diff --git a/.github/helm-docs.sh b/.github/helm-docs.sh index 04ad473d7..03d901387 100755 --- a/.github/helm-docs.sh +++ b/.github/helm-docs.sh @@ -1,7 +1,7 @@ #!/bin/bash set -euo pipefail -HELM_DOCS_VERSION="1.10.0" +HELM_DOCS_VERSION="1.14.2" OS=$(uname) ARCH=$(uname -m) diff --git a/.github/kubeconform.sh b/.github/kubeconform.sh index 872c011d3..749da9719 100755 --- a/.github/kubeconform.sh +++ b/.github/kubeconform.sh @@ -1,7 +1,7 @@ #!/bin/bash set -euo pipefail -KUBECONFORM_VERSION="v0.6.4" +KUBECONFORM_VERSION="v0.6.7" # https://github.com/yannh/kubeconform/issues/51 CRD_SPEC_URL="https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json" # Remove after v1.16 support / testing is dropped diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d6a4f786a..bbce00ed9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -5,6 +5,11 @@ on: paths: - "charts/**" +# Permission forced by repo-level setting; only elevate on job-level +permissions: + contents: read + # packages: read + jobs: changed: runs-on: ubuntu-latest @@ -12,7 +17,7 @@ jobs: charts: ${{ steps.list-changed.outputs.changed }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Helm @@ -23,7 +28,7 @@ jobs: with: python-version: 3.7 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.1 + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (list-changed) id: list-changed env: @@ -47,14 +52,14 @@ jobs: - changed steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - uses: actions/setup-python@v4 with: python-version: 3.7 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.1 + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (lint) run: ct lint --config .github/ct.yaml 
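Review bot: The comment introduced above the new workflow-level `permissions:` block in ci.yaml, `# Permission forced by repo-level setting; only elevate on job-level`, misdescribes what the block does: a repository default does not force anything into the workflow file, and this block is what sets the read-only GITHUB_TOKEN baseline for every job, which a job-level `permissions:` then replaces in full (unlisted scopes become `none`, they are not inherited). Suggest `# Baseline GITHUB_TOKEN scope for every job: read-only. A job that needs more declares its own permissions: block, which replaces (not extends) this one.` The parked `# packages: read` line is dead configuration; either drop it or add a word on why it is kept. The same comment is copied verbatim into the two go-test workflows later in this diff, so whichever wording is chosen should be applied there too.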
@@ -64,7 +69,7 @@ jobs: - changed steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Run helm-docs @@ -87,10 +92,15 @@ jobs: - v1.22.17 - v1.24.17 - v1.25.16 - - v1.26.13 + - v1.26.15 + - v1.27.16 + - v1.28.13 + - v1.29.8 + - v1.30.4 + - v1.31.1 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Add datadog helm repo @@ -112,27 +122,43 @@ jobs: - kubeconform-chart strategy: matrix: - k8s: - - v1.18.20 - - v1.22.9 - - v1.24.2 - - v1.25.16 - - v1.26.13 + versions: + - k8s: v1.18.20 + kind: v0.17.0 + - k8s: v1.22.17 + kind: v0.22.0 + - k8s: v1.24.17 + kind: v0.22.0 + - k8s: v1.25.16 + kind: v0.22.0 + - k8s: v1.26.15 + kind: v0.22.0 + - k8s: v1.27.16 + kind: v0.22.0 + - k8s: v1.28.13 + kind: v0.22.0 + - k8s: v1.29.8 + kind: v0.22.0 + - k8s: v1.30.4 + kind: v0.22.0 + - k8s: v1.31.1 + kind: v0.22.0 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Create kind ${{ matrix.k8s }} cluster - uses: helm/kind-action@v1.5.0 + - name: Create kind ${{ matrix.versions.k8s }} cluster with kind version ${{ matrix.versions.kind }} + uses: helm/kind-action@v1.10.0 with: - node_image: kindest/node:${{ matrix.k8s }} + version: ${{ matrix.versions.kind }} + node_image: kindest/node:${{ matrix.versions.k8s}} config: .github/kind_config.yaml - uses: actions/setup-python@v4 with: python-version: 3.7 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.1 + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (install) run: ct install --config .github/ct.yaml diff --git a/.github/workflows/go-test-private-action-runner.yaml b/.github/workflows/go-test-private-action-runner.yaml index a42811bde..dc26fd575 100644 --- a/.github/workflows/go-test-private-action-runner.yaml +++ b/.github/workflows/go-test-private-action-runner.yaml 
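Review bot: The kind node images in the new `versions` matrix are referenced by tag only, `node_image: kindest/node:${{ matrix.versions.k8s}}`, while kind's own release notes publish each image with a digest because a `kindest/node:<k8s>` tag can be rebuilt for a later kind release and is documented as tied to the kind version that built it. Pin each entry to the digest from the release notes of the kind version it is paired with, e.g. `k8s: v1.31.1@sha256:<digest>`; I have not verified which kind release shipped each tag listed here, so it is worth checking that v1.30.4 and v1.31.1 images actually correspond to kind v0.22.0 rather than a later release. The actions themselves, `helm/kind-action@v1.10.0` and `helm/chart-testing-action@v2.6.1`, are mutable tags as well; pinning to a commit SHA with the tag in a trailing comment is the usual supply-chain hardening for CI that builds release artifacts. Minor: `${{ matrix.versions.k8s}}` is missing the space before `}}` that every other expression in the file uses.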
@@ -8,6 +8,12 @@ on: paths: - 'test/private-action-runner/**' - 'charts/private-action-runner/**' + +# Permission forced by repo-level setting; only elevate on job-level +permissions: + contents: read + # packages: read + env: GO111MODULE: "on" PROJECTNAME: "helm-charts" diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml index 8b83c292b..739a20b1b 100644 --- a/.github/workflows/go-test.yaml +++ b/.github/workflows/go-test.yaml @@ -8,6 +8,12 @@ on: paths: - 'test/datadog-operator/**' - 'charts/datadog-operator/**' + +# Permission forced by repo-level setting; only elevate on job-level +permissions: + contents: read + # packages: read + env: GO111MODULE: "on" PROJECTNAME: "helm-charts" @@ -21,9 +27,9 @@ jobs: go-version: 1.21 id: go - name: Set up Helm - uses: azure/setup-helm@v3.5 + uses: azure/setup-helm@v4.2.0 with: - version: v3.10.1 + version: v3.14.0 - name: Add Datadog Helm repo run: helm repo add datadog https://helm.datadoghq.com && helm repo update - name: Check out code into the Go module directory 
@@ -39,27 +45,40 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - k8s: - - v1.16.15 - - v1.18.20 - - v1.22.9 - - v1.24.2 - - v1.25.2 - - v1.26.6 - - v1.27.3 - - v1.28.7 - - v1.29.2 - - v1.30.0 + versions: + - k8s: v1.16.15 + kind: v0.15.0 + - k8s: v1.18.20 + kind: v0.17.0 + - k8s: v1.22.17 + kind: v0.22.0 + - k8s: v1.24.17 + kind: v0.22.0 + - k8s: v1.25.16 + kind: v0.22.0 + - k8s: v1.26.15 + kind: v0.22.0 + - k8s: v1.27.16 + kind: v0.22.0 + - k8s: v1.28.13 + kind: v0.22.0 + - k8s: v1.29.8 + kind: v0.22.0 + - k8s: v1.30.4 + kind: v0.22.0 + - k8s: v1.31.1 + kind: v0.22.0 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Create kind ${{ matrix.k8s }} cluster - uses: helm/kind-action@v1.5.0 + - name: Create K8s ${{ matrix.versions.k8s }} cluster with kind version ${{ matrix.versions.kind }} + uses: helm/kind-action@v1.10.0 with: - node_image: kindest/node:${{ matrix.k8s }} - cluster_name: operator-ci-${{ matrix.k8s }} + version: ${{ matrix.versions.kind }} + node_image: kindest/node:${{ matrix.versions.k8s }} + cluster_name: operator-ci-${{ matrix.versions.k8s }} config: .github/kind_config.yaml - name: Add Cert Manager Helm repo run: helm repo add jetstack https://charts.jetstack.io && helm repo update @@ -69,8 +88,8 @@ jobs: env: API_KEY: ${{ secrets.GO_INTEG_TEST_API_KEY }} APP_KEY: ${{ secrets.GO_INTEG_TEST_APP_KEY }} - CLUSTER_NAME: operator-ci-${{ matrix.k8s }} - K8S_VERSION: ${{ matrix.k8s }} + CLUSTER_NAME: operator-ci-${{ matrix.versions.k8s }} + K8S_VERSION: ${{ matrix.versions.k8s }} run: | kubectl cluster-info kubectl get nodes diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml index f1d36ed3d..ff711a73d 100644 --- a/.github/workflows/pr-labeler.yaml +++ b/.github/workflows/pr-labeler.yaml 
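Review bot: The `versions` matrix added here duplicates the one added to ci.yaml in this same diff but already disagrees with it — go-test.yaml carries `k8s: v1.16.15` with `kind: v0.15.0` while ci.yaml starts at v1.18.20 — so the two lists will drift every time one is bumped. Consider sourcing both from one place (a checked-in JSON file loaded with `fromJSON` in a setup step, or a reusable workflow input) so a version bump is a single edit, and add a comment on the matrix stating why each kind version is paired with its node image. v1.16.15 and v1.18.20 are long past upstream end of life; if they are kept for a specific compatibility promise, a comment next to them, e.g. `# kept: oldest versions still supported by the operator chart`, would stop the next maintainer from silently dropping them.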
@@ -4,10 +4,17 @@ on: branches: - main +# Permission forced by repo-level setting; only elevate on job-level +permissions: + contents: read + # packages: read + jobs: label: name: Add label for PRs runs-on: ubuntu-latest + permissions: + pull-requests: write timeout-minutes: 5 steps: - uses: actions/labeler@v5 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bb531756f..e33b3d11f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -7,9 +7,14 @@ on: paths: - 'charts/**' +permissions: {} + jobs: release: runs-on: ubuntu-latest + permissions: + # https://github.com/helm/chart-releaser-action + contents: write steps: - name: Checkout uses: actions/checkout@v3 diff --git a/charts/datadog-crds/CHANGELOG.md b/charts/datadog-crds/CHANGELOG.md index ff96a6ce4..39f9e8402 100644 --- a/charts/datadog-crds/CHANGELOG.md +++ b/charts/datadog-crds/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +# 2.2.0 + +* Update CRDs from Datadog Operator v1.10.0 tag. + ## 2.1.0 * Update CRDs from Datadog Operator v1.9.0 tag. diff --git a/charts/datadog-crds/Chart.yaml b/charts/datadog-crds/Chart.yaml index e84be10f4..f4e6c9763 100644 --- a/charts/datadog-crds/Chart.yaml +++ b/charts/datadog-crds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: datadog-crds description: Datadog Kubernetes CRDs chart -version: 2.1.0 +version: 2.2.0 appVersion: "1" keywords: - monitoring diff --git a/charts/datadog-crds/README.md b/charts/datadog-crds/README.md index 7c6f76e88..851d16f49 100644 --- a/charts/datadog-crds/README.md +++ b/charts/datadog-crds/README.md 
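Review bot: The job-level `permissions: pull-requests: write` on the label job replaces the workflow-level block in full, so this job's token ends up with `contents: none`, not the `contents: read` declared at the top; actions/labeler's documented permissions list both `contents: read` and `pull-requests: write` because it fetches `.github/labeler.yml` through the API. Unless this has been verified to still work on this repository, add `contents: read` beneath `pull-requests: write` in the job-level block. The workflow's trigger is outside this hunk; whether it is `pull_request` or `pull_request_target` decides how safe a write-scoped token is here, and is worth a one-line comment next to the permissions.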
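Review bot: release.yaml now uses `permissions: {}` at workflow level and `contents: write` only on the release job, which is the right shape, but that job still checks out with `actions/checkout@v3` (visible as context just below the new block) while every other workflow in this diff moves to `@v4`; bump it here as well. Since this is the only job in the diff holding a write-scoped token, it is also the one most worth pinning to a commit SHA, with the tag kept in a trailing comment. The comment `# https://github.com/helm/chart-releaser-action` should say what the write scope is for, e.g. `# contents: write — chart-releaser pushes the index to the gh-pages branch and creates releases`, so a later reader can tell whether it can be narrowed.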
@@ -1,6 +1,6 @@ # Datadog CRDs -![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=flat-square) ![AppVersion: 1](https://img.shields.io/badge/AppVersion-1-informational?style=flat-square) +![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square) ![AppVersion: 1](https://img.shields.io/badge/AppVersion-1-informational?style=flat-square) This chart was designed to allow other "datadog" charts to share `CustomResourceDefinitions` such as the `DatadogMetric`. diff --git a/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml b/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml index a0c10a59a..5359f9b03 100644 --- a/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml +++ b/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml @@ -701,6 +701,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object http: properties: @@ -708,6 +716,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object type: object type: object 
@@ -851,6 +867,73 @@ spec: url: type: string type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map fips: properties: customFIPSConfig: @@ -1006,6 +1089,18 @@ spec: tlsVerify: type: boolean type: object + kubernetesResourcesAnnotationsAsTags: + additionalProperties: + additionalProperties: + type: string + type: object + type: object + kubernetesResourcesLabelsAsTags: + additionalProperties: + additionalProperties: + type: string + type: object + type: object localService: properties: forceEnableLocalService: 
@@ -1076,6 +1171,31 @@ spec: type: object registry: type: string + secretBackend: + properties: + args: + type: string + command: + type: string + enableGlobalPermissions: + type: boolean + roles: + items: + properties: + namespace: + type: string + secrets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: array + x-kubernetes-list-type: atomic + timeout: + format: int32 + type: integer + type: object site: type: string tags: @@ -1975,6 +2095,29 @@ spec: x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array extraChecksd: properties: configDataMap: @@ -2137,6 +2280,10 @@ spec: type: string type: object type: object + serviceAccountAnnotations: + additionalProperties: + type: string + type: object serviceAccountName: type: string tolerations: @@ -3723,6 +3870,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object http: properties: @@ -3730,6 +3885,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object type: object type: object diff --git a/charts/datadog-operator/CHANGELOG.md b/charts/datadog-operator/CHANGELOG.md index 2f6ee332c..773a75e11 100644 --- a/charts/datadog-operator/CHANGELOG.md +++ b/charts/datadog-operator/CHANGELOG.md 
@@ -1,5 +1,13 @@ # Changelog +## 2.3.0 + +* Update Datadog Operator version to 1.10.0. + +## 2.2.0 + +* Add clusterRole.allowReadAllResources to allow viewing all resources. This is required for collecting custom resources in the Kubernetes Explorer + ## 2.1.0 * Update Datadog Operator version to 1.9.0. diff --git a/charts/datadog-operator/Chart.lock b/charts/datadog-operator/Chart.lock index b5c089010..41fd2ccbd 100644 --- a/charts/datadog-operator/Chart.lock +++ b/charts/datadog-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: datadog-crds repository: https://helm.datadoghq.com - version: 2.1.0 -digest: sha256:8f24ab33303f20421688b071b9fb028c0662795952298300ed4b9a060a4332ac -generated: "2024-10-10T12:48:27.526346-04:00" + version: 2.2.0 +digest: sha256:42b9b7296f565f17f11adea26fa8cb003c0f01551a84793873a3ae6c73efedc2 +generated: "2024-11-08T14:03:54.721912-05:00" diff --git a/charts/datadog-operator/Chart.yaml b/charts/datadog-operator/Chart.yaml index 6577418a7..c9e85b586 100644 --- a/charts/datadog-operator/Chart.yaml +++ b/charts/datadog-operator/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: datadog-operator -version: 2.1.0 -appVersion: 1.9.0 +version: 2.3.0 +appVersion: 1.10.0 description: Datadog Operator keywords: - monitoring @@ -17,7 +17,7 @@ maintainers: email: support@datadoghq.com dependencies: - name: datadog-crds - version: "=2.1.0" + version: "=2.2.0" alias: datadogCRDs repository: https://helm.datadoghq.com condition: installCRDs diff --git a/charts/datadog-operator/README.md b/charts/datadog-operator/README.md index 0bf92862f..532eb73ce 100644 --- a/charts/datadog-operator/README.md +++ b/charts/datadog-operator/README.md 
@@ -1,6 +1,6 @@ # Datadog Operator -![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square) +![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) ## Values @@ -12,6 +12,7 @@ | appKey | string | `nil` | Your Datadog APP key | | appKeyExistingSecret | string | `nil` | Use existing Secret which stores APP key instead of creating a new one | | clusterName | string | `nil` | Set a unique cluster name reporting from the Datadog Operator. | +| clusterRole | object | `{"allowReadAllResources":false}` | Set specific configuration for the cluster role | | collectOperatorMetrics | bool | `true` | Configures an openmetrics check to collect operator metrics | | containerSecurityContext | object | `{}` | A security context defines privileges and access control settings for a container. | | datadogAgent.enabled | bool | `true` | Enables Datadog Agent controller | @@ -32,7 +33,7 @@ | image.doNotCheckTag | bool | `false` | Permit skipping operator image tag compatibility with the chart. | | image.pullPolicy | string | `"IfNotPresent"` | Define the pullPolicy for Datadog Operator image | | image.repository | string | `"gcr.io/datadoghq/operator"` | Repository to use for Datadog Operator image | -| image.tag | string | `"1.9.0"` | Define the Datadog Operator version to use | +| image.tag | string | `"1.10.0"` | Define the Datadog Operator version to use | | imagePullSecrets | list | `[]` | Datadog Operator repository pullSecret (ex: specify docker registry credentials) | | installCRDs | bool | `true` | Set to true to deploy the Datadog's CRDs | | introspection.enabled | bool | `false` | If true, enables introspection feature (beta). Requires v1.4.0+ | 
diff --git a/charts/datadog-operator/templates/_helpers.tpl b/charts/datadog-operator/templates/_helpers.tpl index 2ec94580f..afc48dc57 100644 --- a/charts/datadog-operator/templates/_helpers.tpl +++ b/charts/datadog-operator/templates/_helpers.tpl @@ -85,6 +85,6 @@ Check operator image tag version. {{- if not .Values.image.doNotCheckTag -}} {{- .Values.image.tag -}} {{- else -}} -{{ "1.9.0" }} +{{ "1.10.0" }} {{- end -}} {{- end -}} diff --git a/charts/datadog-operator/templates/clusterrole.yaml b/charts/datadog-operator/templates/clusterrole.yaml index 1b90e330a..1032e2aba 100644 --- a/charts/datadog-operator/templates/clusterrole.yaml +++ b/charts/datadog-operator/templates/clusterrole.yaml @@ -794,5 +794,13 @@ rules: - patch - update {{- end }} +{{- if .Values.clusterRole.allowReadAllResources }} +- apiGroups: + - '*' + resources: + - '*' + verbs: + - list + - watch +{{- end }} {{- end }} - diff --git a/charts/datadog-operator/values.yaml b/charts/datadog-operator/values.yaml index fbd4339e9..3558679f4 100644 --- a/charts/datadog-operator/values.yaml +++ b/charts/datadog-operator/values.yaml @@ -47,7 +47,7 @@ image: # image.repository -- Repository to use for Datadog Operator image repository: gcr.io/datadoghq/operator # image.tag -- Define the Datadog Operator version to use - tag: 1.9.0 + tag: 1.10.0 # image.pullPolicy -- Define the pullPolicy for Datadog Operator image pullPolicy: IfNotPresent # image.doNotCheckTag -- Permit skipping operator image tag compatibility with the chart. @@ -190,3 +190,9 @@ livenessProbe: # timeoutSeconds: 1 # successThreshold: 1 # failureThreshold: 3 + +# clusterRole -- Set specific configuration for the cluster role +clusterRole: + # allowReadAllResources is required to allow the operator to view all custom resources. + # If collecting CRDs in the Kubernetes Explorer this is required + allowReadAllResources: false diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index 040f3199a..ca53956f3 100644 
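Review bot: The new `allowReadAllResources` rule in clusterrole.yaml grants `list` and `watch` on `'*'` resources in `'*'` API groups, which is far broader than the custom resources the option is described as enabling: it covers core `secrets` and `configmaps` (list and watch return their contents) and every CRD installed in the future, and RBAC has no deny rules, so secrets cannot be carved out of a wildcard. Nothing in the template says so; add above the rule `# Grants cluster-wide list/watch on every resource, including Secrets; enable only where that exposure is acceptable.` If the Kubernetes Explorer feature needs only CRDs, consider enumerating the groups it actually reads instead of `'*'`, or at least make the documented trade-off explicit so operators enabling it know the service account becomes a cluster-wide secret reader.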
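Review bot: The comment on the new `clusterRole.allowReadAllResources` value says it is "required to allow the operator to view all custom resources", but the rule it switches on is list/watch over all resources in all API groups, not just CRDs, so the comment understates the blast radius that helm-docs then copies into the README table. Suggest replacing the two comment lines with `# allowReadAllResources adds list/watch on every resource in every API group — this includes Secrets and ConfigMaps, whose contents are returned by list/watch.` and `# Required for collecting custom resources in the Kubernetes Explorer; leave false unless that feature is used.`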
--- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,9 +1,58 @@ # Datadog changelog -## 3.75.0 +## 3.80.0 * Add `datadog.admissionController.validation` and `datadog.admissionController.mutation` to enable/disable the admission controller validation and mutation webhooks. +## 3.79.0 + +* Add Logs Collection support for Google GKE on GDC + +## 3.78.0 + +* Set default `Agent` and `Cluster-Agent` version to `7.59.0`. + +## 3.77.3 + +* Update version required for datadog.processAgent.runInCoreAgent and remove experimental status. + +## 3.77.2 + +* Add the ability to include Security Contexts at the container level for Cluster Checks Runners. + +## 3.77.1 + +* Modify command that removes the default conf.d directory from the Cluster Checks Runners and only removes the default YAML files. + +## 3.77.0 + +* Add experimental support for overlayfs direct scan for SBOMs + +## 3.76.3 + +* Add `podisruptionbudgets` RBAC to the Cluster Agent. + +## 3.76.2 + +* Fix warning message displayed when installing/upgrading the Agent with OTel collector. +* Add preview message in values.yaml file. + +## 3.76.1 + +* Gate `datadog.sbom.containerImage.uncompressedLayersSupport` feature behind `datadog.sbom.containerImage.enabled`: if the latter is not enabled (default), do not modify template based on `datadog.sbom.containerImage.uncompressedLayersSupport`. + +## 3.76.0 + +* Set `datadog.sbom.containerImage.uncompressedLayersSupport` to `true` by default. + +## 3.75.0 + +* Set default `Agent` and `Cluster-Agent` version to `7.58.0`. + +## 3.74.6 + +* Fix error message for when System Probe is enabled on GKE Autopilot + ## 3.74.5 * Add configuration option for `datadog.KubernetesEvents.sourceDetectionEnabled` to map Kubernetes events to integration sources based on controller names. Disabled by default. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 0c77605bd..f8279e5d2 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.75.0 +version: 3.80.0 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 3cbfd2d45..387e9d5c8 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.75.0](https://img.shields.io/badge/Version-3.75.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.80.0](https://img.shields.io/badge/Version-3.80.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -515,7 +515,7 @@ helm install \ | agents.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy | | agents.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) | | agents.image.repository | string | `nil` | Override default registry + image.name for Agent | -| agents.image.tag | string | `"7.57.2"` | Define the Agent version to use | +| agents.image.tag | string | `"7.59.0"` | Define the Agent version to use | | agents.image.tagSuffix | string | `""` | Suffix to append to Agent tag | | agents.localService.forceLocalServiceEnabled | bool | `false` | Force the creation of the internal traffic policy service to target the agent running on the local node. By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. | | agents.localService.overrideName | string | `""` | Name of the internal traffic service to target the agent running on the local node | 
@@ -594,7 +594,7 @@ helm install \ | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Cluster Agent image pullPolicy | | clusterAgent.image.pullSecrets | list | `[]` | Cluster Agent repository pullSecret (ex: specify docker registry credentials) | | clusterAgent.image.repository | string | `nil` | Override default registry + image.name for Cluster Agent | -| clusterAgent.image.tag | string | `"7.57.2"` | Cluster Agent image tag to use | +| clusterAgent.image.tag | string | `"7.59.0"` | Cluster Agent image tag to use | | clusterAgent.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent liveness probe settings | | clusterAgent.metricsProvider.aggregator | string | `"avg"` | Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) | | clusterAgent.metricsProvider.createReaderRbac | bool | `true` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) | 
@@ -633,6 +633,8 @@ helm install \ | clusterAgent.volumes | list | `[]` | Specify additional volumes to mount in the cluster-agent container | | clusterChecksRunner.additionalLabels | object | `{}` | Adds labels to the cluster checks runner deployment and pods | | clusterChecksRunner.affinity | object | `{}` | Allow the ClusterChecks Deployment to schedule using affinity rules. | +| clusterChecksRunner.containers.agent.securityContext | object | `{}` | Specify securityContext on the agent container | +| clusterChecksRunner.containers.initContainers.securityContext | object | `{}` | Specify securityContext on the init containers | | clusterChecksRunner.createPodDisruptionBudget | bool | `false` | Create the pod disruption budget to apply to the cluster checks agents | | clusterChecksRunner.deploymentAnnotations | object | `{}` | Annotations to add to the cluster-checks-runner's Deployment | | clusterChecksRunner.dnsConfig | object | `{}` | specify dns configuration options for datadog cluster agent containers e.g ndots | 
@@ -646,7 +648,7 @@ helm install \ | clusterChecksRunner.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy | | clusterChecksRunner.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) | | clusterChecksRunner.image.repository | string | `nil` | Override default registry + image.name for Cluster Check Runners | -| clusterChecksRunner.image.tag | string | `"7.57.2"` | Define the Agent version to use | +| clusterChecksRunner.image.tag | string | `"7.59.0"` | Define the Agent version to use | | clusterChecksRunner.image.tagSuffix | string | `""` | Suffix to append to Agent tag | | clusterChecksRunner.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent liveness probe settings | | clusterChecksRunner.networkPolicy.create | bool | `false` | If true, create a NetworkPolicy for the cluster checks runners. DEPRECATED. Use datadog.networkPolicy.create instead | @@ -778,7 +780,7 @@ helm install \ | datadog.orchestratorExplorer.enabled | bool | `true` | Set this to false to disable the orchestrator explorer | | datadog.originDetectionUnified.enabled | bool | `false` | Enabled enables unified mechanism for origin detection. Default: false. (Requires Agent 7.54.0+). | | datadog.osReleasePath | string | `"/etc/os-release"` | Specify the path to your os-release file | -| datadog.otelCollector.config | object | `{}` | OTel collector configuration | +| datadog.otelCollector.config | string | `nil` | OTel collector configuration | | datadog.otelCollector.enabled | bool | `false` | Enable the OTel Collector | | datadog.otelCollector.ports | list | `[{"containerPort":"4317","name":"otel-grpc"},{"containerPort":"4318","name":"otel-http"}]` | Ports that OTel Collector is listening | | datadog.otlp.logs.enabled | bool | `false` | Enable logs support in the OTLP ingest endpoint | 
@@ -794,7 +796,7 @@ helm install \ | datadog.processAgent.enabled | bool | `true` | Set this to true to enable live process monitoring agent DEPRECATED. Set `datadog.processAgent.processCollection` or `datadog.processAgent.containerCollection` instead. # Note: /etc/passwd is automatically mounted when `processCollection`, `processDiscovery`, or `containerCollection` is enabled. # ref: https://docs.datadoghq.com/graphing/infrastructure/process/#kubernetes-daemonset | | datadog.processAgent.processCollection | bool | `false` | Set this to true to enable process collection | | datadog.processAgent.processDiscovery | bool | `true` | Enables or disables autodiscovery of integrations | -| datadog.processAgent.runInCoreAgent | bool | `false` | Set this to true to run the following features in the core agent: Live Processes, Live Containers, Process Discovery. # This is an experimental feature requiring Agent 7.53.0+ and Linux. Currently not compatible with APM Single Step Instrumentation. | +| datadog.processAgent.runInCoreAgent | bool | `false` | Set this to true to run the following features in the core agent: Live Processes, Live Containers, Process Discovery. # This requires Agent 7.57.0+ and Linux. | | datadog.processAgent.stripProcessArguments | bool | `false` | Set this to scrub all arguments from collected processes # Requires datadog.processAgent.processCollection to be set to true to have any effect # ref: https://docs.datadoghq.com/infrastructure/process/?tab=linuxwindows#process-arguments-scrubbing | | datadog.profiling.enabled | string | `nil` | Enable Continuous Profiler by injecting `DD_PROFILING_ENABLED` environment variable with the same value to all pods in the cluster Valid values are: - false: Profiler is turned off and can not be turned on by other means. - null: Profiler is turned off, but can be turned on by other means. - auto: Profiler is turned off, but the library will turn it on if the application is a good candidate for profiling. 
- true: Profiler is turned on. | | datadog.prometheusScrape.additionalConfigs | list | `[]` | Allows adding advanced openmetrics check configurations with custom discovery rules. (Requires Agent version 7.27+) | @@ -803,7 +805,8 @@ helm install \ | datadog.prometheusScrape.version | int | `2` | Version of the openmetrics check to schedule by default. | | datadog.remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration. DEPRECATED: Consider using remoteConfiguration.enabled instead | | datadog.sbom.containerImage.enabled | bool | `false` | Enable SBOM collection for container images | -| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `false` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. | +| datadog.sbom.containerImage.overlayFSDirectScan | bool | `false` | Use experimental overlayFS direct scan | +| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `true` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. Setting this to false could cause a high error rate when generating SBOMs due to missing uncompressed layer. See https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/vulnerabilities/#uncompressed-container-image-layers | | datadog.sbom.host.enabled | bool | `false` | Enable SBOM collection for host filesystems | | datadog.secretAnnotations | object | `{}` | | | datadog.secretBackend.arguments | string | `nil` | Configure the secret backend command arguments (space-separated strings). | 
@@ -880,6 +883,7 @@ helm install \ | providers.eks.ec2.useHostnameFromFile | bool | `false` | Use hostname from EC2 filesystem instead of fetching from metadata endpoint. | | providers.gke.autopilot | bool | `false` | Enables Datadog Agent deployment on GKE Autopilot | | providers.gke.cos | bool | `false` | Enables Datadog Agent deployment on GKE with Container-Optimized OS (COS) | +| providers.gke.gdc | bool | `false` | Enables Datadog Agent deployment on GKE on Google Distributed Cloud (GDC) | | registry | string | `nil` | Registry to use for all Agent images (default to [gcr.io | eu.gcr.io | asia.gcr.io | datadoghq.azurecr.io | public.ecr.aws/datadog] depending on datadog.site value) | | remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration on the Cluster Agent (if set) and the node agent. Can be overridden if `datadog.remoteConfiguration.enabled` Preferred way to enable Remote Configuration. | | targetSystem | string | `"linux"` | Target OS for this deployment (possible values: linux, windows) | diff --git a/charts/datadog/ci/gke-gdc-values.yaml b/charts/datadog/ci/gke-gdc-values.yaml new file mode 100644 index 000000000..1c6fcc087 --- /dev/null +++ b/charts/datadog/ci/gke-gdc-values.yaml @@ -0,0 +1,20 @@ +providers: + gke: + gdc: true + +datadog: + apiKey: "00000000000000000000000000000000" + appKey: "0000000000000000000000000000000000000000" + + apm: + socketEnabled: false + portEnabled: false + + logs: + enabled: true + containerCollectAll: true + containerCollectUsingFiles: true + autoMultiLineDetection: true + + kubeStateMetricsCore: + enabled: true diff --git a/charts/datadog/templates/NOTES.txt b/charts/datadog/templates/NOTES.txt index 9201c6a04..e6002afba 100644 --- a/charts/datadog/templates/NOTES.txt +++ b/charts/datadog/templates/NOTES.txt 
@@ -338,7 +338,7 @@ On GKE Autopilot, only one "datadog" Helm chart release is allowed by Kubernetes ##################################################################### #### WARNING: System Probe is not supported on GKE Autopilot #### ##################################################################### -{{- fail "On GKE Autopilot environments, System Probe is not supported. The option 'datadog.securityAgent.runtime.enabled' must be set 'false'" }} +{{- fail "On GKE Autopilot environments, System Probe is not supported. The option 'datadog.securityAgent.runtime.enabled', 'datadog.securityAgent.runtime.fimEnabled', 'datadog.networkMonitoring.enabled', 'datadog.systemProbe.enableTCPQueueLength', 'datadog.systemProbe.enableOOMKill' and 'datadog.serviceMonitoring.enabled' must be set 'false'" }} {{- end }} @@ -605,5 +605,5 @@ OTel collector is not supported on GKE Autopilot. ################################################################# #### WARNING: Private Beta notice #### ################################################################# -OTel collector is in private beta. Please reach out to your Datadog representative for more information. +OTel collector is in preview. Please reach out to your Datadog representative for more information. {{- end }} diff --git a/charts/datadog/templates/_components-common-env.yaml b/charts/datadog/templates/_components-common-env.yaml index 0a58d9114..0ca7b0363 100644 --- a/charts/datadog/templates/_components-common-env.yaml +++ b/charts/datadog/templates/_components-common-env.yaml @@ -64,4 +64,10 @@ - name: DD_EXCLUDE_PAUSE_CONTAINER value: "false" {{- end }} +{{- if .Values.providers.gke.gdc }} +- name: DD_KUBELET_CLIENT_CRT + value: /certs/tls.crt +- name: DD_KUBELET_CLIENT_KEY + value: /certs/tls.key +{{- end }} {{- end }} diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml index 90200d49e..5219db7ed 100644 --- a/charts/datadog/templates/_container-agent.yaml 
+++ b/charts/datadog/templates/_container-agent.yaml @@ -3,7 +3,7 @@ image: "{{ include "image-path" (dict "root" .Values "image" .Values.agents.image) }}" imagePullPolicy: {{ .Values.agents.image.pullPolicy }} command: ["agent", "run"] -{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.agent.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version "sysAdmin" .Values.datadog.sbom.containerImage.uncompressedLayersSupport) | indent 2 }} +{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.agent.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version "sysAdmin" (and (eq (include "should-enable-sbom-container-image-collection" .) "true") (and .Values.datadog.sbom.containerImage.uncompressedLayersSupport (not .Values.datadog.sbom.containerImage.overlayFSDirectScan)))) | indent 2 }} resources: {{ toYaml .Values.agents.containers.agent.resources | indent 4 }} ports: @@ -121,7 +121,7 @@ - name: DD_HEALTH_PORT {{- $healthPort := .Values.agents.containers.agent.healthPort }} value: {{ $healthPort | quote }} - {{- if eq .Values.targetSystem "linux" }} + {{- if and (eq .Values.targetSystem "linux") (not .Values.providers.gke.gdc) }} - name: DD_DOGSTATSD_SOCKET value: {{ .Values.datadog.dogstatsd.socketPath | quote }} {{- end }} 
@@ -177,11 +177,17 @@ - name: DD_SBOM_CONTAINER_IMAGE_ENABLED value: "true" {{- end }} + {{- if (eq (include "should-enable-sbom-container-image-collection" .) "true") }} {{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} + {{- if .Values.datadog.sbom.containerImage.overlayFSDirectScan }} + - name: DD_SBOM_CONTAINER_IMAGE_OVERLAYFS_DIRECT_SCAN + value: "true" + {{- else }} - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT value: "true" {{- end }} - + {{- end }} + {{- end }} {{- if .Values.datadog.sbom.host.enabled }} - name: DD_SBOM_HOST_ENABLED value: "true" @@ -231,6 +237,7 @@ readOnly: true {{- end }} {{- if eq .Values.targetSystem "linux" }} + {{- if not .Values.providers.gke.gdc }} - name: dsdsocket mountPath: {{ (dir .Values.datadog.dogstatsd.socketPath) }} readOnly: false @@ -256,6 +263,7 @@ mountPath: /etc/passwd readOnly: true {{- end }} + {{- end }} {{- if or .Values.datadog.logs.enabled .Values.datadog.logsEnabled }} - name: pointerdir mountPath: /opt/datadog-agent/run @@ -269,17 +277,20 @@ mountPath: /var/log/containers mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true - {{- if not .Values.datadog.criSocketPath }} + {{- if and (not .Values.datadog.criSocketPath) (not .Values.providers.gke.gdc) }} - name: logdockercontainerpath mountPath: /var/lib/docker/containers mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true {{- end }} {{- end }} - {{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} + {{- if and (eq (include "should-enable-sbom-container-image-collection" .) "true") (or .Values.datadog.sbom.containerImage.uncompressedLayersSupport .Values.datadog.sbom.containerImage.overlayFSDirectScan)}} - name: host-containerd-dir mountPath: /host/var/lib/containerd readOnly: true + - name: host-docker-dir + mountPath: /host/var/lib/docker + readOnly: true {{- end }} {{- if .Values.datadog.sbom.host.enabled }} - name: host-apk-dir 
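Review bot: In the `@@ -269,17 +277,20 @@` hunk the volumeMount condition is now `or uncompressedLayersSupport overlayFSDirectScan`, but the matching volume definitions in `_daemonset-volumes-linux.yaml` (`@@ -147,10 +148,13 @@`) are still gated on `uncompressedLayersSupport` alone, so a release with `overlayFSDirectScan: true` and `uncompressedLayersSupport: false` references `host-containerd-dir` and `host-docker-dir` volumes that are never declared and the DaemonSet is rejected at apply time. Use the same predicate in both templates, e.g. in the volumes file `{{- if and (eq (include "should-enable-sbom-container-image-collection" .) "true") (or .Values.datadog.sbom.containerImage.uncompressedLayersSupport .Values.datadog.sbom.containerImage.overlayFSDirectScan) }}`. Since the direct-scan path now receives both host image-store directories without the `SYS_ADMIN` grant that `_container-agent.yaml` ties to `uncompressedLayersSupport`, a one-line comment above the mounts naming what each path is for would help the next reviewer confirm that read-only access is all the scanner needs.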
@@ -329,6 +340,10 @@ {{- if .Values.datadog.kubelet.hostCAPath }} {{ include "datadog.kubelet.volumeMount" . | indent 4 }} {{- end }} + {{- if .Values.providers.gke.gdc }} + - name: kubelet-cert-volume + mountPath: /certs + {{- end }} {{- if .Values.agents.volumeMounts }} {{ toYaml .Values.agents.volumeMounts | indent 4 }} {{- end }} diff --git a/charts/datadog/templates/_container-cri-volumemounts.yaml b/charts/datadog/templates/_container-cri-volumemounts.yaml index fa85ce44e..af88ed5f3 100644 --- a/charts/datadog/templates/_container-cri-volumemounts.yaml +++ b/charts/datadog/templates/_container-cri-volumemounts.yaml @@ -1,5 +1,5 @@ {{- define "container-crisocket-volumemounts" -}} -{{- if .Values.datadog.containerRuntimeSupport.enabled }} +{{- if (eq (include "container-runtime-support-enabled" .) "true") }} {{- if eq .Values.targetSystem "linux" }} - name: runtimesocketdir mountPath: {{ print "/host/" (dir (include "datadog.dockerOrCriSocketPath" .)) | clean }} diff --git a/charts/datadog/templates/_container-host-release-volumemounts.yaml b/charts/datadog/templates/_container-host-release-volumemounts.yaml index 7e3ad1ac4..b775b7953 100644 --- a/charts/datadog/templates/_container-host-release-volumemounts.yaml +++ b/charts/datadog/templates/_container-host-release-volumemounts.yaml @@ -1,4 +1,5 @@ {{- define "linux-container-host-release-volumemounts" -}} +{{- if not .Values.providers.gke.gdc }} {{- if eq (include "should-enable-system-probe" .) "true" }} - name: os-release-file mountPath: /host{{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }} @@ -9,3 +10,4 @@ readOnly: true {{- end }} {{- end }} +{{- end }} diff --git a/charts/datadog/templates/_container-trace-agent.yaml b/charts/datadog/templates/_container-trace-agent.yaml index c14094a09..66130e2f1 100644 --- a/charts/datadog/templates/_container-trace-agent.yaml +++ b/charts/datadog/templates/_container-trace-agent.yaml 
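Review bot: The new `kubelet-cert-volume` mount omits `readOnly: true`, unlike the neighbouring `datadog.kubelet.volumeMount` and most other mounts in this file; Kubernetes mounts Secret volumes read-only regardless, but the explicit flag keeps the file consistent and makes the intent reviewable, so add `readOnly: true` after `mountPath: /certs`. The `/certs` path must also stay in step with `DD_KUBELET_CLIENT_CRT`/`DD_KUBELET_CLIENT_KEY` in `_components-common-env.yaml`, which is worth a template comment such as `{{/* must match DD_KUBELET_CLIENT_CRT/KEY in _components-common-env.yaml */}}`. The enclosing volumeMounts list starts outside the hunk.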
@@ -86,7 +86,7 @@ readOnly: true {{- end }} {{- if eq .Values.targetSystem "linux" }} - {{- if not .Values.providers.gke.autopilot }} + {{- if not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc) }} - name: procdir mountPath: /host/proc mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} @@ -99,6 +99,7 @@ - name: tmpdir mountPath: /tmp readOnly: false # Need RW for tmp directory + {{- if not .Values.providers.gke.gdc }} - name: dsdsocket mountPath: {{ (dir .Values.datadog.dogstatsd.socketPath) }} readOnly: false # Need RW for UDS DSD socket @@ -109,6 +110,7 @@ {{- end }} {{- end }} {{- include "container-crisocket-volumemounts" . | nindent 4 }} + {{- end }} {{- include "container-cloudinit-volumemounts" . | nindent 4 }} {{- if .Values.datadog.kubelet.hostCAPath }} {{ include "datadog.kubelet.volumeMount" . | indent 4 }} diff --git a/charts/datadog/templates/_containers-common-env.yaml b/charts/datadog/templates/_containers-common-env.yaml index faa496348..84428aeb1 100644 --- a/charts/datadog/templates/_containers-common-env.yaml +++ b/charts/datadog/templates/_containers-common-env.yaml @@ -30,6 +30,15 @@ - name: DD_KUBERNETES_HTTPS_KUBELET_PORT value: "0" {{- end }} +{{- if .Values.providers.gke.gdc }} +- name: DD_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName +- name: DD_HOSTNAME + value: "$(DD_NODE_NAME)-$(DD_CLUSTER_NAME)" +{{- end }} {{- if eq .Values.targetSystem "linux" }} {{- if .Values.providers.eks.ec2.useHostnameFromFile }} - name: DD_HOSTNAME_FILE @@ -116,7 +125,7 @@ {{- end }} {{- end }} {{- else }} # No support for env AD -{{- if .Values.datadog.containerRuntimeSupport.enabled }} +{{- if (eq (include "container-runtime-support-enabled" .) "true") }} {{- if or .Values.providers.gke.autopilot .Values.datadog.criSocketPath }} - name: DD_CRI_SOCKET_PATH value: {{ print "/host/" (include "datadog.dockerOrCriSocketPath" .) | clean }} 
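Review bot: `DD_HOSTNAME` is composed as `"$(DD_NODE_NAME)-$(DD_CLUSTER_NAME)"`, and Kubernetes only expands `$(VAR)` references to variables that appear earlier in the same container's `env` list; `DD_NODE_NAME` is defined just above, but `DD_CLUSTER_NAME` is not defined in this hunk, so if it is emitted later in the list (or is absent on a GDC install) the agent reports a hostname containing the literal text `$(DD_CLUSTER_NAME)`. I cannot see where `DD_CLUSTER_NAME` is rendered from here, so either move this block after that entry or record the ordering dependency in place, e.g. `{{/* DD_CLUSTER_NAME must precede this entry for $(...) expansion to work */}}`. The enclosing template starts outside the hunk.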
diff --git a/charts/datadog/templates/_containers-init-linux.yaml b/charts/datadog/templates/_containers-init-linux.yaml index 089555505..fd0636250 100644 --- a/charts/datadog/templates/_containers-init-linux.yaml +++ b/charts/datadog/templates/_containers-init-linux.yaml @@ -1,7 +1,7 @@ {{- define "containers-init-linux" -}} - name: init-volume {{- if not .Values.providers.gke.autopilot }} -{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.initContainers.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | indent 2 }} +{{- include "generate-security-context" (dict "securityContext" .Values.agents.containers.initContainers.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | indent 2 }} {{- end }} image: "{{ include "image-path" (dict "root" .Values "image" .Values.agents.image) }}" imagePullPolicy: {{ .Values.agents.image.pullPolicy }} @@ -16,7 +16,7 @@ {{ toYaml .Values.agents.containers.initContainers.resources | indent 4 }} - name: init-config {{- if not .Values.providers.gke.autopilot }} -{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.initContainers.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | indent 2 }} +{{- include "generate-security-context" (dict "securityContext" .Values.agents.containers.initContainers.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | indent 2 }} {{- end }} image: "{{ include "image-path" (dict "root" .Values "image" .Values.agents.image) }}" imagePullPolicy: {{ .Values.agents.image.pullPolicy }} 
@@ -26,9 +26,6 @@ args: - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done volumeMounts: - - name: logdatadog - mountPath: {{ template "datadog.logDirectoryPath" . }} - readOnly: false # Need RW to write logs - name: config mountPath: /etc/datadog-agent readOnly: false # Need RW for config path @@ -42,11 +39,16 @@ mountPath: /checks.d readOnly: true {{- end }} + {{- if not .Values.providers.gke.gdc }} + - name: logdatadog + mountPath: {{ template "datadog.logDirectoryPath" . }} + readOnly: false # Need RW to write logs - name: procdir mountPath: /host/proc mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true {{- include "container-crisocket-volumemounts" . | nindent 4 }} + {{- end }} {{- if eq (include "should-enable-system-probe" .) "true" }} - name: sysprobe-config mountPath: /etc/datadog-agent/system-probe.yaml diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml index 39ce80f63..de1e13924 100644 --- a/charts/datadog/templates/_daemonset-volumes-linux.yaml +++ b/charts/datadog/templates/_daemonset-volumes-linux.yaml @@ -3,6 +3,14 @@ emptyDir: {} - name: tmpdir emptyDir: {} +- name: s6-run + emptyDir: {} +{{- if (or (.Values.datadog.confd) (.Values.datadog.autoconf)) }} +- name: confd + configMap: + name: {{ include "agents.confd-configmap-name" . }} +{{- end }} +{{- if not .Values.providers.gke.gdc }} - hostPath: path: /proc name: procdir @@ -58,13 +66,6 @@ type: DirectoryOrCreate name: apmsocket {{- end }} -- name: s6-run - emptyDir: {} -{{- if (or (.Values.datadog.confd) (.Values.datadog.autoconf)) }} -- name: confd - configMap: - name: {{ include "agents.confd-configmap-name" . }} -{{- end }} {{- if eq (include "should-enable-system-probe" .) "true" }} - name: sysprobe-config configMap: 
@@ -147,10 +148,13 @@ path: / name: hostroot {{- end }} -{{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} +{{- if and (eq (include "should-enable-sbom-container-image-collection" .) "true") .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} - hostPath: path: /var/lib/containerd name: host-containerd-dir +- hostPath: + path: /var/lib/docker + name: host-docker-dir {{- end }} {{- if .Values.datadog.sbom.host.enabled }} - hostPath: @@ -180,6 +184,12 @@ name: {{ .Values.datadog.securityAgent.runtime.policies.configMap }} {{- end }} {{- end }} +{{- if (eq (include "container-runtime-support-enabled" .) "true") }} +- hostPath: + path: {{ dir (include "datadog.dockerOrCriSocketPath" .) }} + name: runtimesocketdir +{{- end }} +{{- end }} {{- if or .Values.datadog.logs.enabled .Values.datadog.logsEnabled }} - hostPath: path: {{ template "datadog.hostMountRoot" . }}/logs @@ -190,15 +200,15 @@ - hostPath: path: /var/log/containers name: logscontainerspath -{{- if not .Values.datadog.criSocketPath }} +{{- if and (not .Values.datadog.criSocketPath) (not .Values.providers.gke.gdc) }} - hostPath: path: /var/lib/docker/containers name: logdockercontainerpath {{- end }} {{- end }} -{{- if .Values.datadog.containerRuntimeSupport.enabled }} -- hostPath: - path: {{ dir (include "datadog.dockerOrCriSocketPath" .) }} - name: runtimesocketdir +{{- if .Values.providers.gke.gdc }} +- secret: + secretName: datadog-kubelet-cert + name: kubelet-cert-volume {{- end }} {{- end -}} diff --git a/charts/datadog/templates/_daemonset-volumes-windows.yaml b/charts/datadog/templates/_daemonset-volumes-windows.yaml index 39598e91b..55a606065 100644 --- a/charts/datadog/templates/_daemonset-volumes-windows.yaml +++ b/charts/datadog/templates/_daemonset-volumes-windows.yaml 
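Review bot: In the `@@ -190,15 +200,15 @@` hunk the kubelet client certificate is read from a hard-coded Secret name, `secretName: datadog-kubelet-cert`, which no chart value controls and which this diff neither creates nor documents, so a GDC install fails at pod start if the Secret is missing and an operator cannot point the chart at a Secret with a different name or a different key layout. Expose the name as a chart value under `providers.gke` and document the prerequisite (release namespace, `tls.crt`/`tls.key` keys, consumed via `DD_KUBELET_CLIENT_CRT`/`DD_KUBELET_CLIENT_KEY`) in the values comment and NOTES.txt; until then, a template comment next to the volume stating those requirements would at least make the failure mode diagnosable. The `{{- end }}` added in the `@@ -180,6 +184,12 @@` hunk closes the `{{- if not .Values.providers.gke.gdc }}` opened in an earlier hunk, which is hard to follow across hunks; a trailing `{{/* end: not gdc */}}` marker would help.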
@@ -21,7 +21,7 @@ path: C:/ProgramData name: logdockercontainerpath {{- end }} -{{- if .Values.datadog.containerRuntimeSupport.enabled }} +{{- if (eq (include "container-runtime-support-enabled" .) "true") }} - hostPath: path: {{ template "datadog.dockerOrCriSocketPath" . }} name: runtimesocket diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl index 2060ada51..3a3eeced0 100644 --- a/charts/datadog/templates/_helpers.tpl +++ b/charts/datadog/templates/_helpers.tpl @@ -10,7 +10,7 @@ {{- $version = "6.55.1" -}} {{- end -}} {{- if and (eq $length 1) (or (eq $version "7") (eq $version "latest")) -}} -{{- $version = "7.55.1" -}} +{{- $version = "7.58.1" -}} {{- end -}} {{- $version -}} {{- end -}} @@ -110,7 +110,7 @@ Create chart name and version as used by the chart label. Return true if the OTelAgent needs to be deployed */}} {{- define "should-enable-otel-agent" -}} -{{- if and .Values.datadog.otelCollector.enabled -}} +{{- if and .Values.datadog.otelCollector.enabled (not .Values.providers.gke.gdc) -}} true {{- else -}} false @@ -237,6 +237,8 @@ Return agent host mount root {{- define "datadog.hostMountRoot" -}} {{- if .Values.providers.gke.autopilot -}} /var/autopilot/addon/datadog +{{- else if .Values.providers.gke.gdc -}} +/var/datadog {{- else -}} /var/lib/datadog-agent {{- end -}} @@ -340,7 +342,7 @@ false Return true if the system-probe container should be created. */}} {{- define "should-enable-system-probe" -}} -{{- if and (not .Values.providers.gke.autopilot) (eq (include "system-probe-feature" .) "true") (eq .Values.targetSystem "linux") -}} +{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc )) (eq (include "system-probe-feature" .) "true") (eq .Values.targetSystem "linux") -}} true {{- else -}} false 
@@ -363,7 +365,7 @@ false Return true if the fips side car container should be created. */}} {{- define "should-enable-fips" -}} -{{- if and (not .Values.providers.gke.autopilot) (eq .Values.targetSystem "linux") .Values.fips.enabled -}} +{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc )) (eq .Values.targetSystem "linux") .Values.fips.enabled -}} true {{- else -}} false @@ -385,7 +387,7 @@ false Return true if the security-agent container should be created. */}} {{- define "should-enable-security-agent" -}} -{{- if and (not .Values.providers.gke.autopilot) (eq .Values.targetSystem "linux") (eq (include "security-agent-feature" .) "true") -}} +{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc )) (eq .Values.targetSystem "linux") (eq (include "security-agent-feature" .) "true") -}} true {{- else -}} false @@ -396,7 +398,7 @@ false Return true if the compliance features should be enabled. */}} {{- define "should-enable-compliance" -}} -{{- if and (not .Values.providers.gke.autopilot) (eq .Values.targetSystem "linux") .Values.datadog.securityAgent.compliance.enabled -}} +{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc )) (eq .Values.targetSystem "linux") .Values.datadog.securityAgent.compliance.enabled -}} true {{- else -}} false @@ -407,7 +409,7 @@ false Return true if the runtime security features should be enabled. */}} {{- define "should-enable-runtime-security" -}} -{{- if and (not .Values.providers.gke.autopilot) (or .Values.datadog.securityAgent.runtime.enabled .Values.datadog.securityAgent.runtime.fimEnabled) -}} +{{- if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc)) (or .Values.datadog.securityAgent.runtime.enabled .Values.datadog.securityAgent.runtime.fimEnabled) -}} true {{- else -}} false 
@@ -420,7 +422,7 @@ Return true if the hostPid features should be enabled for the Agent pod. {{- define "should-enable-host-pid" -}} {{- if eq .Values.targetSystem "windows" -}} false -{{- else if and (not .Values.providers.gke.autopilot) (or (eq (include "should-enable-compliance" .) "true") .Values.datadog.dogstatsd.useHostPID .Values.datadog.useHostPID) -}} +{{- else if and (not (or .Values.providers.gke.autopilot .Values.providers.gke.gdc)) (or (eq (include "should-enable-compliance" .) "true") .Values.datadog.dogstatsd.useHostPID .Values.datadog.useHostPID) -}} true {{- else -}} false @@ -474,10 +476,10 @@ false {{- end -}} {{/* -Return true hostPath should be use for DSD socket. Return always false on GKE autopilot. +Return true hostPath should be use for DSD socket. Return always false on GKE autopilot or GDC. */}} {{- define "should-mount-hostPath-for-dsd-socket" -}} -{{- if or .Values.providers.gke.autopilot (eq .Values.targetSystem "windows") -}} +{{- if or .Values.providers.gke.autopilot .Values.providers.gke.gdc (eq .Values.targetSystem "windows") -}} false {{- end -}} {{- if .Values.datadog.dogstatsd.useSocketVolume -}} @@ -488,13 +490,13 @@ false {{- end -}} {{/* -Return true if a APM over UDS is configured. Return always false on GKE autopilot. +Return true if a APM over UDS is configured. Return always false on GKE Autopilot or Google Distributed Cloud. */}} {{- define "trace-agent-use-uds" -}} -{{- if or .Values.providers.gke.autopilot (eq .Values.targetSystem "windows") -}} +{{- if or .Values.providers.gke.autopilot .Values.providers.gke.gdc (eq .Values.targetSystem "windows") -}} false {{- end -}} -{{- if or .Values.datadog.apm.socketEnabled .Values.datadog.apm.useSocketVolume -}} +{{- if and (or .Values.datadog.apm.socketEnabled .Values.datadog.apm.useSocketVolume) (not .Values.providers.gke.gdc) -}} true {{- else -}} false 
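Review bot: In `trace-agent-use-uds` (`@@ -488,13 +490,13 @@`) the GDC check is applied twice: once in the leading `{{- if or .Values.providers.gke.autopilot .Values.providers.gke.gdc (eq .Values.targetSystem "windows") -}}` branch, and again as `(not .Values.providers.gke.gdc)` in the second condition. The duplication exists because the first `if` has no `else` and does not end evaluation, so on Autopilot or Windows the helper still emits `false` followed by the second branch's output; callers comparing against `"true"` happen to get the right answer, but the structure is misleading. Folding both into one `if`/`else if`/`else` chain, as `should-enable-system-probe` in the previous hunk does, removes the redundant term and makes the result a single token.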
@@ -542,6 +544,9 @@ Returns provider kind {{- if .Values.providers.gke.autopilot -}} gke-autopilot {{- end -}} +{{- if .Values.providers.gke.gdc -}} +gke-gdc +{{- end -}} {{- end -}} {{/* @@ -854,7 +859,7 @@ In 7.36, `--config` was deprecated and `--cfgpath` should be used instead. {{/* Returns whether or not the underlying OS is Google Container-Optimized-OS -Note: GKE Autopilot clusters only use COS (see https://cloud.google.com/kubernetes-engine/docs/concepts/node-images) +Note: GKE Autopilot only use COS (see https://cloud.google.com/kubernetes-engine/docs/concepts/node-images) */}} {{- define "can-mount-host-usr-src" -}} {{- if or .Values.providers.gke.autopilot .Values.providers.gke.cos -}} @@ -868,7 +873,7 @@ false Returns whether Remote Configuration should be enabled in the agent */}} {{- define "datadog-remoteConfiguration-enabled" -}} -{{- if and (.Values.remoteConfiguration.enabled) (.Values.datadog.remoteConfiguration.enabled) -}} +{{- if and (.Values.remoteConfiguration.enabled) (.Values.datadog.remoteConfiguration.enabled) (not .Values.providers.gke.gdc ) -}} true {{- else -}} false @@ -879,7 +884,7 @@ false Returns whether Remote Configuration should be enabled in the cluster agent */}} {{- define "clusterAgent-remoteConfiguration-enabled" -}} -{{- if and .Values.remoteConfiguration.enabled (or .Values.clusterAgent.admissionController.remoteInstrumentation.enabled (((.Values.datadog.autoscaling).workload).enabled)) -}} +{{- if and .Values.remoteConfiguration.enabled (or .Values.clusterAgent.admissionController.remoteInstrumentation.enabled (((.Values.datadog.autoscaling).workload).enabled)) (not .Values.providers.gke.gdc ) -}} true {{- else -}} false 
@@ -902,11 +907,22 @@ Create RBACs for custom resources {{- end }} {{- end }} +{{/* + Return true if Container Runtime Support is enabled +*/}} +{{- define "container-runtime-support-enabled" -}} + {{- if and .Values.datadog.containerRuntimeSupport.enabled (not .Values.providers.gke.gdc) -}} + true + {{- else -}} + false + {{- end -}} +{{- end -}} + {{/* Return true if container image collection is enabled */}} {{- define "should-enable-container-image-collection" -}} - {{- if and (not .Values.datadog.containerRuntimeSupport.enabled) (or .Values.datadog.containerImageCollection.enabled .Values.datadog.sbom.containerImage.enabled) -}} + {{- if and (not (include "container-runtime-support-enabled" .)) (or .Values.datadog.containerImageCollection.enabled .Values.datadog.sbom.containerImage.enabled) -}} {{- fail "Container runtime support has to be enabled for container image collection to work. Please enable it using `datadog.containerRuntimeSupport.enabled`." -}} {{- end -}} {{- if or .Values.datadog.containerImageCollection.enabled .Values.datadog.sbom.containerImage.enabled -}} @@ -945,6 +961,9 @@ Create RBACs for custom resources Return true if any process-related check is enabled */}} {{- define "process-checks-enabled" -}} + {{- if .Values.providers.gke.gdc }} + false + {{- end -}} {{- if or .Values.datadog.processAgent.containerCollection .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery (eq (include "language-detection-enabled" .) "true") -}} true {{- else -}} 
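Review bot: `(not (include "container-runtime-support-enabled" .))` in `should-enable-container-image-collection` can never be true: `include` returns the strings `"true"` or `"false"`, both non-empty and therefore truthy, so `not` yields false in either case and the `fail` guard that previously fired when runtime support was disabled has become dead code. Compare against the string as every other call site in this commit does: `{{- if and (ne (include "container-runtime-support-enabled" .) "true") (or .Values.datadog.containerImageCollection.enabled .Values.datadog.sbom.containerImage.enabled) -}}`. Note that with the new helper this guard would also trip on GDC whenever SBOM or image collection is enabled, which may be the intended behaviour but is worth confirming.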
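Review bot: The `{{- if .Values.providers.gke.gdc }} false {{- end -}}` prelude added to `process-checks-enabled` in the `@@ -945,6 +961,9 @@` hunk does not stop evaluation, so on GDC the helper emits `false` concatenated with whatever the following `if or ... true/false` branch produces; callers testing `eq ... "true"` get a false result only because the concatenation is not exactly `"true"`. The same pattern is repeated in `should-run-process-checks-on-core-agent` and `should-enable-process-agent` in the next hunks. Wrap the existing logic in an `{{- else -}}` branch of the GDC check so each helper renders a single token, and keep the `-}}` trim on the opening tag (`{{- if .Values.providers.gke.gdc -}}`), which the `process-checks-enabled` copy is missing.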
@@ -967,11 +986,14 @@ Create RBACs for custom resources Returns true if process-related checks should run on the core agent. */}} {{- define "should-run-process-checks-on-core-agent" -}} + {{- if .Values.providers.gke.gdc -}} + false + {{- end -}} {{- if ne .Values.targetSystem "linux" -}} false {{- else if (ne (include "get-process-checks-in-core-agent-envvar" .) "") -}} {{- include "get-process-checks-in-core-agent-envvar" . -}} - {{- else if and (not .Values.agents.image.doNotCheckTag) .Values.datadog.processAgent.runInCoreAgent (semverCompare ">=7.53.0-0" (include "get-agent-version" .)) -}} + {{- else if and (not .Values.agents.image.doNotCheckTag) .Values.datadog.processAgent.runInCoreAgent (semverCompare ">=7.57.0-0" (include "get-agent-version" .)) -}} true {{- else -}} false @@ -982,6 +1004,9 @@ Create RBACs for custom resources Returns true if the process-agent container should be created. */}} {{- define "should-enable-process-agent" -}} + {{- if .Values.providers.gke.gdc -}} + false + {{- end -}} {{- if or .Values.datadog.networkMonitoring.enabled .Values.datadog.serviceMonitoring.enabled -}} true {{- else if and (not .Values.agents.image.doNotCheckTag) (eq (include "should-enable-k8s-resource-monitoring" .) "true") (semverCompare "<=7.51.0-0" (include "get-agent-version" .)) -}} diff --git a/charts/datadog/templates/_processes-common-env.yaml b/charts/datadog/templates/_processes-common-env.yaml index 41f723d26..65fcd07f8 100644 --- a/charts/datadog/templates/_processes-common-env.yaml +++ b/charts/datadog/templates/_processes-common-env.yaml @@ -1,5 +1,6 @@ # Defines set of environment variables for Processes-related checks. {{- define "processes-common-envs" -}} +{{- if not .Values.providers.gke.gdc }} - name: DD_PROCESS_CONFIG_PROCESS_COLLECTION_ENABLED value: {{ .Values.datadog.processAgent.processCollection | quote }} - name: DD_PROCESS_CONFIG_CONTAINER_COLLECTION_ENABLED 
@@ -11,5 +12,6 @@ {{- if and (eq .Values.targetSystem "linux") (eq (include "get-process-checks-in-core-agent-envvar" .) "") }} - name: DD_PROCESS_CONFIG_RUN_IN_CORE_AGENT_ENABLED value: {{ (include "should-run-process-checks-on-core-agent" .) | quote }} -{{- end }} +{{- end }} +{{- end }} {{- end -}} diff --git a/charts/datadog/templates/agent-clusterchecks-deployment.yaml b/charts/datadog/templates/agent-clusterchecks-deployment.yaml index 07696c35b..6ae0de1c5 100644 --- a/charts/datadog/templates/agent-clusterchecks-deployment.yaml +++ b/charts/datadog/templates/agent-clusterchecks-deployment.yaml @@ -78,6 +78,10 @@ spec: command: ["bash", "-c"] args: - cp -r /etc/datadog-agent /opt +{{- if .Values.clusterChecksRunner.containers.initContainers.securityContext }} + securityContext: +{{ toYaml .Values.clusterChecksRunner.containers.initContainers.securityContext | indent 10 }} +{{- end }} volumeMounts: - name: config mountPath: /opt/datadog-agent @@ -90,6 +94,10 @@ spec: command: ["bash", "-c"] args: - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done +{{- if .Values.clusterChecksRunner.containers.initContainers.securityContext }} + securityContext: +{{ toYaml .Values.clusterChecksRunner.containers.initContainers.securityContext | indent 10 }} +{{- end }} volumeMounts: - name: config mountPath: /etc/datadog-agent @@ -109,7 +117,7 @@ spec: image: "{{ include "image-path" (dict "root" .Values "image" .Values.clusterChecksRunner.image) }}" command: ["bash", "-c"] args: - - rm -rf /etc/datadog-agent/conf.d && touch /etc/datadog-agent/datadog.yaml && exec agent run + - find /etc/datadog-agent/conf.d/ -name "*.yaml.default" -type f -delete && touch /etc/datadog-agent/datadog.yaml && exec agent run imagePullPolicy: {{ .Values.clusterChecksRunner.image.pullPolicy }} {{- if .Values.clusterChecksRunner.ports }} ports: 
@@ -177,6 +185,10 @@ spec: {{- include "additional-env-dict-entries" .Values.clusterChecksRunner.envDict | indent 10 }} resources: {{ toYaml .Values.clusterChecksRunner.resources | indent 10 }} +{{- if .Values.clusterChecksRunner.containers.agent.securityContext }} + securityContext: +{{ toYaml .Values.clusterChecksRunner.containers.agent.securityContext | indent 10 }} +{{- end }} volumeMounts: - name: installinfo subPath: install_info diff --git a/charts/datadog/templates/cluster-agent-rbac.yaml b/charts/datadog/templates/cluster-agent-rbac.yaml index dd6c22cf3..e02be2434 100644 --- a/charts/datadog/templates/cluster-agent-rbac.yaml +++ b/charts/datadog/templates/cluster-agent-rbac.yaml @@ -272,16 +272,17 @@ rules: - namespaces verbs: - list -{{- if and .Values.clusterAgent.podSecurity.podSecurityPolicy.create (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} - apiGroups: - "policy" resources: + - poddisruptionbudgets + {{- if and .Values.clusterAgent.podSecurity.podSecurityPolicy.create (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} - podsecuritypolicies + {{- end }} verbs: - get - list - watch -{{- end }} - apiGroups: - rbac.authorization.k8s.io resources: diff --git a/charts/datadog/templates/daemonset.yaml b/charts/datadog/templates/daemonset.yaml index ba95268cf..45dc64663 100644 --- a/charts/datadog/templates/daemonset.yaml +++ b/charts/datadog/templates/daemonset.yaml 
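Review bot: In the `@@ -272,16 +272,17 @@` hunk the cluster agent's ClusterRole gains unconditional `get`/`list`/`watch` on `poddisruptionbudgets` in the `policy` API group; before this change the rule listed only `podsecuritypolicies` and existed only behind the PSP gate, so this is a new, always-present permission that nothing in the diff explains. If a specific feature consumes it, gate the resource on that feature's flag the way the surrounding rules are gated, or at least add a comment naming the consumer, e.g. `# poddisruptionbudgets: read by <feature — fill in> regardless of the PSP setting`. The CHANGELOG entry for this release should mention the widened role so operators reviewing RBAC drift can attribute it.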
@@ -62,7 +62,7 @@ spec: container.seccomp.security.alpha.kubernetes.io/system-probe: {{ .Values.datadog.systemProbe.seccomp }} {{- end }} {{- end }} - {{- if and .Values.agents.podSecurity.apparmor.enabled .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} + {{- if and .Values.agents.podSecurity.apparmor.enabled (eq (include "should-enable-sbom-container-image-collection" .) "true") .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} container.apparmor.security.beta.kubernetes.io/agent: unconfined {{- end }} {{- if .Values.agents.podAnnotations }} @@ -73,7 +73,7 @@ spec: shareProcessNamespace: {{ .Values.agents.shareProcessNamespace }} {{- end }} {{- if .Values.datadog.securityContext -}} - {{ include "generate-security-context" (dict "securityContext" .Values.datadog.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version ) | nindent 6 }} + {{ include "generate-security-context" (dict "securityContext" .Values.datadog.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | nindent 6 }} {{- else if or .Values.agents.podSecurity.podSecurityPolicy.create .Values.agents.podSecurity.securityContextConstraints.create -}} {{- if .Values.agents.podSecurity.securityContext }} {{- if .Values.agents.podSecurity.securityContext.seLinuxOptions }} @@ -139,7 +139,7 @@ spec: {{ include "containers-init-windows" . | nindent 6 }} {{- end }} {{- if eq .Values.targetSystem "linux" }} - {{ include "containers-init-linux" . | nindent 6 }} + {{- include "containers-init-linux" . | nindent 6 -}} {{- end }} {{- if and (eq (include "should-enable-system-probe" .) "true") (eq .Values.datadog.systemProbe.seccomp "localhost/system-probe") }} {{ include "system-probe-init" . | nindent 6 }} diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml index 136a53f74..d38cba42a 100644 --- a/charts/datadog/values.yaml 
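Review bot: The AppArmor `unconfined` annotation is still keyed on `uncompressedLayersSupport` alone, while the `sysAdmin` argument in `_container-agent.yaml` in this same commit is `and uncompressedLayersSupport (not overlayFSDirectScan)`; with `overlayFSDirectScan: true` the agent container therefore loses `SYS_ADMIN` but keeps running unconfined, which looks unintended. Mirror the predicate: `{{- if and .Values.agents.podSecurity.apparmor.enabled (eq (include "should-enable-sbom-container-image-collection" .) "true") .Values.datadog.sbom.containerImage.uncompressedLayersSupport (not .Values.datadog.sbom.containerImage.overlayFSDirectScan) }}`. Because values.yaml now defaults `uncompressedLayersSupport` to `true`, enabling SBOM container image collection lifts AppArmor confinement and adds `SYS_ADMIN` out of the box, which deserves a line in the chart CHANGELOG.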
+++ b/charts/datadog/values.yaml @@ -546,22 +546,6 @@ datadog: iast: # datadog.asm.iast.enabled -- Enable Application Security Management Interactive Application Security Testing by injecting `DD_IAST_ENABLED=true` environment variable to all pods in the cluster enabled: false - - ## OTel collector related configuration - otelCollector: - # datadog.otelCollector.enabled -- Enable the OTel Collector - enabled: false - # datadog.otelCollector.ports -- Ports that OTel Collector is listening - ports: - - # Default GRPC port of OTLP receiver - - containerPort: "4317" - name: otel-grpc - # Default HTTP port of OTLP receiver - - containerPort: "4318" - name: otel-http - # datadog.otelCollector.config -- OTel collector configuration - config: {} ## OTLP ingest related configuration otlp: receiver: @@ -586,6 +570,23 @@ datadog: logs: # datadog.otlp.logs.enabled -- Enable logs support in the OTLP ingest endpoint enabled: false + ## OTel collector is currently in preview. Please reach out to your Datadog representative for more information. + ## OTLP Ingest is the GA feature for sending OTLP data to Datadog Agent. + ## OTel collector related configuration + otelCollector: + # datadog.otelCollector.enabled -- Enable the OTel Collector + enabled: false + # datadog.otelCollector.ports -- Ports that OTel Collector is listening + ports: + + # Default GRPC port of OTLP receiver + - containerPort: "4317" + name: otel-grpc + # Default HTTP port of OTLP receiver + - containerPort: "4318" + name: otel-http + # datadog.otelCollector.config -- OTel collector configuration + config: null ## Continuous Profiler configuration ## 
@@ -684,7 +685,7 @@ datadog: processDiscovery: true # datadog.processAgent.runInCoreAgent -- Set this to true to run the following features in the core agent: Live Processes, Live Containers, Process Discovery. - ## This is an experimental feature requiring Agent 7.53.0+ and Linux. Currently not compatible with APM Single Step Instrumentation. + ## This requires Agent 7.57.0+ and Linux. runInCoreAgent: false # datadog.processAgent.containerCollection -- Set this to true to enable container collection @@ -821,7 +822,12 @@ datadog: # This should be set to true when using EKS, GKE or if containerd is configured to # discard uncompressed layers. # This feature will cause the SYS_ADMIN capability to be added to the Agent container. - uncompressedLayersSupport: false + # Setting this to false could cause a high error rate when generating SBOMs due to missing uncompressed layer. + # See https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/vulnerabilities/#uncompressed-container-image-layers + uncompressedLayersSupport: true + + # datadog.sbom.containerImage.overlayFSDirectScan -- Use experimental overlayFS direct scan + overlayFSDirectScan: false host: # datadog.sbom.host.enabled -- Enable SBOM collection for host filesystems @@ -1002,7 +1008,7 @@ clusterAgent: name: cluster-agent # clusterAgent.image.tag -- Cluster Agent image tag to use - tag: 7.57.2 + tag: 7.59.0 # clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified digest: "" @@ -1505,7 +1511,7 @@ agents: name: agent # agents.image.tag -- Define the Agent version to use - tag: 7.57.2 + tag: 7.59.0 # agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified digest: "" 
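Review bot: Flipping `uncompressedLayersSupport` to `true` widens the default privilege footprint: the retained comment above it says the setting adds SYS_ADMIN to the agent container, and the template hunk earlier in this diff also keys the AppArmor `unconfined` annotation on it, so anyone who turns on SBOM container-image collection now gets both grants by default rather than by opting in. The new comment only describes the error-rate trade-off; it should state the privilege consequence and the way out, e.g. `# NOTE: true is now the default. With SBOM container image collection enabled this grants SYS_ADMIN (and AppArmor unconfined when agents.podSecurity.apparmor.enabled) to the agent container; set to false where the agent must stay unprivileged.` The new `overlayFSDirectScan` key says only "experimental" and nothing about what it scans, which host mounts or capabilities it needs, or whether it is meant to replace `uncompressedLayersSupport`; a one-line description of the mechanism and its requirements belongs next to it. I cannot tell from this diff how the two flags interact in the template.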
@@ -2011,7 +2017,7 @@ clusterChecksRunner: name: agent # clusterChecksRunner.image.tag -- Define the Agent version to use - tag: 7.57.2 + tag: 7.59.0 # clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified digest: "" @@ -2222,6 +2228,14 @@ clusterChecksRunner: # clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods. securityContext: {} + containers: + agent: + # clusterChecksRunner.containers.agent.securityContext -- Specify securityContext on the agent container + securityContext: {} + initContainers: + # clusterChecksRunner.containers.initContainers.securityContext -- Specify securityContext on the init containers + securityContext: {} + # clusterChecksRunner.ports -- Allows to specify extra ports (hostPorts for instance) for this container ports: [] @@ -2271,6 +2285,9 @@ providers: # providers.gke.cos -- Enables Datadog Agent deployment on GKE with Container-Optimized OS (COS) cos: false + # providers.gke.gdc -- Enables Datadog Agent deployment on GKE on Google Distributed Cloud (GDC) + gdc: false + eks: ec2: # providers.eks.ec2.useHostnameFromFile -- Use hostname from EC2 filesystem instead of fetching from metadata endpoint. diff --git a/charts/observability-pipelines-worker/CHANGELOG.md b/charts/observability-pipelines-worker/CHANGELOG.md index 5b0a92a21..aac9b3464 100644 --- a/charts/observability-pipelines-worker/CHANGELOG.md +++ b/charts/observability-pipelines-worker/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 2.2.1 + +* Official image `2.2.1` + ## 2.2.0 * Official image `2.2.0` diff --git a/charts/observability-pipelines-worker/Chart.yaml b/charts/observability-pipelines-worker/Chart.yaml index 0e4de305c..757f49855 100644 --- a/charts/observability-pipelines-worker/Chart.yaml +++ b/charts/observability-pipelines-worker/Chart.yaml 
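Review bot: The two new `securityContext: {}` values under `clusterChecksRunner.containers` do not say how they relate to the pod-level `clusterChecksRunner.securityContext` directly above, which is a PodSecurityContext; in Kubernetes, container-level securityContext fields take precedence over pod-level ones for overlapping settings (runAsUser, runAsGroup, seLinuxOptions, seccompProfile), and that precedence is exactly what someone hardening the runner needs to know. Suggest `# clusterChecksRunner.containers.agent.securityContext -- Specify securityContext on the agent container; overlapping fields override the pod-level clusterChecksRunner.securityContext` and the same wording for `initContainers`. The shape is also uneven — `containers.agent` names one container while `containers.initContainers` names a group — so it is worth confirming it matches how the `agents` section of this chart exposes the same knobs. The templates that consume these values are not in this diff, so I cannot confirm init containers actually render them.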
@@ -1,6 +1,6 @@ apiVersion: v2 name: observability-pipelines-worker -version: "2.2.0" +version: "2.2.1" description: Observability Pipelines Worker type: application keywords: @@ -13,7 +13,7 @@ icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png maintainers: - name: Datadog email: support@datadoghq.com -appVersion: "2.2.0" +appVersion: "2.2.1" annotations: artifacthub.io/links: | - name: Chart Source diff --git a/charts/observability-pipelines-worker/README.md b/charts/observability-pipelines-worker/README.md index 485509309..a9e50e99e 100644 --- a/charts/observability-pipelines-worker/README.md +++ b/charts/observability-pipelines-worker/README.md @@ -1,6 +1,6 @@ # Observability Pipelines Worker -![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.0](https://img.shields.io/badge/AppVersion-2.2.0-informational?style=flat-square) +![Version: 2.2.1](https://img.shields.io/badge/Version-2.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.1](https://img.shields.io/badge/AppVersion-2.2.1-informational?style=flat-square) ## How to use Datadog Helm repository 
@@ -110,7 +110,7 @@ The command removes all the Kubernetes components associated with the chart and | image.pullPolicy | string | `"IfNotPresent"` | Specify the [pullPolicy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy). | | image.pullSecrets | list | `[]` | Specify the [imagePullSecrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod). | | image.repository | string | `"gcr.io/datadoghq"` | Specify the image repository to use. | -| image.tag | string | `"2.2.0"` | Specify the image tag to use. | +| image.tag | string | `"2.2.1"` | Specify the image tag to use. | | ingress.annotations | object | `{}` | Specify annotations for the Ingress. | | ingress.className | string | `""` | Specify the [ingressClassName](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress), requires Kubernetes >= 1.18. | | ingress.enabled | bool | `false` | If **true**, create an Ingress resource. | diff --git a/charts/observability-pipelines-worker/values.yaml b/charts/observability-pipelines-worker/values.yaml index e4f84ec44..566c7333e 100644 --- a/charts/observability-pipelines-worker/values.yaml +++ b/charts/observability-pipelines-worker/values.yaml @@ -42,7 +42,7 @@ image: # image.name -- Specify the image name to use (relative to `image.repository`). name: observability-pipelines-worker # image.tag -- Specify the image tag to use. - tag: 2.2.0 + tag: 2.2.1 # image.digest -- (string) Specify the image digest to use; takes precedence over `image.tag`. digest: ## Currently, we offer images at: diff --git a/charts/private-action-runner/CHANGELOG.md b/charts/private-action-runner/CHANGELOG.md index 3549c9050..89adc7088 100644 --- a/charts/private-action-runner/CHANGELOG.md +++ b/charts/private-action-runner/CHANGELOG.md 
@@ -1,5 +1,13 @@ # Datadog changelog +## 0.14.3 + +* Add GitLab private actions and fix image repository link. + +## 0.14.2 + +* Update private action image version to `v0.1.3-beta` + ## 0.14.1 * Update private action image version to `v0.1.2-beta` diff --git a/charts/private-action-runner/Chart.yaml b/charts/private-action-runner/Chart.yaml index 1e0232c5e..269eac221 100644 --- a/charts/private-action-runner/Chart.yaml +++ b/charts/private-action-runner/Chart.yaml @@ -3,7 +3,7 @@ name: private-action-runner description: A Helm chart to deploy the private action runner type: application -version: 0.14.1 +version: 0.14.3 appVersion: "1.22.0" keywords: - app builder diff --git a/charts/private-action-runner/README.md b/charts/private-action-runner/README.md index ee6671058..af2b7bad5 100644 --- a/charts/private-action-runner/README.md +++ b/charts/private-action-runner/README.md @@ -1,6 +1,6 @@ # Datadog Private Action Runner -![Version: 0.14.1](https://img.shields.io/badge/Version-0.14.1-informational?style=flat-square) ![AppVersion: v0.1.2-beta](https://img.shields.io/badge/AppVersion-v0.1.2--beta-informational?style=flat-square) +![Version: 0.14.3](https://img.shields.io/badge/Version-0.14.3-informational?style=flat-square) ![AppVersion: v0.1.4-beta](https://img.shields.io/badge/AppVersion-v0.1.4--beta-informational?style=flat-square) This Helm Chart deploys the Datadog Private Action runner inside a Kubernetes cluster. It allows you to use private actions from the Datadog Workflow and Datadog App Builder products. When deploying this chart, you can give permissions to the runner in order to be able to run Kubernetes actions. 
@@ -42,7 +42,7 @@ helm repo update | Key | Type | Default | Description | |-----|------|---------|-------------| -| common.image | object | `{"repository":"us-east4-docker.pkg.dev/datadog-sandbox/apps-on-prem/onprem-runner","tag":"v0.1.2-beta"}` | Current Datadog Private Action Runner image | +| common.image | object | `{"repository":"gcr.io/datadoghq/private-action-runner","tag":"v0.1.4-beta"}` | Current Datadog Private Action Runner image | | credentialFiles | list | `[]` | List of credential files to be used by the Datadog Private Action Runner | | runners[0].config | object | `{"actionsAllowlist":[],"ddBaseURL":"https://app.datadoghq.com","modes":["workflowAutomation","appBuilder"],"port":9016,"privateKey":"CHANGE_ME_PRIVATE_KEY_FROM_CONFIG","urn":"CHANGE_ME_URN_FROM_CONFIG"}` | Configuration for the Datadog Private Action Runner | | runners[0].config.actionsAllowlist | list | `[]` | List of actions that the Datadog Private Action Runner is allowed to execute | diff --git a/charts/private-action-runner/README.md.gotmpl b/charts/private-action-runner/README.md.gotmpl index 6fa83d3f3..061bb5ec3 100644 --- a/charts/private-action-runner/README.md.gotmpl +++ b/charts/private-action-runner/README.md.gotmpl @@ -1,6 +1,6 @@ # Datadog Private Action Runner -![Version: 0.14.1](https://img.shields.io/badge/Version-0.14.1-informational?style=flat-square) ![AppVersion: v0.1.2-beta](https://img.shields.io/badge/AppVersion-v0.1.2--beta-informational?style=flat-square) +![Version: 0.14.3](https://img.shields.io/badge/Version-0.14.3-informational?style=flat-square) ![AppVersion: v0.1.4-beta](https://img.shields.io/badge/AppVersion-v0.1.4--beta-informational?style=flat-square) This Helm Chart deploys the Datadog Private Action runner inside a Kubernetes cluster. It allows you to use private actions from the Datadog Workflow and Datadog App Builder products. When deploying this chart, you can give permissions to the runner in order to be able to run Kubernetes actions. 
diff --git a/charts/private-action-runner/values.yaml b/charts/private-action-runner/values.yaml index 231e783fd..b72ae56df 100644 --- a/charts/private-action-runner/values.yaml +++ b/charts/private-action-runner/values.yaml @@ -5,8 +5,8 @@ common: # -- Current Datadog Private Action Runner image image: - repository: us-east4-docker.pkg.dev/datadog-sandbox/apps-on-prem/onprem-runner - tag: v0.1.2-beta + repository: gcr.io/datadoghq/private-action-runner + tag: v0.1.4-beta runners: # runners[0].name -- Name of the Datadog Private Action Runner diff --git a/crds/datadoghq.com_datadogagents.yaml b/crds/datadoghq.com_datadogagents.yaml index d3c0cf280..b8a5b538c 100644 --- a/crds/datadoghq.com_datadogagents.yaml +++ b/crds/datadoghq.com_datadogagents.yaml @@ -695,6 +695,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object http: properties: @@ -702,6 +710,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object type: object type: object 
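Review bot: The runner image is still referenced only by a mutable pre-release tag (`v0.1.4-beta`) and this chart exposes no digest value, whereas the datadog chart in this same diff documents `image.digest` as taking precedence over the tag; moving off the sandbox Artifact Registry to `gcr.io/datadoghq/private-action-runner` is the right direction, but a component that executes actions in-cluster with user-granted RBAC is where an immutable reference matters most. Suggest adding `# common.image.digest -- Image digest to use; takes precedence over tag when set` and `digest: ""` under `common.image`, with the deployment template (outside this diff) rendering `@<digest>` when it is non-empty. Separately, `Chart.yaml` keeps `appVersion: "1.22.0"` while the README badge now shows `AppVersion: v0.1.4-beta`, and the 0.14.3 changelog entry does not record the bump from `v0.1.3-beta` to `v0.1.4-beta`; these should be reconciled so the shipped image version is traceable.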
@@ -845,6 +861,73 @@ spec: url: type: string type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map fips: properties: customFIPSConfig: @@ -1000,6 +1083,18 @@ spec: tlsVerify: type: boolean type: object + kubernetesResourcesAnnotationsAsTags: + additionalProperties: + additionalProperties: + type: string + type: object + type: object + kubernetesResourcesLabelsAsTags: + additionalProperties: + additionalProperties: + type: string + type: object + type: object localService: properties: forceEnableLocalService: 
@@ -1070,6 +1165,31 @@ spec: type: object registry: type: string + secretBackend: + properties: + args: + type: string + command: + type: string + enableGlobalPermissions: + type: boolean + roles: + items: + properties: + namespace: + type: string + secrets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: array + x-kubernetes-list-type: atomic + timeout: + format: int32 + type: integer + type: object site: type: string tags: @@ -1969,6 +2089,29 @@ spec: x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array extraChecksd: properties: configDataMap: @@ -2131,6 +2274,10 @@ spec: type: string type: object type: object + serviceAccountAnnotations: + additionalProperties: + type: string + type: object serviceAccountName: type: string tolerations: @@ -3717,6 +3864,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object http: properties: @@ -3724,6 +3879,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object type: object type: object diff --git a/repository.datadog.yml b/repository.datadog.yml index b49e10d17..814d38c3e 100644 --- a/repository.datadog.yml +++ b/repository.datadog.yml 
@@ -10,11 +10,11 @@ github_teams_restrictions: - container-helm-chart-maintainers - container-integrations - container-t2 - - Synthetics - - Documentation - - Observability Pipelines - - Telemetry and Analytics - - Vector + - synthetics + - documentation + - observability-pipelines + - telemetry-and-analytics + - vector github_users_restrictions: - cahillsf - clamoriniere diff --git a/test/datadog-operator/baseline/DatadogAgent_CRD_default.yaml b/test/datadog-operator/baseline/DatadogAgent_CRD_default.yaml index 22931c5af..2b46bb5d6 100644 --- a/test/datadog-operator/baseline/DatadogAgent_CRD_default.yaml +++ b/test/datadog-operator/baseline/DatadogAgent_CRD_default.yaml @@ -7,7 +7,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.14.0 name: datadogagents.datadoghq.com labels: - helm.sh/chart: 'datadogCRDs-2.1.0' + helm.sh/chart: 'datadogCRDs-2.2.0' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'datadogCRDs' app.kubernetes.io/instance: 'datadog-operator' @@ -701,6 +701,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object http: properties: @@ -708,6 +716,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object type: object type: object 
@@ -851,6 +867,73 @@ spec: url: type: string type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map fips: properties: customFIPSConfig: @@ -1006,6 +1089,18 @@ spec: tlsVerify: type: boolean type: object + kubernetesResourcesAnnotationsAsTags: + additionalProperties: + additionalProperties: + type: string + type: object + type: object + kubernetesResourcesLabelsAsTags: + additionalProperties: + additionalProperties: + type: string + type: object + type: object localService: properties: forceEnableLocalService: 
@@ -1076,6 +1171,31 @@ spec: type: object registry: type: string + secretBackend: + properties: + args: + type: string + command: + type: string + enableGlobalPermissions: + type: boolean + roles: + items: + properties: + namespace: + type: string + secrets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: array + x-kubernetes-list-type: atomic + timeout: + format: int32 + type: integer + type: object site: type: string tags: @@ -1975,6 +2095,29 @@ spec: x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array extraChecksd: properties: configDataMap: @@ -2137,6 +2280,10 @@ spec: type: string type: object type: object + serviceAccountAnnotations: + additionalProperties: + type: string + type: object serviceAccountName: type: string tolerations: @@ -3723,6 +3870,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object http: properties: @@ -3730,6 +3885,14 @@ spec: type: boolean endpoint: type: string + hostPortConfig: + properties: + enabled: + type: boolean + hostPort: + format: int32 + type: integer + type: object type: object type: object type: object diff --git a/test/datadog-operator/baseline/Operator_Deployment_default.yaml b/test/datadog-operator/baseline/Operator_Deployment_default.yaml index 48ea073c0..cd52a9683 100644 --- a/test/datadog-operator/baseline/Operator_Deployment_default.yaml +++ b/test/datadog-operator/baseline/Operator_Deployment_default.yaml 
@@ -7,9 +7,9 @@ metadata: namespace: datadog-agent labels: app.kubernetes.io/name: datadog-operator - helm.sh/chart: datadog-operator-2.1.0 + helm.sh/chart: datadog-operator-2.3.0 app.kubernetes.io/instance: datadog-operator - app.kubernetes.io/version: "1.9.0" + app.kubernetes.io/version: "1.10.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -35,7 +35,7 @@ spec: serviceAccountName: datadog-operator containers: - name: datadog-operator - image: "gcr.io/datadoghq/operator:1.9.0" + image: "gcr.io/datadoghq/operator:1.10.0" imagePullPolicy: IfNotPresent env: - name: WATCH_NAMESPACE diff --git a/test/datadog-operator/operator_deployment_test.go b/test/datadog-operator/operator_deployment_test.go index 1bfa22777..d97cad2a5 100644 --- a/test/datadog-operator/operator_deployment_test.go +++ b/test/datadog-operator/operator_deployment_test.go @@ -104,7 +104,7 @@ func verifyDeployment(t *testing.T, manifest string) { assert.Equal(t, 1, len(deployment.Spec.Template.Spec.Containers)) operatorContainer := deployment.Spec.Template.Spec.Containers[0] assert.Equal(t, v1.PullPolicy("IfNotPresent"), operatorContainer.ImagePullPolicy) - assert.Equal(t, "gcr.io/datadoghq/operator:1.9.0", operatorContainer.Image) + assert.Equal(t, "gcr.io/datadoghq/operator:1.10.0", operatorContainer.Image) assert.NotContains(t, operatorContainer.Args, "-webhookEnabled=false") assert.NotContains(t, operatorContainer.Args, "-webhookEnabled=true") } diff --git a/test/datadog/baseline/agent-clusterchecks-deployment_default.yaml b/test/datadog/baseline/agent-clusterchecks-deployment_default.yaml index a629e6ffe..f0d675e83 100644 --- a/test/datadog/baseline/agent-clusterchecks-deployment_default.yaml +++ b/test/datadog/baseline/agent-clusterchecks-deployment_default.yaml 
@@ -6,7 +6,7 @@ metadata: name: datadog-clusterchecks namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -36,8 +36,8 @@ spec: name: datadog-clusterchecks annotations: - checksum/clusteragent_token: e95c3aa09253f021e31a1ac5c7ee014e6454d2d5fee0482b0f253e12dab68afd - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/clusteragent_token: 7252ac95e9b7a2be76a893f29be97ba3ddfa93e988f208d18a1e4e410b6b9b7a + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 spec: serviceAccountName: datadog-cluster-checks automountServiceAccountToken: true @@ -45,7 +45,7 @@ spec: [] initContainers: - name: init-volume - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["bash", "-c"] args: @@ -57,7 +57,7 @@ spec: resources: {} - name: init-config - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["bash", "-c"] args: @@ -70,19 +70,20 @@ spec: {} containers: - name: agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" command: ["bash", "-c"] args: - - rm -rf /etc/datadog-agent/conf.d && touch /etc/datadog-agent/datadog.yaml && exec agent run + - find /etc/datadog-agent/conf.d/ -name "*.yaml.default" -type f -delete && touch /etc/datadog-agent/datadog.yaml && exec agent run imagePullPolicy: IfNotPresent env: + + - name: KUBERNETES + value: "yes" - name: DD_API_KEY valueFrom: secretKeyRef: name: "datadog-secret" key: api-key - - name: KUBERNETES - value: "yes" - name: DD_LOG_LEVEL value: "INFO" - name: DD_EXTRA_CONFIG_PROVIDERS 
diff --git a/test/datadog/baseline/cluster-agent-deployment_default.yaml b/test/datadog/baseline/cluster-agent-deployment_default.yaml index 57a30d06a..20f97b46b 100644 --- a/test/datadog/baseline/cluster-agent-deployment_default.yaml +++ b/test/datadog/baseline/cluster-agent-deployment_default.yaml @@ -6,7 +6,7 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -36,17 +36,17 @@ spec: name: datadog-cluster-agent annotations: - checksum/clusteragent_token: d786ae722980a2b7f91d4be2bf9eebfb9997a1fd85c3a0368c360cb060ed54fc - checksum/clusteragent-configmap: a4b18a57220d8a10e808c1d1fb842d71eb6b72c99041c603784aecdd4d8003cc - checksum/api_key: fee83544b853e02ebb8f3fc57ab8c3a39bec4379bd187f18a27a58bbaca57208 + checksum/clusteragent_token: 789eaddd8ebf97ad196c8ccbad93bdfa98bebad0d60672807686f6587b30fe99 + checksum/clusteragent-configmap: f7ddc12f1f727af3c450b5b1fc979f56419ae0902320da72a4077d5a3e899f8d + checksum/api_key: 16b334660f377f7344c3de471b1b9c142c4ff1a49cf6dbf2acbc92d4b2979115 checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 spec: serviceAccountName: datadog-cluster-agent automountServiceAccountToken: true initContainers: - name: init-volume - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent command: - cp @@ -59,7 +59,7 @@ spec: mountPath: /opt/datadog-agent containers: - name: cluster-agent - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent resources: {} 
@@ -86,12 +86,13 @@ spec: name: "datadog" key: api-key optional: true + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_ADMISSION_CONTROLLER_ENABLED value: "true" - name: DD_ADMISSION_CONTROLLER_WEBHOOK_NAME @@ -108,6 +109,8 @@ spec: value: "Ignore" - name: DD_ADMISSION_CONTROLLER_PORT value: "8000" + - name: DD_ADMISSION_CONTROLLER_CONTAINER_REGISTRY + value: "gcr.io/datadoghq" - name: DD_REMOTE_CONFIGURATION_ENABLED @@ -130,6 +133,8 @@ spec: value: datadogtoken - name: DD_COLLECT_KUBERNETES_EVENTS value: "true" + - name: DD_KUBERNETES_EVENTS_SOURCE_DETECTION_ENABLED + value: "false" - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME value: datadog-cluster-agent - name: DD_CLUSTER_AGENT_AUTH_TOKEN diff --git a/test/datadog/baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml b/test/datadog/baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml index d6572693a..567fca801 100644 --- a/test/datadog/baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml +++ b/test/datadog/baseline/cluster-agent-deployment_default_advanced_AC_injection.yaml @@ -6,7 +6,7 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
@@ -36,17 +36,17 @@ spec: name: datadog-cluster-agent annotations: - checksum/clusteragent_token: 146a7a7f2e304ae7637352cb1ecd1fd9b92739626753086c8a562b3a848904fa - checksum/clusteragent-configmap: a4b18a57220d8a10e808c1d1fb842d71eb6b72c99041c603784aecdd4d8003cc - checksum/api_key: fee83544b853e02ebb8f3fc57ab8c3a39bec4379bd187f18a27a58bbaca57208 + checksum/clusteragent_token: e3466aa95772fd657b731896232e59a2386ac6c1a38b0ab18cbdeb09156544e8 + checksum/clusteragent-configmap: f7ddc12f1f727af3c450b5b1fc979f56419ae0902320da72a4077d5a3e899f8d + checksum/api_key: 16b334660f377f7344c3de471b1b9c142c4ff1a49cf6dbf2acbc92d4b2979115 checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 spec: serviceAccountName: datadog-cluster-agent automountServiceAccountToken: true initContainers: - name: init-volume - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent command: - cp @@ -59,7 +59,7 @@ spec: mountPath: /opt/datadog-agent containers: - name: cluster-agent - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent resources: {} @@ -86,12 +86,13 @@ spec: name: "datadog" key: api-key optional: true + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_ADMISSION_CONTROLLER_ENABLED value: "true" - name: DD_ADMISSION_CONTROLLER_WEBHOOK_NAME @@ -108,6 +109,8 @@ spec: value: "Ignore" - name: DD_ADMISSION_CONTROLLER_PORT value: "8000" + - name: DD_ADMISSION_CONTROLLER_CONTAINER_REGISTRY + value: "gcr.io/datadoghq" - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED 
@@ -144,6 +147,8 @@ spec: value: datadogtoken - name: DD_COLLECT_KUBERNETES_EVENTS value: "true" + - name: DD_KUBERNETES_EVENTS_SOURCE_DETECTION_ENABLED + value: "false" - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME value: datadog-cluster-agent - name: DD_CLUSTER_AGENT_AUTH_TOKEN diff --git a/test/datadog/baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml b/test/datadog/baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml index a461cb056..6421f7579 100644 --- a/test/datadog/baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml +++ b/test/datadog/baseline/cluster-agent-deployment_default_minimal_AC_injection.yaml @@ -6,7 +6,7 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
@@ -36,17 +36,17 @@ spec: name: datadog-cluster-agent annotations: - checksum/clusteragent_token: 5df33a65f728b7353527940691335906c2e2a4837cf2545fc465c3ccbdecb7cd - checksum/clusteragent-configmap: a4b18a57220d8a10e808c1d1fb842d71eb6b72c99041c603784aecdd4d8003cc - checksum/api_key: fee83544b853e02ebb8f3fc57ab8c3a39bec4379bd187f18a27a58bbaca57208 + checksum/clusteragent_token: 153bf4c7a1851a4a2b03bcb46a026255dda1d786c6a5b95827e5364391602e55 + checksum/clusteragent-configmap: f7ddc12f1f727af3c450b5b1fc979f56419ae0902320da72a4077d5a3e899f8d + checksum/api_key: 16b334660f377f7344c3de471b1b9c142c4ff1a49cf6dbf2acbc92d4b2979115 checksum/application_key: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 spec: serviceAccountName: datadog-cluster-agent automountServiceAccountToken: true initContainers: - name: init-volume - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent command: - cp @@ -59,7 +59,7 @@ spec: mountPath: /opt/datadog-agent containers: - name: cluster-agent - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent resources: {} @@ -86,12 +86,13 @@ spec: name: "datadog" key: api-key optional: true + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_ADMISSION_CONTROLLER_ENABLED value: "true" - name: DD_ADMISSION_CONTROLLER_WEBHOOK_NAME @@ -108,6 +109,8 @@ spec: value: "Ignore" - name: DD_ADMISSION_CONTROLLER_PORT value: "8000" + - name: DD_ADMISSION_CONTROLLER_CONTAINER_REGISTRY + value: "gcr.io/datadoghq" - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED 
@@ -119,7 +122,7 @@ spec: - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME value: agent - name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG - value: 7.57.2 + value: 7.59.0 - name: DD_REMOTE_CONFIGURATION_ENABLED value: "false" - name: DD_CLUSTER_CHECKS_ENABLED @@ -140,6 +143,8 @@ spec: value: datadogtoken - name: DD_COLLECT_KUBERNETES_EVENTS value: "true" + - name: DD_KUBERNETES_EVENTS_SOURCE_DETECTION_ENABLED + value: "false" - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME value: datadog-cluster-agent - name: DD_CLUSTER_AGENT_AUTH_TOKEN diff --git a/test/datadog/baseline/daemonset_default.yaml b/test/datadog/baseline/daemonset_default.yaml index 0661feb0b..15abb4696 100644 --- a/test/datadog/baseline/daemonset_default.yaml +++ b/test/datadog/baseline/daemonset_default.yaml @@ -6,7 +6,7 @@ metadata: name: datadog namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -30,8 +30,8 @@ spec: name: datadog annotations: - checksum/clusteragent_token: 6b801cdee7b458f8dc8cf101150135babecf647416c222dcf109ae6517afefc4 - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/clusteragent_token: 36d1e9094d3cb200659405983a1c3aa58982bd20ea30a71974a01965e0df5ddf + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a checksum/checksd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -42,7 +42,7 @@ spec: hostPID: true containers: - name: agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["agent", "run"] 
@@ -62,12 +62,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -76,6 +77,7 @@ spec: value: "false" + - name: DD_PROCESS_CONFIG_PROCESS_COLLECTION_ENABLED value: "false" - name: DD_PROCESS_CONFIG_CONTAINER_COLLECTION_ENABLED @@ -202,7 +204,7 @@ spec: successThreshold: 1 timeoutSeconds: 5 - name: trace-agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["trace-agent", "-config=/etc/datadog-agent/datadog.yaml"] resources: @@ -221,12 +223,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -308,7 +311,7 @@ spec: port: 8126 timeoutSeconds: 5 - name: process-agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["process-agent", "--cfgpath=/etc/datadog-agent/datadog.yaml"] resources: @@ -323,12 +326,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -346,6 +350,7 @@ spec: name: datadog-cluster-agent key: token + - name: DD_PROCESS_CONFIG_PROCESS_COLLECTION_ENABLED value: "false" - name: DD_PROCESS_CONFIG_CONTAINER_COLLECTION_ENABLED 
@@ -402,10 +407,8 @@ spec: mountPropagation: None readOnly: true initContainers: - - - name: init-volume - - image: "gcr.io/datadoghq/agent:7.57.2" + - name: init-volume + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["bash", "-c"] args: @@ -416,9 +419,8 @@ spec: readOnly: false # Need RW for config path resources: {} - - name: init-config - - image: "gcr.io/datadoghq/agent:7.57.2" + - name: init-config + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: - bash @@ -426,12 +428,12 @@ spec: args: - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done volumeMounts: - - name: logdatadog - mountPath: /var/log/datadog - readOnly: false # Need RW to write logs - name: config mountPath: /etc/datadog-agent readOnly: false # Need RW for config path + - name: logdatadog + mountPath: /var/log/datadog + readOnly: false # Need RW to write logs - name: procdir mountPath: /host/proc mountPropagation: None @@ -451,12 +453,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -479,6 +482,8 @@ spec: emptyDir: {} - name: tmpdir emptyDir: {} + - name: s6-run + emptyDir: {} - hostPath: path: /proc name: procdir @@ -496,8 +501,6 @@ spec: path: /var/run/datadog/ type: DirectoryOrCreate name: apmsocket - - name: s6-run - emptyDir: {} - hostPath: path: /etc/passwd name: passwd diff --git a/test/datadog/baseline/gdc_daemonset_default.yaml b/test/datadog/baseline/gdc_daemonset_default.yaml new file mode 100644 index 000000000..829e5c79f --- /dev/null +++ b/test/datadog/baseline/gdc_daemonset_default.yaml 
@@ -0,0 +1,280 @@ +--- +# Source: datadog/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: datadog + namespace: datadog-agent + labels: + helm.sh/chart: 'datadog-3.79.0' + app.kubernetes.io/name: "datadog" + app.kubernetes.io/instance: "datadog" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "7" + app.kubernetes.io/component: agent + env.datadoghq.com/kind: gke-gdc +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + app: datadog + template: + metadata: + labels: + app.kubernetes.io/name: "datadog" + app.kubernetes.io/instance: "datadog" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: agent + admission.datadoghq.com/enabled: "false" + app: datadog + env.datadoghq.com/kind: gke-gdc + name: datadog + annotations: + checksum/clusteragent_token: ac6f3df32a82b47f1cec6be0a9dce0cc1978c1f64fd5b75177734090bacf54da + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 + checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a + checksum/checksd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a + spec: + + securityContext: + runAsUser: 0 + containers: + - name: agent + image: "gcr.io/datadoghq/agent:7.59.0" + imagePullPolicy: IfNotPresent + command: ["agent", "run"] + + resources: + {} + ports: + - containerPort: 8125 + name: dogstatsdport + protocol: UDP + env: + - name: DD_API_KEY + valueFrom: + secretKeyRef: + name: "datadog-secret" + key: api-key + - name: DD_REMOTE_CONFIGURATION_ENABLED + value: "false" + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" + - name: DD_KUBELET_CLIENT_CRT + value: /certs/tls.crt + - name: DD_KUBELET_CLIENT_KEY + value: /certs/tls.key + - name: DD_LANGUAGE_DETECTION_ENABLED + value: "false" + - name: 
DD_LANGUAGE_DETECTION_REPORTING_ENABLED + value: "false" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: DD_HOSTNAME + value: "$(DD_NODE_NAME)-$(DD_CLUSTER_NAME)" + - name: DD_OTLP_CONFIG_LOGS_ENABLED + value: "false" + - name: DD_PROVIDER_KIND + value: gke-gdc + + + - name: DD_LOG_LEVEL + value: "INFO" + - name: DD_DOGSTATSD_PORT + value: "8125" + - name: DD_DOGSTATSD_NON_LOCAL_TRAFFIC + value: "true" + - name: DD_DOGSTATSD_TAG_CARDINALITY + value: "low" + - name: DD_CLUSTER_AGENT_ENABLED + value: "true" + - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME + value: datadog-cluster-agent + - name: DD_CLUSTER_AGENT_AUTH_TOKEN + valueFrom: + secretKeyRef: + name: datadog-cluster-agent + key: token + - name: DD_APM_ENABLED + value: "false" + - name: DD_LOGS_ENABLED + value: "false" + - name: DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL + value: "false" + - name: DD_LOGS_CONFIG_K8S_CONTAINER_USE_FILE + value: "true" + - name: DD_LOGS_CONFIG_AUTO_MULTI_LINE_DETECTION + value: "false" + - name: DD_HEALTH_PORT + value: "5555" + - name: DD_EXTRA_CONFIG_PROVIDERS + value: "clusterchecks endpointschecks" + - name: DD_IGNORE_AUTOCONF + value: "kubernetes_state" + - name: DD_CONTAINER_LIFECYCLE_ENABLED + value: "true" + - name: DD_ORCHESTRATOR_EXPLORER_ENABLED + value: "true" + - name: DD_EXPVAR_PORT + value: "6000" + - name: DD_COMPLIANCE_CONFIG_ENABLED + value: "false" + - name: DD_CONTAINER_IMAGE_ENABLED + value: "true" + - name: DD_KUBELET_CORE_CHECK_ENABLED + value: "true" + volumeMounts: + - name: logdatadog + mountPath: /var/log/datadog + readOnly: false # Need RW to write logs + - name: installinfo + subPath: install_info + mountPath: /etc/datadog-agent/install_info + readOnly: true + - name: tmpdir + mountPath: /tmp + readOnly: false # Need RW to write to /tmp directory + + - name: config + mountPath: /etc/datadog-agent + readOnly: false 
# Need RW to mount to config path + - name: auth-token + mountPath: /etc/datadog-agent/auth + readOnly: false # Need RW to write auth token + + + - name: kubelet-cert-volume + mountPath: /certs + livenessProbe: + failureThreshold: 6 + httpGet: + path: /live + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /ready + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + startupProbe: + failureThreshold: 6 + httpGet: + path: /startup + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + initContainers: + - name: init-volume + image: "gcr.io/datadoghq/agent:7.59.0" + imagePullPolicy: IfNotPresent + command: ["bash", "-c"] + args: + - cp -r /etc/datadog-agent /opt + volumeMounts: + - name: config + mountPath: /opt/datadog-agent + readOnly: false # Need RW for config path + resources: + {} + - name: init-config + image: "gcr.io/datadoghq/agent:7.59.0" + imagePullPolicy: IfNotPresent + command: + - bash + - -c + args: + - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done + volumeMounts: + - name: config + mountPath: /etc/datadog-agent + readOnly: false # Need RW for config path + env: + - name: DD_API_KEY + valueFrom: + secretKeyRef: + name: "datadog-secret" + key: api-key + - name: DD_REMOTE_CONFIGURATION_ENABLED + value: "false" + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" + - name: DD_KUBELET_CLIENT_CRT + value: /certs/tls.crt + - name: DD_KUBELET_CLIENT_KEY + value: /certs/tls.key + - name: DD_LANGUAGE_DETECTION_ENABLED + value: "false" + - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED + value: "false" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_NODE_NAME + 
valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: DD_HOSTNAME + value: "$(DD_NODE_NAME)-$(DD_CLUSTER_NAME)" + - name: DD_OTLP_CONFIG_LOGS_ENABLED + value: "false" + - name: DD_PROVIDER_KIND + value: gke-gdc + resources: + {} + volumes: + - name: auth-token + emptyDir: {} + - name: installinfo + configMap: + name: datadog-installinfo + - name: config + emptyDir: {} + + - name: logdatadog + emptyDir: {} + - name: tmpdir + emptyDir: {} + - name: s6-run + emptyDir: {} + - secret: + secretName: datadog-kubelet-cert + name: kubelet-cert-volume + tolerations: + affinity: + {} + serviceAccountName: "datadog" + automountServiceAccountToken: true + nodeSelector: + kubernetes.io/os: linux + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate \ No newline at end of file diff --git a/test/datadog/baseline/gdc_daemonset_logs_collection.yaml b/test/datadog/baseline/gdc_daemonset_logs_collection.yaml new file mode 100644 index 000000000..46d33c986 --- /dev/null +++ b/test/datadog/baseline/gdc_daemonset_logs_collection.yaml 
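Review bot: The new GDC baseline renders a pod-level `securityContext` with `runAsUser: 0`, and authenticates to the kubelet with a client certificate mounted from the secret `datadog-kubelet-cert` at `/certs` (`DD_KUBELET_CLIENT_CRT`/`DD_KUBELET_CLIENT_KEY`), a secret this manifest does not itself create, so it is presumably supplied out of band — worth confirming. Since the baseline is rendered output, the place to record the rationale is the chart template that emits it (outside this diff), e.g. `# GDC: agent must run as root (reason) and expects a user-provided kubelet client cert secret`, so a later reviewer can tell a deliberate root requirement from an accident. The file also ends without a trailing newline (`\ No newline at end of file`); the same applies to the `gdc_daemonset_logs_collection.yaml` baseline added in the next hunk.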
@@ -0,0 +1,301 @@ +--- +# Source: datadog/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: datadog + namespace: datadog-agent + labels: + helm.sh/chart: 'datadog-3.79.0' + app.kubernetes.io/name: "datadog" + app.kubernetes.io/instance: "datadog" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "7" + app.kubernetes.io/component: agent + env.datadoghq.com/kind: gke-gdc +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + app: datadog + template: + metadata: + labels: + app.kubernetes.io/name: "datadog" + app.kubernetes.io/instance: "datadog" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: agent + admission.datadoghq.com/enabled: "false" + app: datadog + env.datadoghq.com/kind: gke-gdc + name: datadog + annotations: + checksum/clusteragent_token: 009553ab18468f5e3c937f34ded921a712214a78b4cbd82f8233e4512e20390d + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 + checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a + checksum/checksd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a + spec: + + securityContext: + runAsUser: 0 + containers: + - name: agent + image: "gcr.io/datadoghq/agent:7.59.0" + imagePullPolicy: IfNotPresent + command: ["agent", "run"] + + resources: + {} + ports: + - containerPort: 8125 + name: dogstatsdport + protocol: UDP + env: + - name: DD_API_KEY + valueFrom: + secretKeyRef: + name: "datadog-secret" + key: api-key + - name: DD_REMOTE_CONFIGURATION_ENABLED + value: "false" + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" + - name: DD_KUBELET_CLIENT_CRT + value: /certs/tls.crt + - name: DD_KUBELET_CLIENT_KEY + value: /certs/tls.key + - name: DD_LANGUAGE_DETECTION_ENABLED + value: "false" + - name: 
DD_LANGUAGE_DETECTION_REPORTING_ENABLED + value: "false" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: DD_HOSTNAME + value: "$(DD_NODE_NAME)-$(DD_CLUSTER_NAME)" + - name: DD_OTLP_CONFIG_LOGS_ENABLED + value: "false" + - name: DD_PROVIDER_KIND + value: gke-gdc + + + - name: DD_LOG_LEVEL + value: "INFO" + - name: DD_DOGSTATSD_PORT + value: "8125" + - name: DD_DOGSTATSD_NON_LOCAL_TRAFFIC + value: "true" + - name: DD_DOGSTATSD_TAG_CARDINALITY + value: "low" + - name: DD_CLUSTER_AGENT_ENABLED + value: "true" + - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME + value: datadog-cluster-agent + - name: DD_CLUSTER_AGENT_AUTH_TOKEN + valueFrom: + secretKeyRef: + name: datadog-cluster-agent + key: token + - name: DD_APM_ENABLED + value: "false" + - name: DD_LOGS_ENABLED + value: "true" + - name: DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL + value: "true" + - name: DD_LOGS_CONFIG_K8S_CONTAINER_USE_FILE + value: "true" + - name: DD_LOGS_CONFIG_AUTO_MULTI_LINE_DETECTION + value: "true" + - name: DD_HEALTH_PORT + value: "5555" + - name: DD_EXTRA_CONFIG_PROVIDERS + value: "clusterchecks endpointschecks" + - name: DD_IGNORE_AUTOCONF + value: "kubernetes_state" + - name: DD_CONTAINER_LIFECYCLE_ENABLED + value: "true" + - name: DD_ORCHESTRATOR_EXPLORER_ENABLED + value: "true" + - name: DD_EXPVAR_PORT + value: "6000" + - name: DD_COMPLIANCE_CONFIG_ENABLED + value: "false" + - name: DD_CONTAINER_IMAGE_ENABLED + value: "true" + - name: DD_KUBELET_CORE_CHECK_ENABLED + value: "true" + volumeMounts: + - name: logdatadog + mountPath: /var/log/datadog + readOnly: false # Need RW to write logs + - name: installinfo + subPath: install_info + mountPath: /etc/datadog-agent/install_info + readOnly: true + - name: tmpdir + mountPath: /tmp + readOnly: false # Need RW to write to /tmp directory + + - name: config + mountPath: /etc/datadog-agent + readOnly: false # 
Need RW to mount to config path + - name: auth-token + mountPath: /etc/datadog-agent/auth + readOnly: false # Need RW to write auth token + + + - name: pointerdir + mountPath: /opt/datadog-agent/run + mountPropagation: None + readOnly: false # Need RW for logs pointer + - name: logpodpath + mountPath: /var/log/pods + mountPropagation: None + readOnly: true + - name: logscontainerspath + mountPath: /var/log/containers + mountPropagation: None + readOnly: true + - name: kubelet-cert-volume + mountPath: /certs + livenessProbe: + failureThreshold: 6 + httpGet: + path: /live + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /ready + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + startupProbe: + failureThreshold: 6 + httpGet: + path: /startup + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + initContainers: + - name: init-volume + image: "gcr.io/datadoghq/agent:7.59.0" + imagePullPolicy: IfNotPresent + command: ["bash", "-c"] + args: + - cp -r /etc/datadog-agent /opt + volumeMounts: + - name: config + mountPath: /opt/datadog-agent + readOnly: false # Need RW for config path + resources: + {} + - name: init-config + image: "gcr.io/datadoghq/agent:7.59.0" + imagePullPolicy: IfNotPresent + command: + - bash + - -c + args: + - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done + volumeMounts: + - name: config + mountPath: /etc/datadog-agent + readOnly: false # Need RW for config path + env: + - name: DD_API_KEY + valueFrom: + secretKeyRef: + name: "datadog-secret" + key: api-key + - name: DD_REMOTE_CONFIGURATION_ENABLED + value: "false" + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" + - name: DD_KUBELET_CLIENT_CRT 
+ value: /certs/tls.crt + - name: DD_KUBELET_CLIENT_KEY + value: /certs/tls.key + - name: DD_LANGUAGE_DETECTION_ENABLED + value: "false" + - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED + value: "false" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: DD_HOSTNAME + value: "$(DD_NODE_NAME)-$(DD_CLUSTER_NAME)" + - name: DD_OTLP_CONFIG_LOGS_ENABLED + value: "false" + - name: DD_PROVIDER_KIND + value: gke-gdc + resources: + {} + volumes: + - name: auth-token + emptyDir: {} + - name: installinfo + configMap: + name: datadog-installinfo + - name: config + emptyDir: {} + + - name: logdatadog + emptyDir: {} + - name: tmpdir + emptyDir: {} + - name: s6-run + emptyDir: {} + - hostPath: + path: /var/datadog/logs + name: pointerdir + - hostPath: + path: /var/log/pods + name: logpodpath + - hostPath: + path: /var/log/containers + name: logscontainerspath + - secret: + secretName: datadog-kubelet-cert + name: kubelet-cert-volume + tolerations: + affinity: + {} + serviceAccountName: "datadog" + automountServiceAccountToken: true + nodeSelector: + kubernetes.io/os: linux + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate \ No newline at end of file diff --git a/test/datadog/baseline/other_default.yaml b/test/datadog/baseline/other_default.yaml index 202d88d15..b203ba643 100644 --- a/test/datadog/baseline/other_default.yaml +++ b/test/datadog/baseline/other_default.yaml @@ -6,7 +6,7 @@ metadata: name: datadog-clusterchecks namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
@@ -24,7 +24,7 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -41,13 +41,13 @@ kind: ServiceAccount automountServiceAccountToken: true metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm app.kubernetes.io/version: "7" app: "datadog" - chart: "datadog-3.73.0" + chart: "datadog-3.79.0" heritage: "Helm" release: "datadog" name: datadog-cluster-checks @@ -60,10 +60,10 @@ automountServiceAccountToken: true metadata: labels: app: "datadog" - chart: "datadog-3.73.0" + chart: "datadog-3.79.0" heritage: "Helm" release: "datadog" - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -79,7 +79,7 @@ metadata: name: datadog namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -92,14 +92,14 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm app.kubernetes.io/version: "7" type: Opaque data: - token: "RmllNXRpbDNzWGNCeXpsVFpPOUU4ZXUzSVZncU1NeFA=" + token: "VUhXVVpZMDVTb1Bnd2VxODM1bTRDcU43SFc0UEhTSng=" --- # Source: datadog/templates/cluster-agent-confd-configmap.yaml apiVersion: v1 
@@ -108,7 +108,7 @@ metadata: name: datadog-cluster-agent-confd namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -162,20 +162,20 @@ metadata: name: datadog-installinfo namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm app.kubernetes.io/version: "7" annotations: - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 data: install_info: | --- install_method: tool: helm tool_version: Helm - installer_version: datadog-3.73.0 + installer_version: datadog-3.79.0 --- # Source: datadog/templates/kpi-telemetry-configmap.yaml apiVersion: v1 @@ -184,22 +184,22 @@ metadata: name: datadog-kpi-telemetry-configmap namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm app.kubernetes.io/version: "7" data: install_type: k8s_manual - install_id: "eadedf6d-d365-4d8d-860f-93fcf8617956" - install_time: "1727279193" + install_id: "3111252e-d253-4641-b8b3-30b9c6be6466" + install_time: "1731360232" --- # Source: datadog/templates/cluster-agent-rbac.yaml apiVersion: "rbac.authorization.k8s.io/v1" kind: ClusterRole metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -384,6 +384,7 @@ rules: - apiGroups: - admissionregistration.k8s.io resources: + - validatingwebhookconfigurations - mutatingwebhookconfigurations resourceNames: - "datadog-webhook" 
@@ -391,6 +392,7 @@ rules: - apiGroups: - admissionregistration.k8s.io resources: + - validatingwebhookconfigurations - mutatingwebhookconfigurations verbs: ["create"] - apiGroups: ["batch"] @@ -414,7 +416,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: ClusterRole metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -510,7 +512,7 @@ kind: ClusterRole metadata: name: datadog labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -558,7 +560,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -578,7 +580,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -598,7 +600,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -619,7 +621,7 @@ kind: ClusterRoleBinding metadata: name: datadog labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
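Review bot: The `create` rule for `admissionregistration.k8s.io` now also lists `validatingwebhookconfigurations`, and because `create` cannot be narrowed by `resourceNames`, this grants the cluster-agent service account the ability to create any validating webhook configuration cluster-wide, not just `datadog-webhook`; the rule added in the previous hunk (`@@ -384,6 +384,7 @@`) is scoped by `resourceNames` and does not have this reach. That is inherent to Kubernetes RBAC rather than a defect in this baseline, but the widened grant deserves a why-comment in the chart's RBAC template that renders these rules (outside this diff), e.g. `# create cannot be restricted by resourceNames; needed so the admission controller can bootstrap its validating webhook (confirm)`. Operators auditing RBAC changes may also want audit-log coverage of `create` on webhook configurations by this service account, since a webhook created by it intercepts API requests cluster-wide.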
@@ -638,7 +640,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: Role metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -655,7 +657,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: Role metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -677,7 +679,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: RoleBinding metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -698,7 +700,7 @@ apiVersion: "rbac.authorization.k8s.io/v1" kind: RoleBinding metadata: labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -721,7 +723,7 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -743,10 +745,10 @@ metadata: namespace: datadog-agent labels: app: "datadog" - chart: "datadog-3.73.0" + chart: "datadog-3.79.0" release: "datadog" heritage: "Helm" - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
@@ -769,10 +771,10 @@ metadata: namespace: datadog-agent labels: app: "datadog" - chart: "datadog-3.73.0" + chart: "datadog-3.79.0" release: "datadog" heritage: "Helm" - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -798,7 +800,7 @@ metadata: name: datadog namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm @@ -822,8 +824,8 @@ spec: name: datadog annotations: - checksum/clusteragent_token: a73a414b38d45377a23c51d2dc231cae02e9fcc4eb937bfe7d692f0f989e1391 - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/clusteragent_token: f00581a69706d733ac0c8e932c003a67a287dff70bc15af0030fff5a1e66e0cd + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 checksum/autoconf-config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b checksum/confd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a checksum/checksd-config: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -834,7 +836,7 @@ spec: hostPID: true containers: - name: agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["agent", "run"] @@ -854,12 +856,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: 
@@ -868,6 +871,7 @@ spec: value: "false" + - name: DD_PROCESS_CONFIG_PROCESS_COLLECTION_ENABLED value: "false" - name: DD_PROCESS_CONFIG_CONTAINER_COLLECTION_ENABLED @@ -995,7 +999,7 @@ spec: successThreshold: 1 timeoutSeconds: 5 - name: trace-agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["trace-agent", "-config=/etc/datadog-agent/datadog.yaml"] resources: @@ -1014,12 +1018,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -1101,7 +1106,7 @@ spec: port: 8126 timeoutSeconds: 5 - name: process-agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["process-agent", "--cfgpath=/etc/datadog-agent/datadog.yaml"] resources: @@ -1116,12 +1121,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -1139,6 +1145,7 @@ spec: name: datadog-cluster-agent key: token + - name: DD_PROCESS_CONFIG_PROCESS_COLLECTION_ENABLED value: "false" - name: DD_PROCESS_CONFIG_CONTAINER_COLLECTION_ENABLED @@ -1195,10 +1202,8 @@ spec: mountPropagation: None readOnly: true initContainers: - - - name: init-volume - - image: "gcr.io/datadoghq/agent:7.57.2" + - name: init-volume + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["bash", "-c"] args: 
@@ -1209,9 +1214,8 @@ spec: readOnly: false # Need RW for config path resources: {} - - name: init-config - - image: "gcr.io/datadoghq/agent:7.57.2" + - name: init-config + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: - bash @@ -1219,12 +1223,12 @@ spec: args: - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done volumeMounts: - - name: logdatadog - mountPath: /var/log/datadog - readOnly: false # Need RW to write logs - name: config mountPath: /etc/datadog-agent readOnly: false # Need RW for config path + - name: logdatadog + mountPath: /var/log/datadog + readOnly: false # Need RW to write logs - name: procdir mountPath: /host/proc mountPropagation: None @@ -1244,12 +1248,13 @@ spec: value: "true" - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: @@ -1272,6 +1277,8 @@ spec: emptyDir: {} - name: tmpdir emptyDir: {} + - name: s6-run + emptyDir: {} - hostPath: path: /proc name: procdir @@ -1289,8 +1296,6 @@ spec: path: /var/run/datadog/ type: DirectoryOrCreate name: apmsocket - - name: s6-run - emptyDir: {} - hostPath: path: /etc/passwd name: passwd @@ -1316,7 +1321,7 @@ metadata: name: datadog-clusterchecks namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
@@ -1346,8 +1351,8 @@ spec: name: datadog-clusterchecks annotations: - checksum/clusteragent_token: 76253444996a0411d5a94059333082990230f8818371b4c7b8493c5147e20108 - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/clusteragent_token: 0f3c4653bf6f20423353df3b2c09b545f377c8943c78e038a764c08ee01e7cec + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 spec: serviceAccountName: datadog-cluster-checks automountServiceAccountToken: true @@ -1355,7 +1360,7 @@ spec: [] initContainers: - name: init-volume - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["bash", "-c"] args: @@ -1367,7 +1372,7 @@ spec: resources: {} - name: init-config - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" imagePullPolicy: IfNotPresent command: ["bash", "-c"] args: @@ -1380,19 +1385,20 @@ spec: {} containers: - name: agent - image: "gcr.io/datadoghq/agent:7.57.2" + image: "gcr.io/datadoghq/agent:7.59.0" command: ["bash", "-c"] args: - - rm -rf /etc/datadog-agent/conf.d && touch /etc/datadog-agent/datadog.yaml && exec agent run + - find /etc/datadog-agent/conf.d/ -name "*.yaml.default" -type f -delete && touch /etc/datadog-agent/datadog.yaml && exec agent run imagePullPolicy: IfNotPresent env: + + - name: KUBERNETES + value: "yes" - name: DD_API_KEY valueFrom: secretKeyRef: name: "datadog-secret" key: api-key - - name: KUBERNETES - value: "yes" - name: DD_LOG_LEVEL value: "INFO" - name: DD_EXTRA_CONFIG_PROVIDERS @@ -1507,7 +1513,7 @@ metadata: name: datadog-cluster-agent namespace: datadog-agent labels: - helm.sh/chart: 'datadog-3.73.0' + helm.sh/chart: 'datadog-3.79.0' app.kubernetes.io/name: "datadog" app.kubernetes.io/instance: "datadog" app.kubernetes.io/managed-by: Helm 
@@ -1537,15 +1543,15 @@ spec: name: datadog-cluster-agent annotations: - checksum/clusteragent_token: 8d93968cf1fcd7528edb7c1d0667c1e200602d1dbcc33fbf7c7274cabc757ee1 - checksum/clusteragent-configmap: 65496f49f667006695458d448536cabbf214be02a08201234f491c7a3b50e1bd - checksum/install_info: 4431ead135ce20065fbe40abb5a6e6324fb9e43978cfd3ef1857d9fcaa613aa8 + checksum/clusteragent_token: dc1e3efaa7c41119e5e666c61d458d5dd5b608c3f5be3e7044f14e087aadeca2 + checksum/clusteragent-configmap: 01caadfa4eb3983f3938c37d3a44a51e3ca2969b2d5ffff36f24d025f3246067 + checksum/install_info: 113a50d660d16d7edc1f9242b70b5dde0f3f6f12ce82ce794a8dc01e2863e6a5 spec: serviceAccountName: datadog-cluster-agent automountServiceAccountToken: true initContainers: - name: init-volume - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent command: - cp @@ -1558,7 +1564,7 @@ spec: mountPath: /opt/datadog-agent containers: - name: cluster-agent - image: "gcr.io/datadoghq/cluster-agent:7.57.2" + image: "gcr.io/datadoghq/cluster-agent:7.59.0" imagePullPolicy: IfNotPresent resources: {} @@ -1585,12 +1591,13 @@ spec: name: "datadog-secret" key: api-key optional: true + + - name: KUBERNETES + value: "yes" - name: DD_LANGUAGE_DETECTION_ENABLED value: "false" - name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED value: "false" - - name: KUBERNETES - value: "yes" - name: DD_ADMISSION_CONTROLLER_ENABLED value: "true" - name: DD_ADMISSION_CONTROLLER_WEBHOOK_NAME @@ -1607,6 +1614,8 @@ spec: value: "Ignore" - name: DD_ADMISSION_CONTROLLER_PORT value: "8000" + - name: DD_ADMISSION_CONTROLLER_CONTAINER_REGISTRY + value: "gcr.io/datadoghq" - name: DD_REMOTE_CONFIGURATION_ENABLED 
@@ -1631,6 +1640,8 @@ spec:
 value: datadogtoken
 - name: DD_COLLECT_KUBERNETES_EVENTS
 value: "true"
+ - name: DD_KUBERNETES_EVENTS_SOURCE_DETECTION_ENABLED
+ value: "false"
 - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
 value: datadog-cluster-agent
 - name: DD_CLUSTER_AGENT_AUTH_TOKEN
diff --git a/test/datadog/baseline_test.go b/test/datadog/baseline_test.go
index 8118d5128..baf66fe53 100644
--- a/test/datadog/baseline_test.go
+++ b/test/datadog/baseline_test.go
@@ -113,6 +113,42 @@ func Test_baseline_manifests(t *testing.T) {
 baselineManifestPath: "./baseline/other_default.yaml",
 assertions: verifyUntypedResources,
 },
+ {
+ name: "GDC DaemonSet default",
+ command: common.HelmCommand{
+ ReleaseName: "datadog",
+ ChartPath: "../../charts/datadog",
+ ShowOnly: []string{"templates/daemonset.yaml"},
+ Values: []string{"../../charts/datadog/values.yaml"},
+ Overrides: map[string]string{
+ "datadog.apiKeyExistingSecret": "datadog-secret",
+ "datadog.appKeyExistingSecret": "datadog-secret",
+ "providers.gke.gdc": "true",
+ },
+ },
+ baselineManifestPath: "./baseline/gdc_daemonset_default.yaml",
+ assertions: verifyDaemonset,
+ },
+ {
+ name: "GDC DaemonSet logs collection enabled",
+ command: common.HelmCommand{
+ ReleaseName: "datadog",
+ ChartPath: "../../charts/datadog",
+ ShowOnly: []string{"templates/daemonset.yaml"},
+ Values: []string{"../../charts/datadog/values.yaml"},
+ Overrides: map[string]string{
+ "datadog.apiKeyExistingSecret": "datadog-secret",
+ "datadog.appKeyExistingSecret": "datadog-secret",
+ "datadog.logs.enabled": "true",
+ "datadog.logs.containerCollectAll": "true",
+ "datadog.logs.containerCollectUsingFiles": "true",
+ "datadog.logs.autoMultiLineDetection": "true",
+ "providers.gke.gdc": "true",
+ },
+ },
+ baselineManifestPath: "./baseline/gdc_daemonset_logs_collection.yaml",
+ assertions: verifyDaemonset,
+ },
 }
 for _, tt := range tests {
diff --git a/test/datadog/gdc_test.go b/test/datadog/gdc_test.go new file mode 100644 index 000000000..b8b2ecf98 --- /dev/null +++ b/test/datadog/gdc_test.go 
@@ -0,0 +1,90 @@
+package datadog
+
+import (
+ "fmt"
+ "github.com/DataDog/helm-charts/test/common"
+ "github.com/stretchr/testify/assert"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ "testing"
+)
+
+var allowedHostPaths = map[string]interface{}{
+ "/var/datadog/logs": nil,
+ "/var/log/pods": nil,
+ "/var/log/containers": nil,
+}
+
+func Test_gdcConfigs(t *testing.T) {
+ tests := []struct {
+ name string
+ command common.HelmCommand
+ assertions func(t *testing.T, manifest string)
+ }{
+ {
+ name: "default",
+ command: common.HelmCommand{
+ ReleaseName: "datadog",
+ ChartPath: "../../charts/datadog",
+ ShowOnly: []string{"templates/daemonset.yaml"},
+ Values: []string{"../../charts/datadog/values.yaml"},
+ Overrides: map[string]string{
+ "datadog.apiKeyExistingSecret": "datadog-secret",
+ "datadog.appKeyExistingSecret": "datadog-secret",
+ "datadog.logs.enabled": "true",
+ "agents.image.doNotCheckTag": "true",
+ "datadog.logs.containerCollectAll": "true",
+ "datadog.logs.containerCollectUsingFiles": "true",
+ "datadog.logs.autoMultiLineDetection": "true",
+ "providers.gke.gdc": "true",
+ },
+ },
+ assertions: verifyDaemonsetGDCMinimal,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ manifest, err := common.RenderChart(t, tt.command)
+ assert.Nil(t, err, "couldn't render template")
+ tt.assertions(t, manifest)
+ })
+ }
+}
+
+func verifyDaemonsetGDCMinimal(t *testing.T, manifest string) {
+ var ds appsv1.DaemonSet
+ common.Unmarshal(t, manifest, &ds)
+ agentContainer := &corev1.Container{}
+
+ assert.Equal(t, 1, len(ds.Spec.Template.Spec.Containers))
+
+ for _, container := range ds.Spec.Template.Spec.Containers {
+ if container.Name == "agent" {
+ agentContainer = &container
+ }
+ }
+
+ assert.NotNil(t, agentContainer)
+
+ var validHostPath = true
+ for _, volume := range ds.Spec.Template.Spec.Volumes {
+ if volume.HostPath != nil {
+ _, validHostPath = allowedHostPaths[volume.HostPath.Path]
+ assert.True(t, 
validHostPath, fmt.Sprintf("DaemonSet has restricted hostPath mounted: %s ", volume.HostPath.Path))
+ }
+ }
+
+ validPorts := true
+ for _, container := range ds.Spec.Template.Spec.Containers {
+ if container.Ports != nil {
+ for _, port := range container.Ports {
+ if port.HostPort > 0 {
+ validPorts = false
+ break
+ }
+ }
+ }
+ }
+ assert.True(t, validPorts, "Daemonset has restricted hostPort mounted.")
+}
diff --git a/test/datadog/process_agent_test.go b/test/datadog/process_agent_test.go
index a9f16bc4d..09c042e2b 100644
--- a/test/datadog/process_agent_test.go
+++ b/test/datadog/process_agent_test.go
@@ -19,6 +19,7 @@ const (
 DDSystemProbeEnabled = "DD_SYSTEM_PROBE_ENABLED"
 DDNetworkMonitoringEnabled = "DD_SYSTEM_PROBE_NETWORK_ENABLED"
 DDOrchestratorEnabled = "DD_ORCHESTRATOR_EXPLORER_ENABLED"
+ DDLanguageDetectionEnabled = "DD_LANGUAGE_DETECTION_ENABLED"
 )
 func Test_processAgentConfigs(t *testing.T) {
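Review bot: `assert.NotNil(t, agentContainer)` in verifyDaemonsetGDCMinimal can never fail, because `agentContainer` starts as `&corev1.Container{}` and is only reassigned when an "agent" container is found, so the test still passes when that container is missing or renamed, and the pointer is never read afterwards. The package already has the lookup helper used in process_agent_test.go, so the search loop and the assertion can become `_, ok := getContainer(t, ds.Spec.Template.Spec.Containers, "agent")` followed by `assert.True(t, ok, "agent container missing")`, which also drops the `&container` address-of-loop-variable and the then-unused `corev1` import. Two smaller points: `allowedHostPaths` reads better as a set, `map[string]struct{}`, and `assert.True` takes format args directly, so `assert.True(t, validHostPath, "DaemonSet has restricted hostPath mounted: %s", volume.HostPath.Path)` removes the `fmt.Sprintf` (and the `fmt` import). The hostPort check only walks `ds.Spec.Template.Spec.Containers`; init containers can declare `Ports` too, so including `InitContainers` in that loop would close a gap in the GDC restriction this test enforces.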
@@ -247,6 +248,44 @@ func Test_processAgentConfigs(t *testing.T) {
 },
 assertions: verifyLinuxRunInCoreAgent,
 },
+ {
+ name: "language detection on process agent",
+ command: common.HelmCommand{
+ ReleaseName: "datadog",
+ ChartPath: "../../charts/datadog",
+ ShowOnly: []string{"templates/daemonset.yaml"},
+ Values: []string{"../../charts/datadog/values.yaml"},
+ Overrides: map[string]string{
+ "datadog.apiKeyExistingSecret": "datadog-secret",
+ "datadog.appKeyExistingSecret": "datadog-secret",
+ "datadog.processAgent.runInCoreAgent": "false",
+ "datadog.processAgent.processCollection": "true",
+ "agents.image.tag": "7.56",
+ "datadog.apm.instrumentation.language_detection.enabled": "true",
+ "datadog.apm.instrumentation.enabled": "true",
+ },
+ },
+ assertions: verifyLanguageDetectionInProcessAgent,
+ },
+ {
+ name: "language detection on core agent",
+ command: common.HelmCommand{
+ ReleaseName: "datadog",
+ ChartPath: "../../charts/datadog",
+ ShowOnly: []string{"templates/daemonset.yaml"},
+ Values: []string{"../../charts/datadog/values.yaml"},
+ Overrides: map[string]string{
+ "datadog.apiKeyExistingSecret": "datadog-secret",
+ "datadog.appKeyExistingSecret": "datadog-secret",
+ "datadog.processAgent.runInCoreAgent": "true",
+ "datadog.processAgent.processCollection": "true",
+ "agents.image.tag": "7.57",
+ "datadog.apm.instrumentation.language_detection.enabled": "true",
+ "datadog.apm.instrumentation.enabled": "true",
+ },
+ },
+ assertions: verifyLanguageDetectionInCoreAgent,
+ },
 }
 for _, tt := range tests {
@@ -272,7 +311,7 @@ func verifyDaemonsetMinimal(t *testing.T, manifest string) {
 assert.True(t, ok)
 processEnvs := getEnvVarMap(processAgentContainer.Env)
 assertDefaultCommonProcessEnvs(t, processEnvs)
- assert.Equal(t, "false", coreEnvs[DDProcessRunInCoreAgentEnabled])
+ assert.Equal(t, "false", processEnvs[DDProcessRunInCoreAgentEnabled])
 assert.True(t, getPasswdMount(t, processAgentContainer.VolumeMounts))
 }
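Review bot: The two new cases differ only in `datadog.processAgent.runInCoreAgent` and `agents.image.tag` (`7.56` versus `7.57`), and nothing in the table says why the tag matters, so a reader cannot tell whether the image version is load-bearing for where the language-detection env var is expected to land. A one-line comment on each `"agents.image.tag"` entry would fix that, e.g. `// tag drives the chart's agent-version gate for process checks in the core agent; confirm the threshold against the template` — I cannot verify the exact cut-over from this diff, so the comment should be checked before it is committed. Unlike the `default` case in gdc_test.go, these cases do not set `agents.image.doNotCheckTag`, which looks intentional since the tag is what is under test, but a comment would make that explicit too.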
@@ -309,6 +348,45 @@ func verifyLinuxRunInCoreAgent(t *testing.T, manifest string) {
 assert.False(t, ok)
 }
+func verifyLanguageDetectionInCoreAgent(t *testing.T, manifest string) {
+ var deployment appsv1.DaemonSet
+ common.Unmarshal(t, manifest, &deployment)
+ coreAgentContainer, ok := getContainer(t, deployment.Spec.Template.Spec.Containers, "agent")
+ assert.True(t, ok)
+ coreEnvs := getEnvVarMap(coreAgentContainer.Env)
+ assert.Equal(t, "true", coreEnvs[DDContainerCollectionEnabled])
+ assert.Equal(t, "true", coreEnvs[DDProcessCollectionEnabled])
+ assert.Equal(t, "true", coreEnvs[DDProcessDiscoveryEnabled])
+ assert.Equal(t, "false", coreEnvs[DDStripProcessArgs])
+ assert.Equal(t, "true", coreEnvs[DDProcessRunInCoreAgentEnabled])
+ assert.Equal(t, "true", coreEnvs[DDLanguageDetectionEnabled])
+ assert.True(t, getPasswdMount(t, coreAgentContainer.VolumeMounts))
+
+ _, ok = getContainer(t, deployment.Spec.Template.Spec.Containers, "process-agent")
+ assert.False(t, ok)
+}
+
+func verifyLanguageDetectionInProcessAgent(t *testing.T, manifest string) {
+ var deployment appsv1.DaemonSet
+ common.Unmarshal(t, manifest, &deployment)
+ coreAgentContainer, ok := getContainer(t, deployment.Spec.Template.Spec.Containers, "agent")
+ assert.True(t, ok)
+ coreEnvs := getEnvVarMap(coreAgentContainer.Env)
+ assert.Equal(t, "false", coreEnvs[DDProcessRunInCoreAgentEnabled])
+ assert.False(t, getPasswdMount(t, coreAgentContainer.VolumeMounts))
+
+ processAgentContainer, ok := getContainer(t, deployment.Spec.Template.Spec.Containers, "process-agent")
+ assert.True(t, ok)
+ processEnvs := getEnvVarMap(processAgentContainer.Env)
+ assert.Equal(t, "true", processEnvs[DDContainerCollectionEnabled])
+ assert.Equal(t, "true", processEnvs[DDProcessCollectionEnabled])
+ assert.Equal(t, "true", processEnvs[DDProcessDiscoveryEnabled])
+ assert.Equal(t, "false", processEnvs[DDStripProcessArgs])
+ assert.Equal(t, "false", processEnvs[DDProcessRunInCoreAgentEnabled])
+ assert.Equal(t, "true", 
processEnvs[DDLanguageDetectionEnabled])
+ assert.True(t, getPasswdMount(t, processAgentContainer.VolumeMounts))
+}
+
 func verifyChecksOff(t *testing.T, manifest string) {
 var deployment appsv1.DaemonSet
 common.Unmarshal(t, manifest, &deployment)
diff --git a/test/private-action-runner/__snapshot__/default.yaml b/test/private-action-runner/__snapshot__/default.yaml
index bae87b7e3..0ff7ed363 100644
--- a/test/private-action-runner/__snapshot__/default.yaml
+++ b/test/private-action-runner/__snapshot__/default.yaml
@@ -100,7 +100,7 @@ spec:
 value: nodeless
 containers:
 - name: runner
- image: "us-east4-docker.pkg.dev/datadog-sandbox/apps-on-prem/onprem-runner:v0.1.2-beta"
+ image: "gcr.io/datadoghq/private-action-runner:v0.1.4-beta"
 imagePullPolicy: IfNotPresent
 ports:
 - name: http
diff --git a/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml b/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml
index 08a3b48c9..c4d5a2779 100644
--- a/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml
+++ b/test/private-action-runner/__snapshot__/enable-kubernetes-actions.yaml
@@ -144,7 +144,7 @@ spec:
 value: nodeless
 containers:
 - name: runner
- image: "us-east4-docker.pkg.dev/datadog-sandbox/apps-on-prem/onprem-runner:v0.1.2-beta"
+ image: "gcr.io/datadoghq/private-action-runner:v0.1.4-beta"
 imagePullPolicy: IfNotPresent
 ports:
 - name: http
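Review bot: `verifyLanguageDetectionInCoreAgent` appears to repeat the body of `verifyLinuxRunInCoreAgent` (whose tail, `_, ok = getContainer(..., "process-agent")` / `assert.False(t, ok)`, is visible just above the hunk) and adds one assertion, so the two will drift the next time the shared expectations change; calling the existing verifier and then asserting only `assert.Equal(t, "true", coreEnvs[DDLanguageDetectionEnabled])` would keep a single source of truth, though I can see only the end of that function here. The same holds for `verifyLanguageDetectionInProcessAgent` against `verifyDaemonsetMinimal`, whose tail appears in the `@@ -272` hunk above. A naming nit in both new functions: the local `deployment` holds an `appsv1.DaemonSet`, so `ds` (as gdc_test.go uses) would avoid the misleading name. The asymmetric passwd-mount expectation in the process-agent case (`assert.False` on the core agent, `assert.True` on process-agent) deserves a one-line comment stating why the mount is expected to move with the process checks.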