diff --git a/.pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml b/.pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml
new file mode 100644
index 000000000..7a5b9b2c8
--- /dev/null
+++ b/.pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml
@@ -0,0 +1,179 @@ +################################################################################# +# OneBranch Pipelines # +# Documentation: https://aka.ms/obpipelines # +# Yaml Schema: https://aka.ms/obpipelines/yaml/schema # +# Reference doc: https://msazure.visualstudio.com/One/_wiki/wikis/One.wiki/ # +# 671961/Automating-release-of-new-versions-using-ev2 # +# # +# Purpose: Roll out new versions of the extension type # +# microsoft.azuremonitor.containers (Container Insights logs / ama-logs) # +# to AKS (Managed) clusters via the central Ev2 extension rollout artifacts. # +# # +# This is the ama-logs analogue of prometheus-collector's # +# .pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml. It delivers the # +# unified extension Helm chart from MCR and lets the cluster-extension platform # +# (central SDP policy) auto-install/upgrade it on AKS managed clusters. # +# # +# ACTIVATION DEPENDENCY (P0, cross-team): # +# The ClusterConfig / Cluster-Extensions partner team must first register # +# `microsoft.azuremonitor.containers` as an AKS managed-cluster extension # +# type and create the AKS packageConfig + serviceGroup. Until then this # +# pipeline authors the rollout but cannot successfully run. All values marked # +# TODO(P0) below must be confirmed with that team before first run. DevSkim: ignore DS176209 +################################################################################# + +trigger: none + +parameters: + - name: 'overrideExtensionVersion' + displayName: 'Override Extension Version (leave blank to use upstream build runName)' + type: string + default: '' + + - name: 'releaseTrain' + displayName: 'Release Train' + type: string + default: 'preview' + values: + - preview + - stable + + - name: 'rolloutType' + displayName: 'SDP rollout type' + type: string + default: 'normal' + values: + - normal + - emergency + - globaloutage + + - name: 'overrideManagedValidationDuration' + displayName: 'Override standard SDP duration?' 
+ type: boolean + default: false + + - name: 'managedValidationDurationInHours' + displayName: 'Override standard SDP duration (in hours)' + type: number + default: 0 + + - name: 'icmIncidentId' + displayName: 'IcM Incident Id (required when rollout type is globaloutage)' + type: number + default: 0 + +resources: + repositories: + - repository: templates + type: git + name: OneBranch.Pipelines/GovernedTemplates + ref: refs/heads/main + pipelines: + # Upstream build pipeline that publishes the unified extension helm chart to MCR. + # runName is used as the extension/chart version unless overridden. + - pipeline: '_ci-build' + project: 'microsoft' + source: 'CDPX\docker-provider\ContainerInsights-MultiArch-MergedBranches' + +variables: + # ---- Identifiers --------------------------------------------------------- + # Container Insights service tree id (same value used in the existing + # deployment/**/ServiceGroupRoot/ServiceModel.json and ci-*-release pipelines). + - name: serviceIdentifier + value: '3170cdd2-19f0-4027-912b-1027311691a2' + + # Ev2 ServiceGroup registered with the extension platform team for AKS + # Managed central rollout of microsoft.azuremonitor.containers. + # TODO(P0): confirm exact name with ClusterConfig/Extensions partner team DevSkim: ignore DS176209 + # (modelled on the metrics example: + # Microsoft.Azure.InfrastructureInsights.ContainerInsights.AzureMonitorMetrics). 
+ - name: serviceGroup + value: 'Microsoft.Azure.InfrastructureInsights.ContainerInsights.AzureMonitorLogs' + + # ---- Version selection --------------------------------------------------- + - ${{ if ne(parameters.overrideExtensionVersion, '') }}: + - name: extensionVersionValue + value: '${{ parameters.overrideExtensionVersion }}' + - ${{ if eq(parameters.overrideExtensionVersion, '') }}: + - name: extensionVersionValue + value: '$(resources.pipeline._ci-build.runName)' + + # ---- ConfigurationOverrides (per cloud) --------------------------------- + # TODO(P0): packageConfig must be the AKS package config name the partner team DevSkim: ignore DS176209 + # creates for microsoft.azuremonitor.containers (logs equivalent of + # Microsoft.AzureMonitor.Containers.Metrics-PromAks052926). + # userAssignedIdentity is the existing ci-prod ev2-agent-release MSI used by the + # current agent Ev2 release (deployment/.../Configurations.Public.Prod.json), and + # must be the MSI registered in the extension type registration `msiClientIds`. 
+ - name: ProdConfigurationOverrides + value: | + { + "ConfigurationSpecification": { + "settings": { + "extensionTypeName": "microsoft.azuremonitor.containers", + "packageConfig": "TODO_P0_AKS_PACKAGE_CONFIG_NAME", + "helmChartUrl": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/ama-logs", + "userAssignedIdentity": "/subscriptions/30c56c3a-54da-46ea-b004-06eb33432687/resourceGroups/containerinsightsprod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ev2-agent-release", + "version": "$(extensionVersionValue)", + "releaseTrain": "${{ parameters.releaseTrain }}" + } + } + } + + - name: LinuxContainerImage + value: 'mcr.microsoft.com/oss/go/microsoft/golang:1.24.2-fips-azurelinux3.0' + - name: RevisionCounter + value: $[counter('0', 1)] + - name: CustomBuildVersion + value: "Build - $(extensionVersionValue) Release - $(RevisionCounter) ReleaseTrain - ${{ parameters.releaseTrain }}" + +# Disable showing the last commit message. +appendCommitMessageToRunName: false + +extends: + template: v2/OneBranch.Official.CrossPlat.yml@templates + parameters: + ev2ManagedSdpRolloutConfig: + rolloutType: ${{ parameters.rolloutType }} + overrideManagedValidationDuration: ${{ parameters.overrideManagedValidationDuration }} + managedValidationOverrideDurationInHours: ${{ parameters.managedValidationDurationInHours }} + icmIncidentId: ${{ parameters.icmIncidentId }} + + stages: + - stage: PROD_Managed_SDP + displayName: "PROD: Managed SDP" + variables: + ob_release_environment: Production + jobs: + - job: PROD_Managed_SDP + displayName: "PROD: Managed SDP" + pool: + type: release + steps: + - task: onebranch.pipeline.version@1 + condition: ne(variables['CustomBuildVersion'], '') + displayName: "Setup BuildNumber" + inputs: + system: 'Custom' + customVersion: '$(CustomBuildVersion)' + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: "Ev2 Managed SDP Rollout (Prod)" + inputs: + EndpointProviderType: ApprovalService + 
ApprovalServiceEnvironment: Production + TaskAction: CentralArtifactsRollout + CentralArtifactsServiceIdentifier: 2bbbdccc-fa4c-4f81-b9fd-12cd0234701c + CentralArtifactsPolicyName: CentralArtifactsPolicy + ServiceIdentifier: $(serviceIdentifier) + ServiceGroup: $(serviceGroup) + ConfigurationOverrides: $(ProdConfigurationOverrides) + # For first-run / canary testing of the pipeline itself, + # temporarily replace the line below with an explicit + # region filter, e.g.: + # Select: regions(eastus2euap) + # to roll out to the 2 EUAP regions only. Once validated, + # restore `regions(*)` so the central SDP policy controls + # the wave order (Canary -> Pilot -> ... -> HighAvailability). + Select: regions(centraluseuap,eastus2euap) + #Select: regions(*) + ArtifactsVersionOverride: $(extensionVersionValue) diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml index be9396c5d..91c634ceb 100644 --- a/.pipelines/azure_pipeline_mergedbranches.yaml +++ b/.pipelines/azure_pipeline_mergedbranches.yaml 
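Review bot: The production `ConfigurationOverrides` still carries the literal `"packageConfig": "TODO_P0_AKS_PACKAGE_CONFIG_NAME"`, and the free-form `overrideExtensionVersion` parameter flows unchecked into both the JSON `version` field and `ArtifactsVersionOverride`, yet nothing between `onebranch.pipeline.version@1` and `Ev2RARollout@2` refuses to run in that state, so a premature or mistyped manual run would hand the central rollout a bogus package name or version. I would add a fail-fast validation step ahead of the Ev2 task (shown below as Bash; use a PowerShell equivalent if the OneBranch release pool is Windows-only) that rejects any remaining `TODO_P0` marker, a non-SemVer version, and `rolloutType: globaloutage` with the default `icmIncidentId: 0` — the governed template may enforce the last one itself, but I cannot see that from here, and loosen the version pattern if the upstream `runName` is not plain SemVer. The `Select:` comment also no longer matches the code: it says to "temporarily replace" `regions(*)` with an EUAP filter, but the committed line is `Select: regions(centraluseuap,eastus2euap)` with `#Select: regions(*)` commented out, so either the comment should say the canary filter is the deliberate first-run default or the lines should be swapped before this reaches the shared branch.
```yaml
steps:
  - task: onebranch.pipeline.version@1
    # … unchanged: Setup BuildNumber …
  - task: Bash@3
    displayName: "Validate rollout inputs"
    env:
      OVERRIDES: $(ProdConfigurationOverrides)
      EXT_VERSION: $(extensionVersionValue)
      ROLLOUT_TYPE: ${{ parameters.rolloutType }}
      ICM_ID: ${{ parameters.icmIncidentId }}
    inputs:
      targetType: inline
      script: |
        set -euo pipefail
        if grep -q 'TODO_P0' <<< "$OVERRIDES"; then
          echo "##vso[task.logissue type=error]ConfigurationOverrides still carries a TODO(P0) placeholder"; exit 1
        fi
        if ! [[ "$EXT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
          echo "##vso[task.logissue type=error]extension version is not SemVer: '$EXT_VERSION'"; exit 1
        fi
        if [[ "$ROLLOUT_TYPE" == "globaloutage" && "$ICM_ID" == "0" ]]; then
          echo "##vso[task.logissue type=error]icmIncidentId is required for globaloutage rollouts"; exit 1
        fi
  - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
    # … unchanged: Ev2 Managed SDP Rollout (Prod) …
```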
@@ -902,6 +902,83 @@ extends: FileDirPath: '$(Build.ArtifactStagingDirectory)' DisableRemediation: false AcceptableOutdatedSignatureInHours: 72 + # --------------------------------------------------------------------------- + # Package + push the AKS extension Helm chart (ama-logs) to MCR. + # + # Consumed by the central-artifacts Ev2 Managed-SDP rollout pipeline: + # .pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml (AKS Managed) + # + # INCUBATION: gated on BUILD_EXTENSION_CHART=true so it does NOT affect normal + # builds until charts/azuremonitor-containers-extension is production-ready + # (see that chart's EXTENSION-MIGRATION.md). Set the pipeline variable to enable. + # --------------------------------------------------------------------------- + - job: package_extension_chart + displayName: "Package and push ama-logs extension helm chart" + condition: and(succeeded(), eq(variables['BUILD_EXTENSION_CHART'], 'true')) + dependsOn: + - common + - build_linux + - build_windows_multi_arc + variables: + linuxTelemetryTag: $[ dependencies.common.outputs['setup.linuxTelemetryTag'] ] + windowsTelemetryTag: $[ dependencies.common.outputs['setup.windowsTelemetryTag'] ] + Codeql.SkipTaskAutoInjection: true + # Extension chart repo path in ACR/MCR (mirrors the agent image namespace). 
+ extensionChartAcrPath: 'public/azuremonitor/containerinsights/cidev/ama-logs' + templateContext: + outputs: + - output: pipelineArtifact + targetPath: '$(Build.ArtifactStagingDirectory)/extension-chart' + artifactName: extension-chart-drop + steps: + - task: HelmInstaller@1 + displayName: Install Helm + inputs: + helmVersionToInstall: 3.19.0 + - task: AzureCLI@2 + displayName: "Package + push extension chart (AKS)" + inputs: + azureSubscription: ${{ variables.armServiceConnectionName }} + scriptType: bash + scriptLocation: inlineScript + inlineScript: | + set -euo pipefail + sudo apt-get update && sudo apt-get install -y gettext-base + mkdir -p $(Build.ArtifactStagingDirectory)/extension-chart + + # Chart version must be SemVer2. Use the telemetry tag for release builds, + # otherwise a dev prerelease derived from the image tag. + CHART_VERSION="$(linuxTelemetryTag)" + if [ "$(IS_RELEASE)" != "True" ]; then + CHART_VERSION="0.0.0-$(echo "$(linuxTelemetryTag)" | tr '._/' '-' )" + fi + echo "Extension chart version: $CHART_VERSION" + + cd charts/azuremonitor-containers-extension + export HELM_SEMVER="$CHART_VERSION" + export IMAGE_TAG="$(linuxTelemetryTag)" + export IMAGE_TAG_WINDOWS="$(windowsTelemetryTag)" + envsubst < Chart-template.yaml > Chart.yaml + envsubst < values-template.yaml > values.yaml + + echo "=== helm lint ===" + helm lint . + + helm package . --version "$CHART_VERSION" + cp ./azuremonitor-containers-extension-*.tgz $(Build.ArtifactStagingDirectory)/extension-chart/ + + # Only push on non-PR builds. + if [ "$(IS_PR)" == "True" ]; then + echo "PR build - skipping chart push to ACR." 
+ exit 0 + fi + + export HELM_EXPERIMENTAL_OCI=1 + az acr login -n ${{ variables.containerRegistry }} + CHART_TGZ=$(ls ./azuremonitor-containers-extension-*.tgz) + DEST="oci://${{ variables.containerRegistry }}.azurecr.io/$(extensionChartAcrPath)" + echo "Pushing $CHART_TGZ -> $DEST (version $CHART_VERSION)" + helm push "$CHART_TGZ" "$DEST" - stage: Deploy_and_Test_Images_In_Dev_Clusters displayName: Deploy and Test Images in Dev Clusters diff --git a/Documentation/AgentRelease/extension-release.md b/Documentation/AgentRelease/extension-release.md new file mode 100644 index 000000000..063c617d9 --- /dev/null +++ b/Documentation/AgentRelease/extension-release.md 
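Review bot: Both `envsubst` calls in the inline script run without a variable list, so every `${VAR}` in Chart-template.yaml and values-template.yaml is substituted from the job environment, and any placeholder that is not one of the three exported names is silently replaced with an empty string instead of being left intact or flagged. Restrict substitution to the intended names, `envsubst '${HELM_SEMVER} ${IMAGE_TAG} ${IMAGE_TAG_WINDOWS}' < Chart-template.yaml > Chart.yaml` and the same for values.yaml, and consider a `grep -q '\${' Chart.yaml values.yaml && exit 1` afterwards so an unstamped placeholder fails the build rather than shipping. The `helm push` result is not recorded anywhere: the digest it prints is the only immutable handle for a chart that the rollout pipeline will later fetch by mutable tag, so tee the push output into `$(Build.ArtifactStagingDirectory)/extension-chart/` next to the `.tgz` so a rollout can be reconciled against the digest that was actually published. Separately, the chart is pushed under `public/azuremonitor/containerinsights/cidev/ama-logs` while the rollout pipeline's `helmChartUrl` points at `.../ciprod/ama-logs`; the cidev-to-ciprod promotion step is not part of this change and presumably lives in the existing agent Ev2 release, which is worth stating in the job comment.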
@@ -0,0 +1,63 @@ +# ama-logs independent AKS extension-based release (WIP) + +This document describes the in-progress migration of the Container Insights logs agent +(`ama-logs`) to an **independent, extension-based release on AKS** — owning the Safe +Deployment Process (SDP) to customer clusters ourselves, instead of releasing through the +AKS team. It mirrors prometheus-collector's `aks/extension-charts` work. + +> Scope is **AKS only** for now. Arc continues to use the existing rollout +> (`deployment/arc-k8s-extension*`). Modernizing the Arc rollout to the same +> central-artifacts model is a possible later step, out of scope here. + +## Why +Today the AKS logs agent ships via **AgentBaker** (image baked into the AKS node VHD) + +a version bump in **aks-rp**, then rolls out on **AKS's** release train. We do not control +the cadence or region waves. The target model delivers `ama-logs` as a **cluster extension +chart published to MCR**; the AKS cluster-extension platform auto-installs/upgrades it, and +**our** pipeline owns the version, cadence and SDP waves — the same model the metrics +(ama-metrics) agent already uses. + +See the session migration analysis for the full background (two delivery models: +AgentBaker+RP vs MCR-chart+extension). + +## Components added in this repo +| Artifact | Purpose | +|---|---| +| `charts/azuremonitor-containers-extension/` | New parallel Helm chart delivering `ama-logs` as an **AKS managed-cluster extension**. Existing `charts/azuremonitor-containers` is untouched. | +| `.pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml` | Central-artifacts Ev2 Managed-SDP rollout of `microsoft.azuremonitor.containers` to **AKS Managed** clusters. | +| `package_extension_chart` job in `azure_pipeline_mergedbranches.yaml` | Packages + pushes the extension chart to MCR. Gated on `BUILD_EXTENSION_CHART=true` during incubation. | + +## End-to-end flow (target) +1. 
Build (`azure_pipeline_mergedbranches.yaml`) builds multi-arch images and, with + `BUILD_EXTENSION_CHART=true`, packages + pushes the chart to MCR (`ama-logs`). +2. Images are promoted to prod MCR by the existing agent Ev2 release. +3. The AKS extension rollout pipeline registers the new chart version with the + cluster-extension platform via **central artifacts** (`Ev2RARollout@2` / + `CentralArtifactsRollout`), starting in canary (`centraluseuap,eastus2euap`). +4. The platform's **central SDP policy** advances the version region by region + (Canary -> Pilot -> ... -> HighAvailability) with bake times. +5. The in-cluster extension-manager pulls the chart from MCR and installs/upgrades the + agent automatically — no AgentBaker, no aks-rp version bump, no manual helm install. + +## Per-release version handling +The rollout pipeline defaults the extension version to the upstream build `runName` +(`overrideExtensionVersion` to pin a specific validated build, e.g. for rollback). For +incubation off a feature branch you may pin a known-good `ci-prod` image tag, mirroring +prometheus-collector's `update-extension-dev` skill. + +## Cross-team dependency (P0 — gates ACTIVATION, not authoring) +The **ClusterConfig / Cluster-Extensions partner team** must: +- register `microsoft.azuremonitor.containers` as an **AKS managed-cluster extension type** + (with our `ev2-agent-release` MSI in `msiClientIds`), +- create the AKS **`packageConfig`** name, +- confirm the **`serviceGroup`** name for central rollout. + +All such values are marked `TODO(P0)` in the rollout pipeline. Note prometheus-collector +has the same open TODO for AKS — coordinate with the same partner-team contacts. + +## Remaining repo work +- Complete the chart template rework (token adapter via values, prune base-chart Arc-only + resources, schedulability). See + `charts/azuremonitor-containers-extension/EXTENSION-MIGRATION.md`. 
+- After validation + P0: cut over, drop the AgentBaker PR + aks-rp version bump, and retire + the legacy CDPX build files (`.pipelines/pipeline.user.*.yml`, `pull-from-cdpx-*.sh`). diff --git a/charts/azuremonitor-containers-extension/.gitignore b/charts/azuremonitor-containers-extension/.gitignore new file mode 100644 index 000000000..01e664f71 --- /dev/null +++ b/charts/azuremonitor-containers-extension/.gitignore @@ -0,0 +1,4 @@ +# Generated by envsubst from *-template.yaml at build time +Chart.yaml +values.yaml +*.tgz \ No newline at end of file diff --git a/charts/azuremonitor-containers-extension/.helmignore b/charts/azuremonitor-containers-extension/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/azuremonitor-containers-extension/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/azuremonitor-containers-extension/Chart-template.yaml b/charts/azuremonitor-containers-extension/Chart-template.yaml new file mode 100644 index 000000000..0d94eddc9 --- /dev/null +++ b/charts/azuremonitor-containers-extension/Chart-template.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v2 +type: application +# appVersion is the agent image tag this chart deploys; injected at package time. +appVersion: "${IMAGE_TAG}" +description: Helm chart for deploying the Azure Monitor Container Insights (ama-logs) agent as a managed cluster extension on AKS (Managed) clusters +name: azuremonitor-containers-extension +# Chart version is decoupled from appVersion so the extension/chart version can be +# stamped independently at package time (envsubst). See azure_pipeline_mergedbranches.yaml. +version: ${HELM_SEMVER} +kubeVersion: "^1.10.0-0" +keywords: + - monitoring + - azuremonitor + - azure + - ama + - containerinsights + - logs + - containerhealth + - kubernetesmonitoring + - kubernetes +home: https://docs.microsoft.com/en-us/azure/monitoring/monitoring-container-health +icon: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/img/azuremonitor-containers.svg +sources: + - https://github.com/microsoft/Docker-Provider/tree/ci_prod +maintainers: + - name: vishiy + email: visnara@microsoft.com + - name: ganga1980 + email: gangams@microsoft.com diff --git a/charts/azuremonitor-containers-extension/EXTENSION-MIGRATION.md b/charts/azuremonitor-containers-extension/EXTENSION-MIGRATION.md new file mode 100644 index 000000000..e8cddfcb0 --- /dev/null +++ b/charts/azuremonitor-containers-extension/EXTENSION-MIGRATION.md 
@@ -0,0 +1,59 @@ +# azuremonitor-containers-extension (ama-logs AKS extension chart) + +Parallel, **work-in-progress** Helm chart that delivers the Container Insights logs +agent (`ama-logs`) as an **AKS managed-cluster extension**, via the central-artifacts +Ev2 Managed-SDP rollout (`.pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml`). + +It is the ama-logs analogue of prometheus-collector's +`otelcollector/deploy/addon-chart/azure-monitor-metrics-addon`. + +> Scope is **AKS only** for now. The existing `charts/azuremonitor-containers` chart +> (the live Arc/RP path) is left untouched. This new chart runs in parallel until +> validated and cut over. + +## Why a new delivery model +Today the AKS logs agent ships via **AgentBaker** (image baked into the AKS node VHD) + +a version bump in **aks-rp** on AKS's release train. This chart moves it to the +**extension model**: the chart is published to MCR and the AKS cluster-extension platform +auto-installs/upgrades it, with **our** pipeline owning the version, cadence and SDP +region waves. See `Documentation/AgentRelease/extension-release.md` and the session +migration plan. + +## What is implemented here (scaffold) +- `Chart-template.yaml` / `values-template.yaml` — envsubst sources; the build stamps + `${HELM_SEMVER}`, `${IMAGE_TAG}`, `${IMAGE_TAG_WINDOWS}`. +- `values-template.yaml` additions: `global.commonGlobals`, `Azure.Identity` token-adapter + placeholders. + +## Remaining work (TODO before activation) +These require the AKS extension values schema (still being finalized on the prometheus +`aks/extension-charts` branch) and confirmation from the ClusterConfig/Extensions partner +team. Use the prom branch chart diff + its `update-extension-dev/SKILL.md` change table as +the spec. + +1. 
**Token adapter via values.** Rework `ama-logs-daemonset.yaml`, + `ama-logs-daemonset-windows.yaml` and `ama-logs-deployment.yaml` to inject the MSI + token adapter from `Azure.Identity.AADMsiTokenAdapter{Linux,Windows}Yaml` instead of any + baked addon-token-adapter. +2. **Prune base-chart Arc-only resources.** This chart was seeded from the Arc-derived + `azuremonitor-containers` chart. Remove/guard Arc-specific base templates that are not + needed for AKS (e.g. `ama-logs-arc-k8s-crd.yaml`). +3. **Schedulability.** Re-evaluate `tolerations` / `nodeAffinity` for managed-cluster + extension constraints (prom removed several `NoExecute`/`PreferNoSchedule` tolerations + and `nodeSelector` blocks for extension compatibility). +4. **Dependent charts / `global` guards.** If dependent subcharts are added, wrap their + templates with `{{- if .Values.global }}` guards as prom did for node-exporter. +5. **P0 registration.** Partner team registers `microsoft.azuremonitor.containers` as an + AKS managed-cluster extension type + AKS `packageConfig` + `serviceGroup`; fill the + `TODO(P0)` values in `.pipelines/azure-pipeline-aks-extension-managed-ev2-sdp.yml`. + +## Local validation +``` +wsl bash -c 'cd charts/azuremonitor-containers-extension && \ + IMAGE_TAG=dev IMAGE_TAG_WINDOWS=win-dev HELM_SEMVER=0.0.0-dev \ + envsubst < Chart-template.yaml > Chart.yaml && \ + envsubst < values-template.yaml > values.yaml && \ + helm lint . && helm template . \ + --set global.commonGlobals.Customer.AzureResourceID=/subscriptions/x/managedClusters/y; \ + rm -f Chart.yaml values.yaml' +``` diff --git a/charts/azuremonitor-containers-extension/local_testing_aks.ps1 b/charts/azuremonitor-containers-extension/local_testing_aks.ps1 new file mode 100644 index 000000000..c62f3d5dc --- /dev/null +++ b/charts/azuremonitor-containers-extension/local_testing_aks.ps1 
@@ -0,0 +1,44 @@ +# This script is only for AKS cluster testing. It reads the template files (Chart-template.yaml and values-template.yaml), +# replaces placeholders with actual values, and then writes the modified content back to new files (Chart.yaml and values.yaml). +# The placeholders replaced include HELM_SEMVER, IMAGE_TAG, and IMAGE_TAG_WINDOWS. +# +# NOTE: this renders the chart for a plain `helm install`, which BYPASSES the cluster-extension platform. +# The platform-injected identity / token adapter (Azure.Identity.AADMsiTokenAdapter*Yaml) will NOT be present, +# so use this to validate templating and that pods come up - not the managed-extension identity path. + +# Define variables +$ImageTag = "3.4.0" +$ImageTagWindows = "win-3.4.0" +$ChartVersion = "0.0.0-localtest" +$AKSResourceId = "/subscriptions//resourceGroups//providers/Microsoft.ContainerService/managedClusters/" + +# Read files +$chartTemplatePath = ".\Chart-template.yaml" +$valuesTemplatePath = ".\values-template.yaml" + +$chartTemplateContent = Get-Content -Path $chartTemplatePath -Raw +$valuesTemplateContent = Get-Content -Path $valuesTemplatePath -Raw + +# Create copies of the files +$chartOutputPath = ".\Chart.yaml" +$valuesOutputPath = ".\values.yaml" +$chartTemplateContent | Out-File -FilePath $chartOutputPath +$valuesTemplateContent | Out-File -FilePath $valuesOutputPath + +# Replace placeholders in Chart-template.yaml +$chartTemplateContent = $chartTemplateContent -replace '\$\{HELM_SEMVER\}', $ChartVersion +$chartTemplateContent = $chartTemplateContent -replace '\$\{IMAGE_TAG\}', $ImageTag + +# Replace placeholders in values-template.yaml +$valuesTemplateContent = $valuesTemplateContent -replace '\$\{IMAGE_TAG\}', $ImageTag +$valuesTemplateContent = $valuesTemplateContent -replace '\$\{IMAGE_TAG_WINDOWS\}', $ImageTagWindows +$valuesTemplateContent = $valuesTemplateContent -replace '\$\{HELM_SEMVER\}', $ChartVersion + +# Write the modified content back to the files 
+$chartTemplateContent | Out-File -FilePath $chartOutputPath +$valuesTemplateContent | Out-File -FilePath $valuesOutputPath + +Write-Host "Files have been processed and saved as Chart.yaml and values.yaml" + +# To install onto the AKS cluster in your current kube context, run: +# helm upgrade --install ama-logs-ext-test . --namespace kube-system --create-namespace --set global.commonGlobals.Customer.AzureResourceID=$AKSResourceId diff --git a/charts/azuremonitor-containers-extension/templates/_helpers.tpl b/charts/azuremonitor-containers-extension/templates/_helpers.tpl new file mode 100644 index 000000000..d6ae95ae1 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "azuremonitor-containers.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "azuremonitor-containers.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azuremonitor-containers.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} 
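Review bot: `Out-File` is used without `-Encoding`, and on Windows PowerShell 5.x that defaults to UTF-16LE with a BOM, which Helm will not read as YAML (PowerShell 7 defaults to UTF-8, so the script would work there and fail on 5.x); use `$chartTemplateContent | Out-File -FilePath $chartOutputPath -Encoding utf8` and the same for values.yaml on the two final writes. The first pair of writes under "Create copies of the files" emits the unmodified templates only to overwrite them a few lines later, so those two lines can be dropped. `$AKSResourceId` is shipped with empty path segments and is only used in a comment, so nothing stops a copy-paste install with a meaningless resource id; a guard such as `if ($AKSResourceId -match '//') { throw 'Fill in $AKSResourceId before installing' }` before the install hint would catch that.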
diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-arc-k8s-crd.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-arc-k8s-crd.yaml new file mode 100644 index 000000000..ba4ef3fc1 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/ama-logs-arc-k8s-crd.yaml @@ -0,0 +1,40 @@ +{{- if or ( contains "microsoft.kubernetes/connectedclusters" (.Values.Azure.Cluster.ResourceId | lower)) ( contains "microsoft.hybridcontainerservice/provisionedclusters" (.Values.Azure.Cluster.ResourceId | lower)) }} +#extension model +{{- if not (empty .Values.Azure.Extension.Name) }} +apiVersion: clusterconfig.azure.com/v1beta1 +kind: AzureExtensionIdentity +metadata: + name: {{ .Values.Azure.Extension.Name }} + namespace: azure-arc +spec: + serviceAccounts: + - name: ama-logs + namespace: kube-system + tokenNamespace: azure-arc +--- +{{- end }} +apiVersion: clusterconfig.azure.com/v1beta1 +kind: AzureClusterIdentityRequest +metadata: + name: container-insights-clusteridentityrequest + namespace: azure-arc +spec: + {{- if eq (.Values.Azure.Cluster.Cloud | lower) "azurepubliccloud" }} + audience: https://monitor.azure.com/ + {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurechinacloud" }} + audience: https://monitor.azure.cn/ + {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurebleucloud" }} + audience: https://monitor.sovcloud-api.fr/ + {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azuredeloscloud" }} + audience: https://monitor.sovcloud-api.de/ + {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azureusgovernmentcloud" }} + audience: https://monitor.azure.us/ + {{- else if and .Values.amalogs.isArcACluster (ne .Values.amalogs.tokenAudience "") }} + audience: {{ .Values.amalogs.tokenAudience | quote }} + {{- else }} + audience: https://monitor.azure.com/ + {{- end }} + {{- if not (empty .Values.Azure.Extension.Name) }} + resourceId: {{ .Values.Azure.Extension.Name }} + {{- end }} +{{- end }} 
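Review bot: The final `{{- else }}` branch of the audience selection in `AzureClusterIdentityRequest` falls back to `https://monitor.azure.com/` for any `Azure.Cluster.Cloud` value that matched no case, so an unrecognised or misspelt cloud name silently requests tokens for the public-cloud audience instead of failing the render; replace it with `{{- else }}{{ fail (printf "unsupported Azure.Cluster.Cloud %q" .Values.Azure.Cluster.Cloud) }}`, or match `""` explicitly first if an empty cloud is a deliberate local-testing input. The file is gated to Arc and provisioned clusters by its outer `if`, so it renders nothing on AKS; the migration notes already track removing it, but while it stays in the chart the wrong-audience fallback is the part worth hardening.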
diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-daemonset-windows.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-daemonset-windows.yaml
new file mode 100644
index 000000000..7ac6ae51e
--- /dev/null
+++ b/charts/azuremonitor-containers-extension/templates/ama-logs-daemonset-windows.yaml
@@ -0,0 +1,189 @@ +{{- if not (.Values.amalogs.useAADAuth) }} +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs-windows + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent-windows + tier: node-win +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + dsName: "ama-logs-ds" + template: + metadata: + labels: + dsName: "ama-logs-ds" + annotations: + agentVersion: {{ .Values.amalogs.image.winAgentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + spec: + priorityClassName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" + nodeSelector: + kubernetes.io/os: windows + {{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs + {{- end }} + containers: + - name: ama-logs-windows + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tagWindows }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 9 }} + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ 
.Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PODNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SIDECAR_SCRAPING_ENABLED + value: {{ .Values.amalogs.sidecarscraping | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{ if .Values.amalogs.ISTEST }} + - name: AZMON_KUBERNETES_METADATA_ENABLED + value: "true" + {{- end }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + volumeMounts: + # Uncomment when telegraf upgraded to 1.28.5 or higher + # {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + # - name: kube-api-access + # mountPath: /var/run/secrets/kubernetes.io/serviceaccount + # readOnly: true + # {{- end }} + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var #Read + Write access on this for position file + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true + livenessProbe: + exec: + command: + - cmd + - /c + - 
C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + volumes: + # Uncomment when telegraf upgraded to 1.28.5 or higher + # {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + # - name: kube-api-access + # projected: + # sources: + # - serviceAccountToken: + # path: token + # expirationSeconds: 3600 + # - configMap: + # items: + # - key: ca.crt + # path: ca.crt + # name: kube-root-ca.crt + # - downwardAPI: + # items: + # - fieldRef: + # apiVersion: v1 + # fieldPath: metadata.namespace + # path: namespace + # {{- end }} + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-daemonset.yaml new file mode 100644 index 000000000..8fe2c6e74 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/ama-logs-daemonset.yaml 
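Review bot: The Windows DaemonSet is wrapped in `{{- if not (.Values.amalogs.useAADAuth) }}` and further requires `amalogs.secret.key` and `amalogs.secret.wsid` to be non-empty, so on the MSI-based extension path this chart is meant for (`userAssignedIdentity` in the rollout overrides, `USING_AAD_MSI_AUTH` set in the env block here) no Windows agent is rendered at all, and the only Windows mode that does render is the workspace shared key carried in chart values. If Windows nodes are in scope for the extension, the outer gate should become something like `{{- if or (.Values.amalogs.useAADAuth) (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "")) }}` combined with the existing cluster-identity clause, and the MSI token-adapter sidecar the migration notes call for on Windows then needs adding alongside `ama-logs-windows`; if Windows is intentionally deferred, a comment saying so at the top of the template would save the next reader the same investigation. The `securityContext.capabilities` drop/add block is a Linux-only construct that Windows pods ignore, presumably carried over from the base chart, and can go.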
@@ -0,0 +1,418 @@ +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent + tier: node +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + dsName: "ama-logs-ds" + template: + metadata: + labels: + dsName: "ama-logs-ds" + annotations: + agentVersion: {{ .Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} + spec: + priorityClassName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" + {{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs + {{- end }} + containers: +{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} + {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- .Values.Azure.Identity.AADMsiTokenAdapterLinuxYaml | nindent 7 }} + {{- else }} + - name: msi-adapter + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ .Values.Azure.Extension.ResourceId }} + - name: 
EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name }} + - name: MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- end }} + - name: ama-logs + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 9 }} + env: + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + {{- if .Values.amalogs.enableHighLogScaleMode }} + - name: ENABLE_HIGH_LOG_SCALE_MODE + value: {{ .Values.amalogs.enableHighLogScaleMode | quote }} + {{- end }} + {{- if .Values.amalogs.syslog.enabled }} + - name: 
SYSLOG_HOST_PORT + value: {{ .Values.amalogs.syslog.syslogPort | quote }} + {{- end }} + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + {{- if not (empty .Values.Azure.Extension.Name) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name | quote }} + {{- end }} + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "" + {{- if .Values.amalogs.logsettings.logflushintervalsecs }} + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }} + {{- end }} + {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }} + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }} + {{- end }} + {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }} + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }} + {{- end }} + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + {{ if .Values.amalogs.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ .Values.amalogs.isArcACluster | quote }} + {{- end }} + {{- if ne .Values.amalogs.metricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ .Values.amalogs.metricsEndpoint | quote }} + {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + {{- end }} + {{- if ne .Values.amalogs.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ .Values.amalogs.tokenAudience | quote }} + {{- end }} + - name: IS_CUSTOM_CERT + value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{ if .Values.amalogs.ISTEST }} + - name: 
AZMON_KUBERNETES_METADATA_ENABLED + value: "true" + {{- end }} + {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + {{- end }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + {{- if .Values.amalogs.syslog.enabled }} + - name: syslog + containerPort: {{ .Values.amalogs.syslog.syslogPort }} + hostPort: {{ .Values.amalogs.syslog.syslogPort }} + protocol: TCP + {{- end }} + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + {{- end }} + - mountPath: /hostfs + name: host-root + readOnly: true + mountPropagation: HostToContainer + - mountPath: /var/log + name: host-log + - mountPath: /var/lib/docker/containers + name: containerlog-path + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + name: custom-mount-path + {{- end }} + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - 
"/opt/livenessprobe.sh" + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- if .Values.amalogs.sidecarscraping }} + - name: ama-logs-prometheus + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 9 }} + env: + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: CONTAINER_TYPE + value: "PrometheusSidecar" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-prometheus + resource: limits.memory + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + {{- end }} + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: 
/etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- end }} + {{- with .Values.amalogs.daemonset.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- end }} + volumes: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} + - name: host-root + hostPath: + path: / + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} + {{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true +{{- end }} diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-deployment.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-deployment.yaml new file mode 100644 index 000000000..ae82db954 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/ama-logs-deployment.yaml 
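Review bot: `privileged: true` on the ama-logs and ama-logs-prometheus containers makes the `capabilities: drop: [ALL]` / `add: [DAC_OVERRIDE]` block a no-op — a privileged container holds every capability regardless of the drop list, so the block reads as hardening it does not provide (the msi-adapter sidecar's `add: [NET_ADMIN, NET_RAW]` is likewise redundant under privileged). Either the agent genuinely needs privileged, in which case say so in a comment above `securityContext` and remove the misleading drop/add list, or it does not, in which case removing `privileged: true` and keeping the explicit capability set is the real fix; the same pattern appears in the ama-logs-deployment.yaml hunk. Separately, the `azure-json-path` mount of host `/etc/kubernetes` is read-write with no visible reason, while the sibling `host-root` and secret mounts are `readOnly: true`; unless the agent writes there, add `readOnly: true` to that mount in both the daemonset (main and sidecar containers) and deployment hunks. I would add above each securityContext: `# NOTE: privileged implies all capabilities; the drop/add list below has no effect while privileged is true`.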
@@ -0,0 +1,308 @@ +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ama-logs-rs + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent + tier: node +spec: + replicas: 1 + selector: + matchLabels: + rsName: "ama-logs-rs" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-rs" + annotations: + agentVersion: {{ .Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} + spec: + {{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs + {{- end }} + containers: +{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} + {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- .Values.Azure.Identity.AADMsiTokenAdapterLinuxYaml | nindent 7 }} + {{- else }} + - name: msi-adapter + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ .Values.Azure.Extension.ResourceId }} + - name: EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name }} + - name: 
MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- end }} + - name: ama-logs + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.deployment | indent 9 }} + env: + - name: NUM_OF_FLUENTD_WORKERS + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.cpu + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: 
status.hostIP + {{- if not (empty .Values.Azure.Extension.Name) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name | quote }} + {{- end }} + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "" + - name: SIDECAR_SCRAPING_ENABLED + value: {{ .Values.amalogs.sidecarscraping | quote }} + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + {{ if .Values.amalogs.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ .Values.amalogs.isArcACluster | quote }} + {{- end }} + {{- if ne .Values.amalogs.metricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ .Values.amalogs.metricsEndpoint | quote }} + {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + {{- end }} + {{- if ne .Values.amalogs.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ .Values.amalogs.tokenAudience | quote }} + {{- end }} + - name: IS_CUSTOM_CERT + value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{ if .Values.amalogs.ISTEST }} + - name: AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS + value: "true" + {{- end }} + {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + {{- end }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + 
readOnly: true + {{- end }} + - mountPath: /var/log + name: host-log + - mountPath: /var/lib/docker/containers + name: containerlog-path + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath : /etc/config + name: ama-logs-rs-config + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + name: custom-mount-path + {{- end }} + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - "/opt/livenessprobe.sh" + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- with .Values.amalogs.deployment.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- end }} + volumes: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-rs-config + configMap: + name: ama-logs-rs-config + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} + {{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true +{{- end }} diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-openshift-scc.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-openshift-scc.yaml new file mode 100644 index 000000000..abc8c3896 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/ama-logs-openshift-scc.yaml 
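Review bot: The `container-hostname` hostPath volume (host `/etc/hostname`) is declared under `volumes:` but no container in this hunk mounts it, so it is dead configuration that still widens what the pod spec requests from the node; drop it or mount it where it is needed (the daemonset hunk declares the same unused volume). `- mountPath : /etc/config` has a space before the colon — valid YAML but inconsistent with every other mount in the file; write `- mountPath: /etc/config`. The `image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3` sidecar is pinned by tag only while the main container's image comes from chart values; consider a digest pin (`@sha256:<digest-placeholder>`) so a rollout through the extension platform is reproducible.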
@@ -0,0 +1,27 @@
+{{- if eq .Values.Azure.Cluster.Distribution "openshift" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: ama-logs-scc
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowHostDirVolumePlugin: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+readOnlyRootFilesystem: false
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- hostPath
+- configMap
+- secret
+users:
+- system:serviceaccount:kube-system:ama-logs
+{{- end }}
diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-priorityclass.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-priorityclass.yaml
new file mode 100644
index 000000000..cfc93372d
--- /dev/null
+++ b/charts/azuremonitor-containers-extension/templates/ama-logs-priorityclass.yaml
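Review bot: The SCC's allow-lists do not appear to cover everything the ama-logs workloads request on OpenShift: the ama-logs containers add `DAC_OVERRIDE` but `allowedCapabilities` lists only `NET_ADMIN` and `NET_RAW`, the `kube-api-access` volume is `projected` but `volumes:` lists only `hostPath`, `configMap` and `secret`, and the optional syslog `hostPort` has no `allowHostPorts: true`. Whether admission actually rejects these depends on how OpenShift treats `allowPrivilegedContainer: true` alongside an explicit capability list, so this needs a render-and-apply check on an OpenShift cluster rather than a guess. Given how broad the SCC is (privileged, host directories, RunAsAny everywhere), a comment at the top naming which pod requirement drives each allow setting, e.g. `# hostPath: /hostfs, /var/log, /var/lib/docker/containers, /etc/kubernetes used by the ama-logs daemonset`, would make later tightening safer.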
@@ -0,0 +1,22 @@
+{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}}
+# This pod priority class is used for daemonsets to allow them to have priority
+# over pods that can be scheduled elsewhere. Without a priority class, it is
+# possible for a node to fill up with pods before the daemonset pods get to be
+# created for the node or get scheduled. Note that pods are not "daemonset"
+# pods - they are just pods created by the daemonset controller but they have
+# a specific affinity set during creation to the specific node each pod was
+# created to run on (daemonset controller takes care of that)
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: ama-logs
+ # Priority classes don't have labels :-)
+ annotations:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: ama-logs-agent
+value: {{ .Values.amalogs.priority }}
+globalDefault: false
+description: "This is the daemonset priority class for ama-logs"
+{{- end }}
diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-rbac.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-rbac.yaml
new file mode 100644
index 000000000..39beb991b
--- /dev/null
+++ b/charts/azuremonitor-containers-extension/templates/ama-logs-rbac.yaml
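Review bot: The rendering guard `{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or ...) }}` is copied verbatim into this file and into the daemonset, deployment, rs-configmap and secret hunks; a single named template, e.g. `{{- define "amalogs.enabled" -}}` in `_helpers.tpl` consumed as `{{- if include "amalogs.enabled" . }}`, would keep the five copies from drifting when the enablement condition changes. `value: {{ .Values.amalogs.priority }}` is correctly left unquoted since PriorityClass.value must be an integer, but nothing here states that contract; a comment next to it, `# must render as an int32 > 0 (see values-template.yaml)`, would document why this one value is not quoted like the rest of the chart.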
@@ -0,0 +1,74 @@ +{{- if .Values.amalogs.rbac }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ama-logs + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +--- +kind: ClusterRole +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +metadata: + name: ama-logs-reader + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "namespaces", "services", "persistentvolumes"] + verbs: ["list", "get", "watch"] +{{- if semverCompare ">=1.33-0" .Capabilities.KubeVersion.Version }} +- apiGroups: [""] + resources: ["nodes/pods"] + verbs: ["list", "get", "watch"] +{{- else }} +- apiGroups: [""] + resources: ["nodes/proxy"] + verbs: ["list", "get", "watch"] +{{- end }} +- apiGroups: ["apps", "extensions", "autoscaling"] + resources: ["replicasets", "deployments", "horizontalpodautoscalers"] + verbs: ["list"] +- apiGroups: ["clusterconfig.azure.com"] + resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"] + verbs: ["get", "create", "patch", "list", "update", "delete"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] +#arc k8s extension model grants access as part of the extension msi +#remove this explicit permission once the extension available in public preview +{{- if (empty .Values.Azure.Extension.Name) }} +- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["container-insights-clusteridentityrequest-token"] + verbs: ["get"] +{{- end }} +--- +kind: ClusterRoleBinding +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else 
}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +metadata: + name: amalogsclusterrolebinding + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +subjects: + - kind: ServiceAccount + name: ama-logs + namespace: kube-system +roleRef: + kind: ClusterRole + name: ama-logs-reader + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-rs-configmap.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-rs-configmap.yaml new file mode 100644 index 000000000..b48cdd7b8 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/ama-logs-rs-configmap.yaml 
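Review bot: The `rbac.authorization.k8s.io/v1beta1` fallback under `{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}` is dead on any cluster this chart can target — RBAC v1 has been GA since Kubernetes 1.8 and v1beta1 was removed in 1.22, and the same file already carries a `semverCompare ">=1.33-0"` branch. Replace each five-line conditional with a plain `apiVersion: rbac.authorization.k8s.io/v1` (two places, ClusterRole and ClusterRoleBinding). The `azureclusteridentityrequests` rule grants `create`, `patch`, `update` and `delete` with no `resourceNames` restriction and no comment on which component exercises the write verbs; a one-line comment there, `# TODO(review): document which agent path creates/deletes AzureClusterIdentityRequest objects and whether delete is still required`, would help the next reviewer judge least privilege. The `nodes/proxy` rule also lists `list` and `watch`, which do not apply to a proxy subresource and could presumably be trimmed to `get` once confirmed against the agent's actual kubelet calls.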
@@ -0,0 +1,247 @@ +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +kind: ConfigMap +apiVersion: v1 +data: + kube.conf: | + # Fluentd config file for OMS Docker - cluster components (kubeAPI) + + #Kubernetes pod inventory + + type kubepodinventory + tag oms.containerinsights.KubePodInventory + run_interval 60 + log_level debug + + + #Kubernetes Persistent Volume inventory + + type kubepvinventory + tag oms.containerinsights.KubePVInventory + run_interval 60 + log_level debug + + + #Kubernetes events + + type kubeevents + tag oms.containerinsights.KubeEvents + run_interval 60 + log_level debug + + + #Kubernetes Nodes + + type kubenodeinventory + tag oms.containerinsights.KubeNodeInventory + run_interval 60 + log_level debug + + + #cadvisor perf- Windows nodes + + type wincadvisorperf + tag oms.api.wincadvisorperf + run_interval 60 + log_level debug + + + #Kubernetes object state - deployments + + type kubestatedeployments + tag oms.containerinsights.KubeStateDeployments + run_interval 60 + log_level debug + + + #Kubernetes object state - HPA + + type kubestatehpa + tag oms.containerinsights.KubeStateHpa + run_interval 60 + log_level debug + + + type filter_inventory2mdm + log_level info + + + # custom_metrics_mdm filter plugin for perf data from windows nodes + + type filter_cadvisor2mdm + metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes + log_level info + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer + 
buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 3 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer + buffer_queue_limit 20 + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 30s + max_retry_wait 9m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + 
buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + +metadata: + name: ama-logs-rs-config + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end }} diff --git a/charts/azuremonitor-containers-extension/templates/ama-logs-secret.yaml b/charts/azuremonitor-containers-extension/templates/ama-logs-secret.yaml new file mode 100644 index 000000000..0d9219d77 --- /dev/null +++ b/charts/azuremonitor-containers-extension/templates/ama-logs-secret.yaml 
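Review bot: The buffer paths are inconsistent: `out_oms_kubepv*` and `out_oms_kubenodes*` write under `%STATE_DIR_WS%/state/`, while every other output writes directly under `%STATE_DIR_WS%/`, and the `out_oms_containernodeinventory` output is the only one without `buffer_queue_full_action drop_oldest_chunk` — if either is deliberate a comment saying so would stop it being "fixed"; otherwise align them. `out_mdm_cdvisorperf*.buffer` looks like a typo for `cadvisorperf`, though renaming it changes the on-disk buffer path and should be done knowingly. Every plugin runs with `log_level debug`; for a chart delivered through production MCR that is a lot of agent log volume, so consider `info` as the shipped default unless the debug output is relied on. The Fluentd `<source>`/`<match>`/`<filter>` directive lines are not visible in this rendering of the hunk, so the block boundaries could not be checked here.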
@@ -0,0 +1,26 @@
+{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ama-logs-secret
+ namespace: kube-system
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+ WSID: {{ required "A valid workspace id is required!" .Values.amalogs.secret.wsid | b64enc | quote }}
+ KEY: {{ required "A valid workspace key is required!" .Values.amalogs.secret.key | b64enc | quote }}
+ DOMAIN: {{ .Values.amalogs.domain | b64enc | quote }}
+ {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpsProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+ PROXY: {{ .Values.Azure.proxySettings.httpsProxy | b64enc | quote }}
+ {{- else if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+ PROXY: {{ .Values.Azure.proxySettings.httpProxy | b64enc | quote }}
+ {{- else if ne .Values.amalogs.proxy "" }}
+ PROXY: {{ .Values.amalogs.proxy | b64enc | quote }}
+ {{- end }}
+ {{- if and (or .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.isCustomCert) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+ PROXYCERT.crt: {{.Values.Azure.proxySettings.proxyCert | b64enc | quote}}
+ {{- end }}
+{{- end }}
diff --git a/charts/azuremonitor-containers-extension/values-template.yaml b/charts/azuremonitor-containers-extension/values-template.yaml
new file mode 100644
index 000000000..41f41f0ec
--- /dev/null
+++ b/charts/azuremonitor-containers-extension/values-template.yaml
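Review bot: The guard on the first line tests `.Values.amalogs.secret.wsid`, `.secret.key`, `.env.clusterName`, `.env.clusterId` and `.Values.Azure.Cluster.ResourceId` with `ne … ""`, while the values-template.yaml hunk that follows declares every one of those keys bare (`wsid:`, `key:`, `clusterName:`, `ResourceId:`), which YAML loads as null rather than an empty string. In current Go text/template versions `ne nil ""` is, as far as I recall, true rather than an error, so a default install would enter the block and then abort on the `required` calls instead of skipping the Secret as the guard intends; worth confirming with `helm template` against the default values. Either default those keys to `""` in values-template.yaml (as `Extension.Name: ""` already does in the same stanza) or switch the guard to `not (empty .Values.amalogs.secret.wsid)` and friends so null and empty string are treated alike. Minor style point: `PROXYCERT.crt` uses `{{.Values…quote}}` without the padding spaces every other action in the file has.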
@@ -0,0 +1,198 @@
+# Default values for azuremonitor-containers-extension (envsubst template).
+#
+# This file is the envsubst SOURCE for values.yaml. The build pipeline
+# (.pipelines/azure_pipeline_mergedbranches.yaml) runs:
+# envsubst < values-template.yaml > values.yaml
+# substituting ${IMAGE_TAG} and ${IMAGE_TAG_WINDOWS}.
+#
+# It mirrors charts/azuremonitor-containers/values.yaml plus the additions required
+# by the AKS cluster-extension framework (Azure.Identity token adapter).
+
+## global is populated by the AKS cluster-extension framework at install time.
+global:
+ commonGlobals:
+ Customer:
+ AzureResourceID: ""
+
+## Values under Azure are populated by the AKS extension platform during install.
+Azure:
+ Cluster:
+ Cloud:
+ Region:
+ ResourceId:
+ Extension:
+ Name: ""
+ ResourceId: ""
+ ## Identity is injected by the AKS extension framework: the managed-addon token
+ ## adapter sidecar yaml is supplied here by the platform.
+ ## TODO(P0): confirm the exact token-adapter values the partner team injects. DevSkim: ignore DS176209
+ Identity:
+ AADMsiTokenAdapterLinuxYaml: ""
+ AADMsiTokenAdapterWindowsYaml: ""
+ proxySettings:
+ isProxyEnabled: false
+ httpProxy: ""
+ httpsProxy: ""
+ noProxy: ""
+ proxyCert: ""
+ isCustomCert: false
+ autonomousFqdn: ""
+amalogs:
+ image:
+ # Fixed MCR repo for the extension delivery (chart pulls images from prod MCR).
+ repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod"
+ tag: "${IMAGE_TAG}"
+ tagWindows: "${IMAGE_TAG_WINDOWS}"
+ pullPolicy: IfNotPresent
+ dockerProviderVersion: "18.0.1-0"
+ agentVersion: "azure-mdsd-1.40.3"
+ winAgentVersion: "47.7.1" # there is no base agent version for windows agent
+
+ # Scheduling priority for the ama-logs daemonset pods (must be > 0).
+ priority: 10
+
+ # Run in high log scale mode or not.
+ enableHighLogScaleMode: false
+
+ # When true, additional agent workflow logs are emitted (used for e2e and Arc conformance testing).
+ ISTEST: false
+
+ # Use AAD MSI auth (Arc K8s).
+ useAADAuth: false
+
+ # True if this cluster is connected to the ArcA control plane.
+ isArcACluster: false
+
+ # Ignore the proxy settings.
+ ignoreExtensionProxySettings: false
+
+ # Allow ama-logs pods to be scheduled on nodes with taints.
+ scheduleOnTaintedNodes: false
+
+ # Enable/disable service account timebound token.
+ enableServiceAccountTimeBoundToken: true
+
+ # Enable/disable custom metrics (deprecated; disabled by default).
+ enableCustomMetrics: false
+
+ # Enable/disable Telegraf livenessprobe.
+ enableTelegrafLivenessprobe: false
+
+ secret:
+ wsid:
+ key:
+ domain: opinsights.azure.com
+ proxy:
+ metricsEndpoint:
+ tokenAudience:
+ env:
+ clusterName:
+ clusterId:
+ clusterRegion:
+ rbac: true
+ sidecarscraping: true
+ syslog:
+ enabled: false
+ syslogPort: 28330
+ logsettings:
+ logflushintervalsecs: "15"
+ tailbufchunksizemegabytes: "1"
+ tailbufmaxsizemegabytes: "1"
+ custommountpath: ""
+
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoExecute"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "PreferNoSchedule"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoExecute"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "PreferNoSchedule"
+ tolerationsUnrestricted:
+ - operator: "Exists"
+ effect: "NoSchedule"
+ - operator: "Exists"
+ effect: "NoExecute"
+ - operator: "Exists"
+ effect: "PreferNoSchedule"
+
+ daemonset:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ deployment:
+ affinity:
+
nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: storageprofile
+ operator: NotIn
+ values:
+ - managed
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ - key: kubernetes.io/role
+ operator: NotIn
+ values:
+ - master
+ resources:
+ daemonsetlinux:
+ requests:
+ cpu: 75m
+ memory: 325Mi
+ limits:
+ cpu: 150m
+ memory: 750Mi
+ daemonsetwindows:
+ requests:
+ cpu: 500m
+ memory: 700Mi
+ limits:
+ cpu: 2
+ memory: 2Gi
+ deployment:
+ requests:
+ cpu: 150m
+ memory: 250Mi
+ limits:
+ cpu: 1
+ memory: 1Gi
+ daemonsetlinuxsidecar:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 75m
+ memory: 225Mi
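Review bot: `tag: "${IMAGE_TAG}"` and `tagWindows: "${IMAGE_TAG_WINDOWS}"` are the only envsubst placeholders in this file, and GNU envsubst replaces an unset or empty variable with the empty string without failing, so a build that does not export either variable renders `tag: ""` and the chart is packaged with an unusable image reference under the pinned prod MCR `repo`. The build step that runs envsubst is outside this diff, so the template should at least record the hazard; I would add `# NOTE: envsubst does not fail on unset variables; the build must assert IMAGE_TAG and IMAGE_TAG_WINDOWS are non-empty before rendering.` directly after the `# substituting ${IMAGE_TAG} and ${IMAGE_TAG_WINDOWS}.` line. A check of the rendered values.yaml (non-empty tags in the format the build produces) before the chart is pushed would keep a broken render from reaching the Ev2 rollout described in the pipeline header.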