxy sidecar
+  ##    - this is the recommended method for enabling FIPS compliance
+  useFipsImages: false
+
   # TODO: Option to override config of the FIPS side car: /etc/datadog-fips-proxy/datadog-fips-proxy.cfg
   # customConfig: false
 
   # fips.port -- Specifies which port is used by the containers to communicate to the FIPS sidecar.
+  # This setting is only used for the fips-proxy sidecar.
   port: 9803
 
   # fips.portRange -- Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577
+  # This setting is only used for the fips-proxy sidecar.
   portRange: 15
 
   # fips.use_https -- Option to enable https
+  # This setting is only used for the fips-proxy sidecar.
   use_https: false
 
   # fips.resources -- Resource requests and limits for the FIPS sidecar container.
+  # This setting is only used for the fips-proxy sidecar.
   resources: {}
     # limits:
     #   cpu: 100m
@@ -1596,9 +1608,11 @@
     #   memory: 64Mi
 
   # fips.local_address -- Set local IP address
+  # This setting is only used for the fips-proxy sidecar.
   local_address: "127.0.0.1"
 
   ## Define the Datadog image to work with
+  # This setting is only used for the fips-proxy sidecar.
   image:
     ## fips.image.name -- Define the FIPS sidecar container image name.
     name: fips-proxy
@@ -1619,6 +1633,7 @@
 
   ## Note: Use `|` to declare multi-line configuration.
   ## ref: https://docs.datadoghq.com/agent/guide/agent-fips-proxy
+  # This setting is only used for the fips-proxy sidecar.
   customFipsConfig: {}  # |
   #  foobar
   #     foo bar baz

@@ -0,0 +1,91 @@
+package datadog
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/DataDog/helm-charts/test/common"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestFIPSModeConditions(t *testing.T) {
+	tests := []struct {
+		name                   string
+		setFipsEnabledSetting  bool
+		setUseFipsImageSetting bool
+		expectFipsProxy        bool
+		expectFipsImageSuffix  bool
+	}{
+		{
+			name:                   "fips.useFipsImages true should not use fips-proxy and use fips image",
+			setFipsEnabledSetting:  true,
+			setUseFipsImageSetting: true,
+			expectFipsProxy:        false,
+			expectFipsImageSuffix:  true,
+		},
+		{
+			name:                   "fips.useFipsImages false and fips.enabled true should use fips-proxy and not use fips image",
+			setFipsEnabledSetting:  true,
+			setUseFipsImageSetting: false,
+			expectFipsProxy:        true,
+			expectFipsImageSuffix:  false,
+		},
+		{
+			name:                   "fips.useFipsImages false and fips.enabled false should not use fips-proxy or fips image",
+			setFipsEnabledSetting:  false,
+			setUseFipsImageSetting: true,
+			expectFipsProxy:        false,
+			expectFipsImageSuffix:  false,
+		},
+		{
+			name:                   "fips.useFipsImages false and fips.enabled false should not use fips-proxy or fips image",
+			setFipsEnabledSetting:  false,
+			setUseFipsImageSetting: true,
+			expectFipsProxy:        false,
+			expectFipsImageSuffix:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			values := map[string]string{
+				// "fips.useFipsImages": strconv.FormatBool(tt.setUseFipsImageSetting),
+				// "fips.enabled":       strconv.FormatBool(tt.setFipsEnabledSetting),
+			}
+
+			manifest, err := common.RenderChart(t, common.HelmCommand{
+				ReleaseName: "datadog",
+				ChartPath:   "../../charts/datadog",
+				Values:      []string{"../../charts/datadog/values.yaml"},
+				Overrides:   values,
+			})
+			require.NoError(t, err, "couldn't render template")
+
+			// Parse the manifest to find the should-enable-fips-proxy value and check image tags
+			var configMap corev1.ConfigMap
+			var daemonSet appsv1.DaemonSet
+
+			common.Unmarshal(t, manifest, &configMap)
+			common.Unmarshal(t, manifest, &daemonSet)
+
+			fmt.Printf("configMap: %+v\n", configMap)
+
+			// Check FIPS proxy setting
+			if value, ok := configMap.Data["should-enable-fips-proxy"]; ok {
+				fmt.Printf("should-enable-fips-proxy: %s\n", value)
+				assert.Equal(t, tt.expectFipsProxy, value == "true", "should-enable-fips-proxy value is incorrect")
+			}
+
+			// Check FIPS image suffix
+			for _, container := range daemonSet.Spec.Template.Spec.Containers {
+				fmt.Printf("container.Image: %s\n", container.Image)
+				assert.Equal(t, tt.expectFipsImageSuffix, strings.Contains(container.Image, "-fips"), "fips image suffix is incorrect")
+			}
+
+		})
+	}
+}