[operator] Support host volume mount propagation config

api/datadoghq/v2alpha1/datadogagent_types.go

@@ -1837,6 +1837,13 @@ type GlobalConfig struct {
 	// Default: 'false'
 	// +optional
 	UseVSock *bool `json:"useVSock,omitempty"`
+
+	// HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers
+	// and the other way around for host path volumes.
+	// ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+	// +kubebuilder:validation:Enum=None;HostToContainer;Bidirectional
+	// +optional
+	HostVolumeMountPropagation *corev1.MountPropagationMode `json:"hostVolumeMountPropagation,omitempty"`
 }
 
 // DatadogCredentials is a generic structure that holds credentials to access Datadog.

cmd/yaml-mapper/mapper/mapping_datadog_helm_to_datadogagent_crd.yaml

@@ -421,7 +421,7 @@ datadog.gpuMonitoring.runtimeClassName: spec.features.gpu.requiredRuntimeClassNa
 datadog.helmCheck.collectEvents: spec.features.helmCheck.collectEvents
 datadog.helmCheck.enabled: spec.features.helmCheck.enabled
 datadog.helmCheck.valuesAsTags: spec.features.helmCheck.valuesAsTags
-datadog.hostVolumeMountPropagation: ""
+datadog.hostVolumeMountPropagation: spec.global.hostVolumeMountPropagation
 datadog.ignoreAutoConfig: ""
 datadog.kubeStateMetricsCore.annotationsAsTags: ""
 datadog.kubeStateMetricsCore.collectApiServicesMetrics: ""

config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml

@@ -3004,6 +3004,16 @@ spec:
                             Default: false
                           type: boolean
                       type: object
+                    hostVolumeMountPropagation:
+                      description: |-
+                        HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers
+                        and the other way around for host path volumes.
+                        ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+                      enum:
+                        - None
+                        - HostToContainer
+                        - Bidirectional
+                      type: string
                     kubelet:
                       description: Kubelet contains the kubelet configuration parameters.
                       properties:

config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json

@@ -3151,6 +3151,15 @@
               },
               "type": "object"
             },
+            "hostVolumeMountPropagation": {
+              "description": "HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers\nand the other way around for host path volumes.\nref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation",
+              "enum": [
+                "None",
+                "HostToContainer",
+                "Bidirectional"
+              ],
+              "type": "string"
+            },
             "kubelet": {
               "additionalProperties": false,
               "description": "Kubelet contains the kubelet configuration parameters.",

config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml

@@ -3004,6 +3004,16 @@ spec:
                                 Default: false
                               type: boolean
                           type: object
+                        hostVolumeMountPropagation:
+                          description: |-
+                            HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers
+                            and the other way around for host path volumes.
+                            ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+                          enum:
+                            - None
+                            - HostToContainer
+                            - Bidirectional
+                          type: string
                         kubelet:
                           description: Kubelet contains the kubelet configuration parameters.
                           properties:

config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json

@@ -3155,6 +3155,15 @@
                   },
                   "type": "object"
                 },
+                "hostVolumeMountPropagation": {
+                  "description": "HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers\nand the other way around for host path volumes.\nref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation",
+                  "enum": [
+                    "None",
+                    "HostToContainer",
+                    "Bidirectional"
+                  ],
+                  "type": "string"
+                },
                 "kubelet": {
                   "additionalProperties": false,
                   "description": "Kubelet contains the kubelet configuration parameters.",

config/crd/bases/v1/datadoghq.com_datadogagents.yaml

@@ -3004,6 +3004,16 @@ spec:
                             Default: false
                           type: boolean
                       type: object
+                    hostVolumeMountPropagation:
+                      description: |-
+                        HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers
+                        and the other way around for host path volumes.
+                        ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+                      enum:
+                        - None
+                        - HostToContainer
+                        - Bidirectional
+                      type: string
                     kubelet:
                       description: Kubelet contains the kubelet configuration parameters.
                       properties:

config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json

@@ -3151,6 +3151,15 @@
               },
               "type": "object"
             },
+            "hostVolumeMountPropagation": {
+              "description": "HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers\nand the other way around for host path volumes.\nref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation",
+              "enum": [
+                "None",
+                "HostToContainer",
+                "Bidirectional"
+              ],
+              "type": "string"
+            },
             "kubelet": {
               "additionalProperties": false,
               "description": "Kubelet contains the kubelet configuration parameters.",

docs/configuration.v2alpha1.md

@@ -243,6 +243,7 @@ spec:
 | global.fips.resources.limits | Resource limits for the FIPS sidecar. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container . |
 | global.fips.resources.requests | Resource requests for the FIPS sidecar. If undefined, defaults to global.fips.resources.limits (if set), then to an implementation-defined value. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container . |
 | global.fips.useHTTPS | If true, enables HTTPS on the FIPS sidecar. Default: false |
+| global.hostVolumeMountPropagation | HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers and the other way around for host path volumes. ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation |
 | global.kubelet.agentCAPath | AgentCAPath is the container path where the kubelet CA certificate is stored. Default: '/var/run/host-kubelet-ca.crt' if hostCAPath is set, else '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' |
 | global.kubelet.host.configMapKeyRef.key | The key to select. |
 | global.kubelet.host.configMapKeyRef.name | Of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |

docs/configuration_public.md

@@ -465,6 +465,9 @@ spec:
 `global.fips`
 : FIPS contains configuration used to customize the FIPS proxy sidecar. See [link](https://github.com/DataDog/datadog-operator/blob/main/docs/configuration.v2alpha1.md) for more information.
 
+`global.hostVolumeMountPropagation`
+: HostVolumeMountPropagation determines how mounts are propagated from the host to the Agent containers and the other way around for host path volumes. ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+
 `global.kubelet.agentCAPath`
 : AgentCAPath is the container path where the kubelet CA certificate is stored. Default: '/var/run/host-kubelet-ca.crt' if hostCAPath is set, else '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
 

internal/controller/datadogagent/component_reconciler.go

@@ -20,6 +20,7 @@ import (
 	apiutils "github.com/DataDog/datadog-operator/api/utils"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/common"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
+	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object/volume"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/override"
 	"github.com/DataDog/datadog-operator/pkg/condition"
 	"github.com/DataDog/datadog-operator/pkg/constants"
@@ -209,6 +210,11 @@ func (r *ComponentRegistry) reconcileComponent(ctx context.Context, params *Reco
 		override.Deployment(deployment, componentOverride)
 	}
 
+	// Apply host volume mount propagation from global config
+	if params.DDA.Spec.Global != nil {
+		volume.ApplyMountPropagation(podManagers.PodTemplateSpec(), params.DDA.Spec.Global.HostVolumeMountPropagation)
+	}
+
 	if r.reconciler.options.IntrospectionEnabled {
 		// Add provider label to deployment
 		if deployment.Labels == nil {

internal/controller/datadogagent/controller_reconcile_agent.go

@@ -31,6 +31,7 @@ import (
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/global"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object"
+	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object/volume"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/override"
 	"github.com/DataDog/datadog-operator/pkg/agentprofile"
 	"github.com/DataDog/datadog-operator/pkg/condition"
@@ -116,6 +117,11 @@ func (r *Reconciler) reconcileV2Agent(logger logr.Logger, requiredComponents fea
 
 		experimental.ApplyExperimentalOverrides(logger, dda, podManagers)
 
+		// Apply host volume mount propagation from global config
+		if dda.Spec.Global != nil {
+			volume.ApplyMountPropagation(podManagers.PodTemplateSpec(), dda.Spec.Global.HostVolumeMountPropagation)
+		}
+
 		if disabledByOverride {
 			if agentEnabled {
 				// The override supersedes what's set in requiredComponents; update status to reflect the conflict
@@ -216,6 +222,11 @@ func (r *Reconciler) reconcileV2Agent(logger logr.Logger, requiredComponents fea
 
 	experimental.ApplyExperimentalOverrides(logger, dda, podManagers)
 
+	// Apply host volume mount propagation from global config
+	if dda.Spec.Global != nil {
+		volume.ApplyMountPropagation(podManagers.PodTemplateSpec(), dda.Spec.Global.HostVolumeMountPropagation)
+	}
+
 	if disabledByOverride {
 		if agentEnabled {
 			// The override supersedes what's set in requiredComponents; update status to reflect the conflict

internal/controller/datadogagent/object/volume/mount_propagation.go

@@ -0,0 +1,43 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package volume
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+// ApplyMountPropagation sets the MountPropagation mode on all volume mounts in the PodTemplateSpec
+// that are backed by HostPath volumes. This mirrors the Helm chart's hostVolumeMountPropagation setting.
+func ApplyMountPropagation(podTemplate *corev1.PodTemplateSpec, mode *corev1.MountPropagationMode) {
+	if mode == nil {
+		return
+	}
+
+	// Build a set of volume names that use HostPath
+	hostPathVolumes := make(map[string]struct{})
+	for _, vol := range podTemplate.Spec.Volumes {
+		if vol.VolumeSource.HostPath != nil {
+			hostPathVolumes[vol.Name] = struct{}{}
+		}
+	}
+
+	// Apply mount propagation to all containers (regular and init) for host-path-backed mounts
+	applyToContainers(podTemplate.Spec.Containers, hostPathVolumes, mode)
+	applyToContainers(podTemplate.Spec.InitContainers, hostPathVolumes, mode)
+}
+
+func applyToContainers(containers []corev1.Container, hostPathVolumes map[string]struct{}, mode *corev1.MountPropagationMode) {
+	for i := range containers {
+		for j := range containers[i].VolumeMounts {
+			if _, ok := hostPathVolumes[containers[i].VolumeMounts[j].Name]; ok {
+				// Only set if not already explicitly configured (e.g., by a per-mount override)
+				if containers[i].VolumeMounts[j].MountPropagation == nil {
+					containers[i].VolumeMounts[j].MountPropagation = mode
+				}
+			}
+		}
+	}
+}