Vary datadog.yaml in test/antithesis

.claude/scheduled_tasks.lock

@@ -0,0 +1 @@
+{"sessionId":"477c57ec-b319-4603-b0be-745a689f9811","pid":2891480,"procStart":"153930906","acquiredAt":1780165254895}

test/antithesis/deploy/Dockerfile

@@ -74,11 +74,13 @@ RUN --mount=type=cache,target=/tools/target,id=antithesis-tools-target \
     --mount=type=cache,target=/root/.cargo/git,id=cargo-git \
     cargo build --release \
         --bin datadog-intake --bin millstone \
-        --bin parallel_driver_send_dogstatsd --bin finally_verify_delivery && \
+        --bin parallel_driver_send_dogstatsd --bin finally_verify_delivery \
+        --bin datadog_yaml_config_gen && \
     cp /tools/target/release/datadog-intake /usr/local/bin/datadog-intake && \
     cp /tools/target/release/millstone /usr/local/bin/millstone && \
     cp /tools/target/release/parallel_driver_send_dogstatsd /usr/local/bin/parallel_driver_send_dogstatsd && \
-    cp /tools/target/release/finally_verify_delivery /usr/local/bin/finally_verify_delivery
+    cp /tools/target/release/finally_verify_delivery /usr/local/bin/finally_verify_delivery && \
+    cp /tools/target/release/datadog_yaml_config_gen /usr/local/bin/datadog_yaml_config_gen
 
 # ---------------------------------------------------------------------------
 # Runtime: Agent Data Plane (SUT).
@@ -92,8 +94,12 @@ RUN apt-get update && \
 COPY --from=adp-builder /usr/local/bin/agent-data-plane /usr/local/bin/agent-data-plane
 # Expose DWARF/build-id symbols to Antithesis for symbolization (one-hop symlink to the unstripped binary).
 RUN mkdir -p /symbols && ln -s /usr/local/bin/agent-data-plane /symbols/agent-data-plane
-# main.rs requires the bootstrap config file to exist at the default path; ship a minimal standalone config.
+# main.rs requires the bootstrap config file to exist at the default path; ship a minimal standalone
+# config as a fallback. The boot wrapper overwrites it with the per-replay config drawn by the
+# datadog-yaml-config-gen service onto the shared `agent-config` volume.
 COPY test/antithesis/deploy/adp/datadog.yaml /etc/datadog-agent/datadog.yaml
+# Boot wrapper: waits for the drawn config sentinel, copies the config into place, then execs ADP.
+COPY --chmod=755 test/antithesis/deploy/adp/entrypoint.sh /entrypoint.sh
 # ADP's control-plane secure API requires an IPC TLS cert (a single PEM holding both certificate and
 # private key) that the Core Agent normally generates. In standalone mode there is no Core Agent, so
 # generate a self-signed cert+key. An empty auth_token satisfies the IPC auth config at startup.
@@ -103,7 +109,7 @@ RUN openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
     cat /tmp/ipc_cert.pem /tmp/ipc_key.pem > /etc/datadog-agent/ipc_cert.pem && \
     rm -f /tmp/ipc_cert.pem /tmp/ipc_key.pem && \
     touch /etc/datadog-agent/auth_token
-ENTRYPOINT ["/usr/local/bin/agent-data-plane"]
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["run"]
 
 # ---------------------------------------------------------------------------
@@ -114,6 +120,18 @@ ENV NO_COLOR=1
 COPY --from=tools-builder /usr/local/bin/datadog-intake /usr/local/bin/datadog-intake
 ENTRYPOINT ["/usr/local/bin/datadog-intake"]
 
+# ---------------------------------------------------------------------------
+# Runtime: datadog-yaml-config-gen (one-shot per-replay datadog.yaml generator).
+#
+# Fires the Antithesis setup_complete snapshot, generates a randomized datadog.yaml using SDK
+# randomness, writes it to the shared `agent-config` volume with a `ready` sentinel, then exits. ADP
+# gates its boot on the sentinel. Uninstrumented harness tooling, not the SUT.
+# ---------------------------------------------------------------------------
+FROM ${APP_IMAGE} AS datadog-yaml-config-gen
+ENV NO_COLOR=1
+COPY --from=tools-builder /usr/local/bin/datadog_yaml_config_gen /usr/local/bin/datadog_yaml_config_gen
+ENTRYPOINT ["/usr/local/bin/datadog_yaml_config_gen"]
+
 # ---------------------------------------------------------------------------
 # Runtime: workload client (millstone load generator + test templates).
 # ---------------------------------------------------------------------------

test/antithesis/deploy/adp/entrypoint.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Agent Data Plane boot wrapper.
+#
+# The datadog-yaml-config-gen service generates a per-replay datadog.yaml (post-snapshot) onto
+# the shared `agent-config` volume and touches a `ready` sentinel. We block on
+# that sentinel, copy the config into place, then exec ADP. docker-compose also
+# gates this container on datadog-yaml-config-gen completing successfully, so the wait below
+# is a defensive belt-and-suspenders for the file actually landing.
+
+CONFIG_DIR="${AGENT_CONFIG_DIR:-/agent-config}"
+
+tries=120
+while [ ! -f "${CONFIG_DIR}/ready" ]; do
+  tries=$((tries - 1))
+  if [ "${tries}" -le 0 ]; then
+    echo "timeout waiting for ${CONFIG_DIR}/ready" >&2
+    exit 1
+  fi
+  sleep 1
+done
+
+cp "${CONFIG_DIR}/datadog.yaml" /etc/datadog-agent/datadog.yaml
+
+exec /usr/local/bin/agent-data-plane "$@"

test/antithesis/deploy/docker-compose.yaml

@@ -20,6 +20,25 @@ services:
       timeout: 2s
       retries: 30
 
+  datadog-yaml-config-gen:
+    container_name: datadog-yaml-config-gen
+    hostname: datadog-yaml-config-gen
+    platform: linux/amd64
+    init: true
+    build:
+      context: ../../..
+      dockerfile: test/antithesis/deploy/Dockerfile
+      target: datadog-yaml-config-gen
+    image: datadog-yaml-config-gen:latest
+    environment:
+      NO_COLOR: "1"
+    volumes:
+      - agent-config:/agent-config
+    depends_on:
+      intake:
+        condition: service_healthy
+    # One-shot: fires setup_complete, generates the per-replay datadog.yaml, then exits 0.
+
   adp:
     container_name: adp
     hostname: adp
@@ -40,9 +59,13 @@ services:
       DD_DATA_PLANE_DOGSTATSD_ENABLED: "true"
     volumes:
       - dogstatsd-socket:/var/run/datadog
+      # Read-only: the boot wrapper copies the drawn datadog.yaml from here into /etc/datadog-agent.
+      - agent-config:/agent-config:ro
     depends_on:
       intake:
         condition: service_healthy
+      datadog-yaml-config-gen:
+        condition: service_completed_successfully
     healthcheck:
       # ADP's unprivileged API listens on TCP :5100 once the internal supervisor is up.
       test: ["CMD-SHELL", "bash -c 'exec 3<>/dev/tcp/localhost/5100'"]
@@ -78,3 +101,4 @@ services:
 
 volumes:
   dogstatsd-socket:
+  agent-config:

test/antithesis/deploy/workload/entrypoint.sh

@@ -4,9 +4,13 @@ set -euo pipefail
 # Workload client entrypoint.
 #
 # By the time this runs, docker-compose has gated startup on the `adp` and `intake` services being
-# healthy (depends_on: condition: service_healthy). We re-confirm reachability defensively, emit the
-# Antithesis `setup_complete` signal, then idle so Antithesis can run test commands from the test
-# template at /opt/antithesis/test/v1/.
+# healthy (depends_on: condition: service_healthy). We re-confirm reachability defensively, then idle
+# so Antithesis can run test commands from the test template at /opt/antithesis/test/v1/.
+#
+# The Antithesis `setup_complete` signal is NOT emitted here. The datadog-yaml-config-gen service owns it: it
+# fires `setup_complete` (the snapshot boundary) before ADP boots, then draws a per-replay
+# datadog.yaml. Emitting setup_complete here (after ADP is healthy) would freeze ADP's config across
+# every replay branch.
 
 ADP_HOST="${ADP_HOST:-adp}"
 ADP_API_PORT="${ADP_API_PORT:-5100}"
@@ -46,8 +50,7 @@ wait_for_tcp "${ADP_HOST}" "${ADP_API_PORT}" "agent-data-plane API"
 wait_for_socket "${DSD_SOCKET}" "agent-data-plane DogStatsD socket"
 wait_for_tcp "${INTAKE_HOST}" "${INTAKE_PORT}" "datadog-intake"
 
-echo "System is ready. Emitting setup_complete."
-/opt/antithesis/setup-complete.sh
+echo "System is ready. setup_complete is emitted by the datadog-yaml-config-gen service, not here."
 
 echo "Workload client idle; awaiting Antithesis test commands."
 exec tail -f /dev/null

test/antithesis/harness/Cargo.toml

@@ -16,8 +16,12 @@ clap = { workspace = true, features = [
   "std",
   "usage",
 ] }
+num-traits = { workspace = true }
 rand = { workspace = true }
+rand_distr = { workspace = true }
+serde = { workspace = true }
 serde_json = { workspace = true }
+serde_yaml = { workspace = true }
 
 [lints.clippy]
 all = "deny"