fix(AdmissionController): Unify Caching for Secrets within DCA

[gabedos]

What does this PR do?

Eliminates the 5-minute certificate cache in the admission webhook HTTP server by using the shared Secret informer cache instead. Using multiple independent caches produced problems whenever the Secret value updated in informer cache but not the HTTP server's cache (5 min delay).

Motivation

During certificate rotation, there was a potential 5-minute downtime window where:

1. Secret Controller updates the certificate Secret (detects soon expiration)
2. Webhook Controller updates the MutatingWebhookConfiguration with the new CA bundle
3. HTTP Server continues serving the old certificate from cache (up to 5 minutes)
4. Kubernetes API server rejects the webhook call because the old cert doesn't match the new CA bundle

By using the same informer cache that the Webhook Controller uses, both components stay synchronized.

Describe how you validated your changes

Unit Tests: Existing secret controller tests verify that secret rotations/refreshes still propagate smoothly.

Manual: Deploy the admission controller with mutateUnlabelled:true and failurePolicy:fail.

Before the patch, when you delete the secret (to trigger a rotation), you will see FailedCreate events like the following for 5 minutes:

k delete secret webhook-certificate -n datadog-agent
### Deploy some workloads (CronJob)
kubectl get events --field-selector reason=FailedCreate -A

NAMESPACE   LAST SEEN   TYPE      REASON         OBJECT                           MESSAGE
default     4m         Warning   FailedCreate   job/webhook-load-test-29495340   Error creating: Internal error occurred: failed calling webhook "datadog.webhook.agent.config": failed to call webhook: Post "https://datadog-agent-linux-cluster-agent-admission-controller.datadog-agent.svc:443/injectconfig?timeout=10s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-01-29T21:00:00Z is after 2026-01-29T20:57:55Z

Now, deleting the secret and deploying new workloads will cause no errors!

k delete secret webhook-certificate -n datadog-agent
###  Deploy some workloads (CronJob)
kubectl get events --field-selector reason=FailedCreate -A
No resources found

Additional Notes

Original implementation considered storing 2 certificates within the CA Bundle with overlapping lifetimes. For example C1 is valid from T1-T10 and C2 is valid from T5-T15. Both the certificates are stored in the secret. When we hit a time like T8 when we want to transition to the next valid certificate, it is already present throughout all the relevant clients.

Before this change, the admission controller went uncertified for worst case 5 minutes. Now, the worst case is simply how long the API request to update the mutatingwebhook controller with the new configuration takes. The shared informed on the cluster agent is notified of a change to the secret cert. It's possible a request comes in to the HTTP server and the new cert is used, however, under a race, the mutating webhook configuration has not been updated yet with the new cert.

From an initial search online, API Server requests can operate on the order of 100ms. Our cache had a lifetime of 300,000ms and so this would be a 3000x increase in availability of the admission controller which can land us a quick easy win.

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 1576f3a
📊 Static Quality Gates Dashboard

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	docker_cluster_agent_amd64	-7.99 KiB (0.00% reduction)	181.177 → 181.169 → 181.200

30 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	752.126 MiB
✅	agent_deb_amd64_fips	700.803 MiB
✅	agent_heroku_amd64	326.418 MiB
✅	agent_msi	662.890 MiB
✅	agent_rpm_amd64	752.109 MiB
✅	agent_rpm_amd64_fips	700.787 MiB
✅	agent_rpm_arm64	730.855 MiB
✅	agent_rpm_arm64_fips	682.918 MiB
✅	agent_suse_amd64	752.109 MiB
✅	agent_suse_amd64_fips	700.787 MiB
✅	agent_suse_arm64	730.855 MiB
✅	agent_suse_arm64_fips	682.918 MiB
✅	docker_agent_amd64	814.253 MiB
✅	docker_agent_arm64	817.629 MiB
✅	docker_agent_jmx_amd64	1005.132 MiB
✅	docker_agent_jmx_arm64	997.227 MiB
✅	docker_cluster_agent_arm64	196.983 MiB
✅	docker_cws_instrumentation_amd64	7.135 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	38.819 MiB
✅	docker_dogstatsd_arm64	37.127 MiB
✅	dogstatsd_deb_amd64	30.035 MiB
✅	dogstatsd_deb_arm64	28.184 MiB
✅	dogstatsd_rpm_amd64	30.035 MiB
✅	dogstatsd_suse_amd64	30.035 MiB
✅	iot_agent_deb_amd64	43.013 MiB
✅	iot_agent_deb_arm64	40.119 MiB
✅	iot_agent_deb_armhf	40.689 MiB
✅	iot_agent_rpm_amd64	43.014 MiB
✅	iot_agent_suse_amd64	43.014 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-19.33 KiB (0.01% reduction)	183.872 → 183.853 → 184.810
✅	agent_deb_amd64_fips	+38.48 KiB (0.02% increase)	172.587 → 172.624 → 173.790
✅	agent_heroku_amd64	-8.42 KiB (0.01% reduction)	87.186 → 87.178 → 88.450
✅	agent_msi	+28.0 KiB (0.02% increase)	143.098 → 143.125 → 143.300
✅	agent_rpm_amd64	+59.14 KiB (0.03% increase)	186.900 → 186.958 → 188.160
✅	agent_rpm_amd64_fips	-4.37 KiB (0.00% reduction)	175.627 → 175.623 → 176.600
✅	agent_rpm_arm64	-22.6 KiB (0.01% reduction)	168.463 → 168.441 → 169.930
✅	agent_rpm_arm64_fips	+26.41 KiB (0.02% increase)	159.075 → 159.101 → 160.550
✅	agent_suse_amd64	+59.14 KiB (0.03% increase)	186.900 → 186.958 → 188.160
✅	agent_suse_amd64_fips	-4.37 KiB (0.00% reduction)	175.627 → 175.623 → 176.600
✅	agent_suse_arm64	-22.6 KiB (0.01% reduction)	168.463 → 168.441 → 169.930
✅	agent_suse_arm64_fips	+26.41 KiB (0.02% increase)	159.075 → 159.101 → 160.550
✅	docker_agent_amd64	neutral	276.540 MiB → 277.400
✅	docker_agent_arm64	neutral	263.935 MiB → 266.040
✅	docker_agent_jmx_amd64	neutral	345.171 MiB → 346.020
✅	docker_agent_jmx_arm64	neutral	328.554 MiB → 330.660
✅	docker_cluster_agent_amd64	neutral	64.003 MiB → 64.510
✅	docker_cluster_agent_arm64	neutral	60.270 MiB → 61.170
✅	docker_cws_instrumentation_amd64	neutral	2.994 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.726 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.024 MiB → 15.820
✅	docker_dogstatsd_arm64	neutral	14.346 MiB → 14.830
✅	dogstatsd_deb_amd64	neutral	7.938 MiB → 8.790
✅	dogstatsd_deb_arm64	neutral	6.821 MiB → 7.710
✅	dogstatsd_rpm_amd64	neutral	7.950 MiB → 8.800
✅	dogstatsd_suse_amd64	neutral	7.950 MiB → 8.800
✅	iot_agent_deb_amd64	-2.93 KiB (0.03% reduction)	11.287 → 11.284 → 12.040
✅	iot_agent_deb_arm64	neutral	9.645 MiB → 10.450
✅	iot_agent_deb_armhf	+2.52 KiB (0.02% increase)	9.842 → 9.844 → 10.620
✅	iot_agent_rpm_amd64	-3.14 KiB (0.03% reduction)	11.308 → 11.304 → 12.060
✅	iot_agent_suse_amd64	-3.14 KiB (0.03% reduction)	11.308 → 11.304 → 12.060

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 1ddee7d6-55ff-4ad3-818d-ed6cb6eb0204

Baseline: 1576f3a
Comparison: 80044bf
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-4.79	[-7.81, -1.77]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+1.31	[-0.21, +2.84]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+1.03	[+0.91, +1.15]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+0.70	[+0.48, +0.92]	1	Logs bounds checks dashboard
➖	otlp_ingest_metrics	memory utilization	+0.62	[+0.46, +0.77]	1	Logs
➖	ddot_metrics	memory utilization	+0.56	[+0.34, +0.78]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.44	[+0.23, +0.64]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.38	[+0.15, +0.61]	1	Logs
➖	docker_containers_memory	memory utilization	+0.32	[+0.24, +0.39]	1	Logs
➖	file_tree	memory utilization	+0.21	[+0.16, +0.26]	1	Logs
➖	quality_gate_idle	memory utilization	+0.12	[+0.08, +0.17]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.11	[+0.06, +0.16]	1	Logs
➖	otlp_ingest_logs	memory utilization	+0.10	[-0.02, +0.21]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.05	[-0.35, +0.46]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.04	[-0.01, +0.08]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.04	[-0.13, +0.20]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.00	[-0.53, +0.52]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.00	[-0.39, +0.38]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.01	[-0.13, +0.11]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.14, +0.13]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.01	[-0.10, +0.09]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.05	[-0.08, -0.01]	1	Logs bounds checks dashboard
➖	ddot_logs	memory utilization	-0.54	[-0.61, -0.48]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-4.79	[-7.81, -1.77]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	lost_bytes	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.