Resources labels/annotations as tags renders invalid RBAC rules

[jscaltreto]

When using datadog.kubernetesResourcesAnnotationsAsTags and/or datadog.kubernetesResourcesLabelsAsTags, the RBAC rules are not rendered correctly when the resource key include more than one period (such as is often the case with CRDs). Instead of splitting the resource name from the group, it puts the entire key in the "resources" list of the core ("") group, which is incorrect and invalid.

There is another related issue with how the maps are merged when generating RBAC where the contents of kubernetesResourcesLabelsAsTags are getting merged into kubernetesResourcesAnnotationsAsTags resulting in an incorrect value for DD_KUBERNETES_RESOURCES_ANNOTATIONS_AS_TAGS.

There is a similar issue with datadog-agent itself, which has also been reported: DataDog/datadog-agent#33646 (along with a proposed fix). I will submit a PR to propose a fix for this, as well.

Example

Consider the following values:

datadog:
  kubernetesResourcesAnnotationsAsTags:
    pods:
      some-annotation: "some-value"
    deployments.apps:
      another-annotation: "another-value"
    customs.example.com:
      custom-annotation: "custom-value"
  kubernetesResourcesLabelsAsTags:
    services:
      some-label: "some-value"
    statefulsets.apps:
      another-label: "another-value"
    anotercustoms.example.com:
      custom-label: "custom-value"

Expected

RBAC:

rules:

# Iterate through the apiGroups and create rules for each resource
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "apps"
  resources:
  - deployments
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "example.com"
  resources:
  - anotercustoms
  - customs
  verbs:
  - get
  - list
  - watch

Env vars:

- name: DD_KUBERNETES_RESOURCES_LABELS_AS_TAGS
  value: '{"anotercustoms.example.com":{"custom-label":"custom-value"},"services":{"some-label":"some-value"},"statefulsets.apps":{"another-label":"another-value"}}'
- name: DD_KUBERNETES_RESOURCES_ANNOTATIONS_AS_TAGS
  value: '{"customs.example.com":{"custom-annotation":"custom-value"},"deployments.apps":{"another-annotation":"another-value"},"pods":{"some-annotation":"some-value"}}'

Actual

RBAC:

rules:

# Iterate through the apiGroups and create rules for each resource
- apiGroups:
  - ""
  resources:
  - anotercustoms.example.com
  - customs.example.com
  - pods
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "apps"
  resources:
  - deployments
  - statefulsets
  verbs:
  - get
  - list
  - watch

Env vars:

- name: DD_KUBERNETES_RESOURCES_LABELS_AS_TAGS
  value: '{"anotercustoms.example.com":{"custom-label":"custom-value"},"services":{"some-label":"some-value"},"statefulsets.apps":{"another-label":"another-value"}}'
- name: DD_KUBERNETES_RESOURCES_ANNOTATIONS_AS_TAGS
  value: '{"anotercustoms.example.com":{"custom-label":"custom-value"},"customs.example.com":{"custom-annotation":"custom-value"},"deployments.apps":{"another-annotation":"another-value"},"pods":{"some-annotation":"some-value"},"services":{"some-label":"some-value"},"statefulsets.apps":{"another-label":"another-value"}}'