[CONTINT-5028] Add permissions to collect Argo and Flux CRDs and use kustomize SA for e2e-tests (#2486)

tbavelier · web-flow · commit 08c7140cd173 · 2026-01-15T13:04:47.000+01:00
* add timeout to e2e to see dumps instead of waiting CI job time out

* fix RBAC for fluxcd

* Do not use Helm chart SA and rely on kustomize one

* clean up DDA before finishing test

* Make cleanup more robust
diff --git a/Makefile b/Makefile
@@ -52,6 +52,10 @@ IMG_CHECK ?= gcr.io/datadoghq/operator-check:latest
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.30
+# Default timeout for `go test` when running E2E tests.
+# (E2E provisioning can hang; having a finite timeout ensures we get goroutine dumps
+# instead of the CI job timing out with no actionable logs.)
+E2E_GO_TEST_TIMEOUT ?= 55m
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -205,10 +209,10 @@ integration-tests: $(ENVTEST) ## Run integration tests with reconciler
 .PHONY: e2e-tests
 e2e-tests: ## Run E2E tests and destroy environment stacks after tests complete. To run locally, complete pre-reqs (see docs/how-to-contribute.md) and prepend command with `aws-vault exec sso-agent-sandbox-account-admin --`. E.g. `aws-vault exec sso-agent-sandbox-account-admin -- make e2e-tests`.
 	@if [ -z "$(E2E_RUN_REGEX)" ]; then \
-		KUBEBUILDER_ASSETS="$(ROOT)/bin/$(PLATFORM)/" go test -C test/e2e/ ./... -count=1 --tags=e2e -v -run TestAWSKindSuite -timeout 0s -coverprofile cover_e2e.out; \
+		KUBEBUILDER_ASSETS="$(ROOT)/bin/$(PLATFORM)/" go test -C test/e2e/ ./... -count=1 --tags=e2e -v -run TestAWSKindSuite -timeout $(E2E_GO_TEST_TIMEOUT) -coverprofile cover_e2e.out; \
 	else \
 	    echo "Running e2e test: $(E2E_RUN_REGEX)"; \
-		KUBEBUILDER_ASSETS="$(ROOT)/bin/$(PLATFORM)/" go test -C test/e2e/ ./... -count=1 --tags=e2e -v -run $(E2E_RUN_REGEX) -timeout 0s -coverprofile cover_e2e.out; \
+		KUBEBUILDER_ASSETS="$(ROOT)/bin/$(PLATFORM)/" go test -C test/e2e/ ./... -count=1 --tags=e2e -v -run $(E2E_RUN_REGEX) -timeout $(E2E_GO_TEST_TIMEOUT) -coverprofile cover_e2e.out; \
 	fi
 
 .PHONY: yaml-mapper-tests
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -128,6 +128,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - applicationsets
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - argoproj.io
   resources:
@@ -352,6 +360,13 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kustomize.toolkit.fluxcd.io
+  resources:
+  - kustomizations
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - metrics.eks.amazonaws.com
   resources:
@@ -442,6 +457,18 @@ rules:
   - securitycontextconstraints
   verbs:
   - use
+- apiGroups:
+  - source.toolkit.fluxcd.io
+  resources:
+  - buckets
+  - externalartifacts
+  - gitrepositories
+  - helmcharts
+  - helmrepositories
+  - ocirepositories
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - storage.k8s.io
   resources:
diff --git a/internal/controller/datadogagent/feature/orchestratorexplorer/rbac.go b/internal/controller/datadogagent/feature/orchestratorexplorer/rbac.go
@@ -109,7 +109,22 @@ func getRBACPolicyRules(logger logr.Logger, crs []string) []rbacv1.PolicyRule {
 		},
 		{
 			APIGroups: []string{rbac.ArgoProjAPIGroup},
-			Resources: []string{rbac.Rollout},
+			Resources: []string{rbac.Rollout, rbac.Applications, rbac.Applicationsets},
+		},
+		{
+			APIGroups: []string{rbac.FluxSourceToolkitAPIGroup},
+			Resources: []string{
+				rbac.Buckets,
+				rbac.Helmcharts,
+				rbac.Externalartifacts,
+				rbac.Gitrepositories,
+				rbac.Helmrepositories,
+				rbac.Ocirepositories,
+			},
+		},
+		{
+			APIGroups: []string{rbac.FluxKustomizeToolkitAPIGroup},
+			Resources: []string{rbac.Kustomizations},
 		},
 		{
 			APIGroups: []string{rbac.KarpenterAPIGroup},
diff --git a/internal/controller/datadogagent_controller.go b/internal/controller/datadogagent_controller.go
@@ -164,6 +164,15 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=list;watch
 // +kubebuilder:rbac:groups=datadoghq.com,resources="*",verbs=list;watch
 // +kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=list;watch
+// +kubebuilder:rbac:groups=argoproj.io,resources=applications,verbs=list;watch
+// +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=list;watch
+// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=buckets,verbs=list;watch
+// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=externalartifacts,verbs=list;watch
+// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=gitrepositories,verbs=list;watch
+// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts,verbs=list;watch
+// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories,verbs=list;watch
+// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=ocirepositories,verbs=list;watch
+// +kubebuilder:rbac:groups=kustomize.toolkit.fluxcd.io,resources=kustomizations,verbs=list;watch
 // +kubebuilder:rbac:groups=karpenter.sh,resources="*",verbs=get;list;watch;create;patch;update;delete
 // +kubebuilder:rbac:groups=karpenter.k8s.aws,resources="*",verbs=get;list;watch
 // +kubebuilder:rbac:groups=karpenter.azure.com,resources="*",verbs=list;watch
diff --git a/pkg/kubernetes/rbac/const.go b/pkg/kubernetes/rbac/const.go
@@ -11,32 +11,35 @@ const (
 	Wildcard = "*"
 
 	// API Groups
-	AdmissionAPIGroup        = "admissionregistration.k8s.io"
-	APIExtensionsAPIGroup    = "apiextensions.k8s.io"
-	AppsAPIGroup             = "apps"
-	ArgoProjAPIGroup         = "argoproj.io"
-	AuthorizationAPIGroup    = "authorization.k8s.io"
-	AutoscalingAPIGroup      = "autoscaling"
-	AutoscalingK8sIoAPIGroup = "autoscaling.k8s.io"
-	BatchAPIGroup            = "batch"
-	CertificatesAPIGroup     = "certificates.k8s.io"
-	CoordinationAPIGroup     = "coordination.k8s.io"
-	CoreAPIGroup             = ""
-	DatadogAPIGroup          = "datadoghq.com"
-	DiscoveryAPIGroup        = "discovery.k8s.io"
-	ExtensionsAPIGroup       = "extensions"
-	ExternalMetricsAPIGroup  = "external.metrics.k8s.io"
-	GatewayAPIGroup          = "gateway.networking.k8s.io"
-	NetworkingAPIGroup       = "networking.k8s.io"
-	OpenShiftQuotaAPIGroup   = "quota.openshift.io"
-	PolicyAPIGroup           = "policy"
-	RbacAPIGroup             = "rbac.authorization.k8s.io"
-	RegistrationAPIGroup     = "apiregistration.k8s.io"
-	StorageAPIGroup          = "storage.k8s.io"
-	EKSMetricsAPIGroup       = "metrics.eks.amazonaws.com"
-	KarpenterAPIGroup        = "karpenter.sh"
-	KarpenterAWSAPIGroup     = "karpenter.k8s.aws"
-	KarpenterAzureAPIGroup   = "karpenter.azure.com"
+	AdmissionAPIGroup     = "admissionregistration.k8s.io"
+	APIExtensionsAPIGroup = "apiextensions.k8s.io"
+	AppsAPIGroup          = "apps"
+	ArgoProjAPIGroup      = "argoproj.io"
+	// Flux CD API groups (Flux does not use a single "fluxcd.io" API group for these CRDs)
+	FluxSourceToolkitAPIGroup    = "source.toolkit.fluxcd.io"
+	FluxKustomizeToolkitAPIGroup = "kustomize.toolkit.fluxcd.io"
+	AuthorizationAPIGroup        = "authorization.k8s.io"
+	AutoscalingAPIGroup          = "autoscaling"
+	AutoscalingK8sIoAPIGroup     = "autoscaling.k8s.io"
+	BatchAPIGroup                = "batch"
+	CertificatesAPIGroup         = "certificates.k8s.io"
+	CoordinationAPIGroup         = "coordination.k8s.io"
+	CoreAPIGroup                 = ""
+	DatadogAPIGroup              = "datadoghq.com"
+	DiscoveryAPIGroup            = "discovery.k8s.io"
+	ExtensionsAPIGroup           = "extensions"
+	ExternalMetricsAPIGroup      = "external.metrics.k8s.io"
+	GatewayAPIGroup              = "gateway.networking.k8s.io"
+	NetworkingAPIGroup           = "networking.k8s.io"
+	OpenShiftQuotaAPIGroup       = "quota.openshift.io"
+	PolicyAPIGroup               = "policy"
+	RbacAPIGroup                 = "rbac.authorization.k8s.io"
+	RegistrationAPIGroup         = "apiregistration.k8s.io"
+	StorageAPIGroup              = "storage.k8s.io"
+	EKSMetricsAPIGroup           = "metrics.eks.amazonaws.com"
+	KarpenterAPIGroup            = "karpenter.sh"
+	KarpenterAWSAPIGroup         = "karpenter.k8s.aws"
+	KarpenterAzureAPIGroup       = "karpenter.azure.com"
 
 	// Resources
 
@@ -90,6 +93,15 @@ const (
 	RoleBindingResource                 = "rolebindings"
 	RoleResource                        = "roles"
 	Rollout                             = "rollouts"
+	Applications                        = "applications"
+	Applicationsets                     = "applicationsets"
+	Buckets                             = "buckets"
+	Helmcharts                          = "helmcharts"
+	Externalartifacts                   = "externalartifacts"
+	Gitrepositories                     = "gitrepositories"
+	Helmrepositories                    = "helmrepositories"
+	Ocirepositories                     = "ocirepositories"
+	Kustomizations                      = "kustomizations"
 	SecretsResource                     = "secrets"
 	ServiceAccountResource              = "serviceaccounts"
 	ServicesResource                    = "services"
diff --git a/test/e2e/tests/k8s_suite/k8s_suite_test.go b/test/e2e/tests/k8s_suite/k8s_suite_test.go
@@ -44,7 +44,16 @@ func (s *k8sSuite) TestGenericK8s() {
 	defaultOperatorOpts := []operatorparams.Option{
 		operatorparams.WithNamespace(common.NamespaceName),
 		operatorparams.WithOperatorFullImagePath(common.OperatorImageName),
-		operatorparams.WithHelmValues("installCRDs: false"),
+		// RBAC/CRDs are installed via our e2e kustomize (`config/new-e2e`, namePrefix: datadog-operator-e2e-).
+		// Ensure the Helm-installed operator uses the same ServiceAccount (and doesn't create its own RBAC),
+		// otherwise it may run under a different SA (e.g. datadog-operator-linux) lacking new permissions.
+		operatorparams.WithHelmValues(`installCRDs: false
+rbac:
+  create: false
+serviceAccount:
+  create: false
+  name: datadog-operator-e2e-controller-manager
+`),
 	}
 
 	defaultProvisionerOpts := []provisioners.KubernetesProvisionerOption{
@@ -57,6 +66,33 @@ func (s *k8sSuite) TestGenericK8s() {
 		agentwithoperatorparams.WithNamespace(common.NamespaceName),
 	}
 
+	// --- Suite-level cleanup (registered before any subtests run) ---
+	//
+	// We need to ensure the final env of the suite is left without a DatadogAgent before the
+	// underlying Pulumi teardown happens; otherwise CRD deletion may race with DDA deletion.
+	//
+	// This runs ONCE, at the very end of the whole suite (not after each subtest).
+	t := s.T()
+	var lastTestName string
+	updateEnv := func(testName string, opts []provisioners.KubernetesProvisionerOption) {
+		lastTestName = testName
+		s.UpdateEnv(provisioners.KubernetesProvisioner(opts...))
+	}
+	t.Cleanup(func() {
+		if lastTestName == "" {
+			return
+		}
+
+		cleanupOpts := []provisioners.KubernetesProvisionerOption{
+			provisioners.WithTestName(lastTestName),
+			provisioners.WithK8sVersion(common.K8sVersion),
+			provisioners.WithOperatorOptions(defaultOperatorOpts...),
+			provisioners.WithoutDDA(),
+			provisioners.WithLocal(s.local),
+		}
+		s.UpdateEnv(provisioners.KubernetesProvisioner(cleanupOpts...))
+	})
+
 	s.T().Run("Verify Operator", func(t *testing.T) {
 		s.Assert().EventuallyWithT(func(c *assert.CollectT) {
 			utils.VerifyOperator(s.T(), c, common.NamespaceName, s.Env().KubernetesCluster.Client())
@@ -83,7 +119,7 @@ func (s *k8sSuite) TestGenericK8s() {
 			provisioners.WithLocal(s.local),
 		}
 
-		s.UpdateEnv(provisioners.KubernetesProvisioner(provisionerOptions...))
+		updateEnv("e2e-operator-minimal-dda", provisionerOptions)
 
 		err = s.Env().FakeIntake.Client().FlushServerAndResetAggregators()
 		s.Assert().NoError(err)
@@ -149,7 +185,7 @@ func (s *k8sSuite) TestGenericK8s() {
 			provisioners.WithLocal(s.local),
 		}
 
-		s.UpdateEnv(provisioners.KubernetesProvisioner(provisionerOptions...))
+		updateEnv("e2e-operator-ksm-ccr", provisionerOptions)
 
 		err = s.Env().FakeIntake.Client().FlushServerAndResetAggregators()
 		s.Assert().NoError(err)
@@ -190,7 +226,7 @@ func (s *k8sSuite) TestGenericK8s() {
 		provisionerOptions = append(provisionerOptions, defaultProvisionerOpts...)
 
 		// Add nginx with annotations
-		s.UpdateEnv(provisioners.KubernetesProvisioner(provisionerOptions...))
+		updateEnv("e2e-operator-autodiscovery", provisionerOptions)
 
 		err = s.Env().FakeIntake.Client().FlushServerAndResetAggregators()
 		s.Assert().NoError(err)
@@ -236,7 +272,7 @@ func (s *k8sSuite) TestGenericK8s() {
 			provisioners.WithLocal(s.local),
 		}
 
-		s.UpdateEnv(provisioners.KubernetesProvisioner(provisionerOptions...))
+		updateEnv("e2e-operator-logs-collection", provisionerOptions)
 
 		// Verify logs collection on agent pod
 		s.Assert().EventuallyWithTf(func(c *assert.CollectT) {
@@ -265,7 +301,7 @@ func (s *k8sSuite) TestGenericK8s() {
 			provisioners.WithLocal(s.local),
 		}
 		withoutDDAProvisionerOptions = append(withoutDDAProvisionerOptions, defaultProvisionerOpts...)
-		s.UpdateEnv(provisioners.KubernetesProvisioner(withoutDDAProvisionerOptions...))
+		updateEnv("e2e-operator-apm", withoutDDAProvisionerOptions)
 
 		var apmAgentSelector = ",agent.datadoghq.com/name=datadog-agent-apm"
 		ddaConfigPath, err := common.GetAbsPath(filepath.Join(common.ManifestsPath, "apm", "datadog-agent-apm.yaml"))
@@ -291,7 +327,7 @@ func (s *k8sSuite) TestGenericK8s() {
 		ddaProvisionerOptions = append(ddaProvisionerOptions, defaultProvisionerOpts...)
 
 		// Deploy APM DatadogAgent and tracegen
-		s.UpdateEnv(provisioners.KubernetesProvisioner(ddaProvisionerOptions...))
+		updateEnv("e2e-operator-apm", ddaProvisionerOptions)
 
 		// Verify traces collection on agent pod
 		s.EventuallyWithTf(func(c *assert.CollectT) {
diff --git a/test/e2e/tests/k8s_suite/kind_aws_test.go b/test/e2e/tests/k8s_suite/kind_aws_test.go
@@ -23,7 +23,13 @@ func TestAWSKindSuite(t *testing.T) {
 	operatorOptions := []operatorparams.Option{
 		operatorparams.WithNamespace(common.NamespaceName),
 		operatorparams.WithOperatorFullImagePath(common.OperatorImageName),
-		operatorparams.WithHelmValues("installCRDs: false"),
+		operatorparams.WithHelmValues(`installCRDs: false
+rbac:
+  create: false
+serviceAccount:
+  create: false
+  name: datadog-operator-e2e-controller-manager
+`),
 	}
 
 	provisionerOptions := []provisioners.KubernetesProvisionerOption{
diff --git a/test/e2e/tests/k8s_suite/kind_local_test.go b/test/e2e/tests/k8s_suite/kind_local_test.go
@@ -7,12 +7,13 @@ package k8ssuite
 
 import (
 	"fmt"
+	"strings"
+	"testing"
+
 	"github.com/DataDog/datadog-agent/test/new-e2e/pkg/e2e"
 	"github.com/DataDog/datadog-operator/test/e2e/common"
 	"github.com/DataDog/datadog-operator/test/e2e/provisioners"
 	"github.com/DataDog/test-infra-definitions/components/datadog/operatorparams"
-	"strings"
-	"testing"
 )
 
 type localKindSuite struct {
@@ -29,7 +30,13 @@ func TestLocalKindSuite(t *testing.T) {
 	operatorOptions := []operatorparams.Option{
 		operatorparams.WithNamespace(common.NamespaceName),
 		operatorparams.WithOperatorFullImagePath(common.OperatorImageName),
-		operatorparams.WithHelmValues("installCRDs: false"),
+		operatorparams.WithHelmValues(`installCRDs: false
+rbac:
+  create: false
+serviceAccount:
+  create: false
+  name: datadog-operator-e2e-controller-manager
+`),
 	}
 
 	provisionerOptions := []provisioners.KubernetesProvisionerOption{
