From ecede35dabd4e8b18602cfa5d8cda3ccf36fbe8e Mon Sep 17 00:00:00 2001
From: Sylvain Baubeau
Date: Tue, 22 Oct 2024 12:51:21 +0200
Subject: [PATCH 1/5] Set datadog.sbom.containerImage.uncompressedLayersSupport to true by default
---
 charts/datadog/README.md | 2 +-
 charts/datadog/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/datadog/README.md b/charts/datadog/README.md
index 723ec5103..c6c291e81 100644
--- a/charts/datadog/README.md
+++ b/charts/datadog/README.md
@@ -799,7 +799,7 @@ helm install \
 | datadog.prometheusScrape.version | int | `2` | Version of the openmetrics check to schedule by default. |
 | datadog.remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration. DEPRECATED: Consider using remoteConfiguration.enabled instead |
 | datadog.sbom.containerImage.enabled | bool | `false` | Enable SBOM collection for container images |
-| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `false` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. |
+| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `true` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. |
 | datadog.sbom.host.enabled | bool | `false` | Enable SBOM collection for host filesystems |
 | datadog.secretAnnotations | object | `{}` | |
 | datadog.secretBackend.arguments | string | `nil` | Configure the secret backend command arguments (space-separated strings). |
diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
index 02f321c97..b78085e93 100644
--- a/charts/datadog/values.yaml
+++ b/charts/datadog/values.yaml
@@ -821,7 +821,7 @@ datadog: # This should be set to true when using EKS, GKE or if containerd is configured to # discard uncompressed layers. # This feature will cause the SYS_ADMIN capability to be added to the Agent container. - uncompressedLayersSupport: false + uncompressedLayersSupport: true host: # datadog.sbom.host.enabled -- Enable SBOM collection for host filesystems From 8b14e65dd7c746719a50314eb0b7286bb9b70c9a Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 9 Oct 2024 11:39:43 +0200 Subject: [PATCH 2/5] Bump version to 3.75.1 --- charts/datadog/CHANGELOG.md | 4 ++++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index cb8c9f4de..6891018aa 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.75.1 + +* Set `datadog.sbom.containerImage.uncompressedLayersSupport` to `true` by default. + ## 3.75.0 * Set default `Agent` and `Cluster-Agent` version to `7.58.0`. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 0c77605bd..0a7dfb2e3 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.75.0 +version: 3.75.1 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index c6c291e81..dd9312027 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
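Review bot: Flipping `uncompressedLayersSupport` to `true` in charts/datadog/values.yaml (patch 1/5) makes the more privileged path the default, since the comment directly above the changed line says this feature adds the SYS_ADMIN capability to the Agent container. Presumably the capability is only rendered when `datadog.sbom.containerImage.enabled` is also true, but the hunk does not show that, and installs that already enable container-image SBOM collection would pick up the capability on upgrade without changing their values. Clusters whose admission policy rejects added capabilities may then refuse the Agent pods. I would state the condition in the comment, e.g. `# Only takes effect when datadog.sbom.containerImage.enabled is true; set to false where SYS_ADMIN is not permitted.` (to be confirmed against the templates), and mention the capability change in the changelog entry for this release. The `datadog:` block continues outside the hunk.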
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.75.0](https://img.shields.io/badge/Version-3.75.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.75.1](https://img.shields.io/badge/Version-3.75.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). From 1fe919e16328424b563f1aba1dc83995dc5cc6ae Mon Sep 17 00:00:00 2001 From: Sylvain Baubeau Date: Tue, 22 Oct 2024 14:24:45 +0200 Subject: [PATCH 3/5] Update description --- charts/datadog/README.md | 2 +- charts/datadog/values.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/datadog/README.md b/charts/datadog/README.md index dd9312027..35185fa90 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
@@ -799,7 +799,7 @@ helm install \
 | datadog.prometheusScrape.version | int | `2` | Version of the openmetrics check to schedule by default. |
 | datadog.remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration. DEPRECATED: Consider using remoteConfiguration.enabled instead |
 | datadog.sbom.containerImage.enabled | bool | `false` | Enable SBOM collection for container images |
-| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `true` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. |
+| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `true` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. Setting this to false could cause a high error rate when generating SBOMs due to missing uncompressed layer. See https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/vulnerabilities/#uncompressed-container-image-layers |
 | datadog.sbom.host.enabled | bool | `false` | Enable SBOM collection for host filesystems |
 | datadog.secretAnnotations | object | `{}` | |
 | datadog.secretBackend.arguments | string | `nil` | Configure the secret backend command arguments (space-separated strings). |
diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
index b78085e93..236d2eac4 100644
--- a/charts/datadog/values.yaml
+++ b/charts/datadog/values.yaml
@@ -821,6 +821,8 @@ datadog: # This should be set to true when using EKS, GKE or if containerd is configured to # discard uncompressed layers. # This feature will cause the SYS_ADMIN capability to be added to the Agent container. + # Setting this to false could cause a high error rate when generating SBOMs due to missing uncompressed layer. + # See https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/vulnerabilities/#uncompressed-container-image-layers uncompressedLayersSupport: true host: From 207f66e4b1145c5ac6a9a7d0ab61455479171307 Mon Sep 17 00:00:00 2001 From: Sylvain Baubeau Date: Tue, 22 Oct 2024 14:26:10 +0200 Subject: [PATCH 4/5] Bump minor instead of patch version --- charts/datadog/CHANGELOG.md | 2 +- charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index 6891018aa..aea696be7 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,6 +1,6 @@ # Datadog changelog -## 3.75.1 +## 3.76.0 * Set `datadog.sbom.containerImage.uncompressedLayersSupport` to `true` by default. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 0a7dfb2e3..fd6a51a19 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.75.1 +version: 3.76.0 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 35185fa90..c8ad584a2 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
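Review bot: The two comment lines added in charts/datadog/values.yaml (patch 3/5) explain the cost of `false`, but the surrounding text still reads as opt-in advice ("This should be set to true when using EKS, GKE ...") even though the default is now `true`. I would make the trade-off explicit in both directions, e.g. `# Enabled by default; set to false only if the runtime keeps uncompressed layers and SYS_ADMIN must be avoided.`, and correct `missing uncompressed layer` to `missing uncompressed layers`. The README table row in the same patch carries the same wording and would need the matching change.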
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.75.1](https://img.shields.io/badge/Version-3.75.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.76.0](https://img.shields.io/badge/Version-3.76.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). From 698e982234b1a3e4e1c2e56c46f8faf296e627cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Bavelier?= Date: Wed, 23 Oct 2024 11:25:53 +0200 Subject: [PATCH 5/5] Remove k8s 1.18.20 from testing matrix to fix CI --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ed86783d7..04ed541b9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -118,7 +118,8 @@ jobs: strategy: matrix: k8s: - - v1.18.20 + # TODO: `kind create cluster --config .github/kind_config.yaml --name chart-testing --wait 60s --image kindest/node:v1.18.20` fails + # - v1.18.20 - v1.22.17 - v1.24.17 - v1.25.16
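Review bot: Commenting out `v1.18.20` in the `k8s` matrix of .github/workflows/ci.yaml (patch 5/5) leaves `v1.22.17` as the oldest version visible in this hunk, so the chart is no longer exercised on anything older. If the chart still declares support for those versions, template regressions there would go unnoticed. The TODO has no owner or tracking reference, which makes it likely to stay; I would add one, e.g. `# TODO(<issue-link>): re-enable once kindest/node:v1.18.20 starts under the current kind release`, or substitute the oldest node image that kind can still boot. The matrix list continues outside the hunk.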