rebuild datadog-cluster-agent

.github/workflows/base-images.yaml

@@ -141,6 +141,6 @@ jobs:
           path: './oci/base/ubuntu'
           build_file: 'Dockerfile' 
           image: public/ubuntu
-          tag: latest
+          tag: 22.04
           cache: true
           cache_registry: cache

.github/workflows/datadog-agent.yaml

@@ -0,0 +1,29 @@
+name: Build & push chart builder apline base image
+on:
+  pull_request:
+  push:
+    paths:
+      - '.github/workflows/datadog-agent.yaml'
+      - 'oci/datadog-cluster-agent/Dockerfile'
+    branches:
+      - main
+
+jobs:
+  datadog-agent:
+    runs-on: ubuntu-latest
+    name: build chart builder datadog-cluster-agent image
+    steps:
+      - uses: actions/checkout@master
+
+      - name: 'Artifact: build && push datadog-cluster-agent image'
+        uses: aevea/action-kaniko@master
+        with:
+          registry: artifact.onwalk.net
+          username: admin 
+          password: ${{ secrets.HELM_REPO_PASSWORD }}
+          path: 'oci/datadog-cluster-agent/'
+          build_file: 'Dockerfile'
+          image: public/datadog-cluster-agent
+          tag: latest
+          cache: false
+          cache_registry: cache

oci/datadog-cluster-agent/DOCKERHUB.md

@@ -0,0 +1,7 @@
+# Documentation
+
+Refer to the official [Cluster Agent documentation page](https://docs.datadoghq.com/agent/cluster_agent/).
+
+# Support
+
+For issues and help troubleshooting, contact [Datadog support team](https://docs.datadoghq.com/help/). If you want to contribute or think you found a bug in the agent, let's talk in the [Datadog/datadog-agent github repositoty](https://github.com/DataDog/datadog-agent).

oci/datadog-cluster-agent/Dockerfile

@@ -0,0 +1,99 @@
+########################################
+# Preparation stage: layout and chmods #
+########################################
+
+FROM ubuntu:22.04 as builder
+ARG TARGETARCH
+LABEL baseimage.os "ubuntu jammy LTS"
+LABEL baseimage.name "ubuntu:22.04"
+
+WORKDIR /output
+
+COPY datadog-cluster-agent.$TARGETARCH opt/datadog-agent/bin/datadog-cluster-agent
+COPY ./conf.d etc/datadog-agent/conf.d
+COPY ./datadog-cluster.yaml etc/datadog-agent/datadog-cluster.yaml
+COPY ./security-agent-policies/compliance/containers/ etc/datadog-agent/compliance.d
+COPY ./install_info etc/datadog-agent/install_info
+COPY entrypoint.sh .
+COPY readsecret.sh readsecret_multiple_providers.sh ./
+
+RUN chmod 755 entrypoint.sh \
+    && chown root:root readsecret.sh readsecret_multiple_providers.sh \
+    && chmod 550 readsecret.sh readsecret_multiple_providers.sh \
+    && chmod g+r,g+w,g+X -R etc/datadog-agent/ \
+    && chmod +x opt/datadog-agent/bin/datadog-cluster-agent \
+    && ln -s /opt/datadog-agent/bin/datadog-cluster-agent opt/datadog-agent/bin/agent
+
+FROM builder AS nosys-seccomp
+COPY nosys-seccomp/nosys.c   /tmp/nosys.c
+COPY nosys-seccomp/nosys.sym /tmp/nosys.sym
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt update && apt install --no-install-recommends -y gcc libc6-dev libseccomp-dev
+RUN gcc -pipe -Wall -Wextra -O2 -shared -fPIC -Wl,--version-script=/tmp/nosys.sym -o /tmp/nosys.so /tmp/nosys.c -lseccomp
+
+####################################
+# Actual docker image construction #
+####################################
+
+FROM artifact.onwalk.net/public/ubuntu:22.04
+
+LABEL maintainer "Datadog <package@datadoghq.com>"
+
+ARG CIBUILD
+# NOTE about APT mirrorlists:
+# It seems that this feature could use some improvement. If you just get mirrorlist
+# from mirrors.ubuntu.com/mirrors.txt, it might contain faulty mirrors that either
+# cause `apt update` to fail with exit code 100 or make it hang on `0% [Working]`
+# indefinitely. Therefore we create a mirrorlist with the 2 mirrors that we know
+# should be reliable enough in combination and also well maintained.
+RUN if [ "$CIBUILD" = "true" ]; then \
+  echo "http://us-east-1.ec2.archive.ubuntu.com/ubuntu\tpriority:1\nhttp://archive.ubuntu.com/ubuntu" > /etc/apt/mirrorlist.main && \
+  echo "http://us-east-1.ec2.ports.ubuntu.com/ubuntu-ports\tpriority:1\nhttp://ports.ubuntu.com/ubuntu-ports" > /etc/apt/mirrorlist.ports && \
+  sed -i -e 's#http://archive.ubuntu.com\S*#mirror+file:/etc/apt/mirrorlist.main#g' \
+         -e 's#http://security.ubuntu.com\S*#mirror+file:/etc/apt/mirrorlist.main#g' \
+         -e 's#http://ports.ubuntu.com\S*#mirror+file:/etc/apt/mirrorlist.ports#g' /etc/apt/sources.list; \
+  fi
+
+ENV PATH="/opt/datadog-agent/bin/:$PATH" \
+    DOCKER_DD_AGENT="true" \
+    # Allow User Group to exec the secret backend script.
+    DD_SECRET_BACKEND_COMMAND_ALLOW_GROUP_EXEC_PERM="true"
+
+RUN apt-get update \
+    && apt full-upgrade -y \
+    && apt-get install --no-install-recommends -y ca-certificates curl libseccomp2 tzdata \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=builder /output /
+
+# Allow running as an unprivileged user:
+# - General case is the dd-agent user
+# - OpenShift uses a random UID in the root group
+#
+# Containerd does not preserve permissions when mounting a volume on top
+# of an empty folder. Creating .placeholder files as a workaround.
+#
+RUN adduser --system --no-create-home --disabled-password --ingroup root dd-agent \
+    && mkdir -p /var/log/datadog/ /conf.d \
+    && touch /var/log/datadog/.placeholder \
+    && touch /tmp/.placeholder \
+    && chown -R dd-agent:root /etc/datadog-agent/ /var/log/datadog/ /conf.d /tmp/ \
+    && chmod g+r,g+w,g+X -R /etc/datadog-agent/ /var/log/datadog/ /conf.d /tmp/
+
+# Ensure the glibc doesn't try to call syscalls that may not be supported
+COPY --from=nosys-seccomp /tmp/nosys.so /lib/x86_64-linux-gnu/nosys.so
+ENV LD_PRELOAD=/lib/x86_64-linux-gnu/nosys.so
+
+# Incompatible with the custom metrics API on port 443
+# Set DD_EXTERNAL_METRICS_PROVIDER_PORT to a higher value to run as non-root
+# USER dd-agent
+
+# Leave following directories RW to allow use of readonly rootfs
+VOLUME ["/etc/datadog-agent", "/var/log/datadog", "/tmp"]
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+# No docker healthcheck, use a HTTP check
+# on port 5005 and/or 443 on Kubernetes
+
+CMD ["datadog-cluster-agent", "start"]

oci/datadog-cluster-agent/README.md

@@ -0,0 +1,8 @@
+# Datadog Cluster Agent | Containerized environments
+
+Information on The Datadog Cluster Agent is available in the Datadog documentation: [docs.datadoghq.com/agent/agent/cluster_agent][1]
+
+The Datadog Cluster Agent image is available [in the docker hub][2].
+
+[1]: https://docs.datadoghq.com/agent/cluster_agent/
+[2]: https://hub.docker.com/r/datadog/cluster-agent/

oci/datadog-cluster-agent/conf.d/kubernetes_apiserver.d/conf.yaml.default

@@ -0,0 +1,25 @@
+init_config:
+instances:
+  - ## Tagging
+    ##
+
+    # You can add extra tags to your Kubernetes API Server metrics, events and Service Checks with the tags list option.
+    #
+    # tags: ["foo:bar"]
+    #
+    # To deactivate the event collection, flip the collect_events option to false.
+    # collect_events: false
+    #
+    # Specify a list of exclusion filters over the event type, involvedObject.kind, reason, following the Kubernetes field-selector format.
+    #
+    # filtered_event_types: ["reason!=FailedGetScale","involvedObject.kind==Pod","type==Normal"]
+    #
+    # Maximum number of events you wish to collect per check run.
+    # max_events_per_run: 300
+    #
+    # Parameter specified by the Cluster Agent when the event collection is configured as a cluster check.
+    # skip_leader_election: false
+    #
+    # Specify the frequency in seconds at which the Agent should list all events to re-sync following the informer pattern
+    #
+    # kubernetes_event_resync_period_s: 300

oci/datadog-cluster-agent/conf.d/orchestrator.d/conf.yaml.default

@@ -0,0 +1,6 @@
+ad_identifiers:
+  - _kube_orchestrator
+init_config:
+
+instances:
+  -

oci/datadog-cluster-agent/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-present Datadog, Inc.
+
+
+##### Core config #####
+
+if [[ -z "$DD_API_KEY" ]]; then
+    echo "You must set an DD_API_KEY environment variable to run the Datadog Cluster Agent container"
+    exit 1
+fi
+
+##### Copy the custom confs removing any ".." folder in the paths #####
+find /conf.d -name '*.yaml' -o -name '*.yaml.default' | sed -E "s#/\.\.[^/]+##" | xargs -I{} cp --parents -fv {} /etc/datadog-agent/
+
+##### Starting up #####
+export PATH="/opt/datadog-agent/bin/datadog-cluster-agent/:/opt/datadog-agent/embedded/bin/":$PATH
+
+exec "$@"

oci/datadog-cluster-agent/install_info

@@ -0,0 +1,5 @@
+---
+install_method:
+  tool: docker
+  tool_version: docker
+  installer_version: docker

oci/datadog-cluster-agent/readsecret.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-present Datadog, Inc.
+
+/opt/datadog-agent/bin/datadog-cluster-agent secret-helper read $@

oci/datadog-cluster-agent/readsecret_multiple_providers.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-present Datadog, Inc.
+
+/opt/datadog-agent/bin/datadog-cluster-agent secret-helper read --with-provider-prefixes