chore(ssi): add e2e tests (#44034)

### What does this PR do?
This commit adds several e2e tests for SSI. These tests focus on configuration options for SSI and how they impact mutation.

### Motivation
We have e2e test coverage through the Kubernetes tests that run on every platform:
https://github.com/DataDog/datadog-agent/blob/35e4f67132c64cf58c989fe20762878efcc5ebc1/test/new-e2e/tests/containers/k8s_test.go#L1196-L1206

However, these tests don't allow us to test more advanced configuration scenarios and more nuanced assertions. We want to add dedicated SSI end to end tests that focus on user configuration. For now, these new tests will be in addtion to the existing tests that focus on basic functionality on every platform we support.

See [SSI Kubernetes | Platform Stability](https://docs.google.com/document/d/1NqrPEUn3RfcdS_hQUQB-pJFJN9N-x5I202CB7s7CnwQ/edit?usp=sharing) for how this change fits into a larger initiative.

### Describe how you validated your changes
The attached build. Locally, these can be run like so:
```bash
inv new-e2e-tests.run --targets=./tests/ssi --run='^TestWorkloadSelectionSuite$'
```
```bash
inv new-e2e-tests.run --targets=./tests/ssi --run='^TestLocalSDKInjectionSuite$'
```
```bash
inv new-e2e-tests.run --targets=./tests/ssi --run='^TestNamespaceSelectionSuite$'
```
### Additional Notes
Every version is pinned. The injector is pinned, the python tracer is pinned, and the test app is pinned. So nothing should change outside of a commit for these tests.

Co-authored-by: mark.spicer <mark.spicer@datadoghq.com>

Author: betterengineering

.github/CODEOWNERS

@@ -776,6 +776,7 @@
 /test/new-e2e/tests/windows                   @DataDog/windows-products @DataDog/windows-products
 /test/new-e2e/tests/apm                       @DataDog/agent-apm
 /test/new-e2e/tests/remote-config             @DataDog/remote-config
+/test/new-e2e/tests/ssi                       @DataDog/injection-platform
 /test/new-e2e/tests/fleet                     @DataDog/fleet @DataDog/windows-products
 /test/new-e2e/tests/installer                 @DataDog/fleet @DataDog/windows-products
 /test/new-e2e/tests/installer/script          @DataDog/fleet @DataDog/data-jobs-monitoring

.gitlab-ci.yml

@@ -968,6 +968,22 @@ workflow:
       compare_to: $COMPARE_TO_BRANCH
     when: on_success
 
+.on_ssi_or_e2e_changes:
+  - !reference [.on_e2e_main_release_or_rc]
+  - changes:
+      paths:
+        - pkg/clusteragent/admission/mutate/autoinstrumentation/**/*
+        - pkg/clusteragent/admission/mutate/common/**/*
+        - pkg/clusteragent/admission/mutate/config/**/*
+        - pkg/clusteragent/admission/mutate/tagsfromlabels/**/*
+        - pkg/clusteragent/admission/common/**/*
+        - pkg/clusteragent/admission/controllers/webhook/**/*
+        - comp/core/workloadmeta/collectors/internal/kubeapiserver/**/*
+        - comp/languagedetection/**/*
+        - test/new-e2e/tests/ssi/**/*
+      compare_to: $COMPARE_TO_BRANCH
+    when: on_success
+
 .on_windows_service_or_e2e_changes:
   - !reference [.on_e2e_main_release_or_rc]
   - changes:

.gitlab/e2e/e2e.yml

@@ -955,6 +955,20 @@ new-e2e-otel:
     TEAM: otel
     ON_NIGHTLY_FIPS: "true"
 
+new-e2e-ssi:
+  extends: .new_e2e_template
+  rules:
+    - !reference [.on_ssi_or_e2e_changes]
+    - !reference [.manual]
+  needs:
+    - !reference [.needs_new_e2e_template]
+    - qa_dca
+    - qa_agent
+    - qa_agent_full
+  variables:
+    TARGETS: ./tests/ssi
+    TEAM: injection-platform
+
 .new-e2e_package_signing:
   variables:
     TARGETS: ./tests/agent-platform/package-signing

test/e2e-framework/scenarios/aws/kindvm/run.go

@@ -185,6 +185,7 @@ func RunWithEnv(ctx *pulumi.Context, awsEnv resAws.Environment, env *environment
 		if err != nil {
 			return err
 		}
+		dependsOnDDAgent = utils.PulumiDependsOn(operatorComp)
 	}
 
 	if params.deployDogstatsd {
@@ -236,12 +237,6 @@ func RunWithEnv(ctx *pulumi.Context, awsEnv resAws.Environment, env *environment
 			if _, err := cpustress.K8sAppDefinition(&awsEnv, kubeProvider, "workload-cpustress"); err != nil {
 				return err
 			}
-			for _, appFunc := range params.depWorkloadAppFuncs {
-				_, err := appFunc(&awsEnv, kubeProvider, dependsOnDDAgent)
-				if err != nil {
-					return err
-				}
-			}
 		}
 
 		if params.deployArgoRollout {
@@ -250,6 +245,16 @@ func RunWithEnv(ctx *pulumi.Context, awsEnv resAws.Environment, env *environment
 			}
 		}
 	}
+
+	if dependsOnDDAgent != nil {
+		for _, appFunc := range params.depWorkloadAppFuncs {
+			_, err := appFunc(&awsEnv, kubeProvider, dependsOnDDAgent)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
 	for _, appFunc := range params.workloadAppFuncs {
 		_, err := appFunc(&awsEnv, kubeProvider)
 		if err != nil {

test/new-e2e/go.mod

@@ -220,6 +220,7 @@ require (
 	github.com/DataDog/datadog-agent/comp/otelcol/ddflareextension/types v0.65.0-devel
 	github.com/DataDog/datadog-agent/pkg/metrics v0.73.0-rc.9
 	github.com/DataDog/datadog-agent/pkg/networkpath/payload v0.0.0-20250128160050-7ac9ccd58c07
+	github.com/DataDog/datadog-agent/pkg/ssi/testutils v0.0.0-00010101000000-000000000000
 	github.com/DataDog/datadog-agent/pkg/trace v0.73.0-rc.9
 	github.com/DataDog/datadog-go/v5 v5.8.2
 	github.com/DataDog/dd-trace-go/v2 v2.4.1

test/new-e2e/tests/ssi/doc.go

@@ -0,0 +1,8 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package ssi provides end to end tests for Single Step Instrumentation. It focuses on user configuration and how that
+// impacts targeting in Kubernetes.
+package ssi

test/new-e2e/tests/ssi/local_sdk_injection_test.go

@@ -0,0 +1,98 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+package ssi
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+	"github.com/stretchr/testify/require"
+
+	"github.com/DataDog/datadog-agent/pkg/ssi/testutils"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/common/config"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/components/datadog/apps/singlestep"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/components/datadog/kubernetesagentparams"
+	compkube "github.com/DataDog/datadog-agent/test/e2e-framework/components/kubernetes"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/scenarios/aws/kindvm"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/e2e"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/environments"
+	provkindvm "github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners/aws/kubernetes/kindvm"
+)
+
+type localSDKInjectionSuite struct {
+	e2e.BaseSuite[environments.Kubernetes]
+}
+
+func TestLocalSDKInjectionSuite(t *testing.T) {
+	helmValues, err := os.ReadFile("testdata/local_sdk_injection.yaml")
+	require.NoError(t, err, "Could not open helm values file for test")
+	e2e.Run(t, &localSDKInjectionSuite{}, e2e.WithProvisioner(provkindvm.Provisioner(
+		provkindvm.WithRunOptions(
+			kindvm.WithAgentDependentWorkloadApp(func(e config.Env, kubeProvider *kubernetes.Provider, dependsOnAgent pulumi.ResourceOption) (*compkube.Workload, error) {
+				return singlestep.Scenario(e, kubeProvider, "local-sdk-injection", []singlestep.Namespace{
+					{
+						Name: "application",
+						Apps: []singlestep.App{
+							{
+								Name:    DefaultAppName,
+								Image:   "gcr.io/datadoghq/injector-dev/python",
+								Version: "d425e7df",
+								Port:    8080,
+								PodLabels: map[string]string{
+									"admission.datadoghq.com/enabled": "true",
+									"tags.datadoghq.com/service":      DefaultAppName,
+								},
+								PodAnnotations: map[string]string{
+									"admission.datadoghq.com/python-lib.version": "v3.18.1",
+								},
+							},
+							{
+								Name:    "expect-no-injection",
+								Image:   "gcr.io/datadoghq/injector-dev/python",
+								Version: "d425e7df",
+								Port:    8080,
+							},
+						},
+					},
+				}, dependsOnAgent)
+			}),
+			kindvm.WithAgentOptions(kubernetesagentparams.WithHelmValues(string(helmValues))),
+		),
+	)))
+}
+
+func (v *localSDKInjectionSuite) TestClusterAgentInstalled() {
+	FindPodInNamespace(v.T(), v.Env().KubernetesCluster.Client(), "datadog", "cluster-agent")
+}
+
+func (v *localSDKInjectionSuite) TestExpectInjection() {
+	// Get clients.
+	intake := v.Env().FakeIntake.Client()
+	k8s := v.Env().KubernetesCluster.Client()
+
+	// Ensure the pod was injected.
+	pod := FindPodInNamespace(v.T(), k8s, "application", DefaultAppName)
+	podValidator := testutils.NewPodValidator(pod)
+	podValidator.RequireInjection(v.T(), DefaultExpectedContainers)
+	podValidator.RequireLibraryVersions(v.T(), map[string]string{
+		"python": "v3.18.1",
+	})
+	podValidator.RequireInjectorVersion(v.T(), "0.52.0")
+
+	// Ensure the service has traces.
+	require.Eventually(v.T(), func() bool {
+		traces := FindTracesForService(v.T(), intake, DefaultAppName)
+		return len(traces) != 0
+	}, 1*time.Minute, 10*time.Second, "did not find any traces at intake for DD_SERVICE %s", DefaultAppName)
+}
+
+func (v *localSDKInjectionSuite) TestExpectNoInjection() {
+	pod := FindPodInNamespace(v.T(), v.Env().KubernetesCluster.Client(), "application", "expect-no-injection")
+	podValidator := testutils.NewPodValidator(pod)
+	podValidator.RequireNoInjection(v.T())
+}

test/new-e2e/tests/ssi/namespace_selection_test.go

@@ -0,0 +1,99 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package ssi
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+	"github.com/stretchr/testify/require"
+
+	"github.com/DataDog/datadog-agent/pkg/ssi/testutils"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/common/config"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/components/datadog/apps/singlestep"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/components/datadog/kubernetesagentparams"
+	compkube "github.com/DataDog/datadog-agent/test/e2e-framework/components/kubernetes"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/scenarios/aws/kindvm"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/e2e"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/environments"
+	provkindvm "github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners/aws/kubernetes/kindvm"
+)
+
+type namespaceSelectionSuite struct {
+	e2e.BaseSuite[environments.Kubernetes]
+}
+
+func TestNamespaceSelectionSuite(t *testing.T) {
+	helmValues, err := os.ReadFile("testdata/namespace_selection.yaml")
+	require.NoError(t, err, "Could not open helm values file for test")
+	e2e.Run(t, &namespaceSelectionSuite{}, e2e.WithProvisioner(provkindvm.Provisioner(
+		provkindvm.WithRunOptions(
+			kindvm.WithAgentDependentWorkloadApp(func(e config.Env, kubeProvider *kubernetes.Provider, dependsOnAgent pulumi.ResourceOption) (*compkube.Workload, error) {
+				return singlestep.Scenario(e, kubeProvider, "namespace-selection", []singlestep.Namespace{
+					{
+						Name: "expect-injection",
+						Apps: []singlestep.App{
+							{
+								Name:    DefaultAppName,
+								Image:   "gcr.io/datadoghq/injector-dev/python",
+								Version: "d425e7df",
+								Port:    8080,
+							},
+						},
+					},
+					{
+						Name: "expect-no-injection",
+						Apps: []singlestep.App{
+							{
+								Name:    DefaultAppName,
+								Image:   "gcr.io/datadoghq/injector-dev/python",
+								Version: "d425e7df",
+								Port:    8080,
+							},
+						},
+					},
+				}, dependsOnAgent)
+			}),
+			kindvm.WithAgentOptions(kubernetesagentparams.WithHelmValues(string(helmValues))),
+		),
+	)))
+}
+
+func (v *namespaceSelectionSuite) TestClusterAgentInstalled() {
+	FindPodInNamespace(v.T(), v.Env().KubernetesCluster.Client(), "datadog", "cluster-agent")
+}
+
+func (v *namespaceSelectionSuite) TestExpectInjection() {
+	// Get clients.
+	intake := v.Env().FakeIntake.Client()
+	k8s := v.Env().KubernetesCluster.Client()
+
+	// Ensure the pod was injected.
+	pod := FindPodInNamespace(v.T(), k8s, "expect-injection", DefaultAppName)
+	podValidator := testutils.NewPodValidator(pod)
+	podValidator.RequireInjection(v.T(), DefaultExpectedContainers)
+	podValidator.RequireLibraryVersions(v.T(), map[string]string{
+		"python": "v3.18.1",
+	})
+	podValidator.RequireInjectorVersion(v.T(), "0.52.0")
+
+	// Ensure the service has traces.
+	require.Eventually(v.T(), func() bool {
+		traces := FindTracesForService(v.T(), intake, DefaultAppName)
+		return len(traces) != 0
+	}, 1*time.Minute, 10*time.Second, "did not find any traces at intake for DD_SERVICE %s", DefaultAppName)
+}
+
+func (v *namespaceSelectionSuite) TestExpectNoInjection() {
+	pods := GetPodsInNamespace(v.T(), v.Env().KubernetesCluster.Client(), "expect-no-injection")
+	for _, pod := range pods {
+		podValidator := testutils.NewPodValidator(&pod)
+		podValidator.RequireNoInjection(v.T())
+	}
+}

test/new-e2e/tests/ssi/testdata/local_sdk_injection.yaml

@@ -0,0 +1,11 @@
+---
+clusterAgent:
+  admissionController:
+    configMode: "hostip"
+datadog:
+  apm:
+    instrumentation:
+      enabled: false
+      enabledNamespaces: []
+      injector:
+        imageTag: "0.52.0"

test/new-e2e/tests/ssi/testdata/namespace_selection.yaml

@@ -0,0 +1,14 @@
+---
+clusterAgent:
+  admissionController:
+    configMode: "hostip"
+datadog:
+  apm:
+    instrumentation:
+      enabled: true
+      injector:
+        imageTag: "0.52.0"
+      enabledNamespaces:
+        - "expect-injection"
+      libVersions:
+        python: "v3.18.1"