[CECO-743] Secret backend configuration

[tbavelier]

What does this PR do?

Implements the Secrets Backend within global to directly configure Secrets management from the DatadogAgent custom resource, providing helpers to handle RBAC similar to the Helm chart

Motivation

• https://datadoghq.atlassian.net/browse/CECO-743
• Helm chart parity
• Internal feedback

Describe your test plan

The scenarios below are covered by the unit tests and replicate them in e2e manner, verifying functionality. Ensure the new version of the CRD is installed with make install and install the built-operator with make IMG=<replace me> deploy (pre-loading your built image in your cluster with kind load docker-image <replace me> --name <KIND CLUSTER NAME>

Testing env variables

[...]
  global:
    [...]
    secretBackend:
      command: "/readsecret_multiple_providers.sh"
      args: "foo bar"
      timeout: 60

Exec into your Agent pod and assert:

• agent config | grep secret_backend -A 2 matches the parameters defined in the CR

Testing global RBAC and secrets resolution

• Remove the args and timeout. Add enableGlobalPermissions set to true. Re-deploy your CR

[...]
  global:
    [...]
    secretBackend:
      command: "/readsecret_multiple_providers.sh"
      enableGlobalPermissions: true

• Deploy the RabbitMQ operator and a sample workload :
  • kubectl apply -f "https://github.com/rabbitmq/cluster-operator/releases/download/v2.9.0/cluster-operator.yml"
  • Apply the manifest below

    apiVersion: rabbitmq.com/v1beta1
    kind: RabbitmqCluster
    metadata:
      name: rabbitmqcluster-sample
      namespace: rabbitmq-system
    spec:
      override:
        statefulSet:
          spec:
            template:
              metadata:
                annotations:
                  ad.datadoghq.com/rabbitmq.check_names: '["rabbitmq"]'
                  ad.datadoghq.com/rabbitmq.init_configs: "[{}]"
                  ad.datadoghq.com/rabbitmq.instances: |
                    [
                      {
                        "rabbitmq_api_url": "http://%%host%%:15672/api/",
                        "username": "ENC[k8s_secret@rabbitmq-system/rabbitmqcluster-sample-default-user/username]",
                        "password": "ENC[k8s_secret@rabbitmq-system/rabbitmqcluster-sample-default-user/password]"
                      }
                    ]

Assert the following :

• Both the Agent and DCA are able to access the k8s secret with k auth can-i get -n rabbitmq-system secrets/rabbitmqcluster-sample-default-user --as=system:serviceaccount:system:datadog-agent
  
• The Agent is resolving the secret successfully with agent secret inside the node Agent
  

Testing specific RBAC (roles), its priority over enableGlobalPermissions and binding

• Ensure rabbitmq-system is within WATCH_NAMESPACE variable if not using global watch scope :
  
• Add roles and enable CCR. Re-deploy your CR

[...]
  global:
    [...]
    secretBackend:
      command: "/readsecret_multiple_providers.sh"
      enableGlobalPermissions: true
      roles:
      - namespace: rabbitmq-system
        secrets:
        - "rabbitmqcluster-sample-default-user"

Assert the following :

• The Agent, DCA and CCR are able to access the k8s secret with k auth can-i get -n rabbitmq-system secrets/rabbitmqcluster-sample-default-user --as=system:serviceaccount:system:datadog-agent
• The Agent, DCA and CCR are NOT able to access the non-specified k8s secret with k auth can-i get -n rabbitmq-system secrets/rabbitmqcluster-sample-erlang-cookie --as=system:serviceaccount:system:datadog-agent

* Depending on the (other) features enabled, the DCA might have access to secrets cluster-wide, so in that case, verify the Role and RoleBinding with `secret-backend`

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label

[github-actions]

This pull request does not contain a valid label. Please add one of the following labels: bug, enhancement, refactoring, documentation, tooling, dependencies

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 85.86957% with 13 lines in your changes missing coverage. Please review.

Project coverage is 48.92%. Comparing base (5e5ce7e) to head (b981128).

Files with missing lines	Patch %	Lines
...nternal/controller/datadogagent/override/global.go	84.12%	8 Missing and 2 partials ⚠️
internal/controller/datadogagent/merger/rbac.go	57.14%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1395      +/-   ##
==========================================
+ Coverage   48.75%   48.92%   +0.17%     
==========================================
  Files         222      222              
  Lines       19342    19432      +90     
==========================================
+ Hits         9431     9508      +77     
- Misses       9425     9435      +10     
- Partials      486      489       +3     

Flag	Coverage Δ
unittests	48.92% <85.86%> (+0.17%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
api/datadoghq/v2alpha1/datadogagent_types.go	100.00% <ø> (ø)
api/datadoghq/v2alpha1/test/builder.go	91.83% <100.00%> (+0.33%)	⬆️
internal/controller/datadogagent/merger/rbac.go	32.23% <57.14%> (+0.26%)	⬆️
...nternal/controller/datadogagent/override/global.go	50.81% <84.12%> (+8.67%)	⬆️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5e5ce7e...b981128. Read the comment docs.

[fanny-jiang]

🎉

[tbavelier]

/merge

[dd-devflow]

🚂 MergeQueue: pull request added to the queue

The median merge time in main is 14m.

Use /merge -c to cancel this operation!