Extend secret refresh allow list to all api/app key.

[hush-hush]

What does this PR do?

Extend secret refresh allow list to all api/app key.

Describe how you validated your changes

Unit-tested

[agent-platform-auto-pr]

Uncompressed package size comparison

Comparison with ancestor 153cd143979ee9acb303aa22608e636442089005

Diff per package

package	diff	status	size	ancestor	threshold
datadog-agent-x86_64-rpm	0.01MB	⚠️	845.57MB	845.55MB	0.50MB
datadog-agent-x86_64-suse	0.01MB	⚠️	845.57MB	845.55MB	0.50MB
datadog-agent-amd64-deb	0.01MB	⚠️	835.78MB	835.76MB	0.50MB
datadog-agent-aarch64-rpm	0.01MB	⚠️	836.06MB	836.05MB	0.50MB
datadog-agent-arm64-deb	0.01MB	⚠️	826.29MB	826.28MB	0.50MB
datadog-iot-agent-x86_64-rpm	0.00MB	✅	62.10MB	62.09MB	0.50MB
datadog-iot-agent-x86_64-suse	0.00MB	✅	62.10MB	62.09MB	0.50MB
datadog-dogstatsd-arm64-deb	0.00MB	✅	37.96MB	37.96MB	0.50MB
datadog-iot-agent-amd64-deb	0.00MB	✅	62.03MB	62.02MB	0.50MB
datadog-dogstatsd-x86_64-rpm	0.00MB	✅	39.50MB	39.50MB	0.50MB
datadog-dogstatsd-x86_64-suse	0.00MB	✅	39.50MB	39.50MB	0.50MB
datadog-iot-agent-aarch64-rpm	0.00MB	✅	59.33MB	59.33MB	0.50MB
datadog-dogstatsd-amd64-deb	0.00MB	✅	39.42MB	39.42MB	0.50MB
datadog-heroku-agent-amd64-deb	0.00MB	✅	443.28MB	443.28MB	0.50MB
datadog-iot-agent-arm64-deb	0.00MB	✅	59.27MB	59.27MB	0.50MB

Decision

⚠️ Warning

[agent-platform-auto-pr]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv aws.create-vm --pipeline-id=57029284 --os-family=ubuntu

Note: This applies to commit 2dbdf2a

[agent-platform-auto-pr]

Static quality checks ✅

Please find below the results from static quality gates

Successful checks

Info

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
✅	static_quality_gate_agent_deb_amd64	808.35MiB	841.59MiB	195.31MiB	210.72MiB
✅	static_quality_gate_agent_deb_arm64	799.28MiB	830.66MiB	176.67MiB	192.1MiB
✅	static_quality_gate_agent_rpm_amd64	808.34MiB	841.52MiB	198.18MiB	214.52MiB
✅	static_quality_gate_agent_rpm_arm64	799.27MiB	830.66MiB	178.81MiB	193.64MiB
✅	static_quality_gate_agent_suse_amd64	808.34MiB	841.52MiB	198.18MiB	214.52MiB
✅	static_quality_gate_agent_suse_arm64	799.27MiB	830.66MiB	178.81MiB	194.03MiB
✅	static_quality_gate_dogstatsd_deb_amd64	37.67MiB	49.7MiB	9.78MiB	20.6MiB
✅	static_quality_gate_dogstatsd_deb_arm64	36.28MiB	48.1MiB	8.49MiB	19.1MiB
✅	static_quality_gate_dogstatsd_rpm_amd64	37.67MiB	49.7MiB	9.79MiB	20.6MiB
✅	static_quality_gate_dogstatsd_suse_amd64	37.67MiB	49.7MiB	9.79MiB	20.6MiB
✅	static_quality_gate_iot_agent_deb_amd64	59.23MiB	69.0MiB	14.89MiB	24.8MiB
✅	static_quality_gate_iot_agent_deb_arm64	56.59MiB	66.4MiB	12.84MiB	22.8MiB
✅	static_quality_gate_iot_agent_rpm_amd64	59.23MiB	69.0MiB	14.9MiB	24.8MiB
✅	static_quality_gate_iot_agent_rpm_arm64	56.59MiB	66.4MiB	12.85MiB	22.8MiB
✅	static_quality_gate_iot_agent_suse_amd64	59.23MiB	69.0MiB	14.9MiB	24.8MiB
✅	static_quality_gate_docker_agent_amd64	893.21MiB	926.0MiB	298.81MiB	317.43MiB
✅	static_quality_gate_docker_agent_arm64	907.42MiB	939.07MiB	284.53MiB	302.43MiB
✅	static_quality_gate_docker_agent_jmx_amd64	1.07GiB	1.1GiB	373.92MiB	392.54MiB
✅	static_quality_gate_docker_agent_jmx_arm64	1.07GiB	1.1GiB	355.62MiB	373.21MiB
✅	static_quality_gate_docker_dogstatsd_amd64	45.82MiB	57.88MiB	17.28MiB	28.29MiB
✅	static_quality_gate_docker_dogstatsd_arm64	44.46MiB	56.27MiB	16.16MiB	27.06MiB
✅	static_quality_gate_docker_cluster_agent_amd64	264.93MiB	274.78MiB	106.33MiB	116.28MiB
✅	static_quality_gate_docker_cluster_agent_arm64	280.9MiB	290.82MiB	101.17MiB	111.12MiB

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: dbecaf62-d1e0-43b5-a2c6-5a6aac8b6094

Baseline: 153cd14
Comparison: 2dbdf2a
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+0.38	[-2.53, +3.30]	1	Logs
➖	file_tree	memory utilization	+0.13	[+0.07, +0.19]	1	Logs
➖	quality_gate_idle	memory utilization	+0.12	[+0.09, +0.15]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+0.12	[+0.06, +0.18]	1	Logs
➖	file_to_blackhole_0ms_latency_http1	egress throughput	+0.02	[-0.84, +0.88]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	+0.02	[-0.76, +0.80]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.02	[-0.65, +0.68]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.01	[-0.76, +0.79]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.01	[-0.62, +0.63]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.00	[-0.78, +0.79]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.00	[-0.29, +0.29]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.01, +0.02]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	-0.03	[-0.50, +0.44]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.04	[-0.82, +0.73]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.13	[-0.20, -0.07]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.73	[-1.62, +0.16]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10
✅	quality_gate_logs	lost_bytes	10/10
✅	quality_gate_logs	memory_usage	10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[agent-platform-auto-pr]

Static quality checks ❌

Please find below the results from static quality gates

Error

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
❌	static_quality_gate_agent_suse_amd64	DataNotFound	841.52MiB	DataNotFound	214.52MiB

Gate failure full details

Quality gate	Error type	Error message
static_quality_gate_agent_suse_amd64	StackTrace	Traceback (most recent call last): File "/go/src/github.com/DataDog/datadog-agent/tasks/quality_gates.py", line 121, in parse_and_trigger_gates gate_mod.entrypoint(**gate_inputs) File "/go/src/github.com/DataDog/datadog-agent/tasks/static_quality_gates/static_quality_gate_agent_suse_amd64.py", line 5, in entrypoint generic_package_agent_quality_gate( File "/go/src/github.com/DataDog/datadog-agent/tasks/static_quality_gates/lib/package_agent_lib.py", line 69, in generic_package_agent_quality_gate package_on_wire_size, package_on_disk_size = calculate_package_size( ^^^^^^^^^^^^^^^^^^^^^^^ File "/go/src/github.com/DataDog/datadog-agent/tasks/static_quality_gates/lib/package_agent_lib.py", line 10, in calculate_package_size extract_package(ctx=ctx, package_os=package_os, package_path=package_path, extract_dir=extract_dir) File "/go/src/github.com/DataDog/datadog-agent/tasks/libs/package/size.py", line 72, in extract_package return extract_rpm_package(ctx, package_path, extract_dir) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/go/src/github.com/DataDog/datadog-agent/tasks/libs/package/size.py", line 65, in extract_rpm_package ctx.run(f"rpm2cpio {package_path}

Successful checks

Info

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
✅	static_quality_gate_agent_deb_amd64	808.89MiB	841.59MiB	195.3MiB	210.72MiB
✅	static_quality_gate_agent_deb_arm64	799.76MiB	830.66MiB	176.82MiB	192.1MiB
✅	static_quality_gate_agent_rpm_amd64	808.85MiB	841.52MiB	198.15MiB	214.52MiB
✅	static_quality_gate_agent_rpm_arm64	799.8MiB	830.66MiB	178.79MiB	193.64MiB
✅	static_quality_gate_agent_suse_arm64	799.81MiB	830.66MiB	178.79MiB	194.03MiB
✅	static_quality_gate_dogstatsd_deb_amd64	37.67MiB	49.7MiB	9.78MiB	20.6MiB
✅	static_quality_gate_dogstatsd_deb_arm64	36.28MiB	48.1MiB	8.49MiB	19.1MiB
✅	static_quality_gate_dogstatsd_rpm_amd64	37.67MiB	49.7MiB	9.79MiB	20.6MiB
✅	static_quality_gate_dogstatsd_suse_amd64	37.67MiB	49.7MiB	9.79MiB	20.6MiB
✅	static_quality_gate_iot_agent_deb_amd64	59.23MiB	69.0MiB	14.88MiB	24.8MiB
✅	static_quality_gate_iot_agent_deb_arm64	56.59MiB	66.4MiB	12.85MiB	22.8MiB
✅	static_quality_gate_iot_agent_rpm_amd64	59.23MiB	69.0MiB	14.9MiB	24.8MiB
✅	static_quality_gate_iot_agent_rpm_arm64	56.6MiB	66.4MiB	12.85MiB	22.8MiB
✅	static_quality_gate_iot_agent_suse_amd64	59.23MiB	69.0MiB	14.9MiB	24.8MiB
✅	static_quality_gate_docker_agent_amd64	893.2MiB	926.0MiB	298.8MiB	317.43MiB
✅	static_quality_gate_docker_agent_arm64	907.42MiB	939.07MiB	284.53MiB	302.43MiB
✅	static_quality_gate_docker_agent_jmx_amd64	1.07GiB	1.1GiB	373.91MiB	392.54MiB
✅	static_quality_gate_docker_agent_jmx_arm64	1.07GiB	1.1GiB	355.6MiB	373.21MiB
✅	static_quality_gate_docker_dogstatsd_amd64	45.82MiB	57.88MiB	17.28MiB	28.29MiB
✅	static_quality_gate_docker_dogstatsd_arm64	44.46MiB	56.27MiB	16.16MiB	27.06MiB
✅	static_quality_gate_docker_cluster_agent_amd64	264.93MiB	274.78MiB	106.34MiB	116.28MiB
✅	static_quality_gate_docker_cluster_agent_arm64	280.9MiB	290.82MiB	101.18MiB	111.12MiB

[dustmop]

One fix you should make but LGTM aside from that

[GustavoCaso]

We are checking here an in line 405. Do we need both checks?

[hush-hush]

Yes, this function is used directly line 441.

[GustavoCaso]

I find weird that we have two conditions to see if we can use the allow list:

useAllowlist && allowlistEnabled

Could it be simplified?

[hush-hush]

We need to ignore the list when we first load a configuration. When a new config is loaded we notify on everything. This allows the main config to update itself at initialization. This is why Resolved ignore the filtering list.

But Refresh only notify on changed that can be handled by the code (ie API/APP key right now).

The allowlistEnabled is only used by tests.

[GustavoCaso]

Thanks for the explanation

[hush-hush]

/merge

[dd-devflow]

View all feedbacks in Devflow UI.
2025-02-26 11:35:43 UTC ℹ️ Start processing command /merge

---

2025-02-26 11:35:48 UTC ℹ️ MergeQueue: waiting for PR to be ready

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2025-02-26 11:50:11 UTC ℹ️ MergeQueue: merge request added to the queue

The median merge time in main is 29m.

---

2025-02-26 12:38:25 UTC ℹ️ MergeQueue: This merge request was merged