From 03b49e46192565db217f99b658b333b5026e6ea2 Mon Sep 17 00:00:00 2001 From: nravada Date: Thu, 30 Jan 2025 06:37:08 +0530 Subject: [PATCH] [nr-ebpf-agent] Sync the latest updates to the nr-ebpf-agent chart (#1537) #### Is this a new chart No #### What this PR does / why we need it: Updates the helm chart with the latest changes made. #### Which issue this PR fixes *(optional, in `fixes #(, fixes #, ...)` format, will close that issue when PR gets merged)* - fixes # #### Special notes for your reviewer: #### Checklist [Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] - [x] Chart Version bumped - [x] Variables are documented in the README.md - [x] Title of the PR starts with chart name (e.g. `[mychartname]`) --------- 
Signed-off-by: kpattaswamy Co-authored-by: Philip-R-Beckwith <74079252+Philip-R-Beckwith@users.noreply.github.com> Co-authored-by: kpattaswamy --- charts/nr-ebpf-agent/Chart.yaml | 2 +- charts/nr-ebpf-agent/README.md | 78 +++++++-- charts/nr-ebpf-agent/templates/_affinity.tpl | 21 +++ charts/nr-ebpf-agent/templates/_helpers.tpl | 92 +++++++--- charts/nr-ebpf-agent/templates/_naming.tpl | 24 +++ .../templates/_security-context.tpl | 43 +++++ charts/nr-ebpf-agent/templates/_tls.tpl | 37 ++++ .../nr-ebpf-agent/templates/_tolerations.tpl | 21 +++ .../templates/nr-ebpf-agent-daemonset.yaml | 105 ++++++++--- .../templates/nr-ebpf-agent-service.yaml | 20 +++ .../templates/otel-collector-config.yaml | 26 ++- .../templates/otel-collector-daemonset.yaml | 60 +++++-- .../templates/otel-collector-rbac.yaml | 8 +- .../otel-collector-service-account.yaml | 4 +- ...ector.yaml => otel-collector-service.yaml} | 3 +- charts/nr-ebpf-agent/templates/secrets.yaml | 28 ++- charts/nr-ebpf-agent/values.yaml | 165 ++++++++++++++---- 17 files changed, 618 insertions(+), 119 deletions(-) create mode 100644 charts/nr-ebpf-agent/templates/_affinity.tpl create mode 100644 charts/nr-ebpf-agent/templates/_naming.tpl create mode 100644 charts/nr-ebpf-agent/templates/_security-context.tpl create mode 100644 charts/nr-ebpf-agent/templates/_tls.tpl create mode 100644 charts/nr-ebpf-agent/templates/_tolerations.tpl create mode 100644 charts/nr-ebpf-agent/templates/nr-ebpf-agent-service.yaml rename charts/nr-ebpf-agent/templates/{otel-collector.yaml => otel-collector-service.yaml} (89%) diff --git a/charts/nr-ebpf-agent/Chart.yaml b/charts/nr-ebpf-agent/Chart.yaml index 934a21c76..4834aeb48 100644 --- a/charts/nr-ebpf-agent/Chart.yaml +++ b/charts/nr-ebpf-agent/Chart.yaml 
@@ -13,7 +13,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.14 +version: 0.1.15 dependencies: - name: common-library version: 1.3.1 diff --git a/charts/nr-ebpf-agent/README.md b/charts/nr-ebpf-agent/README.md index cdfffd042..a780945ea 100644 --- a/charts/nr-ebpf-agent/README.md +++ b/charts/nr-ebpf-agent/README.md 
@@ -75,42 +75,94 @@ Options that can be defined globally include `affinity`, `nodeSelector`, `tolera | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Sets all pods' affinities. Can be configured also with `global.affinity` | +| allowServiceNameRegex | string | `""` | This config acts as a bypass for the dropDataServiceNameRegex config. Service names that match this regex will not have their data dropped by the dropDataServiceNameRegex. If dropDataServiceNameRegex is not defined, this config has no impact on the eBPF agent. | | cluster | string | `""` | Name of the Kubernetes cluster to be monitored. Mandatory. Can be configured with `global.cluster` | +| containerSecurityContext | object | `{}` | Sets all pods' containerSecurityContext. Can be configured also with `global.securityContext.container` | +| customSecretLicenseKey | string | `""` | In case you don't want to have the license key in your values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey` | +| customSecretName | string | `""` | In case you don't want to have the license key in your values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` | +| dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` | +| dropAPMEnabledPods | bool | `true` | Drop data from pods that are monitored by New Relic APM via auto attach. | | dropDataIpServiceNames | bool | `true` | Drop data when service names map to an IP address. | | dropDataKubeSystem | bool | `true` | Drop data from the kube-system namespace. | | dropDataNewRelic | bool | `true` | Drop data from the newrelic namespace. | -| dropDataServiceNameRegex | string | `"gmp-.*"` | Define a regex to mach service names to drop. 
Example "kube-dns|otel-collector|\\bblah\\b" see Golang Docs for Regex syntax https://github.com/google/re2/wiki/Syntax | +| dropDataServiceNameRegex | string | `""` | Define a regex to match service names to drop. Example "kube-dns|otel-collector|\\bblah\\b" see Golang Docs for Regex syntax https://github.com/google/re2/wiki/Syntax | +| ebpfAgent.affinity | object | `{}` | Sets ebpfAgent pod affinities. Overrides `affinity` and `global.affinity` | +| ebpfAgent.containerSecurityContext | object | `{"privileged":true}` | Sets ebpfAgent pod containerSecurityContext. Overrides `containerSecurityContext` and `global.securityContext.container` | | ebpfAgent.image.pullPolicy | string | `"IfNotPresent"` | The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is also set to Always. | -| ebpfAgent.image.repository | string | `"us-west1-docker.pkg.dev/pl-dev-infra/nr-ebpf-agent-lp/ebpf-agent"` | eBPF agent image to be deployed. | -| ebpfAgent.image.tag | string | `"0.0.5"` | The tag of the eBPF agent image to be deployed. | +| ebpfAgent.image.repository | string | `"docker.io/newrelic/newrelic-ebpf-agent"` | eBPF agent image to be deployed. | +| ebpfAgent.image.tag | string | `"nr-ebpf-agent_0.0.5"` | The tag of the eBPF agent image to be deployed. | +| ebpfAgent.podAnnotations | object | `{}` | Sets ebpfAgent pod Annotations. Overrides `podAnnotations` and `global.podAnnotations` | +| ebpfAgent.podSecurityContext | object | `{}` | Sets ebpfAgent pod podSecurityContext. Overrides `podSecurityContext` and `global.securityContext.pod` | | ebpfAgent.resources.limits.memory | string | `"2Gi"` | Max memory allocated to the container. | | ebpfAgent.resources.requests.cpu | string | `"100m"` | Min CPU allocated to the container. | | ebpfAgent.resources.requests.memory | string | `"250Mi"` | Min memory allocated to the container. 
| +| ebpfAgent.tolerations | list | `[]` | Sets ebpfAgent pod tolerations. Overrides `tolerations` and `global.tolerations` | | ebpfClient.image.pullPolicy | string | `"IfNotPresent"` | The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is set to Always. | -| ebpfClient.image.repository | string | `"us-west1-docker.pkg.dev/pl-dev-infra/nr-ebpf-agent-lp/ebpf-client"` | eBPF client image to be deployed. | -| ebpfClient.image.tag | string | `"0.0.7"` | The tag of the eBPF client image to be deployed. | +| ebpfClient.image.repository | string | `"docker.io/newrelic/newrelic-ebpf-agent"` | eBPF client image to be deployed. | +| ebpfClient.image.tag | string | `"nr-ebpf-client_0.0.7"` | The tag of the eBPF client image to be deployed. | | ebpfClient.resources.limits.memory | string | `"100Mi"` | Max memory allocated to the container. | | ebpfClient.resources.requests.cpu | string | `"50m"` | Min CPU allocated to the container. | | ebpfClient.resources.requests.memory | string | `"50Mi"` | Min memory allocated to the container. | -| labels | object | `{}` | Additional labels for chart objects | +| kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain. | +| labels | object | `{}` | Additional labels for chart objects. | | licenseKey | string | `""` | The license key to use. Can be configured with `global.licenseKey` | | nodeSelector | object | `{}` | Sets all pods' node selector. Can be configured also with `global.nodeSelector` | -| nrStaging | bool | `false` | Endpoint to export data to via the otel collector. NR prod (otlp.nr-data.net:4317) by default. Staging (staging-otlp.nr-data.net:4317) otherwise. Requires a valid staging license key. Can also be configured with global.nrStaging. | +| nrStaging | bool | `false` | Endpoint to export data to via the otel collector. NR prod (otlp.nr-data.net:4317) by default. 
Staging (staging-otlp.nr-data.net:4317) otherwise. | +| otelCollector.affinity | object | `{}` | Sets otelCollector pod affinities. Overrides `affinity` and `global.affinity` | | otelCollector.collector.serviceAccount.annotations | object | `{}` | Annotations for the OTel collector service account. | +| otelCollector.containerSecurityContext | object | `{}` | Sets otelCollector pod containerSecurityContext. Overrides `containerSecurityContext` and `global.securityContext.container` | | otelCollector.image.pullPolicy | string | `"IfNotPresent"` | The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is set to Always. | -| otelCollector.image.repository | string | `"us-west1-docker.pkg.dev/pl-dev-infra/nr-ebpf-agent-lp/nr-ebpf-otel-collector"` | OpenTelemetry collector image to be deployed. | -| otelCollector.image.tag | string | `"0.0.1"` | The tag of the OpenTelemetry collector image to be deployed. | +| otelCollector.image.repository | string | `"docker.io/newrelic/newrelic-ebpf-agent"` | OpenTelemetry collector image to be deployed. | +| otelCollector.image.tag | string | `"nr-ebpf-otel-collector_0.0.1"` | The tag of the OpenTelemetry collector image to be deployed. | +| otelCollector.podAnnotations | object | `{}` | Sets otelCollector pod Annotations. Overrides `podAnnotations` and `global.podAnnotations` | +| otelCollector.podSecurityContext | object | `{}` | Sets otelCollector pod podSecurityContext. Overrides `podSecurityContext` and `global.securityContext.pod` | | otelCollector.resources.limits.cpu | string | `"100m"` | Max CPU allocated to the container. | | otelCollector.resources.limits.memory | string | `"200Mi"` | Max memory allocated to the container. | | otelCollector.resources.requests.cpu | string | `"100m"` | Min CPU allocated to the container. | | otelCollector.resources.requests.memory | string | `"200Mi"` | Min memory allocated to the container. 
| -| podLabels | object | `{}` | Additional labels for chart pods | -| protocols | object | `{"amqp":{"enabled":true,"samplingLatency":""},"cass":{"enabled":true,"samplingLatency":""},"dns":{"enabled":true,"samplingLatency":""},"http":{"enabled":true,"samplingLatency":""},"kafka":{"enabled":true,"samplingLatency":""},"mongodb":{"enabled":true,"samplingLatency":""},"mysql":{"enabled":true,"samplingLatency":""},"pgsql":{"enabled":true,"samplingLatency":""},"redis":{"enabled":true,"samplingLatency":""}}` | The protocols to enable for tracing in the socket_tracer. samplingLatency represents the sampling latency threshold for the spans to export. Options: p1, p10, p50, p90, p99. | +| otelCollector.tolerations | list | `[]` | Sets otelCollector pod tolerations. Overrides `tolerations` and `global.tolerations` | +| podLabels | object | `{}` | Additional labels for chart pods. | +| podSecurityContext | object | `{}` | Sets all pods' podSecurityContext. Can be configured also with `global.securityContext.pod` | +| priorityClassName | string | `""` | Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` | +| protocols.amqp.spans.enabled | bool | `false` | | +| protocols.amqp.spans.samplingLatency | string | `""` | | +| protocols.cass.metrics.enabled | bool | `true` | | +| protocols.cass.spans.enabled | bool | `false` | | +| protocols.cass.spans.samplingLatency | string | `""` | | +| protocols.dns.spans.enabled | bool | `false` | | +| protocols.dns.spans.samplingLatency | string | `""` | | +| protocols.http.metrics.enabled | bool | `true` | | +| protocols.http.spans.enabled | bool | `true` | | +| protocols.http.spans.samplingErrorRate | string | `""` | samplingErrorRate represents the error rate threshold for an HTTP route where surpassing it would mean the corresponds spans of the route are exported. 
Options: 1-100 | +| protocols.http.spans.samplingLatency | string | `""` | | +| protocols.kafka.spans.enabled | bool | `false` | | +| protocols.kafka.spans.samplingLatency | string | `""` | | +| protocols.mongodb.metrics.enabled | bool | `true` | | +| protocols.mongodb.spans.enabled | bool | `false` | | +| protocols.mongodb.spans.samplingLatency | string | `""` | | +| protocols.mysql.metrics.enabled | bool | `true` | | +| protocols.mysql.spans.enabled | bool | `false` | | +| protocols.mysql.spans.samplingLatency | string | `""` | | +| protocols.pgsql.metrics.enabled | bool | `true` | | +| protocols.pgsql.spans.enabled | bool | `false` | | +| protocols.pgsql.spans.samplingLatency | string | `""` | | +| protocols.redis.metrics.enabled | bool | `true` | | +| protocols.redis.spans.enabled | bool | `false` | | +| protocols.redis.spans.samplingLatency | string | `""` | | | proxy | string | `""` | Configures the agent to send all data through the proxy specified via the otel collector. | -| pushPeriod | string | `"15"` | The periodicity in seconds at which the eBPF agent pushes data to the OTel collector for export to NR. The eBPF agent applies a request path clustering algorithm to reduce cardinality in exported HTTP data. The algorithm only looks for similar request paths within data of the same push period. To increase the window under consideration for cardinality reduction, increase this value. Accepted range: 15-60. | +| pushPeriod | string | `"15"` | - The periodicity in seconds at which the eBPF agent pushes data to the OTel collector for export to NR. The eBPF agent applies a request path clustering algorithm to reduce cardinality in exported HTTP data. The algorithm only looks for similar request paths within data of the same push period. To increase the window under consideration for cardinality reduction, increase this value. Accepted range: 15-60. 
| | stirlingSources | string | `"socket_tracer,tcp_stats"` | The source connectors (and data export scripts) to enable. Note that socket_tracer tracks http, mysql, redis, mongodb, amqp, cassandra, dns, and postgresql while tcp_stats tracks TCP metrics. | | tableStoreDataLimitMB | string | `"250"` | The primary lever to control RAM use of the eBPF agent. Specified in MiB. | +| tls.autoGenerateCert.certPath | string | `"/tmp/ebpf/certs/"` | Certificates path. | +| tls.autoGenerateCert.certPeriodDays | int | `365` | Cert validity period time in days. | +| tls.autoGenerateCert.enabled | bool | `true` | If true, Helm will automatically create a self-signed cert and secret for you. | +| tls.autoGenerateCert.recreate | bool | `true` | If set to true, a new key/certificate is generated on helm upgrade. | +| tls.caFile | string | `""` | Path to the CA cert. | +| tls.certFile | string | `""` | Path to your own PEM-encoded certificate. | +| tls.enabled | bool | `true` | Enable TLS communication between the eBPF client and agent. | +| tls.keyFile | string | `""` | Path to your own PEM-encoded private key. | | tolerations | list | `[]` | Sets all pods' tolerations to node taints. Can be configured also with `global.tolerations` | +| verboseLog | bool | `false` | Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` | ## Common Errors @@ -122,4 +174,4 @@ If the `nr-ebpf-client` or `nr-ebpf-agent` container logs indicate that the scri * ramkrishankumarN * kpattaswamy -* benkilimnik \ No newline at end of file +* benkilimnik diff --git a/charts/nr-ebpf-agent/templates/_affinity.tpl b/charts/nr-ebpf-agent/templates/_affinity.tpl new file mode 100644 index 000000000..2fbbddc9e --- /dev/null +++ b/charts/nr-ebpf-agent/templates/_affinity.tpl 
@@ -0,0 +1,21 @@ +{{- /* +A helper to return the affinity to apply to the ebpf daemonset. +*/ -}} +{{- define "nrEbpfAgent.ebpfAgent.affinity" -}} +{{- if .Values.ebpfAgent.affinity -}} + {{- toYaml .Values.ebpfAgent.affinity -}} +{{- else if include "newrelic.common.affinity" . -}} + {{- include "newrelic.common.affinity" . -}} +{{- end -}} +{{- end -}} + +{{- /* +A helper to return the affinity to apply to the Otel daemonset. +*/ -}} +{{- define "nrEbpfAgent.otelCollector.affinity" -}} +{{- if .Values.otelCollector.affinity -}} + {{- toYaml .Values.otelCollector.affinity -}} +{{- else if include "newrelic.common.affinity" . -}} + {{- include "newrelic.common.affinity" . -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/nr-ebpf-agent/templates/_helpers.tpl b/charts/nr-ebpf-agent/templates/_helpers.tpl index e0e45b52b..3f3dd51f8 100644 --- a/charts/nr-ebpf-agent/templates/_helpers.tpl +++ b/charts/nr-ebpf-agent/templates/_helpers.tpl 
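Review bot: `_affinity.tpl` is added without a trailing newline (`\ No newline at end of file`), and the same applies to the new `_security-context.tpl` and `_tolerations.tpl` further down this patch, while `_naming.tpl` and `_tls.tpl` do end with one. The inconsistency means the next append to any of the three files shows a spurious change on its closing `{{- end -}}` line. A final newline is free here because the `-}}` already trims it from the rendered output.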
@@ -52,41 +52,83 @@ Return the cluster name {{- end -}} {{- end -}} + + + {{/* -Return the licenseKey +Create otel collector receiver endpoint */}} -{{- define "nr-ebpf-agent.licenseKey" -}} -{{- if .Values.global }} - {{- if .Values.global.licenseKey }} - {{- .Values.global.licenseKey -}} - {{ else if .Values.global.insightsKey }} - {{- .Values.global.insightsKey -}} - {{ else }} - {{- .Values.licenseKey | default "" -}} - {{ end }} -{{- else -}} - {{- .Values.licenseKey | default "" -}} +{{- define "nr-otel-collector-receiver.endpoint" -}} +{{- printf "dns:///%s.%s.svc.%s:4317" (include "otel-collector.service.name" .) .Release.Namespace .Values.kubernetesClusterDomain }} +{{- end }} + +{{/* +Validate the user inputted quantile when sampling by latency. +*/}} +{{- define "validate.samplingLatency" -}} +{{- $validOptions := list "" "p1" "p10" "p50" "p90" "p99" -}} +{{- $protocol := .protocol -}} +{{- $latency := .latency -}} +{{- if not (has $latency $validOptions) -}} +{{- fail (printf "Invalid samplingLatency '%s' for protocol '%s'. Valid options are: %v" $latency $protocol $validOptions) -}} {{- end -}} {{- end -}} {{/* -Return the customSecretName +Validate the user inputted value when sampling by error rate. */}} -{{- define "nr-ebpf-agent.customSecretName" -}} -{{- if .Values.global }} - {{- .Values.global.customSecretName | default "" -}} -{{- else -}} - {{- "" -}} +{{- define "validate.samplingErrorRate" -}} +{{- $protocol := .protocol -}} +{{- $errorRateString := .errorRate -}} +{{- $errorRate := .errorRate | int -}} +{{- if or (lt $errorRate 1) (gt $errorRate 100) -}} +{{- fail (printf "Invalid samplingErrorRate '%s' for protocol '%s'. Valid range is between 1 and 100" $errorRateString $protocol) -}} {{- end -}} {{- end -}} {{/* -Return the customSecretLicenseKey +Pass environment variables to the agent container if tracing a specific protocol is to be disabled. 
*/}} -{{- define "nr-ebpf-agent.customSecretKey" -}} -{{- if .Values.global }} - {{- .Values.customSecretLicenseKey | default "" -}} -{{- else -}} - {{- "" -}} -{{- end -}} +{{- define "generateTracingEnvVars" -}} +{{- range $protocol, $config := .Values.protocols }} + {{- $metricsEnabled := false }} + {{- if (hasKey $config "metrics") }} + {{- $metricsEnabled := eq $config.metrics.enabled true }} + {{- end }} + {{- $spansEnabled := false }} + {{- if (hasKey $config "spans") }} + {{- $spansEnabled := eq $config.spans.enabled true }} + {{- if or (and (not $metricsEnabled) (not $spansEnabled)) (and (not (hasKey $config "metrics")) (not $spansEnabled)) }} + {{- end }} +- name: PX_STIRLING_ENABLE_{{ upper $protocol }}_TRACING + value: "0" + {{- end }} +{{- end }} {{- end -}} + +{{/* +Generate environment variables for disabling protocols and setting sampling latency. +*/}} +{{- define "generateClientScriptEnvVars" -}} +{{- if .Values.protocols }} +{{- range $protocol, $config := .Values.protocols }} + {{- if (hasKey $config "metrics") }} + {{- if eq $config.metrics.enabled false }} +- name: NR_EBPF_ENABLE_{{ upper $protocol }}_METRICS + value: "0" + {{- end }} + {{- end }} + {{- if (hasKey $config "spans") }} + {{- if (eq $config.spans.enabled false) }} +- name: NR_EBPF_ENABLE_{{ upper $protocol }}_SPANS + value: "0" + {{- end }} + {{- if (eq $config.spans.enabled true) }} + {{- include "validate.samplingLatency" (dict "protocol" $protocol "latency" $config.spans.samplingLatency) }} +- name: SAMPLE_{{ upper $protocol }}_LATENCY + value: "{{ $config.spans.samplingLatency | regexMatch "p1|p10|p50|p90|p99" | ternary $config.spans.samplingLatency "" }}" + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nr-ebpf-agent/templates/_naming.tpl b/charts/nr-ebpf-agent/templates/_naming.tpl new file mode 100644 index 000000000..9257c5680 --- /dev/null +++ b/charts/nr-ebpf-agent/templates/_naming.tpl 
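Review bot: In `generateTracingEnvVars` the two assignments inside the `if` blocks use `:=`, which in Go templates declares a new variable scoped to that `if` instead of updating the outer `$metricsEnabled`/`$spansEnabled`, so both outer variables stay `false` and the `or (and (not $metricsEnabled) ...)` test never sees the configured values. Write them as `{{- $metricsEnabled = eq $config.metrics.enabled true }}` and `{{- $spansEnabled = eq $config.spans.enabled true }}`, the form `_tls.tpl` in this same patch already uses for `$clientCert`. As the hunk reads, that `if or ...` is also closed by the `{{- end }}` on the very next line, leaving its body empty, so `PX_STIRLING_ENABLE_<PROTOCOL>_TRACING=0` is emitted for every protocol that has a `spans` key regardless of what is enabled; unless a line was lost when this patch was flattened, that `{{- end }}` belongs after `value: "0"`. The `regexMatch "p1|p10|p50|p90|p99" | ternary` fallback in `generateClientScriptEnvVars` is dead code after the `validate.samplingLatency` call just above it, since any value outside that set already fails the render.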
@@ -0,0 +1,24 @@ +{{/* Controller manager service certificate's secret. */}} +{{- define "nr-ebpf-agent-certificates.certificateSecret.name" -}} +{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "controller-manager-service-cert") -}} +{{- end }} + +{{- define "nr-ebpf-agent.service.name" -}} +{{- include "newrelic.common.naming.truncateToDNS" (include "newrelic.common.naming.fullname" .) }} +{{- end }} + +{{- define "otel-collector.service.name" -}} +{{- include "newrelic.common.naming.truncateToDNS" "otel-collector" }} +{{- end }} + +{{- define "nr-ebpf-agent.otelconfig.name" -}} +{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "config") -}} +{{- end -}} + +{{- define "nr-ebpf-agent.otelcollector.name" -}} +{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "otel-collector") -}} +{{- end -}} + +{{- define "nr-ebpf-agent.collector.name" -}} +{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "collector") -}} +{{- end -}} diff --git a/charts/nr-ebpf-agent/templates/_security-context.tpl b/charts/nr-ebpf-agent/templates/_security-context.tpl new file mode 100644 index 000000000..613aa877f --- /dev/null +++ b/charts/nr-ebpf-agent/templates/_security-context.tpl 
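Review bot: `otel-collector.service.name` returns the literal `otel-collector`, while every other helper in this file derives its name from `newrelic.common.naming.fullname`, so two releases in one namespace would contend for the same Service name and `_tls.tpl` would mint identical SANs for both. The DaemonSet is still named `nr-ebpf-agent` literally in the later hunk, so single-release-per-namespace may be the intent; if so, a short comment on this helper saying the name is fixed on purpose (it is the endpoint `nr-otel-collector-receiver.endpoint` builds) avoids the question, otherwise `nr-ebpf-agent.otelcollector.name` two definitions below already shows the release-scoped form. The `controller-manager-service-cert` suffix on the certificate secret also reads as carried over from another chart; a suffix naming what it holds (for example `cert`) would match the rest of this file.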
@@ -0,0 +1,43 @@ +{{- /* +A helper to return the pod security context apply to the ebpf daemonset. +*/ -}} +{{- define "nrEbpfAgent.ebpfAgent.securityContext.pod" -}} +{{- if .Values.ebpfAgent.podSecurityContext -}} + {{- toYaml .Values.ebpfAgent.podSecurityContext -}} +{{- else if include "newrelic.common.securityContext.pod" . -}} + {{- include "newrelic.common.securityContext.pod" . -}} +{{- end -}} +{{- end -}} + +{{- /* +A helper to return the pod security context apply to the Otel daemonset. +*/ -}} +{{- define "nrEbpfAgent.otelCollector.securityContext.pod" -}} +{{- if .Values.otelCollector.podSecurityContext -}} + {{- toYaml .Values.otelCollector.podSecurityContext -}} +{{- else if include "newrelic.common.securityContext.pod" . -}} + {{- include "newrelic.common.securityContext.pod" . -}} +{{- end -}} +{{- end -}} + +{{- /* +A helper to return the container security context apply to the ebpf daemonset. +*/ -}} +{{- define "nrEbpfAgent.ebpfAgent.securityContext.container" -}} +{{- if .Values.ebpfAgent.containerSecurityContext -}} + {{- toYaml .Values.ebpfAgent.containerSecurityContext -}} +{{- else if include "newrelic.common.securityContext.container" . -}} + {{- include "newrelic.common.securityContext.container" . -}} +{{- end -}} +{{- end -}} + +{{- /* +A helper to return the container security context apply to the Otel daemonset. +*/ -}} +{{- define "nrEbpfAgent.otelCollector.securityContext.container" -}} +{{- if .Values.otelCollector.containerSecurityContext -}} + {{- toYaml .Values.otelCollector.containerSecurityContext -}} +{{- else if include "newrelic.common.securityContext.container" . -}} + {{- include "newrelic.common.securityContext.container" . -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/nr-ebpf-agent/templates/_tls.tpl b/charts/nr-ebpf-agent/templates/_tls.tpl new file mode 100644 index 000000000..3c2fb4dba --- /dev/null +++ b/charts/nr-ebpf-agent/templates/_tls.tpl 
@@ -0,0 +1,37 @@ +{{/* +Return certificate and CA for ebpf. +It handles variants when a cert has to be generated by Helm, +a cert is loaded from an existing secret or is provided via `.Values` +*/}} +{{- define "nr-ebpf-agent-certificates.ebpfCert" -}} +{{- $caCert := "" }} +{{- $clientCert := "" }} +{{- $clientKey := "" }} +{{- if .Values.tls.autoGenerateCert.enabled }} +{{/*TODO Enable this section once the helm Chart repo supports the lookup function*/}} +{{/* {{- $prevSecret := (lookup "v1" "Secret" "" (include "nr-ebpf-agent-certificates.certificateSecret.name" . )) }}*/}} +{{/* {{- if and (not .Values.tls.autoGenerateCert.recreate) $prevSecret }}*/}} +{{/* {{- $clientCert = index $prevSecret "data" "tls.crt" }}*/}} +{{/* {{- $clientKey = index $prevSecret "data" "tls.key" }}*/}} +{{/* {{- $caCert = index $prevSecret "data" "ca.crt" }}*/}} +{{/* {{- else }}*/}} + {{- $certValidity := int .Values.tls.autoGenerateCert.certPeriodDays | default 365 }} + {{- $ca := genCA "nr-ebpf-agent-certificates-ca" $certValidity }} + {{- $domain1 := printf "%s.%s.svc" (include "nr-ebpf-agent.service.name" .) $.Release.Namespace }} + {{- $domain2 := printf "%s.%s.svc.%s" (include "nr-ebpf-agent.service.name" .) $.Release.Namespace $.Values.kubernetesClusterDomain }} + {{- $domain3 := printf "%s.%s.svc" (include "otel-collector.service.name" .) $.Release.Namespace }} + {{- $domain4 := printf "%s.%s.svc.%s" (include "otel-collector.service.name" .) $.Release.Namespace $.Values.kubernetesClusterDomain }} + {{- $domains := list $domain1 $domain2 $domain3 $domain4 }} + {{- $cert := genSignedCert (include "newrelic.common.naming.fullname" .) 
nil $domains $certValidity $ca }} + {{- $clientCert = b64enc $cert.Cert }} + {{- $clientKey = b64enc $cert.Key }} + {{- $caCert = b64enc $ca.Cert }} +{{/* {{- end }}*/}} +{{- else }} + {{- $clientCert = .Files.Get .Values.tls.certFile | b64enc }} + {{- $clientKey = .Files.Get .Values.tls.keyFile | b64enc }} + {{- $caCert = .Files.Get .Values.tls.caFile | b64enc }} +{{- end }} +{{- $result := dict "clientCert" $clientCert "clientKey" $clientKey "caCert" $caCert }} +{{- $result | toYaml }} +{{- end }} diff --git a/charts/nr-ebpf-agent/templates/_tolerations.tpl b/charts/nr-ebpf-agent/templates/_tolerations.tpl new file mode 100644 index 000000000..f29efba98 --- /dev/null +++ b/charts/nr-ebpf-agent/templates/_tolerations.tpl @@ -0,0 +1,21 @@ +{{- /* +A helper to return the tolerations to apply to the ebpf daemonset. +*/ -}} +{{- define "nrEbpfAgent.ebpfAgent.tolerations" -}} +{{- if .Values.ebpfAgent.tolerations -}} + {{- toYaml .Values.ebpfAgent.tolerations -}} +{{- else if include "newrelic.common.tolerations" . -}} + {{- include "newrelic.common.tolerations" . -}} +{{- end -}} +{{- end -}} + +{{- /* +A helper to return the tolerations to apply to the Otel daemonset. +*/ -}} +{{- define "nrEbpfAgent.otelCollector.tolerations" -}} +{{- if .Values.otelCollector.tolerations -}} + {{- toYaml .Values.otelCollector.tolerations -}} +{{- else if include "newrelic.common.tolerations" . -}} + {{- include "newrelic.common.tolerations" . -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/nr-ebpf-agent/templates/nr-ebpf-agent-daemonset.yaml b/charts/nr-ebpf-agent/templates/nr-ebpf-agent-daemonset.yaml index 33924e752..3b28be46c 100644 --- a/charts/nr-ebpf-agent/templates/nr-ebpf-agent-daemonset.yaml +++ b/charts/nr-ebpf-agent/templates/nr-ebpf-agent-daemonset.yaml 
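Review bot: With the `lookup` block commented out, `nr-ebpf-agent-certificates.ebpfCert` runs `genCA`/`genSignedCert` on every render, so `tls.autoGenerateCert.recreate` (documented in the README hunk as controlling regeneration on upgrade) currently has no effect and every `helm upgrade` rotates both the CA and the leaf key; the TODO records this, but the README entry should say it too until the lookup path is enabled. In the `else` branch, `.Files.Get` on an unset `tls.certFile`/`tls.keyFile`/`tls.caFile` returns an empty string that `b64enc` turns into an empty secret value, so a missing user-supplied file is only discovered when the pods start; `{{- $clientCert = required "tls.certFile must be set when tls.autoGenerateCert.enabled is false" (.Files.Get .Values.tls.certFile) | b64enc }}` (and the same for key and CA) fails the install with a clear message instead. Nothing in this helper checks `tls.enabled`, so whether it is skipped when TLS is off depends on the caller in `secrets.yaml`, which is outside this chunk.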
@@ -1,8 +1,11 @@ +--- apiVersion: apps/v1 kind: DaemonSet metadata: name: nr-ebpf-agent labels: + app: nr-ebpf-agent + component: agent {{- include "newrelic.common.labels" . | nindent 4 }} spec: selector: @@ -11,8 +14,26 @@ spec: template: metadata: labels: + app: nr-ebpf-agent + component: agent {{- include "newrelic.common.labels.podLabels" . | nindent 8 }} + annotations: + checksum/config: "" + {{- with .Values.ebpfAgent.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: + {{- with include "nrEbpfAgent.ebpfAgent.securityContext.pod" . }} + securityContext: + {{- . | nindent 8 }} + {{- end }} + {{- with include "newrelic.common.priorityClassName" . }} + priorityClassName: {{ . }} + {{- end }} + {{- with include "newrelic.common.dnsConfig" . }} + dnsConfig: + {{- . | nindent 8 }} + {{- end }} containers: - name: nr-ebpf-agent image: {{ .Values.ebpfAgent.image.repository }}:{{ .Values.ebpfAgent.image.tag }} @@ -23,18 +44,23 @@ spec: value: "/host" - name: PL_STIRLING_SOURCES value: "{{ .Values.stirlingSources }}" - {{- if .Values.protocols }} - {{- range $protocol, $config := .Values.protocols }} - {{- if (eq $config.enabled false) }} - - name: PX_STIRLING_ENABLE_{{ upper $protocol }}_TRACING - value: "0" - {{- end }} - {{- end }} - {{- end }} + {{- include "generateTracingEnvVars" . | indent 10 }} - name: KUBERNETES_CLUSTER_DOMAIN value: "cluster.local" - name: PL_TABLE_STORE_DATA_LIMIT_MB value: "{{ .Values.tableStoreDataLimitMB }}" + - name: PX_DISABLE_TLS + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + value: "0" + {{- else }} + value: "1" + {{- end }} + {{- if eq .Values.tls.enabled true }} + - name: CERT_PATH + value: "{{ .Values.tls.autoGenerateCert.certPath }}" + {{- end }} + {{- end }} securityContext: privileged: true volumeMounts: 
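Review bot: The new `checksum/config: ""` pod annotation is a constant and so never triggers a rollout; in particular, when the certificate secret is regenerated on upgrade by `_tls.tpl` in this same patch, running agent pods keep whatever certificate they loaded at start until something else restarts them. Either compute it from the template that renders the secret, e.g. `checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}` if that is where the certificate secret lives, or drop the placeholder rather than ship an annotation that looks like it does something. The otel-collector DaemonSet hunk is outside this chunk and probably carries the same placeholder.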
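Review bot: The agent container still carries a literal `securityContext: privileged: true` (the context lines closing the third hunk) even though this patch adds `nrEbpfAgent.ebpfAgent.securityContext.container` in `_security-context.tpl` and documents `ebpfAgent.containerSecurityContext` as the way to set it; unless a hunk outside this chunk replaces that line, the new value is silently ignored for the one container it matters most for. Rendering it through the helper makes the documented default `{"privileged":true}` the thing that actually applies and lets operators see and narrow the capabilities they grant. Separately, `{{- include "generateTracingEnvVars" . | indent 10 }}` uses `indent` while the client container in the next hunk uses `nindent 10` for its sibling helper; since the helper's output starts with a newline, `indent` likely leaves a run of trailing spaces on the `value:` line above it, so `nindent` is the consistent choice.
```yaml
          # … unchanged: env list (PL_HOST_PATH … PX_DISABLE_TLS / CERT_PATH) …
          {{- with include "nrEbpfAgent.ebpfAgent.securityContext.container" . }}
          securityContext:
            {{- . | nindent 12 }}
          {{- end }}
          volumeMounts:
          # … unchanged: host volume mounts …
```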
@@ -44,6 +70,13 @@ spec: - name: sys-volume mountPath: /sys readOnly: true + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + - name: cert + mountPath: "{{ .Values.tls.autoGenerateCert.certPath }}" + readOnly: true + {{- end }} + {{- end }} - name: nr-ebpf-client image: {{ .Values.ebpfClient.image.repository }}:{{ .Values.ebpfClient.image.tag }} imagePullPolicy: {{ .Values.ebpfClient.image.pullPolicy }} 
@@ -58,26 +91,40 @@ spec: fieldRef: fieldPath: status.hostIP - name: ENDPOINT - value: "$(HOST_IP):4317" + value: {{ include "nr-otel-collector-receiver.endpoint" .}} - name: PL_STIRLING_SOURCES value: "{{ .Values.stirlingSources }}" - {{- if .Values.protocols }} - {{- range $protocol, $config := .Values.protocols }} - {{- if (eq $config.enabled false) }} - - name: PX_STIRLING_ENABLE_{{ upper $protocol }}_TRACING - value: "0" - {{- end }} - {{- if (eq $config.enabled true) }} - - name: SAMPLE_{{ upper $protocol }}_LATENCY - value: {{ $config.samplingLatency | regexMatch "p1|p10|p50|p90|p99" | ternary $config.samplingLatency "p1" }} - {{- end }} + {{- include "generateClientScriptEnvVars" . | nindent 10 }} + {{- if (hasKey .Values.protocols.http "spans") }} + {{- if .Values.protocols.http.spans.samplingErrorRate}} + {{- include "validate.samplingErrorRate" (dict "protocol" "http" "errorRate" .Values.protocols.http.spans.samplingErrorRate) }} + - name: SAMPLE_HTTP_ERROR_RATE + value: "{{ .Values.protocols.http.spans.samplingErrorRate | default "0"}}" {{- end }} {{- end }} + - name: KUBERNETES_CLUSTER_DOMAIN + value: "{{ .Values.kubernetesClusterDomain }}" + - name: NAMESPACE + value: {{ .Release.Namespace }} # TODO(kpattaswamy): Once we implement TLS, we should make this configurable again - name: IS_INSECURE value: "True" - - name: KUBERNETES_CLUSTER_DOMAIN - value: "cluster.local" + - name: PX_DISABLE_TLS + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + value: "0" + {{- else }} + value: "1" + {{- end }} + {{- if eq .Values.tls.enabled true }} + - name: CERT_PATH + value: "{{ .Values.tls.autoGenerateCert.certPath }}" + volumeMounts: + - name: cert + mountPath: "{{ .Values.tls.autoGenerateCert.certPath }}" + readOnly: true + {{- end }} + {{- end }} envFrom: - secretRef: name: nr-ebpf-agent-secrets 
@@ -98,11 +145,19 @@ spec: nodeSelector: {{- . | nindent 8 -}} {{- end }} - {{- with include "newrelic.common.affinity" . }} + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + - name: cert + secret: + defaultMode: 420 + secretName: {{ include "nr-ebpf-agent-certificates.certificateSecret.name" . }} + {{- end }} + {{- end }} + {{- with include "nrEbpfAgent.ebpfAgent.affinity" . }} affinity: - {{- . | nindent 8 -}} + {{- . | nindent 8 }} {{- end }} - {{- with include "newrelic.common.tolerations" . }} + {{- with include "nrEbpfAgent.ebpfAgent.tolerations" . }} tolerations: - {{- . | nindent 8 -}} + {{- . | nindent 8 }} {{- end }} diff --git a/charts/nr-ebpf-agent/templates/nr-ebpf-agent-service.yaml b/charts/nr-ebpf-agent/templates/nr-ebpf-agent-service.yaml new file mode 100644 index 000000000..84bfb262c --- /dev/null +++ b/charts/nr-ebpf-agent/templates/nr-ebpf-agent-service.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nr-ebpf-agent.service.name" . }} + labels: + app: nr-ebpf-agent + component: agent + {{- include "newrelic.common.labels" . | nindent 4 }} +spec: + # The Agent pod will use a service containing a clusterIP and port 12345 to interface via. + type: ClusterIP + selector: + {{- include "newrelic.common.labels.selectorLabels" . | nindent 4 }} + component: agent + ports: + - name: agent-grpc + port: 12345 + protocol: TCP + targetPort: 12345 diff --git a/charts/nr-ebpf-agent/templates/otel-collector-config.yaml b/charts/nr-ebpf-agent/templates/otel-collector-config.yaml index f132eb7a0..caca266a6 100644 --- a/charts/nr-ebpf-agent/templates/otel-collector-config.yaml +++ b/charts/nr-ebpf-agent/templates/otel-collector-config.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "nr-ebpf-agent.fullname" . }}-config + name: {{ include "nr-ebpf-agent.otelconfig.name" . }} labels: {{- include "newrelic.common.labels" . | nindent 4 }} data: 
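Review bot: The cert volume is created with `defaultMode: 420` (0644), which makes `tls.key` readable by every uid inside the container; a private key only needs to be readable by the process that uses it, so `defaultMode: 256` with a `# 0400` comment is the safer default if these containers run as root (which a privileged eBPF agent presumably does — if not, `0440` plus an `fsGroup` is the alternative). The identical volume block with the same mode is added to the collector DaemonSet later in this patch and should change together with this one. The `volumes:` list and the pod spec begin before this hunk.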
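Review bot: The agent port `12345` appears as a bare literal in `port`, `targetPort` and the comment of the new nr-ebpf-agent-service.yaml, and the agent DaemonSet's containerPort and the `nr-otel-collector-receiver.endpoint` helper presumably carry the same number; hoisting it into one value (e.g. `ebpfAgent.port`) or a named template keeps them in step. A ClusterIP Service makes this gRPC port reachable from every pod in the cluster, and PX_DISABLE_TLS shows the link can run in plaintext; if only the eBPF client is meant to talk to it, a NetworkPolicy selecting `component: agent` would narrow that, and the comment should name the intended peer, e.g. `# ClusterIP Service through which the eBPF client reaches the agent's gRPC port (12345).` — the direction cannot be confirmed from this file alone.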
@@ -12,6 +12,13 @@ data: protocols: grpc: endpoint: $RECEIVER_ENDPOINT:4317 + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + tls: + cert_file: "{{ .Values.tls.autoGenerateCert.certPath }}tls.crt" + key_file: "{{ .Values.tls.autoGenerateCert.certPath }}tls.key" + {{- end }} + {{- end }} processors: k8sattributes/local_k8s_md: auth_type: 'serviceAccount' @@ -128,10 +135,18 @@ data: error_mode: ignore # If for some reason this throws an exception we'll log it and not drop data. traces: span: + {{- if .Values.allowServiceNameRegex }} + - 'not IsMatch(resource.attributes["k8s.service.name"], "${ALLOW_SERVICE_NAME_REGEX}") and IsMatch(resource.attributes["k8s.service.name"], "${DROP_SERVICE_NAME_REGEX}")' + {{- else }} - 'IsMatch(resource.attributes["k8s.service.name"], "${DROP_SERVICE_NAME_REGEX}")' + {{- end }} metrics: metric: + {{- if .Values.allowServiceNameRegex }} + - 'not IsMatch(resource.attributes["k8s.service.name"], "${ALLOW_SERVICE_NAME_REGEX}") and IsMatch(resource.attributes["k8s.service.name"], "${DROP_SERVICE_NAME_REGEX}")' + {{- else }} - 'IsMatch(resource.attributes["k8s.service.name"], "${DROP_SERVICE_NAME_REGEX}")' + {{- end }} resource/setup_for_export: # Setup the resource attr. to export to the endpoint. @@ -169,6 +184,11 @@ data: headers: "api-key": "$NR_LICENSE_KEY" service: + {{- if include "newrelic.common.verboseLog" . }} + telemetry: + logs: + level: "debug" + {{- end }} pipelines: traces: receivers: @@ -177,7 +197,9 @@ data: - resource/setup_for_local_k8s_md - k8sattributes/local_k8s_md - filter/nill_service_names + {{- if .Values.dropAPMEnabledPods}} - filter/apm_instrumented_pods + {{- end}} {{- if .Values.dropDataKubeSystem}} - filter/kube_system {{- end}} 
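Review bot: `cert_file` and `key_file` are built by string concatenation of `certPath` with `tls.crt`/`tls.key`, which only works because the default `certPath` ends in `/`; a user value without the trailing slash yields `/tmp/ebpf/certstls.crt` and the receiver fails to start. Render them as `cert_file: "{{ .Values.tls.autoGenerateCert.certPath | trimSuffix "/" }}/tls.crt"` (same for the key). The receiver terminates TLS but sets no `client_ca_file`, so the link is encrypted yet any peer that can reach 4317 on the host network is accepted; the generated Secret already carries `ca.crt`, so if the eBPF agent is meant to be authenticated, add `client_ca_file` pointing at it and document the choice either way.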
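Review bot: This patch also changes the default `dropDataServiceNameRegex` to `""` (values.yaml hunk later on), and `IsMatch(x, "")` is true for every service name, so if this filter processor stays in the pipeline when the drop regex is empty, both the original condition and the new `not IsMatch(..., "${ALLOW_SERVICE_NAME_REGEX}") and IsMatch(..., "${DROP_SERVICE_NAME_REGEX}")` drop every span and metric that is not allow-listed. The values comment promises that `allowServiceNameRegex` has no effect when the drop regex is unset, which only holds if the processor is excluded from the pipelines in that case; the pipeline hunks visible here show no such guard, so wrap the processor's pipeline entries in `{{- if .Values.dropDataServiceNameRegex }}` / `{{- end }}` as is already done for `filter/kube_system`. The processor definition begins before this hunk.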
@@ -202,7 +224,9 @@ data: - resource/setup_for_local_k8s_md - k8sattributes/local_k8s_md - filter/nill_service_names + {{- if .Values.dropAPMEnabledPods}} - filter/apm_instrumented_pods + {{- end}} {{- if .Values.dropDataKubeSystem}} - filter/kube_system {{- end}} diff --git a/charts/nr-ebpf-agent/templates/otel-collector-daemonset.yaml b/charts/nr-ebpf-agent/templates/otel-collector-daemonset.yaml index a5720b5b9..4625de463 100644 --- a/charts/nr-ebpf-agent/templates/otel-collector-daemonset.yaml +++ b/charts/nr-ebpf-agent/templates/otel-collector-daemonset.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apps/v1 kind: DaemonSet metadata: @@ -18,9 +19,29 @@ spec: app: opentelemetry component: otel-collector {{- include "newrelic.common.labels.podLabels" . | nindent 8 }} + annotations: + checksum/config: "" + {{- with .Values.otelCollector.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: + {{- with include "nrEbpfAgent.otelCollector.securityContext.pod" . }} + securityContext: + {{- . | nindent 8 }} + {{- end }} + {{- with include "newrelic.common.priorityClassName" . }} + priorityClassName: {{ . }} + {{- end }} + {{- with include "newrelic.common.dnsConfig" . }} + dnsConfig: + {{- . | nindent 8 }} + {{- end }} containers: - name: otel-collector + {{- with include "nrEbpfAgent.otelCollector.securityContext.container" . }} + securityContext: + {{- . | nindent 12 }} + {{- end }} image: {{ .Values.otelCollector.image.repository }}:{{ .Values.otelCollector.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.otelCollector.image.pullPolicy }} resources: {{- toYaml .Values.otelCollector.resources | nindent 10}} 
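Review bot: `checksum/config: ""` on the collector pod template is a constant, so it never changes and the DaemonSet will not roll its pods when the ConfigMap rendered by otel-collector-config.yaml changes; since the config is mounted with `subPath: config.yaml` (later hunk), the kubelet never refreshes the file in place either, so this annotation is the only update path. The usual form is `checksum/config: {{ include (print $.Template.BasePath "/otel-collector-config.yaml") . | sha256sum }}`. If the empty string is a placeholder for a CI step, say so in a comment so the next reader does not treat it as a bug.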
@@ -38,15 +59,15 @@ spec: - name: NR_LICENSE_KEY valueFrom: secretKeyRef: - {{- if (include "nr-ebpf-agent.licenseKey" .) }} + {{- if (include "newrelic.common.license._licenseKey" .) }} key: NR_LICENSE_KEY name: nr-ebpf-agent-secrets {{- else }} - name: {{ include "nr-ebpf-agent.customSecretName" . }} - key: {{ include "nr-ebpf-agent.customSecretLicenseKey" . }} + name: {{ include "newrelic.common.license._customSecretName" . }} + key: {{ include "newrelic.common.license._customSecretKey" . }} {{- end }} - name: NR_OTLP_ENDPOINT - {{- if .Values.nrStaging }} + {{- if (include "newrelic.common.nrStaging" .) }} value: "staging-otlp.nr-data.net:4317" {{- else }} value: "otlp.nr-data.net:4317" @@ -60,10 +81,12 @@ spec: - name: CLUSTER_NAME valueFrom: configMapKeyRef: - name: {{ include "nr-ebpf-agent.fullname" . }}-config + name: {{ include "nr-ebpf-agent.otelconfig.name" . }} key: clusterName - name: DROP_SERVICE_NAME_REGEX value: "{{- .Values.dropDataServiceNameRegex }}" + - name: ALLOW_SERVICE_NAME_REGEX + value: "{{- .Values.allowServiceNameRegex }}" ports: - containerPort: 4317 volumeMounts: 
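Review bot: `value: "{{- .Values.allowServiceNameRegex }}"` (and the pre-existing DROP_SERVICE_NAME_REGEX line above it) puts a user-supplied regex inside a YAML double-quoted scalar, where the YAML parser interprets backslash escapes: the documented example `\\bblah\\b` reaches the template as `\bblah\b` and is then read as two backspace characters instead of word boundaries, and a regex containing `"` breaks the manifest outright. Render both as `value: {{ .Values.allowServiceNameRegex | quote }}` / `value: {{ .Values.dropDataServiceNameRegex | quote }}`, which escapes backslashes and quotes correctly. The leading `{{-` inside the quotes trims nothing useful and can go.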
@@ -71,23 +94,38 @@ spec: mountPath: /etc/otel/config.yaml subPath: config.yaml readOnly: true + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + - name: cert + mountPath: "{{ .Values.tls.autoGenerateCert.certPath }}" + readOnly: true + {{- end }} + {{- end }} dnsPolicy: ClusterFirstWithHostNet hostNetwork: true - serviceAccountName: {{ include "nr-ebpf-agent.fullname" . }}-collector + serviceAccountName: {{ include "nr-ebpf-agent.collector.name" . }} terminationGracePeriodSeconds: 30 volumes: - name: data configMap: - name: {{ include "nr-ebpf-agent.fullname" . }}-config + name: {{ include "nr-ebpf-agent.otelconfig.name" . }} {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: {{- . | nindent 8 -}} {{- end }} - {{- with include "newrelic.common.affinity" . }} + {{- if (hasKey .Values "tls") }} + {{- if eq .Values.tls.enabled true }} + - name: cert + secret: + defaultMode: 420 + secretName: {{ include "nr-ebpf-agent-certificates.certificateSecret.name" . }} + {{- end }} + {{- end }} + {{- with include "nrEbpfAgent.otelCollector.affinity" . }} affinity: - {{- . | nindent 8 -}} + {{- . | nindent 8 }} {{- end }} - {{- with include "newrelic.common.tolerations" . }} + {{- with include "nrEbpfAgent.otelCollector.tolerations" . }} tolerations: - {{- . | nindent 8 -}} + {{- . | nindent 8 }} {{- end }} diff --git a/charts/nr-ebpf-agent/templates/otel-collector-rbac.yaml b/charts/nr-ebpf-agent/templates/otel-collector-rbac.yaml index 161f04c89..ef19c30be 100644 --- a/charts/nr-ebpf-agent/templates/otel-collector-rbac.yaml +++ b/charts/nr-ebpf-agent/templates/otel-collector-rbac.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "nr-ebpf-agent.fullname" . }}-otel-collector + name: {{ include "nr-ebpf-agent.otelcollector.name" . }} labels: {{- include "newrelic.common.labels" . | nindent 4 }} rules: 
@@ -29,14 +29,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "nr-ebpf-agent.fullname" . }}-otel-collector + name: {{ include "nr-ebpf-agent.otelcollector.name" . }} labels: {{- include "newrelic.common.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: '{{ include "nr-ebpf-agent.fullname" . }}-otel-collector' + name: {{ include "nr-ebpf-agent.otelcollector.name" . }} subjects: - kind: ServiceAccount - name: '{{ include "nr-ebpf-agent.fullname" . }}-collector' + name: {{ include "nr-ebpf-agent.collector.name" . }} namespace: '{{ .Release.Namespace }}' diff --git a/charts/nr-ebpf-agent/templates/otel-collector-service-account.yaml b/charts/nr-ebpf-agent/templates/otel-collector-service-account.yaml index b86016be3..10e6f220d 100644 --- a/charts/nr-ebpf-agent/templates/otel-collector-service-account.yaml +++ b/charts/nr-ebpf-agent/templates/otel-collector-service-account.yaml @@ -1,8 +1,10 @@ +{{- if include "newrelic.common.serviceAccount.create" . }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "nr-ebpf-agent.fullname" . }}-collector + name: {{ include "nr-ebpf-agent.collector.name" . }} labels: {{- include "newrelic.common.labels" . | nindent 4 }} annotations: {{- toYaml .Values.otelCollector.collector.serviceAccount.annotations | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/nr-ebpf-agent/templates/otel-collector.yaml b/charts/nr-ebpf-agent/templates/otel-collector-service.yaml similarity index 89% rename from charts/nr-ebpf-agent/templates/otel-collector.yaml rename to charts/nr-ebpf-agent/templates/otel-collector-service.yaml index 6a58cf44c..80f5a2a7b 100644 --- a/charts/nr-ebpf-agent/templates/otel-collector.yaml +++ b/charts/nr-ebpf-agent/templates/otel-collector-service.yaml 
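Review bot: The ServiceAccount is now rendered only when `newrelic.common.serviceAccount.create` is truthy, but the collector DaemonSet (previous hunk) still sets `serviceAccountName: {{ include "nr-ebpf-agent.collector.name" . }}` and the ClusterRoleBinding subject uses the same name, so with `create: false` the pods and the binding reference an account nothing creates — unless `nr-ebpf-agent.collector.name` in `_naming.tpl` already falls back to a user-supplied name, which I can't see from here. Resolve the name through one helper in all three places (the common library's service-account name helper, if the vendored version provides it) so the override path stays consistent. The file also still ends without a trailing newline (`\ No newline at end of file`).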
@@ -1,7 +1,8 @@ +--- apiVersion: v1 kind: Service metadata: - name: otel-collector + name: {{ include "otel-collector.service.name" . }} labels: app: opentelemetry component: otel-collector diff --git a/charts/nr-ebpf-agent/templates/secrets.yaml b/charts/nr-ebpf-agent/templates/secrets.yaml index 3379ec4d9..d6f7d4f85 100644 --- a/charts/nr-ebpf-agent/templates/secrets.yaml +++ b/charts/nr-ebpf-agent/templates/secrets.yaml @@ -1,5 +1,6 @@ -{{- $licenseKey := include "nr-ebpf-agent.licenseKey" . -}} -{{- $customSecretLicenseKey := include "nr-ebpf-agent.customSecretKey" . -}} +--- +{{- $licenseKey := include "newrelic.common.license._licenseKey" . -}} +{{- $customSecretLicenseKey := include "newrelic.common.license._customSecretKey" . -}} apiVersion: v1 kind: Secret metadata: @@ -14,4 +15,25 @@ data: NR_LICENSE_KEY: "" {{- else }} NR_LICENSE_KEY: {{ required "secrets.licenseKey is required" .Values.licenseKey | b64enc | quote }} - {{ end }} + {{- end }} +--- +{{- if (hasKey .Values "tls") }} +{{- $tls := fromYaml (include "nr-ebpf-agent-certificates.ebpfCert" .) }} +{{- if .Values.tls.autoGenerateCert.enabled }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "nr-ebpf-agent-certificates.certificateSecret.name" . }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-delete-policy": "before-hook-creation" + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +data: + tls.crt: {{ $tls.clientCert }} + tls.key: {{ $tls.clientKey }} + ca.crt: {{ $tls.caCert }} +{{- end }} +{{- end }} diff --git a/charts/nr-ebpf-agent/values.yaml b/charts/nr-ebpf-agent/values.yaml index 3a6f6da9b..623ecc74f 100644 --- a/charts/nr-ebpf-agent/values.yaml +++ b/charts/nr-ebpf-agent/values.yaml 
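Review bot: The certificate Secret is rendered only under `{{- if .Values.tls.autoGenerateCert.enabled }}`, while the DaemonSets mount `nr-ebpf-agent-certificates.certificateSecret.name` whenever `tls.enabled` is true; in the bring-your-own-certificate mode the values file documents (`autoGenerateCert.enabled: false` with certFile/keyFile/caFile), nothing visible in this patch creates that Secret, so the pods would wait on a missing volume source unless `_tls.tpl` emits it elsewhere. Conversely, `tls.enabled: false` with the default `autoGenerateCert.enabled: true` still generates and stores a key pair nobody uses; gating on both (`{{- if and .Values.tls.enabled .Values.tls.autoGenerateCert.enabled }}`) avoids that. Because the Secret is a `pre-install,pre-upgrade` hook with `before-hook-creation`, Helm does not track it as part of the release and `helm uninstall` leaves the private key in the namespace; either document that in the README or add a `post-delete` cleanup.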
@@ -1,8 +1,14 @@ +--- # -- Name of the Kubernetes cluster to be monitored. Mandatory. Can be configured with `global.cluster` cluster: "" # -- The license key to use. Can be configured with `global.licenseKey` licenseKey: "" -# -- Endpoint to export data to via the otel collector. NR prod (otlp.nr-data.net:4317) by default. Staging (staging-otlp.nr-data.net:4317) otherwise. Requires a valid staging license key. Can also be configured with global.nrStaging. +# -- In case you don't want to have the license key in your values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` +customSecretName: "" +# -- In case you don't want to have the license key in your values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey` +customSecretLicenseKey: "" +# -- Endpoint to export data to via the otel collector. NR prod (otlp.nr-data.net:4317) by default. +# Staging (staging-otlp.nr-data.net:4317) otherwise. nrStaging: false # -- Configures the agent to send all data through the proxy specified via the otel collector. proxy: "" 
@@ -12,47 +18,78 @@ dropDataIpServiceNames: true dropDataKubeSystem: true # -- Drop data from the newrelic namespace. dropDataNewRelic: true -# -- Define a regex to mach service names to drop. Example "kube-dns|otel-collector|\\bblah\\b" see Golang Docs for Regex syntax https://github.com/google/re2/wiki/Syntax -dropDataServiceNameRegex: "gmp-.*" +# -- Drop data from pods that are monitored by New Relic APM via auto attach. +dropAPMEnabledPods: true +# -- Define a regex to match service names to drop. Example "kube-dns|otel-collector|\\bblah\\b" +# see Golang Docs for Regex syntax https://github.com/google/re2/wiki/Syntax +dropDataServiceNameRegex: "" +# -- This config acts as a bypass for the dropDataServiceNameRegex config. +# Service names that match this regex will not have their data dropped by the dropDataServiceNameRegex. +# If dropDataServiceNameRegex is not defined, this config has no impact on the eBPF agent. +allowServiceNameRegex: "" # -- The primary lever to control RAM use of the eBPF agent. Specified in MiB. tableStoreDataLimitMB: "250" # -- The source connectors (and data export scripts) to enable. # Note that socket_tracer tracks http, mysql, redis, mongodb, amqp, cassandra, dns, and postgresql # while tcp_stats tracks TCP metrics. stirlingSources: "socket_tracer,tcp_stats" -# -- The protocols to enable for tracing in the socket_tracer. +# The protocols to enable for tracing in the socket_tracer. # samplingLatency represents the sampling latency threshold for the spans to export. # Options: p1, p10, p50, p90, p99. protocols: http: - enabled: true - samplingLatency: "" - kafka: - enabled: true - samplingLatency: "" + metrics: + enabled: true + spans: + enabled: true + samplingLatency: "" + # -- samplingErrorRate represents the error rate threshold for an HTTP route where surpassing it would mean the corresponds spans of the route are exported. 
+ # Options: 1-100 + samplingErrorRate: "" mysql: - enabled: true - samplingLatency: "" + metrics: + enabled: true + spans: + enabled: false + samplingLatency: "" + pgsql: + metrics: + enabled: true + spans: + enabled: false + samplingLatency: "" + cass: + metrics: + enabled: true + spans: + enabled: false + samplingLatency: "" redis: - enabled: true - samplingLatency: "" + metrics: + enabled: true + spans: + enabled: false + samplingLatency: "" mongodb: - enabled: true - samplingLatency: "" + metrics: + enabled: true + spans: + enabled: false + samplingLatency: "" + kafka: + spans: + enabled: false + samplingLatency: "" amqp: - enabled: true - samplingLatency: "" - cass: - enabled: true - samplingLatency: "" + spans: + enabled: false + samplingLatency: "" dns: - enabled: true - samplingLatency: "" - pgsql: - enabled: true - samplingLatency: "" + spans: + enabled: false + samplingLatency: "" -# -- The periodicity in seconds at which the eBPF agent pushes data to the OTel collector for export to NR. +# --- The periodicity in seconds at which the eBPF agent pushes data to the OTel collector for export to NR. # The eBPF agent applies a request path clustering algorithm to reduce cardinality in exported HTTP data. # The algorithm only looks for similar request paths within data of the same push period. # To increase the window under consideration for cardinality reduction, increase this value. Accepted range: 15-60. 
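Review bot: `# --- The periodicity in seconds at which the eBPF agent pushes data ...` gained a third dash, which helm-docs (this chart's README generator, judging by the `# --` markers) will likely render as a description starting with `-`; restore `# -- The periodicity in seconds at which the eBPF agent pushes data to the OTel collector for export to NR.` In the `samplingErrorRate` comment, `would mean the corresponds spans of the route are exported` should read `the corresponding spans`, and the `protocols:` header comment lost its `# --` marker, which removes the whole block from generated docs unless that is intended. Note that changing `dropDataServiceNameRegex` from `"gmp-.*"` to `""` interacts with the `IsMatch` filter conditions in otel-collector-config.yaml (raised there).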
@@ -62,11 +99,11 @@ pushPeriod: "15" ebpfAgent: image: # -- eBPF agent image to be deployed. - repository: us-west1-docker.pkg.dev/pl-dev-infra/nr-ebpf-agent-lp/ebpf-agent + repository: docker.io/newrelic/newrelic-ebpf-agent # -- The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is also set to Always. pullPolicy: IfNotPresent # -- The tag of the eBPF agent image to be deployed. - tag: 0.0.5 + tag: agent-nr-ebpf-agent_0.0.6 resources: limits: # -- Max memory allocated to the container. @@ -76,16 +113,26 @@ ebpfAgent: cpu: 100m # -- Min memory allocated to the container. memory: 250Mi + # -- Sets ebpfAgent pod tolerations. Overrides `tolerations` and `global.tolerations` + tolerations: [] + # -- Sets ebpfAgent pod affinities. Overrides `affinity` and `global.affinity` + affinity: {} + # -- Sets ebpfAgent pod Annotations. Overrides `podAnnotations` and `global.podAnnotations` + podAnnotations: {} + # -- Sets ebpfAgent pod podSecurityContext. Overrides `podSecurityContext` and `global.securityContext.pod` + podSecurityContext: {} + # -- Sets ebpfAgent pod containerSecurityContext. Overrides `containerSecurityContext` and `global.securityContext.container` + containerSecurityContext: {} # Configuration to apply on the eBPF client daemonset. ebpfClient: image: # -- eBPF client image to be deployed. - repository: us-west1-docker.pkg.dev/pl-dev-infra/nr-ebpf-agent-lp/ebpf-client + repository: docker.io/newrelic/newrelic-ebpf-agent # -- The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is set to Always. pullPolicy: IfNotPresent # -- The tag of the eBPF client image to be deployed. - tag: 0.0.7 + tag: client-nr-ebpf-client_0.0.8 resources: limits: # -- Max memory allocated to the container. 
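Review bot: All three containers now pull from the single repository `docker.io/newrelic/newrelic-ebpf-agent` and are distinguished only by mutable tags (`agent-nr-ebpf-agent_0.0.6`, `client-nr-ebpf-client_0.0.8`), so a retagged image changes what runs on every node without any chart change; an optional `digest: ""` under each `image:` block, appended as `@<digest>` by the templates when set, would let operators pin by content. Quoting the tags (`tag: "agent-nr-ebpf-agent_0.0.6"`) also keeps them in line with the rest of the values file, where string values are quoted.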
@@ -100,11 +147,11 @@ ebpfClient: otelCollector: image: # -- OpenTelemetry collector image to be deployed. - repository: us-west1-docker.pkg.dev/pl-dev-infra/nr-ebpf-agent-lp/nr-ebpf-otel-collector + repository: docker.io/newrelic/newrelic-ebpf-agent # -- The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is set to Always. pullPolicy: IfNotPresent # -- The tag of the OpenTelemetry collector image to be deployed. - tag: 0.0.1 + tag: nr-ebpf-otel-collector_0.0.1 resources: limits: # -- Max CPU allocated to the container. 
@@ -116,18 +163,68 @@ otelCollector: cpu: 100m # -- Min memory allocated to the container. memory: 200Mi + # -- Sets otelCollector pod tolerations. Overrides `tolerations` and `global.tolerations` + tolerations: [] + # -- Sets otelCollector pod affinities. Overrides `affinity` and `global.affinity` + affinity: {} + # -- Sets otelCollector pod Annotations. Overrides `podAnnotations` and `global.podAnnotations` + podAnnotations: {} + # -- Sets otelCollector pod podSecurityContext. Overrides `podSecurityContext` and `global.securityContext.pod` + podSecurityContext: {} + # -- Sets otelCollector pod containerSecurityContext. Overrides `containerSecurityContext` and `global.securityContext.container` + containerSecurityContext: {} collector: serviceAccount: # -- Annotations for the OTel collector service account. annotations: {} -# -- Additional labels for chart pods +# -- Additional labels for chart pods. podLabels: {} -# -- Additional labels for chart objects +# -- Additional labels for chart objects. labels: {} +# -- Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` +priorityClassName: "" +# -- Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` +dnsConfig: {} # -- Sets all pods' node selector. Can be configured also with `global.nodeSelector` nodeSelector: {} # -- Sets all pods' tolerations to node taints. Can be configured also with `global.tolerations` tolerations: [] # -- Sets all pods' affinities. Can be configured also with `global.affinity` affinity: {} +# -- Sets all pods' podSecurityContext. Can be configured also with `global.securityContext.pod` +podSecurityContext: {} +# -- Sets all pods' containerSecurityContext. Can be configured also with `global.securityContext.container` +containerSecurityContext: {} +# -- Kubernetes cluster domain. +kubernetesClusterDomain: cluster.local +# -- (bool) Sets the debug logs to this integration or all integrations if it is set globally. 
Can be configured also with `global.verboseLog` +# @default -- `false` +verboseLog: +# tls makes sure only requests with correctly formatted rules will get into the operator. +tls: + # -- Enable TLS communication between the eBPF client and agent. + enabled: true + # TLS Certificate Option 1: Use Helm to automatically generate a self-signed certificate. + # autoGenerateCert must be enabled. + autoGenerateCert: + # -- If true, Helm will automatically create a self-signed cert and secret for you. + enabled: true + # -- If set to true, a new key/certificate is generated on helm upgrade. + recreate: true + # -- Cert validity period time in days. + certPeriodDays: 365 + # -- Certificates path. + certPath: "/tmp/ebpf/certs/" + + # TLS Certificate Option 2: Use your own self-signed certificate. + # autoGenerateCert must be disabled, and certFile, keyFile, and caFile must be set. + # The chart reads the contents of the file paths with the helm. Files.Get function. + # Refer to this doc https://helm.sh/docs/chart_template_guide/accessing_files/ to understand + # limitations of file paths accessible to the chart. + # -- Path to your own PEM-encoded certificate. + certFile: "" + # -- Path to your own PEM-encoded private key. + keyFile: "" + # -- Path to the CA cert. + caFile: ""
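Review bot: The comment `# tls makes sure only requests with correctly formatted rules will get into the operator.` describes an admission webhook and does not fit this chart; given the `enabled` comment right below it, it should read `# TLS for the gRPC connection between the eBPF client and the agent; see autoGenerateCert for how the certificate is provisioned.` `certPath: "/tmp/ebpf/certs/"` is used by plain string concatenation in otel-collector-config.yaml (`...certPath }}tls.crt`), so the trailing slash is load-bearing and `# -- Certificates path.` should say so, e.g. `# -- Directory the certificate Secret is mounted at; must end with "/".`, or the templates should tolerate its absence. The Option 2 text says the chart reads certFile/keyFile/caFile via `Files.Get`, yet the secrets template in this patch only emits a Secret when `autoGenerateCert.enabled` is true; the values comment should state how the user-supplied certificate reaches the pods, or the gap should be closed.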