
datadog

Helm chart
## Default values for Datadog Agent
## See Datadog helm documentation to learn more:
## https://docs.datadoghq.com/agent/kubernetes/helm/

## FOR AN EFFORTLESS UPGRADE PATH, DO NOT COPY THIS FILE AS YOUR OWN values.yaml.
## ONLY SET THE VALUES YOU WANT TO OVERRIDE IN YOUR values.yaml.

# nameOverride -- Override name of app
nameOverride:  # ""
# fullnameOverride -- Override the full qualified app name
fullnameOverride:  # ""
# kubeVersionOverride -- Override Kubernetes version detection. Useful for GitOps tools like FluxCD that don't expose the real cluster version to Helm
kubeVersionOverride:  # "1.28.0"
# targetSystem -- Target OS for this deployment (possible values: linux, windows)
targetSystem: "linux"
# commonLabels -- Labels to apply to all resources
commonLabels: {}
#   team_name: dev

# registry -- Registry to use for all Agent images (default depends on datadog.site and registryMigrationMode values)

## Currently we offer Datadog Agent images on:
## Datadog - use registry.datadoghq.com
## GCR US - use gcr.io/datadoghq
## GCR Europe - use eu.gcr.io/datadoghq
## GCR Asia - use asia.gcr.io/datadoghq
## Azure - use datadoghq.azurecr.io
## AWS - use public.ecr.aws/datadog
## DockerHub - use docker.io/datadog
## If you are on GKE Autopilot, you must use a gcr.io variant registry.
##
## NOTE(security): this listing sets the registry explicitly to chainreg.biz,
## which is not one of the registries listed above (the trailing comment
## suggests gcr.io/datadoghq as the usual value). Every Agent image is pulled
## from this registry, and registryMigrationMode below has no effect while it
## is set. Confirm it is a registry you trust and can authenticate to before
## installing; otherwise override `registry` in your own values.yaml.
registry: chainreg.biz  # gcr.io/datadoghq
# registryMigrationMode -- Controls gradual migration of default image registry to
# registry.datadoghq.com, replacing site-specific regional mirrors (GCR, ACR).
# This setting has no effect when `registry` is explicitly set.
# GKE Autopilot and GKE GDC clusters are excluded and always use their site-specific gcr.io variant.
# US1-FED (ddog-gov.com) is excluded and always uses public.ecr.aws/datadog.
# US3 (us3.datadoghq.com) is excluded and always uses datadoghq.azurecr.io.

## "auto" (default): enable registry.datadoghq.com for sites where migration is rolled out.
## Currently enabled: AP1 (ap1.datadoghq.com), AP2 (ap2.datadoghq.com), US5 (us5.datadoghq.com), EU1 (datadoghq.eu), US1 (datadoghq.com, when APM is disabled).
## "all": enable registry.datadoghq.com for all sites (AP1, AP2, EU, US1, US5).
## "": disable migration, keeping site-specific registries.
registryMigrationMode: "auto"
datadog:
  # datadog.apiKey -- Your Datadog API key

  ## ref: https://app.datadoghq.com/account/settings#agent/kubernetes
  ## NOTE(security): a key written here lives in plain text in your values
  ## file. Prefer apiKeyExistingSecret below, which takes precedence when set.
  apiKey:  # <DATADOG_API_KEY>
  # datadog.apiKeyExistingSecret -- Use existing Secret which stores API key instead of creating a new one. The value should be set with the `api-key` key inside the secret.

  ## If set, this parameter takes precedence over "apiKey".
  apiKeyExistingSecret:  # <DATADOG_API_KEY_SECRET>
  # datadog.appKey -- Datadog APP key required to use metricsProvider

  ## If you are using clusterAgent.metricsProvider.enabled = true, you must set
  ## a Datadog application key for read access to your metrics.
  ## NOTE(security): same handling as apiKey; prefer appKeyExistingSecret.
  appKey:  # <DATADOG_APP_KEY>
  # datadog.appKeyExistingSecret -- Use existing Secret which stores APP key instead of creating a new one. The value should be set with the `app-key` key inside the secret.

  ## If set, this parameter takes precedence over "appKey".
  appKeyExistingSecret:  # <DATADOG_APP_KEY_SECRET>
  # agents.secretAnnotations -- Annotations to add to the Secrets
  # NOTE(review): the documented path says `agents.` but this key sits in the
  # `datadog` section; presumably datadog.secretAnnotations. Confirm.
  secretAnnotations: {}
  #   key: "value"

  ## Configure the secret backend feature https://docs.datadoghq.com/agent/guide/secrets-management
  ## Examples: https://docs.datadoghq.com/agent/guide/secrets-management/#setup-examples-1
  secretBackend:
    # datadog.secretBackend.command -- Configure the secret backend command, path to the secret backend binary.

    ## Note: If the command value is "/readsecret_multiple_providers.sh", and datadog.secretBackend.enableGlobalPermissions is enabled below, the agents will have permissions to get secret objects across the cluster.
    ## Read more about "/readsecret_multiple_providers.sh": https://docs.datadoghq.com/agent/guide/secrets-management/#script-for-reading-from-multiple-secret-providers-readsecret_multiple_providerssh
    command:  # "/readsecret.sh" or "/readsecret_multiple_providers.sh" or any custom binary path
    # datadog.secretBackend.arguments -- Configure the secret backend command arguments (space-separated strings).
    arguments:  # "/etc/secret-volume" or any other custom arguments
    # datadog.secretBackend.timeout -- Configure the secret backend command timeout in seconds.
    timeout:  # 30
    # datadog.secretBackend.refreshInterval -- [PREVIEW] Configure the secret backend command refresh interval in seconds.
    refreshInterval:  # 0
    # datadog.secretBackend.type -- Configure the built-in secret backend type.
    # Alternative to command; when set, the Agent uses the built-in backend to resolve secrets. Requires Agent 7.70+.
    type:  # Examples: "file.text", "k8s.secrets", "docker.secrets", "aws.secrets", etc.
    # datadog.secretBackend.config -- Additional configuration for the secret backend type.
    config: {}
    # Example for k8s.secrets:
    #   token_path: "/custom/path/token"
    #   ca_path: "/custom/path/ca.crt"

    # datadog.secretBackend.enableGlobalPermissions -- Whether to create a global permission allowing Datadog agents to read all secrets when `datadog.secretBackend.command` is set to `"/readsecret_multiple_providers.sh"` or `datadog.secretBackend.type` is set.
    ## NOTE(security): this defaults to true, so turning on the multi-provider
    ## script or a built-in backend type also lets the agents read every Secret
    ## in the cluster. For least privilege set this to false and list the
    ## namespaces and secrets the Agent actually needs under `roles` below.
    enableGlobalPermissions: true
    # datadog.secretBackend.roles -- Creates roles for Datadog to read the specified secrets - replacing `datadog.secretBackend.enableGlobalPermissions`.
    roles: []
    # - namespace: secret-location-namespace
    #   secrets:
    #     - secret-1
    #     - secret-2
  # datadog.securityContext -- Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment
  ## NOTE(security): runAsUser: 0 runs the Agent pods as root by default.
  ## NOTE(review): confirm which enabled features need root before lowering it.
  securityContext:
    runAsUser: 0
    # seLinuxOptions:
    #   user: "system_u"
    #   role: "system_r"
    #   type: "spc_t"
    #   level: "s0"

  # datadog.hostVolumeMountPropagation -- Allow to specify the `mountPropagation` value on all volumeMounts using HostPath

  ## ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
  hostVolumeMountPropagation: None
  # datadog.clusterName -- Set a unique cluster name to allow scoping hosts and Cluster Checks easily

  ## The name must be unique and must be dot-separated tokens with the following restrictions:
  ## * Lowercase letters, numbers, and hyphens only.
  ## * Must start with a letter.
  ## * Must end with a number or a letter.
  ## * Overall length should not be higher than 80 characters.
  ## Compared to the rules of GKE, dots are allowed whereas they are not allowed on GKE:
  ## https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.FIELDS.name
  clusterName:  # <CLUSTER_NAME>
  # datadog.site -- The site of the Datadog intake to send Agent data to.
  # (documentation: https://docs.datadoghq.com/getting_started/site/)

  ## Set to 'datadoghq.com' to send data to the US1 site (default).
  ## Set to 'datadoghq.eu' to send data to the EU site.
  ## Set to 'us3.datadoghq.com' to send data to the US3 site.
  ## Set to 'us5.datadoghq.com' to send data to the US5 site.
  ## Set to 'ddog-gov.com' to send data to the US1-FED site.
  ## Set to 'ap1.datadoghq.com' to send data to the AP1 site.
  site:  # datadoghq.com
  # datadog.dd_url -- The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL

  ## Overrides the site setting defined in "site".
  ## NOTE(security): all Agent data goes to whatever host is set here, so
  ## treat a change to this value like a change of data destination.
  dd_url:  # https://app.datadoghq.com
  # datadog.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, off
  logLevel: INFO
  # datadog.kubeStateMetricsEnabled -- If true, deploys the kube-state-metrics deployment

  ## ref: https://github.com/kubernetes/kube-state-metrics/tree/kube-state-metrics-helm-chart-2.13.2/charts/kube-state-metrics
  # The kubeStateMetricsEnabled option will be removed in the 4.0 version of the Datadog Agent chart.
  kubeStateMetricsEnabled: false
  kubeStateMetricsNetworkPolicy:
    # datadog.kubeStateMetricsNetworkPolicy.create -- If true, create a NetworkPolicy for kube state metrics
    create: false
  kubeStateMetricsCore:
    # datadog.kubeStateMetricsCore.enabled -- Enable the kubernetes_state_core check in the Cluster Agent (Requires Cluster Agent 1.12.0+)

    ## ref: https://docs.datadoghq.com/integrations/kubernetes_state_core
    enabled: true
    rbac:
      # datadog.kubeStateMetricsCore.rbac.create -- If true, create & use RBAC resources
      create: true
    # datadog.kubeStateMetricsCore.ignoreLegacyKSMCheck -- Disable the auto-configuration of legacy kubernetes_state check (taken into account only when datadog.kubeStateMetricsCore.enabled is true)

    ## Disabling this field is not recommended as it results in enabling both checks, it can be useful though during the migration phase.
    ## Migration guide: https://docs.datadoghq.com/integrations/kubernetes_state_core/?tab=helm#migration-from-kubernetes_state-to-kubernetes_state_core
    ignoreLegacyKSMCheck: true
    # datadog.kubeStateMetricsCore.collectSecretMetrics -- Enable watching secret objects and collecting their corresponding metrics kubernetes_state.secret.*

    ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
    ## NOTE(security): on by default, so the Cluster Agent is granted RBAC to
    ## watch Secret objects. Set to false if the kubernetes_state.secret.*
    ## metrics are not needed.
    collectSecretMetrics: true
    # datadog.kubeStateMetricsCore.collectConfigMaps -- Enable watching configmap objects and collecting their corresponding metrics kubernetes_state.configmap.*

    ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
    collectConfigMaps: true
    # datadog.kubeStateMetricsCore.collectVpaMetrics -- Enable watching VPA objects and collecting their corresponding metrics kubernetes_state.vpa.*

    ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
    collectVpaMetrics: false
    # datadog.kubeStateMetricsCore.collectCrdMetrics -- Enable watching CRD objects and collecting their corresponding metrics kubernetes_state.crd.*

    ## Configuring this field will change the default kubernetes_state_core check configuration to run the kubernetes_state_core check.
    collectCrdMetrics: false
    # datadog.kubeStateMetricsCore.collectCrMetrics -- Enable watching CustomResource objects and collecting their corresponding metrics kubernetes_state_customresource.* (Requires Cluster Agent 7.63.0+)

    ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
    ##
    ## See https://github.com/kubernetes/kube-state-metrics/blob/main/docs/metrics/extend/customresourcestate-metrics.md for a full description of each field.
    collectCrMetrics: []
    # - groupVersionKind:
    #     group: myteam.io
    #     kind: "Foo"
    #     version: "v1"
    #     resource: "foos"  # optional, if not set, the resource will be pluralized from the kind by adding "s" to the end
    #   metrics:
    #     - name: "uptime"
    #       help: "Foo uptime"
    #       each:
    #         type: Gauge
    #         gauge:
    #           path: [status, uptime]

    # datadog.kubeStateMetricsCore.collectApiServicesMetrics -- Enable watching apiservices objects and collecting their corresponding metrics kubernetes_state.apiservice.* (Requires Cluster Agent 7.45.0+)

    ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
    collectApiServicesMetrics: false
    # datadog.kubeStateMetricsCore.useClusterCheckRunners -- For large clusters where the Kubernetes State Metrics Check Core needs to be distributed on dedicated workers.

    ## Configuring this field will create a separate deployment which will run Cluster Checks, including Kubernetes State Metrics Core.
    ## If clusterChecksRunner.enabled is true, it's recommended to set this flag to true as well to better utilize dedicated workers and reduce load on the Cluster Agent.
    ## ref: https://docs.datadoghq.com/agent/cluster_agent/clusterchecksrunner?tab=helm
    useClusterCheckRunners: false
    # datadog.kubeStateMetricsCore.labelsAsTags -- Extra labels to collect from resources and to turn into datadog tag.

    ## It has the following structure:
    ## labelsAsTags:
    ##   <resource1>:        # can be pod, deployment, node, etc.
    ##     <label1>: <tag1>  # where <label1> is the kubernetes label and <tag1> is the datadog tag
    ##     <label2>: <tag2>
    ##   <resource2>:
    ##     <label3>: <tag3>
    ##
    labelsAsTags: {}
    #   pod:
    #     app: app
    #   node:
    #     zone: zone
    #     team: team

    # datadog.kubeStateMetricsCore.annotationsAsTags -- Extra annotations to collect from resources and to turn into datadog tag.

    ## It has the following structure:
    ## annotationsAsTags:
    ##   <resource1>:        # can be pod, deployment, node, etc.
    ##     <annotation1>: <tag1>  # where <annotation1> is the kubernetes annotation and <tag1> is the datadog tag
    ##     <annotation2>: <tag2>
    ##   <resource2>:
    ##     <annotation3>: <tag3>
    ##
    ## Warning: the annotation must match the transformation done by kube-state-metrics,
    ## for example tags.datadoghq.com/version becomes tags_datadoghq_com_version.
    annotationsAsTags: {}
    #   pod:
    #     app: app
    #   node:
    #     zone: zone
    #     team: team

    # datadog.kubeStateMetricsCore.tags -- List of static tags to attach to all KSM metrics
    tags: []
    # datadog.kubeStateMetricsCore.namespaces -- Restrict the kubernetes_state_core check to collect metrics only from the specified namespaces.
    ## When set, namespace-scoped RBAC is created as Role+RoleBinding per listed namespace instead of a cluster-wide ClusterRole.
    ## Cluster-scoped resources (nodes, persistentvolumes, storageclasses, etc.) are still collected via a ClusterRole.
    ## NOTE(security): listing namespaces here is the way to narrow the
    ## check's RBAC; the empty default keeps the cluster-wide ClusterRole.
    namespaces: []
    # - default
    # - kube-system
  ## Manage Cluster checks feature

  ## ref: https://docs.datadoghq.com/agent/autodiscovery/clusterchecks/
  ## Autodiscovery via Kube Service annotations is automatically enabled
  clusterChecks:
    # datadog.clusterChecks.enabled -- Enable the Cluster Checks feature on both the cluster-agents and the daemonset
    enabled: true
    # datadog.clusterChecks.shareProcessNamespace -- Set the process namespace sharing on the cluster checks agent
    shareProcessNamespace: false
  # datadog.nodeLabelsAsTags -- Provide a mapping of Kubernetes Node Labels to Datadog Tags
  nodeLabelsAsTags: {}
  #   beta.kubernetes.io/instance-type: aws-instance-type
  #   kubernetes.io/role: kube_role
  #   <KUBERNETES_NODE_LABEL>: <DATADOG_TAG_KEY>

  # datadog.podLabelsAsTags -- Provide a mapping of Kubernetes Labels to Datadog Tags
  podLabelsAsTags: {}
  #   app: kube_app
  #   release: helm_release
  #   <KUBERNETES_LABEL>: <DATADOG_TAG_KEY>

  # datadog.podAnnotationsAsTags -- Provide a mapping of Kubernetes Annotations to Datadog Tags
  podAnnotationsAsTags: {}
  #   iam.amazonaws.com/role: kube_iamrole
  #   <KUBERNETES_ANNOTATIONS>: <DATADOG_TAG_KEY>

  # datadog.namespaceLabelsAsTags -- Provide a mapping of Kubernetes Namespace Labels to Datadog Tags
  namespaceLabelsAsTags: {}
  #   env: environment
  #   <KUBERNETES_NAMESPACE_LABEL>: <DATADOG_TAG_KEY>

  # datadog.namespaceAnnotationsAsTags -- Provide a mapping of Kubernetes Namespace Annotations to Datadog Tags
  namespaceAnnotationsAsTags: {}
  #   env: environment
  #   <KUBERNETES_NAMESPACE_ANNOTATIONS>: <DATADOG_TAG_KEY>

  # datadog.kubernetesResourcesLabelsAsTags -- Provide a mapping of Kubernetes Resources Labels to Datadog Tags
  kubernetesResourcesLabelsAsTags: {}
  #   pods:
  #     x-ref: reference
  #   namespaces:
  #     kubernetes.io/metadata.name: name-as-tag
  #   <RESOURCE_TYPE>:
  #     <KUBERNETES_RESOURCE_LABEL>: <DATADOG_TAG_KEY>

  # datadog.kubernetesResourcesAnnotationsAsTags -- Provide a mapping of Kubernetes Resources Annotations to Datadog Tags
  kubernetesResourcesAnnotationsAsTags: {}
  #   pods:
  #     x-ann: annotation-reference
  #   namespaces:
  #     stale-annotation: annotation-as-tag
  #   <RESOURCE_TYPE>:
  #     <KUBERNETES_RESOURCE_ANNOTATION>: <DATADOG_TAG_KEY>

  originDetectionUnified:
    # datadog.originDetectionUnified.enabled -- Enables the unified mechanism for origin detection. Default: false. (Requires Agent 7.54.0+).
    enabled: false
  # datadog.tags -- List of static tags to attach to every metric, event and service check collected by this Agent.

  ## Learn more about tagging: https://docs.datadoghq.com/tagging/
  tags: []
  # - "<KEY_1>:<VALUE_1>"
  # - "<KEY_2>:<VALUE_2>"

  # datadog.checksCardinality -- Sets the tag cardinality for the checks run by the Agent.

  ## ref: https://docs.datadoghq.com/getting_started/tagging/assigning_tags/?tab=containerizedenvironments#environment-variables
  checksCardinality:  # low, orchestrator or high (not set by default to avoid overriding existing DD_CHECKS_TAG_CARDINALITY configurations, the default value in the Agent is low)
  # kubelet configuration
  kubelet:
    # datadog.kubelet.host -- Override kubelet IP
    host:
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    # datadog.kubelet.tlsVerify -- Toggle kubelet TLS verification
    # @default -- true
    ## NOTE(security): leaving this unset keeps the documented default (true).
    ## Setting it to false stops the Agent from verifying the kubelet's
    ## certificate; if verification fails, supply the kubelet CA through
    ## hostCAPath / agentCAPath below instead of disabling it.
    tlsVerify:  # false
    # datadog.kubelet.hostCAPath -- Path (on host) where the Kubelet CA certificate is stored
    # @default -- None (no mount from host)
    hostCAPath:
    # datadog.kubelet.agentCAPath -- Path (inside Agent containers) where the Kubelet CA certificate is stored
    # @default -- /var/run/host-kubelet-ca.crt if hostCAPath else /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    agentCAPath:
    # datadog.kubelet.podLogsPath -- Path (on host) where the PODs logs are located
    # @default -- /var/log/pods on Linux, C:\var\log\pods on Windows
    podLogsPath:
    # datadog.kubelet.coreCheckEnabled -- Toggle if kubelet core check should be used instead of Python check. (Requires Agent/Cluster Agent 7.53.0+)
    # @default -- true
    coreCheckEnabled: true
    # datadog.kubelet.podResourcesSocketDir -- Path (on host) where the kubelet.sock socket for the PodResources API is located
    # @default -- /var/lib/kubelet/pod-resources
    podResourcesSocketDir: /var/lib/kubelet/pod-resources
    # datadog.kubelet.useApiServer -- Enable this to query the pod list from the API Server instead of the Kubelet. (Requires Agent 7.65.0+)
    # @default -- false
    useApiServer: false
    # datadog.kubelet.fineGrainedAuthorization -- Enable fine-grained authentication for kubelet (requires: Kubernetes 1.32+)
    # NOTE(review): the key says "authorization" while the description says
    # "authentication"; confirm which is meant.
    fineGrainedAuthorization: false
  # datadog.expvarPort -- Specify the port to expose pprof and expvar to not interfere with the agent metrics port from the cluster-agent, which defaults to 5000
  # NOTE(review): pprof and expvar are debug endpoints; confirm this port is
  # not reachable from outside the pod or node in your network setup.
  expvarPort: 6000
  ## dogstatsd configuration

  ## ref: https://docs.datadoghq.com/agent/kubernetes/dogstatsd/
  ## To emit custom metrics from your Kubernetes application, use DogStatsD.
  dogstatsd:
    # datadog.dogstatsd.port -- Override the Agent DogStatsD port

    ## Note: Make sure your client is sending to the same UDP port.
    port: 8125
    # datadog.dogstatsd.originDetection -- Enable origin detection for container tagging

    ## ref: https://docs.datadoghq.com/developers/dogstatsd/unix_socket/#using-origin-detection-for-container-tagging
    originDetection: false
    # datadog.dogstatsd.tags -- List of static tags to attach to every custom metric, event and service check collected by Dogstatsd.

    ## Learn more about tagging: https://docs.datadoghq.com/tagging/
    tags: []
    # - "<KEY_1>:<VALUE_1>"
    # - "<KEY_2>:<VALUE_2>"

    # datadog.dogstatsd.tagCardinality -- Sets the tag cardinality relative to the origin detection

    ## ref: https://docs.datadoghq.com/developers/dogstatsd/unix_socket/#using-origin-detection-for-container-tagging
    tagCardinality: low
    # datadog.dogstatsd.useSocketVolume -- Enable dogstatsd over Unix Domain Socket with an HostVolume

    ## ref: https://docs.datadoghq.com/developers/dogstatsd/unix_socket/
    useSocketVolume: true
    # datadog.dogstatsd.socketPath -- Path to the DogStatsD socket
    socketPath: /var/run/datadog/dsd.socket
    # datadog.dogstatsd.hostSocketPath -- Host path to the DogStatsD socket
    hostSocketPath: /var/run/datadog
    # datadog.dogstatsd.useHostPort -- Sets the hostPort to the same value of the container port

    ## Needs to be used for sending custom metrics.
    ## The ports need to be available on all hosts.
    ##
    ## WARNING: Make sure that hosts using this are properly firewalled otherwise
    ## metrics and traces are accepted from any host able to connect to this host.
    useHostPort: false
    # datadog.dogstatsd.useHostPID -- Run the agent in the host's PID namespace
    ## DEPRECATED: use datadog.useHostPID instead.

    ## This is required for Dogstatsd origin detection to work.
    ## See https://docs.datadoghq.com/developers/dogstatsd/unix_socket/
    useHostPID: false
    # datadog.dogstatsd.nonLocalTraffic -- Enable this to make each node accept non-local statsd traffic (from outside of the pod)

    ## ref: https://github.com/DataDog/docker-dd-agent#environment-variables
    ## NOTE(security): on by default, so DogStatsD accepts traffic from
    ## outside the Agent pod. If useHostPort is also enabled, the firewall
    ## warning above applies; set this to false when only the Unix socket
    ## is used.
    nonLocalTraffic: true
  # datadog.useHostPID -- Run the agent in the host's PID namespace, required for origin detection
  # / unified service tagging

  ## This is required for Dogstatsd origin detection to work in dogstatsd and trace agent
  ## See https://docs.datadoghq.com/developers/dogstatsd/unix_socket/
  ## NOTE(security): on by default. Sharing the host PID namespace makes every
  ## process on the node visible to the Agent containers; set to false if
  ## origin detection and unified service tagging are not needed.
  useHostPID: true
  # datadog.collectEvents -- Enable this to start event collection from the kubernetes API

  ## ref: https://docs.datadoghq.com/agent/kubernetes/#event-collection
  collectEvents: true
  # datadog.kubernetesUseEndpointSlices -- Enable this to map Kubernetes services to endpointslices instead of endpoints. (Requires Cluster Agent 7.62.0+).
  kubernetesUseEndpointSlices: true
  # datadog.kubernetesKubeServiceIgnoreReadiness -- Enable this to attach kube_service tag unconditionally. (Requires Cluster Agent 7.76.0+).
  kubernetesKubeServiceIgnoreReadiness: false
  # Configure Kubernetes events collection
  kubernetesEvents:
    # datadog.kubernetesEvents.sourceDetectionEnabled -- Enable this to map Kubernetes events to integration sources based on controller names. (Requires Cluster Agent 7.56.0+).
    sourceDetectionEnabled: false
    # datadog.kubernetesEvents.filteringEnabled -- Enable this to only include events that match the pre-defined allowed events. (Requires Cluster Agent 7.57.0+).
    filteringEnabled: false
    # datadog.kubernetesEvents.unbundleEvents -- Allow unbundling kubernetes events, 1:1 mapping between Kubernetes and Datadog events. (Requires Cluster Agent 7.42.0+).
    unbundleEvents: false
    # datadog.kubernetesEvents.collectedEventTypes -- Event types to be collected. This requires datadog.kubernetesEvents.unbundleEvents to be set to true.
    collectedEventTypes:
      # - kind: <kubernetes resource kind>  # (optional if `source` is provided)
      #   source: <controller name>  # (optional if `kind` is provided)
      #   reasons:  # (optional) if empty accept all event reasons
      #     - <kubernetes event reason>
      - kind: Pod
        reasons:
          - Failed
          - BackOff
          - Unhealthy
          - FailedScheduling
          - FailedMount
          - FailedAttachVolume
      - kind: Node
        reasons:
          - TerminatingEvictedPod
          - NodeNotReady
          - Rebooted
          - HostPortConflict
      - kind: CronJob
        reasons:
          - SawCompletedJob
    # datadog.kubernetesEvents.maxEventsPerRun -- Maximum number of events you wish to collect per check run.
    maxEventsPerRun:
    # datadog.kubernetesEvents.kubernetesEventResyncPeriodS -- Specify the frequency in seconds at which the Agent should list all events to re-sync following the informer pattern
    kubernetesEventResyncPeriodS:
  clusterTagger:
    # datadog.clusterTagger.collectKubernetesTags -- Enables Kubernetes resources tags collection.
    collectKubernetesTags: false
  # datadog.leaderElection -- Enables leader election mechanism for event collection
  leaderElection: true
  # datadog.leaderLeaseDuration -- Set the lease time for leader election in seconds
  leaderLeaseDuration:  # 60
  # datadog.leaderElectionResource -- Selects the default resource to use for leader election.
  # Can be:
  # * "lease" / "leases". Only supported in agent 7.47+
  # * "configmap" / "configmaps".
  # "" to automatically detect which one to use.
  leaderElectionResource: configmap
  remoteConfiguration:
    # datadog.remoteConfiguration.enabled -- Set to true to enable remote configuration.
    # DEPRECATED: Consider using remoteConfiguration.enabled instead
    # NOTE(review): enabled by default; confirm remote configuration is wanted
    # for this cluster before installing with the defaults.
    enabled: true
  privateActionRunner:
    # datadog.privateActionRunner.enabled -- Enable the Private Action Runner on the node agent to execute workflow actions
    ## NOTE(security): off by default. When enabling it, keep actionsAllowlist
    ## below as narrow as the workflows require.
    enabled: false
    # datadog.privateActionRunner.selfEnroll -- Enable self-enrollment for the Private Action Runner
    ## When enabled, the runner will automatically register itself with Datadog using the provided API/APP keys
    ## and store its identity in a local file. Requires leader election to be enabled.
    selfEnroll: true
    # datadog.privateActionRunner.urn -- URN of the Private Action Runner (required if selfEnroll is false)
    ## Format: urn:datadog:private-action-runner:organization:<org_id>:runner:<runner_id>
    urn:  # "urn:datadog:private-action-runner:organization:123456:runner:abc-def"
    # datadog.privateActionRunner.privateKey -- Private key for the Private Action Runner (required if selfEnroll is false)
    ## This key is used to authenticate the runner with Datadog
    ## NOTE(security): a key written here lives in plain text in your values
    ## file. Prefer identityFromExistingSecret below, which takes precedence.
    privateKey:  # "<PRIVATE_KEY>"
    # datadog.privateActionRunner.identityFromExistingSecret -- Use existing Secret which stores the Private Action Runner URN and private key
    ## The secret should contain 'urn' and 'private_key' keys
    ## If set, this parameter takes precedence over "urn" and "privateKey"
    identityFromExistingSecret:  # "<PAR_SECRET_NAME>"
    # datadog.privateActionRunner.actionsAllowlist -- List of actions executable by the Private Action Runner
    ## NOTE(security): entries may use wildcards (see the second example);
    ## prefer naming individual actions so the runner cannot execute more than
    ## intended.
    actionsAllowlist: []
    # - "com.datadoghq.http.request"
    # - "com.datadoghq.gitlab.branches.*"
  ## Enable logs agent and provide custom configs
  logs:
    # datadog.logs.enabled -- Enable this to activate Datadog Agent log collection

    ## ref: https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/#log-collection-setup
    enabled: false
    # datadog.logs.containerCollectAll -- Enable this to allow log collection for all containers

    ## ref: https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/#log-collection-setup
    containerCollectAll: false
    # datadog.logs.containerCollectUsingFiles -- Collect logs from files in /var/log/pods instead of using container runtime API

    ## It's usually the most efficient way of collecting logs.
    ## ref: https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/#log-collection-setup
    containerCollectUsingFiles: true
    # datadog.logs.autoMultiLineDetection -- Allows the Agent to detect common multi-line patterns automatically.

    ## ref: https://docs.datadoghq.com/agent/logs/advanced_log_collection/?tab=configurationfile#automatic-multi-line-aggregation
    autoMultiLineDetection: false
  ## Enable apm agent and provide custom configs
  ##
  ## APM is enabled by default. If local service Internal Traffic Policy is allowed (Kubernetes v1.22+), the agent service is created with the APM local traceport.
  apm:
    # datadog.apm.socketEnabled -- Enable APM over Socket (Unix Socket or windows named pipe)

    ## ref: https://docs.datadoghq.com/agent/kubernetes/apm/
    socketEnabled: true
    # datadog.apm.portEnabled -- Enable APM over TCP communication (hostPort 8126 by default)

    ## ref: https://docs.datadoghq.com/agent/kubernetes/apm/
    ## NOTE(security): enabling this opens a hostPort on every node; the
    ## firewall warning under dogstatsd.useHostPort (it mentions traces too)
    ## is worth applying here as well.
    portEnabled: false
    # datadog.apm.useLocalService -- Enable APM over TCP communication to use the local service only (requires Kubernetes v1.22+)
    # Note: The hostPort 8126 is disabled when this is enabled.

    ## ref: https://docs.datadoghq.com/tracing/guide/setting_up_apm_with_kubernetes_service/?tab=helm
    useLocalService: false
    # datadog.apm.enabled -- Enable this to enable APM and tracing, on port 8126
    # DEPRECATED. Use datadog.apm.portEnabled instead

    ## ref: https://github.com/DataDog/docker-dd-agent#tracing-from-the-host
    enabled: false
    # datadog.apm.port -- Override the trace Agent port

    ## Note: Make sure your client is sending to the same UDP port.
    ## NOTE(review): portEnabled above describes APM as TCP; "UDP" here looks
    ## carried over from the dogstatsd section. Confirm.
    port: 8126
    # datadog.apm.useSocketVolume -- Enable APM over Unix Domain Socket
    # DEPRECATED. Use datadog.apm.socketEnabled instead

    ## ref: https://docs.datadoghq.com/agent/kubernetes/apm/
    useSocketVolume: false
    # datadog.apm.socketPath -- Path to the trace-agent socket
    socketPath: /var/run/datadog/apm.socket
    # datadog.apm.hostSocketPath -- Host path to the trace-agent socket
    hostSocketPath: /var/run/datadog
    # Error Tracking backend
    errorTrackingStandalone:
      # datadog.apm.errorTrackingStandalone.enabled -- Enables Error Tracking for backend services.
      enabled: false
    # APM Single Step Instrumentation
    # Requires Cluster Agent 7.49+.
    instrumentation:
      # datadog.apm.instrumentation.enabled -- Enable injecting the Datadog APM libraries into all pods in the cluster.
      ## NOTE(security): when enabled this changes every pod in the cluster.
      ## Use enabledNamespaces or targets below to limit which workloads
      ## receive injected libraries.
      enabled: false
      # datadog.apm.instrumentation.enabledNamespaces -- Enable injecting the Datadog APM libraries into pods in specific namespaces.
      enabledNamespaces: []
      # datadog.apm.instrumentation.disabledNamespaces -- Disable injecting the Datadog APM libraries into pods in specific namespaces.
      disabledNamespaces: []
      # datadog.apm.instrumentation.libVersions -- Inject specific version of tracing libraries with Single Step Instrumentation.
      libVersions: {}
      # datadog.apm.instrumentation.targets -- Enable target based workload selection.
      # Requires Cluster Agent 7.64.0+.
      #
      # ddTraceConfigs[]valueFrom Requires Cluster Agent 7.66.0+.
      targets: []
      # - name: "example"
      #   podSelector:
      #     matchLabels:
      #       language: "python"
      #   namespaceSelector:
      #     matchNames:
      #       - "applications"
      #   ddTraceVersions:
      #     python: "v2"
      #   ddTraceConfigs:
      #     - name: "DD_PROFILING_ENABLED"
      #       value: "true"
      #     - name: "DD_SERVICE"
      #       valueFrom:
      #         fieldRef:
      #           fieldPath: metadata.labels[my-label]

      # datadog.apm.instrumentation.skipKPITelemetry -- Disable generating Configmap for APM Instrumentation KPIs
      skipKPITelemetry: false
      # Language detection currently only detects languages and adds them as annotations on deployments, but doesn't use these languages for injecting libraries to applicative pods.
      # It requires Agent 7.52+ and Cluster Agent 7.52+
      language_detection:
        # datadog.apm.instrumentation.language_detection.enabled -- Run language detection to automatically detect languages of user workloads (preview).
        enabled: true
      # datadog.apm.instrumentation.injectionMode -- The injection mode to use for libraries injection.
      # Valid values are: "auto", "init_container", "csi" (experimental, requires Cluster Agent 7.76.0+ and Datadog CSI Driver), "image_volume" (experimental, requires Cluster Agent 7.77.0+)
      # Empty by default so the Cluster Agent can apply its own defaults.
      injectionMode: ""
      # This feature is in preview. It requires Cluster Agent 7.57+.
      injector:
        # datadog.apm.instrumentation.injector.imageTag -- The image tag to use for the APM Injector (preview).
        imageTag: ""
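## Application Security Management (ASM) configuration
##
## ASM is disabled by default and can be enabled by setting the various `enabled` fields to `true` under the `datadog.asm` section.
## Manually adding the various environment variables to a pod will take precedence over the ones in the Helm chart.
## These will only have an effect on containers that have Datadog client libraries installed, either manually or via Single Step Instrumentation (under the `datadog.apm.instrumentation` section).
## It requires Datadog Cluster Agent 7.53.0+.
asm:
  threats:
    # datadog.asm.threats.enabled -- Enable Application Security Management Threats App & API Protection by injecting `DD_APPSEC_ENABLED=true` environment variable to all pods in the cluster
    enabled: false
  sca:
    # datadog.asm.sca.enabled -- Enable Application Security Management Software Composition Analysis by injecting `DD_APPSEC_SCA_ENABLED=true` environment variable to all pods in the cluster
    enabled: false
  iast:
    # datadog.asm.iast.enabled -- Enable Application Security Management Interactive Application Security Testing by injecting `DD_IAST_ENABLED=true` environment variable to all pods in the cluster
    enabled: false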
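## App & API Protection configuration
##
## App & API Protection is disabled by default and can be enabled by setting the `enabled` field to `true` under the `datadog.appsec.injector` section.
## The Datadog Helm Chart offers the option to auto-instrument supported proxies in the cluster to forward traffic to a custom security processor delegating
## traffic analysis, WAF capabilities and API Posture management to Datadog's App and API Protection product that has to be deployed separately. Please follow the documentation to deploy the processor:
## https://docs.datadoghq.com/security/application_security/setup/#proxies
## It requires Datadog Cluster Agent 7.73.0+.
appsec:
  # App & API Protection Injector is used to automatically configure your proxy to forward traffic to a custom security processor delegating
  # traffic analysis, WAF capabilities and API Posture management to Datadog's App and API Protection product.
  injector:
    # datadog.appsec.injector.enabled -- Enable App & API Protection on your cluster ingress usage across all your cluster at once
    enabled: false
    # datadog.appsec.injector.autoDetect -- Automatically detect and inject supported proxies in the cluster (Envoy Gateway, Istio Gateway API, native Istio Gateway)
    autoDetect: true
    # datadog.appsec.injector.mode -- Deployment mode for the AppSec processor. Valid values: "sidecar", "external". Leave empty to use the agent default (sidecar). Upgrading users who rely on the external-processor flow (processor.address / processor.service.*) should set this to "external" explicitly.
    mode: ""
    # datadog.appsec.injector.proxies -- Manually specify which proxy types to inject. Valid values: "envoy-gateway", "istio", "istio-gateway"
    # When autoDetect is true, detected proxies are added to this list
    # When autoDetect is false, only proxies in this list are enabled
    proxies: []
    # - envoy-gateway: Configures Envoy Gateway resources for AppSec injection
    # - istio: Watches Istio-managed Kubernetes Gateway API GatewayClasses for AppSec injection
    # - istio-gateway: Watches native Istio Gateway resources for AppSec injection

    ## The sidecar image below is a fully qualified ghcr.io reference selected by tag, not digest.
    ## NOTE(review): it is presumably not rewritten by the chart-level `registry` value; confirm,
    ## and mirror or digest-pin it if the cluster only admits images from approved registries.
    sidecar:
      # datadog.appsec.injector.sidecar.image -- Container image for the AppSec sidecar processor
      image: "ghcr.io/datadog/dd-trace-go/service-extensions-callout"
      # datadog.appsec.injector.sidecar.imageTag -- Image tag for the AppSec sidecar processor
      imageTag: "v2.6.0"
      # datadog.appsec.injector.sidecar.port -- Listening port for the AppSec sidecar processor
      port: 8080
      # datadog.appsec.injector.sidecar.healthPort -- Health check port for the AppSec sidecar processor
      healthPort: 8081
      # datadog.appsec.injector.sidecar.bodyParsingSizeLimit -- Request body parsing size limit in bytes for the AppSec sidecar processor. Set to 0 to leave it unset (default agent behavior). Set to a negative value (e.g. -1) to disable body parsing entirely.
      bodyParsingSizeLimit: 0
      resources:
        requests:
          # datadog.appsec.injector.sidecar.resources.requests.cpu -- CPU request for the AppSec sidecar processor
          cpu: "10m"
          # datadog.appsec.injector.sidecar.resources.requests.memory -- Memory request for the AppSec sidecar processor
          memory: "128Mi"
        limits:
          # datadog.appsec.injector.sidecar.resources.limits.cpu -- Optional CPU limit for the AppSec sidecar processor
          cpu: ""
          # datadog.appsec.injector.sidecar.resources.limits.memory -- Optional memory limit for the AppSec sidecar processor
          memory: ""
    processor:
      # datadog.appsec.injector.processor.address -- Address of the AppSec processor service
      # Defaults to `{service.name}.{service.namespace}.svc`
      address: ""
      # datadog.appsec.injector.processor.port -- Port of the AppSec processor service (defaults to 443)
      port: 443
      # datadog.appsec.injector.processor.service -- Required service information to connect to the AppSec processor
      # This service should point to a deployment of the image `ghcr.io/datadog/dd-trace-go/service-extensions-callout:latest`
      # This deployment is not managed by the Datadog Helm chart.
      ## Prefer a fixed version tag or digest over `:latest` for that deployment, so the processor
      ## sitting in the request path does not change without a deliberate rollout.
      service:
        # datadog.appsec.injector.processor.service.name -- Name of the AppSec processor service
        name: ""
        # datadog.appsec.injector.processor.service.namespace -- Namespace where the AppSec processor service is deployed
        namespace: ""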
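## OTLP ingest related configuration
otlp:
  receiver:
    ## The default endpoints bind 0.0.0.0 and `useHostPort: true` publishes the port on the node.
    ## When enabling a protocol, limit who can reach it (NetworkPolicy, node firewall), or turn
    ## `useHostPort` off when senders can reach the Agent another way.
    protocols:
      # datadog.otlp.receiver.protocols.grpc - OTLP/gRPC configuration
      grpc:
        # datadog.otlp.receiver.protocols.grpc.enabled -- Enable the OTLP/gRPC endpoint
        enabled: false
        # datadog.otlp.receiver.protocols.grpc.endpoint -- OTLP/gRPC endpoint
        endpoint: "0.0.0.0:4317"
        # datadog.otlp.receiver.protocols.grpc.useHostPort -- Enable the Host Port for the OTLP/gRPC endpoint
        useHostPort: true
      # datadog.otlp.receiver.protocols.http - OTLP/HTTP configuration
      http:
        # datadog.otlp.receiver.protocols.http.enabled -- Enable the OTLP/HTTP endpoint
        enabled: false
        # datadog.otlp.receiver.protocols.http.endpoint -- OTLP/HTTP endpoint
        endpoint: "0.0.0.0:4318"
        # datadog.otlp.receiver.protocols.http.useHostPort -- Enable the Host Port for the OTLP/HTTP endpoint
        useHostPort: true
  logs:
    # datadog.otlp.logs.enabled -- Enable logs support in the OTLP ingest endpoint
    enabled: false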
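## Host Profiler related configuration for the host-profiler in Agent Daemonset. Note this is experimental and subject to change
hostProfiler:
  # datadog.hostProfiler.enabled -- Enable the Host Profiler. This feature is experimental and subject to change.
  enabled: false
  # datadog.hostProfiler.image -- Image for the Host Profiler. This parameter is experimental and will be removed once official image is available.
  ## There is no default image: whatever is set here runs in the Agent DaemonSet, so use a
  ## reference from a registry you trust, pinned to a fixed tag or digest.
  image: ""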
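## OTel collector related configuration for the otel-agent in Agent Daemonset
otelCollector:
  # datadog.otelCollector.enabled -- Enable the OTel Collector
  enabled: false
  # datadog.otelCollector.ports -- Ports that OTel Collector is listening on
  ports:
    # Default GRPC port of OTLP receiver
    - containerPort: "4317"
      name: otel-grpc
      protocol: TCP
    # Default HTTP port of OTLP receiver
    - containerPort: "4318"
      name: otel-http
      protocol: TCP
  # datadog.otelCollector.config -- OTel collector configuration
  config: null
  # datadog.otelCollector.configMap -- Use an existing ConfigMap for DDOT Collector configuration
  configMap:
    # datadog.otelCollector.configMap.name -- Name of the existing ConfigMap that contains the DDOT Collector configuration
    name: null
    # datadog.otelCollector.configMap.items -- Items within the ConfigMap that contain DDOT Collector configuration
    items:
    # - key: otel-config.yaml
    #   path: otel-config.yaml
    # - key: otel-config-two.yaml
    #   path: otel-config-two.yaml
    # datadog.otelCollector.configMap.key -- Key within the ConfigMap that contains the DDOT Collector configuration
    key: otel-config.yaml
  # datadog.otelCollector.featureGates -- Feature gates to pass to OTel collector, as a comma separated list
  featureGates: null
  # datadog.otelCollector.useStandaloneImage -- If true, the OTel Collector will use the `ddot-collector` image instead of the `agent` image
  # The tag is retrieved from the `agents.image.tag` value.
  # This is only supported for agent versions 7.67.0+
  # If set to false, you will need to set `agents.image.tagSuffix` to `full`
  useStandaloneImage: true
  ## Provide OTel Collector RBAC configuration
  rbac:
    # datadog.otelCollector.rbac.create -- If true, check OTel Collector config for k8sattributes processor
    # and create required ClusterRole to access Kubernetes API
    create: true
    # datadog.otelCollector.rbac.rules -- A set of additional RBAC rules to apply to OTel Collector's ClusterRole
    ## These rules land in a ClusterRole, so they apply cluster-wide; keep them to the specific
    ## resources and read-only verbs the configured processors need.
    rules: []
    # - apiGroups: [""]
    #   resources: ["pods", "nodes"]
    #   verbs: ["get", "list", "watch"]
  ## Provide OTel Collector logs configuration
  logs:
    # datadog.otelCollector.logs.enabled -- Enable logs support in the OTel Collector.
    # If true, checks OTel Collector config for filelog receiver and mounts additional volumes to collect containers
    # and pods logs.
    enabled: false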
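## Continuous Profiler configuration
##
## Continuous Profiler is disabled by default and can be enabled by setting the `enabled` field to
## either `auto` or `true` value under the `datadog.profiling` section.
## Manually adding the `DD_PROFILING_ENABLED` variable to a pod will take precedence over the
## value in the Helm chart.
## These will only have an effect on containers that have Datadog client libraries installed,
## either manually or via Single Step Instrumentation (under the `datadog.apm.instrumentation`
## section).
## It requires Datadog Cluster Agent 7.57.0+.
profiling:
  # datadog.profiling.enabled -- Enable Continuous Profiler by injecting `DD_PROFILING_ENABLED`
  # environment variable with the same value to all pods in the cluster
  # Valid values are:
  # - false: Profiler is turned off and can not be turned on by other means.
  # - null: Profiler is turned off, but can be turned on by other means.
  # - auto: Profiler is turned off, but the library will turn it on if the application is a good candidate for profiling.
  # - true: Profiler is turned on.
  enabled: null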
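# datadog.envFrom -- Set environment variables for all Agents directly from configMaps and/or secrets

## envFrom to pass configmaps or secrets as environment
envFrom: []
# - configMapRef:
#     name: <CONFIGMAP_NAME>
# - secretRef:
#     name: <SECRET_NAME>

# datadog.env -- Set environment variables for all Agents

## The Datadog Agent supports many environment variables.
## ref: https://docs.datadoghq.com/agent/docker/?tab=standard#environment-variables
## Values set in `env` and `envDict` are stored in plain text in the values file and the
## rendered manifests; pass credentials through `envFrom` with a `secretRef` instead.
env: []
# - name: <ENV_VAR_NAME>
#   value: <ENV_VAR_VALUE>

# datadog.envDict -- Set environment variables for all Agents defined in a dict
envDict: {}
#   <ENV_VAR_NAME>: <ENV_VAR_VALUE>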
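# datadog.confd -- Provide additional check configurations (static and Autodiscovery)

## Each key becomes a file in /conf.d
## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#optional-volumes
## ref: https://docs.datadoghq.com/agent/autodiscovery/
## Check configurations often need credentials for the monitored service; avoid writing them
## inline here, since this content is kept in plain text with the release values.
confd: {}
#   redisdb.yaml: |-
#     init_config:
#     instances:
#       - host: "name"
#         port: "6379"
#   kubernetes_state.yaml: |-
#     ad_identifiers:
#       - kube-state-metrics
#     init_config:
#     instances:
#       - kube_state_url: http://%%host%%:8080/metrics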
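# datadog.checksd -- Provide additional custom checks as python code

## Each key becomes a file in /checks.d
## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#optional-volumes
## This is executable Python that the Agent loads as a check, so it runs with the Agent's
## privileges; review and version it like any other code deployed to the nodes.
checksd: {}
#   service.py: |-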
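# datadog.dockerSocketPath -- Path to the docker socket
dockerSocketPath: # /var/run/docker.sock
# datadog.criSocketPath -- Path to the container runtime socket (if different from Docker)
criSocketPath: # /var/run/containerd/containerd.sock
# Configure how the agent interacts with the host's container runtime
## Access to the runtime socket allows managing containers on the node, so it is a node-level
## privilege for the Agent pod; set `enabled: false` where that access is not acceptable.
containerRuntimeSupport:
  # datadog.containerRuntimeSupport.enabled -- Set this to false to disable agent access to container runtime.
  enabled: true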
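## Enable process agent and provide custom configs
processAgent:
  # datadog.processAgent.enabled -- Set this to true to enable live process monitoring agent
  # DEPRECATED. Set `datadog.processAgent.processCollection` or `datadog.processAgent.containerCollection` instead.
  ## Note: /etc/passwd is automatically mounted when `processCollection`, `processDiscovery`, or `containerCollection` is enabled.
  ## ref: https://docs.datadoghq.com/graphing/infrastructure/process/#kubernetes-daemonset
  enabled: true
  # datadog.processAgent.processCollection -- Set this to true to enable process collection
  processCollection: false
  # datadog.processAgent.stripProcessArguments -- Set this to scrub all arguments from collected processes
  ## Requires datadog.processAgent.processCollection to be set to true to have any effect
  ## ref: https://docs.datadoghq.com/infrastructure/process/?tab=linuxwindows#process-arguments-scrubbing
  ## Command lines can carry credentials passed as arguments; set this to true when process
  ## collection is enabled on hosts where that is a concern (see the ref above for scrubbing).
  stripProcessArguments: false
  # datadog.processAgent.processDiscovery -- Enables or disables autodiscovery of integrations
  processDiscovery: true
  # datadog.processAgent.runInCoreAgent -- Set this to true to run the following features in the core agent: Live Processes, Live Containers, Process Discovery.
  ## This requires Agent 7.60.0+ and Linux.
  ## DEPRECATED: This behavior will be enabled by default for installations that meet the requirements.
  ## For Agent 7.78.0+, this setting is ignored — process checks always run in the core agent on Linux.
  runInCoreAgent: true
  # datadog.processAgent.containerCollection -- Set this to true to enable container collection
  ## ref: https://docs.datadoghq.com/infrastructure/containers/?tab=helm
  containerCollection: true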
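# datadog.disableDefaultOsReleasePaths -- Set this to true to disable mounting datadog.osReleasePath in all containers
disableDefaultOsReleasePaths: false
# datadog.disablePasswdMount -- Set this to true to disable mounting /etc/passwd in all containers
disablePasswdMount: false
# datadog.osReleasePath -- Specify the path to your os-release file
osReleasePath: /etc/os-release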
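## Enable systemProbe agent and provide custom configs
systemProbe:
  # datadog.systemProbe.debugPort -- Specify the port to expose pprof and expvar for system-probe agent
  ## pprof and expvar expose process internals; if a port is set, keep it unreachable from
  ## untrusted networks.
  debugPort: 0
  # datadog.systemProbe.enableConntrack -- Enable the system-probe agent to connect to the netlink/conntrack subsystem to add NAT information to connection data

  ## ref: http://conntrack-tools.netfilter.org/
  enableConntrack: true
  # datadog.systemProbe.seccomp -- Apply an ad-hoc seccomp profile to the system-probe agent to restrict its privileges

  ## Note that this will break `kubectl exec … -c system-probe -- /bin/bash`
  seccomp: localhost/system-probe
  # datadog.systemProbe.seccompRoot -- Specify the seccomp profile root directory
  seccompRoot: /var/lib/kubelet/seccomp
  # datadog.systemProbe.bpfDebug -- Enable logging for kernel debug
  bpfDebug: false
  # datadog.systemProbe.apparmor -- Specify an AppArmor profile for system-probe
  ## `unconfined` applies no AppArmor confinement to system-probe, leaving the seccomp profile
  ## above as the restriction set in this section; supply a profile where nodes enforce AppArmor.
  apparmor: unconfined
  # datadog.systemProbe.enableTCPQueueLength -- Enable the TCP queue length eBPF-based check
  enableTCPQueueLength: false
  # datadog.systemProbe.enableOOMKill -- Enable the OOM kill eBPF-based check
  enableOOMKill: false
  # datadog.systemProbe.mountPackageManagementDirs -- Enables mounting of specific package management directories when runtime compilation is enabled
  mountPackageManagementDirs: []
  ## For runtime compilation to be able to download kernel headers, the host's package management folders
  ## must be mounted to the /host directory. For example, for Ubuntu & Debian the following mount would be necessary:
  # - name: "apt-config-dir"
  #   hostPath: /etc/apt
  #   mountPath: /host/etc/apt
  ## If this list is empty, then all necessary package management directories (for all supported OSs) will be mounted.

  # datadog.systemProbe.runtimeCompilationAssetDir -- Specify a directory for runtime compilation assets to live in
  runtimeCompilationAssetDir: /var/tmp/datadog-agent/system-probe
  # datadog.systemProbe.btfPath -- Specify the path to a BTF file for your kernel
  btfPath: ""
  # datadog.systemProbe.collectDNSStats -- Enable DNS stat collection
  collectDNSStats: true
  # datadog.systemProbe.maxTrackedConnections -- the maximum number of tracked connections
  maxTrackedConnections: 131072
  # datadog.systemProbe.maxConnectionStateBuffered -- Maximum number of concurrent connections for Cloud Network Monitoring
  maxConnectionStateBuffered:
  # datadog.systemProbe.conntrackMaxStateSize -- the maximum size of the userspace conntrack cache
  conntrackMaxStateSize: 131072 # 2 * maxTrackedConnections by default, per https://github.com/DataDog/datadog-agent/blob/d1c5de31e1bba72dfac459aed5ff9562c3fdcc20/pkg/process/config/config.go#L229
  # datadog.systemProbe.conntrackInitTimeout -- the time to wait for conntrack to initialize before failing
  conntrackInitTimeout: 10s
  # DEPRECATED. Use datadog.disableDefaultOsReleasePaths instead.
  # datadog.systemProbe.enableDefaultOsReleasePaths -- enable default os-release files mount
  enableDefaultOsReleasePaths: true
  # datadog.systemProbe.enableDefaultKernelHeadersPaths -- Enable mount of default paths where kernel headers are stored
  enableDefaultKernelHeadersPaths: true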
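containerImageCollection:
  # datadog.containerImageCollection.enabled -- Enable collection of container image metadata

  # This parameter requires Agent version 7.46+
  enabled: true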
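orchestratorExplorer:
  # datadog.orchestratorExplorer.enabled -- Set this to false to disable the orchestrator explorer

  ## This requires processAgent.enabled and clusterAgent.enabled to be set to true
  ## ref: TODO - add doc link
  enabled: true
  # datadog.orchestratorExplorer.container_scrubbing -- Enable the scrubbing of containers in the kubernetes resource YAML for sensitive information

  ## The container scrubbing is taking significant resources during data collection.
  ## If you notice that the cluster-agent uses too much CPU in larger clusters
  ## turning this option off will improve the situation.
  ## Turning it off also means sensitive values in the collected resource YAML are sent
  ## unscrubbed, so weigh the CPU saving against that exposure.
  container_scrubbing:
    enabled: true
  # datadog.orchestratorExplorer.kubelet_configuration_check.enabled -- Enable the orchestrator kubelet configuration check

  ## this enables the collection of the kubelet configuration for viewing in the orchestrator
  kubelet_configuration_check:
    enabled: true
  # datadog.orchestratorExplorer.customResources -- Defines custom resources for the orchestrator explorer to collect

  # customResources is required for RBAC creation if a custom orchestrator explorer configuration is provided in `clusterAgent.confd` or `clusterAgent.advancedConfd`
  # Each item should follow group/version/name, for example
  #   customResources:
  #     - datadoghq.com/v1alpha1/datadogmetrics
  #     - datadoghq.com/v1alpha1/watermarkpodautoscalers
  customResources: []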
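helmCheck:
  # datadog.helmCheck.enabled -- Set this to true to enable the Helm check (Requires Agent 7.35.0+ and Cluster Agent 1.19.0+)
  # This requires clusterAgent.enabled to be set to true
  enabled: false
  # datadog.helmCheck.collectEvents -- Set this to true to enable event collection in the Helm Check (Requires Agent 7.36.0+ and Cluster Agent 1.20.0+)
  # This requires datadog.helmCheck.enabled to be set to true
  collectEvents: false
  # datadog.helmCheck.valuesAsTags -- Collects Helm values from a release and uses them as tags (Requires Agent and Cluster Agent 7.40.0+).
  # This requires datadog.helmCheck.enabled to be set to true
  ## Tag values leave the cluster with the collected data; do not map Helm values that hold
  ## credentials or other secrets.
  valuesAsTags: {}
  #   <HELM_VALUE>: <LABEL_NAME>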
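networkMonitoring:
  # datadog.networkMonitoring.enabled -- Enable Cloud Network Monitoring
  enabled: false
  # datadog.networkMonitoring.dnsMonitoringPorts -- List of ports to monitor for DNS traffic
  # @default -- `[53]` (set by agent)
  dnsMonitoringPorts: []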
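networkPath:
  connectionsMonitoring:
    # datadog.networkPath.connectionsMonitoring.enabled -- Enable Network Path's "Network traffic paths" feature. Requires the `traceroute` system-probe module to be enabled.
    enabled: false
  collector:
    # datadog.networkPath.collector.workers -- Override the number of workers
    workers:
    # datadog.networkPath.collector.pathtestTTL -- Override TTL in minutes for pathtests
    pathtestTTL:
    # datadog.networkPath.collector.pathtestInterval -- Override time interval between pathtest runs
    pathtestInterval:
    # datadog.networkPath.collector.pathtestContextsLimit -- Override maximum number of pathtests stored to run
    pathtestContextsLimit:
    # datadog.networkPath.collector.pathtestMaxPerMinute -- Override limit for total pathtests run, per minute
    pathtestMaxPerMinute: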
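serviceMonitoring:
  # datadog.serviceMonitoring.enabled -- Enable Universal Service Monitoring
  enabled: false
  # datadog.serviceMonitoring.httpMonitoringEnabled -- Enable HTTP monitoring for Universal Service Monitoring (Requires Agent 7.40.0+). Empty values use the default setting in the datadog agent.
  httpMonitoringEnabled:
  # datadog.serviceMonitoring.http2MonitoringEnabled -- Enable HTTP2 & gRPC monitoring for Universal Service Monitoring (Requires Agent 7.53.0+ and kernel 5.2 or later). Empty values use the default setting in the datadog agent.
  http2MonitoringEnabled:
  tls:
    go:
      # datadog.serviceMonitoring.tls.go.enabled -- (bool) Enable TLS monitoring for Golang services (Requires Agent 7.51.0+). Empty values use the default setting in the datadog agent.
      enabled:
    istio:
      # datadog.serviceMonitoring.tls.istio.enabled -- (bool) Enable TLS monitoring for Istio services (Requires Agent 7.50.0+). Empty values use the default setting in the datadog agent.
      enabled:
    nodejs:
      # datadog.serviceMonitoring.tls.nodejs.enabled -- (bool) Enable TLS monitoring for Node.js services (Requires Agent 7.54.0+). Empty values use the default setting in the datadog agent.
      enabled:
    native:
      # datadog.serviceMonitoring.tls.native.enabled -- (bool) Enable TLS monitoring for native (openssl, libssl, gnutls) services (Requires Agent 7.51.0+). Empty values use the default setting in the datadog agent.
      enabled: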
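traceroute:
  # datadog.traceroute.enabled -- (bool) Enable traceroutes in system-probe for Network Path
  enabled: false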
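discovery:
  # datadog.discovery.enabled -- (bool) Enable Service Discovery. If omitted, the chart auto-enables it when the effective node Agent version resolved by the chart is >= 7.78.0, except on GKE Autopilot clusters where system-probe is not supported. If that resolution still yields a non-semver-ish tag, discovery treats it as latest. Explicit true/false always takes precedence. On supported Agent versions, the chart also enables `discovery.use_system_probe_lite` so discovery-only deployments can exec into `system-probe-lite`.
  enabled: # false
  # datadog.discovery.networkStats.enabled -- (bool) Enable Service Discovery Network Stats
  networkStats:
    enabled: true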
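gpuMonitoring:
  # datadog.gpuMonitoring.enabled -- Enable GPU monitoring core check
  enabled: false
  # datadog.gpuMonitoring.privilegedMode -- Enable advanced GPU metrics and monitoring via system-probe
  # Note: system-probe component of the agent runs with elevated privileges
  privilegedMode: false
  # datadog.gpuMonitoring.configureCgroupPerms -- Configure cgroup permissions for GPU monitoring
  configureCgroupPerms: false
  # datadog.gpuMonitoring.runtimeClassName -- Runtime class name for the agent pods to get access to NVIDIA resources. Can be left empty to use the default runtime class.
  runtimeClassName: "nvidia"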
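# Software Bill of Materials configuration
sbom:
  containerImage:
    # datadog.sbom.containerImage.enabled -- Enable SBOM collection for container images
    enabled: false
    # datadog.sbom.containerImage.uncompressedLayersSupport -- Use container runtime snapshotter
    # This should be set to true when using EKS, GKE or if containerd is configured to
    # discard uncompressed layers.
    # This feature will cause the SYS_ADMIN capability to be added to the Agent container.
    # Setting this to false could cause a high error rate when generating SBOMs due to missing uncompressed layer.
    # See https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/vulnerabilities/#uncompressed-container-image-layers
    ## SYS_ADMIN is a broad capability; plan the matching admission-policy exception before
    ## enabling container image SBOM collection with this left at true.
    uncompressedLayersSupport: true
    # datadog.sbom.containerImage.overlayFSDirectScan -- Use experimental overlayFS direct scan
    overlayFSDirectScan: false
    # datadog.sbom.containerImage.containerExclude -- Exclude containers from SBOM generation, as a space-separated list

    ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers
    containerExclude: # "image:datadog/agent"
    # datadog.sbom.containerImage.containerInclude -- Include containers in SBOM generation, as a space-separated list.
    # If a container matches an include rule, it’s always included in SBOM generation

    ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#include-containers
    containerInclude:
    # datadog.sbom.containerImage.analyzers -- List of analyzers to use for container image SBOM generation
    analyzers:
      - "os"
  host:
    # datadog.sbom.host.enabled -- Enable SBOM collection for host filesystems
    enabled: false
    # datadog.sbom.host.analyzers -- List of analyzers to use for host SBOM generation
    analyzers:
      - "os"
  enrichment:
    usage:
      # datadog.sbom.enrichment.usage.enabled -- Enable runtime "package in use" SBOM enrichment.
      # Requires the system-probe container (auto-enabled when set to true) for eBPF-based file
      # access tracking, and sets `hostPID: true` on the agent pod. Requires Agent 7.79.0+.
      ## `hostPID: true` places the agent pod in the host PID namespace; account for that in
      ## pod security policy before enabling.
      enabled: false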
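## Enable security agent and provide custom configs
securityAgent:
  compliance:
    # datadog.securityAgent.compliance.enabled -- Set to true to enable Cloud Security Posture Management (CSPM)
    enabled: false
    # datadog.securityAgent.compliance.configMap -- Contains CSPM compliance benchmarks that will be used
    configMap:
    # datadog.securityAgent.compliance.checkInterval -- Compliance check run interval
    checkInterval: 20m
    # datadog.securityAgent.compliance.containerInclude -- Include containers in CSPM monitoring, as a space-separated list.
    # If a container matches an include rule, it’s always included

    ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#include-containers
    containerInclude:
    # DEPRECATED. Use datadog.securityAgent.compliance.host_benchmarks.enabled instead.
    xccdf:
      enabled: false
    # datadog.securityAgent.compliance.host_benchmarks.enabled -- Set to false to disable host benchmarks. If enabled, this feature requires 160 MB extra memory for the `security-agent` container. (Requires Agent 7.47.0+)
    host_benchmarks:
      enabled: true
    # datadog.securityAgent.compliance.runInSystemProbe -- Set to true to run compliance checks in system-probe instead of security-agent.
    # When enabled in conjunction with datadog.securityAgent.runtime.directSendFromSystemProbe, the security-agent container will not be created.
    runInSystemProbe: false
  runtime:
    # datadog.securityAgent.runtime.enabled -- Set to true to enable Cloud Workload Security (CWS)
    enabled: false
    # datadog.securityAgent.runtime.fimEnabled -- Set to true to enable Cloud Workload Security (CWS) File Integrity Monitoring
    # DEPRECATED. This option has no effect. Cloud Workload Security is now only controlled by datadog.securityAgent.runtime.enabled.
    fimEnabled: false
    # datadog.securityAgent.runtime.useSecruntimeTrack -- Set to true to send Cloud Workload Security (CWS) events directly to the Agent events explorer. This value shouldn't be changed unless advised by Datadog support.
    useSecruntimeTrack: true
    # datadog.securityAgent.runtime.directSendFromSystemProbe -- Set to true to enable direct sending of CWS events from system-probe to Datadog, bypassing security-agent.
    # When enabled, the security-agent container will not be created for CWS functionality (it may still be created if compliance features are enabled).
    directSendFromSystemProbe: false
    # datadog.securityAgent.runtime.containerExclude -- Exclude containers from runtime security monitoring, as a space-separated list
    ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers
    ## Excluded containers are not covered by runtime security monitoring, so keep exclusion
    ## rules narrow and reviewed.
    containerExclude: # "image:datadog/agent"
    # datadog.securityAgent.runtime.containerInclude -- Include containers in runtime security monitoring, as a space-separated list.
    # If a container matches an include rule, it’s always included

    ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#include-containers
    containerInclude:
    policies:
      # datadog.securityAgent.runtime.policies.configMap -- Contains CWS policies that will be used
      configMap:
    syscallMonitor:
      # datadog.securityAgent.runtime.syscallMonitor.enabled -- Set to true to enable the Syscall monitoring (recommended for troubleshooting only)
      enabled: false
    network:
      # datadog.securityAgent.runtime.network.enabled -- Set to true to enable the collection of CWS network events
      enabled: true
    activityDump:
      # datadog.securityAgent.runtime.activityDump.enabled -- Set to true to enable the collection of CWS activity dumps
      enabled: true
      # datadog.securityAgent.runtime.activityDump.tracedCgroupsCount -- Set to the number of containers that should be traced concurrently
      tracedCgroupsCount: 3
      # datadog.securityAgent.runtime.activityDump.cgroupDumpTimeout -- Set to the desired duration of a single container tracing (in minutes)
      cgroupDumpTimeout: 20
      # datadog.securityAgent.runtime.activityDump.cgroupWaitListSize -- Set to the size of the wait list for already traced containers
      cgroupWaitListSize: 0
      pathMerge:
        # datadog.securityAgent.runtime.activityDump.pathMerge.enabled -- Set to true to enable the merging of similar paths
        enabled: false
    securityProfile:
      # datadog.securityAgent.runtime.securityProfile.enabled -- Set to true to enable CWS runtime security profiles
      enabled: true
      anomalyDetection:
        # datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled -- Set to true to enable CWS runtime drift events
        enabled: true
      autoSuppression:
        # datadog.securityAgent.runtime.securityProfile.autoSuppression.enabled -- Set to true to enable CWS runtime auto suppression
        enabled: true
    enforcement:
      # datadog.securityAgent.runtime.enforcement.enabled -- Set to false to disable CWS runtime enforcement
      enabled: true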
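## Manage NetworkPolicy
## (sub-section of `datadog`; nesting restored from the key paths in the comments)
networkPolicy:
  # datadog.networkPolicy.create -- If true, create NetworkPolicy for all the components
  ## Note: with the default of false the chart creates no NetworkPolicy, so any
  ## restriction of traffic to and from the Agent components has to come from
  ## policies managed outside this chart.
  create: false
  # datadog.networkPolicy.flavor -- Flavor of the network policy to use.
  # Can be:
  # * kubernetes for networking.k8s.io/v1/NetworkPolicy
  # * cilium     for cilium.io/v2/CiliumNetworkPolicy
  flavor: kubernetes
  cilium:
    # datadog.networkPolicy.cilium.dnsSelector -- Cilium selector of the DNS server entity
    # @default -- kube-dns in namespace kube-system
    dnsSelector:
      toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns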
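## Configure prometheus scraping autodiscovery
## (sub-section of `datadog`; nesting restored from the key paths in the comments)

## ref: https://docs.datadoghq.com/agent/kubernetes/prometheus/
prometheusScrape:
  # datadog.prometheusScrape.enabled -- Enable autodiscovering pods and services exposing prometheus metrics.
  enabled: false
  # datadog.prometheusScrape.serviceEndpoints -- Enable generating dedicated checks for service endpoints.
  serviceEndpoints: false
  # datadog.prometheusScrape.additionalConfigs -- Allows adding advanced openmetrics check configurations with custom discovery rules. (Requires Agent version 7.27+)
  additionalConfigs: []
  # -
  #   autodiscovery:
  #     kubernetes_annotations:
  #       include:
  #         custom_include_label: 'true'
  #       exclude:
  #         custom_exclude_label: 'true'
  #     kubernetes_container_names:
  #     - my-app
  #   configurations:
  #   - send_distribution_buckets: true
  #     timeout: 5
  # datadog.prometheusScrape.version -- Version of the openmetrics check to schedule by default.

  # See https://datadoghq.dev/integrations-core/legacy/prometheus/#config-changes-between-versions for the differences between the two versions.
  # (Version 2 requires Agent version 7.34+)
  version: 2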
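## Autodiscovery filters (keys of `datadog`). The include/exclude values are
## space-separated lists; an empty value leaves the corresponding filter unset.
# datadog.ignoreAutoConfig -- List of integrations for which auto_conf.yaml is ignored.

## ref: https://docs.datadoghq.com/agent/faq/auto_conf/
ignoreAutoConfig: []
#  - redisdb
#  - kubernetes_state

# datadog.containerExclude -- Exclude containers from Agent Autodiscovery, as a space-separated list

## Note: excluded containers are not picked up by Agent Autodiscovery, which also
## reduces what is visible for them in monitoring; review broad patterns before use.
## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers
containerExclude: # "image:datadog/agent"
# datadog.containerInclude -- Include containers in Agent Autodiscovery, as a space-separated list.
# If a container matches an include rule, it’s always included in Autodiscovery

## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#include-containers
containerInclude:
# datadog.containerExcludeLogs -- Exclude logs from Agent Autodiscovery, as a space-separated list
containerExcludeLogs:
# datadog.containerIncludeLogs -- Include logs in Agent Autodiscovery, as a space-separated list
containerIncludeLogs:
# datadog.containerExcludeMetrics -- Exclude metrics from Agent Autodiscovery, as a space-separated list
containerExcludeMetrics:
# datadog.containerIncludeMetrics -- Include metrics in Agent Autodiscovery, as a space-separated list
containerIncludeMetrics:
# datadog.celWorkloadExclude -- Exclude workloads using a CEL-based definition in the Agent. (Requires Agent 7.73.0+)
# ref: https://docs.datadoghq.com/containers/guide/container-discovery-management/
celWorkloadExclude:
# datadog.excludePauseContainer -- Exclude pause containers from Agent Autodiscovery.

## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#pause-containers
excludePauseContainer: true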
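## Feature toggles under `datadog` (nesting restored from the key paths in the comments).
containerLifecycle:
  # datadog.containerLifecycle.enabled -- Enable container lifecycle events collection
  enabled: true
csi:
  # datadog.csi.enabled -- Enable datadog csi driver
  # Requires version 7.67 or later of the cluster agent
  # Note:
  #   - When set to true, the CSI driver subchart will be installed automatically.
  #   - Do not install the CSI driver separately if this is enabled, or you may hit conflicts.
  enabled: false
dataPlane:
  # datadog.dataPlane.enabled -- Whether or not the data plane is enabled
  #
  # Requires version 7.74 or later of the Datadog Agent.
  #
  # The data plane feature is currently in preview. Please reach out to your Datadog representative for more information.
  enabled: false
  dogstatsd:
    # datadog.dataPlane.dogstatsd.enabled -- Whether or not DogStatsD is enabled in the data plane
    ## NOTE(review): presumably only takes effect when datadog.dataPlane.enabled is true; confirm in the templates.
    enabled: true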
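## Datadog Operator
## * Enable the Datadog Operator chart dependency.
## * Configure the Datadog Operator sub-chart using the values config, `operator`.
## For all available Operator chart options see: https://github.com/DataDog/helm-charts/blob/main/charts/datadog-operator/values.yaml
operator:
  # datadog.operator.enabled -- Enable the Datadog Operator.
  ## Note: enabled by default, so installing this chart also installs the Operator
  ## chart dependency; review the workloads and RBAC it renders before deploying.
  enabled: true
  # datadog.operator.migration.enabled -- Enable migration of Agent workloads to be managed by the Datadog Operator.
  # Creates a DatadogAgent manifest based on current release's values.yaml.
  migration:
    enabled: false
    # datadog.operator.migration.preview -- Set to true to preview the DatadogAgent manifest mapped from the
    # Helm release's values.yaml. Mapped DatadogAgent manifest can be viewed by checking the `dda-mapper`
    # container logs in the migration job.
    ## NOTE(review): the preview writes the mapped manifest to container logs; check
    ## that the values it is built from hold no inline secrets before using it.
    preview: false
    # datadog.operator.migration.userValues -- Provide datadog chart values as a YAML string to be mapped to the DatadogAgent manifest.
    # Use --set-file to pass the file contents: helm install datadog ./charts/datadog --set-file datadog.operator.migration.userValues=myValues.yaml -f myValues.yaml
    userValues: ""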
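# Configuration related to Dynamic Instrumentation for Go services.
dynamicInstrumentationGo:
  # datadog.dynamicInstrumentationGo.enabled -- Enable Dynamic Instrumentation and Live Debugger for Go services.
  enabled: false
# Configuration related to Workload Autoscaling
autoscaling:
  workload:
    # datadog.autoscaling.workload.enabled -- Enable Workload Autoscaling.
    ## Left empty (null) here; NOTE(review): the effective default is decided by
    ## the chart templates, which this file does not show.
    enabled: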
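## This is the Datadog Cluster Agent implementation that handles cluster-wide
## metrics more cleanly, separates concerns for better rbac, and implements
## the external metrics API so you can autoscale HPAs based on datadog metrics
## ref: https://docs.datadoghq.com/agent/kubernetes/cluster/
##
## The nesting below is restored from the key paths in the helm-docs comments
## (the page extraction had flattened it); every value is unchanged.
clusterAgent:
  # clusterAgent.enabled -- Set this to false to disable Datadog Cluster Agent
  enabled: true
  # clusterAgent.shareProcessNamespace -- Set the process namespace sharing on the Datadog Cluster Agent
  shareProcessNamespace: false
  ## Define the Datadog Cluster-Agent image to work with
  image:
    # clusterAgent.image.name -- Cluster Agent image name to use (relative to `registry`)
    name: chainguard-private/datadog-cluster-agent-fips
    # clusterAgent.image.tag -- Cluster Agent image tag to use
    ## Note: this value carries a sha256 digest after the tag name. In a
    ## `name:tag@digest` reference the digest selects the image content, so the
    ## deployed image stays fixed although the tag reads `latest`; moving to a
    ## newer image means updating the digest here.
    tag: latest@sha256:6b4fa9c700b4191b1d4601a4cc25d01dc5225220ad941baad38901bccf4cd917
    # clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified
    ## NOTE(review): left empty while a digest is embedded in `tag` above; confirm
    ## how the chart composes the image reference before setting both.
    digest: ""
    # clusterAgent.image.repository -- Override default registry + image.name for Cluster Agent
    repository:
    # clusterAgent.image.pullPolicy -- Cluster Agent image pullPolicy
    pullPolicy: IfNotPresent
    # clusterAgent.image.pullSecrets -- Cluster Agent repository pullSecret (ex: specify docker registry credentials)

    ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []
    #   - name: "<REG_SECRET>"

    # clusterAgent.image.doNotCheckTag -- Skip the version and chart compatibility check

    ## By default, the version passed in clusterAgent.image.tag is checked
    ## for compatibility with the version of the chart.
    ## This boolean permits completely skipping this check.
    ## This is useful, for example, for custom tags that are not
    ## respecting semantic versioning.
    ## NOTE(review): the tag configured above is not a semantic version; confirm
    ## how the compatibility check treats it.
    doNotCheckTag: # false
  # clusterAgent.securityContext -- Allows you to overwrite the default PodSecurityContext on the cluster-agent pods.
  securityContext: {}
  containers:
    clusterAgent:
      # clusterAgent.containers.clusterAgent.securityContext -- Specify securityContext on the cluster-agent container.
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
    initContainers:
      # clusterAgent.containers.initContainers.securityContext -- Specify securityContext on the initContainers.
      ## Note: empty in this file, so the restrictions set for the cluster-agent
      ## container above are not repeated here for init containers; check the
      ## rendered manifest and set them explicitly if required.
      securityContext: {}
      # clusterAgent.containers.initContainers.resources -- Resource requests and limits for the Cluster Agent init containers
      resources: {}
      #   requests:
      #     cpu: 100m
      #     memory: 200Mi
      #   limits:
      #     cpu: 100m
      #     memory: 200Mi
  # clusterAgent.command -- Command to run in the Cluster Agent container as entrypoint
  command: []
  # clusterAgent.token -- Cluster Agent token is a preshared key between node agents and cluster agent (autogenerated if empty, needs to be at least 32 characters a-zA-Z)
  ## Note: a token written here is kept in plain text in the values file and in
  ## the Helm release data; prefer `tokenExistingSecret` below to keep it out of both.
  token: ""
  # clusterAgent.tokenExistingSecret -- Existing secret name to use for Cluster Agent token. Put the Cluster Agent token in a key named `token` inside the Secret
  tokenExistingSecret: ""
  # clusterAgent.replicas -- Specify the number of Cluster Agent replicas; if > 1, the Cluster Agent can work in HA mode.
  replicas: 1
  # clusterAgent.revisionHistoryLimit -- The number of old ReplicaSets to keep in this Deployment.
  revisionHistoryLimit: 10
  ## Provide Cluster Agent Deployment pod(s) RBAC configuration
  rbac:
    # clusterAgent.rbac.create -- If true, create & use RBAC resources
    create: true
    # clusterAgent.rbac.flareAdditionalPermissions -- If true, add Secrets and Configmaps get/list permissions to retrieve user Datadog Helm values from Cluster Agent namespace
    ## Note: enabled by default. Set to false when flares do not need the Helm
    ## values, so the Cluster Agent is not granted get/list on Secrets in its namespace.
    flareAdditionalPermissions: true
    # clusterAgent.rbac.serviceAccountName -- Specify a preexisting ServiceAccount to use if clusterAgent.rbac.create is false
    ## Note: `default` is the namespace's shared ServiceAccount; when rbac.create is
    ## false, a dedicated account keeps Cluster Agent permissions from applying to
    ## other pods that use `default`.
    serviceAccountName: default
    # clusterAgent.rbac.serviceAccountAnnotations -- Annotations to add to the ServiceAccount if clusterAgent.rbac.create is true
    serviceAccountAnnotations: {}
    # clusterAgent.rbac.serviceAccountAdditionalLabels -- Labels to add to the ServiceAccount if clusterAgent.rbac.create is true
    serviceAccountAdditionalLabels: {}
    # clusterAgent.rbac.automountServiceAccountToken -- If true, automatically mount the ServiceAccount's API credentials if clusterAgent.rbac.create is true
    automountServiceAccountToken: true
  ## Provide Cluster Agent pod security configuration
  podSecurity:
    podSecurityPolicy:
      # clusterAgent.podSecurity.podSecurityPolicy.create -- If true, create a PodSecurityPolicy resource for Cluster Agent pods
      create: false
    securityContextConstraints:
      # clusterAgent.podSecurity.securityContextConstraints.create -- If true, create a SCC resource for Cluster Agent pods
      create: false
  # Enable the metricsProvider to be able to scale based on metrics in Datadog
  metricsProvider:
    # clusterAgent.metricsProvider.enabled -- Set this to true to enable Metrics Provider
    enabled: false
    # clusterAgent.metricsProvider.registerAPIService -- Set this to false to disable external metrics registration as an APIService
    registerAPIService: true
    # clusterAgent.metricsProvider.wpaController -- Enable informer and controller of the watermark pod autoscaler

    ## Note: You need to install the `WatermarkPodAutoscaler` CRD before enabling this option
    wpaController: false
    # clusterAgent.metricsProvider.useDatadogMetrics -- Enable usage of DatadogMetric CRD to autoscale on arbitrary Datadog queries

    ## Note: It will install DatadogMetrics CRD automatically (it may conflict with previous installations)
    useDatadogMetrics: false
    # clusterAgent.metricsProvider.createReaderRbac -- Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent)
    createReaderRbac: true
    # clusterAgent.metricsProvider.aggregator -- Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum)
    aggregator: avg
    ## Configuration for the service for the cluster-agent metrics server
    service:
      # clusterAgent.metricsProvider.service.type -- Set type of cluster-agent metrics server service
      type: ClusterIP
      # clusterAgent.metricsProvider.service.port -- Set port of cluster-agent metrics server service (Kubernetes >= 1.15)
      port: 8443
    # clusterAgent.metricsProvider.endpoint -- Override the external metrics provider endpoint. If not set, the cluster-agent defaults to `datadog.site`
    endpoint: # https://api.datadoghq.com
  # clusterAgent.env -- Set environment variables specific to Cluster Agent

  ## The Cluster-Agent supports many additional environment variables
  ## ref: https://docs.datadoghq.com/agent/cluster_agent/commands/#cluster-agent-options
  env: []
  # clusterAgent.envFrom -- Set environment variables specific to Cluster Agent from configMaps and/or secrets

  ## The Cluster-Agent supports many additional environment variables
  ## ref: https://docs.datadoghq.com/agent/cluster_agent/commands/#cluster-agent-options
  envFrom: []
  #   - configMapRef:
  #       name: <CONFIGMAP_NAME>
  #   - secretRef:
  #       name: <SECRET_NAME>

  # clusterAgent.envDict -- Set environment variables specific to Cluster Agent defined in a dict
  envDict: {}
  #   <ENV_VAR_NAME>: <ENV_VAR_VALUE>

  admissionController:
    # clusterAgent.admissionController.enabled -- Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods
    enabled: true
    # clusterAgent.admissionController.validation -- Validation Webhook configuration options
    validation:
      # clusterAgent.admissionController.validation.enabled -- Enables the Admission Controller validation webhook. Default: true. (Requires Agent 7.59.0+).
      enabled: true
    # clusterAgent.admissionController.mutation -- Mutation Webhook configuration options
    mutation:
      # clusterAgent.admissionController.mutation.enabled -- Enables the Admission Controller mutation webhook. Default: true. (Requires Agent 7.59.0+).
      enabled: true
    # clusterAgent.admissionController.webhookName -- Name of the validatingwebhookconfiguration and mutatingwebhookconfiguration created by the cluster-agent
    webhookName: datadog-webhook
    # clusterAgent.admissionController.mutateUnlabelled -- Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"'
    ## Note: when true, pods are mutated without opting in through the label,
    ## which widens the set of workloads the webhook modifies.
    mutateUnlabelled: false
    # clusterAgent.admissionController.configMode -- The kind of configuration to be injected, it can be "hostip", "service", "socket" or "csi".

    ## If clusterAgent.admissionController.configMode is not set:
    ##   * and datadog.apm.socketEnabled is true, the Admission Controller uses socket.
    ##   * and datadog.apm.portEnabled is true, the Admission Controller uses hostip.
    ##   * and datadog.apm.useLocalService is true and the aforementioned two are false, the Admission Controller uses service.
    ##   * Otherwise, the Admission Controller defaults to hostip.
    ## Note: "service" mode relies on the internal traffic service to target the agent running on the local node (requires Kubernetes v1.22+).
    ## Note: "csi" mode requires enabling csi with `datadog.csi.enabled`. If not set, the admission controller will fall back to "socket" mode.
    ## Note: "csi" mode requires version 7.65 or later of the cluster agent.
    ## ref: https://docs.datadoghq.com/agent/cluster_agent/admission_controller/#configure-apm-and-dogstatsd-communication-mode
    configMode: # "hostip", "socket", "csi" or "service"
    # clusterAgent.admissionController.failurePolicy -- Set the failure policy for dynamic admission control.

    ## The default of Ignore means that pods will still be admitted even if the webhook is unavailable to inject them.
    ## Setting to Fail will require the admission controller to be present and pods to be injected before they are allowed to run.
    failurePolicy: Ignore
    # clusterAgent.admissionController.containerRegistry -- Override the default registry for the admission controller.

    ## The clusterAgent uses this configuration for apm.instrumentation, agentSidecar, and cwsInstrumentation, if
    ## not otherwise specified.
    ## Note: images from this registry are injected into application pods, so it
    ## should be a registry held to the same trust level as the Agent images.
    containerRegistry:
    remoteInstrumentation:
      # clusterAgent.admissionController.remoteInstrumentation.enabled -- Enable polling and applying library injection using Remote Config.
      ## This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+.
      ## Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster.
      enabled: false
    # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
    port: 8000
    cwsInstrumentation:
      # clusterAgent.admissionController.cwsInstrumentation.enabled -- Enable the CWS Instrumentation admission controller endpoint.
      enabled: false
      # clusterAgent.admissionController.cwsInstrumentation.mode -- Mode defines how the CWS Instrumentation should behave.
      # Options are "remote_copy" or "init_container"
      mode: remote_copy
    kubernetesAdmissionEvents:
      # clusterAgent.admissionController.kubernetesAdmissionEvents.enabled -- Enable the Kubernetes Admission Events feature.
      enabled: false
    probe:
      # clusterAgent.admissionController.probe.enabled -- Enable the admission controller connectivity probe.
      ## The probe periodically sends dry-run ConfigMap creation requests to verify the webhook is reachable from the API server.
      ## (Requires Cluster Agent 7.78.0+).
      enabled: false
      # clusterAgent.admissionController.probe.interval -- Seconds between probe executions.
      interval: 60
      # clusterAgent.admissionController.probe.gracePeriod -- Seconds to wait at startup before the first probe.
      gracePeriod: 60
    agentSidecarInjection:
      # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection.

      ## When enabled, the admission controller mutating webhook will inject an Agent sidecar with minimal configuration in every pod meeting the configured criteria.
      enabled: false
      # clusterAgent.admissionController.agentSidecarInjection.provider -- Used by the admission controller to add infrastructure provider-specific configurations to the Agent sidecar.

      ## Currently only "fargate" is supported. To use the feature in other environments (including local testing) omit the config.
      ## ref: https://docs.datadoghq.com/integrations/eks_fargate
      provider:
      # clusterAgent.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled -- Enable communication between Agent sidecars and the Cluster Agent.
      clusterAgentCommunicationEnabled: true
      # clusterAgent.admissionController.agentSidecarInjection.clusterAgentTlsVerification -- TLS verification configuration for sidecar-to-cluster-agent communication.
      clusterAgentTlsVerification:
        # clusterAgent.admissionController.agentSidecarInjection.clusterAgentTlsVerification.enabled -- Enable TLS verification for Agent sidecars communicating with the Cluster Agent.
        ## Note: off by default while clusterAgentCommunicationEnabled above is on,
        ## so sidecars talk to the Cluster Agent without verifying its certificate
        ## unless this is enabled.
        enabled: false
        # clusterAgent.admissionController.agentSidecarInjection.clusterAgentTlsVerification.copyCaConfigMap -- Enable automatic creation of a ConfigMap containing the Cluster Agent's CA certificate in namespaces where sidecar injection occurs.
        copyCaConfigMap: false
      # clusterAgent.admissionController.agentSidecarInjection.containerRegistry -- Override the default registry for the sidecar Agent.
      containerRegistry:
      # clusterAgent.admissionController.imageName -- Override the default agents.image.name for the Agent sidecar.
      imageName:
      # clusterAgent.admissionController.imageTag -- Override the default agents.image.tag for the Agent sidecar.
      imageTag:
      # clusterAgent.admissionController.agentSidecarInjection.selectors -- Defines the pod selector for sidecar injection, currently only one rule is supported.
      selectors: []
      #   - objectSelector:
      #       matchLabels:
      #         "podlabelKey1": podlabelValue1
      #         "podlabelKey2": podlabelValue2
      #     namespaceSelector:
      #       matchLabels:
      #         "nsLabelKey1": nsLabelValue1
      #         "nsLabelKey2": nsLabelValue2

      # clusterAgent.admissionController.agentSidecarInjection.profiles -- Defines the sidecar configuration override, currently only one profile is supported.

      ## This setting allows overriding the sidecar Agent configuration by adding environment variables and providing resource settings.
      profiles: []
      #   - env:
      #     - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
      #       value: "true"
      #     resources:
      #       requests:
      #         cpu: "1"
      #         memory: "512Mi"
      #       limits:
      #         cpu: "2"
      #         memory: "1024Mi"
  # clusterAgent.confd -- Provide additional cluster check configurations. Each key will become a file in /conf.d.

  ## Note: values placed here, including the password field of the example below,
  ## are kept in plain text in the chart values; avoid committing real credentials.
  ## ref: https://docs.datadoghq.com/agent/autodiscovery/
  confd: {}
  #   mysql.yaml: |-
  #     cluster_check: true
  #     instances:
  #       - host: <EXTERNAL_IP>
  #         port: 3306
  #         username: datadog
  #         password: <YOUR_CHOSEN_PASSWORD>

  # clusterAgent.advancedConfd -- Provide additional cluster check configurations. Each key is an integration containing several config files.

  ## Note: as for `confd`, credentials written here are stored in plain text in the chart values.
  ## ref: https://docs.datadoghq.com/agent/autodiscovery/
  advancedConfd: {}
  #   mysql.d:
  #     1.yaml: |-
  #       cluster_check: true
  #       instances:
  #         - host: <EXTERNAL_IP>
  #           port: 3306
  #           username: datadog
  #           password: <YOUR_CHOSEN_PASSWORD>
  #     2.yaml: |-
  #       cluster_check: true
  #       instances:
  #         - host: <EXTERNAL_IP>
  #           port: 3306
  #           username: datadog
  #           password: <YOUR_CHOSEN_PASSWORD>

  ## clusterAgent.kubernetesApiserverCheck -- correspond to options for configuring the kube_apiserver integration.
  kubernetesApiserverCheck:
    # clusterAgent.kubernetesApiserverCheck.disableUseComponentStatus -- Set this to true to disable use_component_status for the kube_apiserver integration.
    disableUseComponentStatus: false
  # clusterAgent.resources -- Datadog cluster-agent resource requests and limits.
  resources: {}
  #   requests:
  #     cpu: 200m
  #     memory: 256Mi
  #   limits:
  #     cpu: 200m
  #     memory: 256Mi

  # clusterAgent.priorityClassName -- Name of the priorityClass to apply to the Cluster Agent
  priorityClassName: # system-cluster-critical
  # clusterAgent.nodeSelector -- Allow the Cluster Agent Deployment to be scheduled on selected nodes

  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
  nodeSelector: {}
  # clusterAgent.tolerations -- Allow the Cluster Agent Deployment to schedule on tainted nodes (requires Kubernetes >= 1.6)

  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
  # clusterAgent.affinity -- Allow the Cluster Agent Deployment to schedule using affinity rules

  ## By default, Cluster Agent Deployment Pods are forced to run on different Nodes.
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  # clusterAgent.topologySpreadConstraints -- Allow the Cluster Agent Deployment to schedule using pod topology spreading

  ## By default, no constraints are set, allowing cluster defaults to be used for scheduling
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []
  # clusterAgent.healthPort -- Port number to use in the Cluster Agent for the healthz endpoint
  healthPort: 5556
  privateActionRunner:
    # clusterAgent.privateActionRunner.enabled -- Enable the Private Action Runner to execute workflow actions
    enabled: false
    # clusterAgent.privateActionRunner.selfEnroll -- Enable self-enrollment for the Private Action Runner
    ## When enabled, the runner will automatically register itself with Datadog using the provided API/APP keys
    ## and store its identity in a Kubernetes secret. Requires leader election to be enabled.
    selfEnroll: true
    # clusterAgent.privateActionRunner.identitySecretName -- Name of the Kubernetes secret used to store PAR identity when self-enrollment is enabled
    ## The Cluster Agent will create and manage this secret for storing the enrolled runner's URN and private key
    ## RBAC permissions are granted specifically for this secret name
    identitySecretName: "datadog-private-action-runner-identity"
    # clusterAgent.privateActionRunner.urn -- URN of the Private Action Runner (required if selfEnroll is false)
    ## Format: urn:datadog:private-action-runner:organization:<org_id>:runner:<runner_id>
    urn: # "urn:datadog:private-action-runner:organization:123456:runner:abc-def"
    # clusterAgent.privateActionRunner.privateKey -- Private key for the Private Action Runner (required if selfEnroll is false)
    ## This key is used to authenticate the runner with Datadog
    ## Note: a key written here is kept in plain text in the values file; prefer
    ## `identityFromExistingSecret` below, which takes precedence when set.
    privateKey: # "<PRIVATE_KEY>"
    # clusterAgent.privateActionRunner.identityFromExistingSecret -- Use existing Secret which stores the Private Action Runner URN and private key
    ## The secret should contain 'urn' and 'private_key' keys
    ## If set, this parameter takes precedence over "urn" and "privateKey"
    identityFromExistingSecret: # "<PAR_SECRET_NAME>"
    # clusterAgent.privateActionRunner.actionsAllowlist -- List of actions executable by the Private Action Runner
    ## Note: list only the actions the workflows need. NOTE(review): a trailing
    ## `*`, as in the second example, presumably matches every action under that
    ## prefix; confirm before using wildcard entries.
    actionsAllowlist: []
    #   - "com.datadoghq.http.request"
    #   - "com.datadoghq.kubernetes.core.*"

    # clusterAgent.privateActionRunner.k8sRemediationEnabled -- Enable k8s remediation RBAC for the Private Action Runner
    ## When enabled, a ClusterRole and ClusterRoleBinding are created granting the Cluster Agent
    ## permissions to read/patch workloads (Deployments, DaemonSets, StatefulSets, ReplicaSets, Pods)
    ## and manage ConfigMaps and Events cluster-wide.
    k8sRemediationEnabled: false
  # clusterAgent.livenessProbe -- Override default Cluster Agent liveness probe settings
  # @default -- Every 15s / 6 KO / 1 OK
  livenessProbe:
    initialDelaySeconds: 15
    periodSeconds: 15
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
  # clusterAgent.readinessProbe -- Override default Cluster Agent readiness probe settings
  # @default -- Every 15s / 6 KO / 1 OK
  readinessProbe:
    initialDelaySeconds: 15
    periodSeconds: 15
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
  # clusterAgent.startupProbe -- Override default Cluster Agent startup probe settings
  # @default -- Every 15s / 6 KO / 1 OK
  startupProbe:
    initialDelaySeconds: 15
    periodSeconds: 15
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
  # clusterAgent.strategy -- Allow the Cluster Agent deployment to perform a rolling update on helm update

  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # clusterAgent.deploymentAnnotations -- Annotations to add to the cluster-agent's deployment
  deploymentAnnotations: {}
  #   key: "value"

  # clusterAgent.podAnnotations -- Annotations to add to the cluster-agent's pod(s)
  podAnnotations: {}
  #   key: "value"

  # clusterAgent.useHostNetwork -- Bind ports on the hostNetwork

  ## Useful for CNI networking where hostPort might
  ## not be supported. The ports need to be available on all hosts. It can be
  ## used for custom metrics instead of a service endpoint.
  ##
  ## WARNING: Make sure that hosts using this are properly firewalled otherwise
  ## metrics and traces are accepted from any host able to connect to this host.
  #
  useHostNetwork: false
  # clusterAgent.dnsConfig -- Specify dns configuration options for datadog cluster agent containers e.g ndots

  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}
  #   options:
  #   - name: ndots
  #     value: "1"

  # clusterAgent.volumes -- Specify additional volumes to mount in the cluster-agent container
  ## Note: a hostPath volume, as in the example, exposes part of the node's
  ## filesystem to the container; keep the path narrow and mount it read-only
  ## where possible.
  volumes: []
  #   - hostPath:
  #       path: <HOST_PATH>
  #     name: <VOLUME_NAME>

  # clusterAgent.volumeMounts -- Specify additional volumes to mount in the cluster-agent container
  volumeMounts: []
  #   - name: <VOLUME_NAME>
  #     mountPath: <CONTAINER_PATH>
  #     readOnly: true

  # clusterAgent.datadog_cluster_yaml -- Specify custom contents for the datadog cluster agent config (datadog-cluster.yaml)
  datadog_cluster_yaml: {}
  # clusterAgent.createPodDisruptionBudget -- Create pod disruption budget for Cluster Agent deployments
  # DEPRECATED. Use clusterAgent.pdb.create instead
  createPodDisruptionBudget: false
  pdb:
    # clusterAgent.pdb.create -- Enable pod disruption budget for Cluster Agent deployments.

    ## Only one of `minAvailable` or `maxUnavailable` can be set. More information: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
    ## By default, minAvailable is set to 1 for cluster agent.
    create: false
    # clusterAgent.pdb.minAvailable -- Minimum number of pods that must remain available during a disruption -- default to 1
    minAvailable:
    # clusterAgent.pdb.maxUnavailable -- Maximum number of pods that can be unavailable during a disruption
    maxUnavailable:
  networkPolicy:
    # clusterAgent.networkPolicy.create -- If true, create a NetworkPolicy for the cluster agent.
    # DEPRECATED. Use datadog.networkPolicy.create instead
    create: false
  # clusterAgent.additionalLabels -- Adds labels to the Cluster Agent deployment and pods
  additionalLabels: {}
  #   key: "value"

  # clusterAgent.containerExclude -- Exclude containers from the Cluster Agent
  # Autodiscovery, as a space-separated list. (Requires Agent/Cluster Agent 7.50.0+)

  ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers
  containerExclude: # "image:datadog/agent"
  # clusterAgent.containerInclude -- Include containers in the Cluster Agent Autodiscovery,
  # as a space-separated list.  If a container matches an include rule, it’s
  # always included in the Autodiscovery. (Requires Agent/Cluster Agent 7.50.0+)

  ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#include-containers
  containerInclude:
  # clusterAgent.celWorkloadExclude -- Exclude workloads using a CEL-based definition in the Cluster Agent. (Requires Agent 7.73.0+)
  # ref: https://docs.datadoghq.com/containers/guide/container-discovery-management/
  celWorkloadExclude: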
## This section lets you configure the agents deployed by this chart to connect to a Cluster Agent
## deployed independently
existingClusterAgent:
  # existingClusterAgent.join -- set this to true if you want the agents deployed by this chart to
  # connect to a Cluster Agent deployed independently
  join: false
  ## The token is referenced by Secret name, which keeps the token value itself out of values files.
  ## NOTE(review): presumably the Secret must hold the same token the external Cluster Agent uses — confirm.
  # existingClusterAgent.tokenSecretName -- Existing secret name to use for external Cluster Agent token
  tokenSecretName: # <EXISTING_DCA_SECRET_NAME>
  # existingClusterAgent.serviceName -- Existing service name to use for reaching the external Cluster Agent
  serviceName: # <EXISTING_DCA_SERVICE_NAME>
  # existingClusterAgent.clusterchecksEnabled -- set this to false if you don’t want the agents to run the cluster checks of the joined external cluster agent
  clusterchecksEnabled: true
## NOTE(review): the agents.image.name and clusterChecksRunner.image.name defaults in this file
## already point at `datadog-agent-fips`; confirm how this flag interacts with those image values.
# useFIPSAgent -- Setting useFIPSAgent to true makes the helm chart use Agent images that are FIPS-compliant for use in GOVCLOUD environments.
# Setting this to true disables the fips-proxy sidecar and is the recommended method for enabling FIPS compliance.
useFIPSAgent: false
## fips is used to enable and configure the fips-proxy sidecar.
fips:
  # fips.enabled -- Enable fips proxy sidecar.
  # The fips-proxy method is getting phased out in favor of FIPS-compliant images (refer to the `useFIPSAgent` setting).
  enabled: false
  # TODO: Option to override config of the FIPS side car: /etc/datadog-fips-proxy/datadog-fips-proxy.cfg
  # customConfig: false

  # fips.port -- Specifies which port is used by the containers to communicate to the FIPS sidecar.
  # This setting is only used for the fips-proxy sidecar.
  port: 9803
  ## NOTE(review): the description below says the default is 13, but the value set here is 15 — confirm which is intended.
  # fips.portRange -- Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577.
  # This setting is only used for the fips-proxy sidecar.
  portRange: 15
  ## NOTE(review): off by default; presumably this covers the hop between the agent containers and the
  ## sidecar on `local_address` — confirm against the fips-proxy documentation.
  # fips.use_https -- Option to enable https.
  # This setting is only used for the fips-proxy sidecar.
  use_https: false
  # fips.resources -- Resource requests and limits for the FIPS sidecar container.
  # This setting is only used for the fips-proxy sidecar.
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 256Mi
  #   requests:
  #     cpu: 20m
  #     memory: 64Mi

  ## The default is the loopback address.
  ## NOTE(review): presumably the address used to reach the sidecar; changing it to a non-loopback
  ## address may make the proxy ports reachable from outside the pod — confirm before overriding.
  # fips.local_address -- Set local IP address.
  # This setting is only used for the fips-proxy sidecar.
  local_address: "127.0.0.1"
  ## Define the Datadog image to work with
  image:
    ## fips.image.name -- Define the FIPS sidecar container image name.
    name: fips-proxy
    ## A tag can be re-pointed at a different image in the registry; set `fips.image.digest`
    ## to pin the exact image content.
    # fips.image.tag -- Define the FIPS sidecar container version to use.
    tag: 1.1.23
    # fips.image.pullPolicy -- FIPS sidecar image pull policy
    pullPolicy: IfNotPresent
    # fips.image.digest -- Define the FIPS sidecar image digest to use, takes precedence over `fips.image.tag` if specified.
    digest: ""
    # fips.image.repository -- Override default registry + image.name for the FIPS sidecar container.
    repository:
  # fips.customFipsConfig -- Configure a custom configMap to provide the FIPS configuration. Specify custom contents for the FIPS proxy sidecar container config (/etc/datadog-fips-proxy/datadog-fips-proxy.cfg). If empty, the default FIPS proxy sidecar container config is used.

  ## Note: Use `|` to declare multi-line configuration.
  ## ref: https://docs.datadoghq.com/agent/guide/agent-fips-proxy
  customFipsConfig: {} # |
  #   foobar
  #   foo bar baz
agents:
1747
# agents.enabled -- You should keep Datadog DaemonSet enabled!
1748
1749
## The exceptional case could be a situation when you need to run
1750
## single Datadog pod per every namespace, but you do not need to
1751
## re-create a DaemonSet for every non-default namespace install.
1752
## Note: StatsD and DogStatsD work over UDP, so you may not
1753
## get guaranteed delivery of the metrics in Datadog-per-namespace setup!
1754
enabled: true
1755
# agents.shareProcessNamespace -- Set the process namespace sharing on the Datadog Daemonset
1756
shareProcessNamespace: false
1757
# agents.revisionHistoryLimit -- The number of ControllerRevision to keep in this DaemonSet.
1758
revisionHistoryLimit: 10
1759
## Define the Datadog image to work with
1760
image:
1761
# agents.image.name -- Datadog Agent image name to use (relative to `registry`)
1762
1763
## use "dogstatsd" for Standalone Datadog Agent DogStatsD 7
1764
name: chainguard-private/datadog-agent-fips
1765
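# agents.image.tag -- Define the Agent version to use. The default below appends an image digest to the tag (`latest@sha256:...`); a tag on its own can be re-pointed at a different image, so keep a digest when overriding this value.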
1766
tag: latest@sha256:f100f2a7dbdb6edb7c7a88955f7e928b2b2d17dff23358535840dcc8bf087ba6
1767
# agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
1768
digest: ""
1769
# agents.image.tagSuffix -- Suffix to append to Agent tag
1770
1771
## Ex:
1772
## jmx to enable jmx fetch collection
1773
## servercore to get Windows images based on servercore
1774
## full to get as many features as possible, currently ddot-collector and jmx (e.g. 7.67.0-full)
1775
tagSuffix: ""
1776
# agents.image.repository -- Override default registry + image.name for Agent
1777
repository:
1778
# agents.image.doNotCheckTag -- Skip the version and chart compatibility check
1779
1780
## By default, the version passed in agents.image.tag is checked
1781
## for compatibility with the version of the chart.
1782
## Set this boolean to true to skip the check entirely.
1783
## This is useful, for example, for custom tags that are not
1784
## respecting semantic versioning
1785
doNotCheckTag: # false
1786
# agents.image.pullPolicy -- Datadog Agent image pull policy
1787
pullPolicy: IfNotPresent
1788
# agents.image.pullSecrets -- Datadog Agent repository pullSecret (ex: specify docker registry credentials)
1789
1790
## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
1791
pullSecrets: []
1792
# - name: "<REG_SECRET>"
1793
## Provide Daemonset RBAC configuration
1794
rbac:
1795
# agents.rbac.create -- If true, create & use RBAC resources
1796
create: true
1797
# agents.rbac.serviceAccountName -- Specify a preexisting ServiceAccount to use if agents.rbac.create is false
1798
serviceAccountName: default
1799
# agents.rbac.serviceAccountAnnotations -- Annotations to add to the ServiceAccount if agents.rbac.create is true
1800
serviceAccountAnnotations: {}
1801
# agents.rbac.serviceAccountAdditionalLabels -- Labels to add to the ServiceAccount if agents.rbac.create is true
1802
serviceAccountAdditionalLabels: {}
1803
# agents.rbac.automountServiceAccountToken -- If true, automatically mount the ServiceAccount's API credentials if agents.rbac.create is true
1804
automountServiceAccountToken: true
1805
## Provide Daemonset PodSecurityPolicy configuration
1806
podSecurity:
1807
podSecurityPolicy:
1808
# agents.podSecurity.podSecurityPolicy.create -- If true, create a PodSecurityPolicy resource for Agent pods
1809
create: false
1810
securityContextConstraints:
1811
# agents.podSecurity.securityContextConstraints.create -- If true, create a SecurityContextConstraints resource for Agent pods
1812
create: false
1813
# agents.podSecurity.seLinuxContext -- Provide seLinuxContext configuration for PSP/SCC
1814
# @default -- Must run as spc_t
1815
seLinuxContext:
1816
rule: MustRunAs
1817
seLinuxOptions:
1818
user: system_u
1819
role: system_r
1820
type: spc_t
1821
level: s0
1822
# agents.podSecurity.privileged -- If true, allow privileged containers to run
1823
privileged: false
1824
# agents.podSecurity.capabilities -- Allowed capabilities
1825
1826
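## note: capabilities must contain all agents.containers.*.securityContext.capabilities. Treat the list as an upper bound: drop entries that none of your enabled containers need, after checking the rendered pod spec.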
1827
capabilities:
1828
- SYS_ADMIN
1829
- SYS_RESOURCE
1830
- SYS_PTRACE
1831
- NET_ADMIN
1832
- NET_BROADCAST
1833
- NET_RAW
1834
- IPC_LOCK
1835
- CHOWN
1836
- AUDIT_CONTROL
1837
- AUDIT_READ
1838
- DAC_READ_SEARCH
1839
- MKNOD
1840
# agents.podSecurity.allowedUnsafeSysctls -- Allowed unsafe sysctls
1841
allowedUnsafeSysctls: []
1842
# agents.podSecurity.volumes -- Allowed volume types
1843
volumes:
1844
- configMap
1845
- downwardAPI
1846
- emptyDir
1847
- hostPath
1848
- secret
1849
# agents.podSecurity.seccompProfiles -- Allowed seccomp profiles
1850
seccompProfiles:
1851
- "runtime/default"
1852
- "localhost/system-probe"
1853
apparmor:
1854
# agents.podSecurity.apparmor.enabled -- If true, enable apparmor enforcement
1855
1856
## see: https://kubernetes.io/docs/tutorials/clusters/apparmor/
1857
enabled: true
1858
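# agents.podSecurity.apparmorProfiles -- Allowed apparmor profiles. The default list permits `unconfined` (no AppArmor confinement); remove it only after confirming that no container in the pod depends on it.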
1859
apparmorProfiles:
1860
- "runtime/default"
1861
- "unconfined"
1862
# agents.podSecurity.defaultApparmor -- Default AppArmor profile for all containers but system-probe
1863
defaultApparmor: runtime/default
1864
containers:
1865
agent:
1866
# agents.containers.agent.env -- Additional environment variables for the agent container
1867
env: []
1868
# agents.containers.agent.envFrom -- Set environment variables specific to agent container from configMaps and/or secrets
1869
envFrom: []
1870
# - configMapRef:
1871
# name: <CONFIGMAP_NAME>
1872
# - secretRef:
1873
# name: <SECRET_NAME>
1874
1875
# agents.containers.agent.envDict -- Set environment variables specific to agent container defined in a dict
1876
envDict: {}
1877
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
1878
1879
# agents.containers.agent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
1880
# If not set, fall back to the value of datadog.logLevel.
1881
logLevel: # INFO
1882
# agents.containers.agent.resources -- Resource requests and limits for the agent container.
1883
resources: {}
1884
# requests:
1885
# cpu: 200m
1886
# memory: 256Mi
1887
# limits:
1888
# cpu: 200m
1889
# memory: 256Mi
1890
1891
# agents.containers.agent.healthPort -- Port number to use in the node agent for the healthz endpoint
1892
healthPort: 5555
1893
# agents.containers.agent.livenessProbe -- Override default agent liveness probe settings
1894
# @default -- Every 15s / 6 KO / 1 OK
1895
livenessProbe:
1896
initialDelaySeconds: 15
1897
periodSeconds: 15
1898
timeoutSeconds: 5
1899
successThreshold: 1
1900
failureThreshold: 6
1901
# agents.containers.agent.readinessProbe -- Override default agent readiness probe settings
1902
# @default -- Every 15s / 6 KO / 1 OK
1903
readinessProbe:
1904
initialDelaySeconds: 15
1905
periodSeconds: 15
1906
timeoutSeconds: 5
1907
successThreshold: 1
1908
failureThreshold: 6
1909
# agents.containers.agent.startupProbe -- Override default agent startup probe settings
1910
# @default -- Every 15s / 6 KO / 1 OK
1911
startupProbe:
1912
initialDelaySeconds: 15
1913
periodSeconds: 15
1914
timeoutSeconds: 5
1915
successThreshold: 1
1916
failureThreshold: 6
1917
# agents.containers.agent.securityContext -- Allows you to overwrite the default container SecurityContext for the agent container.
1918
securityContext:
1919
readOnlyRootFilesystem: true
1920
# agents.containers.agent.ports -- Allows to specify extra ports (hostPorts for instance) for this container
1921
ports: []
1922
privateActionRunner:
1923
# agents.containers.privateActionRunner.env -- Additional environment variables for the private-action-runner container
1924
env: []
1925
# agents.containers.privateActionRunner.envFrom -- Set environment variables specific to private-action-runner from configMaps and/or secrets
1926
envFrom: []
1927
# agents.containers.privateActionRunner.envDict -- Set environment variables specific to private-action-runner defined in a dict
1928
envDict: {}
1929
# agents.containers.privateActionRunner.logLevel -- Set logging verbosity for the private-action-runner container
1930
logLevel:
1931
# agents.containers.privateActionRunner.resources -- Resource requests and limits for the private-action-runner container.
1932
resources: {}
1933
# requests:
1934
# cpu: 100m
1935
# memory: 128Mi
1936
# limits:
1937
# cpu: 100m
1938
# memory: 128Mi
1939
1940
# agents.containers.privateActionRunner.securityContext -- Specify securityContext on the private-action-runner container.
1941
securityContext:
1942
readOnlyRootFilesystem: true
1943
capabilities:
1944
add: ["NET_RAW"]
1945
processAgent:
1946
# agents.containers.processAgent.env -- Additional environment variables for the process-agent container
1947
env: []
1948
# agents.containers.processAgent.envFrom -- Set environment variables specific to process-agent from configMaps and/or secrets
1949
envFrom: []
1950
# - configMapRef:
1951
# name: <CONFIGMAP_NAME>
1952
# - secretRef:
1953
# name: <SECRET_NAME>
1954
1955
# agents.containers.processAgent.envDict -- Set environment variables specific to process-agent defined in a dict
1956
envDict: {}
1957
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
1958
1959
# agents.containers.processAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
1960
# If not set, fall back to the value of datadog.logLevel.
1961
logLevel: # INFO
1962
# agents.containers.processAgent.resources -- Resource requests and limits for the process-agent container
1963
resources: {}
1964
# requests:
1965
# cpu: 100m
1966
# memory: 200Mi
1967
# limits:
1968
# cpu: 100m
1969
# memory: 200Mi
1970
1971
# agents.containers.processAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the process-agent container.
1972
securityContext:
1973
readOnlyRootFilesystem: true
1974
# agents.containers.processAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container
1975
ports: []
1976
otelAgent:
1977
# agents.containers.otelAgent.env -- Additional environment variables for the otel-agent container
1978
env: []
1979
# agents.containers.otelAgent.envFrom -- Set environment variables specific to otel-agent from configMaps and/or secrets
1980
envFrom: []
1981
# - configMapRef:
1982
# name: <CONFIGMAP_NAME>
1983
# - secretRef:
1984
# name: <SECRET_NAME>
1985
1986
# agents.containers.otelAgent.envDict -- Set environment variables specific to otel-agent defined in a dict
1987
envDict: {}
1988
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
1989
1990
# agents.containers.otelAgent.resources -- Resource requests and limits for the otel-agent container
1991
resources: {}
1992
# requests:
1993
# cpu: 100m
1994
# memory: 200Mi
1995
# limits:
1996
# cpu: 100m
1997
# memory: 200Mi
1998
1999
# agents.containers.otelAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the otel-agent container.
2000
securityContext:
2001
readOnlyRootFilesystem: true
2002
# agents.containers.otelAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container
2003
ports: []
2004
# agents.containers.otelAgent.volumeMounts -- Specify additional volumes to mount in the otel-agent container
2005
volumeMounts: []
2006
# - name: <VOLUME_NAME>
2007
# mountPath: <CONTAINER_PATH>
2008
# readOnly: true
2009
hostProfiler:
2010
# agents.containers.hostProfiler.env -- Additional environment variables for the host-profiler container
2011
env: []
2012
# agents.containers.hostProfiler.envFrom -- Set environment variables specific to host-profiler from configMaps and/or secrets
2013
envFrom: []
2014
# - configMapRef:
2015
# name: <CONFIGMAP_NAME>
2016
# - secretRef:
2017
# name: <SECRET_NAME>
2018
2019
# agents.containers.hostProfiler.envDict -- Set environment variables specific to host-profiler defined in a dict
2020
envDict: {}
2021
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
2022
2023
# agents.containers.hostProfiler.resources -- Resource requests and limits for the host-profiler container
2024
resources: {}
2025
# requests:
2026
# cpu: 100m
2027
# memory: 200Mi
2028
# limits:
2029
# cpu: 100m
2030
# memory: 200Mi
2031
2032
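# agents.containers.hostProfiler.securityContext -- Allows you to overwrite the default container SecurityContext for the host-profiler container. The default below sets `privileged: true`, which gives the container broad access to the node; review it against your pod security policy.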
2033
securityContext:
2034
readOnlyRootFilesystem: true
2035
privileged: true
2036
# agents.containers.hostProfiler.volumeMounts -- Specify additional volumes to mount in the host-profiler container
2037
volumeMounts: []
2038
# - name: <VOLUME_NAME>
2039
# mountPath: <CONTAINER_PATH>
2040
# readOnly: true
2041
traceAgent:
2042
# agents.containers.traceAgent.env -- Additional environment variables for the trace-agent container
2043
env: []
2044
# agents.containers.traceAgent.envFrom -- Set environment variables specific to trace-agent from configMaps and/or secrets
2045
envFrom: []
2046
# - configMapRef:
2047
# name: <CONFIGMAP_NAME>
2048
# - secretRef:
2049
# name: <SECRET_NAME>
2050
2051
# agents.containers.traceAgent.envDict -- Set environment variables specific to trace-agent defined in a dict
2052
envDict: {}
2053
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
2054
2055
# agents.containers.traceAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off
2056
logLevel: # INFO
2057
# agents.containers.traceAgent.resources -- Resource requests and limits for the trace-agent container
2058
resources: {}
2059
# requests:
2060
# cpu: 100m
2061
# memory: 200Mi
2062
# limits:
2063
# cpu: 100m
2064
# memory: 200Mi
2065
2066
# agents.containers.traceAgent.livenessProbe -- Override default agent liveness probe settings
2067
# @default -- Every 15s
2068
livenessProbe:
2069
initialDelaySeconds: 15
2070
periodSeconds: 15
2071
timeoutSeconds: 5
2072
# agents.containers.traceAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the trace-agent container.
2073
securityContext:
2074
readOnlyRootFilesystem: true
2075
# agents.containers.traceAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container
2076
ports: []
2077
systemProbe:
2078
# agents.containers.systemProbe.env -- Additional environment variables for the system-probe container
2079
env: []
2080
# agents.containers.systemProbe.envFrom -- Set environment variables specific to system-probe from configMaps and/or secrets
2081
envFrom: []
2082
# - configMapRef:
2083
# name: <CONFIGMAP_NAME>
2084
# - secretRef:
2085
# name: <SECRET_NAME>
2086
2087
# agents.containers.systemProbe.envDict -- Set environment variables specific to system-probe defined in a dict
2088
envDict: {}
2089
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
2090
2091
# agents.containers.systemProbe.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
2092
# If not set, fall back to the value of datadog.logLevel.
2093
logLevel: # INFO
2094
# agents.containers.systemProbe.resources -- Resource requests and limits for the system-probe container
2095
resources: {}
2096
# requests:
2097
# cpu: 150m
2098
# memory: 200Mi
2099
# limits:
2100
# cpu: 300m
2101
# memory: 400Mi
2102
2103
# agents.containers.systemProbe.securityContext -- Allows you to overwrite the default container SecurityContext for the system-probe container.
2104
2105
## agents.podSecurity.capabilities must reflect the changes made in securityContext.capabilities.
2106
securityContext:
2107
readOnlyRootFilesystem: true
2108
privileged: false
2109
capabilities:
2110
add: ["SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN", "DAC_READ_SEARCH"]
2111
# agents.containers.systemProbe.ports -- Allows to specify extra ports (hostPorts for instance) for this container
2112
ports: []
2113
securityAgent:
2114
# agents.containers.securityAgent.env -- Additional environment variables for the security-agent container
2115
env: []
2116
# agents.containers.securityAgent.envFrom -- Set environment variables specific to security-agent from configMaps and/or secrets
2117
envFrom: []
2118
# - configMapRef:
2119
# name: <CONFIGMAP_NAME>
2120
# - secretRef:
2121
# name: <SECRET_NAME>
2122
2123
# agents.containers.securityAgent.envDict -- Set environment variables specific to security-agent defined in a dict
2124
envDict: {}
2125
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
2126
2127
# agents.containers.securityAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
2128
# If not set, fall back to the value of datadog.logLevel.
2129
logLevel: # INFO
2130
# agents.containers.securityAgent.resources -- Resource requests and limits for the security-agent container
2131
resources: {}
2132
# requests:
2133
# cpu: 100m
2134
# memory: 300Mi
2135
# limits:
2136
# cpu: 100m
2137
# memory: 300Mi
2138
2139
# agents.containers.securityAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the security-agent container.
2140
securityContext:
2141
readOnlyRootFilesystem: true
2142
# agents.containers.securityAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container
2143
ports: []
2144
agentDataPlane:
2145
# agents.containers.agentDataPlane.env -- Additional environment variables for the agent-data-plane container
2146
env: []
2147
# agents.containers.agentDataPlane.envFrom -- Set environment variables specific to agent-data-plane container from configMaps and/or secrets
2148
envFrom: []
2149
# - configMapRef:
2150
# name: <CONFIGMAP_NAME>
2151
# - secretRef:
2152
# name: <SECRET_NAME>
2153
2154
# agents.containers.agentDataPlane.envDict -- Set environment variables specific to agent-data-plane container defined in a dict
2155
envDict: {}
2156
# <ENV_VAR_NAME>: <ENV_VAR_VALUE>
2157
2158
# agents.containers.agentDataPlane.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
2159
# If not set, fall back to the value of datadog.logLevel.
2160
logLevel: # INFO
2161
# agents.containers.agentDataPlane.resources -- Resource requests and limits for the agent-data-plane container
2162
resources: {}
2163
# requests:
2164
# cpu: 100m
2165
# memory: 200Mi
2166
# limits:
2167
# cpu: 100m
2168
# memory: 200Mi
2169
2170
# agents.containers.agentDataPlane.unprivilegedApiPort -- Port for unprivileged API server, used primarily for health checks
2171
unprivilegedApiPort: 5100
2172
# agents.containers.agentDataPlane.privilegedApiPort -- Port for privileged API server, used for lower-level operations that
2173
# can alter the state of the ADP process or expose internal information. Keep it unreachable from outside the pod (do not publish it through `ports` or a hostPort).
2174
privilegedApiPort: 5101
2175
# agents.containers.agentDataPlane.telemetryApiPort -- Port for telemetry API server, used for exposing internal
2176
# telemetry to be scraped by the Agent
2177
telemetryApiPort: 5102
2178
# agents.containers.agentDataPlane.livenessProbe -- Override default agent-data-plane liveness probe settings
2179
# @default -- Every 5s / 12 KO / 1 OK
2180
livenessProbe:
2181
initialDelaySeconds: 5
2182
periodSeconds: 5
2183
timeoutSeconds: 5
2184
successThreshold: 1
2185
failureThreshold: 12
2186
# agents.containers.agentDataPlane.readinessProbe -- Override default agent-data-plane readiness probe settings
2187
# @default -- Every 5s / 12 KO / 1 OK
2188
readinessProbe:
2189
initialDelaySeconds: 5
2190
periodSeconds: 5
2191
timeoutSeconds: 5
2192
successThreshold: 1
2193
failureThreshold: 12
2194
# agents.containers.agentDataPlane.securityContext -- Allows you to overwrite the default container SecurityContext for the agent-data-plane container.
2195
securityContext:
2196
readOnlyRootFilesystem: true
2197
# agents.containers.agentDataPlane.ports -- Allows to specify extra ports (hostPorts for instance) for this container
2198
ports: []
2199
initContainers:
2200
# agents.containers.initContainers.resources -- Resource requests and limits for the init containers
2201
resources: {}
2202
# requests:
2203
# cpu: 100m
2204
# memory: 200Mi
2205
# limits:
2206
# cpu: 100m
2207
# memory: 200Mi
2208
# agents.containers.initContainers.securityContext -- Allows you to overwrite the default container SecurityContext for the init containers.
2209
securityContext: {}
2210
# agents.containers.initContainers.volumeMounts -- Specify additional volumes to mount for the init containers
2211
volumeMounts: []
2212
# agents.volumes -- Specify additional volumes to mount in the dd-agent container
2213
volumes: []
2214
# - hostPath:
2215
# path: <HOST_PATH>
2216
# name: <VOLUME_NAME>
2217
2218
# agents.volumeMounts -- Specify additional volumes to mount in all containers of the agent pod
2219
volumeMounts: []
2220
# - name: <VOLUME_NAME>
2221
# mountPath: <CONTAINER_PATH>
2222
# readOnly: true
2223
2224
# agents.useHostNetwork -- Bind ports on the hostNetwork
2225
2226
## Useful for CNI networking where hostPort might
2227
## not be supported. The ports need to be available on all hosts. It can be
2228
## used for custom metrics instead of a service endpoint.
2229
##
2230
## WARNING: Make sure that hosts using this are properly firewalled otherwise
2231
## metrics and traces are accepted from any host able to connect to this host.
2232
useHostNetwork: false
2233
# agents.dnsConfig -- Specify DNS configuration options for the Datadog Agent containers, e.g. ndots
2234
2235
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
2236
dnsConfig: {}
2237
# options:
2238
# - name: ndots
2239
# value: "1"
2240
2241
# agents.daemonsetAnnotations -- Annotations to add to the DaemonSet
2242
daemonsetAnnotations: {}
2243
# key: "value"
2244
2245
# agents.podAnnotations -- Annotations to add to the DaemonSet's Pods
2246
podAnnotations: {}
2247
# key: "value"
2248
2249
# agents.tolerations -- Allow the DaemonSet to schedule on tainted nodes (requires Kubernetes >= 1.6)
2250
tolerations: []
2251
# agents.nodeSelector -- Allow the DaemonSet to schedule on selected nodes
2252
2253
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
2254
nodeSelector: {}
2255
# agents.affinity -- Allow the DaemonSet to schedule using affinity rules
2256
2257
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
2258
affinity: {}
2259
# agents.updateStrategy -- Allow the DaemonSet to perform a rolling update on helm update
2260
2261
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
2262
updateStrategy:
2263
type: RollingUpdate
2264
rollingUpdate:
2265
maxUnavailable: "10%"
2266
# agents.priorityClassCreate -- Creates a priorityClass for the Datadog Agent's Daemonset pods.
2267
priorityClassCreate: false
2268
# agents.priorityClassName -- Sets PriorityClassName if defined
2269
priorityClassName:
2270
# agents.priorityPreemptionPolicyValue -- Set to "Never" to change the PriorityClass to non-preempting
2271
priorityPreemptionPolicyValue: PreemptLowerPriority
2272
# agents.priorityClassValue -- Value used to specify the priority of the scheduling of Datadog Agent's Daemonset pods.
2273
2274
## The PriorityClass uses PreemptLowerPriority.
2275
priorityClassValue: 1000000000
2276
# agents.podLabels -- Sets podLabels if defined
2277
2278
## Note: These labels are also used as label selectors so they are immutable.
2279
podLabels: {}
2280
# agents.additionalLabels -- Adds labels to the Agent daemonset and pods
2281
additionalLabels: {}
2282
# key: "value"
2283
2284
# agents.useConfigMap -- Configures a configmap to provide the agent configuration. Use this in combination with the `agents.customAgentConfig` parameter.
2285
useConfigMap: # false
2286
# agents.customAgentConfig -- Specify custom contents for the datadog agent config (datadog.yaml)
2287
2288
## ref: https://docs.datadoghq.com/agent/guide/agent-configuration-files/?tab=agentv6
2289
## ref: https://github.com/DataDog/datadog-agent/blob/main/pkg/config/config_template.yaml
2290
## Note the `agents.useConfigMap` needs to be set to `true` for this parameter to be taken into account.
2291
customAgentConfig: {}
2292
#
2293
# # Enable java cgroup handling. Only one of those options should be enabled,
2294
# # depending on the agent version you are using along that chart.
2295
#
2296
# # agent version < 6.15
2297
# # jmx_use_cgroup_memory_limit: true
2298
#
2299
# # agent version >= 6.15
2300
# # jmx_use_container_support: true
2301
2302
networkPolicy:
2303
# agents.networkPolicy.create -- If true, create a NetworkPolicy for the agents.
2304
# DEPRECATED. Use datadog.networkPolicy.create instead
2305
create: false
2306
localService:
2307
# agents.localService.overrideName -- Name of the internal traffic service to target the agent running on the local node
2308
overrideName: ""
2309
# agents.localService.forceLocalServiceEnabled -- Force the creation of the internal traffic policy service to target the agent running on the local node.
2310
# By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default.
2311
# This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled.
2312
forceLocalServiceEnabled: false
2313
# agents.lifecycle -- Configure the lifecycle of the Agent.
2314
# Note: The `exec` lifecycle handler is not supported in GKE Autopilot.
2315
lifecycle: {}
2316
# preStop:
2317
# sleep:
2318
# seconds: 5
2319
# exec:
2320
# command: ["/bin/sh", "-c", "sleep 70"]
2321
# postStart:
2322
# exec:
2323
# command: ["/bin/sh", "-c", "sleep 70"]
2324
# sleep:
2325
# seconds: 5
2326
2327
# agents.terminationGracePeriodSeconds -- (int) Configure the termination grace period for the Agent
2328
terminationGracePeriodSeconds: # 70
2329
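## Nesting below is restored from the dotted doc keys (`clusterChecksRunner.<path>`);
## the page's line-number gutter is dropped. Values are unchanged.
clusterChecksRunner:
  # clusterChecksRunner.enabled -- If true, deploys agent dedicated for running the Cluster Checks instead of running in the Daemonset's agents.

  ## If both clusterChecksRunner.enabled and datadog.kubeStateMetricsCore.enabled are true, consider enabling datadog.kubeStateMetricsCore.useClusterCheckRunners as well.
  ## If datadog.kubeStateMetricsCore.useClusterCheckRunners is enabled, it's recommended to enable this flag as well so all Cluster Checks run on Cluster Checks Runners instead of node agents.
  ## ref: https://docs.datadoghq.com/agent/autodiscovery/clusterchecks/
  enabled: false
  remoteConfiguration:
    # clusterChecksRunner.remoteConfiguration.enabled -- Enable remote configuration on the Cluster Checks Runner.
    # Set to true to enable remote configuration on the Cluster Checks Runner.
    enabled: false
  ## Define the Datadog image to work with.
  image:
    # clusterChecksRunner.image.name -- Datadog Agent image name to use (relative to `registry`)
    name: chainguard-private/datadog-agent-fips
    ## Security note: the tag embeds a sha256 digest. Container runtimes resolve a
    ## tag+digest reference by the digest, so the image content is pinned and the
    ## `latest` label is informational. Update the digest on upgrade rather than
    ## falling back to a bare mutable tag.
    # clusterChecksRunner.image.tag -- Define the Agent version to use
    tag: latest@sha256:f100f2a7dbdb6edb7c7a88955f7e928b2b2d17dff23358535840dcc8bf087ba6
    # clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
    digest: ""
    # clusterChecksRunner.image.tagSuffix -- Suffix to append to Agent tag

    ## Ex:
    ##  jmx        to enable jmx fetch collection
    ##  servercore to get Windows images based on servercore
    tagSuffix: ""
    # clusterChecksRunner.image.repository -- Override default registry + image.name for Cluster Check Runners
    repository:
    # clusterChecksRunner.image.pullPolicy -- Datadog Agent image pull policy
    pullPolicy: IfNotPresent
    # clusterChecksRunner.image.pullSecrets -- Datadog Agent repository pullSecret (ex: specify docker registry credentials)

    ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    ## Security note: list Secret names only; registry credentials belong in the
    ## referenced Secret, not in a values file.
    pullSecrets: []
    #   - name: "<REG_SECRET>"
  # clusterChecksRunner.createPodDisruptionBudget -- Create the pod disruption budget to apply to the cluster checks agents
  # DEPRECATED. Use clusterChecksRunner.pdb.create instead
  createPodDisruptionBudget: false
  pdb:
    # clusterChecksRunner.pdb.create -- Enable pod disruption budget for Cluster Checks Runner deployments.

    ## Only one of `minAvailable` or `maxUnavailable` can be set. More information: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
    ## By default, maxUnavailable is set to 1 for cluster checks runners.
    create: false
    # clusterChecksRunner.pdb.minAvailable -- Minimum number of pods that must remain available during a disruption
    minAvailable:
    # clusterChecksRunner.pdb.maxUnavailable -- Maximum number of pods that can be unavailable during a disruption
    maxUnavailable:
  # Provide Cluster Checks Deployment pods RBAC configuration
  ## Security note: with `create: false` the runners use `serviceAccountName`, which
  ## defaults to the namespace's `default` ServiceAccount. Permissions bound to that
  ## account are shared with every other pod that uses it. With
  ## `automountServiceAccountToken: true` the API token is mounted into the pod.
  ## `dedicated: true` presumably separates the runner's RBAC from the node Agent's --
  ## confirm against the chart templates.
  rbac:
    # clusterChecksRunner.rbac.create -- If true, create & use RBAC resources
    create: true
    # clusterChecksRunner.rbac.dedicated -- If true, use a dedicated RBAC resource for the cluster checks agent(s)
    dedicated: false
    # clusterChecksRunner.rbac.serviceAccountAnnotations -- Annotations to add to the ServiceAccount if clusterChecksRunner.rbac.dedicated is true
    serviceAccountAnnotations: {}
    # clusterChecksRunner.rbac.serviceAccountAdditionalLabels -- Labels to add to the ServiceAccount if clusterChecksRunner.rbac.dedicated is true
    serviceAccountAdditionalLabels: {}
    # clusterChecksRunner.rbac.automountServiceAccountToken -- If true, automatically mount the ServiceAccount's API credentials if clusterChecksRunner.rbac.create is true
    automountServiceAccountToken: true
    # clusterChecksRunner.rbac.serviceAccountName -- Specify a preexisting ServiceAccount to use if clusterChecksRunner.rbac.create is false
    serviceAccountName: default
  # clusterChecksRunner.replicas -- Number of Cluster Checks Runner instances

  ## If you want to deploy the clusterChecks agent in HA, keep at least clusterChecksRunner.replicas set to 2.
  ## And increase the clusterChecksRunner.replicas according to the number of Cluster Checks.
  replicas: 2
  # clusterChecksRunner.revisionHistoryLimit -- The number of old ReplicaSets to keep in this Deployment.
  revisionHistoryLimit: 10
  # clusterChecksRunner.resources -- Datadog clusterchecks-agent resource requests and limits.
  resources: {}
  #   requests:
  #     cpu: 200m
  #     memory: 500Mi
  #   limits:
  #     cpu: 200m
  #     memory: 500Mi

  # clusterChecksRunner.affinity -- Allow the ClusterChecks Deployment to schedule using affinity rules.

  ## By default, ClusterChecks Deployment Pods are preferred to run on different Nodes.
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  # clusterChecksRunner.topologySpreadConstraints -- Allow the ClusterChecks Deployment to schedule using pod topology spreading

  ## By default, no constraints are set, allowing cluster defaults to be used for scheduling
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []
  # clusterChecksRunner.strategy -- Allow the ClusterChecks deployment to perform a rolling update on helm update

  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # clusterChecksRunner.dnsConfig -- specify dns configuration options for datadog cluster agent containers e.g ndots

  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}
  #   options:
  #     - name: ndots
  #       value: "1"

  # clusterChecksRunner.priorityClassName -- Name of the priorityClass to apply to the Cluster checks runners
  priorityClassName: # system-cluster-critical
  # clusterChecksRunner.nodeSelector -- Allow the ClusterChecks Deployment to schedule on selected nodes

  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
  nodeSelector: {}
  # clusterChecksRunner.tolerations -- Tolerations for pod assignment

  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
  # clusterChecksRunner.healthPort -- Port number to use in the Cluster Checks Runner for the healthz endpoint
  healthPort: 5557
  # clusterChecksRunner.livenessProbe -- Override default agent liveness probe settings
  # @default -- Every 15s / 6 KO / 1 OK

  ## In case of issues with the probe, you can disable it with the
  ## following values, to allow easier investigating:
  ## (The `/bin/true` override makes the probe always pass, so a hung runner is
  ## no longer restarted. Remove the override once the investigation is done.)
  #
  # livenessProbe:
  #   exec:
  #     command: ["/bin/true"]
  #
  livenessProbe:
    initialDelaySeconds: 15
    periodSeconds: 15
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
  # clusterChecksRunner.readinessProbe -- Override default agent readiness probe settings
  # @default -- Every 15s / 6 KO / 1 OK

  ## In case of issues with the probe, you can disable it with the
  ## following values, to allow easier investigating:
  #
  # readinessProbe:
  #   exec:
  #     command: ["/bin/true"]
  #
  readinessProbe:
    initialDelaySeconds: 15
    periodSeconds: 15
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
  # clusterChecksRunner.startupProbe -- Override default agent startup probe settings
  # @default -- Every 15s / 6 KO / 1 OK

  ## In case of issues with the probe, you can disable it with the
  ## following values, to allow easier investigating:
  #
  # startupProbe:
  #   exec:
  #     command: ["/bin/true"]
  #
  startupProbe:
    initialDelaySeconds: 15
    periodSeconds: 15
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
  # clusterChecksRunner.deploymentAnnotations -- Annotations to add to the cluster-checks-runner's Deployment
  deploymentAnnotations: {}
  #   key: "value"

  # clusterChecksRunner.podAnnotations -- Annotations to add to the cluster-checks-runner's pod(s)
  podAnnotations: {}
  #   key: "value"

  # clusterChecksRunner.env -- Environment variables specific to Cluster Checks Runner

  ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#environment-variables
  ## Security note: values set under `env` or `envDict` are rendered in plaintext into
  ## the Deployment spec. For credentials, reference a Secret (`envFrom.secretRef`
  ## below, or `valueFrom.secretKeyRef` in an `env` entry).
  env: []
  #   - name: <ENV_VAR_NAME>
  #     value: <ENV_VAR_VALUE>

  # clusterChecksRunner.envFrom -- Set environment variables specific to Cluster Checks Runner from configMaps and/or secrets

  ## envFrom to pass configmaps or secrets as environment
  ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#environment-variables
  envFrom: []
  #   - configMapRef:
  #       name: <CONFIGMAP_NAME>
  #   - secretRef:
  #       name: <SECRET_NAME>

  # clusterChecksRunner.envDict -- Set environment variables specific to Cluster Checks Runner defined in a dict
  envDict: {}
  #   <ENV_VAR_NAME>: <ENV_VAR_VALUE>

  ## Security note: a `hostPath` volume exposes a node filesystem path to the
  ## container. Keep the path narrow and mount it `readOnly: true`, as the
  ## volumeMounts example below does.
  # clusterChecksRunner.volumes -- Specify additional volumes to mount in the cluster checks container
  volumes: []
  #   - hostPath:
  #       path: <HOST_PATH>
  #     name: <VOLUME_NAME>

  # clusterChecksRunner.volumeMounts -- Specify additional volumes to mount in the cluster checks container
  volumeMounts: []
  #   - name: <VOLUME_NAME>
  #     mountPath: <CONTAINER_PATH>
  #     readOnly: true

  networkPolicy:
    # clusterChecksRunner.networkPolicy.create -- If true, create a NetworkPolicy for the cluster checks runners.
    # DEPRECATED. Use datadog.networkPolicy.create instead
    create: false
  # clusterChecksRunner.additionalLabels -- Adds labels to the cluster checks runner deployment and pods
  additionalLabels: {}
  #   key: "value"

  ## Security note: `{}` leaves the pod-level context to the chart and cluster
  ## defaults. The only hardening set explicitly in this section is
  ## `readOnlyRootFilesystem: true` on the agent container. `runAsNonRoot`,
  ## `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` are
  ## candidates to add -- verify the image runs under them first.
  # clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods.
  securityContext: {}
  containers:
    agent:
      # clusterChecksRunner.containers.agent.securityContext -- Specify securityContext on the agent container
      securityContext:
        readOnlyRootFilesystem: true
    initContainers:
      # clusterChecksRunner.containers.initContainers.securityContext -- Specify securityContext on the init containers
      securityContext: {}
  ## Security note: a `hostPort` binds the port on the node itself, so it is
  ## reachable from outside the pod network. Cover it with node firewalling or
  ## a NetworkPolicy.
  # clusterChecksRunner.ports -- Allows to specify extra ports (hostPorts for instance) for this container
  ports: []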
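## Nesting below is restored from the dotted doc keys (`operator.<path>`);
## the page's line-number gutter is dropped. Values are unchanged.
operator:
  image:
    ## Security note: this section pins the operator image by tag only; no digest
    ## is set here. A tag can be re-pointed at the registry, so pin a digest where
    ## the operator subchart allows it -- confirm against that chart's values.
    # operator.image.tag -- Define the Datadog Operator version to use
    tag: 1.25.0
  datadogAgent:
    # operator.datadogAgent.enabled -- Enables Datadog Agent controller
    enabled: true
  datadogAgentInternal:
    # operator.datadogAgentInternal.enabled -- Enables the Datadog Agent Internal controller
    enabled: false
  datadogDashboard:
    # operator.datadogDashboard.enabled -- Enables the Datadog Dashboard controller
    enabled: false
  datadogGenericResource:
    # operator.datadogGenericResource.enabled -- Enables the Datadog Generic Resource controller
    enabled: false
  datadogMonitor:
    # operator.datadogMonitor.enabled -- Enables the Datadog Monitor controller
    enabled: false
  datadogSLO:
    # operator.datadogSLO.enabled -- Enables the Datadog SLO controller
    enabled: false
  datadogCRDs:
    # operator.datadogCRDs.keepCrds -- Set to true to keep the CRDs when the helm chart is uninstalled. This must be set to true if datadog.operator.migration.enabled is set to true.
    keepCrds: false
    crds:
      # operator.datadogCRDs.crds.datadogAgents -- Set to true to deploy the DatadogAgents CRD
      datadogAgents: true
      # operator.datadogCRDs.crds.datadogMonitors -- Set to true to deploy the DatadogMonitors CRD
      datadogMonitors: true
      # operator.datadogCRDs.crds.datadogSLOs -- Set to true to deploy the DatadogSLO CRD
      datadogSLOs: true
      # operator.datadogCRDs.crds.datadogDashboards -- Set to true to deploy the DatadogDashboard CRD
      datadogDashboards: true
      # operator.datadogCRDs.crds.datadogGenericResources -- Set to true to deploy the DatadogGenericResource CRD
      datadogGenericResources: true
      # operator.datadogCRDs.crds.datadogMetrics -- Set to true to deploy the DatadogMetrics CRD
      datadogMetrics: false
      # operator.datadogCRDs.crds.datadogPodAutoscalers -- Set to true to deploy the DatadogPodAutoscalers CRD
      datadogPodAutoscalers: false
      # operator.datadogCRDs.crds.datadogAgentInternals -- Set to true to deploy the DatadogAgentInternals CRD
      datadogAgentInternals: false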
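## Nesting below is restored from the dotted doc keys (`datadog-crds.crds.<name>`);
## the page's line-number gutter is dropped. Values are unchanged.
datadog-crds:
  crds:
    # datadog-crds.crds.datadogMetrics -- Set to true to deploy the DatadogMetrics CRD
    datadogMetrics: true
    # datadog-crds.crds.datadogPodAutoscalers -- Set to true to deploy the DatadogPodAutoscalers CRD
    datadogPodAutoscalers: true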
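## Nesting below is restored from the dotted doc keys (`kube-state-metrics.<path>`);
## the page's line-number gutter is dropped. Values are unchanged.
kube-state-metrics:
  ## Security note: only the repository is set here. The tag or digest is not part
  ## of this section and presumably comes from the kube-state-metrics subchart
  ## defaults -- confirm which image version is actually deployed.
  # kube-state-metrics.image.repository -- Default kube-state-metrics image repository.
  image:
    repository: registry.k8s.io/kube-state-metrics/kube-state-metrics
  rbac:
    # kube-state-metrics.rbac.create -- If true, create & use RBAC resources
    create: true
  serviceAccount:
    # kube-state-metrics.serviceAccount.create -- If true, create ServiceAccount, require rbac kube-state-metrics.rbac.create true
    create: true
    # kube-state-metrics.serviceAccount.name -- The name of the ServiceAccount to use.

    ## If not set and create is true, a name is generated using the fullname template
    name:
  # kube-state-metrics.resources -- Resource requests and limits for the kube-state-metrics container.
  resources: {}
  #   requests:
  #     cpu: 200m
  #     memory: 256Mi
  #   limits:
  #     cpu: 200m
  #     memory: 256Mi

  # kube-state-metrics.nodeSelector -- Node selector for KSM. KSM only supports Linux.
  nodeSelector:
    kubernetes.io/os: linux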
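## Nesting below is restored from the dotted doc keys (`providers.<path>`);
## the page's line-number gutter is dropped. Values are unchanged.
providers:
  gke:
    # providers.gke.autopilot -- Enables Datadog Agent deployment on GKE Autopilot
    autopilot: false
    # providers.gke.cos -- Enables Datadog Agent deployment on GKE with Container-Optimized OS (COS)
    cos: false
    # providers.gke.gdc -- Enables Datadog Agent deployment on GKE on Google Distributed Cloud (GDC)
    gdc: false
  eks:
    # providers.eks.controlPlaneMonitoring -- Enable control plane monitoring checks in the EKS cluster.
    controlPlaneMonitoring: false
    ec2:
      # providers.eks.ec2.useHostnameFromFile -- Use hostname from EC2 filesystem instead of fetching from metadata endpoint.

      ## When deploying to EC2-backed EKS infrastructure, there are situations where the
      ## IMDS metadata endpoint is not accessible to containers. This flag mounts the host's
      ## `/var/lib/cloud/data/instance-id` and uses that for Agent's hostname instead.
      ## (Enabling it adds a host file mount to the Agent pod. Admission policies
      ## that restrict hostPath volumes need to allow this path.)
      useHostnameFromFile: false
  aks:
    # providers.aks.enabled -- Activate all specificities related to AKS configuration. Required as currently we cannot auto-detect AKS.
    enabled: false
  openshift:
    ## Security note: the copied Secret holds etcd client credentials. Restrict read
    ## access to it in the Agent namespace, and re-copy it when the source Secret is
    ## rotated, since the copy does not follow the original.
    # providers.openshift.controlPlaneMonitoring -- Enable control plane monitoring checks in the OpenShift cluster.
    # Certificates are needed to communicate with the Etcd service, which can be found in the secret `etcd-metric-client` in the `openshift-etcd-operator` namespace.
    # To give the Datadog Agent access to these certificates, copy them into the same namespace the Datadog Agent is running in:
    # `oc get secret etcd-metric-client -n openshift-etcd-operator -o yaml | sed 's/namespace: openshift-etcd-operator/namespace: <datadog agent namespace>/' | oc create -f -`
    controlPlaneMonitoring: false
  talos:
    ## Security note: Pod Security admission reads `pod-security.kubernetes.io/enforce`
    ## as a namespace label. `privileged` then applies to every pod in that namespace,
    ## so keep the namespace dedicated to the Datadog installation.
    # providers.talos.enabled -- Activate all required specificities related to Talos.dev configuration,
    # as currently the chart cannot auto-detect Talos.dev cluster.
    # Note: The Agent deployment requires additional privileges that are not permitted by the default pod security policy.
    # The label `pod-security.kubernetes.io/enforce=privileged` must be applied to the Datadog installation
    # Kubernetes namespace. For more information on pod security policies in Talos.dev clusters, see:
    # https://www.talos.dev/v1.8/kubernetes-guides/configuration/pod-security/
    enabled: false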
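## The child key's nesting is restored from its `remoteConfiguration.enabled` doc key;
## the page's line-number gutter is dropped. The value is unchanged.
## Security note: Remote Configuration lets the Datadog backend deliver configuration
## to the Agents, and it is on by default here. Set it to false if Agent configuration
## must change only through reviewed chart values.
remoteConfiguration:
  # remoteConfiguration.enabled -- Set to true to enable remote configuration on the Cluster Agent (if set) and the node agent.
  # Can be overridden if `datadog.remoteConfiguration.enabled`
  # Preferred way to enable Remote Configuration.
  enabled: true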
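## OTel collector related configuration for otel-agent in Gateway Deployment
## Note this is different from the otel-agent in Daemonset (datadog.otelCollector)
## Nesting below is restored from the dotted doc keys (`otelAgentGateway.<path>`);
## the page's line-number gutter is dropped. Values are unchanged.
otelAgentGateway:
  # otelAgentGateway.enabled -- Enable otel-agent Gateway
  enabled: false
  ## Security note: the values in this section configure no authentication for the
  ## OTLP receivers. Any client that can reach these ports can submit telemetry
  ## unless the collector config (`config` / `configMap`) adds an authenticator or
  ## a NetworkPolicy limits the sources.
  # otelAgentGateway.ports -- Ports that OTel Collector is listening on
  ports:
    # Default GRPC port of OTLP receiver
    - containerPort: "4317"
      name: otel-grpc
      protocol: TCP
    # Default HTTP port of OTLP receiver
    - containerPort: "4318"
      name: otel-http
      protocol: TCP
  # otelAgentGateway.config -- Gateway OTel Agent configuration
  config: null
  ## otelAgentGateway.configMap -- Use an existing ConfigMap for Gateway OTel Agent configuration
  configMap:
    # otelAgentGateway.configMap.name -- Name of the existing ConfigMap that contains the Gateway OTel Agent configuration
    name: null
    # otelAgentGateway.configMap.checksum -- Checksum of the existing ConfigMap that contains the Gateway OTel Agent configuration
    checksum: null
    # otelAgentGateway.configMap.items -- Items within the ConfigMap that contain Gateway OTel Agent configuration
    items:
    #   - key: otel-gateway-config.yaml
    #     path: otel-gateway-config.yaml
    #   - key: otel-gateway-config-two.yaml
    #     path: otel-gateway-config-two.yaml
    # otelAgentGateway.configMap.key -- Key within the ConfigMap that contains the Gateway OTel Agent configuration
    key: otel-gateway-config.yaml
  # otelAgentGateway.featureGates -- Feature gates to pass to OTel collector, as a comma separated list
  featureGates: null
  # otelAgentGateway.replicas -- Number of otel-agent instances in the Gateway Deployment
  replicas: 1
  # otelAgentGateway.revisionHistoryLimit -- The number of old ReplicaSets to keep in this Deployment.
  revisionHistoryLimit: 10
  # otelAgentGateway.deploymentAnnotations -- Annotations to add to the otel-agent Gateway Deployment
  deploymentAnnotations: {}
  #   key: "value"

  # otelAgentGateway.podAnnotations -- Annotations to add to the Gateway Deployment's Pods
  podAnnotations: {}
  #   key: "value"

  # otelAgentGateway.tolerations -- Allow the Gateway Deployment to schedule on tainted nodes (requires Kubernetes >= 1.6)
  tolerations: []
  # otelAgentGateway.useHostNetwork -- Bind ports on the hostNetwork

  ## Useful for CNI networking where hostPort might
  ## not be supported. The ports need to be available on all hosts. It can be
  ## used for custom metrics instead of a service endpoint.
  ##
  ## WARNING: Make sure that hosts using this are properly firewalled otherwise
  ## metrics and traces are accepted from any host able to connect to this host.
  #
  useHostNetwork: false
  # otelAgentGateway.dnsConfig -- Specify dns configuration options for otel agent containers e.g ndots

  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}
  #   options:
  #     - name: ndots
  #       value: "1"

  ## Security note: a `hostPath` volume exposes a node filesystem path to the
  ## container. Keep the path narrow and mount it `readOnly: true`, as the
  ## volumeMounts example below does.
  # otelAgentGateway.volumes -- Specify additional volumes to mount in the otel-agent container
  volumes: []
  #   - hostPath:
  #       path: <HOST_PATH>
  #     name: <VOLUME_NAME>

  # otelAgentGateway.volumeMounts -- Specify additional volumes to mount in the otel-agent container
  volumeMounts: []
  #   - name: <VOLUME_NAME>
  #     mountPath: <CONTAINER_PATH>
  #     readOnly: true

  # otelAgentGateway.nodeSelector -- Allow the Gateway Deployment to schedule on selected nodes

  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
  nodeSelector: {}
  # otelAgentGateway.affinity -- Allow the Gateway Deployment to schedule using affinity rules

  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  # otelAgentGateway.strategy -- Allow the otel-agent Gateway Deployment to perform a rolling update on helm update

  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # otelAgentGateway.priorityClassCreate -- Creates a priorityClass for the otel-agent Gateway Deployment pods.
  priorityClassCreate: false
  # otelAgentGateway.priorityClassName -- Sets PriorityClassName if defined
  priorityClassName: null
  # otelAgentGateway.priorityPreemptionPolicyValue -- Set to "Never" to change the PriorityClass to non-preempting
  priorityPreemptionPolicyValue: PreemptLowerPriority
  # otelAgentGateway.priorityClassValue -- Value used to specify the priority of the scheduling of otel-agent Gateway Deployment pods.

  ## The PriorityClass uses PreemptLowerPriority.
  priorityClassValue: 1000000000
  # otelAgentGateway.podLabels -- Sets podLabels if defined

  ## Note: These labels are also used as label selectors so they are immutable.
  podLabels: {}
  # otelAgentGateway.additionalLabels -- Adds labels to the Agent Gateway Deployment and pods
  additionalLabels: {}
  ## Security note: when true, every container in the pod can see the other
  ## containers' processes. Leave it false unless a sidecar needs that visibility.
  # otelAgentGateway.shareProcessNamespace -- Set the process namespace sharing on the otel-agent
  shareProcessNamespace: false
  # otelAgentGateway.lifecycle -- Configure the lifecycle of the otel-agent
  lifecycle: {}
  #   preStop:
  #     exec:
  #       command: ["/bin/sh", "-c", "sleep 70"]

  # otelAgentGateway.terminationGracePeriodSeconds -- (int) Configure the termination grace period for the otel-agent
  terminationGracePeriodSeconds: # 70
  # otelAgentGateway.topologySpreadConstraints -- Allow the otel-agent Gateway Deployment to schedule using pod topology spreading

  ## By default, no constraints are set, allowing cluster defaults to be used for scheduling
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []
  ## Configuration for the service for the OTel Agent Gateway
  service:
    ## Security note: `ClusterIP` keeps the OTLP receivers reachable only from
    ## inside the cluster. `NodePort` or `LoadBalancer` exposes them beyond it;
    ## pair such a change with receiver authentication and source restrictions.
    # otelAgentGateway.service.type -- Set type of otel-agent-gateway service
    type: ClusterIP
  ## Allow to override the Datadog otel-agent image
  image:
    # otelAgentGateway.image.name -- otel agent image name to use (relative to `registry`)
    name: ddot-collector
    # otelAgentGateway.image.tag -- Override the image tag of otel agent
    tag: ""
    # otelAgentGateway.image.tagSuffix -- Suffix to append to image tag of otel agent
    tagSuffix: ""
    ## Security note: tag and digest are both empty here, so the image version comes
    ## from the chart's default. Set `digest` to pin the image content when the
    ## Gateway is enabled.
    # otelAgentGateway.image.digest -- Override the image digest of otel agent, takes precedence over tag if specified
    digest: ""
    # otelAgentGateway.image.repository -- Override the image repository to override default registry
    repository:
    # otelAgentGateway.image.doNotCheckTag -- Skip the version and chart compatibility check

    ## By default, the version passed in otelAgentGateway.image.tag is checked
    ## for compatibility with the version of the chart.
    ## This boolean permits completely skipping this check.
    ## This is useful, for example, for custom tags that are not
    ## respecting semantic versioning.
    doNotCheckTag: # false
    # otelAgentGateway.image.pullPolicy -- otel Agent image pullPolicy
    pullPolicy: IfNotPresent
    # otelAgentGateway.image.pullSecrets -- otel Agent repository pullSecret (ex: specify docker registry credentials)

    ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []
    #   - name: "<REG_SECRET>"
  initContainers:
    # otelAgentGateway.initContainers.securityContext -- Allows you to overwrite the default container SecurityContext for init containers
    securityContext:
    # otelAgentGateway.initContainers.resources -- Resource requests and limits for init containers
    resources:
    #   requests:
    #     cpu: 100m
    #     memory: 200Mi
    #   limits:
    #     cpu: 100m
    #     memory: 200Mi
  containers:
    otelAgent:
      ## Security note: values set under `env` or `envDict` are rendered in plaintext
      ## into the Deployment spec. For credentials, reference a Secret
      ## (`envFrom.secretRef` below, or `valueFrom.secretKeyRef` in an `env` entry).
      # otelAgentGateway.containers.otelAgent.env -- Additional environment variables for the otel-agent container
      env: []
      # otelAgentGateway.containers.otelAgent.envFrom -- Set environment variables specific to otel-agent from configMaps and/or secrets
      envFrom: []
      #   - configMapRef:
      #       name: <CONFIGMAP_NAME>
      #   - secretRef:
      #       name: <SECRET_NAME>

      # otelAgentGateway.containers.otelAgent.envDict -- Set environment variables specific to otel-agent defined in a dict
      envDict: {}
      #   <ENV_VAR_NAME>: <ENV_VAR_VALUE>

      # otelAgentGateway.containers.otelAgent.resources -- Resource requests and limits for the otel-agent container
      resources: {}
      #   requests:
      #     cpu: 100m
      #     memory: 200Mi
      #   limits:
      #     cpu: 100m
      #     memory: 200Mi

      ## Security note: `{}` keeps the chart's default container context.
      ## `readOnlyRootFilesystem`, `runAsNonRoot`, `allowPrivilegeEscalation: false`
      ## and `capabilities.drop: ["ALL"]` are candidates to set here -- verify the
      ## collector image runs under them first.
      # otelAgentGateway.containers.otelAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the otel-agent container.
      securityContext: {}
      # otelAgentGateway.containers.otelAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
      # If not set, fall back to the value of datadog.logLevel.
      logLevel: # INFO
      # otelAgentGateway.containers.otelAgent.healthPort -- Port number to use for the otel-agent-gateway health check endpoint (OTel health_check extension)
      healthPort: 13133
      # otelAgentGateway.containers.otelAgent.livenessProbe -- otel-agent-gateway liveness probe settings.
      # Set enabled to true to activate. The OTel config must expose the health_check extension
      # on healthPort (default 13133); the generated default config does this automatically.
      livenessProbe:
        enabled: false
        initialDelaySeconds: 15
        periodSeconds: 15
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
      # otelAgentGateway.containers.otelAgent.readinessProbe -- otel-agent-gateway readiness probe settings.
      # Set enabled to true to activate. The OTel config must expose the health_check extension
      # on healthPort (default 13133); the generated default config does this automatically.
      readinessProbe:
        enabled: false
        initialDelaySeconds: 15
        periodSeconds: 15
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
  ## Provide OTel Collector RBAC configuration in Gateway
  rbac:
    # otelAgentGateway.rbac.create -- If true, check OTel Collector config for k8sattributes processor
    # and create required ClusterRole to access Kubernetes API
    create: true
    ## Security note: these rules are added to a ClusterRole, so they apply
    ## cluster-wide. Keep them to the read-only verbs and the specific resources the
    ## collector's processors need, as in the example below.
    # otelAgentGateway.rbac.rules -- A set of additional RBAC rules to apply to OTel Collector's ClusterRole
    rules: []
    #   - apiGroups: [""]
    #     resources: ["pods", "nodes"]
    #     verbs: ["get", "list", "watch"]
  ## Provide OTel Collector logs configuration
  logs:
    ## Security note: enabling this mounts additional volumes so the collector can
    ## read container and pod logs. Those logs may carry sensitive data from other
    ## workloads, so scope the filelog receiver's include paths accordingly.
    # otelAgentGateway.logs.enabled -- Enable logs support in the OTel Collector.
    # If true, checks OTel Collector config for filelog receiver and mounts additional volumes to collect containers
    # and pods logs.
    enabled: false
  ## Provide Horizontal Pod Autoscaler (HPA) configuration in OTel Agent Gateway, requires k8s 1.23.0 and above
  autoscaling:
    # otelAgentGateway.autoscaling.enabled -- enable autoscaling using Horizontal Pod Autoscaler (HPA), requires k8s 1.23.0 and above.
    # Will override otelAgentGateway.replicas.
    enabled: false
    # otelAgentGateway.autoscaling.annotations -- annotations for OTel Agent Gateway HPA
    annotations: {}
    ## The 0 defaults below are placeholders; set non-zero replica bounds when enabling the HPA.
    # otelAgentGateway.autoscaling.minReplicas -- min number of replicas for OTel Agent Gateway HPA
    minReplicas: 0
    # otelAgentGateway.autoscaling.maxReplicas -- max number of replicas for OTel Agent Gateway HPA
    maxReplicas: 0
    # otelAgentGateway.autoscaling.metrics -- the metrics used for OTel Agent Gateway HPA
    metrics: []
    # otelAgentGateway.autoscaling.behavior -- defines the scaling behavior in OTel Agent Gateway HPA
    behavior:
      # otelAgentGateway.autoscaling.behavior.scaleUp -- defines the scaling up behavior in OTel Agent Gateway HPA
      scaleUp: {}
      # otelAgentGateway.autoscaling.behavior.scaleDown -- defines the scaling down behavior in OTel Agent Gateway HPA
      scaleDown: {}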
