newrelic · Philip-R-Beckwith · Jan 30, 2025 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/.github/workflows/lint_test_charts.yaml b/.github/workflows/lint_test_charts.yaml
@@ -32,7 +32,7 @@ jobs:
       - uses: helm/[email protected]
       - uses: azure/setup-helm@v4
         with:
-          version: 'v3.0.0'
+          version: 'v3.2.0'
 
       - name: Set up helm-unittest
         run: helm plugin install https://github.com/helm-unittest/helm-unittest
@@ -76,7 +76,7 @@ jobs:
       - uses: helm/[email protected]
       - uses: azure/setup-helm@v4
         with:
-          version: 'v3.0.0'
+          version: 'v3.2.0'
 
       - name: Install Minikube
         uses: manusa/[email protected]
@@ -109,7 +109,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: azure/setup-helm@v4
         with:
-          version: 'v3.0.0'
+          version: 'v3.2.0'
 
       - name: Add helm repositories
         run: |
@@ -157,7 +157,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: azure/setup-helm@v4
         with:
-          version: 'v3.0.0'
+          version: 'v3.2.0'
 
       - name: Add helm repositories
         run: |

@@ -13,7 +13,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.13
+version: 0.1.14
 dependencies:
   - name: common-library
     version: 1.3.0

@@ -90,3 +90,10 @@ Return the customSecretLicenseKey
     {{- "" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create otel collector receiver endpoint
+*/}}
+{{- define "nr-otel-collector-receiver.endpoint" -}}
+{{- printf "dns:///%s.%s.svc.%s:4317" (include "otel-collector.service.name" .) .Release.Namespace .Values.kubernetesClusterDomain }}
+{{- end }}
@@ -0,0 +1,12 @@
+{{/* Controller manager service certificate's secret. */}}
+{{- define "nr-ebpf-agent-certificates.certificateSecret.name" -}}
+{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "controller-manager-service-cert") -}}
+{{- end }}
+
+{{- define "nr-ebpf-agent.service.name" -}}
+{{- include "newrelic.common.naming.truncateToDNS" (include "newrelic.common.naming.fullname" .) }}
+{{- end }}
+
+{{- define "otel-collector.service.name" -}}
+{{- include "newrelic.common.naming.truncateToDNS" "otel-collector" }}
+{{- end }}
@@ -0,0 +1,36 @@
+{{/*
+Return certificate and CA for ebpf.
+It handles variants when a cert has to be generated by Helm,
+a cert is loaded from an existing secret or is provided via `.Values`
+*/}}
+{{- define "nr-ebpf-agent-certificates.ebpfCert" -}}
+{{- $caCert := "" }}
+{{- $clientCert := "" }}
+{{- $clientKey := "" }}
+{{- if .Values.tls.autoGenerateCert.enabled }}
+    {{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace  (include "nr-ebpf-agent-certificates.certificateSecret.name" . )) }}
+    {{- if and (not .Values.tls.autoGenerateCert.recreate) $prevSecret }}
+        {{- $clientCert = index $prevSecret "data" "tls.crt" }}
+        {{- $clientKey = index $prevSecret "data" "tls.key" }}
+        {{- $caCert = index $prevSecret "data" "ca.crt" }}
+    {{- else }}
+        {{- $certValidity := int .Values.tls.autoGenerateCert.certPeriodDays | default 365 }}
+        {{- $ca := genCA "nr-ebpf-agent-certificates-ca" $certValidity }}
+        {{- $domain1 := printf "%s.%s.svc"  (include "nr-ebpf-agent.service.name" .) $.Release.Namespace }}
+        {{- $domain2 := printf "%s.%s.svc.%s" (include "nr-ebpf-agent.service.name" .) $.Release.Namespace $.Values.kubernetesClusterDomain }}
+        {{- $domain3 := printf "%s.%s.svc"  (include "otel-collector.service.name" .) $.Release.Namespace }}
+        {{- $domain4 := printf "%s.%s.svc.%s" (include "otel-collector.service.name" .) $.Release.Namespace $.Values.kubernetesClusterDomain }}
+        {{- $domains := list $domain1 $domain2 $domain3 $domain4 }}
+        {{- $cert := genSignedCert (include "newrelic.common.naming.fullname" .) nil $domains $certValidity $ca }}
+        {{- $clientCert = b64enc $cert.Cert }}
+        {{- $clientKey = b64enc $cert.Key }}
+        {{- $caCert = b64enc $ca.Cert }}
+    {{- end }}
+{{- else }}
+    {{- $clientCert = .Files.Get .Values.tls.certFile | b64enc }}
+    {{- $clientKey = .Files.Get .Values.tls.keyFile | b64enc }}
+    {{- $caCert = .Files.Get .Values.tls.caFile | b64enc }}
+{{- end }}
+{{- $result := dict "clientCert" $clientCert "clientKey" $clientKey "caCert" $caCert }}
+{{- $result | toYaml }}
+{{- end }}
@@ -1,16 +1,23 @@
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: nr-ebpf-agent
   labels:
+    app: nr-ebpf-agent
+    component: agent
     {{- include "newrelic.common.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
+      app: nr-ebpf-agent
+      component: agent
       {{- include "newrelic.common.labels.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
+        app: nr-ebpf-agent
+        component: agent
         {{- include "newrelic.common.labels.podLabels" . | nindent 8 }}
     spec:
       containers:
@@ -35,6 +42,16 @@ spec:
             value: "cluster.local"
           - name: PL_TABLE_STORE_DATA_LIMIT_MB
             value: "{{ .Values.tableStoreDataLimitMB }}"
+          - name: PX_DISABLE_TLS
+          {{- if eq .Values.tls.enabled true }}
+            value: "0"
+          {{- else }}
+            value: "1"
+          {{- end }}
+          {{- if eq .Values.tls.enabled true }}
+          - name: CERT_PATH
+            value: "{{ .Values.tls.autoGenerateCert.certPath }}"
+          {{- end }}
         securityContext:
           privileged: true
         volumeMounts:
@@ -44,6 +61,11 @@ spec:
           - name: sys-volume
             mountPath: /sys
             readOnly: true
+          {{- if eq .Values.tls.enabled true }}
+          - name: cert
+            mountPath: "{{ .Values.tls.autoGenerateCert.certPath }}"
+            readOnly: true
+          {{- end }}
       - name: nr-ebpf-client
         image: {{ .Values.ebpfClient.image.repository }}:{{ .Values.ebpfClient.image.tag }}
         imagePullPolicy: {{ .Values.ebpfClient.image.pullPolicy }}
@@ -58,7 +80,7 @@ spec:
               fieldRef:
                 fieldPath: status.hostIP
           - name: ENDPOINT
-            value: "$(HOST_IP):4317"
+            value: {{ include "nr-otel-collector-receiver.endpoint" .}}
           - name: PL_STIRLING_SOURCES
             value: "{{ .Values.stirlingSources }}"
           {{- if .Values.protocols }}
@@ -76,8 +98,24 @@ spec:
           # TODO(kpattaswamy): Once we implement TLS, we should make this configurable again
           - name: IS_INSECURE
             value: "True"
+          - name: PX_DISABLE_TLS
+          {{- if eq .Values.tls.enabled true }}
+            value: "0"
+          {{- else }}
+            value: "1"
+          {{- end }}
           - name: KUBERNETES_CLUSTER_DOMAIN
-            value: "cluster.local"
+            value: "{{ .Values.kubernetesClusterDomain }}"
+        {{- if eq .Values.tls.enabled true }}
+          - name: CERT_PATH
+            value: "{{ .Values.tls.autoGenerateCert.certPath }}"
+          - name: NAMESPACE
+            value: {{ .Release.Namespace }}
+        volumeMounts:
+          - name: cert
+            mountPath: "{{ .Values.tls.autoGenerateCert.certPath }}"
+            readOnly: true
+        {{- end }}
         envFrom:
         - secretRef:
             name: nr-ebpf-agent-secrets
@@ -106,3 +144,9 @@ spec:
       tolerations:
         {{- . | nindent 8 -}}
       {{- end }}
+      {{- if eq .Values.tls.enabled true }}
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ include "nr-ebpf-agent-certificates.certificateSecret.name" . }}
+      {{- end }}
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "nr-ebpf-agent.service.name" . }}
+  labels:
+    app: nr-ebpf-agent
+    component: agent
+    {{- include "newrelic.common.labels" . | nindent 4 }}
+spec:
+  # The Agent pod will use a service containing a clusterIP and port 12345 to interface via.
+  type: ClusterIP
+  selector:
+    {{- include "newrelic.common.labels.selectorLabels" . | nindent 4 }}
+    component: agent
+  ports:
+    - name: agent-grpc
+      port: 12345
+      protocol: TCP
+      targetPort: 12345
@@ -12,6 +12,11 @@ data:
           protocols:
             grpc:
               endpoint: $RECEIVER_ENDPOINT:4317
+              {{- if eq .Values.tls.enabled true }}
+              tls:
+                cert_file: "{{ .Values.tls.autoGenerateCert.certPath }}tls.crt"
+                key_file: "{{ .Values.tls.autoGenerateCert.certPath }}tls.key"
+              {{- end}}
       processors:
         k8sattributes/local_k8s_md:
           auth_type: 'serviceAccount'

@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -71,6 +72,11 @@ spec:
             mountPath: /etc/otel/config.yaml
             subPath: config.yaml
             readOnly: true
+          {{- if eq .Values.tls.enabled true }}
+          - name: cert
+            mountPath: "{{ .Values.tls.autoGenerateCert.certPath }}"
+            readOnly: true
+          {{- end }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       serviceAccountName: {{ include "nr-ebpf-agent.fullname" . }}-collector
@@ -91,3 +97,9 @@ spec:
       tolerations:
         {{- . | nindent 8 -}}
       {{- end }}
+      {{- if eq .Values.tls.enabled true }}
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ include "nr-ebpf-agent-certificates.certificateSecret.name" . }}
+      {{- end }}
@@ -1,7 +1,8 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
-  name: otel-collector
+  name: {{ include "otel-collector.service.name" . }}
   labels:
     app: opentelemetry
     component: otel-collector

@@ -1,3 +1,4 @@
+---
 {{- $licenseKey := include "nr-ebpf-agent.licenseKey" . -}}
 {{- $customSecretLicenseKey := include "nr-ebpf-agent.customSecretKey" . -}}
 apiVersion: v1
@@ -15,3 +16,22 @@ data:
   {{- else }}
   NR_LICENSE_KEY: {{ required "secrets.licenseKey is required" .Values.licenseKey | b64enc | quote }}
   {{ end }}
+---
+{{- $tls := fromYaml (include "nr-ebpf-agent-certificates.ebpfCert" .) }}
+{{- if .Values.tls.autoGenerateCert.enabled }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: {{ include "nr-ebpf-agent-certificates.certificateSecret.name" . }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  labels:
+    {{- include "newrelic.common.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
+data:
+  tls.crt: {{ $tls.clientCert }}
+  tls.key: {{ $tls.clientKey }}
+  ca.crt: {{ $tls.caCert }}
+{{- end }}
@@ -131,3 +131,33 @@ nodeSelector: {}
 tolerations: []
 # -- Sets all pods' affinities. Can be configured also with `global.affinity`
 affinity: {}
+# --  Kubernetes cluster domain
+kubernetesClusterDomain: cluster.local
+
+# -- tls make sure only requests with correctly formatted rules will get into the Operator
+tls:
+  enabled: true
+
+  ## TLS Certificate Option 1: Use Helm to automatically generate self-signed certificate.
+  ## autoGenerateCert must be enabled.
+  autoGenerateCert:
+    # -- If true, Helm will automatically create a self-signed cert and secret for you.
+    enabled: true
+    # -- If set to true, new key/certificate is generated on helm upgrade.
+    recreate: true
+    # -- Cert validity period time in days.
+    certPeriodDays: 365
+    # -- Certificates path
+    certPath: "/tmp/ebpf/certs/"
+
+  ## TLS Certificate Option 2: Use your own self-signed certificate.
+  ## autoGenerateCert must be disabled and certFile, keyFile, and caFile must be set.
+  ## The chart reads the contents of the file paths with the helm .Files.Get function.
+  ## Refer to this doc https://helm.sh/docs/chart_template_guide/accessing_files/ to understand
+  ## limitations of file paths accessible to the chart.
+  # -- Path to your own PEM-encoded certificate.
+  certFile: ""
+  # -- Path to your own PEM-encoded private key.
+  keyFile: ""
+  # -- Path to the CA cert.
+  caFile: ""