[CASCL-1305] No-op kubectl-datadog install on a foreign Karpenter

[L3n41c]

What does this PR do?

Adds a pre-flight guard to kubectl datadog autoscaling cluster install that recognises when Karpenter is already running on the cluster — be it a Helm install in another namespace, a raw kubectl apply, or anything in between — and short-circuits with a friendly success message and a link to the Datadog Autoscaling settings page, mirroring the existing EKS auto-mode handling (no error, exit 0).

Detection lists every ClusterRole on the cluster and looks for any rule referencing the karpenter.sh API group, which the chart's clusterrole.yaml and clusterrole-core.yaml hard-code for nodepools/nodeclaims regardless of nameOverride or other metadata customizations. ClusterRoles bearing our autoscaling.datadoghq.com/installed-by=kubectl-datadog sentinel are skipped. CRDs are deliberately not used — Helm leaves them behind on helm uninstall, and re-running install after uninstall must succeed in spite of those leftovers.

The PR also switches the chart's additionalLabels from overriding standard app.kubernetes.io/managed-by and app.kubernetes.io/version to Datadog-namespaced keys, exported as constants so the writer (install.go) and reader (IsForeignKarpenterInstalled) stay in sync.

Motivation

PR #2717 (CASCL-1281) added a guard for EKS auto-mode clusters. We need a symmetric guard for any other cluster where Karpenter is already running, otherwise re-running install on such a cluster would deploy a second controller that would race with the first one on the same CRDs.

We use a structural RBAC fingerprint rather than a label selector because the Karpenter chart's karpenter.name template renders both the app.kubernetes.io/name label value and the ClusterRole's name from nameOverride. A label-based selector would silently miss any install with --set nameOverride=... and let our install deploy a second controller side-by-side. The karpenter.sh API group is invariant across nameOverride changes — every Karpenter controller needs RBAC on it.

The Datadog-namespaced label switch is required because the Karpenter chart's _helpers.tpl emits app.kubernetes.io/managed-by: {{ .Release.Service }} and app.kubernetes.io/version: ... before additionalLabels, producing duplicate YAML keys. Verified empirically on a real cluster: deduplication at the API server is non-deterministic across keys (managed-by resolves to the chart's Helm value while version resolves to ours, on the very same resource), so we cannot rely on those overrides as identity markers.

Additional Notes

Migration of existing kubectl-datadog installs. Plugin installs deployed before this change carry the old app.kubernetes.io/managed-by=kubectl-datadog value (silently dropped by the chart) and lack the new sentinel. The new code will detect them as foreign and no-op. To migrate, run once:

kubectl datadog autoscaling cluster uninstall
kubectl datadog autoscaling cluster install

Acceptable because the install command is recent and not yet broadly deployed.

Out of scope. Resources we apply directly (NodePool / EC2NodeClass via cmd/kubectl-datadog/.../install/k8s/) keep their existing app.kubernetes.io/managed-by=kubectl-datadog label — no chart helper to fight there, the label sticks, and uninstall.go continues to use it as a selector.

Minimum Agent Versions

• Agent: n/a
• Cluster Agent: n/a

Describe your test plan

Unit tests:

• go test ./cmd/kubectl-datadog/autoscaling/cluster/install/... — covers
  • IsForeignKarpenterInstalled: no Karpenter, ours-only, foreign-only, mixed, foreign sentinel value, ClusterRole with karpenter-looking labels but no karpenter.sh rules, foreign install with custom nameOverride, API list-error paths;
  • TestKarpenterAPIGroupContract pins the literal karpenter.sh API group so test fixtures using the constant cannot silently mask a typo;
  • TestKarpenterHelmValues pins the additionalLabels contract with the detector — both sides go through the same exported constants — and covers both install modes (only Fargate annotates the ServiceAccount with the IRSA role ARN);
  • TestDisplayForeignKarpenterMessage renders the box into a buffered cobra Command and asserts the user-visible strings, including the URL-encoded kube_cluster_name query that points the user at their cluster's Datadog autoscaling settings page.

End-to-end on a real EKS test cluster (AWS_PROFILE=exec-sso-container-integrations-account-admin AWS_REGION=eu-west-3):

1. No-op on a foreign Helm Karpenter — helm install karpenter oci://public.ecr.aws/karpenter/karpenter --namespace karpenter --create-namespace --set settings.clusterName=$CLUSTER. Then kubectl datadog autoscaling cluster install → message + URL, exit 0, no dd-karpenter-… CFN stacks created (aws cloudformation list-stacks).
2. No-op on a foreign Helm Karpenter with nameOverride — helm install foo oci://... --set nameOverride=foo,settings.clusterName=$CLUSTER. Then kubectl datadog autoscaling cluster install → still detected and no-op'd, even though no ClusterRole carries app.kubernetes.io/name=karpenter.
3. No-op on a raw-applied Karpenter — apply a single ClusterRole with a rule on karpenter.sh and run install → variant of the no-op message, exit 0.
4. Re-install after our uninstall (CRDs left over) — helm uninstall karpenter -n karpenter, then kubectl datadog autoscaling cluster install → succeeds in spite of the four residual CRDs.
5. Auto-mode short-circuit unchanged — on an auto-mode cluster, the auto-mode message is what shows up, not the new one.

Checklist

• PR has at least one valid label: enhancement
• PR has a milestone or the qa/skip-qa label
• All commits are signed

[codecov-commenter]

Codecov Report

❌ Patch coverage is 90.24390% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.19%. Comparing base (78490c3) to head (e0cef1f).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...ctl-datadog/autoscaling/cluster/install/install.go	77.77%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2949      +/-   ##
==========================================
+ Coverage   40.91%   41.19%   +0.27%     
==========================================
  Files         324      325       +1     
  Lines       28743    28951     +208     
==========================================
+ Hits        11760    11925     +165     
- Misses      16129    16170      +41     
- Partials      854      856       +2     

Flag	Coverage Δ
unittests	41.19% <90.24%> (+0.27%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...oscaling/cluster/install/guess/foreignkarpenter.go	100.00% <100.00%> (ø)
...ctl-datadog/autoscaling/cluster/install/install.go	30.68% <77.77%> (+14.90%)	⬆️

... and 3 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 78490c3...e0cef1f. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[datadog-prod-us1-4]

🎯 Code Coverage (details)
• Patch Coverage: 89.19%
• Overall Coverage: 41.28% (+0.26%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: e0cef1f | Docs | Datadog PR Page | Give us feedback!}

[L3n41c]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd65ec0c9d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Detect nameOverride-based Karpenter installs

This selector misses existing Karpenter releases installed with the chart’s supported nameOverride value, because the upstream label app.kubernetes.io/name is rendered from that override rather than always being karpenter. In that scenario the list returns no ClusterRoles, so kubectl datadog autoscaling cluster install falls through and installs a second controller instead of no-oping; this affects Helm/Argo/raw-manifest installs that customize nameOverride.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Summary

• Updated foreign Karpenter detection to scan all ClusterRoles and identify Karpenter by RBAC rule content (karpenter.sh API group + nodepools/nodeclaims resources), instead of relying on app.kubernetes.io/name=karpenter. This makes detection robust to chart nameOverride. cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter.goL24-L48 cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter.goL50-L79
• Added helper matching functions (hasKarpenterAPIGroupRule, hasKarpenterResource, contains) to keep the detection logic explicit and testable. cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter.goL50-L79
• Updated/expanded unit tests to model RBAC-rule-based detection and added a dedicated case for foreign Karpenter installed with custom nameOverride to verify renamed releases are still detected as foreign. cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter_test.goL16-L114 cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter_test.goL75-L82
• Committed the changes on the current branch (64986c1) and created a follow-up PR via the make_pr tool.

Testing

• ✅ gofmt -w cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter.go cmd/kubectl-datadog/autoscaling/cluster/install/guess/foreignkarpenter_test.go
• ✅ go test ./cmd/kubectl-datadog/autoscaling/cluster/install/guess/...

View task →

[L3n41c]

Addressed in cdbb6c7: switched detection from the app.kubernetes.io/name=karpenter LabelSelector to a structural fingerprint on the karpenter.sh API group. We list every ClusterRole and look for a rule referencing that group, which the chart hard-codes for nodepools/nodeclaims regardless of nameOverride or other metadata customizations. Added a regression test foreign Karpenter installed with custom nameOverride and a defensive case to make sure a ClusterRole with karpenter-looking labels but no karpenter.sh rules does not trigger the guard.

[L3n41c]

Same fix landed on this branch as cdbb6c7 (independently arrived at the same karpenter.sh API group fingerprint). No follow-up PR needed.

[L3n41c]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🚀

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[L3n41c]

In case a Karpenter not installed by kubectl is detected, the command returns immediately with:

$ kubectl datadog autoscaling cluster install
2026/04/28 12:15:49 Detected foreign Karpenter ClusterRole
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Karpenter is already installed on cluster lenaic-karpenter-test.                                         │
│                                                                                                          │
│ kubectl-datadog has nothing to install.                                                                  │
│                                                                                                          │
│ Navigate to the Autoscaling settings page                                                                │
│ and select cluster to start generating recommendations:                                                  │
│ https://app.datadoghq.com/orchestration/scaling/settings?query=kube_cluster_name%3Alenaic-karpenter-test │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────╯

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e0cef1fb57

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require a real Karpenter fingerprint before no-oping

On clusters that already have the Datadog Operator installed but no Karpenter controller, this API-group-only check returns true because the operator's own ClusterRole grants karpenter.sh permissions (config/rbac/role.yaml:378-389, generated from internal/controller/datadogagent_controller.go:103). Since install.go now exits when this helper reports true, those users are incorrectly told Karpenter is installed and cannot use the plugin to install autoscaling; please exclude the operator role or match a more Karpenter-specific RBAC shape.

Useful? React with 👍 / 👎.