[CONTP-1569] Add KSM CollectSecretMetrics and CollectConfigMaps to CRD #2948

Open
zhuminyi wants to merge 1 commit into main from minyi/contp-1569-ksm-collect-secrets-configmaps

@zhuminyi zhuminyi commented Apr 27, 2026

Adds two additive boolean toggles to KubeStateMetricsCoreFeatureConfig that gate one entry each in the KSM check-instance collector list and one resource each in the ClusterRole's core-API rule.

| Field | Type | Default | Effect |
| --- | --- | --- | --- |
| collectSecretMetrics | `*bool` | true | when false, drops the secrets collector from the rendered KSM check instance and drops SecretsResource from the ClusterRole core-API rule |
| collectConfigMaps | `*bool` | true | when false, drops the configmaps collector and drops ConfigMapsResource from the ClusterRole |

Example

DatadogAgent CR opting out of both collectors:

```yaml
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    kubeStateMetricsCore:
      enabled: true
      collectSecretMetrics: false       # new — drop secrets collector + RBAC
      collectConfigMaps: false          # new — drop configmaps collector + RBAC
```

Rendered KSM check instance (datadog-kube-state-metrics-core-config ConfigMap, relevant excerpt — secrets and configmaps are absent from the collectors list):

```yaml
instances:
  - skip_leader_election: true
    collectors:
      - pods
      - replicationcontrollers
      - statefulsets
      ...                # other entries unchanged
      - resourcequotas
      - namespaces       # secrets WOULD have been between resourcequotas and namespaces
      - persistentvolumeclaims
      ...
```

Rendered ClusterRole (datadog-datadog-ksm-core-ccr, core-API rule — 11 resources instead of the default 13):

```yaml
rules:
  - apiGroups: [""]
    resources:
      - endpoints
      - events
      - limitranges
      - namespaces
      - nodes
      - persistentvolumeclaims
      - persistentvolumes
      - pods
      - replicationcontrollers
      - resourcequotas
      - services
    verbs: [list, watch]
  ...
```

Notes

Shape of collectSecretMetrics / collectConfigMaps matches the Helm chart
datadog.kubeStateMetricsCore.collectSecretMetrics and
datadog.kubeStateMetricsCore.collectConfigMaps (both default to true in Helm).

```yaml
# helm-chart config
datadog:
  kubeStateMetricsCore:                  # <-- this section
    enabled: true
    collectSecretMetrics: true            # ✅ this PR
    collectConfigMaps: true               # ✅ this PR
```

Independent of #2937 (parallel labelsAsTags / annotationsAsTags / tags PR). Both PRs touch feature.go and configmap.go in different
functions; whichever lands first will require the other to do a small mechanical rebase (regenerate codegen).
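
The RBAC effect described above can be checked on a live cluster. This is an added example, not code from the PR or the operator: a Go check that takes a ClusterRole exported as JSON (for instance `kubectl get clusterrole datadog-datadog-ksm-core-ccr -o json`) and reports whether it can still read secrets or configmaps in the core API group, including through the `*` wildcard. The helper names and both sample roles are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// clusterRole models only the ClusterRole fields this check reads.
type clusterRole struct {
	Rules []struct {
		APIGroups, Resources, Verbs []string
	} `json:"rules"`
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// sensitiveReads (hypothetical helper) lists which of secrets/configmaps the role can read.
func sensitiveReads(roleJSON []byte) ([]string, error) {
	var cr clusterRole
	if err := json.Unmarshal(roleJSON, &cr); err != nil {
		return nil, err
	}
	found := []string{}
	for _, res := range []string{"secrets", "configmaps"} {
		for _, r := range cr.Rules {
			readable := has(r.Verbs, "get") || has(r.Verbs, "list") || has(r.Verbs, "watch")
			if readable && has(r.APIGroups, "") && has(r.Resources, res) {
				found = append(found, res)
				break
			}
		}
	}
	return found, nil
}

// Constructed sample roles: an abridged default shape and the opted-out shape.
const defaultRole = `{"rules":[{"apiGroups":[""],"resources":["pods","secrets","configmaps"],"verbs":["list","watch"]}]}`
const optedOutRole = `{"rules":[{"apiGroups":[""],"resources":["pods","namespaces"],"verbs":["list","watch"]}]}`
func main() {
	fmt.Println(sensitiveReads([]byte(defaultRole)))
	fmt.Println(sensitiveReads([]byte(optedOutRole)))
}
```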

codecov-commenter commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.12%. Comparing base (953ade2) to head (d4c8573).
⚠️ Report is 2 commits behind head on main.

@@            Coverage Diff             @@
##             main    #2948      +/-   ##
==========================================
+ Coverage   40.91%   41.12%   +0.21%     
==========================================
  Files         324      324              
  Lines       28743    28940     +197     
==========================================
+ Hits        11760    11902     +142     
- Misses      16129    16175      +46     
- Partials      854      863       +9     
| Flag | Coverage Δ |
| --- | --- |
| unittests | 41.12% <100.00%> (+0.21%) ⬆️ |

| Files with missing lines | Coverage Δ |
| --- | --- |
| ...adogagent/feature/kubernetesstatecore/configmap.go | 97.36% <100.00%> (+0.14%) ⬆️ |
| ...atadogagent/feature/kubernetesstatecore/feature.go | 81.20% <100.00%> (+1.94%) ⬆️ |
| ...r/datadogagent/feature/kubernetesstatecore/rbac.go | 100.00% <100.00%> (ø) |
| pkg/testutils/builder.go | 3.50% <100.00%> (+3.50%) ⬆️ |

... and 3 files with indirect coverage changes


datadog-official Bot commented Apr 27, 2026

Code Coverage

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 41.20% (+0.16%)

🔗 Commit SHA: d4c8573

@zhuminyi zhuminyi force-pushed the minyi/contp-1569-ksm-collect-secrets-configmaps branch from ed6ca34 to 8cd5a40 Compare April 28, 2026 03:24
@zhuminyi zhuminyi marked this pull request as ready for review April 28, 2026 04:02
@zhuminyi zhuminyi requested a review from a team April 28, 2026 04:02
@zhuminyi zhuminyi requested review from a team as code owners April 28, 2026 04:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8cd5a40bb8

Comment thread api/datadoghq/v2alpha1/datadogagent_types.go
@zhuminyi zhuminyi force-pushed the minyi/contp-1569-ksm-collect-secrets-configmaps branch 2 times, most recently from 6582164 to 35375e4 Compare April 28, 2026 04:11
Second split-out of CONTP-1569 (Operator <-> Helm chart parity). Adds two
KubeStateMetricsCoreFeatureConfig boolean toggles:

- CollectSecretMetrics (*bool, default true): when false, drops the secrets
  collector from the rendered KSM check instance and drops the SecretsResource
  permission from the ClusterRole core-API rule.
- CollectConfigMaps (*bool, default true): same shape for ConfigMaps.

Both fields default to nil/true, preserving today's behavior. Existing users
who don't set either field see no change in the rendered ConfigMap (collector
list byte-identical), no change in the ClusterRole, and no change in the
KSM checksum annotation (the new keys are added to the change-detection hash
input only when the CR explicitly sets the field), so an operator upgrade
does not trigger a Cluster Agent pod rotation.

Sub-task of CONTP-1446. Independent of the parallel labels_as_tags /
annotations_as_tags / tags PR.
@zhuminyi zhuminyi force-pushed the minyi/contp-1569-ksm-collect-secrets-configmaps branch from 35375e4 to d4c8573 Compare April 28, 2026 13:22
@jeff-morgan-dd jeff-morgan-dd self-assigned this Apr 28, 2026