Skip to content

[AGENTONB-2664] Generate Certificate Authority for Agent pods #2304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Eokye wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[AGENTONB-2664] Generate Certificate Authority for Agent pods #2304

Eokye wants to merge 3 commits into from

Conversation

@Eokye
Copy link
Contributor

@Eokye Eokye commented Nov 10, 2025
edited
Loading

What does this PR do?

A brief description of the change being made with this pull request.

Motivation

What inspired you to submit this pull request?

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: vX.Y.Z
  • Cluster Agent: vX.Y.Z

Describe your test plan

Write there any instructions and details you may have to test your PR.
Add the following env vars to your agent manifest and apply:

    env:
      - name: DD_CLUSTER_TRUST_CHAIN_ENABLE_TLS_VERIFICATION
        value: "true"
      - name: DD_CLUSTER_TRUST_CHAIN_CA_CERT_FILE_PATH
        value: "/etc/datadog-agent/certificates/tls.crt"
      - name: DD_CLUSTER_TRUST_CHAIN_CA_KEY_FILE_PATH
        value: "/etc/datadog-agent/certificates/tls.key"
  1. Check that volumes are mounted on pods and agent container. To be extra thorough for node-agent, you could enable all the relevant features to see if all agent containers have the correct mount path: /etc/datadog-agent/certificates from certificates:
    npm: 
      enabled: true
    liveProcessCollection:
      enabled: true
    liveContainerCollection:
      enabled: true
    otelCollector:
      enabled: true
    apm:
      enabled: true
      hostPortConfig:
         enabled: true
         hostPort: 8126
    cws:
      enabled: true
  1. Get logs from node agent k logs... and see if "Successfully connected to Datadog Cluster Agent" is in the logs.
  2. exec into the cluster agent pod and run
openssl s_client -connect datadog-cluster-agent:5005 \
  -CAfile /etc/datadog-agent/certificates/tls.crt \
  -showcerts

Service certificates should have Datadog Agent CA as the issuer. You should see this in the service certificates:

Server certificate
subject=O = "Datadog, Inc."
issuer=O = Datadog, CN = Datadog Agent CA

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label

@Eokye Eokye added this to the v1.21.0 milestone Nov 10, 2025
@Eokye Eokye added the enhancement New feature or request label Nov 10, 2025
@Eokye Eokye marked this pull request as ready for review November 14, 2025 19:52
@Eokye Eokye requested a review from a team as a code owner November 14, 2025 19:52
@Eokye Eokye modified the milestones: v1.21.0, v1.22.0 Nov 14, 2025
@codecov-commenter
Copy link

codecov-commenter commented Nov 14, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 3.22581% with 90 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.25%. Comparing base (c3c51b1) to head (bc6762b).
⚠️ Report is 17 commits behind head on main.

Files with missing lines Patch % Lines
pkg/certificates/cert_manager.go 0.00% 76 Missing ⚠️
...controller/datadogagent/component/agent/default.go 14.28% 6 Missing ⚠️
internal/controller/datadogagent/common/volumes.go 0.00% 3 Missing ⚠️
...controller/datadogagent/controller_reconcile_v2.go 40.00% 2 Missing and 1 partial ⚠️
...adogagent/component/clusterchecksrunner/default.go 0.00% 2 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #2304      +/-   ##
==========================================
- Coverage   38.38%   38.25%   -0.14%     
==========================================
  Files         255      259       +4     
  Lines       21113    22561    +1448     
==========================================
+ Hits         8104     8630     +526     
- Misses      12383    13285     +902     
- Partials      626      646      +20
Flag Coverage Δ
unittests 38.25% <3.22%> (-0.14%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...adogagent/component/clusterchecksrunner/default.go 10.52% <0.00%> (-0.12%) ⬇️
internal/controller/datadogagent/common/volumes.go 0.00% <0.00%> (ø)
...controller/datadogagent/controller_reconcile_v2.go 57.29% <40.00%> (-0.49%) ⬇️
...controller/datadogagent/component/agent/default.go 8.44% <14.28%> (+1.64%) ⬆️
pkg/certificates/cert_manager.go 0.00% <0.00%> (ø)

... and 15 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c3c51b1...bc6762b. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@levan-m levan-m modified the milestones: v1.22.0, v1.21.0, v1.23.0 Dec 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

v1.23.0

Development

Successfully merging this pull request may close these issues.

4 participants

@Eokye @codecov-commenter @levan-m