@0sewa0 0sewa0 commented Jan 26, 2026

Description

https://dt-rnd.atlassian.net/browse/DAQ-18391

Creates a new builtin:kubernetes.security-posture-management Settings object in case KSPM is turned on.

The following scenarios have to be covered:

  • Settings object for the cluster already exists:
    • Don’t do anything
  • KSPM and kubemon are disabled
    • Don't do anything
  • KSPM is enabled
    • Create the KSPM settings object, set configurationDatasetPipelineEnabled to true
  • KSPM is disabled, but kubernetes monitoring is turned on
    • (I am challenging this, reason for being in draft) Reasons were given in a comment on the ticket
    • Create the KSPM settings object, but set configurationDatasetPipelineEnabled to false

How can this be tested?

Deploy a DK with KSPM enabled or just Kubernetes Monitoring

Example:

apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  name: kspm-test
  namespace: dynatrace
spec:
  apiUrl: https://tenant.dev.dynatracelabs.com/api
  kspm: {}
  activeGate:
    capabilities:
      - kubernetes-monitoring
  templates:
    kspmNodeConfigurationCollector:
      imageRef:
        repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
        tag: "1.5.2"
      tolerations:
        - effect: NoSchedule
          key: kubernetes.io/arch
          value: arm64
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists

Warning

The settings API requires settings:objects:write and settings:objects:read. Please don’t forget to check for them.

In addition, securityProblems.write is currently required. This requirement will be lifted in the future. For this PR you can just add this permission to your token and assume the requirement will be dropped later.

Currently on some dev tenants it is not possible to create a token with the securityProblems.write permission in the UI. In this case you need to use the apiToken-API: check ticket for details.

How to create an API token with securityProblems.write scope:

  1. Create an API token with apiTokens.write in the Access Tokens UI (yeah, don't know how else, maybe personal access tokens 🤷 )
  2. Use the following curl to create a token with this extra permission:
curl -X 'POST' \
  'https://<YOUR TENANT>.dev.dynatracelabs.com/api/v2/apiTokens' \
  -H 'accept: application/json; charset=utf-8' \
  -H 'Authorization: Api-Token <INSERT YOUR TOKEN FROM STEP 1.>' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '{
  "name": "kspm-test",
  "personalAccessToken": false,
  "scopes": [
    "activeGateTokenManagement.create",
    "entities.read",
    "settings.read",
    "settings.write",
    "DataExport",
    "InstallerDownload",
    "securityProblems.write"
  ]
}'
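
The scenario list and the token-scope warning in the description above, combined into one decision function as an added example (not code from this PR or from the operator). `Plan`, `PlanKSPMSettings` and the `exists` callback are hypothetical names; it assumes the read scope is needed for the lookup and both write scopes for the create, with scope names taken from the curl request.

```go
package main

import "fmt"

// Plan is the outcome for one cluster.
type Plan struct {
	Create          bool // create the KSPM settings object
	PipelineEnabled bool // value for configurationDatasetPipelineEnabled
}

// missing returns the scopes in need that are absent from have.
func missing(have []string, need ...string) []string {
	set := map[string]bool{}
	for _, s := range have {
		set[s] = true
	}
	var out []string
	for _, s := range need {
		if !set[s] {
			out = append(out, s)
		}
	}
	return out
}

// PlanKSPMSettings (hypothetical name) walks the four scenarios. exists is a
// stand-in for the settings lookup; it runs only after the read scope is confirmed.
func PlanKSPMSettings(kspm, kubemon bool, scopes []string, exists func() (bool, error)) (Plan, error) {
	if !kspm && !kubemon {
		return Plan{}, nil // both disabled: no API call, so no scope is needed
	}
	if m := missing(scopes, "settings.read"); len(m) > 0 {
		return Plan{}, fmt.Errorf("token lacks scopes: %v", m)
	}
	found, err := exists()
	if err != nil || found {
		return Plan{}, err // an existing object is left untouched
	}
	// Assumption: both write scopes are only needed once a create is due.
	if m := missing(scopes, "settings.write", "securityProblems.write"); len(m) > 0 {
		return Plan{}, fmt.Errorf("token lacks scopes: %v", m)
	}
	return Plan{Create: true, PipelineEnabled: kspm}, nil
}

func main() {
	scopes := []string{"settings.read", "settings.write"} // constructed: securityProblems.write missing
	_, err := PlanKSPMSettings(true, false, scopes, func() (bool, error) { return false, nil })
	fmt.Println(err) // token lacks scopes: [securityProblems.write]
}
```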

@0sewa0 0sewa0 added the kspm Changes related to the KSPM (Kubernetes Security Posture Management) feature label Jan 26, 2026
@0sewa0 0sewa0 marked this pull request as ready for review January 26, 2026 14:42
@0sewa0 0sewa0 requested a review from a team as a code owner January 26, 2026 14:42
@avorima avorima self-assigned this Jan 27, 2026
@0sewa0 0sewa0 requested a review from avorima January 27, 2026 14:02

@avorima avorima left a comment


👨‍🍳

@0sewa0 0sewa0 enabled auto-merge January 28, 2026 07:31
@0sewa0 0sewa0 added this pull request to the merge queue Jan 28, 2026
@chrismuellner chrismuellner removed this pull request from the merge queue due to the queue being cleared Jan 28, 2026
@0sewa0 0sewa0 merged commit 59c2684 into main Jan 28, 2026
20 checks passed
@0sewa0 0sewa0 deleted the feature/kspm-settings branch January 28, 2026 08:15
4 participants