Add support for system-probe extra volumeMounts (#323)

api/v1alpha1/datadogagent_types.go

@@ -578,6 +578,13 @@ type SystemProbeSpec struct {
 	// +listMapKey=name
 	Env []corev1.EnvVar `json:"env,omitempty"`
 
+	// Specify additional volume mounts in the Security Agent container.
+	// +optional
+	// +listType=map
+	// +listMapKey=name
+	// +listMapKey=mountPath
+	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
+
 	// Datadog SystemProbe resource requests and limits.
 	// Make sure to keep requests and limits equal to keep the pods in the Guaranteed QoS class.
 	// See also: http://kubernetes.io/docs/user-guide/compute-resources/

config/crd/bases/v1/datadoghq.com_datadogagents.yaml

@@ -3822,6 +3822,52 @@ spec:
                                 type: string
                             type: object
                         type: object
+                      volumeMounts:
+                        description: Specify additional volume mounts in the Security
+                          Agent container.
+                        items:
+                          description: VolumeMount describes a mounting of a Volume
+                            within a container.
+                          properties:
+                            mountPath:
+                              description: Path within the container at which the
+                                volume should be mounted.  Must not contain ':'.
+                              type: string
+                            mountPropagation:
+                              description: mountPropagation determines how mounts
+                                are propagated from the host to container and the
+                                other way around. When not set, MountPropagationNone
+                                is used. This field is beta in 1.10.
+                              type: string
+                            name:
+                              description: This must match the Name of a Volume.
+                              type: string
+                            readOnly:
+                              description: Mounted read-only if true, read-write otherwise
+                                (false or unspecified). Defaults to false.
+                              type: boolean
+                            subPath:
+                              description: Path within the volume from which the container's
+                                volume should be mounted. Defaults to "" (volume's
+                                root).
+                              type: string
+                            subPathExpr:
+                              description: Expanded path within the volume from which
+                                the container's volume should be mounted. Behaves
+                                similarly to SubPath but environment variable references
+                                $(VAR_NAME) are expanded using the container's environment.
+                                Defaults to "" (volume's root). SubPathExpr and SubPath
+                                are mutually exclusive.
+                              type: string
+                          required:
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                        x-kubernetes-list-map-keys:
+                        - name
+                        - mountPath
+                        x-kubernetes-list-type: map
                     type: object
                   useExtendedDaemonset:
                     description: UseExtendedDaemonset use ExtendedDaemonset for Agent

config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml

@@ -3681,6 +3681,47 @@ spec:
                               type: string
                           type: object
                       type: object
+                    volumeMounts:
+                      description: Specify additional volume mounts in the Security
+                        Agent container.
+                      items:
+                        description: VolumeMount describes a mounting of a Volume
+                          within a container.
+                        properties:
+                          mountPath:
+                            description: Path within the container at which the volume
+                              should be mounted.  Must not contain ':'.
+                            type: string
+                          mountPropagation:
+                            description: mountPropagation determines how mounts are
+                              propagated from the host to container and the other
+                              way around. When not set, MountPropagationNone is used.
+                              This field is beta in 1.10.
+                            type: string
+                          name:
+                            description: This must match the Name of a Volume.
+                            type: string
+                          readOnly:
+                            description: Mounted read-only if true, read-write otherwise
+                              (false or unspecified). Defaults to false.
+                            type: boolean
+                          subPath:
+                            description: Path within the volume from which the container's
+                              volume should be mounted. Defaults to "" (volume's root).
+                            type: string
+                          subPathExpr:
+                            description: Expanded path within the volume from which
+                              the container's volume should be mounted. Behaves similarly
+                              to SubPath but environment variable references $(VAR_NAME)
+                              are expanded using the container's environment. Defaults
+                              to "" (volume's root). SubPathExpr and SubPath are mutually
+                              exclusive.
+                            type: string
+                        required:
+                        - mountPath
+                        - name
+                        type: object
+                      type: array
                   type: object
                 useExtendedDaemonset:
                   description: UseExtendedDaemonset use ExtendedDaemonset for Agent

controllers/datadogagent/utils.go

@@ -1630,6 +1630,9 @@ func getVolumeMountsForSystemProbe(dda *datadoghqv1alpha1.DatadogAgent) []corev1
 		}
 	}
 
+	// Add extra volume mounts
+	volumeMounts = append(volumeMounts, dda.Spec.Agent.SystemProbe.VolumeMounts...)
+
 	return volumeMounts
 }
 

docs/configuration.md

@@ -201,6 +201,7 @@ spec:
 | agent.systemProbe.securityContext.windowsOptions.gmsaCredentialSpec | GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. |
 | agent.systemProbe.securityContext.windowsOptions.gmsaCredentialSpecName | GMSACredentialSpecName is the name of the GMSA credential spec to use. |
 | agent.systemProbe.securityContext.windowsOptions.runAsUserName | The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
+| agent.systemProbe.volumeMounts | Specify additional volume mounts in the Security Agent container. |
 | agent.useExtendedDaemonset | UseExtendedDaemonset use ExtendedDaemonset for Agent deployment. default value is false. |
 | clusterAgent.additionalAnnotations | AdditionalAnnotations provide annotations that will be added to the Cluster Agent Pods. |
 | clusterAgent.additionalLabels | AdditionalLabels provide labels that will be added to the Cluster Agent Pods. |