[CONTP-1715] Align Operator to Helm csi daemonset and include csidrivers RBAC for DCA (#3093)

* Align with Helm Daemonset: volumes, deprecated registry, APM annotation

* Add spec.apm.enabled field to condition the CSIDriver annotation and daemonset env var

* Add list/watch/get for csidrivers to DCA clusterrole for admission controller

Author: tbavelier

api/datadoghq/v1alpha1/datadogcsidriver_types.go

@@ -40,11 +40,24 @@ type DatadogCSIDriverSpec struct {
 	// +optional
 	DSDSocketPath *string `json:"dsdSocketPath,omitempty"`
 
+	// APM configures APM/Single Step Instrumentation support for the CSI driver.
+	// +optional
+	APM *DatadogCSIDriverAPMConfig `json:"apm,omitempty"`
+
 	// Override allows customization of the CSI driver DaemonSet pod template.
 	// +optional
 	Override *DatadogCSIDriverOverride `json:"override,omitempty"`
 }
 
+// DatadogCSIDriverAPMConfig defines APM/Single Step Instrumentation settings for the CSI driver.
+// +k8s:openapi-gen=true
+type DatadogCSIDriverAPMConfig struct {
+	// Enabled enables APM/Single Step Instrumentation support for the CSI driver.
+	// Default: true
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // DatadogCSIDriverOverride provides override capabilities for the CSI driver DaemonSet.
 // +k8s:openapi-gen=true
 type DatadogCSIDriverOverride struct {

api/datadoghq/v1alpha1/zz_generated.deepcopy.go

@@ -48,6 +48,15 @@ spec:
             spec:
               description: DatadogCSIDriverSpec defines the desired state of DatadogCSIDriver
               properties:
+                apm:
+                  description: APM configures APM/Single Step Instrumentation support for the CSI driver.
+                  properties:
+                    enabled:
+                      description: |-
+                        Enabled enables APM/Single Step Instrumentation support for the CSI driver.
+                        Default: true
+                      type: boolean
+                  type: object
                 apmSocketPath:
                   description: |-
                     APMSocketPath is the host path to the APM socket.

api/datadoghq/v1alpha1/zz_generated.openapi.go

@@ -17,6 +17,17 @@
       "additionalProperties": false,
       "description": "DatadogCSIDriverSpec defines the desired state of DatadogCSIDriver",
       "properties": {
+        "apm": {
+          "additionalProperties": false,
+          "description": "APM configures APM/Single Step Instrumentation support for the CSI driver.",
+          "properties": {
+            "enabled": {
+              "description": "Enabled enables APM/Single Step Instrumentation support for the CSI driver.\nDefault: true",
+              "type": "boolean"
+            }
+          },
+          "type": "object"
+        },
         "apmSocketPath": {
           "description": "APMSocketPath is the host path to the APM socket.\nDefault: /var/run/datadog/apm.socket",
           "type": "string"

config/crd/bases/v1/datadoghq.com_datadogcsidrivers.yaml

@@ -9,6 +9,8 @@ const (
 	admissionControllerPortName                = "admissioncontrollerport"
 	admissionControllerSocketCommunicationMode = "socket"
 	admissionControllerHostipCommunicationMode = "hostip"
+	admissionControllerCSICommunicationMode    = "csi"
+	datadogCSIDriverName                       = "k8s.csi.datadoghq.com"
 
 	// DefaultAdmissionControllerServicePort default admission controller service port
 	defaultAdmissionControllerServicePort = 443

config/crd/bases/v1/datadoghq.com_datadogcsidrivers_v1alpha1.json

@@ -14,12 +14,16 @@ import (
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/fake"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/test"
+	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/store"
 	"github.com/DataDog/datadog-operator/pkg/images"
+	"github.com/DataDog/datadog-operator/pkg/kubernetes"
+	"github.com/DataDog/datadog-operator/pkg/kubernetes/rbac"
 	"github.com/DataDog/datadog-operator/pkg/testutils"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/utils/ptr"
 )
 
@@ -40,6 +44,7 @@ func Test_admissionControllerFeature_Configure(t *testing.T) {
 			WantConfigure: true,
 			ClusterAgent: test.NewDefaultComponentTest().WithWantFunc(
 				admissionControllerWantFunc(false, false, "", "", false)),
+			WantDependenciesFunc: assertCSIDriverRBAC,
 		},
 		{
 			Name: "Admission Controller enabled with validation and mutation enabled",
@@ -246,6 +251,31 @@ func Test_admissionControllerFeature_Configure(t *testing.T) {
 	tests.Run(t, buildAdmissionControllerFeature)
 }
 
+func assertCSIDriverRBAC(t testing.TB, sc store.StoreClient) {
+	crObj, found := sc.Get(kubernetes.ClusterRolesKind, "", "-cluster-agent")
+	assert.True(t, found, "Cluster Agent ClusterRole should be created")
+
+	cr, ok := crObj.(*rbacv1.ClusterRole)
+	assert.True(t, ok, "Cluster Agent ClusterRole should have the expected type")
+
+	assert.Contains(t, cr.Rules, rbacv1.PolicyRule{
+		APIGroups: []string{rbac.StorageAPIGroup},
+		Resources: []string{rbac.CSIDriversResource},
+		Verbs: []string{
+			rbac.ListVerb,
+			rbac.WatchVerb,
+		},
+	})
+	assert.Contains(t, cr.Rules, rbacv1.PolicyRule{
+		APIGroups:     []string{rbac.StorageAPIGroup},
+		Resources:     []string{rbac.CSIDriversResource},
+		ResourceNames: []string{datadogCSIDriverName},
+		Verbs: []string{
+			rbac.GetVerb,
+		},
+	})
+}
+
 func testDCAResources(acm string, registry string, cwsInstrumentationEnabled bool) *test.ComponentTest {
 	return test.NewDefaultComponentTest().WithWantFunc(
 		func(t testing.TB, mgrInterface feature.PodTemplateManagers) {

internal/controller/datadogagent/feature/admissioncontroller/const.go

@@ -81,6 +81,23 @@ func (f *admissionControllerFeature) getRBACClusterPolicyRules() []rbacv1.Policy
 				rbac.GetVerb,
 			},
 		},
+		// CSIDrivers
+		{
+			APIGroups: []string{rbac.StorageAPIGroup},
+			Resources: []string{rbac.CSIDriversResource},
+			Verbs: []string{
+				rbac.ListVerb,
+				rbac.WatchVerb,
+			},
+		},
+		{
+			APIGroups:     []string{rbac.StorageAPIGroup},
+			Resources:     []string{rbac.CSIDriversResource},
+			ResourceNames: []string{datadogCSIDriverName},
+			Verbs: []string{
+				rbac.GetVerb,
+			},
+		},
 	}
 
 	if f.cwsInstrumentationEnabled && f.cwsInstrumentationMode == "remote_copy" {

internal/controller/datadogagent/feature/admissioncontroller/feature_test.go

@@ -81,6 +81,8 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=get;create
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=list;watch
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,resourceNames=k8s.csi.datadoghq.com,verbs=get
 
 // Configure External Metrics server
 // +kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=*

internal/controller/datadogagent/feature/admissioncontroller/rbac.go

@@ -14,6 +14,8 @@ const (
 	defaultCSIDriverImageName = "csi-driver"
 	// defaultRegistrarImageName is the default CSI node driver registrar image name
 	defaultRegistrarImageName = "csi-node-driver-registrar"
+	// defaultRegistrarImageRegistry is the default CSI node driver registrar image registry
+	defaultRegistrarImageRegistry = "k8s.gcr.io/sig-storage"
 	// defaultAPMSocketPath is the default host path to the APM socket
 	defaultAPMSocketPath = "/var/run/datadog/apm.socket"
 	// defaultDSDSocketPath is the default host path to the DogStatsD socket
@@ -34,10 +36,10 @@ const (
 	registrationDirPath = "/var/lib/kubelet/plugins_registry"
 	registrarMountPath  = "/registration"
 
-	// Host path templates (used with fmt.Sprintf and the CSI driver name)
-	kubeletPluginsDirFmt = "/var/lib/kubelet/plugins/%s"
-	kubeletStorageDirFmt = "/var/lib/kubelet/plugins/%s/storage"
-	csiSocketPathFmt     = "/var/lib/kubelet/plugins/%s/csi.sock"
+	// Host paths
+	kubeletPluginsDir = "/var/lib/kubelet/plugins/datadog.csi/driver"
+	kubeletStorageDir = "/var/lib/kubelet/plugins/datadog.csi/storage"
+	csiSocketPath     = "/var/lib/kubelet/plugins/datadog.csi/driver/csi.sock"
 
 	// CSI socket path inside the container
 	csiSocketAddress = "/csi/csi.sock"
@@ -54,6 +56,9 @@ const (
 	appLabelKey                     = "app"
 	admissionControllerEnabledLabel = "admission.datadoghq.com/enabled"
 
+	// CSIDriver annotations
+	apmEnabledAnnotationKey = "csi.datadoghq.com/apm-enabled"
+
 	// finalizerName is the finalizer for CSIDriver object cleanup
 	finalizerName = "finalizer.datadoghq.com/csi-driver"
 )