From 689f2808679fa2c7a6397329ba0445adcafce030 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Wed, 24 Jul 2024 13:22:08 +0200 Subject: [PATCH 01/16] Add systemd identity creation and registration to the chart --- charts/super-agent/Chart.lock | 6 +- charts/super-agent/Chart.yaml | 4 +- .../charts/super-agent-deployment/Chart.yaml | 2 +- .../templates/_helpers.tpl | 221 +++++++++++++++--- .../templates/_temporary_helpers.tpl | 14 ++ .../templates/configmap-subagent-configs.yaml | 6 +- .../templates/deployment-superagent.yaml | 34 +-- ...einstall-job-register-system-identity.yaml | 18 +- .../templates/rbac.yaml | 6 +- .../templates/secret-sa-auth.yaml | 13 ++ .../templates/uninstall-job.yaml | 17 +- .../tests/auth_secret_test.yaml | 107 +++++++++ .../tests/configmap_fleet_configs_test.yaml | 6 +- .../configmap_superagent_config_test.yaml | 33 ++- ...ment_superagent_subagent_configs_test.yaml | 13 +- charts/super-agent/values.yaml | 72 +++--- 16 files changed, 470 insertions(+), 102 deletions(-) create mode 100644 charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl create mode 100644 charts/super-agent/charts/super-agent-deployment/templates/secret-sa-auth.yaml create mode 100644 charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml diff --git a/charts/super-agent/Chart.lock b/charts/super-agent/Chart.lock index 5c68948d4..06d46d626 100644 --- a/charts/super-agent/Chart.lock +++ b/charts/super-agent/Chart.lock @@ -4,9 +4,9 @@ dependencies: version: 2.13.0 - name: super-agent-deployment repository: "" - version: 0.0.23-beta + version: 0.0.24-beta - name: common-library repository: https://helm-charts.newrelic.com version: 1.2.0 -digest: sha256:2d08c8a6be0be9f173c1ddd88fc992e80515e7cc2cb6bb7f93922c4ec96be7c9 -generated: "2024-09-10T23:50:31.41332+02:00" +digest: sha256:086b41600ab3d223dad41b20b0bec3952efef31df0f8971aa604b67e662a3a2d +generated: "2024-09-17T10:06:43.19037+02:00" 
diff --git a/charts/super-agent/Chart.yaml b/charts/super-agent/Chart.yaml index 1ce823f6e..a2ab0ad9b 100644 --- a/charts/super-agent/Chart.yaml +++ b/charts/super-agent/Chart.yaml @@ -3,7 +3,7 @@ name: super-agent description: Bootstraps New Relic' Super Agent type: application -version: 0.0.19-beta +version: 0.0.20-beta dependencies: - name: flux2 @@ -11,7 +11,7 @@ dependencies: version: 2.13.0 condition: flux2.enabled - name: super-agent-deployment - version: 0.0.23-beta + version: 0.0.24-beta condition: super-agent-deployment.enabled # The following dependency is needed as sub-dependency of super-agent-deployment - name: common-library diff --git a/charts/super-agent/charts/super-agent-deployment/Chart.yaml b/charts/super-agent/charts/super-agent-deployment/Chart.yaml index eed9cbd31..f55eaaec9 100644 --- a/charts/super-agent/charts/super-agent-deployment/Chart.yaml +++ b/charts/super-agent/charts/super-agent-deployment/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart to install New Relic Super agent on Kubernetes type: application -version: 0.0.23-beta +version: 0.0.24-beta keywords: - newrelic diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index 56bd29b08..d05b82022 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl 
@@ -2,19 +2,76 @@ Return the name of the configMap holding the Super Agent's config. Defaults to release's fill name suffiexed with "-config" */ -}} {{- define "newrelic-super-agent.config.name" -}} -{{- (include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" "local-data" "suffix" "superagent-config" )) -}} +{{- include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" "local-data" "suffix" "superagent-config" ) -}} {{- end -}} + + +{{- /* +Return the agents part that should go in the super agent config. It is created from `.Values.config.subAgents`. +*/ -}} +{{- define "newrelic-super-agent.config.agents.yaml" -}} +{{- if (.Values.config).subAgents -}} +{{- $agents := dict -}} +{{- range $subAgentName, $subAgentConfig := (.Values.config).subAgents -}} + {{- if not $subAgentConfig.type -}} + {{- fail (printf "Agent %s does not have agent type" $subAgentName) -}} + {{- end -}} + {{- $_ := dict $subAgentName (dict "agent_type" $subAgentConfig.type "content" $subAgentConfig.content) | mustMerge $agents -}} +{{- end -}} +{{- $agents | toYaml -}} +{{- else -}} +{{- /* Default agents for Kubernetes */ -}} +open-telemetry: + type: newrelic/io.opentelemetry.collector:0.2.0 + content: + chart_values: + licenseKey: ${nr-env:NR_LICENSE_KEY} + cluster: ${nr-env:NR_CLUSTER_NAME} +{{- end -}} +{{- end -}} + + + +{{- /* +Return to which endpoint should the super agent connect to get opamp data +*/ -}} +{{- define "newrelic-super-agent.config.endpoints.opamp" -}} +{{- $region := include "newrelic.common.region" . -}} + +{{- if eq $region "Staging" -}} + https://opamp.staging-service.newrelic.com/v1/opamp +{{- else if eq $region "EU" -}} + https://opamp.service.eu.newrelic.com/v1/opamp +{{- else if eq $region "US" -}} + https://opamp.service.newrelic.com/v1/opamp +{{- else if eq $region "Local" -}} + {{- /* Accessing the value directly without protection. A developer should now how to read the error. 
*/ -}} + {{ .Values.development.backend.opamp }} +{{- else -}} + {{- fail "Unknown/unsupported region set for this chart" -}} +{{- end -}} +{{- end -}} + + + {{- /* Return to which endpoint should the super agent ask to renew its token */ -}} {{- define "newrelic-super-agent.config.endpoints.tokenRenewal" -}} -{{- if include "newrelic.common.nrStaging" . -}} +{{- $region := include "newrelic.common.region" . -}} + +{{- if eq $region "Staging" -}} https://system-identity-oauth.staging-service.newrelic.com/oauth2/token -{{- else if .Values.euEndpoints -}} +{{- else if eq $region "EU" -}} + https://system-identity-oauth.service.eu.newrelic.com/oauth2/token +{{- else if eq $region "US" -}} https://system-identity-oauth.service.newrelic.com/oauth2/token +{{- else if eq $region "Local" -}} + {{- /* Accessing the value directly without protection. A developer should now how to read the error. */ -}} + {{ .Values.development.backend.tokenRenewal }} {{- else -}} - https://system-identity-oauth.service.newrelic.com/oauth2/token + {{- fail "Unknown/unsupported region set for this chart" -}} {{- end -}} {{- end -}} 
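Review bot: `newrelic-super-agent.config.agents.yaml` emits two different key names for the agent type: the loop over `.Values.config.subAgents` writes `agent_type`, while the built-in open-telemetry default writes `type`. The default removed from values.yaml used `agent_type` and the updated unit tests expect `type`, so one of the two branches presumably renders a config the super agent does not parse; pick one key and use it in both. A short comment on the default block would also help, stating that the `${nr-env:...}` placeholders appear to be resolved by the agent from its environment at runtime rather than by Helm.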
@@ -24,12 +81,19 @@ Return to which endpoint should the super agent ask to renew its token Return to which endpoint should the super agent register its system identity */ -}} {{- define "newrelic-super-agent.config.endpoints.systemIdentityRegistration" -}} -{{- if include "newrelic.common.nrStaging" . -}} +{{- $region := include "newrelic.common.region" . -}} + +{{- if eq $region "Staging" -}} https://staging-api.newrelic.com/graphql -{{- else if .Values.euEndpoints -}} +{{- else if eq $region "EU" -}} https://api.eu.newrelic.com/graphql -{{- else -}} +{{- else if eq $region "US" -}} https://api.newrelic.com/graphql +{{- else if eq $region "Local" -}} + {{- /* Accessing the value directly without protection. A developer should now how to read the error. */ -}} + {{ .Values.development.backend.systemIdentityRegistration }} +{{- else -}} + {{- fail "Unknown/unsupported region set for this chart" -}} {{- end -}} {{- end -}} 
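Review bot: The `Local` branch renders `.Values.development.backend.systemIdentityRegistration` as-is, and the registration Job sends its `API-Key` header to whatever URL this helper returns. If `development.backend` exists but the key is missing or misspelled, the helper renders an empty string instead of failing. Wrapping it as `{{ required "development.backend.systemIdentityRegistration must be set when region is Local" .Values.development.backend.systemIdentityRegistration }}` stops the render with a readable error. The `opamp` and `tokenRenewal` helpers in the previous hunk have the same pattern.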
@@ -41,33 +105,28 @@ cluster name, licenses, and custom attributes */ -}} {{- define "newrelic-super-agent.config.content" -}} {{- /* -This snippet should execute always to block all unsupported features from the common-lirary that are not yet supported -by this chart. - -{{- /* -TODO: There are a lot of TODOs to be made in this chart yet and some of them are going to impact the YAML that holds +TODO: There are a lot of TODOs to be made in this chart yet and some of them are going to impact the YAML that holds the config. If you need a list of TODOs, just `grep TODO` on the `values.yaml` and look for things that are yet to be implemented. */ -}} -{{- $config := .Values.config.superAgent.content | default dict -}} -{{- $config = mustMergeOverwrite (dict "k8s" (dict "cluster_name" (include "newrelic.common.cluster" .))) $config -}} -{{- $config = mustMergeOverwrite (dict "k8s" (dict "namespace" .Release.Namespace)) $config -}} -{{- if .Values.config.superAgent.content -}} -{{- if .Values.config.superAgent.content.opamp -}} -{{- if .Values.config.auth }} +{{- $opamp := (dict "endpoint" (include "newrelic-super-agent.config.endpoints.opamp" .)) -}} +{{- $k8s := (dict "cluster_name" (include "newrelic.common.cluster" .) "namespace" .Release.Namespace) -}} + {{- if .Values.config.auth.enabled -}} -{{- $opamp := (dict "opamp" (dict "auth_config" (dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key"))) -}} -{{- $_ := $opamp | mustMergeOverwrite $config -}} -{{- end -}} -{{- end -}} -{{- end -}} + {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) 
"provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} + {{- $_ := mustMerge $opamp (dict "auth_config" $auth_config) -}} {{- end -}} +{{- $config := dict "opamp" $opamp "k8s" $k8s "agents" (include "newrelic-super-agent.config.agents.yaml" . | fromYaml) -}} + +{{- $_ := deepCopy (.Values.config.superAgent.content | default dict) | mustMergeOverwrite $config -}} {{- $config | toYaml -}} {{- end -}} + + {{- /* These are the defaults that are used for all the containers in this chart */ -}} {{- define "newrelic-super-agent.securityContext.containerDefaults" -}} runAsUser: 1000 @@ -76,6 +135,8 @@ allowPrivilegeEscalation: false readOnlyRootFilesystem: true {{- end -}} + + {{- /* Allow to change pod defaults dynamically */ -}} {{- define "newrelic-super-agent.securityContext.container" -}} {{- $defaults := fromYaml ( include "newrelic-super-agent.securityContext.containerDefaults" . ) -}} @@ -90,8 +151,6 @@ readOnlyRootFilesystem: true - - {{- /* Return .Values.config.auth.organizationId and fails if it does not exists */ -}} 
@@ -105,8 +164,116 @@ Return .Values.config.auth.organizationId and fails if it does not exists {{- /* -Releases with "-auth" suffix. +Check if .Values.config.auth.secret.name exists and use it to name auth' secret. If it does not exist, fallback to the name +of the releases with "-auth" suffix. */ -}} {{- define "newrelic-super-agent.auth.secret.name" -}} - {{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "auth") }} +{{- $secretName := ((((.Values.config).auth).secret).name) -}} +{{- if $secretName -}} + {{- $secretName -}} +{{- else -}} + {{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "auth" ) }} +{{- end -}} +{{- end -}} + + + +{{- /* +Helper to toggle the creation of the job that creates and registers the system identity. +*/ -}} +{{- define "newrelic-super-agent.auth.secret.shouldRunJob" -}} +{{- $privateKey := include "newrelic-super-agent.auth.secret.privateKey.data" . -}} +{{- $clientId := include "newrelic-super-agent.auth.secret.clientId.data" . -}} + +{{- if and ((.Values.config).auth).enabled (((.Values.config).auth).secret).create (not $privateKey) (not $clientId) -}} + true +{{- end -}} +{{- end -}} + + + +{{- /* +Helper to toggle the creation of the secret that has the system identity as values. +*/ -}} +{{- define "newrelic-super-agent.auth.secret.shouldTemplate" -}} +{{- if and ((.Values.config).auth).enabled (((.Values.config).auth).secret).create -}} + {{- $privateKey := include "newrelic-super-agent.auth.secret.privateKey.data" . -}} + {{- $clientId := include "newrelic-super-agent.auth.secret.clientId.data" . 
-}} + + {{- if and $privateKey $clientId -}} + true + {{- else if or $privateKey $clientId -}} + {{- fail "If you provide your own system identity data you have to provide both private key and client id" -}} + {{- end -}} +{{- end -}} +{{- end -}} + + + +{{- /* +Check if .Values.config.auth.secret.private_key.secret_key exists and use it for the key in the secret contaning the private +key needed for the system identity. Fallbacks to `private_key`. +*/ -}} +{{- define "newrelic-super-agent.auth.secret.privateKey.key" -}} +{{- $key := (((((.Values.config).auth).secret).private_key).secret_key) -}} +{{- if $key -}} + {{- $key -}} +{{- else -}} + private_key +{{- end -}} +{{- end -}} + + + +{{- /* +Check if .Values.config.auth.secret.private_key.(plain_pem or base64_pem) exists and use it for as the private certificate for +auth. If no ceritifcate is provided, it defaults to `""` (empty string) so this helper can be used directly as a test. +*/ -}} +{{- define "newrelic-super-agent.auth.secret.privateKey.data" -}} +{{- $plain_pem := (((((.Values.config).auth).secret).private_key).plain_pem) -}} +{{- $base64_pem := (((((.Values.config).auth).secret).private_key).base64_pem) -}} +{{- if and $plain_pem $base64_pem -}} + {{- fail "Only one of base64_pem or plain_pem should be provided it you want to provide your own certificate." -}} +{{- else if $base64_pem -}} + {{- $base64_pem }} +{{- else if $plain_pem -}} + {{- $plain_pem | b64enc -}} +{{- else -}} + {{- /* Empty string */ -}} +{{- end -}} +{{- end -}} + + + +{{- /* +Check if .Values.config.auth.secret.client_id.secret_key exists and use it for the key in the secret containing the client id +needed for the system identity. Fallbacks to `client_id`. 
+*/ -}} +{{- define "newrelic-super-agent.auth.secret.clientId.key" -}} +{{- $key := (((((.Values.config).auth).secret).client_id).secret_key) -}} +{{- if $key -}} + {{- $key -}} +{{- else -}} + CLIENT_ID +{{- end -}} +{{- end -}} + + + +{{- /* +Check if .Values.config.auth.secret.client_id.(plain or base64) exists and use it for as the client id for auth. If no +value is provided, it defaults to `""` (empty string) so this helper can be used directly as a test. +*/ -}} +{{- define "newrelic-super-agent.auth.secret.clientId.data" -}} +{{- $plain := (((((.Values.config).auth).secret).client_id).plain) -}} +{{- $base64 := (((((.Values.config).auth).secret).client_id).base64) -}} +{{- if and $plain $base64 -}} + {{- fail "Only one of base64 or plain should be provided it you want to provide your own client id." -}} +{{- else if $base64 -}} + {{- $base64 }} +{{- else if $plain -}} + {{- $plain | b64enc -}} +{{- else -}} + {{- /* Empty string */ -}} +{{- end -}} {{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl new file mode 100644 index 000000000..1b7121276 --- /dev/null +++ b/charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl @@ -0,0 +1,14 @@ +{{- /* + Auxiliary template until the PR that add these helpers to the common library are merged. +*/ -}} +{{- define "newrelic.common.apiKey.secretName" -}} +api-key-secret +{{- end -}} + +{{- define "newrelic.common.apiKey.secretKeyName" -}} +a-secret-key +{{- end -}} + +{{- define "newrelic.common.region" -}} +US +{{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/configmap-subagent-configs.yaml b/charts/super-agent/charts/super-agent-deployment/templates/configmap-subagent-configs.yaml index ea03ff1c2..cf12cea3e 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/configmap-subagent-configs.yaml 
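Review bot: `newrelic-super-agent.auth.secret.privateKey.data` takes the private key from `config.auth.secret.private_key.plain_pem` / `base64_pem`, so the key travels in chart values: it sits in whichever values file or `--set` argument supplied it and in the release record Helm stores in the cluster. The helpers already appear to support `secret.create: false` together with `secret.name`, and the helper comment and values.yaml should state that pointing at a pre-created Secret is the preferred way to bring your own identity, with the inline fields as a convenience. `{{- $base64_pem }}` and `{{- $base64 }}` are also passed through unchecked, so a value that is not valid base64 only fails when the Secret is applied, which is worth a comment on both `*.data` helpers.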
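Review bot: `newrelic.common.region` is hard-coded to `US`, so the `Staging`, `EU` and `Local` branches of the three endpoint helpers are unreachable and every install registers its identity and renews tokens against the US endpoints. This patch also removes `euEndpoints` from values.yaml while `nrStaging` stays documented, so EU and staging users lose endpoint selection without any render-time error. Until the common-library helpers land, derive the region in this stub from the existing values or `fail` when a non-US setting is detected. The `apiKey` stubs have a similar problem: the Job's `secretKeyRef` will point at a Secret named `api-key-secret` with key `a-secret-key`, which nothing visible in this patch creates.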
+++ b/charts/super-agent/charts/super-agent-deployment/templates/configmap-subagent-configs.yaml @@ -1,4 +1,4 @@ -{{- range $subAgentName, $subAgentConfig := .Values.config.subAgents -}} +{{- range $subAgentName, $subAgentConfig := (include "newrelic-super-agent.config.agents.yaml" . | fromYaml) -}} {{- $name := include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" "local-data" "suffix" $subAgentName) }} --- kind: ConfigMap @@ -10,6 +10,10 @@ metadata: subagent: {{ $subAgentName }} apiVersion: v1 data: +{{- if not $subAgentConfig.content }} + local_config: "" +{{- else }} local_config: | {{- $subAgentConfig.content | toYaml | nindent 4 }} {{- end }} +{{- end }} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml index 57fd8554c..34711c4ab 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml 
@@ -12,6 +12,15 @@ spec: template: metadata: annotations: + {{/* TODO: This hash is not reliable anymore. The identity is being generated/patched by a job. + With the introduction of this job, this charts is not configurable/instalable with ArgoCD/Flux as the reconcile loop + will empty the secret that the job has filled. + + We need the config to be splitable somehow or leave another orphan object on the cluster. + + This comment (and the mechanisim added in the PR when we left this comment) block the automatic upgrade feature. + + See: charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml */ -}} checksum/agent-config: {{ include (print $.Template.BasePath "/configmap-superagent-config.yaml") . | sha256sum }} checksum/subagent-config: {{ include (print $.Template.BasePath "/configmap-subagent-configs.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} @@ -55,14 +64,12 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: - {{- if .Values.config.auth }} - {{- if .Values.config.auth.enabled }} + {{- if ((.Values.config).auth).enabled }} - name: NR_SA_OPAMP__AUTH_CONFIG__CLIENT_ID valueFrom: secretKeyRef: name: {{ include "newrelic-super-agent.auth.secret.name" . }} - key: CLIENT_ID - {{- end }} + key: {{ include "newrelic-super-agent.auth.secret.clientId.key" . }} {{- end }} - name: NR_LICENSE_KEY valueFrom: @@ -71,7 +78,7 @@ spec: key: {{ include "newrelic.common.license.secretKeyName" . }} - name: NR_CLUSTER_NAME value: {{ include "newrelic.common.cluster" . }} - {{- if .Values.config.superAgent.content.opamp }} + {{- if (((.Values.config).superAgent).content).opamp }} - name: NR_SA_OPAMP__HEADERS__API-KEY valueFrom: secretKeyRef: 
@@ -91,15 +98,15 @@ spec: - name: super-agent-config mountPath: /etc/newrelic-super-agent readOnly: true - # TODO: when releasing we should check if this is still needed and if we need to persist the data. + # TODO: when releasing we should check if this is still needed and/or if we need to persist the data. - mountPath: /var/lib/newrelic-super-agent name: var-lib-newrelic-super-agent readOnly: false - {{- if .Values.config.auth }} - {{- if .Values.config.auth.enabled }} + {{- if ((.Values.config).auth).enabled }} - name: auth-secret-private-key - mountPath: "/etc/newrelic-super-agent/keys" - {{- end }} + mountPath: "/etc/newrelic-super-agent/keys/from-secret.key" + subPath: {{ include "newrelic-super-agent.auth.secret.privateKey.key" . }} + readOnly: true {{- end }} {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 12 }} @@ -116,16 +123,11 @@ spec: path: config.yaml - name: var-lib-newrelic-super-agent emptyDir: {} - {{- if .Values.config.auth }} - {{- if .Values.config.auth.enabled }} + {{- if ((.Values.config).auth).enabled }} - name: auth-secret-private-key secret: secretName: {{ include "newrelic-super-agent.auth.secret.name" . }} - items: - - key: private_key - path: from-secret.key {{- end }} - {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml index c916e3d81..c1bed9c0d 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml 
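Review bot: Mounting the private key with `subPath` means the container never sees later updates to the Secret, because Kubernetes does not refresh subPath mounts. The checksum annotations cover only the two ConfigMaps, so a rotated or re-registered identity is not picked up until the pod is restarted by other means. Either mount the volume as a directory and keep an `items` entry in the `@@ -116,16 +123,11 @@` hunk that projects the key selected by `newrelic-super-agent.auth.secret.privateKey.key` to `from-secret.key`, or document the limitation next to the mount: `# subPath mounts are not refreshed; restart the pod after rotating the identity secret`.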
@@ -1,5 +1,4 @@ -{{- if .Values.config.auth -}} -{{- if and .Values.config.auth.enabled .Values.config.auth.secret.create -}} +{{- if include "newrelic-super-agent.auth.secret.shouldRunJob" . -}} apiVersion: batch/v1 kind: Job metadata: @@ -13,10 +12,16 @@ spec: template: spec: restartPolicy: Never - serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }}-auth + serviceAccountName: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.serviceAccount.name" .) "suffix" "auth" ) }} containers: - name: register-system-identity image: alpine + env: + - name: API_KEY + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.apiKey.secretName" . }} + key: {{ include "newrelic.common.apiKey.secretKeyName" . }} command: - ash args: @@ -46,7 +51,7 @@ spec: curl \ -s -w "%{http_code}" \ -H "Content-Type: application/json" \ - -H "API-Key: {{ .Values.config.auth.userApiKey }}" \ + -H "API-Key: $API_KEY" \ -o "$TEMPORAL_FOLDER/response.json" \ --data @- \ "{{ include "newrelic-super-agent.config.endpoints.systemIdentityRegistration" . }}" @@ -111,9 +116,9 @@ subjects: - kind: ServiceAccount name: {{ include "newrelic.common.serviceAccount.name" . }}-auth namespace: {{ .Release.Namespace }} -{{- end -}} +{{- end }} -{{ if include "newrelic.common.serviceAccount.create" . }} +{{- if include "newrelic.common.serviceAccount.create" . }} --- apiVersion: v1 kind: ServiceAccount @@ -130,4 +135,3 @@ metadata: namespace: {{ .Release.Namespace }} {{- end -}} {{- end -}} -{{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/rbac.yaml b/charts/super-agent/charts/super-agent-deployment/templates/rbac.yaml index b53af418a..cd939c717 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/rbac.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/rbac.yaml 
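Review bot: The Job's `serviceAccountName` is now built with `newrelic.common.naming.truncateToDNSWithSuffix`, but the binding subject in the `@@ -111,9 +116,9 @@` hunk still uses `{{ include "newrelic.common.serviceAccount.name" . }}-auth`. For names long enough to be truncated the two strings diverge, and the Job then runs under a service account that has no binding or does not exist; use the same expression in both places and in the ServiceAccount metadata, which lies outside these hunks. Separately, the container that now receives `API_KEY` still runs `image: alpine` with no tag or digest. Pin it to a fixed version or digest, as the TODO added to the uninstall job already asks for `bitnami/kubectl`.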
@@ -11,7 +11,7 @@ rules: - apiGroups: - source.toolkit.fluxcd.io - helm.toolkit.fluxcd.io - resources: ["*"] + resources: [ "*" ] verbs: - get - list @@ -31,7 +31,7 @@ metadata: namespace: {{ .Release.Namespace }} rules: - apiGroups: [ "" ] - resources: ["configmaps"] + resources: [ "configmaps" ] verbs: - get - list @@ -41,7 +41,7 @@ rules: - patch - update - apiGroups: [ "" ] - resources: ["namespaces"] + resources: [ "namespaces" ] verbs: - get - apiGroups: [ "apps" ] diff --git a/charts/super-agent/charts/super-agent-deployment/templates/secret-sa-auth.yaml b/charts/super-agent/charts/super-agent-deployment/templates/secret-sa-auth.yaml new file mode 100644 index 000000000..206058082 --- /dev/null +++ b/charts/super-agent/charts/super-agent-deployment/templates/secret-sa-auth.yaml @@ -0,0 +1,13 @@ +{{- if include "newrelic-super-agent.auth.secret.shouldTemplate" . -}} +--- +kind: Secret +metadata: + name: {{ include "newrelic-super-agent.auth.secret.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} +apiVersion: v1 +data: + {{ include "newrelic-super-agent.auth.secret.privateKey.key" . }}: {{ include "newrelic-super-agent.auth.secret.privateKey.data" . }} + {{ include "newrelic-super-agent.auth.secret.clientId.key" . }}: {{ include "newrelic-super-agent.auth.secret.clientId.data" . }} +{{- end }} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/uninstall-job.yaml b/charts/super-agent/charts/super-agent-deployment/templates/uninstall-job.yaml index 6ee715cce..dc2e47318 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/uninstall-job.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/uninstall-job.yaml 
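Review bot: In secret-sa-auth.yaml both `data:` values are rendered unquoted, so a base64 string that YAML reads as another scalar type (digits only, for instance) reaches the API server as a non-string and the Secret is rejected. Quote both lines, e.g. `{{ include "newrelic-super-agent.auth.secret.privateKey.key" . }}: {{ include "newrelic-super-agent.auth.secret.privateKey.data" . | quote }}`. An explicit `type: Opaque` would help, as would a one-line comment that this template renders only when the user supplies both the key and the client id. In the other case the pre-install Job creates the Secret, and that split between the two paths is easy to miss.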
@@ -25,7 +25,7 @@ spec: serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }} containers: - name: delete-managed-resources - image: bitnami/kubectl + image: bitnami/kubectl # TODO: Pin version to the latest that we support. command: - bash args: @@ -42,8 +42,17 @@ spec: # Delete the CRs managed by the super-agent if the corresponding CRDs exist {{ range $i, $cr := $saCRList }} if kubectl api-resources -o name |grep {{ $cr }}; then - kubectl delete {{ $cr }} -n {{ $.Release.Namespace }} -l {{ $saResourcesLabelSelector }} + kubectl -n {{ $.Release.Namespace }} delete {{ $cr }} -l {{ $saResourcesLabelSelector }} fi - {{ end -}} - + {{ end }} + {{- if include "newrelic-super-agent.auth.secret.shouldRunJob" . }} + - name: delete-system-identity + image: bitnami/kubectl # TODO: Pin version to the latest that we support. + command: + - bash + args: + - -c + - | + kubectl -n {{ $.Release.Namespace }} delete secret {{ include "newrelic-super-agent.auth.secret.name" . }} + {{- end }} {{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml new file mode 100644 index 000000000..a6cbf8ba8 --- /dev/null +++ b/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml 
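Review bot: The new `delete-system-identity` container removes only the Kubernetes Secret; nothing visible in this patch revokes the identity that the pre-install Job registered, so the client id and key pair presumably stay valid at the backend after uninstall. If a deregistration call exists it belongs in this step, and otherwise a comment should tell operators to revoke the identity manually. `kubectl delete secret` also exits non-zero when the Secret is already gone, which fails the Job, so add `--ignore-not-found`. The Role rules visible in rbac.yaml cover configmaps and namespaces, so confirm that the service account used by this pod is allowed to delete secrets.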
@@ -0,0 +1,107 @@ +suite: test super agent deployment's auth configurations +templates: + - templates/secret-sa-auth.yaml + - templates/configmap-superagent-config.yaml + - templates/configmap-subagent-configs.yaml + - templates/deployment-superagent.yaml +release: + name: my-release + namespace: my-namespace + +tests: + - it: authSecret is created and mounted correctly by default + set: + cluster: test + config: + auth: + secret: + private_key: + base64_pem: dGVzdC1rZXk= + client_id: + base64: dGVzdC1rZXk= + asserts: + - template: templates/deployment-superagent.yaml + equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: super-agent-config + mountPath: /etc/newrelic-super-agent + readOnly: true + - mountPath: /var/lib/newrelic-super-agent + name: var-lib-newrelic-super-agent + readOnly: false + - mountPath: /etc/newrelic-super-agent/keys/from-secret.key + name: auth-secret-private-key + readOnly: true + subPath: private_key + - template: templates/deployment-superagent.yaml + equal: + path: spec.template.spec.volumes + value: + - name: super-agent-config + configMap: + name: local-data-super-agent + items: + - key: local_config + path: config.yaml + - name: var-lib-newrelic-super-agent + emptyDir: {} + - name: auth-secret-private-key + secret: + secretName: my-release-super-agent-deployment-auth + - template: templates/secret-sa-auth.yaml + equal: + path: metadata.name + value: my-release-super-agent-deployment-auth + - template: templates/secret-sa-auth.yaml + equal: + path: data.private_key + value: dGVzdC1rZXk= + - template: templates/secret-sa-auth.yaml + equal: + path: data.CLIENT_ID + value: dGVzdC1rZXk= + + - it: no mount and secret is created when auth is disabled + set: + cluster: test + config: + auth: + enable: false + asserts: + - template: templates/deployment-superagent.yaml + notContains: + path: spec.template.spec.containers[0].volumeMounts + value: + name: auth-secret-private-key + - template: 
templates/deployment-superagent.yaml + notContains: + path: spec.template.spec.volumes + value: + name: auth-secret-private-key + + - it: secre creation fails when you only provide private_key + set: + cluster: test + config: + auth: + secret: + private_key: + base64_pem: dGVzdC1rZXk= + asserts: + - template: templates/secret-sa-auth.yaml + failedTemplate: + errorMessage: If you provide your own system identity data you have to provide both private key and client id + + - it: secre creation fails when you only provide CLIENT_ID + set: + cluster: test + config: + auth: + secret: + client_id: + base64: dGVzdC1rZXk= + asserts: + - template: templates/secret-sa-auth.yaml + failedTemplate: + errorMessage: If you provide your own system identity data you have to provide both private key and client id diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml index 37f04b042..5c69788c8 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml @@ -12,21 +12,25 @@ tests: open-telemetry: null asserts: - hasDocuments: - count: 0 + count: 1 + - it: super agent's config template correctly set: config: subAgents: open-telemetry: null test-0: + type: org.newrelic/test:0.0.0 content: a: test value: 0 test-1: + type: org.newrelic/test:0.0.1 content: a: test value: 1 test-2: + type: org.newrelic/test:0.0.2 content: a: test aYAML: diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml index 06b995787..15fd642f4 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml 
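Review bot: In auth_secret_test.yaml the "auth is disabled" case sets `config.auth.enable: false`, but the templates read `config.auth.enabled`, so auth keeps its default and the disabled path is never exercised. The case still passes because both `notContains` assertions look for an element equal to `name: auth-secret-private-key` alone, which cannot match the real entries that also carry `mountPath`, `subPath` or `secret`. As far as I recall helm-unittest names that parameter `content` and offers `any: true` for partial matches, so check the assertion syntax as well. Change the key to `enabled: false` and add a `hasDocuments` assertion with `count: 0` for `templates/secret-sa-auth.yaml`, since the title also claims no Secret is created. Two test titles spell "secret" as "secre".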
+++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml @@ -24,10 +24,19 @@ tests: value: | agents: open-telemetry: - agent_type: newrelic/io.opentelemetry.collector:0.2.0 + content: + chart_values: + cluster: my-cluster + type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: my-cluster namespace: my-namespace + opamp: + auth_config: + private_key_path: /etc/newrelic-super-agent/keys/from-secret.key + provider: local + token_url: https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token + endpoint: https://opamp.service.newrelic.com/v1/opamp server: enabled: true - it: super agent's config templates @@ -44,10 +53,19 @@ tests: value: | agents: open-telemetry: - agent_type: newrelic/io.opentelemetry.collector:0.2.0 + content: + chart_values: + cluster: my-cluster + type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: my-cluster namespace: my-namespace + opamp: + auth_config: + private_key_path: /etc/newrelic-super-agent/keys/from-secret.key + provider: local + token_url: https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token + endpoint: https://opamp.service.newrelic.com/v1/opamp server: enabled: true test: value @@ -69,10 +87,19 @@ tests: value: | agents: open-telemetry: - agent_type: newrelic/io.opentelemetry.collector:0.2.0 + content: + chart_values: + cluster: my-cluster + type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: config-cluster namespace: config-namespace + opamp: + auth_config: + private_key_path: /etc/newrelic-super-agent/keys/from-secret.key + provider: local + token_url: https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token + endpoint: https://opamp.service.newrelic.com/v1/opamp server: enabled: true test: value 
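Review bot: The expected `token_url` in all three hunks of this file is `https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token`, which no branch of `newrelic-super-agent.config.endpoints.tokenRenewal` in this patch produces. With the region stub returning `US` the helper renders `https://system-identity-oauth.service.newrelic.com/oauth2/token`, so unless a value set outside these hunks overrides it the assertions fail against this commit. The fixture also pins a hostname that does not look like a public endpoint. The expected `agents` block drifts in the same way: it shows `type:` and no `licenseKey`, while the default in `_helpers.tpl` includes `licenseKey: ${nr-env:NR_LICENSE_KEY}`. Align the fixtures with what the helpers actually render.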
diff --git a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml index a432311de..3bcaaf8a6 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml @@ -14,14 +14,17 @@ tests: config: subAgents: test-0: + type: org.newrelic/test:0.0.0 content: a: test value: 0 test-1: + type: org.newrelic/test:0.0.1 content: a: test value: 1 test-2: + type: org.newrelic/test:0.0.2 content: a: test aYAML: @@ -37,6 +40,10 @@ tests: - mountPath: /var/lib/newrelic-super-agent name: var-lib-newrelic-super-agent readOnly: false + - mountPath: /etc/newrelic-super-agent/keys/from-secret.key + name: auth-secret-private-key + readOnly: true + subPath: private_key - template: templates/deployment-superagent.yaml equal: path: spec.template.spec.volumes @@ -49,6 +56,6 @@ tests: path: config.yaml - name: var-lib-newrelic-super-agent emptyDir: {} - - - + - name: auth-secret-private-key + secret: + secretName: my-release-super-agent-deployment-auth diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index ed762ac42..fe8cdfe98 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml 
@@ -10,13 +10,13 @@ super-agent-deployment: # you know what you are going. enabled: true - # -- TODO: Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. + # -- Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. cluster: "" - # -- TODO: This set this license key to use. Can be configured also with `global.licenseKey` + # -- This set this license key to use. Can be configured also with `global.licenseKey` licenseKey: "" - # -- TODO: In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` + # -- In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` customSecretName: "" - # -- TODO: In case you don't want to have the license key in you values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey` + # -- In case you don't want to have the license key in you values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey` customSecretLicenseKey: "" # -- Image for the New Relic Super Agent @@ -94,10 +94,6 @@ super-agent-deployment: # @default -- `false` nrStaging: - # -- (bool) Changes default endpoint to point to EU backend. - # @default -- `false` - euEndpoints: - fedramp: # -- (bool) TODO: Enables FedRAMP. Can be configured also with `global.fedramp.enabled` # @default -- `false` @@ -112,13 +108,6 @@ super-agent-deployment: cleanupManagedResources: true config: - auth: - enabled: false - organizationId: - userApiKey: - secret: - create: true - # -- Configuration for the Super Agent. # @default -- See `values.yaml` superAgent: 
@@ -127,10 +116,6 @@ super-agent-deployment: # -- Here you can set New Relic' Super Agent configuration. # @default -- See `values.yaml` for examples content: - agents: - open-telemetry: - agent_type: newrelic/io.opentelemetry.collector:0.2.0 - # opamp: # # TODO The endpoint should be set automatically based on the licenseKey and on the nrStaging option if opamp.enable=true # endpoint: https://opamp.service.newrelic.com/v1/opamp 
@@ -147,18 +132,43 @@ super-agent-deployment: # -- Values that the fleet is going to have in the deployment. # @default -- See `values.yaml` for examples subAgents: - # The values of the fleet depends on the deployment itself. Each subagent has a different set of variables so you have to go to the subagent documentation - # find the configuration needed for the subagent. - # - open-telemetry: - content: - # chart_version: "0.4.0" - chart_values: - licenseKey: ${nr-env:NR_LICENSE_KEY} - cluster: ${nr-env:NR_CLUSTER_NAME} - # TODO the following values are set twice in the config, we have to add some logic to improve UX either in the chart or in the agentType - # customSecretName: "" - # customSecretLicenseKey: "" + # The values of the fleet depends on the deployment itself. Each subagent has a different set of variables so you have to go to the subagent documentation + # find the configuration needed for the subagent. + # + # The example below, open-telemetry, is enabled by default if no subagent is set up. + # + # open-telemetry: + # type: newrelic/io.opentelemetry.collector:0.2.0 + # content: + # chart_version: "0.4.0" + # chart_values: + # # TODO the following values are set twice in the config, we have to add some logic to improve UX either in the chart or in the agentType + # cluster: "" + # licenseKey: "" + # customSecretName: "" + # customSecretLicenseKey: "" + + auth: + enabled: true + organization_id: + secret: + create: true + # -- Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret + # will have. + # @default -- release name suffixed with "-auth" + name: + private_key: + # -- Key inside the secret contaning the private key. + # @default -- `private_key` + secret_key: + base64_pem: + plain_pem: + client_id: + # -- Key inside the secret contaning the private key. + # @default -- `client_id` + secret_key: + base64: + plain: # -- Values for the Flux chat. 
Ref.: https://github.com/fluxcd-community/helm-charts/blob/flux2-2.10.2/charts/flux2/values.yaml From c8f6d8c71d02c1a7ac9cb391192fedb74e0ae628 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Wed, 24 Jul 2024 14:02:27 +0200 Subject: [PATCH 02/16] fix scripting issues --- .../templates/_helpers.tpl | 11 ++- ...einstall-job-register-system-identity.yaml | 8 +- .../templates/serviceaccount.yaml | 2 +- .../tests/auth_secret_test.yaml | 4 +- .../tests/configmap_fleet_configs_test.yaml | 9 +- .../configmap_superagent_config_test.yaml | 94 +++++++------------ .../tests/deployment_superagent_env_test.yaml | 32 +++---- charts/super-agent/ci/test-values.yaml | 3 + charts/super-agent/values.yaml | 4 +- 9 files changed, 75 insertions(+), 92 deletions(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index d05b82022..c86bfb7a3 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl @@ -14,7 +14,7 @@ Return the agents part that should go in the super agent config. It is created f {{- if (.Values.config).subAgents -}} {{- $agents := dict -}} {{- range $subAgentName, $subAgentConfig := (.Values.config).subAgents -}} - {{- if not $subAgentConfig.type -}} + {{- if not ($subAgentConfig).type -}} {{- fail (printf "Agent %s does not have agent type" $subAgentName) -}} {{- end -}} {{- $_ := dict $subAgentName (dict "agent_type" $subAgentConfig.type "content" $subAgentConfig.content) | mustMerge $agents -}} 
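Review bot: The new `config.auth.secret` block in values.yaml accepts key material inline (`private_key.base64_pem`, `private_key.plain_pem`, `client_id.base64`, `client_id.plain`), but none of these four fields has a `# --` comment, and the comment on `client_id.secret_key` repeats the private-key wording. Values supplied this way are kept with the Helm release record and tend to end up in values files under version control, so the documentation should steer users towards a pre-created secret (presumably `secret.create: false` plus `secret.name`) for anything but testing. Suggested comments: `# -- PEM private key for the system identity. Prefer an externally managed secret; inline values are stored with the Helm release.` on the PEM fields and `# -- Key inside the secret containing the client id.` on `client_id.secret_key`.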
@@ -155,10 +155,11 @@ readOnlyRootFilesystem: true Return .Values.config.auth.organizationId and fails if it does not exists */ -}} {{- define "newrelic-super-agent.auth.organizationId" -}} -{{- if not ((.Values.config).auth).organizationId -}} - {{- fail ".Values.config.auth.organizationId is required." -}} +{{- if ((.Values.config).auth).organizationId -}} + {{- .Values.config.auth.organizationId -}} +{{- else -}} + {{- fail ".config.auth.organizationId is required." -}} {{- end -}} -{{- .Values.config.auth.organizationId -}} {{- end -}} @@ -211,7 +212,7 @@ Helper to toggle the creation of the secret that has the system identity as valu {{- /* -Check if .Values.config.auth.secret.private_key.secret_key exists and use it for the key in the secret contaning the private +Check if .Values.config.auth.secret.private_key.secret_key exists and use it for the key in the secret containing the private key needed for the system identity. Fallbacks to `private_key`. */ -}} {{- define "newrelic-super-agent.auth.secret.privateKey.key" -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml index c1bed9c0d..12f19f5fe 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml @@ -5,6 +5,7 @@ metadata: annotations: helm.sh/hook: pre-install # TODO we cannot enable auth after installation, we should add pre-upgrade and check if the secret exists helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1005" name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "system-identity-installer" ) }} namespace: {{ .Release.Namespace }} spec: 
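Review bot: The `newrelic-super-agent.auth.organizationId` helper in the `@@ -155,10 +155,11 @@` hunk still reads `config.auth.organizationId`, while the values.yaml added earlier in this series declares the key as `organization_id`, so a user who fills in the documented key would still hit the `fail`. The CI values in this same patch set `organizationId: test`, which hides the mismatch from the pipeline. Unless the key is renamed elsewhere in the series, align one side, for example `{{- if ((.Values.config).auth).organization_id -}}` with the matching read on the next line, and name the same key in the error message.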
@@ -85,6 +86,7 @@ metadata: annotations: helm.sh/hook: pre-install helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1010" labels: {{- include "newrelic.common.labels" . | nindent 4 }} name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "auth") }} @@ -104,6 +106,7 @@ metadata: annotations: helm.sh/hook: pre-install helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1009" labels: {{- include "newrelic.common.labels" . | nindent 4 }} name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "auth") }} @@ -114,7 +117,7 @@ roleRef: name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "auth") }} subjects: - kind: ServiceAccount - name: {{ include "newrelic.common.serviceAccount.name" . }}-auth + name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.serviceAccount.name" .) "suffix" "auth" ) }} namespace: {{ .Release.Namespace }} {{- end }} @@ -126,12 +129,13 @@ metadata: annotations: helm.sh/hook: pre-install helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1010" {{- if include "newrelic.common.serviceAccount.annotations" . }} {{- include "newrelic.common.serviceAccount.annotations" . | nindent 4 }} {{- end }} labels: {{- include "newrelic.common.labels" . | nindent 4 }} - name: {{ include "newrelic.common.serviceAccount.name" . }}-auth + name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.serviceAccount.name" .) "suffix" "auth" ) }} namespace: {{ .Release.Namespace }} {{- end -}} {{- end -}} 
diff --git a/charts/super-agent/charts/super-agent-deployment/templates/serviceaccount.yaml b/charts/super-agent/charts/super-agent-deployment/templates/serviceaccount.yaml index b1e74523e..262350d8a 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/serviceaccount.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if include "newrelic.common.serviceAccount.create" . -}} +{{- if and (include "newrelic.common.serviceAccount.create" .) .Values.rbac.create -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml index a6cbf8ba8..0486f573a 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml @@ -72,12 +72,12 @@ tests: - template: templates/deployment-superagent.yaml notContains: path: spec.template.spec.containers[0].volumeMounts - value: + content: name: auth-secret-private-key - template: templates/deployment-superagent.yaml notContains: path: spec.template.spec.volumes - value: + content: name: auth-secret-private-key - it: secre creation fails when you only provide private_key diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml index 5c69788c8..734334fe3 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml 
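Review bot: The two `notContains` assertions in the auth_secret_test.yaml hunk compare whole list elements, so `content: {name: auth-secret-private-key}` cannot equal a real volumeMount or volume entry (those also carry `mountPath`/`subPath` or `secret`), and the test passes even if the private key is still mounted when auth is disabled. Add `any: true` to both assertions so that only the `name` field is matched, i.e. `any: true` as a sibling of `path:` and `content:`. Switching `value:` to `content:` fixes the schema but not this; the test case continues outside the hunk, so confirm against the rendered deployment.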
@@ -5,20 +5,19 @@ release: name: my-release namespace: my-namespace tests: - - it: default value can be overridden + - it: A malformed subAgent fail with a useful error message set: config: subAgents: open-telemetry: null asserts: - - hasDocuments: - count: 1 + - failedTemplate: + errorMessage: Agent open-telemetry does not have agent type - - it: super agent's config template correctly + - it: default value can be overridden set: config: subAgents: - open-telemetry: null test-0: type: org.newrelic/test:0.0.0 content: diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml index 15fd642f4..b47db6b32 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml @@ -13,32 +13,6 @@ tests: asserts: - hasDocuments: count: 0 - - it: super agent's config always include cluster_name, namespace and defaults - set: - cluster: my-cluster - config: - superAgent: {} - asserts: - - equal: - path: data["local_config"] - value: | - agents: - open-telemetry: - content: - chart_values: - cluster: my-cluster - type: newrelic/io.opentelemetry.collector:0.2.0 - k8s: - cluster_name: my-cluster - namespace: my-namespace - opamp: - auth_config: - private_key_path: /etc/newrelic-super-agent/keys/from-secret.key - provider: local - token_url: https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token - endpoint: https://opamp.service.newrelic.com/v1/opamp - server: - enabled: true - it: super agent's config templates set: cluster: my-cluster @@ -55,7 +29,8 @@ tests: open-telemetry: content: chart_values: - cluster: my-cluster + cluster: ${nr-env:NR_CLUSTER_NAME} + licenseKey: ${nr-env:NR_LICENSE_KEY} type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: my-cluster 
@@ -64,7 +39,7 @@ tests: auth_config: private_key_path: /etc/newrelic-super-agent/keys/from-secret.key provider: local - token_url: https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token + token_url: https://system-identity-oauth.service.newrelic.com/oauth2/token endpoint: https://opamp.service.newrelic.com/v1/opamp server: enabled: true @@ -89,7 +64,8 @@ tests: open-telemetry: content: chart_values: - cluster: my-cluster + cluster: ${nr-env:NR_CLUSTER_NAME} + licenseKey: ${nr-env:NR_LICENSE_KEY} type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: config-cluster 
@@ -98,38 +74,38 @@ tests: auth_config: private_key_path: /etc/newrelic-super-agent/keys/from-secret.key provider: local - token_url: https://system-identity-oauth.vip.cf.nr-ops.net/oauth2/token + token_url: https://system-identity-oauth.service.newrelic.com/oauth2/token endpoint: https://opamp.service.newrelic.com/v1/opamp server: enabled: true test: value test2: value2 - - it: super agent's config always include cluster_name, namespace and defaults - set: - cluster: my-cluster - config: - superAgent: - content: - opamp: - endpoint: https://opamp.service.eu.newrelic.com/v1/opamp - auth: - enabled: true - euEndpoints: true - asserts: - - equal: - path: data["local_config"] - value: | - agents: - open-telemetry: - agent_type: newrelic/io.opentelemetry.collector:0.2.0 - k8s: - cluster_name: my-cluster - namespace: my-namespace - opamp: - auth_config: - private_key_path: /etc/newrelic-super-agent/keys/from-secret.key - provider: local - token_url: https://system-identity-oauth.service.newrelic.com/oauth2/token - endpoint: https://opamp.service.eu.newrelic.com/v1/opamp - server: - enabled: true +# - it: super agent's config always include cluster_name, namespace, defaults and honor the EU endpoint. +# set: +# cluster: my-cluster +# config: +# superAgent: +# content: +# opamp: +# endpoint: https://opamp.service.eu.newrelic.com/v1/opamp +# auth: +# enabled: true +# euEndpoints: true +# asserts: +# - equal: +# path: data["local_config"] +# value: | +# agents: +# open-telemetry: +# agent_type: newrelic/io.opentelemetry.collector:0.2.0 +# k8s: +# cluster_name: my-cluster +# namespace: my-namespace +# opamp: +# auth_config: +# private_key_path: /etc/newrelic-super-agent/keys/from-secret.key +# provider: local +# token_url: https://system-identity-oauth.service.eu.newrelic.com/oauth2/token +# endpoint: https://opamp.service.eu.newrelic.com/v1/opamp +# server: +# enabled: true 
diff --git a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml index a2821bd25..9965fc177 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml @@ -12,9 +12,9 @@ tests: cluster: test licenseKey: fake-license asserts: - - equal: - path: spec.template.spec.containers[0].env[0] - value: + - contains: + path: spec.template.spec.containers[0].env + content: name: NR_LICENSE_KEY valueFrom: secretKeyRef: @@ -28,9 +28,9 @@ tests: customSecretName: "custom-secret" customSecretLicenseKey: "custom-key" asserts: - - equal: - path: spec.template.spec.containers[0].env[0] - value: + - contains: + path: spec.template.spec.containers[0].env + content: name: NR_LICENSE_KEY valueFrom: secretKeyRef: @@ -48,9 +48,9 @@ tests: opamp: endpoint: test asserts: - - equal: - path: spec.template.spec.containers[0].env[2] - value: + - contains: + path: spec.template.spec.containers[0].env + content: name: NR_SA_OPAMP__HEADERS__API-KEY valueFrom: secretKeyRef: @@ -69,9 +69,9 @@ tests: opamp: endpoint: test asserts: - - equal: - path: spec.template.spec.containers[0].env[2] - value: + - contains: + path: spec.template.spec.containers[0].env + content: name: NR_SA_OPAMP__HEADERS__API-KEY valueFrom: secretKeyRef: @@ -82,9 +82,9 @@ tests: set: cluster: test asserts: - - equal: - path: spec.template.spec.containers[0].env[1] - value: + - contains: + path: spec.template.spec.containers[0].env + content: name: NR_CLUSTER_NAME value: test - template: templates/deployment-superagent.yaml \ No newline at end of file + template: templates/deployment-superagent.yaml diff --git a/charts/super-agent/ci/test-values.yaml b/charts/super-agent/ci/test-values.yaml index f47bc9af8..424c20461 100644 
--- a/charts/super-agent/ci/test-values.yaml +++ b/charts/super-agent/ci/test-values.yaml @@ -1,3 +1,6 @@ super-agent-deployment: cluster: sa-cluster licenseKey: test + config: + auth: + organizationId: test diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index fe8cdfe98..c202b5dd0 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml @@ -158,13 +158,13 @@ super-agent-deployment: # @default -- release name suffixed with "-auth" name: private_key: - # -- Key inside the secret contaning the private key. + # -- Key inside the secret containing the private key. # @default -- `private_key` secret_key: base64_pem: plain_pem: client_id: - # -- Key inside the secret contaning the private key. + # -- Key inside the secret containing the private key. # @default -- `client_id` secret_key: base64: From 5be2f1b4adfdbc1a2d7adfc85a99c61b26cbc4e4 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Tue, 20 Aug 2024 16:48:15 +0200 Subject: [PATCH 03/16] fail installation/ upgrade if the server is not compatible --- charts/super-agent/templates/_helpers.tpl | 19 +++++++++++++++++++ .../templates/capabilities-tester.yaml | 1 + 2 files changed, 20 insertions(+) create mode 100644 charts/super-agent/templates/_helpers.tpl create mode 100644 charts/super-agent/templates/capabilities-tester.yaml diff --git a/charts/super-agent/templates/_helpers.tpl b/charts/super-agent/templates/_helpers.tpl new file mode 100644 index 000000000..f1b6c5f22 --- /dev/null +++ b/charts/super-agent/templates/_helpers.tpl 
@@ -0,0 +1,19 @@ +{{- define "newrelic-super-agent.capabilites-tester" -}} +{{- /* This variable is like this so renovate can in the future use regex to upgrade this (if possible) */ -}} +{{- /* Ref: https://github.com/fluxcd/flux2/blob/cc87ffd66e243fb85fc275792fa3708e44048048/cmd/flux/check.go#L62-L64 */ -}} +{{- /* The value above could change also if we have to create objects which API break (like Ingress on 1.24) */ -}} +{{- $minimumSupportedVersion := "1.28" -}} +{{- $minimumSupportedVersion = $minimumSupportedVersion | split "." -}} + +{{- $from_cluster_major := ((.Capabilities).KubeVersion).Major | int -}} +{{- $supported_major := $minimumSupportedVersion._0 | int -}} +{{- if not (eq $from_cluster_major $supported_major) -}} + {{- fail (printf "Breaking change in Kubernetes. We only support versions %s.xx" $supported_major) -}} +{{- end -}} + +{{- $from_cluster_minor := ((.Capabilities).KubeVersion).Minor | int -}} +{{- $supported_minor := $minimumSupportedVersion._1 | int -}} +{{- if gt $supported_minor $from_cluster_minor -}} + {{- fail (printf "Kuberentes version is not supported. Condition not met: %d.%d >= %d.%d" $from_cluster_major $from_cluster_minor $supported_major $supported_minor) -}} +{{- end -}} +{{- end -}} diff --git a/charts/super-agent/templates/capabilities-tester.yaml b/charts/super-agent/templates/capabilities-tester.yaml new file mode 100644 index 000000000..e32b9ff9c --- /dev/null +++ b/charts/super-agent/templates/capabilities-tester.yaml @@ -0,0 +1 @@ +{{- include "newrelic-super-agent.capabilites-tester" . -}} \ No newline at end of file From f50e2710c7baac3373d1302bb40f96be9c2edd4b Mon Sep 17 00:00:00 2001 
From: Juan Manuel Perez Date: Mon, 26 Aug 2024 11:56:00 +0200 Subject: [PATCH 04/16] add opamp enable, verboseLog and fail if cluster does not meet requirements --- .../templates/_helpers.tpl | 26 +++++++++++++++---- .../templates/deployment-superagent.yaml | 4 +++ charts/super-agent/templates/_helpers.tpl | 18 +++++-------- .../tests/cluster_capabilities_test.yaml | 23 ++++++++++++++++ charts/super-agent/tests/placeholder | 1 - charts/super-agent/values.yaml | 16 +++++++++++- 6 files changed, 69 insertions(+), 19 deletions(-) create mode 100644 charts/super-agent/tests/cluster_capabilities_test.yaml delete mode 100644 charts/super-agent/tests/placeholder diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index c86bfb7a3..d01ee1f23 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl 
@@ -111,16 +111,32 @@ the config. If you need a list of TODOs, just `grep TODO` on the `values.yaml` and look for things that are yet to be implemented. */ -}} -{{- $opamp := (dict "endpoint" (include "newrelic-super-agent.config.endpoints.opamp" .)) -}} +{{- /* Empty config so we can populate it as we enable and disable snippets. */ -}} +{{- $config := dict -}} + +{{- /* Add to config k8s cluster and namespace config */ -}} {{- $k8s := (dict "cluster_name" (include "newrelic.common.cluster" .) "namespace" .Release.Namespace) -}} +{{- $_ := mustMerge $config (dict "k8s" $k8s) -}} + +{{- /* Add opamp if enabled */ -}} +{{- if ((.Values.config).opamp).enable -}} + {{- $opamp := (dict "endpoint" (include "newrelic-super-agent.config.endpoints.opamp" .)) -}} -{{- if .Values.config.auth.enabled -}} - {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} - {{- $_ := mustMerge $opamp (dict "auth_config" $auth_config) -}} + {{- /* Add auth to opamp if it is enabled */ -}} + {{- if ((.Values.config).auth).enabled -}} + {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} + {{- $_ := mustMerge $opamp (dict "auth_config" $auth_config) -}} + {{- end -}} + + {{- $_ := mustMerge $config (dict "opamp" $opamp) -}} {{- end -}} -{{- $config := dict "opamp" $opamp "k8s" $k8s "agents" (include "newrelic-super-agent.config.agents.yaml" . | fromYaml) -}} +{{- /* Add subagents to the config */ -}} +{{- $agents := include "newrelic-super-agent.config.agents.yaml" . 
| fromYaml -}} +{{- $_ := mustMerge $config (dict "agents" $agents) -}} + +{{- /* Overwrite $config with everything in `config.superAgent.content` if present */ -}} {{- $_ := deepCopy (.Values.config.superAgent.content | default dict) | mustMergeOverwrite $config -}} {{- $config | toYaml -}} {{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml index 34711c4ab..ca3917b12 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml @@ -85,6 +85,10 @@ spec: name: {{ include "newrelic.common.license.secretName" . }} key: {{ include "newrelic.common.license.secretKeyName" . }} {{- end }} + {{- if include "newrelic.common.verboseLog" . }} + - name: NR_SA_LOG__LEVEL + value: debug + {{- end }} {{- with .Values.extraEnv }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/super-agent/templates/_helpers.tpl b/charts/super-agent/templates/_helpers.tpl index f1b6c5f22..4fde086da 100644 --- a/charts/super-agent/templates/_helpers.tpl +++ b/charts/super-agent/templates/_helpers.tpl 
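Review bot: The OpAMP toggle in the `@@ -111,16 +111,32 @@` hunk is read as `((.Values.config).opamp).enable`, while the auth toggle next to it is `((.Values.config).auth).enabled`. An operator who sets `config.opamp.enabled: false` to run the agent stand-alone would get no error and remote management would stay on, because the default `enable: true` still wins. Use the same key name for both toggles (`enabled`), or `fail` when `config.opamp.enabled` is set, and add a `# --` comment for the new value in values.yaml. Since `config.superAgent.content` is merged over the result with `mustMergeOverwrite`, the comment should also say that an `opamp` block supplied there is emitted regardless of the toggle.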
@@ -1,19 +1,13 @@ {{- define "newrelic-super-agent.capabilites-tester" -}} {{- /* This variable is like this so renovate can in the future use regex to upgrade this (if possible) */ -}} {{- /* Ref: https://github.com/fluxcd/flux2/blob/cc87ffd66e243fb85fc275792fa3708e44048048/cmd/flux/check.go#L62-L64 */ -}} -{{- /* The value above could change also if we have to create objects which API break (like Ingress on 1.24) */ -}} -{{- $minimumSupportedVersion := "1.28" -}} -{{- $minimumSupportedVersion = $minimumSupportedVersion | split "." -}} +{{- /* The value above could change also if we have to create objects which API break (like Ingress on 1.24) or for testing purposes */ -}} +{{- $minimum_supported_version := ">=1.28.0-0" -}} +{{- $minimum_supported_version = (.Values.experimental).forceMinimumSupportedVersion | default $minimum_supported_version -}} -{{- $from_cluster_major := ((.Capabilities).KubeVersion).Major | int -}} -{{- $supported_major := $minimumSupportedVersion._0 | int -}} -{{- if not (eq $from_cluster_major $supported_major) -}} - {{- fail (printf "Breaking change in Kubernetes. We only support versions %s.xx" $supported_major) -}} -{{- end -}} +{{- $cluster_version := (.Values.experimental).forceKubeVersion | default .Capabilities.KubeVersion | toString -}} -{{- $from_cluster_minor := ((.Capabilities).KubeVersion).Minor | int -}} -{{- $supported_minor := $minimumSupportedVersion._1 | int -}} -{{- if gt $supported_minor $from_cluster_minor -}} - {{- fail (printf "Kuberentes version is not supported. Condition not met: %d.%d >= %d.%d" $from_cluster_major $from_cluster_minor $supported_major $supported_minor) -}} +{{- if not (semverCompare $minimum_supported_version $cluster_version) -}} + {{- fail (printf "Kubernetes version is not supported. Cluster says its on version %s and does not meet %s" $cluster_version $minimum_supported_version ) -}} {{- end -}} {{- end -}} 
diff --git a/charts/super-agent/tests/cluster_capabilities_test.yaml b/charts/super-agent/tests/cluster_capabilities_test.yaml new file mode 100644 index 000000000..3320c1ecf --- /dev/null +++ b/charts/super-agent/tests/cluster_capabilities_test.yaml @@ -0,0 +1,23 @@ +suite: super agent is able to fail if it does not meet cluster version +templates: + - templates/capabilities-tester.yaml +release: + name: my-release + namespace: my-namespace + +tests: + - it: Cluster above the requirements + set: + experimental: + forceMinimumSupportedVersion: ">=1.28.0-0" + forceKubeVersion: v1.29 + asserts: + - notFailedTemplate: {} + + - it: Cluster below the requirements + set: + experimental: + forceMinimumSupportedVersion: ">=1.28.0-0" + forceKubeVersion: v1.27 + asserts: + - failedTemplate: {} diff --git a/charts/super-agent/tests/placeholder b/charts/super-agent/tests/placeholder deleted file mode 100644 index dc9b039ed..000000000 --- a/charts/super-agent/tests/placeholder +++ /dev/null @@ -1 +0,0 @@ -This file is a placeholder so the CI run the unittest command for the sub charts contained here. diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index c202b5dd0..85446ae35 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml @@ -99,7 +99,7 @@ super-agent-deployment: # @default -- `false` enabled: - # -- (bool) TODO: Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` + # -- (bool) Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` # @default -- `false` verboseLog: @@ -108,6 +108,9 @@ super-agent-deployment: cleanupManagedResources: true config: + opamp: + enable: true + # -- Configuration for the Super Agent. # @default -- See `values.yaml` superAgent: 
@@ -252,3 +255,14 @@ flux2: # user want to use Flux for other purposes besides the super agent, this toggle can be used to allow Flux to work on # the whole cluster. watchAllNamespaces: false + +# -- Set of experimental configurations for super-agent chart. +# @default -- See `values.yaml` +experimental: + # Forces which is the minimal supported Kubernetes version for this chart without failing. + # Useful for development, testing, or if the chart is being templated in a unsupported way. + forceMinimumSupportedVersion: "" + # In case use uses `helm template`, helm uses the latest version supported by `helm`. This allows to + # change that version. Useful for testing, developing and to change some templates from subcharts that + # change manifests depending on the version of the cluster. + forceKubeVersion: "" From 5197ae4ad6654592ebd8453318b560167ad18fac Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Mon, 2 Sep 2024 16:36:55 +0200 Subject: [PATCH 05/16] upgrade common-library chart and add missing documentation --- charts/super-agent/Chart.lock | 6 +- charts/super-agent/Chart.yaml | 4 +- charts/super-agent/README.md | 32 +++++---- .../templates/_helpers.tpl | 21 +++--- .../templates/_temporary_helpers.tpl | 14 ---- .../templates/deployment-superagent.yaml | 27 ++++--- .../configmap_superagent_config_test.yaml | 70 ++++++++----------- .../tests/deployment_superagent_env_test.yaml | 4 +- ...ment_superagent_subagent_configs_test.yaml | 1 - charts/super-agent/values.yaml | 48 ++++++------- 10 files changed, 104 insertions(+), 123 deletions(-) delete mode 100644 charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl diff --git a/charts/super-agent/Chart.lock b/charts/super-agent/Chart.lock index 06d46d626..7f169b618 100644 --- a/charts/super-agent/Chart.lock +++ b/charts/super-agent/Chart.lock 
@@ -7,6 +7,6 @@ dependencies: version: 0.0.24-beta - name: common-library repository: https://helm-charts.newrelic.com - version: 1.2.0 -digest: sha256:086b41600ab3d223dad41b20b0bec3952efef31df0f8971aa604b67e662a3a2d -generated: "2024-09-17T10:06:43.19037+02:00" + version: 1.3.0 +digest: sha256:b15bf716a97ac0a42a4908344bf7e145ea63d02e1902f67bfdbd2b16bf74b6f2 +generated: "2024-09-17T10:10:30.582583+02:00" diff --git a/charts/super-agent/Chart.yaml b/charts/super-agent/Chart.yaml index a2ab0ad9b..21e04b86d 100644 --- a/charts/super-agent/Chart.yaml +++ b/charts/super-agent/Chart.yaml @@ -15,7 +15,7 @@ dependencies: condition: super-agent-deployment.enabled # The following dependency is needed as sub-dependency of super-agent-deployment - name: common-library - version: 1.2.0 + version: 1.3.0 repository: https://helm-charts.newrelic.com keywords: @@ -25,8 +25,6 @@ keywords: maintainers: - name: sigilioso url: https://github.com/sigilioso - - name: gsanchezgavier - url: https://github.com/gsanchezgavier - name: kang-makes url: https://github.com/kang-makes - name: paologallinaharbur diff --git a/charts/super-agent/README.md b/charts/super-agent/README.md index 05f84c58a..87a07f133 100644 --- a/charts/super-agent/README.md +++ b/charts/super-agent/README.md 
@@ -37,6 +37,7 @@ As of the creation of the chart, it has no particularities and this section can | Key | Type | Default | Description | |-----|------|---------|-------------| +| experimental | object | See `values.yaml` | Set of experimental configurations for super-agent chart. | | flux2 | object | See `values.yaml` | Values for the Flux chat. Ref.: https://github.com/fluxcd-community/helm-charts/blob/flux2-2.10.2/charts/flux2/values.yaml | | flux2.clusterDomain | string | `"cluster.local"` | This is the domain name of the cluster. | | flux2.enabled | bool | `true` | Enable or disable FluxCD installation. New Relic' Super Agent need Flux to work, but the user can use an already existing Flux deployment. With that use case, the use can disable Flux and use this chart to only install the CRs to deploy the Super Agent. | 
@@ -49,17 +50,25 @@ As of the creation of the chart, it has no particularities and this section can | nameOverride | string | `""` | Override the name of the chart | | super-agent-deployment | object | See `values.yaml` | Values related to the super agent's Helm chart release. | | super-agent-deployment.affinity | object | `{}` | Sets pod/node affinities. Can be configured also with `global.affinity` | -| super-agent-deployment.authSecret | object | `{"create":false}` | Settings controlling authentication secret creation. If `create` is true, a Kubernetes secret will be created containing a key named `auth_key`. This secret will be mounted in the deployment pod at the path `/etc/newrelic-super-agent/auth_key` for authentication purposes. | -| super-agent-deployment.cleanupManagedResources | bool | `true` | Enable the cleanup of super-agent managed resources when the chart is uninstalled. If disabled, agents and / or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. | -| super-agent-deployment.cluster | string | `""` | TODO: Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. | +| super-agent-deployment.cleanupManagedResources | bool | `true` | Enable the cleanup of super-agent managed resources when the chart is uninstalled. If disabled, agents and/or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. | +| super-agent-deployment.cluster | string | `""` | Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. | +| super-agent-deployment.config.auth.enabled | bool | `true` | Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent in stand alone mode where only the agents specified on `.config.subAgents` will be launched. | +| super-agent-deployment.config.auth.organization_id | string | `""` | Organization ID where fleets will live. 
| +| super-agent-deployment.config.auth.secret.client_id.base64 | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. This options is mutually exclusive with `plain`. | +| super-agent-deployment.config.auth.secret.client_id.plain | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. This options is mutually exclusive with `base64`. | +| super-agent-deployment.config.auth.secret.client_id.secret_key | string | `client_id` | Key inside the secret containing the client ID. | +| super-agent-deployment.config.auth.secret.name | string | release name suffixed with "-auth" | Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret will have. | +| super-agent-deployment.config.auth.secret.private_key.base64_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. This options is mutually exclusive with `plain_pem`. | +| super-agent-deployment.config.auth.secret.private_key.plain_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. This options is mutually exclusive with `base64_pem`. | +| super-agent-deployment.config.auth.secret.private_key.secret_key | string | `private_key` | Key inside the secret containing the private key. | +| super-agent-deployment.config.subAgents | string | {} (Empty. That defaults to configure the `newrelic/io.opentelemetry.collector` subagent) | Values that the fleet is going to have in the deployment. | | super-agent-deployment.config.superAgent | object | See `values.yaml` | Configuration for the Super Agent. | -| super-agent-deployment.config.superAgent.content | object | See `values.yaml` for examples | Here you can set New Relic' Super Agent configuration. 
| -| super-agent-deployment.config.superAgent.content.server | object | `{"enabled":true}` | And query it as `$ curl localhost:51200/status` | +| super-agent-deployment.config.superAgent.content | object | `{}` | It you are a PowerUser, you can use this to override the configuration that has been created automatically by the chart. This configuration here will be **MERGED** with the configuration specified above. If you need to have you own configuration, disabled the creation of this configMap and create your own. | | super-agent-deployment.config.superAgent.create | bool | `true` | Set if the configMap is going to be created by this chart or the user will provide its own. | | super-agent-deployment.containerSecurityContext | object | `{}` | Sets security context (at container level). Can be configured also with `global.containerSecurityContext` | | super-agent-deployment.customAttributes | object | `{}` | TODO: Adds extra attributes to the cluster and all the metrics emitted to the backend. Can be configured also with `global.customAttributes` | -| super-agent-deployment.customSecretLicenseKey | string | `""` | TODO: In case you don't want to have the license key in you values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey` | -| super-agent-deployment.customSecretName | string | `""` | TODO: In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` | +| super-agent-deployment.customSecretLicenseKey | string | `""` | In case you don't want to have the license key in you values, this allows you to point to which secret key is the license key located. 
Can be configured also with `global.customSecretLicenseKey` | +| super-agent-deployment.customSecretName | string | `""` | In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` | | super-agent-deployment.dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` | | super-agent-deployment.enabled | bool | `true` | Enable the installation of the Super Agent. This an advanced/debug flag. It should be always be true unless you know what you are going. | | super-agent-deployment.extraEnv | list | `[]` | Add user environment variables to the agent | 
@@ -71,9 +80,9 @@ As of the creation of the chart, it has no particularities and this section can | super-agent-deployment.image | object | See `values.yaml` | Image for the New Relic Super Agent | | super-agent-deployment.image.pullSecrets | list | `[]` | The secrets that are needed to pull images from a custom registry. | | super-agent-deployment.labels | object | `{}` | Additional labels for chart objects. Can be configured also with `global.labels` | -| super-agent-deployment.licenseKey | string | `""` | TODO: This set this license key to use. Can be configured also with `global.licenseKey` | +| super-agent-deployment.licenseKey | string | `""` | This set this license key to use. Can be configured also with `global.licenseKey` | | super-agent-deployment.nodeSelector | object | `{}` | Sets pod's node selector. Can be configured also with `global.nodeSelector` | -| super-agent-deployment.nrStaging | bool | `false` | Send the metrics to the staging backend. Requires a valid staging license key. Can be configured also with `global.nrStaging` When enabled, in case `authSecret.create` is set to `true`, OpAMP `endpoint` and auth `token_url` need to be updated. | +| super-agent-deployment.nrStaging | bool | `false` | Send the metrics to the staging backend. Requires a valid staging license key. Can be configured also with `global.nrStaging` | | super-agent-deployment.podAnnotations | object | `{}` | Annotations to be added to all pods created by the integration. | | super-agent-deployment.podLabels | object | `{}` | Additional labels for chart pods. Can be configured also with `global.podLabels` | | super-agent-deployment.podSecurityContext | object | `{}` | Sets security context (at pod level). Can be configured also with `global.podSecurityContext` | 
@@ -83,14 +92,11 @@ As of the creation of the chart, it has no particularities and this section can | super-agent-deployment.resources | object | `{}` | Resource limits to be added to all pods created by the integration. | | super-agent-deployment.serviceAccount | object | See `values.yaml` | Settings controlling ServiceAccount creation. | | super-agent-deployment.serviceAccount.create | bool | `true` | Whether the chart should automatically create the ServiceAccount objects required to run. | -| super-agent-deployment.subAgents | object | See `values.yaml` for examples | Values that the fleet is going to have in the deployment. | | super-agent-deployment.tolerations | list | `[]` | Sets pod's tolerations to node taints. Can be configured also with `global.tolerations` | -| super-agent-deployment.verboseLog | bool | `false` | TODO: Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` | +| super-agent-deployment.verboseLog | bool | `false` | Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` | ## Maintainers * [sigilioso](https://github.com/sigilioso) -* [gsanchezgavier](https://github.com/gsanchezgavier) * [kang-makes](https://github.com/kang-makes) -* [marcsanmi](https://github.com/marcsanmi) * [paologallinaharbur](https://github.com/paologallinaharbur) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index d01ee1f23..7d95cc74a 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl 
@@ -111,29 +111,28 @@ the config. If you need a list of TODOs, just `grep TODO` on the `values.yaml` and look for things that are yet to be implemented. */ -}} -{{- /* Empty config so we can populate it as we enable and disable snippets. */ -}} -{{- $config := dict -}} +{{- /* config set here so we can populate it as we enable and disable snippets. */ -}} +{{- $config := dict "server" (dict "enabled" true) -}} {{- /* Add to config k8s cluster and namespace config */ -}} {{- $k8s := (dict "cluster_name" (include "newrelic.common.cluster" .) "namespace" .Release.Namespace) -}} {{- $_ := mustMerge $config (dict "k8s" $k8s) -}} -{{- /* Add opamp if enabled */ -}} -{{- if ((.Values.config).opamp).enable -}} +{{- /* Add opamp if auth enabled */ -}} +{{- if ((.Values.config).auth).enabled -}} {{- $opamp := (dict "endpoint" (include "newrelic-super-agent.config.endpoints.opamp" .)) -}} - {{- /* Add auth to opamp if it is enabled */ -}} - {{- if ((.Values.config).auth).enabled -}} - {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} - {{- $_ := mustMerge $opamp (dict "auth_config" $auth_config) -}} - {{- end -}} + {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} + {{- $_ := mustMerge $opamp (dict "auth_config" $auth_config) -}} {{- $_ := mustMerge $config (dict "opamp" $opamp) -}} {{- end -}} - {{- /* Add subagents to the config */ -}} -{{- $agents := include "newrelic-super-agent.config.agents.yaml" . | fromYaml -}} +{{- $agents := dict -}} +{{- range $subagent, $object := (include "newrelic-super-agent.config.agents.yaml" . 
| fromYaml) -}} + {{- $_ := mustMerge $agents (dict $subagent (dict "agent_type" $object.type)) -}} +{{- end -}} {{- $_ := mustMerge $config (dict "agents" $agents) -}} {{- /* Overwrite $config with everything in `config.superAgent.content` if present */ -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl deleted file mode 100644 index 1b7121276..000000000 --- a/charts/super-agent/charts/super-agent-deployment/templates/_temporary_helpers.tpl +++ /dev/null @@ -1,14 +0,0 @@ -{{- /* - Auxiliary template until the PR that add these helpers to the common library are merged. -*/ -}} -{{- define "newrelic.common.apiKey.secretName" -}} -api-key-secret -{{- end -}} - -{{- define "newrelic.common.apiKey.secretKeyName" -}} -a-secret-key -{{- end -}} - -{{- define "newrelic.common.region" -}} -US -{{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml index ca3917b12..04f4b5cde 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml @@ -70,15 +70,6 @@ spec: secretKeyRef: name: {{ include "newrelic-super-agent.auth.secret.name" . }} key: {{ include "newrelic-super-agent.auth.secret.clientId.key" . }} - {{- end }} - - name: NR_LICENSE_KEY - valueFrom: - secretKeyRef: - name: {{ include "newrelic.common.license.secretName" . }} - key: {{ include "newrelic.common.license.secretKeyName" . }} - - name: NR_CLUSTER_NAME - value: {{ include "newrelic.common.cluster" . }} - {{- if (((.Values.config).superAgent).content).opamp }} - name: NR_SA_OPAMP__HEADERS__API-KEY valueFrom: secretKeyRef: 
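Review bot: The new `range` over the sub-agents in `_helpers.tpl` reads `$object.type` without checking that the entry defines it, so a `.config.subAgents` entry with no `type` would presumably render an empty `agent_type` into the super agent's config rather than fail at template time. Unless the `newrelic-super-agent.config.agents.yaml` helper (outside this hunk) already validates it, I would make the lookup explicit: `{{- $_ := mustMerge $agents (dict $subagent (dict "agent_type" (required (printf "config.subAgents.%s.type is required" $subagent) $object.type))) -}}`. A short comment above the loop saying that only `type` is copied into the agent's config and `content` is deliberately dropped would also help the next reader. The enclosing `define` starts and ends outside the hunk.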
@@ -89,6 +80,21 @@ spec: - name: NR_SA_LOG__LEVEL value: debug {{- end }} + + {{- /* ----- Variables used to send data downstream to subagents */}} + - name: NR_LICENSE_KEY + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.license.secretName" . }} + key: {{ include "newrelic.common.license.secretKeyName" . }} + - name: NR_CLUSTER_NAME + value: {{ include "newrelic.common.cluster" . }} + - name: NR_VERBOSE + value: {{ include "newrelic.common.verboseLog.valueAsBoolean" . }} + - name: NR_REGION + value: {{ include "newrelic.common.region" . }} + {{- /* ----- Variables used to send data downstream to subagents */}} + {{- with .Values.extraEnv }} {{- toYaml . | nindent 12 }} {{- end }} @@ -96,7 +102,8 @@ spec: envFrom: {{- toYaml . | nindent 12 }} {{- end }} - # TODO: Add probes + + # TODO: Probe the status server. volumeMounts: - name: super-agent-config diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml index b47db6b32..94829fbce 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml @@ -27,11 +27,7 @@ tests: value: | agents: open-telemetry: - content: - chart_values: - cluster: ${nr-env:NR_CLUSTER_NAME} - licenseKey: ${nr-env:NR_LICENSE_KEY} - type: newrelic/io.opentelemetry.collector:0.2.0 + agent_type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: my-cluster namespace: my-namespace @@ -62,11 +58,7 @@ tests: value: | agents: open-telemetry: - content: - chart_values: - cluster: ${nr-env:NR_CLUSTER_NAME} - licenseKey: ${nr-env:NR_LICENSE_KEY} - type: newrelic/io.opentelemetry.collector:0.2.0 + agent_type: newrelic/io.opentelemetry.collector:0.2.0 k8s: cluster_name: config-cluster namespace: config-namespace 
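Review bot: The added `NR_VERBOSE` entry renders its value unquoted, `value: {{ include "newrelic.common.verboseLog.valueAsBoolean" . }}`, and if that helper emits a bare `true`/`false` (as its name suggests) YAML parses it as a boolean, while a container env `value` must be a string, so the API server would reject the Deployment. Quote it: `value: {{ include "newrelic.common.verboseLog.valueAsBoolean" . | quote }}`. The same applies to `NR_CLUSTER_NAME` and `NR_REGION` in this hunk (a cluster name made only of digits would hit the same type error) and to the `NR_STAGING` entry added to this block in PATCH 06. The container spec continues outside the hunk.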
@@ -80,32 +72,32 @@ tests: enabled: true test: value test2: value2 -# - it: super agent's config always include cluster_name, namespace, defaults and honor the EU endpoint. -# set: -# cluster: my-cluster -# config: -# superAgent: -# content: -# opamp: -# endpoint: https://opamp.service.eu.newrelic.com/v1/opamp -# auth: -# enabled: true -# euEndpoints: true -# asserts: -# - equal: -# path: data["local_config"] -# value: | -# agents: -# open-telemetry: -# agent_type: newrelic/io.opentelemetry.collector:0.2.0 -# k8s: -# cluster_name: my-cluster -# namespace: my-namespace -# opamp: -# auth_config: -# private_key_path: /etc/newrelic-super-agent/keys/from-secret.key -# provider: local -# token_url: https://system-identity-oauth.service.eu.newrelic.com/oauth2/token -# endpoint: https://opamp.service.eu.newrelic.com/v1/opamp -# server: -# enabled: true + - it: super agent's config always include cluster_name, namespace, defaults, and honor the EU endpoint. + set: + cluster: my-cluster + config: + superAgent: + content: + opamp: + endpoint: https://opamp.service.eu.newrelic.com/v1/opamp + auth: + enabled: true + region: eu + asserts: + - equal: + path: data["local_config"] + value: | + agents: + open-telemetry: + agent_type: newrelic/io.opentelemetry.collector:0.2.0 + k8s: + cluster_name: my-cluster + namespace: my-namespace + opamp: + auth_config: + private_key_path: /etc/newrelic-super-agent/keys/from-secret.key + provider: local + token_url: https://system-identity-oauth.service.eu.newrelic.com/oauth2/token + endpoint: https://opamp.service.eu.newrelic.com/v1/opamp + server: + enabled: true diff --git a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml index 9965fc177..8a937ec24 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml 
+++ b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_env_test.yaml @@ -1,4 +1,4 @@ -suite: test super agent deployment's securityContext +suite: test super agent deployment's env vars are injected templates: - templates/deployment-superagent.yaml - templates/configmap-superagent-config.yaml @@ -27,6 +27,7 @@ tests: cluster: test customSecretName: "custom-secret" customSecretLicenseKey: "custom-key" + region: us # With a custom secret we cannot know the region so we have to ask for it. asserts: - contains: path: spec.template.spec.containers[0].env @@ -63,6 +64,7 @@ tests: cluster: test customSecretName: "custom-secret" customSecretLicenseKey: "custom-key" + region: us # With a custom secret we cannot know the region so we have to ask for it. config: superAgent: content: diff --git a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml index 3bcaaf8a6..fb5fec557 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/deployment_superagent_subagent_configs_test.yaml @@ -7,7 +7,6 @@ release: name: my-release namespace: my-namespace tests: - - it: there is no subagent configuration set: cluster: test diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index 85446ae35..510a2e6c3 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml 
@@ -104,56 +104,40 @@ super-agent-deployment: verboseLog: # -- Enable the cleanup of super-agent managed resources when the chart is uninstalled. - # If disabled, agents and / or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. + # If disabled, agents and/or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. cleanupManagedResources: true config: - opamp: - enable: true - # -- Configuration for the Super Agent. # @default -- See `values.yaml` superAgent: # -- Set if the configMap is going to be created by this chart or the user will provide its own. create: true - # -- Here you can set New Relic' Super Agent configuration. - # @default -- See `values.yaml` for examples - content: - # opamp: - # # TODO The endpoint should be set automatically based on the licenseKey and on the nrStaging option if opamp.enable=true - # endpoint: https://opamp.service.newrelic.com/v1/opamp - # endpoint: https://opamp.service.eu.newrelic.com/v1/opamp - - # -- This option enables a status server that can be useful for troubleshooting. - # -- Port-forward it `$ kubectl port-forward pod/{pod-name} 51200:51200` - # -- And query it as `$ curl localhost:51200/status` - server: - enabled: true - # port: 51200 - + # -- It you are a PowerUser, you can use this to override the configuration that has been created automatically by the chart. + # This configuration here will be **MERGED** with the configuration specified above. + # If you need to have you own configuration, disabled the creation of this configMap and create your own. + content: {} # -- Values that the fleet is going to have in the deployment. - # @default -- See `values.yaml` for examples + # @default -- {} (Empty. That defaults to configure the `newrelic/io.opentelemetry.collector` subagent) subAgents: # The values of the fleet depends on the deployment itself. 
Each subagent has a different set of variables so you have to go to the subagent documentation # find the configuration needed for the subagent. # # The example below, open-telemetry, is enabled by default if no subagent is set up. - # # open-telemetry: # type: newrelic/io.opentelemetry.collector:0.2.0 # content: # chart_version: "0.4.0" # chart_values: - # # TODO the following values are set twice in the config, we have to add some logic to improve UX either in the chart or in the agentType - # cluster: "" - # licenseKey: "" - # customSecretName: "" - # customSecretLicenseKey: "" + # # you can set here modifications to the open telemetry chart auth: + # -- Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent + # in stand alone mode where only the agents specified on `.config.subAgents` will be launched. enabled: true - organization_id: + # -- Organization ID where fleets will live. + organization_id: "" secret: create: true # -- Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret 
@@ -164,13 +148,21 @@ super-agent-deployment: # -- Key inside the secret containing the private key. # @default -- `private_key` secret_key: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. + # This options is mutually exclusive with `plain_pem`. base64_pem: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. + # This options is mutually exclusive with `base64_pem`. plain_pem: client_id: - # -- Key inside the secret containing the private key. + # -- Key inside the secret containing the client ID. # @default -- `client_id` secret_key: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. + # This options is mutually exclusive with `plain`. base64: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. + # This options is mutually exclusive with `base64`. plain: From 844347fefbc2cda28e21e4940ec3a1e9359b01c6 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Mon, 2 Sep 2024 17:17:16 +0200 Subject: [PATCH 06/16] final touches --- charts/super-agent/Chart.yaml | 4 +++ .../templates/_helpers.tpl | 8 +++-- .../templates/deployment-superagent.yaml | 2 ++ ...einstall-job-register-system-identity.yaml | 8 ++--- .../configmap_superagent_config_test.yaml | 30 ++++++++++++++----- charts/super-agent/templates/_helpers.tpl | 11 +++---- .../templates/capabilities-tester.yaml | 2 +- 7 files changed, 44 insertions(+), 21 deletions(-) diff --git a/charts/super-agent/Chart.yaml b/charts/super-agent/Chart.yaml index 21e04b86d..3fb8428f1 100644 --- a/charts/super-agent/Chart.yaml +++ b/charts/super-agent/Chart.yaml 
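Review bot: The new comments on `private_key.plain_pem` / `base64_pem` (and `client_id.plain` / `base64`) describe how to pass the credential inline but not what that implies: anything set here is kept with the Helm release values and in whatever values file or pipeline variable carried it, and base64 is an encoding, not protection. I would add a line to each comment such as `# Prefer create: false with an existing secret referenced by name; values set here are stored with the Helm release.` It is also worth stating whether the "mutually exclusive" rule is enforced by the template (a `fail` when both are set) or only documented; the helper that reads these keys is not visible in this hunk. The `auth.secret` block starts outside the hunk.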
@@ -5,6 +5,10 @@ description: Bootstraps New Relic' Super Agent type: application version: 0.0.20-beta +# TODO: Can we set renovatebot here with a regex? +# Ref: https://github.com/fluxcd/flux2/blob/cc87ffd66e243fb85fc275792fa3708e44048048/cmd/flux/check.go#L62-L64 +kubeVersion: ">=1.28.0-0" + dependencies: - name: flux2 repository: https://fluxcd-community.github.io/helm-charts diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index 7d95cc74a..afd01c1b5 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl @@ -26,8 +26,12 @@ open-telemetry: type: newrelic/io.opentelemetry.collector:0.2.0 content: chart_values: - licenseKey: ${nr-env:NR_LICENSE_KEY} - cluster: ${nr-env:NR_CLUSTER_NAME} + global: + licenseKey: ${nr-env:NR_LICENSE_KEY} + cluster: ${nr-env:NR_CLUSTER_NAME} + nrStaging: ${nr-env:NR_STAGING} + verboseLog: ${nr-env:NR_VERBOSE} + region: ${nr-env:NR_REGION} {{- end -}} {{- end -}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml index 04f4b5cde..0654202a1 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml @@ -89,6 +89,8 @@ spec: key: {{ include "newrelic.common.license.secretKeyName" . }} - name: NR_CLUSTER_NAME value: {{ include "newrelic.common.cluster" . }} + - name: NR_STAGING + value: {{ include "newrelic.common.nrStaging.value" . }} - name: NR_VERBOSE value: {{ include "newrelic.common.verboseLog.valueAsBoolean" . }} - name: NR_REGION 
diff --git a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml index 12f19f5fe..b4c223621 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml @@ -18,11 +18,11 @@ spec: - name: register-system-identity image: alpine env: - - name: API_KEY + - name: USER_KEY valueFrom: secretKeyRef: - name: {{ include "newrelic.common.apiKey.secretName" . }} - key: {{ include "newrelic.common.apiKey.secretKeyName" . }} + name: {{ include "newrelic.common.userKey.secretName" . }} + key: {{ include "newrelic.common.userKey.secretKeyName" . }} command: - ash args: @@ -52,7 +52,7 @@ spec: curl \ -s -w "%{http_code}" \ -H "Content-Type: application/json" \ - -H "API-Key: $API_KEY" \ + -H "API-Key: $USER_KEY" \ -o "$TEMPORAL_FOLDER/response.json" \ --data @- \ "{{ include "newrelic-super-agent.config.endpoints.systemIdentityRegistration" . }}" diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml index 94829fbce..cef3f2cfa 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml 
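Review bot: In the second hunk the user key is still expanded onto curl's command line, `-H "API-Key: $USER_KEY"`, so it appears in the process arguments for as long as the request runs and is visible to anything that records command lines (process monitoring on the node, `ps` from a debug container). curl can read headers from a file instead: write it with the shell builtin, `printf 'API-Key: %s\n' "$USER_KEY" > "$TEMPORAL_FOLDER/headers"`, and pass `-H @"$TEMPORAL_FOLDER/headers"`. Separately, the container in the first hunk of this file is still `image: alpine` with no tag or digest, so a job that handles the user key runs whatever that mutable tag resolves to at install time; pinning it to a version and digest would make the job reproducible. The script body starts and ends outside both hunks.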
@@ -13,6 +13,29 @@ tests: asserts: - hasDocuments: count: 0 + - it: super agent's config always include cluster_name, namespace and defaults + set: + cluster: my-cluster + config: + superAgent: {} + asserts: + - equal: + path: data["local_config"] + value: | + agents: + open-telemetry: + agent_type: newrelic/io.opentelemetry.collector:0.2.0 + k8s: + cluster_name: my-cluster + namespace: my-namespace + opamp: + auth_config: + private_key_path: /etc/newrelic-super-agent/keys/from-secret.key + provider: local + token_url: https://system-identity-oauth.service.newrelic.com/oauth2/token + endpoint: https://opamp.service.newrelic.com/v1/opamp + server: + enabled: true - it: super agent's config templates set: cluster: my-cluster @@ -75,13 +98,6 @@ tests: - it: super agent's config always include cluster_name, namespace, defaults, and honor the EU endpoint. set: cluster: my-cluster - config: - superAgent: - content: - opamp: - endpoint: https://opamp.service.eu.newrelic.com/v1/opamp - auth: - enabled: true region: eu asserts: - equal: diff --git a/charts/super-agent/templates/_helpers.tpl b/charts/super-agent/templates/_helpers.tpl index 4fde086da..e9d2c1ee1 100644 --- a/charts/super-agent/templates/_helpers.tpl +++ b/charts/super-agent/templates/_helpers.tpl 
@@ -1,13 +1,10 @@ {{- define "newrelic-super-agent.capabilites-tester" -}} -{{- /* This variable is like this so renovate can in the future use regex to upgrade this (if possible) */ -}} -{{- /* Ref: https://github.com/fluxcd/flux2/blob/cc87ffd66e243fb85fc275792fa3708e44048048/cmd/flux/check.go#L62-L64 */ -}} -{{- /* The value above could change also if we have to create objects which API break (like Ingress on 1.24) or for testing purposes */ -}} -{{- $minimum_supported_version := ">=1.28.0-0" -}} -{{- $minimum_supported_version = (.Values.experimental).forceMinimumSupportedVersion | default $minimum_supported_version -}} +{{- $minimum_supported_version := (.Values.experimental).forceMinimumSupportedVersion | default .Chart.KubeVersion -}} -{{- $cluster_version := (.Values.experimental).forceKubeVersion | default .Capabilities.KubeVersion | toString -}} +{{- $cluster_version := (.Values.experimental).forceKubeVersion | default .Capabilities.KubeVersion.Version | toString -}} {{- if not (semverCompare $minimum_supported_version $cluster_version) -}} - {{- fail (printf "Kubernetes version is not supported. Cluster says its on version %s and does not meet %s" $cluster_version $minimum_supported_version ) -}} + {{- $error_message := printf "Kubernetes version is not supported. Cluster says its on version %s and does not meet %s" $cluster_version $minimum_supported_version -}} + {{- fail $error_message -}} {{- end -}} {{- end -}} diff --git a/charts/super-agent/templates/capabilities-tester.yaml b/charts/super-agent/templates/capabilities-tester.yaml index e32b9ff9c..dbbc048cc 100644 --- a/charts/super-agent/templates/capabilities-tester.yaml +++ b/charts/super-agent/templates/capabilities-tester.yaml @@ -1 +1 @@ -{{- include "newrelic-super-agent.capabilites-tester" . -}} \ No newline at end of file +{{- include "newrelic-super-agent.capabilites-tester" . -}} From 4e67aaae32bfe34ba55ebf63b0b440480030e9a3 Mon Sep 17 00:00:00 2001 
From: Juan Manuel Perez Date: Tue, 3 Sep 2024 14:19:51 +0200 Subject: [PATCH 07/16] remove feature to test kubernetes version --- charts/super-agent/Chart.yaml | 4 ---- charts/super-agent/README.md | 1 - charts/super-agent/templates/_helpers.tpl | 10 -------- .../templates/capabilities-tester.yaml | 1 - .../tests/cluster_capabilities_test.yaml | 23 ------------------- charts/super-agent/tests/placeholder | 1 + charts/super-agent/values.yaml | 11 --------- 7 files changed, 1 insertion(+), 50 deletions(-) delete mode 100644 charts/super-agent/templates/_helpers.tpl delete mode 100644 charts/super-agent/templates/capabilities-tester.yaml delete mode 100644 charts/super-agent/tests/cluster_capabilities_test.yaml create mode 100644 charts/super-agent/tests/placeholder diff --git a/charts/super-agent/Chart.yaml b/charts/super-agent/Chart.yaml index 3fb8428f1..21e04b86d 100644 --- a/charts/super-agent/Chart.yaml +++ b/charts/super-agent/Chart.yaml @@ -5,10 +5,6 @@ description: Bootstraps New Relic' Super Agent type: application version: 0.0.20-beta -# TODO: Can we set renovatebot here with a regex? -# Ref: https://github.com/fluxcd/flux2/blob/cc87ffd66e243fb85fc275792fa3708e44048048/cmd/flux/check.go#L62-L64 -kubeVersion: ">=1.28.0-0" - dependencies: - name: flux2 repository: https://fluxcd-community.github.io/helm-charts diff --git a/charts/super-agent/README.md b/charts/super-agent/README.md index 87a07f133..1261863ac 100644 --- a/charts/super-agent/README.md +++ b/charts/super-agent/README.md 
@@ -37,7 +37,6 @@ As of the creation of the chart, it has no particularities and this section can | Key | Type | Default | Description | |-----|------|---------|-------------| -| experimental | object | See `values.yaml` | Set of experimental configurations for super-agent chart. | | flux2 | object | See `values.yaml` | Values for the Flux chat. Ref.: https://github.com/fluxcd-community/helm-charts/blob/flux2-2.10.2/charts/flux2/values.yaml | | flux2.clusterDomain | string | `"cluster.local"` | This is the domain name of the cluster. | | flux2.enabled | bool | `true` | Enable or disable FluxCD installation. New Relic' Super Agent need Flux to work, but the user can use an already existing Flux deployment. With that use case, the use can disable Flux and use this chart to only install the CRs to deploy the Super Agent. | diff --git a/charts/super-agent/templates/_helpers.tpl b/charts/super-agent/templates/_helpers.tpl deleted file mode 100644 index e9d2c1ee1..000000000 --- a/charts/super-agent/templates/_helpers.tpl +++ /dev/null @@ -1,10 +0,0 @@ -{{- define "newrelic-super-agent.capabilites-tester" -}} -{{- $minimum_supported_version := (.Values.experimental).forceMinimumSupportedVersion | default .Chart.KubeVersion -}} - -{{- $cluster_version := (.Values.experimental).forceKubeVersion | default .Capabilities.KubeVersion.Version | toString -}} - -{{- if not (semverCompare $minimum_supported_version $cluster_version) -}} - {{- $error_message := printf "Kubernetes version is not supported. Cluster says its on version %s and does not meet %s" $cluster_version $minimum_supported_version -}} - {{- fail $error_message -}} -{{- end -}} -{{- end -}} diff --git a/charts/super-agent/templates/capabilities-tester.yaml b/charts/super-agent/templates/capabilities-tester.yaml deleted file mode 100644 index dbbc048cc..000000000 --- a/charts/super-agent/templates/capabilities-tester.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- include "newrelic-super-agent.capabilites-tester" . -}} 
diff --git a/charts/super-agent/tests/cluster_capabilities_test.yaml b/charts/super-agent/tests/cluster_capabilities_test.yaml deleted file mode 100644 index 3320c1ecf..000000000 --- a/charts/super-agent/tests/cluster_capabilities_test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -suite: super agent is able to fail if it does not meet cluster version -templates: - - templates/capabilities-tester.yaml -release: - name: my-release - namespace: my-namespace - -tests: - - it: Cluster above the requirements - set: - experimental: - forceMinimumSupportedVersion: ">=1.28.0-0" - forceKubeVersion: v1.29 - asserts: - - notFailedTemplate: {} - - - it: Cluster below the requirements - set: - experimental: - forceMinimumSupportedVersion: ">=1.28.0-0" - forceKubeVersion: v1.27 - asserts: - - failedTemplate: {} diff --git a/charts/super-agent/tests/placeholder b/charts/super-agent/tests/placeholder new file mode 100644 index 000000000..dc9b039ed --- /dev/null +++ b/charts/super-agent/tests/placeholder @@ -0,0 +1 @@ +This file is a placeholder so the CI run the unittest command for the sub charts contained here. diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index 510a2e6c3..6869b91df 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml 
@@ -247,14 +247,3 @@ flux2: # user want to use Flux for other purposes besides the super agent, this toggle can be used to allow Flux to work on # the whole cluster. watchAllNamespaces: false - -# -- Set of experimental configurations for super-agent chart. -# @default -- See `values.yaml` -experimental: - # Forces which is the minimal supported Kubernetes version for this chart without failing. - # Useful for development, testing, or if the chart is being templated in a unsupported way. - forceMinimumSupportedVersion: "" - # In case use uses `helm template`, helm uses the latest version supported by `helm`. This allows to - # change that version. Useful for testing, developing and to change some templates from subcharts that - # change manifests depending on the version of the cluster. - forceKubeVersion: "" From 3ecd8733c7595cd845aa685df3dbde9438ae5df6 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Tue, 3 Sep 2024 17:30:30 +0200 Subject: [PATCH 08/16] fix ci --- .../templates/deployment-superagent.yaml | 4 +-- ...einstall-job-register-system-identity.yaml | 26 +++++++++++++++++++ charts/super-agent/ci/test-values.yaml | 8 ++++-- 3 files changed, 34 insertions(+), 4 deletions(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml index 0654202a1..c2419b6a6 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml 
@@ -90,9 +90,9 @@ spec: - name: NR_CLUSTER_NAME value: {{ include "newrelic.common.cluster" . }} - name: NR_STAGING - value: {{ include "newrelic.common.nrStaging.value" . }} + value: {{ include "newrelic.common.nrStaging.value" . | quote }} - name: NR_VERBOSE - value: {{ include "newrelic.common.verboseLog.valueAsBoolean" . }} + value: {{ include "newrelic.common.verboseLog.valueAsBoolean" . | quote }} - name: NR_REGION value: {{ include "newrelic.common.region" . }} {{- /* ----- Variables used to send data downstream to subagents */}} diff --git a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml index b4c223621..85eb43182 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml 
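Review bot: `NR_CLUSTER_NAME` and `NR_REGION` in this env list of deployment-superagent.yaml are still rendered unquoted, while the two values changed here now go through `quote`. The cluster name is operator-supplied, so a purely numeric or boolean-looking name would render as a non-string YAML scalar and the API server would reject the Deployment. Quoting it the same way avoids that: `value: {{ include "newrelic.common.cluster" . | quote }}`. The env list starts and ends outside this hunk, so other entries may need the same treatment.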
@@ -1,4 +1,26 @@ {{- if include "newrelic-super-agent.auth.secret.shouldRunJob" . -}} +{{- /* +User key secret is used only in the step that create the system identity. +The secret that is created by the common-library does not allow to add annotations so the secret is removed +once the installation hook is finished, so I have to add it as a hook. +*/ -}} +{{- if not (include "newrelic.common.userKey._customSecretName" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + helm.sh/hook: pre-install # TODO we cannot enable auth after installation, we should add pre-upgrade and check if the secret exists + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1010" + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} + name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "preinstall-user-key" ) }} + namespace: {{ .Release.Namespace }} +data: + {{ include "newrelic.common.userKey.secretKeyName" . }}: {{ include "newrelic.common.userKey._userKey" . | b64enc }} +{{- end }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -21,7 +43,11 @@ spec: - name: USER_KEY valueFrom: secretKeyRef: + {{- if include "newrelic.common.userKey._customSecretName" . }} name: {{ include "newrelic.common.userKey.secretName" . }} + {{- else }} + name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "preinstall-user-key" ) }} + {{- end }} key: {{ include "newrelic.common.userKey.secretKeyName" . }} command: - ash diff --git a/charts/super-agent/ci/test-values.yaml b/charts/super-agent/ci/test-values.yaml index 424c20461..fb6384cd2 100644 --- a/charts/super-agent/ci/test-values.yaml +++ b/charts/super-agent/ci/test-values.yaml 
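Review bot: The hook Secret added to preinstall-job-register-system-identity.yaml has no cleanup on the failure path: its delete policy is `before-hook-creation,hook-succeeded`, so when the registration Job fails the base64-encoded user key can stay readable in the release namespace. Whether Helm removes an earlier, already-created hook after a later hook fails depends on the Helm version, so adding `hook-failed` to this annotation may not be enough on its own. I would at least extend the template comment with `A failed registration can leave this Secret, and the user key in it, in the namespace; delete it if the install is not retried.` The Secret name expression is also repeated verbatim in the second hunk's `secretKeyRef`; a named helper would keep the two from drifting apart.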
@@ -1,6 +1,10 @@ -super-agent-deployment: +global: cluster: sa-cluster licenseKey: test + +super-agent-deployment: config: auth: - organizationId: test + # There is no way to test the auth flow for now. Tests get stuck as the pre-install job cannot succeed to create a new system identity. + # Until we have a better idea or we are able to create a fake oauth server, we have to disable this. + enabled: false From 8175f1fad293067a22ef86f8ef48e9098ff569d9 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Wed, 4 Sep 2024 16:49:02 +0200 Subject: [PATCH 09/16] Run system identity job also on pre-upgrade --- .../preinstall-job-register-system-identity.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml index 85eb43182..9587ab7b3 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml @@ -10,7 +10,7 @@ apiVersion: v1 kind: Secret metadata: annotations: - helm.sh/hook: pre-install # TODO we cannot enable auth after installation, we should add pre-upgrade and check if the secret exists + helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded helm.sh/hook-weight: "-1010" labels: 
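Review bot: With `pre-upgrade` added to the hook Secret, the user key is written into the cluster on every `helm upgrade`, even when the system identity already exists and the Job exits straight away. As far as these hunks show, the template is gated only on chart values, so the key is readable by anyone who can read Secrets in the namespace for the duration of each upgrade's hooks, and the operator has to keep supplying it. Rendering the Secret only when the auth secret is absent would narrow that, for example `{{- if not (lookup "v1" "Secret" .Release.Namespace (include "newrelic-super-agent.auth.secret.name" .)) }}`; the same applies to the Job, whose annotation gets the same change in the `@@ -25,7 +25,7 @@` hunk. `lookup` returns an empty result under `helm template`, so offline rendering would still produce both objects.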
@@ -25,7 +25,7 @@ apiVersion: batch/v1 kind: Job metadata: annotations: - helm.sh/hook: pre-install # TODO we cannot enable auth after installation, we should add pre-upgrade and check if the secret exists + helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded helm.sh/hook-weight: "-1005" name: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "system-identity-installer" ) }} @@ -54,9 +54,16 @@ spec: args: - -c - | - set -uo pipefail + set -euo pipefail apk update - apk add curl kubectl jq openssl + apk add kubectl + + if kubectl get secret {{ include "newrelic-super-agent.auth.secret.name" . }}; then + echo System identity already exists. Exiting gracefully... + exit 0 + fi + + apk add curl jq openssl TEMPORAL_FOLDER=gen-folder mkdir $TEMPORAL_FOLDER openssl genrsa -out "$TEMPORAL_FOLDER/key" 4096 From b4dfb2fd6e707173b416628536f9f9e759ab2c68 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Fri, 6 Sep 2024 11:53:21 +0200 Subject: [PATCH 10/16] remove eu endpoint for auth token retrieval --- .../charts/super-agent-deployment/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index afd01c1b5..67189194c 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl 
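Review bot: The new `if kubectl get secret …` guard in the Job script treats every failed lookup as "identity does not exist": a forbidden or timed-out request falls through to key generation and registration just like a real NotFound, because `set -e` does not apply to a command used as an `if` condition. That could register a second system identity for a cluster that already has one. Separating the two cases keeps the fail-fast intent of `set -euo pipefail`: `existing=$(kubectl get secret {{ include "newrelic-super-agent.auth.secret.name" . }} --ignore-not-found -o name)` followed by `if [ -n "$existing" ]; then`. The script continues past the end of this hunk, so what happens after registration is not visible here. Separately, `apk add` pulls unpinned packages at hook run time into the container that holds `USER_KEY` and the generated private key; an image with the tools preinstalled and pinned by digest would remove that dependency.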
@@ -68,7 +68,7 @@ Return to which endpoint should the super agent ask to renew its token {{- if eq $region "Staging" -}} https://system-identity-oauth.staging-service.newrelic.com/oauth2/token {{- else if eq $region "EU" -}} - https://system-identity-oauth.service.eu.newrelic.com/oauth2/token + https://system-identity-oauth.service.newrelic.com/oauth2/token {{- else if eq $region "US" -}} https://system-identity-oauth.service.newrelic.com/oauth2/token {{- else if eq $region "Local" -}} From 1b7d749d8f5b5424cfe887f937593ff01bbd2d3e Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Tue, 10 Sep 2024 16:20:31 +0200 Subject: [PATCH 11/16] fix agent' structure creation and add a test --- .../templates/_helpers.tpl | 4 +-- .../tests/configmap_fleet_configs_test.yaml | 4 +-- .../configmap_superagent_config_test.yaml | 30 ++++++++++++++++++- 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index 67189194c..968f769cf 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl @@ -8,7 +8,7 @@ Return the name of the configMap holding the Super Agent's config. Defaults to r {{- /* -Return the agents part that should go in the super agent config. It is created from `.Values.config.subAgents`. +Test that the value of `.Values.config.subAgents` exists and its valid. If empty, returns the default. */ -}} {{- define "newrelic-super-agent.config.agents.yaml" -}} {{- if (.Values.config).subAgents -}} 
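Review bot: The `EU` branch of the token-renewal helper in _helpers.tpl now returns the same URL as the `US` branch, and nothing in the template says this is intended. The test updated later in this series still expects the OpAMP endpoint on `opamp.service.eu.newrelic.com`, so EU installs will fetch tokens from the global host while talking OpAMP to the EU one; operators with egress allow-lists or data-residency requirements need to know that. A comment on the branch would record it, e.g. `{{- /* EU intentionally uses the global OAuth endpoint; see "remove eu endpoint for auth token retrieval" */ -}}`, or the two conditions could be merged into one. The `define` block starts and ends outside this hunk.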
@@ -17,7 +17,7 @@ Return the agents part that should go in the super agent config. It is created f {{- if not ($subAgentConfig).type -}} {{- fail (printf "Agent %s does not have agent type" $subAgentName) -}} {{- end -}} - {{- $_ := dict $subAgentName (dict "agent_type" $subAgentConfig.type "content" $subAgentConfig.content) | mustMerge $agents -}} + {{- $agents = mustMerge $agents (dict $subAgentName $subAgentConfig) -}} {{- end -}} {{- $agents | toYaml -}} {{- else -}} diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml index 734334fe3..fee54065e 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_fleet_configs_test.yaml @@ -9,12 +9,12 @@ tests: set: config: subAgents: - open-telemetry: null + open-telemetry: ~ asserts: - failedTemplate: errorMessage: Agent open-telemetry does not have agent type - - it: default value can be overridden + - it: default config for each subAgent can be overridden set: config: subAgents: diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml index cef3f2cfa..bd1581c29 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml 
@@ -113,7 +113,35 @@ tests: auth_config: private_key_path: /etc/newrelic-super-agent/keys/from-secret.key provider: local - token_url: https://system-identity-oauth.service.eu.newrelic.com/oauth2/token + token_url: https://system-identity-oauth.service.newrelic.com/oauth2/token endpoint: https://opamp.service.eu.newrelic.com/v1/opamp server: enabled: true + + - it: default config for super agent can be overridden + template: templates/configmap-superagent-config.yaml + set: + cluster: my-cluster + region: eu + config: + subAgents: + test-0: + type: org.newrelic/test:0.0.0 + content: + a: test + value: 0 + test-1: + type: org.newrelic/test:0.0.1 + content: + a: test + value: 1 + test-2: + type: org.newrelic/test:0.0.2 + content: + a: test + aYAML: + canI: HaveSomeYAML + asserts: + - matchRegex: + path: data["local_config"] + pattern: "agents:\n test-0:\n agent_type: org.newrelic/test:0.0.0\n test-1:\n agent_type: org.newrelic/test:0.0.1\n test-2:\n agent_type: org.newrelic/test:0.0.2" From 9e65a95f419588daf9e1378c21800ebeceb15ef1 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Tue, 10 Sep 2024 16:28:45 +0200 Subject: [PATCH 12/16] remove hard to read dictionary merges --- .../super-agent-deployment/templates/_helpers.tpl | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index 968f769cf..78bfc57ff 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl 
@@ -120,27 +120,27 @@ If you need a list of TODOs, just `grep TODO` on the `values.yaml` and look for {{- /* Add to config k8s cluster and namespace config */ -}} {{- $k8s := (dict "cluster_name" (include "newrelic.common.cluster" .) "namespace" .Release.Namespace) -}} -{{- $_ := mustMerge $config (dict "k8s" $k8s) -}} +{{- $config = mustMerge $config (dict "k8s" $k8s) -}} {{- /* Add opamp if auth enabled */ -}} {{- if ((.Values.config).auth).enabled -}} {{- $opamp := (dict "endpoint" (include "newrelic-super-agent.config.endpoints.opamp" .)) -}} {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} - {{- $_ := mustMerge $opamp (dict "auth_config" $auth_config) -}} + {{- $opamp = mustMerge $opamp (dict "auth_config" $auth_config) -}} - {{- $_ := mustMerge $config (dict "opamp" $opamp) -}} + {{- $config = mustMerge $config (dict "opamp" $opamp) -}} {{- end -}} {{- /* Add subagents to the config */ -}} {{- $agents := dict -}} {{- range $subagent, $object := (include "newrelic-super-agent.config.agents.yaml" . | fromYaml) -}} - {{- $_ := mustMerge $agents (dict $subagent (dict "agent_type" $object.type)) -}} + {{- $agents = mustMerge $agents (dict $subagent (dict "agent_type" $object.type)) -}} {{- end -}} -{{- $_ := mustMerge $config (dict "agents" $agents) -}} +{{- $config = mustMerge $config (dict "agents" $agents) -}} {{- /* Overwrite $config with everything in `config.superAgent.content` if present */ -}} -{{- $_ := deepCopy (.Values.config.superAgent.content | default dict) | mustMergeOverwrite $config -}} +{{- $config = mustMergeOverwrite $config (deepCopy (((.Values.config).superAgent).content | default dict)) -}} {{- $config | toYaml -}} {{- end -}} From 59cf21aacbe9100d51d9ba9dc7c33c6698f61534 Mon Sep 17 00:00:00 2001 
From: Juan Manuel Perez Date: Tue, 10 Sep 2024 17:04:25 +0200 Subject: [PATCH 13/16] changed toggle to disabled opamp to opamp instead of auth --- charts/super-agent/README.md | 2 +- .../templates/_helpers.tpl | 8 +++---- .../templates/deployment-superagent.yaml | 6 ++--- .../configmap_superagent_config_test.yaml | 23 +++++++++++++++++++ charts/super-agent/values.yaml | 4 +++- 5 files changed, 34 insertions(+), 9 deletions(-) diff --git a/charts/super-agent/README.md b/charts/super-agent/README.md index 1261863ac..e1e995c0f 100644 --- a/charts/super-agent/README.md +++ b/charts/super-agent/README.md 
@@ -51,7 +51,6 @@ As of the creation of the chart, it has no particularities and this section can | super-agent-deployment.affinity | object | `{}` | Sets pod/node affinities. Can be configured also with `global.affinity` | | super-agent-deployment.cleanupManagedResources | bool | `true` | Enable the cleanup of super-agent managed resources when the chart is uninstalled. If disabled, agents and/or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. | | super-agent-deployment.cluster | string | `""` | Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. | -| super-agent-deployment.config.auth.enabled | bool | `true` | Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent in stand alone mode where only the agents specified on `.config.subAgents` will be launched. | | super-agent-deployment.config.auth.organization_id | string | `""` | Organization ID where fleets will live. | | super-agent-deployment.config.auth.secret.client_id.base64 | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. This options is mutually exclusive with `plain`. | | super-agent-deployment.config.auth.secret.client_id.plain | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. This options is mutually exclusive with `base64`. | 
@@ -60,6 +59,7 @@ As of the creation of the chart, it has no particularities and this section can | super-agent-deployment.config.auth.secret.private_key.base64_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. This options is mutually exclusive with `plain_pem`. | | super-agent-deployment.config.auth.secret.private_key.plain_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. This options is mutually exclusive with `base64_pem`. | | super-agent-deployment.config.auth.secret.private_key.secret_key | string | `private_key` | Key inside the secret containing the private key. | +| super-agent-deployment.config.opamp.enabled | bool | `true` | Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent in stand alone mode where only the agents specified on `.config.subAgents` will be launched. | | super-agent-deployment.config.subAgents | string | {} (Empty. That defaults to configure the `newrelic/io.opentelemetry.collector` subagent) | Values that the fleet is going to have in the deployment. | | super-agent-deployment.config.superAgent | object | See `values.yaml` | Configuration for the Super Agent. | | super-agent-deployment.config.superAgent.content | object | `{}` | It you are a PowerUser, you can use this to override the configuration that has been created automatically by the chart. This configuration here will be **MERGED** with the configuration specified above. If you need to have you own configuration, disabled the creation of this configMap and create your own. | diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index 78bfc57ff..8c3d3613c 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl 
+++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl @@ -122,8 +122,8 @@ If you need a list of TODOs, just `grep TODO` on the `values.yaml` and look for {{- $k8s := (dict "cluster_name" (include "newrelic.common.cluster" .) "namespace" .Release.Namespace) -}} {{- $config = mustMerge $config (dict "k8s" $k8s) -}} -{{- /* Add opamp if auth enabled */ -}} -{{- if ((.Values.config).auth).enabled -}} +{{- /* Add opamp if enabled */ -}} +{{- if ((.Values.config).opamp).enabled -}} {{- $opamp := (dict "endpoint" (include "newrelic-super-agent.config.endpoints.opamp" .)) -}} {{- $auth_config := dict "token_url" (include "newrelic-super-agent.config.endpoints.tokenRenewal" .) "provider" "local" "private_key_path" "/etc/newrelic-super-agent/keys/from-secret.key" -}} @@ -205,7 +205,7 @@ Helper to toggle the creation of the job that creates and registers the system i {{- $privateKey := include "newrelic-super-agent.auth.secret.privateKey.data" . -}} {{- $clientId := include "newrelic-super-agent.auth.secret.clientId.data" . -}} -{{- if and ((.Values.config).auth).enabled (((.Values.config).auth).secret).create (not $privateKey) (not $clientId) -}} +{{- if and ((.Values.config).opamp).enabled (((.Values.config).auth).secret).create (not $privateKey) (not $clientId) -}} true {{- end -}} {{- end -}} @@ -216,7 +216,7 @@ Helper to toggle the creation of the job that creates and registers the system i Helper to toggle the creation of the secret that has the system identity as values. */ -}} {{- define "newrelic-super-agent.auth.secret.shouldTemplate" -}} -{{- if and ((.Values.config).auth).enabled (((.Values.config).auth).secret).create -}} +{{- if and ((.Values.config).opamp).enabled (((.Values.config).auth).secret).create -}} {{- $privateKey := include "newrelic-super-agent.auth.secret.privateKey.data" . -}} {{- $clientId := include "newrelic-super-agent.auth.secret.clientId.data" . -}} 
diff --git a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml index c2419b6a6..2def77735 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/deployment-superagent.yaml @@ -64,7 +64,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: - {{- if ((.Values.config).auth).enabled }} + {{- if ((.Values.config).opamp).enabled }} - name: NR_SA_OPAMP__AUTH_CONFIG__CLIENT_ID valueFrom: secretKeyRef: @@ -115,7 +115,7 @@ spec: - mountPath: /var/lib/newrelic-super-agent name: var-lib-newrelic-super-agent readOnly: false - {{- if ((.Values.config).auth).enabled }} + {{- if ((.Values.config).opamp).enabled }} - name: auth-secret-private-key mountPath: "/etc/newrelic-super-agent/keys/from-secret.key" subPath: {{ include "newrelic-super-agent.auth.secret.privateKey.key" . }} @@ -136,7 +136,7 @@ spec: path: config.yaml - name: var-lib-newrelic-super-agent emptyDir: {} - {{- if ((.Values.config).auth).enabled }} + {{- if ((.Values.config).opamp).enabled }} - name: auth-secret-private-key secret: secretName: {{ include "newrelic-super-agent.auth.secret.name" . }} diff --git a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml index bd1581c29..a889a30cc 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/configmap_superagent_config_test.yaml 
@@ -13,6 +13,26 @@ tests: asserts: - hasDocuments: count: 0 + + - it: opamp can be disabled + set: + cluster: my-cluster + config: + opamp: + enabled: false + asserts: + - equal: + path: data["local_config"] + value: | + agents: + open-telemetry: + agent_type: newrelic/io.opentelemetry.collector:0.2.0 + k8s: + cluster_name: my-cluster + namespace: my-namespace + server: + enabled: true + - it: super agent's config always include cluster_name, namespace and defaults set: cluster: my-cluster @@ -36,6 +56,7 @@ tests: endpoint: https://opamp.service.newrelic.com/v1/opamp server: enabled: true + - it: super agent's config templates set: cluster: my-cluster @@ -64,6 +85,7 @@ tests: enabled: true test: value test2: value2 + - it: cluster_name and namespace from config have precedence set: cluster: my-cluster @@ -95,6 +117,7 @@ tests: enabled: true test: value test2: value2 + - it: super agent's config always include cluster_name, namespace, defaults, and honor the EU endpoint. set: cluster: my-cluster diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index 6869b91df..d813146ae 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml @@ -132,10 +132,12 @@ super-agent-deployment: # chart_values: # # you can set here modifications to the open telemetry chart - auth: + opamp: # -- Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent # in stand alone mode where only the agents specified on `.config.subAgents` will be launched. enabled: true + + auth: # -- Organization ID where fleets will live. organization_id: "" secret: From 6603cb7200cd56830582859fd065440c896772b4 Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Tue, 17 Sep 2024 11:30:37 +0200 Subject: [PATCH 14/16] address PR comments --- charts/super-agent/README.md | 2 +- charts/super-agent/values.yaml | 22 ++++++++++++++-------- 2 files changed, 15 insertions(+), 9 deletions(-) 
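Review bot: The doc comment that now sits under `opamp.enabled` in values.yaml still reads "Enables or disables the auth against fleet control", but after this commit the key switches the whole OpAMP config block, the credential env vars and the private-key mount in the Deployment. Someone setting it to `false` to turn off authentication gets a stand-alone agent with no fleet connection at all, which the second sentence implies but the first obscures. I would reword it to `# -- Enables or disables the OpAMP connection to fleet control, including its authentication.` and regenerate the README row that copies it.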
diff --git a/charts/super-agent/README.md b/charts/super-agent/README.md index e1e995c0f..1e4296ec8 100644 --- a/charts/super-agent/README.md +++ b/charts/super-agent/README.md 
@@ -60,7 +60,7 @@ As of the creation of the chart, it has no particularities and this section can | super-agent-deployment.config.auth.secret.private_key.plain_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. This options is mutually exclusive with `base64_pem`. | | super-agent-deployment.config.auth.secret.private_key.secret_key | string | `private_key` | Key inside the secret containing the private key. | | super-agent-deployment.config.opamp.enabled | bool | `true` | Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent in stand alone mode where only the agents specified on `.config.subAgents` will be launched. | -| super-agent-deployment.config.subAgents | string | {} (Empty. That defaults to configure the `newrelic/io.opentelemetry.collector` subagent) | Values that the fleet is going to have in the deployment. | +| super-agent-deployment.config.subAgents | string | `newrelic/io.opentelemetry.collector` (See `values.yaml`) | Values that the fleet is going to have in the deployment. If empty, chart will automatically add `newrelic/io.opentelemetry.collector` subagent. On the other hand, if populated the list of agent created is the one specified overwriting the default. | | super-agent-deployment.config.superAgent | object | See `values.yaml` | Configuration for the Super Agent. | | super-agent-deployment.config.superAgent.content | object | `{}` | It you are a PowerUser, you can use this to override the configuration that has been created automatically by the chart. This configuration here will be **MERGED** with the configuration specified above. If you need to have you own configuration, disabled the creation of this configMap and create your own. | | super-agent-deployment.config.superAgent.create | bool | `true` | Set if the configMap is going to be created by this chart or the user will provide its own. | 
diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index d813146ae..8b8edf265 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml @@ -118,19 +118,25 @@ super-agent-deployment: # If you need to have you own configuration, disabled the creation of this configMap and create your own. content: {} - # -- Values that the fleet is going to have in the deployment. - # @default -- {} (Empty. That defaults to configure the `newrelic/io.opentelemetry.collector` subagent) + # -- Values that the fleet is going to have in the deployment. If empty, chart will automatically add `newrelic/io.opentelemetry.collector` subagent. + # On the other hand, if populated the list of agent created is the one specified overwriting the default. + # @default -- `newrelic/io.opentelemetry.collector` (See `values.yaml`) subAgents: # The values of the fleet depends on the deployment itself. Each subagent has a different set of variables so you have to go to the subagent documentation # find the configuration needed for the subagent. # # The example below, open-telemetry, is enabled by default if no subagent is set up. - # open-telemetry: - # type: newrelic/io.opentelemetry.collector:0.2.0 - # content: - # chart_version: "0.4.0" - # chart_values: - # # you can set here modifications to the open telemetry chart + # open-telemetry: + # type: newrelic/io.opentelemetry.collector:0.2.0 + # content: + # chart_values: + # global: + # licenseKey: ${nr-env:NR_LICENSE_KEY} + # cluster: ${nr-env:NR_CLUSTER_NAME} + # nrStaging: ${nr-env:NR_STAGING} + # verboseLog: ${nr-env:NR_VERBOSE} + # region: ${nr-env:NR_REGION} + # # you can set here modifications to the open telemetry chart opamp: # -- Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent From 9753a0f6229a66b9676ee44b7574aefae49549b6 Mon Sep 17 00:00:00 2001 
From: Juan Manuel Perez Date: Mon, 23 Sep 2024 11:16:18 +0200 Subject: [PATCH 15/16] address PR comments --- charts/super-agent/Chart.yaml | 14 +++-- charts/super-agent/README.md | 25 ++++---- .../templates/_helpers.tpl | 20 +++---- .../tests/auth_secret_test.yaml | 36 ++++++----- charts/super-agent/values.yaml | 60 +++++++++---------- 5 files changed, 84 insertions(+), 71 deletions(-) diff --git a/charts/super-agent/Chart.yaml b/charts/super-agent/Chart.yaml index 21e04b86d..8df400508 100644 --- a/charts/super-agent/Chart.yaml +++ b/charts/super-agent/Chart.yaml @@ -23,9 +23,15 @@ keywords: - super-agent maintainers: - - name: sigilioso - url: https://github.com/sigilioso - - name: kang-makes - url: https://github.com/kang-makes + - name: alvarocabanas + url: https://github.com/alvarocabanas + - name: DavSanchez + url: https://github.com/DavSanchez + - name: gsanchezgavier + url: https://github.com/gsanchezgavier - name: paologallinaharbur url: https://github.com/paologallinaharbur + - name: rubenruizdegauna + url: https://github.com/rubenruizdegauna + - name: sigilioso + url: https://github.com/sigilioso diff --git a/charts/super-agent/README.md b/charts/super-agent/README.md index 1e4296ec8..356ecb3ba 100644 --- a/charts/super-agent/README.md +++ b/charts/super-agent/README.md 
@@ -51,18 +51,18 @@ As of the creation of the chart, it has no particularities and this section can | super-agent-deployment.affinity | object | `{}` | Sets pod/node affinities. Can be configured also with `global.affinity` | | super-agent-deployment.cleanupManagedResources | bool | `true` | Enable the cleanup of super-agent managed resources when the chart is uninstalled. If disabled, agents and/or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. | | super-agent-deployment.cluster | string | `""` | Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. | -| super-agent-deployment.config.auth.organization_id | string | `""` | Organization ID where fleets will live. | -| super-agent-deployment.config.auth.secret.client_id.base64 | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. This options is mutually exclusive with `plain`. | -| super-agent-deployment.config.auth.secret.client_id.plain | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. This options is mutually exclusive with `base64`. | -| super-agent-deployment.config.auth.secret.client_id.secret_key | string | `client_id` | Key inside the secret containing the client ID. | -| super-agent-deployment.config.auth.secret.name | string | release name suffixed with "-auth" | Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret will have. | -| super-agent-deployment.config.auth.secret.private_key.base64_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. This options is mutually exclusive with `plain_pem`. 
| -| super-agent-deployment.config.auth.secret.private_key.plain_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. This options is mutually exclusive with `base64_pem`. | -| super-agent-deployment.config.auth.secret.private_key.secret_key | string | `private_key` | Key inside the secret containing the private key. | +| super-agent-deployment.config.opamp.auth.organization_id | string | `""` | Organization ID where fleets will live. | +| super-agent-deployment.config.opamp.auth.secret.client_id.base64 | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. This options is mutually exclusive with `plain`. | +| super-agent-deployment.config.opamp.auth.secret.client_id.plain | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. This options is mutually exclusive with `base64`. | +| super-agent-deployment.config.opamp.auth.secret.client_id.secret_key | string | `client_id` | Key inside the secret containing the client ID. | +| super-agent-deployment.config.opamp.auth.secret.name | string | release name suffixed with "-auth" | Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret will have. | +| super-agent-deployment.config.opamp.auth.secret.private_key.base64_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. This options is mutually exclusive with `plain_pem`. | +| super-agent-deployment.config.opamp.auth.secret.private_key.plain_pem | string | `nil` | In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. This options is mutually exclusive with `base64_pem`. 
| +| super-agent-deployment.config.opamp.auth.secret.private_key.secret_key | string | `private_key` | Key inside the secret containing the private key. | | super-agent-deployment.config.opamp.enabled | bool | `true` | Enables or disables the auth against fleet control. It implies to disable any fleet communication and running the agent in stand alone mode where only the agents specified on `.config.subAgents` will be launched. | | super-agent-deployment.config.subAgents | string | `newrelic/io.opentelemetry.collector` (See `values.yaml`) | Values that the fleet is going to have in the deployment. If empty, chart will automatically add `newrelic/io.opentelemetry.collector` subagent. On the other hand, if populated the list of agent created is the one specified overwriting the default. | | super-agent-deployment.config.superAgent | object | See `values.yaml` | Configuration for the Super Agent. | -| super-agent-deployment.config.superAgent.content | object | `{}` | It you are a PowerUser, you can use this to override the configuration that has been created automatically by the chart. This configuration here will be **MERGED** with the configuration specified above. If you need to have you own configuration, disabled the creation of this configMap and create your own. | +| super-agent-deployment.config.superAgent.content | object | `{}` | Overrides the configuration that has been created automatically by the chart. This configuration here will be **MERGED** with the configuration specified above. If you need to have you own configuration, disabled the creation of this configMap and create your own. | | super-agent-deployment.config.superAgent.create | bool | `true` | Set if the configMap is going to be created by this chart or the user will provide its own. | | super-agent-deployment.containerSecurityContext | object | `{}` | Sets security context (at container level). 
Can be configured also with `global.containerSecurityContext` | | super-agent-deployment.customAttributes | object | `{}` | TODO: Adds extra attributes to the cluster and all the metrics emitted to the backend. Can be configured also with `global.customAttributes` | @@ -96,6 +96,9 @@ As of the creation of the chart, it has no particularities and this section can ## Maintainers -* [sigilioso](https://github.com/sigilioso) -* [kang-makes](https://github.com/kang-makes) +* [alvarocabanas](https://github.com/alvarocabanas) +* [DavSanchez](https://github.com/DavSanchez) +* [gsanchezgavier](https://github.com/gsanchezgavier) * [paologallinaharbur](https://github.com/paologallinaharbur) +* [rubenruizdegauna](https://github.com/rubenruizdegauna) +* [sigilioso](https://github.com/sigilioso) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl index 8c3d3613c..ede9ef6e9 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl +++ b/charts/super-agent/charts/super-agent-deployment/templates/_helpers.tpl @@ -174,7 +174,7 @@ readOnlyRootFilesystem: true Return .Values.config.auth.organizationId and fails if it does not exists */ -}} {{- define "newrelic-super-agent.auth.organizationId" -}} -{{- if ((.Values.config).auth).organizationId -}} +{{- if (((.Values.config).opamp).auth).organizationId -}} {{- .Values.config.auth.organizationId -}} {{- else -}} {{- fail ".config.auth.organizationId is required." -}} @@ -188,7 +188,7 @@ Check if .Values.config.auth.secret.name exists and use it to name auth' secret. of the releases with "-auth" suffix. */ -}} {{- define "newrelic-super-agent.auth.secret.name" -}} -{{- $secretName := ((((.Values.config).auth).secret).name) -}} +{{- $secretName := (((((.Values.config).opamp).auth).secret).name) -}} {{- if $secretName -}} {{- $secretName -}} {{- else -}} 
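Review bot: In the `newrelic-super-agent.auth.organizationId` helper (hunk -174) only the `if` was moved under `opamp`; the next line still emits `.Values.config.auth.organizationId` and the `fail` text still names `.config.auth.organizationId`, so the guard and the value it returns now read different keys. The body should read `{{- .Values.config.opamp.auth.organizationId -}}` and the message `.config.opamp.auth.organizationId is required.`. values.yaml in this same commit spells the key `organization_id`, so if this helper is rendered it would presumably take the `fail` branch even when the documented key is set; the two spellings should be reconciled. The doc comments above the other auth helpers touched here (hunks -188, -235, -250, -270, -285) still cite `.Values.config.auth...` paths and should be updated to `.Values.config.opamp.auth...`. Several of these helper bodies continue outside their hunks.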
@@ -205,7 +205,7 @@ Helper to toggle the creation of the job that creates and registers the system i {{- $privateKey := include "newrelic-super-agent.auth.secret.privateKey.data" . -}} {{- $clientId := include "newrelic-super-agent.auth.secret.clientId.data" . -}} -{{- if and ((.Values.config).opamp).enabled (((.Values.config).auth).secret).create (not $privateKey) (not $clientId) -}} +{{- if and ((.Values.config).opamp).enabled ((((.Values.config).opamp).auth).secret).create (not $privateKey) (not $clientId) -}} true {{- end -}} {{- end -}} @@ -216,7 +216,7 @@ Helper to toggle the creation of the job that creates and registers the system i Helper to toggle the creation of the secret that has the system identity as values. */ -}} {{- define "newrelic-super-agent.auth.secret.shouldTemplate" -}} -{{- if and ((.Values.config).opamp).enabled (((.Values.config).auth).secret).create -}} +{{- if and ((.Values.config).opamp).enabled ((((.Values.config).opamp).auth).secret).create -}} {{- $privateKey := include "newrelic-super-agent.auth.secret.privateKey.data" . -}} {{- $clientId := include "newrelic-super-agent.auth.secret.clientId.data" . -}} @@ -235,7 +235,7 @@ Check if .Values.config.auth.secret.private_key.secret_key exists and use it for key needed for the system identity. Fallbacks to `private_key`. */ -}} {{- define "newrelic-super-agent.auth.secret.privateKey.key" -}} -{{- $key := (((((.Values.config).auth).secret).private_key).secret_key) -}} +{{- $key := ((((((.Values.config).opamp).auth).secret).private_key).secret_key) -}} {{- if $key -}} {{- $key -}} {{- else -}} 
@@ -250,8 +250,8 @@ Check if .Values.config.auth.secret.private_key.(plain_pem or base64_pem) exists auth. If no ceritifcate is provided, it defaults to `""` (empty string) so this helper can be used directly as a test. */ -}} {{- define "newrelic-super-agent.auth.secret.privateKey.data" -}} -{{- $plain_pem := (((((.Values.config).auth).secret).private_key).plain_pem) -}} -{{- $base64_pem := (((((.Values.config).auth).secret).private_key).base64_pem) -}} +{{- $plain_pem := ((((((.Values.config).opamp).auth).secret).private_key).plain_pem) -}} +{{- $base64_pem := ((((((.Values.config).opamp).auth).secret).private_key).base64_pem) -}} {{- if and $plain_pem $base64_pem -}} {{- fail "Only one of base64_pem or plain_pem should be provided it you want to provide your own certificate." -}} {{- else if $base64_pem -}} @@ -270,7 +270,7 @@ Check if .Values.config.auth.secret.client_id.secret_key exists and use it for t needed for the system identity. Fallbacks to `client_id`. */ -}} {{- define "newrelic-super-agent.auth.secret.clientId.key" -}} -{{- $key := (((((.Values.config).auth).secret).client_id).secret_key) -}} +{{- $key := ((((((.Values.config).opamp).auth).secret).client_id).secret_key) -}} {{- if $key -}} {{- $key -}} {{- else -}} @@ -285,8 +285,8 @@ Check if .Values.config.auth.secret.client_id.(plain or base64) exists and use i value is provided, it defaults to `""` (empty string) so this helper can be used directly as a test. */ -}} {{- define "newrelic-super-agent.auth.secret.clientId.data" -}} -{{- $plain := (((((.Values.config).auth).secret).client_id).plain) -}} -{{- $base64 := (((((.Values.config).auth).secret).client_id).base64) -}} +{{- $plain := ((((((.Values.config).opamp).auth).secret).client_id).plain) -}} +{{- $base64 := ((((((.Values.config).opamp).auth).secret).client_id).base64) -}} {{- if and $plain $base64 -}} {{- fail "Only one of base64 or plain should be provided it you want to provide your own client id." -}} {{- else if $base64 -}} 
diff --git a/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml b/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml index 0486f573a..8a476f74f 100644 --- a/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml +++ b/charts/super-agent/charts/super-agent-deployment/tests/auth_secret_test.yaml @@ -13,12 +13,13 @@ tests: set: cluster: test config: - auth: - secret: - private_key: - base64_pem: dGVzdC1rZXk= - client_id: - base64: dGVzdC1rZXk= + opamp: + auth: + secret: + private_key: + base64_pem: dGVzdC1rZXk= + client_id: + base64: dGVzdC1rZXk= asserts: - template: templates/deployment-superagent.yaml equal: @@ -66,8 +67,9 @@ tests: set: cluster: test config: - auth: - enable: false + opamp: + auth: + enable: false asserts: - template: templates/deployment-superagent.yaml notContains: @@ -84,10 +86,11 @@ tests: set: cluster: test config: - auth: - secret: - private_key: - base64_pem: dGVzdC1rZXk= + opamp: + auth: + secret: + private_key: + base64_pem: dGVzdC1rZXk= asserts: - template: templates/secret-sa-auth.yaml failedTemplate: @@ -97,10 +100,11 @@ tests: set: cluster: test config: - auth: - secret: - client_id: - base64: dGVzdC1rZXk= + opamp: + auth: + secret: + client_id: + base64: dGVzdC1rZXk= asserts: - template: templates/secret-sa-auth.yaml failedTemplate: diff --git a/charts/super-agent/values.yaml b/charts/super-agent/values.yaml index 8b8edf265..7dd851b14 100644 --- a/charts/super-agent/values.yaml +++ b/charts/super-agent/values.yaml 
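Review bot: The case re-nested in the -66 hunk sets `config.opamp.auth.enable: false`, but none of the helpers changed in this commit read an `enable` key under `auth`; the toggles they test are `config.opamp.enabled` and `config.opamp.auth.secret.create`. If the intent is to assert that the deployment carries no auth secret reference when auth is switched off, the `set:` block probably needs `opamp: {enabled: false}` or `auth: {secret: {create: false}}` instead. As written, the `notContains` assertion may be passing for a reason unrelated to the value being set. The test name and the full assertion are outside the hunk, so this should be confirmed against the complete file.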
@@ -113,7 +113,7 @@ super-agent-deployment: superAgent: # -- Set if the configMap is going to be created by this chart or the user will provide its own. create: true - # -- It you are a PowerUser, you can use this to override the configuration that has been created automatically by the chart. + # -- Overrides the configuration that has been created automatically by the chart. # This configuration here will be **MERGED** with the configuration specified above. # If you need to have you own configuration, disabled the creation of this configMap and create your own. content: {} 
@@ -143,35 +143,35 @@ super-agent-deployment: # in stand alone mode where only the agents specified on `.config.subAgents` will be launched. enabled: true - auth: - # -- Organization ID where fleets will live. - organization_id: "" - secret: - create: true - # -- Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret - # will have. - # @default -- release name suffixed with "-auth" - name: - private_key: - # -- Key inside the secret containing the private key. - # @default -- `private_key` - secret_key: - # -- In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. - # This options is mutually exclusive with `plain_pem`. - base64_pem: - # -- In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. - # This options is mutually exclusive with `base64_pem`. - plain_pem: - client_id: - # -- Key inside the secret containing the client ID. - # @default -- `client_id` - secret_key: - # -- In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. - # This options is mutually exclusive with `plain`. - base64: - # -- In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. - # This options is mutually exclusive with `base64`. - plain: + auth: + # -- Organization ID where fleets will live. + organization_id: "" + secret: + create: true + # -- Name auth' secret provided by the user. If the creation of this secret is set to `true`, this is the same the secret + # will have. + # @default -- release name suffixed with "-auth" + name: + private_key: + # -- Key inside the secret containing the private key. + # @default -- `private_key` + secret_key: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as base64. 
+ # This options is mutually exclusive with `plain_pem`. + base64_pem: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set private key directly as plain text. + # This options is mutually exclusive with `base64_pem`. + plain_pem: + client_id: + # -- Key inside the secret containing the client ID. + # @default -- `client_id` + secret_key: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as base64. + # This options is mutually exclusive with `plain`. + base64: + # -- In case `.config.auth.secret.create` is true, you can set these keys to set client ID directly as plain text. + # This options is mutually exclusive with `base64`. + plain: # -- Values for the Flux chat. Ref.: https://github.com/fluxcd-community/helm-charts/blob/flux2-2.10.2/charts/flux2/values.yaml From 34b7dc2572d39d398f4f6bb71344b92f5c8de7dc Mon Sep 17 00:00:00 2001 From: Juan Manuel Perez Date: Mon, 23 Sep 2024 11:21:34 +0200 Subject: [PATCH 16/16] include PR #1481 --- .../templates/preinstall-job-register-system-identity.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml index 9587ab7b3..68b6f86c3 100644 --- a/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml +++ b/charts/super-agent/charts/super-agent-deployment/templates/preinstall-job-register-system-identity.yaml 
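Review bot: The `# --` comments on the re-nested `auth` block (hunk -143) still say `.config.auth.secret.create`, although after this move the key is `.config.opamp.auth.secret.create`; the README rows generated from them carry the same stale path. Each of the four comments should read ``In case `.config.opamp.auth.secret.create` is true, ...``. `secret.create` itself has no `# --` description, so it is the one key in the block that users cannot look up. It would also help to add a comment on `private_key.plain_pem` / `base64_pem` noting that a key passed this way is kept with the release's values, and that setting `create: false` with `name` pointing at a pre-created secret avoids that.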
@@ -101,7 +101,7 @@ spec: ERROR_MESSAGE=$(jq -r '.errors[0].message // "NOERROR"' "$TEMPORAL_FOLDER/response.json") if [ "$ERROR_MESSAGE" != "NOERROR" ]; then - echo "Error creating an identity: $ERROR_MESSAGE" + echo "Failed to create a New Relic System Identity for OpAMP communication authentication. Please verify that your User Key is valid and that your Account Organization has the necessary permissions to create a System Identity: $ERROR_MESSAGE" exit 1 fi