discovery: add system-probe-lite support

Yumasi · Yumasi · commit b2a82451733a · 2026-03-24T16:49:22.000+01:00
diff --git a/internal/controller/datadogagent/feature/servicediscovery/feature.go b/internal/controller/datadogagent/feature/servicediscovery/feature.go
@@ -6,6 +6,8 @@
 package servicediscovery
 
 import (
+	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -31,6 +33,7 @@ func buildFeature(*feature.Options) feature.Feature {
 
 type serviceDiscoveryFeature struct {
 	networkStatsEnabled bool
+	useSystemProbeLite  bool
 }
 
 // ID returns the ID of the Feature
@@ -40,21 +43,51 @@ func (f *serviceDiscoveryFeature) ID() feature.IDType {
 
 // Configure is used to configure the feature from a v2alpha1.DatadogAgent instance.
 func (f *serviceDiscoveryFeature) Configure(_ metav1.Object, ddaSpec *v2alpha1.DatadogAgentSpec, _ *v2alpha1.RemoteConfigConfiguration) (reqComp feature.RequiredComponents) {
-	if ddaSpec.Features != nil && ddaSpec.Features.ServiceDiscovery != nil && apiutils.BoolValue(ddaSpec.Features.ServiceDiscovery.Enabled) {
-		reqComp.Agent = feature.RequiredComponent{
-			IsRequired: apiutils.NewBoolPointer(true),
-			Containers: []apicommon.AgentContainerName{apicommon.CoreAgentContainerName, apicommon.SystemProbeContainerName},
-		}
+	if ddaSpec.Features == nil || ddaSpec.Features.ServiceDiscovery == nil {
+		return reqComp
+	}
 
-		f.networkStatsEnabled = true
-		if ddaSpec.Features.ServiceDiscovery.NetworkStats != nil {
-			f.networkStatsEnabled = apiutils.BoolValue(ddaSpec.Features.ServiceDiscovery.NetworkStats.Enabled)
-		}
+	sd := ddaSpec.Features.ServiceDiscovery
+	if !apiutils.BoolValue(sd.Enabled) {
+		return reqComp
 	}
 
+	reqComp.Agent = feature.RequiredComponent{
+		IsRequired: apiutils.NewBoolPointer(true),
+		Containers: []apicommon.AgentContainerName{apicommon.CoreAgentContainerName, apicommon.SystemProbeContainerName},
+	}
+
+	f.networkStatsEnabled = true
+	if sd.NetworkStats != nil {
+		f.networkStatsEnabled = apiutils.BoolValue(sd.NetworkStats.Enabled)
+	}
+
+	f.useSystemProbeLite = !hasOtherSystemProbeFeatures(ddaSpec.Features)
+
 	return reqComp
 }
 
+func systemProbeLiteCommand(socketPath string) string {
+	return fmt.Sprintf("if command -v system-probe-lite > /dev/null 2>&1; then exec system-probe-lite run --socket %s --log-level ${DD_LOG_LEVEL:-info}; else exec system-probe --config=/etc/datadog-agent/system-probe.yaml; fi",
+		socketPath)
+}
+
+// hasOtherSystemProbeFeatures returns true if any feature besides service discovery
+// requires the full system-probe binary. When true, system-probe-lite cannot be used.
+func hasOtherSystemProbeFeatures(features *v2alpha1.DatadogFeatures) bool {
+	if features == nil {
+		return false
+	}
+	return (features.NPM != nil && apiutils.BoolValue(features.NPM.Enabled)) ||
+		(features.CWS != nil && apiutils.BoolValue(features.CWS.Enabled)) ||
+		(features.CSPM != nil && apiutils.BoolValue(features.CSPM.Enabled) && apiutils.BoolValue(features.CSPM.RunInSystemProbe)) ||
+		(features.USM != nil && apiutils.BoolValue(features.USM.Enabled)) ||
+		(features.OOMKill != nil && apiutils.BoolValue(features.OOMKill.Enabled)) ||
+		(features.TCPQueueLength != nil && apiutils.BoolValue(features.TCPQueueLength.Enabled)) ||
+		(features.EBPFCheck != nil && apiutils.BoolValue(features.EBPFCheck.Enabled)) ||
+		(features.GPU != nil && apiutils.BoolValue(features.GPU.Enabled) && apiutils.BoolValue(features.GPU.PrivilegedMode))
+}
+
 // ManageDependencies allows a feature to manage its dependencies.
 // Feature's dependencies should be added in the store.
 func (f *serviceDiscoveryFeature) ManageDependencies(managers feature.ResourceManagers, provider string) error {
@@ -136,6 +169,18 @@ func (f *serviceDiscoveryFeature) ManageNodeAgent(managers feature.PodTemplateMa
 	managers.EnvVar().AddEnvVarToContainer(apicommon.CoreAgentContainerName, socketEnvVar)
 	managers.EnvVar().AddEnvVarToContainer(apicommon.SystemProbeContainerName, socketEnvVar)
 
+	// Direct PodTemplateSpec mutation: no managers API for command overrides.
+	if f.useSystemProbeLite {
+		for i := range managers.PodTemplateSpec().Spec.Containers {
+			c := &managers.PodTemplateSpec().Spec.Containers[i]
+			if c.Name == string(apicommon.SystemProbeContainerName) {
+				c.Command = []string{"/bin/sh", "-c"}
+				c.Args = []string{systemProbeLiteCommand(common.DefaultSystemProbeSocketPath)}
+				break
+			}
+		}
+	}
+
 	return nil
 }
 
diff --git a/internal/controller/datadogagent/feature/servicediscovery/feature_test.go b/internal/controller/datadogagent/feature/servicediscovery/feature_test.go
@@ -44,6 +44,32 @@ func Test_serviceDiscoveryFeature_Configure(t *testing.T) {
 		ddaServiceDiscoveryEnabledWithNetStats.Spec.Features.ServiceDiscovery.NetworkStats.Enabled = apiutils.NewBoolPointer(true)
 	}
 
+	ddaWithNPM := v2alpha1.DatadogAgent{
+		Spec: v2alpha1.DatadogAgentSpec{
+			Features: &v2alpha1.DatadogFeatures{
+				ServiceDiscovery: &v2alpha1.ServiceDiscoveryFeatureConfig{
+					Enabled: apiutils.NewBoolPointer(true),
+				},
+				NPM: &v2alpha1.NPMFeatureConfig{
+					Enabled: apiutils.NewBoolPointer(true),
+				},
+			},
+		},
+	}
+
+	ddaWithCWS := v2alpha1.DatadogAgent{
+		Spec: v2alpha1.DatadogAgentSpec{
+			Features: &v2alpha1.DatadogFeatures{
+				ServiceDiscovery: &v2alpha1.ServiceDiscoveryFeatureConfig{
+					Enabled: apiutils.NewBoolPointer(true),
+				},
+				CWS: &v2alpha1.CWSFeatureConfig{
+					Enabled: apiutils.NewBoolPointer(true),
+				},
+			},
+		},
+	}
+
 	tests := test.FeatureTestSuite{
 		{
 			Name:          "service discovery not enabled",
@@ -54,25 +80,168 @@ func Test_serviceDiscoveryFeature_Configure(t *testing.T) {
 			Name:          "service discovery enabled - no network stats",
 			DDA:           ddaServiceDiscoveryEnabledNoNetStats,
 			WantConfigure: true,
-			Agent:         test.NewDefaultComponentTest().WithWantFunc(getWantFunc(noNetStats)),
+			Agent: test.NewDefaultComponentTest().
+				WithCreateFunc(createFuncWithSystemProbeContainer()).
+				WithWantFunc(getWantFunc(noNetStats, true)),
 		},
 		{
 			Name:          "service discovery enabled - with network stats",
 			DDA:           ddaServiceDiscoveryEnabledWithNetStats,
 			WantConfigure: true,
-			Agent:         test.NewDefaultComponentTest().WithWantFunc(getWantFunc(withNetStats)),
+			Agent: test.NewDefaultComponentTest().
+				WithCreateFunc(createFuncWithSystemProbeContainer()).
+				WithWantFunc(getWantFunc(withNetStats, true)),
+		},
+		{
+			Name:          "system-probe-lite not used when NPM also enabled",
+			DDA:           &ddaWithNPM,
+			WantConfigure: true,
+			Agent: test.NewDefaultComponentTest().
+				WithCreateFunc(createFuncWithSystemProbeContainer()).
+				WithWantFunc(getWantFunc(withNetStats, false)),
+		},
+		{
+			Name:          "system-probe-lite not used when CWS also enabled",
+			DDA:           &ddaWithCWS,
+			WantConfigure: true,
+			Agent: test.NewDefaultComponentTest().
+				WithCreateFunc(createFuncWithSystemProbeContainer()).
+				WithWantFunc(getWantFunc(withNetStats, false)),
 		},
 	}
 
 	tests.Run(t, buildFeature)
 }
 
+func Test_hasOtherSystemProbeFeatures(t *testing.T) {
+	tests := []struct {
+		name     string
+		features *v2alpha1.DatadogFeatures
+		want     bool
+	}{
+		{
+			name:     "nil features",
+			features: nil,
+			want:     false,
+		},
+		{
+			name:     "no other features",
+			features: &v2alpha1.DatadogFeatures{},
+			want:     false,
+		},
+		{
+			name: "NPM enabled",
+			features: &v2alpha1.DatadogFeatures{
+				NPM: &v2alpha1.NPMFeatureConfig{Enabled: apiutils.NewBoolPointer(true)},
+			},
+			want: true,
+		},
+		{
+			name: "CWS enabled",
+			features: &v2alpha1.DatadogFeatures{
+				CWS: &v2alpha1.CWSFeatureConfig{Enabled: apiutils.NewBoolPointer(true)},
+			},
+			want: true,
+		},
+		{
+			name: "USM enabled",
+			features: &v2alpha1.DatadogFeatures{
+				USM: &v2alpha1.USMFeatureConfig{Enabled: apiutils.NewBoolPointer(true)},
+			},
+			want: true,
+		},
+		{
+			name: "OOMKill enabled",
+			features: &v2alpha1.DatadogFeatures{
+				OOMKill: &v2alpha1.OOMKillFeatureConfig{Enabled: apiutils.NewBoolPointer(true)},
+			},
+			want: true,
+		},
+		{
+			name: "TCPQueueLength enabled",
+			features: &v2alpha1.DatadogFeatures{
+				TCPQueueLength: &v2alpha1.TCPQueueLengthFeatureConfig{Enabled: apiutils.NewBoolPointer(true)},
+			},
+			want: true,
+		},
+		{
+			name: "EBPFCheck enabled",
+			features: &v2alpha1.DatadogFeatures{
+				EBPFCheck: &v2alpha1.EBPFCheckFeatureConfig{Enabled: apiutils.NewBoolPointer(true)},
+			},
+			want: true,
+		},
+		{
+			name: "CSPM enabled with RunInSystemProbe",
+			features: &v2alpha1.DatadogFeatures{
+				CSPM: &v2alpha1.CSPMFeatureConfig{
+					Enabled:          apiutils.NewBoolPointer(true),
+					RunInSystemProbe: apiutils.NewBoolPointer(true),
+				},
+			},
+			want: true,
+		},
+		{
+			name: "CSPM enabled without RunInSystemProbe",
+			features: &v2alpha1.DatadogFeatures{
+				CSPM: &v2alpha1.CSPMFeatureConfig{
+					Enabled: apiutils.NewBoolPointer(true),
+				},
+			},
+			want: false,
+		},
+		{
+			name: "GPU enabled with PrivilegedMode",
+			features: &v2alpha1.DatadogFeatures{
+				GPU: &v2alpha1.GPUFeatureConfig{
+					Enabled:        apiutils.NewBoolPointer(true),
+					PrivilegedMode: apiutils.NewBoolPointer(true),
+				},
+			},
+			want: true,
+		},
+		{
+			name: "GPU enabled without PrivilegedMode",
+			features: &v2alpha1.DatadogFeatures{
+				GPU: &v2alpha1.GPUFeatureConfig{
+					Enabled: apiutils.NewBoolPointer(true),
+				},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, hasOtherSystemProbeFeatures(tt.features))
+		})
+	}
+}
+
 const (
 	noNetStats   = false
 	withNetStats = true
 )
 
-func getWantFunc(withNetStats bool) func(t testing.TB, mgrInterface feature.PodTemplateManagers) {
+func createFuncWithSystemProbeContainer() func(testing.TB) (feature.PodTemplateManagers, string) {
+	return func(t testing.TB) (feature.PodTemplateManagers, string) {
+		newPTS := corev1.PodTemplateSpec{
+			Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{
+						Name: string(apicommon.CoreAgentContainerName),
+					},
+					{
+						Name: string(apicommon.SystemProbeContainerName),
+					},
+				},
+			},
+		}
+		return fake.NewPodTemplateManagers(t, newPTS), ""
+	}
+}
+
+func getWantFunc(withNetStats bool, useSPL bool) func(t testing.TB, mgrInterface feature.PodTemplateManagers) {
 	return func(t testing.TB, mgrInterface feature.PodTemplateManagers) {
 		mgr := mgrInterface.(*fake.PodTemplateManagers)
 
@@ -200,7 +369,6 @@ func getWantFunc(withNetStats bool) func(t testing.TB, mgrInterface feature.PodT
 			},
 		}
 
-		// check env vars
 		wantSPEnvVars := []*corev1.EnvVar{
 			{
 				Name:  DDServiceDiscoveryEnabled,
@@ -221,6 +389,20 @@ func getWantFunc(withNetStats bool) func(t testing.TB, mgrInterface feature.PodT
 
 		systemProbeEnvVars := mgr.EnvVarMgr.EnvVarsByC[apicommon.SystemProbeContainerName]
 		assert.True(t, apiutils.IsEqualStruct(systemProbeEnvVars, wantSPEnvVars), "System Probe envvars \ndiff = %s", cmp.Diff(systemProbeEnvVars, wantSPEnvVars))
+
+		// check system-probe container command override
+		for _, c := range mgr.PodTemplateSpec().Spec.Containers {
+			if c.Name == string(apicommon.SystemProbeContainerName) {
+				if useSPL {
+					assert.Equal(t, []string{"/bin/sh", "-c"}, c.Command, "System Probe command should be overridden for system-probe-lite")
+					assert.Equal(t, []string{systemProbeLiteCommand(common.DefaultSystemProbeSocketPath)}, c.Args, "System Probe args mismatch")
+				} else {
+					assert.Empty(t, c.Command, "System Probe command should not be overridden")
+					assert.Empty(t, c.Args, "System Probe args should not be overridden")
+				}
+				break
+			}
+		}
 	}
 }
 
