From 76c137d42b1b3f1283371493e5dfc81d0063b8f4 Mon Sep 17 00:00:00 2001 From: louis-cqrl <93274433+louis-cqrl@users.noreply.github.com> Date: Wed, 27 Nov 2024 13:57:54 +0100 Subject: [PATCH 1/6] Update FIPS Proxy version to 1.1.6 (#1616) * Update tag version for fips image * fix typo * Update charts/datadog/CHANGELOG.md Co-authored-by: Celene --------- Co-authored-by: Celene --- charts/datadog/CHANGELOG.md | 4 ++++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 4 ++-- charts/datadog/values.yaml | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index d9817331a..30012d4e8 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.81.1 + +* Update default `fips.image.tag` to `1.1.6`, which updates PCRE2 version to 10.44 and HAProxy version to 2.4.28 + ## 3.81.0 * Add a new option to disable hostPorts for the trace-agent with `datadog.apm.useLocalService`. This option enables K8s clusters with hostPort and hostPath volumes restrictions to use the K8s local service to send traces. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index a7f218f42..2fc906c6f 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.81.0 +version: 3.81.1 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 5ef7b7343..4422c7fc8 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.81.0](https://img.shields.io/badge/Version-3.81.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.81.1](https://img.shields.io/badge/Version-3.81.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). @@ -876,7 +876,7 @@ helm install \ | fips.image.name | string | `"fips-proxy"` | | | fips.image.pullPolicy | string | `"IfNotPresent"` | Datadog the FIPS sidecar image pull policy | | fips.image.repository | string | `nil` | Override default registry + image.name for the FIPS sidecar container. | -| fips.image.tag | string | `"1.1.5"` | Define the FIPS sidecar container version to use. | +| fips.image.tag | string | `"1.1.6"` | Define the FIPS sidecar container version to use. | | fips.local_address | string | `"127.0.0.1"` | Set local IP address | | fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. | | fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577 | diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml index 9a0efb3bf..cccf21d2c 100644 --- a/charts/datadog/values.yaml +++ b/charts/datadog/values.yaml 
@@ -1475,7 +1475,7 @@ fips: name: fips-proxy # fips.image.tag -- Define the FIPS sidecar container version to use. - tag: 1.1.5 + tag: 1.1.6 # fips.image.pullPolicy -- Datadog the FIPS sidecar image pull policy pullPolicy: IfNotPresent From 1ccd7aaa914de63e5b9f294219ebd15cda3f1893 Mon Sep 17 00:00:00 2001 From: Cedric Lamoriniere Date: Tue, 3 Dec 2024 09:55:36 +0100 Subject: [PATCH 2/6] fix(mergequeue): check gitlab-ci to merge PR (#1620) --- repository.datadog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/repository.datadog.yml b/repository.datadog.yml index 814d38c3e..d7d2e4d3c 100644 --- a/repository.datadog.yml +++ b/repository.datadog.yml @@ -1,7 +1,7 @@ --- schema-version: v1 kind: mergequeue -gitlab_check_enable: false +gitlab_check_enable: true github_teams_restrictions: - action-platform - agent-all From b1b9f4c19f828e1e95af0c942dcc3640c21d3a73 Mon Sep 17 00:00:00 2001 From: Cedric Lamoriniere Date: Tue, 3 Dec 2024 12:38:54 +0100 Subject: [PATCH 3/6] fix(datadog): rename ci values files to be properly tested (#1612) --- charts/datadog/CHANGELOG.md | 4 ++++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 2 +- ...apshotter.yaml => agent-sbom-snapshotter-values.yaml} | 0 .../ci/{autoscaling.yaml => autoscaling-values.yaml} | 3 ++- charts/datadog/ci/image-digest-values.yaml | 9 +++++++++ charts/datadog/ci/image-digest.yaml | 9 --------- .../ci/{otlp-ingest.yaml => otlp-ingest-values.yaml} | 2 +- 8 files changed, 18 insertions(+), 13 deletions(-) rename charts/datadog/ci/{agent-sbom-snapshotter.yaml => agent-sbom-snapshotter-values.yaml} (100%) rename charts/datadog/ci/{autoscaling.yaml => autoscaling-values.yaml} (78%) create mode 100644 charts/datadog/ci/image-digest-values.yaml delete mode 100644 charts/datadog/ci/image-digest.yaml rename charts/datadog/ci/{otlp-ingest.yaml => otlp-ingest-values.yaml} (80%) diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index 30012d4e8..bb852d4de 100644 
--- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.81.2 + +* Fix ci values.yaml files name to be taken into account by the ci job. + ## 3.81.1 * Update default `fips.image.tag` to `1.1.6`, which updates PCRE2 version to 10.44 and HAProxy version to 2.4.28 diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 2fc906c6f..8ac68f8fc 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.81.1 +version: 3.81.2 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 4422c7fc8..7d58c19a9 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.81.1](https://img.shields.io/badge/Version-3.81.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.81.2](https://img.shields.io/badge/Version-3.81.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). diff --git a/charts/datadog/ci/agent-sbom-snapshotter.yaml b/charts/datadog/ci/agent-sbom-snapshotter-values.yaml similarity index 100% rename from charts/datadog/ci/agent-sbom-snapshotter.yaml rename to charts/datadog/ci/agent-sbom-snapshotter-values.yaml 
diff --git a/charts/datadog/ci/autoscaling.yaml b/charts/datadog/ci/autoscaling-values.yaml similarity index 78% rename from charts/datadog/ci/autoscaling.yaml rename to charts/datadog/ci/autoscaling-values.yaml index 1c2602297..6d677b170 100644 --- a/charts/datadog/ci/autoscaling.yaml +++ b/charts/datadog/ci/autoscaling-values.yaml @@ -3,7 +3,7 @@ datadog: appKey: "0000000000000000000000000000000000000000" orchestratorExplorer: customResources: - - datadoghq.com/v1alpha1/datadogpodautoscalers + - datadoghq.com/v1alpha1/datadogpodautoscalers autoscaling: workload: enabled: true @@ -12,3 +12,4 @@ datadog: clusterAgent: image: tag: beta + doNotCheckTag: true diff --git a/charts/datadog/ci/image-digest-values.yaml b/charts/datadog/ci/image-digest-values.yaml new file mode 100644 index 000000000..c3bf66a1b --- /dev/null +++ b/charts/datadog/ci/image-digest-values.yaml @@ -0,0 +1,9 @@ +clusterAgent: + image: + digest: sha256:28a5e138123e273643527341c3e38721cec2d89a472958df8e956ae681c10d75 # corresponds to 7.59.0 +agents: + image: + digest: sha256:9b4be18f644bd35dad2387f37d9859674080889642b970c0e924d027c4182f6d # corresponds to 7.59.0 +clusterChecksRunner: + image: + digest: sha256:9b4be18f644bd35dad2387f37d9859674080889642b970c0e924d027c4182f6d # corresponds to 7.59.0 diff --git a/charts/datadog/ci/image-digest.yaml b/charts/datadog/ci/image-digest.yaml deleted file mode 100644 index 5e81f2ec4..000000000 --- a/charts/datadog/ci/image-digest.yaml +++ /dev/null @@ -1,9 +0,0 @@ -clusterAgent: - image: - digest: sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108 -agents: - image: - digest: sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108 -clusterChecksRunner: - image: - digest: sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108 \ No newline at end of file 
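Review bot: `doNotCheckTag: true` is added under `clusterAgent.image` in the `@@ -12` hunk with no comment saying which check it bypasses or why the floating `beta` tag needs it, so the next reader cannot tell whether this is a CI-only workaround or something users should copy. Presumably it suppresses the chart's cluster-agent tag validation that `beta` would otherwise fail; a one-line comment above it, `# the beta tag does not satisfy the chart's tag check; CI-only override`, would make that explicit. The same file's `@@ -3` hunk only changes indentation, and the enclosing `clusterAgent:` mapping starts outside the hunk.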
diff --git a/charts/datadog/ci/otlp-ingest.yaml b/charts/datadog/ci/otlp-ingest-values.yaml similarity index 80% rename from charts/datadog/ci/otlp-ingest.yaml rename to charts/datadog/ci/otlp-ingest-values.yaml index cfeed5ef4..39fb464fd 100644 --- a/charts/datadog/ci/otlp-ingest.yaml +++ b/charts/datadog/ci/otlp-ingest-values.yaml @@ -3,6 +3,6 @@ datadog: receiver: protocols: grpc: - enabled: true + enabled: true http: enabled: true From 19f1358ec56cce70d7cb14c5d3e778216d6c0ca8 Mon Sep 17 00:00:00 2001 From: Guillaume Fournier <36961134+Gui774ume@users.noreply.github.com> Date: Tue, 3 Dec 2024 16:12:58 +0100 Subject: [PATCH 4/6] [CWS] Configuration options for enabling CWSInstrumentation in the `cluster-agent` (#1382) * [CWS] Configuration options for enabling CWSInstrumentation in the cluster-agent and from the operator * [cws-instrumentation] Nest configuration under clusterRole --- charts/datadog-operator/CHANGELOG.md | 4 ++++ charts/datadog-operator/Chart.yaml | 2 +- charts/datadog-operator/README.md | 4 ++-- charts/datadog-operator/templates/clusterrole.yaml | 5 +++++ charts/datadog-operator/values.yaml | 3 +++ charts/datadog/CHANGELOG.md | 4 ++++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 4 +++- charts/datadog/templates/cluster-agent-deployment.yaml | 10 ++++++++++ charts/datadog/templates/cluster-agent-rbac.yaml | 5 +++++ charts/datadog/values.yaml | 8 ++++++++ 11 files changed, 46 insertions(+), 5 deletions(-) diff --git a/charts/datadog-operator/CHANGELOG.md b/charts/datadog-operator/CHANGELOG.md index 773a75e11..c0e157a71 100644 --- a/charts/datadog-operator/CHANGELOG.md +++ b/charts/datadog-operator/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 2.4.0 + +* Add configuration to grant the necessary RBAC to the operator for the CWS Instrumentation Admission Controller feature in the Cluster-Agent. + ## 2.3.0 * Update Datadog Operator version to 1.10.0. 
diff --git a/charts/datadog-operator/Chart.yaml b/charts/datadog-operator/Chart.yaml index c9e85b586..1c88e1898 100644 --- a/charts/datadog-operator/Chart.yaml +++ b/charts/datadog-operator/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: datadog-operator -version: 2.3.0 +version: 2.4.0 appVersion: 1.10.0 description: Datadog Operator keywords: diff --git a/charts/datadog-operator/README.md b/charts/datadog-operator/README.md index 532eb73ce..91a76093e 100644 --- a/charts/datadog-operator/README.md +++ b/charts/datadog-operator/README.md @@ -1,6 +1,6 @@ # Datadog Operator -![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) +![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) ## Values @@ -12,7 +12,7 @@ | appKey | string | `nil` | Your Datadog APP key | | appKeyExistingSecret | string | `nil` | Use existing Secret which stores APP key instead of creating a new one | | clusterName | string | `nil` | Set a unique cluster name reporting from the Datadog Operator. | -| clusterRole | object | `{"allowReadAllResources":false}` | Set specific configuration for the cluster role | +| clusterRole | object | `{"allowCreatePodsExec":false,"allowReadAllResources":false}` | Set specific configuration for the cluster role | | collectOperatorMetrics | bool | `true` | Configures an openmetrics check to collect operator metrics | | containerSecurityContext | object | `{}` | A security context defines privileges and access control settings for a container. | | datadogAgent.enabled | bool | `true` | Enables Datadog Agent controller | diff --git a/charts/datadog-operator/templates/clusterrole.yaml b/charts/datadog-operator/templates/clusterrole.yaml index 1032e2aba..1b7f4b2c4 100644 
--- a/charts/datadog-operator/templates/clusterrole.yaml +++ b/charts/datadog-operator/templates/clusterrole.yaml @@ -803,4 +803,9 @@ rules: - list - watch {{- end }} +{{- if .Values.clusterRole.allowCreatePodsExec }} +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] {{- end }} +{{- end -}} diff --git a/charts/datadog-operator/values.yaml b/charts/datadog-operator/values.yaml index 3558679f4..31f8ecd9c 100644 --- a/charts/datadog-operator/values.yaml +++ b/charts/datadog-operator/values.yaml @@ -196,3 +196,6 @@ clusterRole: # allowReadAllResources is required to allow the operator to view all custom resources. # If collecting CRDs in the Kubernetes Explorer this is required allowReadAllResources: false + + # allowCreatePodsExec is required for `remote_copy` mode of the CWS Instrumentation feature. + allowCreatePodsExec: false diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index bb852d4de..a2523c9a5 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.82.0 + +* Add `pods/exec` RBAC to the `Cluster-Agent` when needed and inject the service account name of the `Cluster-Agent` as environment variable. + ## 3.81.2 * Fix ci values.yaml files name to be taken into account by the ci job. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 8ac68f8fc..4243de025 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.81.2 +version: 3.82.0 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 7d58c19a9..4eb643233 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
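Review bot: The new `pods/exec` rule grants `create` cluster-wide with no `resourceNames` or namespace scoping, and neither this template nor the `allowCreatePodsExec` comment in the operator `values.yaml` hunk further along this line says so; `create` on `pods/exec` is effectively the ability to run commands inside every pod the role can reach, so anyone opting in should see that stated where they set the flag. Presumably the operator needs the verb itself because Kubernetes RBAC will not let it grant a permission it does not hold to the Cluster Agent it manages, which is worth recording next to the flag. Suggest extending the values comment to `# allowCreatePodsExec grants the operator cluster-wide create on pods/exec (exec into any pod); needed only for the remote_copy mode of CWS Instrumentation.` The same documentation gap applies to the `cwsInstrumentation.mode` comment in the Datadog chart's `values.yaml` hunk and to the matching rule in `cluster-agent-rbac.yaml`. The enclosing `rules:` list starts outside the hunk.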
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.81.2](https://img.shields.io/badge/Version-3.81.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.82.0](https://img.shields.io/badge/Version-3.82.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -571,6 +571,8 @@ helm install \ | clusterAgent.admissionController.agentSidecarInjection.selectors | list | `[]` | Defines the pod selector for sidecar injection, currently only one rule is supported. | | clusterAgent.admissionController.configMode | string | `nil` | The kind of configuration to be injected, it can be "hostip", "service", or "socket". | | clusterAgent.admissionController.containerRegistry | string | `nil` | Override the default registry for the admission controller. | +| clusterAgent.admissionController.cwsInstrumentation.enabled | bool | `false` | Enable the CWS Instrumentation admission controller endpoint. | +| clusterAgent.admissionController.cwsInstrumentation.mode | string | `"remote_copy"` | Mode defines how the CWS Instrumentation should behave. Options are "remote_copy" or "init_container" | | clusterAgent.admissionController.enabled | bool | `true` | Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods | | clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' | | clusterAgent.admissionController.mutateUnlabelled | bool | `false` | Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"' | diff --git a/charts/datadog/templates/cluster-agent-deployment.yaml b/charts/datadog/templates/cluster-agent-deployment.yaml index ba6b9119a..1eb9c4fbb 100644 --- a/charts/datadog/templates/cluster-agent-deployment.yaml +++ b/charts/datadog/templates/cluster-agent-deployment.yaml @@ -160,6 +160,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DD_CLUSTER_AGENT_SERVICE_ACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName - name: DD_HEALTH_PORT {{- $healthPort := .Values.clusterAgent.healthPort }} value: {{ $healthPort | quote }} 
@@ -248,6 +252,12 @@ spec: {{- else }} value: {{ include "registry" .Values | quote }} {{- end }} + {{- if .Values.clusterAgent.admissionController.cwsInstrumentation.enabled }} + - name: DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED + value: "true" + - name: DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE + value: {{ .Values.clusterAgent.admissionController.cwsInstrumentation.mode | quote }} + {{- end }} {{ include "ac-agent-sidecar-env" . | nindent 10 }} - name: DD_REMOTE_CONFIGURATION_ENABLED value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }} diff --git a/charts/datadog/templates/cluster-agent-rbac.yaml b/charts/datadog/templates/cluster-agent-rbac.yaml index e02be2434..2da18ea9b 100644 --- a/charts/datadog/templates/cluster-agent-rbac.yaml +++ b/charts/datadog/templates/cluster-agent-rbac.yaml @@ -262,6 +262,11 @@ rules: - apiGroups: ["apps"] resources: ["statefulsets", "replicasets", "deployments", "daemonsets"] verbs: ["get"] +{{- if and .Values.clusterAgent.admissionController.cwsInstrumentation.enabled (eq .Values.clusterAgent.admissionController.cwsInstrumentation.mode "remote_copy") }} +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] +{{- end }} {{- end }} {{- if eq (include "should-enable-security-agent" .) "true" }} {{- if .Values.datadog.securityAgent.compliance.enabled }} diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml index cccf21d2c..d492b8ed9 100644 --- a/charts/datadog/values.yaml +++ b/charts/datadog/values.yaml 
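Review bot: `cwsInstrumentation.mode` is passed straight into `DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE` without being checked against the two documented values, so a typo such as `remote-copy` renders silently; because the rule in `cluster-agent-rbac.yaml` compares against the exact string `remote_copy`, a mistyped value also quietly skips the `pods/exec` grant, which is harder to diagnose than a failed render. `fail` is already used elsewhere in this chart's templates (for example `NOTES.txt`), so a guard inside the enabled block such as `{{- if not (has .Values.clusterAgent.admissionController.cwsInstrumentation.mode (list "remote_copy" "init_container")) }}{{ fail "clusterAgent.admissionController.cwsInstrumentation.mode must be remote_copy or init_container" }}{{- end }}` would catch it at install time. The surrounding `env:` list starts and ends outside the hunk.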
@@ -1201,6 +1201,14 @@ clusterAgent: # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service port: 8000 + cwsInstrumentation: + # clusterAgent.admissionController.cwsInstrumentation.enabled -- Enable the CWS Instrumentation admission controller endpoint. + enabled: false + + # clusterAgent.admissionController.cwsInstrumentation.mode -- Mode defines how the CWS Instrumentation should behave. + # Options are "remote_copy" or "init_container" + mode: remote_copy + agentSidecarInjection: # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection. From 54edc22d80a42329ab63fa5a9d80159b8962b0f7 Mon Sep 17 00:00:00 2001 From: Cedric Lamoriniere Date: Wed, 4 Dec 2024 10:28:55 +0100 Subject: [PATCH 5/6] Add talos support for os-release files (#1611) Co-authored-by: faelis <91593249+faelis@users.noreply.github.com> --- charts/datadog/CHANGELOG.md | 6 ++++ charts/datadog/Chart.yaml | 3 +- charts/datadog/README.md | 5 ++- .../disable-defaultosreleasepath-values.yaml | 4 +++ charts/datadog/ci/provider-talos-values.yaml | 8 +++++ charts/datadog/templates/NOTES.txt | 19 +++++++++++ .../datadog/templates/_container-agent.yaml | 4 ++- .../_container-host-release-volumemounts.yaml | 10 +++--- .../templates/_container-process-agent.yaml | 2 +- .../templates/_container-security-agent.yaml | 2 ++ .../templates/_container-system-probe.yaml | 2 +- .../templates/_daemonset-volumes-linux.yaml | 4 +-- charts/datadog/templates/_helpers.tpl | 34 ++++++++++++++++++- charts/datadog/values.yaml | 16 +++++++++ 14 files changed, 107 insertions(+), 12 deletions(-) create mode 100644 charts/datadog/ci/disable-defaultosreleasepath-values.yaml create mode 100644 charts/datadog/ci/provider-talos-values.yaml diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index a2523c9a5..bfb699795 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md 
@@ -1,5 +1,11 @@ # Datadog changelog +## 3.83.0 + +* Added the configuration value `datadog.disablePasswdMount` to disable mounting the `/etc/passwd` path from the host filesystem. This option should be used when the underlying OS does not have these files (e.g., Talos OS). +* Added the configuration value `datadog.disableDefaultOsReleasePaths` to disable mounting the default "os-release" file paths from the host filesystem (e.g., `/etc/redhat-release`, `/etc/fedora-release`, etc.). Note that this change does not affect the `datadog.osReleasePath` option. To avoid mounting the `/etc/os-release` host path, set the `datadog.osReleasePath` configuration value to an empty string. This option should be used when the underlying OS does not have these files (e.g., Talos OS). +* Add `providers.talos.enabled` to simplify agent deployment configuration on Talos OS. + ## 3.82.0 * Add `pods/exec` RBAC to the `Cluster-Agent` when needed and inject the service account name of the `Cluster-Agent` as environment variable. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 4243de025..51ac9983d 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,7 @@ +--- apiVersion: v1 name: datadog -version: 3.82.0 +version: 3.83.0 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 4eb643233..8e5b1fb00 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.82.0](https://img.shields.io/badge/Version-3.82.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.83.0](https://img.shields.io/badge/Version-3.83.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). @@ -727,6 +727,8 @@ helm install \ | datadog.containerRuntimeSupport.enabled | bool | `true` | Set this to false to disable agent access to container runtime. | | datadog.criSocketPath | string | `nil` | Path to the container runtime socket (if different from Docker) | | datadog.dd_url | string | `nil` | The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL | +| datadog.disableDefaultOsReleasePaths | bool | `false` | Set this to true to disable mounting datadog.osReleasePath in all containers | +| datadog.disablePasswdMount | bool | `false` | Set this to true to disable mounting /etc/passwd in all containers | | datadog.dockerSocketPath | string | `nil` | Path to the docker socket | | datadog.dogstatsd.hostSocketPath | string | `"/var/run/datadog/"` | Host path to the DogStatsD socket | | datadog.dogstatsd.nonLocalTraffic | bool | `true` | Enable this to make each node accept non-local statsd traffic (from outside of the pod) | 
@@ -897,6 +899,7 @@ helm install \ | providers.gke.autopilot | bool | `false` | Enables Datadog Agent deployment on GKE Autopilot | | providers.gke.cos | bool | `false` | Enables Datadog Agent deployment on GKE with Container-Optimized OS (COS) | | providers.gke.gdc | bool | `false` | Enables Datadog Agent deployment on GKE on Google Distributed Cloud (GDC) | +| providers.talos.enabled | bool | `false` | Activate all required specificities related to Talos.dev configuration, as currently the chart cannot auto-detect Talos.dev cluster. Note: The Agent deployment requires additional privileges that are not permitted by the default pod security policy. The annotation `pod-security.kubernetes.io/enforce=privileged` must be applied to the Datadog installation Kubernetes namespace. For more information on pod security policies in Talos.dev clusters, see: https://www.talos.dev/v1.8/kubernetes-guides/configuration/pod-security/ | | registry | string | `nil` | Registry to use for all Agent images (default to [gcr.io | eu.gcr.io | asia.gcr.io | datadoghq.azurecr.io | public.ecr.aws/datadog] depending on datadog.site value) | | remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration on the Cluster Agent (if set) and the node agent. Can be overridden if `datadog.remoteConfiguration.enabled` Preferred way to enable Remote Configuration. | | targetSystem | string | `"linux"` | Target OS for this deployment (possible values: linux, windows) | diff --git a/charts/datadog/ci/disable-defaultosreleasepath-values.yaml b/charts/datadog/ci/disable-defaultosreleasepath-values.yaml new file mode 100644 index 000000000..ec6a32782 --- /dev/null +++ b/charts/datadog/ci/disable-defaultosreleasepath-values.yaml @@ -0,0 +1,4 @@ +datadog: + apiKey: "00000000000000000000000000000000" + appKey: "0000000000000000000000000000000000000000" + disableDefaultOsReleasePaths: true 
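Review bot: `disable-defaultosreleasepath-values.yaml` omits the leading `---` document marker, while `provider-talos-values.yaml` added by the same commit and the `Chart.yaml` change both start with one; the CI values files are easiest to lint and diff when they follow a single convention. Suggest adding `---` as the first line. The file is otherwise a minimal fixture for the new flag.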
diff --git a/charts/datadog/ci/provider-talos-values.yaml b/charts/datadog/ci/provider-talos-values.yaml new file mode 100644 index 000000000..48de269ef --- /dev/null +++ b/charts/datadog/ci/provider-talos-values.yaml @@ -0,0 +1,8 @@ +--- +datadog: + apiKey: "00000000000000000000000000000000" + appKey: "0000000000000000000000000000000000000000" + +providers: + talos: + enabled: true diff --git a/charts/datadog/templates/NOTES.txt b/charts/datadog/templates/NOTES.txt index f2db9ed25..1978f03df 100644 --- a/charts/datadog/templates/NOTES.txt +++ b/charts/datadog/templates/NOTES.txt 
@@ -534,6 +534,25 @@ More information about this change: https://github.com/DataDog/helm-charts/pull/ {{- end }} +{{- if and (eq .Values.targetSystem "linux") (eq .Values.datadog.osReleasePath "") (eq (include "should-add-host-path-for-os-release-paths" .) "false") .Values.datadog.sbom.host.enabled }} +################################################################# +#### ERROR: Configuration notice #### +################################################################# +The SBOM host filesystem collection feature requires access to the os-release information from the host. +`datadog.sbom.host.enabled: true` can't be used with `datadog.disableDefaultOsReleasePaths: true`. +{{- fail "The SBOM host filesystem collection feature requires access to the os-release information from the host." }} +{{- end }} + +{{- if and (eq .Values.targetSystem "linux") (eq .Values.datadog.osReleasePath "") (eq (include "should-add-host-path-for-os-release-paths" .) "false") (eq (include "should-enable-system-probe" .) "true") }} +################################################################# +#### ERROR: Configuration notice #### +################################################################# +The current set of options used to install the chart requires the system-probe container to be enabled. +However, the `datadog.disableDefaultOsReleasePaths` option set to `true` and `datadog.osReleasePath` is empty which is not compatible when the system-probe container is required. +{{- fail "OS Release information is required when system-probe is enabled." }} +{{- end }} + + {{- $hasContainerIncludeEnv := false }} {{- range $key := .Values.datadog.env }} {{- if eq $key.name "DD_CONTAINER_INCLUDE" }} diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml index 5219db7ed..151e1cebd 100644 --- a/charts/datadog/templates/_container-agent.yaml +++ b/charts/datadog/templates/_container-agent.yaml 
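Review bot: The first error message states that `datadog.sbom.host.enabled: true` can't be used with `datadog.disableDefaultOsReleasePaths: true`, but the guard two lines above only fires when `datadog.osReleasePath` is also empty, so the text tells users to drop a combination that is actually allowed as long as an explicit os-release path is kept. The second block has the same gap between its condition and its message. Suggest `The SBOM host filesystem collection feature needs an os-release file: set datadog.osReleasePath, or leave datadog.disableDefaultOsReleasePaths at false.` and wording the system-probe message the same way. Whether `should-add-host-path-for-os-release-paths` reflects only that flag is decided in `_helpers.tpl`, outside this hunk.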
@@ -258,7 +258,7 @@ mountPath: /host/sys/fs/cgroup mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true - {{- if (eq (include "should-run-process-checks-on-core-agent" .) "true") }} + {{- if and (eq (include "should-add-host-path-for-etc-passwd" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") }} - name: passwd mountPath: /etc/passwd readOnly: true @@ -302,6 +302,7 @@ - name: host-rpm-dir mountPath: /host/var/lib/rpm readOnly: true + {{- if eq (include "should-add-host-path-for-os-release-paths" .) "true" }} {{- if ne .Values.datadog.osReleasePath "/etc/redhat-release" }} - name: etc-redhat-release mountPath: /host/etc/redhat-release @@ -324,6 +325,7 @@ {{- end }} {{- end }} {{- end }} + {{- end }} {{- if eq .Values.targetSystem "windows" }} {{- if or .Values.datadog.logs.enabled .Values.datadog.logsEnabled }} - name: pointerdir diff --git a/charts/datadog/templates/_container-host-release-volumemounts.yaml b/charts/datadog/templates/_container-host-release-volumemounts.yaml index b775b7953..af1cfea68 100644 --- a/charts/datadog/templates/_container-host-release-volumemounts.yaml +++ b/charts/datadog/templates/_container-host-release-volumemounts.yaml 
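Review bot: The `{{- if eq (include "should-add-host-path-for-os-release-paths" .) "true" }}` opened in the `@@ -302` hunk is closed by a bare `{{- end }}` in the `@@ -324` hunk, three `end`s deep and with the intervening lines not shown, so the pairing cannot be verified from the diff and will be just as opaque to the next editor. A trailing template comment on the new closer, `{{- end }}{{/* should-add-host-path-for-os-release-paths */}}`, would tie the two together. The `@@ -258` hunk's passwd gating reads consistently with the other containers. Both affected blocks begin and end outside the hunks.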
@@ -1,13 +1,15 @@ {{- define "linux-container-host-release-volumemounts" -}} -{{- if not .Values.providers.gke.gdc }} -{{- if eq (include "should-enable-system-probe" .) "true" }} +{{- if or .Values.datadog.osReleasePath .Values.datadog.systemProbe.osReleasePath }} + {{- if and (not .Values.providers.gke.gdc) (not .Values.providers.gke.autopilot) }} + {{- if eq (include "should-enable-system-probe" .) "true" }} - name: os-release-file mountPath: /host{{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }} readOnly: true -{{- else if not .Values.providers.gke.autopilot}} + {{- else if .Values.datadog.osReleasePath }} - name: os-release-file mountPath: /host{{ .Values.datadog.osReleasePath }} readOnly: true -{{- end }} + {{- end }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/datadog/templates/_container-process-agent.yaml b/charts/datadog/templates/_container-process-agent.yaml index baeccc41a..d5c3434c8 100644 --- a/charts/datadog/templates/_container-process-agent.yaml +++ b/charts/datadog/templates/_container-process-agent.yaml @@ -79,7 +79,7 @@ mountPath: /host/sys/fs/cgroup mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true - {{- if or .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery .Values.datadog.processAgent.containerCollection}} + {{- if and (eq (include "should-add-host-path-for-etc-passwd" .) "true") (or .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery .Values.datadog.processAgent.containerCollection) }} - name: passwd mountPath: /etc/passwd readOnly: true diff --git a/charts/datadog/templates/_container-security-agent.yaml b/charts/datadog/templates/_container-security-agent.yaml index 0a6be843e..7269ddd8f 100644 --- a/charts/datadog/templates/_container-security-agent.yaml +++ b/charts/datadog/templates/_container-security-agent.yaml 
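Review bot: The rewrite moves `(not .Values.providers.gke.autopilot)` from the `else` branch into the outer guard, so with system-probe enabled on GKE Autopilot the `os-release-file` mount is no longer emitted where the old template still emitted it; that may well be intended, presumably because hostPath volumes are restricted there, but it is a behaviour change the CHANGELOG entry does not mention. The matching `os-release-file` hostPath volume in `_daemonset-volumes-linux.yaml` is guarded outside the visible hunks, so it is worth confirming both conditions agree — otherwise a volumeMount references an undeclared volume, or an unused hostPath is declared. Suggest noting the Autopilot case in the CHANGELOG or in a template comment above the outer `if`.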
@@ -91,9 +91,11 @@
     - name: cgroups
       mountPath: /host/sys/fs/cgroup
       readOnly: true
+    {{- if (eq (include "should-add-host-path-for-etc-passwd" .) "true") }}
     - name: passwd
       mountPath: /etc/passwd
       readOnly: true
+    {{- end }}
     - name: group
       mountPath: /etc/group
       readOnly: true
diff --git a/charts/datadog/templates/_container-system-probe.yaml b/charts/datadog/templates/_container-system-probe.yaml
index c891a30d1..cf77ed4db 100644
--- a/charts/datadog/templates/_container-system-probe.yaml
+++ b/charts/datadog/templates/_container-system-probe.yaml
@@ -65,7 +65,7 @@
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
       readOnly: true
     {{- include "linux-container-host-release-volumemounts" . | nindent 4 }}
-    {{- if .Values.datadog.systemProbe.enableDefaultOsReleasePaths }}
+    {{- if (eq (include "should-add-host-path-for-os-release-paths" .) "true") }}
     {{- if ne .Values.datadog.osReleasePath "/etc/redhat-release" }}
     - name: etc-redhat-release
       mountPath: /host/etc/redhat-release
diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml
index de1e13924..6b6cb50f0 100644
--- a/charts/datadog/templates/_daemonset-volumes-linux.yaml
+++ b/charts/datadog/templates/_daemonset-volumes-linux.yaml
@@ -22,7 +22,7 @@
     path: {{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }}
   name: os-release-file
 {{- end }}
-{{- if or (and (eq (include "should-enable-system-probe" .) "true") .Values.datadog.systemProbe.enableDefaultOsReleasePaths) .Values.datadog.sbom.host.enabled }}
+{{- if and (eq (include "should-add-host-path-for-os-release-paths" .) "true") (or (eq (include "should-enable-system-probe" .) "true") .Values.datadog.sbom.host.enabled) }}
 - hostPath:
     path: /etc/redhat-release
   name: etc-redhat-release
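Review bot: The rewritten condition in the `_daemonset-volumes-linux.yaml` hunk changes behaviour for `datadog.sbom.host.enabled`: before, host SBOM alone created the `etc-redhat-release` host-path volume (and whatever the block guards past the hunk), whereas now it also requires `should-add-host-path-for-os-release-paths`, i.e. `systemProbe.enableDefaultOsReleasePaths: true` and `disableDefaultOsReleasePaths: false`. With the defaults that is a no-op, but a user who switched the deprecated `enableDefaultOsReleasePaths` off while keeping host SBOM on silently loses those volumes; if that is intended, a sentence in the CHANGELOG and in the `disableDefaultOsReleasePaths` values comment would make it discoverable. In the security-agent hunk the `/etc/group` mount directly below the new guard stays unconditional; if `group` is a host-path volume like `passwd` (its definition is outside this diff), the provider gating that motivated `should-add-host-path-for-etc-passwd` presumably applies to it as well and it would need the same treatment. The volume list in `_daemonset-volumes-linux.yaml` continues outside the hunk.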
@@ -138,7 +138,7 @@
   name: btf-path
 {{- end }}
 {{- end }}
-{{- if or (eq (include "process-checks-enabled" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-security-agent" .) "true") }}
+{{- if and (eq (include "should-add-host-path-for-etc-passwd" .) "true") (or (eq (include "process-checks-enabled" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-security-agent" .) "true")) }}
 - hostPath:
     path: /etc/passwd
   name: passwd
diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
index c601eae97..f069eed1f 100644
--- a/charts/datadog/templates/_helpers.tpl
+++ b/charts/datadog/templates/_helpers.tpl
@@ -891,7 +891,7 @@ false
 Returns whether Remote Configuration should be enabled in the agent
 */}}
 {{- define "datadog-remoteConfiguration-enabled" -}}
-{{- if and (.Values.remoteConfiguration.enabled) (.Values.datadog.remoteConfiguration.enabled) (not .Values.providers.gke.gdc ) -}}
+{{- if and (.Values.remoteConfiguration.enabled) (.Values.datadog.remoteConfiguration.enabled) (not .Values.providers.gke.gdc) -}}
 true
 {{- else -}}
 false
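Review bot: The `passwd` host-path volume is now gated on `should-add-host-path-for-etc-passwd` and the core-agent, process-agent and security-agent mounts were gated to match, but the old condition also lists `should-enable-system-probe`, which suggests the system-probe container mounts `passwd` too; this diff's only `_container-system-probe.yaml` hunk touches the os-release block, so if that mount exists it is still unguarded and a `disablePasswdMount: true` or `providers.talos.enabled: true` deployment with system-probe on would reference a volume that is no longer defined, failing pod creation. Worth confirming against the full template; if the mount is there it needs `{{- if (eq (include "should-add-host-path-for-etc-passwd" .) "true") }}` / `{{- end }}` around it, as done for the security-agent. The volume list this hunk edits continues outside the hunk.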
@@ -1045,3 +1045,35 @@ Create RBACs for custom resources
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+
+{{/*
+  Returns true if Host paths for default OS Release Paths need to be added to the volumes.
+*/}}
+{{- define "should-add-host-path-for-os-release-paths" -}}
+  {{- if ne .Values.targetSystem "linux" -}}
+    false
+  {{- else if .Values.providers.talos.enabled -}}
+    false
+  {{- else if (and .Values.datadog.systemProbe.enableDefaultOsReleasePaths (not .Values.datadog.disableDefaultOsReleasePaths)) -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
+
+
+{{/*
+  Returns true if the host file /etc/passwd should be mounted, else return false.
+*/}}
+{{- define "should-add-host-path-for-etc-passwd" -}}
+  {{- if ne .Values.targetSystem "linux" -}}
+    false
+  {{- else if .Values.providers.talos.enabled -}}
+    false
+  {{- else if not .Values.datadog.disablePasswdMount -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
index d492b8ed9..50c0c7aa2 100644
--- a/charts/datadog/values.yaml
+++ b/charts/datadog/values.yaml
@@ -698,6 +698,12 @@ datadog:
     ## ref: https://docs.datadoghq.com/infrastructure/containers/?tab=helm
     containerCollection: true
 
+  # datadog.disableDefaultOsReleasePaths -- Set this to true to disable mounting datadog.osReleasePath in all containers
+  disableDefaultOsReleasePaths: false
+
+  # datadog.disablePasswdMount -- Set this to true to disable mounting /etc/passwd in all containers
+  disablePasswdMount: false
+
   # datadog.osReleasePath -- Specify the path to your os-release file
   osReleasePath: /etc/os-release
 
@@ -759,6 +765,7 @@ datadog:
     # datadog.systemProbe.conntrackInitTimeout -- the time to wait for conntrack to initialize before failing
     conntrackInitTimeout: 10s
 
+    # DEPRECATED. Use datadog.disableDefaultOsReleasePaths instead.
     # datadog.systemProbe.enableDefaultOsReleasePaths -- enable default os-release files mount
     enableDefaultOsReleasePaths: true
 
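Review bot: The `DEPRECATED` line added above `systemProbe.enableDefaultOsReleasePaths` does not say how the old and new flags interact, yet `should-add-host-path-for-os-release-paths` in the `_helpers.tpl` hunk requires both `enableDefaultOsReleasePaths: true` and `disableDefaultOsReleasePaths: false`, so the deprecated flag still takes effect and setting it to `false` overrides the new one. Suggest `# DEPRECATED. Use datadog.disableDefaultOsReleasePaths instead. Setting this to false still disables the default os-release mounts, whatever datadog.disableDefaultOsReleasePaths is set to.` so that users migrating know both values must agree. The two new helper comments read well; the `should-add-host-path-for-os-release-paths` one could also name the non-Linux and `providers.talos.enabled` cases in which it returns `false`, since those are what a reader of the call sites will look for.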
@@ -2315,6 +2322,15 @@ providers:
     # providers.aks.enabled -- Activate all specificities related to AKS configuration. Required as currently we cannot auto-detect AKS.
     enabled: false
 
+  talos:
+    # providers.talos.enabled -- Activate all required specificities related to Talos.dev configuration,
+    # as currently the chart cannot auto-detect Talos.dev cluster.
+    # Note: The Agent deployment requires additional privileges that are not permitted by the default pod security policy.
+    # The annotation `pod-security.kubernetes.io/enforce=privileged` must be applied to the Datadog installation
+    # Kubernetes namespace. For more information on pod security policies in Talos.dev clusters, see:
+    # https://www.talos.dev/v1.8/kubernetes-guides/configuration/pod-security/
+    enabled: false
+
 remoteConfiguration:
   # remoteConfiguration.enabled -- Set to true to enable remote configuration on the Cluster Agent (if set) and the node agent.
   # Can be overridden if `datadog.remoteConfiguration.enabled`

From 49c13ec4d5aed9a599538bc9cc9bf7a37b18911a Mon Sep 17 00:00:00 2001
From: Gabriel Plassard <138318954+dd-gplassard@users.noreply.github.com>
Date: Mon, 9 Dec 2024 16:45:23 +0100
Subject: [PATCH 6/6] [PAR] update PAR image (#1624)

---
 charts/private-action-runner/CHANGELOG.md | 4 ++++
 charts/private-action-runner/Chart.yaml | 2 +-
 charts/private-action-runner/README.md | 4 ++--
 charts/private-action-runner/README.md.gotmpl | 2 +-
 charts/private-action-runner/values.yaml | 2 +-
 test/private-action-runner/__snapshot__/default.yaml | 2 +-
 .../__snapshot__/enable-kubernetes-actions.yaml | 2 +-
 7 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/charts/private-action-runner/CHANGELOG.md b/charts/private-action-runner/CHANGELOG.md
index fb7d362c5..e7645d5cf 100644
--- a/charts/private-action-runner/CHANGELOG.md
+++ b/charts/private-action-runner/CHANGELOG.md
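Review bot: The new `providers.talos` comment calls `pod-security.kubernetes.io/enforce=privileged` an annotation, but Pod Security Admission reads it as a namespace label (applied with `kubectl label namespace <ns> pod-security.kubernetes.io/enforce=privileged`), and "pod security policy" refers to the removed PodSecurityPolicy API rather than the admission levels the linked Talos page describes, so a user following the comment literally will set the wrong metadata and see no effect. Suggest `# The namespace label pod-security.kubernetes.io/enforce=privileged must be applied to the Datadog installation` and `# Kubernetes namespace. For more information on Pod Security Admission in Talos.dev clusters, see:` for the two affected lines. Since that label lifts Pod Security enforcement for every workload in the namespace, not only the Agent, the comment could also recommend installing the chart into a dedicated namespace so the relaxation stays scoped.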
@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 0.15.1
+
+* Update private action image version to `v0.1.6-beta`
+
 ## 0.15.0
 
 * Update private action image version to `v0.1.5-beta`
diff --git a/charts/private-action-runner/Chart.yaml b/charts/private-action-runner/Chart.yaml
index a6f65933a..dc246d089 100644
--- a/charts/private-action-runner/Chart.yaml
+++ b/charts/private-action-runner/Chart.yaml
@@ -3,7 +3,7 @@ name: private-action-runner
 description: A Helm chart to deploy the private action runner
 
 type: application
-version: 0.15.0
+version: 0.15.1
 appVersion: "1.22.0"
 keywords:
   - app builder
diff --git a/charts/private-action-runner/README.md b/charts/private-action-runner/README.md
index e0f476e0a..7ef069322 100644
--- a/charts/private-action-runner/README.md
+++ b/charts/private-action-runner/README.md
@@ -1,6 +1,6 @@
 # Datadog Private Action Runner
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![AppVersion: v0.1.5-beta](https://img.shields.io/badge/AppVersion-v0.1.5--beta-informational?style=flat-square)
+![Version: 0.15.1](https://img.shields.io/badge/Version-0.15.1-informational?style=flat-square) ![AppVersion: v0.1.6-beta](https://img.shields.io/badge/AppVersion-v0.1.6--beta-informational?style=flat-square)
 
 This Helm Chart deploys the Datadog Private Action runner inside a Kubernetes cluster. It allows you to use private actions from the Datadog Workflow and Datadog App Builder products. When deploying this chart, you can give permissions to the runner in order to be able to run Kubernetes actions.
 
@@ -42,7 +42,7 @@ helm repo update
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| common.image | object | `{"repository":"gcr.io/datadoghq/private-action-runner","tag":"v0.1.5-beta"}` | Current Datadog Private Action Runner image |
+| common.image | object | `{"repository":"gcr.io/datadoghq/private-action-runner","tag":"v0.1.6-beta"}` | Current Datadog Private Action Runner image |
 | credentialFiles | list | `[]` | List of credential files to be used by the Datadog Private Action Runner |
 | runners[0].config | object | `{"actionsAllowlist":[],"ddBaseURL":"https://app.datadoghq.com","modes":["workflowAutomation","appBuilder"],"port":9016,"privateKey":"CHANGE_ME_PRIVATE_KEY_FROM_CONFIG","urn":"CHANGE_ME_URN_FROM_CONFIG"}` | Configuration for the Datadog Private Action Runner |
 | runners[0].config.actionsAllowlist | list | `[]` | List of actions that the Datadog Private Action Runner is allowed to execute |
diff --git a/charts/private-action-runner/README.md.gotmpl b/charts/private-action-runner/README.md.gotmpl
index a7cb66089..1f817e5fd 100644
--- a/charts/private-action-runner/README.md.gotmpl
+++ b/charts/private-action-runner/README.md.gotmpl
@@ -1,6 +1,6 @@
 # Datadog Private Action Runner
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![AppVersion: v0.1.5-beta](https://img.shields.io/badge/AppVersion-v0.1.5--beta-informational?style=flat-square)
+![Version: 0.15.1](https://img.shields.io/badge/Version-0.15.1-informational?style=flat-square) ![AppVersion: v0.1.6-beta](https://img.shields.io/badge/AppVersion-v0.1.6--beta-informational?style=flat-square)
 
 This Helm Chart deploys the Datadog Private Action runner inside a Kubernetes cluster. It allows you to use private actions from the Datadog Workflow and Datadog App Builder products. When deploying this chart, you can give permissions to the runner in order to be able to run Kubernetes actions.
 
diff --git a/charts/private-action-runner/values.yaml b/charts/private-action-runner/values.yaml
index 8b453c4d9..34c74b2eb 100644
--- a/charts/private-action-runner/values.yaml
+++ b/charts/private-action-runner/values.yaml
@@ -6,7 +6,7 @@ common:
   # -- Current Datadog Private Action Runner image
   image:
     repository: gcr.io/datadoghq/private-action-runner
-    tag: v0.1.5-beta
+    tag: v0.1.6-beta
 
 runners:
   # runners[0].name -- Name of the Datadog Private Action Runner
diff --git a/test/private-action-runner/__snapshot__/default.yaml b/test/private-action-runner/__snapshot__/default.yaml
index 3766b77ec..8dcfdd4b6 100644
--- a/test/private-action-runner/__snapshot__/default.yaml
+++ b/test/private-action-runner/__snapshot__/default.yaml
@@ -100,7 +100,7 @@ spec:
           value: nodeless
       containers:
       - name: runner
-        image: "gcr.io/datadoghq/private-action-runner:v0.1.5-beta"
+        image: "gcr.io/datadoghq/private-action-runner:v0.1.6-beta"
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
diff --git a/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml b/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml
index 6b2d3f55c..ef5256028 100644
--- a/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml
+++ b/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml
@@ -144,7 +144,7 @@ spec:
           value: nodeless
       containers:
       - name: runner
-        image: "gcr.io/datadoghq/private-action-runner:v0.1.5-beta"
+        image: "gcr.io/datadoghq/private-action-runner:v0.1.6-beta"
         imagePullPolicy: IfNotPresent
         ports:
         - name: http