Fix AppArmor annotations for absent containers in annotation overrides

[lebauce]

…verrides

The fix in a0dc8c0 added a container existence check to overrideAppArmorProfile(), preventing invalid AppArmor annotations when a container (e.g. security-agent with directSendFromSystemProbe=true) is absent from the pod spec.

However, the same guard was missing from the direct annotation loop in PodTemplateSpec(), which blindly copies spec.override.nodeAgent.annotations to the pod template. Any AppArmor annotation set via that path would bypass the existing fix and still produce an invalid DaemonSet.

Apply the same container existence check when iterating override.Annotations: skip AppArmor annotations (container.apparmor.security.beta.kubernetes.io/) if does not match any container in the pod spec.

What does this PR do?

A brief description of the change being made with this pull request.

Motivation

What inspired you to submit this pull request?

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

• Agent: vX.Y.Z
• Cluster Agent: vX.Y.Z

Describe your test plan

Write there any instructions and details you may have to test your PR.

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.07%. Comparing base (ef88adb) to head (8290902).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2897      +/-   ##
==========================================
+ Coverage   40.06%   40.07%   +0.01%     
==========================================
  Files         319      319              
  Lines       28039    28041       +2     
==========================================
+ Hits        11233    11237       +4     
+ Misses      15983    15982       -1     
+ Partials      823      822       -1     

Flag	Coverage Δ
unittests	40.07% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...rnal/controller/datadogagent/override/container.go	95.94% <100.00%> (-0.16%)	⬇️
...ontroller/datadogagent/override/podtemplatespec.go	80.12% <100.00%> (+2.42%)	⬆️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ef88adb...8290902. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[datadog-datadog-prod-us1]

✅ Code Coverage

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 40.16% (+0.01%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8290902 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[tbavelier]

Since we're duplicating the logic, should we use a shared helper #2898 ? Also uses the opportunity to use slices.ContainsFunc instead of looping

[lebauce]

@tbavelier Thanks. I cherry-pick your commit