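--- a/api/datadoghq/v2alpha1/datadogagent_types.go
+++ b/api/datadoghq/v2alpha1/datadogagent_types.go
@@ -1248,6 +1248,10 @@ type AgentSidecarInjectionConfig struct {
 // +optional
 // +listType=atomic
 Profiles []*Profile `json:"profiles,omitempty"`
+
+// ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.
+// +optional
+ClusterAgentTLSVerification *AdmissionControllerClusterAgentTLSVerificationConfig `json:"clusterAgentTlsVerification,omitempty"`
 }
 
 // Selectors define a pod selector for sidecar injection.
@@ -1278,6 +1282,20 @@ type Profile struct {
 SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
+// AdmissionControllerClusterAgentTLSVerificationConfig configures TLS verification settings for Agent sidecars.
+type AdmissionControllerClusterAgentTLSVerificationConfig struct {
+// Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.
+// Default: false
+// +optional
+Enabled *bool `json:"enabled,omitempty"`
+
+// CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate
+// in namespaces where sidecar injection occurs.
+// Default: false
+// +optional
+CopyCaConfigMap *bool `json:"copyCaConfigMap,omitempty"`
+}
+
 type KubernetesAdmissionEventsConfig struct {
 // Enable the Kubernetes Admission Events feature.
 // Default: false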
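Review bot: The comments on `Enabled` and `CopyCaConfigMap` in `AdmissionControllerClusterAgentTLSVerificationConfig` do not say how the two flags relate, so a reader cannot tell where a sidecar gets the CA from when `Enabled` is true and `CopyCaConfigMap` stays at its default of false. If the intent is that the CA must then already be present, say so on the field, for example `// If Enabled is true and CopyCaConfigMap is false, the CA ConfigMap must be made available in each injected namespace by other means.`; that behaviour is inferred from the field names and should be confirmed against the injection code, which is not in this section. It would also help to state on `Enabled` that with the default of false the sidecar does not verify the Cluster Agent's certificate, and on `CopyCaConfigMap` that only the CA certificate, never its private key, is copied into workload namespaces. As a style point, Go initialism convention would name the field `CopyCAConfigMap` while keeping the `copyCaConfigMap` JSON tag.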
30 changes: 30 additions & 0 deletions api/datadoghq/v2alpha1/zz_generated.deepcopy.go


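--- a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml
+++ b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml
@@ -73,6 +73,21 @@ spec:
 ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.
 Default : true
 type: boolean
+clusterAgentTlsVerification:
+description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.
+properties:
+copyCaConfigMap:
+description: |-
+CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate
+in namespaces where sidecar injection occurs.
+Default: false
+type: boolean
+enabled:
+description: |-
+Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.
+Default: false
+type: boolean
+type: object
 enabled:
 description: |-
 Enabled enables Sidecar injections.
@@ -8490,6 +8505,21 @@ spec:
 ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.
 Default : true
 type: boolean
+clusterAgentTlsVerification:
+description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.
+properties:
+copyCaConfigMap:
+description: |-
+CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate
+in namespaces where sidecar injection occurs.
+Default: false
+type: boolean
+enabled:
+description: |-
+Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.
+Default: false
+type: boolean
+type: object
 enabled:
 description: |-
 Enabled enables Sidecar injections.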
@@ -37,6 +37,21 @@
"description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true",
"type": "boolean"
},
"clusterAgentTlsVerification": {
"additionalProperties": false,
"description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.",
"properties": {
"copyCaConfigMap": {
"description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false",
"type": "boolean"
},
"enabled": {
"description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false",
"type": "boolean"
}
},
"type": "object"
},
"enabled": {
"description": "Enabled enables Sidecar injections.\nDefault: false",
"type": "boolean"
@@ -8191,6 +8206,21 @@
"description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true",
"type": "boolean"
},
"clusterAgentTlsVerification": {
"additionalProperties": false,
"description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.",
"properties": {
"copyCaConfigMap": {
"description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false",
"type": "boolean"
},
"enabled": {
"description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false",
"type": "boolean"
}
},
"type": "object"
},
"enabled": {
"description": "Enabled enables Sidecar injections.\nDefault: false",
"type": "boolean"
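--- a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml
+++ b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml
@@ -73,6 +73,21 @@ spec:
 ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.
 Default : true
 type: boolean
+clusterAgentTlsVerification:
+description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.
+properties:
+copyCaConfigMap:
+description: |-
+CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate
+in namespaces where sidecar injection occurs.
+Default: false
+type: boolean
+enabled:
+description: |-
+Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.
+Default: false
+type: boolean
+type: object
 enabled:
 description: |-
 Enabled enables Sidecar injections.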
@@ -41,6 +41,21 @@
"description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true",
"type": "boolean"
},
"clusterAgentTlsVerification": {
"additionalProperties": false,
"description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.",
"properties": {
"copyCaConfigMap": {
"description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false",
"type": "boolean"
},
"enabled": {
"description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false",
"type": "boolean"
}
},
"type": "object"
},
"enabled": {
"description": "Enabled enables Sidecar injections.\nDefault: false",
"type": "boolean"
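--- a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
+++ b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
@@ -73,6 +73,21 @@ spec:
 ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.
 Default : true
 type: boolean
+clusterAgentTlsVerification:
+description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.
+properties:
+copyCaConfigMap:
+description: |-
+CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate
+in namespaces where sidecar injection occurs.
+Default: false
+type: boolean
+enabled:
+description: |-
+Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.
+Default: false
+type: boolean
+type: object
 enabled:
 description: |-
 Enabled enables Sidecar injections.
@@ -8540,6 +8555,21 @@ spec:
 ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.
 Default : true
 type: boolean
+clusterAgentTlsVerification:
+description: ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.
+properties:
+copyCaConfigMap:
+description: |-
+CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate
+in namespaces where sidecar injection occurs.
+Default: false
+type: boolean
+enabled:
+description: |-
+Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.
+Default: false
+type: boolean
+type: object
 enabled:
 description: |-
 Enabled enables Sidecar injections.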
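--- a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json
+++ b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json
@@ -37,6 +37,21 @@
 "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true",
 "type": "boolean"
 },
+"clusterAgentTlsVerification": {
+"additionalProperties": false,
+"description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.",
+"properties": {
+"copyCaConfigMap": {
+"description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false",
+"type": "boolean"
+},
+"enabled": {
+"description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false",
+"type": "boolean"
+}
+},
+"type": "object"
+},
 "enabled": {
 "description": "Enabled enables Sidecar injections.\nDefault: false",
 "type": "boolean"
@@ -8256,6 +8271,21 @@
 "description": "ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent.\nDefault : true",
 "type": "boolean"
 },
+"clusterAgentTlsVerification": {
+"additionalProperties": false,
+"description": "ClusterAgentTLSVerification configures TLS verification for Agent sidecar to Cluster Agent communication.",
+"properties": {
+"copyCaConfigMap": {
+"description": "CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate\nin namespaces where sidecar injection occurs.\nDefault: false",
+"type": "boolean"
+},
+"enabled": {
+"description": "Enabled enables TLS verification for agent sidecars communicating with the Cluster Agent.\nDefault: false",
+"type": "boolean"
+}
+},
+"type": "object"
+},
 "enabled": {
 "description": "Enabled enables Sidecar injections.\nDefault: false",
 "type": "boolean"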
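--- a/docs/configuration.v2alpha1.md
+++ b/docs/configuration.v2alpha1.md
@@ -35,6 +35,8 @@ spec:
 | --------- | ----------- |
 | features.admissionController.agentCommunicationMode | AgentCommunicationMode corresponds to the mode used by the Datadog application libraries to communicate with the Agent. It can be "hostip", "service", or "socket". |
 | features.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled | ClusterAgentCommunicationEnabled enables communication between Agent sidecars and the Cluster Agent. Default : true |
+| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.copyCaConfigMap | CopyCaConfigMap enables automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs. Default: false |
+| features.admissionController.agentSidecarInjection.clusterAgentTlsVerification.enabled | Enables TLS verification for agent sidecars communicating with the Cluster Agent. Default: false |
 | features.admissionController.agentSidecarInjection.enabled | Enables Sidecar injections. Default: false |
 | features.admissionController.agentSidecarInjection.image.jmxEnabled | Define whether the Agent image should support JMX. To be used if the `Name` field does not correspond to a full image string. |
 | features.admissionController.agentSidecarInjection.image.name | Defines the Agent image name for the pod. You can provide this as: * `<NAME>` - Use `agent` for the Datadog Agent, `cluster-agent` for the Datadog Cluster Agent, or `dogstatsd` for DogStatsD. The full image string is derived from `global.registry`, `[key].image.tag`, and `[key].image.jmxEnabled`. * `<NAME>:<TAG>` - For example, `agent:latest`. The registry is derived from `global.registry`. `[key].image.tag` and `[key].image.jmxEnabled` are ignored. * `<REGISTRY>/<NAME>:<TAG>` - For example, `gcr.io/datadoghq/agent:latest`. If the full image string is specified like this, then `global.registry`, `[key].image.tag`, and `[key].image.jmxEnabled` are ignored. |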