Add support for secret_refresh_interval (#1913) (#1921)

(cherry picked from commit 58ce3eb)

Co-authored-by: maxime mouial <[email protected]>

Author: datadog-githubops-containers[bot]

api/datadoghq/v2alpha1/datadogagent_types.go

@@ -1546,6 +1546,11 @@ type SecretBackendConfig struct {
 	// +optional
 	Timeout *int32 `json:"timeout,omitempty"`
 
+	// The refresh interval for secrets (0 disables refreshing).
+	// Default: `0`.
+	// +optional
+	RefreshInterval *int32 `json:"refreshInterval,omitempty"`
+
 	// Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets.
 	// Default: `false`.
 	// +optional

api/datadoghq/v2alpha1/zz_generated.deepcopy.go

@@ -2791,6 +2791,12 @@ spec:
                             Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets.
                             Default: `false`.
                           type: boolean
+                        refreshInterval:
+                          description: |-
+                            The refresh interval for secrets (0 disables refreshing).
+                            Default: `0`.
+                          format: int32
+                          type: integer
                         roles:
                           description: |-
                             Roles for Datadog to read the specified secrets, replacing `enableGlobalPermissions`.

api/datadoghq/v2alpha1/zz_generated.openapi.go

@@ -2917,6 +2917,11 @@
                   "description": "Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets.\nDefault: `false`.",
                   "type": "boolean"
                 },
+                "refreshInterval": {
+                  "description": "The refresh interval for secrets (0 disables refreshing).\nDefault: `0`.",
+                  "format": "int32",
+                  "type": "integer"
+                },
                 "roles": {
                   "description": "Roles for Datadog to read the specified secrets, replacing `enableGlobalPermissions`.\nThey are defined as a list of namespace/secrets.\nEach defined namespace needs to be present in the DatadogAgent controller using `WATCH_NAMESPACE` or `DD_AGENT_WATCH_NAMESPACE`.\nSee also: https://github.com/DataDog/datadog-operator/blob/main/docs/secret_management.md#how-to-deploy-the-agent-components-using-the-secret-backend-feature-with-datadogagent.",
                   "items": {

config/crd/bases/v1/datadoghq.com_datadogagents.yaml

@@ -253,6 +253,7 @@ spec:
 | global.secretBackend.args | List of arguments to pass to the command (space-separated strings). |
 | global.secretBackend.command | The secret backend command to use. Datadog provides a pre-defined binary `/readsecret_multiple_providers.sh`. Read more about `/readsecret_multiple_providers.sh` at https://docs.datadoghq.com/agent/configuration/secrets-management/?tab=linux#script-for-reading-from-multiple-secret-providers. |
 | global.secretBackend.enableGlobalPermissions | Whether to create a global permission allowing Datadog agents to read all Kubernetes secrets. Default: `false`. |
+| global.secretBackend.refreshInterval | The refresh interval for secrets (0 disables refreshing). Default: `0`. |
 | global.secretBackend.roles | For Datadog to read the specified secrets, replacing `enableGlobalPermissions`. They are defined as a list of namespace/secrets. Each defined namespace needs to be present in the DatadogAgent controller using `WATCH_NAMESPACE` or `DD_AGENT_WATCH_NAMESPACE`. See also: https://github.com/DataDog/datadog-operator/blob/main/docs/secret_management.md#how-to-deploy-the-agent-components-using-the-secret-backend-feature-with-datadogagent. |
 | global.secretBackend.timeout | The command timeout in seconds. Default: `30`. |
 | global.site | Is the Datadog intake site Agent data are sent to. Set to 'datadoghq.com' to send data to the US1 site (default). Set to 'datadoghq.eu' to send data to the EU site. Set to 'us3.datadoghq.com' to send data to the US3 site. Set to 'us5.datadoghq.com' to send data to the US5 site. Set to 'ddog-gov.com' to send data to the US1-FED site. Set to 'ap1.datadoghq.com' to send data to the AP1 site. Default: 'datadoghq.com' |

config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json

@@ -26,6 +26,7 @@ const (
 	DDSecretBackendCommand                 = "DD_SECRET_BACKEND_COMMAND"
 	DDSecretBackendArguments               = "DD_SECRET_BACKEND_ARGUMENTS"
 	DDSecretBackendTimeout                 = "DD_SECRET_BACKEND_TIMEOUT"
+	DDSecretRefreshInterval                = "DD_SECRET_REFRESH_INTERVAL"
 	DDTags                                 = "DD_TAGS"
 	DockerHost                             = "DOCKER_HOST"
 	DDKubernetesResourcesLabelsAsTags      = "DD_KUBERNETES_RESOURCES_LABELS_AS_TAGS"

docs/configuration.v2alpha1.md

@@ -234,6 +234,14 @@ func applyGlobalSettings(logger logr.Logger, manager feature.PodTemplateManagers
 				Value: strconv.FormatInt(int64(*config.SecretBackend.Timeout), 10),
 			})
 		}
+
+		// Set secret backend refresh interval
+		if config.SecretBackend.RefreshInterval != nil && *config.SecretBackend.RefreshInterval > 0 {
+			manager.EnvVar().AddEnvVar(&corev1.EnvVar{
+				Name:  DDSecretRefreshInterval,
+				Value: strconv.FormatInt(int64(*config.SecretBackend.RefreshInterval), 10),
+			})
+		}
 	}
 
 	// Update images with Global Registry and UseFIPSAgent configurations

internal/controller/datadogagent/global/envvar.go

@@ -367,7 +367,7 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 				ddaName,
 				ddaNamespace,
 				testutils.NewDatadogAgentBuilder().
-					WithGlobalSecretBackendGlobalPerms(secretBackendCommand, secretBackendArgs, secretBackendTimeout).
+					WithGlobalSecretBackendGlobalPerms(secretBackendCommand, secretBackendArgs, secretBackendTimeout, 0).
 					WithCredentials("apiKey", "appKey").
 					BuildWithDefaults(),
 			),
@@ -425,14 +425,83 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 			want:                      assertAll,
 			wantDependency:            assertSecretBackendGlobalPerms,
 		},
+		{
+			name:                           "Secret backend - with refresh interval",
+			singleContainerStrategyEnabled: false,
+			dda: addNameNamespaceToDDA(
+				ddaName,
+				ddaNamespace,
+				testutils.NewDatadogAgentBuilder().
+					WithGlobalSecretBackendGlobalPerms(secretBackendCommand, secretBackendArgs, secretBackendTimeout, 3600).
+					WithCredentials("apiKey", "appKey").
+					BuildWithDefaults(),
+			),
+			wantCoreAgentEnvVars: nil,
+			wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
+				{
+					Name:  DDSecretBackendCommand,
+					Value: secretBackendCommand,
+				},
+				{
+					Name:  DDSecretBackendArguments,
+					Value: secretBackendArgs,
+				},
+				{
+					Name:  DDSecretBackendTimeout,
+					Value: "60",
+				},
+				{
+					Name:  DDSecretRefreshInterval,
+					Value: "3600",
+				},
+				{
+					Name: constants.DDAPIKey,
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "datadog-secret",
+							},
+							Key: v2alpha1.DefaultAPIKeyKey,
+						},
+					},
+				},
+				{
+					Name: constants.DDAppKey,
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "datadog-secret",
+							},
+							Key: v2alpha1.DefaultAPPKeyKey,
+						},
+					},
+				},
+				{
+					Name: DDClusterAgentAuthToken,
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "datadog-token",
+							},
+							Key: common.DefaultTokenKey,
+						},
+					},
+				},
+			}...),
+			wantCoreAgentVolumeMounts: getExpectedVolumeMounts(),
+			wantVolumeMounts:          getExpectedVolumeMounts(),
+			wantVolumes:               getExpectedVolumes(),
+			want:                      assertAll,
+			wantDependency:            assertSecretBackendGlobalPerms,
+		},
 		{
 			name:                           "Secret backend - specific secret permissions",
 			singleContainerStrategyEnabled: false,
 			dda: addNameNamespaceToDDA(
 				ddaName,
 				ddaNamespace,
 				testutils.NewDatadogAgentBuilder().
-					WithGlobalSecretBackendSpecificRoles(secretBackendCommand, secretBackendArgs, secretBackendTimeout, secretNamespace, secretNames).
+					WithGlobalSecretBackendSpecificRoles(secretBackendCommand, secretBackendArgs, secretBackendTimeout, 0, secretNamespace, secretNames).
 					WithCredentials("apiKey", "appKey").
 					BuildWithDefaults(),
 			),

internal/controller/datadogagent/global/global.go

@@ -970,21 +970,23 @@ func (builder *DatadogAgentBuilder) WithChecksTagCardinality(cardinality string)
 
 // Global SecretBackend
 
-func (builder *DatadogAgentBuilder) WithGlobalSecretBackendGlobalPerms(command string, args string, timeout int32) *DatadogAgentBuilder {
+func (builder *DatadogAgentBuilder) WithGlobalSecretBackendGlobalPerms(command string, args string, timeout int32, refreshInterval int32) *DatadogAgentBuilder {
 	builder.datadogAgent.Spec.Global.SecretBackend = &v2alpha1.SecretBackendConfig{
 		Command:                 apiutils.NewStringPointer(command),
 		Args:                    apiutils.NewStringPointer(args),
 		Timeout:                 apiutils.NewInt32Pointer(timeout),
+		RefreshInterval:         apiutils.NewInt32Pointer(refreshInterval),
 		EnableGlobalPermissions: apiutils.NewBoolPointer(true),
 	}
 	return builder
 }
 
-func (builder *DatadogAgentBuilder) WithGlobalSecretBackendSpecificRoles(command string, args string, timeout int32, secretNs string, secretNames []string) *DatadogAgentBuilder {
+func (builder *DatadogAgentBuilder) WithGlobalSecretBackendSpecificRoles(command string, args string, timeout int32, refreshInterval int32, secretNs string, secretNames []string) *DatadogAgentBuilder {
 	builder.datadogAgent.Spec.Global.SecretBackend = &v2alpha1.SecretBackendConfig{
 		Command:                 apiutils.NewStringPointer(command),
 		Args:                    apiutils.NewStringPointer(args),
 		Timeout:                 apiutils.NewInt32Pointer(timeout),
+		RefreshInterval:         apiutils.NewInt32Pointer(refreshInterval),
 		EnableGlobalPermissions: apiutils.NewBoolPointer(false),
 		Roles: []*v2alpha1.SecretBackendRolesConfig{
 			{