Allow enabling SBOM collection for host and container images (#836)

* Allow enabling SBOM collection for host and container images * small fixes and add test * actually add test * address comments --------- Co-authored-by: Celene <[email protected]>
DataDog · Nov 3, 2023 · 4aa86f5 · 4aa86f5
1 parent 806d78f
commit 4aa86f5
Show file tree

Hide file tree

Showing 11 changed files with 454 additions and 1 deletion.
diff --git a/apis/datadoghq/common/envvar.go b/apis/datadoghq/common/envvar.go
@@ -105,6 +105,11 @@ const (
 	DDRuntimeSecurityConfigNetworkEnabled             = "DD_RUNTIME_SECURITY_CONFIG_NETWORK_ENABLED"
 	DDRuntimeSecurityConfigActivityDumpEnabled        = "DD_RUNTIME_SECURITY_CONFIG_ACTIVITY_DUMP_ENABLED"
 	DDRuntimeSecurityConfigRemoteConfigurationEnabled = "DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED"
+	DDSBOMEnabled                                     = "DD_SBOM_ENABLED"
+	DDSBOMContainerImageEnabled                       = "DD_SBOM_CONTAINER_IMAGE_ENABLED"
+	DDSBOMContainerImageAnalyzers                     = "DD_SBOM_CONTAINER_IMAGE_ANALYZERS"
+	DDSBOMHostEnabled                                 = "DD_SBOM_HOST_ENABLED"
+	DDSBOMHostAnalyzers                               = "DD_SBOM_HOST_ANALYZERS"
 	DDSecretBackendCommand                            = "DD_SECRET_BACKEND_COMMAND"
 	DDSite                                            = "DD_SITE"
 	DDSystemProbeAgentEnabled                         = "DD_SYSTEM_PROBE_ENABLED"

diff --git a/apis/datadoghq/v2alpha1/datadogagent_types.go b/apis/datadoghq/v2alpha1/datadogagent_types.go
@@ -75,6 +75,8 @@ type DatadogFeatures struct {
 	OTLP *OTLPFeatureConfig `json:"otlp,omitempty"`
 	// Remote Configuration configuration.
 	RemoteConfiguration *RemoteConfigurationFeatureConfig `json:"remoteConfiguration,omitempty"`
+	// SBOM collection configuration.
+	SBOM *SBOMFeatureConfig `json:"sbom,omitempty"`
 
 	// Cluster-level features
 
@@ -317,6 +319,31 @@ type RemoteConfigurationFeatureConfig struct {
 	Enabled *bool `json:"enabled,omitempty"`
 }
 
+// SBOMFeatureConfig contains SBOM (Software Bill of Materials) collection configuration.
+// SBOM runs in the Agent.
+type SBOMFeatureConfig struct {
+	// Enable this option to activate SBOM collection.
+	// Default: false
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+
+	ContainerImage *SBOMTypeConfig `json:"containerImage,omitempty"`
+	Host           *SBOMTypeConfig `json:"host,omitempty"`
+}
+
+// SBOMTypeConfig contains configuration for a SBOM collection type.
+type SBOMTypeConfig struct {
+	// Enable this option to activate SBOM collection.
+	// Default: false
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// Analyzers to use for SBOM collection.
+	// +optional
+	// +listType=set
+	Analyzers []string `json:"analyzers,omitempty"`
+}
+
 // NPMFeatureConfig contains NPM (Network Performance Monitoring) feature configuration.
 // Network Performance Monitoring runs in the System Probe and Process Agent.
 type NPMFeatureConfig struct {

diff --git a/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go b/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go
diff --git a/apis/datadoghq/v2alpha1/zz_generated.openapi.go b/apis/datadoghq/v2alpha1/zz_generated.openapi.go
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
@@ -8359,6 +8359,39 @@ spec:
                           description: 'Enable this option to activate Remote Configuration. Default: true'
                           type: boolean
                       type: object
+                    sbom:
+                      description: SBOM collection configuration.
+                      properties:
+                        containerImage:
+                          description: SBOMTypeConfig contains configuration for a SBOM collection type.
+                          properties:
+                            analyzers:
+                              description: Analyzers to use for SBOM collection.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: set
+                            enabled:
+                              description: 'Enable this option to activate SBOM collection. Default: false'
+                              type: boolean
+                          type: object
+                        enabled:
+                          description: 'Enable this option to activate SBOM collection. Default: false'
+                          type: boolean
+                        host:
+                          description: SBOMTypeConfig contains configuration for a SBOM collection type.
+                          properties:
+                            analyzers:
+                              description: Analyzers to use for SBOM collection.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: set
+                            enabled:
+                              description: 'Enable this option to activate SBOM collection. Default: false'
+                              type: boolean
+                          type: object
+                      type: object
                     tcpQueueLength:
                       description: TCPQueueLength configuration.
                       properties:

diff --git a/config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml
@@ -15909,6 +15909,39 @@ spec:
                           description: 'Enable this option to activate Remote Configuration. Default: true'
                           type: boolean
                       type: object
+                    sbom:
+                      description: SBOM collection configuration.
+                      properties:
+                        containerImage:
+                          description: SBOMTypeConfig contains configuration for a SBOM collection type.
+                          properties:
+                            analyzers:
+                              description: Analyzers to use for SBOM collection.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: set
+                            enabled:
+                              description: 'Enable this option to activate SBOM collection. Default: false'
+                              type: boolean
+                          type: object
+                        enabled:
+                          description: 'Enable this option to activate SBOM collection. Default: false'
+                          type: boolean
+                        host:
+                          description: SBOMTypeConfig contains configuration for a SBOM collection type.
+                          properties:
+                            analyzers:
+                              description: Analyzers to use for SBOM collection.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: set
+                            enabled:
+                              description: 'Enable this option to activate SBOM collection. Default: false'
+                              type: boolean
+                          type: object
+                      type: object
                     tcpQueueLength:
                       description: TCPQueueLength configuration.
                       properties:

diff --git a/controllers/datadogagent/controller.go b/controllers/datadogagent/controller.go
@@ -55,6 +55,7 @@ import (
 	_ "github.com/DataDog/datadog-operator/controllers/datadogagent/feature/processdiscovery"
 	_ "github.com/DataDog/datadog-operator/controllers/datadogagent/feature/prometheusscrape"
 	_ "github.com/DataDog/datadog-operator/controllers/datadogagent/feature/remoteconfig"
+	_ "github.com/DataDog/datadog-operator/controllers/datadogagent/feature/sbom"
 	_ "github.com/DataDog/datadog-operator/controllers/datadogagent/feature/tcpqueuelength"
 	_ "github.com/DataDog/datadog-operator/controllers/datadogagent/feature/usm"
 )

diff --git a/controllers/datadogagent/feature/ids.go b/controllers/datadogagent/feature/ids.go
@@ -55,6 +55,8 @@ const (
 	OTLPIDType = "otlp"
 	// RemoteConfigurationIDType Remote Config feature
 	RemoteConfigurationIDType = "remote_config"
+	// SBOMIDType SBOM collection feature
+	SBOMIDType = "sbom"
 	// DummyIDType Dummy feature.
 	DummyIDType = "dummy"
 )
diff --git a/controllers/datadogagent/feature/sbom/feature.go b/controllers/datadogagent/feature/sbom/feature.go
@@ -0,0 +1,139 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package sbom
+
+import (
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/DataDog/datadog-operator/apis/datadoghq/v1alpha1"
+	"github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
+	apiutils "github.com/DataDog/datadog-operator/apis/utils"
+	"github.com/go-logr/logr"
+
+	apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
+	apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1"
+
+	"github.com/DataDog/datadog-operator/controllers/datadogagent/feature"
+)
+
+func init() {
+	err := feature.Register(feature.SBOMIDType, buildSBOMFeature)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func buildSBOMFeature(options *feature.Options) feature.Feature {
+	sbomFeature := &sbomFeature{}
+
+	if options != nil {
+		sbomFeature.logger = options.Logger
+	}
+
+	return sbomFeature
+}
+
+type sbomFeature struct {
+	owner  metav1.Object
+	logger logr.Logger
+
+	enabled                 bool
+	containerImageEnabled   bool
+	containerImageAnalyzers []string
+	hostEnabled             bool
+	hostAnalyzers           []string
+}
+
+// ID returns the ID of the Feature
+func (f *sbomFeature) ID() feature.IDType {
+	return feature.SBOMIDType
+}
+
+// Configure is used to configure the feature from a v2alpha1.DatadogAgent instance.
+func (f *sbomFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp feature.RequiredComponents) {
+	f.owner = dda
+
+	if dda.Spec.Features != nil && dda.Spec.Features.SBOM != nil && apiutils.BoolValue(dda.Spec.Features.SBOM.Enabled) {
+		f.enabled = true
+		if dda.Spec.Features.SBOM.ContainerImage != nil && apiutils.BoolValue(dda.Spec.Features.SBOM.ContainerImage.Enabled) {
+			f.containerImageEnabled = true
+			f.containerImageAnalyzers = dda.Spec.Features.SBOM.ContainerImage.Analyzers
+		}
+		if dda.Spec.Features.SBOM.Host != nil && apiutils.BoolValue(dda.Spec.Features.SBOM.Host.Enabled) {
+			f.hostEnabled = true
+			f.hostAnalyzers = dda.Spec.Features.SBOM.Host.Analyzers
+		}
+		reqComp = feature.RequiredComponents{
+			Agent: feature.RequiredComponent{
+				IsRequired: apiutils.NewBoolPointer(true),
+				Containers: []apicommonv1.AgentContainerName{
+					apicommonv1.CoreAgentContainerName,
+				},
+			},
+		}
+	}
+
+	return reqComp
+}
+
+// ConfigureV1 use to configure the feature from a v1alpha1.DatadogAgent instance.
+func (f *sbomFeature) ConfigureV1(dda *v1alpha1.DatadogAgent) (reqComp feature.RequiredComponents) {
+	return
+}
+
+// ManageDependencies allows a feature to manage its dependencies.
+// Feature's dependencies should be added in the store.
+func (f *sbomFeature) ManageDependencies(managers feature.ResourceManagers, components feature.RequiredComponents) error {
+	return nil
+}
+
+// ManageClusterAgent allows a feature to configure the ClusterAgent's corev1.PodTemplateSpec
+// It should do nothing if the feature doesn't need to configure it.
+func (f *sbomFeature) ManageClusterAgent(managers feature.PodTemplateManagers) error {
+	return nil
+}
+
+// ManageNodeAgent allows a feature to configure the Node Agent's corev1.PodTemplateSpec
+// It should do nothing if the feature doesn't need to configure it.
+func (f *sbomFeature) ManageNodeAgent(managers feature.PodTemplateManagers) error {
+	managers.EnvVar().AddEnvVar(&corev1.EnvVar{
+		Name:  apicommon.DDSBOMEnabled,
+		Value: apiutils.BoolToString(&f.enabled),
+	})
+
+	managers.EnvVar().AddEnvVar(&corev1.EnvVar{
+		Name:  apicommon.DDSBOMContainerImageEnabled,
+		Value: apiutils.BoolToString(&f.containerImageEnabled),
+	})
+	if len(f.containerImageAnalyzers) > 0 {
+		managers.EnvVar().AddEnvVar(&corev1.EnvVar{
+			Name:  apicommon.DDSBOMContainerImageAnalyzers,
+			Value: strings.Join(f.containerImageAnalyzers, " "),
+		})
+	}
+
+	managers.EnvVar().AddEnvVar(&corev1.EnvVar{
+		Name:  apicommon.DDSBOMHostEnabled,
+		Value: apiutils.BoolToString(&f.hostEnabled),
+	})
+	if len(f.hostAnalyzers) > 0 {
+		managers.EnvVar().AddEnvVar(&corev1.EnvVar{
+			Name:  apicommon.DDSBOMHostAnalyzers,
+			Value: strings.Join(f.hostAnalyzers, " "),
+		})
+	}
+
+	return nil
+}
+
+// ManageClusterChecksRunner allows a feature to configure the ClusterChecksRunner's corev1.PodTemplateSpec
+// It should do nothing if the feature doesn't need to configure it.
+func (f *sbomFeature) ManageClusterChecksRunner(managers feature.PodTemplateManagers) error {
+	return nil
+}