[super-agent] L2 identity creation (#1546)

#### Is this a new chart No #### What this PR does / why we need it: This PR adds L2 identity creation from L1 ClientID and ClientSecret. It maintains backwards compatibility so `userKey` can still be used, but if ClientID and ClientSecret are present, the latter will be used. As with `userKey`, a custom secret can be used to pass the ClientID and ClientSecret. #### Which issue this PR fixes - fixes https://new-relic.atlassian.net/browse/NR-343393 #### Special notes for your reviewer: #### Checklist [Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] - [x] Chart Version bumped - [x] Variables are documented in the README.md - [x] Title of the PR starts with chart name (e.g. `[mychartname]`)
newrelic · Dec 12, 2024 · cbfffa9 · cbfffa9
1 parent 72f82cd
commit cbfffa9
Show file tree

Hide file tree

Showing 9 changed files with 444 additions and 59 deletions.
diff --git a/charts/super-agent/Chart.lock b/charts/super-agent/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
   version: 2.13.0
 - name: super-agent-deployment
   repository: ""
-  version: 0.0.29-beta
+  version: 0.0.30-beta
 - name: common-library
   repository: https://helm-charts.newrelic.com
   version: 1.3.0
-digest: sha256:c827e90c8a5deac2f2795887c33a545109ea2a8755121cfc0818da87c3effa6e
-generated: "2024-12-06T10:45:07.728045+01:00"
+digest: sha256:d1ea9058d5ee20966f89ad75a47904ebaaa639999b03e86d0cc0bf117ca68c72
+generated: "2024-12-12T09:50:14.896089+01:00"
diff --git a/charts/super-agent/Chart.yaml b/charts/super-agent/Chart.yaml
@@ -3,15 +3,15 @@ name: super-agent
 description: Bootstraps New Relic' Super Agent
 
 type: application
-version: 0.0.28-beta
+version: 0.0.29-beta
 
 dependencies:
   - name: flux2
     repository: https://fluxcd-community.github.io/helm-charts
     version: 2.13.0
     condition: flux2.enabled
   - name: super-agent-deployment
-    version: 0.0.29-beta
+    version: 0.0.30-beta
     condition: super-agent-deployment.enabled
     # The following dependency is needed as sub-dependency of super-agent-deployment
   - name: common-library

diff --git a/charts/super-agent/README.md b/charts/super-agent/README.md
@@ -60,7 +60,6 @@ low data modes or any other quirk that it could have.
 
 As of the creation of the chart, it has no particularities and this section can be removed safely.
 
-
 ## Values
 
 | Key | Type | Default | Description |
@@ -94,6 +93,7 @@ As of the creation of the chart, it has no particularities and this section can
 | super-agent-deployment.config.superAgent.create | bool | `true` | Set if the configMap is going to be created by this chart or the user will provide its own. |
 | super-agent-deployment.containerSecurityContext | object | `{}` | Sets security context (at container level). Can be configured also with `global.containerSecurityContext` |
 | super-agent-deployment.customAttributes | object | `{}` | TODO: Adds extra attributes to the cluster and all the metrics emitted to the backend. Can be configured also with `global.customAttributes` |
+| super-agent-deployment.customL1IdentitySecretName | string | `""` | In case you don't want to have the client_id and client_secret in your values, this allows you to point to a user created secret to get the key from there. |
 | super-agent-deployment.customSecretLicenseKey | string | `""` | In case you don't want to have the license key in you values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey` |
 | super-agent-deployment.customSecretName | string | `""` | In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` |
 | super-agent-deployment.dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` |
@@ -106,6 +106,8 @@ As of the creation of the chart, it has no particularities and this section can
 | super-agent-deployment.hostNetwork | bool | `false` | Sets pod's hostNetwork. Can be configured also with `global.hostNetwork` |
 | super-agent-deployment.image | object | See `values.yaml` | Image for the New Relic Super Agent |
 | super-agent-deployment.image.pullSecrets | list | `[]` | The secrets that are needed to pull images from a custom registry. |
+| super-agent-deployment.l1IdentityClientId | string | `""` | L1 identity client_id to use. |
+| super-agent-deployment.l1IdentityClientSecret | string | `""` | L1 identity client_secret to use. |
 | super-agent-deployment.labels | object | `{}` | Additional labels for chart objects. Can be configured also with `global.labels` |
 | super-agent-deployment.licenseKey | string | `""` | This set this license key to use. Can be configured also with `global.licenseKey` |
 | super-agent-deployment.nodeSelector | object | `{}` | Sets pod's node selector. Can be configured also with `global.nodeSelector` |

diff --git a/charts/super-agent/README.md.gotmpl b/charts/super-agent/README.md.gotmpl
@@ -31,6 +31,33 @@ means that it honors a wide range of defaults and globals common to most New Rel
 Options that can be defined globally include `affinity`, `nodeSelector`, `tolerations`, `proxy` and others. The full list can be found at
 [user's guide of the common library](https://github.com/newrelic/helm-charts/blob/master/library/common-library/README.md).
 
+## Test custom agentTypes
+
+In order to test custom agentTypes is possible to leverage `extraVolumeMounts` and `extraVolumes` once you have created the configMap in the namespace.
+
+You can run the following commands to create in the newrelic namespace a configMap containing a dynamic agentType:
+```bash
+$ kubectl create configmap dynamic-agent --from-file=dynamic-agent-type=./local/values-dynamic-agent-type.yaml -n default
+```
+
+Then you can mount such agentType leveraging extra volumes in the values.yaml
+```yaml
+super-agent-deployment:
+# [...]
+  extraVolumeMounts:
+    - name: dynamic
+      mountPath: /etc/newrelic-super-agent/dynamic-agent-type.yaml
+      subPath: dynamic-agent-type.yaml
+      readOnly: true
+  extraVolumes:
+    - name: dynamic
+      configMap:
+        name: dynamic-agent
+        items:
+          - key: dynamic-agent-type
+            path: dynamic-agent-type.yaml
+```
+
 ## Chart particularities
 
 > **TODO:** Here is where you should add particularities for this chart like what does the chart do with the privileged and

diff --git a/charts/super-agent/charts/super-agent-deployment/Chart.yaml b/charts/super-agent/charts/super-agent-deployment/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart to install New Relic Super agent on Kubernetes
 
 type: application
 
-version: 0.0.29-beta
+version: 0.0.30-beta
 
 keywords:
   - newrelic

diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl
@@ -283,3 +283,100 @@ value is provided, it defaults to `""` (empty string) so this helper can be used
   {{- /* Empty string */ -}}
 {{- end -}}
 {{- end -}}
+
+{{/* check if both L1 ClientID and ClientSecret are provided */}}
+{{- define "newrelic-super-agent.auth.l1Identity" -}}
+{{- if and (include "newrelic-super-agent.auth.l1IdentityClientId" .) (include "newrelic-super-agent.auth.l1IdentityClientSecret" .) -}}
+    true
+{{- end -}}
+{{- end -}}
+
+{{/* return L1 ClientID */}}
+{{- define "newrelic-super-agent.auth.l1IdentityClientId" -}}
+{{- if .Values.l1IdentityClientId -}}
+  {{- .Values.l1IdentityClientId -}}
+{{- end -}}
+{{- end -}}
+
+{{/* return L1 ClientSecret */}}
+{{- define "newrelic-super-agent.auth.l1IdentityClientSecret" -}}
+{{- if .Values.l1IdentityClientSecret -}}
+  {{- .Values.l1IdentityClientSecret -}}
+{{- end -}}
+{{- end -}}
+
+{{- /*
+Return to which endpoint should the super agent register its system identity
+*/ -}}
+{{- define "newrelic-super-agent.config.endpoints.systemIdentityCreation" -}}
+{{- $region := include "newrelic.common.region" . -}}
+
+{{- if eq $region "Staging" -}}
+  https://ng-iam-service.staging-service.nr-ops.net/system-identity/graphql
+{{- else if eq $region "EU" -}}
+  https://ng-iam-service.service.eu.nr-ops.net/system-identity/graphql
+{{- else if eq $region "US" -}}
+  https://ng-iam-service.service.nr-ops.net/system-identity/graphql
+{{- else if eq $region "Local" -}}
+  {{- /* Accessing the value directly without protection. A developer should now how to read the error. */ -}}
+  {{ .Values.development.backend.systemIdentityCreation }}
+{{- else -}}
+  {{- fail "Unknown/unsupported region set for this chart" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name key for the ClientId Key inside the secret.
+*/}}
+{{- define "newrelic-super-agent.auth.l1IdentityCredentialsKey.clientIdKeyName" -}}
+{{- include "newrelic-super-agent.auth.identityCredentialsL1._customClientIdKey" . | default "clientIdKey" -}}
+{{- end -}}
+
+{{/*
+Return the name key for the ClientSecret Key inside the secret.
+*/}}
+{{- define "newrelic-super-agent.auth.l1IdentityCredentialsKey.clientSecretKeyName" -}}
+{{- include "newrelic-super-agent.auth.identityCredentialsL1._customClientSecretKey" . | default "clientSecretKey" -}}
+{{- end -}}
+
+{{/*
+Return the name of the secret holding the clientdId and ClientSecret
+*/}}
+{{- define "newrelic-super-agent.auth.customl1IdentitySecretName" -}}
+{{- if .Values.customL1IdentitySecretName -}}
+  {{- .Values.customL1IdentitySecretName -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name key for the ClientID inside the secret.
+*/}}
+{{- define "newrelic-super-agent.auth.identityCredentialsL1._customClientIdKey" -}}
+{{- if .Values.customL1IdentityClientIdSecretKey -}}
+  {{- .Values.customL1IdentityClientIdSecretKey -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name key for the ClientSecret inside the secret.
+*/}}
+{{- define "newrelic-super-agent.auth.identityCredentialsL1._customClientSecretKey" -}}
+{{- if .Values.customL1IdentityClientSecretSecretKey -}}
+  {{- .Values.customL1IdentityClientSecretSecretKey -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Return the generated secret name for the CliendId and ClientSecret*/}}
+{{- define "newrelic.common.userKey.generatedSecretName" -}}
+{{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "preinstall-user-key" ) }}
+{{- end -}}
+
+{{/* Return the custom secret name for the CliendId and ClientSecret with fallback to the generated one */}}
+{{- define "newrelic-super-agent.auth.identityCredentialsSecretName" -}}
+{{- $default := include "newrelic-super-agent.auth.generatedIdentityCredentialsSecretName" . -}}
+{{- include "newrelic-super-agent.auth.customl1IdentitySecretName" . | default $default -}}
+{{- end -}}
+
+{{- define "newrelic-super-agent.auth.generatedIdentityCredentialsSecretName" -}}
+{{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "preinstall-client-credentials" ) }}
+{{- end -}}