usm: Match volume mounts to the CNM (#2229)

* usm: Match volume mounts to the CNM

We didn't mount the correct volumes to the process agent, hence, if CNM wasn't enabled
or after runProcessChecksInCoreAgent config turned on by default, the process-agent
container didn't have the correct mounts

* usm: Fix test expectations for Process Agent volume mounts

Update test to expect procdir, cgroups, and debugfs volume mounts in
the Process Agent container, matching the changes from commit 7789732.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: guyarb

internal/controller/datadogagent/feature/usm/feature.go

@@ -107,28 +107,24 @@ func (f *usmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provi
 	// security context capabilities
 	managers.SecurityContext().AddCapabilitiesToContainer(agent.DefaultCapabilitiesForSystemProbe(), apicommon.SystemProbeContainerName)
 
-	// volume mounts
-	procdirVol, procdirMount := volume.GetVolumes(common.ProcdirVolumeName, common.ProcdirHostPath, common.ProcdirMountPath, true)
-	managers.VolumeMount().AddVolumeMountToContainer(&procdirMount, apicommon.SystemProbeContainerName)
+	// procdir volume mount
+	procdirVol, procdirVolMount := volume.GetVolumes(common.ProcdirVolumeName, common.ProcdirHostPath, common.ProcdirMountPath, true)
 	managers.Volume().AddVolume(&procdirVol)
+	managers.VolumeMount().AddVolumeMountToContainers(&procdirVolMount, []apicommon.AgentContainerName{apicommon.ProcessAgentContainerName, apicommon.SystemProbeContainerName})
 
-	cgroupsVol, cgroupsMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)
-	managers.VolumeMount().AddVolumeMountToContainer(&cgroupsMount, apicommon.SystemProbeContainerName)
+	// cgroups volume mount
+	cgroupsVol, cgroupsVolMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)
 	managers.Volume().AddVolume(&cgroupsVol)
+	managers.VolumeMount().AddVolumeMountToContainers(&cgroupsVolMount, []apicommon.AgentContainerName{apicommon.ProcessAgentContainerName, apicommon.SystemProbeContainerName})
 
-	debugfsVol, debugfsMount := volume.GetVolumes(common.DebugfsVolumeName, common.DebugfsPath, common.DebugfsPath, false)
-	managers.VolumeMount().AddVolumeMountToContainer(&debugfsMount, apicommon.SystemProbeContainerName)
+	debugfsVol, debugfsVolMount := volume.GetVolumes(common.DebugfsVolumeName, common.DebugfsPath, common.DebugfsPath, false)
 	managers.Volume().AddVolume(&debugfsVol)
+	managers.VolumeMount().AddVolumeMountToContainers(&debugfsVolMount, []apicommon.AgentContainerName{apicommon.ProcessAgentContainerName, apicommon.SystemProbeContainerName})
 
 	// socket volume mount (needs write perms for the system probe container but not the others)
-	socketDirVol, socketDirMount := volume.GetVolumesEmptyDir(common.SystemProbeSocketVolumeName, common.SystemProbeSocketVolumePath, false)
-	managers.VolumeMount().AddVolumeMountToContainers(
-		&socketDirMount,
-		[]apicommon.AgentContainerName{
-			apicommon.SystemProbeContainerName,
-		},
-	)
-	managers.Volume().AddVolume(&socketDirVol)
+	socketVol, socketVolMount := volume.GetVolumesEmptyDir(common.SystemProbeSocketVolumeName, common.SystemProbeSocketVolumePath, false)
+	managers.Volume().AddVolume(&socketVol)
+	managers.VolumeMount().AddVolumeMountToContainer(&socketVolMount, apicommon.SystemProbeContainerName)
 
 	_, socketVolMountReadOnly := volume.GetVolumesEmptyDir(common.SystemProbeSocketVolumeName, common.SystemProbeSocketVolumePath, true)
 	managers.VolumeMount().AddVolumeMountToContainers(
@@ -156,16 +152,13 @@ func (f *usmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provi
 		Name:  common.DDSystemProbeEnabled,
 		Value: "true",
 	}
-	managers.EnvVar().AddEnvVarToContainers(
-		[]apicommon.AgentContainerName{apicommon.CoreAgentContainerName, apicommon.SystemProbeContainerName},
-		sysProbeEnableEnvVar,
-	)
+	managers.EnvVar().AddEnvVarToContainers(containersForEnvVars, sysProbeEnableEnvVar)
 
-	sysProbeSocketEnvVar := &corev1.EnvVar{
+	socketEnvVar := &corev1.EnvVar{
 		Name:  common.DDSystemProbeSocket,
 		Value: common.DefaultSystemProbeSocketPath,
 	}
-	managers.EnvVar().AddEnvVarToContainers(containersForEnvVars, sysProbeSocketEnvVar)
+	managers.EnvVar().AddEnvVarToContainers(containersForEnvVars, socketEnvVar)
 
 	// env vars for Process Agent only
 	sysProbeExternalEnvVar := &corev1.EnvVar{

internal/controller/datadogagent/feature/usm/feature_test.go

@@ -88,6 +88,21 @@ func Test_usmFeature_Configure(t *testing.T) {
 		assert.True(t, apiutils.IsEqualStruct(coreAgentMounts, coreWantVolumeMounts), "Core Agent volume mounts \ndiff = %s", cmp.Diff(coreAgentMounts, coreWantVolumeMounts))
 
 		processWantVolumeMounts := []corev1.VolumeMount{
+			{
+				Name:      common.ProcdirVolumeName,
+				MountPath: common.ProcdirMountPath,
+				ReadOnly:  true,
+			},
+			{
+				Name:      common.CgroupsVolumeName,
+				MountPath: common.CgroupsMountPath,
+				ReadOnly:  true,
+			},
+			{
+				Name:      common.DebugfsVolumeName,
+				MountPath: common.DebugfsPath,
+				ReadOnly:  false,
+			},
 			{
 				Name:      common.SystemProbeSocketVolumeName,
 				MountPath: common.SystemProbeSocketVolumePath,