datadog-integration: updated consul-server agent telemetry-config.jso…

…n with dd specific items as well as additional missing VM based options, unit tests, dd unix socket integration, dd agent acl token generation | final initial-push
hashicorp · Feb 9, 2024 · d27ea03 · d27ea03
1 parent 8b6a9d8
commit d27ea03
Show file tree

Hide file tree

Showing 12 changed files with 276 additions and 21 deletions.
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
@@ -428,10 +428,10 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }}
 */}}
 {{- define "consul.validateTelemetryCollectorCloud" -}}
 {{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }}
-{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set."}}
+{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }}
 {{- end }}
 {{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }}
-{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set."}}
+{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }}
 {{- end }}
 {{- end }}
 
@@ -532,6 +532,9 @@ Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled.
     - global.metrics.datadogIntegration.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`)
     - see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both
 
+Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc"
+    - global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol!="http" || global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol!="grpc"
+
 Usage: {{ template "consul.validateDatadogConfiguration" . }}
 
 */}}
@@ -543,6 +546,9 @@ Usage: {{ template "consul.validateDatadogConfiguration" . }}
 {{- if and .Values.global.metrics.datadogIntegration.dogstatsd.enabled .Values.global.metrics.datadogIntegration.openMetricsPrometheus.enabled }}
 {{fail "You must have one of DogStatsD (global.metrics.datadogIntegration.dogstatsd.enabled) or OpenMetrics (global.metrics.datadogIntegration.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }}
 {{- end }}
+{{- if and .Values.global.metrics.datadogIntegration.datadogOpenTelemetryCollector.enabled (or (eq (.Values.global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol | trimAll "\"" | quote) "http") (eq (.Values.global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol | trimAll "\"" | quote) "grpc")) }}
+{{fail "Valid values for global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol must be one of either \"http\" or \"grpc\"." }}
+{{- end }}
 {{- end -}}
 
 {{/*

diff --git a/charts/consul/templates/datadog-agent-role.yaml b/charts/consul/templates/datadog-agent-role.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.global.metrics.datadogIntegration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "consul.fullname" . }}-datadog-metrics-agent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: datadog
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: agent
+{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }}
+{{- if .Values.global.enablePodSecurityPolicies }}
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames:
+      - {{ template "consul.fullname" . }}-datadog-metrics-agent
+    verbs:
+      - use
+{{- end }}
+{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }}
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames:
+      - {{ template "consul.fullname" . }}-datadog-metrics-agent
+    verbs:
+      - use
+{{- end }}
+{{- else}}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    resourceNames:
+      - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token
+    verbs: [ "get", "watch", "list" ]
+{{- end }}
+{{- end }}
diff --git a/charts/consul/templates/datadog-agent-rolebinding.yaml b/charts/consul/templates/datadog-agent-rolebinding.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.global.metrics.datadogIntegration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: datadog-read-secrets
+  namespace: consul
+  labels:
+    component: agent
+subjects:
+  - kind: ServiceAccount
+    apiGroup: ""
+    name: datadog-agent
+    namespace: datadog
+  - kind: ServiceAccount
+    apiGroup: ""
+    name: datadog-cluster-agent
+    namespace: datadog
+roleRef:
+  kind: Role
+  name: {{ template "consul.fullname" . }}-datadog-metrics-agent
+  apiGroup: ""
+{{- end }}
diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
@@ -276,7 +276,7 @@ spec:
             -create-enterprise-license-token=true \
             {{- end }}
 
-            {{- if (and .Values.global.metrics.datadogIntegration.enabled .Values.global.acls.manageSystemACLs) }}
+            {{- if (and (not .Values.global.metrics.datadogIntegration.dogstatsd.enabled) .Values.global.metrics.datadogIntegration.enabled .Values.global.acls.manageSystemACLs) }}
             -create-dd-agent-token=true \
             {{- end }}
 

diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
@@ -155,7 +155,7 @@ spec:
                   "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key",
                   "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt",
         {{- else }}
-                  "openmetrics_endpoint": "http://%%host%%:8500/v1/agent/metrics?format=prometheus",
+                  "openmetrics_endpoint": "http://consul-server.{{ .Release.Namespace }}.svc:8500/v1/agent/metrics?format=prometheus",
         {{- end }}
         {{- if ( .Values.global.acls.manageSystemACLs) }}
                   "headers": {
@@ -168,7 +168,7 @@ spec:
               ]
             }
           }
-        {{- else }}
+        {{- else if (not .Values.global.metrics.datadogIntegration.dogstatsd.enabled) }}
         "ad.datadoghq.com/consul.checks": |
           {
             "consul": {
@@ -195,6 +195,8 @@ spec:
               ]
             }
           }
+        {{- else }}
+        "ad.datadoghq.com/consul.metrics_exclude": "true"
         {{- end }}
         {{- end }}
         {{- end }}

diff --git a/charts/consul/templates/telemetry-collector-deployment.yaml b/charts/consul/templates/telemetry-collector-deployment.yaml
@@ -248,6 +248,19 @@ spec:
             - name: SSL_CERT_DIR
               value: "/etc/ssl/certs:/trusted-cas"
             {{- end }}
+            {{- if .Values.global.metrics.datadogIntegration.datadogOpenTelemetryCollector.enabled }}
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            {{- if eq (.Values.global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol | lower ) "http" }}
+            - name: CO_OTEL_HTTP_ENDPOINT
+              value: "http://$(HOST_IP):4318"
+            {{- else if eq (.Values.global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol | lower) "grpc" }}
+            - name: CO_OTEL_HTTP_ENDPOINT
+              value: "grpc://$(HOST_IP):4317"
+            {{- end }}
+            {{- end }}
             {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }}
         command:
         - "/bin/sh"

diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats
@@ -2475,4 +2475,21 @@ load _helpers
   local actual=$( echo "$command" |
     yq 'any(contains("-create-dd-agent-token"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: -create-dd-agent-token NOT set when global.metrics.datadogIntegration=true, global.metrics.datadogIntegration.dogstatsd.enabled=true, and global.acls.manageSystemACLs=true" {
+  cd `chart_dir`
+  local command=$(helm template \
+      -s templates/server-acl-init-job.yaml  \
+      --set 'global.metrics.enabled=true'  \
+      --set 'global.metrics.enableAgentMetrics=true'  \
+      --set 'global.metrics.datadogIntegration.enabled=true' \
+      --set 'global.metrics.datadogIntegration.dogstatsd.enabled=true' \
+      --set 'global.acls.manageSystemACLs=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
+
+  local actual=$( echo "$command" |
+    yq 'any(contains("-create-dd-agent-token"))' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
 }
diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats
@@ -1366,6 +1366,7 @@ load _helpers
       --set 'global.metrics.enabled=true'  \
       --set 'global.metrics.enableAgentMetrics=true'  \
       --set 'global.metrics.datadogIntegration.enabled=true'  \
+      --set 'global.metrics.datadogIntegration.dogstatsd.enabled=true'  \
       . | tee /dev/stderr |
       yq -r '.data["telemetry-config.json"]' | jq -r .telemetry.dogstatsd_tags | jq -r '[ .[] ]| join (" ")' | tee /dev/stderr)
 

diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
@@ -901,7 +901,7 @@ load _helpers
 
 @test "server/StatefulSet: when global.metrics.datadogIntegration.openMetricsPrometheus.enabled, applicable openmetrics annotation is set" {
   cd `chart_dir`
-  local annotations=$(helm template --debug \
+  local annotations=$(helm template \
       -s templates/server-statefulset.yaml  \
       --set 'global.metrics.enabled=true'  \
       --set 'global.metrics.enableAgentMetrics=true'  \
@@ -919,7 +919,11 @@ load _helpers
 
   local actual="$( echo "$consul_checks" | \
     jq -r .openmetrics.instances | jq -r .[0].openmetrics_endpoint | tee /dev/stderr)"
-  [ "${actual}" = "http://%%host%%:8500/v1/agent/metrics" ]
+  [ "${actual}" = "http://consul-server.default.svc:8500/v1/agent/metrics?format=prometheus" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].headers | tee /dev/stderr)"
+  [ -n "${actual}" ]
 
   local actual="$( echo "$consul_checks" | \
     jq -r .openmetrics.instances | jq -r .[0].namespace | tee /dev/stderr)"
@@ -933,7 +937,7 @@ load _helpers
 
 @test "server/StatefulSet: when datadogIntegration.openMetricsPrometheus.enabled, applicable openmetrics annotation is set with tls url" {
   cd `chart_dir`
-  local annotations=$(helm template --debug \
+  local annotations=$(helm template \
       -s templates/server-statefulset.yaml  \
       --set 'global.metrics.enabled=true'  \
       --set 'global.tls.enabled=true'  \
@@ -952,7 +956,59 @@ load _helpers
 
   local actual="$( echo "$consul_checks" | \
     jq -r .openmetrics.instances | jq -r .[0].openmetrics_endpoint | tee /dev/stderr)"
-  [ "${actual}" = "https://%%host%%:8501/v1/agent/metrics" ]
+  [ "${actual}" = "https://consul-server.default.svc:8501/v1/agent/metrics?format=prometheus" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].headers | tee /dev/stderr)"
+  [ -n "${actual}" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].tls_cert | tee /dev/stderr)"
+  [ "${actual}" = "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].tls_private_key | tee /dev/stderr)"
+  [ "${actual}" = "/etc/datadog-agent/conf.d/consul.d/certs/tls.key" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].tls_ca_cert | tee /dev/stderr)"
+  [ "${actual}" = "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].namespace | tee /dev/stderr)"
+  [ "${actual}" = "default" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].metrics[0] | tee /dev/stderr)"
+  [ "${actual}" = ".*" ]
+}
+
+@test "server/StatefulSet: when global.metrics.datadogIntegration.openMetricsPrometheus.enabled, applicable openmetrics annotation is set with acls.manageSystemACLs enabled" {
+  cd `chart_dir`
+  local annotations=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'global.metrics.enabled=true'  \
+      --set 'global.acls.manageSystemACLs=true' \
+      --set 'global.metrics.enableAgentMetrics=true'  \
+      --set 'global.metrics.datadogIntegration.enabled=true' \
+      --set 'global.metrics.datadogIntegration.openMetricsPrometheus.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.metadata.annotations' | tee /dev/stderr)
+
+  local consul_checks=$(echo "$annotations" | \
+    yq -r '."ad.datadoghq.com/consul.checks"' | tee /dev/stderr)
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.init_config | tee /dev/stderr)"
+  [ "${actual}" = "{}" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r .[0].openmetrics_endpoint | tee /dev/stderr)"
+  [ "${actual}" = "http://consul-server.default.svc:8500/v1/agent/metrics?format=prometheus" ]
+
+  local actual="$( echo "$consul_checks" | \
+    jq -r .openmetrics.instances | jq -r '.[0].headers["X-Consul-Token"]' | tee /dev/stderr)"
+  [ "${actual}" = "ENC[k8s_secret@default/default-datadog-agent-metrics-acl-token/token]" ]
 
   local actual="$( echo "$consul_checks" | \
     jq -r .openmetrics.instances | jq -r .[0].namespace | tee /dev/stderr)"

diff --git a/charts/consul/test/unit/telemetry-collector-deployment.bats b/charts/consul/test/unit/telemetry-collector-deployment.bats
@@ -1371,3 +1371,82 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
   local actual=$(echo $object | jq -r '.[1].args | any(contains("-service-namespace=fakenamespace"))' | tee /dev/stderr)
   [ "${actual}" = 'true' ]
 }
+
+#--------------------------------------------------------------------
+# global.metrics.datadogIntegration.datadogOpenTelemetryCollector
+
+@test "telemetryCollector/Deployment: DataDog OTLP Collector HTTP protocol verification" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/telemetry-collector-deployment.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'telemetryCollector.cloud.enabled=false' \
+      --set 'global.metrics.enabled=true' \
+      --set 'global.metrics.enableAgentMetrics=true' \
+      --set 'global.metrics.datadogIntegration.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol'="http" \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo "$object" |
+      yq -r '.[] | select(.name=="CO_OTEL_HTTP_ENDPOINT").value' | tee /dev/stderr)
+  [ "${actual}" = 'http://$(HOST_IP):4318' ]
+}
+
+@test "telemetryCollector/Deployment: DataDog OTLP Collector HTTP protocol verification, case-insensitive" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/telemetry-collector-deployment.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'telemetryCollector.cloud.enabled=false' \
+      --set 'global.metrics.enabled=true' \
+      --set 'global.metrics.enableAgentMetrics=true' \
+      --set 'global.metrics.datadogIntegration.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol'="HTTP" \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo "$object" |
+      yq -r '.[] | select(.name=="CO_OTEL_HTTP_ENDPOINT").value' | tee /dev/stderr)
+  [ "${actual}" = 'http://$(HOST_IP):4318' ]
+}
+
+@test "telemetryCollector/Deployment: DataDog OTLP Collector gRPC protocol verification" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/telemetry-collector-deployment.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'telemetryCollector.cloud.enabled=false' \
+      --set 'global.metrics.enabled=true' \
+      --set 'global.metrics.enableAgentMetrics=true' \
+      --set 'global.metrics.datadogIntegration.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol'="grpc" \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo "$object" |
+      yq -r '.[] | select(.name=="CO_OTEL_HTTP_ENDPOINT").value' | tee /dev/stderr)
+  [ "${actual}" = 'grpc://$(HOST_IP):4317' ]
+}
+
+@test "telemetryCollector/Deployment: DataDog OTLP Collector gRPC protocol verification, case-insensitive" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/telemetry-collector-deployment.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'telemetryCollector.cloud.enabled=false' \
+      --set 'global.metrics.enabled=true' \
+      --set 'global.metrics.enableAgentMetrics=true' \
+      --set 'global.metrics.datadogIntegration.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.enabled=true' \
+      --set 'global.metrics.datadogIntegration.datadogOpenTelemetryCollector.protocol'="gRPC" \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo "$object" |
+      yq -r '.[] | select(.name=="CO_OTEL_HTTP_ENDPOINT").value' | tee /dev/stderr)
+  [ "${actual}" = 'grpc://$(HOST_IP):4317' ]
+}