Skip to content

Latest commit

 

History

History
260 lines (207 loc) · 13.2 KB

README.md

File metadata and controls

260 lines (207 loc) · 13.2 KB

Datadog Operator

Version: 1.8.2 AppVersion: 1.7.0

Values

Key Type Default Description
affinity object {} Allows to specify affinity for Datadog Operator PODs
apiKey string nil Your Datadog API key
apiKeyExistingSecret string nil Use existing Secret which stores API key instead of creating a new one
appKey string nil Your Datadog APP key
appKeyExistingSecret string nil Use existing Secret which stores APP key instead of creating a new one
clusterName string nil Set a unique cluster name reporting from the Datadog Operator.
collectOperatorMetrics bool true Configures an openmetrics check to collect operator metrics
containerSecurityContext object {} A security context defines privileges and access control settings for a container.
datadogAgent.enabled bool true Enables Datadog Agent controller
datadogAgentProfile.enabled bool false If true, enables DatadogAgentProfile controller (beta). Requires v1.5.0+
datadogCRDs.crds.datadogAgents bool true Set to true to deploy the DatadogAgents CRD
datadogCRDs.crds.datadogMetrics bool true Set to true to deploy the DatadogMetrics CRD
datadogCRDs.crds.datadogMonitors bool true Set to true to deploy the DatadogMonitors CRD
datadogCRDs.crds.datadogSLOs bool false Set to true to deploy the DatadogSLO CRD
datadogCRDs.migration.datadogAgents.conversionWebhook.enabled bool false
datadogCRDs.migration.datadogAgents.conversionWebhook.name string "datadog-operator-webhook-service"
datadogCRDs.migration.datadogAgents.conversionWebhook.namespace string "default"
datadogCRDs.migration.datadogAgents.useCertManager bool false
datadogCRDs.migration.datadogAgents.version string "v2alpha1"
datadogMonitor.enabled bool false Enables the Datadog Monitor controller
datadogSLO.enabled bool false Enables the Datadog SLO controller
dd_url string nil The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL
env list [] Define any environment variables to be passed to the operator.
fullnameOverride string ""
image.pullPolicy string "IfNotPresent" Define the pullPolicy for Datadog Operator image
image.repository string "gcr.io/datadoghq/operator" Repository to use for Datadog Operator image
image.tag string "1.7.0" Define the Datadog Operator version to use
imagePullSecrets list [] Datadog Operator repository pullSecret (ex: specify docker registry credentials)
installCRDs bool true Set to true to deploy the Datadog's CRDs
introspection.enabled bool false If true, enables introspection feature (beta). Requires v1.4.0+
logLevel string "info" Set Datadog Operator log level (debug, info, error, panic, fatal)
maximumGoroutines string nil Override default goroutines threshold for the health check failure.
metricsPort int 8383 Port used for OpenMetrics endpoint
nameOverride string "" Override name of app
nodeSelector object {} Allows to schedule Datadog Operator on specific nodes
operatorMetricsEnabled string "true" Enable forwarding of Datadog Operator metrics and events to Datadog.
podAnnotations object {} Allows setting additional annotations for Datadog Operator PODs
podLabels object {} Allows setting additional labels for for Datadog Operator PODs
rbac.create bool true Specifies whether the RBAC resources should be created
remoteConfiguration.enabled bool false If true, enables Remote Configuration in the Datadog Operator (beta). Requires clusterName, API and App keys to be set.
replicaCount int 1 Number of instances of Datadog Operator
resources object {} Set resources requests/limits for Datadog Operator PODs
secretBackend.arguments string "" Specifies the space-separated arguments passed to the command that implements the secret backend api
secretBackend.command string "" Specifies the path to the command that implements the secret backend api
serviceAccount.annotations object {} Allows setting additional annotations for service account
serviceAccount.create bool true Specifies whether a service account should be created
serviceAccount.name string nil The name of the service account to use. If not set name is generated using the fullname template
site string nil The site of the Datadog intake to send data to (documentation: https://docs.datadoghq.com/getting_started/site/)
supportExtendedDaemonset string "false" If true, supports using ExtendedDaemonSet CRD
tolerations list [] Allows to schedule Datadog Operator on tainted nodes
volumeMounts list [] Specify additional volumes to mount in the container
volumes list [] Specify additional volumes to mount in the container
watchNamespaces list [] Restricts the Operator to watch its managed resources on specific namespaces

How to configure which namespaces are watched by the Operator.

By default, the Operator only watches resources (DatadogAgent, DatadogMonitor) that are present in the same namespace.

It is possible to configure the Operator to watch resources that are present in one or several specific namespaces.

watchNamespaces:
- "default"
- "datadog"

To watch all namespaces, the following configuration needs to be used:

watchNamespaces:
- ""

Migrating to the version 1.0 of the Datadog Operator

Disclaimer

As part of the General Availability release of the Datadog Operator, we are offering a migration path for our early adopters to migrate to the GA version of the custom resource, v2alpha1/DatadogAgent.

The Datadog Operator v1.X reconciles the version v2alpha1 of the DatadogAgent custom resource, while the v0.X reconciles v1alpha1.

Requirements

If you are using the v1alpha1 with a v0.X version of the Datadog Operator and would like to upgrade, you will need to use the Conversion Webhook feature.

Start by ensuring that you have the minimum required version of the chart and it's dependencies:

NAME                	CHART VERSION	APP VERSION	DESCRIPTION
datadog/datadog-crds	0.6.1        	1          	Datadog Kubernetes CRDs chart

and for the Datadog Operator chart:

NAME                    	CHART VERSION	APP VERSION	DESCRIPTION
datadog/datadog-operator	1.1.0        	1.1.0      	Datadog Operator

Then you will need to install the cert manager if you don't have it already, add the chart:

helm repo add jetstack https://charts.jetstack.io

and then install it:

 helm install \
  cert-manager jetstack/cert-manager \
  --version v1.11.0 \
  --set installCRDs=true

Migration

You can update with the following:

helm upgrade \
    datadog-operator datadog/datadog-operator \
    --set image.tag=1.7.0 \
    --set datadogCRDs.migration.datadogAgents.version=v2alpha1 \
    --set datadogCRDs.migration.datadogAgents.useCertManager=true \
    --set datadogCRDs.migration.datadogAgents.conversionWebhook.enabled=true

Notes

Starting at the version 1.0.0 of the datadog-operator chart, the fields image.tag has a default values of 1.0.0 and datadogCRDs.migration.datadogAgents.version is v2alpha1.

We set them in the command here to illustrate the migration of going from a Datadog Operator version < 1.0.0 with a stored version of v1alpha1 to the GA version of 1.0.0 with a stored version of v2alpha1.

Implementation details

This will create a self-signed Certificate (using an Issuer) that will be used by the Certificate Manager to mutate the DatadogAgent CRD to document the caBundle that the API Server will use to contact the Conversion Webhook.

The Datadog Operator will be running the new reconciler for v2alpha1 object and will also start a Conversion Webhook Server, exposed on port 9443. This server is the one the API Server will be using to convert v1alpha1 DatadogAgent into v2alpha1.

Lifecycle

The conversionWebhook is not supposed to be an ever running process, we recommend using it to migrate your objects as a transition.

Once converted, you can store the new version of your DatadogAgent, deactivate the conversion and simply deploy v2alpha1 objects.

Roadmap

Upon releasing the v2 version of the DatadogAgent object, we will remove v1alpha1 from the CRD as part of a major update of the charts (datadog-crds and datadog-operator).

Troubleshooting

  • I don't see v2alpha1 version of the DatadogAgent resource

The v1alpha1 and the v2alpha1 are served so you might need to specify which version you want to see:

kubectl get datadogagents.v2alpha1.datadoghq.com datadog-agent
  • The Conversion is not working

The logs of the Datadog Operator pod should show that the conversion webhook is enabled, the server is running, the certificates are watched.

kubectl logs datadog-operator-XXX-YYY
[...]
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/convert"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"controller-runtime.builder","msg":"Conversion webhook enabled","GVK":"datadoghq.com/v2alpha1, Kind=DatadogAgent"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"setup","msg":"starting manager"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"controller-runtime.webhook.webhooks","msg":"Starting webhook server"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"controller-runtime.certwatcher","msg":"Updated current TLS certificate"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"controller-runtime.webhook","msg":"Serving webhook server","host":"","port":9443}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","msg":"Starting server","path":"/metrics","kind":"metrics","addr":"0.0.0.0:8383"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","msg":"Starting server","kind":"health probe","addr":"0.0.0.0:8081"}
{"level":"INFO","ts":"2023-02-16T16:47:07Z","logger":"controller-runtime.certwatcher","msg":"Starting certificate watcher"}
[...]
  • Check the service registered for the conversion for a registered Endpoint
kubectl describe service datadog-operator-webhook-service
[...]
Name:              datadog-operator-webhook-service
Namespace:         default
[...]
Selector:          app.kubernetes.io/instance=datadog-operator,app.kubernetes.io/name=datadog-operator
[...]
Port:              <unset>  443/TCP
TargetPort:        9443/TCP
Endpoints:         10.88.3.28:9443
  • Verify the registered service for the conversion webhook
kubectl describe crd datadogagents.datadoghq.com
[...]
  Conversion:
    Strategy:  Webhook
    Webhook:
      Client Config:
        Ca Bundle:  LS0t[...]UtLS0tLQo=
        Service:
          Name:       datadog-operator-webhook-service
          Namespace:  default
          Path:       /convert
          Port:       443
      Conversion Review Versions:
        v1
  • The CRD does not have the caBundle

Make sure that the CRD has the correct annotation: cert-manager.io/inject-ca-from: default/datadog-operator-serving-cert and check the logs of the cert-manager-cainjector pod.

If you do not see anything standing out, setting the log level to 5 (debug) might help:

kubectl edit deploy cert-manager-cainjector -n cert-manager
[...]
    spec:
      containers:
      - args:
        - --v=5
[...]

You should see logs such as:

[...]
I0217 08:11:15.582479       1 controller.go:178] cert-manager/certificate/customresourcedefinition/generic-inject-reconciler "msg"="updated object" "resource_kind"="CustomResourceDefinition" "resource_name"="datadogagents.datadoghq.com" "resource_namespace"="" "resource_version"="v1"
I0217 08:25:24.989209       1 sources.go:98] cert-manager/certificate/customresourcedefinition/generic-inject-reconciler "msg"="Extracting CA from Certificate resource" "certificate"="default/datadog-operator-serving-cert" "resource_kind"="CustomResourceDefinition" "resource_name"="datadogagents.datadoghq.com" "resource_namespace"="" "resource_version"="v1"
[...]

Rollback

If you migrated to the new version of the Datadog Operator using v2alpha1 but want to rollback to the former version, we recommend:

  • Scaling the Datadog Operator deployment to 0 replicas.
    kubectl scale deploy datadog-operator --replicas=0
    
  • Upgrading the chart to have v1alpha1 stored and for the Datadog Operator to use the 0.8.X image.
    helm upgrade \
      datadog-operator datadog/datadog-operator \
      --set image.tag=0.8.4 \
      --set datadogCRDs.migration.datadogAgents.version=v1alpha1 \
      --set datadogCRDs.migration.datadogAgents.useCertManager=false \
      --set datadogCRDs.migration.datadogAgents.conversionWebhook.enabled=false
    
  • Redeploy the previous DatadogAgent v1alpha1 object.

Note: The Daemonset of the Datadog Agents will be rolled out in the process.