From 81940b9327bdf23e32fc5afa009bca53eca82d23 Mon Sep 17 00:00:00 2001 From: Celene Date: Tue, 13 Aug 2024 10:18:37 -0400 Subject: [PATCH 1/3] [cleanup] reorganize rbac-related methods --- apis/datadoghq/v1alpha1/test/new.go | 4 +- controllers/datadogagent/common/const.go | 2 + .../{component/new.go => common/utils.go} | 15 +- controllers/datadogagent/common/volumes.go | 318 ++++++++++++++ .../datadogagent/component/agent/default.go | 412 +++++------------- .../datadogagent/component/agent/new.go | 6 +- .../datadogagent/component/agent/rbac.go | 74 ---- .../component/clusteragent/default.go | 160 ++----- .../component/clusteragent/default_test.go | 4 +- .../component/clusteragent/utils.go | 21 - .../component/clusterchecksrunner/default.go | 148 +------ controllers/datadogagent/component/utils.go | 354 +-------------- .../controller_reconcile_agent.go | 3 +- .../datadogagent/dependencies/store.go | 4 +- .../feature/enabledefault/configmap.go | 232 ++++++++++ .../feature/enabledefault/feature.go | 16 +- .../feature/enabledefault/rbac.go | 293 +++++++++++++ .../datadogagent/override/dependencies.go | 4 + .../datadogagent_controller_profiles_test.go | 5 +- 19 files changed, 1056 insertions(+), 1019 deletions(-) rename controllers/datadogagent/{component/new.go => common/utils.go} (82%) create mode 100644 controllers/datadogagent/common/volumes.go delete mode 100644 controllers/datadogagent/component/agent/rbac.go create mode 100644 controllers/datadogagent/feature/enabledefault/configmap.go create mode 100644 controllers/datadogagent/feature/enabledefault/rbac.go diff --git a/apis/datadoghq/v1alpha1/test/new.go b/apis/datadoghq/v1alpha1/test/new.go index 750098fb8..ff8d33d91 100644 --- a/apis/datadoghq/v1alpha1/test/new.go +++ b/apis/datadoghq/v1alpha1/test/new.go 
@@ -19,7 +19,7 @@ import ( commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" datadoghqv1alpha1 "github.com/DataDog/datadog-operator/apis/datadoghq/v1alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/pkg/controller/utils/comparison" "github.com/DataDog/datadog-operator/pkg/defaulting" "github.com/google/uuid" @@ -326,7 +326,7 @@ func NewDefaultedDatadogAgent(ns, name string, options *NewDatadogAgentOptions) }, { Name: apicommon.DDAPMInstrumentationInstallType, - Value: component.DefaultAgentInstallType, + Value: common.DefaultAgentInstallType, }, } } diff --git a/controllers/datadogagent/common/const.go b/controllers/datadogagent/common/const.go index f21b54d88..1d676af62 100644 --- a/controllers/datadogagent/common/const.go +++ b/controllers/datadogagent/common/const.go @@ -19,4 +19,6 @@ const ( ClusterAgentSuffix = "dca" CustomResourceDefinitionsName = "customresourcedefinitions" + + DefaultAgentInstallType = "k8s_manual" ) diff --git a/controllers/datadogagent/component/new.go b/controllers/datadogagent/common/utils.go similarity index 82% rename from controllers/datadogagent/component/new.go rename to controllers/datadogagent/common/utils.go index f14463353..a4d3a7a75 100644 --- a/controllers/datadogagent/component/new.go +++ b/controllers/datadogagent/common/utils.go @@ -3,9 +3,11 @@ // This product includes software developed at Datadog (https://www.datadoghq.com/). // Copyright 2016-present Datadog, Inc. -package component +package common import ( + "fmt" + apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" "github.com/DataDog/datadog-operator/pkg/kubernetes" 
@@ -60,3 +62,14 @@ func GetDefaultLabels(owner metav1.Object, componentKind, componentName, version return labels } + +// GetAgentVersion return the Agent version based on the DatadogAgent info +func GetAgentVersion(dda metav1.Object) string { + // TODO implement this method + return "" +} + +// GetDefaultSeccompConfigMapName returns the default seccomp configmap name based on the DatadogAgent name +func GetDefaultSeccompConfigMapName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.SystemProbeAgentSecurityConfigMapSuffixName) +} diff --git a/controllers/datadogagent/common/volumes.go b/controllers/datadogagent/common/volumes.go new file mode 100644 index 000000000..424c4df4e --- /dev/null +++ b/controllers/datadogagent/common/volumes.go 
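Review bot: `GetAgentVersion` is an exported stub whose doc comment promises the Agent version while the body is a TODO that returns `""`, so callers such as `NewDaemonset` (which passes the result through as the `version` argument, per the default.go and new.go hunks of this patch) silently get an empty version. This looks like code moved from `component/new.go` rather than introduced here, but the comment should state the actual contract until it is implemented, e.g. `// GetAgentVersion returns the Agent version based on the DatadogAgent info. Not implemented yet: it currently always returns "".` Both new doc comments should also use `returns` rather than `return` to match Go doc style.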
@@ -0,0 +1,318 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +package common + +import ( + "fmt" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" +) + +// GetVolumeForConfig return the volume that contains the agent config +func GetVolumeForConfig() corev1.Volume { + return corev1.Volume{ + Name: apicommon.ConfigVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeForConfd return the volume that contains the agent confd config files +func GetVolumeForConfd() corev1.Volume { + return corev1.Volume{ + Name: apicommon.ConfdVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeForChecksd return the volume that contains the agent confd config files +func GetVolumeForChecksd() corev1.Volume { + return corev1.Volume{ + Name: apicommon.ChecksdVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeForRmCorechecks return the volume that overwrites the corecheck directory +func GetVolumeForRmCorechecks() corev1.Volume { + return corev1.Volume{ + Name: "remove-corechecks", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeForAuth return the Volume container authentication information +func GetVolumeForAuth() corev1.Volume { + return corev1.Volume{ + Name: apicommon.AuthVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeForLogs return the Volume that should container generated logs +func GetVolumeForLogs() corev1.Volume { + return corev1.Volume{ + 
Name: apicommon.LogDatadogVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeInstallInfo return the Volume that should install-info file +func GetVolumeInstallInfo(owner metav1.Object) corev1.Volume { + return corev1.Volume{ + Name: apicommon.InstallInfoVolumeName, + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: GetInstallInfoConfigMapName(owner), + }, + }, + }, + } +} + +// GetVolumeForProc returns the volume with /proc +func GetVolumeForProc() corev1.Volume { + return corev1.Volume{ + Name: apicommon.ProcdirVolumeName, + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: apicommon.ProcdirHostPath, + }, + }, + } +} + +// GetVolumeForCgroups returns the volume that contains the cgroup directory +func GetVolumeForCgroups() corev1.Volume { + return corev1.Volume{ + Name: apicommon.CgroupsVolumeName, + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "/sys/fs/cgroup", + }, + }, + } +} + +// GetVolumeForDogstatsd returns the volume with the Dogstatsd socket +func GetVolumeForDogstatsd() corev1.Volume { + return corev1.Volume{ + Name: apicommon.DogstatsdSocketVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetInstallInfoConfigMapName return the InstallInfo config map name base on the dda name +func GetInstallInfoConfigMapName(dda metav1.Object) string { + return fmt.Sprintf("%s-install-info", dda.GetName()) +} + +// GetVolumeMountForConfig return the VolumeMount that contains the agent config +func GetVolumeMountForConfig() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.ConfigVolumeName, + MountPath: apicommon.ConfigVolumePath, + } +} + +// GetVolumeMountForConfd return the VolumeMount that contains the agent confd config files +func GetVolumeMountForConfd() 
corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.ConfdVolumeName, + MountPath: apicommon.ConfdVolumePath, + ReadOnly: true, + } +} + +// GetVolumeMountForChecksd return the VolumeMount that contains the agent checksd config files +func GetVolumeMountForChecksd() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.ChecksdVolumeName, + MountPath: apicommon.ChecksdVolumePath, + ReadOnly: true, + } +} + +// GetVolumeMountForRmCorechecks return the VolumeMount that overwrites the corechecks directory +func GetVolumeMountForRmCorechecks() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: "remove-corechecks", + MountPath: fmt.Sprintf("%s/%s", apicommon.ConfigVolumePath, "conf.d"), + } +} + +// GetVolumeMountForAuth returns the VolumeMount that contains the authentication information +func GetVolumeMountForAuth(readOnly bool) corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.AuthVolumeName, + MountPath: apicommon.AuthVolumePath, + ReadOnly: readOnly, + } +} + +// GetVolumeMountForLogs return the VolumeMount for the container generated logs +func GetVolumeMountForLogs() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.LogDatadogVolumeName, + MountPath: apicommon.LogDatadogVolumePath, + ReadOnly: false, + } +} + +// GetVolumeForTmp return the Volume use for /tmp +func GetVolumeForTmp() corev1.Volume { + return corev1.Volume{ + Name: apicommon.TmpVolumeName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeMountForTmp return the VolumeMount for /tmp +func GetVolumeMountForTmp() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.TmpVolumeName, + MountPath: apicommon.TmpVolumePath, + ReadOnly: false, + } +} + +// GetVolumeForCertificates return the Volume use to store certificates +func GetVolumeForCertificates() corev1.Volume { + return corev1.Volume{ + Name: apicommon.CertificatesVolumeName, + VolumeSource: 
corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } +} + +// GetVolumeMountForCertificates return the VolumeMount use to store certificates +func GetVolumeMountForCertificates() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.CertificatesVolumeName, + MountPath: apicommon.CertificatesVolumePath, + ReadOnly: false, + } +} + +// GetVolumeMountForInstallInfo return the VolumeMount that contains the agent install-info file +func GetVolumeMountForInstallInfo() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.InstallInfoVolumeName, + MountPath: apicommon.InstallInfoVolumePath, + SubPath: apicommon.InstallInfoVolumeSubPath, + ReadOnly: apicommon.InstallInfoVolumeReadOnly, + } +} + +// GetVolumeMountForProc returns the VolumeMount that contains /proc +func GetVolumeMountForProc() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.ProcdirVolumeName, + MountPath: apicommon.ProcdirMountPath, + ReadOnly: true, + } +} + +// GetVolumeMountForCgroups returns the VolumeMount that contains the cgroups info +func GetVolumeMountForCgroups() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.CgroupsVolumeName, + MountPath: apicommon.CgroupsMountPath, + ReadOnly: true, + } +} + +// GetVolumeMountForDogstatsdSocket returns the VolumeMount with the Dogstatsd socket +func GetVolumeMountForDogstatsdSocket(readOnly bool) corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.DogstatsdSocketVolumeName, + MountPath: apicommon.DogstatsdSocketLocalPath, + ReadOnly: readOnly, + } +} + +// GetVolumeForRuntimeSocket returns the Volume for the runtime socket +func GetVolumeForRuntimeSocket() corev1.Volume { + return corev1.Volume{ + Name: apicommon.CriSocketVolumeName, + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: apicommon.RuntimeDirVolumePath, + }, + }, + } +} + +// GetVolumeMountForRuntimeSocket returns the VolumeMount with the runtime socket +func 
GetVolumeMountForRuntimeSocket(readOnly bool) corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.CriSocketVolumeName, + MountPath: apicommon.HostCriSocketPathPrefix + apicommon.RuntimeDirVolumePath, + ReadOnly: readOnly, + } +} + +// GetVolumeMountForSecurity returns the VolumeMount for datadog-agent-security +func GetVolumeMountForSecurity() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.SeccompSecurityVolumeName, + MountPath: apicommon.SeccompSecurityVolumePath, + } +} + +// GetVolumeForSecurity returns the Volume for datadog-agent-security +func GetVolumeForSecurity(owner metav1.Object) corev1.Volume { + return corev1.Volume{ + Name: apicommon.SeccompSecurityVolumeName, + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: GetDefaultSeccompConfigMapName(owner), + }, + }, + }, + } +} + +// GetVolumeMountForSeccomp returns the VolumeMount for seccomp root +func GetVolumeMountForSeccomp() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: apicommon.SeccompRootVolumeName, + MountPath: apicommon.SeccompRootVolumePath, + } +} + +// GetVolumeForSeccomp returns the volume for seccomp root +func GetVolumeForSeccomp() corev1.Volume { + return corev1.Volume{ + Name: apicommon.SeccompRootVolumeName, + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: apicommon.SeccompRootPath, + }, + }, + } +} diff --git a/controllers/datadogagent/component/agent/default.go b/controllers/datadogagent/component/agent/default.go index 05803474a..5a4d8fc3d 100644 --- a/controllers/datadogagent/component/agent/default.go +++ b/controllers/datadogagent/component/agent/default.go 
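Review bot: `GetVolumeForCgroups` hard-codes the host path as the literal `"/sys/fs/cgroup"` while every other hostPath volume in this file (`GetVolumeForProc`, `GetVolumeForRuntimeSocket`, `GetVolumeForSeccomp`) takes its path from an `apicommon` constant; host mounts are the part of a pod spec reviewers audit most closely, so the path belongs next to `ProcdirHostPath` in `apicommon` (reuse an existing constant if one is already defined there). The same goes for the `"remove-corechecks"` name, which has to stay identical between `GetVolumeForRmCorechecks` and `GetVolumeMountForRmCorechecks` and would be safer as one shared constant. The seccomp-root hostPath is the only host mount here without `ReadOnly`; presumably the seccomp setup init container (`initSeccompSetupContainer`, mounting via `volumeMountsForSeccompSetup`) writes the profile there, and that deserves a comment on `GetVolumeMountForSeccomp` such as `// Writable on purpose: the seccomp setup init container installs the profile under the host seccomp root.` once confirmed. Finally, the doc comment on `GetVolumeForChecksd` says "confd config files" (copied from `GetVolumeForConfd`) and should read `// GetVolumeForChecksd returns the volume that contains the agent checksd files`.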
@@ -12,12 +12,13 @@ import ( edsv1alpha1 "github.com/DataDog/extendeddaemonset/api/v1alpha1" apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" - "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" + commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" + "github.com/DataDog/datadog-operator/controllers/datadogagent/object" "github.com/DataDog/datadog-operator/pkg/controller/utils" "github.com/DataDog/datadog-operator/pkg/defaulting" @@ -28,7 +29,7 @@ import ( // NewDefaultAgentDaemonset return a new default agent DaemonSet func NewDefaultAgentDaemonset(dda metav1.Object, edsOptions *ExtendedDaemonsetOptions, agentComponent feature.RequiredComponent) *appsv1.DaemonSet { - daemonset := NewDaemonset(dda, edsOptions, apicommon.DefaultAgentResourceSuffix, component.GetAgentName(dda), component.GetAgentVersion(dda), nil) + daemonset := NewDaemonset(dda, edsOptions, apicommon.DefaultAgentResourceSuffix, GetAgentName(dda), common.GetAgentVersion(dda), nil) podTemplate := NewDefaultAgentPodTemplateSpec(dda, agentComponent, daemonset.GetLabels()) daemonset.Spec.Template = *podTemplate return daemonset 
@@ -36,7 +37,7 @@ func NewDefaultAgentDaemonset(dda metav1.Object, edsOptions *ExtendedDaemonsetOp // NewDefaultAgentExtendedDaemonset return a new default agent DaemonSet func NewDefaultAgentExtendedDaemonset(dda metav1.Object, edsOptions *ExtendedDaemonsetOptions, agentComponent feature.RequiredComponent) *edsv1alpha1.ExtendedDaemonSet { - edsDaemonset := NewExtendedDaemonset(dda, edsOptions, apicommon.DefaultAgentResourceSuffix, component.GetAgentName(dda), component.GetAgentVersion(dda), nil) + edsDaemonset := NewExtendedDaemonset(dda, edsOptions, apicommon.DefaultAgentResourceSuffix, GetAgentName(dda), common.GetAgentVersion(dda), nil) edsDaemonset.Spec.Template = *NewDefaultAgentPodTemplateSpec(dda, agentComponent, edsDaemonset.GetLabels()) return edsDaemonset } @@ -86,6 +87,16 @@ func DefaultCapabilitiesForSystemProbe() []corev1.Capability { } } +// GetAgentName return the Agent name based on the DatadogAgent info +func GetAgentName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix) +} + +// GetAgentRoleName returns the name of the role for the Agent +func GetAgentRoleName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix) +} + func getDefaultServiceAccountName(dda metav1.Object) string { return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix) } 
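Review bot: In the `@@ -86,6 +87,16 @@` hunk, `GetAgentName`, `GetAgentRoleName` and the existing `getDefaultServiceAccountName` now have three byte-identical bodies (`fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix)`), which lets the resource name, the RBAC role name and the service account name drift apart unnoticed if one of them is ever edited alone. Have the derived names delegate instead: `func GetAgentRoleName(dda metav1.Object) string { return GetAgentName(dda) }` and likewise for `getDefaultServiceAccountName`; a future change to give the role its own suffix then becomes a one-line deliberate edit rather than a silent divergence. `GetAgentRoleName` is the function deleted from `component/agent/rbac.go` in this same patch, so re-adding it here is consistent, but the new doc comment should read `// GetAgentName returns the Agent name …` to match the neighbouring comments.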
@@ -94,13 +105,13 @@ func agentImage() string { return fmt.Sprintf("%s/%s:%s", apicommon.DefaultImageRegistry, apicommon.DefaultAgentImageName, defaulting.AgentLatestVersion) } -func initContainers(dda metav1.Object, requiredContainers []common.AgentContainerName) []corev1.Container { +func initContainers(dda metav1.Object, requiredContainers []commonv1.AgentContainerName) []corev1.Container { initContainers := []corev1.Container{ initVolumeContainer(), initConfigContainer(dda), } for _, containerName := range requiredContainers { - if containerName == common.SystemProbeContainerName { + if containerName == commonv1.SystemProbeContainerName { initContainers = append(initContainers, initSeccompSetupContainer()) } } @@ -110,7 +121,7 @@ func initContainers(dda metav1.Object, requiredContainers []common.AgentContaine func agentSingleContainer(dda metav1.Object) []corev1.Container { agentSingleContainer := corev1.Container{ - Name: string(common.UnprivilegedSingleAgentContainerName), + Name: string(commonv1.UnprivilegedSingleAgentContainerName), Image: agentImage(), Env: envVarsForCoreAgent(dda), VolumeMounts: volumeMountsForCoreAgent(), 
@@ -125,22 +136,22 @@ func agentSingleContainer(dda metav1.Object) []corev1.Container { return containers } -func agentOptimizedContainers(dda metav1.Object, requiredContainers []common.AgentContainerName) []corev1.Container { +func agentOptimizedContainers(dda metav1.Object, requiredContainers []commonv1.AgentContainerName) []corev1.Container { containers := []corev1.Container{coreAgentContainer(dda)} for _, containerName := range requiredContainers { switch containerName { - case common.CoreAgentContainerName: + case commonv1.CoreAgentContainerName: // Nothing to do. It's always required. - case common.TraceAgentContainerName: + case commonv1.TraceAgentContainerName: containers = append(containers, traceAgentContainer(dda)) - case common.ProcessAgentContainerName: + case commonv1.ProcessAgentContainerName: containers = append(containers, processAgentContainer(dda)) - case common.SecurityAgentContainerName: + case commonv1.SecurityAgentContainerName: containers = append(containers, securityAgentContainer(dda)) - case common.SystemProbeContainerName: + case commonv1.SystemProbeContainerName: containers = append(containers, systemProbeContainer(dda)) - case common.OtelAgent: + case commonv1.OtelAgent: containers = append(containers, otelAgentContainer(dda)) } } @@ -150,7 +161,7 @@ func agentOptimizedContainers(dda metav1.Object, requiredContainers []common.Age func coreAgentContainer(dda metav1.Object) corev1.Container { return corev1.Container{ - Name: string(common.CoreAgentContainerName), + Name: string(commonv1.CoreAgentContainerName), Image: agentImage(), Command: []string{"agent", "run"}, Env: envVarsForCoreAgent(dda), @@ -163,7 +174,7 @@ func coreAgentContainer(dda metav1.Object) corev1.Container { func traceAgentContainer(dda metav1.Object) corev1.Container { return corev1.Container{ - Name: string(common.TraceAgentContainerName), + Name: string(commonv1.TraceAgentContainerName), Image: agentImage(), Command: []string{ "trace-agent", 
@@ -177,7 +188,7 @@ func traceAgentContainer(dda metav1.Object) corev1.Container { func processAgentContainer(dda metav1.Object) corev1.Container { return corev1.Container{ - Name: string(common.ProcessAgentContainerName), + Name: string(commonv1.ProcessAgentContainerName), Image: agentImage(), Command: []string{ "process-agent", fmt.Sprintf("--config=%s", apicommon.AgentCustomConfigVolumePath), @@ -190,7 +201,7 @@ func processAgentContainer(dda metav1.Object) corev1.Container { func otelAgentContainer(dda metav1.Object) corev1.Container { return corev1.Container{ - Name: string(common.OtelAgent), + Name: string(commonv1.OtelAgent), Image: agentImage(), Command: []string{ "/otel-agent", @@ -217,7 +228,7 @@ func otelAgentContainer(dda metav1.Object) corev1.Container { func securityAgentContainer(dda metav1.Object) corev1.Container { return corev1.Container{ - Name: string(common.SecurityAgentContainerName), + Name: string(commonv1.SecurityAgentContainerName), Image: agentImage(), Command: []string{ "security-agent", @@ -230,7 +241,7 @@ func securityAgentContainer(dda metav1.Object) corev1.Container { func systemProbeContainer(dda metav1.Object) corev1.Container { return corev1.Container{ - Name: string(common.SystemProbeContainerName), + Name: string(commonv1.SystemProbeContainerName), Image: agentImage(), Command: []string{ "system-probe", @@ -350,7 +361,7 @@ func envVarsForTraceAgent(dda metav1.Object) []corev1.EnvVar { }, { Name: apicommon.DDAPMInstrumentationInstallType, - Value: component.DefaultAgentInstallType, + Value: common.DefaultAgentInstallType, }, } 
@@ -378,35 +389,35 @@ func envVarsForOtelAgent(dda metav1.Object) []corev1.EnvVar { func volumeMountsForInitConfig() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForLogs(), - component.GetVolumeMountForChecksd(), - component.GetVolumeMountForAuth(false), - component.GetVolumeMountForConfd(), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForProc(), - component.GetVolumeMountForRuntimeSocket(true), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForChecksd(), + common.GetVolumeMountForAuth(false), + common.GetVolumeMountForConfd(), + common.GetVolumeMountForConfig(), + common.GetVolumeMountForProc(), + common.GetVolumeMountForRuntimeSocket(true), } } -func volumesForAgent(dda metav1.Object, requiredContainers []common.AgentContainerName) []corev1.Volume { +func volumesForAgent(dda metav1.Object, requiredContainers []commonv1.AgentContainerName) []corev1.Volume { volumes := []corev1.Volume{ - component.GetVolumeForLogs(), - component.GetVolumeForAuth(), - component.GetVolumeInstallInfo(dda), - component.GetVolumeForChecksd(), - component.GetVolumeForConfd(), - component.GetVolumeForConfig(), - component.GetVolumeForProc(), - component.GetVolumeForCgroups(), - component.GetVolumeForDogstatsd(), - component.GetVolumeForRuntimeSocket(), + common.GetVolumeForLogs(), + common.GetVolumeForAuth(), + common.GetVolumeInstallInfo(dda), + common.GetVolumeForChecksd(), + common.GetVolumeForConfd(), + common.GetVolumeForConfig(), + common.GetVolumeForProc(), + common.GetVolumeForCgroups(), + common.GetVolumeForDogstatsd(), + common.GetVolumeForRuntimeSocket(), } for _, containerName := range requiredContainers { - if containerName == common.SystemProbeContainerName { + if containerName == commonv1.SystemProbeContainerName { sysProbeVolumes := []corev1.Volume{ - component.GetVolumeForSecurity(dda), - component.GetVolumeForSeccomp(), + common.GetVolumeForSecurity(dda), + common.GetVolumeForSeccomp(), } volumes = 
append(volumes, sysProbeVolumes...) } 
@@ -417,299 +428,92 @@ func volumesForAgent(dda metav1.Object, requiredContainers []common.AgentContain func volumeMountsForCoreAgent() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForLogs(), - component.GetVolumeMountForAuth(false), - component.GetVolumeMountForInstallInfo(), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForProc(), - component.GetVolumeMountForCgroups(), - component.GetVolumeMountForDogstatsdSocket(false), - component.GetVolumeMountForRuntimeSocket(true), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForAuth(false), + common.GetVolumeMountForInstallInfo(), + common.GetVolumeMountForConfig(), + common.GetVolumeMountForProc(), + common.GetVolumeMountForCgroups(), + common.GetVolumeMountForDogstatsdSocket(false), + common.GetVolumeMountForRuntimeSocket(true), } } func volumeMountsForTraceAgent() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForLogs(), - component.GetVolumeMountForProc(), - component.GetVolumeMountForCgroups(), - component.GetVolumeMountForAuth(true), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForDogstatsdSocket(false), - component.GetVolumeMountForRuntimeSocket(true), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForProc(), + common.GetVolumeMountForCgroups(), + common.GetVolumeMountForAuth(true), + common.GetVolumeMountForConfig(), + common.GetVolumeMountForDogstatsdSocket(false), + common.GetVolumeMountForRuntimeSocket(true), } } func volumeMountsForProcessAgent() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForLogs(), - component.GetVolumeMountForAuth(true), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForDogstatsdSocket(false), - component.GetVolumeMountForRuntimeSocket(true), - component.GetVolumeMountForProc(), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForAuth(true), + common.GetVolumeMountForConfig(), + 
common.GetVolumeMountForDogstatsdSocket(false), + common.GetVolumeMountForRuntimeSocket(true), + common.GetVolumeMountForProc(), } } func volumeMountsForSecurityAgent() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForLogs(), - component.GetVolumeMountForAuth(true), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForDogstatsdSocket(false), - component.GetVolumeMountForRuntimeSocket(true), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForAuth(true), + common.GetVolumeMountForConfig(), + common.GetVolumeMountForDogstatsdSocket(false), + common.GetVolumeMountForRuntimeSocket(true), } } func volumeMountsForSystemProbe() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForLogs(), - component.GetVolumeMountForAuth(true), - component.GetVolumeMountForConfig(), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForAuth(true), + common.GetVolumeMountForConfig(), } } func volumeMountsForSeccompSetup() []corev1.VolumeMount { return []corev1.VolumeMount{ - component.GetVolumeMountForSecurity(), - component.GetVolumeMountForSeccomp(), + common.GetVolumeMountForSecurity(), + common.GetVolumeMountForSeccomp(), } } func volumeMountsForOtelAgent() []corev1.VolumeMount { return []corev1.VolumeMount{ // TODO: add/remove volume mounts - component.GetVolumeMountForLogs(), - component.GetVolumeMountForAuth(true), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForDogstatsdSocket(false), - component.GetVolumeMountForRuntimeSocket(true), - component.GetVolumeMountForProc(), - } -} - -// DefaultSeccompConfigDataForSystemProbe returns configmap data for the default seccomp profile -func DefaultSeccompConfigDataForSystemProbe() map[string]string { - return map[string]string{ - "system-probe-seccomp.json": `{ - "defaultAction": "SCMP_ACT_ERRNO", - "syscalls": [ - { - "names": [ - "accept4", - "access", - "arch_prctl", - "bind", - "bpf", - "brk", - "capget", - "capset", - "chdir", - 
"chmod", - "clock_gettime", - "clone", - "clone3", - "close", - "connect", - "copy_file_range", - "creat", - "dup", - "dup2", - "dup3", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "execve", - "execveat", - "exit", - "exit_group", - "faccessat", - "faccessat2", - "fchmod", - "fchmodat", - "fchown", - "fchown32", - "fchownat", - "fcntl", - "fcntl64", - "flock", - "fstat", - "fstat64", - "fstatfs", - "fsync", - "futex", - "futimens", - "getcwd", - "getdents", - "getdents64", - "getegid", - "geteuid", - "getgid", - "getgroups", - "getpeername", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresgid", - "getresgid32", - "getresuid", - "getresuid32", - "getrlimit", - "getrusage", - "getsid", - "getsockname", - "getsockopt", - "gettid", - "gettimeofday", - "getuid", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "ioctl", - "ipc", - "listen", - "lseek", - "lstat", - "lstat64", - "madvise", - "memfd_create", - "mkdir", - "mkdirat", - "mmap", - "mmap2", - "mprotect", - "mremap", - "munmap", - "nanosleep", - "newfstatat", - "open", - "openat", - "openat2", - "pause", - "perf_event_open", - "pipe", - "pipe2", - "poll", - "ppoll", - "prctl", - "pread64", - "prlimit64", - "pselect6", - "read", - "readlink", - "readlinkat", - "recvfrom", - "recvmmsg", - "recvmsg", - "rename", - "renameat", - "renameat2", - "restart_syscall", - "rmdir", - "rseq", - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigqueueinfo", - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_tgsigqueueinfo", - "sched_getaffinity", - "sched_yield", - "seccomp", - "select", - "semtimedop", - "send", - "sendmmsg", - "sendmsg", - "sendto", - "set_robust_list", - "set_tid_address", - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setitimer", - "setns", - "setpgid", - "setrlimit", - "setsid", - 
"setsidaccept4", - "setsockopt", - "setuid", - "setuid32", - "sigaltstack", - "socket", - "socketcall", - "socketpair", - "stat", - "stat64", - "statfs", - "statx", - "symlinkat", - "sysinfo", - "tgkill", - "umask", - "uname", - "unlink", - "unlinkat", - "utime", - "utimensat", - "utimes", - "wait4", - "waitid", - "waitpid", - "write" - ], - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "names": [ - "setns" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 1, - "value": 1073741824, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "kill" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 1, - "value": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "allow process detection via kill", - "includes": {}, - "excludes": {} - } - ] + common.GetVolumeMountForLogs(), + common.GetVolumeMountForAuth(true), + common.GetVolumeMountForConfig(), + common.GetVolumeMountForDogstatsdSocket(false), + common.GetVolumeMountForRuntimeSocket(true), + common.GetVolumeMountForProc(), + } +} + +func GetDefaultMetadata(owner metav1.Object, componentKind, componentName, version string, selector *metav1.LabelSelector) (map[string]string, map[string]string, *metav1.LabelSelector) { + labels := common.GetDefaultLabels(owner, componentKind, componentName, version) + annotations := object.GetDefaultAnnotations(owner) + + if selector != nil { + for key, val := range selector.MatchLabels { + labels[key] = val + } + } else { + selector = &metav1.LabelSelector{ + MatchLabels: map[string]string{ + apicommon.AgentDeploymentNameLabelKey: owner.GetName(), + apicommon.AgentDeploymentComponentLabelKey: componentKind, + }, } - `, } + return labels, annotations, selector } diff --git a/controllers/datadogagent/component/agent/new.go b/controllers/datadogagent/component/agent/new.go index d0ceec4f4..2244f284f 100644 --- a/controllers/datadogagent/component/agent/new.go 
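Review bot: The new exported `GetDefaultMetadata` at the end of the `@@ -417,299 +428,92 @@` hunk has no doc comment, and it appears to duplicate the `common.GetDefaultMetadata` that `agent/new.go` now calls in this same patch (its `NewDaemonset` and `NewExtendedDaemonset` hunks); unless another caller in package `agent` uses this copy, which I cannot see from here, it should be dropped, and if it is kept it needs a comment such as `// GetDefaultMetadata returns the default labels, annotations and selector for a component owned by owner; a nil selector is replaced by one matching the owner name and component kind.` The function also writes the caller's `selector.MatchLabels` into the map returned by `common.GetDefaultLabels`, so a colliding key silently overrides the default label value; if that precedence is intended it is worth a one-line comment above the loop. Separately, the removed seccomp profile contains the entry `"setsidaccept4"`, which is not a Linux syscall name (it reads like `"setsid"` and `"accept4"` fused, both of which are already listed on their own); if the profile was moved verbatim into the new `feature/enabledefault/configmap.go`, which this chunk does not show, the entry should be cleaned up there. The enclosing file continues beyond the hunk.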
+++ b/controllers/datadogagent/component/agent/new.go @@ -8,7 +8,7 @@ package agent import ( "time" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" edsv1alpha1 "github.com/DataDog/extendeddaemonset/api/v1alpha1" appsv1 "k8s.io/api/apps/v1" @@ -18,7 +18,7 @@ import ( // NewDaemonset use to generate the skeleton of a new daemonset based on few information func NewDaemonset(owner metav1.Object, edsOptions *ExtendedDaemonsetOptions, componentKind, componentName, version string, selector *metav1.LabelSelector) *appsv1.DaemonSet { - labels, annotations, selector := component.GetDefaultMetadata(owner, componentKind, componentName, version, selector) + labels, annotations, selector := common.GetDefaultMetadata(owner, componentKind, componentName, version, selector) daemonset := &appsv1.DaemonSet{ ObjectMeta: metav1.ObjectMeta{ @@ -47,7 +47,7 @@ func NewExtendedDaemonset(owner metav1.Object, edsOptions *ExtendedDaemonsetOpti // Per https://github.com/DataDog/extendeddaemonset/blob/28a8e082cee9890ae6d925a7d6247a36c6f6ba5d/controllers/extendeddaemonsetreplicaset/controller.go#L344-L360 // Up until v0.8.2, the Datadog Operator set the selector to nil, which circumvented this case. // Until the EDS controller uses the Affinity field to get the NodeList instead of Spec.Selector, let's keep the previous behavior. - labels, annotations, _ := component.GetDefaultMetadata(owner, componentKind, componentName, version, selector) + labels, annotations, _ := common.GetDefaultMetadata(owner, componentKind, componentName, version, selector) daemonset := &edsv1alpha1.ExtendedDaemonSet{ ObjectMeta: metav1.ObjectMeta{ diff --git a/controllers/datadogagent/component/agent/rbac.go b/controllers/datadogagent/component/agent/rbac.go deleted file mode 100644 index 31b5770e3..000000000 --- a/controllers/datadogagent/component/agent/rbac.go +++ /dev/null 
@@ -1,74 +0,0 @@ -// Unless explicitly stated otherwise all files in this repository are licensed -// under the Apache License Version 2.0. -// This product includes software developed at Datadog (https://www.datadoghq.com/). -// Copyright 2016-present Datadog, Inc. - -package agent - -import ( - "fmt" - - apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" - "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" - rbacv1 "k8s.io/api/rbac/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// GetAgentRoleName returns the name of the role for the Agent -func GetAgentRoleName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix) -} - -// GetDefaultAgentClusterRolePolicyRules returns the default policy rules for the Agent cluster role -func GetDefaultAgentClusterRolePolicyRules(excludeNonResourceRules bool) []rbacv1.PolicyRule { - policyRule := []rbacv1.PolicyRule{ - getKubeletPolicyRule(), - getEndpointsPolicyRule(), - getLeaderElectionPolicyRule(), - } - - if !excludeNonResourceRules { - policyRule = append(policyRule, getMetricsEndpointPolicyRule()) - } - - return policyRule -} - -func getMetricsEndpointPolicyRule() rbacv1.PolicyRule { - return rbacv1.PolicyRule{ - NonResourceURLs: []string{ - rbac.MetricsURL, - rbac.MetricsSLIsURL, - }, - Verbs: []string{rbac.GetVerb}, - } -} - -func getKubeletPolicyRule() rbacv1.PolicyRule { - return rbacv1.PolicyRule{ - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{ - rbac.NodeMetricsResource, - rbac.NodeSpecResource, - rbac.NodeProxyResource, - rbac.NodeStats, - }, - Verbs: []string{rbac.GetVerb}, - } -} - -func getEndpointsPolicyRule() rbacv1.PolicyRule { - return rbacv1.PolicyRule{ - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{rbac.EndpointsResource}, - Verbs: []string{rbac.GetVerb}, - } -} - -func getLeaderElectionPolicyRule() rbacv1.PolicyRule { - return rbacv1.PolicyRule{ - APIGroups: 
[]string{rbac.CoordinationAPIGroup}, - Resources: []string{rbac.LeasesResource}, - Verbs: []string{rbac.GetVerb}, - } -} diff --git a/controllers/datadogagent/component/clusteragent/default.go b/controllers/datadogagent/component/clusteragent/default.go index 26775e99c..3575d2adb 100644 --- a/controllers/datadogagent/component/clusteragent/default.go +++ b/controllers/datadogagent/component/clusteragent/default.go @@ -12,7 +12,6 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" 
@@ -20,15 +19,39 @@ import ( apiutils "github.com/DataDog/datadog-operator/apis/utils" "github.com/DataDog/datadog-operator/controllers/datadogagent/common" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" "github.com/DataDog/datadog-operator/pkg/controller/utils" "github.com/DataDog/datadog-operator/pkg/defaulting" - "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" ) +// GetClusterAgentServiceName return the Cluster-Agent service name based on the DatadogAgent name +func GetClusterAgentServiceName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) +} + +// GetClusterAgentName return the Cluster-Agent name based on the DatadogAgent name +func GetClusterAgentName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) +} + +// GetClusterAgentVersion return the Cluster-Agent version based on the DatadogAgent info +func GetClusterAgentVersion(dda metav1.Object) string { + // Todo implement this function + return "" +} + +// GetClusterAgentRbacResourcesName return the Cluster-Agent RBAC resource name +func GetClusterAgentRbacResourcesName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) +} + +// GetDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName +func GetDefaultServiceAccountName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) +} + // NewDefaultClusterAgentDeployment return a new default cluster-agent deployment func NewDefaultClusterAgentDeployment(dda metav1.Object) *appsv1.Deployment { - deployment := component.NewDeployment(dda, apicommon.DefaultClusterAgentResourceSuffix, GetClusterAgentName(dda), GetClusterAgentVersion(dda), nil) + deployment := common.NewDeployment(dda, apicommon.DefaultClusterAgentResourceSuffix, 
GetClusterAgentName(dda), GetClusterAgentVersion(dda), nil) podTemplate := NewDefaultClusterAgentPodTemplateSpec(dda) for key, val := range deployment.GetLabels() { podTemplate.Labels[key] = val @@ -46,11 +69,11 @@ func NewDefaultClusterAgentDeployment(dda metav1.Object) *appsv1.Deployment { // NewDefaultClusterAgentPodTemplateSpec return a default PodTemplateSpec for the cluster-agent deployment func NewDefaultClusterAgentPodTemplateSpec(dda metav1.Object) *corev1.PodTemplateSpec { volumes := []corev1.Volume{ - component.GetVolumeInstallInfo(dda), - component.GetVolumeForConfd(), - component.GetVolumeForLogs(), - component.GetVolumeForCertificates(), - component.GetVolumeForAuth(), + common.GetVolumeInstallInfo(dda), + common.GetVolumeForConfd(), + common.GetVolumeForLogs(), + common.GetVolumeForCertificates(), + common.GetVolumeForAuth(), // /tmp is needed because some versions of the DCA (at least until // 1.19.0) write to it. @@ -59,16 +82,16 @@ func NewDefaultClusterAgentPodTemplateSpec(dda metav1.Object) *corev1.PodTemplat // In some envs like Openshift, when running as non-root, the pod will // not have permissions to write on /tmp, that's why we need to mount // it with write perms. - component.GetVolumeForTmp(), + common.GetVolumeForTmp(), } volumeMounts := []corev1.VolumeMount{ - component.GetVolumeMountForInstallInfo(), - component.GetVolumeMountForConfd(), - component.GetVolumeMountForLogs(), - component.GetVolumeMountForCertificates(), - component.GetVolumeMountForAuth(false), - component.GetVolumeMountForTmp(), + common.GetVolumeMountForInstallInfo(), + common.GetVolumeMountForConfd(), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForCertificates(), + common.GetVolumeMountForAuth(false), + common.GetVolumeMountForTmp(), } podTemplate := &corev1.PodTemplateSpec{ 
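Review bot: `GetClusterAgentVersion` is moved into this file still returning `""` under a `// Todo implement this function` comment, and the rewritten `NewDefaultClusterAgentDeployment` call in the same hunk passes that result as the version argument, so whatever label `common.NewDeployment` derives from it is always empty; either implement it on top of the existing `GetAgentVersionFromImage` in component/utils.go or make the stub honest, e.g. `// GetClusterAgentVersion returns the Cluster-Agent version; currently always "" because it is not yet derived from the image config.` The four name helpers added above it (`GetClusterAgentServiceName`, `GetClusterAgentName`, `GetClusterAgentRbacResourcesName`, `GetDefaultServiceAccountName`) all build the identical `<dda>-<DefaultClusterAgentResourceSuffix>` string, and since the ServiceAccount name is what `defaultPodSpec` puts on the pod while the RBAC name presumably names the Role/RoleBinding that must target that account, the two must not drift apart; writing `return GetClusterAgentName(dda)` in the RBAC and ServiceAccount helpers makes that invariant explicit instead of relying on four copies of the same `fmt.Sprintf`. Whether the RoleBinding subject is actually built from `GetDefaultServiceAccountName` is not visible in this diff. The body of `NewDefaultClusterAgentDeployment` continues past the end of the hunk.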
@@ -82,11 +105,6 @@ func NewDefaultClusterAgentPodTemplateSpec(dda metav1.Object) *corev1.PodTemplat return podTemplate } -// GetDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName -func GetDefaultServiceAccountName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) -} - func defaultPodSpec(dda metav1.Object, volumes []corev1.Volume, volumeMounts []corev1.VolumeMount, envVars []corev1.EnvVar) corev1.PodSpec { podSpec := corev1.PodSpec{ ServiceAccountName: GetDefaultServiceAccountName(dda), @@ -161,7 +179,7 @@ func defaultEnvVars(dda metav1.Object) []corev1.EnvVar { }, { Name: apicommon.DDAPMInstrumentationInstallType, - Value: component.DefaultAgentInstallType, + Value: common.DefaultAgentInstallType, }, { Name: apicommon.DDAuthTokenFilePath, 
@@ -194,101 +212,3 @@ func DefaultAffinity() *corev1.Affinity { }, } } - -// GetDefaultClusterAgentRolePolicyRules returns the default policy rules for the Cluster Agent -// Can be used by the Agent if the Cluster Agent is disabled -func GetDefaultClusterAgentRolePolicyRules(dda metav1.Object) []rbacv1.PolicyRule { - rules := []rbacv1.PolicyRule{} - - rules = append(rules, GetLeaderElectionPolicyRule(dda)...) - rules = append(rules, rbacv1.PolicyRule{ - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{rbac.ConfigMapsResource}, - ResourceNames: []string{ - common.DatadogClusterIDResourceName, - }, - Verbs: []string{rbac.GetVerb, rbac.UpdateVerb, rbac.CreateVerb}, - }) - return rules -} - -// GetDefaultClusterAgentClusterRolePolicyRules returns the default policy rules for the Cluster Agent -// Can be used by the Agent if the Cluster Agent is disabled -func GetDefaultClusterAgentClusterRolePolicyRules(dda metav1.Object) []rbacv1.PolicyRule { - return []rbacv1.PolicyRule{ - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{ - rbac.ServicesResource, - rbac.EventsResource, - rbac.EndpointsResource, - rbac.PodsResource, - rbac.NodesResource, - rbac.ComponentStatusesResource, - rbac.ConfigMapsResource, - rbac.NamespaceResource, - }, - Verbs: []string{ - rbac.GetVerb, - rbac.ListVerb, - rbac.WatchVerb, - }, - }, - { - APIGroups: []string{rbac.OpenShiftQuotaAPIGroup}, - Resources: []string{rbac.ClusterResourceQuotasResource}, - Verbs: []string{rbac.GetVerb, rbac.ListVerb}, - }, - { - NonResourceURLs: []string{rbac.VersionURL, rbac.HealthzURL}, - Verbs: []string{rbac.GetVerb}, - }, - { - // Horizontal Pod Autoscaling - APIGroups: []string{rbac.AutoscalingAPIGroup}, - Resources: []string{rbac.HorizontalPodAutoscalersRecource}, - Verbs: []string{rbac.ListVerb, rbac.WatchVerb}, - }, - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{rbac.NamespaceResource}, - ResourceNames: []string{ - common.KubeSystemResourceName, - }, - Verbs: 
[]string{rbac.GetVerb}, - }, - } -} - -// GetLeaderElectionPolicyRule returns the policy rules for leader election -func GetLeaderElectionPolicyRule(dda metav1.Object) []rbacv1.PolicyRule { - return []rbacv1.PolicyRule{ - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{rbac.ConfigMapsResource}, - ResourceNames: []string{ - common.DatadogLeaderElectionOldResourceName, // Kept for backward compatibility with agent <7.37.0 - utils.GetDatadogLeaderElectionResourceName(dda), - }, - Verbs: []string{rbac.GetVerb, rbac.UpdateVerb}, - }, - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{rbac.ConfigMapsResource}, - Verbs: []string{rbac.CreateVerb}, - }, - { - APIGroups: []string{rbac.CoordinationAPIGroup}, - Resources: []string{rbac.LeasesResource}, - Verbs: []string{rbac.CreateVerb}, - }, - { - APIGroups: []string{rbac.CoordinationAPIGroup}, - Resources: []string{rbac.LeasesResource}, - ResourceNames: []string{ - utils.GetDatadogLeaderElectionResourceName(dda), - }, - Verbs: []string{rbac.GetVerb, rbac.UpdateVerb}, - }, - } -} diff --git a/controllers/datadogagent/component/clusteragent/default_test.go b/controllers/datadogagent/component/clusteragent/default_test.go index 60b29e456..ab63ac539 100644 --- a/controllers/datadogagent/component/clusteragent/default_test.go +++ b/controllers/datadogagent/component/clusteragent/default_test.go @@ -8,7 +8,7 @@ import ( apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" datadoghqv2alpha1 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/pkg/defaulting" "github.com/DataDog/datadog-operator/pkg/testutils" "github.com/stretchr/testify/assert" 
@@ -225,7 +225,7 @@ func clusterAgentDefaultEnvVars(dda *datadoghqv2alpha1.DatadogAgent) []corev1.En }, { Name: "DD_INSTRUMENTATION_INSTALL_TYPE", - Value: component.DefaultAgentInstallType, + Value: common.DefaultAgentInstallType, }, { Name: "DD_INSTRUMENTATION_INSTALL_TIME", diff --git a/controllers/datadogagent/component/clusteragent/utils.go b/controllers/datadogagent/component/clusteragent/utils.go index 0fd348d87..8e37a21c6 100644 --- a/controllers/datadogagent/component/clusteragent/utils.go +++ b/controllers/datadogagent/component/clusteragent/utils.go @@ -19,27 +19,6 @@ import ( "k8s.io/apimachinery/pkg/version" ) -// GetClusterAgentServiceName return the Cluster-Agent service name based on the DatadogAgent name -func GetClusterAgentServiceName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) -} - -// GetClusterAgentName return the Cluster-Agent name based on the DatadogAgent name -func GetClusterAgentName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) -} - -// GetClusterAgentVersion return the Cluster-Agent version based on the DatadogAgent info -func GetClusterAgentVersion(dda metav1.Object) string { - // Todo implement this function - return "" -} - -// GetClusterAgentRbacResourcesName return the Cluster-Agent RBAC resource name -func GetClusterAgentRbacResourcesName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) -} - // GetClusterAgentService returns the Cluster-Agent service func GetClusterAgentService(dda metav1.Object) *corev1.Service { labels := object.GetDefaultLabels(dda, apicommon.DefaultClusterAgentResourceSuffix, GetClusterAgentVersion(dda)) diff --git a/controllers/datadogagent/component/clusterchecksrunner/default.go b/controllers/datadogagent/component/clusterchecksrunner/default.go index 883ee7b05..25e472244 100644 
--- a/controllers/datadogagent/component/clusterchecksrunner/default.go +++ b/controllers/datadogagent/component/clusterchecksrunner/default.go @@ -11,23 +11,24 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" apiutils "github.com/DataDog/datadog-operator/apis/utils" "github.com/DataDog/datadog-operator/controllers/datadogagent/common" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent" - "github.com/DataDog/datadog-operator/pkg/controller/utils" "github.com/DataDog/datadog-operator/pkg/defaulting" - "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" ) +// GetClusterChecksRunnerName return the Cluster-Checks-Runner name based on the DatadogAgent name +func GetClusterChecksRunnerName(dda metav1.Object) string { + return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix) +} + // NewDefaultClusterChecksRunnerDeployment return a new default cluster-checks-runner deployment func NewDefaultClusterChecksRunnerDeployment(dda metav1.Object) *appsv1.Deployment { - deployment := component.NewDeployment(dda, apicommon.DefaultClusterChecksRunnerResourceSuffix, component.GetClusterChecksRunnerName(dda), component.GetAgentVersion(dda), nil) + deployment := common.NewDeployment(dda, apicommon.DefaultClusterChecksRunnerResourceSuffix, GetClusterChecksRunnerName(dda), common.GetAgentVersion(dda), nil) podTemplate := NewDefaultClusterChecksRunnerPodTemplateSpec(dda) for key, val := range deployment.GetLabels() { 
@@ -47,10 +48,10 @@ func NewDefaultClusterChecksRunnerDeployment(dda metav1.Object) *appsv1.Deployme // NewDefaultClusterChecksRunnerPodTemplateSpec returns a default cluster-checks-runner for the cluster-agent deployment func NewDefaultClusterChecksRunnerPodTemplateSpec(dda metav1.Object) *corev1.PodTemplateSpec { volumes := []corev1.Volume{ - component.GetVolumeInstallInfo(dda), - component.GetVolumeForConfig(), - component.GetVolumeForRmCorechecks(), - component.GetVolumeForLogs(), + common.GetVolumeInstallInfo(dda), + common.GetVolumeForConfig(), + common.GetVolumeForRmCorechecks(), + common.GetVolumeForLogs(), // /tmp is needed because some versions of the DCA (at least until // 1.19.0) write to it. @@ -59,15 +60,15 @@ func NewDefaultClusterChecksRunnerPodTemplateSpec(dda metav1.Object) *corev1.Pod // In some envs like Openshift, when running as non-root, the pod will // not have permissions to write on /tmp, that's why we need to mount // it with write perms. - component.GetVolumeForTmp(), + common.GetVolumeForTmp(), } volumeMounts := []corev1.VolumeMount{ - component.GetVolumeMountForInstallInfo(), - component.GetVolumeMountForConfig(), - component.GetVolumeMountForLogs(), - component.GetVolumeMountForTmp(), - component.GetVolumeMountForRmCorechecks(), + common.GetVolumeMountForInstallInfo(), + common.GetVolumeMountForConfig(), + common.GetVolumeMountForLogs(), + common.GetVolumeMountForTmp(), + common.GetVolumeMountForRmCorechecks(), } template := &corev1.PodTemplateSpec{ 
@@ -81,128 +82,11 @@ func NewDefaultClusterChecksRunnerPodTemplateSpec(dda metav1.Object) *corev1.Pod return template } -// GetDefaultClusterChecksRunnerClusterRolePolicyRules returns the default Cluster Role Policy Rules for the Cluster Checks Runner -func GetDefaultClusterChecksRunnerClusterRolePolicyRules(dda metav1.Object, excludeNonResourceRules bool) []rbacv1.PolicyRule { - policyRule := []rbacv1.PolicyRule{ - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{ - rbac.ServicesResource, - rbac.EventsResource, - rbac.EndpointsResource, - rbac.PodsResource, - rbac.NodesResource, - rbac.ComponentStatusesResource, - rbac.ConfigMapsResource, - rbac.NamespaceResource, - }, - Verbs: []string{ - rbac.GetVerb, - rbac.ListVerb, - rbac.WatchVerb, - }, - }, - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{ - rbac.ConfigMapsResource, - }, - Verbs: []string{ - rbac.CreateVerb, - }, - }, - { - APIGroups: []string{rbac.CoreAPIGroup}, - Resources: []string{ - rbac.ConfigMapsResource, - }, - ResourceNames: []string{ - utils.GetDatadogLeaderElectionResourceName(dda), - }, - Verbs: []string{ - rbac.GetVerb, - rbac.UpdateVerb, - }, - }, - { - APIGroups: []string{rbac.OpenShiftQuotaAPIGroup}, - Resources: []string{ - rbac.ClusterResourceQuotasResource, - }, - Verbs: []string{ - rbac.GetVerb, - rbac.ListVerb, - }, - }, - { - NonResourceURLs: []string{ - rbac.VersionURL, - rbac.HealthzURL, - }, - Verbs: []string{ - rbac.GetVerb, - }, - }, - // Leader election that uses Leases, such as kube-controller-manager - { - APIGroups: []string{rbac.CoordinationAPIGroup}, - Resources: []string{ - rbac.LeasesResource, - }, - Verbs: []string{ - rbac.GetVerb, - rbac.ListVerb, - rbac.WatchVerb, - }, - }, - // Horizontal Pod Autoscaling - { - APIGroups: []string{rbac.AutoscalingAPIGroup}, - Resources: []string{ - rbac.HorizontalPodAutoscalersRecource, - }, - Verbs: []string{ - rbac.ListVerb, - rbac.WatchVerb, - }, - }, - { - APIGroups: []string{rbac.CoreAPIGroup}, - 
Resources: []string{ - rbac.NamespaceResource, - }, - ResourceNames: []string{ - common.KubeSystemResourceName, - }, - Verbs: []string{ - rbac.GetVerb, - }, - }, - } - - if !excludeNonResourceRules { - policyRule = append(policyRule, rbacv1.PolicyRule{ - NonResourceURLs: []string{ - rbac.MetricsURL, - rbac.MetricsSLIsURL, - }, - Verbs: []string{rbac.GetVerb}, - }) - } - - return policyRule -} - // GetDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName func GetDefaultServiceAccountName(dda metav1.Object) string { return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix) } -// GetCCRRbacResourcesName returns the Cluster Checks Runner RBAC resource name -func GetCCRRbacResourcesName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix) -} - func clusterChecksRunnerImage() string { return fmt.Sprintf("%s/%s:%s", apicommon.DefaultImageRegistry, apicommon.DefaultAgentImageName, defaulting.AgentLatestVersion) } diff --git a/controllers/datadogagent/component/utils.go b/controllers/datadogagent/component/utils.go index 2e9653a6d..08ea52f8d 100644 --- a/controllers/datadogagent/component/utils.go +++ b/controllers/datadogagent/component/utils.go 
@@ -19,7 +19,11 @@ import ( apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" + componentagent "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent" + componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent" + componentccr "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusterchecksrunner" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" + cilium "github.com/DataDog/datadog-operator/pkg/cilium/v1" "github.com/DataDog/datadog-operator/pkg/kubernetes" "github.com/DataDog/datadog-operator/pkg/utils" 
@@ -27,340 +31,8 @@ import ( const ( localServiceDefaultMinimumVersion = "1.22-0" - - DefaultAgentInstallType = "k8s_manual" ) -// GetVolumeForConfig return the volume that contains the agent config -func GetVolumeForConfig() corev1.Volume { - return corev1.Volume{ - Name: apicommon.ConfigVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeForConfd return the volume that contains the agent confd config files -func GetVolumeForConfd() corev1.Volume { - return corev1.Volume{ - Name: apicommon.ConfdVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeForChecksd return the volume that contains the agent confd config files -func GetVolumeForChecksd() corev1.Volume { - return corev1.Volume{ - Name: apicommon.ChecksdVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeForRmCorechecks return the volume that overwrites the corecheck directory -func GetVolumeForRmCorechecks() corev1.Volume { - return corev1.Volume{ - Name: "remove-corechecks", - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeForAuth return the Volume container authentication information -func GetVolumeForAuth() corev1.Volume { - return corev1.Volume{ - Name: apicommon.AuthVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeForLogs return the Volume that should container generated logs -func GetVolumeForLogs() corev1.Volume { - return corev1.Volume{ - Name: apicommon.LogDatadogVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeInstallInfo return the Volume that should install-info file -func GetVolumeInstallInfo(owner metav1.Object) corev1.Volume { - return corev1.Volume{ - Name: apicommon.InstallInfoVolumeName, - 
VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: GetInstallInfoConfigMapName(owner), - }, - }, - }, - } -} - -// GetVolumeForProc returns the volume with /proc -func GetVolumeForProc() corev1.Volume { - return corev1.Volume{ - Name: apicommon.ProcdirVolumeName, - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: apicommon.ProcdirHostPath, - }, - }, - } -} - -// GetVolumeForCgroups returns the volume that contains the cgroup directory -func GetVolumeForCgroups() corev1.Volume { - return corev1.Volume{ - Name: apicommon.CgroupsVolumeName, - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/sys/fs/cgroup", - }, - }, - } -} - -// GetVolumeForDogstatsd returns the volume with the Dogstatsd socket -func GetVolumeForDogstatsd() corev1.Volume { - return corev1.Volume{ - Name: apicommon.DogstatsdSocketVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetInstallInfoConfigMapName return the InstallInfo config map name base on the dda name -func GetInstallInfoConfigMapName(dda metav1.Object) string { - return fmt.Sprintf("%s-install-info", dda.GetName()) -} - -// GetVolumeMountForConfig return the VolumeMount that contains the agent config -func GetVolumeMountForConfig() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.ConfigVolumeName, - MountPath: apicommon.ConfigVolumePath, - } -} - -// GetVolumeMountForConfd return the VolumeMount that contains the agent confd config files -func GetVolumeMountForConfd() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.ConfdVolumeName, - MountPath: apicommon.ConfdVolumePath, - ReadOnly: true, - } -} - -// GetVolumeMountForChecksd return the VolumeMount that contains the agent checksd config files -func GetVolumeMountForChecksd() corev1.VolumeMount { - return corev1.VolumeMount{ - 
Name: apicommon.ChecksdVolumeName, - MountPath: apicommon.ChecksdVolumePath, - ReadOnly: true, - } -} - -// GetVolumeMountForRmCorechecks return the VolumeMount that overwrites the corechecks directory -func GetVolumeMountForRmCorechecks() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: "remove-corechecks", - MountPath: fmt.Sprintf("%s/%s", apicommon.ConfigVolumePath, "conf.d"), - } -} - -// GetVolumeMountForAuth returns the VolumeMount that contains the authentication information -func GetVolumeMountForAuth(readOnly bool) corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.AuthVolumeName, - MountPath: apicommon.AuthVolumePath, - ReadOnly: readOnly, - } -} - -// GetVolumeMountForLogs return the VolumeMount for the container generated logs -func GetVolumeMountForLogs() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.LogDatadogVolumeName, - MountPath: apicommon.LogDatadogVolumePath, - ReadOnly: false, - } -} - -// GetVolumeForTmp return the Volume use for /tmp -func GetVolumeForTmp() corev1.Volume { - return corev1.Volume{ - Name: apicommon.TmpVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeMountForTmp return the VolumeMount for /tmp -func GetVolumeMountForTmp() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.TmpVolumeName, - MountPath: apicommon.TmpVolumePath, - ReadOnly: false, - } -} - -// GetVolumeForCertificates return the Volume use to store certificates -func GetVolumeForCertificates() corev1.Volume { - return corev1.Volume{ - Name: apicommon.CertificatesVolumeName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } -} - -// GetVolumeMountForCertificates return the VolumeMount use to store certificates -func GetVolumeMountForCertificates() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.CertificatesVolumeName, - MountPath: apicommon.CertificatesVolumePath, - 
ReadOnly: false, - } -} - -// GetVolumeMountForInstallInfo return the VolumeMount that contains the agent install-info file -func GetVolumeMountForInstallInfo() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.InstallInfoVolumeName, - MountPath: apicommon.InstallInfoVolumePath, - SubPath: apicommon.InstallInfoVolumeSubPath, - ReadOnly: apicommon.InstallInfoVolumeReadOnly, - } -} - -// GetVolumeMountForProc returns the VolumeMount that contains /proc -func GetVolumeMountForProc() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.ProcdirVolumeName, - MountPath: apicommon.ProcdirMountPath, - ReadOnly: true, - } -} - -// GetVolumeMountForCgroups returns the VolumeMount that contains the cgroups info -func GetVolumeMountForCgroups() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.CgroupsVolumeName, - MountPath: apicommon.CgroupsMountPath, - ReadOnly: true, - } -} - -// GetVolumeMountForDogstatsdSocket returns the VolumeMount with the Dogstatsd socket -func GetVolumeMountForDogstatsdSocket(readOnly bool) corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.DogstatsdSocketVolumeName, - MountPath: apicommon.DogstatsdSocketLocalPath, - ReadOnly: readOnly, - } -} - -// GetVolumeForRuntimeSocket returns the Volume for the runtime socket -func GetVolumeForRuntimeSocket() corev1.Volume { - return corev1.Volume{ - Name: apicommon.CriSocketVolumeName, - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: apicommon.RuntimeDirVolumePath, - }, - }, - } -} - -// GetVolumeMountForRuntimeSocket returns the VolumeMount with the runtime socket -func GetVolumeMountForRuntimeSocket(readOnly bool) corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.CriSocketVolumeName, - MountPath: apicommon.HostCriSocketPathPrefix + apicommon.RuntimeDirVolumePath, - ReadOnly: readOnly, - } -} - -// GetVolumeMountForSecurity returns the VolumeMount for datadog-agent-security -func 
GetVolumeMountForSecurity() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.SeccompSecurityVolumeName, - MountPath: apicommon.SeccompSecurityVolumePath, - } -} - -// GetVolumeForSecurity returns the Volume for datadog-agent-security -func GetVolumeForSecurity(owner metav1.Object) corev1.Volume { - return corev1.Volume{ - Name: apicommon.SeccompSecurityVolumeName, - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: GetDefaultSeccompConfigMapName(owner), - }, - }, - }, - } -} - -// GetVolumeMountForSeccomp returns the VolumeMount for seccomp root -func GetVolumeMountForSeccomp() corev1.VolumeMount { - return corev1.VolumeMount{ - Name: apicommon.SeccompRootVolumeName, - MountPath: apicommon.SeccompRootVolumePath, - } -} - -// GetVolumeForSeccomp returns the volume for seccomp root -func GetVolumeForSeccomp() corev1.Volume { - return corev1.Volume{ - Name: apicommon.SeccompRootVolumeName, - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: apicommon.SeccompRootPath, - }, - }, - } -} - -// GetClusterAgentServiceName return the Cluster-Agent service name based on the DatadogAgent name -func GetClusterAgentServiceName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) -} - -// GetClusterAgentName return the Cluster-Agent name based on the DatadogAgent name -func GetClusterAgentName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) -} - -// GetClusterAgentVersion return the Cluster-Agent version based on the DatadogAgent info -func GetClusterAgentVersion(dda metav1.Object) string { - // Todo implement this function - return "" -} - -// GetAgentName return the Agent name based on the DatadogAgent info -func GetAgentName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), 
apicommon.DefaultAgentResourceSuffix) -} - -// GetAgentVersion return the Agent version based on the DatadogAgent info -func GetAgentVersion(dda metav1.Object) string { - // TODO implement this method - return "" -} - // GetAgentVersionFromImage returns the Agent version based on the AgentImageConfig func GetAgentVersionFromImage(imageConfig commonv1.AgentImageConfig) string { version := "" @@ -374,16 +46,6 @@ func GetAgentVersionFromImage(imageConfig commonv1.AgentImageConfig) string { return version } -// GetClusterChecksRunnerName return the Cluster-Checks-Runner name based on the DatadogAgent name -func GetClusterChecksRunnerName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix) -} - -// GetDefaultSeccompConfigMapName returns the default seccomp configmap name based on the DatadogAgent name -func GetDefaultSeccompConfigMapName(dda metav1.Object) string { - return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.SystemProbeAgentSecurityConfigMapSuffixName) -} - // BuildEnvVarFromSource return an *corev1.EnvVar from a Env Var name and *corev1.EnvVarSource func BuildEnvVarFromSource(name string, source *corev1.EnvVarSource) *corev1.EnvVar { return &corev1.EnvVar{ 
@@ -515,13 +177,13 @@ func GetNetworkPolicyMetadata(dda metav1.Object, componentName v2alpha1.Componen var suffix string switch componentName { case v2alpha1.NodeAgentComponentName: - policyName = GetAgentName(dda) + policyName = componentagent.GetAgentName(dda) suffix = apicommon.DefaultAgentResourceSuffix case v2alpha1.ClusterAgentComponentName: - policyName = GetClusterAgentName(dda) + policyName = componentdca.GetClusterAgentName(dda) suffix = apicommon.DefaultClusterAgentResourceSuffix case v2alpha1.ClusterChecksRunnerComponentName: - policyName = GetClusterChecksRunnerName(dda) + policyName = componentccr.GetClusterChecksRunnerName(dda) suffix = apicommon.DefaultClusterChecksRunnerResourceSuffix } podSelector = metav1.LabelSelector{ @@ -1007,7 +669,7 @@ func ingressAgent(podSelector metav1.LabelSelector, dda metav1.Object, hostNetwo ingress.FromEndpoints = []metav1.LabelSelector{ { MatchLabels: map[string]string{ - kubernetes.AppKubernetesInstanceLabelKey: GetAgentName(dda), + kubernetes.AppKubernetesInstanceLabelKey: componentagent.GetAgentName(dda), kubernetes.AppKubernetesPartOfLabelKey: fmt.Sprintf("%s-%s", dda.GetNamespace(), dda.GetName()), }, }, diff --git a/controllers/datadogagent/controller_reconcile_agent.go b/controllers/datadogagent/controller_reconcile_agent.go index 9d1ff1851..0acbbedad 100644 --- a/controllers/datadogagent/controller_reconcile_agent.go +++ b/controllers/datadogagent/controller_reconcile_agent.go @@ -14,7 +14,6 @@ import ( "github.com/DataDog/datadog-operator/apis/datadoghq/v1alpha1" datadoghqv2alpha1 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" componentagent "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/override" 
@@ -508,7 +507,7 @@ func (r *Reconciler) getValidDaemonSetNames(dsName string, providerList map[stri // getDaemonSetNameFromDatadogAgent returns the expected DS/EDS name based on // the DDA name and nodeAgent name override func getDaemonSetNameFromDatadogAgent(dda *datadoghqv2alpha1.DatadogAgent) string { - dsName := component.GetAgentName(dda) + dsName := componentagent.GetAgentName(dda) if componentOverride, ok := dda.Spec.Override[datadoghqv2alpha1.NodeAgentComponentName]; ok { if componentOverride.Name != nil && *componentOverride.Name != "" { dsName = *componentOverride.Name diff --git a/controllers/datadogagent/dependencies/store.go b/controllers/datadogagent/dependencies/store.go index 7356cefa4..9bde7f746 100644 --- a/controllers/datadogagent/dependencies/store.go +++ b/controllers/datadogagent/dependencies/store.go @@ -13,7 +13,7 @@ import ( "github.com/go-logr/logr" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" "github.com/DataDog/datadog-operator/pkg/equality" "github.com/DataDog/datadog-operator/pkg/kubernetes" @@ -107,7 +107,7 @@ func (ds *Store) AddOrUpdate(kind kubernetes.ObjectKind, obj client.Object) erro obj.GetLabels()[operatorStoreLabelKey] = "true" if ds.owner != nil { - defaultLabels := object.GetDefaultLabels(ds.owner, ds.owner.GetName(), component.GetAgentVersion(ds.owner)) + defaultLabels := object.GetDefaultLabels(ds.owner, ds.owner.GetName(), common.GetAgentVersion(ds.owner)) if len(defaultLabels) > 0 { for key, val := range defaultLabels { obj.GetLabels()[key] = val diff --git a/controllers/datadogagent/feature/enabledefault/configmap.go b/controllers/datadogagent/feature/enabledefault/configmap.go new file mode 100644 index 000000000..f5a0273aa --- /dev/null +++ b/controllers/datadogagent/feature/enabledefault/configmap.go 
@@ -0,0 +1,232 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +package enabledefault + +// DefaultSeccompConfigDataForSystemProbe returns configmap data for the default seccomp profile +func DefaultSeccompConfigDataForSystemProbe() map[string]string { + return map[string]string{ + "system-probe-seccomp.json": `{ + "defaultAction": "SCMP_ACT_ERRNO", + "syscalls": [ + { + "names": [ + "accept4", + "access", + "arch_prctl", + "bind", + "bpf", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "clock_gettime", + "clone", + "clone3", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "faccessat2", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "flock", + "fstat", + "fstat64", + "fstatfs", + "fsync", + "futex", + "futimens", + "getcwd", + "getdents", + "getdents64", + "getegid", + "geteuid", + "getgid", + "getgroups", + "getpeername", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "gettid", + "gettimeofday", + "getuid", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "ioctl", + "ipc", + "listen", + "lseek", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mkdir", + "mkdirat", + "mmap", + "mmap2", + "mprotect", + "mremap", + "munmap", + "nanosleep", + "newfstatat", + "open", + "openat", + "openat2", + "pause", + "perf_event_open", + "pipe", + 
"pipe2", + "poll", + "ppoll", + "prctl", + "pread64", + "prlimit64", + "pselect6", + "read", + "readlink", + "readlinkat", + "recvfrom", + "recvmmsg", + "recvmsg", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rseq", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_yield", + "seccomp", + "select", + "semtimedop", + "send", + "sendmmsg", + "sendmsg", + "sendto", + "set_robust_list", + "set_tid_address", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setns", + "setpgid", + "setrlimit", + "setsid", + "setsidaccept4", + "setsockopt", + "setuid", + "setuid32", + "sigaltstack", + "socket", + "socketcall", + "socketpair", + "stat", + "stat64", + "statfs", + "statx", + "symlinkat", + "sysinfo", + "tgkill", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimes", + "wait4", + "waitid", + "waitpid", + "write" + ], + "action": "SCMP_ACT_ALLOW", + "args": null + }, + { + "names": [ + "setns" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 1073741824, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "kill" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "allow process detection via kill", + "includes": {}, + "excludes": {} + } + ] + } + `, + } +} diff --git a/controllers/datadogagent/feature/enabledefault/feature.go b/controllers/datadogagent/feature/enabledefault/feature.go index 6703e6460..f7abb5178 100644 --- a/controllers/datadogagent/feature/enabledefault/feature.go +++ b/controllers/datadogagent/feature/enabledefault/feature.go 
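Review bot: The unconditional allow list in DefaultSeccompConfigDataForSystemProbe already contains `"setns"`, so the later rule that allows `setns` only when argument 1 equals 1073741824 (0x40000000, presumably a single namespace type) adds nothing — setns is permitted for any namespace type, which is probably not what the argument-filtered rule was meant to express. If the restriction is intended, drop `"setns",` from the first `names` array so the filtered rule is the only match; if unrestricted setns is actually required, the second rule is dead and should be removed rather than left documenting a restriction that does not hold. The entry `"setsidaccept4"` is not a syscall name (it reads like `setsid` and `accept4` fused, and both already appear on their own) and should be deleted; how a runtime treats an unknown name in a profile varies, so at best it is a no-op. This hunk only moves the profile into the enabledefault package, so nothing here is a regression, but it is a good moment to add a short comment above the raw string saying which container the profile is applied to and that names in the first block are allowed regardless of the argument-filtered rules that follow.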
@@ -13,10 +13,10 @@ import (
 commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1"
 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
 apiutils "github.com/DataDog/datadog-operator/apis/utils"
+ "github.com/DataDog/datadog-operator/controllers/datadogagent/common"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/component"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent"
 componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent"
- componentccr "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusterchecksrunner"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/feature"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/object"
 "github.com/DataDog/datadog-operator/pkg/controller/utils/comparison"
@@ -276,7 +276,7 @@ func (f *defaultFeature) agentDependencies(managers feature.ResourceManagers, re
 }
 // ClusterRole creation
- if err := managers.RBACManager().AddClusterPolicyRules(f.owner.GetNamespace(), agent.GetAgentRoleName(f.owner), f.agent.serviceAccountName, agent.GetDefaultAgentClusterRolePolicyRules(f.disableNonResourceRules)); err != nil {
+ if err := managers.RBACManager().AddClusterPolicyRules(f.owner.GetNamespace(), agent.GetAgentRoleName(f.owner), f.agent.serviceAccountName, getDefaultAgentClusterRolePolicyRules(f.disableNonResourceRules)); err != nil {
 errs = append(errs, err)
 }
@@ -285,9 +285,9 @@ func (f *defaultFeature) agentDependencies(managers feature.ResourceManagers, re
 for _, containerName := range requiredComponent.Containers {
 if containerName == commonv1.SystemProbeContainerName {
 errs = append(errs, managers.ConfigMapManager().AddConfigMap(
- component.GetDefaultSeccompConfigMapName(f.owner),
+ common.GetDefaultSeccompConfigMapName(f.owner),
 f.owner.GetNamespace(),
- agent.DefaultSeccompConfigDataForSystemProbe(),
+ DefaultSeccompConfigDataForSystemProbe(),
 ))
 }
 }
@@ -305,12 +305,12 @@ func (f *defaultFeature) clusterAgentDependencies(managers feature.ResourceManag
 }
 // Role Creation
- if err := managers.RBACManager().AddPolicyRulesByComponent(f.owner.GetNamespace(), componentdca.GetClusterAgentRbacResourcesName(f.owner), f.clusterAgent.serviceAccountName, componentdca.GetDefaultClusterAgentRolePolicyRules(f.owner), string(v2alpha1.ClusterAgentComponentName)); err != nil {
+ if err := managers.RBACManager().AddPolicyRulesByComponent(f.owner.GetNamespace(), componentdca.GetClusterAgentRbacResourcesName(f.owner), f.clusterAgent.serviceAccountName, getDefaultClusterAgentRolePolicyRules(f.owner), string(v2alpha1.ClusterAgentComponentName)); err != nil {
 errs = append(errs, err)
 }
 // ClusterRole creation
- if err := managers.RBACManager().AddClusterPolicyRulesByComponent(f.owner.GetNamespace(), componentdca.GetClusterAgentRbacResourcesName(f.owner), f.clusterAgent.serviceAccountName, componentdca.GetDefaultClusterAgentClusterRolePolicyRules(f.owner), string(v2alpha1.ClusterAgentComponentName)); err != nil {
+ if err := managers.RBACManager().AddClusterPolicyRulesByComponent(f.owner.GetNamespace(), componentdca.GetClusterAgentRbacResourcesName(f.owner), f.clusterAgent.serviceAccountName, getDefaultClusterAgentClusterRolePolicyRules(f.owner), string(v2alpha1.ClusterAgentComponentName)); err != nil {
 errs = append(errs, err)
 }
 }
@@ -333,7 +333,7 @@ func (f *defaultFeature) clusterChecksRunnerDependencies(managers feature.Resour
 }
 // ClusterRole creation
- if err := managers.RBACManager().AddClusterPolicyRulesByComponent(f.owner.GetNamespace(), componentccr.GetCCRRbacResourcesName(f.owner), f.clusterChecksRunner.serviceAccountName, componentccr.GetDefaultClusterChecksRunnerClusterRolePolicyRules(f.owner, f.disableNonResourceRules), string(v2alpha1.ClusterChecksRunnerComponentName)); err != nil {
+ if err := managers.RBACManager().AddClusterPolicyRulesByComponent(f.owner.GetNamespace(), getCCRRbacResourcesName(f.owner), f.clusterChecksRunner.serviceAccountName, getDefaultClusterChecksRunnerClusterRolePolicyRules(f.owner, f.disableNonResourceRules), string(v2alpha1.ClusterChecksRunnerComponentName)); err != nil {
 errs = append(errs, err)
 }
 }
@@ -406,7 +406,7 @@ func (f *defaultFeature) addDefaultCommonEnvs(managers feature.PodTemplateManage
 func buildInstallInfoConfigMap(dda metav1.Object) *corev1.ConfigMap {
 configMap := &corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
- Name: component.GetInstallInfoConfigMapName(dda),
+ Name: common.GetInstallInfoConfigMapName(dda),
 Namespace: dda.GetNamespace(),
 },
 Data: map[string]string{
diff --git a/controllers/datadogagent/feature/enabledefault/rbac.go b/controllers/datadogagent/feature/enabledefault/rbac.go
new file mode 100644
index 000000000..769b66d5d
--- /dev/null
+++ b/controllers/datadogagent/feature/enabledefault/rbac.go
@@ -0,0 +1,293 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package enabledefault
+
+import (
+ "fmt"
+
+ apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
+ "github.com/DataDog/datadog-operator/controllers/datadogagent/common"
+ "github.com/DataDog/datadog-operator/pkg/controller/utils"
+ "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac"
+
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// RBAC for Agent
+
+// getDefaultAgentClusterRolePolicyRules returns the default policy rules for the Agent cluster role
+func getDefaultAgentClusterRolePolicyRules(excludeNonResourceRules bool) []rbacv1.PolicyRule {
+ policyRule := []rbacv1.PolicyRule{
+ getKubeletPolicyRule(),
+ getEndpointsPolicyRule(),
+ getLeaderElectionPolicyRule(),
+ }
+
+ if !excludeNonResourceRules {
+ policyRule = append(policyRule, getMetricsEndpointPolicyRule())
+ }
+
+ return policyRule
+}
+
+func getMetricsEndpointPolicyRule() rbacv1.PolicyRule {
+ return rbacv1.PolicyRule{
+ NonResourceURLs: []string{
+ rbac.MetricsURL,
+ rbac.MetricsSLIsURL,
+ },
+ Verbs: []string{rbac.GetVerb},
+ }
+}
+
+func getKubeletPolicyRule() rbacv1.PolicyRule {
+ return rbacv1.PolicyRule{
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{
+ rbac.NodeMetricsResource,
+ rbac.NodeSpecResource,
+ rbac.NodeProxyResource,
+ rbac.NodeStats,
+ },
+ Verbs: []string{rbac.GetVerb},
+ }
+}
+
+func getEndpointsPolicyRule() rbacv1.PolicyRule {
+ return rbacv1.PolicyRule{
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{rbac.EndpointsResource},
+ Verbs: []string{rbac.GetVerb},
+ }
+}
+
+func getLeaderElectionPolicyRule() rbacv1.PolicyRule {
+ return rbacv1.PolicyRule{
+ APIGroups: []string{rbac.CoordinationAPIGroup},
+ Resources: []string{rbac.LeasesResource},
+ Verbs: []string{rbac.GetVerb},
+ }
+}
+
+// RBAC for Cluster Agent
+
+// getDefaultClusterAgentRolePolicyRules returns the default policy rules for the Cluster Agent
+// Can be used by the Agent if the Cluster Agent is disabled
+func getDefaultClusterAgentRolePolicyRules(dda metav1.Object) []rbacv1.PolicyRule {
+ rules := []rbacv1.PolicyRule{}
+
+ rules = append(rules, getLeaderElectionPolicyRuleDCA(dda)...)
+ rules = append(rules, rbacv1.PolicyRule{
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{rbac.ConfigMapsResource},
+ ResourceNames: []string{
+ common.DatadogClusterIDResourceName,
+ },
+ Verbs: []string{rbac.GetVerb, rbac.UpdateVerb, rbac.CreateVerb},
+ })
+ return rules
+}
+
+// getDefaultClusterAgentClusterRolePolicyRules returns the default policy rules for the Cluster Agent
+// Can be used by the Agent if the Cluster Agent is disabled
+func getDefaultClusterAgentClusterRolePolicyRules(dda metav1.Object) []rbacv1.PolicyRule {
+ return []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{
+ rbac.ServicesResource,
+ rbac.EventsResource,
+ rbac.EndpointsResource,
+ rbac.PodsResource,
+ rbac.NodesResource,
+ rbac.ComponentStatusesResource,
+ rbac.ConfigMapsResource,
+ rbac.NamespaceResource,
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ rbac.ListVerb,
+ rbac.WatchVerb,
+ },
+ },
+ {
+ APIGroups: []string{rbac.OpenShiftQuotaAPIGroup},
+ Resources: []string{rbac.ClusterResourceQuotasResource},
+ Verbs: []string{rbac.GetVerb, rbac.ListVerb},
+ },
+ {
+ NonResourceURLs: []string{rbac.VersionURL, rbac.HealthzURL},
+ Verbs: []string{rbac.GetVerb},
+ },
+ {
+ // Horizontal Pod Autoscaling
+ APIGroups: []string{rbac.AutoscalingAPIGroup},
+ Resources: []string{rbac.HorizontalPodAutoscalersRecource},
+ Verbs: []string{rbac.ListVerb, rbac.WatchVerb},
+ },
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{rbac.NamespaceResource},
+ ResourceNames: []string{
+ common.KubeSystemResourceName,
+ },
+ Verbs: []string{rbac.GetVerb},
+ },
+ }
+}
+
+// getLeaderElectionPolicyRuleDCA returns the policy rules for leader election
+func getLeaderElectionPolicyRuleDCA(dda metav1.Object) []rbacv1.PolicyRule {
+ return []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{rbac.ConfigMapsResource},
+ ResourceNames: []string{
+ common.DatadogLeaderElectionOldResourceName, // Kept for backward compatibility with agent <7.37.0
+ utils.GetDatadogLeaderElectionResourceName(dda),
+ },
+ Verbs: []string{rbac.GetVerb, rbac.UpdateVerb},
+ },
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{rbac.ConfigMapsResource},
+ Verbs: []string{rbac.CreateVerb},
+ },
+ {
+ APIGroups: []string{rbac.CoordinationAPIGroup},
+ Resources: []string{rbac.LeasesResource},
+ Verbs: []string{rbac.CreateVerb},
+ },
+ {
+ APIGroups: []string{rbac.CoordinationAPIGroup},
+ Resources: []string{rbac.LeasesResource},
+ ResourceNames: []string{
+ utils.GetDatadogLeaderElectionResourceName(dda),
+ },
+ Verbs: []string{rbac.GetVerb, rbac.UpdateVerb},
+ },
+ }
+}
+
+// RBAC for Cluster Checks Runner
+
+// getCCRRbacResourcesName returns the Cluster Checks Runner RBAC resource name
+func getCCRRbacResourcesName(dda metav1.Object) string {
+ return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix)
+}
+
+// getDefaultClusterChecksRunnerClusterRolePolicyRules returns the default Cluster Role Policy Rules for the Cluster Checks Runner
+func getDefaultClusterChecksRunnerClusterRolePolicyRules(dda metav1.Object, excludeNonResourceRules bool) []rbacv1.PolicyRule {
+ policyRule := []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{
+ rbac.ServicesResource,
+ rbac.EventsResource,
+ rbac.EndpointsResource,
+ rbac.PodsResource,
+ rbac.NodesResource,
+ rbac.ComponentStatusesResource,
+ rbac.ConfigMapsResource,
+ rbac.NamespaceResource,
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ rbac.ListVerb,
+ rbac.WatchVerb,
+ },
+ },
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{
+ rbac.ConfigMapsResource,
+ },
+ Verbs: []string{
+ rbac.CreateVerb,
+ },
+ },
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{
+ rbac.ConfigMapsResource,
+ },
+ ResourceNames: []string{
+ utils.GetDatadogLeaderElectionResourceName(dda),
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ rbac.UpdateVerb,
+ },
+ },
+ {
+ APIGroups: []string{rbac.OpenShiftQuotaAPIGroup},
+ Resources: []string{
+ rbac.ClusterResourceQuotasResource,
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ rbac.ListVerb,
+ },
+ },
+ {
+ NonResourceURLs: []string{
+ rbac.VersionURL,
+ rbac.HealthzURL,
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ },
+ },
+ // Leader election that uses Leases, such as kube-controller-manager
+ {
+ APIGroups: []string{rbac.CoordinationAPIGroup},
+ Resources: []string{
+ rbac.LeasesResource,
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ rbac.ListVerb,
+ rbac.WatchVerb,
+ },
+ },
+ // Horizontal Pod Autoscaling
+ {
+ APIGroups: []string{rbac.AutoscalingAPIGroup},
+ Resources: []string{
+ rbac.HorizontalPodAutoscalersRecource,
+ },
+ Verbs: []string{
+ rbac.ListVerb,
+ rbac.WatchVerb,
+ },
+ },
+ {
+ APIGroups: []string{rbac.CoreAPIGroup},
+ Resources: []string{
+ rbac.NamespaceResource,
+ },
+ ResourceNames: []string{
+ common.KubeSystemResourceName,
+ },
+ Verbs: []string{
+ rbac.GetVerb,
+ },
+ },
+ }
+
+ if !excludeNonResourceRules {
+ policyRule = append(policyRule, rbacv1.PolicyRule{
+ NonResourceURLs: []string{
+ rbac.MetricsURL,
+ rbac.MetricsSLIsURL,
+ },
+ Verbs: []string{rbac.GetVerb},
+ })
+ }
+
+ return policyRule
+}
diff --git a/controllers/datadogagent/override/dependencies.go b/controllers/datadogagent/override/dependencies.go
index dfaffef13..e2492e841 100644
--- a/controllers/datadogagent/override/dependencies.go
+++ b/controllers/datadogagent/override/dependencies.go
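Review bot: getDefaultClusterChecksRunnerClusterRolePolicyRules re-declares inline the same metrics NonResourceURLs rule that getDefaultAgentClusterRolePolicyRules obtains from getMetricsEndpointPolicyRule(), and its core-resources, OpenShift quota, version/healthz, HPA and kube-system rules are verbatim copies of those in getDefaultClusterAgentClusterRolePolicyRules; now that all three rule sets live in one file, the CCR tail could become `policyRule = append(policyRule, getMetricsEndpointPolicyRule())` and the shared read-only rules could come from one helper so the two cluster roles cannot drift apart. The `dda` parameter of getDefaultClusterAgentClusterRolePolicyRules is never read in its body and could be dropped (the only caller visible in this patch passes f.owner) or annotated as reserved. The CCR role grants configmap create and lease get/list/watch in a ClusterRole, whereas the equivalent Cluster Agent leader-election rules in getDefaultClusterAgentRolePolicyRules are namespaced; a comment such as `// configmap/lease rules are cluster-scoped here because the CCR has no namespaced Role; see clusterChecksRunnerDependencies` would record why the scope differs, or the rules could move to a Role if a namespaced one is acceptable. Minor: getLeaderElectionPolicyRuleDCA calls utils.GetDatadogLeaderElectionResourceName(dda) twice; hoisting it into a local makes the two ResourceNames entries obviously the same value.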
@@ -49,6 +49,8 @@ func Dependencies(logger logr.Logger, manager feature.ResourceManagers, dda *v2a
 func overrideRBAC(logger logr.Logger, manager feature.ResourceManagers, override *v2alpha1.DatadogAgentComponentOverride, component v2alpha1.ComponentName, namespace string) error {
 var errs []error
+
+ // Delete created RBACs if CreateRbac is set to false
 if override.CreateRbac != nil && !*override.CreateRbac {
 rbacManager := manager.RBACManager()
 logger.Info("Deleting RBACs for %s", component)
@@ -57,6 +59,8 @@ func overrideRBAC(logger logr.Logger, manager feature.ResourceManagers, override
 errs = append(errs, rbacManager.DeleteClusterRoleByComponent(string(component)))
 }
+
+ // Note: ServiceAccountName overrides are taken into account in the features code (out of pattern)
+
 return errors.NewAggregate(errs)
 }
diff --git a/controllers/datadogagent_controller_profiles_test.go b/controllers/datadogagent_controller_profiles_test.go
index f5d4c8746..ee1817cb0 100644
--- a/controllers/datadogagent_controller_profiles_test.go
+++ b/controllers/datadogagent_controller_profiles_test.go
@@ -18,9 +18,10 @@ import (
 "github.com/DataDog/datadog-operator/apis/datadoghq/v1alpha1"
 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
 "github.com/DataDog/datadog-operator/apis/utils"
- "github.com/DataDog/datadog-operator/controllers/datadogagent/component"
+ componentagent "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent"
 "github.com/DataDog/datadog-operator/controllers/testutils"
 "github.com/DataDog/datadog-operator/pkg/agentprofile"
+
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
 appsv1 "k8s.io/api/apps/v1"
@@ -1205,7 +1206,7 @@ func randomKubernetesObjectName() string {
 func defaultDaemonSetNamespacedName(namespace string, agent *v2alpha1.DatadogAgent) types.NamespacedName {
 return types.NamespacedName{
 Namespace: namespace,
- Name: component.GetAgentName(agent),
+ Name: componentagent.GetAgentName(agent),
 }
 }
From 01b51d4f9d0911bbb1d5a7ea20392ec4501c6ab4 Mon Sep 17 00:00:00 2001 From: Celene Date: Wed, 14 Aug 2024 07:59:43 -0400 Subject: [PATCH 2/3] separate out networks into objects --- controllers/datadogagent/common/utils.go | 59 ++++++++++++++++++ .../{utils.go => objects/network.go} | 60 +------------------ .../datadogagent/feature/apm/feature.go | 9 +-- .../feature/clusterchecks/feature.go | 24 ++++---- .../datadogagent/feature/dogstatsd/feature.go | 6 +- .../feature/enabledefault/feature.go | 11 ++-- .../feature/externalmetrics/feature.go | 23 +++---- .../feature/kubernetesstatecore/feature.go | 7 +-- .../feature/orchestratorexplorer/feature.go | 5 +- .../datadogagent/feature/otlp/feature.go | 8 +-- .../datadogagent/feature/utils/utils.go | 4 +- controllers/datadogagent/override/global.go | 6 +- 12 files changed, 111 insertions(+), 111 deletions(-) rename controllers/datadogagent/component/{utils.go => objects/network.go} (89%) diff --git a/controllers/datadogagent/common/utils.go b/controllers/datadogagent/common/utils.go index a4d3a7a75..27fc23fb6 100644 --- a/controllers/datadogagent/common/utils.go +++ b/controllers/datadogagent/common/utils.go @@ -7,13 +7,18 @@ package common import ( "fmt" + "strings" apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" + commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" "github.com/DataDog/datadog-operator/pkg/kubernetes" + "github.com/DataDog/datadog-operator/pkg/utils" appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/version" ) // NewDeployment use to generate the skeleton of a new deployment based on few information 
@@ -73,3 +78,57 @@ func GetAgentVersion(dda metav1.Object) string {
 func GetDefaultSeccompConfigMapName(dda metav1.Object) string {
 return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.SystemProbeAgentSecurityConfigMapSuffixName)
 }
+
+// GetAgentVersionFromImage returns the Agent version based on the AgentImageConfig
+func GetAgentVersionFromImage(imageConfig commonv1.AgentImageConfig) string {
+ version := ""
+ if imageConfig.Name != "" {
+ version = strings.TrimSuffix(utils.GetTagFromImageName(imageConfig.Name), "-jmx")
+ }
+ // Give priority to image Tag setting
+ if imageConfig.Tag != "" {
+ version = imageConfig.Tag
+ }
+ return version
+}
+
+// BuildEnvVarFromSource return an *corev1.EnvVar from a Env Var name and *corev1.EnvVarSource
+func BuildEnvVarFromSource(name string, source *corev1.EnvVarSource) *corev1.EnvVar {
+ return &corev1.EnvVar{
+ Name: name,
+ ValueFrom: source,
+ }
+}
+
+// BuildEnvVarFromSecret return an corev1.EnvVarSource correspond to a secret reference
+func BuildEnvVarFromSecret(name, key string) *corev1.EnvVarSource {
+ return &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: name,
+ },
+ Key: key,
+ },
+ }
+}
+
+const (
+ localServiceDefaultMinimumVersion = "1.22-0"
+)
+
+// GetAgentLocalServiceSelector creates the selector to be used for the agent local service
+func GetAgentLocalServiceSelector(dda metav1.Object) map[string]string {
+ return map[string]string{
+ kubernetes.AppKubernetesPartOfLabelKey: object.NewPartOfLabelValue(dda).String(),
+ apicommon.AgentDeploymentComponentLabelKey: apicommon.DefaultAgentResourceSuffix,
+ }
+}
+
+// ShouldCreateAgentLocalService returns whether the node agent local service should be created based on the Kubernetes version
+func ShouldCreateAgentLocalService(versionInfo *version.Info, forceEnableLocalService bool) bool {
+ if versionInfo == nil || versionInfo.GitVersion == "" {
+ return false
+ }
+ // Service Internal Traffic Policy is enabled by default since 1.22
+ return utils.IsAboveMinVersion(versionInfo.GitVersion, localServiceDefaultMinimumVersion) || forceEnableLocalService
+}
diff --git a/controllers/datadogagent/component/utils.go b/controllers/datadogagent/component/objects/network.go
similarity index 89%
rename from controllers/datadogagent/component/utils.go
rename to controllers/datadogagent/component/objects/network.go
index 08ea52f8d..f366f514f 100644
--- a/controllers/datadogagent/component/utils.go
+++ b/controllers/datadogagent/component/objects/network.go
@@ -3,21 +3,18 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
-package component
+package objects
 import (
 "fmt"
 "strconv"
 "strings"
- corev1 "k8s.io/api/core/v1"
 netv1 "k8s.io/api/networking/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
- "k8s.io/apimachinery/pkg/version"
 apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
- commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1"
 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
 componentagent "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent"
 componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent"
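Review bot: GetAgentVersionFromImage strips a `-jmx` suffix from the tag derived from imageConfig.Name but returns imageConfig.Tag verbatim, so a Tag of the form `X.Y.Z-jmx` yields a different version string than the same tag supplied through Name; if the trimming is intentional it should presumably apply to both paths, `version = strings.TrimSuffix(imageConfig.Tag, "-jmx")`, unless some caller depends on the raw tag — worth confirming, since the function is moved here unchanged. The `const ( localServiceDefaultMinimumVersion = "1.22-0" )` block sits between two functions; moving it to the top of the file, or placing it directly above ShouldCreateAgentLocalService with a comment like `// minimum Kubernetes version (semver range form) at which ServiceInternalTrafficPolicy is enabled by default`, would match the rest of the package. ShouldCreateAgentLocalService returns false for a nil or empty GitVersion even when forceEnableLocalService is true; if that precedence is deliberate, the doc comment should say so, since the parameter name suggests the opposite.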
@@ -26,46 +23,8 @@ import ( cilium "github.com/DataDog/datadog-operator/pkg/cilium/v1" "github.com/DataDog/datadog-operator/pkg/kubernetes" - "github.com/DataDog/datadog-operator/pkg/utils" ) -const ( - localServiceDefaultMinimumVersion = "1.22-0" -) - -// GetAgentVersionFromImage returns the Agent version based on the AgentImageConfig -func GetAgentVersionFromImage(imageConfig commonv1.AgentImageConfig) string { - version := "" - if imageConfig.Name != "" { - version = strings.TrimSuffix(utils.GetTagFromImageName(imageConfig.Name), "-jmx") - } - // Give priority to image Tag setting - if imageConfig.Tag != "" { - version = imageConfig.Tag - } - return version -} - -// BuildEnvVarFromSource return an *corev1.EnvVar from a Env Var name and *corev1.EnvVarSource -func BuildEnvVarFromSource(name string, source *corev1.EnvVarSource) *corev1.EnvVar { - return &corev1.EnvVar{ - Name: name, - ValueFrom: source, - } -} - -// BuildEnvVarFromSecret return an corev1.EnvVarSource correspond to a secret reference -func BuildEnvVarFromSecret(name, key string) *corev1.EnvVarSource { - return &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: name, - }, - Key: key, - }, - } -} - // BuildKubernetesNetworkPolicy creates the base node agent kubernetes network policy func BuildKubernetesNetworkPolicy(dda metav1.Object, componentName v2alpha1.ComponentName) (string, string, metav1.LabelSelector, []netv1.PolicyType, []netv1.NetworkPolicyIngressRule, []netv1.NetworkPolicyEgressRule) { policyName, podSelector := GetNetworkPolicyMetadata(dda, componentName) 
@@ -215,23 +174,6 @@ func dcaServicePort() netv1.NetworkPolicyPort { } } -// GetAgentLocalServiceSelector creates the selector to be used for the agent local service -func GetAgentLocalServiceSelector(dda metav1.Object) map[string]string { - return map[string]string{ - kubernetes.AppKubernetesPartOfLabelKey: object.NewPartOfLabelValue(dda).String(), - apicommon.AgentDeploymentComponentLabelKey: apicommon.DefaultAgentResourceSuffix, - } -} - -// ShouldCreateAgentLocalService returns whether the node agent local service should be created based on the Kubernetes version -func ShouldCreateAgentLocalService(versionInfo *version.Info, forceEnableLocalService bool) bool { - if versionInfo == nil || versionInfo.GitVersion == "" { - return false - } - // Service Internal Traffic Policy is enabled by default since 1.22 - return utils.IsAboveMinVersion(versionInfo.GitVersion, localServiceDefaultMinimumVersion) || forceEnableLocalService -} - // BuildCiliumPolicy creates the base node agent, DCA, or CCR cilium network policy func BuildCiliumPolicy(dda metav1.Object, site string, ddURL string, hostNetwork bool, dnsSelectorEndpoints []metav1.LabelSelector, componentName v2alpha1.ComponentName) (string, string, []cilium.NetworkPolicySpec) { policyName, podSelector := GetNetworkPolicyMetadata(dda, componentName) diff --git a/controllers/datadogagent/feature/apm/feature.go b/controllers/datadogagent/feature/apm/feature.go index 6da891b35..292f58f83 100644 --- a/controllers/datadogagent/feature/apm/feature.go +++ b/controllers/datadogagent/feature/apm/feature.go 
@@ -20,7 +20,8 @@ import ( apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" + "github.com/DataDog/datadog-operator/controllers/datadogagent/component/objects" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/merger" "github.com/DataDog/datadog-operator/controllers/datadogagent/object/volume" @@ -169,7 +170,7 @@ func (f *apmFeature) shouldEnableLanguageDetection() bool { // Feature's dependencies should be added in the store. func (f *apmFeature) ManageDependencies(managers feature.ResourceManagers, components feature.RequiredComponents) error { // agent local service - if component.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { + if common.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { apmPort := &corev1.ServicePort{ Protocol: corev1.ProtocolTCP, TargetPort: intstr.FromInt(int(apicommon.DefaultApmPort)), 
@@ -185,14 +186,14 @@ func (f *apmFeature) ManageDependencies(managers feature.ResourceManagers, compo } serviceInternalTrafficPolicy := corev1.ServiceInternalTrafficPolicyLocal - if err := managers.ServiceManager().AddService(f.localServiceName, f.owner.GetNamespace(), component.GetAgentLocalServiceSelector(f.owner), []corev1.ServicePort{*apmPort}, &serviceInternalTrafficPolicy); err != nil { + if err := managers.ServiceManager().AddService(f.localServiceName, f.owner.GetNamespace(), common.GetAgentLocalServiceSelector(f.owner), []corev1.ServicePort{*apmPort}, &serviceInternalTrafficPolicy); err != nil { return err } } // network policies if f.hostPortEnabled { - policyName, podSelector := component.GetNetworkPolicyMetadata(f.owner, v2alpha1.NodeAgentComponentName) + policyName, podSelector := objects.GetNetworkPolicyMetadata(f.owner, v2alpha1.NodeAgentComponentName) if f.createKubernetesNetworkPolicy { protocolTCP := corev1.ProtocolTCP ingressRules := []netv1.NetworkPolicyIngressRule{ diff --git a/controllers/datadogagent/feature/clusterchecks/feature.go b/controllers/datadogagent/feature/clusterchecks/feature.go index f953af14e..b6082b38d 100644 --- a/controllers/datadogagent/feature/clusterchecks/feature.go +++ b/controllers/datadogagent/feature/clusterchecks/feature.go 
@@ -7,10 +7,10 @@ package clusterchecks import ( apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" - "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" + commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/component/objects" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" cilium "github.com/DataDog/datadog-operator/pkg/cilium/v1" @@ -81,8 +81,8 @@ func (f *clusterChecksFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp fe } func (f *clusterChecksFeature) ManageDependencies(managers feature.ResourceManagers, components feature.RequiredComponents) error { - policyName, podSelector := component.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterAgentComponentName) - _, ccrPodSelector := component.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterChecksRunnerComponentName) + policyName, podSelector := objects.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterAgentComponentName) + _, ccrPodSelector := objects.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterChecksRunnerComponentName) if f.createKubernetesNetworkPolicy { ingressRules := []netv1.NetworkPolicyIngressRule{ { @@ -139,7 +139,7 @@ func (f *clusterChecksFeature) ManageDependencies(managers feature.ResourceManag func (f *clusterChecksFeature) ManageClusterAgent(managers feature.PodTemplateManagers) error { managers.EnvVar().AddEnvVarToContainer( - common.ClusterAgentContainerName, + commonv1.ClusterAgentContainerName, &corev1.EnvVar{ Name: apicommon.DDClusterChecksEnabled, Value: "true", 
@@ -147,7 +147,7 @@ func (f *clusterChecksFeature) ManageClusterAgent(managers feature.PodTemplateMa ) managers.EnvVar().AddEnvVarToContainer( - common.ClusterAgentContainerName, + commonv1.ClusterAgentContainerName, &corev1.EnvVar{ Name: apicommon.DDExtraConfigProviders, Value: apicommon.KubeServicesAndEndpointsConfigProviders, @@ -155,7 +155,7 @@ func (f *clusterChecksFeature) ManageClusterAgent(managers feature.PodTemplateMa ) managers.EnvVar().AddEnvVarToContainer( - common.ClusterAgentContainerName, + commonv1.ClusterAgentContainerName, &corev1.EnvVar{ Name: apicommon.DDExtraListeners, Value: apicommon.KubeServicesAndEndpointsListeners, @@ -173,16 +173,16 @@ func (f *clusterChecksFeature) ManageClusterAgent(managers feature.PodTemplateMa // if SingleContainerStrategy is enabled and can be used with the configured feature set. // It should do nothing if the feature doesn't need to configure it. func (f *clusterChecksFeature) ManageSingleContainerNodeAgent(managers feature.PodTemplateManagers, provider string) error { - f.manageNodeAgent(common.UnprivilegedSingleAgentContainerName, managers, provider) + f.manageNodeAgent(commonv1.UnprivilegedSingleAgentContainerName, managers, provider) return nil } func (f *clusterChecksFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provider string) error { - f.manageNodeAgent(common.CoreAgentContainerName, managers, provider) + f.manageNodeAgent(commonv1.CoreAgentContainerName, managers, provider) return nil } -func (f *clusterChecksFeature) manageNodeAgent(agentContainerName common.AgentContainerName, managers feature.PodTemplateManagers, provider string) error { +func (f *clusterChecksFeature) manageNodeAgent(agentContainerName commonv1.AgentContainerName, managers feature.PodTemplateManagers, provider string) error { if f.useClusterCheckRunners { managers.EnvVar().AddEnvVarToContainer( agentContainerName, 
@@ -207,7 +207,7 @@ func (f *clusterChecksFeature) manageNodeAgent(agentContainerName common.AgentCo func (f *clusterChecksFeature) ManageClusterChecksRunner(managers feature.PodTemplateManagers) error { if f.useClusterCheckRunners { managers.EnvVar().AddEnvVarToContainer( - common.ClusterChecksRunnersContainerName, + commonv1.ClusterChecksRunnersContainerName, &corev1.EnvVar{ Name: apicommon.DDClusterChecksEnabled, Value: "true", @@ -215,7 +215,7 @@ func (f *clusterChecksFeature) ManageClusterChecksRunner(managers feature.PodTem ) managers.EnvVar().AddEnvVarToContainer( - common.ClusterChecksRunnersContainerName, + commonv1.ClusterChecksRunnersContainerName, &corev1.EnvVar{ Name: apicommon.DDExtraConfigProviders, Value: apicommon.ClusterChecksConfigProvider, diff --git a/controllers/datadogagent/feature/dogstatsd/feature.go b/controllers/datadogagent/feature/dogstatsd/feature.go index 9f04c4b8f..55816e738 100644 --- a/controllers/datadogagent/feature/dogstatsd/feature.go +++ b/controllers/datadogagent/feature/dogstatsd/feature.go @@ -17,7 +17,7 @@ import ( apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/merger" "github.com/DataDog/datadog-operator/controllers/datadogagent/object/volume" 
@@ -103,7 +103,7 @@ func (f *dogstatsdFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp featur // Feature's dependencies should be added in the store. func (f *dogstatsdFeature) ManageDependencies(managers feature.ResourceManagers, components feature.RequiredComponents) error { // agent local service - if component.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { + if common.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { dsdPort := &corev1.ServicePort{ Protocol: corev1.ProtocolUDP, TargetPort: intstr.FromInt(int(apicommon.DefaultDogstatsdPort)), @@ -118,7 +118,7 @@ func (f *dogstatsdFeature) ManageDependencies(managers feature.ResourceManagers, } } serviceInternalTrafficPolicy := corev1.ServiceInternalTrafficPolicyLocal - if err := managers.ServiceManager().AddService(f.localServiceName, f.owner.GetNamespace(), component.GetAgentLocalServiceSelector(f.owner), []corev1.ServicePort{*dsdPort}, &serviceInternalTrafficPolicy); err != nil { + if err := managers.ServiceManager().AddService(f.localServiceName, f.owner.GetNamespace(), common.GetAgentLocalServiceSelector(f.owner), []corev1.ServicePort{*dsdPort}, &serviceInternalTrafficPolicy); err != nil { return err } } diff --git a/controllers/datadogagent/feature/enabledefault/feature.go b/controllers/datadogagent/feature/enabledefault/feature.go index 6092bc6f2..1adb6880a 100644 --- a/controllers/datadogagent/feature/enabledefault/feature.go +++ b/controllers/datadogagent/feature/enabledefault/feature.go 
@@ -14,8 +14,7 @@ import ( "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" "github.com/DataDog/datadog-operator/controllers/datadogagent/common" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent" + componentagent "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent" componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" @@ -276,7 +275,7 @@ func (f *defaultFeature) agentDependencies(managers feature.ResourceManagers, re } // ClusterRole creation - if err := managers.RBACManager().AddClusterPolicyRules(f.owner.GetNamespace(), agent.GetAgentRoleName(f.owner), f.agent.serviceAccountName, getDefaultAgentClusterRolePolicyRules(f.disableNonResourceRules)); err != nil { + if err := managers.RBACManager().AddClusterPolicyRules(f.owner.GetNamespace(), componentagent.GetAgentRoleName(f.owner), f.agent.serviceAccountName, getDefaultAgentClusterRolePolicyRules(f.disableNonResourceRules)); err != nil { errs = append(errs, err) } 
@@ -388,17 +387,17 @@ func (f *defaultFeature) ManageClusterChecksRunner(managers feature.PodTemplateM func (f *defaultFeature) addDefaultCommonEnvs(managers feature.PodTemplateManagers) { if f.dcaTokenInfo.token.SecretName != "" { - tokenEnvVar := component.BuildEnvVarFromSource(apicommon.DDClusterAgentAuthToken, component.BuildEnvVarFromSecret(f.dcaTokenInfo.token.SecretName, f.dcaTokenInfo.token.SecretKey)) + tokenEnvVar := common.BuildEnvVarFromSource(apicommon.DDClusterAgentAuthToken, common.BuildEnvVarFromSecret(f.dcaTokenInfo.token.SecretName, f.dcaTokenInfo.token.SecretKey)) managers.EnvVar().AddEnvVar(tokenEnvVar) } if f.credentialsInfo.apiKey.SecretName != "" { - apiKeyEnvVar := component.BuildEnvVarFromSource(apicommon.DDAPIKey, component.BuildEnvVarFromSecret(f.credentialsInfo.apiKey.SecretName, f.credentialsInfo.apiKey.SecretKey)) + apiKeyEnvVar := common.BuildEnvVarFromSource(apicommon.DDAPIKey, common.BuildEnvVarFromSecret(f.credentialsInfo.apiKey.SecretName, f.credentialsInfo.apiKey.SecretKey)) managers.EnvVar().AddEnvVar(apiKeyEnvVar) } if f.credentialsInfo.appKey.SecretName != "" { - appKeyEnvVar := component.BuildEnvVarFromSource(apicommon.DDAppKey, component.BuildEnvVarFromSecret(f.credentialsInfo.appKey.SecretName, f.credentialsInfo.appKey.SecretKey)) + appKeyEnvVar := common.BuildEnvVarFromSource(apicommon.DDAppKey, common.BuildEnvVarFromSecret(f.credentialsInfo.appKey.SecretName, f.credentialsInfo.appKey.SecretKey)) managers.EnvVar().AddEnvVar(appKeyEnvVar) } } diff --git a/controllers/datadogagent/feature/externalmetrics/feature.go b/controllers/datadogagent/feature/externalmetrics/feature.go index b5838d88e..3cd22b27b 100644 --- a/controllers/datadogagent/feature/externalmetrics/feature.go +++ b/controllers/datadogagent/feature/externalmetrics/feature.go 
@@ -13,13 +13,14 @@ import ( apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent" + "github.com/DataDog/datadog-operator/controllers/datadogagent/component/objects" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" cilium "github.com/DataDog/datadog-operator/pkg/cilium/v1" "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" - "github.com/go-logr/logr" + "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" netv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -206,7 +207,7 @@ func (f *externalMetricsFeature) ManageDependencies(managers feature.ResourceMan } // network policies - policyName, podSelector := component.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterAgentComponentName) + policyName, podSelector := objects.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterAgentComponentName) if f.createKubernetesNetworkPolicy { ingressRules := []netv1.NetworkPolicyIngressRule{ { 
@@ -289,15 +290,15 @@ func (f *externalMetricsFeature) ManageClusterAgent(managers feature.PodTemplate var apiKeyEnvVar *corev1.EnvVar // api key from existing secret if s.name != "" { - apiKeyEnvVar = component.BuildEnvVarFromSource( + apiKeyEnvVar = common.BuildEnvVarFromSource( apicommon.DDExternalMetricsProviderAPIKey, - component.BuildEnvVarFromSecret(s.name, s.key), + common.BuildEnvVarFromSecret(s.name, s.key), ) } else { // api key from secret created by operator - apiKeyEnvVar = component.BuildEnvVarFromSource( + apiKeyEnvVar = common.BuildEnvVarFromSource( apicommon.DDExternalMetricsProviderAPIKey, - component.BuildEnvVarFromSecret(componentdca.GetDefaultExternalMetricSecretName(f.owner), apicommon.DefaultAPIKeyKey), + common.BuildEnvVarFromSecret(componentdca.GetDefaultExternalMetricSecretName(f.owner), apicommon.DefaultAPIKeyKey), ) } managers.EnvVar().AddEnvVarToContainer(apicommonv1.ClusterAgentContainerName, apiKeyEnvVar) @@ -307,15 +308,15 @@ func (f *externalMetricsFeature) ManageClusterAgent(managers feature.PodTemplate var appKeyEnvVar *corev1.EnvVar // app key from existing secret if s.name != "" { - appKeyEnvVar = component.BuildEnvVarFromSource( + appKeyEnvVar = common.BuildEnvVarFromSource( apicommon.DDExternalMetricsProviderAppKey, - component.BuildEnvVarFromSecret(s.name, s.key), + common.BuildEnvVarFromSecret(s.name, s.key), ) } else { // api key from secret created by operator - appKeyEnvVar = component.BuildEnvVarFromSource( + appKeyEnvVar = common.BuildEnvVarFromSource( apicommon.DDExternalMetricsProviderAppKey, - component.BuildEnvVarFromSecret(componentdca.GetDefaultExternalMetricSecretName(f.owner), apicommon.DefaultAPPKeyKey), + common.BuildEnvVarFromSecret(componentdca.GetDefaultExternalMetricSecretName(f.owner), apicommon.DefaultAPPKeyKey), ) } managers.EnvVar().AddEnvVarToContainer(apicommonv1.ClusterAgentContainerName, appKeyEnvVar) 
diff --git a/controllers/datadogagent/feature/kubernetesstatecore/feature.go b/controllers/datadogagent/feature/kubernetesstatecore/feature.go index fbf4066fe..56ea34aa6 100644 --- a/controllers/datadogagent/feature/kubernetesstatecore/feature.go +++ b/controllers/datadogagent/feature/kubernetesstatecore/feature.go @@ -21,8 +21,7 @@ import ( "github.com/DataDog/datadog-operator/pkg/kubernetes" "github.com/DataDog/datadog-operator/pkg/utils" - common "github.com/DataDog/datadog-operator/controllers/datadogagent/common" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/merger" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" 
@@ -95,14 +94,14 @@ func (f *ksmFeature) Configure(dda *v2alpha1.DatadogAgent) feature.RequiredCompo output.ClusterChecksRunner.IsRequired = apiutils.NewBoolPointer(true) if ccrOverride, ok := dda.Spec.Override[v2alpha1.ClusterChecksRunnerComponentName]; ok { - if ccrOverride.Image != nil && !utils.IsAboveMinVersion(component.GetAgentVersionFromImage(*ccrOverride.Image), crdAPIServiceCollectionMinVersion) { + if ccrOverride.Image != nil && !utils.IsAboveMinVersion(common.GetAgentVersionFromImage(*ccrOverride.Image), crdAPIServiceCollectionMinVersion) { // Disable if image is overridden to an unsupported version f.collectAPIServiceMetrics = false f.collectCRDMetrics = false } } } else if clusterAgentOverride, ok := dda.Spec.Override[v2alpha1.ClusterAgentComponentName]; ok { - if clusterAgentOverride.Image != nil && !utils.IsAboveMinVersion(component.GetAgentVersionFromImage(*clusterAgentOverride.Image), crdAPIServiceCollectionMinVersion) { + if clusterAgentOverride.Image != nil && !utils.IsAboveMinVersion(common.GetAgentVersionFromImage(*clusterAgentOverride.Image), crdAPIServiceCollectionMinVersion) { // Disable if image is overridden to an unsupported version f.collectAPIServiceMetrics = false f.collectCRDMetrics = false diff --git a/controllers/datadogagent/feature/orchestratorexplorer/feature.go b/controllers/datadogagent/feature/orchestratorexplorer/feature.go index 6f9feeee5..e2f7b90c5 100644 --- a/controllers/datadogagent/feature/orchestratorexplorer/feature.go +++ b/controllers/datadogagent/feature/orchestratorexplorer/feature.go 
@@ -20,8 +20,7 @@ import ( apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" - common "github.com/DataDog/datadog-operator/controllers/datadogagent/common" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/object" "github.com/DataDog/datadog-operator/controllers/datadogagent/object/volume" @@ -83,7 +82,7 @@ func (f *orchestratorExplorerFeature) Configure(dda *v2alpha1.DatadogAgent) (req // Process Agent is not required as of agent version 7.51.0 if nodeAgent, ok := dda.Spec.Override[v2alpha1.NodeAgentComponentName]; ok { - if nodeAgent.Image != nil && !utils.IsAboveMinVersion(component.GetAgentVersionFromImage(*nodeAgent.Image), NoProcessAgentMinVersion) { + if nodeAgent.Image != nil && !utils.IsAboveMinVersion(common.GetAgentVersionFromImage(*nodeAgent.Image), NoProcessAgentMinVersion) { f.processAgentRequired = true reqContainers = append(reqContainers, apicommonv1.ProcessAgentContainerName) } diff --git a/controllers/datadogagent/feature/otlp/feature.go b/controllers/datadogagent/feature/otlp/feature.go index 834d2c484..dcbbe0768 100644 --- a/controllers/datadogagent/feature/otlp/feature.go +++ b/controllers/datadogagent/feature/otlp/feature.go @@ -21,7 +21,7 @@ import ( apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common" apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" ) 
@@ -114,7 +114,7 @@ func (f *otlpFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp feature.Req // Feature's dependencies should be added in the store. func (f *otlpFeature) ManageDependencies(managers feature.ResourceManagers, components feature.RequiredComponents) error { if f.grpcEnabled { - if component.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { + if common.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { port, err := extractPortEndpoint(f.grpcEndpoint) if err != nil { f.logger.Error(err, "failed to extract port from OTLP/gRPC endpoint") @@ -129,13 +129,13 @@ func (f *otlpFeature) ManageDependencies(managers feature.ResourceManagers, comp }, } serviceInternalTrafficPolicy := corev1.ServiceInternalTrafficPolicyLocal - if err := managers.ServiceManager().AddService(f.localServiceName, f.owner.GetNamespace(), component.GetAgentLocalServiceSelector(f.owner), servicePort, &serviceInternalTrafficPolicy); err != nil { + if err := managers.ServiceManager().AddService(f.localServiceName, f.owner.GetNamespace(), common.GetAgentLocalServiceSelector(f.owner), servicePort, &serviceInternalTrafficPolicy); err != nil { return err } } } if f.httpEnabled { - if component.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { + if common.ShouldCreateAgentLocalService(managers.Store().GetVersionInfo(), f.forceEnableLocalService) { port, err := extractPortEndpoint(f.httpEndpoint) if err != nil { f.logger.Error(err, "failed to extract port from OTLP/HTTP endpoint") diff --git a/controllers/datadogagent/feature/utils/utils.go b/controllers/datadogagent/feature/utils/utils.go index b481509a5..8c3f93980 100644 --- a/controllers/datadogagent/feature/utils/utils.go +++ b/controllers/datadogagent/feature/utils/utils.go 
@@ -13,7 +13,7 @@ import ( "github.com/DataDog/datadog-operator/pkg/defaulting" "github.com/DataDog/datadog-operator/pkg/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/common" ) // Process Checks utils @@ -24,7 +24,7 @@ func agentSupportsRunInCoreAgent(dda *v2alpha1.DatadogAgent) bool { // Agent version must >= 7.53.0 to run feature in core agent if nodeAgent, ok := dda.Spec.Override[v2alpha1.NodeAgentComponentName]; ok { if nodeAgent.Image != nil { - return utils.IsAboveMinVersion(component.GetAgentVersionFromImage(*nodeAgent.Image), RunInCoreAgentMinVersion) + return utils.IsAboveMinVersion(common.GetAgentVersionFromImage(*nodeAgent.Image), RunInCoreAgentMinVersion) } } return utils.IsAboveMinVersion(defaulting.AgentLatestVersion, RunInCoreAgentMinVersion) diff --git a/controllers/datadogagent/override/global.go b/controllers/datadogagent/override/global.go index 2d1970a04..0bc686546 100644 --- a/controllers/datadogagent/override/global.go +++ b/controllers/datadogagent/override/global.go @@ -14,7 +14,7 @@ import ( apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1" apiutils "github.com/DataDog/datadog-operator/apis/utils" - "github.com/DataDog/datadog-operator/controllers/datadogagent/component" + "github.com/DataDog/datadog-operator/controllers/datadogagent/component/objects" "github.com/DataDog/datadog-operator/controllers/datadogagent/feature" "github.com/DataDog/datadog-operator/controllers/datadogagent/object/volume" "github.com/DataDog/datadog-operator/pkg/defaulting" 
@@ -97,7 +97,7 @@ func applyGlobalSettings(logger logr.Logger, manager feature.PodTemplateManagers var err error switch config.NetworkPolicy.Flavor { case v2alpha1.NetworkPolicyFlavorKubernetes: - err = resourcesManager.NetworkPolicyManager().AddKubernetesNetworkPolicy(component.BuildKubernetesNetworkPolicy(dda, componentName)) + err = resourcesManager.NetworkPolicyManager().AddKubernetesNetworkPolicy(objects.BuildKubernetesNetworkPolicy(dda, componentName)) case v2alpha1.NetworkPolicyFlavorCilium: var ddURL string var dnsSelectorEndpoints []metav1.LabelSelector @@ -108,7 +108,7 @@ func applyGlobalSettings(logger logr.Logger, manager feature.PodTemplateManagers dnsSelectorEndpoints = config.NetworkPolicy.DNSSelectorEndpoints } err = resourcesManager.CiliumPolicyManager().AddCiliumPolicy( - component.BuildCiliumPolicy( + objects.BuildCiliumPolicy( dda, *config.Site, ddURL, From 5922b972e1c926044eef38e46cec9f8f05d15563 Mon Sep 17 00:00:00 2001 From: Celene Date: Wed, 14 Aug 2024 12:57:05 -0400 Subject: [PATCH 3/3] small fix --- controllers/datadogagent/component/clusteragent/default.go | 6 +++--- .../datadogagent/component/clusterchecksrunner/default.go | 6 +++--- .../component/clusterchecksrunner/default_test.go | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/controllers/datadogagent/component/clusteragent/default.go b/controllers/datadogagent/component/clusteragent/default.go index 3575d2adb..070e199ab 100644 --- a/controllers/datadogagent/component/clusteragent/default.go +++ b/controllers/datadogagent/component/clusteragent/default.go 
@@ -44,8 +44,8 @@ func GetClusterAgentRbacResourcesName(dda metav1.Object) string { return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) } -// GetDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName -func GetDefaultServiceAccountName(dda metav1.Object) string { +// getDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName +func getDefaultServiceAccountName(dda metav1.Object) string { return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix) } @@ -107,7 +107,7 @@ func NewDefaultClusterAgentPodTemplateSpec(dda metav1.Object) *corev1.PodTemplat func defaultPodSpec(dda metav1.Object, volumes []corev1.Volume, volumeMounts []corev1.VolumeMount, envVars []corev1.EnvVar) corev1.PodSpec { podSpec := corev1.PodSpec{ - ServiceAccountName: GetDefaultServiceAccountName(dda), + ServiceAccountName: getDefaultServiceAccountName(dda), Containers: []corev1.Container{ { Name: string(apicommonv1.ClusterAgentContainerName), diff --git a/controllers/datadogagent/component/clusterchecksrunner/default.go b/controllers/datadogagent/component/clusterchecksrunner/default.go index 25e472244..5e4967fe6 100644 --- a/controllers/datadogagent/component/clusterchecksrunner/default.go +++ b/controllers/datadogagent/component/clusterchecksrunner/default.go @@ -82,8 +82,8 @@ func NewDefaultClusterChecksRunnerPodTemplateSpec(dda metav1.Object) *corev1.Pod return template } -// GetDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName -func GetDefaultServiceAccountName(dda metav1.Object) string { +// getDefaultServiceAccountName return the default Cluster-Agent ServiceAccountName +func getDefaultServiceAccountName(dda metav1.Object) string { return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix) } 
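Review bot: The rewritten doc comment on `getDefaultServiceAccountName` in clusterchecksrunner/default.go still says "return the default Cluster-Agent ServiceAccountName", but the body formats the name with `apicommon.DefaultClusterChecksRunnerResourceSuffix`, so the comment describes the wrong component; since the line is already being changed, fix it to `// getDefaultServiceAccountName returns the default Cluster Checks Runner ServiceAccountName.` (the identical wording in clusteragent/default.go is correct for that file, which suggests this one was copy-pasted). Unrelated to the rename but visible in the same clusteragent hunk: the now-unexported helper returns byte-for-byte the same string as `GetClusterAgentRbacResourcesName` (same `Sprintf` of the DDA name and `DefaultClusterAgentResourceSuffix`). If the ServiceAccount name is meant to track the RBAC resource name — which the RoleBinding subjects presumably rely on — having one helper call the other would make that coupling explicit instead of coincidental; this is a style suggestion, not a defect.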
@@ -93,7 +93,7 @@ func clusterChecksRunnerImage() string { func defaultPodSpec(dda metav1.Object, volumes []corev1.Volume, volumeMounts []corev1.VolumeMount, envVars []corev1.EnvVar) corev1.PodSpec { podSpec := corev1.PodSpec{ - ServiceAccountName: GetDefaultServiceAccountName(dda), + ServiceAccountName: getDefaultServiceAccountName(dda), InitContainers: []corev1.Container{ { Name: "init-config", diff --git a/controllers/datadogagent/component/clusterchecksrunner/default_test.go b/controllers/datadogagent/component/clusterchecksrunner/default_test.go index d573a974d..9cc470c1d 100644 --- a/controllers/datadogagent/component/clusterchecksrunner/default_test.go +++ b/controllers/datadogagent/component/clusterchecksrunner/default_test.go @@ -13,7 +13,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func TestGetDefaultServiceAccountName(t *testing.T) { +func Test_getDefaultServiceAccountName(t *testing.T) { dda := v2alpha1.DatadogAgent{ ObjectMeta: metav1.ObjectMeta{ Name: "my-datadog-agent", @@ -21,5 +21,5 @@ func TestGetDefaultServiceAccountName(t *testing.T) { }, } - assert.Equal(t, "my-datadog-agent-cluster-checks-runner", GetDefaultServiceAccountName(&dda)) + assert.Equal(t, "my-datadog-agent-cluster-checks-runner", getDefaultServiceAccountName(&dda)) }