Allow using FIPS variants of ddot-collector and agent -full images #2605
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #2605 +/- ##
==========================================
- Coverage 39.24% 39.21% -0.03%
==========================================
Files 314 314
Lines 27288 27298 +10
==========================================
- Hits 10708 10706 -2
- Misses 15792 15802 +10
- Partials 788 790 +2
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 482fefbed0
| isFull: true, | ||
| }, | ||
| want: "gcr.io/datadoghq/agent:7.64.0-fips-jmx", | ||
| want: "gcr.io/datadoghq/agent:7.64.0-fips-full", |
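Review bot: the `want:` line for the `isFull: true` case now expects `7.64.0-fips-full`, but this PR's overview gives v7.78.0 as the minimum version at which FIPS variants of the -full image are published, so the fixture encodes a tag that the new validation is meant to reject. Consider bumping the fixture version to 7.78.0 or later, or adding a comment that this case covers string rendering only and that the version check is tested separately. Since the expectation also changes from `-fips-jmx` to `-fips-full`, a short comment stating that the -full image supersedes the -jmx suffix would document why the JMX suffix is dropped.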
Does fips-full include jmx?
--build-arg WITH_JMX=true --build-arg WITH_JMX_FIPS=true
Pull request overview
This PR enables the use of FIPS variants of ddot-collector and agent -full images by introducing version validation and preserving the useFIPSAgent setting when overriding the agent version tag. The PR introduces a minimum version check (v7.78.0) for when these FIPS variants started being published, and fixes a pre-existing parsing bug where Full suffix combined with FIPS or JMX would not be handled correctly.
Changes:
- Added `DDOTFIPSMinimumVersion` constant to define when FIPS variants became available for ddot-collector and -full images
- Implemented `FIPSVersionError()` method to validate FIPS version compatibility
- Refactored tag suffix parsing into a separate `parseTagSuffixes()` function to handle all combinations of suffixes correctly
- Added validation calls in reconcilers to catch incompatible FIPS version combinations
- Enhanced `ToString()` method to properly handle FIPS+Full combinations
- Added comprehensive test coverage for the new functionality
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/images/images.go | Added FIPS version validation, refactored tag parsing to fix pre-existing bug, improved suffix handling logic |
| pkg/images/images_test.go | Added test cases for FIPS+Full combinations, FIPS version validation, and updated existing test expectations |
| internal/controller/datadogagent/global/global.go | Added ValidateFIPSVersions function and improved method chaining |
| internal/controller/datadogagent/global/global_test.go | Added comprehensive tests for FIPS version validation |
| internal/controller/datadogagent/controller_reconcile_agent.go | Integrated FIPS version validation after all image modifications |
| internal/controller/datadogagent/component_reconciler.go | Integrated FIPS version validation in component reconciliation |
| internal/controller/datadogagentinternal/component_reconciler.go | Same FIPS validation integration for internal component reconciliation |
Preserve useFIPSAgent setting when overriding the agent version tag
Parse tag suffixes right to left (Full -> JMX -> FIPS) in fromImageConfig, matching the existing logic in FromString. Previously, checking FIPS before Full meant that -fips-full tags were misidentified: the FIPS flag was missed and -fips was left in the base tag, leading to double suffixes like -fips-fips-full when combined with a FIPS-enabled current image.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extract parseTagSuffixes helper and use it in both FromString and fromImageConfig. When the name contains a tag, fromImageConfig now delegates directly to FromString instead of duplicating the logic.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
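The suffix-ordering bug described in the commit message above, reproduced as an added example (not the operator's code). The type and function names, the exact order of the old checks after FIPS, and the rule that -full replaces -jmx when rendering are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// tagParts is a type made up for this example, not the operator's own.
type tagParts struct {
	Base            string
	FIPS, JMX, Full bool
}

// parseInOrder tests each suffix once, in the order given, stripping matches.
func parseInOrder(tag string, order ...string) tagParts {
	seen := map[string]bool{}
	for _, s := range order {
		if strings.HasSuffix(tag, s) {
			tag = strings.TrimSuffix(tag, s)
			seen[s] = true
		}
	}
	return tagParts{Base: tag, FIPS: seen["-fips"], JMX: seen["-jmx"], Full: seen["-full"]}
}

// render rebuilds the tag; wantFIPS models useFIPSAgent being enabled.
// Assumption: -full takes the place of -jmx when both are set.
func render(p tagParts, wantFIPS bool) string {
	out := p.Base
	if p.FIPS || wantFIPS {
		out += "-fips"
	}
	if p.Full {
		out += "-full"
	} else if p.JMX {
		out += "-jmx"
	}
	return out
}

// fipsFirst models the old order; rightToLeft models the fixed order.
func fipsFirst(tag string) tagParts   { return parseInOrder(tag, "-fips", "-jmx", "-full") }
func rightToLeft(tag string) tagParts { return parseInOrder(tag, "-full", "-jmx", "-fips") }

func main() {
	const tag = "7.78.0-fips-full" // constructed sample tag
	fmt.Println("FIPS first:   ", render(fipsFirst(tag), true))
	fmt.Println("right to left:", render(rightToLeft(tag), true))
}
```

With FIPS checked first, `-fips` is not the trailing suffix of the sample tag, so it stays in the base and is appended a second time on render.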
Preserve useFIPSAgent setting when overriding the agent version tag
What does this PR do?
`useFIPSAgent` setting now applies to agent `-full` and `ddot-collector` images.
Motivation
We will start publishing FIPS variants of those images soon: DataDog/datadog-agent#46053
OTAGENT-845
Minimum Agent Versions
Are there minimum versions of the Datadog Agent and/or Cluster Agent required?
Agent: v7.78.0
Can be merged before, as the check makes sure the combination is valid.
Describe your test plan
I added a few test cases