From 9151c2a5ded1b2ec6373d688efcacbf5bd5778b6 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 9 Oct 2024 11:36:21 +0200
Subject: [PATCH 1/3] Use container runtime snapshotter by default on EKS and GKE
---
 charts/datadog/templates/_container-agent.yaml | 7 +++----
 .../templates/_daemonset-volumes-linux.yaml | 2 +-
 charts/datadog/templates/_helpers.tpl | 14 ++++++++++++++
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml
index 90200d49e..ff092a2aa 100644
--- a/charts/datadog/templates/_container-agent.yaml
+++ b/charts/datadog/templates/_container-agent.yaml
@@ -3,7 +3,7 @@
 image: "{{ include "image-path" (dict "root" .Values "image" .Values.agents.image) }}"
 imagePullPolicy: {{ .Values.agents.image.pullPolicy }}
 command: ["agent", "run"]
-{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.agent.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version "sysAdmin" .Values.datadog.sbom.containerImage.uncompressedLayersSupport) | indent 2 }}
+{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.agent.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version "sysAdmin" (and (eq (include "should-support-discard-uncompressed-layers" .) "true") (not .Values.datadog.sbom.containerImage.overlayFSDirectScan))) | indent 2 }}
 resources:
 {{ toYaml .Values.agents.containers.agent.resources | indent 4 }}
 ports:
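Review bot: The `sysAdmin` argument on the changed `generate-security-context` line is no longer an explicit opt-in: it is true whenever `should-support-discard-uncompressed-layers` renders "true" and `overlayFSDirectScan` is not set, and per the helper added later in this patch that includes any GKE- or EKS-looking cluster once `sbom.containerImage.enabled` is set. Whatever `generate-security-context` adds for `sysAdmin` (its body is not in this patch; presumably the SYS_ADMIN capability) now arrives through a chart upgrade rather than a values change, together with the `/var/lib/containerd` hostPath volume and mount gated by the same condition in the `@@ -276` and `_daemonset-volumes-linux.yaml` hunks, so clusters whose admission policy restricts capabilities or hostPath may start rejecting the DaemonSet. I would record this next to the line with `{{- /* sysAdmin follows SBOM snapshotter auto-detection (GKE/EKS); overlayFSDirectScan turns it off */ -}}` and have the changelog entry name the added capability and hostPath mount.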
@@ -177,11 +177,10 @@
 - name: DD_SBOM_CONTAINER_IMAGE_ENABLED
 value: "true"
 {{- end }}
- {{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }}
+ {{- if eq (include "should-support-discard-uncompressed-layers" .) "true" }}
 - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
 value: "true"
 {{- end }}
-
 {{- if .Values.datadog.sbom.host.enabled }}
 - name: DD_SBOM_HOST_ENABLED
 value: "true"
@@ -276,7 +275,7 @@
 readOnly: true
 {{- end }}
 {{- end }}
- {{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }}
+ {{- if eq (include "should-support-discard-uncompressed-layers" .) "true" }}
 - name: host-containerd-dir
 mountPath: /host/var/lib/containerd
 readOnly: true
diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml
index 39ce80f63..b9b8bfb1c 100644
--- a/charts/datadog/templates/_daemonset-volumes-linux.yaml
+++ b/charts/datadog/templates/_daemonset-volumes-linux.yaml
@@ -147,7 +147,7 @@
 path: /
 name: hostroot
 {{- end }}
-{{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }}
+{{- if (eq (include "should-support-discard-uncompressed-layers" .) "true") }}
 - hostPath:
 path: /var/lib/containerd
 name: host-containerd-dir
diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
index 2060ada51..4d72addb4 100644
--- a/charts/datadog/templates/_helpers.tpl
+++ b/charts/datadog/templates/_helpers.tpl
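Review bot: In the `_daemonset-volumes-linux.yaml` hunk the hostPath stays fixed at `/var/lib/containerd`, while the new gate can now switch it on from the provider name alone; nothing visible here ties that path to where the node's runtime actually keeps its data. Under the old condition the operator set a value and so vouched for the path; with auto-detection the chart does, and a node with a different containerd root would presumably get a mount that holds no layers. A one-line template comment above the `if`, `{{- /* assumes containerd's default root on the node; also enabled by GKE/EKS auto-detection */ -}}`, would make the assumption visible. The same applies to the matching `host-containerd-dir` volumeMount in the `@@ -276` hunk.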
@@ -930,6 +930,20 @@ Create RBACs for custom resources
 {{- end -}}
 {{- end -}}
+{{/*
+ Return true if container runtime is known to discard uncompressed layers
+*/}}
+{{- define "should-support-discard-uncompressed-layers" -}}
+ {{- if or .Values.datadog.sbom.containerImage.uncompressedLayersSupport .Values.datadog.sbom.containerImage.overlayFSDirectScan (and .Values.datadog.sbom.containerImage.enabled (or (contains "-gke." .Capabilities.KubeVersion.GitVersion) (contains "-eks." .Capabilities.KubeVersion.GitVersion))) -}}
+ {{- if not (eq (include "should-enable-container-image-collection" .) "true") -}}
+ {{- fail "Container runtime support has to be enabled for SBOM collection to work. Please enable it using `datadog.containerRuntimeSupport.enabled`." -}}
+ {{- end -}}
+ true
+ {{- else -}}
+ false
+ {{- end -}}
+{{- end -}}
+
 {{/*
 Return true if language detection feature is enabled
 */}}
From 012ba100ed6b8bb1c9c31ca89f8b9429ab8c7f89 Mon Sep 17 00:00:00 2001
From: Sylvain Baubeau
Date: Thu, 10 Oct 2024 15:47:45 +0200
Subject: [PATCH 2/3] Fix eks git version pattern
---
 charts/datadog/templates/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
index 4d72addb4..cac84a0ca 100644
--- a/charts/datadog/templates/_helpers.tpl
+++ b/charts/datadog/templates/_helpers.tpl
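Review bot: Setting `uncompressedLayersSupport: false` cannot turn this off on GKE or EKS, because the `or` gives the GitVersion match the same weight as the two value flags, and the nested `fail` then aborts rendering on any such cluster where `should-enable-container-image-collection` is not "true". The doc comment describes a pure predicate about the runtime, which hides both the value-driven branches and the abort from the four call sites in this patch; I would reword it to `Return true if the runtime snapshotter mount should be used (requested in values, or GKE/EKS detected with SBOM image scanning on); fails when container image collection is disabled.` The `fail` text also points only at `datadog.containerRuntimeSupport.enabled`, while the check is the `should-enable-container-image-collection` helper, whose definition is outside this patch, so the hint may not be the whole fix.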
@@ -934,7 +934,7 @@ Create RBACs for custom resources
 Return true if container runtime is known to discard uncompressed layers
 */}}
 {{- define "should-support-discard-uncompressed-layers" -}}
- {{- if or .Values.datadog.sbom.containerImage.uncompressedLayersSupport .Values.datadog.sbom.containerImage.overlayFSDirectScan (and .Values.datadog.sbom.containerImage.enabled (or (contains "-gke." .Capabilities.KubeVersion.GitVersion) (contains "-eks." .Capabilities.KubeVersion.GitVersion))) -}}
+ {{- if or .Values.datadog.sbom.containerImage.uncompressedLayersSupport .Values.datadog.sbom.containerImage.overlayFSDirectScan (and .Values.datadog.sbom.containerImage.enabled (or (contains "-gke." .Capabilities.KubeVersion.GitVersion) (contains "-eks-" .Capabilities.KubeVersion.GitVersion))) -}}
 {{- if not (eq (include "should-enable-container-image-collection" .) "true") -}}
 {{- fail "Container runtime support has to be enabled for SBOM collection to work. Please enable it using `datadog.containerRuntimeSupport.enabled`." -}}
 {{- end -}}
From 354a6dad1043d18f722e572749892baacdd41aad Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 9 Oct 2024 11:39:43 +0200
Subject: [PATCH 3/3] Bump version to 3.75.1
---
 charts/datadog/CHANGELOG.md | 4 ++++
 charts/datadog/Chart.yaml | 2 +-
 charts/datadog/README.md | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md
index cb8c9f4de..c9ab62600 100644
--- a/charts/datadog/CHANGELOG.md
+++ b/charts/datadog/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Datadog changelog
+## 3.75.1
+
+* Use container runtime snapshotter by default on EKS and GKE.
+
 ## 3.75.0
 * Set default `Agent` and `Cluster-Agent` version to `7.58.0`.
diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml
index 0c77605bd..0a7dfb2e3 100644
--- a/charts/datadog/Chart.yaml
+++ b/charts/datadog/Chart.yaml
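Review bot: The helper still carries no record of which GitVersion shapes `-gke.` and `-eks-` are meant to match, which is how the previous patch shipped `-eks.`; a comment above the `if or` line such as `{{- /* provider suffix in GitVersion: "-gke.<n>" on GKE, "-eks-<id>" on EKS */ -}}` would let the next reader check the literals. Because these are plain substring tests on `.Capabilities.KubeVersion.GitVersion`, the result also depends on how the chart is rendered: `helm template` without `--kube-version` uses Helm's built-in default version, so an offline render would not take the GKE/EKS branch that a live install does, and the two would differ in mounts and privileges. The helper's body continues past the end of this hunk.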
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 3.75.0
+version: 3.75.1
 appVersion: "7"
 description: Datadog Agent
 keywords:
diff --git a/charts/datadog/README.md b/charts/datadog/README.md
index 723ec5103..8da29ebce 100644
--- a/charts/datadog/README.md
+++ b/charts/datadog/README.md
@@ -1,6 +1,6 @@
 # Datadog
-![Version: 3.75.0](https://img.shields.io/badge/Version-3.75.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.75.1](https://img.shields.io/badge/Version-3.75.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).