[operator] Support host volume mount propagation config

[gabedos]

What does this PR do?

Adds spec.global.hostVolumeMountPropagation to the DatadogAgent CRD, enabling users to configure mount propagation on host path volume mounts. This brings the operator to parity with the Helm chart's datadog.hostVolumeMountPropagation setting.

Accepted values: None, HostToContainer, Bidirectional.

apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
spec:
  global:
    hostVolumeMountPropagation: HostToContainer

Motivation

Resolves CONTP-1417 — the Helm chart supports hostVolumeMountPropagation but the operator had no equivalent.

Additional Notes

This is the simpler alternative to #2866, which threads the propagation through every feature's GetVolumes() call (30+ files, 56 call sites). That approach treats mount propagation as a per-feature concern, but it isn't — it's a pod-level infrastructure setting that should apply uniformly to all host path mounts regardless of which feature created them.

This PR instead applies mount propagation as a post-processing step after all features and overrides have built the PodTemplateSpec. This is a better fit because:

• Mount propagation isn't a feature concern. Features don't decide propagation policy — they just need host paths mounted. The global config owns this setting.
• It covers everything. Default agent mounts (proc, cgroups, runtime socket), feature-added mounts, and any future host path mounts all get the setting automatically — no per-feature opt-in needed.
• Overrides still win. The post-processing only sets MountPropagation on mounts where it's nil, so any explicit value set via spec.override.<component>.containers.<container>.volumeMounts takes final precedence.
• Minimal diff. 17 files changed vs 32+, with zero changes to feature code.

The implementation walks the finalized PodTemplateSpec, identifies volume mounts backed by HostPath volumes, and sets their MountPropagation to the configured mode. This runs in both the datadogagent and datadogagentinternal controller paths (Deployment, DaemonSet, and ExtendedDaemonSet).

Minimum Agent Versions

• Agent: N/A (operator-only change)
• Cluster Agent: N/A

Describe your test plan

• Unit tests for ApplyMountPropagation covering: nil mode no-op, host-path-only targeting, preserving explicit per-mount overrides, init containers, and multi-container pods
• All existing controller and feature tests pass
• go vet ./... passes
• CRDs regenerated and validated

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 70.37037% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 39.41%. Comparing base (3ef9c91) to head (07c4ac7).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...datadogagentinternal/controller_reconcile_agent.go	0.00%	4 Missing ⚠️
...troller/datadogagent/controller_reconcile_agent.go	50.00%	2 Missing ⚠️
...oller/datadogagentinternal/component_reconciler.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2867      +/-   ##
==========================================
+ Coverage   39.24%   39.41%   +0.17%     
==========================================
  Files         314      315       +1     
  Lines       27288    27395     +107     
==========================================
+ Hits        10708    10797      +89     
- Misses      15792    15808      +16     
- Partials      788      790       +2     

Flag	Coverage Δ
unittests	39.41% <70.37%> (+0.17%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...al/controller/datadogagent/component_reconciler.go	75.25% <100.00%> (+0.52%)	⬆️
...er/datadogagent/object/volume/mount_propagation.go	100.00% <100.00%> (ø)
...troller/datadogagent/controller_reconcile_agent.go	66.25% <50.00%> (-0.21%)	⬇️
...oller/datadogagentinternal/component_reconciler.go	0.00% <0.00%> (ø)
...datadogagentinternal/controller_reconcile_agent.go	4.23% <0.00%> (-0.15%)	⬇️

... and 1 file with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3ef9c91...07c4ac7. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.