[CWS] Configuration options for enabling CWSInstrumentation in the `c…

…luster-agent` (#1382)

* [CWS] Configuration options for enabling CWSInstrumentation in the cluster-agent and from the operator

* [cws-instrumentation] Nest configuration under clusterRole

charts/datadog-operator/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.4.0
+
+* Add configuration to grant the necessary RBAC to the operator for the CWS Instrumentation Admission Controller feature in the Cluster-Agent.
+
 ## 2.3.0
 
 * Update Datadog Operator version to 1.10.0.

charts/datadog-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: datadog-operator
-version: 2.3.0
+version: 2.4.0
 appVersion: 1.10.0
 description: Datadog Operator
 keywords:

charts/datadog-operator/README.md

@@ -1,6 +1,6 @@
 # Datadog Operator
 
-![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
+![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
 
 ## Values
 
@@ -12,7 +12,7 @@
 | appKey | string | `nil` | Your Datadog APP key |
 | appKeyExistingSecret | string | `nil` | Use existing Secret which stores APP key instead of creating a new one |
 | clusterName | string | `nil` | Set a unique cluster name reporting from the Datadog Operator. |
-| clusterRole | object | `{"allowReadAllResources":false}` | Set specific configuration for the cluster role |
+| clusterRole | object | `{"allowCreatePodsExec":false,"allowReadAllResources":false}` | Set specific configuration for the cluster role |
 | collectOperatorMetrics | bool | `true` | Configures an openmetrics check to collect operator metrics |
 | containerSecurityContext | object | `{}` | A security context defines privileges and access control settings for a container. |
 | datadogAgent.enabled | bool | `true` | Enables Datadog Agent controller |

charts/datadog-operator/templates/clusterrole.yaml

@@ -803,4 +803,9 @@ rules:
   - list
   - watch
 {{- end }}
+{{- if .Values.clusterRole.allowCreatePodsExec }}
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["create"]
 {{- end }}
+{{- end -}}

charts/datadog-operator/values.yaml

@@ -196,3 +196,6 @@ clusterRole:
   # allowReadAllResources is required to allow the operator to view all custom resources.
   # If collecting CRDs in the Kubernetes Explorer this is required
   allowReadAllResources: false
+
+  # allowCreatePodsExec is required for `remote_copy` mode of the CWS Instrumentation feature.
+  allowCreatePodsExec: false

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.82.0
+
+* Add `pods/exec` RBAC to the `Cluster-Agent` when needed and inject the service account name of the `Cluster-Agent` as environment variable.
+
 ## 3.81.2
 
 * Fix ci values.yaml files name to be taken into account by the ci job.

charts/datadog/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 3.81.2
+version: 3.82.0
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.81.2](https://img.shields.io/badge/Version-3.81.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.82.0](https://img.shields.io/badge/Version-3.82.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -571,6 +571,8 @@ helm install <RELEASE_NAME> \
 | clusterAgent.admissionController.agentSidecarInjection.selectors | list | `[]` | Defines the pod selector for sidecar injection, currently only one rule is supported. |
 | clusterAgent.admissionController.configMode | string | `nil` | The kind of configuration to be injected, it can be "hostip", "service", or "socket". |
 | clusterAgent.admissionController.containerRegistry | string | `nil` | Override the default registry for the admission controller. |
+| clusterAgent.admissionController.cwsInstrumentation.enabled | bool | `false` | Enable the CWS Instrumentation admission controller endpoint. |
+| clusterAgent.admissionController.cwsInstrumentation.mode | string | `"remote_copy"` | Mode defines how the CWS Instrumentation should behave. Options are "remote_copy" or "init_container" |
 | clusterAgent.admissionController.enabled | bool | `true` | Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods |
 | clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' |
 | clusterAgent.admissionController.mutateUnlabelled | bool | `false` | Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"' |

charts/datadog/templates/cluster-agent-deployment.yaml

@@ -160,6 +160,10 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
+          - name: DD_CLUSTER_AGENT_SERVICE_ACCOUNT_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
           - name: DD_HEALTH_PORT
           {{- $healthPort := .Values.clusterAgent.healthPort }}
             value: {{ $healthPort | quote }}
@@ -248,6 +252,12 @@ spec:
           {{- else }}
             value: {{ include "registry" .Values | quote }}
           {{- end }}
+          {{- if .Values.clusterAgent.admissionController.cwsInstrumentation.enabled }}
+          - name: DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED
+            value: "true"
+          - name: DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE
+            value: {{ .Values.clusterAgent.admissionController.cwsInstrumentation.mode | quote }}
+          {{- end }}
           {{ include "ac-agent-sidecar-env" . | nindent 10 }}
           - name: DD_REMOTE_CONFIGURATION_ENABLED
             value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }}

charts/datadog/templates/cluster-agent-rbac.yaml

@@ -262,6 +262,11 @@ rules:
 - apiGroups: ["apps"]
   resources: ["statefulsets", "replicasets", "deployments", "daemonsets"]
   verbs: ["get"]
+{{- if and .Values.clusterAgent.admissionController.cwsInstrumentation.enabled (eq .Values.clusterAgent.admissionController.cwsInstrumentation.mode "remote_copy") }}
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["create"]
+{{- end }}
 {{- end }}
 {{- if eq  (include "should-enable-security-agent" .) "true" }}
 {{- if .Values.datadog.securityAgent.compliance.enabled }}

charts/datadog/values.yaml

@@ -1201,6 +1201,14 @@ clusterAgent:
     # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
     port: 8000
 
+    cwsInstrumentation:
+      # clusterAgent.admissionController.cwsInstrumentation.enabled -- Enable the CWS Instrumentation admission controller endpoint.
+      enabled: false
+
+      # clusterAgent.admissionController.cwsInstrumentation.mode -- Mode defines how the CWS Instrumentation should behave.
+      # Options are "remote_copy" or "init_container"
+      mode: remote_copy
+
     agentSidecarInjection:
       # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection.