[CONTP-1448] Add Windows node support

[zhuminyi]

What does this PR do?

Adds opt-in Windows node Agent support via spec.override.windowsNodeAgent. When configured, the Operator creates a Windows-targeted Agent DaemonSet alongside the existing Linux Agent DaemonSet.

Motivation

Enable Datadog Agent deployment on mixed Linux/Windows Kubernetes clusters managed by the Datadog Operator.
Key Changes:

1. internal/controller/datadogagent/component/agent/windows.go
   New Windows Agent DaemonSet builder and Windows-specific pod sanitization. Handles Windows node targeting, init config, safe container allowlisting, Linux-only field stripping, -servercore image handling, non-local APM/DogStatsD traffic, and Windows log collection mounts.

2. internal/controller/datadogagentinternal/controller_reconcile_windows_agent.go
   New Windows Agent reconciler. Handles opt-in behavior, unsupported FIPS/EDS cleanup, disabled cleanup, Windows container selection, feature filtering, pod sanitization, image normalization, intake reachability, log mounts, and DaemonSet create/update.

3. internal/controller/datadogagentinternal/controller_reconcile_agent.go
   Chains Windows reconciliation into the existing node Agent flow so Linux and Windows DaemonSets stay in sync across normal, disabled, and EDS paths. reconcileV2WindowsAgent is called on every DDAI reconcile, for linux only DDA that means ensureWindowsDaemonSetAbsent will be always called on each reconcile.

4. API/status generated files
   Adds status.agentWindows and the agent-windows printer column for both DatadogAgent and DatadogAgentInternal. Also fixes status handling so AgentWindows is preserved and compared correctly.

5. examples/datadogagent/datadog-agent-with-windows-nodes.yaml
   Adds an example Windows configuration and documents current limitations, especially that local APM/DogStatsD services do not yet route to Windows pods.

Gaps addressed

#	Gap	Root cause	Addressed by
1	Windows taint not tolerated	The DaemonSet ships tolerations: []. Every Kubernetes distribution (GKE, EKS, AKS, kubeadm) automatically applies node.kubernetes.io/os=windows:NoSchedule to Windows nodes via kubelet, so no Windows pod is ever scheduled.	NewDefaultWindowsAgentPodTemplateSpec adds the node.kubernetes.io/os=windows:NoSchedule toleration + nodeSelector os=windows (windows.go).
2	No Windows DaemonSet	The operator generates a single DaemonSet with no OS awareness. Even if the taint were tolerated, the Linux pod spec would fail on all remaining gaps.	New reconcileV2WindowsAgent builds a dedicated datadog-agent-windows DaemonSet, chained after the Linux DS on every reconcile path (controller_reconcile_windows_agent.go, controller_reconcile_agent.go).
3	Linux-only container image	The operator always uses agent:X.Y.Z — a Linux binary. Windows requires a separate image (agent:X.Y.Z-servercore) compiled for Windows APIs. No Windows image reference exists anywhere in the codebase.	GetLatestWindowsAgentImage + EnsureWindowsServercoreImage coerce the default agent image to the -servercore tag (pkg/images/images.go, windows.go).
4	Linux-specific securityContext	Linux capabilities (SYS_ADMIN, NET_RAW, etc.), seccomp profiles, and readOnlyRootFilesystem are all rejected by the Windows container runtime.	StripLinuxOnlySettings (allowlist) clears capabilities, seccomp, SELinux, AppArmor, readOnlyRootFilesystem, hostPID/hostIPC, and uses a nil pod SecurityContext (windows.go).
5	Linux-only hostPath volumes	/proc, /sys/fs/cgroup, /etc/passwd, and Unix sockets at /var/run do not exist on Windows. The pod would fail to start.	StripLinuxOnlySettings allowlist drops every mount/volume with a /-prefixed path and every *SOCKET*/DOCKER_HOST/DD_VSOCK_ADDR env var; AddWindowsLogCollectionVolumes adds the Windows C:/ log hostPaths (windows.go).
6	system-probe / security-agent always injected	Both use eBPF (Linux kernel only). They are unconditionally added when features like liveProcessCollection or CSPM are enabled.	windowsContainersFromFeatures + windowsSupportedFeatures allowlist keep only core/trace/process-agent; the strip allowlist removes any other container (controller_reconcile_windows_agent.go, windows.go).
7	Linux init containers	The three init containers use bash and Linux paths. Windows has no bash. The trace-agent also requires a config file at C:\ProgramData\Datadog\datadog.yaml, which the Windows image does not include.	Single PowerShell init-config-windows init container creates C:\ProgramData\Datadog\datadog.yaml + auth dir; all Linux init containers are stripped (windowsInitContainers in windows.go).
8	No Windows API surface	No field in the DatadogAgent CRD to opt in to Windows or configure a Windows-specific image, resources, or tolerations.	New spec.override.windowsNodeAgent component (WindowsNodeAgentComponentName) optrride fields (image, resources, etc.)(api/datadoghq/v2alpha1/datadogagent_types.go).

Additional Notes

Windows support is currently limited to the core Agent, trace Agent, and process Agent. Linux-only containers, mounts, security settings, and socket/env configuration are stripped from the Windows DaemonSet.

Current limitations:

• Not supported with ExtendedDaemonSet.
• Not supported with global.useFIPSAgent.
• APM/DogStatsD require hostPort for Windows workload traffic because the existing local service selects Linux Agent pods only.

Describe your test plan

1. Added unit tests for Windows DaemonSet construction, image selection, pod sanitization, status propagation, and cleanup behavior.
2. E2E test on a cluster with a Linux node pool (operator, cluster-agent) and a Windows node pool, Deploy a DatadogAgent(DDA) that opts into Windows

apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata: {name: datadog, namespace: datadog}
spec:
  global:
    credentials: {apiSecret: {secretName: datadog-secret, keyName: api-key}}
    site: datadoghq.com
  features:
    apm: {enabled: true}
  override:
    windowsNodeAgent: {}   # opt in

3. Verify the two DaemonSets and the Windows pod

kubectl get ds -n datadog
#   datadog-agent           <linux node count>   NODE SELECTOR: <none>
#   datadog-agent-windows   <win node count>     NODE SELECTOR: kubernetes.io/os=windows

kubectl get pods -n datadog -o wide
#   datadog-agent-windows-xxxx   2/2 Running   <on the Windows node>
Expect: the Windows pod is 2/2 Running (agent + trace-agent) on the Windows node; the Linux DaemonSet is unchanged.

4. Verify the status field & printer column

kubectl get datadogagent datadog -n datadog -o wide
# AGENT  AGENT-WINDOWS  CLUSTER-AGENT ...
# Running (n/n/n)  Running (m/m/m)  Running (1/1/1)
Expect: distinct AGENT and AGENT-WINDOWS columns; the Linux AGENT status is not overwritten.

5. Verify the allowlist strip with eBPF/Linux features enabled (key test)
   Enable Linux-only features, then inspect the Windows DaemonSet — the allowlist guarantees it stays clean:

kubectl patch datadogagent datadog -n datadog --type merge -p \
  '{"spec":{"features":{"npm":{"enabled":true},"cspm":{"enabled":true},"sbom":{"enabled":true,"host":{"enabled":true}}}}}'
kubectl get ds datadog-agent-windows -n datadog -o json | jq '{
  containers: [.spec.template.spec.containers[].name],
  hostPathVolumes: [.spec.template.spec.volumes[].hostPath.path] | map(select(.)),
  hostPID: .spec.template.spec.hostPID,
  hostIPC: .spec.template.spec.hostIPC,
  linuxEnvLeaks: [.spec.template.spec.containers[].env[]? | select(.name|test("SOCKET|DOCKER_HOST|KUBELET_CLIENT_CA|VSOCK")) | .name]
}'

Result:
{
  "containers": ["agent", "trace-agent", "process-agent"],
  "hostPathVolumes": [],
  "hostPID": null,
  "hostIPC": null,
  "linuxEnvLeaks": []
}

6. Verify cleanup on opt-out

kubectl patch datadogagent datadog -n datadog --type=json \
  -p='[{"op":"remove","path":"/spec/override/windowsNodeAgent"}]'
kubectl get ds datadog-agent-windows -n datadog        # → NotFound (deleted)
kubectl get datadogagent datadog -n datadog -o jsonpath='{.status.agentWindows}'   # → empty
kubectl get pods -n datadog | grep '^nt still Running

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

[datadog-prod-us1-5]

✨ Fix all issues with BitsAI

🛑 Gate Violations

🎯 1 Code Coverage issue detected

A Patch coverage percentage gate may be blocking this PR.

• Patch coverage: 72.84% (threshold: 80.00%)

ℹ️ Info

🎯 Code Coverage (details)
• Patch Coverage: 72.84%
• Overall Coverage: 44.89% (+0.63%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 2dd7823 | Docs | Datadog PR Page | Give us feedback!}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aae4ee0813

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".