[MVP] feat: Add DatadogInstrument CRD and operator feature

[Mathew-Estafanous]

What does this PR do?

Introduces the DatadogInstrumentation CRD and an operator feature that provisions the infrastructure needed for the Cluster Agent to act on it.

The CRD lets teams define Datadog integration checks for their workloads without modifying pod annotations or restarting agents:

apiVersion: datadoghq.com/v1alpha1
kind: DatadogInstrumentation
metadata:
  name: redis-check
  namespace: cache
spec:
  selector:
    matchLabels:
      app: redis
  config:
    checks:
      - integration: redisdb
        containerImage:
          - redis
        initConfig: {}
        instances:
          - host: "%%host%%"
            port: 6379

The operator feature (workload_config) handles:

• ConfigMap provisioning: creates a ConfigMap (<dda-name>-crd-check-conf) with create-only semantics — the operator creates it but never overwrites it, so the Cluster Agent can freely write check configs into it.
• Volume mount: mounts the ConfigMap to the Node Agent at <config-path>/crd-conf.d/ so the Agent picks up checks written by the Cluster Agent.
• RBAC: grants the Cluster Agent get/list/watch on datadoginstrumentation and get/update on the ConfigMap.

Store: AddOnly semantics

A new AddOnly method on the dependency store marks objects as create-only. During Apply(), the store skips updates for these objects, preventing the operator's reconciliation loop from resetting externally-managed content.

Motivation

Non-SRE teams need a way to configure Datadog monitoring for their workloads without touching pod annotations or coordinating agent restarts. The DatadogInstrumentation CRD provides a Kubernetes-native interface for this. The spec.config wrapper is designed to support additional features in future releases.

Describe how you validated your changes

• Deployed to a local Kind cluster (podcheck-crd) and verified:
  • CRD installs and accepts valid resources
  • Operator creates the ConfigMap with correct owner references
  • Node Agent mounts the ConfigMap at the expected path
  • ClusterRole and ClusterRoleBinding are created with the correct permissions
  • ConfigMap content written by the Cluster Agent survives operator reconciliation cycles
  • ConfigMap is cleaned up when the DatadogAgentInternal is removed

Additional Notes

• Cluster Agent logic is out of scope. This PR only covers the operator side — CRD definition and infrastructure provisioning. The Cluster Agent will watch DatadogWorkloadConfig resources and write resolved check configs into the ConfigMap in a separate change.
• The CRD is namespace-scoped (short name: ddwc).
• spec.selector requires at least one of matchLabels or matchAnnotations (enforced by validation).

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 84 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.57%. Comparing base (6fbf327) to head (877d28e).
⚠️ Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
...er/datadogagent/feature/instrumentation/feature.go	0.00%	74 Missing ⚠️
internal/controller/datadogagent/store/store.go	0.00%	9 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2724      +/-   ##
==========================================
- Coverage   38.80%   38.57%   -0.23%     
==========================================
  Files         308      310       +2     
  Lines       26703    27186     +483     
==========================================
+ Hits        10363    10488     +125     
- Misses      15561    15920     +359     
+ Partials      779      778       -1     

Flag	Coverage Δ
unittests	38.57% <0.00%> (-0.23%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/controller/datadogagent/controller.go	92.85% <ø> (ø)
internal/controller/datadogagent_controller.go	66.66% <ø> (ø)
internal/controller/datadogagent/store/store.go	66.10% <0.00%> (-2.29%)	⬇️
...er/datadogagent/feature/instrumentation/feature.go	0.00% <0.00%> (ø)

... and 11 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6fbf327...877d28e. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.