Skip to content

Auto-restart Datadog agents on API key change in a K8s Secret #1718

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Auto-restart Datadog agents on API key change in a K8s Secret #1718

wants to merge 2 commits into from

Conversation

@dmgress
Copy link

@dmgress dmgress commented Feb 23, 2025
edited
Loading

What does this PR do?

When the API key is stored in a Kubernetes Secret, the reconciliation code adds a SHA256 hash of the secret's data as a new environment variable. This change spreads to all objects.

So, if the secret's data changes, it triggers a rolling update for the cluster agent ReplicaSet and agent DaemonSet, making them use the new API key.

Motivation

The Datadog agent doesn't update secrets already in memory, like the API key. If the API key is changed and the old one is revoked, the agent and cluster agent can't send data until they are restarted with the new key.

Even though data is buffered, there might be a temporary gap and a risk of data loss if the agents can't send data.

Using Kubernetes' built-in methods to update the agents when the key changes avoid the need for custom code. Not using labels and annotations prevents the accidental creation of custom metrics.

Additional Notes

No notes

Minimum Agent Versions

Not applicable, changes are on the reconciliation code.

Describe your test plan

I created additional test cases in internal/controller/datadogagent/controller_reconcile_v2_test.go and also manually verified the change works in a kind cluster

Manual test plan:

  1. I created new API and application keys in Datadog
  2. I started a kind cluster with two workers nodes
  3. I created the kubernetes secret to hold the API and application keys
  4. I applied the datadog operator with the change and created a DatadogAgent object using examples/datadogagent/datadog-agent-with-secret-keys.yaml
  5. I verified the new env variable is present on the cluster agent and agent instances
  6. I deployed an application on the cluster to get a metric going
  7. I revoked the API and observed the agent couldn't send new metric data
  8. I created a new API key and set it in the secret
  9. I observed the change in the value of the new env variable and the rotation of instances
  10. I observed the metric data could be send again

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label

@dmgress dmgress marked this pull request as ready for review February 23, 2025 08:45
@dmgress dmgress requested a review from a team as a code owner February 23, 2025 08:45
@dmgress dmgress marked this pull request as draft February 23, 2025 10:44
@dmgress dmgress force-pushed the secret-rotating-reconciliation branch 3 times, most recently from 93d630e to a596ef5 Compare February 23, 2025 10:55
dmgress and others added 2 commits February 23, 2025 11:55
@dmgress
Add functionality to update and manage API secret hash in DatadogAgent
9d6753f
@dmgress
Keep three test cases to check env variable set/unset correctly
f09955a 
If an API secret is used, then expect an env with a hash
If no API secret is used, then expect the env does not exist
If an API secret is used but does not exist, then the env should not exist
@dmgress dmgress force-pushed the secret-rotating-reconciliation branch from a596ef5 to f09955a Compare February 23, 2025 11:16
@dmgress dmgress marked this pull request as ready for review February 23, 2025 11:18
@dd-octo-sts
Copy link

dd-octo-sts bot commented Oct 13, 2025

This pull request has been automatically marked as stale because it has not had activity in the past 15 days.

It will be closed in 30 days if no further activity occurs. If this pull request is still relevant, adding a comment or pushing new commits will keep it open. Also, you can always reopen the pull request if you missed the window.

Thank you for your contributions!

@dd-octo-sts dd-octo-sts bot added the stale label Oct 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dmgress