DELA-251 - Initial implementation of cloud auth proof for an API key #43554
Go Package Import Differences. Baseline: aca3356
Static quality checks: ❌ Please find below the results from static quality gates.
Gate failure full details
Static quality gates prevent the PR from merging! Successful checks:
2 successful checks with minimal change (< 2 KiB)
On-wire sizes (compressed)
# Conflicts: # comp/core/agenttelemetry/fx/go.mod # comp/core/agenttelemetry/fx/go.sum # comp/core/agenttelemetry/impl/go.mod # comp/core/agenttelemetry/impl/go.sum # comp/core/config/go.mod # comp/core/config/go.sum # comp/core/configsync/go.mod # comp/core/configsync/go.sum # comp/core/hostname/hostnameinterface/go.sum # comp/core/ipc/httphelpers/go.mod # comp/core/ipc/httphelpers/go.sum # comp/core/ipc/impl/go.mod # comp/core/ipc/impl/go.sum # comp/core/ipc/mock/go.mod # comp/core/ipc/mock/go.sum # comp/core/log/fx/go.mod # comp/core/log/fx/go.sum # comp/core/log/impl-trace/go.mod # comp/core/log/impl-trace/go.sum # comp/core/log/impl/go.mod # comp/core/log/impl/go.sum # comp/core/secrets/fx/go.mod # comp/core/secrets/fx/go.sum # comp/core/secrets/impl/go.mod # comp/core/secrets/impl/go.sum # comp/core/status/statusimpl/go.mod # comp/core/status/statusimpl/go.sum # comp/core/tagger/def/go.mod # comp/core/tagger/def/go.sum # comp/core/tagger/fx-remote/go.sum # comp/core/tagger/impl-remote/go.sum # comp/core/tagger/subscriber/go.sum # comp/core/telemetry/go.sum # comp/forwarder/defaultforwarder/go.sum # comp/forwarder/orchestrator/orchestratorinterface/go.sum # comp/logs/agent/config/go.mod # comp/logs/agent/config/go.sum # comp/otelcol/collector-contrib/def/go.sum # comp/otelcol/collector-contrib/impl/go.mod # comp/otelcol/collector-contrib/impl/go.sum # comp/otelcol/converter/impl/go.mod # comp/otelcol/converter/impl/go.sum # comp/otelcol/ddflareextension/impl/go.mod # comp/otelcol/ddflareextension/impl/go.sum # comp/otelcol/ddprofilingextension/impl/go.sum # comp/otelcol/logsagentpipeline/go.sum # comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.mod # comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.sum # comp/otelcol/otlp/components/connector/datadogconnector/go.mod # comp/otelcol/otlp/components/connector/datadogconnector/go.sum # comp/otelcol/otlp/components/exporter/datadogexporter/go.mod # 
comp/otelcol/otlp/components/exporter/datadogexporter/go.sum # comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod # comp/otelcol/otlp/components/exporter/logsagentexporter/go.sum # comp/otelcol/otlp/components/exporter/serializerexporter/go.mod # comp/otelcol/otlp/components/exporter/serializerexporter/go.sum # comp/otelcol/otlp/components/processor/infraattributesprocessor/go.sum # comp/otelcol/otlp/testutil/go.sum # comp/otelcol/status/impl/go.mod # comp/otelcol/status/impl/go.sum # comp/serializer/logscompression/go.mod # comp/serializer/logscompression/go.sum # comp/serializer/metricscompression/go.mod # comp/serializer/metricscompression/go.sum # go.mod # go.sum # internal/tools/go.mod # internal/tools/go.sum # pkg/api/go.mod # pkg/api/go.sum # pkg/config/create/go.sum # pkg/config/env/go.mod # pkg/config/env/go.sum # pkg/config/helper/go.sum # pkg/config/mock/go.mod # pkg/config/mock/go.sum # pkg/config/nodetreemodel/go.sum # pkg/config/remote/go.sum # pkg/config/setup/go.mod # pkg/config/setup/go.sum # pkg/config/structure/go.sum # pkg/config/teeconfig/go.sum # pkg/config/utils/go.mod # pkg/config/utils/go.sum # pkg/config/viperconfig/go.sum # pkg/fleet/installer/go.sum # pkg/logs/client/go.mod # pkg/logs/client/go.sum # pkg/logs/diagnostic/go.mod # pkg/logs/diagnostic/go.sum # pkg/logs/message/go.mod # pkg/logs/message/go.sum # pkg/logs/metrics/go.sum # pkg/logs/pipeline/go.mod # pkg/logs/pipeline/go.sum # pkg/logs/processor/go.mod # pkg/logs/processor/go.sum # pkg/logs/sds/go.mod # pkg/logs/sds/go.sum # pkg/logs/sender/go.mod # pkg/logs/sender/go.sum # pkg/logs/sources/go.mod # pkg/logs/sources/go.sum # pkg/logs/util/testutils/go.mod # pkg/logs/util/testutils/go.sum # pkg/metrics/go.mod # pkg/metrics/go.sum # pkg/network/driver/go.sum # pkg/opentelemetry-mapping-go/otlp/logs/go.sum # pkg/process/util/api/go.mod # pkg/process/util/api/go.sum # pkg/security/seclwin/go.mod # pkg/serializer/go.mod # pkg/serializer/go.sum # pkg/telemetry/go.sum # 
pkg/trace/go.mod # pkg/trace/go.sum # pkg/util/compression/go.mod # pkg/util/compression/go.sum # pkg/util/filesystem/go.mod # pkg/util/filesystem/go.sum # pkg/util/flavor/go.mod # pkg/util/flavor/go.sum # pkg/util/fxutil/go.sum # pkg/util/grpc/go.sum # pkg/util/http/go.mod # pkg/util/http/go.sum # pkg/util/log/setup/go.mod # pkg/util/log/setup/go.sum # pkg/util/system/go.mod # pkg/util/system/go.sum # test/e2e-framework/go.sum # test/fakeintake/go.sum # test/new-e2e/go.sum # test/otel/go.mod # test/otel/go.sum
Regression Detector Results (Metrics dashboard). Baseline: e1e8408. Optimization Goals: ✅ No significant changes detected
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | +4.16 | [+1.03, +7.29] | 1 | Logs |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | +4.16 | [+1.03, +7.29] | 1 | Logs |
| ➖ | quality_gate_logs | % cpu utilization | +1.72 | [+0.22, +3.22] | 1 | Logs bounds checks dashboard |
| ➖ | ddot_logs | memory utilization | +0.95 | [+0.87, +1.02] | 1 | Logs |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | +0.85 | [+0.77, +0.93] | 1 | Logs |
| ➖ | file_tree | memory utilization | +0.80 | [+0.75, +0.85] | 1 | Logs |
| ➖ | quality_gate_idle | memory utilization | +0.62 | [+0.57, +0.67] | 1 | Logs bounds checks dashboard |
| ➖ | otlp_ingest_logs | memory utilization | +0.53 | [+0.43, +0.64] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | +0.48 | [+0.25, +0.71] | 1 | Logs |
| ➖ | quality_gate_metrics_logs | memory utilization | +0.41 | [+0.19, +0.63] | 1 | Logs bounds checks dashboard |
| ➖ | ddot_metrics_sum_delta | memory utilization | +0.41 | [+0.21, +0.60] | 1 | Logs |
| ➖ | ddot_metrics | memory utilization | +0.34 | [+0.11, +0.57] | 1 | Logs |
| ➖ | otlp_ingest_metrics | memory utilization | +0.33 | [+0.18, +0.47] | 1 | Logs |
| ➖ | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | +0.29 | [+0.24, +0.35] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.22 | [+0.18, +0.25] | 1 | Logs bounds checks dashboard |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | +0.04 | [-0.45, +0.53] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | +0.01 | [-0.40, +0.41] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.00 | [-0.09, +0.09] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_v3 | ingress throughput | -0.01 | [-0.13, +0.12] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | -0.01 | [-0.14, +0.11] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | -0.05 | [-0.43, +0.33] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | -0.05 | [-0.10, -0.01] | 1 | Logs |
| ➖ | docker_containers_memory | memory utilization | -0.13 | [-0.20, -0.05] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulative | memory utilization | -0.14 | [-0.31, +0.02] | 1 | Logs |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | links |
|---|---|---|---|---|
| ✅ | docker_containers_cpu | simple_check_run | 10/10 | |
| ✅ | docker_containers_memory | memory_usage | 10/10 | |
| ✅ | docker_containers_memory | simple_check_run | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_1000ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_100ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_500ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_logs | lost_bytes | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | lost_bytes | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
- Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
- Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
- Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
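To make the three criteria in the explanation above concrete, here is an added Go example (not part of this PR and not the regression detector's own code) that applies the effect-size tolerance, the zero-exclusion test on the confidence interval, and the "erratic" opt-out to rows taken from the tables above plus two constructed rows. The goal-to-direction mapping (throughput goals: higher is better; utilization goals: lower is better) is an assumption made by this example, not something the detector states.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Thresholds quoted from the detector's explanation.
const (
	EffectSizeTolerance = 5.0  // |Δ mean %| must be at least this large
	ConfidenceLevel     = 90.0 // "Δ mean % CI" is a 90% confidence interval
)

// Experiment is one row of the "fine details" table.
type Experiment struct {
	Name      string
	Goal      string
	DeltaMean float64 // Δ mean %, comparison variant minus baseline variant
	CILow     float64 // lower bound of the 90% CI
	CIHigh    float64 // upper bound of the 90% CI
	Erratic   bool    // taken from the experiment's configuration
}

// EffectLargeEnough is criterion 1: |Δ mean %| ≥ EffectSizeTolerance.
func EffectLargeEnough(e Experiment) bool {
	return math.Abs(e.DeltaMean) >= EffectSizeTolerance
}

// CIExcludesZero is criterion 2: the confidence interval does not contain zero.
func CIExcludesZero(e Experiment) bool {
	return e.CILow > 0 || e.CIHigh < 0
}

// IsSignificantChange is true only when all three criteria hold.
func IsSignificantChange(e Experiment) bool {
	return EffectLargeEnough(e) && CIExcludesZero(e) && !e.Erratic
}

// Marker returns the symbol used in the perf column. Whether a positive Δ is an
// improvement depends on the goal, so the caller supplies higherIsBetter.
func Marker(e Experiment, higherIsBetter bool) string {
	if !IsSignificantChange(e) {
		return "➖"
	}
	if (e.DeltaMean > 0) == higherIsBetter {
		return "✅"
	}
	return "❌"
}

// HigherIsBetter is the assumed goal-to-direction mapping used by main:
// throughput goals improve when Δ is positive, utilization goals when negative.
func HigherIsBetter(goal string) bool {
	return strings.Contains(goal, "throughput")
}

// SampleRows: the first three are copied from the table above; the last two are
// constructed to exercise the regression and erratic branches.
var SampleRows = []Experiment{
	{Name: "docker_containers_cpu", Goal: "% cpu utilization", DeltaMean: 4.16, CILow: 1.03, CIHigh: 7.29},
	{Name: "tcp_syslog_to_blackhole", Goal: "ingress throughput", DeltaMean: 0.85, CILow: 0.77, CIHigh: 0.93},
	{Name: "file_to_blackhole_0ms_latency", Goal: "egress throughput", DeltaMean: 0.04, CILow: -0.45, CIHigh: 0.53},
	{Name: "constructed_throughput_drop", Goal: "ingress throughput", DeltaMean: -6.10, CILow: -8.00, CIHigh: -4.20},
	{Name: "constructed_erratic_rig", Goal: "memory utilization", DeltaMean: 7.50, CILow: 6.00, CIHigh: 9.00, Erratic: true},
}

func main() {
	for _, e := range SampleRows {
		fmt.Printf("%s %-32s Δ=%+.2f%% CI=[%+.2f, %+.2f]\n",
			Marker(e, HigherIsBetter(e.Goal)), e.Name, e.DeltaMean, e.CILow, e.CIHigh)
	}
}
```

Note that docker_containers_cpu (+4.16%, CI [+1.03, +7.29]) has a CI that excludes zero yet still gets ➖, because the effect size is below the 5.00% tolerance; both criteria have to hold before a change is flagged.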
```go
// domainURLRegexp matches and captures known Datadog domains with optional protocol and trailing characters
// Captures: protocol (optional), subdomain (ignored), regional prefix + base domain, trailing dot (optional)
// Examples: https://agent.datad0g.com., http://metrics.us1.datadoghq.com, agent.ddog-gov.com
var domainURLRegexp = regexp.MustCompile(`^(?:https?://)?[^./]+\.((?:[a-z]{2,}\d{1,2}\.)?)(?:(datadoghq|datad0g)\.(com|eu)|(ddog-gov\.com))(\.)?\/?$`)

// getAPIDomain transforms intake/metrics endpoints (e.g., agent.datad0g.com) to API endpoints (e.g., app.datad0g.com)
// for known Datadog domains. This ensures API operations use the correct subdomain.
func getAPIDomain(endpoint string) string {
	matches := domainURLRegexp.FindStringSubmatch(endpoint)
	if matches == nil {
		// Not a known Datadog domain, return unchanged
		return endpoint
	}

	// matches[1] = regional prefix (e.g., "us1.", "eu1.", or "")
	// matches[2] = base domain name (e.g., "datadoghq", "datad0g", or "")
	// matches[3] = TLD (e.g., "com", "eu", or "")
	// matches[4] = gov cloud domain (e.g., "ddog-gov.com", or "")
	// matches[5] = trailing dot (e.g., ".", or "")

	var baseDomain string
	if matches[4] != "" {
		// Gov cloud domain
		baseDomain = matches[4]
	} else {
		// Regular Datadog domain
		baseDomain = matches[1] + matches[2] + "." + matches[3]
	}

	// Append trailing dot if present
	if matches[5] != "" {
		baseDomain += "."
	}

	return "https://api." + baseDomain
}
```
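Review bot: domainURLRegexp is case-sensitive and has no port handling, so an endpoint configured as `Agent.DataDogHQ.com` or `agent.datadoghq.com:443` takes the `matches == nil` branch and is returned verbatim as the API domain, which is not what the comment "Not a known Datadog domain, return unchanged" prepares the caller for. Consider parsing the endpoint with net/url, lowercasing the host and dropping the port before matching, and make the unmatched case explicit (an error or a second return value) so the caller decides whether a non-Datadog host should receive the auth proof at all rather than silently using it as-is.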
This should probably live in pkg/config/utils/endpoints.go so that it can be (eventually) unified with the existing logic we use for evaluating URLs for whether or not they're official Datadog sites.
Yeah, I can see that. The idea was to do the same logic as getAPIDomain in forwarder_health.go https://github.com/DataDog/datadog-agent/blob/main/comp/forwarder/defaultforwarder/forwarder_health.go#L202 which the api/v1/validate endpoint uses. However, that code does not support the staging domain due to its restrictive regex https://github.com/DataDog/datadog-agent/blob/main/comp/forwarder/defaultforwarder/forwarder_health.go#L48. So I put the logic within delegated auth simply because it was not to be used by anything else right now.
I think eventually this code should be moved to a shared location and both the api/v1/validate endpoint and the api/v2/intake-key (delegated auth) endpoint should utilize it.
I am happy to move it to the shared location now and then maybe we can migrate api/v1/validate to use it at some point. I am unsure why we don't support api/v1/validate in staging right now.
…r to refresh interval
# Conflicts: # comp/core/tagger/fx-remote/go.sum # comp/core/tagger/impl-remote/go.sum # comp/otelcol/collector-contrib/def/go.sum # comp/otelcol/collector-contrib/impl/go.mod # comp/otelcol/collector-contrib/impl/go.sum # comp/otelcol/converter/impl/go.sum # comp/otelcol/ddflareextension/impl/go.mod # comp/otelcol/ddflareextension/impl/go.sum # comp/otelcol/ddprofilingextension/impl/go.mod # comp/otelcol/ddprofilingextension/impl/go.sum # comp/otelcol/otlp/components/exporter/datadogexporter/go.mod # comp/otelcol/otlp/components/exporter/datadogexporter/go.sum # comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod # comp/otelcol/otlp/components/exporter/logsagentexporter/go.sum # comp/otelcol/otlp/components/exporter/serializerexporter/go.mod # comp/otelcol/otlp/components/exporter/serializerexporter/go.sum # comp/otelcol/otlp/components/processor/infraattributesprocessor/go.sum # comp/otelcol/otlp/testutil/go.sum # comp/otelcol/status/impl/go.sum # go.mod # go.sum # pkg/config/remote/go.sum # pkg/opentelemetry-mapping-go/otlp/logs/go.sum # pkg/trace/go.mod # pkg/trace/go.sum # pkg/util/grpc/go.sum # test/e2e-framework/go.sum # test/new-e2e/go.sum # test/otel/go.mod # test/otel/go.sum
This reverts commit 3780af6.
…port for sub-configs
# Conflicts: # comp/api/api/def/go.mod # comp/core/agenttelemetry/def/go.mod # comp/core/agenttelemetry/fx/go.mod # comp/core/agenttelemetry/impl/go.mod # comp/core/agenttelemetry/impl/go.sum # comp/core/config/go.mod # comp/core/configsync/go.mod # comp/core/configsync/go.sum # comp/core/flare/builder/go.mod # comp/core/flare/types/go.mod # comp/core/hostname/hostnameinterface/go.mod # comp/core/ipc/def/go.mod # comp/core/ipc/httphelpers/go.mod # comp/core/ipc/impl/go.mod # comp/core/ipc/mock/go.mod # comp/core/log/def/go.mod # comp/core/log/fx/go.mod # comp/core/log/impl-trace/go.mod # comp/core/log/impl/go.mod # comp/core/log/mock/go.mod # comp/core/secrets/def/go.mod # comp/core/secrets/fx/go.mod # comp/core/secrets/impl/go.mod # comp/core/secrets/impl/go.sum # comp/core/secrets/mock/go.mod # comp/core/secrets/noop-impl/go.mod # comp/core/secrets/utils/go.mod # comp/core/status/go.mod # comp/core/status/statusimpl/go.mod # comp/core/tagger/def/go.mod # comp/core/tagger/fx-remote/go.mod # comp/core/tagger/fx-remote/go.sum # comp/core/tagger/generic_store/go.mod # comp/core/tagger/impl-remote/go.mod # comp/core/tagger/impl-remote/go.sum # comp/core/tagger/origindetection/go.mod # comp/core/tagger/subscriber/go.mod # comp/core/tagger/subscriber/go.sum # comp/core/tagger/tags/go.mod # comp/core/tagger/telemetry/go.mod # comp/core/tagger/types/go.mod # comp/core/tagger/utils/go.mod # comp/core/telemetry/go.mod # comp/def/go.mod # comp/forwarder/defaultforwarder/go.mod # comp/forwarder/defaultforwarder/go.sum # comp/forwarder/orchestrator/orchestratorinterface/go.mod # comp/forwarder/orchestrator/orchestratorinterface/go.sum # comp/logs/agent/config/go.mod # comp/netflow/payload/go.mod # comp/otelcol/collector-contrib/def/go.mod # comp/otelcol/collector-contrib/def/go.sum # comp/otelcol/collector-contrib/impl/go.mod # comp/otelcol/collector-contrib/impl/go.sum # comp/otelcol/converter/def/go.mod # comp/otelcol/converter/impl/go.mod # 
comp/otelcol/ddflareextension/def/go.mod # comp/otelcol/ddflareextension/impl/go.mod # comp/otelcol/ddflareextension/impl/go.sum # comp/otelcol/ddflareextension/types/go.mod # comp/otelcol/ddprofilingextension/def/go.mod # comp/otelcol/ddprofilingextension/impl/go.mod # comp/otelcol/ddprofilingextension/impl/go.sum # comp/otelcol/logsagentpipeline/go.mod # comp/otelcol/logsagentpipeline/go.sum # comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.mod # comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.sum # comp/otelcol/otlp/components/exporter/datadogexporter/go.mod # comp/otelcol/otlp/components/exporter/datadogexporter/go.sum # comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod # comp/otelcol/otlp/components/exporter/logsagentexporter/go.sum # comp/otelcol/otlp/components/exporter/serializerexporter/go.mod # comp/otelcol/otlp/components/exporter/serializerexporter/go.sum # comp/otelcol/otlp/components/metricsclient/go.mod # comp/otelcol/otlp/components/processor/infraattributesprocessor/go.mod # comp/otelcol/otlp/components/processor/infraattributesprocessor/go.sum # comp/otelcol/otlp/testutil/go.mod # comp/otelcol/status/def/go.mod # comp/otelcol/status/impl/go.mod # comp/otelcol/status/impl/go.sum # comp/serializer/logscompression/go.mod # comp/serializer/metricscompression/go.mod # comp/trace/agent/def/go.mod # comp/trace/compression/def/go.mod # comp/trace/compression/impl-gzip/go.mod # comp/trace/compression/impl-zstd/go.mod # go.mod # go.sum # go.work # modules.yml # pkg/aggregator/ckey/go.mod # pkg/aggregator/sender_test.go # pkg/api/go.mod # pkg/collector/check/defaults/go.mod # pkg/config/create/go.mod # pkg/config/env/go.mod # pkg/config/helper/go.mod # pkg/config/mock/go.mod # pkg/config/model/go.mod # pkg/config/nodetreemodel/go.mod # pkg/config/remote/go.mod # pkg/config/remote/go.sum # pkg/config/setup/config.go # pkg/config/setup/go.mod # pkg/config/structure/go.mod # pkg/config/teeconfig/go.mod # pkg/config/utils/go.mod # 
pkg/config/viperconfig/go.mod # pkg/errors/go.mod # pkg/fips/go.mod # pkg/fleet/installer/go.mod # pkg/fleet/installer/go.sum # pkg/gohai/go.mod # pkg/linters/components/pkgconfigusage/go.mod # pkg/logs/client/go.mod # pkg/logs/client/go.sum # pkg/logs/diagnostic/go.mod # pkg/logs/message/go.mod # pkg/logs/metrics/go.mod # pkg/logs/pipeline/go.mod # pkg/logs/pipeline/go.sum # pkg/logs/processor/go.mod # pkg/logs/processor/go.sum # pkg/logs/sender/go.mod # pkg/logs/sender/go.sum # pkg/logs/sources/go.mod # pkg/logs/status/statusinterface/go.mod # pkg/logs/status/utils/go.mod # pkg/logs/types/go.mod # pkg/logs/util/testutils/go.mod # pkg/metrics/go.mod # pkg/metrics/go.sum # pkg/network/driver/go.mod # pkg/network/driver/go.sum # pkg/network/payload/go.mod # pkg/networkdevice/profile/go.mod # pkg/networkpath/payload/go.mod # pkg/obfuscate/go.mod # pkg/opentelemetry-mapping-go/inframetadata/go.mod # pkg/opentelemetry-mapping-go/inframetadata/gohai/internal/gohaitest/go.mod # pkg/opentelemetry-mapping-go/otlp/attributes/go.mod # pkg/opentelemetry-mapping-go/otlp/logs/go.mod # pkg/opentelemetry-mapping-go/otlp/logs/go.sum # pkg/opentelemetry-mapping-go/otlp/metrics/go.mod # pkg/opentelemetry-mapping-go/otlp/rum/go.mod # pkg/orchestrator/model/go.mod # pkg/orchestrator/util/go.mod # pkg/process/util/api/go.mod # pkg/process/util/api/go.sum # pkg/proto/go.mod # pkg/remoteconfig/state/go.mod # pkg/security/secl/go.mod # pkg/security/seclwin/go.mod # pkg/serializer/go.mod # pkg/serializer/go.sum # pkg/ssi/testutils/go.mod # pkg/status/health/go.mod # pkg/tagger/types/go.mod # pkg/tagset/go.mod # pkg/telemetry/go.mod # pkg/trace/go.mod # pkg/util/backoff/go.mod # pkg/util/buf/go.mod # pkg/util/cache/go.mod # pkg/util/cgroups/go.mod # pkg/util/cgroups/go.sum # pkg/util/common/go.mod # pkg/util/compression/go.mod # pkg/util/compression/go.sum # pkg/util/containers/image/go.mod # pkg/util/defaultpaths/go.mod # pkg/util/executable/go.mod # pkg/util/filesystem/go.mod # 
pkg/util/flavor/go.mod # pkg/util/fxutil/go.mod # pkg/util/grpc/go.mod # pkg/util/grpc/go.sum # pkg/util/hostinfo/go.mod # pkg/util/hostname/validate/go.mod # pkg/util/http/go.mod # pkg/util/json/go.mod # pkg/util/jsonquery/go.mod # pkg/util/log/go.mod # pkg/util/log/setup/go.mod # pkg/util/option/go.mod # pkg/util/otel/go.mod # pkg/util/pointer/go.mod # pkg/util/prometheus/go.mod # pkg/util/quantile/go.mod # pkg/util/quantile/sketchtest/go.mod # pkg/util/scrubber/go.mod # pkg/util/sort/go.mod # pkg/util/startstop/go.mod # pkg/util/statstracker/go.mod # pkg/util/system/go.mod # pkg/util/system/socket/go.mod # pkg/util/testutil/go.mod # pkg/util/utilizationtracker/go.mod # pkg/util/uuid/go.mod # pkg/util/winutil/go.mod # pkg/version/go.mod # test/e2e-framework/go.mod # test/e2e-framework/go.sum # test/fakeintake/go.mod # test/new-e2e/go.mod # test/new-e2e/go.sum # test/otel/go.mod # test/otel/go.sum
I have read the CLA Document and I hereby sign the CLA. You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.
# Conflicts: # cmd/privateactionrunner/subcommands/run/command.go # cmd/serverless-init/main.go # cmd/serverless-init/main_test.go # cmd/system-probe/subcommands/run/command.go # comp/core/agenttelemetry/def/go.sum # comp/core/agenttelemetry/fx/go.sum # comp/core/agenttelemetry/impl/go.sum # comp/core/config/go.sum # comp/core/configsync/go.sum # comp/core/ipc/httphelpers/go.sum # comp/core/ipc/impl/go.mod # comp/core/ipc/impl/go.sum # comp/core/ipc/mock/go.sum # comp/core/log/fx/go.sum # comp/core/log/impl-trace/go.sum # comp/core/log/impl/go.sum # comp/core/secrets/fx/go.sum # comp/core/secrets/impl/go.sum # comp/core/status/statusimpl/go.sum # comp/core/tagger/def/go.sum # comp/core/tagger/fx-remote/go.sum # comp/core/tagger/impl-remote/go.sum # comp/core/tagger/subscriber/go.sum # comp/forwarder/defaultforwarder/go.sum # comp/forwarder/orchestrator/orchestratorinterface/go.sum # comp/logs/agent/config/go.sum # comp/otelcol/collector-contrib/def/go.sum # comp/otelcol/collector-contrib/impl/go.mod # comp/otelcol/collector-contrib/impl/go.sum # comp/otelcol/converter/impl/go.sum # comp/otelcol/ddflareextension/impl/go.mod # comp/otelcol/ddflareextension/impl/go.sum # comp/otelcol/ddprofilingextension/impl/go.sum # comp/otelcol/logsagentpipeline/go.sum # comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.sum # comp/otelcol/otlp/components/exporter/datadogexporter/go.sum # comp/otelcol/otlp/components/exporter/logsagentexporter/go.sum # comp/otelcol/otlp/components/exporter/serializerexporter/go.sum # comp/otelcol/otlp/components/processor/infraattributesprocessor/go.sum # comp/otelcol/otlp/testutil/go.sum # comp/otelcol/status/impl/go.sum # comp/serializer/logscompression/go.sum # comp/serializer/metricscompression/go.sum # go.mod # go.sum # pkg/api/go.mod # pkg/api/go.sum # pkg/config/create/go.sum # pkg/config/env/go.mod # pkg/config/env/go.sum # pkg/config/helper/go.sum # pkg/config/mock/go.mod # pkg/config/mock/go.sum # pkg/config/nodetreemodel/go.sum # 
pkg/config/remote/go.mod # pkg/config/remote/go.sum # pkg/config/setup/go.mod # pkg/config/setup/go.sum # pkg/config/structure/go.sum # pkg/config/utils/go.mod # pkg/config/utils/go.sum # pkg/config/viperconfig/go.sum # pkg/fleet/installer/go.sum # pkg/gohai/go.sum # pkg/logs/client/go.sum # pkg/logs/diagnostic/go.sum # pkg/logs/message/go.mod # pkg/logs/message/go.sum # pkg/logs/pipeline/go.sum # pkg/logs/processor/go.sum # pkg/logs/sender/go.sum # pkg/logs/sources/go.mod # pkg/logs/sources/go.sum # pkg/logs/util/testutils/go.mod # pkg/logs/util/testutils/go.sum # pkg/metrics/go.sum # pkg/network/driver/go.sum # pkg/opentelemetry-mapping-go/inframetadata/gohai/internal/gohaitest/go.sum # pkg/opentelemetry-mapping-go/otlp/logs/go.sum # pkg/process/util/api/go.sum # pkg/security/seclwin/go.mod # pkg/serializer/go.sum # pkg/trace/go.sum # pkg/trace/otel/go.sum # pkg/trace/stats/go.sum # pkg/util/cgroups/go.sum # pkg/util/compression/go.sum # pkg/util/defaultpaths/go.sum # pkg/util/filesystem/go.mod # pkg/util/filesystem/go.sum # pkg/util/flavor/go.mod # pkg/util/flavor/go.sum # pkg/util/grpc/go.sum # pkg/util/hostinfo/go.sum # pkg/util/http/go.mod # pkg/util/http/go.sum # pkg/util/kubernetes/apiserver/common/namespace/go.mod # pkg/util/kubernetes/apiserver/common/namespace/go.sum # pkg/util/log/setup/go.mod # pkg/util/log/setup/go.sum # pkg/util/system/go.mod # pkg/util/system/go.sum # pkg/util/uuid/go.sum # pkg/util/winutil/go.sum # test/e2e-framework/go.sum # test/new-e2e/go.sum # test/otel/go.sum
```go
	"go.uber.org/fx"

	delegatedauth "github.com/DataDog/datadog-agent/comp/core/delegatedauth/def"
	"github.com/DataDog/datadog-agent/pkg/util/fxutil"
```
We're moving away from FX for tests, we want each implementation to be usable by OTEL or serverless which don't use FX.
So we don't need fx wrapper for mocks. See https://github.com/DataDog/datadog-agent/tree/main/comp/core/secrets for example.
```go
// Provider is an interface for getting a delegated token utilizing different methods.
type Provider interface {
	GetAPIKey(cfg pkgconfigmodel.Reader, config *AuthConfig) (*string, error)
}
```
Would the part where they fetch an API key from Datadog not be generic for all of them ? I would have guessed that we get a token for each provider and then use that token in a generic way to convert it into an API key.
comp/core/bundle_mock.go (outdated)

```go
	fx.Provide(func() delegatedauth.Component {
		return delegatedauthimpl.NewComponent().Comp
	}),
```
Why not use the mock here ?
```go
	// Config is the config component used to read settings and write the API key.
	// This must be provided as a config.Component, but is declared as interface{} to avoid import cycles.
	// The implementation will type-assert to config.Component.
	Config interface{}
```
You should be able to depend on pkg/config/model:ReaderWriter, no ?
```go
// Provides list the provided interfaces from the delegatedauth Component
type Provides struct {
	Comp delegatedauth.Component
```
We should provide a status.Provider too so we can display information and errors in the status page. See https://datadoghq.dev/datadog-agent/components/shared_features/status/
```go
	// Update the config value using the Writer interface
	// This will trigger OnUpdate callbacks for any components listening to this config
	d.config.Set(instance.apiKeyConfigKey, apiKey, pkgconfigmodel.SourceAgentRuntime)
	log.Infof("Updated config key '%s' with new delegated API key", instance.apiKeyConfigKey)
```
Suggested change:

```diff
-	log.Infof("Updated config key '%s' with new delegated API key", instance.apiKeyConfigKey)
+	log.Infof("Updated config key '%s' with new delegated API key ending with: %s", instance.apiKeyConfigKey, scrubber.HideKeyExceptLastFiveChars(apiKey))
```
pkg/config/setup/config.go (outdated)

```go
	// List of config prefixes and their corresponding API key config keys
	// This allows any config that has an api_key to support delegated authentication
	// To add delegated auth support for a new config, add an entry here and call
	// bindDelegatedAuthConfig(config, prefix) during config initialization
	delegatedAuthConfigs := []struct {
		prefix          string // Config prefix (empty for global)
		apiKeyConfigKey string // The config key where the API key should be written
	}{
		{"", "api_key"},                                           // Global api_key
		{"logs_config", "logs_config.api_key"},                    // Logs-specific api_key
		{"evp_proxy_config", "evp_proxy_config.api_key"},          // EVP proxy api_key
		{"ol_proxy_config", "ol_proxy_config.api_key"},            // OL proxy api_key
		{"remote_configuration", "remote_configuration.api_key"},  // Remote config api_key
	}
```
Could we build this list from bindDelegatedAuthConfig to avoid duplicating the information ?
```go
// Configure initializes delegated auth for a specific API key configuration.
// Can be called multiple times with different APIKeyConfigKey values.
func (d *delegatedAuthComponent) Configure(params delegatedauth.ConfigParams) {
```
I think we should split the configure and resolve steps. This would make the API clearer and avoid resolving the Cloud provider N times.
```go
	// Configure delegated auth after secrets are resolved but before other components initialize
	// Cloud provider detection happens automatically within the delegatedauth component
	if err := configureDelegatedAuth(config, delegatedAuthComp); err != nil {
		return err
```
I think this would prevent the Agent from starting. Are we sure this is what we want ?
```go
}

// GetSourceName returns the source used to pull information for EC2
func GetSourceName() string {
```
It's OK to remove the duplication in another PR but we have to do it right after this one is merged. The IMDS integration is sensitive since it's linked to hostname resolution and we don't want the duplicates to diverge from each other.
We could create a dedicated IMDS package used by both.
# Conflicts: # cmd/otel-agent/config/agent_config.go # comp/core/tagger/fx-remote/go.sum # comp/core/tagger/impl-remote/go.sum # comp/otelcol/ddflareextension/impl/go.sum # comp/otelcol/otlp/components/processor/infraattributesprocessor/go.sum # go.mod # go.sum # pkg/api/go.sum # pkg/config/utils/go.sum # pkg/linters/components/pkgconfigusage/go.mod # pkg/process/util/api/go.sum # pkg/security/seclwin/go.mod # test/e2e-framework/go.sum # test/new-e2e/go.sum
What does this PR do?
This adds the ability to exchange an AWS Cloud Auth Proof for an API key which is automatically managed and rotated on behalf of the customer. This is essentially extending https://docs.datadoghq.com/account_management/cloud_provider_authentication into the agent.
The flow is as follows:
Motivation
This should enable customers to not need to manage the API key used by the agent and instead use the AWS credentials in the AWS environment the agent is deployed to.
Describe how you validated your changes
Ran the agent locally to validate changes. Will deploy to testing environments.
Additional Notes