Merge branch 'master' into updateKsmNriBundle

Author: TmNguyen12

charts/agent-control-bootstrap/Chart.yaml

@@ -3,9 +3,9 @@ name: agent-control-bootstrap
 description: Bootstraps New Relic' Agent Control
 
 type: application
-version: 1.0.3
+version: 1.0.5
 # agent-control-deployment chart default version.
-appVersion: 1.0.3
+appVersion: 1.0.5
 annotations:
   # agent-control-cd chart default version.
   agentControlCdVersion: 1.0.0

charts/agent-control-deployment/Chart.yaml

@@ -4,8 +4,8 @@ description: A Helm chart to install New Relic Agent Control on Kubernetes
 
 type: application
 
-version: 1.0.3
-appVersion: "1.1.0"
+version: 1.0.5
+appVersion: "1.3.1"
 
 dependencies:
   - name: common-library

charts/agent-control-deployment/README.md

@@ -130,6 +130,12 @@ log:
 			<td>`{}`</td>
 			<td>Overrides the configuration that has been created automatically by the chart. This configuration here will be **MERGED** with the configuration specified above.</td>
 		</tr>
+		<tr>
+			<td>config.secretsProviders</td>
+			<td>object</td>
+			<td>`{}` (See <a href="values.yaml">values.yaml</a>)</td>
+			<td>List of external secrets providers configurations.  Agent Control supports the following external secrets providers types: - vault  k8s secrets and env vars are used by default.  ```yaml secretsProviders:   # -- External secret provider type   vault:     # -- List of sources from where to get secrets     sources:       # -- Source name (chosen by the user)       sourceA:         # -- URL of the vault server         url: urlA         # -- Token to access the vault         token: tokenA         # -- Vault engine version         engine: kv1       sourceB:         url: urlB         token: tokenB         engine: kv2     # -- Client timeout for requests to the vault     client_timeout: 10s     # -- Proxy settings for the vault     # -- See `proxy` value in that same file     proxy:       ... ``` </td>
+		</tr>
 		<tr>
 			<td>config.status_server</td>
 			<td>object</td>

charts/agent-control-deployment/templates/_helpers.tpl

@@ -98,6 +98,12 @@ cluster name, licenses, and custom attributes
   {{- $config = mustMerge $config (dict "proxy" .) -}}
 {{- end -}}
 
+{{- /* Add secrets providers */ -}}
+{{- with .Values.config.secretsProviders -}}
+  {{- $config = mustMerge $config (dict "secrets_providers" .) -}}
+{{- end -}}
+
+
 {{- /* Add Chart Repo url list to the allowed variants */ -}}
 {{- if (.Values.config.allowedChartRepositoryUrl) -}}
   {{- $allowedVariants := dict "variants" (dict "chart_repository_urls" .Values.config.allowedChartRepositoryUrl) -}}

charts/agent-control-deployment/tests/configmap_agentcontrol_config_test.yaml

@@ -525,3 +525,55 @@ tests:
               enabled: true
               host: 0.0.0.0
               port: 51200
+
+  - it: set up secrets providers
+    set:
+      cluster: my-cluster
+      config:
+        secretsProviders:
+          vault:
+            sources:
+              sourceA:
+                url: urlA
+                token: tokenA
+                engine: kv1
+              sourceB:
+                url: urlB
+                token: tokenB
+                engine: kv2
+    asserts:
+      - equal:
+          path: data["local_config"]
+          value: |
+            agents: {}
+            fleet_control:
+              auth_config:
+                private_key_path: /etc/newrelic-agent-control/keys/from-secret.key
+                provider: local
+                token_url: https://system-identity-oauth.service.newrelic.com/oauth2/token
+              endpoint: https://opamp.service.newrelic.com/v1/opamp
+              signature_validation:
+                public_key_server_url: https://publickeys.newrelic.com/r/blob-management/global/agentconfiguration/jwks.json
+            k8s:
+              ac_release_name: my-release
+              ac_remote_update: true
+              cd_release_name: agent-control-cd
+              cd_remote_update: true
+              cluster_name: my-cluster
+              namespace: my-namespace
+              namespace_agents: newrelic
+            secrets_providers:
+              vault:
+                sources:
+                  sourceA:
+                    engine: kv1
+                    token: tokenA
+                    url: urlA
+                  sourceB:
+                    engine: kv2
+                    token: tokenB
+                    url: urlB
+            server:
+              enabled: true
+              host: 0.0.0.0
+              port: 51200

charts/agent-control-deployment/values.yaml

@@ -174,6 +174,42 @@ config:
     # -- Specify a fleet_id to automatically connect the Agent Control to an existing fleet.
     fleet_id: ""
 
+  # -- List of external secrets providers configurations.
+  #
+  # Agent Control supports the following external secrets providers types:
+  # - vault
+  #
+  # k8s secrets and env vars are used by default.
+  #
+  # ```yaml
+  # secretsProviders:
+  #   # -- External secret provider type
+  #   vault:
+  #     # -- List of sources from where to get secrets
+  #     sources:
+  #       # -- Source name (chosen by the user)
+  #       sourceA:
+  #         # -- URL of the vault server
+  #         url: urlA
+  #         # -- Token to access the vault
+  #         token: tokenA
+  #         # -- Vault engine version
+  #         engine: kv1
+  #       sourceB:
+  #         url: urlB
+  #         token: tokenB
+  #         engine: kv2
+  #     # -- Client timeout for requests to the vault
+  #     client_timeout: 10s
+  #     # -- Proxy settings for the vault
+  #     # -- See `proxy` value in that same file
+  #     proxy:
+  #       ...
+  # ```
+  #
+  # @default -- `{}` (See <a href="values.yaml">values.yaml</a>)
+  secretsProviders: {}
+
   # -- Overrides the configuration that has been created automatically by the chart.
   # This configuration here will be **MERGED** with the configuration specified above.
   override: {}

charts/nr-k8s-otel-collector/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.9.4
 
 
 dependencies:

charts/nr-k8s-otel-collector/README.md

@@ -166,6 +166,8 @@ to export data to this connector which can then be connected to the New Relic ma
 | image.tag | string | `"1.5.0"` | Overrides the image tag whose default is the chart appVersion. |
 | kube-state-metrics.enableResourceQuotaSamples | bool | `false` | Enable resource quota data exporting |
 | kube-state-metrics.enabled | bool | `true` | Install the [`kube-state-metrics` chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) from the stable helm charts repository. This is mandatory if `infrastructure.enabled` is set to `true` and the user does not provide its own instance of KSM version >=1.8 and <=2.0. Note, kube-state-metrics v2+ disables labels/annotations metrics by default. You can enable the target labels/annotations metrics to be monitored by using the metricLabelsAllowlist/metricAnnotationsAllowList options described [here](https://github.com/prometheus-community/helm-charts/blob/159cd8e4fb89b8b107dcc100287504bb91bf30e0/charts/kube-state-metrics/values.yaml#L274) in your Kubernetes clusters. |
+| kube-state-metrics.metricAnnotationsAllowList | list | `["pods=[*]", "namespaces=[*]", "deployments=[*]"]` | List of Kubernetes annotation keys that will be used in the resources' annotations metric. By default, kube-state-metrics v2+ does not expose annotations as metric labels. This option allows you to specify which annotations should be exposed as metric dimensions. Each entry is formatted as "resource=[annotation1,annotation2,...]". Use "*" to include all annotations for a resource type. Example: ["pods=[description,owner]", "namespaces=[description]", "deployments=[change-id,jira-ticket]"] |
+| kube-state-metrics.metricLabelsAllowlist | list | `["pods=[*]", "namespaces=[*]", "deployments=[*]"]` | List of Kubernetes label keys that will be used in the resources' labels metric. By default, kube-state-metrics v2+ does not expose labels as metric labels. This option allows you to specify which labels should be exposed as metric dimensions. Each entry is formatted as "resource=[label1,label2,...]". Use "*" to include all labels for a resource type. Example: ["pods=[app,environment,team]", "namespaces=[environment]", "deployments=[app,version]"] |
 | kube-state-metrics.prometheusScrape | bool | `false` | Disable prometheus from auto-discovering KSM and potentially scraping duplicated data |
 | labels | object | `{}` | Additional labels for chart objects |
 | licenseKey | string | `""` | This set this license key to use. Can be configured also with `global.licenseKey` |
@@ -198,6 +200,7 @@ to export data to this connector which can then be connected to the New Relic ma
 | receivers.kubeletstats.enabled | bool | `true` | Specifies whether the `kubeletstats` receiver is enabled |
 | receivers.kubeletstats.scrapeInterval | string | `1m` | Sets the scrape interval for the `kubeletstats` receiver |
 | receivers.prometheus.enabled | bool | `true` | Specifies whether the `prometheus` receiver is enabled |
+| receivers.prometheus.ksmSelector | string | `app.kubernetes.io/name=kube-state-metrics` | Label selector that will be used to automatically discover an instance of kube-state-metrics running in the cluster. |
 | receivers.prometheus.scrapeInterval | string | `1m` | Sets the scrape interval for the `prometheus` receiver |
 | serviceAccount | object | See `values.yaml` | Settings controlling ServiceAccount creation |
 | serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created |