From 94aea5b3bd4d50182e9f18469fa5e910eb1f260d Mon Sep 17 00:00:00 2001 From: Gabriel Dos Santos Date: Wed, 4 Mar 2026 03:12:33 +0000 Subject: [PATCH 1/4] Introduce ca cert admission controller feature --- api/datadoghq/v2alpha1/datadogagent_types.go | 18 +++++++ .../feature/admissioncontroller/envvar.go | 54 ++++++++++--------- .../feature/admissioncontroller/feature.go | 27 +++++++++- .../feature/admissioncontroller/rbac.go | 18 +++++-- 4 files changed, 87 insertions(+), 30 deletions(-) diff --git a/api/datadoghq/v2alpha1/datadogagent_types.go b/api/datadoghq/v2alpha1/datadogagent_types.go index 5ad50df0da..47ff3a6c82 100644 --- a/api/datadoghq/v2alpha1/datadogagent_types.go +++ b/api/datadoghq/v2alpha1/datadogagent_types.go @@ -1248,6 +1248,10 @@ type AgentSidecarInjectionConfig struct { // +optional // +listType=atomic Profiles []*Profile `json:"profiles,omitempty"` + + // ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + // +optional + ClusterAgentTLSVerification *AdmissionControllerClusterAgentTLSVerificationConfig `json:"clusterAgentTlsVerification,omitempty"` } // Selectors define a pod selector for sidecar injection. 
@@ -1278,6 +1282,20 @@ type Profile struct { SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` } +// AdmissionControllerClusterAgentTLSVerificationConfig configures TLS verification settings for agent sidecars. +type AdmissionControllerClusterAgentTLSVerificationConfig struct { + // Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + // Default: false + // +optional + Enabled *bool `json:"enabled,omitempty"` + + // CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + // in namespaces where sidecar injection occurs. + // Default: false + // +optional + CopyCaConfigMap *bool `json:"copyCaConfigMap,omitempty"` +} + type KubernetesAdmissionEventsConfig struct { // Enable the Kubernetes Admission Events feature. // Default: false diff --git a/internal/controller/datadogagent/feature/admissioncontroller/envvar.go b/internal/controller/datadogagent/feature/admissioncontroller/envvar.go index a149e44ac8..5085f3a536 100644 --- a/internal/controller/datadogagent/feature/admissioncontroller/envvar.go +++ b/internal/controller/datadogagent/feature/admissioncontroller/envvar.go 
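Review bot: The doc comment on `CopyCaConfigMap` in the new `AdmissionControllerClusterAgentTLSVerificationConfig` struct does not say that it only takes effect together with `Enabled` (rbac.go in this same patch gates the ConfigMap permissions on `tlsVerificationEnabled && tlsVerificationCopyCaConfigMap`), nor that turning it on makes the operator grant the service account the feature binds (`f.serviceAccountName`) cluster-wide create/update/get on ConfigMaps. Since this text is what gets propagated into the generated CRD schemas and the configuration docs, users have no other place to learn either fact, and the wording-only rewrite of the same comment in patch 3 (the `@@ -1282,14` hunk) does not add it. I would extend the comment with: `// Requires Enabled to be true. When set, the operator also grants the admission controller's service account cluster-wide get/create/update on ConfigMaps so the CA can be published into each namespace where sidecars are injected.`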
@@ -6,30 +6,32 @@ package admissioncontroller const ( - DDAdmissionControllerAgentSidecarEnabled = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED" - DDAdmissionControllerAgentSidecarClusterAgentEnabled = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_ENABLED" - DDAdmissionControllerAgentSidecarProvider = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER" - DDAdmissionControllerAgentSidecarRegistry = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY" - DDAdmissionControllerAgentSidecarImageName = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME" - DDAdmissionControllerAgentSidecarImageTag = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG" - DDAdmissionControllerAgentSidecarSelectors = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS" - DDAdmissionControllerAgentSidecarProfiles = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES" - DDAdmissionControllerEnabled = "DD_ADMISSION_CONTROLLER_ENABLED" - DDAdmissionControllerValidationEnabled = "DD_ADMISSION_CONTROLLER_VALIDATION_ENABLED" - DDAdmissionControllerMutationEnabled = "DD_ADMISSION_CONTROLLER_MUTATION_ENABLED" - DDAdmissionControllerInjectConfig = "DD_ADMISSION_CONTROLLER_INJECT_CONFIG_ENABLED" - DDAdmissionControllerInjectConfigMode = "DD_ADMISSION_CONTROLLER_INJECT_CONFIG_MODE" - DDAdmissionControllerInjectTags = "DD_ADMISSION_CONTROLLER_INJECT_TAGS_ENABLED" - DDAdmissionControllerLocalServiceName = "DD_ADMISSION_CONTROLLER_INJECT_CONFIG_LOCAL_SERVICE_NAME" - DDAdmissionControllerMutateUnlabelled = "DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED" - DDAdmissionControllerServiceName = "DD_ADMISSION_CONTROLLER_SERVICE_NAME" - DDAdmissionControllerFailurePolicy = "DD_ADMISSION_CONTROLLER_FAILURE_POLICY" - DDAdmissionControllerWebhookName = "DD_ADMISSION_CONTROLLER_WEBHOOK_NAME" - DDAdmissionControllerRegistryName = "DD_ADMISSION_CONTROLLER_CONTAINER_REGISTRY" - DDAdmissionControllerCWSInstrumentationEnabled = "DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED" - DDAdmissionControllerCWSInstrumentationMode 
= "DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE" - DDAdmissionControllerKubernetesAdmissionEventsEnabled = "DD_ADMISSION_CONTROLLER_KUBERNETES_ADMISSION_EVENTS_ENABLED" - DDAdmissionControllerProbeEnabled = "DD_ADMISSION_CONTROLLER_PROBE_ENABLED" - DDAdmissionControllerProbeInterval = "DD_ADMISSION_CONTROLLER_PROBE_INTERVAL" - DDAdmissionControllerProbeGracePeriod = "DD_ADMISSION_CONTROLLER_PROBE_GRACE_PERIOD" + DDAdmissionControllerAgentSidecarEnabled = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED" + DDAdmissionControllerAgentSidecarClusterAgentEnabled = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_ENABLED" + DDAdmissionControllerAgentSidecarProvider = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER" + DDAdmissionControllerAgentSidecarRegistry = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY" + DDAdmissionControllerAgentSidecarImageName = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME" + DDAdmissionControllerAgentSidecarImageTag = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG" + DDAdmissionControllerAgentSidecarSelectors = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS" + DDAdmissionControllerAgentSidecarProfiles = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES" + DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationEnabled = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_TLS_VERIFICATION_ENABLED" + DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationCopyCaConfigMap = "DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_TLS_VERIFICATION_COPY_CA_CONFIGMAP" + DDAdmissionControllerEnabled = "DD_ADMISSION_CONTROLLER_ENABLED" + DDAdmissionControllerValidationEnabled = "DD_ADMISSION_CONTROLLER_VALIDATION_ENABLED" + DDAdmissionControllerMutationEnabled = "DD_ADMISSION_CONTROLLER_MUTATION_ENABLED" + DDAdmissionControllerInjectConfig = "DD_ADMISSION_CONTROLLER_INJECT_CONFIG_ENABLED" + DDAdmissionControllerInjectConfigMode = "DD_ADMISSION_CONTROLLER_INJECT_CONFIG_MODE" + DDAdmissionControllerInjectTags = 
"DD_ADMISSION_CONTROLLER_INJECT_TAGS_ENABLED" + DDAdmissionControllerLocalServiceName = "DD_ADMISSION_CONTROLLER_INJECT_CONFIG_LOCAL_SERVICE_NAME" + DDAdmissionControllerMutateUnlabelled = "DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED" + DDAdmissionControllerServiceName = "DD_ADMISSION_CONTROLLER_SERVICE_NAME" + DDAdmissionControllerFailurePolicy = "DD_ADMISSION_CONTROLLER_FAILURE_POLICY" + DDAdmissionControllerWebhookName = "DD_ADMISSION_CONTROLLER_WEBHOOK_NAME" + DDAdmissionControllerRegistryName = "DD_ADMISSION_CONTROLLER_CONTAINER_REGISTRY" + DDAdmissionControllerCWSInstrumentationEnabled = "DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED" + DDAdmissionControllerCWSInstrumentationMode = "DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE" + DDAdmissionControllerKubernetesAdmissionEventsEnabled = "DD_ADMISSION_CONTROLLER_KUBERNETES_ADMISSION_EVENTS_ENABLED" + DDAdmissionControllerProbeEnabled = "DD_ADMISSION_CONTROLLER_PROBE_ENABLED" + DDAdmissionControllerProbeInterval = "DD_ADMISSION_CONTROLLER_PROBE_INTERVAL" + DDAdmissionControllerProbeGracePeriod = "DD_ADMISSION_CONTROLLER_PROBE_GRACE_PERIOD" ) diff --git a/internal/controller/datadogagent/feature/admissioncontroller/feature.go b/internal/controller/datadogagent/feature/admissioncontroller/feature.go index 1728d55213..97f8fdf5fd 100644 --- a/internal/controller/datadogagent/feature/admissioncontroller/feature.go +++ b/internal/controller/datadogagent/feature/admissioncontroller/feature.go @@ -73,6 +73,8 @@ type AgentSidecarInjectionConfig struct { imageTag string selectors []*v2alpha1.Selector profiles []*v2alpha1.Profile + tlsVerificationEnabled bool + tlsVerificationCopyCaConfigMap bool } type KubernetesAdmissionEventConfig struct { 
@@ -264,6 +266,16 @@ func (f *admissionControllerFeature) Configure(dda metav1.Object, ddaSpec *v2alp f.agentSidecarConfig.profiles = append(f.agentSidecarConfig.profiles, newProfile) } } + + // Configure TLS verification settings + if sidecarConfig.ClusterAgentTLSVerification != nil { + if sidecarConfig.ClusterAgentTLSVerification.Enabled != nil { + f.agentSidecarConfig.tlsVerificationEnabled = apiutils.BoolValue(sidecarConfig.ClusterAgentTLSVerification.Enabled) + } + if sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap != nil { + f.agentSidecarConfig.tlsVerificationCopyCaConfigMap = apiutils.BoolValue(sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap) + } + } } } @@ -292,7 +304,7 @@ func (f *admissionControllerFeature) ManageDependencies(managers feature.Resourc } // rbac - if err := managers.RBACManager().AddClusterPolicyRules(ns, rbacName, f.serviceAccountName, getRBACClusterPolicyRules(f.webhookName, f.cwsInstrumentationEnabled, f.cwsInstrumentationMode)); err != nil { + if err := managers.RBACManager().AddClusterPolicyRules(ns, rbacName, f.serviceAccountName, f.getRBACClusterPolicyRules()); err != nil { return err } if err := managers.RBACManager().AddPolicyRules(ns, rbacName, f.serviceAccountName, getRBACPolicyRules()); err != nil { 
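Review bot: The new TLS block in `Configure` repeats the long selector `sidecarConfig.ClusterAgentTLSVerification` five times; a scoped local would read better, e.g. `if tlsCfg := sidecarConfig.ClusterAgentTLSVerification; tlsCfg != nil {` followed by `f.agentSidecarConfig.tlsVerificationEnabled = apiutils.BoolValue(tlsCfg.Enabled)`. The inner `!= nil` guards only matter if `apiutils.BoolValue` does not already map a nil pointer to false; if it does (its definition is not visible here), they can be dropped and both assignments made unconditional, assuming `f.agentSidecarConfig` is freshly built earlier in `Configure` so the fields start out false. The comment `// Configure TLS verification settings` restates the code; it would be more useful as `// CopyCaConfigMap is recorded independently of Enabled here; consumers (env vars, RBAC) decide how the two combine.` `Configure` starts and ends outside the hunk.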
@@ -510,6 +522,19 @@ func (f *admissionControllerFeature) ManageClusterAgent(managers feature.PodTemp }) } + if f.agentSidecarConfig.tlsVerificationEnabled { + managers.EnvVar().AddEnvVarToContainer(apicommon.ClusterAgentContainerName, &corev1.EnvVar{ + Name: DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationEnabled, + Value: apiutils.BoolToString(&f.agentSidecarConfig.tlsVerificationEnabled), + }) + } + + if f.agentSidecarConfig.tlsVerificationCopyCaConfigMap { + managers.EnvVar().AddEnvVarToContainer(apicommon.ClusterAgentContainerName, &corev1.EnvVar{ + Name: DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationCopyCaConfigMap, + Value: apiutils.BoolToString(&f.agentSidecarConfig.tlsVerificationCopyCaConfigMap), + }) + } } return nil diff --git a/internal/controller/datadogagent/feature/admissioncontroller/rbac.go b/internal/controller/datadogagent/feature/admissioncontroller/rbac.go index 5d3b7c9ee2..72455f8659 100644 --- a/internal/controller/datadogagent/feature/admissioncontroller/rbac.go +++ b/internal/controller/datadogagent/feature/admissioncontroller/rbac.go @@ -12,7 +12,7 @@ import ( "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" ) -func getRBACClusterPolicyRules(webhookName string, cwsInstrumentationEnabled bool, cwsInstrumentationMode string) []rbacv1.PolicyRule { +func (f *admissionControllerFeature) getRBACClusterPolicyRules() []rbacv1.PolicyRule { clusterPolicyRules := []rbacv1.PolicyRule{ // ValidatingWebhooksConfigs and MutatingWebhooksConfigs { @@ -25,7 +25,7 @@ func getRBACClusterPolicyRules(webhookName string, cwsInstrumentationEnabled boo { APIGroups: []string{rbac.AdmissionAPIGroup}, Resources: []string{rbac.ValidatingConfigResource, rbac.MutatingConfigResource}, - ResourceNames: []string{webhookName}, + ResourceNames: []string{f.webhookName}, Verbs: []string{ rbac.GetVerb, rbac.ListVerb, 
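Review bot: The `DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_TLS_VERIFICATION_COPY_CA_CONFIGMAP` env var is emitted whenever `tlsVerificationCopyCaConfigMap` is true, independently of `tlsVerificationEnabled`, but the RBAC rule added in rbac.go (the `@@ -92,6` hunk) is only granted when both flags are true, so a spec with `enabled: false` and `copyCaConfigMap: true` tells the Cluster Agent to publish its CA while denying it the ConfigMap permissions to do so (whether the agent acts on the copy flag alone is not visible here). Either gate this block the same way as the RBAC rule, `if f.agentSidecarConfig.tlsVerificationEnabled && f.agentSidecarConfig.tlsVerificationCopyCaConfigMap {`, or normalise that combination once in `Configure`, so the env var and the grant can never disagree. Inside each guard `apiutils.BoolToString(&f.agentSidecarConfig.tlsVerificationEnabled)` is always `"true"`; it works, but reads as if the value could vary. `ManageClusterAgent` starts and ends outside the hunk, and I assume an enclosing `f.agentSidecarConfig != nil` check exists above it, since rbac.go adds one for the same fields.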
@@ -82,7 +82,7 @@ func getRBACClusterPolicyRules(webhookName string, cwsInstrumentationEnabled boo }, } - if cwsInstrumentationEnabled && cwsInstrumentationMode == "remote_copy" { + if f.cwsInstrumentationEnabled && f.cwsInstrumentationMode == "remote_copy" { clusterPolicyRules = append(clusterPolicyRules, rbacv1.PolicyRule{ APIGroups: []string{rbac.CoreAPIGroup}, Resources: []string{rbac.PodsExecResource}, @@ -92,6 +92,18 @@ func getRBACClusterPolicyRules(webhookName string, cwsInstrumentationEnabled boo }) } + if f.agentSidecarConfig != nil && f.agentSidecarConfig.tlsVerificationEnabled && f.agentSidecarConfig.tlsVerificationCopyCaConfigMap { + clusterPolicyRules = append(clusterPolicyRules, rbacv1.PolicyRule{ + APIGroups: []string{rbac.CoreAPIGroup}, + Resources: []string{rbac.ConfigMapsResource}, + Verbs: []string{ + rbac.CreateVerb, + rbac.UpdateVerb, + rbac.GetVerb, + }, + }) + } + return clusterPolicyRules } From 22162671c06ccbbb2920106b6271e801be8b7685 Mon Sep 17 00:00:00 2001 From: Gabriel Dos Santos Date: Wed, 4 Mar 2026 03:17:18 +0000 Subject: [PATCH 2/4] Update files --- .../v2alpha1/zz_generated.deepcopy.go | 30 +++++++++++++++++++ .../datadoghq.com_datadogagentinternals.yaml | 30 +++++++++++++++++++ ...hq.com_datadogagentinternals_v1alpha1.json | 30 +++++++++++++++++++ .../datadoghq.com_datadogagentprofiles.yaml | 15 ++++++++++ ...ghq.com_datadogagentprofiles_v1alpha1.json | 15 ++++++++++ .../bases/v1/datadoghq.com_datadogagents.yaml | 30 +++++++++++++++++++ .../datadoghq.com_datadogagents_v2alpha1.json | 30 +++++++++++++++++++ docs/configuration.v2alpha1.md | 2 ++ 8 files changed, 182 insertions(+) diff --git a/api/datadoghq/v2alpha1/zz_generated.deepcopy.go b/api/datadoghq/v2alpha1/zz_generated.deepcopy.go index 4733c0d92d..45479f4f76 100644 --- a/api/datadoghq/v2alpha1/zz_generated.deepcopy.go +++ b/api/datadoghq/v2alpha1/zz_generated.deepcopy.go 
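Review bot: The new rule in `getRBACClusterPolicyRules` grants create/update/get on ConfigMaps in every namespace (it is appended to the cluster policy rules with no `ResourceNames`), which is a much broader write grant than the feature's stated purpose, one CA ConfigMap per injected namespace, and nothing in the hunk records why that scope is needed. `create` cannot be name-restricted, but if the CA ConfigMap uses a fixed name (not visible in this patch) the `get`/`update` verbs could be narrowed with `ResourceNames` in a second rule, which limits the blast radius if the Cluster Agent's credentials are ever misused. At minimum I would add a comment above the `if`: `// Cluster-scoped on purpose: the CA ConfigMap is created in whichever namespaces sidecar injection selects, so a namespaced Role cannot cover it.` `getRBACClusterPolicyRules` starts outside the hunk.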
@@ -146,6 +146,31 @@ func (in *ASMThreatsConfig) DeepCopy() *ASMThreatsConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionControllerClusterAgentTLSVerificationConfig) DeepCopyInto(out *AdmissionControllerClusterAgentTLSVerificationConfig) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.CopyCaConfigMap != nil { + in, out := &in.CopyCaConfigMap, &out.CopyCaConfigMap + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionControllerClusterAgentTLSVerificationConfig. +func (in *AdmissionControllerClusterAgentTLSVerificationConfig) DeepCopy() *AdmissionControllerClusterAgentTLSVerificationConfig { + if in == nil { + return nil + } + out := new(AdmissionControllerClusterAgentTLSVerificationConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdmissionControllerFeatureConfig) DeepCopyInto(out *AdmissionControllerFeatureConfig) { *out = *in @@ -375,6 +400,11 @@ func (in *AgentSidecarInjectionConfig) DeepCopyInto(out *AgentSidecarInjectionCo } } } + if in.ClusterAgentTLSVerification != nil { + in, out := &in.ClusterAgentTLSVerification, &out.ClusterAgentTLSVerification + *out = new(AdmissionControllerClusterAgentTLSVerificationConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AgentSidecarInjectionConfig. diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml index 43993cffb5..755e796ec9 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml 
@@ -73,6 +73,21 @@ spec: ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true type: boolean + clusterAgentTlsVerification: + description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + properties: + copyCaConfigMap: + description: |- + CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + in namespaces where sidecar injection occurs. + Default: false + type: boolean + enabled: + description: |- + Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Default: false + type: boolean + type: object enabled: description: |- Enabled enables Sidecar injections. @@ -8490,6 +8505,21 @@ spec: ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true type: boolean + clusterAgentTlsVerification: + description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + properties: + copyCaConfigMap: + description: |- + CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + in namespaces where sidecar injection occurs. + Default: false + type: boolean + enabled: + description: |- + Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Default: false + type: boolean + type: object enabled: description: |- Enabled enables Sidecar injections. diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json index ba086e025c..f386e8031f 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json +++ b/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json 
@@ -37,6 +37,21 @@ "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true", "type": "boolean" }, + "clusterAgentTlsVerification": { + "additionalProperties": false, + "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "properties": { + "copyCaConfigMap": { + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "type": "boolean" + }, + "enabled": { + "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "type": "boolean" + } + }, + "type": "object" + }, "enabled": { "description": "Enabled enables Sidecar injections.\nDefault: false", "type": "boolean" @@ -8191,6 +8206,21 @@ "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true", "type": "boolean" }, + "clusterAgentTlsVerification": { + "additionalProperties": false, + "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "properties": { + "copyCaConfigMap": { + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "type": "boolean" + }, + "enabled": { + "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "type": "boolean" + } + }, + "type": "object" + }, "enabled": { "description": "Enabled enables Sidecar injections.\nDefault: false", "type": "boolean" diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml index aa5590b088..4bafef4311 100644 
--- a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml @@ -73,6 +73,21 @@ spec: ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true type: boolean + clusterAgentTlsVerification: + description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + properties: + copyCaConfigMap: + description: |- + CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + in namespaces where sidecar injection occurs. + Default: false + type: boolean + enabled: + description: |- + Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Default: false + type: boolean + type: object enabled: description: |- Enabled enables Sidecar injections. diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json index 4dbcc7317b..3b81bf4928 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json +++ b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json 
@@ -41,6 +41,21 @@ "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true", "type": "boolean" }, + "clusterAgentTlsVerification": { + "additionalProperties": false, + "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "properties": { + "copyCaConfigMap": { + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "type": "boolean" + }, + "enabled": { + "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "type": "boolean" + } + }, + "type": "object" + }, "enabled": { "description": "Enabled enables Sidecar injections.\nDefault: false", "type": "boolean" diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml index 4dde7e8f70..2730873dca 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml @@ -73,6 +73,21 @@ spec: ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true type: boolean + clusterAgentTlsVerification: + description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + properties: + copyCaConfigMap: + description: |- + CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + in namespaces where sidecar injection occurs. + Default: false + type: boolean + enabled: + description: |- + Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Default: false + type: boolean + type: object enabled: description: |- Enabled enables Sidecar injections. 
@@ -8540,6 +8555,21 @@ spec: ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true type: boolean + clusterAgentTlsVerification: + description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + properties: + copyCaConfigMap: + description: |- + CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + in namespaces where sidecar injection occurs. + Default: false + type: boolean + enabled: + description: |- + Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Default: false + type: boolean + type: object enabled: description: |- Enabled enables Sidecar injections. diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json index e7b9123233..6d91aec18c 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json +++ b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json @@ -37,6 +37,21 @@ "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true", "type": "boolean" }, + "clusterAgentTlsVerification": { + "additionalProperties": false, + "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "properties": { + "copyCaConfigMap": { + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "type": "boolean" + }, + "enabled": { + "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "type": "boolean" + } + }, + "type": "object" + }, "enabled": { "description": "Enabled enables Sidecar injections.\nDefault: false", "type": "boolean" 
@@ -8256,6 +8271,21 @@ "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true", "type": "boolean" }, + "clusterAgentTlsVerification": { + "additionalProperties": false, + "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "properties": { + "copyCaConfigMap": { + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "type": "boolean" + }, + "enabled": { + "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "type": "boolean" + } + }, + "type": "object" + }, "enabled": { "description": "Enabled enables Sidecar injections.\nDefault: false", "type": "boolean" diff --git a/docs/configuration.v2alpha1.md b/docs/configuration.v2alpha1.md index 9640c91d49..2155d9af45 100644 --- a/docs/configuration.v2alpha1.md +++ b/docs/configuration.v2alpha1.md 
@@ -35,6 +35,8 @@ spec: | --------- | ----------- | | features.admissionController.agentCommunicationMode | AgentCommunicationMode corresponds to the mode used by the Datadog application libraries to communicate with the Agent. It can be "hostip", "service", or "socket". | | features.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled | ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true | +| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.copyCaConfigMap | CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate in namespaces where sidecar injection occurs. Default: false | +| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.enabled | Enables TLS verification for agent sidecars communicating with the cluster agent. Default: false | | features.admissionController.agentSidecarInjection.enabled | Enables Sidecar injections. Default: false | | features.admissionController.agentSidecarInjection.image.jmxEnabled | Define whether the Agent image should support JMX. To be used if the `Name` field does not correspond to a full image string. | | features.admissionController.agentSidecarInjection.image.name | Defines the Agent image name for the pod. You can provide this as: * `` - Use `agent` for the Datadog Agent, `cluster-agent` for the Datadog Cluster Agent, or `dogstatsd` for DogStatsD. The full image string is derived from `global.registry`, `[key].image.tag`, and `[key].image.jmxEnabled`. * `:` - For example, `agent:latest`. The registry is derived from `global.registry`. `[key].image.tag` and `[key].image.jmxEnabled` are ignored. * `/:` - For example, `gcr.io/datadoghq/agent:latest`. If the full image string is specified like this, then `global.registry`, `[key].image.tag`, and `[key].image.jmxEnabled` are ignored. | 
From 456c360263db0dbe49bfa49a153cecb21729b487 Mon Sep 17 00:00:00 2001 From: Gabriel Dos Santos Date: Wed, 4 Mar 2026 21:06:48 +0000 Subject: [PATCH 3/4] Update docs --- api/datadoghq/v2alpha1/datadogagent_types.go | 8 ++++---- .../v1/datadoghq.com_datadogagentinternals.yaml | 12 ++++++------ ...datadoghq.com_datadogagentinternals_v1alpha1.json | 12 ++++++------ .../bases/v1/datadoghq.com_datadogagentprofiles.yaml | 6 +++--- .../datadoghq.com_datadogagentprofiles_v1alpha1.json | 6 +++--- config/crd/bases/v1/datadoghq.com_datadogagents.yaml | 12 ++++++------ .../v1/datadoghq.com_datadogagents_v2alpha1.json | 12 ++++++------ docs/configuration.v2alpha1.md | 4 ++-- 8 files changed, 36 insertions(+), 36 deletions(-) diff --git a/api/datadoghq/v2alpha1/datadogagent_types.go b/api/datadoghq/v2alpha1/datadogagent_types.go index 47ff3a6c82..f0f1ef3ac9 100644 --- a/api/datadoghq/v2alpha1/datadogagent_types.go +++ b/api/datadoghq/v2alpha1/datadogagent_types.go @@ -1249,7 +1249,7 @@ type AgentSidecarInjectionConfig struct { // +listType=atomic Profiles []*Profile `json:"profiles,omitempty"` - // ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + // ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication. // +optional ClusterAgentTLSVerification *AdmissionControllerClusterAgentTLSVerificationConfig `json:"clusterAgentTlsVerification,omitempty"` } 
@@ -1282,14 +1282,14 @@ type Profile struct { SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` } -// AdmissionControllerClusterAgentTLSVerificationConfig configures TLS verification settings for agent sidecars. +// AdmissionControllerClusterAgentTLSVerificationConfig configures TLS verification settings for Agent sidecars. type AdmissionControllerClusterAgentTLSVerificationConfig struct { - // Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + // Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent. // Default: false // +optional Enabled *bool `json:"enabled,omitempty"` - // CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + // CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate // in namespaces where sidecar injection occurs. // Default: false // +optional diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml index 755e796ec9..30ad410214 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml 
@@ -74,17 +74,17 @@ spec: Default : true type: boolean clusterAgentTlsVerification: - description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication. properties: copyCaConfigMap: description: |- - CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false type: boolean enabled: description: |- - Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false type: boolean type: object @@ -8506,17 +8506,17 @@ spec: Default : true type: boolean clusterAgentTlsVerification: - description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication. properties: copyCaConfigMap: description: |- - CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false type: boolean enabled: description: |- - Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false type: boolean type: object 
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json index f386e8031f..b6e0f69009 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json +++ b/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json @@ -39,14 +39,14 @@ }, "clusterAgentTlsVerification": { "additionalProperties": false, - "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.", "properties": { "copyCaConfigMap": { - "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", "type": "boolean" }, "enabled": { - "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false", "type": "boolean" } }, 
@@ -8208,14 +8208,14 @@ }, "clusterAgentTlsVerification": { "additionalProperties": false, - "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.", "properties": { "copyCaConfigMap": { - "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", "type": "boolean" }, "enabled": { - "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false", "type": "boolean" } }, diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml index 4bafef4311..afd1b0e507 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml 
@@ -74,17 +74,17 @@ spec: Default : true type: boolean clusterAgentTlsVerification: - description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication. properties: copyCaConfigMap: description: |- - CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false type: boolean enabled: description: |- - Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false type: boolean type: object diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json index 3b81bf4928..3185fb8533 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json +++ b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json 
@@ -43,14 +43,14 @@ }, "clusterAgentTlsVerification": { "additionalProperties": false, - "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.", "properties": { "copyCaConfigMap": { - "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", "type": "boolean" }, "enabled": { - "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false", "type": "boolean" } }, diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml index 2730873dca..4cd3120be4 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml 
@@ -74,17 +74,17 @@ spec: Default : true type: boolean clusterAgentTlsVerification: - description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication. properties: copyCaConfigMap: description: |- - CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false type: boolean enabled: description: |- - Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false type: boolean type: object @@ -8556,17 +8556,17 @@ spec: Default : true type: boolean clusterAgentTlsVerification: - description: ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication. + description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication. properties: copyCaConfigMap: description: |- - CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate + CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false type: boolean enabled: description: |- - Enabled enables TLS verification for agent sidecars communicating with the cluster agent. + Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false type: boolean type: object diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json index 6d91aec18c..119d534453 100644 
--- a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json +++ b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json @@ -39,14 +39,14 @@ }, "clusterAgentTlsVerification": { "additionalProperties": false, - "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.", "properties": { "copyCaConfigMap": { - "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", "type": "boolean" }, "enabled": { - "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false", "type": "boolean" } }, 
@@ -8273,14 +8273,14 @@ }, "clusterAgentTlsVerification": { "additionalProperties": false, - "description": "ClusterAgentTLSVerification configures TLS verification for sidecar-to-cluster-agent communication.", + "description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.", "properties": { "copyCaConfigMap": { - "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", + "description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false", "type": "boolean" }, "enabled": { - "description": "Enabled enables TLS verification for agent sidecars communicating with the cluster agent.\nDefault: false", + "description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false", "type": "boolean" } }, diff --git a/docs/configuration.v2alpha1.md b/docs/configuration.v2alpha1.md index 2155d9af45..3705d38cdd 100644 --- a/docs/configuration.v2alpha1.md +++ b/docs/configuration.v2alpha1.md 
@@ -35,8 +35,8 @@ spec: | --------- | ----------- | | features.admissionController.agentCommunicationMode | AgentCommunicationMode corresponds to the mode used by the Datadog application libraries to communicate with the Agent. It can be "hostip", "service", or "socket". | | features.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled | ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true | -| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.copyCaConfigMap | CopyCaConfigMap enables automatic creation of a ConfigMap containing the cluster agent's CA certificate in namespaces where sidecar injection occurs. Default: false | -| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.enabled | Enables TLS verification for agent sidecars communicating with the cluster agent. Default: false | +| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.copyCaConfigMap | CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false | +| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.enabled | Enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false | | features.admissionController.agentSidecarInjection.enabled | Enables Sidecar injections. Default: false | | features.admissionController.agentSidecarInjection.image.jmxEnabled | Define whether the Agent image should support JMX. To be used if the `Name` field does not correspond to a full image string. | | features.admissionController.agentSidecarInjection.image.name | Defines the Agent image name for the pod. You can provide this as: * `` - Use `agent` for the Datadog Agent, `cluster-agent` for the Datadog Cluster Agent, or `dogstatsd` for DogStatsD. 
The full image string is derived from `global.registry`, `[key].image.tag`, and `[key].image.jmxEnabled`. * `:` - For example, `agent:latest`. The registry is derived from `global.registry`. `[key].image.tag` and `[key].image.jmxEnabled` are ignored. * `/:` - For example, `gcr.io/datadoghq/agent:latest`. If the full image string is specified like this, then `global.registry`, `[key].image.tag`, and `[key].image.jmxEnabled` are ignored. | From 4125b4a19f6ebf12c7315b3bff752bd7bd567552 Mon Sep 17 00:00:00 2001 From: Gabriel Dos Santos Date: Sat, 4 Apr 2026 08:44:08 -0400 Subject: [PATCH 4/4] Always set TLS verification env vars when explicitly configured Previously the sidecar TLS verification env vars were only set when enabled=true. This changes the fields to *bool so the env vars are always passed to DCA when explicitly configured, even when false, preventing Agent default changes from overriding user intent. Adds unit tests for both enabled and explicitly disabled cases. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../feature/admissioncontroller/feature.go | 16 +++--- .../admissioncontroller/feature_test.go | 56 +++++++++++++++---- .../feature/admissioncontroller/rbac.go | 3 +- pkg/testutils/builder.go | 11 ++++ 4 files changed, 67 insertions(+), 19 deletions(-) diff --git a/internal/controller/datadogagent/feature/admissioncontroller/feature.go b/internal/controller/datadogagent/feature/admissioncontroller/feature.go index dec23fde23..65ced7ca81 100644 --- a/internal/controller/datadogagent/feature/admissioncontroller/feature.go +++ b/internal/controller/datadogagent/feature/admissioncontroller/feature.go @@ -74,8 +74,8 @@ type AgentSidecarInjectionConfig struct { imageTag string selectors []*v2alpha1.Selector profiles []*v2alpha1.Profile - tlsVerificationEnabled bool - tlsVerificationCopyCaConfigMap bool + tlsVerificationEnabled *bool + tlsVerificationCopyCaConfigMap *bool } type KubernetesAdmissionEventConfig struct { 
@@ -271,10 +271,10 @@ func (f *admissionControllerFeature) Configure(dda metav1.Object, ddaSpec *v2alp // Configure TLS verification settings if sidecarConfig.ClusterAgentTLSVerification != nil { if sidecarConfig.ClusterAgentTLSVerification.Enabled != nil { - f.agentSidecarConfig.tlsVerificationEnabled = apiutils.BoolValue(sidecarConfig.ClusterAgentTLSVerification.Enabled) + f.agentSidecarConfig.tlsVerificationEnabled = sidecarConfig.ClusterAgentTLSVerification.Enabled } if sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap != nil { - f.agentSidecarConfig.tlsVerificationCopyCaConfigMap = apiutils.BoolValue(sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap) + f.agentSidecarConfig.tlsVerificationCopyCaConfigMap = sidecarConfig.ClusterAgentTLSVerification.CopyCaConfigMap } } } @@ -523,17 +523,17 @@ func (f *admissionControllerFeature) ManageClusterAgent(managers feature.PodTemp }) } - if f.agentSidecarConfig.tlsVerificationEnabled { + if f.agentSidecarConfig.tlsVerificationEnabled != nil { managers.EnvVar().AddEnvVarToContainer(apicommon.ClusterAgentContainerName, &corev1.EnvVar{ Name: DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationEnabled, - Value: apiutils.BoolToString(&f.agentSidecarConfig.tlsVerificationEnabled), + Value: apiutils.BoolToString(f.agentSidecarConfig.tlsVerificationEnabled), }) } - if f.agentSidecarConfig.tlsVerificationCopyCaConfigMap { + if f.agentSidecarConfig.tlsVerificationCopyCaConfigMap != nil { managers.EnvVar().AddEnvVarToContainer(apicommon.ClusterAgentContainerName, &corev1.EnvVar{ Name: DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationCopyCaConfigMap, - Value: apiutils.BoolToString(&f.agentSidecarConfig.tlsVerificationCopyCaConfigMap), + Value: apiutils.BoolToString(f.agentSidecarConfig.tlsVerificationCopyCaConfigMap), }) } } 
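Review bot: In the ManageClusterAgent hunk the new nil checks mean an unset `clusterAgentTlsVerification` emits neither env var, so the effective setting becomes whatever the Cluster Agent's own default is, while the CRD descriptions earlier in this series state `Default: false` for both fields; if that Agent default ever changes, sidecars silently change TLS behavior, which is the drift the commit message says it wants to prevent. Either state the nil semantics where the check is made, e.g. `// nil: field not set in the CRD; emit nothing so the Cluster Agent's built-in default applies`, or emit an explicit value for the nil case so the operator rather than the Agent owns the default. With verification off the sidecar accepts any certificate presented by the Cluster Agent, so which side owns that default is security relevant and worth spelling out in the field docs. ManageClusterAgent and Configure both start outside this hunk.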
diff --git a/internal/controller/datadogagent/feature/admissioncontroller/feature_test.go b/internal/controller/datadogagent/feature/admissioncontroller/feature_test.go index 5f05187b16..dd57ee87f1 100644 --- a/internal/controller/datadogagent/feature/admissioncontroller/feature_test.go +++ b/internal/controller/datadogagent/feature/admissioncontroller/feature_test.go @@ -20,6 +20,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" ) func Test_admissionControllerFeature_Configure(t *testing.T) { @@ -112,7 +113,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, false, false)), + sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, false, false, nil, nil)), }, { Name: "Admission Controller enabled with sidecar injection adding global registry", @@ -123,7 +124,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "globalRegistry", "globalRegistry", "agent", images.AgentLatestVersion, false, false)), + sidecarInjectionWantFunc("", "globalRegistry", "globalRegistry", "agent", images.AgentLatestVersion, false, false, nil, nil)), }, { Name: "Admission Controller enabled with sidecar injection adding both sidecar and global registry", 
@@ -135,7 +136,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "globalRegistry", "sidecarRegistry", "agent", images.AgentLatestVersion, false, false)), + sidecarInjectionWantFunc("", "globalRegistry", "sidecarRegistry", "agent", images.AgentLatestVersion, false, false, nil, nil)), }, { Name: "Admission Controller enabled with sidecar injection adding test sidecar image and tag", @@ -147,7 +148,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "", "", "testAgentImage", "testAgentTag", false, false)), + sidecarInjectionWantFunc("", "", "", "testAgentImage", "testAgentTag", false, false, nil, nil)), }, { Name: "Admission Controller enabled with sidecar injection adding global image and tag", @@ -165,7 +166,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "", "", "overrideName", "overrideTag", false, false)), + sidecarInjectionWantFunc("", "", "", "overrideName", "overrideTag", false, false, nil, nil)), }, { Name: "Admission Controller enabled with sidecar injection adding both global and sidecar image and tag", @@ -183,7 +184,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "", "", "sidecarAgent", "sidecarTag", false, false)), + sidecarInjectionWantFunc("", "", "", "sidecarAgent", "sidecarTag", false, false, nil, nil)), }, { Name: "Admission Controller enabled with sidecar injection with selector and profile", 
@@ -195,7 +196,29 @@ func Test_admissionControllerFeature_Configure(t *testing.T) { Build(), WantConfigure: true, ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( - sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, true, true)), + sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, true, true, nil, nil)), + }, + { + Name: "Admission Controller enabled with sidecar TLS verification enabled", + DDA: testutils.NewDatadogAgentBuilder(). + WithAdmissionControllerEnabled(true). + WithSidecarInjectionEnabled(true). + WithSidecarInjectionTLSVerification(true, true). + Build(), + WantConfigure: true, + ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( + sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, false, false, ptr.To(true), ptr.To(true))), + }, + { + Name: "Admission Controller enabled with sidecar TLS verification explicitly disabled", + DDA: testutils.NewDatadogAgentBuilder(). + WithAdmissionControllerEnabled(true). + WithSidecarInjectionEnabled(true). + WithSidecarInjectionTLSVerification(false, false). + Build(), + WantConfigure: true, + ClusterAgent: test.NewDefaultComponentTest().WithWantFunc( + sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, false, false, ptr.To(false), ptr.To(false))), }, { Name: "Admission Controller enabled with probe explicitly disabled", @@ -415,7 +438,7 @@ func sidecarHelperFunc(admissionControllerConfig, sidecarConfig []*corev1.EnvVar return envVars } -func getSidecarEnvVars(imageName, imageTag, registry string, selectors, profiles bool) []*corev1.EnvVar { +func getSidecarEnvVars(imageName, imageTag, registry string, selectors, profiles bool, tlsVerificationEnabled, tlsVerificationCopyCaConfigMap *bool) []*corev1.EnvVar { envVars := []*corev1.EnvVar{ { Name: DDAdmissionControllerAgentSidecarEnabled, 
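Review bot: The two added cases set `enabled` and `copyCaConfigMap` to the same value, so they cannot distinguish "each env var is gated by its own field" from "both are gated by enabled", which is exactly what the separate nil checks in ManageClusterAgent are meant to guarantee. A mixed case is the one that pins that behavior; the unset case is already covered by the existing `nil, nil` expectations. I would add a third case using the same builder and want helper.

```go
// … unchanged: existing TLS verification cases …
{
	Name: "Admission Controller enabled with sidecar TLS verification enabled but CA ConfigMap copy disabled",
	DDA: testutils.NewDatadogAgentBuilder().
		WithAdmissionControllerEnabled(true).
		WithSidecarInjectionEnabled(true).
		WithSidecarInjectionTLSVerification(true, false).
		Build(),
	WantConfigure: true,
	ClusterAgent: test.NewDefaultComponentTest().WithWantFunc(
		sidecarInjectionWantFunc("", "", "", "agent", images.AgentLatestVersion, false, false, ptr.To(true), ptr.To(false))),
},
```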
@@ -461,6 +484,19 @@ func getSidecarEnvVars(imageName, imageTag, registry string, selectors, profiles envVars = append(envVars, &profileEnv) } + if tlsVerificationEnabled != nil { + envVars = append(envVars, &corev1.EnvVar{ + Name: DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationEnabled, + Value: apiutils.BoolToString(tlsVerificationEnabled), + }) + } + if tlsVerificationCopyCaConfigMap != nil { + envVars = append(envVars, &corev1.EnvVar{ + Name: DDAdmissionControllerAgentSidecarClusterAgentTLSVerificationCopyCaConfigMap, + Value: apiutils.BoolToString(tlsVerificationCopyCaConfigMap), + }) + } + return envVars } @@ -565,11 +601,11 @@ func getACEnvVarsNoProbe(validation, mutation bool, acm, registry string, cws bo return envVars } -func sidecarInjectionWantFunc(acm, acRegistry, sidecarRegstry, imageName, imageTag string, selectors, profiles bool) func(testing.TB, feature.PodTemplateManagers) { +func sidecarInjectionWantFunc(acm, acRegistry, sidecarRegstry, imageName, imageTag string, selectors, profiles bool, tlsVerificationEnabled, tlsVerificationCopyCaConfigMap *bool) func(testing.TB, feature.PodTemplateManagers) { return func(t testing.TB, mgrInterface feature.PodTemplateManagers) { mgr := mgrInterface.(*fake.PodTemplateManagers) dcaEnvVars := mgr.EnvVarMgr.EnvVarsByC[apicommon.ClusterAgentContainerName] - want := sidecarHelperFunc(getACEnvVars(false, false, acm, acRegistry, false), getSidecarEnvVars(imageName, imageTag, sidecarRegstry, selectors, profiles)) + want := sidecarHelperFunc(getACEnvVars(false, false, acm, acRegistry, false), getSidecarEnvVars(imageName, imageTag, sidecarRegstry, selectors, profiles, tlsVerificationEnabled, tlsVerificationCopyCaConfigMap)) assert.ElementsMatch( t, dcaEnvVars, diff --git a/internal/controller/datadogagent/feature/admissioncontroller/rbac.go b/internal/controller/datadogagent/feature/admissioncontroller/rbac.go index 72455f8659..35eed949ce 100644 
--- a/internal/controller/datadogagent/feature/admissioncontroller/rbac.go +++ b/internal/controller/datadogagent/feature/admissioncontroller/rbac.go @@ -8,6 +8,7 @@ package admissioncontroller import ( rbacv1 "k8s.io/api/rbac/v1" + apiutils "github.com/DataDog/datadog-operator/api/utils" "github.com/DataDog/datadog-operator/pkg/extendeddaemonset" "github.com/DataDog/datadog-operator/pkg/kubernetes/rbac" ) @@ -92,7 +93,7 @@ func (f *admissionControllerFeature) getRBACClusterPolicyRules() []rbacv1.Policy }) } - if f.agentSidecarConfig != nil && f.agentSidecarConfig.tlsVerificationEnabled && f.agentSidecarConfig.tlsVerificationCopyCaConfigMap { + if f.agentSidecarConfig != nil && apiutils.BoolValue(f.agentSidecarConfig.tlsVerificationEnabled) && apiutils.BoolValue(f.agentSidecarConfig.tlsVerificationCopyCaConfigMap) { clusterPolicyRules = append(clusterPolicyRules, rbacv1.PolicyRule{ APIGroups: []string{rbac.CoreAPIGroup}, Resources: []string{rbac.ConfigMapsResource}, diff --git a/pkg/testutils/builder.go b/pkg/testutils/builder.go index 94222ed247..7e90bf02c2 100644 --- a/pkg/testutils/builder.go +++ b/pkg/testutils/builder.go 
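Review bot: The ConfigMap rule is granted only when both `tlsVerificationEnabled` and `tlsVerificationCopyCaConfigMap` are true, but the feature.go hunk in this commit emits the COPY_CA_CONFIGMAP env var whenever that field alone is non-nil; if the Cluster Agent acts on `copyCaConfigMap=true` without `enabled=true` (its behavior is not visible here) it would attempt to write ConfigMaps with no RBAC for it, and if it does not, the env var is inert. Gate the env var and the rule on the same condition, or at least record the coupling next to the check, e.g. `// CA ConfigMap copying is only meaningful with TLS verification enabled; RBAC is granted for that combination only.` Since this lives in getRBACClusterPolicyRules, whatever ConfigMap verbs the rule carries (outside the hunk) apply in every namespace, which is inherent to copying into arbitrary injection namespaces but deserves a sentence in the field docs. getRBACClusterPolicyRules starts and ends outside this hunk.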
@@ -392,6 +392,17 @@ func (builder *DatadogAgentBuilder) WithSidecarInjectionProfiles(envKey, envValu return builder } +func (builder *DatadogAgentBuilder) WithSidecarInjectionTLSVerification(enabled, copyCaConfigMap bool) *DatadogAgentBuilder { + builder.initAdmissionController() + builder.initSidecarInjection() + if builder.datadogAgent.Spec.Features.AdmissionController.AgentSidecarInjection.ClusterAgentTLSVerification == nil { + builder.datadogAgent.Spec.Features.AdmissionController.AgentSidecarInjection.ClusterAgentTLSVerification = &v2alpha1.AdmissionControllerClusterAgentTLSVerificationConfig{} + } + builder.datadogAgent.Spec.Features.AdmissionController.AgentSidecarInjection.ClusterAgentTLSVerification.Enabled = ptr.To(enabled) + builder.datadogAgent.Spec.Features.AdmissionController.AgentSidecarInjection.ClusterAgentTLSVerification.CopyCaConfigMap = ptr.To(copyCaConfigMap) + return builder +} + // Process Discovery func (builder *DatadogAgentBuilder) initProcessDiscovery() { if builder.datadogAgent.Spec.Features.ProcessDiscovery == nil {
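Review bot: `WithSidecarInjectionTLSVerification(enabled, copyCaConfigMap bool)` always sets both pointers, so tests built with it cannot express the partially-unset cases (one field set, the other nil) that this commit makes behaviorally distinct from false. Taking pointers instead, `func (builder *DatadogAgentBuilder) WithSidecarInjectionTLSVerification(enabled, copyCaConfigMap *bool) *DatadogAgentBuilder`, and assigning `.Enabled = enabled` and `.CopyCaConfigMap = copyCaConfigMap` directly lets callers pass `ptr.To(true), nil`; the two call sites in feature_test.go would wrap their arguments in `ptr.To`. A one-line doc comment stating that a nil argument leaves the field unset would make the builder match the intent of the change.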