From 4e9099b5bcec1a1f3ea6ecb9c1c675f2ed44c9fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Bavelier?= Date: Fri, 30 Aug 2024 14:20:37 +0200 Subject: [PATCH] add RBAC to DCA when roles --- charts/datadog/CHANGELOG.md | 4 ++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 2 +- .../datadog/templates/cluster-agent-rbac.yaml | 41 +++++++++++++++++++ 4 files changed, 47 insertions(+), 2 deletions(-) diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index 415a0212c..f615fff48 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.70.6 + +* Add `Role` and `RoleBinding` to `Cluster-Agent` when `datadog.secretBackend.roles` is enabled, allowing the cluster Agent to access specified secrets. It was previously only enabled for `Agent`. + ## 3.70.5 * Set default `Agent` and `Cluster-Agent` version to `7.56.1`. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index 3a619bd20..9d68affa5 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.70.5 +version: 3.70.6 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 0ad03910d..37232aa31 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.70.5](https://img.shields.io/badge/Version-3.70.5-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.70.6](https://img.shields.io/badge/Version-3.70.6-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). diff --git a/charts/datadog/templates/cluster-agent-rbac.yaml b/charts/datadog/templates/cluster-agent-rbac.yaml index bcdd6e53e..528673f2f 100644 --- a/charts/datadog/templates/cluster-agent-rbac.yaml +++ b/charts/datadog/templates/cluster-agent-rbac.yaml 
@@ -385,6 +385,47 @@ subjects: {{- end }} {{- end }} +{{- if and (eq (include "should-deploy-cluster-agent" .) "true") .Values.clusterAgent.rbac.create }} +{{- range $role := .Values.datadog.secretBackend.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "datadog.fullname" $ }}-dca-secret-reader-{{ $role.namespace }} + namespace: {{ $role.namespace }} + labels: +{{ include "datadog.labels" $ | indent 4 }} +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: {{ toYaml $role.secrets | nindent 6 }} + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "datadog.fullname" $ }}-dca-read-secrets-{{ $role.namespace }} + namespace: {{ $role.namespace }} + labels: +{{ include "datadog.labels" $ | indent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "datadog.fullname" $ }}-cluster-agent + apiGroup: "" + namespace: {{ $.Release.Namespace }} +roleRef: + kind: Role + name: {{ template "datadog.fullname" $ }}-dca-secret-reader-{{ $role.namespace }} + apiGroup: "" +{{- end }} # end range $role := .Values.datadog.secretBackend.roles +{{- end }} + + {{- if and (eq (include "should-deploy-cluster-agent" .) "true") .Values.clusterAgent.rbac.create .Values.clusterAgent.metricsProvider.enabled }} --- apiVersion: {{ template "rbac.apiVersion" . }}
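Review bot: In the new Role, `resourceNames: {{ toYaml $role.secrets | nindent 6 }}` renders `null` (or `[]`) when a `datadog.secretBackend.roles` entry omits or empties `secrets`, and Kubernetes RBAC treats a missing or empty `resourceNames` as "all names", so one misconfigured entry would hand the cluster agent get/list/watch on every Secret in that namespace; make the render fail instead, e.g. `resourceNames: {{ toYaml (required "datadog.secretBackend.roles[].secrets must list the secret names" $role.secrets) | nindent 6 }}`. The `list` and `watch` verbs also add little here, since RBAC only honors `resourceNames` on list/watch when the request carries a matching `metadata.name` field selector — if the cluster agent fetches secrets by name, `get` alone is the least-privilege grant and matches what the changelog describes. For consistency with the rest of this file, which reaches the RBAC group through `{{ template "rbac.apiVersion" . }}` (visible in the trailing context line), the two hardcoded `apiVersion: rbac.authorization.k8s.io/v1` lines should use that same helper. Because the one `roles` list now drives both the node Agent and the cluster Agent bindings, every listed secret becomes readable by both components; that widening deserves a note in the values documentation, or a per-entry opt-out, so operators can keep a secret scoped to whichever component actually needs it.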