Add health probe, SA, and APM mappingProcessors

[fanny-jiang]

What does this PR do?

Adds new mapping processors for the yaml-mapper:

• mapHealthPortWithProbes: Maps custom *.healthPort (if configured properly, otherwise skips mapping)
• mapTraceAgentLivenessProbe: Maps trace-agent liveness probe with tcpSocket.port (if configured properly)
• mapServiceAccountName: Maps serviceAccountName only when rbac.create: false
• mapApmPortToContainerPort: Maps traceAgent hostPort to containerPort

Also:

• Updates mapSecretKeyName to always skip mapping if no value provided
• Adds normalizeToInt helper for port normalization
• Minor cleanup in mapOverrideType

Motivation

Previously, the yaml-mapper was mapping each helm field directly without additional processing. This resulted in DDA CRs that when applied, caused pod restarts and failing health checks. The new mapping processors handle each source helm field in the same manner as the datadog chart by mapping or adding the relevant specs to the DDA CR.

• mapHealthPortWithProbes: fixes failing health checks in the agent, DCA, and CCR
• mapTraceAgentLivenessProbe: fixes failing health check in the trace-agent container
• mapServiceAccountName: fixes missing DCA serviceAccount and failure in the DCA to detect cluster name
• mapApmPortToContainerPort: fixes edge case where a user specifies a custom APM hostPort and containerPort is not updated to match

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

• Agent: vX.Y.Z
• Cluster Agent: vX.Y.Z

Describe your test plan

1. Build mapper binary: make kubectl-datadog
2. Migrate helm values.yaml to DDA:

bin/kubectl-datadog helm2dda --sourcePath <values.yaml>  --mappingPath "cmd/yaml-mapper/mapper/mapping_datadog_helm_to_datadogagent_crd.yaml" -d dda.yaml

Smoke test

1. Migrate a minimal values.yaml and apply the resulting dda.yaml onto a kind cluster running the operator.
2. Validate that pods become healthy and there are no restarts

Testing the mappingProcessors

1) Configured healthPort maps to probes properly:

1a) All probes that match healthPort → should map

Example values.yaml:

datadog:
  apiKeyExistingSecret: datadog-secret 
  appKeyExistingSecret: datadog-secret
  kubelet:
    tlsVerify: false

clusterAgent:
  healthPort: 8888
  livenessProbe:
    initialDelaySeconds: 20   # default: 10
    httpGet:
      port: 8888
  readinessProbe:
    httpGet:
      port: 8888
  startupProbe:
    httpGet:
      port: 8888

agents:
  containers:
    agent:
      healthPort: 8889
      livenessProbe:
        httpGet:
          port: 8889
      readinessProbe:
        httpGet:
          port: 8889
      startupProbe:
        httpGet:
          port: 8889

clusterChecksRunner:
  enabled: true
  healthPort: 8887
  livenessProbe:
    httpGet:
      port: 8887
  readinessProbe:
    httpGet:
      port: 8887
  startupProbe:
    httpGet:
      port: 8887

Checklist:

• Run mapper and apply resulting DDA
• Verify that all daemonset/deployments have the appropriate DD_HEALTH_PORT env var and their probe httpGet.ports have the correct value
• Verify all pods are healthy (no restarts)

1b) Partial probes or mismatch → should NOT map

• Change 1 or more of the probes to use a port that does not match healthPort in the values.yaml

Checklist:

• Run mapper and apply resulting DDA
• Verify that resulting DDA does NOT have healthPort or probe port overrides
• Operator should set default health port and probe port (5555) on pods

2) Trace Agent Liveness Probe
2a) No livenessProbe set → operator sets defaults

• Verify DDA has no trace-agent livenessProbe container override
• Verify trace-agent container has default livenessProbe set (tcpSocket.port: 8126)

2b) Operator updates livenessProbe to use custom set APM port

datadog:
  apiKeyExistingSecret: datadog-secret 
  appKeyExistingSecret: datadog-secret
  kubelet:
    tlsVerify: false
  
  apm:
    port: 9000

Checklist:

• Run mapper with updated values.yaml and verify DDA has trace-agent does NOT have livenessProbe overrides
• Apply the resulting DDA and verify trace-agent pod is healthy

2c) Mapper sets livenessProbe override with using custom set APM port

datadog:
  apiKeyExistingSecret: datadog-secret 
  appKeyExistingSecret: datadog-secret
  kubelet:
    tlsVerify: false
  
  apm:
    port: 9000
  
  agents:
    containers:
      traceAgent:
        livenessProbe:
          initialDelaySeconds: 20

Checklist:

• Run mapper with updated values.yaml and verify DDA has trace-agent container livenessProbe overrides: tcpSocket.port: 9000 and initialDelaySeconds: 20
• Apply the resulting DDA and verify trace-agent pod is healthy

3) Service Account Name
3a) rbac.create not set → should NOT map serviceAccountName

• Verify DDA has no serviceAccountName override

3b) rbac.create: false → should map

Checklist:

• Create custom SA: kubectl create sa my-cluster-agent-sa
• Verify DDA has spec.override.clusterAgent.serviceAccountName: my-cluster-agent-sa
• Verify cluster-agent deployment uses my-cluster-agent-sa
• Verify cluster-agent can still detect cluster name

4) Cluster Token Secret Key Mapping

• Create custom k8s secret with a token key: kubectl create secret generic my-custom-dca-token --from-literal token=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

4a) Existing secret set → should map and set appropriate secret key

datadog:
  apiKeyExistingSecret: datadog-secret 
  appKeyExistingSecret: datadog-secret
  kubelet:
    tlsVerify: false
  
clusterAgent:  
  tokenExistingSecret: my-custom-token
  # token: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

• Verify DDA has clusterAgentTokenSecret.secretName: my-custom-token

4b) Empty/not set → should NOT map

• With no tokenExistingSecret, verify DDA has no clusterAgentTokenSecret override
• Operator generates its own token

4c) Token is set → should map

• Resulting DDA is populated with provided token
• Operator generates k8s secret using the provided token

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 49.70760% with 86 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.33%. Comparing base (c16f392) to head (74f35ef).

Files with missing lines	Patch %	Lines
cmd/yaml-mapper/mapper/map_processors.go	54.54%	55 Missing and 15 partials ⚠️
cmd/yaml-mapper/utils/utils.go	0.00%	15 Missing ⚠️
cmd/yaml-mapper/mapper/mapper.go	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2460      +/-   ##
==========================================
+ Coverage   37.30%   37.33%   +0.03%     
==========================================
  Files         290      290              
  Lines       24699    24837     +138     
==========================================
+ Hits         9213     9274      +61     
- Misses      14773    14840      +67     
- Partials      713      723      +10     

Flag	Coverage Δ
unittests	37.33% <49.70%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
cmd/yaml-mapper/mapper/mapper.go	50.50% <50.00%> (ø)
cmd/yaml-mapper/utils/utils.go	0.00% <0.00%> (ø)
cmd/yaml-mapper/mapper/map_processors.go	64.59% <54.54%> (-12.23%)	⬇️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c16f392...74f35ef. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.