[ACTP] Use Config maps for par deploy in dca#2659

Merged
merchristK merged 4 commits into main from merchristk-ACTP-use-cm
Feb 27, 2026

Conversation

Contributor

@merchristK merchristK commented Feb 26, 2026

What does this PR do?

When deploying PAR in DCA, use a ConfigMap and volume mounts instead of adding env vars.

Motivation

We want to do this because:

  • It's more scalable: any time the config changes, we shouldn't be updating the operator to support new configs.
  • For consistency, since the node agent uses a CM as well.

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: v7.77.x
  • Cluster Agent: v7.77.x

Describe your test plan

Build and deploy the operator locally

Commands
# Build the operator image
make IMG=datadog/datadog-operator:test-par docker-build

# Install CRDs
make install

# Deploy the operator
make IMG=datadog/datadog-operator:test-par deploy

Apply the DatadogAgent object in a local k8s cluster

datadog-agent.yaml
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
  annotations:
    agent.datadoghq.com/private-action-runner-enabled: "true"
    agent.datadoghq.com/private-action-runner-configdata: |
      private_action_runner:
        enabled: true
        self_enroll: true
        actions_allowlist:
          - com.datadoghq.gitlab.*
          - com.datadoghq.script.*
          - com.datadoghq.kubernetes.core.*
    cluster-agent.datadoghq.com/private-action-runner-enabled: "true"
    cluster-agent.datadoghq.com/private-action-runner-configdata: |
      private_action_runner:
        enabled: true
        self_enroll: true
        actions_allowlist:
          - com.datadoghq.gitlab.*
          - com.datadoghq.script.*
          - com.datadoghq.kubernetes.core.*

spec:
  global:
    clusterName: mmklearning.docker-desktop
    site: datadoghq.com
    credentials:
      apiSecret:
        secretName: datadog-secret
        keyName: api-key
      appSecret:
        secretName: datadog-secret
        keyName: app-key
    kubelet:
      tlsVerify: false
  override:
    nodeAgent:
      image:
        # name: datadog/agent:7.76.0-rc.1
        name: some-internal-image
        pullPolicy: Always
    clusterAgent:
      replicas: 3
      image:
        # name: datadog/agent:7.76.0-rc.1
        name: some-internal-image
        pullPolicy: IfNotPresent
  features:
    logCollection:
      enabled: true
      containerCollectAll: true
    liveContainerCollection:
      enabled: true

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - datadog-agent.yaml

secretGenerator:
  - envs:
      - .env
    name: datadog-secret
    namespace: datadog-operator

generatorOptions:
  disableNameSuffixHash: true

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@merchristK merchristK added enhancement New feature or request qa/skip-qa labels Feb 26, 2026
@merchristK merchristK marked this pull request as ready for review February 26, 2026 14:23
@merchristK merchristK requested a review from a team February 26, 2026 14:23
@merchristK merchristK requested a review from a team as a code owner February 26, 2026 14:23

codecov-commenter commented Feb 26, 2026

Codecov Report

❌ Patch coverage is 84.14634% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.69%. Comparing base (6489f08) to head (e609c17).

Files with missing lines Patch % Lines
...atadogagent/feature/privateactionrunner/feature.go 84.05% 6 Missing and 5 partials ⚠️
...datadogagent/feature/privateactionrunner/config.go 80.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #2659      +/-   ##
==========================================
+ Coverage   38.59%   38.69%   +0.10%     
==========================================
  Files         307      307              
  Lines       26471    26525      +54     
==========================================
+ Hits        10216    10265      +49     
  Misses      15494    15494              
- Partials      761      766       +5     
Flag Coverage Δ
unittests 38.69% <84.14%> (+0.10%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...r/datadogagent/feature/privateactionrunner/rbac.go 100.00% <100.00%> (ø)
...datadogagent/feature/privateactionrunner/config.go 97.82% <80.00%> (-2.18%) ⬇️
...atadogagent/feature/privateactionrunner/feature.go 77.21% <84.05%> (+7.49%) ⬆️

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6489f08...e609c17. Read the comment docs.


Comment on lines +214 to +225
podTemplate := managers.PodTemplateSpec()
for i, container := range podTemplate.Spec.Containers {
	if container.Name == string(apicommon.ClusterAgentContainerName) {
		// Set command if not already set (default is from Dockerfile)
		// See https://github.com/DataDog/datadog-agent/blob/06ea6848b891e08d34753e452be7f3c9bacbf407/Dockerfiles/cluster-agent/Dockerfile#L123
		if len(container.Command) == 0 {
			podTemplate.Spec.Containers[i].Command = []string{"datadog-cluster-agent", "start"}
		}
		// Add -E flag to command
		podTemplate.Spec.Containers[i].Command = append(podTemplate.Spec.Containers[i].Command, fmt.Sprintf("-E=%s", PrivateActionRunnerConfigPath))
		break
	}
Contributor


Feels like there should be a higher-level API rather than us patching it like this.

Contributor Author


Hmm, the only thing I could find in the manager that would fit was this one:

type PodTemplateManagers interface {

Let me ask container-platform

Contributor Author


It seems there are also examples of such usage.

@merchristK merchristK added this to the v1.25.0 milestone Feb 26, 2026
Member

@tbavelier tbavelier left a comment


Nit, but a "breaking change" compared to the previous version: with this version, the annotation does not take "priority" over the configdata, meaning a user with:

    cluster-agent.datadoghq.com/private-action-runner-enabled: "true"
    cluster-agent.datadoghq.com/private-action-runner-configdata: |
      private_action_runner:
        enabled: false
        self_enroll: true
        identity_secret_name: datadog-par-identity
        actions_allowlist:
          - com.datadoghq.http.request
          - com.datadoghq.kubernetes.core.listPod
          - com.datadoghq.traceroute

will not have PAR enabled, since the enabled flag stays the same in the CM.

Also not in scope of this PR, but instead of having the conditional for the RBAC in rbac.go (if config == nil || !config.Enabled || !config.SelfEnroll), could we please move it to feature.go before calling managers.RBACManager().AddPolicyRules( ? That way, we avoid creating an empty role when self-enroll is false, and it's clearer when we do add RBACs. Moreover, that simplifies the conditional to simply config.SelfEnroll, considering that in ManageDependencies we are already in a block f.clusterConfig != nil && f.clusterConfig.Enabled:

		// Add RBAC for secret access during self-enrollment
		if f.clusterConfig.SelfEnroll {
			rbacResourcesName := getPrivateActionRunnerRbacResourcesName(f.owner)
			if err := managers.RBACManager().AddPolicyRules(
				f.owner.GetNamespace(),
				rbacResourcesName,
				f.clusterServiceAccountName,
				getClusterAgentRBACPolicyRules(f.clusterConfig),
			); err != nil {
				return err
			}
		}
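
An added illustration of the precedence point in the comment above, not the operator's own code: a toy parser for the configdata subset used on this page, the two precedence rules the reviewer contrasts (annotation wins vs. ConfigMap content wins), and the simplified RBAC gate they propose. parConfig, parseConfigData, effectiveEnabled and needsSelfEnrollRBAC are hypothetical names.

```go
package main

import "strings"

// parConfig holds the configdata keys used on this page. Hypothetical type;
// it does not reproduce the operator's own config struct.
type parConfig struct {
	Enabled          bool
	SelfEnroll       bool
	ActionsAllowlist []string
}

// parseConfigData reads only the flat "key: value" and "- item" lines that
// the private-action-runner-configdata annotation on this page uses. It is
// a toy line parser for this example, not a YAML library.
func parseConfigData(data string) parConfig {
	var cfg parConfig
	for _, raw := range strings.Split(data, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "enabled: true":
			cfg.Enabled = true
		case line == "self_enroll: true":
			cfg.SelfEnroll = true
		case strings.HasPrefix(line, "- "):
			cfg.ActionsAllowlist = append(cfg.ActionsAllowlist, strings.TrimPrefix(line, "- "))
		}
	}
	return cfg
}

// effectiveEnabled contrasts the two precedence rules the reviewer describes:
// with annotationWins the *-enabled annotation forces the flag; otherwise the
// ConfigMap content (the configdata as written) decides.
func effectiveEnabled(annotationEnabled bool, cfg parConfig, annotationWins bool) bool {
	if annotationWins {
		return annotationEnabled
	}
	return cfg.Enabled
}

// needsSelfEnrollRBAC is the reviewer's suggested gate: only create the role
// granting secret access when the runner is enabled and self-enrolls.
func needsSelfEnrollRBAC(cfg *parConfig) bool {
	return cfg != nil && cfg.Enabled && cfg.SelfEnroll
}
```

With the reviewer's sample (annotation "true", configdata enabled: false), effectiveEnabled returns false under the ConfigMap-wins rule and true under the annotation-wins rule, and no self-enroll RBAC is needed.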

@merchristK merchristK force-pushed the merchristk-ACTP-use-cm branch from 11973c7 to b8a5ea0 Compare February 27, 2026 10:14
@merchristK merchristK requested review from a team and dd-gplassard February 27, 2026 10:14
@merchristK merchristK merged commit 782748b into main Feb 27, 2026
35 checks passed
@merchristK merchristK deleted the merchristk-ACTP-use-cm branch February 27, 2026 12:30