OTAGENT-254 Add support for enhanced RBAC permissions for otel-agent

Author: krlv

charts/datadog/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Datadog changelog
 
+## 3.91.0
+
+* Add `datadog.otelCollector.rbac.create` to control creation additional ClusterRole for `otel-agent` required by Kubernetes Attributes processor.
+* Add `datadog.otelCollector.rbac.rules` to support additional RBAC permissions required by OTel components that are not included by default with `otel-agent`.
+
 ## 3.90.5
 
 * Update `fips.image.tag` to `1.1.7` updating openSSL version to 3.0.16

charts/datadog/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.90.5
+version: 3.91.0
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.90.5](https://img.shields.io/badge/Version-3.90.5-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.91.0](https://img.shields.io/badge/Version-3.91.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -803,6 +803,8 @@ helm install <RELEASE_NAME> \
 | datadog.otelCollector.config | string | `nil` | OTel collector configuration |
 | datadog.otelCollector.enabled | bool | `false` | Enable the OTel Collector |
 | datadog.otelCollector.ports | list | `[{"containerPort":"4317","name":"otel-grpc"},{"containerPort":"4318","name":"otel-http"}]` | Ports that OTel Collector is listening |
+| datadog.otelCollector.rbac.create | bool | `true` | If true, check OTel Collector config for k8sattributes processor and create required ClusterRole to access Kubernetes API |
+| datadog.otelCollector.rbac.rules | list | `[]` | A set of additional RBAC rules to apply to OTel Collector's ClusterRole |
 | datadog.otlp.logs.enabled | bool | `false` | Enable logs support in the OTLP ingest endpoint |
 | datadog.otlp.receiver.protocols.grpc.enabled | bool | `false` | Enable the OTLP/gRPC endpoint |
 | datadog.otlp.receiver.protocols.grpc.endpoint | string | `"0.0.0.0:4317"` | OTLP/gRPC endpoint |

charts/datadog/ci/agent-otel-collector-with-rbac-custom-rules-values.yaml

@@ -0,0 +1,47 @@
+targetSystem: "linux"
+agents:
+  image:
+    repository: datadog/agent-dev
+    tag: nightly-ot-beta-main
+    doNotCheckTag: true
+  containers:
+    agent:
+      env:
+        - name: DD_HOSTNAME
+          value: "datadog"
+datadog:
+  apiKey: "00000000000000000000000000000000"
+  appKey: "0000000000000000000000000000000000000000"
+  otelCollector:
+    enabled: true
+    rbac:
+      create: true
+      rules:
+        - apiGroups: [""]
+          resources: ["nodes"]
+          verbs: ["get", "watch", "list"]
+    config: |
+      processors:
+        k8sattributes/passthrough:
+          passthrough: true
+        k8sattributes:
+      receivers:
+        otlp:
+      exporters:
+        datadog:
+          api:
+            key: "00000000000000000000000000000000"
+      service:
+        pipelines:
+          traces:
+            receivers: [otlp]
+            processors: [k8sattributes]
+            exporters: [datadog]
+          metrics:
+            receivers: [otlp]
+            processors: [k8sattributes]
+            exporters: [datadog]
+          logs:
+            receivers: [otlp]
+            processors: [k8sattributes]
+            exporters: [datadog]

charts/datadog/ci/agent-otel-collector-with-rbac-values.yaml

@@ -0,0 +1,41 @@
+targetSystem: "linux"
+agents:
+  image:
+    repository: datadog/agent-dev
+    tag: nightly-ot-beta-main
+    doNotCheckTag: true
+  containers:
+    agent:
+      env:
+        - name: DD_HOSTNAME
+          value: "datadog"
+datadog:
+  apiKey: "00000000000000000000000000000000"
+  appKey: "0000000000000000000000000000000000000000"
+  otelCollector:
+    enabled: true
+    config: |
+      processors:
+        k8sattributes:
+        k8sattributes/passthrough:
+          passthrough: true
+      receivers:
+        otlp:
+      exporters:
+        datadog:
+          api:
+            key: "00000000000000000000000000000000"
+      service:
+        pipelines:
+          traces:
+            receivers: [otlp]
+            processors: [k8sattributes]
+            exporters: [datadog]
+          metrics:
+            receivers: [otlp]
+            processors: [k8sattributes]
+            exporters: [datadog]
+          logs:
+            receivers: [otlp]
+            processors: [k8sattributes]
+            exporters: [datadog]

charts/datadog/templates/_helpers.tpl

@@ -117,6 +117,22 @@ false
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return true if k8sattributes RBAC rules should be added to the OTel Agent ClusterRole
+*/}}
+{{- define "should-add-otel-agent-k8sattributes-rules" -}}
+{{- $return := false }}
+{{- $config := .Values.datadog.otelCollector.config | default "" | fromYaml }}
+{{- range $key, $val := $config.processors }}
+  {{- if hasPrefix "k8sattributes" $key }}
+    {{- if or (empty $val) (empty $val.passthrough) }}
+      {{- $return = true }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $return }}
+{{- end -}}
+
 {{/*
 Return secret name to be used based on provided values.
 */}}

charts/datadog/templates/otel-agent-rbac.yaml

@@ -0,0 +1,40 @@
+{{- if and .Values.agents.rbac.create (eq (include "should-enable-otel-agent" .) "true") .Values.datadog.otelCollector.rbac.create -}}
+{{- if or (eq (include "should-add-otel-agent-k8sattributes-rules" .) "true") .Values.datadog.otelCollector.rbac.rules -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+  name: {{ template "datadog.fullname" . }}-otel-agent
+  labels:
+{{ include "datadog.labels" . | indent 4 }}
+rules:
+{{- if eq (include "should-add-otel-agent-k8sattributes-rules" .) "true" }}
+  - apiGroups: [""]
+    resources: ["pods", "namespaces"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+{{- end -}}
+{{- if .Values.datadog.otelCollector.rbac.rules -}}
+{{ toYaml .Values.datadog.otelCollector.rbac.rules | nindent 2 -}}
+{{- end }}
+---
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "datadog.fullname" . }}-otel-agent
+  labels:
+{{ include "datadog.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "datadog.fullname" . }}-otel-agent
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "agents.serviceAccountName" . }}-otel-agent
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}

charts/datadog/values.yaml

@@ -600,6 +600,17 @@ datadog:
     # datadog.otelCollector.config -- OTel collector configuration
     config: null
 
+    ## Provide OTel Collector RBAC configuration
+    rbac:
+      # datadog.otelCollector.rbac.create -- If true, check OTel Collector config for k8sattributes processor
+      # and create required ClusterRole to access Kubernetes API
+      create: true
+      # datadog.otelCollector.rbac.rules -- A set of additional RBAC rules to apply to OTel Collector's ClusterRole
+      rules: []
+      #   - apiGroups: [""]
+      #     resources: ["pods", "nodes"]
+      #     verbs: ["get", "list", "watch"]
+
   ## Continuous Profiler configuration
   ##
   ## Continuous Profiler is disabled by default and can be enabled by setting the `enabled` field to