Remove RBAC grants when App & API Protection is not enabled

Author: drcapulet

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.162.1
+
+* Remove RBAC grants when App & API Protection is not enabled.
+
 ## 3.162.0
 
 * Add injectionMode option for APM instrumentation ([#2308](https://github.com/DataDog/helm-charts/pull/2308)).
@@ -15,9 +19,9 @@
 ## 3.161.0
 
 * Update Datadog Operator dependency to 2.17.0 for image tag 1.22.0.
-  
+
   Datadog Operator chart v2.17.0 [release notes](https://github.com/DataDog/helm-charts/releases/tag/datadog-operator-2.17.0).
-  
+
   Datadog Operator v1.22.0 [release notes](https://github.com/DataDog/datadog-operator/releases/tag/v1.22.0).
 
 ## 3.160.4

charts/datadog/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.162.0
+version: 3.162.1
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.162.0](https://img.shields.io/badge/Version-3.162.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.162.1](https://img.shields.io/badge/Version-3.162.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 > [!WARNING]
 > The Datadog Operator is now enabled by default since version [3.157.0](https://github.com/DataDog/helm-charts/blob/main/charts/datadog/CHANGELOG.md#31570) to collect chart metadata for display in [Fleet Automation](https://docs.datadoghq.com/agent/fleet_automation/). We are aware of issues affecting some environments and are actively working on fixes. We apologize for the inconvenience and appreciate your patience while we address these issues.

charts/datadog/templates/cluster-agent-rbac.yaml

@@ -392,6 +392,7 @@ rules:
   - get
 {{- include "orchestratorExplorer-config-crs" . }}
 {{- end }}
+{{- if .Values.datadog.appsec.injector.enabled }}
 # Used by datadog.appsec.injector feature
 - apiGroups:
     - "gateway.networking.k8s.io"
@@ -428,6 +429,7 @@ rules:
     - get
     - create
     - delete
+{{- end }}
 ---
 apiVersion: {{ template "rbac.apiVersion" . }}
 kind: ClusterRoleBinding

test/datadog/baseline/manifests/adp_enabled.yaml

@@ -884,41 +884,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/agent-clusterchecks-deployment_default.yaml

@@ -901,41 +901,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/agent-workload_exclude.yaml

@@ -884,41 +884,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/cluster-agent-deployment_default.yaml

@@ -897,41 +897,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/cluster-agent-deployment_default_advanced_AC_injection.yaml

@@ -897,41 +897,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/cluster-agent-deployment_default_minimal_AC_injection.yaml

@@ -897,41 +897,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole