feat(appsec): forward sidecar injection mode and istio-gateway config to cluster-agent#2774
Open
eliottness wants to merge 5 commits intomainfrom
Open
feat(appsec): forward sidecar injection mode and istio-gateway config to cluster-agent#2774eliottness wants to merge 5 commits intomainfrom
eliottness wants to merge 5 commits intomainfrom
Conversation
… to cluster-agent - Add "istio-gateway" to allowed proxy values (networking.istio.io/gateways informer) - Add RBAC rule for gateways.networking.istio.io (Get/List/Watch) - Add RBAC rule for configmaps (Get/Update) picked up by linter - Add AnnotationInjectorMode + 9 AnnotationSidecar* annotation constants - Add DDClusterAgentAppsecInjectorMode + 9 DDAdmissionControllerAppsecSidecar* env var constants - Add Mode and sidecar fields to Config struct; parse from annotations in FromAnnotations() - Relax validation: ProcessorServiceName now only required in external mode (not sidecar) - Forward all new env vars in ManageClusterAgent() via a map[string]string loop - Update rbac_test.go: split Istio rule test, add gateways assertion - Update feature_test.go: add sidecar mode, istio-gateway proxy, and mode validation test cases Rationale: Three recent datadog-agent PRs (#45331, #47263, #47926) introduced sidecar injection mode, istio-gateway as a new proxy type, and the corresponding RBAC requirements. The operator was not forwarding any of these configs to the cluster-agent. This change closes that gap so operators using sidecar mode or the Istio Gateway integration get the correct cluster-agent configuration without manual env var overrides.
- Bump ClusterAgentMinVersion from 7.73.0 to 7.76.0 - Update version boundary tests to match new minimum - Commit go.work.sum update
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2774 +/- ##
==========================================
+ Coverage 38.81% 39.02% +0.20%
==========================================
Files 309 309
Lines 26803 27153 +350
==========================================
+ Hits 10404 10596 +192
- Misses 15620 15776 +156
- Partials 779 781 +2
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 5 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 43ea9f6186
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…nd body parsing limit - Validate SidecarPort and SidecarHealthPort using k8s IsValidPortNum (1-65535) - Validate SidecarBodyParsingSizeLimit is a non-zero integer (negative disables body parsing) - Validate sidecar resource quantities (CPU/memory) using resource.ParseQuantity - Add test cases covering all new validation paths
strconv.Itoa(0) produces the non-empty string '0', causing DD_APPSEC_PROXY_PROCESSOR_PORT=0 to be injected even when the annotation is not set. Move processor port out of the string map and guard it with != 0, matching the original per-field pattern. Add a test case to assert the env var is absent when unset.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Forwards three sets of new AppSec configuration from the operator to the cluster-agent, covering changes introduced in recent datadog-agent PRs:
"istio-gateway"to the list of allowedappsec.injector.proxiesvalues so operators can select it via annotation.networking.istio.io/gatewaysso the cluster-agent's informer works for the Istio Gateway integration.AnnotationInjectorMode+ 9AnnotationSidecar*annotations and their corresponding env vars (DD_CLUSTER_AGENT_APPSEC_INJECTOR_MODE,DD_ADMISSION_CONTROLLER_APPSEC_SIDECAR_*) that the cluster-agent reads.Motivation
The operator was not forwarding any of these configs, meaning users on sidecar mode or using the Istio Gateway integration had to set env vars manually on the cluster-agent. This closes that gap.
Describe your test plan
go test ./internal/controller/datadogagent/feature/appsec/...golangci-ling -w ./internal/controller/datadogagent/feature/appsec/...Checklist
bug,enhancement,refactoring,documentation,tooling, and/ordependenciesqa/skip-qalabel