[PROCS-4293] Improve support for processAgent.runInCoreAgent feature (

#1504) * Improve support for run in core agent feature * Update CHANGELONG and docs * Remove check for enabled process checks * Update CHANGELOG and docs * Update Chart.yaml * Update README.md
DataDog · Aug 28, 2024 · fb73823 · fb73823
1 parent 78ce3e0
commit fb73823
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 21 deletions.
diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.70.4
+
+* Improve support for `processAgent.runInCoreAgent` feature.
+
 ## 3.70.3
 
 * Update `fips.image.tag` to `1.1.4`

diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 3.70.3
+version: 3.70.4
 appVersion: "7"
 description: Datadog Agent
 keywords:

diff --git a/charts/datadog/README.md b/charts/datadog/README.md
@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.70.3](https://img.shields.io/badge/Version-3.70.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.70.4](https://img.shields.io/badge/Version-3.70.4-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 

diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml
@@ -251,7 +251,7 @@
       mountPath: /host/sys/fs/cgroup
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
       readOnly: true
-    {{- if .Values.datadog.processAgent.runInCoreAgent }}
+    {{- if (eq (include "should-run-process-checks-on-core-agent" .) "true") }}
     - name: passwd
       mountPath: /etc/passwd
       readOnly: true

diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml
@@ -137,7 +137,7 @@
   name: btf-path
 {{- end }}
 {{- end }}
-{{- if or (eq (include "process-checks-enabled" .) "true") .Values.datadog.processAgent.runInCoreAgent (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-security-agent" .) "true") }}
+{{- if or (eq (include "process-checks-enabled" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-security-agent" .) "true") }}
 - hostPath:
     path: /etc/passwd
   name: passwd

diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
@@ -943,30 +943,49 @@ Create RBACs for custom resources
   Return true if any process-related check is enabled
 */}}
 {{- define "process-checks-enabled" -}}
-  {{- if or .Values.datadog.processAgent.containerCollection .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery .Values.datadog.apm.instrumentation.language_detection.enabled -}}
+  {{- if or .Values.datadog.processAgent.containerCollection .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery (eq (include "language-detection-enabled" .) "true") -}}
     true
   {{- else -}}
     false
   {{- end -}}
 {{- end -}}
 
+{{/*
+  Return value of "DD_PROCESS_CONFIG_RUN_IN_CORE_AGENT_ENABLED" env var in core agent container.
+*/}}
+{{- define "get-process-checks-in-core-agent-envvar" -}}
+  {{- range .Values.agents.containers.agent.env -}}
+    {{- if eq .name "DD_PROCESS_CONFIG_RUN_IN_CORE_AGENT_ENABLED" -}}
+      {{- .value -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+  Returns true if process-related checks should run on the core agent.
+*/}}
+{{- define "should-run-process-checks-on-core-agent" -}}
+  {{- if ne .Values.targetSystem "linux" -}}
+    false
+  {{- else if (ne (include "get-process-checks-in-core-agent-envvar" .) "") -}}
+    {{- include "get-process-checks-in-core-agent-envvar" . -}}
+  {{- else if and (not .Values.agents.image.doNotCheckTag) .Values.datadog.processAgent.runInCoreAgent (semverCompare ">=7.53.0-0" (include "get-agent-version" .)) -}}
+      true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
+
 {{/*
   Returns true if the process-agent container should be created.
 */}}
 {{- define "should-enable-process-agent" -}}
   {{- if or .Values.datadog.networkMonitoring.enabled .Values.datadog.serviceMonitoring.enabled -}}
     true
-  {{- else if and (eq .Values.targetSystem "windows") (eq (include "process-checks-enabled" .) "true") -}}
+  {{- else if and (not .Values.agents.image.doNotCheckTag) (eq (include "should-enable-k8s-resource-monitoring" .) "true") (semverCompare "<=7.51.0-0" (include "get-agent-version" .)) -}}
     true
-  {{- else if not .Values.agents.image.doNotCheckTag -}}
-    {{- $version := (include "get-agent-version" .) -}}
-    {{- if and (eq (include "should-enable-k8s-resource-monitoring" .) "true") (semverCompare "<=7.51.0-0" $version) -}}
-      true
-    {{- else if and .Values.datadog.processAgent.runInCoreAgent (semverCompare ">=7.53.0-0" $version) -}}
-      false
-    {{- else -}}
-      {{- include "process-checks-enabled" . -}}
-    {{- end -}}
+  {{- else if (eq (include "should-run-process-checks-on-core-agent" .) "true") -}}
+    false
   {{- else -}}
     {{- include "process-checks-enabled" . -}}
   {{- end -}}

diff --git a/charts/datadog/templates/_processes-common-env.yaml b/charts/datadog/templates/_processes-common-env.yaml
@@ -8,8 +8,8 @@
   value: {{ .Values.datadog.processAgent.processDiscovery | quote }}
 - name: DD_STRIP_PROCESS_ARGS
   value: {{ .Values.datadog.processAgent.stripProcessArguments | quote }}
-{{- if eq .Values.targetSystem "linux" }}
+{{- if and (eq .Values.targetSystem "linux") (eq (include "get-process-checks-in-core-agent-envvar" .) "") }}
 - name: DD_PROCESS_CONFIG_RUN_IN_CORE_AGENT_ENABLED
-  value: {{ .Values.datadog.processAgent.runInCoreAgent | quote }}
-{{- end }}  
+  value: {{ (include "should-run-process-checks-on-core-agent" .) | quote }}
+{{- end }} 
 {{- end -}}
diff --git a/test/datadog/process_agent_test.go b/test/datadog/process_agent_test.go
@@ -230,6 +230,23 @@ func Test_processAgentConfigs(t *testing.T) {
 			},
 			assertions: verifyLinuxRunInCoreAgentOld,
 		},
+		{
+			name: "enable process checks in core agent -- env var override",
+			command: common.HelmCommand{
+				ReleaseName: "datadog",
+				ChartPath:   "../../charts/datadog",
+				ShowOnly:    []string{"templates/daemonset.yaml"},
+				Values:      []string{"../../charts/datadog/values.yaml", "values/process-run-in-core-envvars.yaml" },
+				Overrides: map[string]string{
+					"datadog.apiKeyExistingSecret":        "datadog-secret",
+					"datadog.appKeyExistingSecret":        "datadog-secret",
+					"datadog.processAgent.runInCoreAgent": "false",
+					"agents.image.doNotCheckTag":          "true",
+					"datadog.processAgent.processCollection": "true",
+				},
+			},
+			assertions: verifyLinuxRunInCoreAgent,
+		},
 	}
 
 	for _, tt := range tests {
@@ -368,14 +385,14 @@ func verifyLinuxRunInCoreAgentOld(t *testing.T, manifest string) {
 	assert.True(t, ok)
 	coreEnvs := getEnvVarMap(coreAgentContainer.Env)
 	assertDefaultCommonProcessEnvs(t, coreEnvs)
-	assert.Equal(t, "true", coreEnvs[DDProcessRunInCoreAgentEnabled])
-	assert.True(t, getPasswdMount(t, coreAgentContainer.VolumeMounts))
+	assert.Equal(t, "false", coreEnvs[DDProcessRunInCoreAgentEnabled])
+	assert.False(t, getPasswdMount(t, coreAgentContainer.VolumeMounts))
 
 	processAgentContainer, ok := getContainer(t, deployment.Spec.Template.Spec.Containers, "process-agent")
 	assert.True(t, ok)
 	processEnvs := getEnvVarMap(processAgentContainer.Env)
 	assertDefaultCommonProcessEnvs(t, processEnvs)
-	assert.Equal(t, "true", coreEnvs[DDProcessRunInCoreAgentEnabled])
+	assert.Equal(t, "false", coreEnvs[DDProcessRunInCoreAgentEnabled])
 	assert.True(t, getPasswdMount(t, processAgentContainer.VolumeMounts))
 }
 

diff --git a/test/datadog/values/process-run-in-core-envvars.yaml b/test/datadog/values/process-run-in-core-envvars.yaml
@@ -0,0 +1,10 @@
+agents:
+  containers:
+    agent:
+      env:
+        - name: DD_PROCESS_CONFIG_RUN_IN_CORE_AGENT_ENABLED
+          value: "true"
+    processAgent:
+      env:
+        - name: DD_PROCESS_CONFIG_RUN_IN_CORE_AGENT_ENABLED
+          value: "true"