Fix AppArmor annotations for absent containers in annotation overrides (#2897)

* Fix AppArmor annotations for absent containers in direct annotation overrides

The fix in a0dc8c0 added a container existence check to
overrideAppArmorProfile(), preventing invalid AppArmor annotations when
a container (e.g. security-agent with directSendFromSystemProbe=true) is
absent from the pod spec.

However, the same guard was missing from the direct annotation loop in
PodTemplateSpec(), which blindly copies spec.override.nodeAgent.annotations
to the pod template. Any AppArmor annotation set via that path would bypass
the existing fix and still produce an invalid DaemonSet.

Apply the same container existence check when iterating override.Annotations:
skip AppArmor annotations (container.apparmor.security.beta.kubernetes.io/<name>)
if <name> does not match any container in the pod spec.

* Use slices shared helper instead of duplicating same logic

* Add unit tests

---------

Co-authored-by: Timothée Bavelier <timothee.bavelier@datadoghq.com>

Author: lebauce

internal/controller/datadogagent/override/container.go

@@ -242,15 +242,7 @@ func overrideAppArmorProfile(containerName apicommon.AgentContainerName, manager
 		// Only add the AppArmor annotation if the container actually exists in the pod spec.
 		// This avoids invalid DaemonSet configurations when a container is not present
 		// (e.g. security-agent is absent when directSendFromSystemProbe is enabled).
-		containerExists := false
-		allContainers := append(manager.PodTemplateSpec().Spec.Containers, manager.PodTemplateSpec().Spec.InitContainers...)
-		for _, c := range allContainers {
-			if c.Name == effectiveName {
-				containerExists = true
-				break
-			}
-		}
-		if !containerExists {
+		if !podSpecHasContainer(&manager.PodTemplateSpec().Spec, effectiveName) {
 			return
 		}
 

internal/controller/datadogagent/override/podtemplatespec.go

@@ -193,6 +193,14 @@ func PodTemplateSpec(logger logr.Logger, manager feature.PodTemplateManagers, ov
 	manager.PodTemplateSpec().Spec.Tolerations = append(manager.PodTemplateSpec().Spec.Tolerations, override.Tolerations...)
 
 	for annotationName, annotationVal := range override.Annotations {
+		// For AppArmor annotations, skip if the referenced container doesn't exist.
+		// This mirrors the check in overrideAppArmorProfile() and prevents invalid DaemonSet
+		// configurations when a container is absent (e.g. security-agent with directSendFromSystemProbe).
+		if containerName, ok := strings.CutPrefix(annotationName, common.AppArmorAnnotationKey+"/"); ok {
+			if !podSpecHasContainer(&manager.PodTemplateSpec().Spec, containerName) {
+				continue
+			}
+		}
 		manager.Annotation().AddAnnotation(annotationName, annotationVal)
 	}
 
@@ -262,6 +270,14 @@ func overrideCustomConfigVolumes(logger logr.Logger, manager feature.PodTemplate
 	}
 }
 
+// podSpecHasContainer reports whether the pod spec contains a (init)container with the given name.
+func podSpecHasContainer(podSpec *corev1.PodSpec, name string) bool {
+	allContainers := append(podSpec.Containers, podSpec.InitContainers...)
+	return slices.ContainsFunc(allContainers, func(c corev1.Container) bool {
+		return c.Name == name
+	})
+}
+
 func sortKeys(keysMap map[v2alpha1.AgentConfigFileName]v2alpha1.CustomConfig) []v2alpha1.AgentConfigFileName {
 	sortedKeys := make([]v2alpha1.AgentConfigFileName, 0, len(keysMap))
 	for key := range keysMap {

internal/controller/datadogagent/override/podtemplatespec_test.go

@@ -1036,6 +1036,59 @@ func TestPodTemplateSpec(t *testing.T) {
 				assert.Equal(t, "gcr.io/datadoghq/ddot-collector:7.72.1", otelAgentImage, "OtelAgent should not have JMX suffix")
 			},
 		},
+		{
+			name: "AppArmor annotation in override.Annotations for existing container is added",
+			existingManager: func() *fake.PodTemplateManagers {
+				manager := fake.NewPodTemplateManagers(t, v1.PodTemplateSpec{})
+				manager.PodTemplateSpec().Spec.Containers = []v1.Container{
+					{Name: string(apicommon.CoreAgentContainerName)},
+				}
+				return manager
+			},
+			override: v2alpha1.DatadogAgentComponentOverride{
+				Annotations: map[string]string{
+					fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, apicommon.CoreAgentContainerName): "runtime/default",
+				},
+			},
+			validateManager: func(t *testing.T, manager *fake.PodTemplateManagers) {
+				annotation := fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, apicommon.CoreAgentContainerName)
+				assert.Equal(t, "runtime/default", manager.AnnotationMgr.Annotations[annotation])
+			},
+		},
+		{
+			name: "AppArmor annotation in override.Annotations for absent container is skipped",
+			existingManager: func() *fake.PodTemplateManagers {
+				manager := fake.NewPodTemplateManagers(t, v1.PodTemplateSpec{})
+				manager.PodTemplateSpec().Spec.Containers = []v1.Container{
+					{Name: string(apicommon.CoreAgentContainerName)},
+				}
+				return manager
+			},
+			override: v2alpha1.DatadogAgentComponentOverride{
+				Annotations: map[string]string{
+					fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, apicommon.SecurityAgentContainerName): "runtime/default",
+				},
+			},
+			validateManager: func(t *testing.T, manager *fake.PodTemplateManagers) {
+				annotation := fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, apicommon.SecurityAgentContainerName)
+				_, found := manager.AnnotationMgr.Annotations[annotation]
+				assert.False(t, found, "AppArmor annotation for absent container should not be added")
+			},
+		},
+		{
+			name: "non-AppArmor annotation in override.Annotations is always added",
+			existingManager: func() *fake.PodTemplateManagers {
+				return fake.NewPodTemplateManagers(t, v1.PodTemplateSpec{})
+			},
+			override: v2alpha1.DatadogAgentComponentOverride{
+				Annotations: map[string]string{
+					"some-other-annotation": "value",
+				},
+			},
+			validateManager: func(t *testing.T, manager *fake.PodTemplateManagers) {
+				assert.Equal(t, "value", manager.AnnotationMgr.Annotations["some-other-annotation"])
+			},
+		},
 		{
 			name: "Add CEL Workload Exclude",
 			existingManager: func() *fake.PodTemplateManagers {