Update agent helm chart

rancher · May 10, 2022 · 2d75ac9 · 2d75ac9
1 parent 25464f8
commit 2d75ac9
Show file tree

Hide file tree

Showing 14 changed files with 813 additions and 86 deletions.
diff --git a/packages/opni-agent/opni-agent/charts/Chart.yaml b/packages/opni-agent/opni-agent/charts/Chart.yaml
@@ -1,10 +1,16 @@
+annotations:
+  catalog.cattle.io/auto-install: opni-agent-crd=match
+  catalog.cattle.io/display-name: Opni Agent
+  catalog.cattle.io/os: linux
+  catalog.rancher.io/namespace: opni-system
+  catalog.rancher.io/release-name: opni-agent
 apiVersion: v2
 appVersion: 0.4.1
 dependencies:
 - condition: kube-prometheus-stack.enabled
   name: kube-prometheus-stack
   repository: file://./charts/kube-prometheus-stack
-description: Opni Monitoring Agent
-name: opni-monitoring-agent
+description: Opni Agent
+name: opni-agent
 type: application
 version: 0.4.1
diff --git a/packages/opni-agent/opni-agent/charts/questions.yaml b/packages/opni-agent/opni-agent/charts/questions.yaml
@@ -0,0 +1,55 @@
+questions:
+- variable: token
+  label: Bootstrap Token
+  type: string
+  required: true
+- variable: pin
+  label: Certificate Pin
+  type: string
+  required: true
+- variable: address
+  label: Gateway URL
+  type: string
+  required: true
+  valid_chars: 'http(s)?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)'
+- variable: kube-prometheus-stack.enabled
+  label: Install Prometheus Operator
+  default: "false"
+  type: boolean
+  group: "Metrics"
+- variable: metrics.enabled
+  label: Install Metrics Agent
+  default: "false"
+  type: boolean
+  group: "Metrics"
+  show_subquestion_if: true
+  subquestions:
+  - variable: metrics.insecure
+    label: Disable Gateway TLS Security
+    type: boolean
+- variable: logging.enabled
+  label: Install Logging Agent
+  default: "false"
+  type: boolean
+  group: "Logging"
+  show_subquestion_if: true
+  subquestions:
+  - variable: logging.insecure
+    label: Disable Gateway TLS Security
+    type: boolean
+  - variable: logging.disableOpensearchTLSVerify
+    label: Disable Opensearch TLS Verification
+    type: boolean
+  - variable: logging.provider
+    label: Kubernetes Distribution
+    type: enum
+    options:
+    - generic
+    - rke
+    - rke2
+    - k3s
+    - eks
+    - aks
+    - gke
+
+
diff --git a/packages/opni-agent/opni-agent/charts/templates/_helpers.tpl b/packages/opni-agent/opni-agent/charts/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "opni-monitoring-agent.name" -}}
+{{- define "opni-agent.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "opni-monitoring-agent.fullname" -}}
+{{- define "opni-agent.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "opni-monitoring-agent.chart" -}}
+{{- define "opni-agent.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "opni-monitoring-agent.labels" -}}
-helm.sh/chart: {{ include "opni-monitoring-agent.chart" . }}
-{{ include "opni-monitoring-agent.selectorLabels" . }}
+{{- define "opni-agent.labels" -}}
+helm.sh/chart: {{ include "opni-agent.chart" . }}
+{{ include "opni-agent.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,18 +45,37 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "opni-monitoring-agent.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "opni-monitoring-agent.name" . }}
+{{- define "opni-agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "opni-agent.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "opni-monitoring-agent.serviceAccountName" -}}
+{{- define "opni-agent.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "opni-monitoring-agent.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "opni-agent.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Provides the namespace the chart will be installed in using the builtin .Release.Namespace,
+or, if provided, a manually overwritten namespace value.
+*/}}
+{{- define "opni-agent.namespace" -}}
+{{- if .Values.namespaceOverride -}}
+{{ .Values.namespaceOverride -}}
+{{- else -}}
+{{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
+
+# Rancher
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
diff --git a/packages/opni-agent/opni-agent/charts/templates/agent-config.yaml b/packages/opni-agent/opni-agent/charts/templates/agent-config.yaml
@@ -1,10 +1,11 @@
-{{- if (and .Values.token .Values.pin .Values.address) }}
+{{- if (and .Values.token .Values.metrics.enabled) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: agent-config
+  namespace: {{ include "opni-agent.namespace" . }}
   labels:
-    {{- include "opni-monitoring-agent.labels" . | nindent 4 }}
+    {{- include "opni-agent.labels" . | nindent 4 }}
 stringData:
   config.yaml: |-
     apiVersion: v1beta1
@@ -13,6 +14,7 @@ stringData:
       gatewayAddress: {{ .Values.address }}
       identityProvider: kubernetes
       listenAddress: :8080
+      trustStrategy: {{ .Values.metrics.insecure | ternary "insecure" "pkp" }}
       rules:
         discovery:
           prometheusRules: {}

diff --git a/packages/opni-agent/opni-agent/charts/templates/certs.yaml b/packages/opni-agent/opni-agent/charts/templates/certs.yaml
@@ -0,0 +1,23 @@
+{{- $namespace := printf "%s" (include "opni-agent.namespace" .) }}
+{{- if .Values.logging.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: opni-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: opni-serving-cert
+  namespace: {{ $namespace }}
+spec:
+  dnsNames:
+    - "opni-webhook.{{ $namespace }}.svc"
+    - "opni-webhook.{{ $namespace }}.svc.cluster.local"
+  issuerRef:
+    kind: Issuer
+    name: opni-selfsigned-issuer
+  secretName: webhook-server-cert
+{{- end }}
diff --git a/packages/opni-agent/opni-agent/charts/templates/deployment.yaml b/packages/opni-agent/opni-agent/charts/templates/deployment.yaml
@@ -1,50 +1,67 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "opni-monitoring-agent.fullname" . }}
+  name: {{ include "opni-agent.fullname" . }}
+  namespace: {{ include "opni-agent.namespace" . }}
   labels:
-    {{- include "opni-monitoring-agent.labels" . | nindent 4 }}
+    {{- include "opni-agent.labels" . | nindent 4 }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      {{- include "opni-monitoring-agent.selectorLabels" . | nindent 6 }}
+      {{- include "opni-agent.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "opni-monitoring-agent.selectorLabels" . | nindent 8 }}
+        {{- include "opni-agent.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "opni-monitoring-agent.serviceAccountName" . }}
+      serviceAccountName: opni-agent
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: agent
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - agent
+          {{- if .Values.metrics.enabled }}
+            - --metrics
+          {{- if .Values.metrics.insecure }}
+            - --insecure
+          {{- end }}
+          {{- end }}
+          {{- if .Values.logging.enabled }}
+            - --logging
+          {{- end }}
           ports:
             - name: http
-              containerPort: 8080
+              containerPort: {{ .Values.metrics.enabled | ternary "8080" "8081" }}
               protocol: TCP
           env:
             - name: POD_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
           volumeMounts:
+          {{- if .Values.metrics.enabled }}
             - name: config
               mountPath: /etc/opni-monitoring
+          {{- end }}
+          {{- if .Values.logging.enabled }}
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /healthz
@@ -87,10 +104,18 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
+      {{- if .Values.metrics.enabled }}
         - name: config
           secret:
             secretName: agent-config
             items:
               - key: config.yaml
                 path: config.yaml
             defaultMode: 256
+      {{- end }}
+      {{- if .Values.logging.enabled }}
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: webhook-server-cert
+    {{- end }}
diff --git a/packages/opni-agent/opni-agent/charts/templates/job.yaml b/packages/opni-agent/opni-agent/charts/templates/job.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.logging.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: opni-logging-bootstrap
+  namespace: {{ include "opni-agent.namespace" . }}
+  labels:
+    {{- include "opni-agent.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.logging.jobTTL }}
+  ttlSecondsAfterFinished: {{ .Values.logging.jobTTL }}
+  {{- end }}
+  template:
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: opni-agent
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: bootstrap
+        image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+        - bootstrap
+        - logging
+        - {{ .Release.Name }}
+        - --in-cluster
+        - --provider={{ .Values.logging.provider }}
+        - --token={{ .Values.token }}
+        - --pin={{ .Values.pin }}
+        - --gateway-url={{ .Values.address }}
+        - --namespace={{ include "opni-agent.namespace" . }}
+        {{- if .Values.logging.insecure }}
+        - --insecure
+        {{- end }}
+        {{- if .Values.logging.disableOpensearchTLSVerify }}
+        - --opensearch-insecure
+        {{- end }}
+      restartPolicy: Never
+  backoffLimit: 3
+{{- end }}
diff --git a/packages/opni-agent/opni-agent/charts/templates/prometheus-agent.yaml b/packages/opni-agent/opni-agent/charts/templates/prometheus-agent.yaml
@@ -1,8 +1,9 @@
-{{- if .Values.prometheusAgent.enabled }}
+{{- if (and .Values.metrics.prometheusAgent.enabled .Values.metrics.enabled) }}
 apiVersion: monitoring.coreos.com/v1
 kind: Prometheus
 metadata:
   name: opni-prometheus-agent
+  namespace: {{ include "opni-agent.namespace" . }}
 spec:
   image: quay.io/prometheus/prometheus:latest
   containers:
@@ -13,7 +14,7 @@ spec:
         - "--storage.agent.path=/prometheus"
         - "--enable-feature=agent"
   remoteWrite:
-    - url: "http://opni-monitoring-agent.{{ .Release.Namespace }}.svc/api/agent/push"
+    - url: "http://opni-agent.{{ .Release.Namespace }}.svc/api/agent/push"
   replicas: 1
   podMonitorNamespaceSelector: {}
   podMonitorSelector: {}
@@ -23,11 +24,12 @@ spec:
   serviceMonitorSelector: {}
   serviceAccountName: opni-prometheus-agent
 ---
-{{- if .Values.prometheusAgent.rbac }}
+{{- if .Values.metrics.prometheusAgent.rbac }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: opni-prometheus-agent
+  namespace: {{ include "opni-agent.namespace" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -65,7 +67,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: opni-prometheus-agent
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "opni-agent.namespace" . }}
 {{- end }}
 
 {{- end }}