[CONTP-512] Add settings on sidecar to terminate on finished job

pkg/clusteragent/admission/mutate/agent_sidecar/agent_sidecar.go

@@ -16,6 +16,7 @@ import (
 	"os"
 	"slices"
 	"strconv"
+	"strings"
 
 	admiv1 "k8s.io/api/admission/v1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -177,12 +178,25 @@ func (w *Webhook) injectAgentSidecar(pod *corev1.Pod, _ string, _ dynamic.Interf
 	// highest override-priority. They only apply to the agent sidecar container.
 	for i := range pod.Spec.Containers {
 		if pod.Spec.Containers[i].Name == agentSidecarContainerName {
+			if isOwnedByJob(pod.OwnerReferences) {
+				updated, err = withEnvOverrides(&pod.Spec.Containers[i], corev1.EnvVar{
+					Name:  "DD_AUTO_EXIT_NOPROCESS_ENABLED",
+					Value: "true",
+				})
+			}
+			if err != nil {
+				log.Errorf("Failed to apply env overrides: %v", err)
+				return podUpdated, errors.New(metrics.InternalError)
+			}
+			podUpdated = podUpdated || updated
+
 			updated, err = applyProfileOverrides(&pod.Spec.Containers[i], w.profilesJSON)
 			if err != nil {
 				log.Errorf("Failed to apply profile overrides: %v", err)
 				return podUpdated, errors.New(metrics.InvalidInput)
 			}
 			podUpdated = podUpdated || updated
+
 			break
 		}
 	}
@@ -320,3 +334,13 @@ func labelSelectors(datadogConfig config.Component) (namespaceSelector, objectSe
 
 	return namespaceSelector, objectSelector
 }
+
+// isOwnedByJob returns true if the pod is owned by a Job
+func isOwnedByJob(ownerReferences []metav1.OwnerReference) bool {
+	for _, owner := range ownerReferences {
+		if strings.HasPrefix(owner.APIVersion, "batch/") && owner.Kind == "Job" {
+			return true
+		}
+	}
+	return false
+}

pkg/clusteragent/admission/mutate/agent_sidecar/agent_sidecar_test.go

@@ -139,6 +139,54 @@ func TestInjectAgentSidecar(t *testing.T) {
 				}
 			},
 		},
+		{
+			Name: "should inject sidecar if no sidecar present, no provider set, owned by Job",
+			Pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-name",
+					OwnerReferences: []metav1.OwnerReference{
+						{
+							APIVersion: "batch/v1",
+							Kind:       "Job",
+						},
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{Name: "container-name"},
+					},
+				},
+			},
+			provider:        "",
+			profilesJSON:    "[]",
+			ExpectError:     false,
+			ExpectInjection: true,
+			ExpectedPodAfterInjection: func() *corev1.Pod {
+				defaultContainer := *NewWebhook(mockConfig).getDefaultSidecarTemplate()
+				// Update envvar when pod owned by Job
+				defaultContainer.Env = append(defaultContainer.Env, corev1.EnvVar{
+					Name:  "DD_AUTO_EXIT_NOPROCESS_ENABLED",
+					Value: "true",
+				})
+				return &corev1.Pod{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "pod-name",
+						OwnerReferences: []metav1.OwnerReference{
+							{
+								APIVersion: "batch/v1",
+								Kind:       "Job",
+							},
+						},
+					},
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{Name: "container-name"},
+							defaultContainer,
+						},
+					},
+				}
+			},
+		},
 		{
 			Name: "should inject sidecar if no sidecar present, with supported provider",
 			Pod: &corev1.Pod{

releasenotes/notes/sidecar-killed-on-job-5dd6537ed1098646.yaml

@@ -0,0 +1,12 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+fixes:
+  - |
+    When the Datadog Cluster Agent injects the Datadog Agent as a sidecar
+    on a Job, the agent will now exit when the main Job completes.