DataDog · celenechang · Mar 17, 2022 · Mar 10, 2022 · Mar 12, 2022 · Mar 16, 2022
@@ -118,7 +118,6 @@ type AgentCredentials struct {
 
 	// UseSecretBackend use the Agent secret backend feature for retreiving all credentials needed by
 	// the different components: Agent, Cluster, Cluster-Checks.
-	// If `useSecretBackend: true`, other credential parameters will be ignored.
 	// default value is false.
 	UseSecretBackend *bool `json:"useSecretBackend,omitempty"`
 }

@@ -11897,9 +11897,7 @@ spec:
                   useSecretBackend:
                     description: 'UseSecretBackend use the Agent secret backend feature
                       for retreiving all credentials needed by the different components:
-                      Agent, Cluster, Cluster-Checks. If `useSecretBackend: true`,
-                      other credential parameters will be ignored. default value is
-                      false.'
+                      Agent, Cluster, Cluster-Checks. default value is false.'
                     type: boolean
                 type: object
               features:

@@ -11484,8 +11484,7 @@ spec:
                 useSecretBackend:
                   description: 'UseSecretBackend use the Agent secret backend feature
                     for retreiving all credentials needed by the different components:
-                    Agent, Cluster, Cluster-Checks. If `useSecretBackend: true`, other
-                    credential parameters will be ignored. default value is false.'
+                    Agent, Cluster, Cluster-Checks. default value is false.'
                   type: boolean
               type: object
             features:

@@ -35,7 +35,7 @@ import (
 )
 
 func (r *Reconciler) reconcileAgent(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
-	result, err := r.manageAgentDependencies(logger, dda, newStatus)
+	result, err := r.manageAgentDependencies(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}
@@ -270,8 +270,8 @@ func (r *Reconciler) updateDaemonSet(logger logr.Logger, dda *datadoghqv1alpha1.
 	return reconcile.Result{RequeueAfter: 5 * time.Second}, nil
 }
 
-func (r *Reconciler) manageAgentDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
-	result, err := r.manageAgentSecret(logger, dda, newStatus)
+func (r *Reconciler) manageAgentDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent) (reconcile.Result, error) {
+	result, err := r.manageAgentSecret(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}

@@ -32,10 +32,11 @@ import (
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/comparison"
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/datadog"
 	"github.com/DataDog/datadog-operator/pkg/kubernetes"
+	"github.com/DataDog/datadog-operator/pkg/secrets"
 )
 
 func (r *Reconciler) reconcileClusterAgent(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
-	result, err := r.manageClusterAgentDependencies(logger, dda, newStatus)
+	result, err := r.manageClusterAgentDependencies(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}
@@ -190,13 +191,13 @@ func newClusterAgentDeploymentFromInstance(logger logr.Logger, dda *datadoghqv1a
 	return dca, hash, err
 }
 
-func (r *Reconciler) manageClusterAgentDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
-	result, err := r.manageAgentSecret(logger, dda, newStatus)
+func (r *Reconciler) manageClusterAgentDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent) (reconcile.Result, error) {
+	result, err := r.manageAgentSecret(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}
 
-	result, err = r.manageExternalMetricsSecret(logger, dda, newStatus)
+	result, err = r.manageExternalMetricsSecret(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}
@@ -603,10 +604,6 @@ func getEnvVarsForClusterAgent(logger logr.Logger, dda *datadoghqv1alpha1.Datado
 			Name:  datadoghqv1alpha1.DDClusterAgentKubeServiceName,
 			Value: getClusterAgentServiceName(dda),
 		},
-		{
-			Name:      datadoghqv1alpha1.DDClusterAgentAuthToken,
-			ValueFrom: getClusterAgentAuthToken(dda),
-		},
 		{
 			Name:  datadoghqv1alpha1.DDLeaderElection,
 			Value: "true",
@@ -625,6 +622,20 @@ func getEnvVarsForClusterAgent(logger logr.Logger, dda *datadoghqv1alpha1.Datado
 		},
 	}
 
+	// This triggers use of the secret backend.
+	// Otherwise, read from the default or configured secret
+	if secrets.IsEnc(dda.Spec.Credentials.Token) {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:  datadoghqv1alpha1.DDClusterAgentAuthToken,
+			Value: dda.Spec.Credentials.Token,
+		})
+	} else {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:      datadoghqv1alpha1.DDClusterAgentAuthToken,
+			ValueFrom: getClusterAgentAuthToken(dda),
+		})
+	}
+
 	if spec.ClusterName != "" {
 		envVars = append(envVars, corev1.EnvVar{
 			Name:  datadoghqv1alpha1.DDClusterName,
@@ -661,10 +672,19 @@ func getEnvVarsForClusterAgent(logger logr.Logger, dda *datadoghqv1alpha1.Datado
 		Value: *spec.ClusterAgent.Config.LogLevel,
 	})
 
-	envVars = append(envVars, corev1.EnvVar{
-		Name:      datadoghqv1alpha1.DDAPIKey,
-		ValueFrom: getAPIKeyFromSecret(dda),
-	})
+	// This triggers use of the secret backend.
+	// Otherwise, read from the default or configured secret
+	if secrets.IsEnc(dda.Spec.Credentials.DatadogCredentials.APIKey) {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:  datadoghqv1alpha1.DDAPIKey,
+			Value: dda.Spec.Credentials.DatadogCredentials.APIKey,
+		})
+	} else {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:      datadoghqv1alpha1.DDAPIKey,
+			ValueFrom: getAPIKeyFromSecret(dda),
+		})
+	}
 
 	if spec.Site != "" {
 		envVars = append(envVars, corev1.EnvVar{
@@ -704,20 +724,38 @@ func getEnvVarsForClusterAgent(logger logr.Logger, dda *datadoghqv1alpha1.Datado
 		}
 
 		if hasMetricsProviderCustomCredentials(spec.ClusterAgent) {
-			apiSet, secretName, secretKey := utils.GetAPIKeySecret(dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials, getDefaultExternalMetricSecretName(dda))
-			if apiSet {
+			// This triggers use of the secret backend.
+			// Otherwise, read from the default or configured secret
+			if secrets.IsEnc(dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials.APIKey) {
 				envVars = append(envVars, corev1.EnvVar{
-					Name:      datadoghqv1alpha1.DDExternalMetricsProviderAPIKey,
-					ValueFrom: buildEnvVarFromSecret(secretName, secretKey),
+					Name:  datadoghqv1alpha1.DDExternalMetricsProviderAPIKey,
+					Value: dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials.APIKey,
 				})
+			} else {
+				apiSet, secretName, secretKey := utils.GetAPIKeySecret(dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials, getDefaultExternalMetricSecretName(dda))
+				if apiSet {
+					envVars = append(envVars, corev1.EnvVar{
+						Name:      datadoghqv1alpha1.DDExternalMetricsProviderAPIKey,
+						ValueFrom: buildEnvVarFromSecret(secretName, secretKey),
+					})
+				}
 			}
 
-			appSet, secretName, secretKey := utils.GetAppKeySecret(dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials, getDefaultExternalMetricSecretName(dda))
-			if appSet {
+			// This triggers use of the secret backend.
+			// Otherwise, read from the default or configured secret
+			if secrets.IsEnc(dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials.AppKey) {
 				envVars = append(envVars, corev1.EnvVar{
-					Name:      datadoghqv1alpha1.DDExternalMetricsProviderAppKey,
-					ValueFrom: buildEnvVarFromSecret(secretName, secretKey),
+					Name:  datadoghqv1alpha1.DDExternalMetricsProviderAppKey,
+					Value: dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials.AppKey,
 				})
+			} else {
+				appSet, secretName, secretKey := utils.GetAppKeySecret(dda.Spec.ClusterAgent.Config.ExternalMetrics.Credentials, getDefaultExternalMetricSecretName(dda))
+				if appSet {
+					envVars = append(envVars, corev1.EnvVar{
+						Name:      datadoghqv1alpha1.DDExternalMetricsProviderAppKey,
+						ValueFrom: buildEnvVarFromSecret(secretName, secretKey),
+					})
+				}
 			}
 		}
 	}

@@ -31,10 +31,11 @@ import (
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/comparison"
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/datadog"
 	"github.com/DataDog/datadog-operator/pkg/kubernetes"
+	"github.com/DataDog/datadog-operator/pkg/secrets"
 )
 
 func (r *Reconciler) reconcileClusterChecksRunner(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
-	result, err := r.manageClusterChecksRunnerDependencies(logger, dda, newStatus)
+	result, err := r.manageClusterChecksRunnerDependencies(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}
@@ -197,8 +198,8 @@ func newClusterChecksRunnerDeploymentFromInstance(
 	return dca, hash, err
 }
 
-func (r *Reconciler) manageClusterChecksRunnerDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
-	result, err := r.manageAgentSecret(logger, dda, newStatus)
+func (r *Reconciler) manageClusterChecksRunnerDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent) (reconcile.Result, error) {
+	result, err := r.manageAgentSecret(logger, dda)
 	if utils.ShouldReturn(result, err) {
 		return result, err
 	}
@@ -340,10 +341,6 @@ func buildClusterChecksRunnerConfigurationConfigMap(dda *datadoghqv1alpha1.Datad
 func getEnvVarsForClusterChecksRunner(dda *datadoghqv1alpha1.DatadogAgent) []corev1.EnvVar {
 	spec := &dda.Spec
 	envVars := []corev1.EnvVar{
-		{
-			Name:      datadoghqv1alpha1.DDAPIKey,
-			ValueFrom: getAPIKeyFromSecret(dda),
-		},
 		{
 			Name:  datadoghqv1alpha1.DDClusterChecksEnabled,
 			Value: "true",
@@ -356,10 +353,6 @@ func getEnvVarsForClusterChecksRunner(dda *datadoghqv1alpha1.DatadogAgent) []cor
 			Name:  datadoghqv1alpha1.DDClusterAgentKubeServiceName,
 			Value: getClusterAgentServiceName(dda),
 		},
-		{
-			Name:      datadoghqv1alpha1.DDClusterAgentAuthToken,
-			ValueFrom: getClusterAgentAuthToken(dda),
-		},
 		{
 			Name:  datadoghqv1alpha1.DDExtraConfigProviders,
 			Value: datadoghqv1alpha1.ClusterChecksConfigProvider,
@@ -418,6 +411,34 @@ func getEnvVarsForClusterChecksRunner(dda *datadoghqv1alpha1.DatadogAgent) []cor
 		},
 	}
 
+	// This triggers use of the secret backend.
+	// Otherwise, read from the default or configured secret
+	if secrets.IsEnc(dda.Spec.Credentials.DatadogCredentials.APIKey) {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:  datadoghqv1alpha1.DDAPIKey,
+			Value: dda.Spec.Credentials.DatadogCredentials.APIKey,
+		})
+	} else {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:      datadoghqv1alpha1.DDAPIKey,
+			ValueFrom: getAPIKeyFromSecret(dda),
+		})
+	}
+
+	// This triggers use of the secret backend.
+	// Otherwise, read from the default or configured secret
+	if secrets.IsEnc(dda.Spec.Credentials.Token) {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:  datadoghqv1alpha1.DDClusterAgentAuthToken,
+			Value: dda.Spec.Credentials.Token,
+		})
+	} else {
+		envVars = append(envVars, corev1.EnvVar{
+			Name:      datadoghqv1alpha1.DDClusterAgentAuthToken,
+			ValueFrom: getClusterAgentAuthToken(dda),
+		})
+	}
+
 	if spec.ClusterName != "" {
 		envVars = append(envVars, corev1.EnvVar{
 			Name:  datadoghqv1alpha1.DDClusterName,

@@ -7,8 +7,6 @@ package datadogagent
 
 import (
 	"context"
-	"fmt"
-	"time"
 
 	"github.com/go-logr/logr"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -17,37 +15,30 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	datadoghqv1alpha1 "github.com/DataDog/datadog-operator/apis/datadoghq/v1alpha1"
-	"github.com/DataDog/datadog-operator/pkg/controller/utils/condition"
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/datadog"
 	"github.com/DataDog/datadog-operator/pkg/kubernetes"
 )
 
 type managedSecret struct {
 	name        string
 	requireFunc func(dda *datadoghqv1alpha1.DatadogAgent) bool
-	createFunc  func(name string, dda *datadoghqv1alpha1.DatadogAgent) (*corev1.Secret, error)
+	createFunc  func(name string, dda *datadoghqv1alpha1.DatadogAgent) *corev1.Secret
 }
 
-func (r *Reconciler) manageSecret(logger logr.Logger, secret managedSecret, dda *datadoghqv1alpha1.DatadogAgent, newStatus *datadoghqv1alpha1.DatadogAgentStatus) (reconcile.Result, error) {
+func (r *Reconciler) manageSecret(logger logr.Logger, secret managedSecret, dda *datadoghqv1alpha1.DatadogAgent) (reconcile.Result, error) {
 	if !secret.requireFunc(dda) {
 		result, err := r.cleanupSecret(dda.Namespace, secret.name, dda)
 		return result, err
 	}
 
-	now := metav1.NewTime(time.Now())
 	secretObj := &corev1.Secret{}
 	err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: dda.Namespace, Name: secret.name}, secretObj)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
-			s, errCreate := secret.createFunc(secret.name, dda)
-			if errCreate != nil {
-				condition.UpdateDatadogAgentStatusConditions(newStatus, now, datadoghqv1alpha1.DatadogAgentConditionTypeSecretError, corev1.ConditionTrue, fmt.Sprintf("%v", err), false)
-				return reconcile.Result{}, fmt.Errorf("cannot create secret %s, err: %w", secret.name, errCreate)
-			}
+			s := secret.createFunc(secret.name, dda)
 
 			return r.createSecret(logger, s, dda)
 		}
@@ -77,10 +68,7 @@ func (r *Reconciler) updateIfNeededSecret(secret managedSecret, dda *datadoghqv1
 		return reconcile.Result{}, nil
 	}
 
-	newSecret, err := secret.createFunc(secret.name, dda)
-	if err != nil {
-		return reconcile.Result{}, err
-	}
+	newSecret := secret.createFunc(secret.name, dda)
 
 	result := reconcile.Result{}
 	if !(apiequality.Semantic.DeepEqual(newSecret.Data, currentSecret.Data) &&
@@ -124,16 +112,3 @@ func (r *Reconciler) cleanupSecret(namespace, name string, dda *datadoghqv1alpha
 
 	return reconcile.Result{}, err
 }
-
-func dataFromCredentials(credentials *datadoghqv1alpha1.DatadogCredentials) map[string][]byte {
-	data := make(map[string][]byte)
-	// Create secret using DatadogAgent credentials if it exists
-	if credentials.APIKey != "" {
-		data[datadoghqv1alpha1.DefaultAPIKeyKey] = []byte(credentials.APIKey)
-	}
-	if credentials.AppKey != "" {
-		data[datadoghqv1alpha1.DefaultAPPKeyKey] = []byte(credentials.AppKey)
-	}
-
-	return data
-}