DataDog / helm-charts

Helm charts for Datadog products
Apache License 2.0
330 stars 1.01k forks

Agent sidecar injection support via Admission Controller #1348

Closed levan-m closed 4 months ago

levan-m commented 4 months ago

What this PR does / why we need it:

Adds support for agent sidecar injection configuration.

CECO-885

Which issue this PR fixes

(optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged)

Special notes for your reviewer:

The first two commits set up baselines, so the easiest way to review is to go to the third commit (or later).

Testing

Below we provide instructions on how to test the feature on Kind and Fargate clusters.

  1. The Agent will be installed in the `datadog-agent` namespace. The application will be installed in the `fargate` namespace.
  2. Create the secret in each namespace:

    kubectl create secret generic datadog-secret -n datadog-agent --from-literal api-key=<YOUR_DATADOG_API_KEY> --from-literal token=<CLUSTER_AGENT_TOKEN>
    kubectl create secret generic datadog-secret -n fargate --from-literal api-key=<YOUR_DATADOG_API_KEY> --from-literal token=<CLUSTER_AGENT_TOKEN>

  3. Create the RBAC below in the `fargate` namespace:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: datadog-agent
      namespace: fargate
    rules:
      - apiGroups:
          - ""
        resources:
          - nodes
          - namespaces
          - endpoints
        verbs:
          - get
          - list
      - apiGroups:
          - ""
        resources:
          - nodes/metrics
          - nodes/spec
          - nodes/stats
          - nodes/proxy
          - nodes/pods
          - nodes/healthz
        verbs:
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: datadog-agent
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: datadog-agent
    subjects:
      - kind: ServiceAccount
        name: datadog-agent
        namespace: fargate
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: datadog-agent
      namespace: fargate

##### Kind

1. Create `datadog.yaml` values file for Helm installation.

    datadog:
      apiKeyExistingSecret: datadog-secret
      clusterName: "kind-sidecar"

    agents:
      enabled: false

    clusterAgent:
      tokenExistingSecret: datadog-secret
      image:
        tag: 7.52.0-rc.2
      enabled: true
      admissionController:
        enabled: true
        agentSidecarInjection:
          enabled: true
          selectors:

4. Apply manifest `kubectl apply -f redis.yaml -n fargate`.
5. Once pod is created it should be created with 2 containers, `redis` and `datadog-agent-injected`.

##### Fargate

1. Install Datadog Agent chart in `datadog-agent` namespace using:

    helm install datadog ./charts/datadog -n datadog-agent \
        --set datadog.clusterName=cluster-name \
        --set agents.enabled=false \
        --set datadog.apiKeyExistingSecret=datadog-secret \
        --set clusterAgent.tokenExistingSecret=datadog-secret \
        --set clusterAgent.image.tag=7.52.0-rc.2 \
        --set clusterAgent.admissionController.agentSidecarInjection.enabled=true \
        --set clusterAgent.admissionController.agentSidecarInjection.provider=fargate

2. Install an application in the `fargate` namespace with an `agent.datadoghq.com/sidecar: "fargate"` pod label. Sample manifest:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: redis
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: redis
      template:
        metadata:
          labels:
            app: redis
            agent.datadoghq.com/sidecar: "fargate"
          name: redis
          annotations:
            ad.datadoghq.com/redis.check_names: '["redisdb"]'
            ad.datadoghq.com/redis.init_configs: '[{}]'
            ad.datadoghq.com/redis.instances: |
              [
                {
                  "host": "%%host%%",
                  "port": "6379"
                }
              ]
        spec:
          serviceAccountName: datadog-agent
          containers:
            - name: redis
              image: redis:latest
              args:
                - "redis-server"
              ports:
                - containerPort: 6379

3. Confirm redis pods are created with two containers.

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
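
As an added example (not part of the PR or the chart), the final verification step of the Fargate flow can be scripted: the Python below classifies each pod in saved `kubectl get pods -o json` output by whether it carries the `agent.datadoghq.com/sidecar` label and the `datadog-agent-injected` container. The function name `audit_injection`, the status strings and the sample pods are constructed for illustration.

```python
import json
import sys

SIDECAR_LABEL = "agent.datadoghq.com/sidecar"  # pod label from the Fargate steps
SIDECAR_NAME = "datadog-agent-injected"        # injected container name from the Kind steps


def audit_injection(pod_list):
    """Map each pod name in a `kubectl get pods -o json` document to a status."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        labels = meta.get("labels") or {}
        containers = pod.get("spec", {}).get("containers") or []
        names = [c.get("name") for c in containers]
        labelled = SIDECAR_LABEL in labels
        injected = SIDECAR_NAME in names
        if labelled and injected:
            status = "injected"
        elif labelled:
            status = "missing-sidecar"         # labelled, but no injected container
        elif injected:
            status = "injected-without-label"  # selected some other way
        else:
            status = "not-selected"
        report[meta.get("name", "<unnamed>")] = status
    return report


def _pod(name, labels, containers):
    """Build a minimal pod object (hypothetical helper for the sample data)."""
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"containers": [{"name": c} for c in containers]}}


# Constructed sample, shaped like `kubectl get pods -n fargate -o json` output.
SAMPLE = {"items": [
    _pod("redis-a", {"app": "redis", SIDECAR_LABEL: "fargate"}, ["redis", SIDECAR_NAME]),
    _pod("redis-b", {"app": "redis", SIDECAR_LABEL: "fargate"}, ["redis"]),
    _pod("web-c", {"app": "web"}, ["nginx"]),
]}

if __name__ == "__main__":
    # Pass a saved JSON file as the first argument; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, status in audit_injection(data).items():
        print(f"{name}: {status}")
```

A `missing-sidecar` result for a labelled pod means the pod was admitted without mutation, so it is running without the Agent the label asked for.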