From 5695dbb7aa322fe278078ff1bdc66b76fbf1615b Mon Sep 17 00:00:00 2001 From: Gabriel Dos Santos <91925154+gabedos@users.noreply.github.com> Date: Wed, 11 Mar 2026 10:24:35 -0400 Subject: [PATCH 1/5] Release v1.25.0-rc.1 (#2738) --- ...atadog-operator.clusterserviceversion.yaml | 15 +- .../datadoghq.com_datadogagentinternals.yaml | 571 ++++++++++++++++-- .../datadoghq.com_datadogagentprofiles.yaml | 452 +++++++++++++- .../datadoghq.com_datadogagents.yaml | 571 ++++++++++++++++-- .../datadoghq.com_datadogpodautoscalers.yaml | 98 ++- config/manager/kustomization.yaml | 2 +- 6 files changed, 1593 insertions(+), 116 deletions(-) diff --git a/bundle/manifests/datadog-operator.clusterserviceversion.yaml b/bundle/manifests/datadog-operator.clusterserviceversion.yaml index 925611dbd..d52eaa09b 100644 --- a/bundle/manifests/datadog-operator.clusterserviceversion.yaml +++ b/bundle/manifests/datadog-operator.clusterserviceversion.yaml @@ -194,7 +194,7 @@ metadata: ] capabilities: Full Lifecycle categories: Monitoring, Logging & Tracing - createdAt: "2026-03-06 15:37:29" + createdAt: "2026-03-10 23:53:52" description: |- Datadog provides a modern monitoring and analytics platform. Gather metrics, logs and traces for full observability of your Kubernetes cluster with Datadog Operator. @@ -202,7 +202,7 @@ metadata: operators.operatorframework.io/builder: operator-sdk-v1.34.1 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/DataDog/datadog-operator - containerImage: gcr.io/datadoghq/operator:1.24.0 + containerImage: gcr.io/datadoghq/operator:1.25.0-rc.1 support: Datadog, Inc. features.operators.openshift.io/disconnected: "true" features.operators.openshift.io/fips-compliant: "false" 
@@ -211,12 +211,12 @@ metadata: features.operators.openshift.io/token-auth-aws: "false" features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" - olm.skipRange: '>=1.7.0 <1.24.0' + olm.skipRange: '>=1.7.0 <1.25.0-rc.1' labels: operatorframework.io/arch.amd64: supported operatorframework.io/arch.arm64: supported operatorframework.io/os.linux: supported - name: datadog-operator.v1.24.0 + name: datadog-operator.v1.25.0-rc.1 namespace: placeholder spec: apiservicedefinitions: {} @@ -587,6 +587,7 @@ spec: resources: - endpointslices verbs: + - get - list - watch - apiGroups: @@ -820,7 +821,7 @@ spec: fieldPath: metadata.namespace - name: DD_TOOL_VERSION value: redhat-community-operators - image: gcr.io/datadoghq/operator:1.24.0 + image: gcr.io/datadoghq/operator:1.25.0-rc.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -918,5 +919,5 @@ spec: minKubeVersion: 1.16.0 provider: name: Datadog - version: 1.24.0 - replaces: datadog-operator.v1.23.1 + version: 1.25.0-rc.1 + replaces: datadog-operator.v1.24.0 diff --git a/bundle/manifests/datadoghq.com_datadogagentinternals.yaml b/bundle/manifests/datadoghq.com_datadogagentinternals.yaml index 880335860..f586eb2ce 100644 --- a/bundle/manifests/datadoghq.com_datadogagentinternals.yaml +++ b/bundle/manifests/datadoghq.com_datadogagentinternals.yaml @@ -146,8 +146,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
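Review bot: The `endpointslices` rule gains the `get` verb in the `@@ -587,6 +587,7 @@` hunk, yet this release commit does not say which code path needs it, so the permission change is hard to audit from the bundle alone. `list` and `watch` on the same resource were already granted, so the added exposure is limited to fetching a single slice by name. The rule's `apiGroups` entry and the enclosing role lie outside the hunk, so I would confirm that the role this CSV is built from carries the same verb. I would also record the change in the release notes, for example `RBAC: the operator role now requests get on endpointslices`.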
@@ -206,6 +207,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -275,7 +313,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -775,6 +813,17 @@ spec: type: string type: array x-kubernetes-list-type: set + injectionMode: + description: |- + InjectionMode is the injection mode to use for libraries injection. + Valid values are: "auto", "init_container", "csi" (experimental, requires Cluster Agent 7.76.0+ and Datadog CSI Driver 1.2.0+), "image_volume" (experimental, requires Cluster Agent 7.77.0+). + Empty by default so the Cluster Agent can apply its own defaults. + enum: + - auto + - init_container + - csi + - image_volume + type: string injector: description: Injector configures the APM Injector. properties: @@ -823,8 +872,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -883,6 +933,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -1350,6 +1437,28 @@ spec: Default: false type: boolean type: object + dataPlane: + description: |- + DataPlane configuration for the Agent Data Plane. + Agent Data Plane is a high-performance sidecar that handles data ingestion. + properties: + dogstatsd: + description: Dogstatsd configures DogStatsD handling by the + Data Plane. + properties: + enabled: + description: |- + Enabled configures the Data Plane to handle DogStatsD traffic. + When enabled, DogStatsD is disabled in the Core Agent. + Default: false + type: boolean + type: object + enabled: + description: |- + Enabled enables the Data Plane. + Default: false + type: boolean + type: object dogstatsd: description: Dogstatsd configuration. properties: @@ -2712,8 +2821,9 @@ spec: in a Container. properties: name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -2771,6 +2881,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -2966,7 +3113,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -3075,6 +3222,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -3319,6 +3503,12 @@ spec: The secret backend command to use. Datadog provides a pre-defined binary `/readsecret_multiple_providers.sh`. Read more about `/readsecret_multiple_providers.sh` at https://docs.datadoghq.com/agent/configuration/secrets-management/?tab=linux#script-for-reading-from-multiple-secret-providers. type: string + config: + additionalProperties: + type: string + description: Additional configuration for the secret backend + type. + type: object enableGlobalPermissions: description: |- Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets. @@ -3364,6 +3554,12 @@ spec: Default: `30`. format: int32 type: integer + type: + description: |- + The built-in secret backend type to use (e.g., `k8s.secrets`, `docker.secrets`, `aws.secrets`). + Alternative to Command; when Type is set, the Agent uses the built-in backend to resolve secrets. + Requires Agent 7.70+. + type: string type: object site: description: |- @@ -3969,8 +4165,8 @@ spec: most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm @@ -4412,8 +4608,9 @@ spec: present in a Container. properties: name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
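Review bot: The `type` field added to the secret backend schema in `@@ -3364,6 +3554,12 @@` is described as an alternative to Command, but the schema takes any string and does not stop both fields being set together. Such a resource passes admission, and what the Agent then does is not visible here. This manifest appears to be generated, so the fix belongs on the source type: either a validation rule rejecting the combination, or a description sentence stating the precedence, e.g. `When both Command and Type are set, <state which one is used>.` The `config` map added in `@@ -3319,6 +3503,12 @@` is a free-form string map held in the custom resource, so its description should add a caveat such as `Values are stored in clear text in the resource; do not place credentials here.` The same fields probably recur in the other CRDs touched by this patch.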
@@ -4471,6 +4668,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount + containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -4907,7 +5141,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -5581,8 +5815,9 @@ spec: in a Container. properties: name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- @@ -5640,6 +5875,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -5724,8 +5996,9 @@ spec: type: object x-kubernetes-map-type: atomic prefix: - description: Optional text to prepend to the name of each - environment variable. Must be a C_IDENTIFIER. + description: |- + Optional text to prepend to the name of each environment variable. + May consist of any printable ASCII characters except '='. type: string secretRef: description: The Secret to select from @@ -6216,9 +6489,10 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -7041,7 +7315,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources 
@@ -7129,15 +7403,13 @@ spec: volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -7319,12 +7591,10 @@ spec: description: |- glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + description: endpoints is the endpoint name that details + Glusterfs topology. type: string path: description: |- 
@@ -7403,7 +7673,7 @@ spec: description: |- iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. - More info: https://examples.k8s.io/volumes/iscsi/README.md + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support 
@@ -7829,6 +8099,129 @@ spec: type: array x-kubernetes-list-type: atomic type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. 
+ + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). 
+ + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs will + be addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: |- + userAnnotations allow pod authors to pass additional information to + the signer implementation. Kubernetes does not restrict or validate this + metadata in any way. + + These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of + the PodCertificateRequest objects that Kubelet creates. + + Entries are subject to the same validation as object metadata annotations, + with the addition that all keys must be domain-prefixed. No restrictions + are placed on values, except an overall size limitation on the entire field. + + Signers should document the keys and values they support. Signers should + deny requests that contain keys they do not recognize. + type: object + required: + - keyType + - signerName + type: object secret: description: secret information about the secret data to project @@ -7963,7 +8356,6 @@ spec: description: |- rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: description: |- @@ -8617,8 +9009,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -8680,6 +9073,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -8750,7 +9180,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -9252,6 +9682,17 @@ spec: type: string type: array x-kubernetes-list-type: set + injectionMode: + description: |- + InjectionMode is the injection mode to use for libraries injection. + Valid values are: "auto", "init_container", "csi" (experimental, requires Cluster Agent 7.76.0+ and Datadog CSI Driver 1.2.0+), "image_volume" (experimental, requires Cluster Agent 7.77.0+). + Empty by default so the Cluster Agent can apply its own defaults. + enum: + - auto + - init_container + - csi + - image_volume + type: string injector: description: Injector configures the APM Injector. properties: @@ -9300,8 +9741,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -9363,6 +9805,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -9832,6 +10311,28 @@ spec: Default: false type: boolean type: object + dataPlane: + description: |- + DataPlane configuration for the Agent Data Plane. + Agent Data Plane is a high-performance sidecar that handles data ingestion. + properties: + dogstatsd: + description: Dogstatsd configures DogStatsD handling by + the Data Plane. + properties: + enabled: + description: |- + Enabled configures the Data Plane to handle DogStatsD traffic. + When enabled, DogStatsD is disabled in the Core Agent. + Default: false + type: boolean + type: object + enabled: + description: |- + Enabled enables the Data Plane. + Default: false + type: boolean + type: object dogstatsd: description: Dogstatsd configuration. properties: diff --git a/bundle/manifests/datadoghq.com_datadogagentprofiles.yaml b/bundle/manifests/datadoghq.com_datadogagentprofiles.yaml index fe495af9a..906cb71c2 100644 --- a/bundle/manifests/datadoghq.com_datadogagentprofiles.yaml +++ b/bundle/manifests/datadoghq.com_datadogagentprofiles.yaml @@ -146,8 +146,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -209,6 +210,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -279,7 +317,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -781,6 +819,17 @@ spec: type: string type: array x-kubernetes-list-type: set + injectionMode: + description: |- + InjectionMode is the injection mode to use for libraries injection. + Valid values are: "auto", "init_container", "csi" (experimental, requires Cluster Agent 7.76.0+ and Datadog CSI Driver 1.2.0+), "image_volume" (experimental, requires Cluster Agent 7.77.0+). + Empty by default so the Cluster Agent can apply its own defaults. + enum: + - auto + - init_container + - csi + - image_volume + type: string injector: description: Injector configures the APM Injector. properties: @@ -829,8 +878,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -892,6 +942,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -1361,6 +1448,28 @@ spec: Default: false type: boolean type: object + dataPlane: + description: |- + DataPlane configuration for the Agent Data Plane. + Agent Data Plane is a high-performance sidecar that handles data ingestion. + properties: + dogstatsd: + description: Dogstatsd configures DogStatsD handling by + the Data Plane. + properties: + enabled: + description: |- + Enabled configures the Data Plane to handle DogStatsD traffic. + When enabled, DogStatsD is disabled in the Core Agent. + Default: false + type: boolean + type: object + enabled: + description: |- + Enabled enables the Data Plane. + Default: false + type: boolean + type: object dogstatsd: description: Dogstatsd configuration. properties: @@ -2740,8 +2849,9 @@ spec: in a Container. properties: name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -2799,6 +2909,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -2994,7 +3141,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -3104,6 +3251,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -3349,6 +3533,12 @@ spec: The secret backend command to use. Datadog provides a pre-defined binary `/readsecret_multiple_providers.sh`. Read more about `/readsecret_multiple_providers.sh` at https://docs.datadoghq.com/agent/configuration/secrets-management/?tab=linux#script-for-reading-from-multiple-secret-providers. type: string + config: + additionalProperties: + type: string + description: Additional configuration for the secret backend + type. + type: object enableGlobalPermissions: description: |- Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets. @@ -3394,6 +3584,12 @@ spec: Default: `30`. format: int32 type: integer + type: + description: |- + The built-in secret backend type to use (e.g., `k8s.secrets`, `docker.secrets`, `aws.secrets`). + Alternative to Command; when Type is set, the Agent uses the built-in backend to resolve secrets. + Requires Agent 7.70+. + type: string type: object site: description: |- @@ -4001,8 +4197,8 @@ spec: most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched @@ -4446,8 +4642,9 @@ spec: present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
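Review bot: The description of the new `config` map in hunk `@@ -3349,6 +3533,12 @@` does not say whether sensitive values are acceptable in it. It is a free-form `additionalProperties: type: string` map, so whatever is set there is kept as plain text in the custom resource and is visible to anyone allowed to read that resource. I would extend the description to `Additional configuration for the secret backend type. Values are stored in plain text in this resource; do not put credentials here.` This manifest appears to be generated, so the wording presumably has to change in the API type's comment and be regenerated. The same field is added in datadoghq.com_datadogagents.yaml at `@@ -3318,6 +3502,12 @@`, and the rest of the secret backend object lies outside the hunk.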
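Review bot: The `type` description in hunk `@@ -3394,6 +3584,12 @@` calls the field an "Alternative to Command" but does not say what happens when both are set, and nothing in the visible schema rejects that combination. A resource that sets both could have its secrets resolved through a different backend than its author expects. I would add a sentence such as `Do not set together with Command.` to the description, and back it with a validation check if one does not already exist outside this hunk. The same field is added in datadoghq.com_datadogagents.yaml at `@@ -3363,6 +3553,12 @@`.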
@@ -4506,6 +4703,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -4945,7 +5179,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -5621,8 +5855,9 @@ spec: present in a Container. properties: name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- @@ -5680,6 +5915,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount + containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -5764,8 +6036,9 @@ spec: type: object x-kubernetes-map-type: atomic prefix: - description: Optional text to prepend to the name - of each environment variable. Must be a C_IDENTIFIER. + description: |- + Optional text to prepend to the name of each environment variable. + May consist of any printable ASCII characters except '='. type: string secretRef: description: The Secret to select from @@ -6258,9 +6531,10 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -7090,7 +7364,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources 
@@ -7179,15 +7453,13 @@ spec: volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -7370,12 +7642,10 @@ spec: description: |- glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + description: endpoints is the endpoint name that + details Glusterfs topology. type: string path: description: |- 
@@ -7454,7 +7724,7 @@ spec: description: |- iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. - More info: https://examples.k8s.io/volumes/iscsi/README.md + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether 
@@ -7884,6 +8154,129 @@ spec: type: array x-kubernetes-list-type: atomic type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. 
+ + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). 
+ + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs + will be addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: |- + userAnnotations allow pod authors to pass additional information to + the signer implementation. Kubernetes does not restrict or validate this + metadata in any way. + + These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of + the PodCertificateRequest objects that Kubelet creates. + + Entries are subject to the same validation as object metadata annotations, + with the addition that all keys must be domain-prefixed. No restrictions + are placed on values, except an overall size limitation on the entire field. + + Signers should document the keys and values they support. Signers should + deny requests that contain keys they do not recognize. + type: object + required: + - keyType + - signerName + type: object secret: description: secret information about the secret data to project @@ -8021,7 +8414,6 @@ spec: description: |- rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: description: |- diff --git a/bundle/manifests/datadoghq.com_datadogagents.yaml b/bundle/manifests/datadoghq.com_datadogagents.yaml index 6225cb78d..b0fc52b99 100644 --- a/bundle/manifests/datadoghq.com_datadogagents.yaml +++ b/bundle/manifests/datadoghq.com_datadogagents.yaml 
@@ -145,8 +145,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- @@ -205,6 +206,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -274,7 +312,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. @@ -774,6 +812,17 @@ spec: type: string type: array x-kubernetes-list-type: set + injectionMode: + description: |- + InjectionMode is the injection mode to use for libraries injection. + Valid values are: "auto", "init_container", "csi" (experimental, requires Cluster Agent 7.76.0+ and Datadog CSI Driver 1.2.0+), "image_volume" (experimental, requires Cluster Agent 7.77.0+). + Empty by default so the Cluster Agent can apply its own defaults. + enum: + - auto + - init_container + - csi + - image_volume + type: string injector: description: Injector configures the APM Injector. properties: @@ -822,8 +871,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -882,6 +932,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -1349,6 +1436,28 @@ spec: Default: false type: boolean type: object + dataPlane: + description: |- + DataPlane configuration for the Agent Data Plane. + Agent Data Plane is a high-performance sidecar that handles data ingestion. + properties: + dogstatsd: + description: Dogstatsd configures DogStatsD handling by the + Data Plane. + properties: + enabled: + description: |- + Enabled configures the Data Plane to handle DogStatsD traffic. + When enabled, DogStatsD is disabled in the Core Agent. + Default: false + type: boolean + type: object + enabled: + description: |- + Enabled enables the Data Plane. + Default: false + type: boolean + type: object dogstatsd: description: Dogstatsd configuration. properties: @@ -2711,8 +2820,9 @@ spec: in a Container. properties: name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -2770,6 +2880,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -2965,7 +3112,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -3074,6 +3221,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -3318,6 +3502,12 @@ spec: The secret backend command to use. Datadog provides a pre-defined binary `/readsecret_multiple_providers.sh`. Read more about `/readsecret_multiple_providers.sh` at https://docs.datadoghq.com/agent/configuration/secrets-management/?tab=linux#script-for-reading-from-multiple-secret-providers. type: string + config: + additionalProperties: + type: string + description: Additional configuration for the secret backend + type. + type: object enableGlobalPermissions: description: |- Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets. @@ -3363,6 +3553,12 @@ spec: Default: `30`. format: int32 type: integer + type: + description: |- + The built-in secret backend type to use (e.g., `k8s.secrets`, `docker.secrets`, `aws.secrets`). + Alternative to Command; when Type is set, the Agent uses the built-in backend to resolve secrets. + Requires Agent 7.70+. + type: string type: object site: description: |- @@ -3968,8 +4164,8 @@ spec: most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm @@ -4411,8 +4607,9 @@ spec: present in a Container. properties: name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -4470,6 +4667,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount + containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -4906,7 +5140,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -5580,8 +5814,9 @@ spec: in a Container. properties: name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- @@ -5639,6 +5874,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -5723,8 +5995,9 @@ spec: type: object x-kubernetes-map-type: atomic prefix: - description: Optional text to prepend to the name of each - environment variable. Must be a C_IDENTIFIER. + description: |- + Optional text to prepend to the name of each environment variable. + May consist of any printable ASCII characters except '='. type: string secretRef: description: The Secret to select from @@ -6215,9 +6488,10 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -7040,7 +7314,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources 
@@ -7128,15 +7402,13 @@ spec: volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -7318,12 +7590,10 @@ spec: description: |- glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + description: endpoints is the endpoint name that details + Glusterfs topology. type: string path: description: |- 
@@ -7402,7 +7672,7 @@ spec: description: |- iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. - More info: https://examples.k8s.io/volumes/iscsi/README.md + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support 
@@ -7828,6 +8098,129 @@ spec: type: array x-kubernetes-list-type: atomic type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. 
+ + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). 
+ + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs will + be addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: |- + userAnnotations allow pod authors to pass additional information to + the signer implementation. Kubernetes does not restrict or validate this + metadata in any way. + + These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of + the PodCertificateRequest objects that Kubelet creates. + + Entries are subject to the same validation as object metadata annotations, + with the addition that all keys must be domain-prefixed. No restrictions + are placed on values, except an overall size limitation on the entire field. + + Signers should document the keys and values they support. Signers should + deny requests that contain keys they do not recognize. + type: object + required: + - keyType + - signerName + type: object secret: description: secret information about the secret data to project @@ -7962,7 +8355,6 @@ spec: description: |- rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: description: |- @@ -8668,8 +9060,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -8731,6 +9124,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests @@ -8801,7 +9231,7 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. 
@@ -9303,6 +9733,17 @@ spec: type: string type: array x-kubernetes-list-type: set + injectionMode: + description: |- + InjectionMode is the injection mode to use for libraries injection. + Valid values are: "auto", "init_container", "csi" (experimental, requires Cluster Agent 7.76.0+ and Datadog CSI Driver 1.2.0+), "image_volume" (experimental, requires Cluster Agent 7.77.0+). + Empty by default so the Cluster Agent can apply its own defaults. + enum: + - auto + - init_container + - csi + - image_volume + type: string injector: description: Injector configures the APM Injector. properties: @@ -9351,8 +9792,9 @@ spec: variable present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. type: string value: description: |- 
@@ -9414,6 +9856,43 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume + mount containing the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests 
@@ -9883,6 +10362,28 @@ spec: Default: false type: boolean type: object + dataPlane: + description: |- + DataPlane configuration for the Agent Data Plane. + Agent Data Plane is a high-performance sidecar that handles data ingestion. + properties: + dogstatsd: + description: Dogstatsd configures DogStatsD handling by + the Data Plane. + properties: + enabled: + description: |- + Enabled configures the Data Plane to handle DogStatsD traffic. + When enabled, DogStatsD is disabled in the Core Agent. + Default: false + type: boolean + type: object + enabled: + description: |- + Enabled enables the Data Plane. + Default: false + type: boolean + type: object dogstatsd: description: Dogstatsd configuration. properties: diff --git a/bundle/manifests/datadoghq.com_datadogpodautoscalers.yaml b/bundle/manifests/datadoghq.com_datadogpodautoscalers.yaml index 7b2fe59c9..b844f786c 100644 --- a/bundle/manifests/datadoghq.com_datadogpodautoscalers.yaml +++ b/bundle/manifests/datadoghq.com_datadogpodautoscalers.yaml 
@@ -90,17 +90,56 @@ spec: DatadogPodAutoscalerContainerConstraints defines constraints that should always be respected for a container. If no constraints are set, it enables resource scaling for all containers without any constraints. properties: + controlledResources: + description: |- + Specifies the resources for which recommendations will be computed. + If not specified, it defaults to CPU and Memory. + If an empty list is provided, no resource will be controlled (equivalent to Enabled=false). + items: + description: ResourceName is the name identifying various + resources in a ResourceList. + type: string + type: array + controlledValues: + description: |- + Specifies whether recommendations are made to Requests and Limits (RequestsAndLimits) or Requests only (RequestsOnly). + The default is "RequestsAndLimits". + enum: + - RequestsAndLimits + - RequestsOnly + type: string enabled: description: Enabled, if false, allows one to disable resource autoscaling for the container. Defaults to true. type: boolean + maxAllowed: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: MaxAllowed is the upper limit for the requests + of the container. + type: object + minAllowed: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: MinAllowed is the lower limit for the requests + of the container. + type: object name: description: Name is the name of the container. Can be "*" to apply to all containers. type: string requests: - description: Requests defines the constraints for the requests - of the container. + description: |- + Requests defines the constraints for the requests of the container. 
+ WARNING: Deprecated properties: maxAllowed: additionalProperties: @@ -131,6 +170,7 @@ spec: description: MaxReplicas is the upper limit for the number of POD replicas. Needs to be >= minReplicas. format: int32 + minimum: 1 type: integer minReplicas: description: MinReplicas is the lower limit for the number of @@ -138,8 +178,6 @@ spec: format: int32 minimum: 1 type: integer - required: - - maxReplicas type: object owner: description: |- @@ -336,6 +374,7 @@ spec: description: Name is the name of the resource. enum: - cpu + - memory type: string value: description: Value is the value of the objective @@ -530,6 +569,7 @@ spec: description: Name is the name of the resource. enum: - cpu + - memory type: string value: description: Value is the value of the objective. 
@@ -1034,17 +1074,56 @@ spec: DatadogPodAutoscalerContainerConstraints defines constraints that should always be respected for a container. If no constraints are set, it enables resource scaling for all containers without any constraints. properties: + controlledResources: + description: |- + Specifies the resources for which recommendations will be computed. + If not specified, it defaults to CPU and Memory. + If an empty list is provided, no resource will be controlled (equivalent to Enabled=false). + items: + description: ResourceName is the name identifying various + resources in a ResourceList. + type: string + type: array + controlledValues: + description: |- + Specifies whether recommendations are made to Requests and Limits (RequestsAndLimits) or Requests only (RequestsOnly). + The default is "RequestsAndLimits". + enum: + - RequestsAndLimits + - RequestsOnly + type: string enabled: description: Enabled, if false, allows one to disable resource autoscaling for the container. Defaults to true. type: boolean + maxAllowed: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: MaxAllowed is the upper limit for the requests + of the container. + type: object + minAllowed: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: MinAllowed is the lower limit for the requests + of the container. + type: object name: description: Name is the name of the container. Can be "*" to apply to all containers. type: string requests: - description: Requests defines the constraints for the requests - of the container. + description: |- + Requests defines the constraints for the requests of the container. 
+ WARNING: Deprecated properties: maxAllowed: additionalProperties: @@ -1075,6 +1154,7 @@ spec: description: MaxReplicas is the upper limit for the number of POD replicas. Needs to be >= minReplicas. format: int32 + minimum: 1 type: integer minReplicas: description: MinReplicas is the lower limit for the number of @@ -1082,8 +1162,6 @@ spec: format: int32 minimum: 1 type: integer - required: - - maxReplicas type: object fallback: default: {} @@ -1128,6 +1206,7 @@ spec: description: Name is the name of the resource. enum: - cpu + - memory type: string value: description: Value is the value of the objective @@ -1325,6 +1404,7 @@ spec: description: Name is the name of the resource. enum: - cpu + - memory type: string value: description: Value is the value of the objective. @@ -1408,6 +1488,7 @@ spec: description: Name is the name of the resource. enum: - cpu + - memory type: string value: description: Value is the value of the objective @@ -1602,6 +1683,7 @@ spec: description: Name is the name of the resource. enum: - cpu + - memory type: string value: description: Value is the value of the objective. diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index f21b19215..20d337329 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -3,6 +3,6 @@ resources: images: - name: controller newName: gcr.io/datadoghq/operator - newTag: 1.24.0 + newTag: 1.25.0-rc.1 apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization From bb829df21693e75f8f9274447f289aedbdca8485 Mon Sep 17 00:00:00 2001 
From: "dd-octo-sts[bot]" <200755185+dd-octo-sts[bot]@users.noreply.github.com> Date: Wed, 18 Mar 2026 18:16:49 +0100 Subject: [PATCH 2/5] Fix missing workqueue_* metrics in /metrics endpoint (#2772) (#2776) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 7 standard workqueue Prometheus metrics (workqueue_depth, workqueue_adds_total, workqueue_queue_duration_seconds, workqueue_work_duration_seconds, workqueue_retries_total, workqueue_unfinished_work_seconds, workqueue_longest_running_processor_seconds) were absent from the operator's /metrics endpoint. Root cause: k8s.io/kube-aggregator (imported in main.go) transitively imports k8s.io/component-base/metrics/prometheus/workqueue via k8s.io/apiserver/pkg/storageversion. That package's init() calls workqueue.SetProvider() first (sync.Once), routing all workqueue metrics to the k8s legacy Prometheus registry — not to controller-runtime's ctrlmetrics.Registry that the /metrics endpoint serves from. Fix: enable UsePriorityQueue on the controller manager. The priority queue bypasses the global SetProvider entirely and directly uses controller-runtime's internal WorkqueueMetricsProvider, which writes to ctrlmetrics.Registry. Since no custom priorities are set, all items default to priority 0 and queue behaviour is unchanged (FIFO). The only observable difference is that workqueue_depth gains an extra `priority` label (value "0"). Fixes #2771 (cherry picked from commit a312b889282f7c4b87d1b8f817a4ec7c765d75c0) Co-authored-by: Timothée Bavelier <97530782+tbavelier@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 --- cmd/main.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/cmd/main.go b/cmd/main.go index d808d8e85..384a8e72d 100644 --- a/cmd/main.go +++ b/cmd/main.go 
@@ -31,8 +31,10 @@ import ( "k8s.io/client-go/tools/leaderelection/resourcelock" "k8s.io/klog/v2" apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" + ctrlconfig "sigs.k8s.io/controller-runtime/pkg/config" ctrlzap "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/metrics/filters" @@ -289,6 +291,16 @@ func run(opts *options) error { DatadogDashboardEnabled: opts.datadogDashboardEnabled, DatadogGenericResourceEnabled: opts.datadogGenericResourceEnabled, }), + // UsePriorityQueue makes all controllers use the priority queue, which + // directly registers workqueue metrics into controller-runtime's metrics + // registry (ctrlmetrics.Registry) rather than routing them through the + // global workqueue.SetProvider() call. This is necessary because + // k8s.io/kube-aggregator (transitively via k8s.io/component-base) wins + // the sync.Once in SetProvider, routing standard workqueue metrics to the + // k8s legacy registry instead of controller-runtime's registry. + Controller: ctrlconfig.Controller{ + UsePriorityQueue: ptr.To(true), + }, }) if err != nil { return setupErrorf(setupLog, err, "Unable to start manager") From a21e39fe375f61e7ca9d0a6769a7342fdeec7098 Mon Sep 17 00:00:00 2001 
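Review bot: The comment added above `Controller: ctrlconfig.Controller{UsePriorityQueue: ptr.To(true)}` explains the metrics-registry problem but not the side effects of the switch, which applies to every controller in this manager. The commit message already says `workqueue_depth` gains a `priority` label, so dashboards and alert rules that match the old series will need to aggregate over it. If I recall controller-runtime's behaviour correctly, its default event handlers enqueue initial-list and unchanged-resync items at a lower priority once the priority queue is on, so ordering may not stay strictly FIFO; this is worth confirming against the pinned controller-runtime version. I would extend the comment with a line such as `// Side effects: workqueue_depth gains a "priority" label; confirm reconcile ordering for initial-list/resync events.` run() starts and ends outside this hunk.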
From: Merchrist <99204620+merchristK@users.noreply.github.com> Date: Thu, 19 Mar 2026 11:40:20 +0100 Subject: [PATCH 3/5] [ACTP] Add k8s remediation RBAC rules for private action runner (#2770) * Add k8s remediation RBAC rules for private action runner When the annotation `cluster-agent.datadoghq.com/private-action-runner-k8s-remediation-enabled` is set to true, extend the cluster agent RBAC with additional policy rules for deployments, pods, configmaps, and events needed for k8s remediation. Co-Authored-By: Claude Sonnet 4.5 * create new clusterrole * update rbac * revert * Add kubebuilder RBAC markers for PAR k8s remediation Co-Authored-By: Claude Sonnet 4.5 * update comment --------- Co-authored-by: Claude Sonnet 4.5 (cherry picked from commit 6a0f97696bf2e112f5414ed8a61a80272911a3e8) --- .../feature/privateactionrunner/feature.go | 15 ++++++- .../privateactionrunner/feature_test.go | 25 +++++++++++ .../feature/privateactionrunner/rbac.go | 42 +++++++++++++++++++ .../feature/privateactionrunner/rbac_test.go | 10 ++--- .../datadogagent/feature/utils/utils.go | 5 ++- .../controller/datadogagent_controller.go | 8 ++++ 6 files changed, 96 insertions(+), 9 deletions(-) diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature.go b/internal/controller/datadogagent/feature/privateactionrunner/feature.go index 60a74ed32..4496bc7df 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/feature.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/feature.go @@ -10,6 +10,7 @@ import ( "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common" @@ -47,6 +48,7 @@ type privateActionRunnerFeature struct { clusterConfig *PrivateActionRunnerConfig clusterConfigData string clusterServiceAccountName string + k8sRemediationEnabled bool } // ID returns the ID of the Feature 
@@ -105,6 +107,7 @@ func (f *privateActionRunnerFeature) Configure(dda metav1.Object, ddaSpec *v2alp } } f.clusterConfig = clusterConfig + f.k8sRemediationEnabled = featureutils.HasFeatureEnableAnnotation(dda, featureutils.ClusterAgentPrivateActionRunnerK8sRemediationEnabled) f.clusterServiceAccountName = constants.GetClusterAgentServiceAccount(dda.GetName(), ddaSpec) reqComp.ClusterAgent = feature.RequiredComponent{ @@ -171,12 +174,20 @@ func (f *privateActionRunnerFeature) ManageDependencies(managers feature.Resourc return err } + var clusterAgentPolicyRules []rbacv1.PolicyRule if f.clusterConfig.SelfEnroll { - err := managers.RBACManager().AddPolicyRules( + clusterAgentPolicyRules = append(clusterAgentPolicyRules, getClusterAgentRBACPolicyRules(f.clusterConfig.IdentitySecretName)...) + } + if f.k8sRemediationEnabled { + clusterAgentPolicyRules = append(clusterAgentPolicyRules, getK8sRemediationPolicyRules()...) + } + if len(clusterAgentPolicyRules) > 0 { + err := managers.RBACManager().AddClusterPolicyRulesByComponent( f.owner.GetNamespace(), f.getRbacResourcesName(), f.clusterServiceAccountName, - getClusterAgentRBACPolicyRules(f.clusterConfig.IdentitySecretName), + clusterAgentPolicyRules, + string(v2alpha1.ClusterAgentComponentName), ) if err != nil { return err diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go b/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go index 2ef74ab06..24028353b 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go @@ -243,6 +243,7 @@ func Test_privateActionRunnerFeature_ConfigureClusterAgent(t *testing.T) { annotations map[string]string wantClusterAgentEnabled bool wantNodeAgentEnabled bool + wantK8sRemediationEnabled bool expectedClusterConfigData string }{ { 
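Review bot: In the `ManageDependencies` hunk the self-enroll identity-secret rule is now granted through `AddClusterPolicyRulesByComponent` together with the remediation rules, where it previously went through `AddPolicyRules`. Judging by the method names and the "ClusterRole" wording on `getK8sRemediationPolicyRules`, that appears to widen the secret rule from the owner namespace to every namespace, even for deployments that never set the remediation annotation. Unless cluster scope for the secret rule is intended, I would keep it on the original call and send only the remediation rules through the cluster-scoped one, as sketched below. ManageDependencies starts and continues outside this hunk.

```go
// … unchanged: earlier dependency setup in ManageDependencies …
if f.clusterConfig.SelfEnroll {
	// Identity secret access stays on the original (namespace-scoped) call.
	if err := managers.RBACManager().AddPolicyRules(
		f.owner.GetNamespace(),
		f.getRbacResourcesName(),
		f.clusterServiceAccountName,
		getClusterAgentRBACPolicyRules(f.clusterConfig.IdentitySecretName),
	); err != nil {
		return err
	}
}
if f.k8sRemediationEnabled {
	// Only the opt-in remediation rules are granted cluster-wide.
	if err := managers.RBACManager().AddClusterPolicyRulesByComponent(
		f.owner.GetNamespace(),
		f.getRbacResourcesName(),
		f.clusterServiceAccountName,
		getK8sRemediationPolicyRules(),
		string(v2alpha1.ClusterAgentComponentName),
	); err != nil {
		return err
	}
}
```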
@@ -314,6 +315,28 @@ func Test_privateActionRunnerFeature_ConfigureClusterAgent(t *testing.T) { self_enroll: false urn: urn:dd:apps:on-prem-runner:us1:1:runner-xyz`, }, + { + name: "k8s remediation annotation enabled", + annotations: map[string]string{ + "cluster-agent.datadoghq.com/private-action-runner-enabled": "true", + "cluster-agent.datadoghq.com/private-action-runner-k8s-remediation-enabled": "true", + }, + wantClusterAgentEnabled: true, + wantNodeAgentEnabled: false, + wantK8sRemediationEnabled: true, + expectedClusterConfigData: defaultConfigData, + }, + { + name: "k8s remediation annotation disabled", + annotations: map[string]string{ + "cluster-agent.datadoghq.com/private-action-runner-enabled": "true", + "cluster-agent.datadoghq.com/private-action-runner-k8s-remediation-enabled": "false", + }, + wantClusterAgentEnabled: true, + wantNodeAgentEnabled: false, + wantK8sRemediationEnabled: false, + expectedClusterConfigData: defaultConfigData, + }, } for _, tt := range tests { @@ -345,6 +368,8 @@ func Test_privateActionRunnerFeature_ConfigureClusterAgent(t *testing.T) { } else { assert.Nil(t, parFeat.clusterConfig, "clusterConfig should be nil when not enabled") } + + assert.Equal(t, tt.wantK8sRemediationEnabled, parFeat.k8sRemediationEnabled, "k8sRemediationEnabled should match") }) } } diff --git a/internal/controller/datadogagent/feature/privateactionrunner/rbac.go b/internal/controller/datadogagent/feature/privateactionrunner/rbac.go index d5046ceca..60a617d9e 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/rbac.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/rbac.go 
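Review bot: The two new cases only assert the `k8sRemediationEnabled` flag set by `Configure`; nothing added in this file, or in the `rbac_test.go` hunks later in the patch, checks which rules reach the RBAC manager or what `getK8sRemediationPolicyRules` returns. Since that function grants write verbs through a ClusterRole, a table test pinning its exact resources and verbs (and asserting that no rule carries `delete` or touches secrets) would make any later widening visible in review. A `ManageDependencies` case with the annotation set to "false" and `SelfEnroll` off, asserting that no cluster rules are added, would cover the `len(clusterAgentPolicyRules) > 0` guard. The test function's body starts outside these hunks.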
@@ -31,3 +31,45 @@ func getClusterAgentRBACPolicyRules(identitySecretName string) []rbacv1.PolicyRu }, } } + +// getK8sRemediationPolicyRules returns the ClusterRole policy rules required for k8s remediation actions. +// The policy rules included are constrained within the maximum set the DCA could have if all features were enabled +func getK8sRemediationPolicyRules() []rbacv1.PolicyRule { + return []rbacv1.PolicyRule{ + // Read to some workload types + { + APIGroups: []string{rbac.AppsAPIGroup}, + Resources: []string{rbac.DeploymentsResource, rbac.DaemonsetsResource, rbac.StatefulsetsResource, rbac.ReplicasetsResource}, + Verbs: []string{rbac.GetVerb, rbac.ListVerb, rbac.WatchVerb}, + }, + { + APIGroups: []string{rbac.CoreAPIGroup}, + Resources: []string{rbac.PodsResource, rbac.EventsResource, rbac.ConfigMapsResource}, + Verbs: []string{rbac.GetVerb, rbac.ListVerb, rbac.WatchVerb}, + }, + // Write deployments (patch/restart) + { + APIGroups: []string{rbac.AppsAPIGroup}, + Resources: []string{rbac.DeploymentsResource}, + Verbs: []string{rbac.PatchVerb}, + }, + // Patch pods + { + APIGroups: []string{rbac.CoreAPIGroup}, + Resources: []string{rbac.PodsResource}, + Verbs: []string{rbac.PatchVerb}, + }, + // Full write access to configmaps + { + APIGroups: []string{rbac.CoreAPIGroup}, + Resources: []string{rbac.ConfigMapsResource}, + Verbs: []string{rbac.CreateVerb, rbac.UpdateVerb, rbac.PatchVerb}, + }, + // Write events + { + APIGroups: []string{rbac.CoreAPIGroup}, + Resources: []string{rbac.EventsResource}, + Verbs: []string{rbac.CreateVerb, rbac.PatchVerb}, + }, + } +} diff --git a/internal/controller/datadogagent/feature/privateactionrunner/rbac_test.go b/internal/controller/datadogagent/feature/privateactionrunner/rbac_test.go index e91f70ffd..d7e310728 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/rbac_test.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/rbac_test.go 
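Review bot: The ConfigMaps write rule in `getK8sRemediationPolicyRules` is labelled `// Full write access to configmaps`, but it lists create, update and patch without delete, and the label omits what matters most: bound through a ClusterRole, it applies to ConfigMaps in every namespace, system namespaces included. A more accurate comment would be `// Create/update/patch configmaps in all namespaces (no delete); includes system namespaces`. If remediation only ever targets known objects, `ResourceNames` or per-namespace Roles would shrink the grant, though that depends on requirements not visible here. rbac_test.go in this patch only renames the existing test, so a test pinning this rule set (exact resources and verbs, no `secrets`, no delete) would make any later widening show up in review.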
@@ -13,7 +13,7 @@ import ( "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" ) -func TestGetRBACPolicyRules(t *testing.T) { +func TestGetClusterAgentRBACPolicyRules(t *testing.T) { tests := []struct { name string identitySecretName string @@ -43,10 +43,10 @@ func TestGetRBACPolicyRules(t *testing.T) { assert.Len(t, rules, 1, "Should have exactly one policy rule") rule := rules[0] - assert.Equal(t, []string{rbac.CoreAPIGroup}, rule.APIGroups, "APIGroups should be core") - assert.Equal(t, []string{rbac.SecretsResource}, rule.Resources, "Resources should be secrets") - assert.Equal(t, []string{tt.expectedSecretName}, rule.ResourceNames, "ResourceNames should match expected secret name") - assert.ElementsMatch(t, []string{rbac.GetVerb, rbac.UpdateVerb, rbac.CreateVerb}, rule.Verbs, "Verbs should include get, update, and create") + assert.Equal(t, []string{rbac.CoreAPIGroup}, rule.APIGroups) + assert.Equal(t, []string{rbac.SecretsResource}, rule.Resources) + assert.Equal(t, []string{tt.expectedSecretName}, rule.ResourceNames) + assert.ElementsMatch(t, []string{rbac.GetVerb, rbac.UpdateVerb, rbac.CreateVerb}, rule.Verbs) }) } } diff --git a/internal/controller/datadogagent/feature/utils/utils.go b/internal/controller/datadogagent/feature/utils/utils.go index 7b121eadb..8ef5d763d 100644 --- a/internal/controller/datadogagent/feature/utils/utils.go +++ b/internal/controller/datadogagent/feature/utils/utils.go 
@@ -29,8 +29,9 @@ const ( EnablePrivateActionRunnerAnnotation = "agent.datadoghq.com/private-action-runner-enabled" PrivateActionRunnerConfigDataAnnotation = "agent.datadoghq.com/private-action-runner-configdata" - EnableClusterAgentPrivateActionRunnerAnnotation = "cluster-agent.datadoghq.com/private-action-runner-enabled" - ClusterAgentPrivateActionRunnerConfigDataAnnotation = "cluster-agent.datadoghq.com/private-action-runner-configdata" + EnableClusterAgentPrivateActionRunnerAnnotation = "cluster-agent.datadoghq.com/private-action-runner-enabled" + ClusterAgentPrivateActionRunnerConfigDataAnnotation = "cluster-agent.datadoghq.com/private-action-runner-configdata" + ClusterAgentPrivateActionRunnerK8sRemediationEnabled = "cluster-agent.datadoghq.com/private-action-runner-k8s-remediation-enabled" ) func agentSupportsRunInCoreAgent(ddaSpec *v2alpha1.DatadogAgentSpec) bool { diff --git a/internal/controller/datadogagent_controller.go b/internal/controller/datadogagent_controller.go index d986ccff6..875c8aafa 100644 --- a/internal/controller/datadogagent_controller.go +++ b/internal/controller/datadogagent_controller.go 
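Review bot: `ClusterAgentPrivateActionRunnerK8sRemediationEnabled` breaks the naming used by its neighbours, which end in `Annotation` (`EnableClusterAgentPrivateActionRunnerAnnotation`, `ClusterAgentPrivateActionRunnerConfigDataAnnotation`); `EnableClusterAgentPrivateActionRunnerK8sRemediationAnnotation` would read consistently at call sites. Unlike the other two keys, this one changes RBAC, so a one-line comment such as `// Grants the Cluster Agent cluster-wide remediation permissions when set to "true".` would help readers of the const block. The const block starts outside the hunk.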
@@ -109,6 +109,14 @@ type DatadogAgentReconciler struct { // +kubebuilder:rbac:groups=gateway.envoyproxy.io,resources=envoyextensionpolicies,verbs=get;delete;create // +kubebuilder:rbac:groups=networking.istio.io,resources=envoyfilters,verbs=get;create;delete +// Configure Private Action Runner k8s remediation +// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;statefulsets;replicasets,verbs=get;list;watch +// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=patch +// +kubebuilder:rbac:groups="",resources=pods;events;configmaps,verbs=get;list;watch +// +kubebuilder:rbac:groups="",resources=pods,verbs=patch +// +kubebuilder:rbac:groups="",resources=configmaps,verbs=create;update;patch +// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch + // OpenShift // +kubebuilder:rbac:groups=quota.openshift.io,resources=clusterresourcequotas,verbs=get;list // +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=restricted,verbs=use From 90499b6cc30ce0b5cd6b6f729a46c2fa474e790d Mon Sep 17 00:00:00 2001 From: Merchrist Kiki Date: Fri, 20 Mar 2026 12:00:45 +0100 Subject: [PATCH 4/5] merge merchristk-fix-par-self-enroll-secret-rbac-scope --- .../feature/privateactionrunner/feature.go | 21 ++++++++++++------- .../feature/privateactionrunner/rbac.go | 1 - 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature.go b/internal/controller/datadogagent/feature/privateactionrunner/feature.go index 4496bc7df..e1f9aaf00 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/feature.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/feature.go @@ -10,7 +10,6 @@ import ( "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common" 
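Review bot: These markers add pod and deployment patch plus ConfigMap create/update/patch to the operator's own generated RBAC for every install, whether or not any DatadogAgent carries the remediation annotation, and the heading `// Configure Private Action Runner k8s remediation` does not say why. If, as it appears, the operator holds them only so that Kubernetes allows it to create a ClusterRole containing the same rules, the comment should say so, for example `// Private Action Runner k8s remediation: held so the operator can grant these rules to the Cluster Agent`. That tells anyone auditing the operator's permissions which rules are pass-through and which the operator exercises itself.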
@@ -174,19 +173,27 @@ func (f *privateActionRunnerFeature) ManageDependencies(managers feature.Resourc return err } - var clusterAgentPolicyRules []rbacv1.PolicyRule if f.clusterConfig.SelfEnroll { - clusterAgentPolicyRules = append(clusterAgentPolicyRules, getClusterAgentRBACPolicyRules(f.clusterConfig.IdentitySecretName)...) + // This creates a Role (not ClusterRole) with permissions on the identity secret used during self enrollment + err := managers.RBACManager().AddPolicyRulesByComponent( + f.owner.GetNamespace(), + f.getRbacResourcesName(), + f.clusterServiceAccountName, + getClusterAgentRBACPolicyRules(f.clusterConfig.IdentitySecretName), + string(v2alpha1.ClusterAgentComponentName), + ) + if err != nil { + return err + } } + if f.k8sRemediationEnabled { - clusterAgentPolicyRules = append(clusterAgentPolicyRules, getK8sRemediationPolicyRules()...) - } - if len(clusterAgentPolicyRules) > 0 { + // This creates a ClusterRole with cluster-wide access to workload resources for k8s remediation. err := managers.RBACManager().AddClusterPolicyRulesByComponent( f.owner.GetNamespace(), f.getRbacResourcesName(), f.clusterServiceAccountName, - clusterAgentPolicyRules, + getK8sRemediationPolicyRules(), string(v2alpha1.ClusterAgentComponentName), ) if err != nil { diff --git a/internal/controller/datadogagent/feature/privateactionrunner/rbac.go b/internal/controller/datadogagent/feature/privateactionrunner/rbac.go index 60a617d9e..adbb43799 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/rbac.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/rbac.go 
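Review bot: Nothing in this patch pins the scope it fixes: the diffstat touches only feature.go and rbac.go, so a later refactor could fold the identity-secret rule back into the `AddClusterPolicyRulesByComponent` call without any test failing. A `ManageDependencies` test with `SelfEnroll` and `k8sRemediationEnabled` both set should assert that the secrets rule lands in the namespaced Role and that the ClusterRole contains no `secrets` resource. A second case with only `SelfEnroll` set should assert that no ClusterRole is produced at all. `ManageDependencies` starts and ends outside the hunk.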
@@ -16,7 +16,6 @@ const ( ) // getClusterAgentRBACPolicyRules returns the RBAC policy rules for the Private Action Runner -// This creates a Role (not ClusterRole) with permissions on the identity secret used during self enrollment func getClusterAgentRBACPolicyRules(identitySecretName string) []rbacv1.PolicyRule { if identitySecretName == "" { identitySecretName = defaultIdentitySecretName From 77771eba4d82cbd95d554b15b975db5b000d77f7 Mon Sep 17 00:00:00 2001 From: Merchrist Kiki Date: Mon, 23 Mar 2026 17:11:56 +0100 Subject: [PATCH 5/5] Fix PAR ConfigMap name for profile DDAIs Use constants.GetDDAName() instead of f.owner.GetName() when building the node/cluster-agent ConfigMap names. Profile DDAIs have a different name from the parent DDA, so the previous code produced a ConfigMap name that was never created, causing DaemonSets for those profiles to fail to start (missing ConfigMap mount). Co-Authored-By: Claude Sonnet 4.6 --- .../feature/privateactionrunner/feature.go | 4 +- .../privateactionrunner/feature_test.go | 44 +++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature.go b/internal/controller/datadogagent/feature/privateactionrunner/feature.go index e1f9aaf00..31154a7e6 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/feature.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/feature.go 
@@ -206,11 +206,11 @@ func (f *privateActionRunnerFeature) ManageDependencies(managers feature.Resourc } func (f *privateActionRunnerFeature) getConfigMapName() string { - return fmt.Sprintf("%s-privateactionrunner", f.owner.GetName()) + return fmt.Sprintf("%s-privateactionrunner", constants.GetDDAName(f.owner)) } func (f *privateActionRunnerFeature) getClusterAgentConfigMapName() string { - return fmt.Sprintf("%s-clusteragent-privateactionrunner", f.owner.GetName()) + return fmt.Sprintf("%s-clusteragent-privateactionrunner", constants.GetDDAName(f.owner)) } func (f *privateActionRunnerFeature) getRbacResourcesName() string { diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go b/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go index 24028353b..8639ce23e 100644 --- a/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go +++ b/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go 
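Review bot: `getRbacResourcesName`, visible here only as the trailing context line, is left as it was; if its body also builds the name from `f.owner.GetName()`, the RBAC objects for a profile DDAI would be named after the DDAI while both ConfigMaps now follow the parent DDA. It is worth confirming which name the Role and ClusterRole should carry and, if it is the DDA name, switching that helper to `constants.GetDDAName(f.owner)` as well. Since every profile DDAI now resolves to one ConfigMap name, a comment on `getConfigMapName` such as `// Named after the parent DDA so profile DDAIs share one ConfigMap.` would record that the sharing is intended.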
@@ -128,6 +128,50 @@ func Test_privateActionRunnerFeature_ManageNodeAgent(t *testing.T) { assert.Equal(t, "7aca0ab8a2cb083533a5552c17a50aa3", managers.AnnotationMgr.Annotations["checksum/private_action_runner-custom-config"]) } +// Test_privateActionRunnerFeature_ProfileDDAI_ConfigMapNames verifies that when PAR is +// enabled on a profile DDAI (whose name differs from the parent DDA), the ConfigMaps are +// named after the DDA (not the DDAI) so all profile DDAIs share the same ConfigMap. +func Test_privateActionRunnerFeature_ProfileDDAI_ConfigMapNames(t *testing.T) { + testScheme := runtime.NewScheme() + _ = corev1.AddToScheme(testScheme) + _ = v2alpha1.AddToScheme(testScheme) + + // Simulate a profile DDAI: name differs from parent DDA, but DDA name is in the label. + profileDDAI := &v2alpha1.DatadogAgent{ + ObjectMeta: metav1.ObjectMeta{ + Name: "compute-nodeless-200m-v2", + Namespace: "default", + Labels: map[string]string{ + apicommon.DatadogAgentNameLabelKey: "datadog-agent", + }, + Annotations: map[string]string{ + "agent.datadoghq.com/private-action-runner-enabled": "true", + "cluster-agent.datadoghq.com/private-action-runner-enabled": "true", + }, + }, + } + + f := buildPrivateActionRunnerFeature(nil) + f.Configure(profileDDAI, &v2alpha1.DatadogAgentSpec{}, nil) + + storeOptions := &store.StoreOptions{Scheme: testScheme} + resourceManagers := feature.NewResourceManagers(store.NewStore(profileDDAI, storeOptions)) + err := f.ManageDependencies(resourceManagers, "") + require.NoError(t, err) + + // Node agent ConfigMap must use the DDA name so all DDAIs share the same ConfigMap. 
+ _, found := resourceManagers.Store().Get(kubernetes.ConfigMapKind, "default", "datadog-agent-privateactionrunner") + assert.True(t, found, "node agent ConfigMap should use DDA name, not profile DDAI name") + _, wrongFound := resourceManagers.Store().Get(kubernetes.ConfigMapKind, "default", "compute-nodeless-200m-v2-privateactionrunner") + assert.False(t, wrongFound, "node agent ConfigMap must NOT use profile DDAI name") + + // Cluster agent ConfigMap must use the DDA name for the same reason. + _, caFound := resourceManagers.Store().Get(kubernetes.ConfigMapKind, "default", "datadog-agent-clusteragent-privateactionrunner") + assert.True(t, caFound, "cluster agent ConfigMap should use DDA name, not profile DDAI name") + _, caWrongFound := resourceManagers.Store().Get(kubernetes.ConfigMapKind, "default", "compute-nodeless-200m-v2-clusteragent-privateactionrunner") + assert.False(t, caWrongFound, "cluster agent ConfigMap must NOT use profile DDAI name") +} + func Test_privateActionRunnerFeature_ID(t *testing.T) { f := buildPrivateActionRunnerFeature(nil) assert.Equal(t, string(feature.PrivateActionRunnerIDType), string(f.ID()))