feat(autoscaling): CPURequestsRemoveLimitsMemoryRequestsAndLimits + cluster burstable default (#49314)

## Summary

### 1. `CPURequestsRemoveLimitsMemoryRequestsAndLimits` controlled value

Implements the new `CPURequestsRemoveLimitsMemoryRequestsAndLimits` container `controlledValues` enum from the datadog-operator ([c59fc90](DataDog/datadog-operator@c59fc90)).

When set on a container constraint:
- **CPU**: only requests are controlled; any existing CPU limit is actively removed from the live pod, letting the container burst freely and avoid CPU throttling.
- **Memory**: both requests and limits are controlled (standard `RequestsAndLimits` semantics).

The removal flows via a sentinel quantity (`-1`) stored on `ContainerResources.Limits[cpu]` by `applyVerticalConstraints` and recognised by the pod patcher, which actively deletes any pre-existing CPU limit from the live pod (an absent entry would mean "leave untouched").

### 2. Recognise `spec.options.burstable` in `IsBurstable()`

`IsBurstable()` now resolves from `spec.options.burstable` first, then the existing preview annotation. There is no cluster-level default — burstable mode requires an explicit per-DPA opt-in via either signal.

### 3. Report effective burstable mode in `status.options.burstable`

`BuildStatus` populates `status.options.burstable` so consumers can observe the resolved value:
- When `spec.options.burstable` is set: reported as-is (true or false).
- When the preview annotation enables burstable: reported as `true`.
- Otherwise: omitted (no opt-in).

### 4. Fix stale-sentinel propagation when the backend stops emitting a vertical recommendation

`SetActiveScalingValues` previously self-assigned `p.scalingValues.Vertical` when the active vertical source was `nil` (because `selectScalingValues(nil)` returns `p.scalingValues`). This kept any burstable sentinel from the previous cycle alive and caused `applyVerticalConstraints(burstable=false)` to early-return, suppressing the rollout when burstable was toggled off. Now `Vertical` is explicitly reset to `nil` so the next sync sees "no recommendation" and clears live state.

### 5. Dependency bump

`go.mod`: `datadog-operator/api` → `v0.0.0-20260515125012-8e158b708444`.

## Test plan

- [x] `TestApplyVerticalConstraints_CPURequestsRemoveLimits` — CPU limit stripped from recommendation, memory limit preserved, sentinel inserted.
- [x] `TestPatchContainerResources_*` / `TestPatchPod_*` — CPU limit actively removed from live pod, idempotent when already absent.
- [x] `IsBurstable priority matrix` — spec > annotation > default false.
- [x] `BuildStatus` reports `options.burstable` for spec (true/false) and for annotation-enabled, omits when neither is set.
- [x] `TestSetActiveScalingValues_NilSource_ClearsVertical` — nil vertical source clears `scalingValues.Vertical` instead of self-assigning the stale sentinel.
- [x] Full package suite passes: `dda inv test --targets=./pkg/clusteragent/autoscaling/workload/...`
- [x] Lint clean: `dda inv linter.go --targets ./pkg/clusteragent/autoscaling/workload/...`
- [x] Manual QA in kind cluster: DPA with preview annotation reports `status.options.burstable: true`; DPA without explicit opt-in reports no options (defaults to non-burstable).

🤖 PR description and code assisted by Claude:claude-opus-4-7

Co-authored-by: cedric.lamoriniere <cedric.lamoriniere@datadoghq.com>

Author: clamoriniere

go.mod

@@ -164,7 +164,7 @@ require (
 	github.com/DataDog/datadog-agent/pkg/util/winutil v0.78.1
 	github.com/DataDog/datadog-agent/pkg/version v0.78.1
 	github.com/DataDog/datadog-go/v5 v5.8.3
-	github.com/DataDog/datadog-operator/api v0.0.0-20260505153817-d1d2b65124cc
+	github.com/DataDog/datadog-operator/api v0.0.0-20260515125012-8e158b708444
 	github.com/DataDog/datadog-traceroute v1.0.15
 	github.com/DataDog/dd-trace-go/v2 v2.8.2
 	github.com/DataDog/ebpf-manager v0.7.18

go.sum

@@ -1520,6 +1520,9 @@ func TestProfileManagedDPA(t *testing.T) {
 					condition(datadoghqcommon.DatadogPodAutoscalerHorizontalAbleToScaleCondition, corev1.ConditionUnknown, "", "", testTime),
 					condition(datadoghqcommon.DatadogPodAutoscalerVerticalAbleToApply, corev1.ConditionUnknown, "", "", testTime),
 				},
+				Options: &datadoghqcommon.DatadogPodAutoscalerOptionsStatus{
+					Burstable: pointer.Ptr(true),
+				},
 			},
 		}
 		f.ExpectCreateAction(mustUnstructured(t, expectedDPA))

pkg/clusteragent/autoscaling/workload/controller_test.go

@@ -42,10 +42,9 @@ const (
 
 const inPlaceResizeSupportedCacheTTL = 15 * time.Minute
 
-// removeLimitSentinel is stored in a container Limits map by applyVerticalConstraints (burstable
-// mode) to signal "delete this limit from the pod instead of setting it to this value".
-// Negative quantities are never valid as real Kubernetes resource values, making the intent
-// unambiguous and easy to identify with quantity.Sign() < 0.
+// removeLimitSentinel is a sentinel quantity stored in ContainerResources.Limits to
+// signal that an existing limit must be actively deleted from the live pod. Negative
+// quantities are never valid Kubernetes resource values, making the intent unambiguous.
 var removeLimitSentinel = resource.MustParse("-1")
 
 // isInPlaceResizeSupported checks whether the API server exposes the pods/resize
@@ -336,9 +335,10 @@ func hasLimitIncrease(
 }
 
 // applyVerticalConstraints applies the container constraints from the PodAutoscaler spec to the
-// recommendations, and in burstable mode stores removeLimitSentinel (-1) on the CPU limit of every
-// container so that:
-//   - the ResourcesHash changes when burstable mode is toggled (triggering pod re-patches)
+// recommendations. When the CPU limit must be removed from the live pod — autoscaler-wide in
+// burstable mode, or per-container when ControlledValues is CPURequestsRemoveLimitsMemoryRequestsAndLimits —
+// it stores removeLimitSentinel (-1) on that container's CPU limit so that:
+//   - the ResourcesHash changes when the removal is toggled (triggering pod re-patches)
 //   - hasLimitIncrease sees cpuLimit.Sign() <= 0 and correctly identifies the transition as a limit increase
 //   - patchContainerResources removes the CPU limit from the pod when it encounters the sentinel
 func applyVerticalConstraints(verticalRecs *model.VerticalScalingValues, constraints *datadoghqcommon.DatadogPodAutoscalerConstraints, burstable bool) (limitErr, err error) {
@@ -380,90 +380,101 @@ func applyVerticalConstraints(verticalRecs *model.VerticalScalingValues, constra
 		if !found {
 			constraint = wildcardConstraint
 		}
-		if constraint == nil {
-			kept = append(kept, cr)
-			continue
-		}
-
-		// Enabled=false: drop this container's recommendations entirely
-		if constraint.Enabled != nil && !*constraint.Enabled {
-			modified = true
-			continue
-		}
 
-		// Resolve which resources are controlled.
-		// nil defaults to [cpu, memory]; empty list is equivalent to Enabled=false.
-		controlled := constraint.ControlledResources
-		if controlled == nil {
-			controlled = []corev1.ResourceName{corev1.ResourceCPU, corev1.ResourceMemory}
-		}
-		if len(controlled) == 0 {
-			modified = true
-			continue
-		}
+		// removeCPULimit is true when the CPU limit must be deleted from the live pod.
+		// It applies autoscaler-wide in burstable mode, and per-container when the
+		// constraint's ControlledValues requests CPU-limit removal (resolved below).
+		// The actual stamping happens once, after constraint processing.
+		removeCPULimit := burstable
 
-		// Remove resources not in the controlled list from requests and limits
-		for name := range cr.Requests {
-			if !slices.Contains(controlled, name) {
-				delete(cr.Requests, name)
+		if constraint != nil {
+			// Enabled=false: drop this container's recommendations entirely
+			if constraint.Enabled != nil && !*constraint.Enabled {
 				modified = true
+				continue
 			}
-		}
-		for name := range cr.Limits {
-			if !slices.Contains(controlled, name) {
-				delete(cr.Limits, name)
+
+			// Resolve which resources are controlled.
+			// nil defaults to [cpu, memory]; empty list is equivalent to Enabled=false.
+			controlled := constraint.ControlledResources
+			if controlled == nil {
+				controlled = []corev1.ResourceName{corev1.ResourceCPU, corev1.ResourceMemory}
+			}
+			if len(controlled) == 0 {
 				modified = true
+				continue
 			}
-		}
 
-		// ControlledValues=RequestsOnly: strip all limits
-		if constraint.ControlledValues != nil && *constraint.ControlledValues == datadoghqcommon.DatadogPodAutoscalerContainerControlledValuesRequestsOnly {
-			if len(cr.Limits) > 0 {
-				cr.Limits = nil
-				modified = true
+			// Remove resources not in the controlled list from requests and limits
+			for name := range cr.Requests {
+				if !slices.Contains(controlled, name) {
+					delete(cr.Requests, name)
+					modified = true
+				}
+			}
+			for name := range cr.Limits {
+				if !slices.Contains(controlled, name) {
+					delete(cr.Limits, name)
+					modified = true
+				}
 			}
-		}
 
-		// Resolve min/max bounds for clamping.
-		// New top-level MinAllowed/MaxAllowed apply to both requests and limits.
-		// Deprecated Requests.MinAllowed/MaxAllowed apply to requests only.
-		reqMin, reqMax, limMin, limMax := resolveMinMaxBounds(constraint)
-
-		// Clamp existing requests and limits to their respective bounds.
-		// Track which containers were clamped for the VerticalScalingLimited condition.
-		requestsClamped := clampResourceList(cr.Requests, reqMin, reqMax)
-		limitsClamped := clampResourceList(cr.Limits, limMin, limMax)
-		if requestsClamped || limitsClamped {
-			clampedContainers = append(clampedContainers, cr.Name)
-			modified = true
-		}
+			// ControlledValues=RequestsOnly: strip all limits
+			if constraint.ControlledValues != nil && *constraint.ControlledValues == datadoghqcommon.DatadogPodAutoscalerContainerControlledValuesRequestsOnly {
+				if len(cr.Limits) > 0 {
+					cr.Limits = nil
+					modified = true
+				}
+			}
+
+			// ControlledValues=CPURequestsRemoveLimitsMemoryRequestsAndLimits: like burstable,
+			// the CPU limit must be removed from the live pod (handled by the shared stamping below).
+			if constraint.ControlledValues != nil &&
+				*constraint.ControlledValues == datadoghqcommon.DatadogPodAutoscalerContainerControlledValuesCPURequestsRemoveLimitsMemoryRequestsAndLimits {
+				removeCPULimit = true
+			}
 
-		// Maintain invariant: limits >= requests for all resources where both exist
-		for resourceName, reqQty := range cr.Requests {
-			if limQty, hasLimit := cr.Limits[resourceName]; hasLimit && limQty.Cmp(reqQty) < 0 {
-				cr.Limits[resourceName] = reqQty.DeepCopy()
+			// Resolve min/max bounds for clamping.
+			// New top-level MinAllowed/MaxAllowed apply to both requests and limits.
+			// Deprecated Requests.MinAllowed/MaxAllowed apply to requests only.
+			reqMin, reqMax, limMin, limMax := resolveMinMaxBounds(constraint)
+
+			// Clamp existing requests and limits to their respective bounds.
+			// Track which containers were clamped for the VerticalScalingLimited condition.
+			requestsClamped := clampResourceList(cr.Requests, reqMin, reqMax)
+			limitsClamped := clampResourceList(cr.Limits, limMin, limMax)
+			if requestsClamped || limitsClamped {
+				clampedContainers = append(clampedContainers, cr.Name)
 				modified = true
 			}
-		}
 
-		kept = append(kept, cr)
-	}
+			// Maintain invariant: limits >= requests for all resources where both exist.
+			// Skip sentinel limits (negative) — they are internal markers, not values.
+			for resourceName, reqQty := range cr.Requests {
+				if limQty, hasLimit := cr.Limits[resourceName]; hasLimit && limQty.Sign() >= 0 && limQty.Cmp(reqQty) < 0 {
+					cr.Limits[resourceName] = reqQty.DeepCopy()
+					modified = true
+				}
+			}
+		}
 
-	// In burstable mode, stamp the CPU limit to removeLimitSentinel (-1) on every container.
-	// This has three effects:
-	//   1. The ResourcesHash changes when burstable is toggled (pods get re-patched).
-	//   2. hasLimitIncrease sees cpuLimit.Sign() <= 0, correctly identifying non-burstable →
-	//      burstable as a limit increase (unlimited > any finite limit).
-	//   3. patchContainerResources sees Sign() < 0 and removes the CPU limit from the running
-	//      pod instead of setting it.
-	if burstable {
-		for i := range kept {
-			if kept[i].Limits == nil {
-				kept[i].Limits = corev1.ResourceList{}
+		// Stamp the CPU limit with removeLimitSentinel (-1) when it must be removed from the
+		// live pod. Done after clamping/invariant so the sentinel value is never altered (both
+		// skip negative quantities). This has three effects:
+		//   1. The ResourcesHash changes when removal is toggled (pods get re-patched).
+		//   2. hasLimitIncrease sees cpuLimit.Sign() <= 0, correctly identifying the transition
+		//      to "no limit" as a limit increase (unlimited > any finite limit).
+		//   3. patchContainerResources sees Sign() < 0 and removes the CPU limit from the running
+		//      pod instead of setting it (an absent entry would mean "leave untouched").
+		if removeCPULimit {
+			if cr.Limits == nil {
+				cr.Limits = corev1.ResourceList{}
 			}
-			kept[i].Limits[corev1.ResourceCPU] = removeLimitSentinel.DeepCopy()
+			cr.Limits[corev1.ResourceCPU] = removeLimitSentinel.DeepCopy()
 			modified = true
 		}
+
+		kept = append(kept, cr)
 	}
 
 	verticalRecs.ContainerResources = kept
@@ -507,12 +518,17 @@ func resolveMinMaxBounds(c *datadoghqcommon.DatadogPodAutoscalerContainerConstra
 
 // clampResourceList clamps each resource quantity in the list to [min, max].
 // Returns true if any values were modified.
+// removeLimitSentinel entries are skipped: they are internal markers for downstream
+// consumers (signalling "delete this limit from the pod") and must survive clamping.
 func clampResourceList(rl corev1.ResourceList, minAllowed, maxAllowed corev1.ResourceList) bool {
 	if rl == nil {
 		return false
 	}
 	modified := false
 	for name, qty := range rl {
+		if qty.Cmp(removeLimitSentinel) == 0 { // preserve the remove-limit sentinel as-is
+			continue
+		}
 		clamped := false
 		if minQty, ok := minAllowed[name]; ok && qty.Cmp(minQty) < 0 {
 			qty = minQty.DeepCopy()