search

DataDog / datadog-agent

Main repository for Datadog Agent
https://docs.datadoghq.com/
Apache License 2.0
2.83k stars 1.19k forks source link

Deploying Datadog full featured with terraform in kubernetes #10713

Closed nickkostov closed 2 years ago

nickkostov commented 2 years ago

Hello datadog, I am trying to translate your full on-boarded kuberenetes template to terraform. I am facing the following error:


│ 
│   with module.deploy-datadog.kubernetes_daemonset.datadog-agent-daemonset,
│   on modules/datadog-agent/main.tf line 138, in resource "kubernetes_daemonset" "datadog-agent-daemonset":
│  138: resource "kubernetes_daemonset" "datadog-agent-daemonset" {
│ 
╵
Releasing state lock. This may take a few moments...```

It looks like it is not working.
I will apply the config in the comments.
nickkostov commented 2 years ago 
resource "kubernetes_namespace" "datadog_agent_namespace" {
  metadata {
    labels = {
      app = "datadog-agent"
    }
    name = var.datadog_namespace
  }
}
resource "kubernetes_service_account" "service_account_datadog" {
  metadata {
    name      = "datadog-agent-cluster-agent"
    namespace = var.datadog_namespace
    labels = {
      app      = "datadog-agent"
      chart    = "datadog-2.28.13"
      heritage = "Helm"
    }
  }
}
resource "kubernetes_config_map" "datadog-agent-installinfo" {
  metadata {
    name      = "datadog-agent-installinfo"
    namespace = var.datadog_namespace
    labels = {
      app = var.datadog_app_label
    }
  }
  data = {
    "install_info-configmap.yaml" = "${file("modules/datadog-agent/datadog-agent/install_info-configmap.yaml")}"
  }
}

resource "kubernetes_config_map" "system-probe-configmap" {
  metadata {
    name      = "system-probe-configmap"
    namespace = var.datadog_namespace
    labels = {
      app = var.datadog_app_label
    }
  }
  data = {
    "system-probe-configmap.yaml" = "${file("modules/datadog-agent/datadog-agent/system-probe-configmap.yaml")}"
  }
}
resource "kubernetes_config_map" "datadog-agent-security" {
  metadata {
    name      = "datadog-agent-security"
    namespace = var.datadog_namespace
    labels = {
      app = var.datadog_app_label
    }
  }
  data = {
    "datadog-agent-security.yaml" = "${file("modules/datadog-agent/datadog-agent/datadog-agent-security.yaml")}"
  }

}

resource "kubernetes_cluster_role_binding" "datadog-agent-cluster-agent-role-binding" {
  metadata {
    name = "datadog-agent-cluster-agent"
    labels = {
      app = "datadog-agent"
    }
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "datadog-agent-cluster-agent"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "datadog-agent-cluster-agent"
    namespace = var.datadog_namespace
  }
}

resource "kubernetes_service" "datadog-agent-cluster-agent-service" {
  metadata {
    name      = "datadog-agent-cluster-agent"
    namespace = var.datadog_namespace
    labels = {
      app = var.datadog_app_label
    }
  }
  spec {
    type = "ClusterIP"
    selector = {
      app = "datadog-agent-cluster-agent"
    }

    port {
      port     = 5005
      name     = "agentport"
      protocol = "TCP"
    }
  }
}

resource "kubernetes_service" "agent-services" {
  metadata {
    name      = "datadog-agent"
    namespace = var.datadog_namespace
    labels = {
      app      = "datadog-agent"
      chart    = "datadog-2.28.13"
      release  = "datadog-agent"
      heritage = "Helm"
    }
  }
  spec {
    selector = {
      app = "datadog-agent"
    }
    port {
      protocol    = "UDP"
      port        = 8125
      target_port = 8125
      name        = "dogstatsd"
    }
    port {
      protocol    = "TCP"
      port        = 8126
      target_port = 8126
      name        = "apm"
    }
    #external_traffic_policy = "Local"
  }
}

locals {
  # Check line 612
  capabilities_list_system_probe = tolist(["SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"])
  # Check line 714
  capabilities_list_security_agent = tolist(["AUDIT_CONTROL", "AUDIT_READ"])
}
resource "kubernetes_daemonset" "datadog-agent-daemonset" {
  metadata {
    name      = "datdog-agent"
    namespace = var.datadog_namespace
    labels = {
      app = var.datadog_app_label
    }
  }

  spec {
    strategy {
      rolling_update {
        max_unavailable = "10%"
      }
    }
    selector {
      match_labels = {
        app = var.datadog_app_label
      }
    }

    template {

      metadata {
        name = "datadog-agent"
        annotations = {
          "container.apparmor.security.beta.kubernetes.io/system-probe" = "unconfined"
          "container.seccomp.security.alpha.kubernetes.io/system-probe" = "localhost/system-probe"
        }
        labels = {
          app = var.datadog_app_label
        }
      }
      spec {

        container {
          image             = "gcr.io/datadoghq/agent:7.32.4"
          name              = "agent"
          image_pull_policy = "IfNotPresent"
          command           = ["agent", "run"]
          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }

          port {
            name           = "dogstatsdport"
            protocol       = "UDP"
            container_port = "8125"
          }
          env {
            name  = "GODEBUG"
            value = "x509ignoreCN=0"
          }
          env {
            name = "DD_API_KEY"
            value_from {
              secret_key_ref {
                name = "datadog-agent"
                key  = "api-key"
              }
            }
          }
          env {
            name = "DD_KUBERNETES_KUBELET_HOST"
            value_from {
              field_ref {
                field_path = "status.hostIP"
              }
            }
          }
          env {
            name  = "KUBERNETES"
            value = "yes"
          }
          env {
            name  = "DD_LOG_LEVEL"
            value = "INFO"
          }
          env {
            name  = "DD_DOGSTATSD_PORT"
            value = "8125"
          }
          env {
            name  = "DD_DOGSTATSD_NON_LOCAL_TRAFFIC"
            value = "true"
          }
          env {
            name  = "DD_CLUSTER_AGENT_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME"
            value = "datadog-agent-cluster-agent"
          }

          env {
            name = "DD_CLUSTER_AGENT_AUTH_TOKEN"
            value_from {
              secret_key_ref {
                name = "datadog-agent-cluster-agent"
                key  = "token"
              }
            }
          }

          env {
            name  = "DD_APM_ENABLED"
            value = "false"
          }
          env {
            name  = "DD_LOGS_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL"
            value = "true"
          }
          env {
            name  = "DD_LOGS_CONFIG_K8S_CONTAINER_USE_FILE"
            value = "true"
          }
          env {
            name  = "DD_HEALTH_PORT"
            value = "5555"
          }
          env {
            name  = "DD_DOGSTATSD_SOCKET"
            value = "/var/run/datadog/dsd.socket"
          }
          env {
            name  = "DD_EXTRA_CONFIG_PROVIDERS"
            value = "clusterchecks endpointschecks"
          }
          env {
            name  = "DD_EXPVAR_PORT"
            value = "6000"
          }

          volume_mount {
            name       = "installinfo"
            sub_path   = "install_info"
            mount_path = "/etc/datadog-agent/install_info"
            read_only  = "true"
          }
          volume_mount {
            name       = "logdatadog"
            mount_path = "/var/log/datadog"
          }
          volume_mount {
            name       = "tmpdir"
            mount_path = "/tmp"
            read_only  = "false"
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/datadog-agent"
          }
          volume_mount {
            name              = "runtimesocketdir"
            mount_path        = "/host/var/run"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name       = "dsdsocket"
            mount_path = "/var/run/datadog"
          }
          volume_mount {
            name       = "sysprobe-socket-dir"
            mount_path = "/var/run/sysprobe"
            read_only  = "true"
          }
          volume_mount {
            name       = "sysprobe-config"
            mount_path = "/etc/datadog-agent/system-probe.yaml"
            sub_path   = "system-probe.yaml"
          }
          volume_mount {
            name              = "procdir"
            mount_path        = "/host/proc"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "cgroups"
            mount_path        = "/host/sys/fs/cgroup"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "pointerdir"
            mount_path        = "/opt/datadog-agent/run"
            mount_propagation = "None"
          }
          volume_mount {
            name              = "logpodpath"
            mount_path        = "/var/log/pods"
            mount_propagation = "None"
            read_only         = "true"
          }
          liveness_probe {
            failure_threshold = 6
            http_get {
              path   = "/live"
              port   = 5555
              scheme = "HTTP"
            }
            initial_delay_seconds = 15
            period_seconds        = 15
            success_threshold     = 1
            timeout_seconds       = 5
          }
          readiness_probe {
            failure_threshold = 6
            http_get {
              path   = "/ready"
              port   = 5555
              scheme = "HTTP"
            }
            initial_delay_seconds = 15
            period_seconds        = 15
            success_threshold     = 1
            timeout_seconds       = 5
          }

        }
        container {
          image             = "gcr.io/datadoghq/agent:7.32.4"
          name              = "trace-agent"
          image_pull_policy = "IfNotPresent"
          command           = ["trace-agent", "-config=/etc/datadog-agent/datadog.yaml"]
          resources {}
          port {
            container_port = 8126
            host_port      = 8126
            name           = "traceport"
            protocol       = "TCP"
          }
          env {
            name  = "GODEBUG"
            value = "x509ignoreCN=0"
          }

          env {
            name = "DD_API_KEY"
            value_from {
              secret_key_ref {
                name = "datadog-agent"
                key  = "api-key"
              }
            }
          }

          env {
            name = "DD_KUBERNETES_KUBELET_HOST"
            value_from {
              field_ref {
                field_path = "status.hostIP"
              }
            }
          }
          env {
            name  = "KUBERNETES"
            value = "yes"
          }
          env {
            name  = "DD_CLUSTER_AGENT_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME"
            value = "datadog-agent-cluster-agent"
          }
          env {
            name = "DD_CLUSTER_AGENT_AUTH_TOKEN"
            value_from {
              secret_key_ref {
                name = "datadog-agent-cluster-agent"
                key  = "token"
              }
            }
          }
          env {
            name  = "DD_LOG_LEVEL"
            value = "INFO"
          }
          env {
            name  = "DD_APM_ENABLED"
            value = "false"
          }
          env {
            name  = "DD_APM_NON_LOCAL_TRAFFIC"
            value = "true"
          }
          env {
            name  = "DD_APM_RECEIVER_PORT"
            value = "8126"
          }
          env {
            name  = "DD_APM_RECEIVER_SOCKET"
            value = "/var/run/datadog/apm.socket"
          }
          env {
            name  = "DD_DOGSTATSD_SOCKET"
            value = "/var/run/datadog/dsd.socket"
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/datadog-agent"
          }
          volume_mount {
            name       = "logdatadog"
            mount_path = "/var/log/datadog"
          }
          volume_mount {
            name       = "tmpdir"
            mount_path = "/tmp"
            read_only  = "false"
          }
          volume_mount {
            name       = "dsdsocket"
            mount_path = "/var/run/datadog"
          }
          volume_mount {
            name              = "runtimesocketdir"
            mount_path        = "/host/var/run"
            mount_propagation = "None"
            read_only         = "true"
          }
          liveness_probe {
            initial_delay_seconds = 15
            period_seconds        = 15
            tcp_socket {
              port = 8126
            }
            timeout_seconds = 5
          }
        }
        container {
          name              = "process-agent"
          image             = "gcr.io/datadoghq/agent:7.32.4"
          image_pull_policy = "IfNotPresent"
          command           = ["process-agent", "-config=/etc/datadog-agent/datadog.yaml"]
          resources {}
          env {
            name  = "GODEBUG"
            value = "x509ignoreCN=0"
          }
          env {
            name = "DD_API_KEY"
            value_from {
              secret_key_ref {
                name = "datadog-agent"
                key  = "api-key"
              }
            }
          }
          env {
            name = "DD_KUBERNETES_KUBELET_HOST"
            value_from {
              field_ref {
                field_path = "status.hostIP"
              }
            }
          }
          env {
            name  = "KUBERNETES"
            value = "yes"
          }
          env {
            name  = "DD_CLUSTER_AGENT_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME"
            value = "datadog-agent-cluster-agent"
          }
          env {
            name = "DD_CLUSTER_AGENT_AUTH_TOKEN"
            value_from {
              secret_key_ref {
                name = "datadog-agent-cluster-agent"
                key  = "token"
              }
            }
          }
          env {
            name  = "DD_PROCESS_AGENT_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_PROCESS_AGENT_DISCOVERY_ENABLED"
            value = "false"
          }
          env {
            name  = "DD_LOG_LEVEL"
            value = "INFO"
          }
          env {
            name  = "DD_SYSTEM_PROBE_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_SYSTEM_PROBE_NETWORK_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_DOGSTATSD_SOCKET"
            value = "/var/run/datadog/dsd.socket"
          }
          env {
            name  = "DD_ORCHESTRATOR_EXPLORER_ENABLED"
            value = "true"
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/datadog-agent"
          }
          volume_mount {
            name       = "logdatadog"
            mount_path = "/var/log/datadog"
          }
          volume_mount {
            name       = "tmpdir"
            mount_path = "/tmp"
            read_only  = "false"
          }
          volume_mount {
            name              = "runtimesocketdir"
            mount_path        = "/host/var/run"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "cgroups"
            mount_path        = "/host/sys/fs/cgroup"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name       = "passwd"
            mount_path = "/etc/passwd"
            read_only  = "true"
          }

          volume_mount {
            name              = "procdir"
            mount_path        = "/host/proc"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name       = "dsdsocket"
            mount_path = "/var/run/datadog"
            read_only  = "true"
          }
          volume_mount {
            name       = "sysprobe-socket-dir"
            mount_path = "/var/run/sysprobe"
            read_only  = "true"
          }
          volume_mount {
            name       = "sysprobe-config"
            mount_path = "/etc/datadog-agent/system-probe.yaml"
            sub_path   = "system-probe.yaml"
          }
        }
        ######## SYSTEM PROBE CONTAINER
        container {
          name              = "system-probe"
          image             = "gcr.io/datadoghq/agent:7.32.4"
          image_pull_policy = "IfNotPresent"

          command = ["/opt/datadog-agent/embedded/bin/system-probe", "--config=/etc/datadog-agent/system-probe.yaml"]
          security_context {
            privileged = "false"
            capabilities {
              add = local.capabilities_list_system_probe
            }
          }
          resources {
          }
          env {
            name  = "GODEBUG"
            value = "x509ignoreCN=0"
          }
          env {
            name = "DD_API_KEY"
            value_from {
              secret_key_ref {
                name = "datadog-agent"
                key  = "api-key"
              }
            }
          }
          env {
            name = "DD_KUBERNETES_KUBELET_HOST"
            value_from {
              field_ref {
                field_path = "status.hostIP"
              }
            }
          }
          env {
            name  = "KUBERNETES"
            value = "yes"
          }
          env {
            name  = "DD_LOG_LEVEL"
            value = "INFO"
          }
          volume_mount {
            name       = "logdatadog"
            mount_path = "/var/log/datadog"
          }
          volume_mount {
            name       = "tmpdir"
            mount_path = "/tmp"
            read_only  = "false"
          }
          volume_mount {
            name              = "debugfs"
            mount_path        = "/sys/kernel/debug"
            mount_propagation = "None"
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/datadog-agent"
          }
          volume_mount {
            name       = "sysprobe-config"
            mount_path = "/etc/datadog-agent/system-probe.yaml"
            sub_path   = "system-probe.yaml"
          }
          volume_mount {
            name       = "sysprobe-socket-dir"
            mount_path = "/var/run/sysprobe"
          }
          volume_mount {
            name              = "procdir"
            mount_path        = "/host/proc"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "etc-os-release"
            mount_path        = "/host/etc/os-release"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "etc-redhat-release"
            mount_path        = "/host/etc/redhat-release"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "etc-fedora-release"
            mount_path        = "/host/etc/fedora-release"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "etc-lsb-release"
            mount_path        = "/host/etc/lsb-release"
            mount_propagation = "None"
            read_only         = "true"
          }
        }
        ################ Security container
        container {
          name              = "security-agent"
          image             = "gcr.io/datadoghq/agent:7.32.4"
          image_pull_policy = "IfNotPresent"
          security_context {
            capabilities {
              add = local.capabilities_list_security_agent
            }
          }
          command = ["security-agent", "start", "-c=/etc/datadog-agent/datadog.yaml"]
          resources {
          }
          env {
            name  = "GODEBUG"
            value = "x509ignoreCN=0"
          }

          env {
            name = "DD_API_KEY"
            value_from {
              secret_key_ref {
                name = "datadog-agent"
                key  = "api-key"
              }
            }
          }
          env {
            name = "DD_KUBERNETES_KUBELET_HOST"
            value_from {
              field_ref {
                field_path = "status.hostIP"
              }
            }
          }
          env {
            name  = "KUBERNETES"
            value = "yes"
          }
          env {
            name  = "DD_LOG_LEVEL"
            value = "INFO"
          }
          env {
            name  = "DD_COMPLIANCE_CONFIG_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_COMPLIANCE_CONFIG_CHECK_INTERVAL"
            value = "20m"
          }
          env {
            name  = "HOST_ROOT"
            value = "/host/root"
          }
          env {
            name  = "DD_CLUSTER_AGENT_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME"
            value = "datadog-agent-cluster-agent"
          }
          env {
            name = "DD_CLUSTER_AGENT_AUTH_TOKEN"
            value_from {
              secret_key_ref {
                name = "datadog-agent-cluster-agent"
                key  = "token"
              }
            }
          }
          env {
            name  = "DD_RUNTIME_SECURITY_CONFIG_ENABLED"
            value = "true"
          }
          env {
            name  = "DD_RUNTIME_SECURITY_CONFIG_POLICIES_DIR"
            value = "/etc/datadog-agent/runtime-security.d"
          }
          env {
            name  = "DD_RUNTIME_SECURITY_CONFIG_SOCKET"
            value = "/var/run/sysprobe/runtime-security.sock"
          }
          env {
            name  = "DD_RUNTIME_SECURITY_CONFIG_SYSCALL_MONITOR_ENABLED"
            value = "false"
          }
          env {
            name  = "DD_DOGSTATSD_SOCKET"
            value = "/var/run/datadog/dsd.socket"
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/datadog-agent"
          }
          volume_mount {
            name       = "logdatadog"
            mount_path = "/var/log/datadog"
          }
          volume_mount {
            name       = "tmpdir"
            mount_path = "/tmp"
            read_only  = "false"
          }
          volume_mount {
            name       = "dsdsocket"
            mount_path = "/var/run/datadog"
            read_only  = "true"
          }
          volume_mount {
            name              = "runtimesocketdir"
            mount_path        = "/host/var/run"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "cgroups"
            mount_path        = "/host/sys/fs/cgroup"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name       = "passwd"
            mount_path = "/etc/passwd"
            read_only  = "true"
          }
          volume_mount {
            name       = "group"
            mount_path = "/etc/group"
            read_only  = "true"
          }
          volume_mount {
            name       = "hostroot"
            mount_path = "/host/root"
            read_only  = "true"
          }
          volume_mount {
            name              = "procdir"
            mount_path        = "/host/proc"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name       = "sysprobe-socket-dir"
            mount_path = "/var/run/sysprobe"
            read_only  = "true"
          }
          volume_mount {
            name       = "sysprobe-config"
            mount_path = "/etc/datadog-agent/system-probe.yaml"
            sub_path   = "system-probe.yaml"
          }
        }
        init_container {
          name              = "init-volume"
          image             = "gcr.io/datadoghq/agent:7.32.4"
          image_pull_policy = "IfNotPresent"
          command           = ["bash", "-c"]
          args              = ["cp -r /etc/datadog-agent /opt"]
          volume_mount {
            name       = "config"
            mount_path = "/opt/datadog-agent"
          }
          resources {}
        }
        init_container {
          name              = "init-config"
          image             = "gcr.io/datadoghq/agent:7.32.4"
          image_pull_policy = "IfNotPresent"
          command           = ["bash", "-c"]
          args              = ["for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done"]
          volume_mount {
            name       = "logdatadog"
            mount_path = "/var/log/"
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/datadog-agent"
          }
          volume_mount {
            name              = "procdir"
            mount_path        = "/host/proc"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name              = "runtimesocketdir"
            mount_path        = "/host/var/run"
            mount_propagation = "None"
            read_only         = "true"
          }
          volume_mount {
            name       = "sysprobe-config"
            mount_path = "/etc/datadog-agent/system-probe.yaml"
            sub_path   = "system-probe.yaml"
          }
          env {
            name  = "GODEBUG"
            value = "x509ignoreCN=0"
          }
          env {
            name = "DD_API_KEY"
            value_from {
              secret_key_ref {
                name = "datadog-agent"
                key  = "api-key"
              }
            }
          }
          env {
            name  = "KUBERNETES"
            value = "yes"
          }
          resources {
          }
        }
        init_container {
          name    = "seccomp-setup"
          image   = "gcr.io/datadoghq/agent:7.32.4"
          command = ["cp", " /etc/config/system-probe-seccomp.json", "/host/var/lib/kubelet/seccomp/system-probe"]
          volume_mount {
            name       = "datadog-agent-security"
            mount_path = "/etc/config"

          }
          volume_mount {
            name              = "seccomp-root"
            mount_path        = "/host/var/lib/kubelet/seccomp"
            mount_propagation = "None"
          }

        }
        volume {
          name = "installinfo"
          config_map {
            name = "datadog-agent-installinfo"
          }

        }
        volume {
          name = "config"
          empty_dir {}
        }
        volume {
          name = "tmpdir"
          empty_dir {}
        }
        volume {
          name = "procdir"
          host_path {
            path = "/proc"
          }
        }

        volume {
          name = "cgroups"
          host_path {
            path = "/sys/fs/cgroup"
          }
        }
        volume {
          name = "etc-os-release"
          host_path {
            path = "/etc/os-release"
          }
        }
        volume {
          name = "etc-redhat-release"
          host_path {
            path = "/etc/redhat-release"
          }
        }
        volume {
          name = "etc-fedora-release"
          host_path {
            path = "/etc/fedora-release"
          }

        }
        volume {
          name = "etc-lsb-release"
          host_path {
            path = "/etc/lsb-release"
          }
        }
        volume {
          name = "dsdsocket"
          host_path {
            path = "/var/run/datadog/"
            type = "DirectoryOrCreate"
          }
        }
        volume {
          name = "apmsocket"
          host_path {
            path = "/var/run/datadog/"
            type = "DirectoryOrCreate"
          }
        }
        volume {
          name = "s6-run"
          empty_dir {}
        }
        volume {
          name = "sysprobe-config"
          config_map {
            name = "datadog-agent-system-probe-config"
          }

        }
        volume {
          name = "datadog-agent-security"
          config_map {
            name = "datadog-agent-security"
          }
        }
        volume {
          name = "seccomp-root"
          host_path {
            path = "/var/lib/kubelet/seccomp"
          }
        }
        volume {
          name = "debugfs"
          host_path {
            path = "/sys/kernel/debug"
          }
        }
        volume {
          name = "sysprobe-socket-dir"
          empty_dir {}
        }
        volume {
          name = "passwd"
          host_path {
            path = "/etc/passwd"
          }
        }
        volume {
          name = "hostroot"
          host_path {
            path = "/"
          }
        }
        volume {
          name = "group"
          host_path {
            path = "/etc/group"
          }
        }
        volume {
          name = "pointerdir"
          host_path {
            path = "/var/lib/datadog-agent/logs"
          }
        }
        volume {
          name = "logpodpath"
          host_path {
            path = "/var/log/pods"
          }
        }
        volume {
          name = "logscontainerspath"
          host_path {
            path = "/var/log/containers"
          }
        }
        volume {
          name = "logdockercontainerpath"
          host_path {
            path = "/var/lib/docker/containers"
          }
        }
        volume {
          name = "runtimesocketdir"
          host_path {
            path = "/var/run"
          }
        }
        toleration {
          key = "node-role.kubernetes.io/master"
          effect = "NoSchedule"
        }
        affinity {}
        service_account_name = "datadog-agent"
        node_selector = {
          "kubernetes.io/os" = "linux"
        }

        ### SPEC ENDS HERE         
      }

    }
  }
}
nickkostov commented 2 years ago

This is what you have in the documentation:

---
# Source: datadog/templates/cluster-agent-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: "datadog-agent"
    chart: "datadog-2.28.13"
    heritage: "Helm"
    release: "datadog-agent"
  name: datadog-agent-cluster-agent
  namespace: default
---
# Source: datadog/templates/secret-api-key.yaml
apiVersion: v1
kind: Secret
metadata:
  name: datadog-agent
  namespace: default
  labels: {}
type: Opaque
data:
  api-key: PUT_YOUR_BASE64_ENCODED_API_KEY_HERE
---
# Source: datadog/templates/secret-cluster-agent-token.yaml
apiVersion: v1
kind: Secret
metadata:
  name: datadog-agent-cluster-agent
  namespace: default
  labels: {}
type: Opaque
data:
  token: PUT_A_BASE64_ENCODED_RANDOM_STRING_HERE
---
# Source: datadog/templates/install_info-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: datadog-agent-installinfo
  namespace: default
  labels: {}
  annotations: {}
data:
  install_info: |
    ---
    install_method:
      tool: kubernetes sample manifests
      tool_version: kubernetes sample manifests
      installer_version: kubernetes sample manifests
---
# Source: datadog/templates/system-probe-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: datadog-agent-system-probe-config
  namespace: default
  labels: {}
data:
  system-probe.yaml: |
    system_probe_config:
      enabled: true
      debug_port:  0
      sysprobe_socket: /var/run/sysprobe/sysprobe.sock
      enable_conntrack: true
      bpf_debug: false
      enable_tcp_queue_length: false
      enable_oom_kill: false
      collect_dns_stats: true
      max_tracked_connections: 131072
      conntrack_max_state_size: 131072
      enable_runtime_compiler: false
      runtime_compiler_output_dir: /var/tmp/datadog-agent/system-probe/build
      kernel_header_download_dir: /var/tmp/datadog-agent/system-probe/kernel-headers
      apt_config_dir: /host/etc/apt
      yum_repos_dir: /host/etc/yum.repos.d
      zypper_repos_dir: /host/etc/zypp/repos.d
    network_config:
      enabled: true
      conntrack_init_timeout: 10s
    service_monitoring_config:
      enabled: false
    runtime_security_config:
      enabled: true
      debug: false
      socket: /var/run/sysprobe/runtime-security.sock
      policies:
        dir: /etc/datadog-agent/runtime-security.d
      syscall_monitor:
        enabled: false
---
# Source: datadog/templates/system-probe-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: datadog-agent-security
  namespace: default
  labels: {}
data:
  system-probe-seccomp.json: |
    {
      "defaultAction": "SCMP_ACT_ERRNO",
      "syscalls": [
        {
          "names": [
            "accept4",
            "access",
            "arch_prctl",
            "bind",
            "bpf",
            "brk",
            "capget",
            "capset",
            "chdir",
            "clock_gettime",
            "clone",
            "close",
            "connect",
            "copy_file_range",
            "creat",
            "dup",
            "dup2",
            "dup3",
            "epoll_create",
            "epoll_create1",
            "epoll_ctl",
            "epoll_ctl_old",
            "epoll_pwait",
            "epoll_wait",
            "epoll_wait",
            "epoll_wait_old",
            "eventfd",
            "eventfd2",
            "execve",
            "execveat",
            "exit",
            "exit_group",
            "fchmod",
            "fchmodat",
            "fchown",
            "fchown32",
            "fchownat",
            "fcntl",
            "fcntl64",
            "flock",
            "fstat",
            "fstat64",
            "fstatfs",
            "fsync",
            "futex",
            "getcwd",
            "getdents",
            "getdents64",
            "getegid",
            "geteuid",
            "getgid",
            "getpeername",
            "getpid",
            "getppid",
            "getpriority",
            "getrandom",
            "getresgid",
            "getresgid32",
            "getresuid",
            "getresuid32",
            "getrlimit",
            "getrusage",
            "getsid",
            "getsockname",
            "getsockopt",
            "gettid",
            "gettimeofday",
            "getuid",
            "getxattr",
            "ioctl",
            "ipc",
            "listen",
            "lseek",
            "lstat",
            "lstat64",
            "madvise",
            "mkdir",
            "mkdirat",
            "mmap",
            "mmap2",
            "mprotect",
            "mremap",
            "munmap",
            "nanosleep",
            "newfstatat",
            "open",
            "openat",
            "pause",
            "perf_event_open",
            "pipe",
            "pipe2",
            "poll",
            "ppoll",
            "prctl",
            "pread64",
            "prlimit64",
            "pselect6",
            "read",
            "readlink",
            "readlinkat",
            "recvfrom",
            "recvmmsg",
            "recvmsg",
            "rename",
            "renameat",
            "restart_syscall",
            "rmdir",
            "rt_sigaction",
            "rt_sigpending",
            "rt_sigprocmask",
            "rt_sigqueueinfo",
            "rt_sigreturn",
            "rt_sigsuspend",
            "rt_sigtimedwait",
            "rt_tgsigqueueinfo",
            "sched_getaffinity",
            "sched_yield",
            "seccomp",
            "select",
            "semtimedop",
            "send",
            "sendmmsg",
            "sendmsg",
            "sendto",
            "set_robust_list",
            "set_tid_address",
            "setgid",
            "setgid32",
            "setgroups",
            "setgroups32",
            "setns",
            "setrlimit",
            "setsid",
            "setsidaccept4",
            "setsockopt",
            "setuid",
            "setuid32",
            "sigaltstack",
            "socket",
            "socketcall",
            "socketpair",
            "stat",
            "stat64",
            "statfs",
            "sysinfo",
            "symlinkat",
            "tgkill",
            "umask",
            "uname",
            "unlink",
            "unlinkat",
            "wait4",
            "waitid",
            "waitpid",
            "write",
            "getgroups",
            "getpgrp",
            "setpgid"
          ],
          "action": "SCMP_ACT_ALLOW",
          "args": null
        },
        {
          "names": [
            "setns"
          ],
          "action": "SCMP_ACT_ALLOW",
          "args": [
            {
              "index": 1,
              "value": 1073741824,
              "valueTwo": 0,
              "op": "SCMP_CMP_EQ"
            }
          ],
          "comment": "",
          "includes": {},
          "excludes": {}
        }
      ]
    }
---
# Source: datadog/templates/cluster-agent-rbac.yaml
apiVersion: "rbac.authorization.k8s.io/v1"
kind: ClusterRole
metadata:
  labels: {}
  name: datadog-agent-cluster-agent
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - pods
      - nodes
      - namespaces
      - componentstatuses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - get
      - list
      - watch
      - create
  - apiGroups: ["quota.openshift.io"]
    resources:
      - clusterresourcequotas
    verbs:
      - get
      - list
  - apiGroups:
      - "autoscaling"
    resources:
      - horizontalpodautoscalers
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - datadogtoken # Kubernetes event collection state
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - datadog-leader-election # Leader election token
    verbs:
      - get
      - update
  - apiGroups: # To create the leader election token and hpa events
      - ""
    resources:
      - configmaps
      - events
    verbs:
      - create
  - nonResourceURLs:
      - "/version"
      - "/healthz"
    verbs:
      - get
  - apiGroups: # to get the kube-system namespace UID and generate a cluster ID
      - ""
    resources:
      - namespaces
    resourceNames:
      - "kube-system"
    verbs:
      - get
  - apiGroups: # To create the cluster-id configmap
      - ""
    resources:
      - configmaps
    resourceNames:
      - "datadog-cluster-id"
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - "batch"
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - namespaces
    verbs:
      - list
  - apiGroups:
      - "policy"
    resources:
      - podsecuritypolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - rolebindings
    verbs:
      - list
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - list
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - datadog-agent-cluster-agent
  - apiGroups:
      - "security.openshift.io"
    resources:
      - securitycontextconstraints
    verbs:
      - use
    resourceNames:
      - datadog-agent-cluster-agent
      - hostnetwork
---
# Source: datadog/templates/cluster-agent-rbac.yaml
apiVersion: "rbac.authorization.k8s.io/v1"
kind: ClusterRoleBinding
metadata:
  labels: {}
  name: datadog-agent-cluster-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: datadog-agent-cluster-agent
subjects:
  - kind: ServiceAccount
    name: datadog-agent-cluster-agent
    namespace: default
---
# Source: datadog/templates/agent-services.yaml
apiVersion: v1
kind: Service
metadata:
  name: datadog-agent-cluster-agent
  namespace: default
  labels: {}
spec:
  type: ClusterIP
  selector:
    app: datadog-agent-cluster-agent
  ports:
    - port: 5005
      name: agentport
      protocol: TCP
---
# Source: datadog/templates/agent-services.yaml
apiVersion: v1
kind: Service
metadata:
  name: datadog-agent
  namespace: default
  labels:
    app: "datadog-agent"
    chart: "datadog-2.28.13"
    release: "datadog-agent"
    heritage: "Helm"
spec:
  selector:
    app: datadog-agent
  ports:
    - protocol: UDP
      port: 8125
      targetPort: 8125
      name: dogstatsd
    - protocol: TCP
      port: 8126
      targetPort: 8126
      name: apm
  internalTrafficPolicy: Local
---
# Source: datadog/templates/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: datadog-agent
  namespace: default
  labels: {}
spec:
  selector:
    matchLabels:
      app: datadog-agent
  template:
    metadata:
      labels:
        app: datadog-agent
      name: datadog-agent
      annotations:
        container.apparmor.security.beta.kubernetes.io/system-probe: unconfined
        container.seccomp.security.alpha.kubernetes.io/system-probe: localhost/system-probe
    spec:
      hostPID: true
      containers:
        - name: agent
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          command: ["agent", "run"]
          resources: {}
          ports:
            - containerPort: 8125
              name: dogstatsdport
              protocol: UDP
          env:
            # Needs to be removed when Agent N-2 is built with Golang 1.17
            - name: GODEBUG
              value: x509ignoreCN=0
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
            - name: DD_KUBERNETES_KUBELET_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: KUBERNETES
              value: "yes"
            - name: DD_LOG_LEVEL
              value: "INFO"
            - name: DD_DOGSTATSD_PORT
              value: "8125"
            - name: DD_DOGSTATSD_NON_LOCAL_TRAFFIC
              value: "true"
            - name: DD_CLUSTER_AGENT_ENABLED
              value: "true"
            - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
              value: datadog-agent-cluster-agent
            - name: DD_CLUSTER_AGENT_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: datadog-agent-cluster-agent
                  key: token
            - name: DD_APM_ENABLED
              value: "false"
            - name: DD_LOGS_ENABLED
              value: "true"
            - name: DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL
              value: "true"
            - name: DD_LOGS_CONFIG_K8S_CONTAINER_USE_FILE
              value: "true"
            - name: DD_HEALTH_PORT
              value: "5555"
            - name: DD_DOGSTATSD_SOCKET
              value: "/var/run/datadog/dsd.socket"
            - name: DD_EXTRA_CONFIG_PROVIDERS
              value: "clusterchecks endpointschecks"
            - name: DD_EXPVAR_PORT
              value: "6000"
          volumeMounts:
            - name: installinfo
              subPath: install_info
              mountPath: /etc/datadog-agent/install_info
              readOnly: true
            - name: logdatadog
              mountPath: /var/log/datadog
            - name: tmpdir
              mountPath: /tmp
              readOnly: false
            - name: config
              mountPath: /etc/datadog-agent
            - name: runtimesocketdir
              mountPath: /host/var/run
              mountPropagation: None
              readOnly: true
            - name: dsdsocket
              mountPath: /var/run/datadog
            - name: sysprobe-socket-dir
              mountPath: /var/run/sysprobe
              readOnly: true
            - name: sysprobe-config
              mountPath: /etc/datadog-agent/system-probe.yaml
              subPath: system-probe.yaml
            - name: procdir
              mountPath: /host/proc
              mountPropagation: None
              readOnly: true
            - name: cgroups
              mountPath: /host/sys/fs/cgroup
              mountPropagation: None
              readOnly: true
            - name: pointerdir
              mountPath: /opt/datadog-agent/run
              mountPropagation: None
            - name: logpodpath
              mountPath: /var/log/pods
              mountPropagation: None
              readOnly: true
            - name: logscontainerspath
              mountPath: /var/log/containers
              mountPropagation: None
              readOnly: true
            - name: logdockercontainerpath
              mountPath: /var/lib/docker/containers
              mountPropagation: None
              readOnly: true
          livenessProbe:
            failureThreshold: 6
            httpGet:
              path: /live
              port: 5555
              scheme: HTTP
            initialDelaySeconds: 15
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /ready
              port: 5555
              scheme: HTTP
            initialDelaySeconds: 15
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
        - name: trace-agent
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          command: ["trace-agent", "-config=/etc/datadog-agent/datadog.yaml"]
          resources: {}
          ports:
            - containerPort: 8126
              hostPort: 8126
              name: traceport
              protocol: TCP
          env:
            # Needs to be removed when Agent N-2 is built with Golang 1.17
            - name: GODEBUG
              value: x509ignoreCN=0
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
            - name: DD_KUBERNETES_KUBELET_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: KUBERNETES
              value: "yes"
            - name: DD_CLUSTER_AGENT_ENABLED
              value: "true"
            - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
              value: datadog-agent-cluster-agent
            - name: DD_CLUSTER_AGENT_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: datadog-agent-cluster-agent
                  key: token
            - name: DD_LOG_LEVEL
              value: "INFO"
            - name: DD_APM_ENABLED
              value: "true"
            - name: DD_APM_NON_LOCAL_TRAFFIC
              value: "true"
            - name: DD_APM_RECEIVER_PORT
              value: "8126"
            - name: DD_APM_RECEIVER_SOCKET
              value: "/var/run/datadog/apm.socket"
            - name: DD_DOGSTATSD_SOCKET
              value: "/var/run/datadog/dsd.socket"
          volumeMounts:
            - name: config
              mountPath: /etc/datadog-agent
            - name: logdatadog
              mountPath: /var/log/datadog
            - name: tmpdir
              mountPath: /tmp
              readOnly: false
            - name: dsdsocket
              mountPath: /var/run/datadog
            - name: runtimesocketdir
              mountPath: /host/var/run
              mountPropagation: None
              readOnly: true
          livenessProbe:
            initialDelaySeconds: 15
            periodSeconds: 15
            tcpSocket:
              port: 8126
            timeoutSeconds: 5
        - name: process-agent
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          command: ["process-agent", "-config=/etc/datadog-agent/datadog.yaml"]
          resources: {}
          env:
            # Needs to be removed when Agent N-2 is built with Golang 1.17
            - name: GODEBUG
              value: x509ignoreCN=0
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
            - name: DD_KUBERNETES_KUBELET_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: KUBERNETES
              value: "yes"
            - name: DD_CLUSTER_AGENT_ENABLED
              value: "true"
            - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
              value: datadog-agent-cluster-agent
            - name: DD_CLUSTER_AGENT_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: datadog-agent-cluster-agent
                  key: token
            - name: DD_PROCESS_AGENT_ENABLED
              value: "true"
            - name: DD_PROCESS_AGENT_DISCOVERY_ENABLED
              value: "false"
            - name: DD_LOG_LEVEL
              value: "INFO"
            - name: DD_SYSTEM_PROBE_ENABLED
              value: "true"
            - name: DD_SYSTEM_PROBE_NETWORK_ENABLED
              value: "true"
            - name: DD_DOGSTATSD_SOCKET
              value: "/var/run/datadog/dsd.socket"
            - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
              value: "true"
          volumeMounts:
            - name: config
              mountPath: /etc/datadog-agent
            - name: logdatadog
              mountPath: /var/log/datadog
            - name: tmpdir
              mountPath: /tmp
              readOnly: false
            - name: runtimesocketdir
              mountPath: /host/var/run
              mountPropagation: None
              readOnly: true
            - name: cgroups
              mountPath: /host/sys/fs/cgroup
              mountPropagation: None
              readOnly: true
            - name: passwd
              mountPath: /etc/passwd
              readOnly: true
            - name: procdir
              mountPath: /host/proc
              mountPropagation: None
              readOnly: true
            - name: dsdsocket
              mountPath: /var/run/datadog
              readOnly: true
            - name: sysprobe-socket-dir
              mountPath: /var/run/sysprobe
              readOnly: true
            - name: sysprobe-config
              mountPath: /etc/datadog-agent/system-probe.yaml
              subPath: system-probe.yaml
        - name: system-probe
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - SYS_ADMIN
                - SYS_RESOURCE
                - SYS_PTRACE
                - NET_ADMIN
                - NET_BROADCAST
                - NET_RAW
                - IPC_LOCK
                - CHOWN
            privileged: false
          command: ["/opt/datadog-agent/embedded/bin/system-probe", "--config=/etc/datadog-agent/system-probe.yaml"]
          env:
            # Needs to be removed when Agent N-2 is built with Golang 1.17
            - name: GODEBUG
              value: x509ignoreCN=0
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
            - name: DD_KUBERNETES_KUBELET_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: KUBERNETES
              value: "yes"
            - name: DD_LOG_LEVEL
              value: "INFO"
          resources: {}
          volumeMounts:
            - name: logdatadog
              mountPath: /var/log/datadog
            - name: tmpdir
              mountPath: /tmp
              readOnly: false
            - name: debugfs
              mountPath: /sys/kernel/debug
              mountPropagation: None
            - name: config
              mountPath: /etc/datadog-agent
            - name: sysprobe-config
              mountPath: /etc/datadog-agent/system-probe.yaml
              subPath: system-probe.yaml
            - name: sysprobe-socket-dir
              mountPath: /var/run/sysprobe
            - name: procdir
              mountPath: /host/proc
              mountPropagation: None
              readOnly: true
            - name: etc-os-release
              mountPath: /host/etc/os-release
              mountPropagation: None
              readOnly: true
            - name: etc-redhat-release
              mountPath: /host/etc/redhat-release
              mountPropagation: None
              readOnly: true
            - name: etc-fedora-release
              mountPath: /host/etc/fedora-release
              mountPropagation: None
              readOnly: true
            - name: etc-lsb-release
              mountPath: /host/etc/lsb-release
              mountPropagation: None
              readOnly: true
        - name: security-agent
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add: ["AUDIT_CONTROL", "AUDIT_READ"]
          command: ["security-agent", "start", "-c=/etc/datadog-agent/datadog.yaml"]
          resources: {}
          env:
            # Needs to be removed when Agent N-2 is built with Golang 1.17
            - name: GODEBUG
              value: x509ignoreCN=0
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
            - name: DD_KUBERNETES_KUBELET_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: KUBERNETES
              value: "yes"
            - name: DD_LOG_LEVEL
              value: "INFO"
            - name: DD_COMPLIANCE_CONFIG_ENABLED
              value: "true"
            - name: DD_COMPLIANCE_CONFIG_CHECK_INTERVAL
              value: "20m"
            - name: HOST_ROOT
              value: /host/root
            - name: DD_CLUSTER_AGENT_ENABLED
              value: "true"
            - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
              value: datadog-agent-cluster-agent
            - name: DD_CLUSTER_AGENT_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: datadog-agent-cluster-agent
                  key: token
            - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
              value: "true"
            - name: DD_RUNTIME_SECURITY_CONFIG_POLICIES_DIR
              value: "/etc/datadog-agent/runtime-security.d"
            - name: DD_RUNTIME_SECURITY_CONFIG_SOCKET
              value: /var/run/sysprobe/runtime-security.sock
            - name: DD_RUNTIME_SECURITY_CONFIG_SYSCALL_MONITOR_ENABLED
              value: "false"
            - name: DD_DOGSTATSD_SOCKET
              value: "/var/run/datadog/dsd.socket"
          volumeMounts:
            - name: config
              mountPath: /etc/datadog-agent
            - name: logdatadog
              mountPath: /var/log/datadog
            - name: tmpdir
              mountPath: /tmp
              readOnly: false
            - name: dsdsocket
              mountPath: /var/run/datadog
              readOnly: true
            - name: runtimesocketdir
              mountPath: /host/var/run
              mountPropagation: None
              readOnly: true
            - name: cgroups
              mountPath: /host/sys/fs/cgroup
              readOnly: true
            - name: passwd
              mountPath: /etc/passwd
              readOnly: true
            - name: group
              mountPath: /etc/group
              readOnly: true
            - name: hostroot
              mountPath: /host/root
              readOnly: true
            - name: procdir
              mountPath: /host/proc
              readOnly: true
            - name: sysprobe-socket-dir
              mountPath: /var/run/sysprobe
              readOnly: true
            - name: sysprobe-config
              mountPath: /etc/datadog-agent/system-probe.yaml
              subPath: system-probe.yaml
      initContainers:
        - name: init-volume
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          command: ["bash", "-c"]
          args:
            - cp -r /etc/datadog-agent /opt
          volumeMounts:
            - name: config
              mountPath: /opt/datadog-agent
          resources: {}
        - name: init-config
          image: "gcr.io/datadoghq/agent:7.32.4"
          imagePullPolicy: IfNotPresent
          command: ["bash", "-c"]
          args:
            - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done
          volumeMounts:
            - name: logdatadog
              mountPath: /var/log/datadog
            - name: config
              mountPath: /etc/datadog-agent
            - name: procdir
              mountPath: /host/proc
              mountPropagation: None
              readOnly: true
            - name: runtimesocketdir
              mountPath: /host/var/run
              mountPropagation: None
              readOnly: true
            - name: sysprobe-config
              mountPath: /etc/datadog-agent/system-probe.yaml
              subPath: system-probe.yaml
          env:
            # Needs to be removed when Agent N-2 is built with Golang 1.17
            - name: GODEBUG
              value: x509ignoreCN=0
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
            - name: DD_KUBERNETES_KUBELET_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: KUBERNETES
              value: "yes"
          resources: {}
        - name: seccomp-setup
          image: "gcr.io/datadoghq/agent:7.32.4"
          command:
            - cp
            - /etc/config/system-probe-seccomp.json
            - /host/var/lib/kubelet/seccomp/system-probe
          volumeMounts:
            - name: datadog-agent-security
              mountPath: /etc/config
            - name: seccomp-root
              mountPath: /host/var/lib/kubelet/seccomp
              mountPropagation: None
          resources: {}
      volumes:
        - name: installinfo
          configMap:
            name: datadog-agent-installinfo
        - name: config
          emptyDir: {}
        - name: logdatadog
          emptyDir: {}
        - name: tmpdir
          emptyDir: {}
        - hostPath:
            path: /proc
          name: procdir
        - hostPath:
            path: /sys/fs/cgroup
          name: cgroups
        - hostPath:
            path: /etc/os-release
          name: etc-os-release
##########################################
        - hostPath:
            path: /etc/redhat-release
          name: etc-redhat-release
        - hostPath:
            path: /etc/fedora-release
          name: etc-fedora-release
#####################################+
        - hostPath:
            path: /etc/lsb-release
          name: etc-lsb-release
        - hostPath:
            path: /var/run/datadog/
            type: DirectoryOrCreate
          name: dsdsocket
        - hostPath:
            path: /var/run/datadog/
            type: DirectoryOrCreate
          name: apmsocket
######################################
        - name: s6-run
          emptyDir: {}
######################################
        - name: sysprobe-config
          configMap:
            name: datadog-agent-system-probe-config
######################################
        - name: datadog-agent-security
          configMap:
            name: datadog-agent-security
######################################
        - hostPath:
            path: /var/lib/kubelet/seccomp
          name: seccomp-root
######################################
        - hostPath:
            path: /sys/kernel/debug
          name: debugfs
######################################
        - name: sysprobe-socket-dir
          emptyDir: {}
######################################
        - hostPath:
            path: /etc/passwd
          name: passwd
######################################
        - hostPath:
            path: /
          name: hostroot
######################################
        - hostPath:
            path: /etc/group
          name: group
######################################
        - hostPath:
            path: /var/lib/datadog-agent/logs
          name: pointerdir
######################################
        - hostPath:
            path: /var/log/pods
          name: logpodpath
######################################
        - hostPath:
            path: /var/log/containers
          name: logscontainerspath
######################################
        - hostPath:
            path: /var/lib/docker/containers
          name: logdockercontainerpath
######################################
        - hostPath:
            path: /var/run
          name: runtimesocketdir
######################################
      tolerations:
      affinity: {}
      serviceAccountName: "datadog-agent"
      nodeSelector:
        kubernetes.io/os: linux
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 10%
    type: RollingUpdate
---
# Source: datadog/templates/cluster-agent-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: datadog-agent-cluster-agent
  namespace: default
  labels: {}
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  selector:
    matchLabels:
      app: datadog-agent-cluster-agent
  template:
    metadata:
      labels:
        app: datadog-agent-cluster-agent
      name: datadog-agent-cluster-agent
      annotations: {}
    spec:
      serviceAccountName: datadog-agent-cluster-agent
      containers:
        - name: cluster-agent
          image: "gcr.io/datadoghq/cluster-agent:1.16.0"
          imagePullPolicy: IfNotPresent
          resources: {}
          ports:
            - containerPort: 5005
              name: agentport
              protocol: TCP
            - containerPort: 5000
              name: agentmetrics
              protocol: TCP
          env:
            - name: DD_HEALTH_PORT
              value: "5556"
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: "datadog-agent"
                  key: api-key
                  optional: true
            - name: DD_CLUSTER_CHECKS_ENABLED
              value: "true"
            - name: DD_EXTRA_CONFIG_PROVIDERS
              value: "kube_endpoints kube_services"
            - name: DD_EXTRA_LISTENERS
              value: "kube_endpoints kube_services"
            - name: DD_LOG_LEVEL
              value: "INFO"
            - name: DD_LEADER_ELECTION
              value: "true"
            - name: DD_COLLECT_KUBERNETES_EVENTS
              value: "true"
            - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
              value: datadog-agent-cluster-agent
            - name: DD_CLUSTER_AGENT_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: datadog-agent-cluster-agent
                  key: token
            - name: DD_KUBE_RESOURCES_NAMESPACE
              value: default
            - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
              value: "true"
            - name: DD_ORCHESTRATOR_EXPLORER_CONTAINER_SCRUBBING_ENABLED
              value: "true"
            - name: DD_COMPLIANCE_CONFIG_ENABLED
              value: "true"
            - name: DD_COMPLIANCE_CONFIG_CHECK_INTERVAL
              value: "20m"
          livenessProbe:
            failureThreshold: 6
            httpGet:
              path: /live
              port: 5556
              scheme: HTTP
            initialDelaySeconds: 15
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /ready
              port: 5556
              scheme: HTTP
            initialDelaySeconds: 15
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
          volumeMounts:
            - name: installinfo
              subPath: install_info
              mountPath: /etc/datadog-agent/install_info
              readOnly: true
      volumes:
        - name: installinfo
          configMap:
            name: datadog-agent-installinfo
      affinity:
        # Force scheduling the cluster agents on different nodes
        # to guarantee that the standby instance can immediately take the lead from a leader running of a faulty node.
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: datadog-agent-cluster-agent
              topologyKey: kubernetes.io/hostname
      nodeSelector:
        kubernetes.io/os: linux
nickkostov commented 2 years ago

I know and realize I am container short, could you help me. I tried to deploy in order to verify that I will at lest get one pod working in any state.

nickkostov commented 2 years ago

My little dream here is to create a module for everyone to use and deploy fully featured set.

nickkostov commented 2 years ago

Solved it.

nickkostov commented 2 years ago

Missed a volume, I had to read the error three times until I realized what happened.

clamoriniere commented 2 years ago

Hi @nickkostov We would love to know more about how solved it :)

Or current recommandation to deploy the Datadog agent in kubernetes with terraform is to use the terraform helm provider and us our official datadog helm chart