From 9bdffe5a84d3a9792a1966076f313730d2a2d73f Mon Sep 17 00:00:00 2001 From: Sylvain Baubeau Date: Tue, 11 Jul 2023 18:06:38 +0200 Subject: [PATCH] Allow enabling SBOM collection for host and container images --- charts/datadog/CHANGELOG.md | 4 +++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 5 +++- .../datadog/templates/_container-agent.yaml | 16 ++++++++++ charts/datadog/templates/_helpers.tpl | 29 +++++++++++++++++++ charts/datadog/values.yaml | 18 ++++++++++++ 6 files changed, 72 insertions(+), 2 deletions(-) diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index 82e657a20..c84e2e942 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.36.3 + +* Allow enabling SBOM collection for host and container images. + ## 3.36.2 * Update `fips.image.tag` to `0.5.5` which upgrades HAProxy to 2.4.24 and zlib to 1.3 diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index acb0b056b..697f4da97 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.36.2 +version: 3.36.3 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index c9fcf2378..f99df5439 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.36.2](https://img.shields.io/badge/Version-3.36.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.36.3](https://img.shields.io/badge/Version-3.36.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -632,6 +632,9 @@ helm install \
 | datadog.envFrom | list | `[]` | Set environment variables for all Agents directly from configMaps and/or secrets |
 | datadog.excludePauseContainer | bool | `true` | Exclude pause containers from the Agent Autodiscovery. |
 | datadog.expvarPort | int | `6000` | Specify the port to expose pprof and expvar to not interfer with the agentmetrics port from the cluster-agent, which defaults to 5000 |
+| datadog.features.containerMonitoring.containerImageCollection.enabled | bool | `false` | Enable collection of container images metadata |
+| datadog.features.sbom.containerImage.enabled | bool | `false` | Enable SBOM collection for container images |
+| datadog.features.sbom.host.enabled | bool | `false` | Enable SBOM collection for host filesystem |
 | datadog.helmCheck.collectEvents | bool | `false` | Set this to true to enable event collection in the Helm Check (Requires Agent 7.36.0+ and Cluster Agent 1.20.0+) This requires datadog.HelmCheck.enabled to be set to true |
 | datadog.helmCheck.enabled | bool | `false` | Set this to true to enable the Helm check (Requires Agent 7.35.0+ and Cluster Agent 1.19.0+) This requires clusterAgent.enabled to be set to true |
 | datadog.helmCheck.valuesAsTags | object | `{}` | Collects Helm values from a release and uses them as tags (Requires Agent and Cluster Agent 7.40.0+). This requires datadog.HelmCheck.enabled to be set to true |
diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml
index 1e199823f..cbbbde54b 100644
--- a/charts/datadog/templates/_container-agent.yaml
+++ b/charts/datadog/templates/_container-agent.yaml
@@ -152,6 +152,22 @@
 value: {{ .Values.datadog.expvarPort | quote }}
 - name: DD_COMPLIANCE_CONFIG_ENABLED
 value: {{ .Values.datadog.securityAgent.compliance.enabled | quote }}
+ {{- if eq (include "should-enable-container-image-collection" .) "true" }}
+ - name: DD_CONTAINER_IMAGE_ENABLED
+ value: "true"
+ {{- end }}
+ {{- if or .Values.datadog.features.sbom.host.enabled (eq (include "should-enable-sbom-container-image-collection" .) "true") }}
+ - name: DD_SBOM_ENABLED
+ value: "true"
+ {{- if eq (include "should-enable-sbom-container-image-collection" .) "true" }}
+ - name: DD_SBOM_CONTAINER_IMAGE_ENABLED
+ value: "true"
+ {{- end }}
+ {{- if .Values.datadog.features.sbom.host.enabled }}
+ - name: DD_SBOM_HOST_ENABLED
+ value: "true"
+ {{- end }}
+ {{- end }}
 {{- include "additional-env-entries" .Values.agents.containers.agent.env | indent 4 }}
 {{- include "additional-env-dict-entries" .Values.agents.containers.agent.envDict | indent 4 }}
 volumeMounts:
diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
index 14e4508bb..25eab165b 100644
--- a/charts/datadog/templates/_helpers.tpl
+++ b/charts/datadog/templates/_helpers.tpl
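Review bot: `DD_SBOM_HOST_ENABLED` is exported when `datadog.features.sbom.host.enabled` is set, but this hunk adds no volume for the host filesystem; unless the agent container already mounts the host root elsewhere in this template, a host SBOM scan will only see the agent's own container filesystem. Worth confirming against the `volumeMounts:` section that follows and, if it is missing, adding a read-only host root mount and documenting that requirement next to the flag in values.yaml. The `eq (include "should-enable-sbom-container-image-collection" .) "true"` expression is also evaluated twice; capturing it once, e.g. `{{- $sbomImage := eq (include "should-enable-sbom-container-image-collection" .) "true" -}}`, before the first `if` would read more clearly and keep both conditions in sync. The enclosing container definition starts and ends outside the hunk.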
@@ -831,3 +831,32 @@ true
 false
 {{- end -}}
 {{- end -}}
+
+{{/*
+ Return true if container image collection is enabled
+*/}}
+{{- define "should-enable-container-image-collection" -}}
+ {{- if and (not .Values.datadog.containerRuntimeSupport.enabled)
+ (or .Values.datadog.features.containerMonitoring.containerImageCollection.enabled .Values.datadog.features.sbom.containerImage.enabled) -}}
+ {{- fail "Container runtime support has to be enabled for container image collection to work. Please enable it using `datadog.containerRuntimeSupport.enabled`." -}}
+ {{- end -}}
+ {{- if or .Values.datadog.features.containerMonitoring.containerImageCollection.enabled .Values.datadog.features.sbom.containerImage.enabled -}}
+ true
+ {{- else -}}
+ false
+ {{- end -}}
+{{- end -}}
+
+{{/*
+ Return true if SBOM collection for container image is enabled
+*/}}
+{{- define "should-enable-sbom-container-image-collection" -}}
+ {{- if .Values.datadog.features.sbom.containerImage.enabled -}}
+ {{- if not (eq (include "should-enable-container-image-collection" .) "true") -}}
+ {{- fail "Container runtime support has to be enabled for SBOM collection to work. Please enable it using `datadog.containerRuntimeSupport.enabled`." -}}
+ {{- end -}}
+ true
+ {{- else -}}
+ false
+ {{- end -}}
+{{- end -}}
diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
index 1aa50888b..c57c4b1ae 100644
--- a/charts/datadog/values.yaml
+++ b/charts/datadog/values.yaml
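Review bot: The inner `fail` in `should-enable-sbom-container-image-collection` is unreachable: it includes `should-enable-container-image-collection`, whose own guard already aborts with the container-image message whenever `sbom.containerImage.enabled` is set and `containerRuntimeSupport.enabled` is not, so the SBOM-specific message is never shown and the nested `if not (eq ...)` can only ever be false. Either drop the dead check and its message, or keep the SBOM flag out of the first helper's `fail` condition so each helper reports the error for the flag it owns. In the first helper the `or` of the two flags is also evaluated twice; binding it once, `{{- $imageCollection := or .Values.datadog.features.containerMonitoring.containerImageCollection.enabled .Values.datadog.features.sbom.containerImage.enabled -}}`, keeps the guard and the return value from drifting apart.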
@@ -799,6 +799,24 @@ datadog: ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#pause-containers excludePauseContainer: true + features: + + # Container monitoring + containerMonitoring: + containerImageCollection: + # datadog.features.containerMonitoring.containerImageCollection.enabled -- Enable collection of container images metadata + enabled: false + + # (Software Bill Of Materials) configuration + sbom: + containerImage: + # datadog.features.sbom.containerImage.enabled -- Enable SBOM collection for container images + enabled: false + + host: + # datadog.features.sbom.host.enabled -- Enable SBOM collection for host filesystem + enabled: false + ## This is the Datadog Cluster Agent implementation that handles cluster-wide ## metrics more cleanly, separates concerns for better rbac, and implements ## the external metrics API so you can autoscale HPAs based on datadog metrics
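Review bot: The comment `# (Software Bill Of Materials) configuration` is missing its subject and should read `# SBOM (Software Bill Of Materials) configuration`. The helm-docs lines for `datadog.features.containerMonitoring.containerImageCollection.enabled` and `datadog.features.sbom.containerImage.enabled` should also state that `datadog.containerRuntimeSupport.enabled` must be true, because `_helpers.tpl` aborts rendering with `fail` otherwise and a user reading only values.yaml has no way to anticipate that. A short note on `datadog.features.sbom.host.enabled` that the scan targets the node's filesystem rather than the agent container (which presumably needs the host root visible to the agent) would let operators judge the scope of what they are enabling.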