tetragon: run Tetragon without access to CRD

[aohoyd]

Fixes #1880

Tetragon

• new flag enable-tracing-policy-crd was added and enabled by default

Tetragon operator

• new flag skip-tracing-policy-crd was added and disabled by default

Helm chart

• two flags above were added into configmaps and values file

[jrfastab]

/test

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	a94d9a0
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/65aba1d2505f070008830638
😎 Deploy Preview	https://deploy-preview-1931--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[aohoyd]

I've synced with main and re-generated doc files

[kkourt]

Thanks, this looks good to me. Could you please split the patch into two patches: one for the agent changes, and one for the operator changes?

[aohoyd]

Thanks, this looks good to me. Could you please split the patch into two patches: one for the agent changes, and one for the operator changes?

Sure, done (I've splitted commit)

@kkourt did you mean to open separated PR?

[mtardy]

Thanks, this looks good to me. Could you please split the patch into two patches: one for the agent changes, and one for the operator changes?

Sure, done (I've splitted commit)

@kkourt did you mean to open separated PR?

I can't speak for Kornilios but I would say separate commits, so looking all good!

[kkourt]

Thanks, this looks good to me. Could you please split the patch into two patches: one for the agent changes, and one for the operator changes?

Sure, done (I've splitted commit)

@kkourt did you mean to open separated PR?

I mean splitting the commits. Thanks!

[kkourt]

LGTM, thanks!

[aohoyd]

synced fork

[lambdanis]

@aohoyd Can you rebase your branch with cilium:main instead of merging it? It makes the git history easier to read. At the moment the checkpath CI job is failing because of the merge commit (https://github.com/cilium/tetragon/actions/runs/7526335727/job/20488255210?pr=1931).

[aohoyd]

@lambdanis sorry, did this via UI. I've reverted merge commit and made a rebase

[aohoyd]

I'm not sure, but failed test looks like spontaneous error. Can anyone restart it?

[kkourt]

Tests look all good! ✅

@mtardy, @tpapagian, @lambdanis: do you plan to review?
Otherwise, I would suggest we merge.

[tpapagian]

Not super-familiar with this part of the codebase, but LGTM! Thanks

[lambdanis]

Small note: if all CRDs are disabled, then I believe Tetragon operator has nothing to do, but it still runs, and there is no way to disable it. Unless someone corrects me, we can update the Helm chart to allow disabling the whole operator in such cases. But this can be a follow-up, not blocking for this PR.

[aohoyd]

@lambdanis I can do it in separate PR, not a problem. Correct me if I'm wrong:
Operator should be disabled in next case:

• if tetragonOperator.podInfo.enabled is false and tetragonOperator.tracingPolicy.enabled is false

Didn't I miss something? Is tetragon.enableK8sAPI related?

[lambdanis]

Operator should be disabled in next case:

• if tetragonOperator.podInfo.enabled is false and tetragonOperator.tracingPolicy.enabled is false

Yes. One option is to introduce tetragonOperator.enabled Helm value, then it'll be easier to maintain I think if new CRDs are introduced. cc @michi-covalent to confirm/deny/comment.

[michi-covalent]

adding tetragonOperator.enabled seems reasonable if we want to be able to disable the operator altogether. we can do that as a follow-up PR ✅

[aohoyd]

I've added the new flag in #2004

[mtardy]

Failure in the CI is unrelated #2010 and we can merge this one.

[mtardy]

Tests look all good! ✅
@mtardy, @tpapagian, @lambdanis: do you plan to review?
Otherwise, I would suggest we merge.

So I'll merge this, I was just pulled-in by GitHub because of the docs change.