Prevent bad configuration with install error report

DataDog · Nov 21, 2024 · 6299ab1 · 6299ab1
1 parent b8797e7
commit 6299ab1
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 13 deletions.
diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md
@@ -2,10 +2,9 @@
 
 ## 3.82.0
 
-* Added the configuration value `datadog.processAgent.disablePasswdMount` to disable mounting the `/etc/passwd` path from the host filesystem. This option should be used when the underlying OS does not have these files (e.g., Talos OS).
+* Added the configuration value `datadog.disablePasswdMount` to disable mounting the `/etc/passwd` path from the host filesystem. This option should be used when the underlying OS does not have these files (e.g., Talos OS).
 
-* Added the configuration value `datadog.processAgent.disableOsReleaseFileMount` to disable mounting the default "os-release" file paths from the host filesystem (e.g., `/etc/redhat-release`, `/etc/fedora-release`, etc.). Note that this change does not affect the `datadog.osReleasePath` option. To avoid mounting the `/etc/os-release` host path, set the `datadog.osReleasePath` configuration value to an empty string. This option should be used when the underlying OS does not have these files (e.g., Talos OS).
-* Deprecate `datadog.systemProbe.enableDefaultOsReleasePaths` in favor of `datadog.disableDefaultOsReleasePaths`.
+* Added the configuration value `datadog.disableDefaultOsReleasePaths` to disable mounting the default "os-release" file paths from the host filesystem (e.g., `/etc/redhat-release`, `/etc/fedora-release`, etc.). Note that this change does not affect the `datadog.osReleasePath` option. To avoid mounting the `/etc/os-release` host path, set the `datadog.osReleasePath` configuration value to an empty string. This option should be used when the underlying OS does not have these files (e.g., Talos OS).
 
 ## 3.81.0
 

diff --git a/charts/datadog/templates/NOTES.txt b/charts/datadog/templates/NOTES.txt
@@ -534,6 +534,25 @@ More information about this change: https://github.com/DataDog/helm-charts/pull/
 {{- end }}
 
 
+{{- if and (ne .Values.targetSystem "linux") (eq (include "should-add-host-path-for-os-release-paths" .) "false") .Values.datadog.sbom.host.enabled }}
+#################################################################
+####               ERROR: Configuration notice             ####
+#################################################################
+The SBOM host filesystem collection feature requires access to the os-release information from the host.
+`datadog.sbom.host.enabled: true` can't be use with `datadog.disableDefaultOsReleasePaths: true`.
+{{- fail "The SBOM host filesystem collection feature requires access to the os-release information from the host." }}
+{{- end }}
+
+{{- if and (ne .Values.targetSystem "linux") (eq (include "should-add-host-path-for-os-release-paths" .) "false") (eq (include "should-enable-system-probe" .) "true") }}
+#################################################################
+####               ERROR: Configuration notice             ####
+#################################################################
+The current set of options used to install the chart requires the system-probe container to be enabled.
+However, the datadog.disableDefaultOsReleasePaths option set to true is not compatible when the system-probe container is required.
+{{- fail "datadog.disableDefaultOsReleasePaths can't be set to `true` when system-probe is enabled." }}
+{{- end }}
+
+
 {{- $hasContainerIncludeEnv := false }}
 {{- range $key := .Values.datadog.env }}
   {{- if eq $key.name "DD_CONTAINER_INCLUDE" }}

diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml
@@ -258,7 +258,7 @@
       mountPath: /host/sys/fs/cgroup
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
       readOnly: true
-    {{- if and (eq (include "should-run-process-checks-on-core-agent" .) "true") (not .Values.datadog.disablePasswdMount) }}
+    {{- if and (eq (include "should-add-host-path-for-etc-passwd" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") }}
     - name: passwd
       mountPath: /etc/passwd
       readOnly: true

diff --git a/charts/datadog/templates/_container-host-release-volumemounts.yaml b/charts/datadog/templates/_container-host-release-volumemounts.yaml
@@ -1,13 +1,15 @@
 {{- define "linux-container-host-release-volumemounts" -}}
-{{- if or (not .Values.providers.gke.gdc) (not .Values.datadog.disableDefaultOsReleasePaths) }}
-{{- if eq (include "should-enable-system-probe" .) "true" }}
+{{- if or .Values.datadog.osReleasePath .Values.datadog.systemProbe.osReleasePath }}
+  {{- if and (not .Values.providers.gke.gdc) (not .Values.providers.gke.autopilot) }}
+    {{- if eq (include "should-enable-system-probe" .) "true" }}
 - name: os-release-file
   mountPath: /host{{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }}
   readOnly: true
-{{- else if or (not .Values.providers.gke.autopilot) }}
+    {{- else if .Values.datadog.osReleasePath }}
 - name: os-release-file
   mountPath: /host{{ .Values.datadog.osReleasePath }}
   readOnly: true
-{{- end }}
+    {{- end }}
+  {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/datadog/templates/_container-process-agent.yaml b/charts/datadog/templates/_container-process-agent.yaml
@@ -79,7 +79,7 @@
       mountPath: /host/sys/fs/cgroup
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
       readOnly: true
-    {{- if and (or .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery .Values.datadog.processAgent.containerCollection) (not .Values.datadog.disablePasswdMount) }}
+    {{- if and (eq (include "should-add-host-path-for-etc-passwd" .) "true") (or .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery .Values.datadog.processAgent.containerCollection) }}
     - name: passwd
       mountPath: /etc/passwd
       readOnly: true

diff --git a/charts/datadog/templates/_container-security-agent.yaml b/charts/datadog/templates/_container-security-agent.yaml
@@ -91,7 +91,7 @@
     - name: cgroups
       mountPath: /host/sys/fs/cgroup
       readOnly: true
-    {{- if not .Values.datadog.disablePasswdMount }}
+    {{- if (eq (include "should-add-host-path-for-etc-passwd" .) "true") }}
     - name: passwd
       mountPath: /etc/passwd
       readOnly: true

diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml
@@ -17,12 +17,12 @@
 - hostPath:
     path: /sys/fs/cgroup
   name: cgroups
-{{- if and (not .Values.providers.gke.autopilot) (not .Values.datadog.disableDefaultOsReleasePaths) (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath .Values.datadog.sbom.host.enabled) }}
+{{- if and (not .Values.providers.gke.autopilot) (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath .Values.datadog.sbom.host.enabled) }}
 - hostPath:
     path: {{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }}
   name: os-release-file
 {{- end }}
-{{- if or (and (eq (include "should-enable-system-probe" .) "true") (and .Values.datadog.systemProbe.enableDefaultOsReleasePaths (not .Values.datadog.disableDefaultOsReleasePaths))) .Values.datadog.sbom.host.enabled }}
+{{- if and (eq (include "should-add-host-path-for-os-release-path" .) "true") (or (eq (include "should-enable-system-probe" .) "true") .Values.datadog.sbom.host.enabled) }}
 - hostPath:
     path: /etc/redhat-release
   name: etc-redhat-release
@@ -138,7 +138,7 @@
   name: btf-path
 {{- end }}
 {{- end }}
-{{- if and (or (eq (include "process-checks-enabled" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-security-agent" .) "true")) (not .Values.datadog.disablePasswdMount) }}
+{{- if and (eq (include "should-add-host-path-for-etc-passwd" .) "true") (or (eq (include "process-checks-enabled" .) "true") (eq (include "should-run-process-checks-on-core-agent" .) "true") (eq (include "should-enable-system-probe" .) "true") (eq (include "should-enable-security-agent" .) "true")) }}
 - hostPath:
     path: /etc/passwd
   name: passwd

diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
@@ -1045,3 +1045,31 @@ Create RBACs for custom resources
   {{- end -}}
 {{- end -}}
 {{- end -}}
+
+
+{{/*
+  Returns true if Host paths for default OS Release Paths need to be added to the volumes.
+*/}}
+{{- define "should-add-host-path-for-os-release-paths" -}}
+  {{- if ne .Values.targetSystem "linux" -}}
+    false
+  {{- else if (and .Values.datadog.systemProbe.enableDefaultOsReleasePaths (not .Values.datadog.disableDefaultOsReleasePaths)) -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
+
+
+{{/*
+  Returns true if the host file /etc/passwd should be mounted, else return false.
+*/}}
+{{- define "should-add-host-path-for-etc-passwd" -}}
+  {{- if ne .Values.targetSystem "linux" -}}
+    false
+  {{- else if not .Values.datadog.disablePasswdMount -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}