Add external Karpenter guard and upgrade command to kubectl-datadog

[L3n41c]

What does this PR do?

Two additions to kubectl datadog autoscaling cluster:

1. External Karpenter guard in install: Detects an active Karpenter on the cluster via webhook configurations and validates Helm release ownership. Blocks installation when an external (non-plugin) Karpenter is found, while still allowing idempotent re-installs of our own.

2. upgrade subcommand: Updates a Karpenter previously installed by the plugin. Auto-detects the installation namespace and previous parameters (cluster name) from the existing Helm release.

Motivation

• Prevent install from deploying a second Karpenter controller on top of an externally-installed one.
• Allow users to upgrade Karpenter version without having to uninstall/reinstall.

Additional Notes

Detection strategy:

• Webhook-based detection (ValidatingWebhookConfiguration / MutatingWebhookConfiguration) identifies active Karpenter installations and their namespace
• Helm release ownership check (additionalLabels["app.kubernetes.io/managed-by"] == "kubectl-datadog") distinguishes our installation from external ones
• Helm secret scanning as a fallback when webhooks are absent (e.g. pods crashed)

Upgrade command:

• No --karpenter-namespace flag — namespace is auto-detected
• Cluster name is auto-detected from existing Helm release values
• Helm values are reset to plugin defaults on each upgrade
• Shared functions exported from install package to avoid duplication

Minimum Agent Versions

N/A — this is a kubectl plugin change only.

Describe your test plan

• Unit tests for webhook detection (DetectActiveKarpenter) with various webhook configurations
• Unit tests for Helm secret scanning (FindKarpenterHelmRelease) with various secret states
• Unit tests for upgrade command validation and config extraction
• go build, go test, and go vet all pass

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

🤖 Generated with Claude Code

[L3n41c]

@codex review

[codecov-commenter]

Codecov Report

❌ Patch coverage is 19.23077% with 189 lines in your changes missing coverage. Please review.
✅ Project coverage is 39.90%. Comparing base (5adfc81) to head (8f871c2).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...ctl-datadog/autoscaling/cluster/upgrade/upgrade.go	10.00%	108 Missing ⚠️
...ctl-datadog/autoscaling/cluster/install/install.go	0.00%	53 Missing ⚠️
...tl-datadog/autoscaling/cluster/common/helm/helm.go	0.00%	21 Missing ⚠️
...atadog/autoscaling/cluster/common/k8s/karpenter.go	84.61%	3 Missing and 3 partials ⚠️
cmd/kubectl-datadog/autoscaling/cluster/cluster.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2890      +/-   ##
==========================================
- Coverage   40.06%   39.90%   -0.17%     
==========================================
  Files         319      321       +2     
  Lines       28039    28265     +226     
==========================================
+ Hits        11233    11278      +45     
- Misses      15983    16161     +178     
- Partials      823      826       +3     

Flag	Coverage Δ
unittests	39.90% <19.23%> (-0.17%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
cmd/kubectl-datadog/autoscaling/cluster/cluster.go	0.00% <0.00%> (ø)
...atadog/autoscaling/cluster/common/k8s/karpenter.go	84.61% <84.61%> (ø)
...tl-datadog/autoscaling/cluster/common/helm/helm.go	0.00% <0.00%> (ø)
...ctl-datadog/autoscaling/cluster/install/install.go	12.76% <0.00%> (-2.43%)	⬇️
...ctl-datadog/autoscaling/cluster/upgrade/upgrade.go	10.00% <10.00%> (ø)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5adfc81...8f871c2. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[datadog-prod-us1-3]

🎯 Code Coverage (details)
• Patch Coverage: 18.52%
• Overall Coverage: 39.98%

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8f871c2 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f15baa9e41

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Add Helm-release fallback before proceeding with install

The new install guard only checks DetectActiveKarpenter webhooks, so when Karpenter is installed but webhook configs are absent (for example a crashed/disabled controller or manually removed webhook objects), this branch falls through and installation proceeds in the default namespace, creating a second Karpenter deployment instead of blocking or reusing the existing one. This is a production-impacting regression in the external-installation guard, especially since the commit already introduced FindKarpenterHelmRelease for exactly this fallback path.

Useful? React with 👍 / 👎.

[L3n41c]

Addressed @chatgpt-codex-connector P1 feedback in commit 8f871c2: added FindKarpenterHelmRelease as a fallback in the install path when DetectActiveKarpenter finds no webhooks. This mirrors the approach already used in the upgrade command.