
[datadog-operator] Expose DCA Agent Sidecar TLS Config#2700

Merged
levan-m merged 5 commits intomainfrom
gabedos/dca-ca-cert-perms
Apr 7, 2026

Conversation


@gabedos gabedos commented Mar 4, 2026

What does this PR do?

Exposes a config option and creates the RBACs for creating and mounting the Cluster Agent's certificate onto the Agent sidecar container it creates in application namespaces.

Motivation

Exposes the config option for the new Agent feature for TLS communication on the Agent sidecar in the admission controller.

Minimum Agent Versions

This feature works only with newer Agent versions. However, the ConfigMap RBAC is fine to apply everywhere.

  • Agent: v7.78.0+
  • Cluster Agent: v7.78.0+

Describe your test plan

Apply the following Agent CRD config:

```yaml
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog-test-tls
  namespace: system
spec:
  global:
    credentials:
      apiSecret:
        secretName: datadog-secret
        keyName: api-key
      appSecret:
        secretName: datadog-secret
        keyName: app-key
  features:
    admissionController:
      enabled: true
      agentSidecarInjection:
        enabled: true
        provider: fargate
        clusterAgentTlsVerification:
          enabled: true
          copyCaConfigMap: true
```

Check that the ConfigMap RBAC rules are present on the DCA cluster role:

```console
$ kubectl get clusterrole datadog-test-tls-cluster-agent -o yaml | grep -A 5 "configmaps"
  - configmaps
  verbs:
  - create
  - get
  - list
  - update
```

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

@gabedos gabedos changed the title from "Gabedos/dca ca cert perms" to "[datadog-operator] Expose DCA Agent Sidecar TLS Config" Mar 4, 2026
@gabedos gabedos added the enhancement label Mar 4, 2026
@gabedos gabedos added this to the v1.25.0 milestone Mar 4, 2026
codecov-commenter commented Mar 4, 2026

Codecov Report

❌ Patch coverage is 72.97297% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 39.70%. Comparing base (f662670) to head (4125b4a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
pkg/testutils/builder.go 0.00% 8 Missing ⚠️
...atadogagent/feature/admissioncontroller/feature.go 93.75% 0 Missing and 1 partial ⚠️
...r/datadogagent/feature/admissioncontroller/rbac.go 92.30% 0 Missing and 1 partial ⚠️
@@            Coverage Diff             @@
##             main    #2700      +/-   ##
==========================================
+ Coverage   39.23%   39.70%   +0.47%     
==========================================
  Files         314      314              
  Lines       27296    27698     +402     
==========================================
+ Hits        10709    10998     +289     
- Misses      15798    15899     +101     
- Partials      789      801      +12     
Flag Coverage Δ
unittests 39.70% <72.97%> (+0.47%) ⬆️

Files with missing lines Coverage Δ
...atadogagent/feature/admissioncontroller/feature.go 70.34% <93.75%> (+1.47%) ⬆️
...r/datadogagent/feature/admissioncontroller/rbac.go 90.80% <92.30%> (+1.19%) ⬆️
pkg/testutils/builder.go 0.00% <0.00%> (ø)

... and 5 files with indirect coverage changes

@gabedos gabedos marked this pull request as ready for review March 4, 2026 13:36
@gabedos gabedos requested a review from a team March 4, 2026 13:36
@gabedos gabedos requested review from a team as code owners March 4, 2026 13:36
cswatt commented Mar 4, 2026

For documentation styleguide reasons, can we capitalize Cluster Agent and Agent?

@cswatt cswatt self-assigned this Mar 4, 2026
@cswatt cswatt left a comment

thank you!

@gabedos gabedos modified the milestones: v1.25.0, v1.26.0 Mar 19, 2026
f.agentSidecarConfig.tlsVerificationEnabled = apiutils.BoolValue(sidecarConfig.ClusterAgentTLSVerification.Enabled)
}
if sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap != nil {
f.agentSidecarConfig.tlsVerificationCopyCaConfigMap = apiutils.BoolValue(sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap)
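Review bot: the `!= nil` check on `CopyCaConfigMap` is immediately undone by `apiutils.BoolValue`, which stores a plain bool in `f.agentSidecarConfig.tlsVerificationCopyCaConfigMap`, so downstream code can no longer tell an unset field from an explicit `false`; the same collapse happens for `tlsVerificationEnabled` on the first line. If the intent is to forward the env var to the DCA whenever the user set the field, including `false`, keep the `*bool` (or record a separate "set" flag) on the sidecar config so the env var rendering can distinguish the two cases.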
Collaborator

should we set this (and pass env var to DCA) even if ClusterAgentTLSVerification.Enabled == false?

Collaborator

would be nice to have unit test confirming expected behavior.

Contributor Author

I can add a unit test for this to confirm that the values are being set properly.

But I think it should be fine to pass the env var to DCA even if it's explicitly set to false on the Operator. Generally, I think this should be good to do because Agent defaults can change and I'd want a manually defined false by the Operator user to still apply.

levan-m and others added 2 commits April 3, 2026 16:14
Previously the sidecar TLS verification env vars were only set when
enabled=true. This changes the fields to *bool so the env vars are
always passed to DCA when explicitly configured, even when false,
preventing Agent default changes from overriding user intent.

Adds unit tests for both enabled and explicitly disabled cases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
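The nil-versus-explicit-false distinction argued for in the review thread and the commit message above, as an added illustration in Go; this is not the operator's own code. The `ClusterAgentTLSVerification` type, the `EnvVarsBefore`/`EnvVarsAfter` functions and the `DD_EXAMPLE_...` env var names are assumptions made for the example; the real DCA variable names are not on this page.

```go
package main

import "strconv"

// Assumed mirror of the CRD field (not the operator's own): nil = unset, false = explicitly false.
type ClusterAgentTLSVerification struct {
	Enabled         *bool
	CopyCaConfigMap *bool
}

// Placeholder env var names; the real DCA variable names are not on this page.
const (
	EnvTLSVerificationEnabled = "DD_EXAMPLE_SIDECAR_CLUSTER_AGENT_TLS_VERIFICATION_ENABLED"
	EnvTLSCopyCAConfigMap     = "DD_EXAMPLE_SIDECAR_CLUSTER_AGENT_TLS_COPY_CA_CONFIGMAP"
)

// EnvVarsBefore reproduces the behaviour the commit message says was replaced: env vars
// were emitted only when enabled was true, so "enabled: false" produced nothing.
func EnvVarsBefore(cfg *ClusterAgentTLSVerification) map[string]string {
	envs := map[string]string{}
	if cfg == nil || cfg.Enabled == nil || !*cfg.Enabled {
		return envs
	}
	envs[EnvTLSVerificationEnabled] = "true"
	if cfg.CopyCaConfigMap != nil {
		envs[EnvTLSCopyCAConfigMap] = strconv.FormatBool(*cfg.CopyCaConfigMap)
	}
	return envs
}

// EnvVarsAfter forwards every field the user set explicitly, false included, and is
// silent only for nil, so a changed Agent default can never override an explicit value.
func EnvVarsAfter(cfg *ClusterAgentTLSVerification) map[string]string {
	envs := map[string]string{}
	if cfg == nil {
		return envs
	}
	if cfg.Enabled != nil {
		envs[EnvTLSVerificationEnabled] = strconv.FormatBool(*cfg.Enabled)
	}
	if cfg.CopyCaConfigMap != nil {
		envs[EnvTLSCopyCAConfigMap] = strconv.FormatBool(*cfg.CopyCaConfigMap)
	}
	return envs
}

func main() {
	f := false
	println(len(EnvVarsBefore(&ClusterAgentTLSVerification{Enabled: &f})), len(EnvVarsAfter(&ClusterAgentTLSVerification{Enabled: &f})))
}
```

With `enabled: false` the old rendering emits no env var at all while the new one emits one carrying `false`; an unset field emits nothing in either.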
@gabedos gabedos force-pushed the gabedos/dca-ca-cert-perms branch from c90240e to 4125b4a Compare April 4, 2026 12:50
@levan-m levan-m merged commit 52ba052 into main Apr 7, 2026
37 checks passed
@levan-m levan-m deleted the gabedos/dca-ca-cert-perms branch April 7, 2026 13:27
4 participants