
@dd-gplassard dd-gplassard commented Jan 23, 2026

What does this PR do?

Add a deployment option for the Private Action Runner container on the node agent.

Motivation

We want to provide node agent deployment capabilities for the private action runner.

Additional Notes

We're only targeting the node agent in this PR, but there will be a clusterAgent PR in the future (hence the wrapping of the settings).

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: v7.77.0

The PAR in the agent is available in 7.76.0, but it needs a few changes that will be available in 7.77.0 to work properly.

Describe your test plan

Built the datadog operator locally and deployed it to a docker-desktop cluster with this configuration:

```yaml
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  global:
    clusterName: gplassard-docker-desktop
    site: datad0g.com
    credentials:
      apiSecret:
        secretName: datadog-secret
        keyName: api-key
      appSecret:
        secretName: datadog-secret
        keyName: app-key
    kubelet:
      tlsVerify: false
  override:
    agent:
      image:
        name: gcr.io/datadoghq/cluster-agent:7.73.3
        pullPolicy: IfNotPresent
    nodeAgent:
      image:
        name: <local_image_of_agent_with_fixes>
        pullPolicy: Always
    clusterAgent:
      image:
        name: gcr.io/datadoghq/cluster-agent:7.73.3
        pullPolicy: IfNotPresent
  features:
    logCollection:
      enabled: true
      containerCollectAll: true
    liveContainerCollection:
      enabled: true
    privateActionRunner:
      enabled: true
      nodeAgent:
        selfEnroll: true
        actionsAllowlist:
          - "com.datadoghq.script.testConnection"
          - "com.datadoghq.script.enrichScript"
          - "com.datadoghq.script.runPredefinedScript"
          - "com.datadoghq.kubernetes.core.listPod"
          - "com.datadoghq.kubernetes.core.testConnection"
```

I verified that it deployed and worked correctly.

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)
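The defaulting rule documented in the review below (nodeAgent.enabled is true only when the parent switch is on) and an exact-match check against the `actionsAllowlist` from the test-plan spec, as an added Go example that is not the operator's own code: the type and field names mirror the documented keys but are assumptions, as is the rule that an empty allowlist permits nothing.

```go
package main

import "fmt"

// Hypothetical types mirroring the documented features.privateActionRunner keys (not the
// operator's own Go types). Nil pointers model keys omitted from the YAML spec.
type NodeAgentRunnerConfig struct {
	Enabled          *bool    // nodeAgent.enabled, default: true when the parent is on
	ActionsAllowlist []string // nodeAgent.actionsAllowlist
}

type PrivateActionRunnerConfig struct {
	Enabled   *bool // features.privateActionRunner.enabled, default: false
	NodeAgent *NodeAgentRunnerConfig
}

// NodeAgentRunnerEnabled applies the documented defaulting: the parent switch is
// off unless set, and nodeAgent.enabled defaults to true only once the parent is on.
func NodeAgentRunnerEnabled(f *PrivateActionRunnerConfig) bool {
	if f == nil || f.Enabled == nil || !*f.Enabled {
		return false
	}
	if f.NodeAgent == nil || f.NodeAgent.Enabled == nil {
		return true
	}
	return *f.NodeAgent.Enabled
}

// ActionPermitted is an exact-match check against the allowlist. Assumption: an
// empty allowlist permits nothing, and no prefix or wildcard matching is done.
func ActionPermitted(f *PrivateActionRunnerConfig, action string) bool {
	if !NodeAgentRunnerEnabled(f) || f.NodeAgent == nil {
		return false
	}
	for _, allowed := range f.NodeAgent.ActionsAllowlist {
		if allowed == action {
			return true
		}
	}
	return false
}

func main() {
	on := true // constructed from the test-plan spec above; "listPods" is a constructed near-miss
	cfg := &PrivateActionRunnerConfig{Enabled: &on, NodeAgent: &NodeAgentRunnerConfig{
		ActionsAllowlist: []string{"com.datadoghq.kubernetes.core.listPod"}}}
	for _, a := range []string{"com.datadoghq.kubernetes.core.listPod", "com.datadoghq.kubernetes.core.listPods"} {
		fmt.Printf("%s permitted=%v\n", a, ActionPermitted(cfg, a))
	}
}
```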

codecov-commenter commented Jan 23, 2026

Codecov Report

❌ Patch coverage is 74.13793% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.97%. Comparing base (c5cf124) to head (8c9b7f4).
⚠️ Report is 11 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/testutils/builder.go | 0.00% | 26 Missing ⚠️ |
| ...atadogagent/feature/privateactionrunner/feature.go | 93.93% | 2 Missing and 2 partials ⚠️ |
Additional details and impacted files


@@            Coverage Diff             @@
##             main    #2516      +/-   ##
==========================================
+ Coverage   37.91%   37.97%   +0.06%     
==========================================
  Files         303      304       +1     
  Lines       25962    26559     +597     
==========================================
+ Hits         9843    10086     +243     
- Misses      15376    15717     +341     
- Partials      743      756      +13     
| Flag | Coverage Δ |
|---|---|
| unittests | 37.97% <74.13%> (+0.06%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
|---|---|
| ...controller/datadogagent/component/agent/default.go | 44.65% <100.00%> (+8.29%) ⬆️ |
| internal/controller/datadogagent/controller.go | 53.57% <ø> (ø) |
| ...ontroller/datadogagent/override/podtemplatespec.go | 77.55% <100.00%> (+0.15%) ⬆️ |
| ...atadogagent/feature/privateactionrunner/feature.go | 93.93% <93.93%> (ø) |
| pkg/testutils/builder.go | 0.00% <0.00%> (ø) |

... and 8 files with indirect coverage changes


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data


@dd-gplassard dd-gplassard added the enhancement New feature or request label Jan 28, 2026
@dd-gplassard dd-gplassard added this to the v1.23.0 milestone Jan 28, 2026
@dd-gplassard dd-gplassard marked this pull request as ready for review January 28, 2026 18:41
@dd-gplassard dd-gplassard requested review from a team as code owners January 28, 2026 18:41
@maycmlee maycmlee self-assigned this Jan 28, 2026

@maycmlee maycmlee left a comment


Some suggestions and a question

| features.otlp.receiver.protocols.http.endpoint | For OTLP/HTTP. Default: '0.0.0.0:4318'. |
| features.otlp.receiver.protocols.http.hostPortConfig.enabled | Enables host port configuration |
| features.otlp.receiver.protocols.http.hostPortConfig.hostPort | Port takes a port number (0 < x < 65536) to expose on the host. (Most containers do not need this.) If HostNetwork is enabled, this value must match the ContainerPort. |
| features.privateActionRunner.enabled | Is the main switch for Private Action Runner feature. Default: false |

Suggested change
| features.privateActionRunner.enabled | Is the main switch for Private Action Runner feature. Default: false |
| features.privateActionRunner.enabled | Enables Private Action Runner. Default: false |

| features.privateActionRunner.enabled | Is the main switch for Private Action Runner feature. Default: false |
| features.privateActionRunner.nodeAgent.actionsAllowlist | ActionsAllowlist specifies the list of actions that are allowed to be executed. |
| features.privateActionRunner.nodeAgent.enabled | Enables Private Action Runner on the Node Agent. Default: true (when parent Enabled is true) |
| features.privateActionRunner.nodeAgent.selfEnroll | SelfEnroll enables automatic self-enrollment for the node-level runner. |

Suggested change
| features.privateActionRunner.nodeAgent.selfEnroll | SelfEnroll enables automatic self-enrollment for the node-level runner. |
| features.privateActionRunner.nodeAgent.selfEnroll | Enables automatic self-enrollment for the node-level runner. |

| features.otlp.receiver.protocols.http.hostPortConfig.enabled | Enables host port configuration |
| features.otlp.receiver.protocols.http.hostPortConfig.hostPort | Port takes a port number (0 < x < 65536) to expose on the host. (Most containers do not need this.) If HostNetwork is enabled, this value must match the ContainerPort. |
| features.privateActionRunner.enabled | Is the main switch for Private Action Runner feature. Default: false |
| features.privateActionRunner.nodeAgent.actionsAllowlist | ActionsAllowlist specifies the list of actions that are allowed to be executed. |

Suggested change
| features.privateActionRunner.nodeAgent.actionsAllowlist | ActionsAllowlist specifies the list of actions that are allowed to be executed. |
| features.privateActionRunner.nodeAgent.actionsAllowlist | Specifies the list of actions that are allowed to be executed. |

| features.otlp.receiver.protocols.http.hostPortConfig.hostPort | Port takes a port number (0 < x < 65536) to expose on the host. (Most containers do not need this.) If HostNetwork is enabled, this value must match the ContainerPort. |
| features.privateActionRunner.enabled | Is the main switch for Private Action Runner feature. Default: false |
| features.privateActionRunner.nodeAgent.actionsAllowlist | ActionsAllowlist specifies the list of actions that are allowed to be executed. |
| features.privateActionRunner.nodeAgent.enabled | Enables Private Action Runner on the Node Agent. Default: true (when parent Enabled is true) |

What's the parent?

Suggested change
| features.privateActionRunner.nodeAgent.enabled | Enables Private Action Runner on the Node Agent. Default: true (when parent Enabled is true) |
| features.privateActionRunner.nodeAgent.enabled | Enables Private Action Runner on the node Agent. Default: true (when parent Enabled is true) |
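Review bot: the suggested line keeps the phrase "(when parent Enabled is true)" that the question just above asks about; since the parent here is the `features.privateActionRunner.enabled` switch documented a few rows earlier, naming it, e.g. "Default: true when features.privateActionRunner.enabled is true", would resolve the question in the same edit.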

: OTLP ingest configuration See [link](https://docs.datadoghq.com/opentelemetry/setup/otlp_ingest_in_the_agent/?tab=kubernetesoperator) for more information.

`features.privateActionRunner.enabled`
: Is the main switch for Private Action Runner feature. Default: false

Suggested change
: Is the main switch for Private Action Runner feature. Default: false
: Enables Private Action Runner. Default: false

Comment on lines +349 to +355
: ActionsAllowlist specifies the list of actions that are allowed to be executed.

`features.privateActionRunner.nodeAgent.enabled`
: Enables Private Action Runner on the Node Agent. Default: true (when parent Enabled is true)

`features.privateActionRunner.nodeAgent.selfEnroll`
: SelfEnroll enables automatic self-enrollment for the node-level runner.

Same question, what's the parent?

Suggested change
: ActionsAllowlist specifies the list of actions that are allowed to be executed.
`features.privateActionRunner.nodeAgent.enabled`
: Enables Private Action Runner on the Node Agent. Default: true (when parent Enabled is true)
`features.privateActionRunner.nodeAgent.selfEnroll`
: SelfEnroll enables automatic self-enrollment for the node-level runner.
: Specifies the list of actions that are allowed to be executed.
`features.privateActionRunner.nodeAgent.enabled`
: Enables Private Action Runner on the node Agent. Default: true (when parent Enabled is true)
`features.privateActionRunner.nodeAgent.selfEnroll`
: Wnables automatic self-enrollment for the node-level runner.
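Review bot: "Wnables" in the last suggested line is a typo for "Enables"; the same sentence is suggested correctly for the table row earlier in this review (": Enables automatic self-enrollment for the node-level runner."). The "(when parent Enabled is true)" wording is also carried over unchanged here; naming the key `features.privateActionRunner.enabled` would answer the "what's the parent?" question in place.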
