[APM Onboarding] Disable APM Instrumentation on Datadog namespace

[liliyadd]

What this PR does / why we need it:

This PR adds the namespace where the datadog-agent is deployed to the exclude-list of APM Single Step Instrumentation. It's important to exclude cluster-agent deployment and agent daemonset by default to make sure sure that cluster-agent pods creation is not blocked if the admission-controller is not available (if cluster-agent pods are not ready/available).

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

• Chart Version bumped
• Documentation has been updated with helm-docs (run: .github/helm-docs.sh)
• CHANGELOG.md has been updated
• Variables are documented in the README.md
• For Datadog Operator chart or value changes update the test baselines (run: make update-test-baselines)

[Kyle-Verhoog]

We should be sure to document in the public manual instructions when not using the helm chart/operator to exclude the Agent namespace as well. I don't think we have any public docs on the setting yet so this would be future work.

[Kyle-Verhoog]

Should we default apmInstrumentation.disabledNamespaces to an empty list when not defined to simplify this check?

[liliyadd]

apmInstrumentation.disabledNamespaces is a string; it's "" by default.

https://github.com/DataDog/helm-charts/blob/main/charts/datadog/templates/_helpers.tpl#L618-L631 has similar pattern and usage https://github.com/DataDog/helm-charts/blob/main/charts/datadog/templates/_containers-common-env.yaml#L27-L30

[clamoriniere]

why the {{- if .Values.datadog.apm.instrumentation.enabled }} doesn't inclose the other apmInstrumentation options?
We usually use this patern (have a global setting like .Values.datadog.apm.instrumentation.enabled to enable or disable a full feature). And I suppose it doesn't make sense to not set DD_APM_INSTRUMENTATION_ENABLED but we still inject the DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES or DD_APM_INSTRUMENTATION_ENABLED_NAMESPACES

[liliyadd]

As per RFC:
To allow more granular control of the injection process, Single Step Instrumentation introduces a set of new configuration parameters on the Cluster Agent:
datadog.apm.instrumentation.enabled - boolean indicating if automatic injection should be enabled in the whole cluster. Default value - false.
datadog.apm.instrumentation.enabledNamespaces - comma-separated list of namespaces where automatic injection is enabled. Default value - empty list. This setting applies only when cluster-level configuration datadog.apm.instrumentation.enabled is set to false.
datadog.apm.instrumentation.disabledNamespaces - comma-separated list of namespaces where automatic injection needs to be disabled. Applies only when datadog.apm.instrumentation.enabled is set to true. Default value - empty list. Single Step Instrumentation will always skip injections in Kubernetes system namespace kube-system.

[levan-m]

This question was raised in Operator PR as well here.

[clamoriniere]

Hi @liliyadd

I think the behavior should be changed, because all the other features in the agent don't use the same pattern, and IMO the current behavior is error-prone.

What I think can make more sense is:

• datadog.apm.instrumentation.enabled - boolean indicating if automatic injection should be enabled
• datadog.apm.instrumentation.enabledNamespaces - comma-separated list of namespaces where automatic injection is enabled. (Default value - empty string). If value is empty, automatic injection is enabled on the whole cluster*. (*except kube-systems, and the "agent install" namespace).
• datadog.apm.instrumentation.disabledNamespaces - comma-separated list of namespaces where automatic injection needs to be disabled. (Default value - empty string). If disabledNamespaces automatic injection is active on every namespace except the one present in disabledNamespaces and kube-systems, and the "agent install" namespace.

I think this change can still be done, and make more sense for cross agent configuration genericity.

[clamoriniere]

General behaviour question what happens if disabledNamespaces is never empty?

Based on the other PR #1211 and specifically this part of the code https://github.com/DataDog/helm-charts/pull/1211/files#diff-5dec0964fafbdc987c2b122b6f38a16f03c7129501b7cb14fd5bbe37afb2cd0dR168
I think the user will not be able to set the enabledNamespaces option.

Is it the expected behaviour? should have a precedence between the option? do we have a reason to not allow both options at the same time?

[liliyadd]

The main reason not to allow disabledNamespaces and enabledNamespaces set at the same time is to prevent unspecified behavior when a namespace is present in both lists.

disabledNamespaces shouldn't be empty only when SSI is on for the cluster and we just want disable it in the few namespaces.

If users set enabledNamespaces, generally it means that SSI is disable in the whole cluster.

[liliyadd]

Test cases:

1. Disabled namespaces set, datadog running in ns default
   values.yaml

    # APM Single Step Instrumentation
    # This feature is in beta. It requires Cluster Agent 7.49+.
    instrumentation:
      # datadog.apm.instrumentation.enabled -- Enable injecting the Datadog APM libraries into all pods in the cluster (beta).
      enabled: true

      # datadog.apm.instrumentation.enabledNamespaces -- Enable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      enabledNamespaces: []

      # datadog.apm.instrumentation.disabledNamespaces -- Disable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      disabledNamespaces:
      - test1
      - test2

      # datadog.apm.instrumentation.libVersions -- Inject specific version of tracing libraries with Single Step Instrumentation (beta).
      libVersions: {}

Result env variables on cluster-agent:

          - name: DD_APM_INSTRUMENTATION_ENABLED
            value: "true"
          - name: DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES
            value: "[\"test1\",\"test2\",\"default\"]"

2. Disabled namespaces not set, atadog running in ns default
   values.yaml

    # APM Single Step Instrumentation
    # This feature is in beta. It requires Cluster Agent 7.49+.
    instrumentation:
      # datadog.apm.instrumentation.enabled -- Enable injecting the Datadog APM libraries into all pods in the cluster (beta).
      enabled: true

      # datadog.apm.instrumentation.enabledNamespaces -- Enable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      enabledNamespaces: []

      # datadog.apm.instrumentation.disabledNamespaces -- Disable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      disabledNamespaces: []

      # datadog.apm.instrumentation.libVersions -- Inject specific version of tracing libraries with Single Step Instrumentation (beta).
      libVersions: {}

Result env variables on cluster-agent:

          - name: DD_APM_INSTRUMENTATION_ENABLED
            value: "true"
          - name: DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES
            value: "[\"default\"]"

3. Enabled namespaces has default namespace
   values.yaml

    # APM Single Step Instrumentation
    # This feature is in beta. It requires Cluster Agent 7.49+.
    instrumentation:
      # datadog.apm.instrumentation.enabledNamespaces -- Enable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      enabledNamespaces: [test1, default]

      # datadog.apm.instrumentation.disabledNamespaces -- Disable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      disabledNamespaces: []

      # datadog.apm.instrumentation.libVersions -- Inject specific version of tracing libraries with Single Step Instrumentation (beta).
      libVersions: {}

Result env variables on cluster-agent:

          - name: DD_APM_INSTRUMENTATION_ENABLED_NAMESPACES
            value: "[\"test1\"]"

4. Enabled namespaces has default namespace, with instrumentation.enabled='true'
   values.yaml

    instrumentation:
      # datadog.apm.instrumentation.enabled -- Enable injecting the Datadog APM libraries into all pods in the cluster (beta).
      enabled: true

      # datadog.apm.instrumentation.enabledNamespaces -- Enable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      enabledNamespaces: [test1, default]

      # datadog.apm.instrumentation.disabledNamespaces -- Disable injecting the Datadog APM libraries into pods in specific namespaces (beta).
      disabledNamespaces: []

      # datadog.apm.instrumentation.libVersions -- Inject specific version of tracing libraries with Single Step Instrumentation (beta).
      libVersions: {}

Result env variables on cluster-agent:

          - name: DD_APM_INSTRUMENTATION_ENABLED
            value: "true"
          - name: DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES
            value: "[\"default\"]"

[levan-m]

Looks good to me.

I tried various combinations of enabled, enabledNamespace disabledNamespaces and chart renders correct env variables.