From 254403a11319414404753de5ab90f8649703e6db Mon Sep 17 00:00:00 2001
From: longwan
Date: Tue, 28 Oct 2025 00:33:35 +0000
Subject: [PATCH 01/47] addon chart
---
.../ama-logs.yaml | 1893 +++++++++++++++++
1 file changed, 1893 insertions(+)
create mode 100644 charts/azuremonitor-containerinsights/ama-logs.yaml
diff --git a/charts/azuremonitor-containerinsights/ama-logs.yaml b/charts/azuremonitor-containerinsights/ama-logs.yaml
new file mode 100644
index 000000000..8faea5590
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/ama-logs.yaml
@@ -0,0 +1,1893 @@
+{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}
+{{- $amalogsWindowsDefaultImageTag := dict "component" "ama-logs-win" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}
+{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}}
+{{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}}
+{{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}}
+{{- $WinImageTag := default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ama-logs-secret
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+type: Opaque
+data:
+ WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }}
+ KEY: {{ .Values.OmsAgent.workspaceKey | b64enc | quote }}
+{{- if .Values.OmsAgent.isMoonCake }}
+ DOMAIN: {{ b64enc "opinsights.azure.cn" }}
+{{- end }}
+{{- if .Values.OmsAgent.isFairfax }}
+ DOMAIN: {{ b64enc "opinsights.azure.us" }}
+{{- end }}
+{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }}
+ DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }}
+{{- end }}
+{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }}
+ DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }}
+{{- end }}
+{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }}
+ DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }}
+{{- end }}
+{{- if 
.Values.OmsAgent.httpsProxy }}
+ PROXY: {{ .Values.OmsAgent.httpsProxy | b64enc | quote }}
+{{- else if .Values.OmsAgent.httpProxy }}
+ PROXY: {{ .Values.OmsAgent.httpProxy | b64enc | quote }}
+{{- end}}
+{{- if .Values.OmsAgent.trustedCA }}
+ PROXYCERT.crt: {{ .Values.OmsAgent.trustedCA | quote }}
+{{- end}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ama-logs
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+---
+kind: ClusterRole
+{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+metadata:
+ name: ama-logs-reader
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["apps", "extensions", "autoscaling"]
+ resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
+ verbs: ["list"]
+{{- if .Values.OmsAgent.isRSVPAEnabled }}
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: [ "ama-logs-rs" ]
+ verbs: ["get", "patch"]
+{{- end }}
+{{- if .Values.OmsAgent.isUsingAADAuth }}
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}]
+ verbs: ["get", "watch"]
+{{- end }}
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+metadata:
+ name: amalogsclusterrolebinding
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: ama-logs
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ama-logs-reader
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ConfigMap
+apiVersion: v1
+data:
+ CLUSTER_RESOURCE_ID: "{{ .Values.OmsAgent.aksResourceID }}"
+metadata:
+ name: container-azm-ms-aks-k8scluster
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+---
+kind: ConfigMap
+apiVersion: v1
+data:
+ kube.conf: |-
+ # Fluentd config file for OMS Docker - cluster components (kubeAPI)
+ #fluent forward plugin
+
+ type forward
+ port "#{ENV['HEALTHMODEL_REPLICASET_SERVICE_SERVICE_PORT']}"
+ bind 0.0.0.0
+ chunk_size_limit 4m
+
+
+ #Kubernetes pod inventory
+
+ type kubepodinventory
+ tag oms.containerinsights.KubePodInventory
+ run_interval 60
+ log_level debug
+
+
+ #Kubernetes Persistent Volume inventory
+
+ type kubepvinventory
+ tag oms.containerinsights.KubePVInventory
+ run_interval 60
+ log_level debug
+
+
+ #Kubernetes events
+
+ type kubeevents
+ tag oms.containerinsights.KubeEvents
+ run_interval 60
+ log_level debug
+
+
+ #Kubernetes Nodes
+
+ type kubenodeinventory
+ tag oms.containerinsights.KubeNodeInventory
+ run_interval 60
+ log_level debug
+
+
+ #Kubernetes health
+
+ type kubehealth
+ tag kubehealth.ReplicaSet
+ run_interval 60
+ log_level debug
+
+
+ #cadvisor perf- Windows nodes
+
+ type wincadvisorperf
+ tag oms.api.wincadvisorperf
+ run_interval 60
+ log_level debug
+
+
+ #Kubernetes object state - deployments
+
+ type kubestatedeployments
+ tag oms.containerinsights.KubeStateDeployments
+ run_interval 60
+ log_level debug
+
+
+ #Kubernetes object state - HPA
+
+ type kubestatehpa
+ tag oms.containerinsights.KubeStateHpa
+ run_interval 60
+ log_level debug
+
+
+
+ type filter_inventory2mdm
+ log_level info
+
+
+ #custom_metrics_mdm filter plugin for perf data from windows nodes
+
+ type filter_cadvisor2mdm
+ metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes,pvUsedBytes
+ log_level info
+
+
+ #health model aggregation filter
+
+ type filter_health_model_builder
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 2
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 5
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 2
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 2
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 2
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 3
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer
+ buffer_queue_limit 20
+ 
flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 2
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_mdm
+ log_level debug
+ num_threads 5
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_mdm_*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+ retry_mdm_post_wait_minutes 30
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 5
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+
+ type out_mdm
+ log_level debug
+ num_threads 5
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+ retry_mdm_post_wait_minutes 30
+
+
+
+ type out_oms
+ log_level debug
+ num_threads 5
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_kubehealth*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+
+ type out_oms
+ log_level debug
+ num_threads 5
+ buffer_chunk_limit 4m
+ buffer_type file
+ buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer
+ buffer_queue_limit 20
+ buffer_queue_full_action drop_oldest_chunk
+ flush_interval 20s
+ retry_limit 10
+ retry_wait 5s
+ max_retry_wait 5m
+
+metadata:
+ name: ama-logs-rs-config
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+---
+{{/* Get sizes */}}
+{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}}
+{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}}
+{{- $sizes := list ($singleSize) -}}
+{{- if $useDaemonSetSizing -}}
+ {{- $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize -}}
+ {{- $sizes = list ($singleSize) -}}
+ {{- $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize -}}
+{{- end -}}
+{{/* Generate DaemonSets */}}
+{{- $prevmaxCPU := 0 -}}
+{{- range $index, $size := $sizes -}}
+{{- if gt $index 0 }}
+---
+{{ end -}}
+{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes -}}
+apiVersion: apps/v1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: DaemonSet
+metadata:
+ labels:
+ component: ama-logs-agent
+ tier: node
+ kubernetes.azure.com/managedby: aks
+{{- if $.Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+ {{- if and $useDaemonSetSizing $size.name }}
+ kubernetes.azure.com/ds-tshirt-size: {{ $size.name }}
+ {{- end }}
+ name: ama-logs{{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }}
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ component: ama-logs-agent
+ tier: node
+ {{- if and $useDaemonSetSizing 
$size.name }}
+ kubernetes.azure.com/ds-tshirt-size: {{ $size.name }}
+ {{- end }}
+ template:
+ metadata:
+ annotations:
+ agentVersion: "azure-mdsd-1.37.0"
+ dockerProviderVersion: "18.0.1-0"
+ schema-versions: "v1"
+ WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }}
+ kubernetes.azure.com/no-http-proxy-vars: "true"
+ labels:
+ component: ama-logs-agent
+ tier: node
+ kubernetes.azure.com/managedby: aks
+ {{- if and $useDaemonSetSizing $size.name }}
+ kubernetes.azure.com/ds-tshirt-size: {{ $size.name }}
+ {{- end }}
+{{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }}
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+{{- end }}
+ spec:
+{{- if semverCompare ">=1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }}
+ priorityClassName: system-node-critical
+{{- end }}
+ serviceAccountName: ama-logs
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "3"
+ containers:
+{{- if $.Values.OmsAgent.isUsingAADAuth }}
+ - name: addon-token-adapter
+ command:
+ - /addon-token-adapter
+ args:
+ - --secret-namespace=kube-system
+ - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName}}
+ - --token-server-listening-port=8888
+ - --health-server-listening-port=9999
+ - --restart-pod-waiting-minutes-on-broken-connection=240
+ image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}"
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: AZMON_COLLECT_ENV
+ value: "false"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 9999
+ initialDelaySeconds: 10
+ periodSeconds: 60
+ resources:
+ limits:
+ {{- $containerResources := index $size.containers "addon-token-adapter" }}
+ cpu: {{ $containerResources.cpuLimit }}
+ memory: {{ $containerResources.memoryLimit }}
+ requests:
+ cpu: {{ $containerResources.cpuRequest }}
+ memory: {{ $containerResources.memoryRequest }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_ADMIN
+ - NET_RAW
+{{- 
end }}
+ - name: ama-logs
+ image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}"
+ {{- if $.Values.OmsAgent.isImagePullPolicyAlways }}
+ imagePullPolicy: Always
+ {{- else }}
+ imagePullPolicy: IfNotPresent
+ {{- end }}
+ resources:
+ limits:
+ {{- $containerResources := index $size.containers "ama-logs" }}
+ cpu: {{ $containerResources.cpuLimit }}
+ memory: {{ $containerResources.memoryLimit }}
+ requests:
+ {{- $containerResources := index $size.containers "ama-logs" }}
+ cpu: {{ $containerResources.cpuRequest }}
+ memory: {{ $containerResources.memoryRequest }}
+ env:
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
+ valueFrom:
+ resourceFieldRef:
+ containerName: ama-logs
+ resource: limits.memory
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: FBIT_SERVICE_FLUSH_INTERVAL
+ value: "15"
+ - name: FBIT_TAIL_BUFFER_CHUNK_SIZE
+ value: "1"
+ - name: FBIT_TAIL_BUFFER_MAX_SIZE
+ value: "1"
+ - name: AKS_CLUSTER_NAME
+ value: "{{ $.Values.OmsAgent.aksClusterName }}"
+ - name: AKS_RESOURCE_ID
+ value: "{{ $.Values.OmsAgent.aksResourceID }}"
+ - name: AKS_NODE_RESOURCE_GROUP
+ value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}"
+ - name: AKS_REGION
+ value: "{{ $.Values.OmsAgent.aksRegion }}"
+ - name: CONTROLLER_TYPE
+ value: "DaemonSet"
+ - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+ value: "{{ $.Values.OmsAgent.identityClientID }}"
+ - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS
+ value: "koreacentral,norwayeast,eastus2"
+ - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED
+ value: "{{ $.Values.AppmonitoringAgent.enabled }}"
+ - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED
+ value: "{{ $.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}"
+ - name: APPMONITORING_OPENTELEMETRYLOGS_PORT
+ value: "{{ 
$.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}"
+ - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT
+ value: "4319"
+ - name: PROMETHEUS_METRICS_SCRAPING_DISABLED
+ value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}"
+ {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.eaglex.ic.gov/v2/"
+ {{- end }}
+ {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.scloud/v2/"
+ {{- end }}
+ {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.sovcloud-api.fr/v2/"
+ {{- end }}
+ {{- if $.Values.OmsAgent.isUsingAADAuth }}
+ - name: USING_AAD_MSI_AUTH
+ value: "true"
+ {{- else }}
+ - name: USING_AAD_MSI_AUTH
+ value: "false"
+ {{- end }}
+ {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }}
+ - name: SYSLOG_HOST_PORT
+ value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}}
+ {{- end }}
+ - name: AZMON_RETINA_FLOW_LOGS_ENABLED
+ value: "{{ $.Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}"
+ - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED
+ value: "{{ $.Values.OmsAgent.isResourceOptimizationEnabled | default false }}"
+ - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
+ value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}"
+ - name: CLUSTER_CLOUD_ENVIRONMENT
+ value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}"
+ livenessProbe:
+ exec:
+ command:
+ - /bin/bash
+ - "-c"
+ - "/opt/livenessprobe.sh"
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ timeoutSeconds: 15
+ ports:
+ - containerPort: 25225
+ protocol: TCP
+ - containerPort: 25224
+ protocol: UDP
+ {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }}
+ - name: syslog
+ containerPort: 28330
+ hostPort: {{ $.Values.OmsAgent.syslogHostPort | default 28330 }}
+ 
protocol: TCP
+ {{- end }}
+ {{- if eq ($.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }}
+ - name: otlp-logs
+ containerPort: 4319
+ hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}
+ protocol: TCP
+ {{- end }}
+ securityContext:
+ privileged: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - DAC_OVERRIDE
+ volumeMounts:
+ - mountPath: /hostfs
+ name: host-root
+ readOnly: true
+ mountPropagation: HostToContainer
+ - mountPath: /var/log
+ name: host-log
+ {{- if $.Values.OmsAgent.isSyslogEnabled }}
+ - mountPath: /var/run/mdsd-ci
+ name: mdsd-sock
+ {{- end }}
+ {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }}
+ - mountPath: /var/log/acns/hubble
+ name: acns-hubble
+ {{- end }}
+ - mountPath: /var/run/mdsd-PrometheusSidecar
+ name: mdsd-prometheus-sock
+ - mountPath: /var/lib/docker/containers
+ name: containerlog-path
+ readOnly: true
+ - mountPath: /mnt/docker
+ name: containerlog-path-2
+ readOnly: true
+ - mountPath: /mnt/containers
+ name: containerlog-path-3
+ readOnly: true
+ - mountPath: /etc/kubernetes/host
+ name: azure-json-path
+ - mountPath: /etc/ama-logs-secret
+ name: ama-logs-secret
+ readOnly: true
+ - mountPath: /etc/omsagent-secret
+ name: ama-logs-secret
+ readOnly: true
+ - mountPath: /etc/config/settings
+ name: settings-vol-config
+ readOnly: true
+ - mountPath: /etc/config/settings/adx
+ name: ama-logs-adx-secret
+ readOnly: true
+ {{- if (eq (include "should_mount_hostca" $ ) "true" ) }}
+ # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host
+ # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below
+ - mountPath: /anchors/mariner
+ name: anchors-mariner
+ readOnly: true
+ - mountPath: /anchors/ubuntu
+ name: anchors-ubuntu
+ readOnly: true
+ {{- end }}
+ {{- if $.Values.OmsAgent.trustedCA }}
+ - mountPath: /etc/ssl/certs/proxy-cert.crt
+ 
subPath: PROXYCERT.crt
+ name: ama-logs-secret
+ readOnly: true
+ {{- end }}
+ {{- if and (not $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled) $.Values.OmsAgent.isSidecarScrapingEnabled }}
+ - name: ama-logs-prometheus
+ image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}"
+ {{- if $.Values.OmsAgent.isImagePullPolicyAlways }}
+ imagePullPolicy: Always
+ {{- else }}
+ imagePullPolicy: IfNotPresent
+ {{- end }}
+ resources:
+ limits:
+ {{- $containerResources := index $size.containers "ama-logs-prometheus" }}
+ cpu: {{ $containerResources.cpuLimit }}
+ memory: {{ $containerResources.memoryLimit }}
+ requests:
+ {{- $containerResources := index $size.containers "ama-logs-prometheus" }}
+ cpu: {{ $containerResources.cpuRequest }}
+ memory: {{ $containerResources.memoryRequest }}
+ env:
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
+ valueFrom:
+ resourceFieldRef:
+ containerName: ama-logs-prometheus
+ resource: limits.memory
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: AKS_CLUSTER_NAME
+ value: "{{ $.Values.OmsAgent.aksClusterName }}"
+ - name: AKS_RESOURCE_ID
+ value: "{{ $.Values.OmsAgent.aksResourceID }}"
+ - name: AKS_NODE_RESOURCE_GROUP
+ value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}"
+ - name: AKS_REGION
+ value: "{{ $.Values.OmsAgent.aksRegion }}"
+ - name: CONTROLLER_TYPE
+ value: "DaemonSet"
+ - name: CONTAINER_TYPE
+ value: "PrometheusSidecar"
+ - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+ value: "{{ $.Values.OmsAgent.identityClientID }}"
+ {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.eaglex.ic.gov/v2/"
+ {{- end }}
+ {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.scloud/v2/"
+ {{- end }}
+ {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.sovcloud-api.fr/v2/"
+ {{- end }}
+ {{- if $.Values.OmsAgent.isUsingAADAuth }}
+ - name: USING_AAD_MSI_AUTH
+ value: "true"
+ {{- else }}
+ - name: USING_AAD_MSI_AUTH
+ value: "false"
+ {{- end }}
+ {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }}
+ - name: SYSLOG_HOST_PORT
+ value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}}
+ {{- end }}
+ - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
+ value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}"
+ - name: CLUSTER_CLOUD_ENVIRONMENT
+ value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}"
+ securityContext:
+ privileged: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - DAC_OVERRIDE
+ volumeMounts:
+ - mountPath: /etc/kubernetes/host
+ name: azure-json-path
+ - mountPath: /etc/ama-logs-secret
+ name: ama-logs-secret
+ readOnly: true
+ - mountPath: /etc/omsagent-secret
+ name: ama-logs-secret
+ readOnly: true
+ - mountPath: /etc/config/settings
+ name: settings-vol-config
+ readOnly: true
+ - mountPath: /etc/config/osm-settings
+ name: osm-settings-vol-config
+ readOnly: true
+ - mountPath: /var/run/mdsd-PrometheusSidecar
+ name: mdsd-prometheus-sock
+ {{- if (eq (include "should_mount_hostca" $ ) "true" ) }}
+ # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host
+ # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below
+ - mountPath: /anchors/mariner
+ name: anchors-mariner
+ readOnly: true
+ - mountPath: /anchors/ubuntu
+ name: anchors-ubuntu
+ readOnly: true
+ {{- end }}
+ {{- if $.Values.OmsAgent.trustedCA }}
+ - mountPath: /etc/ssl/certs/proxy-cert.crt
+ subPath: PROXYCERT.crt
+ name: ama-logs-secret
+ readOnly: true
+ {{- end }}
+ {{- if 
$.Values.OmsAgent.isSyslogEnabled }}
+ - mountPath: /var/run/mdsd-ci
+ name: mdsd-sock
+ {{- end }}
+ livenessProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - /opt/livenessprobe.sh
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ timeoutSeconds: 15
+ {{- end }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes }}
+ - key: kubernetes.io/os
+{{- else }}
+ - key: beta.kubernetes.io/os
+{{- end }}
+ operator: In
+ values:
+ - linux
+ - key: kubernetes.azure.com/cluster
+ operator: Exists
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ {{- if $useDaemonSetSizing -}}
+ {{- if eq $size.name $singleSize.name -}}
+ {{/* Target non-Karpenter nodes */}}
+ - key: karpenter.azure.com/aksnodeclass
+ operator: DoesNotExist
+ {{- else }}
+ {{/* Target Karpenter nodes with CPU range */}}
+ {{- if gt $prevmaxCPU 0 -}}
+ - key: karpenter.azure.com/sku-cpu
+ operator: Gt
+ values:
+ - "{{ $prevmaxCPU }}"
+ {{- end -}}
+ {{/* Add new line. 
*/}}
+ {{- if and $prevmaxCPU $size.maxCPU }}
+ {{ end -}}
+ {{- if $size.maxCPU -}}
+ - key: karpenter.azure.com/sku-cpu
+ operator: Lt
+ values:
+ - "{{ add ($size.maxCPU | int) 1 }}"
+ {{- end -}}
+ {{- end -}}
+ {{- end }}
+ tolerations:
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ - operator: "Exists"
+ effect: NoExecute
+ - operator: "Exists"
+ effect: NoSchedule
+ - operator: "Exists"
+ effect: PreferNoSchedule
+ volumes:
+ - name: host-root
+ hostPath:
+ path: /
+ - name: mdsd-prometheus-sock
+ emptyDir: {}
+ - name: container-hostname
+ hostPath:
+ path: /etc/hostname
+ - name: host-log
+ hostPath:
+ path: /var/log
+ {{- if $.Values.OmsAgent.isSyslogEnabled }}
+ - name: mdsd-sock
+ hostPath:
+ path: /var/run/mdsd-ci
+ {{- end }}
+ {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }}
+ - name: acns-hubble
+ hostPath:
+ path: /var/log/acns/hubble
+ {{- end }}
+ - name: containerlog-path
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: containerlog-path-2
+ hostPath:
+ path: /mnt/docker
+ - name: containerlog-path-3
+ hostPath:
+ path: /mnt/containers
+ - name: azure-json-path
+ hostPath:
+ path: /etc/kubernetes
+ - name: ama-logs-secret
+ secret:
+ secretName: ama-logs-secret
+ - name: settings-vol-config
+ configMap:
+ name: container-azm-ms-agentconfig
+ optional: true
+ - name: ama-logs-adx-secret
+ secret:
+ secretName: ama-logs-adx-secret
+ optional: true
+ - name: osm-settings-vol-config
+ configMap:
+ name: container-azm-ms-osmconfig
+ optional: true
+ {{- if (eq (include "should_mount_hostca" $ ) "true" ) }}
+ - name: anchors-ubuntu
+ hostPath:
+ path: /usr/local/share/ca-certificates/
+ type: DirectoryOrCreate
+ - name: anchors-mariner
+ hostPath:
+ path: /etc/pki/ca-trust/source/anchors
+ type: DirectoryOrCreate
+ {{- end }}
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 50%
+
+{{- if and (ne (default "" $size.name) (default "" $singleSize.name)) $size.maxCPU }}
+{{- $prevmaxCPU = $size.maxCPU | int }}
+{{- end }}
+{{- end }}
+---
+{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+apiVersion: apps/v1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Deployment
+metadata:
+ name: ama-logs-rs
+ namespace: kube-system
+ labels:
+ component: ama-logs-agent
+ tier: node
+ kubernetes.azure.com/managedby: aks
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+spec:
+ replicas: 1
+ revisionHistoryLimit: 2
+ paused: false
+ selector:
+ matchLabels:
+ rsName: "ama-logs-rs"
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ rsName: "ama-logs-rs"
+ kubernetes.azure.com/managedby: aks
+ annotations:
+ agentVersion: "azure-mdsd-1.37.0"
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ dockerProviderVersion: "18.0.1-0"
+ schema-versions: "v1"
+ WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }}
+ kubernetes.azure.com/no-http-proxy-vars: "true"
+{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+{{- end }}
+ spec:
+{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+ priorityClassName: system-node-critical
+{{- end }}
+ tolerations:
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ serviceAccountName: ama-logs
+ containers:
+{{- if .Values.OmsAgent.isRSVPAEnabled }}
+ - name: ama-logs-vpa
+ image: "{{ template "addon_mcr_repository_base" . 
}}/oss/v2/kubernetes/autoscaler/addon-resizer:{{- $amalogsRSVPAImageTag -}}"
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 100m
+ memory: 300Mi
+ requests:
+ cpu: 5m
+ memory: 30Mi
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: ama-logs-rs-vpa-config-volume
+ mountPath: /etc/config
+ command:
+ - /pod_nanny
+ - --config-dir=/etc/config
+ - --cpu=200m
+ - --extra-cpu=2m
+ - --memory=300Mi
+ - --extra-memory=4Mi
+ - --poll-period=180000
+ - --threshold=5
+ - --namespace=kube-system
+ - --deployment=ama-logs-rs
+ - --container=ama-logs
+{{- end }}
+{{- if .Values.OmsAgent.isUsingAADAuth }}
+ - name: addon-token-adapter
+ command:
+ - /addon-token-adapter
+ args:
+ - --secret-namespace=kube-system
+ - --secret-name={{ .Values.OmsAgent.accessTokenSecretName}}
+ - --token-server-listening-port=8888
+ - --health-server-listening-port=9999
+ - --restart-pod-waiting-minutes-on-broken-connection=240
+ image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}"
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: AZMON_COLLECT_ENV
+ value: "false"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 9999
+ initialDelaySeconds: 10
+ periodSeconds: 60
+ resources:
+ limits:
+ cpu: 500m
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_ADMIN
+ - NET_RAW
+{{- end }}
+ - name: ama-logs
+ image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}"
+ {{- if .Values.OmsAgent.isImagePullPolicyAlways }}
+ imagePullPolicy: Always
+ {{- else }}
+ imagePullPolicy: IfNotPresent
+ {{- end }}
+ {{- if not .Values.OmsAgent.isRSVPAEnabled }}
+ resources:
+ limits:
+ cpu: "{{ .Values.OmsAgent.omsAgentRsCPULimit }}"
+ memory: "{{ .Values.OmsAgent.omsAgentRsMemoryLimit }}"
+ requests:
+ cpu: 150m
+ memory: 250Mi
+ {{- end }}
+ env:
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: AKS_CLUSTER_NAME
+ value: "{{ .Values.OmsAgent.aksClusterName }}"
+ - name: AKS_RESOURCE_ID
+ value: "{{ .Values.OmsAgent.aksResourceID }}"
+ - name: AKS_NODE_RESOURCE_GROUP
+ value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}"
+ - name: AKS_REGION
+ value: "{{ .Values.OmsAgent.aksRegion }}"
+ - name: CONTROLLER_TYPE
+ value: "ReplicaSet"
+ - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+ value: "{{ .Values.OmsAgent.identityClientID }}"
+ - name: NUM_OF_FLUENTD_WORKERS
+ valueFrom:
+ resourceFieldRef:
+ containerName: ama-logs
+ resource: limits.cpu
+ - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
+ valueFrom:
+ resourceFieldRef:
+ containerName: ama-logs
+ resource: limits.memory
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ {{- if .Values.OmsAgent.isSidecarScrapingEnabled }}
+ - name: SIDECAR_SCRAPING_ENABLED
+ value: "true"
+ {{- else }}
+ - name: SIDECAR_SCRAPING_ENABLED
+ value: "false"
+ {{- end }}
+ {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.eaglex.ic.gov/v2/"
+ {{- end }}
+ {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.scloud/v2/"
+ {{- end }}
+ {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }}
+ - name: MCR_URL
+ value: "https://mcr.microsoft.sovcloud-api.fr/v2/"
+ {{- end }}
+ 
{{- if .Values.OmsAgent.isUsingAADAuth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: RS_ADDON-RESIZER_VPA_ENABLED + value: "true" + {{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + - containerPort: 25227 + protocol: TCP + name: in-rs-tcp + volumeMounts: + - mountPath: /var/log + name: host-log + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config + name: ama-logs-rs-config + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system + - weight: 1 + preference: + matchExpressions: + - key: storageprofile + operator: NotIn + values: + - managed + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} + - key: kubernetes.io/os +{{- else }} + - key: beta.kubernetes.io/os +{{- end }} + operator: In + values: + - linux + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + volumes: + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-rs-config + configMap: + name: ama-logs-rs-config + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: 
osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + {{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: ama-logs-rs-vpa-config-volume + configMap: + name: ama-logs-rs-vpa-config + optional: true + {{- end }} +--- +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + name: ama-logs-windows + namespace: kube-system + labels: + component: ama-logs-agent-windows + tier: node-win + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 50% + selector: + matchLabels: + component: ama-logs-agent-windows + tier: node-win + template: + metadata: + labels: + component: ama-logs-agent-windows + tier: node-win + kubernetes.azure.com/managedby: aks + annotations: + agentVersion: "46.17.2" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- end }} + spec: +{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + priorityClassName: system-node-critical +{{- end }} + serviceAccountName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" + containers: + - name: ama-logs-windows + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + {{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} + resources: + requests: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}" + limits: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" + {{- else }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_REGION + value: "{{ .Values.OmsAgent.aksRegion }}" + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ .Values.OmsAgent.identityClientID }}" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PODNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory + {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} + - name: SIDECAR_SCRAPING_ENABLED + value: "true" + {{- else }} + - name: SIDECAR_SCRAPING_ENABLED + value: "false" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if (eq (upper 
.Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if .Values.OmsAgent.isUsingAADAuth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED + value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT + value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + volumeMounts: + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\config\adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: C:\etc\kubernetes\host + name: azure-json-path + readOnly: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - mountPath: C:\ca + name: ca-certs + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.isUsingAADAuth }} + - mountPath: C:\etc\IMDS-access-token + name: imds-token + readOnly: true + {{- end }} + livenessProbe: + exec: + command: + - cmd + - /c + - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" + {{- if and .Values.OmsAgent.isUsingAADAuth .Values.OmsAgent.isWindowsAMAEnabled }} + - "MonAgentCore.exe" + {{- end }} + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 +{{- if and (and .Values.OmsAgent.isUsingAADAuth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} + - name: addon-token-adapter-win + command: + - addon-token-adapter-win + args: + - --secret-namespace=kube-system + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName}} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterWindowsDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} + - key: kubernetes.io/os +{{- else }} + - key: beta.kubernetes.io/os +{{- end }} + operator: In + values: + - windows + - key: type + operator: NotIn + values: + - virtual-kubelet + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: PreferNoSchedule + volumes: + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: azure-json-path + hostPath: + path: C:\k + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - name: ca-certs + hostPath: + path: C:\ca + {{- end }} + {{- if .Values.OmsAgent.isUsingAADAuth }} + - name: imds-token + secret: + secretName: {{ .Values.OmsAgent.accessTokenSecretName}} + {{- end }} +{{- if and .Values.OmsAgent.isUsingAADAuth .Values.OmsAgent.isMultitenancyLogsEnabled }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: ama-logs-hpa + namespace: kube-system + labels: +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: ama-logs-multitenancy + minReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMinReplicas }} + maxReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMaxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgCPUUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization}} + behavior: + scaleDown: + stabilizationWindowSeconds: 1200 + policies: + - type: Percent + value: 5 + periodSeconds: 180 + scaleUp: + stabilizationWindowSeconds: 0 + policies: + - type: Pods + value: 5 + periodSeconds: 5 + - type: Percent + value: 100 + periodSeconds: 5 + selectPolicy: Max +--- +apiVersion: v1 +kind: Service +metadata: + name: ama-logs-service + namespace: kube-system + labels: +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + type: ClusterIP + ports: + - port: 24225 + targetPort: 24225 + protocol: TCP + name: fluentbit-fwd + selector: + rsName: "ama-logs-multitenancy" +--- +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} +apiVersion: apps/v1 +{{- else }} +apiVersion: 
extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: ama-logs-multitenancy + namespace: kube-system + labels: + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + replicas: 1 + selector: + matchLabels: + rsName: "ama-logs-multitenancy" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-multitenancy" + kubernetes.azure.com/managedby: aks + annotations: + agentVersion: "azure-mdsd-1.37.0" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- end }} + spec: +{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + priorityClassName: system-node-critical +{{- end }} + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + volumes: + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + serviceAccountName: ama-logs + containers: + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name=aad-msi-auth-token + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - name: ama-logs + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPULimitLinux }}" + memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryLimitLinux }}" + requests: + cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPURequestLinux }}" + memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryRequestLinux }}" + env: + - name: AZMON_MULTI_TENANCY_LOG_COLLECTION + value: "true" + - name: AZMON_MULTI_TENANCY_LOGS_SERVICE_MODE + value: "true" + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: AKS_CLUSTER_NAME + value: "{{ .Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ .Values.OmsAgent.aksRegion }}" + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + - name: USING_AAD_MSI_AUTH + value: "true" + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + 
securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - name: http + containerPort: 24225 + protocol: TCP + volumeMounts: + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + lifecycle: + preStop: + exec: + command: [ + "sh", "-c", + # Introduce a delay to the shutdown sequence to wait for the + # pod eviction event to propagate. Then, gracefully shutdown + "sleep 5" + ] + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + readinessProbe: + tcpSocket: + port: 24225 + initialDelaySeconds: 10 + periodSeconds: 30 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system +{{- end }} \ No newline at end of file From c54e35c4d1bcf95ff965bbae77388dd66e149b0b Mon Sep 17 00:00:00 2001 
From: longwan Date: Tue, 28 Oct 2025 01:03:58 +0000 Subject: [PATCH 02/47] extension chart --- .../ama-logs.yaml | 110 +++++++++--------- 1 file changed, 56 insertions(+), 54 deletions(-) diff --git a/charts/azuremonitor-containerinsights/ama-logs.yaml b/charts/azuremonitor-containerinsights/ama-logs.yaml index 8faea5590..cfacea23c 100644 --- a/charts/azuremonitor-containerinsights/ama-logs.yaml +++ b/charts/azuremonitor-containerinsights/ama-logs.yaml @@ -4,6 +4,17 @@ {{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} {{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}} {{- $WinImageTag := default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}} +{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} +{{/* Extract cluster information from aksresourceid */}} +{{- $resourceParts := splitList "/" .Values.OmsAgent.aksResourceID -}} +{{- $aksclustername := last $resourceParts -}} +{{- $aksResourceGroup := index $resourceParts 4 -}} +{{- $region := .Values.global.commonGlobals.Region -}} +{{- $aksnoderesourcegroup := printf "MC_%s_%s_%s" $aksResourceGroup $aksclustername $region -}} apiVersion: v1 kind: Secret metadata: 
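Review bot: `index $resourceParts 4` in the new resource-ID block makes the render fail with an opaque template error whenever `OmsAgent.aksResourceID` is unset or has fewer than five `/`-separated segments, and nothing before it validates the value. A guard ahead of the `index` call gives a readable failure instead: `{{- if lt (len $resourceParts) 5 }}{{ fail "OmsAgent.aksResourceID must be a full ARM resource ID" }}{{- end }}`. The derived `$aksnoderesourcegroup` also assumes the default `MC_<group>_<cluster>_<region>` naming, which does not hold for a cluster created with a custom node resource group. The env entries visible in the later hunks still read `.Values.OmsAgent.aksNodeResourceGroup`, so it is worth confirming where the computed names are meant to be consumed.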
@@ -24,13 +35,13 @@ data: {{- if .Values.OmsAgent.isFairfax }} DOMAIN: {{ b64enc "opinsights.azure.us" }} {{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }} +{{- if eq .Values.global.commonGlobals.CloudEnvironment "USNat" }} DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }} {{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }} +{{- if eq .Values.global.commonGlobals.CloudEnvironment "USSec" }} DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }} {{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }} +{{- if eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud" }} DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }} {{- end }} {{- if .Values.OmsAgent.httpsProxy }} @@ -79,7 +90,7 @@ rules: resourceNames: [ "ama-logs-rs" ] verbs: ["get", "patch"] {{- end }} -{{- if .Values.OmsAgent.isUsingAADAuth }} +{{- if $isusingaadauth }} - apiGroups: [""] resources: ["secrets"] resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}] 
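Review bot: The three cloud checks in the `-24,13` hunk now compare `CloudEnvironment` case-sensitively (`"USNat"`, `"USSec"`, `"AzureBleuCloud"`), so a value supplied as `USNAT` or `usnat` no longer matches and the `DOMAIN` key is silently left out of `ama-logs-secret`. The same edit in the `-1117,19` and `-1785,22` hunks drops `MCR_URL`, and in the `-1408,19` hunk it drops `REQUIRES_CERT_BOOTSTRAP` on the Windows DaemonSet, which in a sovereign cloud presumably leaves the agent on default endpoints and without the cloud-specific CA bootstrap. Unless the caller guarantees this exact casing, keep the normalisation, e.g. `{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }}`. The file already lowercases the same value for `CLUSTER_CLOUD_ENVIRONMENT`, which suggests the casing is not fixed upstream.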
@@ -409,12 +420,6 @@ metadata: {{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} {{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} {{- $sizes := list ($singleSize) -}} -{{- if $useDaemonSetSizing -}} - {{- $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize -}} - {{- $sizes = list ($singleSize) -}} - {{- $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize -}} -{{- end -}} -{{/* Generate DaemonSets */}} {{- $prevmaxCPU := 0 -}} {{- range $index, $size := $sizes -}} {{- if gt $index 0 }} @@ -435,23 +440,17 @@ metadata: kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile {{- end }} - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - name: ama-logs{{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }} + name: ama-logs namespace: kube-system spec: selector: matchLabels: component: ama-logs-agent tier: node - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} template: metadata: annotations: - agentVersion: "azure-mdsd-1.37.0" + agentVersion: "azure-mdsd-1.35.7" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} 
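Review bot: Nothing visible keeps the hand-written `agentVersion` annotation in the `-435,23` hunk in step with the image that actually runs: the string moves from `azure-mdsd-1.37.0` to `azure-mdsd-1.35.7`, while the image tag is computed separately via `default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux`. If the extension chart really ships the older agent, a comment such as `# extension chart pins mdsd 1.35.7; keep in sync with the ciprod image tag` would record that; if it does not, the annotation misreports the version to anyone using it for patch-level inventory. The same edit appears in the `-973,7` and `-1684,7` hunks. The DaemonSet is also still emitted from `range $index, $size := $sizes` although its name is now the fixed `ama-logs`, which stays unique only while `$sizes` holds a single element.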
@@ -460,9 +459,6 @@ spec: component: ama-logs-agent tier: node kubernetes.azure.com/managedby: aks - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} {{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} annotations: scheduler.alpha.kubernetes.io/critical-pod: "" @@ -477,13 +473,13 @@ spec: - name: ndots value: "3" containers: -{{- if $.Values.OmsAgent.isUsingAADAuth }} +{{- if $isusingaadauth }} - name: addon-token-adapter command: - /addon-token-adapter args: - --secret-namespace=kube-system - - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName}} + - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName }} - --token-server-listening-port=8888 - --health-server-listening-port=9999 - --restart-pod-waiting-minutes-on-broken-connection=240 @@ -557,7 +553,7 @@ spec: - name: AKS_NODE_RESOURCE_GROUP value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - name: AKS_REGION - value: "{{ $.Values.OmsAgent.aksRegion }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: CONTROLLER_TYPE value: "DaemonSet" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID @@ -586,7 +582,7 @@ spec: - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} - {{- if $.Values.OmsAgent.isUsingAADAuth }} + {{- if $isusingaadauth }} - name: USING_AAD_MSI_AUTH value: "true" {{- else }} @@ -732,7 +728,7 @@ spec: - name: AKS_NODE_RESOURCE_GROUP value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - name: AKS_REGION - value: "{{ $.Values.OmsAgent.aksRegion }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: CONTROLLER_TYPE value: "DaemonSet" - name: CONTAINER_TYPE @@ -751,7 +747,7 @@ spec: - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} - {{- if $.Values.OmsAgent.isUsingAADAuth }} + {{- if $isusingaadauth }} - name: USING_AAD_MSI_AUTH value: "true" {{- else }} 
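Review bot: `AKS_REGION` in the `-557,7` hunk now renders `$.Values.global.commonGlobals.Region` with no presence check, so an unset region reaches the pod as an empty string instead of failing the render. The first hunk of this commit already binds `$region` to the same value; validating it once there and reusing it keeps a single source: `{{- $region := required "global.commonGlobals.Region is required" .Values.global.commonGlobals.Region -}}` and then `value: "{{ $region }}"`. The same line is changed in the `-732,7`, `-1087,7`, `-1375,7` and `-1785,22` hunks.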
@@ -973,7 +969,7 @@ spec: rsName: "ama-logs-rs" kubernetes.azure.com/managedby: aks annotations: - agentVersion: "azure-mdsd-1.37.0" + agentVersion: "azure-mdsd-1.35.7" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" @@ -1027,13 +1023,13 @@ spec: - --deployment=ama-logs-rs - --container=ama-logs {{- end }} -{{- if .Values.OmsAgent.isUsingAADAuth }} +{{- if $isusingaadauth }} - name: addon-token-adapter command: - /addon-token-adapter args: - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName}} + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - --token-server-listening-port=8888 - --health-server-listening-port=9999 - --restart-pod-waiting-minutes-on-broken-connection=240 @@ -1091,7 +1087,7 @@ spec: - name: AKS_NODE_RESOURCE_GROUP value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - name: AKS_REGION - value: "{{ .Values.OmsAgent.aksRegion }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: CONTROLLER_TYPE value: "ReplicaSet" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID 
@@ -1117,19 +1113,19 @@ spec: - name: SIDECAR_SCRAPING_ENABLED value: "false" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} - {{- if .Values.OmsAgent.isUsingAADAuth }} + {{- if $isusingaadauth }} - name: USING_AAD_MSI_AUTH value: "true" {{- else }} @@ -1379,7 +1375,7 @@ spec: - name: AKS_RESOURCE_ID value: "{{ .Values.OmsAgent.aksResourceID }}" - name: AKS_REGION - value: "{{ .Values.OmsAgent.aksRegion }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: CONTROLLER_TYPE value: "DaemonSet" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID 
@@ -1408,19 +1404,19 @@ spec: - name: SIDECAR_SCRAPING_ENABLED value: "false" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: REQUIRES_CERT_BOOTSTRAP value: "true" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: REQUIRES_CERT_BOOTSTRAP value: "true" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: REQUIRES_CERT_BOOTSTRAP value: "true" {{- end }} - {{- if .Values.OmsAgent.isUsingAADAuth }} + {{- if $isusingaadauth }} - name: USING_AAD_MSI_AUTH value: "true" {{- else }} @@ -1467,7 +1463,7 @@ spec: name: ca-certs readOnly: true {{- end }} - {{- if .Values.OmsAgent.isUsingAADAuth }} + {{- if $isusingaadauth }} - mountPath: C:\etc\IMDS-access-token name: imds-token readOnly: true 
@@ -1482,19 +1478,19 @@ spec: - fluentdwinaks - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" - "C:\\etc\\amalogswindows\\renewcertificate.txt" - {{- if and .Values.OmsAgent.isUsingAADAuth .Values.OmsAgent.isWindowsAMAEnabled }} + {{- if and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled }} - "MonAgentCore.exe" {{- end }} periodSeconds: 60 initialDelaySeconds: 180 timeoutSeconds: 15 -{{- if and (and .Values.OmsAgent.isUsingAADAuth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} +{{- if and (and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} - name: addon-token-adapter-win command: - addon-token-adapter-win args: - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName}} + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - --token-server-listening-port=8888 - --health-server-listening-port=9999 - --restart-pod-waiting-minutes-on-broken-connection=240 @@ -1579,12 +1575,12 @@ spec: hostPath: path: C:\ca {{- end }} - {{- if .Values.OmsAgent.isUsingAADAuth }} + {{- if $isusingaadauth }} - name: imds-token secret: - secretName: {{ .Values.OmsAgent.accessTokenSecretName}} + secretName: {{ .Values.OmsAgent.accessTokenSecretName }} {{- end }} -{{- if and .Values.OmsAgent.isUsingAADAuth .Values.OmsAgent.isMultitenancyLogsEnabled }} +{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler @@ -1615,7 +1611,7 @@ spec: name: memory target: type: Utilization - averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization}} + averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization }} behavior: scaleDown: stabilizationWindowSeconds: 1200 
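Review bot: `secretName: {{ .Values.OmsAgent.accessTokenSecretName }}` in the `-1579,12` hunk is rendered unquoted and unchecked, so an empty or unset value yields a bare `secretName:` (YAML null) and a name that looks like a number or boolean is retyped by the parser. The RBAC rule in the `-79,7` hunk already pipes the same value through `quote`; doing the same here keeps the pod's token-secret volume and the Role's `resourceNames` on one validated name: `secretName: {{ required "OmsAgent.accessTokenSecretName is required when AAD auth is enabled" .Values.OmsAgent.accessTokenSecretName | quote }}`. The `--secret-name=` argument in the `-1482,19` hunk reads the same key and would benefit from the same `required` check.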
@@ -1684,7 +1680,7 @@ spec: rsName: "ama-logs-multitenancy" kubernetes.azure.com/managedby: aks annotations: - agentVersion: "azure-mdsd-1.37.0" + agentVersion: "azure-mdsd-1.35.7" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" @@ -1785,22 +1781,22 @@ spec: - name: AKS_NODE_RESOURCE_GROUP value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - name: AKS_REGION - value: "{{ .Values.OmsAgent.aksRegion }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: CONTROLLER_TYPE value: "ReplicaSet" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.hostIP - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} @@ -1890,4 +1886,10 @@ spec: operator: In values: - system -{{- end }} \ No newline at end of file +{{- end }} + + + + + + From f433e0ca9bffa151b1c6943c0b130e8f79b7fc34 Mon Sep 17 00:00:00 2001 
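Review bot: The `agentVersion` annotation next to the `rsName: "ama-logs-multitenancy"` label moves backwards, from `azure-mdsd-1.37.0` to `azure-mdsd-1.35.7`, and nothing in the `@@ -1684,7 +1680,7 @@` hunk ties it to the image that is actually deployed. If this annotation is read for fleet inventory or vulnerability triage, a stale value misreports which mdsd build is running. Confirm it matches the agent bundled in the image tag the chart resolves, and add a comment above it such as `# must match the mdsd version bundled in the ama-logs image`. The annotations block starts outside the hunk.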
From: longwan Date: Wed, 29 Oct 2025 23:04:12 +0000 Subject: [PATCH 03/47] update chart --- .../azuremonitor-containerinsights/Chart.yaml | 4 + .../templates/_aks_addon-images.tpl | 377 ++++++++++ .../templates/_aks_common.tpl | 153 ++++ .../templates/_aks_helpers.tpl | 303 ++++++++ .../templates/_aks_hostaliases.tpl | 21 + .../templates/_aks_images.tpl | 655 ++++++++++++++++++ .../{ => templates}/ama-logs.yaml | 0 .../values.yaml | 201 ++++++ 8 files changed, 1714 insertions(+) create mode 100644 charts/azuremonitor-containerinsights/Chart.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl create mode 100644 charts/azuremonitor-containerinsights/templates/_aks_common.tpl create mode 100644 charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl create mode 100644 charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl create mode 100644 charts/azuremonitor-containerinsights/templates/_aks_images.tpl rename charts/azuremonitor-containerinsights/{ => templates}/ama-logs.yaml (100%) create mode 100644 charts/azuremonitor-containerinsights/values.yaml diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml new file mode 100644 index 000000000..b546f01b6 --- /dev/null +++ b/charts/azuremonitor-containerinsights/Chart.yaml @@ -0,0 +1,4 @@ +apiVersion: v2 +description: azure-monitor-containers helm chart +name: azuremonitor-containers +version: 3.2.0 diff --git a/charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl b/charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl new file mode 100644 index 000000000..623f2472d --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl 
@@ -0,0 +1,377 @@ +{{/* Auto-generated by versioning tooling, do not edit. See /toolkit/versioning/README.md for more information. */}} +{{- define "get.addonImageTag" -}} + {{- if eq .component "aci-connector-linux" -}} + {{- if semverCompare ">=1.26.0" .version -}}1.6.2 + {{- else if semverCompare ">=1.25.0" .version -}}1.6.1 + {{- else if semverCompare ">=1.24.0" .version -}}1.6.0 + {{- else -}}1.4.16 + {{- end -}} + {{- else if eq .component "addon-resizer" -}} +v1.8.23-4 + {{- else if eq .component "ai-toolchain-operator" -}} +0.6.0 + {{- else if eq .component "aks-windows-gpu-device-plugin" -}} +0.0.19 + {{- else if eq .component "ama-logs-linux" -}} +3.1.28 + {{- else if eq .component "ama-logs-win" -}} +win-3.1.28 + {{- else if eq .component "app-routing-operator" -}} +0.0.3 + {{- else if eq .component "azure-monitor-metrics-cfg-reader" -}} +6.21.1-main-08-15-2025-f5f679d6-cfg + {{- else if eq .component "azure-monitor-metrics-ksm" -}} +v2.15.0-4 + {{- else if eq .component "azure-monitor-metrics-linux" -}} +6.21.1-main-08-15-2025-f5f679d6 + {{- else if eq .component "azure-monitor-metrics-target-allocator" -}} +6.21.1-main-08-15-2025-f5f679d6-targetallocator + {{- else if eq .component "azure-monitor-metrics-windows" -}} +6.21.1-main-08-15-2025-f5f679d6-win + {{- else if eq .component "azure-npm-image" -}} +v1.6.33 + {{- else if eq .component "azure-npm-image-windows" -}} +v1.5.5 + {{- else if eq .component "azure-policy" -}} + {{- if semverCompare ">=1.27.0" .version -}}1.13.0 + {{- else if semverCompare ">=1.25.0" .version -}}1.4.0 + {{- else if semverCompare ">=1.24.0" .version -}}1.0.1 + {{- else if semverCompare ">=1.21.0" .version -}}0.0.3 + {{- else -}}0.0.1 + {{- end -}} + {{- else if eq .component "azure-policy-webhook" -}} + {{- if semverCompare ">=1.27.0" .version -}}1.13.0 + {{- else if semverCompare ">=1.25.0" .version -}}1.4.0 + {{- else if semverCompare ">=1.24.0" .version -}}1.0.1 + {{- else if semverCompare ">=1.21.0" .version -}}0.0.3 + 
{{- else if semverCompare ">=1.18.0" .version -}}0.0.2 + {{- else -}}0.0.1 + {{- end -}} + {{- else if eq .component "certgen" -}} +v0.1.9 + {{- else if eq .component "cilium-agent" -}} + {{- if semverCompare ">=1.29.0" .version -}}1.14.10-1 + {{- else if semverCompare ">=1.27.0" .version -}}1.13.13-3 + {{- else -}}1.12.10-5 + {{- end -}} + {{- else if eq .component "cilium-envoy" -}} +v1.31.5-250218 + {{- else if eq .component "cilium-operator-generic" -}} + {{- if semverCompare ">=1.29.0" .version -}}1.14.10 + {{- else if semverCompare ">=1.27.0" .version -}}1.13.13 + {{- else -}}1.12.10 + {{- end -}} + {{- else if eq .component "cloud-provider-node-manager-linux" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.0 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.6 + {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 + {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 + {{- else if semverCompare ">=1.28.0" .version -}}v1.28.14 + {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 + {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 + {{- else if semverCompare ">=1.24.0" .version -}}v1.24.21 + {{- else if semverCompare ">=1.23.0" .version -}}v1.23.24 + {{- else if semverCompare ">=1.22.0" .version -}}v1.1.14 + {{- else if semverCompare ">=1.21.0" .version -}}v1.0.18 + {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 + {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 + {{- else -}}v0.5.1.4 + {{- end -}} + {{- else if eq .component "cloud-provider-node-manager-windows" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.0 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.6 + {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 + {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 + {{- else if semverCompare 
">=1.28.0" .version -}}v1.28.14 + {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 + {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 + {{- else if semverCompare ">=1.24.0" .version -}}v1.24.21 + {{- else if semverCompare ">=1.23.0" .version -}}v1.23.24 + {{- else if semverCompare ">=1.22.0" .version -}}v1.1.14 + {{- else if semverCompare ">=1.21.0" .version -}}v1.0.18 + {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 + {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 + {{- else -}}v0.5.1 + {{- end -}} + {{- else if eq .component "cluster-proportional-autoscaler" -}} + {{- if semverCompare ">=1.32.0" .version -}}v1.9.0-2 + {{- else if semverCompare ">=1.27.0" .version -}}v1.8.11-5 + {{- else if semverCompare ">=1.22.0" .version -}}v1.8.8 + {{- else if semverCompare ">=1.18.0" .version -}}1.8.3 + {{- else -}}1.7.1-hotfix.20200403 + {{- end -}} + {{- else if eq .component "container-networking-cilium-agent" -}} + {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 + {{- else if semverCompare ">=1.29.0" .version -}}v1.14.19-250129 + {{- else if semverCompare ">=1.27.0" .version -}}v1.13.18-241024 + {{- else -}}v1.14.19-250129 + {{- end -}} + {{- else if eq .component "container-networking-cilium-operator-generic" -}} + {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 + {{- else if semverCompare ">=1.29.0" .version -}}v1.14.19-250129 + {{- else if semverCompare ">=1.27.0" .version -}}v1.13.18-241024 + {{- else -}}v1.14.19-250129 + {{- end -}} + {{- else if eq .component "coredns" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.12.1-2 + {{- else if semverCompare ">=1.32.0" .version -}}v1.11.3-8 + {{- else if semverCompare ">=1.24.0" .version -}}v1.9.4-6 + {{- else if semverCompare ">=1.20.0" .version -}}v1.8.7 + {{- else -}}1.6.6 + {{- end -}} + {{- else if eq .component "cost-analysis-agent" -}} +v0.0.24 + {{- else if eq .component 
"cost-analysis-opencost" -}} +v1.111.0 + {{- else if eq .component "cost-analysis-prometheus" -}} +v2.54.1 + {{- else if eq .component "cost-analysis-victoria-metrics" -}} +v1.103.0 + {{- else if eq .component "extension-config-agent" -}} +1.28.0 + {{- else if eq .component "extension-manager" -}} +1.28.0 + {{- else if eq .component "fqdn-policy" -}} + {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 + {{- else -}}v1.14.19-250129 + {{- end -}} + {{- else if eq .component "gpu-provisioner" -}} +0.3.5 + {{- else if eq .component "health-probe-proxy" -}} +v1.29.1 + {{- else if eq .component "hubble-relay" -}} +v1.15.0 + {{- else if eq .component "identity-binding-workload-identity-webhook" -}} +v1.6.0-alpha.1 + {{- else if eq .component "image-cleaner" -}} +v1.4.0-4 + {{- else if eq .component "ingress-appgw" -}} + {{- if semverCompare ">=1.27.0" .version -}}1.8.1 + {{- else if semverCompare ">=1.19.0" .version -}}1.5.3 + {{- else -}}1.4.0 + {{- end -}} + {{- else if eq .component "ip-masq-agent-v2" -}} +v0.1.15-2 + {{- else if eq .component "ipv6-hp-bpf" -}} + {{- if semverCompare ">=1.29.0" .version -}}v0.0.1 + {{- else -}}v0.0.1 + {{- end -}} + {{- else if eq .component "keda" -}} + {{- if semverCompare ">=1.33.0" .version -}}2.17.1 + {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 + {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 + {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 + {{- else if semverCompare ">=1.26.0" .version -}}2.10.1 + {{- else if semverCompare ">=1.23.0" .version -}}2.9.3 + {{- else -}}2.8.1 + {{- end -}} + {{- else if eq .component "keda-admission-webhooks" -}} + {{- if semverCompare ">=1.33.0" .version -}}2.17.1 + {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 + {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 + {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 + {{- else -}}2.10.1 + {{- end -}} + {{- else if eq .component "keda-metrics-apiserver" -}} + {{- if semverCompare ">=1.33.0" 
.version -}}2.17.1 + {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 + {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 + {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 + {{- else if semverCompare ">=1.26.0" .version -}}2.10.1 + {{- else if semverCompare ">=1.23.0" .version -}}2.9.3 + {{- else -}}2.8.1 + {{- end -}} + {{- else if eq .component "kube-egress-gateway-cni" -}} + {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 + {{- else -}}v0.0.21 + {{- end -}} + {{- else if eq .component "kube-egress-gateway-cni-ipam" -}} + {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 + {{- else -}}v0.0.21 + {{- end -}} + {{- else if eq .component "kube-egress-gateway-cnimanager" -}} + {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 + {{- else -}}v0.0.21 + {{- end -}} + {{- else if eq .component "kube-egress-gateway-daemon" -}} + {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 + {{- else -}}v0.0.21 + {{- end -}} + {{- else if eq .component "kube-egress-gateway-daemon-init" -}} + {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 + {{- else -}}v0.0.21 + {{- end -}} + {{- else if eq .component "local-csi-driver" -}} +v0.2.4 + {{- else if eq .component "local-csi-driver-csi-provisioner" -}} +v5.2.0 + {{- else if eq .component "local-csi-driver-csi-resizer" -}} +v1.13.2 + {{- else if eq .component "local-csi-driver-registrar" -}} +v2.13.0 + {{- else if eq .component "metrics-server" -}} + {{- if semverCompare ">=1.32.0" .version -}}v0.7.2-7 + {{- else if semverCompare ">=1.24.0" .version -}}v0.6.3-6 + {{- else if semverCompare ">=1.22.0" .version -}}v0.5.2 + {{- else if semverCompare ">=1.21.0" .version -}}v0.4.5 + {{- else if semverCompare ">=1.8.0" .version -}}v0.3.6 + {{- else -}}v0.2.1 + {{- end -}} + {{- else if eq .component "microsoft-defender-admission-controller" -}} +20250706.3 + {{- else if eq .component "microsoft-defender-low-level-collector" -}} + {{- if semverCompare ">=1.25.0" .version -}}2.0.221 + {{- else -}}1.3.81 + {{- end -}} + 
{{- else if eq .component "microsoft-defender-low-level-init" -}} +1.3.81 + {{- else if eq .component "microsoft-defender-old-file-cleaner" -}} +1.0.273 + {{- else if eq .component "microsoft-defender-pod-collector" -}} +1.0.202 + {{- else if eq .component "microsoft-defender-security-publisher" -}} +1.0.273 + {{- else if eq .component "open-policy-agent-gatekeeper" -}} + {{- if semverCompare ">=1.27.0" .version -}}v3.20.0-1 + {{- else if semverCompare ">=1.25.0" .version -}}v3.14.2 + {{- else if semverCompare ">=1.24.0" .version -}}v3.11.1 + {{- else if semverCompare ">=1.21.0" .version -}}v3.8.1 + {{- else if semverCompare ">=1.18.0" .version -}}v3.7.1 + {{- else -}}v3.4.1 + {{- end -}} + {{- else if eq .component "osm-bootstrap" -}} + {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 + {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 + {{- else -}}v1.0.0 + {{- end -}} + {{- else if eq .component "osm-controller" -}} + {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 + {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 + {{- else -}}v1.0.0 + {{- end -}} + {{- else if eq .component "osm-crds" -}} + {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 + {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 + {{- else -}}v1.0.0 + {{- end -}} + {{- else if eq .component "osm-healthcheck" -}} + {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 + {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 + {{- else -}}v1.1.0 + {{- end -}} + {{- else if eq .component "osm-init" -}} + {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 + {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 + {{- else -}}v1.0.0 + {{- end -}} + {{- else if eq .component "osm-injector" -}} + {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 + {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 + {{- else -}}v1.0.0 + {{- end -}} + {{- else if eq .component "osm-sidecar" -}} + {{- if semverCompare ">=1.25.0" .version -}}v1.32.2-hotfix.20241216 + {{- else if semverCompare 
">=1.24.0" .version -}}v1.25.9-hotfix.20231002 + {{- else -}}v1.19.1 + {{- end -}} + {{- else if eq .component "overlay-vpa" -}} + {{- if semverCompare ">=1.31.0" .version -}}v1.2.1-1 + {{- else if semverCompare ">=1.27.0" .version -}}v1.0.0-1 + {{- else if semverCompare ">=1.25.0" .version -}}0.13.0 + {{- else -}}0.11.0 + {{- end -}} + {{- else if eq .component "overlay-vpa-webhook-generation" -}} +master.250827.1 + {{- else if eq .component "ratify-base" -}} +v1.2.3 + {{- else if eq .component "retina-agent" -}} +v1.0.0-rc2 + {{- else if eq .component "retina-agent-enterprise" -}} +v0.1.11 + {{- else if eq .component "retina-agent-win" -}} +v1.0.0-rc2 + {{- else if eq .component "retina-operator" -}} +v0.1.11 + {{- else if eq .component "secrets-store-csi-driver" -}} + {{- if semverCompare ">=1.26.0" .version -}}v1.5.3 + {{- else if semverCompare ">=1.24.0" .version -}}v1.3.4-1 + {{- else -}}v1.3.0.3 + {{- end -}} + {{- else if eq .component "secrets-store-csi-driver-windows" -}} + {{- if semverCompare ">=1.26.0" .version -}}v1.5.3 + {{- else if semverCompare ">=1.24.0" .version -}}v1.3.4 + {{- else -}}v1.3.0 + {{- end -}} + {{- else if eq .component "secrets-store-driver-registrar-linux" -}} + {{- if semverCompare ">=1.26.0" .version -}}v2.13.0 + {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 + {{- else -}}v2.6.2 + {{- end -}} + {{- else if eq .component "secrets-store-driver-registrar-windows" -}} + {{- if semverCompare ">=1.26.0" .version -}}v2.13.0 + {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 + {{- else -}}v2.6.2 + {{- end -}} + {{- else if eq .component "secrets-store-livenessprobe-linux" -}} + {{- if semverCompare ">=1.26.0" .version -}}v2.15.0 + {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 + {{- else -}}v2.8.0 + {{- end -}} + {{- else if eq .component "secrets-store-livenessprobe-windows" -}} + {{- if semverCompare ">=1.26.0" .version -}}v2.15.0 + {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 + {{- else 
-}}v2.8.0 + {{- end -}} + {{- else if eq .component "secrets-store-provider-azure" -}} + {{- if semverCompare ">=1.26.0" .version -}}v1.7.0 + {{- else if semverCompare ">=1.24.0" .version -}}v1.4.1 + {{- else -}}v1.4.0 + {{- end -}} + {{- else if eq .component "secrets-store-provider-azure-windows" -}} + {{- if semverCompare ">=1.26.0" .version -}}v1.7.0 + {{- else if semverCompare ">=1.24.0" .version -}}v1.4.1 + {{- else -}}v1.4.0 + {{- end -}} + {{- else if eq .component "sgx-attestation" -}} +3.3.1 + {{- else if eq .component "sgx-plugin" -}} +1.0.0 + {{- else if eq .component "sgx-webhook" -}} +1.2.2 + {{- else if eq .component "tigera-operator" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.38.3 + {{- else if semverCompare ">=1.32.0" .version -}}v1.36.11 + {{- else if semverCompare ">=1.30.0" .version -}}v1.34.13 + {{- else if semverCompare ">=1.29.0" .version -}}v1.30.11 + {{- else if semverCompare ">=1.24.0" .version -}}v1.28.13 + {{- else -}}v1.23.8 + {{- end -}} + {{- else if eq .component "windows-gmsa-webhook-image" -}} +v0.12.1-2 + {{- else if eq .component "workload-identity-webhook" -}} +v1.5.1 + {{- end -}} +{{- end -}} + +{{/* Auto-generated by servicemesh tooling, do not edit. See /toolkit/servicemesh/README.md for more information. 
*/}} +{{- define "get.istioImageTag" -}} + {{- if eq .component "azure-service-mesh-istio" -}} + {{- if eq "asm-1-27" .revision -}}1.27.0-1 + {{- else if eq "asm-1-26" .revision -}}1.26.3-2 + {{- else if eq "asm-1-25" .revision -}}1.25.3-4 + {{- else if eq "asm-1-24" .revision -}}1.24.6 + {{- else if eq "asm-1-23" .revision -}}1.23.6-hotfix.20250515 + {{- else if eq "asm-1-22" .revision -}}1.22.7 + {{- else if eq "asm-1-21" .revision -}}1.21.6 + {{- else if eq "asm-1-20" .revision -}}1.20.8 + {{- else if eq "asm-1-19" .revision -}}1.19.10-hotfix.20240528 + {{- else if eq "asm-1-18" .revision -}}1.18.7-hotfix.20240210 + {{- else if eq "asm-1-17" .revision -}}1.17.8 + {{- else -}}not-in-use-9.99.9 + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/azuremonitor-containerinsights/templates/_aks_common.tpl b/charts/azuremonitor-containerinsights/templates/_aks_common.tpl new file mode 100644 index 000000000..29c0c4610 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/_aks_common.tpl 
@@ -0,0 +1,153 @@
+{{/* MCR repository template for adapter charts */}}
+{{- define "mcr_repository_base_adapter_chart" }}
+{{- $cloud_environment := ((index .Values.v1 "commonGlobals").CloudEnvironment | default "AZUREPUBLICCLOUD") }}
+{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
+{{- "mcr.azk8s.cn" }}
+{{- else if (eq $cloud_environment "USNat") }}
+{{- "mcr.microsoft.eaglex.ic.gov" }}
+{{- else if (eq $cloud_environment "USSec") }}
+{{- "mcr.microsoft.scloud" }}
+{{- else }}
+{{- "mcr.microsoft.com" }}
+{{- end }}
+{{- end }}
+
+{{/* MCR repository template for addon charts */}}
+{{- define "mcr_repository_base" }}
+{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }}
+{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
+{{- "mcr.azk8s.cn" }}
+{{- else if (eq $cloud_environment "USNat") }}
+{{- "mcr.microsoft.eaglex.ic.gov" }}
+{{- else if (eq $cloud_environment "USSec") }}
+{{- "mcr.microsoft.scloud" }}
+{{- else }}
+{{- "mcr.microsoft.com" }}
+{{- end }}
+{{- end }}
+
+{{- define "addon_mcr_repository_base" }}
+{{- template "mcr_repository_base" . }}
+{{- end }}
+
+{{/* ccp_image_repository_base_by_component returns the image repository to use for a ccp component.
+ Caller should provide the "component" (the ccp component name), "version" (the ccp k8s version) and "Values" (the helm values object) parameters:
+
+ {{- with $image_settings := (dict "component" "kube-apiserver" "version" .Values.global.commonGlobals.Versions.Kubernetes "Values" .Values) }}
+ {{ include "ccp_image_repository_base_by_component" $image_settings }}
+ {{- end }}
+
+ The component name and k8s version will be concatenated as "-" to look up the override in the toggle.
+
+ When the `use-internal-container-image-override-component` toggle is enabled for the specified component and k8s version, a cloud based
+ private repository will be used, otherwise, the value will fallback to `mcr_repoistory_base`.
+ Components that expect to be included in the embargo process should use this ACR repository. */}}
+{{- define "ccp_image_repository_base_by_component" }}
+ {{- $key := (print .component "-" .version) }}
+ {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
+ {{- template "ccp_image_repository_base" . }}
+ {{- else }}
+ {{- template "mcr_repository_base" . }}
+ {{- end }}
+{{- end }}
+
+{{/* ccp_image_repository_base returns the ACR repository for embargoed CVE images.
+ This template is intended to be called by ccp_image_repository_base_by_component and acr pull template only.
+ Caller should use ccp_image_repository_base_by_component for component based value. */}}
+{{- define "ccp_image_repository_base" }}
+ {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | upper | default "AZUREPUBLICCLOUD") }}
+ {{- if (or (eq $cloud_environment "AZUREUSGOVCLOUD") (eq $cloud_environment "AZUREUSGOVERNMENTCLOUD")) }}
+ {{- "acsdeployment.azurecr.us"}}
+ {{- else if (eq $cloud_environment "AZURECHINACLOUD") }}
+ {{- "acsdeployment.azurecr.cn" }}
+ {{- else if (eq $cloud_environment "USNAT") }}
+ {{- "acsdeployment.azurecr.eaglex.ic.gov" }}
+ {{- else if (eq $cloud_environment "USSEC") }}
+ {{- "acsdeployment.azurecr.microsoft.scloud" }}
+ {{- else }}
+ {{- "acsproddeployment.azurecr.io" }}
+ {{- end }}
+{{- end }}
+
+{{/* ccp_get_imagetag_by_component returns the image tag to use for a ccp component.
+ Caller should provide the "component" (the ccp component name), "version" (the ccp k8s version) and "Values" (the helm values object) parameters:
+
+ {{- with $image_settings := (dict "component" "kube-apiserver" "version" .Values.global.commonGlobals.Versions.Kubernetes "Values" .Values) }}
+ {{ include "ccp_get_imagetag_by_component" $image_settings }}
+ {{- end }}
+
+ When the `use-internal-container-image-override-component` toggle is enabled for the specified component and k8s version,
+ the override tag will be used, otherwise, the value will fallback to `get.imagetag`.
+
+ See also: ccp_image_repository_base_by_component */}}
+{{- define "ccp_get_imagetag_by_component" }}
+ {{- $key := (print .component "-" .version) }}
+ {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
+ {{- (index .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
+ {{- else }}
+ {{- template "get.imagetag" . }}
+ {{- end }}
+{{- end }}
+
+{{/* ccp_get_ccpImageTag_by_component uses "get.ccpImageTag" as fallback.
+
+ See also: ccp_get_imagetag_by_component */}}
+{{- define "ccp_get_ccpImageTag_by_component" }}
+ {{- $key := (print .component "-" .version) }}
+ {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
+ {{- (index .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
+ {{- else }}
+ {{- template "get.ccpImageTag" . }}
+ {{- end }}
+{{- end }}
+
+{{/* nodeaffinity on nodepool */}}
+{{- define "nodepool_affinity" -}}
+{{- if .Values.global.commonGlobals.requireDedicatedNodepool -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 100
+ preference:
+ matchExpressions:
+ - key: agentpool
+ operator: In
+ values:
+ - cx-{{ .Values.global.CCPID }}
+{{- else -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: agentpool
+ operator: In
+ values:
+ - agentpool1
+{{- end -}}
+{{- end -}}
+
+{{- define "addon_nodepool_mode_affinity_hard" -}}
+{{- if .Values.global.commonGlobals.addonRequireSystemPool }}
+- key: kubernetes.azure.com/mode
+ operator: In
+ values:
+ - system
+{{- end -}}
+{{- end -}}
+
+{{- define "addon_nodepool_mode_affinity_soft" -}}
+{{- if not .Values.global.commonGlobals.addonRequireSystemPool }}
+- weight: 100
+ preference:
+ matchExpressions:
+ - key: kubernetes.azure.com/mode
+ operator: In
+ values:
+ - system
+{{- end -}}
+{{- end -}}
+
+{{/* tolerations on nodepool */}}
+{{- define "nodepool_toleration" -}}
+- key: "agentpool"
+ operator: "Equal"
+ value: "cx-{{ .Values.global.CCPID }}"
+ effect: "NoExecute"
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl b/charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl
new file mode 100644
index 000000000..f14bd9147
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl
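Review bot: `mcr_repository_base` and `mcr_repository_base_adapter_chart` compare `$cloud_environment` case-sensitively against `"AZURECHINACLOUD"`, `"USNat"` and `"USSec"`, while `ccp_image_repository_base` in the same file uppercases the value first. Any other spelling falls through to `mcr.microsoft.com`, so a sovereign or air-gapped cluster would be pointed at the public registry host. Normalise once, `{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "AZUREPUBLICCLOUD" | upper) }}`, and compare against `"USNAT"` and `"USSEC"`. There is also no branch for `AzureBleuCloud`, although ama-logs.yaml sets a dedicated `MCR_URL` for that cloud; whether image pulls there are meant to use the default host is not visible from this file.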
@@ -0,0 +1,303 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Values.global.commonGlobals.CCPID $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Both formats are needed because the template is used by other adapter charts */}}
+{{- define "enableKonnectivity" -}}
+{{- $commonGlobals := "" }}
+{{- if .Values.v1 }}
+{{- $commonGlobals = (index .Values.v1 "commonGlobals") }}
+{{- else }}
+{{- $commonGlobals = .Values.global.commonGlobals }}
+{{- end -}}
+{{- if $commonGlobals.Konnectivity -}}
+{{- if kindIs "invalid" $commonGlobals.Konnectivity.Enabled -}}
+true
+{{- else if $commonGlobals.Konnectivity.Enabled -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* apiserver endpoint */}}
+{{- define "apiserver_endpoint" }}
+{{- if .Values.global.commonGlobals.PrivateConnect.enabled }}
+{{- .Values.global.commonGlobals.PrivateConnect.privateIP }}
+{{- else }}
+{{- .Values.global.commonGlobals.endpointFQDN }}
+{{- end }}
+{{- end }}
+
+{{- define "enableApiserverProxyForKms" -}}
+{{- if and .Values.global.commonGlobals.PrivateConnect.enabled (ne .Values.global.AzureKeyVaultKms.keyVaultNetworkAccess "Private") -}}
+true
+{{- else if not (or .Values.global.commonGlobals.TunnelOpenVPN.Enabled (include "enableKonnectivityWithEgressSelector" .)) -}}
+true
+{{- end -}}
+{{- end -}}
+
+{{- define "enableAzureKmsProviderProxy" -}}
+{{- if and .Values.global.AzureKeyVaultKms.enabled (include "enableKonnectivityWithEgressSelector" .) -}}
+{{- if eq .Values.global.AzureKeyVaultKms.keyVaultNetworkAccess "Private" -}}
+true
+{{- else if .Values.global.AzureKeyVaultKms.previousKey -}}
+{{- if eq .Values.global.AzureKeyVaultKms.previousKey.keyVaultNetworkAccess "Private" -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "enableKonnectivityProxyPodAndSvcCIDROnly" -}}
+{{- if (include "enableKonnectivity" .) -}}
+{{- if .Values.global.commonGlobals.Konnectivity.ProxyPodAndSvcCIDROnly -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "enableKonnectivityWithEgressSelector" -}}
+{{- if (include "enableKonnectivity" .) -}}
+{{- if not .Values.global.commonGlobals.Konnectivity.ProxyPodAndSvcCIDROnly -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "enableKonnectivityServerPreStop" -}}
+{{- if (include "enableKonnectivity" .) -}}
+{{- if .Values.global.commonGlobals.Konnectivity.enableKonnectivityServerPreStop -}}
+{{- if semverCompare ">=1.28.0" .Values.global.commonGlobals.Versions.Kubernetes -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "enableKonnectivityServerSeparateCert" -}}
+ {{- if (include "enableKonnectivity" .) -}}
+ {{- if .Values.global.commonGlobals.Konnectivity.EnableSeparateServerCert -}}
+ {{- if semverCompare (printf ">=%s" .Values.global.commonGlobals.Konnectivity.EnableSeparateServerCertFromK8sVersion) .Values.global.commonGlobals.Versions.Kubernetes -}}
+ true
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "loggingResourceId" -}}
+{{- if .Values.global.commonGlobals.FleetHubProfile.isHubCluster }}
+{{- .Values.global.commonGlobals.FleetHubProfile.fleetResourceID }}
+{{- else }}
+{{- .Values.global.commonGlobals.Customer.AzureResourceID }}
+{{- end }}
+{{- end }}
+
+{{/*
+Get the value of override update mode annotation,
+default is "disabled" and only support "enabled" and "disabled" currently.
+Return none and fall back to "disabled" if the value is not supported or current VPA is not existed.
+*/}}
+{{- define "getOverrideUpdateModeAnnotation" -}}
+{{- if .current }}
+ {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-update-mode") "enabled" }}
+ {{- "enabled" }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Try to get the override updateMode value if the override update mode annotation is enabled,
+and the current VPA cr is existed. If not, return none and use the default updateMode "Initial"
+*/}}
+{{- define "getUpdateMode" -}}
+{{- if .current }}
+ {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-update-mode") "enabled" }}
+ {{- dict "current" .current | include "getOverrideUpdateMode" }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get the value of override VPA update mode, user can override the updateMode in VPA cr
+when the override update mode annotation is enabled, return none and use the default
+updateMode value if the user input is invalid or any property is not existed
+*/}}
+{{- define "getOverrideUpdateMode" -}}
+{{- /*
+Use parentheses () to check the nested values existed due to the limitation of Helm
+https://github.com/helm/helm/issues/8026
+*/}}
+{{- if ((((.current).spec).updatePolicy).updateMode) }}
+ {{- if (dict "updateMode" .current.spec.updatePolicy.updateMode | include "isValidUpdateMode" ) }}
+ {{- .current.spec.updatePolicy.updateMode | quote }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Check if the update mode is valid,
+only support "Off", "Initial" and "Auto" update mode currently
+*/}}
+{{- define "isValidUpdateMode" -}}
+{{- if not (has .updateMode (list "Recreate")) }}
+true
+{{- end }}
+{{- end -}}
+
+{{/*
+Get the value of override min/max annotation,
+default is "disabled" and only support "enabled" and "disabled" currently.
+Return none and fall back to "disabled" if the value is not supported.
+*/}}
+{{- define "getOverrideMinMaxAnnotation" -}}
+{{- if .current }}
+ {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-min-max") "enabled" }}
+ {{- "enabled" }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Try to get the user override vpa min/max allowed value if the override min/max allowed annotation is enabled,
+and the current VPA cr is existed.
+If not, return none and use the default min/max allowed value.
+*/}}
+{{- define "getAllowedValue" -}}
+{{- if .current }}
+ {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-min-max") "enabled" }}
+ {{- (dict "current" .current "containerName" .containerName "resource" .resource) | include "getOverrideAllowedValue" }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Find the target container policy in VPA containerPolicies array
+*/}}
+{{- define "getVpaContainer" -}}
+ {{- $name := .containerName }}
+ {{- range $container := .containerPolicies }}
+ {{- if eq $name $container.containerName }}
+ {{- toYaml $container }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Get the user override vpa min/max allowed value from target container in current existing vpa cr
+*/}}
+{{- define "getOverrideAllowedValue" -}}
+{{- /*
+Use parentheses () to check the nested values existed due to the limitation of Helm
+https://github.com/helm/helm/issues/8026
+*/}}
+{{- $container := (dict "containerName" .containerName "containerPolicies" .current.spec.resourcePolicy.containerPolicies) | include "getVpaContainer" | fromYaml }}
+{{- if eq .resource "maxCPU" }}
+ {{- if ((($container).maxAllowed).cpu) }}
+ {{- $container.maxAllowed.cpu }}
+ {{- end }}
+{{- end }}
+{{- if eq .resource "maxMemory" }}
+ {{- if ((($container).maxAllowed).memory) }}
+ {{- $container.maxAllowed.memory }}
+ {{- end }}
+{{- end }}
+{{- if eq .resource "minCPU" }}
+ {{- if ((($container).minAllowed).cpu) }}
+ {{- $container.minAllowed.cpu }}
+ {{- end }}
+{{- end }}
+{{- if eq .resource "minMemory" }}
+ {{- if ((($container).minAllowed).memory) }}
+ {{- $container.minAllowed.memory }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get the value of override requests limits annotation,
+default is "disabled" and only support "enabled" and "disabled" currently.
+Return none and fall back to "disabled" if the value is not supported.
+*/}}
+{{- define "getOverrideRequestsLimitsAnnotation" -}}
+{{- if .current }}
+ {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-requests-limits") "enabled" }}
+ {{- "enabled" }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Find target container in deployment / daemonset containers property
+*/}}
+{{- define "getContainer" -}}
+ {{- $name := .containerName }}
+ {{- range $container := .containers }}
+ {{- if eq $name $container.name }}
+ {{- toYaml $container }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Get user override resource requests/limits value from target container in existing deployment / daemonset
+*/}}
+{{- define "getOverrideRequestsLimitsValue" -}}
+{{- $container := (dict "containerName" .containerName "containers" .current.spec.template.spec.containers) | include "getContainer" | fromYaml }}
+{{- if eq .resource "requestCPU" }}
+ {{- if (((($container).resources).requests).cpu) }}
+ {{- $container.resources.requests.cpu }}
+ {{- end }}
+{{- end }}
+{{- if eq .resource "requestMemory" }}
+ {{- if (((($container).resources).requests).memory) }}
+ {{- $container.resources.requests.memory }}
+ {{- end }}
+{{- end }}
+{{- if eq .resource "limitCPU" }}
+ {{- if (((($container).resources).limits).cpu) }}
+ {{- $container.resources.limits.cpu }}
+ {{- end }}
+{{- end }}
+{{- if eq .resource "limitMemory" }}
+ {{- if (((($container).resources).limits).memory) }}
+ {{- $container.resources.limits.memory }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get user override requests/limits value when current deployment/daemonset and override annotation is existed,
+if not, this function will return none and caller should set the default/fallback resource requests/limits value.
+*/}}
+{{- define "getRequestsLimitsValue" -}}
+{{- if .current }}
+ {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-requests-limits") "enabled" }}
+ {{- (dict "current" .current "containerName" .containerName "resource" .resource) | include "getOverrideRequestsLimitsValue" }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/* should use AzureStackCloud */}}
+{{- define "should_use_azurestackcloud" -}}
+ {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
+ {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
+{{- end }}
+
+{{/* should mount ca certs from host */}}
+{{- define "should_mount_hostca" -}}
+ {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
+ {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl b/charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl
new file mode 100644
index 000000000..1b1637a91
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl
@@ -0,0 +1,21 @@
+{- /*
+ This function adds the hostAliases for tigera operator.
+*/ -}}
+{{- define "podspec.tigeraHostaliases" -}}
+{{- if and .Values.global.commonGlobals.PrivateLink.privateIP -}}
+hostAliases:
+- hostnames:
+ - {{ .Values.global.commonGlobals.endpointFQDN }}
+ ip: {{ .Values.global.commonGlobals.PrivateLink.privateIP }}
+{{- else if and .Values.global.commonGlobals.PrivateConnect.enabled .Values.global.commonGlobals.PrivateConnect.privateIP -}}
+hostAliases:
+- hostnames:
+ - {{ .Values.global.commonGlobals.endpointFQDN }}
+ ip: {{ .Values.global.commonGlobals.PrivateConnect.privateIP }}
+{{- else if and .Values.global.commonGlobals.CCPPool.enabled .Values.global.commonGlobals.CCPPool.ccpSvcIP -}}
+hostAliases:
+- hostnames:
+ - {{ .Values.global.commonGlobals.endpointFQDN }}
+ ip: {{ .Values.global.commonGlobals.CCPPool.ccpSvcIP }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/azuremonitor-containerinsights/templates/_aks_images.tpl b/charts/azuremonitor-containerinsights/templates/_aks_images.tpl
new file mode 100644
index 000000000..86380c455
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/_aks_images.tpl
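Review bot: All three branches of `podspec.tigeraHostaliases` emit `endpointFQDN` and the IP unquoted and never check that `endpointFQDN` is set, so an empty value renders a `null` entry under `hostnames` beside an IP that overrides name resolution inside the pod. I would fail rendering instead, with `- {{ required "endpointFQDN must be set when a private IP is configured" .Values.global.commonGlobals.endpointFQDN | quote }}`, and quote the address the same way, e.g. `ip: {{ .Values.global.commonGlobals.PrivateLink.privateIP | quote }}`. The header comment opens with a single brace (`{- /*`) but closes with `*/ -}}`, so it is not parsed as a template comment; `{{- /*` looks intended. The comment and the define name refer to the tigera operator although the file is added to the azuremonitor-containerinsights chart, so a rename or a sentence explaining the reuse would help the next reader.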
@@ -0,0 +1,655 @@ +{{- define "get.imagetag" -}} +{{- if eq .component "kube-addon-manager" -}} + {{- if semverCompare "<1.7.0" .version -}}v6.5 + {{- else if semverCompare "<1.10.0" .version -}}v8.6 + {{- else if semverCompare "<1.13.0" .version -}}v8.9.1 + {{- else -}}v9.0.2_v0.0.5.9 + {{- end -}} +{{- else if eq .component "kube-apiserver" -}} + {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 + {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 + {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 + {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 + {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 + {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 + {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 + {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 + {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 + {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 + {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322.1 + {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 + {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 + {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 + {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310 + {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310 + {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 + {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 + {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 + {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310 + {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 + {{- else if semverCompare "=1.20.7" .version 
-}}v1.20.7-hotfix.20211115 + {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115 + {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 + {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 + {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 + {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115 + {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 + {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 + {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 + {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 + {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 + {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 + {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 + {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 + {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 + {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 + {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 + {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 + {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 + {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 + {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 + {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 + {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 + {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 + {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 + {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 + {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 + {{- else if semverCompare 
"=1.25.5" .version -}}v1.25.5-hotfix.20230612 + {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20231009 + {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 + {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 + {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 + {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20231009 + {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 + {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 + {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 + {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20231009 + {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 + {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 + {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 + {{- else if semverCompare "=1.27.13" .version -}}v1.27.13 + {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 + {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 + {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 + {{- else if semverCompare "=1.28.9" .version -}}v1.28.9-hotfix.20240712-1 + {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-hotfix.20240712-1 + {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 + {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 + {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240712 + {{- else if semverCompare "=1.29.4" .version -}}v1.29.4-hotfix.20240712 + {{- else if semverCompare "=1.29.14" .version -}}v1.29.14-hotfix.20250703 + {{- else if semverCompare "=1.29.15" .version -}}v1.29.15-hotfix.20250703 + {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 + {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 + {{- else if and 
(semverCompare ">=1.30.11" .version) (semverCompare "<=1.30.14" .version) -}}v{{.version}}-hotfix.20250703 + {{- else if and (semverCompare ">=1.31.0" .version) (semverCompare "<=1.31.11" .version) -}}v{{.version}}-hotfix.20250703 + {{- else if and (semverCompare ">=1.32.0" .version) (semverCompare "<=1.32.7" .version) -}}v{{.version}}-hotfix.20250703 + {{- else if and (semverCompare ">=1.33.0" .version) (semverCompare "<=1.33.3" .version) -}}v{{.version}}-hotfix.20250703 + {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 + {{- else if and (semverCompare ">=1.28.100" .version) (semverCompare "<=1.28.101" .version) -}}v{{.version}}-akslts-hotfix.20250703 + {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts + {{- else -}}v{{ .version }} + {{- end -}} +{{- else if eq .component "kube-scheduler" -}} + {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 + {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 + {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 + {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 + {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 + {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 + {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 + {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 + {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 + {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 + {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322.1 + {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 + {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 + {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 + {{- else if semverCompare "=1.19.6" .version 
-}}v1.19.6-hotfix.20210310 + {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310 + {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 + {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 + {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 + {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310 + {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 + {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 + {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115 + {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 + {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 + {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 + {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115 + {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 + {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 + {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 + {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 + {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 + {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 + {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 + {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 + {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 + {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 + {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 + {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 + {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 + {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 + {{- else if semverCompare 
"=1.24.0" .version -}}v1.24.0-hotfix.20220916 + {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 + {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 + {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 + {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 + {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 + {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 + {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 + {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 + {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 + {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 + {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 + {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 + {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 + {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 + {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 + {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 + {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 + {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 + {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 + {{- else if semverCompare "=1.27.14" .version -}}v1.27.15 + {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 + {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 + {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 + {{- else if semverCompare "=1.28.10" .version -}}v1.28.11-hotfix.20240712-1 + {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 + {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 + {{- else if semverCompare 
"=1.29.2" .version -}}v1.29.2-hotfix.20240712 + {{- else if semverCompare "=1.29.5" .version -}}v1.29.6-hotfix.20240712 + {{- else if semverCompare "=1.29.6" .version -}}v1.29.6-hotfix.20240712 + {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 + {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 + {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch | int) 100) -}}v{{.version}}-akslts + {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 + {{- else -}}v{{ .version }} + {{- end -}} +{{- else if eq .component "kube-controller-manager" -}} + {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 + {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917 + {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917 + {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 + {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 + {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 + {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 + {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917 + {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 + {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 + {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525 + {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 + {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 + {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 + {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310 + {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210525 + {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 + {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 + {{- else if 
semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 + {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210525 + {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 + {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 + {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20220126 + {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 + {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 + {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 + {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20220126 + {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 + {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 + {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 + {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 + {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 + {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 + {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 + {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 + {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 + {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 + {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 + {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 + {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 + {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 + {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 + {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 + {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 + {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 
+ {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 + {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 + {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 + {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 + {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 + {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 + {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 + {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 + {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 + {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 + {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 + {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 + {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 + {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 + {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 + {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 + {{- else if semverCompare "=1.27.13" .version -}}v1.27.13 + {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 + {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 + {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 + {{- else if semverCompare "=1.28.9" .version -}}v1.28.9-hotfix.20240712-1 + {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-hotfix.20240712-1 + {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 + {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 + {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240712 + {{- else if semverCompare "=1.29.4" .version -}}v1.29.4-hotfix.20240712 + {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 + {{- 
else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 + {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts + {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 + {{- else -}}v{{ .version }} + {{- end -}} +{{- else if eq .component "hyperkube" -}} + {{- if semverCompare "=1.12.8" .version -}}v1.12.8_v0.0.5 + {{- else if semverCompare "=1.13.10" .version -}}v1.13.10_v0.0.5 + {{- else if semverCompare "=1.13.11" .version -}}v1.13.11_v0.0.5 + {{- else if semverCompare "=1.13.12" .version -}}v1.13.12_v0.0.5 + {{- else if semverCompare "=1.14.6" .version -}}v1.14.6_v0.0.5 + {{- else if semverCompare "=1.14.7" .version -}}v1.14.7-hotfix.20200408.1 + {{- else if semverCompare "=1.14.8" .version -}}v1.14.8-hotfix.20200529.1 + {{- else if semverCompare "=1.15.3" .version -}}v1.15.3_v0.0.5 + {{- else if semverCompare "=1.15.4" .version -}}v1.15.4_v0.0.5 + {{- else if semverCompare "=1.15.5" .version -}}v1.15.5_v0.0.5 + {{- else if semverCompare "=1.15.7" .version -}}v1.15.7-hotfix.20200408.1 + {{- else if semverCompare "=1.15.10" .version -}}v1.15.10-hotfix.20200408.1 + {{- else if semverCompare "=1.15.11" .version -}}v1.15.11-hotfix.20201203 + {{- else if semverCompare "=1.15.12" .version -}}v1.15.12-hotfix.20200824.2 + {{- else if semverCompare "=1.16.0" .version -}}v1.16.0_v0.0.5 + {{- else if semverCompare "=1.16.7" .version -}}v1.16.7-hotfix.20200601.3 + {{- else if semverCompare "=1.16.8" .version -}}v1.16.8.2 + {{- else if semverCompare "=1.16.9" .version -}}v1.16.9-hotfix.20200529.7 + {{- else if semverCompare "=1.16.10" .version -}}v1.16.10-hotfix.20200917.3 + {{- else if semverCompare "=1.16.13" .version -}}v1.16.13-hotfix.20210118.2 + {{- else if semverCompare "=1.16.14" .version -}}v1.16.14-hotfix.20200901.4 + {{- else if semverCompare "=1.16.15" .version -}}v1.16.15-hotfix.20210118.4 + {{- else if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601.3 + {{- else if 
semverCompare "=1.17.4" .version -}}v1.17.4.2 + {{- else if semverCompare "=1.17.5" .version -}}v1.17.5.2 + {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917.3 + {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917.3 + {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901.4 + {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.2 + {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.2 + {{- else if semverCompare "=1.18.1" .version -}}v1.18.1.6 + {{- else if semverCompare "=1.18.2" .version -}}v1.18.2-hotfix.20200626.7 + {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200626.7 + {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917.5 + {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20201112.4 + {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.4 + {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525.2 + {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.2 + {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.2 + {{- else -}}v{{ .version }} + {{- end -}} +{{- else if eq .component "kubectl" -}} + {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 + {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 + {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 + {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 + {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 + {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 + {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 + {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 + {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 + {{- else if semverCompare "=1.18.10" .version 
-}}v1.18.10-hotfix.20210310.1 + {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322 + {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.2 + {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.2 + {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 + {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310.1 + {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310.1 + {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526.2 + {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101.1 + {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101.1 + {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310.1 + {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603.2 + {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 + {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115.1 + {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210.2 + {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201.2 + {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 + {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115.1 + {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 + {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601.1 + {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620.1 + {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115.1 + {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115.1 + {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 + {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 + {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109.1 + {{- else if semverCompare "=1.22.15" .version 
-}}v1.22.15-hotfix.20221109.1 + {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 + {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 + {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109.2 + {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208.1 + {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208.1 + {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 + {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 + {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208.1 + {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 + {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 + {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216.1 + {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208.1 + {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 + {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 + {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 + {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 + {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 + {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 + {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 + {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103-1 + {{- else if semverCompare "=1.26.12" .version -}}v1.26.12-1 + {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 + {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20240125 + {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240712-4 + {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240712-4 + {{- else if semverCompare "=1.27.13" .version -}}v1.27.13-2 + {{- else if semverCompare "=1.28.0" 
.version -}}v1.28.0-hotfix.20240712-4 + {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-4 + {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-4 + {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts + {{- else if and (semverCompare ">=1.29.0" .version) (semverCompare "<1.30.0" .version) -}}v1.29.13 + {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-1 + {{- else if semverCompare "=1.30.1" .version -}}v1.30.1-1 + {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240613 + {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 + {{- else -}}v{{ .version }} + {{- end -}} +{{- else if eq .component "kube-proxy" -}} + {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601.3 + {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917.3 + {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917.3 + {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901.2 + {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.2 + {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.2 + {{- else if semverCompare "=1.18.2" .version -}}v1.18.2-hotfix.20200626.4 + {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200626.5 + {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917.4 + {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20201112.2 + {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.2 + {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525 + {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 + {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 + {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210525 + {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526.3 + {{- else if 
semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101.1 + {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101.1 + {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210525 + {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603.3 + {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211021.1 + {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115.2 + {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210.3 + {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201.3 + {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211022.1 + {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115.2 + {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601.1 + {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601.2 + {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620.3 + {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115.1 + {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115.1 + {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615.1 + {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220728.2 + {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109.1 + {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109.1 + {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615.1 + {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220728.4 + {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109.3 + {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208.2 + {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208.2 + {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220615.4 + {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216.1 + {{- else if 
semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208.2 + {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 + {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612-1 + {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 + {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 + {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 + {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20231009-3 + {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102-1 + {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103-1 + {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 + {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20231009-2 + {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 + {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103-8 + {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20231009 + {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20240125 + {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 + {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 + {{- else if semverCompare "=1.27.14" .version -}}v1.27.14-1 + {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240125 + {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240411 + {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240411 + {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-1 + {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240411 + {{- else if semverCompare "=1.29.5" .version -}}v1.29.5-1 + {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712-3 + {{- else if semverCompare "=1.30.1" .version -}}v1.30.1-hotfix.20240712-3 + {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712-3 + {{- else if 
semverCompare "=1.30.6" .version -}}v1.30.6-1 + {{- else if semverCompare "=1.31.1" .version -}}v1.31.1-2 + {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts + {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 + {{- else -}}v{{ .version }} + {{- end -}} +{{- else if eq .component "cloud-provider-controller-manager" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.2 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.7 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.8 + {{- else if semverCompare ">=1.30.0" .version -}}v1.30.14 + {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 + {{- else if semverCompare ">=1.28.0" .version -}}v1.28.14 + {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 + {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 + {{- else if semverCompare ">=1.24.0" .version -}}v1.24.22 + {{- else if semverCompare ">=1.23.0" .version -}}v1.23.30 + {{- else if semverCompare ">=1.22.0" .version -}}v1.1.26 + {{- else if semverCompare ">=1.21.0" .version -}}v1.0.23 + {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 + {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 + {{- else -}}v0.5.1.4 + {{- end -}} +{{- else if eq .component "appmonitoring-webhook" -}} +1.0.0-beta.8 +{{- else if eq .component "tunnel-front" -}} +master.250401.1 +{{- else if eq .component "tunnel-end" -}} +master.250401.1 +{{- else if eq .component "tunnel-openvpn-front" -}} +master.241001.1 +{{- else if eq .component "tunnel-openvpn-end" -}} +master.241001.1 +{{- else if eq .component "apiserver-network-proxy-agent" -}} +v0.30.3-5 +{{- else if eq .component "aad-pod-identity-nmi" -}} +v1.8.18 +{{- else if eq .component "gitops-manager-config-operator" -}} +1.7.0 +{{- else if eq .component "gitops-manager-config-agent" -}} +1.7.0 +{{- else if eq .component "resourcesync-operator" -}} +1.7.1 +{{- 
else if eq .component "http-application-routing-nginx-ingress-controller" -}} + {{- if semverCompare ">=1.22.0" .version -}}1.2.1 + {{- else if semverCompare ">=1.21.0" .version -}}0.49.3 + {{- else -}}0.19.0 + {{- end -}} +{{- else if eq .component "http-application-routing-external-dns" -}} + {{- if semverCompare ">=1.22.0" .version -}}v0.10.2 + {{- else if semverCompare ">=1.21.0" .version -}}v0.8.0 + {{- else -}}v0.6.0-hotfix-20200228 + {{- end -}} +{{- else if eq .component "http-application-routing-defaultbackend" -}} +1.4 +{{- else if eq .component "ip-masq-agent" -}} +v2.5.0.12 +{{- else if eq .component "azuredisk-csi-v2" -}} +v2.0.0-beta.10 +{{- else if eq .component "azdiskschedulerextender-csi" -}} +v2.0.0-beta.10 +{{- else if eq .component "csi-node-driver-registrar" -}} + {{- if semverCompare ">=1.31.0" .version -}}v2.14.0 + {{- else if semverCompare ">=1.29.0" .version -}}v2.13.0 + {{- else if semverCompare ">=1.28.0" .version -}}v2.12.0 + {{- else if semverCompare ">=1.27.0" .version -}}v2.10.1 + {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 + {{- else if semverCompare ">=1.21.0" .version -}}v2.5.0 + {{- else -}}v2.3.0 + {{- end -}} +{{- else if eq .component "csi-livenessprobe" -}} + {{- if semverCompare ">=1.31.0" .version -}}v2.16.0 + {{- else if semverCompare ">=1.29.0" .version -}}v2.15.0 + {{- else if semverCompare ">=1.28.0" .version -}}v2.14.0 + {{- else if semverCompare ">=1.27.0" .version -}}v2.12.0 + {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 + {{- else if semverCompare ">=1.21.0" .version -}}v2.6.0 + {{- else -}}v2.2.0 + {{- end -}} +{{- else if eq .component "azuredisk-csi-linux" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.4-2 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.10-2 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.11 + {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 + {{- else if semverCompare ">=1.28.0" .version -}}v1.29.14 + {{- else if semverCompare 
">=1.27.0" .version -}}v1.28.12 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.9 + {{- else if semverCompare ">=1.24.0" .version -}}v1.26.8 + {{- else if semverCompare ">=1.21.0" .version -}}v1.26.2.2 + {{- else -}}v1.2.2.5 + {{- end -}} +{{- else if eq .component "azuredisk-csi-windows" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.4 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.10 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.11 + {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 + {{- else if semverCompare ">=1.28.0" .version -}}v1.29.14 + {{- else if semverCompare ">=1.27.0" .version -}}v1.28.12 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.9 + {{- else if semverCompare ">=1.24.0" .version -}}v1.26.8 + {{- else if semverCompare ">=1.21.0" .version -}}v1.26.2 + {{- else -}}v1.2.2.5 + {{- end -}} +{{- else if eq .component "azurefile-csi-linux" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.4-2 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.7 + {{- else if semverCompare ">=1.29.0" .version -}}v1.30.10 + {{- else if semverCompare ">=1.28.0" .version -}}v1.29.12 + {{- else if semverCompare ">=1.27.0" .version -}}v1.28.14 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.11-2 + {{- else if semverCompare ">=1.24.0" .version -}}v1.24.11 + {{- else if semverCompare ">=1.21.0" .version -}}v1.24.0 + {{- else -}}v1.2.2 + {{- end -}} +{{- else if eq .component "azurefile-csi-windows" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.33.4 + {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 + {{- else if semverCompare ">=1.31.0" .version -}}v1.31.7 + {{- else if semverCompare ">=1.29.0" .version -}}v1.30.10 + {{- else if semverCompare ">=1.28.0" .version -}}v1.29.12 + {{- else if semverCompare ">=1.27.0" .version -}}v1.28.14 + {{- else if semverCompare ">=1.26.0" .version -}}v1.26.11 + {{- else if semverCompare ">=1.24.0" 
.version -}}v1.24.11 + {{- else if semverCompare ">=1.21.0" .version -}}v1.24.0 + {{- else -}}v1.2.2 + {{- end -}} +{{- else if eq .component "blob-csi" -}} + {{- if semverCompare ">=1.33.0" .version -}}v1.26.7 + {{- else if semverCompare ">=1.32.0" .version -}}v1.26.6 + {{- else if semverCompare ">=1.31.0" .version -}}v1.25.9 + {{- else if semverCompare ">=1.30.0" .version -}}v1.24.11 + {{- else if semverCompare ">=1.28.0" .version -}}v1.23.11 + {{- else if semverCompare ">=1.27.0" .version -}}v1.22.9 + {{- else if semverCompare ">=1.26.0" .version -}}v1.21.7-2 + {{- else if semverCompare ">=1.24.0" .version -}}v1.19.5-7 + {{- else -}}v1.19.2 + {{- end -}} +{{- else if eq .component "csi-provisioner" -}} + {{- if semverCompare ">=1.29.0" .version -}}v5.2.0 + {{- else if semverCompare ">=1.28.0" .version -}}v3.6.2 + {{- else if semverCompare ">=1.24.0" .version -}}v3.5.0 + {{- else if semverCompare ">=1.21.0" .version -}}v3.1.0 + {{- else -}}v2.1.1-hotfix.20220128-aks + {{- end -}} +{{- else if eq .component "csi-attacher" -}} + {{- if semverCompare ">=1.32.0" .version -}}v4.9.0 + {{- else if semverCompare ">=1.29.0" .version -}}v4.8.1 + {{- else if semverCompare ">=1.28.0" .version -}}v4.4.2 + {{- else if semverCompare ">=1.27.0" .version -}}v4.3.0 + {{- else if semverCompare ">=1.21.0" .version -}}v3.4.0 + {{- else -}}v3.1.0-hotfix.20220128-aks + {{- end -}} +{{- else if eq .component "csi-resizer" -}} + {{- if semverCompare ">=1.29.0" .version -}}v1.13.2 + {{- else if semverCompare ">=1.28.0" .version -}}v1.9.3 + {{- else if semverCompare ">=1.27.0" .version -}}v1.8.0 + {{- else if semverCompare ">=1.21.0" .version -}}v1.4.0 + {{- else -}}v1.1.0-hotfix.20220128-aks + {{- end -}} +{{- else if eq .component "csi-snapshotter" -}} + {{- if semverCompare ">=1.33.0" .version -}}v8.3.0 + {{- else if semverCompare ">=1.29.0" .version -}}v8.2.0 + {{- else if semverCompare ">=1.27.0" .version -}}v6.2.2 + {{- else if semverCompare ">=1.21.0" .version -}}v5.0.1 + {{- else 
-}}v3.0.3-hotfix.20220128-aks + {{- end -}} +{{- else if eq .component "snapshot-controller" -}} + {{- if semverCompare ">=1.33.0" .version -}}v8.3.0 + {{- else if semverCompare ">=1.29.0" .version -}}v8.2.0 + {{- else if semverCompare ">=1.27.0" .version -}}v6.2.2 + {{- else if semverCompare ">=1.21.0" .version -}}v5.0.1 + {{- else -}}v3.0.3-hotfix.20220128-aks + {{- end -}} +{{- else if eq .component "azure-cns-image" -}} +v1.4.44.5 +{{- else if eq .component "azure-cns-image-windows" -}} +v1.4.44.5 +{{- else if eq .component "azure-cni-networkmonitor" -}} +v1.1.8_hotfix +{{- else if eq .component "calico-typha-image" -}} +v3.8.9 +{{- else if eq .component "calico-pod2daemon-flexvol-image" -}} +v3.8.9.1 +{{- else if eq .component "calico-cni-image" -}} +v3.8.9.3 +{{- else if eq .component "calico-node-image" -}} +v3.8.9.5 +{{- else if eq .component "ccp-initializer" -}} +master.250807.1 +{{- else if eq .component "ccp-auto-thrust" -}} + {{- if semverCompare ">=1.27.0" .version -}}master.250505.2 + {{- else -}}master.250108.7 + {{- end -}} +{{- else if eq .component "ccp-auto-thrust-csi" -}} + {{- if semverCompare ">=1.27.0" .version -}}master.250307.1 + {{- else -}}master.250108.7 + {{- end -}} +{{- else if eq .component "admissionsenforcer" -}} +master.250822.2 +{{- else if eq .component "msi-adapter" -}} +master.250822.1 +{{- else if eq .component "private-connect-router" -}} +master.250811.1 +{{- else if eq .component "private-connect-balancer" -}} +master.250731.2 +{{- else if eq .component "addon-token-adapter-linux" -}} +master.250902.1 +{{- else if eq .component "addon-token-adapter-windows" -}} +master.250902.1 +{{- else if eq .component "addon-token-reconciler" -}} +master.250819.2 +{{- else if eq .component "aks-kube-addon-manager" -}} +master.250528.2 +{{- else if eq .component "kms-plugin" -}} +v0.8.0 +{{- else if eq .component "ccp-coredns" -}} +v1.12.0-1 +{{- end -}} +{{- end -}} 
diff --git a/charts/azuremonitor-containerinsights/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
similarity index 100%
rename from charts/azuremonitor-containerinsights/ama-logs.yaml
rename to charts/azuremonitor-containerinsights/templates/ama-logs.yaml
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
new file mode 100644
index 000000000..bf48c5669
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -0,0 +1,201 @@ +# Add this section to fix the AppmonitoringAgent references +AppmonitoringAgent: + enabled: false + isOpenTelemetryLogsEnabled: false + openTelemetryLogsPort: 28331 + +# Add complete global section +global: + commonGlobals: + CloudEnvironment: + isAutomaticSKU: false + Region: + Versions: + Kubernetes: "1.32.7" + +legacyAddonDelivery: false + +# Default values for ama-logs configuration +# omsagent configuration +OmsAgent: + aksResourceID: + enableDaemonSetSizing: false + isAppMonitoringAgentEnabled: false + isOpenTelemetryLogsEnabled: false + isCustomMetricsDisabled: false + isUsingAADAuth: "true" + openTelemetryLogsPort: 28331 + retinaFlowLogsEnabled: false + workspaceID: "" + accessTokenSecretName: "ama-logs-secret" + # Cloud environment + isMoonCake: false + isFairfax: false + workspaceKey: "" + + # Image configuration + imageTagLinux: "3.1.31" + imageTagWindows: "win-3.1.31" + isImagePullPolicyAlways: false + + # Resource ID and cluster information + # aksResourceID: "" + # aksClusterName: "" + # aksNodeResourceGroup: "" + # aksRegion: "" + + # Resource limits and requests + omsAgentDsCPULimitLinux: "500m" + omsAgentDsMemoryLimitLinux: "1Gi" + omsAgentDsCPULimitWindows: "2" + omsAgentDsMemoryLimitWindows: "2Gi" + omsAgentDsCPURequestWindows: "100m" + omsAgentDsMemoryRequestWindows: "150Mi" + omsAgentRsCPULimit: "1" + omsAgentRsMemoryLimit: "1.5Gi" + omsAgentPrometheusSidecarCPULimit: "500m" + omsAgentPrometheusSidecarMemoryLimit: "1Gi" + + # Multitenancy settings + omsAgentMultitenancyCPULimitLinux: "1" + omsAgentMultitenancyMemoryLimitLinux: "1Gi" + omsAgentMultitenancyCPURequestLinux: "100m" + omsAgentMultitenancyMemoryRequestLinux: "100Mi" + omsAgentMultitenancyLogsHPAMinReplicas: 2 + omsAgentMultitenancyLogsHPAMaxReplicas: 50 + omsAgentMultitenancyHPAAvgCPUUtilization: 700 + omsAgentMultitenancyHPAAvgMemoryUtilization: 700 + + # Feature flags + isSyslogEnabled: false + isPrometheusMetricsScrapingDisabled: false + 
isSidecarScrapingEnabled: true + isRSVPAEnabled: false + isRetinaFlowLogsEnabled: false + isResourceOptimizationEnabled: false + isWindowsAMAFluentBitEnabled: false + isMultitenancyLogsEnabled: false + isWindowsBurstableQoSEnabled: false + isTelegrafLivenessprobeEnabled: false + isWindowsAMAEnabled: false + isWindowsAddonTokenAdapterDisabled: false + legacyAddonDelivery: false + + # # Network settings + # syslogHostPort: "28330" + # shouldMountSyslogHostPort: false + # httpProxy: "" + # httpsProxy: "" + # trustedCA: "" + + # # Identity settings + # identityClientID: "" + # accessTokenSecretName: "aad-msi-auth-token" + + # # DaemonSet sizing configuration + # enableDaemonSetSizing: false + # daemonSetSizingValues: + # singleSize: + # containers: + # addon-token-adapter: + # cpuLimit: "100m" + # memoryLimit: "100Mi" + # cpuRequest: "20m" + # memoryRequest: "50Mi" + # ama-logs: + # cpuLimit: "150m" + # memoryLimit: "750Mi" + # cpuRequest: "75m" + # memoryRequest: "325Mi" + # ama-logs-prometheus: + # cpuLimit: "500m" + # memoryLimit: "1Gi" + # cpuRequest: "75m" + # memoryRequest: "225Mi" + # tShirtSizes: + # - name: "small" + # maxCPU: 4 + # containers: + # addon-token-adapter: + # cpuLimit: "100m" + # memoryLimit: "100Mi" + # cpuRequest: "20m" + # memoryRequest: "50Mi" + # ama-logs: + # cpuLimit: "150m" + # memoryLimit: "750Mi" + # cpuRequest: "75m" + # memoryRequest: "325Mi" + # ama-logs-prometheus: + # cpuLimit: "500m" + # memoryLimit: "1Gi" + # cpuRequest: "75m" + # memoryRequest: "225Mi" + # - name: "medium" + # maxCPU: 8 + # containers: + # addon-token-adapter: + # cpuLimit: "200m" + # memoryLimit: "200Mi" + # cpuRequest: "40m" + # memoryRequest: "100Mi" + # ama-logs: + # cpuLimit: "300m" + # memoryLimit: "1.5Gi" + # cpuRequest: "150m" + # memoryRequest: "650Mi" + # ama-logs-prometheus: + # cpuLimit: "1" + # memoryLimit: "2Gi" + # cpuRequest: "150m" + # memoryRequest: "450Mi" + # - name: "large" + # maxCPU: 16 + # containers: + # addon-token-adapter: + # 
cpuLimit: "400m" + # memoryLimit: "400Mi" + # cpuRequest: "80m" + # memoryRequest: "200Mi" + # ama-logs: + # cpuLimit: "600m" + # memoryLimit: "3Gi" + # cpuRequest: "300m" + # memoryRequest: "1.3Gi" + # ama-logs-prometheus: + # cpuLimit: "2" + # memoryLimit: "4Gi" + # cpuRequest: "300m" + # memoryRequest: "900Mi" + +# # Application monitoring settings +# AppmonitoringAgent: +# enabled: false +# isOpenTelemetryLogsEnabled: false +# openTelemetryLogsPort: "28331" + +# # Azure-specific settings +# Azure: +# Cluster: +# Cloud: "" +# Region: "" +# ResourceId: "" +# Extension: +# Name: "" +# ResourceId: "" +# proxySettings: +# isProxyEnabled: false +# httpProxy: "" +# httpsProxy: "" +# noProxy: "" +# proxyCert: "" +# isCustomCert: false +# autonomousFqdn: "" + +# # Global settings +# global: +# commonGlobals: +# CloudEnvironment: "AzurePublicCloud" +# Versions: +# Kubernetes: "1.25.0" +# isAutomaticSKU: false From 4a8294744e4c2c2a5c1a599b578ef82d900ddf9e Mon Sep 17 00:00:00 2001 From: longwan Date: Wed, 29 Oct 2025 23:06:39 +0000 Subject: [PATCH 04/47] update chart --- .../azuremonitor-containerinsights/templates/ama-logs.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml index cfacea23c..b3a6750e5 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml @@ -450,7 +450,7 @@ spec: template: metadata: annotations: - agentVersion: "azure-mdsd-1.35.7" + agentVersion: "azure-mdsd-1.37.0" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} 
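Review bot: `isUsingAADAuth: "true"` is a quoted string, and the template copies this value into `$isusingaadauth` and tests it with `{{- if $isusingaadauth }}`, which gates at least the RBAC rule on `secrets`. Any non-empty string is truthy in a Go template, so an override written in the same style as `"false"` would still render that rule; a real boolean, `isUsingAADAuth: true`, matches the other flags in this block and makes the switch work in both directions. `CloudEnvironment:`, `Region:` and `aksResourceID:` are bare keys that load as null, while the template passes `aksResourceID` to `splitList`; writing them as `""` keeps string functions from receiving a non-string. `workspaceKey` looks like a credential, so this default is best kept empty and the value supplied at install time rather than committed.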
@@ -969,7 +969,7 @@ spec: rsName: "ama-logs-rs" kubernetes.azure.com/managedby: aks annotations: - agentVersion: "azure-mdsd-1.35.7" + agentVersion: "azure-mdsd-1.37.0" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" @@ -1680,7 +1680,7 @@ spec: rsName: "ama-logs-multitenancy" kubernetes.azure.com/managedby: aks annotations: - agentVersion: "azure-mdsd-1.35.7" + agentVersion: "azure-mdsd-1.37.0" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" From fb2cc1f801a34350736899565e9fefdde27c6b56 Mon Sep 17 00:00:00 2001 From: longwan Date: Wed, 29 Oct 2025 23:21:37 +0000 Subject: [PATCH 05/47] update chart --- .../templates/ama-logs.yaml | 37 ++++++++++--------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml index b3a6750e5..5c5c84ea3 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml @@ -9,6 +9,7 @@ {{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} {{- end -}} +{{/* TODO This needs to be fixed post Canary validation */}} {{/* Extract cluster information from aksresourceid */}} {{- $resourceParts := splitList "/" .Values.OmsAgent.aksResourceID -}} {{- $aksclustername := last $resourceParts -}} 
@@ -35,13 +36,13 @@ data: {{- if .Values.OmsAgent.isFairfax }} DOMAIN: {{ b64enc "opinsights.azure.us" }} {{- end }} -{{- if eq .Values.global.commonGlobals.CloudEnvironment "USNat" }} +{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }} DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }} {{- end }} -{{- if eq .Values.global.commonGlobals.CloudEnvironment "USSec" }} +{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }} DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }} {{- end }} -{{- if eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud" }} +{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }} DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }} {{- end }} {{- if .Values.OmsAgent.httpsProxy }} @@ -570,15 +571,15 @@ spec: value: "4319" - name: PROMETHEUS_METRICS_SCRAPING_DISABLED value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} 
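Review bot: `upper` is applied straight to `.Values.global.commonGlobals.CloudEnvironment`, and the chart's values.yaml declares `CloudEnvironment:` with no value, so on a default install the argument is null rather than a string and rendering will most likely stop at the first of these conditions. Guard the lookup, `{{- if eq (upper (default "" .Values.global.commonGlobals.CloudEnvironment)) "USNAT" }}`, or give the key a `""` default in values.yaml. The same expression is added in the hunks at 571, 736, 1113, 1404 and 1788 of this commit.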
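Review bot: The three rewritten conditions in the hunk at 571 read `.Values…` where the lines they replace read `$.Values…`, and the context line just above them still uses `$.Values.OmsAgent.isPrometheusMetricsScrapingDisabled`. The enclosing block starts outside the hunk; if it sits inside a `range` or `with`, `.` is not the chart root there and `.Values` will not resolve. Keep the root reference, `{{- if (eq (upper $.Values.global.commonGlobals.CloudEnvironment) "USNAT") }}`. The hunk at 736 makes the same switch.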
@@ -735,15 +736,15 @@ spec: value: "PrometheusSidecar" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID value: "{{ $.Values.OmsAgent.identityClientID }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} @@ -1113,15 +1114,15 @@ spec: - name: SIDECAR_SCRAPING_ENABLED value: "false" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} 
@@ -1404,15 +1405,15 @@ spec: - name: SIDECAR_SCRAPING_ENABLED value: "false" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - name: REQUIRES_CERT_BOOTSTRAP value: "true" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - name: REQUIRES_CERT_BOOTSTRAP value: "true" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - name: REQUIRES_CERT_BOOTSTRAP value: "true" {{- end }} @@ -1788,15 +1789,15 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} From 27b6488b06d8a5eed283af6c31edd051f22c2ee7 Mon Sep 17 00:00:00 2001 From: longwan Date: Wed, 29 Oct 2025 23:38:38 +0000 Subject: [PATCH 06/47] update chart --- .../templates/ama-logs.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml index 5c5c84ea3..292e3c607 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml 
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml @@ -571,15 +571,15 @@ spec: value: "4319" - name: PROMETHEUS_METRICS_SCRAPING_DISABLED value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} @@ -736,15 +736,15 @@ spec: value: "PrometheusSidecar" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID value: "{{ $.Values.OmsAgent.identityClientID }}" - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AZUREBLEUCLOUD") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} From 2ca623986b7ea49b94e1b825ba79e1baf60e63c4 Mon Sep 17 00:00:00 2001 
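Review bot: The last condition in the hunk at 736 compares `$.Values.global.commonGlobals.CloudEnvironment` with `"AZUREBLEUCLOUD"` without upper-casing the value, while the matching line in the hunk at 571 compares with `"AzureBleuCloud"`. A cluster whose value is spelled `AzureBleuCloud` would not match here, so `MCR_URL` would be left unset in this env block. Use `"AzureBleuCloud"` on that line. Since the same file elsewhere compares an upper-cased value, it would be more robust to normalise once near the top, `{{- $cloud := upper (default "" .Values.global.commonGlobals.CloudEnvironment) -}}`, and test `$cloud` in every condition.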
From: longwan Date: Thu, 30 Oct 2025 23:28:31 +0000 Subject: [PATCH 07/47] update chart --- charts/azuremonitor-containerinsights/Chart.yaml | 4 ++-- charts/azuremonitor-containerinsights/templates/ama-logs.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml index b546f01b6..adaf47c50 100644 --- a/charts/azuremonitor-containerinsights/Chart.yaml +++ b/charts/azuremonitor-containerinsights/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 description: azure-monitor-containers helm chart -name: azuremonitor-containers -version: 3.2.0 +name: azuremonitor-containers-extension +version: 3.2.1-aks-beta-1 diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml index 292e3c607..4f4b7588b 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml @@ -744,7 +744,7 @@ spec: - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AZUREBLEUCLOUD") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} From 5943b1fe364111ff31bd07b8dd02942566b4ba17 Mon Sep 17 00:00:00 2001 From: longwan Date: Thu, 30 Oct 2025 23:42:45 +0000 Subject: [PATCH 08/47] update chart --- .../templates/ama-logs.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml index 4f4b7588b..84c02b0bb 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml 
@@ -91,6 +91,7 @@ rules:
 resourceNames: [ "ama-logs-rs" ]
 verbs: ["get", "patch"]
 {{- end }}
+{{/* - if .Values.OmsAgent.isUsingAADAuth */}}
 {{- if $isusingaadauth }}
 - apiGroups: [""]
 resources: ["secrets"]
@@ -553,6 +554,7 @@ spec:
 value: "{{ $.Values.OmsAgent.aksResourceID }}"
 - name: AKS_NODE_RESOURCE_GROUP
 value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}"
+ {{/* TODO This needs to be fixed post Canary validation */}}
 - name: AKS_REGION
 value: "{{ $.Values.global.commonGlobals.Region }}"
 - name: CONTROLLER_TYPE
@@ -728,6 +730,7 @@ spec:
 value: "{{ $.Values.OmsAgent.aksResourceID }}"
 - name: AKS_NODE_RESOURCE_GROUP
 value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}"
+ {{/* TODO This needs to be fixed post Canary validation */}}
 - name: AKS_REGION
 value: "{{ $.Values.global.commonGlobals.Region }}"
 - name: CONTROLLER_TYPE
@@ -1087,6 +1090,7 @@ spec:
 value: "{{ .Values.OmsAgent.aksResourceID }}"
 - name: AKS_NODE_RESOURCE_GROUP
 value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}"
+ {{/* TODO This needs to be fixed post Canary validation */}}
 - name: AKS_REGION
 value: "{{ $.Values.global.commonGlobals.Region }}"
 - name: CONTROLLER_TYPE
@@ -1375,6 +1379,7 @@ spec:
 value: "1"
 - name: AKS_RESOURCE_ID
 value: "{{ .Values.OmsAgent.aksResourceID }}"
+ {{/* TODO This needs to be fixed post Canary validation */}}
 - name: AKS_REGION
 value: "{{ $.Values.global.commonGlobals.Region }}"
 - name: CONTROLLER_TYPE
@@ -1781,6 +1786,7 @@ spec:
 value: "{{ .Values.OmsAgent.aksResourceID }}"
 - name: AKS_NODE_RESOURCE_GROUP
 value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}"
+ {{/* TODO This needs to be fixed post Canary validation */}}
 - name: AKS_REGION
 value: "{{ $.Values.global.commonGlobals.Region }}"
 - name: CONTROLLER_TYPE
@@ -1888,9 +1894,3 @@ spec:
 values:
 - system
 {{- end }}
-
-
-
-
-
-
From 9f85bdc099d7f611f9a97a7b1fa9f1eb7aff1026 Mon Sep 17 00:00:00 2001
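Review bot: The comment `{{/* TODO This needs to be fixed post Canary validation */}}` added above `AKS_REGION` (hunks `@@ -553`, `@@ -728`, `@@ -1087`, `@@ -1375` and `@@ -1781`) does not say what is wrong with the value or what the fix should be, so a later maintainer cannot act on it. State the problem and the intended source, for example `{{- /* TODO(<owner>): AKS_REGION is read from global.commonGlobals.Region; replace with <intended value> after Canary validation */}}`. Writing it in the trimmed form `{{- /* … */}}` also keeps the comment from rendering as a whitespace-only line between the `name`/`value` entries.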
From: longwan
Date: Thu, 30 Oct 2025 23:43:30 +0000
Subject: [PATCH 09/47] update chart
---
 charts/azuremonitor-containerinsights/templates/ama-logs.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
index 84c02b0bb..ce8f6aba3 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
@@ -91,7 +91,6 @@ rules:
 resourceNames: [ "ama-logs-rs" ]
 verbs: ["get", "patch"]
 {{- end }}
-{{/* - if .Values.OmsAgent.isUsingAADAuth */}}
 {{- if $isusingaadauth }}
 - apiGroups: [""]
 resources: ["secrets"]
From 30afd39b88e1d0ed2c8149acfac6ecc1d3846662 Mon Sep 17 00:00:00 2001
From: longwan
Date: Thu, 30 Oct 2025 23:55:26 +0000
Subject: [PATCH 10/47] update chart
---
 .../templates/ama-logs.yaml | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
index ce8f6aba3..2a2f82e00 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
@@ -421,6 +421,13 @@ metadata:
 {{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}}
 {{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}}
 {{- $sizes := list ($singleSize) -}}
+{{/* - if $useDaemonSetSizing - */}}
+ {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}}
+ {{/* - $sizes = .Values.OmsAgent.daemonSetSizingValues.tShirtSizes - */}}
+ {{/* - $sizes = list ($singleSize) - */}}
+ {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}}
+{{/* - end - */}}
+{{/* Generate DaemonSets */}}
 {{- $prevmaxCPU := 0 -}}
 {{- range $index, $size := $sizes -}}
 {{- if gt $index 0 }}
@@ -441,13 +448,23 @@ metadata:
 kubernetes.io/cluster-service: "true"
 addonmanager.kubernetes.io/mode: Reconcile
 {{- end }}
- name: ama-logs
+ {{/*
+ {{- if and $useDaemonSetSizing $size.name }}
+ kubernetes.azure.com/ds-tshirt-size: {{ $size.name }}
+ {{- end }}
+ */}}
+ name: ama-logs{{/* {{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }} */}}
 namespace: kube-system
 spec:
 selector:
 matchLabels:
 component: ama-logs-agent
 tier: node
+ {{/*
+ {{- if and $useDaemonSetSizing $size.name }}
+ kubernetes.azure.com/ds-tshirt-size: {{ $size.name }}
+ {{- end }}
+ */}}
 template:
 metadata:
 annotations:
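Review bot: The sizing logic is added only as commented-out template text (the `{{/* … */}}` blocks in this hunk, in `@@ -441`, and in `@@ -460`), so `$useDaemonSetSizing` is still computed but nothing reads it and `$sizes` always holds the single default entry. A caller who sets `OmsAgent.enableDaemonSetSizing` therefore gets neither an error nor per-size DaemonSets. Either drop the dead blocks until the feature is ready or keep the logic live behind the flag, and add a short comment above `$sizes` such as `{{- /* DaemonSet t-shirt sizing is not wired up in this chart yet; enableDaemonSetSizing is ignored */}}`. The untrimmed multi-line comments also render as whitespace-only lines inside the label maps.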
@@ -460,6 +477,11 @@ spec:
 component: ama-logs-agent
 tier: node
 kubernetes.azure.com/managedby: aks
+ {{/*
+ {{- if and $useDaemonSetSizing $size.name }}
+ kubernetes.azure.com/ds-tshirt-size: {{ $size.name }}
+ {{- end }}
+ */}}
 {{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }}
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ""
From 5bd1a759ed2683091659720060a8128af106fc12 Mon Sep 17 00:00:00 2001
From: longwan
Date: Thu, 30 Oct 2025 23:57:26 +0000
Subject: [PATCH 11/47] update chart
---
 charts/azuremonitor-containerinsights/templates/ama-logs.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
index 2a2f82e00..5f7a7d864 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs.yaml
@@ -423,7 +423,6 @@ metadata:
 {{- $sizes := list ($singleSize) -}}
 {{/* - if $useDaemonSetSizing - */}}
 {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}}
- {{/* - $sizes = .Values.OmsAgent.daemonSetSizingValues.tShirtSizes - */}}
 {{/* - $sizes = list ($singleSize) - */}}
 {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}}
 {{/* - end - */}}
From a7081919e31d310a233cac19a91be7577b53a808 Mon Sep 17 00:00:00 2001
From: longwan
Date: Fri, 31 Oct 2025 00:03:52 +0000
Subject: [PATCH 12/47] update pipeline
---
 .../ServiceGroupRoot/Scripts/pushChartToAcr.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh
index 25dc091e8..18348dff5 100644
--- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh
+++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh
@@ -70,7 +70,7 @@ push_local_chart_to_canary_region() {
 fi
 echo "generate chart package file"
- export CHART_FILE=$(helm package charts/azuremonitor-containers/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')
+ export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')
 if [ $? -eq 0 ]; then
 echo "chart package file generated successfully."
 else
From c32265cb624d5a6da9c0e1033dd721d8c91ec6ab Mon Sep 17 00:00:00 2001
From: longwan
Date: Fri, 31 Oct 2025 00:05:14 +0000
Subject: [PATCH 13/47] update pipeline
---
 charts/azuremonitor-containerinsights/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
index bf48c5669..6dd640f5f 100644
--- a/charts/azuremonitor-containerinsights/values.yaml
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -34,8 +34,8 @@ OmsAgent:
 workspaceKey: ""
 # Image configuration
- imageTagLinux: "3.1.31"
- imageTagWindows: "win-3.1.31"
+ imageTagLinux: "3.1.30
+ imageTagWindows: "win-3.1.30
 isImagePullPolicyAlways: false
 # Resource ID and cluster information
From 89032ea3496adb2c746ba431edf6a14f72929516 Mon Sep 17 00:00:00 2001
From: longwan
Date: Fri, 31 Oct 2025 21:05:25 +0000
Subject: [PATCH 14/47] update pipeline
---
 .pipelines/azure_pipeline_mergedbranches.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml
index 291772961..62a78d622 100644
--- a/.pipelines/azure_pipeline_mergedbranches.yaml
+++ b/.pipelines/azure_pipeline_mergedbranches.yaml
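Review bot: The `if [ $? -eq 0 ]` test that follows the changed `export CHART_FILE=$(helm package … | awk …)` line cannot detect a failed `helm package`: `$?` at that point is the exit status of `export`, and inside the substitution the pipeline reports awk's status unless `pipefail` is set. A packaging failure would therefore still take the "generated successfully" branch with an empty `CHART_FILE`. Since this line now decides which chart directory is packaged for the canary push, test the result itself, e.g. `if [ -n "$CHART_FILE" ] && [ -f "$CHART_FILE" ]; then`. The body of `push_local_chart_to_canary_region` continues outside the hunk.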
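Review bot: Both new tag values in the values.yaml hunk are missing their closing quote (`imageTagLinux: "3.1.30` and `imageTagWindows: "win-3.1.30`), which leaves an unterminated double-quoted scalar and makes the file unparseable from that point on. The lines should read `imageTagLinux: "3.1.30"` and `imageTagWindows: "win-3.1.30"`. The change also moves the tags back from 3.1.31 to 3.1.30 under a subject that only mentions the pipeline; if the downgrade is intended, the commit message should say why. Running `helm lint` on the chart before packaging would catch this class of error.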
@@ -90,7 +90,7 @@ extends:
 cd $(Build.SourcesDirectory)/deployment/mergebranch-multiarch-agent-deployment/ServiceGroupRoot/Scripts
 tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh
 cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts
- tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ pushChartToAcr.sh
+ tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights/ ../../../../charts/azuremonitor-containers-geneva/ pushChartToAcr.sh
 cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2/ServiceGroupRoot/Scripts
 tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh
 windowsAMAUrl=""
From b72dcceed8ffe0f3a915bcffdf1c4d06bb06cab8 Mon Sep 17 00:00:00 2001
From: longwan
Date: Fri, 31 Oct 2025 22:57:34 +0000
Subject: [PATCH 15/47] update chart
---
 charts/azuremonitor-containerinsights/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
index 6dd640f5f..1eed6b9bb 100644
--- a/charts/azuremonitor-containerinsights/values.yaml
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -34,8 +34,8 @@ OmsAgent:
 workspaceKey: ""
 # Image configuration
- imageTagLinux: "3.1.30
- imageTagWindows: "win-3.1.30
+ imageTagLinux: "3.1.30"
+ imageTagWindows: "win-3.1.30"
 isImagePullPolicyAlways: false
 # Resource ID and cluster information
From 49447f2a7feec053a5bbbe1dcfd0446263dcc157 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 3 Nov 2025 21:12:25 +0000
Subject: [PATCH 16/47] use existing chart name
---
 charts/azuremonitor-containerinsights/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml
index adaf47c50..1f28ac685 100644
--- a/charts/azuremonitor-containerinsights/Chart.yaml
+++ b/charts/azuremonitor-containerinsights/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 description: azure-monitor-containers helm chart
-name: azuremonitor-containers-extension
+name: azuremonitor-containers
 version: 3.2.1-aks-beta-1
From ed44b859c23e134af36560a9dbce25250d4bdc4e Mon Sep 17 00:00:00 2001
From: longwan
Date: Thu, 20 Nov 2025 23:35:26 +0000
Subject: [PATCH 17/47] add and change default values for toggle
---
 charts/azuremonitor-containerinsights/values.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
index 1eed6b9bb..ffef5de38 100644
--- a/charts/azuremonitor-containerinsights/values.yaml
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -67,7 +67,7 @@ OmsAgent:
 omsAgentMultitenancyHPAAvgMemoryUtilization: 700
 # Feature flags
- isSyslogEnabled: false
+ isSyslogEnabled: true
 isPrometheusMetricsScrapingDisabled: false
 isSidecarScrapingEnabled: true
 isRSVPAEnabled: false
@@ -75,15 +75,15 @@ OmsAgent:
 isResourceOptimizationEnabled: false
 isWindowsAMAFluentBitEnabled: false
 isMultitenancyLogsEnabled: false
- isWindowsBurstableQoSEnabled: false
+ isWindowsBurstableQoSEnabled: true
 isTelegrafLivenessprobeEnabled: false
- isWindowsAMAEnabled: false
+ isWindowsAMAEnabled: true
 isWindowsAddonTokenAdapterDisabled: false
 legacyAddonDelivery: false
- # # Network settings
- # syslogHostPort: "28330"
- # shouldMountSyslogHostPort: false
+ # Network settings
+ syslogHostPort: "28330"
+ shouldMountSyslogHostPort: true
 # httpProxy: ""
 # httpsProxy: ""
 # trustedCA: ""
From 9b38e1c8fde8fe4e544780455559e1bfad33be72 Mon Sep 17 00:00:00 2001
From: longwan
Date: Fri, 21 Nov 2025 19:11:50 +0000
Subject: [PATCH 18/47] removed unsed tql
---
 .../templates/_aks_hostaliases.tpl | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl
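Review bot: Setting `isSyslogEnabled` and `shouldMountSyslogHostPort` to `true` and un-commenting `syslogHostPort: "28330"` (the `@@ -67` and `@@ -75` hunks of values.yaml) turns syslog collection on a host port into the default for every install of this chart. The templates that consume these values are outside the hunks, but if they map the value to a `hostPort`, each node would gain a listener on 28330 without the operator opting in. Keep defaults that change network exposure off and let callers enable them, or document the effect next to the values, e.g. `# syslogHostPort: node port the agent listens on for syslog; enable only where access to it is restricted`. The commit subject should also name the flags whose defaults changed, so the behaviour change is visible in history.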
diff --git a/charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl b/charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl
deleted file mode 100644
index 1b1637a91..000000000
--- a/charts/azuremonitor-containerinsights/templates/_aks_hostaliases.tpl
+++ /dev/null
@@ -1,21 +0,0 @@
-{- /*
- This function adds the hostAliases for tigera operator.
-*/ -}}
-{{- define "podspec.tigeraHostaliases" -}}
-{{- if and .Values.global.commonGlobals.PrivateLink.privateIP -}}
-hostAliases:
-- hostnames:
- - {{ .Values.global.commonGlobals.endpointFQDN }}
- ip: {{ .Values.global.commonGlobals.PrivateLink.privateIP }}
-{{- else if and .Values.global.commonGlobals.PrivateConnect.enabled .Values.global.commonGlobals.PrivateConnect.privateIP -}}
-hostAliases:
-- hostnames:
- - {{ .Values.global.commonGlobals.endpointFQDN }}
- ip: {{ .Values.global.commonGlobals.PrivateConnect.privateIP }}
-{{- else if and .Values.global.commonGlobals.CCPPool.enabled .Values.global.commonGlobals.CCPPool.ccpSvcIP -}}
-hostAliases:
-- hostnames:
- - {{ .Values.global.commonGlobals.endpointFQDN }}
- ip: {{ .Values.global.commonGlobals.CCPPool.ccpSvcIP }}
-{{- end -}}
-{{- end -}}
From be97f6b4052691386561e677c94ac998c39227e0 Mon Sep 17 00:00:00 2001
From: longwan
Date: Fri, 21 Nov 2025 19:40:24 +0000
Subject: [PATCH 19/47] bump chart version
---
 charts/azuremonitor-containerinsights/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml
index 1f28ac685..3442e6c44 100644
--- a/charts/azuremonitor-containerinsights/Chart.yaml
+++ b/charts/azuremonitor-containerinsights/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 description: azure-monitor-containers helm chart
 name: azuremonitor-containers
-version: 3.2.1-aks-beta-1
+version: 3.2.1-aks-beta-2
From 8022eed4a83e1f6ec82b939e8aa8e483fe1fe35b Mon Sep 17 00:00:00 2001
From: longwan
Date: Wed, 4 Feb 2026 19:43:16 +0000
Subject: [PATCH 20/47] bump chart version
---
 charts/azuremonitor-containerinsights/Chart.yaml | 2 +-
 charts/azuremonitor-containerinsights/values.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml
index 3442e6c44..824b36023 100644
--- a/charts/azuremonitor-containerinsights/Chart.yaml
+++ b/charts/azuremonitor-containerinsights/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 description: azure-monitor-containers helm chart
 name: azuremonitor-containers
-version: 3.2.1-aks-beta-2
+version: 3.2.1-aks-beta-3
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
index ffef5de38..8b8369a5a 100644
--- a/charts/azuremonitor-containerinsights/values.yaml
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -34,8 +34,8 @@ OmsAgent:
 workspaceKey: ""
 # Image configuration
- imageTagLinux: "3.1.30"
- imageTagWindows: "win-3.1.30"
+ imageTagLinux: "3.1.34"
+ imageTagWindows: "win-3.1.34"
 isImagePullPolicyAlways: false
 # Resource ID and cluster information
From 93d1e6baa8551dec36066cfaf64eca36784009ef Mon Sep 17 00:00:00 2001
From: longwan Date: Fri, 6 Feb 2026 22:37:34 +0000 Subject: [PATCH 21/47] update and consolidate helper method --- .../templates/_aks_addon-images.tpl | 377 ---------- .../templates/_aks_common.tpl | 153 ---- .../templates/_aks_helpers.tpl | 303 -------- .../templates/_aks_images.tpl | 655 ------------------ .../templates/_helpers.tpl | 67 ++ 5 files changed, 67 insertions(+), 1488 deletions(-) delete mode 100644 charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl delete mode 100644 charts/azuremonitor-containerinsights/templates/_aks_common.tpl delete mode 100644 charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl delete mode 100644 charts/azuremonitor-containerinsights/templates/_aks_images.tpl create mode 100644 charts/azuremonitor-containerinsights/templates/_helpers.tpl diff --git a/charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl b/charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl deleted file mode 100644 index 623f2472d..000000000 --- a/charts/azuremonitor-containerinsights/templates/_aks_addon-images.tpl +++ /dev/null 
@@ -1,377 +0,0 @@ -{{/* Auto-generated by versioning tooling, do not edit. See /toolkit/versioning/README.md for more information. */}} -{{- define "get.addonImageTag" -}} - {{- if eq .component "aci-connector-linux" -}} - {{- if semverCompare ">=1.26.0" .version -}}1.6.2 - {{- else if semverCompare ">=1.25.0" .version -}}1.6.1 - {{- else if semverCompare ">=1.24.0" .version -}}1.6.0 - {{- else -}}1.4.16 - {{- end -}} - {{- else if eq .component "addon-resizer" -}} -v1.8.23-4 - {{- else if eq .component "ai-toolchain-operator" -}} -0.6.0 - {{- else if eq .component "aks-windows-gpu-device-plugin" -}} -0.0.19 - {{- else if eq .component "ama-logs-linux" -}} -3.1.28 - {{- else if eq .component "ama-logs-win" -}} -win-3.1.28 - {{- else if eq .component "app-routing-operator" -}} -0.0.3 - {{- else if eq .component "azure-monitor-metrics-cfg-reader" -}} -6.21.1-main-08-15-2025-f5f679d6-cfg - {{- else if eq .component "azure-monitor-metrics-ksm" -}} -v2.15.0-4 - {{- else if eq .component "azure-monitor-metrics-linux" -}} -6.21.1-main-08-15-2025-f5f679d6 - {{- else if eq .component "azure-monitor-metrics-target-allocator" -}} -6.21.1-main-08-15-2025-f5f679d6-targetallocator - {{- else if eq .component "azure-monitor-metrics-windows" -}} -6.21.1-main-08-15-2025-f5f679d6-win - {{- else if eq .component "azure-npm-image" -}} -v1.6.33 - {{- else if eq .component "azure-npm-image-windows" -}} -v1.5.5 - {{- else if eq .component "azure-policy" -}} - {{- if semverCompare ">=1.27.0" .version -}}1.13.0 - {{- else if semverCompare ">=1.25.0" .version -}}1.4.0 - {{- else if semverCompare ">=1.24.0" .version -}}1.0.1 - {{- else if semverCompare ">=1.21.0" .version -}}0.0.3 - {{- else -}}0.0.1 - {{- end -}} - {{- else if eq .component "azure-policy-webhook" -}} - {{- if semverCompare ">=1.27.0" .version -}}1.13.0 - {{- else if semverCompare ">=1.25.0" .version -}}1.4.0 - {{- else if semverCompare ">=1.24.0" .version -}}1.0.1 - {{- else if semverCompare ">=1.21.0" .version -}}0.0.3 - 
{{- else if semverCompare ">=1.18.0" .version -}}0.0.2 - {{- else -}}0.0.1 - {{- end -}} - {{- else if eq .component "certgen" -}} -v0.1.9 - {{- else if eq .component "cilium-agent" -}} - {{- if semverCompare ">=1.29.0" .version -}}1.14.10-1 - {{- else if semverCompare ">=1.27.0" .version -}}1.13.13-3 - {{- else -}}1.12.10-5 - {{- end -}} - {{- else if eq .component "cilium-envoy" -}} -v1.31.5-250218 - {{- else if eq .component "cilium-operator-generic" -}} - {{- if semverCompare ">=1.29.0" .version -}}1.14.10 - {{- else if semverCompare ">=1.27.0" .version -}}1.13.13 - {{- else -}}1.12.10 - {{- end -}} - {{- else if eq .component "cloud-provider-node-manager-linux" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.0 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.6 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 - {{- else if semverCompare ">=1.28.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 - {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.21 - {{- else if semverCompare ">=1.23.0" .version -}}v1.23.24 - {{- else if semverCompare ">=1.22.0" .version -}}v1.1.14 - {{- else if semverCompare ">=1.21.0" .version -}}v1.0.18 - {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 - {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 - {{- else -}}v0.5.1.4 - {{- end -}} - {{- else if eq .component "cloud-provider-node-manager-windows" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.0 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.6 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 - {{- else if semverCompare 
">=1.28.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 - {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.21 - {{- else if semverCompare ">=1.23.0" .version -}}v1.23.24 - {{- else if semverCompare ">=1.22.0" .version -}}v1.1.14 - {{- else if semverCompare ">=1.21.0" .version -}}v1.0.18 - {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 - {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 - {{- else -}}v0.5.1 - {{- end -}} - {{- else if eq .component "cluster-proportional-autoscaler" -}} - {{- if semverCompare ">=1.32.0" .version -}}v1.9.0-2 - {{- else if semverCompare ">=1.27.0" .version -}}v1.8.11-5 - {{- else if semverCompare ">=1.22.0" .version -}}v1.8.8 - {{- else if semverCompare ">=1.18.0" .version -}}1.8.3 - {{- else -}}1.7.1-hotfix.20200403 - {{- end -}} - {{- else if eq .component "container-networking-cilium-agent" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 - {{- else if semverCompare ">=1.29.0" .version -}}v1.14.19-250129 - {{- else if semverCompare ">=1.27.0" .version -}}v1.13.18-241024 - {{- else -}}v1.14.19-250129 - {{- end -}} - {{- else if eq .component "container-networking-cilium-operator-generic" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 - {{- else if semverCompare ">=1.29.0" .version -}}v1.14.19-250129 - {{- else if semverCompare ">=1.27.0" .version -}}v1.13.18-241024 - {{- else -}}v1.14.19-250129 - {{- end -}} - {{- else if eq .component "coredns" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.12.1-2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.11.3-8 - {{- else if semverCompare ">=1.24.0" .version -}}v1.9.4-6 - {{- else if semverCompare ">=1.20.0" .version -}}v1.8.7 - {{- else -}}1.6.6 - {{- end -}} - {{- else if eq .component "cost-analysis-agent" -}} -v0.0.24 - {{- else if eq .component 
"cost-analysis-opencost" -}} -v1.111.0 - {{- else if eq .component "cost-analysis-prometheus" -}} -v2.54.1 - {{- else if eq .component "cost-analysis-victoria-metrics" -}} -v1.103.0 - {{- else if eq .component "extension-config-agent" -}} -1.28.0 - {{- else if eq .component "extension-manager" -}} -1.28.0 - {{- else if eq .component "fqdn-policy" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 - {{- else -}}v1.14.19-250129 - {{- end -}} - {{- else if eq .component "gpu-provisioner" -}} -0.3.5 - {{- else if eq .component "health-probe-proxy" -}} -v1.29.1 - {{- else if eq .component "hubble-relay" -}} -v1.15.0 - {{- else if eq .component "identity-binding-workload-identity-webhook" -}} -v1.6.0-alpha.1 - {{- else if eq .component "image-cleaner" -}} -v1.4.0-4 - {{- else if eq .component "ingress-appgw" -}} - {{- if semverCompare ">=1.27.0" .version -}}1.8.1 - {{- else if semverCompare ">=1.19.0" .version -}}1.5.3 - {{- else -}}1.4.0 - {{- end -}} - {{- else if eq .component "ip-masq-agent-v2" -}} -v0.1.15-2 - {{- else if eq .component "ipv6-hp-bpf" -}} - {{- if semverCompare ">=1.29.0" .version -}}v0.0.1 - {{- else -}}v0.0.1 - {{- end -}} - {{- else if eq .component "keda" -}} - {{- if semverCompare ">=1.33.0" .version -}}2.17.1 - {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 - {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 - {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 - {{- else if semverCompare ">=1.26.0" .version -}}2.10.1 - {{- else if semverCompare ">=1.23.0" .version -}}2.9.3 - {{- else -}}2.8.1 - {{- end -}} - {{- else if eq .component "keda-admission-webhooks" -}} - {{- if semverCompare ">=1.33.0" .version -}}2.17.1 - {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 - {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 - {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 - {{- else -}}2.10.1 - {{- end -}} - {{- else if eq .component "keda-metrics-apiserver" -}} - {{- if semverCompare ">=1.33.0" 
.version -}}2.17.1 - {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 - {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 - {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 - {{- else if semverCompare ">=1.26.0" .version -}}2.10.1 - {{- else if semverCompare ">=1.23.0" .version -}}2.9.3 - {{- else -}}2.8.1 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-cni" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-cni-ipam" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-cnimanager" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-daemon" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-daemon-init" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "local-csi-driver" -}} -v0.2.4 - {{- else if eq .component "local-csi-driver-csi-provisioner" -}} -v5.2.0 - {{- else if eq .component "local-csi-driver-csi-resizer" -}} -v1.13.2 - {{- else if eq .component "local-csi-driver-registrar" -}} -v2.13.0 - {{- else if eq .component "metrics-server" -}} - {{- if semverCompare ">=1.32.0" .version -}}v0.7.2-7 - {{- else if semverCompare ">=1.24.0" .version -}}v0.6.3-6 - {{- else if semverCompare ">=1.22.0" .version -}}v0.5.2 - {{- else if semverCompare ">=1.21.0" .version -}}v0.4.5 - {{- else if semverCompare ">=1.8.0" .version -}}v0.3.6 - {{- else -}}v0.2.1 - {{- end -}} - {{- else if eq .component "microsoft-defender-admission-controller" -}} -20250706.3 - {{- else if eq .component "microsoft-defender-low-level-collector" -}} - {{- if semverCompare ">=1.25.0" .version -}}2.0.221 - {{- else -}}1.3.81 - {{- end -}} - 
{{- else if eq .component "microsoft-defender-low-level-init" -}} -1.3.81 - {{- else if eq .component "microsoft-defender-old-file-cleaner" -}} -1.0.273 - {{- else if eq .component "microsoft-defender-pod-collector" -}} -1.0.202 - {{- else if eq .component "microsoft-defender-security-publisher" -}} -1.0.273 - {{- else if eq .component "open-policy-agent-gatekeeper" -}} - {{- if semverCompare ">=1.27.0" .version -}}v3.20.0-1 - {{- else if semverCompare ">=1.25.0" .version -}}v3.14.2 - {{- else if semverCompare ">=1.24.0" .version -}}v3.11.1 - {{- else if semverCompare ">=1.21.0" .version -}}v3.8.1 - {{- else if semverCompare ">=1.18.0" .version -}}v3.7.1 - {{- else -}}v3.4.1 - {{- end -}} - {{- else if eq .component "osm-bootstrap" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-controller" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-crds" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-healthcheck" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.1.0 - {{- end -}} - {{- else if eq .component "osm-init" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-injector" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-sidecar" -}} - {{- if semverCompare ">=1.25.0" .version -}}v1.32.2-hotfix.20241216 - {{- else if semverCompare 
">=1.24.0" .version -}}v1.25.9-hotfix.20231002 - {{- else -}}v1.19.1 - {{- end -}} - {{- else if eq .component "overlay-vpa" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.2.1-1 - {{- else if semverCompare ">=1.27.0" .version -}}v1.0.0-1 - {{- else if semverCompare ">=1.25.0" .version -}}0.13.0 - {{- else -}}0.11.0 - {{- end -}} - {{- else if eq .component "overlay-vpa-webhook-generation" -}} -master.250827.1 - {{- else if eq .component "ratify-base" -}} -v1.2.3 - {{- else if eq .component "retina-agent" -}} -v1.0.0-rc2 - {{- else if eq .component "retina-agent-enterprise" -}} -v0.1.11 - {{- else if eq .component "retina-agent-win" -}} -v1.0.0-rc2 - {{- else if eq .component "retina-operator" -}} -v0.1.11 - {{- else if eq .component "secrets-store-csi-driver" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.5.3 - {{- else if semverCompare ">=1.24.0" .version -}}v1.3.4-1 - {{- else -}}v1.3.0.3 - {{- end -}} - {{- else if eq .component "secrets-store-csi-driver-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.5.3 - {{- else if semverCompare ">=1.24.0" .version -}}v1.3.4 - {{- else -}}v1.3.0 - {{- end -}} - {{- else if eq .component "secrets-store-driver-registrar-linux" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.13.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 - {{- else -}}v2.6.2 - {{- end -}} - {{- else if eq .component "secrets-store-driver-registrar-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.13.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 - {{- else -}}v2.6.2 - {{- end -}} - {{- else if eq .component "secrets-store-livenessprobe-linux" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.15.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 - {{- else -}}v2.8.0 - {{- end -}} - {{- else if eq .component "secrets-store-livenessprobe-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.15.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 - {{- else 
-}}v2.8.0 - {{- end -}} - {{- else if eq .component "secrets-store-provider-azure" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.7.0 - {{- else if semverCompare ">=1.24.0" .version -}}v1.4.1 - {{- else -}}v1.4.0 - {{- end -}} - {{- else if eq .component "secrets-store-provider-azure-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.7.0 - {{- else if semverCompare ">=1.24.0" .version -}}v1.4.1 - {{- else -}}v1.4.0 - {{- end -}} - {{- else if eq .component "sgx-attestation" -}} -3.3.1 - {{- else if eq .component "sgx-plugin" -}} -1.0.0 - {{- else if eq .component "sgx-webhook" -}} -1.2.2 - {{- else if eq .component "tigera-operator" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.38.3 - {{- else if semverCompare ">=1.32.0" .version -}}v1.36.11 - {{- else if semverCompare ">=1.30.0" .version -}}v1.34.13 - {{- else if semverCompare ">=1.29.0" .version -}}v1.30.11 - {{- else if semverCompare ">=1.24.0" .version -}}v1.28.13 - {{- else -}}v1.23.8 - {{- end -}} - {{- else if eq .component "windows-gmsa-webhook-image" -}} -v0.12.1-2 - {{- else if eq .component "workload-identity-webhook" -}} -v1.5.1 - {{- end -}} -{{- end -}} - -{{/* Auto-generated by servicemesh tooling, do not edit. See /toolkit/servicemesh/README.md for more information. 
*/}} -{{- define "get.istioImageTag" -}} - {{- if eq .component "azure-service-mesh-istio" -}} - {{- if eq "asm-1-27" .revision -}}1.27.0-1 - {{- else if eq "asm-1-26" .revision -}}1.26.3-2 - {{- else if eq "asm-1-25" .revision -}}1.25.3-4 - {{- else if eq "asm-1-24" .revision -}}1.24.6 - {{- else if eq "asm-1-23" .revision -}}1.23.6-hotfix.20250515 - {{- else if eq "asm-1-22" .revision -}}1.22.7 - {{- else if eq "asm-1-21" .revision -}}1.21.6 - {{- else if eq "asm-1-20" .revision -}}1.20.8 - {{- else if eq "asm-1-19" .revision -}}1.19.10-hotfix.20240528 - {{- else if eq "asm-1-18" .revision -}}1.18.7-hotfix.20240210 - {{- else if eq "asm-1-17" .revision -}}1.17.8 - {{- else -}}not-in-use-9.99.9 - {{- end -}} - {{- end -}} -{{- end -}} diff --git a/charts/azuremonitor-containerinsights/templates/_aks_common.tpl b/charts/azuremonitor-containerinsights/templates/_aks_common.tpl deleted file mode 100644 index 29c0c4610..000000000 --- a/charts/azuremonitor-containerinsights/templates/_aks_common.tpl +++ /dev/null 
@@ -1,153 +0,0 @@
-{{/* MCR repository template for adapter charts */}}
-{{- define "mcr_repository_base_adapter_chart" }}
-{{- $cloud_environment := ((index .Values.v1 "commonGlobals").CloudEnvironment | default "AZUREPUBLICCLOUD") }}
-{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
-{{- "mcr.azk8s.cn" }}
-{{- else if (eq $cloud_environment "USNat") }}
-{{- "mcr.microsoft.eaglex.ic.gov" }}
-{{- else if (eq $cloud_environment "USSec") }}
-{{- "mcr.microsoft.scloud" }}
-{{- else }}
-{{- "mcr.microsoft.com" }}
-{{- end }}
-{{- end }}
-
-{{/* MCR repository template for addon charts */}}
-{{- define "mcr_repository_base" }}
-{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }}
-{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
-{{- "mcr.azk8s.cn" }}
-{{- else if (eq $cloud_environment "USNat") }}
-{{- "mcr.microsoft.eaglex.ic.gov" }}
-{{- else if (eq $cloud_environment "USSec") }}
-{{- "mcr.microsoft.scloud" }}
-{{- else }}
-{{- "mcr.microsoft.com" }}
-{{- end }}
-{{- end }}
-
-{{- define "addon_mcr_repository_base" }}
-{{- template "mcr_repository_base" . }}
-{{- end }}
-
-{{/* ccp_image_repository_base_by_component returns the image repository to use for a ccp component.
- Caller should provide the "component" (the ccp component name), "version" (the ccp k8s version) and "Values" (the helm values object) parameters:
-
- {{- with $image_settings := (dict "component" "kube-apiserver" "version" .Values.global.commonGlobals.Versions.Kubernetes "Values" .Values) }}
- {{ include "ccp_image_repository_base_by_component" $image_settings }}
- {{- end }}
-
- The component name and k8s version will be concatenated as "-" to look up the override in the toggle.
-
- When the `use-internal-container-image-override-component` toggle is enabled for the specified component and k8s version, a cloud based
- private repository will be used, otherwise, the value will fallback to `mcr_repoistory_base`.
- Components that expect to be included in the embargo process should use this ACR repository. */}}
-{{- define "ccp_image_repository_base_by_component" }}
- {{- $key := (print .component "-" .version) }}
- {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
- {{- template "ccp_image_repository_base" . }}
- {{- else }}
- {{- template "mcr_repository_base" . }}
- {{- end }}
-{{- end }}
-
-{{/* ccp_image_repository_base returns the ACR repository for embargoed CVE images.
- This template is intended to be called by ccp_image_repository_base_by_component and acr pull template only.
- Caller should use ccp_image_repository_base_by_component for component based value. */}}
-{{- define "ccp_image_repository_base" }}
- {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | upper | default "AZUREPUBLICCLOUD") }}
- {{- if (or (eq $cloud_environment "AZUREUSGOVCLOUD") (eq $cloud_environment "AZUREUSGOVERNMENTCLOUD")) }}
- {{- "acsdeployment.azurecr.us"}}
- {{- else if (eq $cloud_environment "AZURECHINACLOUD") }}
- {{- "acsdeployment.azurecr.cn" }}
- {{- else if (eq $cloud_environment "USNAT") }}
- {{- "acsdeployment.azurecr.eaglex.ic.gov" }}
- {{- else if (eq $cloud_environment "USSEC") }}
- {{- "acsdeployment.azurecr.microsoft.scloud" }}
- {{- else }}
- {{- "acsproddeployment.azurecr.io" }}
- {{- end }}
-{{- end }}
-
-{{/* ccp_get_imagetag_by_component returns the image tag to use for a ccp component.
- Caller should provide the "component" (the ccp component name), "version" (the ccp k8s version) and "Values" (the helm values object) parameters:
-
- {{- with $image_settings := (dict "component" "kube-apiserver" "version" .Values.global.commonGlobals.Versions.Kubernetes "Values" .Values) }}
- {{ include "ccp_get_imagetag_by_component" $image_settings }}
- {{- end }}
-
- When the `use-internal-container-image-override-component` toggle is enabled for the specified component and k8s version,
- the override tag will be used, otherwise, the value will fallback to `get.imagetag`.
-
- See also: ccp_image_repository_base_by_component */}}
-{{- define "ccp_get_imagetag_by_component" }}
- {{- $key := (print .component "-" .version) }}
- {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
- {{- (index .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
- {{- else }}
- {{- template "get.imagetag" . }}
- {{- end }}
-{{- end }}
-
-{{/* ccp_get_ccpImageTag_by_component uses "get.ccpImageTag" as fallback.
-
- See also: ccp_get_imagetag_by_component */}}
-{{- define "ccp_get_ccpImageTag_by_component" }}
- {{- $key := (print .component "-" .version) }}
- {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
- {{- (index .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }}
- {{- else }}
- {{- template "get.ccpImageTag" . }}
- {{- end }}
-{{- end }}
-
-{{/* nodeaffinity on nodepool */}}
-{{- define "nodepool_affinity" -}}
-{{- if .Values.global.commonGlobals.requireDedicatedNodepool -}}
-preferredDuringSchedulingIgnoredDuringExecution:
-- weight: 100
- preference:
- matchExpressions:
- - key: agentpool
- operator: In
- values:
- - cx-{{ .Values.global.CCPID }}
-{{- else -}}
-requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: agentpool
- operator: In
- values:
- - agentpool1
-{{- end -}}
-{{- end -}}
-
-{{- define "addon_nodepool_mode_affinity_hard" -}}
-{{- if .Values.global.commonGlobals.addonRequireSystemPool }}
-- key: kubernetes.azure.com/mode
- operator: In
- values:
- - system
-{{- end -}}
-{{- end -}}
-
-{{- define "addon_nodepool_mode_affinity_soft" -}}
-{{- if not .Values.global.commonGlobals.addonRequireSystemPool }}
-- weight: 100
- preference:
- matchExpressions:
- - key: kubernetes.azure.com/mode
- operator: In
- values:
- - system
-{{- end -}}
-{{- end -}}
-
-{{/* tolerations on nodepool */}}
-{{- define "nodepool_toleration" -}}
-- key: "agentpool"
- operator: "Equal"
- value: "cx-{{ .Values.global.CCPID }}"
- effect: "NoExecute"
-{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl b/charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl
deleted file mode 100644
index f14bd9147..000000000
--- a/charts/azuremonitor-containerinsights/templates/_aks_helpers.tpl
+++ /dev/null
@@ -1,303 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Values.global.commonGlobals.CCPID $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/* Both formats are needed because the template is used by other adapter charts */}}
-{{- define "enableKonnectivity" -}}
-{{- $commonGlobals := "" }}
-{{- if .Values.v1 }}
-{{- $commonGlobals = (index .Values.v1 "commonGlobals") }}
-{{- else }}
-{{- $commonGlobals = .Values.global.commonGlobals }}
-{{- end -}}
-{{- if $commonGlobals.Konnectivity -}}
-{{- if kindIs "invalid" $commonGlobals.Konnectivity.Enabled -}}
-true
-{{- else if $commonGlobals.Konnectivity.Enabled -}}
-true
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/* apiserver endpoint */}}
-{{- define "apiserver_endpoint" }}
-{{- if .Values.global.commonGlobals.PrivateConnect.enabled }}
-{{- .Values.global.commonGlobals.PrivateConnect.privateIP }}
-{{- else }}
-{{- .Values.global.commonGlobals.endpointFQDN }}
-{{- end }}
-{{- end }}
-
-{{- define "enableApiserverProxyForKms" -}}
-{{- if and .Values.global.commonGlobals.PrivateConnect.enabled (ne .Values.global.AzureKeyVaultKms.keyVaultNetworkAccess "Private") -}}
-true
-{{- else if not (or .Values.global.commonGlobals.TunnelOpenVPN.Enabled (include "enableKonnectivityWithEgressSelector" .)) -}}
-true
-{{- end -}}
-{{- end -}}
-
-{{- define "enableAzureKmsProviderProxy" -}}
-{{- if and .Values.global.AzureKeyVaultKms.enabled (include "enableKonnectivityWithEgressSelector" .) -}}
-{{- if eq .Values.global.AzureKeyVaultKms.keyVaultNetworkAccess "Private" -}}
-true
-{{- else if .Values.global.AzureKeyVaultKms.previousKey -}}
-{{- if eq .Values.global.AzureKeyVaultKms.previousKey.keyVaultNetworkAccess "Private" -}}
-true
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "enableKonnectivityProxyPodAndSvcCIDROnly" -}}
-{{- if (include "enableKonnectivity" .) -}}
-{{- if .Values.global.commonGlobals.Konnectivity.ProxyPodAndSvcCIDROnly -}}
-true
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "enableKonnectivityWithEgressSelector" -}}
-{{- if (include "enableKonnectivity" .) -}}
-{{- if not .Values.global.commonGlobals.Konnectivity.ProxyPodAndSvcCIDROnly -}}
-true
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "enableKonnectivityServerPreStop" -}}
-{{- if (include "enableKonnectivity" .) -}}
-{{- if .Values.global.commonGlobals.Konnectivity.enableKonnectivityServerPreStop -}}
-{{- if semverCompare ">=1.28.0" .Values.global.commonGlobals.Versions.Kubernetes -}}
-true
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "enableKonnectivityServerSeparateCert" -}}
- {{- if (include "enableKonnectivity" .) -}}
- {{- if .Values.global.commonGlobals.Konnectivity.EnableSeparateServerCert -}}
- {{- if semverCompare (printf ">=%s" .Values.global.commonGlobals.Konnectivity.EnableSeparateServerCertFromK8sVersion) .Values.global.commonGlobals.Versions.Kubernetes -}}
- true
- {{- end -}}
- {{- end -}}
- {{- end -}}
-{{- end -}}
-
-{{- define "loggingResourceId" -}}
-{{- if .Values.global.commonGlobals.FleetHubProfile.isHubCluster }}
-{{- .Values.global.commonGlobals.FleetHubProfile.fleetResourceID }}
-{{- else }}
-{{- .Values.global.commonGlobals.Customer.AzureResourceID }}
-{{- end }}
-{{- end }}
-
-{{/*
-Get the value of override update mode annotation,
-default is "disabled" and only support "enabled" and "disabled" currently.
-Return none and fall back to "disabled" if the value is not supported or current VPA is not existed.
-*/}}
-{{- define "getOverrideUpdateModeAnnotation" -}}
-{{- if .current }}
- {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-update-mode") "enabled" }}
- {{- "enabled" }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Try to get the override updateMode value if the override update mode annotation is enabled,
-and the current VPA cr is existed. If not, return none and use the default updateMode "Initial"
-*/}}
-{{- define "getUpdateMode" -}}
-{{- if .current }}
- {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-update-mode") "enabled" }}
- {{- dict "current" .current | include "getOverrideUpdateMode" }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Get the value of override VPA update mode, user can override the updateMode in VPA cr
-when the override update mode annotation is enabled, return none and use the default
-updateMode value if the user input is invalid or any property is not existed
-*/}}
-{{- define "getOverrideUpdateMode" -}}
-{{- /*
-Use parentheses () to check the nested values existed due to the limitation of Helm
-https://github.com/helm/helm/issues/8026
-*/}}
-{{- if ((((.current).spec).updatePolicy).updateMode) }}
- {{- if (dict "updateMode" .current.spec.updatePolicy.updateMode | include "isValidUpdateMode" ) }}
- {{- .current.spec.updatePolicy.updateMode | quote }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Check if the update mode is valid,
-only support "Off", "Initial" and "Auto" update mode currently
-*/}}
-{{- define "isValidUpdateMode" -}}
-{{- if not (has .updateMode (list "Recreate")) }}
-true
-{{- end }}
-{{- end -}}
-
-{{/*
-Get the value of override min/max annotation,
-default is "disabled" and only support "enabled" and "disabled" currently.
-Return none and fall back to "disabled" if the value is not supported.
-*/}}
-{{- define "getOverrideMinMaxAnnotation" -}}
-{{- if .current }}
- {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-min-max") "enabled" }}
- {{- "enabled" }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Try to get the user override vpa min/max allowed value if the override min/max allowed annotation is enabled,
-and the current VPA cr is existed.
-If not, return none and use the default min/max allowed value.
-*/}}
-{{- define "getAllowedValue" -}}
-{{- if .current }}
- {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-min-max") "enabled" }}
- {{- (dict "current" .current "containerName" .containerName "resource" .resource) | include "getOverrideAllowedValue" }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Find the target container policy in VPA containerPolicies array
-*/}}
-{{- define "getVpaContainer" -}}
- {{- $name := .containerName }}
- {{- range $container := .containerPolicies }}
- {{- if eq $name $container.containerName }}
- {{- toYaml $container }}
- {{- end }}
- {{- end }}
-{{- end -}}
-
-{{/*
-Get the user override vpa min/max allowed value from target container in current existing vpa cr
-*/}}
-{{- define "getOverrideAllowedValue" -}}
-{{- /*
-Use parentheses () to check the nested values existed due to the limitation of Helm
-https://github.com/helm/helm/issues/8026
-*/}}
-{{- $container := (dict "containerName" .containerName "containerPolicies" .current.spec.resourcePolicy.containerPolicies) | include "getVpaContainer" | fromYaml }}
-{{- if eq .resource "maxCPU" }}
- {{- if ((($container).maxAllowed).cpu) }}
- {{- $container.maxAllowed.cpu }}
- {{- end }}
-{{- end }}
-{{- if eq .resource "maxMemory" }}
- {{- if ((($container).maxAllowed).memory) }}
- {{- $container.maxAllowed.memory }}
- {{- end }}
-{{- end }}
-{{- if eq .resource "minCPU" }}
- {{- if ((($container).minAllowed).cpu) }}
- {{- $container.minAllowed.cpu }}
- {{- end }}
-{{- end }}
-{{- if eq .resource "minMemory" }}
- {{- if ((($container).minAllowed).memory) }}
- {{- $container.minAllowed.memory }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Get the value of override requests limits annotation,
-default is "disabled" and only support "enabled" and "disabled" currently.
-Return none and fall back to "disabled" if the value is not supported.
-*/}}
-{{- define "getOverrideRequestsLimitsAnnotation" -}}
-{{- if .current }}
- {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-requests-limits") "enabled" }}
- {{- "enabled" }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Find target container in deployment / daemonset containers property
-*/}}
-{{- define "getContainer" -}}
- {{- $name := .containerName }}
- {{- range $container := .containers }}
- {{- if eq $name $container.name }}
- {{- toYaml $container }}
- {{- end }}
- {{- end }}
-{{- end -}}
-
-{{/*
-Get user override resource requests/limits value from target container in existing deployment / daemonset
-*/}}
-{{- define "getOverrideRequestsLimitsValue" -}}
-{{- $container := (dict "containerName" .containerName "containers" .current.spec.template.spec.containers) | include "getContainer" | fromYaml }}
-{{- if eq .resource "requestCPU" }}
- {{- if (((($container).resources).requests).cpu) }}
- {{- $container.resources.requests.cpu }}
- {{- end }}
-{{- end }}
-{{- if eq .resource "requestMemory" }}
- {{- if (((($container).resources).requests).memory) }}
- {{- $container.resources.requests.memory }}
- {{- end }}
-{{- end }}
-{{- if eq .resource "limitCPU" }}
- {{- if (((($container).resources).limits).cpu) }}
- {{- $container.resources.limits.cpu }}
- {{- end }}
-{{- end }}
-{{- if eq .resource "limitMemory" }}
- {{- if (((($container).resources).limits).memory) }}
- {{- $container.resources.limits.memory }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Get user override requests/limits value when current deployment/daemonset and override annotation is existed,
-if not, this function will return none and caller should set the default/fallback resource requests/limits value.
-*/}}
-{{- define "getRequestsLimitsValue" -}}
-{{- if .current }}
- {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-requests-limits") "enabled" }}
- {{- (dict "current" .current "containerName" .containerName "resource" .resource) | include "getOverrideRequestsLimitsValue" }}
- {{- end }}
-{{- end }}
-{{- end -}}
-
-{{/* should use AzureStackCloud */}}
-{{- define "should_use_azurestackcloud" -}}
- {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
- {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
-{{- end }}
-
-{{/* should mount ca certs from host */}}
-{{- define "should_mount_hostca" -}}
- {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
- {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containerinsights/templates/_aks_images.tpl b/charts/azuremonitor-containerinsights/templates/_aks_images.tpl
deleted file mode 100644
index 86380c455..000000000
--- a/charts/azuremonitor-containerinsights/templates/_aks_images.tpl
+++ /dev/null
@@ -1,655 +0,0 @@ -{{- define "get.imagetag" -}} -{{- if eq .component "kube-addon-manager" -}} - {{- if semverCompare "<1.7.0" .version -}}v6.5 - {{- else if semverCompare "<1.10.0" .version -}}v8.6 - {{- else if semverCompare "<1.13.0" .version -}}v8.9.1 - {{- else -}}v9.0.2_v0.0.5.9 - {{- end -}} -{{- else if eq .component "kube-apiserver" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322.1 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 - {{- else if semverCompare "=1.20.7" .version 
-}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare 
"=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20231009 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20231009 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20231009 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.13" .version -}}v1.27.13 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 - {{- else if semverCompare "=1.28.9" .version -}}v1.28.9-hotfix.20240712-1 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-hotfix.20240712-1 - {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 - {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240712 - {{- else if semverCompare "=1.29.4" .version -}}v1.29.4-hotfix.20240712 - {{- else if semverCompare "=1.29.14" .version -}}v1.29.14-hotfix.20250703 - {{- else if semverCompare "=1.29.15" .version -}}v1.29.15-hotfix.20250703 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 - {{- else if and 
(semverCompare ">=1.30.11" .version) (semverCompare "<=1.30.14" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if and (semverCompare ">=1.31.0" .version) (semverCompare "<=1.31.11" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if and (semverCompare ">=1.32.0" .version) (semverCompare "<=1.32.7" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if and (semverCompare ">=1.33.0" .version) (semverCompare "<=1.33.3" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else if and (semverCompare ">=1.28.100" .version) (semverCompare "<=1.28.101" .version) -}}v{{.version}}-akslts-hotfix.20250703 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kube-scheduler" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322.1 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version 
-}}v1.19.6-hotfix.20210310 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 - {{- else if semverCompare 
"=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.14" .version -}}v1.27.15 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 - {{- else if semverCompare 
"=1.29.2" .version -}}v1.29.2-hotfix.20240712 - {{- else if semverCompare "=1.29.5" .version -}}v1.29.6-hotfix.20240712 - {{- else if semverCompare "=1.29.6" .version -}}v1.29.6-hotfix.20240712 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch | int) 100) -}}v{{.version}}-akslts - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kube-controller-manager" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210525 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 - {{- else if 
semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210525 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20220126 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20220126 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 
- {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.13" .version -}}v1.27.13 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 - {{- else if semverCompare "=1.28.9" .version -}}v1.28.9-hotfix.20240712-1 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-hotfix.20240712-1 - {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 - {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240712 - {{- else if semverCompare "=1.29.4" .version -}}v1.29.4-hotfix.20240712 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 - {{- 
else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "hyperkube" -}} - {{- if semverCompare "=1.12.8" .version -}}v1.12.8_v0.0.5 - {{- else if semverCompare "=1.13.10" .version -}}v1.13.10_v0.0.5 - {{- else if semverCompare "=1.13.11" .version -}}v1.13.11_v0.0.5 - {{- else if semverCompare "=1.13.12" .version -}}v1.13.12_v0.0.5 - {{- else if semverCompare "=1.14.6" .version -}}v1.14.6_v0.0.5 - {{- else if semverCompare "=1.14.7" .version -}}v1.14.7-hotfix.20200408.1 - {{- else if semverCompare "=1.14.8" .version -}}v1.14.8-hotfix.20200529.1 - {{- else if semverCompare "=1.15.3" .version -}}v1.15.3_v0.0.5 - {{- else if semverCompare "=1.15.4" .version -}}v1.15.4_v0.0.5 - {{- else if semverCompare "=1.15.5" .version -}}v1.15.5_v0.0.5 - {{- else if semverCompare "=1.15.7" .version -}}v1.15.7-hotfix.20200408.1 - {{- else if semverCompare "=1.15.10" .version -}}v1.15.10-hotfix.20200408.1 - {{- else if semverCompare "=1.15.11" .version -}}v1.15.11-hotfix.20201203 - {{- else if semverCompare "=1.15.12" .version -}}v1.15.12-hotfix.20200824.2 - {{- else if semverCompare "=1.16.0" .version -}}v1.16.0_v0.0.5 - {{- else if semverCompare "=1.16.7" .version -}}v1.16.7-hotfix.20200601.3 - {{- else if semverCompare "=1.16.8" .version -}}v1.16.8.2 - {{- else if semverCompare "=1.16.9" .version -}}v1.16.9-hotfix.20200529.7 - {{- else if semverCompare "=1.16.10" .version -}}v1.16.10-hotfix.20200917.3 - {{- else if semverCompare "=1.16.13" .version -}}v1.16.13-hotfix.20210118.2 - {{- else if semverCompare "=1.16.14" .version -}}v1.16.14-hotfix.20200901.4 - {{- else if semverCompare "=1.16.15" .version -}}v1.16.15-hotfix.20210118.4 - {{- else if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601.3 - {{- else if 
semverCompare "=1.17.4" .version -}}v1.17.4.2 - {{- else if semverCompare "=1.17.5" .version -}}v1.17.5.2 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917.3 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917.3 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901.4 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.2 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.2 - {{- else if semverCompare "=1.18.1" .version -}}v1.18.1.6 - {{- else if semverCompare "=1.18.2" .version -}}v1.18.2-hotfix.20200626.7 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200626.7 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917.5 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20201112.4 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.4 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525.2 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.2 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.2 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kubectl" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version 
-}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.2 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.2 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310.1 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310.1 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526.2 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101.1 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101.1 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310.1 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603.2 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115.1 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210.2 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201.2 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115.1 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601.1 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620.1 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115.1 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115.1 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109.1 - {{- else if semverCompare "=1.22.15" .version 
-}}v1.22.15-hotfix.20221109.1 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109.2 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208.1 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208.1 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208.1 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216.1 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208.1 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103-1 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12-1 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20240125 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240712-4 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240712-4 - {{- else if semverCompare "=1.27.13" .version -}}v1.27.13-2 - {{- else if semverCompare "=1.28.0" 
.version -}}v1.28.0-hotfix.20240712-4 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-4 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-4 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else if and (semverCompare ">=1.29.0" .version) (semverCompare "<1.30.0" .version) -}}v1.29.13 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-1 - {{- else if semverCompare "=1.30.1" .version -}}v1.30.1-1 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240613 - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kube-proxy" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601.3 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917.3 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917.3 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901.2 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.2 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.2 - {{- else if semverCompare "=1.18.2" .version -}}v1.18.2-hotfix.20200626.4 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200626.5 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917.4 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20201112.2 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.2 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210525 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526.3 - {{- else if 
semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101.1 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101.1 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210525 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603.3 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211021.1 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115.2 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210.3 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201.3 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211022.1 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115.2 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601.1 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601.2 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620.3 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115.1 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115.1 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615.1 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220728.2 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109.1 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109.1 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615.1 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220728.4 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109.3 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208.2 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208.2 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220615.4 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216.1 - {{- else if 
semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208.2 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612-1 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20231009-3 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102-1 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103-1 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20231009-2 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103-8 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20231009 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20240125 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.14" .version -}}v1.27.14-1 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240125 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240411 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240411 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-1 - {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240411 - {{- else if semverCompare "=1.29.5" .version -}}v1.29.5-1 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712-3 - {{- else if semverCompare "=1.30.1" .version -}}v1.30.1-hotfix.20240712-3 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712-3 - {{- else if 
semverCompare "=1.30.6" .version -}}v1.30.6-1 - {{- else if semverCompare "=1.31.1" .version -}}v1.31.1-2 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "cloud-provider-controller-manager" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.7 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.8 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.14 - {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 - {{- else if semverCompare ">=1.28.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 - {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.22 - {{- else if semverCompare ">=1.23.0" .version -}}v1.23.30 - {{- else if semverCompare ">=1.22.0" .version -}}v1.1.26 - {{- else if semverCompare ">=1.21.0" .version -}}v1.0.23 - {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 - {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 - {{- else -}}v0.5.1.4 - {{- end -}} -{{- else if eq .component "appmonitoring-webhook" -}} -1.0.0-beta.8 -{{- else if eq .component "tunnel-front" -}} -master.250401.1 -{{- else if eq .component "tunnel-end" -}} -master.250401.1 -{{- else if eq .component "tunnel-openvpn-front" -}} -master.241001.1 -{{- else if eq .component "tunnel-openvpn-end" -}} -master.241001.1 -{{- else if eq .component "apiserver-network-proxy-agent" -}} -v0.30.3-5 -{{- else if eq .component "aad-pod-identity-nmi" -}} -v1.8.18 -{{- else if eq .component "gitops-manager-config-operator" -}} -1.7.0 -{{- else if eq .component "gitops-manager-config-agent" -}} -1.7.0 -{{- else if eq .component "resourcesync-operator" -}} -1.7.1 -{{- 
else if eq .component "http-application-routing-nginx-ingress-controller" -}} - {{- if semverCompare ">=1.22.0" .version -}}1.2.1 - {{- else if semverCompare ">=1.21.0" .version -}}0.49.3 - {{- else -}}0.19.0 - {{- end -}} -{{- else if eq .component "http-application-routing-external-dns" -}} - {{- if semverCompare ">=1.22.0" .version -}}v0.10.2 - {{- else if semverCompare ">=1.21.0" .version -}}v0.8.0 - {{- else -}}v0.6.0-hotfix-20200228 - {{- end -}} -{{- else if eq .component "http-application-routing-defaultbackend" -}} -1.4 -{{- else if eq .component "ip-masq-agent" -}} -v2.5.0.12 -{{- else if eq .component "azuredisk-csi-v2" -}} -v2.0.0-beta.10 -{{- else if eq .component "azdiskschedulerextender-csi" -}} -v2.0.0-beta.10 -{{- else if eq .component "csi-node-driver-registrar" -}} - {{- if semverCompare ">=1.31.0" .version -}}v2.14.0 - {{- else if semverCompare ">=1.29.0" .version -}}v2.13.0 - {{- else if semverCompare ">=1.28.0" .version -}}v2.12.0 - {{- else if semverCompare ">=1.27.0" .version -}}v2.10.1 - {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 - {{- else if semverCompare ">=1.21.0" .version -}}v2.5.0 - {{- else -}}v2.3.0 - {{- end -}} -{{- else if eq .component "csi-livenessprobe" -}} - {{- if semverCompare ">=1.31.0" .version -}}v2.16.0 - {{- else if semverCompare ">=1.29.0" .version -}}v2.15.0 - {{- else if semverCompare ">=1.28.0" .version -}}v2.14.0 - {{- else if semverCompare ">=1.27.0" .version -}}v2.12.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 - {{- else if semverCompare ">=1.21.0" .version -}}v2.6.0 - {{- else -}}v2.2.0 - {{- end -}} -{{- else if eq .component "azuredisk-csi-linux" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4-2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.10-2 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.11 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.14 - {{- else if semverCompare 
">=1.27.0" .version -}}v1.28.12 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.9 - {{- else if semverCompare ">=1.24.0" .version -}}v1.26.8 - {{- else if semverCompare ">=1.21.0" .version -}}v1.26.2.2 - {{- else -}}v1.2.2.5 - {{- end -}} -{{- else if eq .component "azuredisk-csi-windows" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.10 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.11 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.28.12 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.9 - {{- else if semverCompare ">=1.24.0" .version -}}v1.26.8 - {{- else if semverCompare ">=1.21.0" .version -}}v1.26.2 - {{- else -}}v1.2.2.5 - {{- end -}} -{{- else if eq .component "azurefile-csi-linux" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4-2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.7 - {{- else if semverCompare ">=1.29.0" .version -}}v1.30.10 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.12 - {{- else if semverCompare ">=1.27.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.11-2 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.11 - {{- else if semverCompare ">=1.21.0" .version -}}v1.24.0 - {{- else -}}v1.2.2 - {{- end -}} -{{- else if eq .component "azurefile-csi-windows" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.7 - {{- else if semverCompare ">=1.29.0" .version -}}v1.30.10 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.12 - {{- else if semverCompare ">=1.27.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.11 - {{- else if semverCompare ">=1.24.0" 
.version -}}v1.24.11 - {{- else if semverCompare ">=1.21.0" .version -}}v1.24.0 - {{- else -}}v1.2.2 - {{- end -}} -{{- else if eq .component "blob-csi" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.26.7 - {{- else if semverCompare ">=1.32.0" .version -}}v1.26.6 - {{- else if semverCompare ">=1.31.0" .version -}}v1.25.9 - {{- else if semverCompare ">=1.30.0" .version -}}v1.24.11 - {{- else if semverCompare ">=1.28.0" .version -}}v1.23.11 - {{- else if semverCompare ">=1.27.0" .version -}}v1.22.9 - {{- else if semverCompare ">=1.26.0" .version -}}v1.21.7-2 - {{- else if semverCompare ">=1.24.0" .version -}}v1.19.5-7 - {{- else -}}v1.19.2 - {{- end -}} -{{- else if eq .component "csi-provisioner" -}} - {{- if semverCompare ">=1.29.0" .version -}}v5.2.0 - {{- else if semverCompare ">=1.28.0" .version -}}v3.6.2 - {{- else if semverCompare ">=1.24.0" .version -}}v3.5.0 - {{- else if semverCompare ">=1.21.0" .version -}}v3.1.0 - {{- else -}}v2.1.1-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "csi-attacher" -}} - {{- if semverCompare ">=1.32.0" .version -}}v4.9.0 - {{- else if semverCompare ">=1.29.0" .version -}}v4.8.1 - {{- else if semverCompare ">=1.28.0" .version -}}v4.4.2 - {{- else if semverCompare ">=1.27.0" .version -}}v4.3.0 - {{- else if semverCompare ">=1.21.0" .version -}}v3.4.0 - {{- else -}}v3.1.0-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "csi-resizer" -}} - {{- if semverCompare ">=1.29.0" .version -}}v1.13.2 - {{- else if semverCompare ">=1.28.0" .version -}}v1.9.3 - {{- else if semverCompare ">=1.27.0" .version -}}v1.8.0 - {{- else if semverCompare ">=1.21.0" .version -}}v1.4.0 - {{- else -}}v1.1.0-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "csi-snapshotter" -}} - {{- if semverCompare ">=1.33.0" .version -}}v8.3.0 - {{- else if semverCompare ">=1.29.0" .version -}}v8.2.0 - {{- else if semverCompare ">=1.27.0" .version -}}v6.2.2 - {{- else if semverCompare ">=1.21.0" .version -}}v5.0.1 - {{- else 
-}}v3.0.3-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "snapshot-controller" -}} - {{- if semverCompare ">=1.33.0" .version -}}v8.3.0 - {{- else if semverCompare ">=1.29.0" .version -}}v8.2.0 - {{- else if semverCompare ">=1.27.0" .version -}}v6.2.2 - {{- else if semverCompare ">=1.21.0" .version -}}v5.0.1 - {{- else -}}v3.0.3-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "azure-cns-image" -}} -v1.4.44.5 -{{- else if eq .component "azure-cns-image-windows" -}} -v1.4.44.5 -{{- else if eq .component "azure-cni-networkmonitor" -}} -v1.1.8_hotfix -{{- else if eq .component "calico-typha-image" -}} -v3.8.9 -{{- else if eq .component "calico-pod2daemon-flexvol-image" -}} -v3.8.9.1 -{{- else if eq .component "calico-cni-image" -}} -v3.8.9.3 -{{- else if eq .component "calico-node-image" -}} -v3.8.9.5 -{{- else if eq .component "ccp-initializer" -}} -master.250807.1 -{{- else if eq .component "ccp-auto-thrust" -}} - {{- if semverCompare ">=1.27.0" .version -}}master.250505.2 - {{- else -}}master.250108.7 - {{- end -}} -{{- else if eq .component "ccp-auto-thrust-csi" -}} - {{- if semverCompare ">=1.27.0" .version -}}master.250307.1 - {{- else -}}master.250108.7 - {{- end -}} -{{- else if eq .component "admissionsenforcer" -}} -master.250822.2 -{{- else if eq .component "msi-adapter" -}} -master.250822.1 -{{- else if eq .component "private-connect-router" -}} -master.250811.1 -{{- else if eq .component "private-connect-balancer" -}} -master.250731.2 -{{- else if eq .component "addon-token-adapter-linux" -}} -master.250902.1 -{{- else if eq .component "addon-token-adapter-windows" -}} -master.250902.1 -{{- else if eq .component "addon-token-reconciler" -}} -master.250819.2 -{{- else if eq .component "aks-kube-addon-manager" -}} -master.250528.2 -{{- else if eq .component "kms-plugin" -}} -v0.8.0 -{{- else if eq .component "ccp-coredns" -}} -v1.12.0-1 -{{- end -}} -{{- end -}} 
diff --git a/charts/azuremonitor-containerinsights/templates/_helpers.tpl b/charts/azuremonitor-containerinsights/templates/_helpers.tpl
new file mode 100644
index 000000000..aceb79c04
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/_helpers.tpl
@@ -0,0 +1,67 @@
+{{/*
+Consolidated helper functions for azuremonitor-containerinsights chart
+Merged from: _aks_addon-images.tpl, _aks_images.tpl, _aks_helpers.tpl, _aks_common.tpl
+*/}}
+
+{{/*
+=============================================================================
+Image Tags Section
+=============================================================================
+*/}}
+
+{{/* Get addon image tag - used for ama-logs and addon-resizer */}}
+{{- define "get.addonImageTag" -}}
+ {{- if eq .component "addon-resizer" -}}
+v1.8.23-4
+ {{- else if eq .component "ama-logs-linux" -}}
+3.1.34
+ {{- else if eq .component "ama-logs-win" -}}
+win-3.1.34
+ {{- end -}}
+{{- end -}}
+
+{{/* Get image tag - used for addon-token-adapter */}}
+{{- define "get.imagetag" -}}
+{{- if eq .component "addon-token-adapter-linux" -}}
+master.250902.1
+{{- else if eq .component "addon-token-adapter-windows" -}}
+master.250902.1
+{{- end -}}
+{{- end -}}
+
+{{/*
+=============================================================================
+MCR Repository Section
+=============================================================================
+*/}}
+
+{{/* MCR repository base - returns cloud-specific MCR URL */}}
+{{- define "mcr_repository_base" }}
+{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }}
+{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
+{{- "mcr.azk8s.cn" }}
+{{- else if (eq $cloud_environment "USNat") }}
+{{- "mcr.microsoft.eaglex.ic.gov" }}
+{{- else if (eq $cloud_environment "USSec") }}
+{{- "mcr.microsoft.scloud" }}
+{{- else }}
+{{- "mcr.microsoft.com" }}
+{{- end }}
+{{- end }}
+
+{{/* MCR repository template for addon charts */}}
+{{- define "addon_mcr_repository_base" }}
+{{- template "mcr_repository_base" . }}
+{{- end }}
+
+{{/*
+=============================================================================
+Host CA Certificate Mounting Section
+=============================================================================
+*/}}
+
+{{/* Check if host CA certs should be mounted for specific cloud environments */}}
+{{- define "should_mount_hostca" -}}
+ {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
+ {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
+{{- end }}
\ No newline at end of file
From e004c7ab402355c4f813bd5dfbe6ba5d9804c368 Mon Sep 17 00:00:00 2001
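Review bot: `mcr_repository_base` compares `CloudEnvironment` case-sensitively (`"AZURECHINACLOUD"`, `"USNat"`, `"USSec"`), while `should_mount_hostca` at the end of this same hunk lowercases the value first, so an input such as `USNAT` or `usnat` mounts the host CA bundle but still resolves the registry to `mcr.microsoft.com`. In an isolated cloud that points image pulls at the public registry instead of the in-cloud mirror. Normalise once and compare against a single casing: `{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "AZUREPUBLICCLOUD" | upper) }}` with `"USNAT"` and `"USSEC"` in the two `eq` branches. `azurebleucloud` is listed in `should_mount_hostca` but has no registry branch here; if that cloud has its own mirror it needs one, otherwise a comment stating that the public registry is intended would help.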
From: longwan
Date: Tue, 10 Feb 2026 23:15:28 +0000
Subject: [PATCH 22/47] merge chart
---
.../.helmignore | 28 +
.../azuremonitor-containers-merged/Chart.yaml | 38 +
.../templates/_arc-extension-settings.tpl | 237 +++++++
.../templates/_helpers.tpl | 66 ++
.../templates/ama-logs-arc-k8s-crd.yaml | 45 ++
.../templates/ama-logs-configmap.yaml | 16 +
.../templates/ama-logs-daemonset.yaml | 671 ++++++++++++++++++
.../templates/ama-logs-openshift-scc.yaml | 35 +
.../templates/ama-logs-priorityclass.yaml | 14 +
.../templates/ama-logs-rbac.yaml | 65 ++
.../templates/ama-logs-secret.yaml | 30 +
.../values.yaml | 272 +++++++
12 files changed, 1517 insertions(+)
create mode 100644 charts/azuremonitor-containers-merged/.helmignore
create mode 100644 charts/azuremonitor-containers-merged/Chart.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl
create mode 100644 charts/azuremonitor-containers-merged/templates/_helpers.tpl
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml
create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml
create mode 100644 charts/azuremonitor-containers-merged/values.yaml
diff --git a/charts/azuremonitor-containers-merged/.helmignore b/charts/azuremonitor-containers-merged/.helmignore
new file mode 100644
index 000000000..32ec676a1
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/.helmignore
@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Test files
+test-values*.yaml
+*-test.yaml
+IMPLEMENTATION_SUMMARY.md
+INTEGRATION_EXAMPLE.md
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/Chart.yaml b/charts/azuremonitor-containers-merged/Chart.yaml
new file mode 100644
index 000000000..3d0d46622
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/Chart.yaml
@@ -0,0 +1,38 @@
+apiVersion: v2
+name: azuremonitor-containers
+description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension)
+version: 3.2.1-aks-beta-5
+kubeVersion: "^1.10.0-0"
+keywords:
+ - monitoring
+ - azuremonitor
+ - azure
+ - ama
+ - containerinsights
+ - metric
+ - event
+ - logs
+ - containerhealth
+ - kubernetesmonitoring
+ - acs-engine
+ - aks-engine
+ - azurestack
+ - openshift v4
+ - azure redhat openshift v4
+ - on-prem kubernetes monitoring
+ - arc-k8s
+ - containerlogs
+ - containerhealth
+ - containermonitoring
+ - hybrid kubernetes monitoring
+ - kubernetes
+ - kuberneteshealth
+home: https://docs.microsoft.com/en-us/azure/monitoring/monitoring-container-health
+icon: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/img/azuremonitor-containers.svg
+sources:
+ - https://github.com/microsoft/Docker-Provider/tree/ci_prod
+maintainers:
+ - name: vishiy
+ email: visnara@microsoft.com
+ - name: ganga1980
+ email: gangams@microsoft.com
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl b/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl new file mode 100644 index 000000000..82feeea02 --- /dev/null +++ b/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl 
@@ -0,0 +1,237 @@
+{{/*
+Arc K8s Extension Settings Helper
+Following the pattern from prometheus-collector's arc-extension-settings
+This consolidates all deployment-mode-specific configuration logic
+*/}}
+{{- define "arc-extension-settings" -}}
+
+{{/* Detect deployment mode */}}
+{{- $isArcExtension := or (ne .Values.Azure.Extension.Name "") (ne .Values.Azure.Extension.ResourceId "") -}}
+{{- $hasArcClusterResourceId := and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") (ne .Values.Azure.Cluster.ResourceId "") -}}
+{{- $isAKSAddon := and (hasKey .Values "OmsAgent") (ne .Values.OmsAgent.aksResourceID "") (not $isArcExtension) -}}
+{{- $isStandalone := and (not $isArcExtension) (not $isAKSAddon) -}}
+
+{{/* Deployment mode detection */}}
+deploymentMode: {{ if $isArcExtension }}arc-extension{{ else if $isAKSAddon }}aks-addon{{ else }}standalone{{ end }}
+isArcExtension: {{ $isArcExtension }}
+isAKSAddon: {{ $isAKSAddon }}
+isStandalone: {{ $isStandalone }}
+
+{{/* Cluster information - unified from both Arc and AKS sources */}}
+{{- if $isArcExtension }}
+resourceId: {{ .Values.Azure.Cluster.ResourceId }}
+region: {{ .Values.Azure.Cluster.Region }}
+clusterName: {{ .Values.amalogs.env.clusterName }}
+{{- else if $isAKSAddon }}
+resourceId: {{ .Values.OmsAgent.aksResourceID }}
+region: {{ default .Values.OmsAgent.aksRegion .Values.global.commonGlobals.Region }}
+clusterName: {{ .Values.OmsAgent.aksClusterName | default "" }}
+{{- else }}
+resourceId: {{ .Values.amalogs.env.clusterId | default "" }}
+region: {{ .Values.amalogs.env.clusterRegion | default .Values.global.commonGlobals.Region }}
+clusterName: {{ .Values.amalogs.env.clusterName }}
+{{- end }}
+
+{{/* Cloud environment - prefer global setting, fall back to Arc value */}}
+cloudEnvironment: {{ default (lower .Values.Azure.Cluster.Cloud) (lower .Values.global.commonGlobals.CloudEnvironment) }}
+
+{{/* Distribution - e.g., openshift, aks_edge_k3s, etc. */}}
+distribution: {{ .Values.Azure.Cluster.Distribution | default "generic" }}
+
+{{/* Authentication configuration */}}
+{{- if $isArcExtension }}
+usingAADAuth: {{ .Values.amalogs.useAADAuth | default false }}
+{{- else if $isAKSAddon }}
+usingAADAuth: {{ eq .Values.OmsAgent.isUsingAADAuth "true" }}
+{{- else }}
+usingAADAuth: false
+{{- end }}
+
+{{/* Access token secret name */}}
+accessTokenSecretName: {{ .Values.OmsAgent.accessTokenSecretName | default "ama-logs-secret" }}
+
+{{/* Arc Extension specific settings */}}
+{{- if $isArcExtension }}
+arcExtensionName: {{ .Values.Azure.Extension.Name }}
+arcExtensionResourceId: {{ .Values.Azure.Extension.ResourceId }}
+
+{{/* Proxy settings for Arc */}}
+isProxyEnabled: {{ and (.Values.Azure.proxySettings.isProxyEnabled) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+httpProxy: {{ .Values.Azure.proxySettings.httpProxy }}
+httpsProxy: {{ .Values.Azure.proxySettings.httpsProxy }}
+noProxy: {{ .Values.Azure.proxySettings.noProxy }}
+proxyCert: {{ .Values.Azure.proxySettings.proxyCert }}
+isCustomCert: {{ .Values.Azure.proxySettings.isCustomCert }}
+ignoreProxySettings: {{ .Values.amalogs.ignoreExtensionProxySettings | default false }}
+{{- else }}
+isProxyEnabled: false
+httpProxy: ""
+httpsProxy: ""
+noProxy: ""
+proxyCert: ""
+isCustomCert: false
+ignoreProxySettings: false
+{{- end }}
+
+{{/* Workspace credentials */}}
+{{- if $isArcExtension }}
+workspaceID: {{ .Values.amalogs.secret.wsid }}
+workspaceKey: {{ .Values.amalogs.secret.key }}
+{{- else if $isAKSAddon }}
+workspaceID: {{ .Values.OmsAgent.workspaceID }}
+workspaceKey: {{ .Values.OmsAgent.workspaceKey }}
+{{- else }}
+workspaceID: {{ .Values.amalogs.secret.wsid }}
+workspaceKey: {{ .Values.amalogs.secret.key }}
+{{- end }}
+
+{{/* Domain configuration based on cloud environment */}}
+{{- $cloudEnv := default (lower .Values.Azure.Cluster.Cloud) (lower .Values.global.commonGlobals.CloudEnvironment) | upper -}}
+domain: {{ if eq $cloudEnv "AZURECHINACLOUD" }}opinsights.azure.cn{{ else if or (eq $cloudEnv "AZUREUSGOVERNMENT") (.Values.OmsAgent.isFairfax) }}opinsights.azure.us{{ else if eq $cloudEnv "USNAT" }}opinsights.azure.eaglex.ic.gov{{ else if eq $cloudEnv "USSEC" }}opinsights.azure.microsoft.scloud{{ else if eq $cloudEnv "AZUREBLEUCLOUD" }}opinsights.sovcloud-api.fr{{ else }}opinsights.azure.com{{ end }}
+
+{{/* Feature flags - unified from both value structures */}}
+{{- if $isAKSAddon }}
+multitenancyEnabled: {{ .Values.OmsAgent.isMultitenancyLogsEnabled | default false }}
+rsvpaEnabled: {{ .Values.OmsAgent.isRSVPAEnabled | default false }}
+syslogEnabled: {{ .Values.OmsAgent.isSyslogEnabled | default false }}
+sidecarScrapingEnabled: {{ .Values.OmsAgent.isSidecarScrapingEnabled | default true }}
+prometheusScrapingDisabled: {{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled | default false }}
+retinaFlowLogsEnabled: {{ .Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}
+resourceOptimizationEnabled: {{ .Values.OmsAgent.isResourceOptimizationEnabled | default false }}
+windowsAMAEnabled: {{ .Values.OmsAgent.isWindowsAMAEnabled | default true }}
+windowsFluentBitEnabled: {{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}
+windowsBurstableQoSEnabled: {{ .Values.OmsAgent.isWindowsBurstableQoSEnabled | default true }}
+windowsAddonTokenAdapterDisabled: {{ .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled | default false }}
+customMetricsEnabled: {{ not .Values.OmsAgent.isCustomMetricsDisabled }}
+telegrafLivenessprobeEnabled: {{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}
+openTelemetryLogsEnabled: {{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}
+openTelemetryLogsPort: {{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}
+appMonitoringEnabled: {{ .Values.AppmonitoringAgent.enabled | default false }}
+legacyAddonDelivery: {{ .Values.legacyAddonDelivery | default false }}
+{{- else }}
+multitenancyEnabled: false
+rsvpaEnabled: false
+syslogEnabled: {{ .Values.amalogs.syslog.enabled | default false }}
+sidecarScrapingEnabled: {{ .Values.amalogs.sidecarscraping | default true }}
+prometheusScrapingDisabled: false
+retinaFlowLogsEnabled: false
+resourceOptimizationEnabled: false
+windowsAMAEnabled: true
+windowsFluentBitEnabled: false
+windowsBurstableQoSEnabled: true
+windowsAddonTokenAdapterDisabled: false
+customMetricsEnabled: {{ .Values.amalogs.enableCustomMetrics | default false }}
+telegrafLivenessprobeEnabled: {{ .Values.amalogs.enableTelegrafLivenessprobe | default false }}
+openTelemetryLogsEnabled: false
+openTelemetryLogsPort: 28331
+appMonitoringEnabled: false
+legacyAddonDelivery: false
+{{- end }}
+
+{{/* Scheduling configuration */}}
+{{- if $isArcExtension }}
+scheduleOnTaintedNodes: {{ .Values.amalogs.scheduleOnTaintedNodes | default false }}
+priority: {{ .Values.amalogs.priority | default 10 }}
+rbacEnabled: {{ .Values.amalogs.rbac | default true }}
+{{- else }}
+scheduleOnTaintedNodes: false
+priority: 10
+rbacEnabled: true
+{{- end }}
+
+{{/* Service account token configuration */}}
+{{- if $isArcExtension }}
+enableServiceAccountTimeBoundToken: {{ .Values.amalogs.enableServiceAccountTimeBoundToken | default true }}
+{{- else }}
+enableServiceAccountTimeBoundToken: true
+{{- end }}
+
+{{/* Dynamic sizing configuration (AKS addon only) */}}
+{{- if $isAKSAddon }}
+enableDaemonSetSizing: {{ and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing }}
+{{- else }}
+enableDaemonSetSizing: false
+{{- end }}
+
+{{/* Image configuration */}}
+{{- if $isAKSAddon }}
+imageRepo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod"
+imageTagLinux: {{ .Values.OmsAgent.imageTagLinux | default "3.1.34" }}
+imageTagWindows: {{ .Values.OmsAgent.imageTagWindows | default "win-3.1.34" }}
+imagePullPolicy: {{ if .Values.OmsAgent.isImagePullPolicyAlways }}Always{{ else }}IfNotPresent{{ end }}
+{{- else }}
+imageRepo: {{ .Values.amalogs.image.repo | default "mcr.microsoft.com/azuremonitor/containerinsights/ciprod" }}
+imageTagLinux: {{ .Values.amalogs.image.tag | default "3.1.34" }}
+imageTagWindows: {{ .Values.amalogs.image.tagWindows | default "win-3.1.34" }}
+imagePullPolicy: {{ .Values.amalogs.image.pullPolicy | default "IfNotPresent" }}
+{{- end }}
+
+{{/* Certificate mounting for sovereign clouds */}}
+{{- $shouldMountCerts := or (eq $cloudEnv "USNAT") (eq $cloudEnv "USSEC") (eq $cloudEnv "AZUREBLEUCLOUD") -}}
+mountMarinerCerts: {{ $shouldMountCerts }}
+mountUbuntuCerts: {{ $shouldMountCerts }}
+{{- if or (eq .Values.Azure.Cluster.Distribution "aks_edge_k3s") (eq .Values.Azure.Cluster.Distribution "aks_edge_k8s") }}
+mountUbuntuCerts: false
+{{- end }}
+
+{{/* Test mode */}}
+{{- if $isArcExtension }}
+isTestMode: {{ .Values.amalogs.ISTEST | default false }}
+{{- else }}
+isTestMode: false
+{{- end }}
+
+{{/* High log scale mode */}}
+{{- if $isArcExtension }}
+enableHighLogScaleMode: {{ .Values.amalogs.enableHighLogScaleMode | default false }}
+{{- else }}
+enableHighLogScaleMode: false
+{{- end }}
+
+{{/* ArcA cluster flag */}}
+{{- if $isArcExtension }}
+isArcACluster: {{ .Values.amalogs.isArcACluster | default false }}
+{{- else }}
+isArcACluster: false
+{{- end }}
+
+{{/* Syslog port configuration */}}
+{{- if $isAKSAddon }}
+syslogPort: {{ .Values.OmsAgent.syslogHostPort | default "28330" }}
+shouldMountSyslogHostPort: {{ .Values.OmsAgent.shouldMountSyslogHostPort | default true }}
+{{- else if $isArcExtension }}
+syslogPort: {{ .Values.amalogs.syslog.syslogPort | default "28330" }}
+shouldMountSyslogHostPort: {{ .Values.amalogs.syslog.enabled | default false }}
+{{- else }}
+syslogPort: "28330"
+shouldMountSyslogHostPort: false
+{{- end }}
+
+{{/* Identity client ID */}}
+{{- if $isAKSAddon }}
+identityClientID: {{ .Values.OmsAgent.identityClientID | default "" }}
+{{- else }}
+identityClientID: ""
+{{- end }}
+
+{{/* Custom metrics endpoint */}}
+{{- if $isArcExtension }}
+ {{- if ne .Values.amalogs.metricsEndpoint "" }}
+customMetricsEndpoint: {{ .Values.amalogs.metricsEndpoint }}
+ {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }}
+customMetricsEndpoint: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}"
+ {{- else }}
+customMetricsEndpoint: ""
+ {{- end }}
+{{- else }}
+customMetricsEndpoint: ""
+{{- end }}
+
+{{/* Token audience for custom endpoints */}}
+{{- if and $isArcExtension (ne .Values.amalogs.tokenAudience "") }}
+tokenAudience: {{ .Values.amalogs.tokenAudience }}
+{{- else }}
+tokenAudience: ""
+{{- end }}
+
+{{- end -}}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/_helpers.tpl b/charts/azuremonitor-containers-merged/templates/_helpers.tpl
new file mode 100644
index 000000000..7dd294391
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/_helpers.tpl
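Review bot: `| default true` cannot express an explicit `false`, because Sprig's `default` treats `false` as empty, so `shouldMountSyslogHostPort`, `sidecarScrapingEnabled`, `windowsAMAEnabled`, `windowsBurstableQoSEnabled`, `rbacEnabled` and `enableServiceAccountTimeBoundToken` always come out `true` in the branches that use it. For `shouldMountSyslogHostPort` this means an operator who sets `OmsAgent.shouldMountSyslogHostPort: false` still gets the syslog `hostPort` rendered by the DaemonSet template in this patch. A form that keeps the default but honours `false` is `shouldMountSyslogHostPort: {{ ne (toString .Values.OmsAgent.shouldMountSyslogHostPort) "false" }}`, and the same shape fits the other five. Separately, the string values (`workspaceKey`, `httpProxy`, `proxyCert`, `resourceId` and the rest) are written unquoted into YAML that the callers parse with `fromYaml`, so a multi-line certificate or a value containing `: ` or ` #` changes or breaks the parsed settings; piping each through `quote` avoids that.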
@@ -0,0 +1,66 @@
+{{/*
+Consolidated helper functions for azuremonitor-containers unified chart
+*/}}
+
+{{/*
+=============================================================================
+Image Tags Section
+=============================================================================
+*/}}
+
+{{/* Get addon image tag - used for ama-logs and addon-resizer */}}
+{{- define "get.addonImageTag" -}}
+ {{- if eq .component "addon-resizer" -}}
+v1.8.23-4
+ {{- else if eq .component "ama-logs-linux" -}}
+3.1.34
+ {{- else if eq .component "ama-logs-win" -}}
+win-3.1.34
+ {{- end -}}
+{{- end -}}
+
+{{/* Get image tag - used for addon-token-adapter */}}
+{{- define "get.imagetag" -}}
+{{- if eq .component "addon-token-adapter-linux" -}}
+master.250902.1
+{{- else if eq .component "addon-token-adapter-windows" -}}
+master.250902.1
+{{- end -}}
+{{- end -}}
+
+{{/*
+=============================================================================
+MCR Repository Section
+=============================================================================
+*/}}
+
+{{/* MCR repository base - returns cloud-specific MCR URL */}}
+{{- define "mcr_repository_base" }}
+{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }}
+{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
+{{- "mcr.azk8s.cn" }}
+{{- else if (eq $cloud_environment "USNat") }}
+{{- "mcr.microsoft.eaglex.ic.gov" }}
+{{- else if (eq $cloud_environment "USSec") }}
+{{- "mcr.microsoft.scloud" }}
+{{- else }}
+{{- "mcr.microsoft.com" }}
+{{- end }}
+{{- end }}
+
+{{/* MCR repository template for addon charts */}}
+{{- define "addon_mcr_repository_base" }}
+{{- template "mcr_repository_base" . }}
+{{- end }}
+
+{{/*
+=============================================================================
+Host CA Certificate Mounting Section
+=============================================================================
+*/}}
+
+{{/* Check if host CA certs should be mounted for specific cloud environments */}}
+{{- define "should_mount_hostca" -}}
+ {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
+ {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml
new file mode 100644
index 000000000..be73e7f34
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml
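Review bot: `mcr_repository_base` compares `CloudEnvironment` case-sensitively against `"USNat"` and `"USSec"`, while `should_mount_hostca` in the same file lowercases the value and `_arc-extension-settings.tpl` uppercases it before matching `USNAT`/`USSEC`. A cluster configured with `USNAT` or `ussec` therefore gets the host CA mounts but falls through to the `mcr.microsoft.com` branch for the image registry, which looks wrong for an isolated cloud. Normalising once, `{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "AZUREPUBLICCLOUD" | upper) }}`, and comparing against `"USNAT"` and `"USSEC"` keeps the three helpers in agreement. `AZUREBLEUCLOUD` has no branch here although the other helpers treat it as a sovereign cloud, so it is worth confirming that the public registry is intended for it.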
@@ -0,0 +1,45 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+{{- if $settings.isArcExtension }}
+{{- if or (contains "microsoft.kubernetes/connectedclusters" ($settings.resourceId | lower)) (contains "microsoft.hybridcontainerservice/provisionedclusters" ($settings.resourceId | lower)) }}
+#
+# Arc K8s Extension Identity Resources
+# These CRDs are required for Arc K8s extension authentication
+#
+{{- if not (empty $settings.arcExtensionName) }}
+apiVersion: clusterconfig.azure.com/v1beta1
+kind: AzureExtensionIdentity
+metadata:
+ name: {{ $settings.arcExtensionName }}
+ namespace: azure-arc
+spec:
+ serviceAccounts:
+ - name: ama-logs
+ namespace: kube-system
+ tokenNamespace: azure-arc
+---
+{{- end }}
+apiVersion: clusterconfig.azure.com/v1beta1
+kind: AzureClusterIdentityRequest
+metadata:
+ name: container-insights-clusteridentityrequest
+ namespace: azure-arc
+spec:
+ {{- $cloudEnv := $settings.cloudEnvironment | upper }}
+ {{- if eq $cloudEnv "AZUREPUBLICCLOUD" }}
+ audience: https://monitor.azure.com/
+ {{- else if eq $cloudEnv "AZURECHINACLOUD" }}
+ audience: https://monitor.azure.cn/
+ {{- else if eq $cloudEnv "AZUREBLEUCLOUD" }}
+ audience: https://monitor.sovcloud-api.fr/
+ {{- else if eq $cloudEnv "AZUREUSGOVERNMENTCLOUD" }}
+ audience: https://monitor.azure.us/
+ {{- else if and $settings.isArcACluster (ne $settings.tokenAudience "") }}
+ audience: {{ $settings.tokenAudience | quote }}
+ {{- else }}
+ audience: https://monitor.azure.com/
+ {{- end }}
+ {{- if not (empty $settings.arcExtensionName) }}
+ resourceId: {{ $settings.arcExtensionName }}
+ {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml
new file mode 100644
index 000000000..b59a50f0a
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml
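Review bot: The US Government branch tests `eq $cloudEnv "AZUREUSGOVERNMENTCLOUD"`, but `_arc-extension-settings.tpl` in this same patch matches that cloud as `"AZUREUSGOVERNMENT"` when it selects `domain`, so whichever spelling the platform does not send never matches in one of the two places. A miss here, like `USNAT` or `USSEC` when `isArcACluster` or `tokenAudience` is unset, lands in the final `else` and requests the cluster identity token for `https://monitor.azure.com/`, the public-cloud audience. Accepting both spellings, `{{- else if or (eq $cloudEnv "AZUREUSGOVERNMENT") (eq $cloudEnv "AZUREUSGOVERNMENTCLOUD") }}`, removes the mismatch, and it is worth deciding whether a non-empty cloud name that matches no branch should fail the render rather than fall back silently. `name:` and `resourceId:` also take `$settings.arcExtensionName` unquoted; `| quote` would match how the `tokenAudience` branch renders its value.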
@@ -0,0 +1,16 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+#
+# ConfigMap for cluster resource ID
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: container-azm-ms-aks-k8scluster
+ namespace: kube-system
+ labels:
+{{- if $settings.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+data:
+ CLUSTER_RESOURCE_ID: {{ $settings.resourceId | quote }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml
new file mode 100644
index 000000000..e5efc8f61
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml
@@ -0,0 +1,671 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+{{- if and (ne $settings.workspaceID "") (ne $settings.workspaceID "") }}
+#
+# Linux DaemonSet for ama-logs
+# Supports both Arc K8s Extension and AKS Addon deployment modes
+#
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: ama-logs
+ namespace: kube-system
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: ama-logs-agent
+ tier: node
+ kubernetes.azure.com/managedby: aks
+{{- if $settings.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ {{- if $settings.isAKSAddon }}
+ rollingUpdate:
+ maxUnavailable: 50%
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- if $settings.isArcExtension }}
+ dsName: "ama-logs-ds"
+ {{- else }}
+ component: ama-logs-agent
+ tier: node
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ {{- if $settings.isArcExtension }}
+ dsName: "ama-logs-ds"
+ {{- else }}
+ component: ama-logs-agent
+ tier: node
+ kubernetes.azure.com/managedby: aks
+ {{- end }}
+ annotations:
+ {{- if $settings.isArcExtension }}
+ agentVersion: {{ .Values.amalogs.image.agentVersion }}
+ dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }}
+ {{- else }}
+ agentVersion: "azure-mdsd-1.37.0"
+ dockerProviderVersion: "18.0.1-0"
+ {{- end }}
+ schema-versions: "v1"
+ WSID: {{ $settings.workspaceID | b64enc | quote }}
+ kubernetes.azure.com/no-http-proxy-vars: "true"
+ {{- if $settings.isArcExtension }}
+ checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }}
+ checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }}
+ checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }}
+ {{- end }}
+ spec:
+ {{- if $settings.isArcExtension }}
+ priorityClassName: ama-logs
+ {{- else }}
+ priorityClassName: system-node-critical
+ {{- end }}
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "3"
+ {{- if $settings.rbacEnabled }}
+ serviceAccountName: ama-logs
+ {{- end }}
+ containers:
+{{- if and $settings.isArcExtension $settings.usingAADAuth }}
+ {{- if ne $settings.distribution "openshift" }}
+ - name: addon-token-adapter
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: AZMON_COLLECT_ENV
+ value: "false"
+ - name: TOKEN_NAMESPACE
+ value: "azure-arc"
+{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }}
+ {{- else }}
+ - name: msi-adapter
+ env:
+ - name: AZMON_COLLECT_ENV
+ value: "false"
+ - name: TOKEN_NAMESPACE
+ value: azure-arc
+ - name: CLUSTER_IDENTITY
+ value: "false"
+ - name: CLUSTER_TYPE
+ value: {{ (split "/" $settings.resourceId)._7 }}
+ - name: EXTENSION_ARMID
+ value: {{ $settings.arcExtensionResourceId }}
+ - name: EXTENSION_NAME
+ value: {{ $settings.arcExtensionName }}
+ - name: MSI_ADAPTER_LISTENING_PORT
+ value: "8421"
+ - name: MANAGED_IDENTITY_AUTH
+ value: "true"
+ - name: MSI_ADAPTER_LIVENESS_PORT
+ value: "9090"
+ - name: TEST_MODE
+ value: "false"
+ - name: TEST_FILE
+ value: /data/token
+ image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 9090
+ scheme: "HTTP"
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ resources:
+ limits:
+ cpu: 50m
+ memory: 100Mi
+ requests:
+ cpu: 20m
+ memory: 50Mi
+ lifecycle:
+ postStart:
+ exec:
+ command: ["/data/msi-adapter-ready-watcher"]
+ {{- end }}
+{{- else if and $settings.isAKSAddon $settings.usingAADAuth }}
+ - name: addon-token-adapter
+ command:
+ - /addon-token-adapter
+ args:
+ - --secret-namespace=kube-system
+ - --secret-name={{ $settings.accessTokenSecretName }}
+ - --token-server-listening-port=8888
+ - --health-server-listening-port=9999
+ - --restart-pod-waiting-minutes-on-broken-connection=240
+ image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}"
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: AZMON_COLLECT_ENV
+ value: "false"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 9999
+ initialDelaySeconds: 10
+ periodSeconds: 60
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 20m
+ memory: 50Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_ADMIN
+ - NET_RAW
+{{- end }}
+ - name: ama-logs
+ image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}"
+ imagePullPolicy: {{ $settings.imagePullPolicy }}
+ resources:
+ {{- if $settings.isArcExtension }}
+{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 9 }}
+ {{- else }}
+ limits:
+ cpu: {{ .Values.OmsAgent.omsAgentDsCPULimitLinux }}
+ memory: {{ .Values.OmsAgent.omsAgentDsMemoryLimitLinux }}
+ requests:
+ cpu: 75m
+ memory: 325Mi
+ {{- end }}
+ env:
+ - name: AKS_RESOURCE_ID
+ value: {{ $settings.resourceId | quote }}
+ - name: AKS_REGION
+ value: {{ $settings.region | quote }}
+ {{- if $settings.isAKSAddon }}
+ - name: AKS_CLUSTER_NAME
+ value: {{ $settings.clusterName | quote }}
+ - name: AKS_NODE_RESOURCE_GROUP
+ value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }}
+ {{- end }}
+ - name: CONTROLLER_TYPE
+ value: "DaemonSet"
+ {{- if $settings.isArcExtension }}
+ - name: USING_AAD_MSI_AUTH
+ value: {{ $settings.usingAADAuth | quote }}
+ {{- if not (empty $settings.arcExtensionName) }}
+ - name: ARC_K8S_EXTENSION_NAME
+ value: {{ $settings.arcExtensionName | quote }}
+ {{- end }}
+ {{- if $settings.enableHighLogScaleMode }}
+ - name: ENABLE_HIGH_LOG_SCALE_MODE
+ value: {{ $settings.enableHighLogScaleMode | quote }}
+ {{- end }}
+ {{- if $settings.isTestMode }}
+ - name: AZMON_KUBERNETES_METADATA_ENABLED
+ value: "true"
+ {{- end }}
+ {{- if $settings.isArcACluster }}
+ - name: IS_ARCA_CLUSTER
+ value: {{ $settings.isArcACluster | quote }}
+ {{- end }}
+ {{- if ne $settings.customMetricsEndpoint "" }}
+ - name: CUSTOM_METRICS_ENDPOINT
+ value: {{ $settings.customMetricsEndpoint | quote }}
+ {{- end }}
+ {{- if ne $settings.tokenAudience "" }}
+ - name: customResourceEndpoint
+ value: {{ $settings.tokenAudience | quote }}
+ {{- end }}
+ - name: IS_CUSTOM_CERT
+ value: {{ $settings.isCustomCert | quote }}
+ - name: ENABLE_CUSTOM_METRICS
+ value: {{ $settings.customMetricsEnabled | quote }}
+ {{- else }}
+ - name: USING_AAD_MSI_AUTH
+ value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }}
+ {{- if $settings.appMonitoringEnabled }}
+ - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED
+ value: "{{ $settings.appMonitoringEnabled }}"
+ - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED
+ value: "{{ $settings.openTelemetryLogsEnabled }}"
+ - name: APPMONITORING_OPENTELEMETRYLOGS_PORT
+ value: "{{ $settings.openTelemetryLogsPort }}"
+ - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT
+ value: "4319"
+ {{- end }}
+ - name: PROMETHEUS_METRICS_SCRAPING_DISABLED
+ value: "{{ $settings.prometheusScrapingDisabled }}"
+ {{- if $settings.retinaFlowLogsEnabled }}
+ - name: AZMON_RETINA_FLOW_LOGS_ENABLED
+ value: "true"
+ {{- end }}
+ {{- if $settings.resourceOptimizationEnabled }}
+ - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED
+ value: "true"
+ {{- end }}
+ {{- end }}
+ {{- if $settings.shouldMountSyslogHostPort }}
+ - name: SYSLOG_HOST_PORT
+ value: {{ $settings.syslogPort | quote }}
+ {{- end }}
+ - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+ value: {{ $settings.identityClientID | quote }}
+ {{- if $settings.isArcExtension }}
+ {{- if .Values.amalogs.logsettings.logflushintervalsecs }}
+ - name: FBIT_SERVICE_FLUSH_INTERVAL
+ value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }}
+ {{- end }}
+ {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }}
+ - name: FBIT_TAIL_BUFFER_CHUNK_SIZE
+ value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }}
+ {{- end }}
+ {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }}
+ - name: FBIT_TAIL_BUFFER_MAX_SIZE
+ value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }}
+ {{- end }}
+ - name: ISTEST
+ value: {{ $settings.isTestMode | quote }}
+ {{- else }}
+ - name: FBIT_SERVICE_FLUSH_INTERVAL
+ value: "15"
+ - name: FBIT_TAIL_BUFFER_CHUNK_SIZE
+ value: "1"
+ - name: FBIT_TAIL_BUFFER_MAX_SIZE
+ value: "1"
+ {{- end }}
+ - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
+ value: "{{ $settings.telegrafLivenessprobeEnabled }}"
+ - name: CLUSTER_CLOUD_ENVIRONMENT
+ value: {{ $settings.cloudEnvironment | quote }}
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
+ valueFrom:
+ resourceFieldRef:
+ containerName: ama-logs
+ resource: limits.memory
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ privileged: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - DAC_OVERRIDE
+ ports:
+ - containerPort: 25225
+ protocol: TCP
+ - containerPort: 25224
+ protocol: UDP
+ {{- if $settings.shouldMountSyslogHostPort }}
+ - name: syslog
+ containerPort: {{ $settings.syslogPort }}
+ hostPort: {{ $settings.syslogPort }}
+ protocol: TCP
+ {{- end }}
+ {{- if and $settings.isAKSAddon $settings.openTelemetryLogsEnabled }}
+ - name: otlp-logs
+ containerPort: 4319
+ hostPort: {{ $settings.openTelemetryLogsPort }}
+ protocol: TCP
+ {{- end }}
+ volumeMounts:
+ {{- if $settings.enableServiceAccountTimeBoundToken }}
+ - name: kube-api-access
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ readOnly: true
+ {{- end }}
+ - mountPath: /hostfs
+ name: host-root
+ readOnly: true
+ mountPropagation: HostToContainer
+ - mountPath: /var/log
+ name: host-log
+ {{- if $settings.isAKSAddon }}
+ {{- if $settings.syslogEnabled }}
+ - mountPath: /var/run/mdsd-ci
+ name: mdsd-sock
+ {{- end }}
+ {{- if $settings.retinaFlowLogsEnabled }}
+ - mountPath: /var/log/acns/hubble
+ name: acns-hubble
+ {{- end }}
+ - mountPath: /var/run/mdsd-PrometheusSidecar
+ name: mdsd-prometheus-sock
+ {{- end }}
+ - mountPath: /var/lib/docker/containers
+ name: containerlog-path
+ readOnly: true
+ {{- if $settings.isAKSAddon }}
+ - mountPath: /mnt/docker
+ name: containerlog-path-2
+ readOnly: true
+ - mountPath: /mnt/containers
+ name: containerlog-path-3
+ readOnly: true
+ {{- end }}
+ - mountPath: /etc/kubernetes/host
+ name: azure-json-path
+ - mountPath: /etc/ama-logs-secret
+ name: ama-logs-secret
+ readOnly: true
+ {{- if $settings.isAKSAddon }}
+ - mountPath: /etc/omsagent-secret
+ name: ama-logs-secret
+ readOnly: true
+ {{- end }}
+ {{- if and $settings.isProxyEnabled $settings.proxyCert }}
+ - mountPath: /etc/ssl/certs/proxy-cert.crt
+ subPath: PROXYCERT.crt
+ name: ama-logs-secret
+ readOnly: true
+ {{- end }}
+ - mountPath: /etc/config/settings
+ name: settings-vol-config
+ readOnly: true
+ {{- if $settings.isArcExtension }}
+ {{- if .Values.amalogs.logsettings.custommountpath }}
+ - mountPath: {{ .Values.amalogs.logsettings.custommountpath }}
+ name: custom-mount-path
+ {{- end }}
+ {{- end }}
+ - mountPath: /etc/config/settings/adx
+ name: ama-logs-adx-secret
+ readOnly: true
+ {{- if $settings.isArcExtension }}
+ - mountPath: /etc/config/osm-settings
+ name: osm-settings-vol-config
+ readOnly: true
+ {{- end }}
+ {{- if $settings.mountMarinerCerts }}
+ - mountPath: /anchors/mariner
+ name: anchors-mariner
+ readOnly: true
+ {{- end }}
+ {{- if $settings.mountUbuntuCerts }}
+ - mountPath: /anchors/ubuntu
+ name: anchors-ubuntu
+ readOnly: true
+ {{- end }}
+ livenessProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - "/opt/livenessprobe.sh"
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ timeoutSeconds: 15
+ {{- if $settings.sidecarScrapingEnabled }}
+ - name: ama-logs-prometheus
+ image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}"
+ imagePullPolicy: {{ $settings.imagePullPolicy }}
+ resources:
+ {{- if $settings.isArcExtension }}
+{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 9 }}
+ {{- else }}
+ limits:
+ cpu: {{ .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit }}
+ memory: {{ .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit }}
+ requests:
+ cpu: 75m
+ memory: 225Mi
+ {{- end }}
+ env:
+ - name: AKS_RESOURCE_ID
+ value: {{ $settings.resourceId | quote }}
+ - name: AKS_REGION
+ value: {{ $settings.region | quote }}
+ {{- if $settings.isAKSAddon }}
+ - name: AKS_CLUSTER_NAME
+ value: {{ $settings.clusterName | quote }}
+ - name: AKS_NODE_RESOURCE_GROUP
+ value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }}
+ {{- end }}
+ - name: USING_AAD_MSI_AUTH
+ value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }}
+ - name: CONTROLLER_TYPE
+ value: "DaemonSet"
+ - name: CONTAINER_TYPE
+ value: "PrometheusSidecar"
+ - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+ value: {{ $settings.identityClientID | quote }}
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
+ valueFrom:
+ resourceFieldRef:
+ containerName: ama-logs-prometheus
+ resource: limits.memory
+ {{- if $settings.isArcExtension }}
+ - name: ISTEST
+ value: {{ $settings.isTestMode | quote }}
+ {{- else if $settings.shouldMountSyslogHostPort }}
+ - name: SYSLOG_HOST_PORT
+ value: {{ $settings.syslogPort | quote }}
+ {{- end }}
+ - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
+ value: "{{ $settings.telegrafLivenessprobeEnabled }}"
+ - name: CLUSTER_CLOUD_ENVIRONMENT
+ value: {{ $settings.cloudEnvironment | quote }}
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ privileged: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - DAC_OVERRIDE
+ volumeMounts:
+ {{- if $settings.enableServiceAccountTimeBoundToken }}
+ - name: kube-api-access
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ readOnly: true
+ {{- end }}
+ - mountPath: /etc/kubernetes/host
+ name: azure-json-path
+ - mountPath: /etc/ama-logs-secret
+ name: ama-logs-secret
+ readOnly: true
+ {{- if $settings.isAKSAddon }}
+ - mountPath: /etc/omsagent-secret
+ name: ama-logs-secret
+ readOnly: true
+ {{- if $settings.syslogEnabled }}
+ - mountPath: /var/run/mdsd-ci
+ name: mdsd-sock
+ {{- end }}
+ - mountPath: /var/run/mdsd-PrometheusSidecar
+ name: mdsd-prometheus-sock
+ {{- end }}
+ {{- if and $settings.isProxyEnabled $settings.proxyCert }}
+ - mountPath: /etc/ssl/certs/proxy-cert.crt
+ subPath: PROXYCERT.crt
+ name: ama-logs-secret
+ readOnly: true
+ {{- end }}
+ - mountPath: /etc/config/settings
+ name: settings-vol-config
+ readOnly: true
+ {{- if $settings.isArcExtension }}
+ - mountPath: /etc/config/osm-settings
+ name: osm-settings-vol-config
+ readOnly: true
+ {{- end }}
+ {{- if $settings.mountMarinerCerts }}
+ - mountPath: /anchors/mariner
+ name: anchors-mariner
+ readOnly: true
+ {{- end }}
+ {{- if $settings.mountUbuntuCerts }}
+ - mountPath: /anchors/ubuntu
+ name: anchors-ubuntu
+ readOnly: true
+ {{- end }}
+ livenessProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - /opt/livenessprobe.sh
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ timeoutSeconds: 15
+ {{- end }}
+ affinity:
+ {{- if $settings.isArcExtension }}
+ {{- with .Values.amalogs.daemonset.affinity }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- else }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: kubernetes.azure.com/cluster
+ operator: Exists
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ {{- end }}
+ tolerations:
+ {{- if $settings.isArcExtension }}
+ {{- if $settings.scheduleOnTaintedNodes }}
+ {{- with .Values.amalogs.tolerationsUnrestricted }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- else }}
+ {{- with .Values.amalogs.tolerations }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ - operator: "Exists"
+ effect: NoExecute
+ - operator: "Exists"
+ effect: NoSchedule
+ - operator: "Exists"
+ effect: PreferNoSchedule
+ {{- end }}
+ volumes:
+ {{- if $settings.enableServiceAccountTimeBoundToken }}
+ - name: kube-api-access
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 3600
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
+ {{- end }}
+ - name: host-root
+ hostPath:
+ path: /
+ - name: container-hostname
+ hostPath:
+ path: /etc/hostname
+ - name: host-log
+ hostPath:
+ path: /var/log
+ {{- if $settings.isAKSAddon }}
+ {{- if $settings.syslogEnabled }}
+ - name: mdsd-sock
+ hostPath:
+ path: /var/run/mdsd-ci
+ {{- end }}
+ {{- if $settings.retinaFlowLogsEnabled }}
+ - name: acns-hubble
+ hostPath:
+ path: /var/log/acns/hubble
+ {{- end }}
+ - name: mdsd-prometheus-sock
+ emptyDir: {}
+ {{- end }}
+ - name: containerlog-path
+ hostPath:
+ path: /var/lib/docker/containers
+ {{- if $settings.isAKSAddon }}
+ - name: containerlog-path-2
+ hostPath:
+ path: /mnt/docker
+ - name: containerlog-path-3
+ hostPath:
+ path: /mnt/containers
+ {{- end }}
+ - name: azure-json-path
hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if $settings.isArcExtension }} + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} + {{- end }} + {{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + {{- if $settings.isArcExtension }} + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true + {{- end }} + {{- if $settings.mountMarinerCerts }} + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + {{- if $settings.mountUbuntuCerts }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml new file mode 100644 index 000000000..8435e0103 --- /dev/null +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml 
@@ -0,0 +1,35 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+{{- if and $settings.isArcExtension (eq $settings.distribution "openshift") }}
+#
+# OpenShift Security Context Constraint
+# Required for running ama-logs with elevated privileges on OpenShift
+#
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: ama-logs-scc
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowHostDirVolumePlugin: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+readOnlyRootFilesystem: false
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- hostPath
+- configMap
+- secret
+- projected
+- emptyDir
+- downwardAPI
+users:
+- system:serviceaccount:kube-system:ama-logs
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml
new file mode 100644
index 000000000..ee868781f
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml
@@ -0,0 +1,14 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+{{- if $settings.isArcExtension }}
+#
+# PriorityClass for Arc K8s Extension
+# Ensures ama-logs pods are scheduled with priority
+#
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: ama-logs
+value: {{ $settings.priority }}
+globalDefault: false
+description: "Priority class for Azure Monitor ama-logs agent in Arc K8s extension mode"
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml
new file mode 100644
index 000000000..2a2cbd263
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml
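Review bot: In ama-logs-openshift-scc.yaml the one capability list the SCC carries does not match the pod spec added by this patch: `allowedCapabilities` names NET_ADMIN and NET_RAW, while the ama-logs-prometheus sidecar adds DAC_OVERRIDE under `privileged: true`. With `allowPrivilegedContainer: true` that list is not what bounds the container, so the file should say in a comment which container needs privileged mode and why, and the list should either match what the pods request or be removed. `allowPrivilegeEscalation: true` and the four `RunAsAny` strategies are likewise unexplained. Unless the pod spec outside this hunk needs them, I would also state the host-namespace fields explicitly (`allowHostNetwork: false`, `allowHostPID: false`, `allowHostIPC: false`, `allowHostPorts: false`) so that a later edit flipping one of them is visible in review.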
@@ -0,0 +1,65 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+{{- if $settings.rbacEnabled }}
+#
+# RBAC Resources for ama-logs
+#
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ama-logs
+ namespace: kube-system
+ labels:
+{{- if $settings.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ama-logs-reader
+ labels:
+{{- if $settings.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["apps", "extensions", "autoscaling"]
+ resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
+ verbs: ["list"]
+{{- if $settings.rsvpaEnabled }}
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: ["ama-logs-rs"]
+ verbs: ["get", "patch"]
+{{- end }}
+{{- if $settings.usingAADAuth }}
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: [{{ $settings.accessTokenSecretName | quote }}]
+ verbs: ["get", "watch"]
+{{- end }}
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: amalogsclusterrolebinding
+ labels:
+{{- if $settings.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: ama-logs
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ama-logs-reader
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
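Review bot: The first rule of ClusterRole ama-logs-reader in ama-logs-rbac.yaml grants `get` on `nodes/proxy`, which lets the service account reach the whole kubelet API on every node through the API server, not only the read-only stats endpoints. `nodes/stats`, `nodes/metrics` and `nodes/spec` are already listed in the same rule, so if the agent only reads kubelet stats and metrics the entry can be dropped: `resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "namespaces", "services", "persistentvolumes"]`. If it is genuinely required, a comment above the rule naming the kubelet endpoint that depends on it would let the next reviewer confirm the grant is still needed.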
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml
new file mode 100644
index 000000000..95eedfa9c
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml
@@ -0,0 +1,30 @@
+{{- $settings := include "arc-extension-settings" . | fromYaml }}
+#
+# Workspace Secret
+# Stores Log Analytics workspace credentials
+#
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ama-logs-secret
+ namespace: kube-system
+ labels:
+{{- if $settings.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+type: Opaque
+data:
+ WSID: {{ $settings.workspaceID | b64enc | quote }}
+ KEY: {{ $settings.workspaceKey | b64enc | quote }}
+ DOMAIN: {{ $settings.domain | b64enc | quote }}
+{{- if $settings.isProxyEnabled }}
+ {{- if $settings.httpsProxy }}
+ PROXY: {{ $settings.httpsProxy | b64enc | quote }}
+ {{- else if $settings.httpProxy }}
+ PROXY: {{ $settings.httpProxy | b64enc | quote }}
+ {{- end }}
+{{- end }}
+{{- if and $settings.isProxyEnabled $settings.proxyCert }}
+ PROXYCERT.crt: {{ $settings.proxyCert | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/values.yaml b/charts/azuremonitor-containers-merged/values.yaml
new file mode 100644
index 000000000..7e363ae03
--- /dev/null
+++ b/charts/azuremonitor-containers-merged/values.yaml
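Review bot: `PROXYCERT.crt` is the only key under `data:` in ama-logs-secret.yaml that is not piped through `b64enc`, so the template is correct only if `$settings.proxyCert` always arrives base64-encoded. Values under `data:` must be base64, and PEM text placed there fails validation when the Secret is applied. Either encode it like the other keys, `PROXYCERT.crt: {{ $settings.proxyCert | b64enc | quote }}`, or keep the line and put `# proxyCert must already be base64-encoded (not PEM text)` above it. A later patch on this page also feeds `OmsAgent.trustedCA` into `proxyCert`, so the expected encoding should be documented for both sources.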
@@ -0,0 +1,272 @@
+# Unified values for Azure Monitor Containers
+# Supports both AKS Addon and Arc K8s Extension deployment modes
+
+# ============================================================================
+# Azure Arc K8s Extension Parameters
+# These are populated automatically by Azure Arc K8s Resource Provider
+# ============================================================================
+Azure:
+ Cluster:
+ Cloud:
+ Region:
+ ResourceId:
+ Distribution: "" # e.g., "openshift", "aks_edge_k3s", "aks_edge_k8s", etc.
+ Extension:
+ Name: ""
+ ResourceId: ""
+ proxySettings:
+ isProxyEnabled: false
+ httpProxy: ""
+ httpsProxy: ""
+ noProxy: ""
+ proxyCert: ""
+ isCustomCert: false
+ autonomousFqdn: ""
+ Identity:
+ MSIAdapterYaml: "" # OpenShift-specific MSI adapter configuration
+
+# ============================================================================
+# Arc K8s Specific Configuration (amalogs.*)
+# ============================================================================
+amalogs:
+ # Image configuration
+ image:
+ repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod"
+ tag: "3.1.34"
+ tagWindows: "win-3.1.34"
+ pullPolicy: IfNotPresent
+ dockerProviderVersion: "18.0.1-0"
+ agentVersion: "azure-mdsd-1.37.0"
+ winAgentVersion: "46.31.3"
+
+ # Pod priority (must be > 0 for proper scheduling)
+ priority: 10
+
+ # Feature flags
+ enableHighLogScaleMode: false
+ ISTEST: false
+ useAADAuth: false
+ isArcACluster: false
+ ignoreExtensionProxySettings: false
+ scheduleOnTaintedNodes: false
+ enableServiceAccountTimeBoundToken: true
+ enableCustomMetrics: false
+ enableTelegrafLivenessprobe: false
+
+ # Workspace credentials
+ secret:
+ wsid:
+ key:
+
+ # Domain (auto-configured based on cloud)
+ domain: opinsights.azure.com
+
+ # Proxy and endpoints
+ proxy:
+ metricsEndpoint:
+ tokenAudience:
+
+ # Cluster environment
+ env:
+ clusterName:
+ clusterId:
+ clusterRegion:
+
+ # RBAC
+ rbac: true
+
+ # Prometheus sidecar
+ sidecarscraping: true
+
+ # Syslog
+ syslog:
+ enabled: false
+ syslogPort: 28330
+
+ # Log settings
+ logsettings:
+ logflushintervalsecs: "15"
+ tailbufchunksizemegabytes: "1"
+ tailbufmaxsizemegabytes: "1"
+ custommountpath: ""
+
+ # Tolerations
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoExecute"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+
+ tolerationsUnrestricted:
+ - operator: "Exists"
+ effect: "NoSchedule"
+ - operator: "Exists"
+ effect: "NoExecute"
+ - operator: "Exists"
+ effect: "PreferNoSchedule"
+
+ # Affinity
+ daemonset:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+
+ deployment:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+
+ # Resources
+ resources:
+ daemonsetlinux:
+ requests:
+ cpu: 75m
+ memory: 325Mi
+ limits:
+ cpu: 150m
+ memory: 750Mi
+ daemonsetwindows:
+ requests:
+ cpu: 500m
+ memory: 700Mi
+ limits:
+ cpu: 2
+ memory: 2Gi
+ deployment:
+ requests:
+ cpu: 150m
+ memory: 250Mi
+ limits:
+ cpu: 1
+ memory: 1Gi
+ daemonsetlinuxsidecar:
+ requests:
+ cpu: 75m
+ memory: 225Mi
+ limits:
+ cpu: 500m
+ memory: 1Gi
+
+# ============================================================================
+# AKS Addon Configuration (OmsAgent.*)
+# ============================================================================
+OmsAgent:
+ # Cluster information
+ aksResourceID:
+ aksClusterName: ""
+ aksNodeResourceGroup: ""
+ aksRegion: ""
+
+ # Workspace
+ workspaceID: ""
+ workspaceKey: ""
+
+ # Authentication
+ isUsingAADAuth: "true"
+ identityClientID: ""
+ accessTokenSecretName: "ama-logs-secret"
+
+ # Cloud environment
+ isMoonCake: false
+ isFairfax: false
+
+ # Feature flags
+ isMultitenancyLogsEnabled: false
+ isRSVPAEnabled: false
+ isSyslogEnabled: true
+ isSidecarScrapingEnabled: true
+ isPrometheusMetricsScrapingDisabled: false
+ isRetinaFlowLogsEnabled: false
+ isResourceOptimizationEnabled: false
+ isWindowsAMAEnabled: true
+ isWindowsAMAFluentBitEnabled: false
+ isWindowsBurstableQoSEnabled: true
+ isWindowsAddonTokenAdapterDisabled: false
+ isCustomMetricsDisabled: true
+ isTelegrafLivenessprobeEnabled: false
+
+ # Image configuration
+ imageTagLinux: "3.1.34"
+ imageTagWindows: "win-3.1.34"
+ isImagePullPolicyAlways: false
+
+ # Dynamic sizing
+ enableDaemonSetSizing: false
+
+ # Resource limits
+ omsAgentDsCPULimitLinux: "500m"
+ omsAgentDsMemoryLimitLinux: "1Gi"
+ omsAgentDsCPULimitWindows: "2"
+ omsAgentDsMemoryLimitWindows: "2Gi"
+ omsAgentDsCPURequestWindows: "100m"
+ omsAgentDsMemoryRequestWindows: "150Mi"
+ omsAgentRsCPULimit: "1"
+ omsAgentRsMemoryLimit: "1.5Gi"
+ omsAgentPrometheusSidecarCPULimit: "500m"
+ omsAgentPrometheusSidecarMemoryLimit: "1Gi"
+
+ # Multitenancy
+ omsAgentMultitenancyCPULimitLinux: "1"
+ omsAgentMultitenancyMemoryLimitLinux: "1Gi"
+ omsAgentMultitenancyCPURequestLinux: "100m"
+ omsAgentMultitenancyMemoryRequestLinux: "100Mi"
+ omsAgentMultitenancyLogsHPAMinReplicas: 2
+ omsAgentMultitenancyLogsHPAMaxReplicas: 50
+ omsAgentMultitenancyHPAAvgCPUUtilization: 700
+ omsAgentMultitenancyHPAAvgMemoryUtilization: 700
+
+ # Syslog
+ syslogHostPort: "28330"
+ shouldMountSyslogHostPort: true
+
+ # Proxy
+ httpProxy: ""
+ httpsProxy: ""
+ trustedCA: ""
+
+# ============================================================================
+# Application Monitoring
+# ============================================================================
+AppmonitoringAgent:
+ enabled: false
+ isOpenTelemetryLogsEnabled: false
+ openTelemetryLogsPort: 28331
+
+# ============================================================================
+# Global Settings
+# ============================================================================
+global:
+ commonGlobals:
+ CloudEnvironment:
+ isAutomaticSKU: false
+ Region:
+ Versions:
+ Kubernetes: "1.29.0"
+
+# Legacy addon delivery mode
+legacyAddonDelivery: false
\ No newline at end of file
From 6b20ab0344d24a8eed180369d3ef8b604ee1c843 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 23 Feb 2026 01:29:03 +0000
Subject: [PATCH 23/47] renaming
---
.pipelines/azure_pipeline_mergedbranches.yaml | 2 +-
.../Chart.yaml | 0
.../templates/_helpers.tpl | 0
.../templates/ama-logs.yaml | 0
.../values.yaml | 0
.../ServiceGroupRoot/Scripts/pushChartToAcr.sh | 2 +-
6 files changed, 2 insertions(+), 2 deletions(-)
rename charts/{azuremonitor-containerinsights => azuremonitor-containerinsights-aks}/Chart.yaml (100%)
rename charts/{azuremonitor-containerinsights => azuremonitor-containerinsights-aks}/templates/_helpers.tpl (100%)
rename charts/{azuremonitor-containerinsights => azuremonitor-containerinsights-aks}/templates/ama-logs.yaml (100%)
rename charts/{azuremonitor-containerinsights => azuremonitor-containerinsights-aks}/values.yaml (100%)
diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml
index 62a78d622..0cd5a809a 100644
--- a/.pipelines/azure_pipeline_mergedbranches.yaml
+++ b/.pipelines/azure_pipeline_mergedbranches.yaml
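Review bot: In the merged chart's values.yaml, `OmsAgent.isUsingAADAuth` is the string `"true"` while every other flag in the file is a YAML boolean, and the settings helper compares it with `eq .Values.OmsAgent.isUsingAADAuth "true"`. An override written as a boolean (for example `--set OmsAgent.isUsingAADAuth=true`) will not match that comparison, presumably leaving the agent on workspace-key authentication or failing the render. Put a comment above the key, e.g. `# string, not boolean: compared against "true" in _arc-extension-settings.tpl`, or change the helper to accept both forms.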
@@ -90,7 +90,7 @@ extends: cd $(Build.SourcesDirectory)/deployment/mergebranch-multiarch-agent-deployment/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts - tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights/ ../../../../charts/azuremonitor-containers-geneva/ pushChartToAcr.sh + tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights-aks/ ../../../../charts/azuremonitor-containers-geneva/ pushChartToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh windowsAMAUrl="" diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights-aks/Chart.yaml similarity index 100% rename from charts/azuremonitor-containerinsights/Chart.yaml rename to charts/azuremonitor-containerinsights-aks/Chart.yaml diff --git a/charts/azuremonitor-containerinsights/templates/_helpers.tpl b/charts/azuremonitor-containerinsights-aks/templates/_helpers.tpl similarity index 100% rename from charts/azuremonitor-containerinsights/templates/_helpers.tpl rename to charts/azuremonitor-containerinsights-aks/templates/_helpers.tpl diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights-aks/templates/ama-logs.yaml similarity index 100% rename from charts/azuremonitor-containerinsights/templates/ama-logs.yaml rename to charts/azuremonitor-containerinsights-aks/templates/ama-logs.yaml diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights-aks/values.yaml similarity index 100% rename from charts/azuremonitor-containerinsights/values.yaml rename to charts/azuremonitor-containerinsights-aks/values.yaml 
diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index 18348dff5..8ce02b203 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh @@ -70,7 +70,7 @@ push_local_chart_to_canary_region() { fi echo "generate chart package file" - export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') + export CHART_FILE=$(helm package charts/azuremonitor-containerinsights-aks/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') if [ $? -eq 0 ]; then echo "chart package file generated successfully." else From a46424cfd565b1e64c52a71503e6be220ef3f408 Mon Sep 17 00:00:00 2001 From: longwan Date: Mon, 23 Feb 2026 02:06:20 +0000 Subject: [PATCH 24/47] update merge chart with rs windows and rbac --- .../templates/_arc-extension-settings.tpl | 44 +- .../templates/ama-logs-daemonset-windows.yaml | 328 ++++++++++++ .../templates/ama-logs-daemonset.yaml | 4 +- .../templates/ama-logs-multitenancy.yaml | 281 ++++++++++ .../templates/ama-logs-rbac.yaml | 19 +- .../templates/ama-logs-replicaset.yaml | 495 ++++++++++++++++++ .../templates/ama-logs-rs-configmap.yaml | 264 ++++++++++ .../templates/ama-logs-secret.yaml | 8 +- .../values.yaml | 23 +- 9 files changed, 1442 insertions(+), 24 deletions(-) create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml create mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml 
diff --git a/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl b/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl index 82feeea02..80fb85624 100644 --- a/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl +++ b/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl @@ -5,8 +5,9 @@ This consolidates all deployment-mode-specific configuration logic */}} {{- define "arc-extension-settings" -}} -{{/* Detect deployment mode */}} -{{- $isArcExtension := or (ne .Values.Azure.Extension.Name "") (ne .Values.Azure.Extension.ResourceId "") -}} +{{/* Detect deployment mode - guard Azure for AKS-only or standalone values */}} +{{- $hasAzure := and (hasKey .Values "Azure") (hasKey .Values.Azure "Extension") -}} +{{- $isArcExtension := and $hasAzure (or (ne .Values.Azure.Extension.Name "") (ne .Values.Azure.Extension.ResourceId "")) -}} {{- $hasArcClusterResourceId := and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") (ne .Values.Azure.Cluster.ResourceId "") -}} {{- $isAKSAddon := and (hasKey .Values "OmsAgent") (ne .Values.OmsAgent.aksResourceID "") (not $isArcExtension) -}} {{- $isStandalone := and (not $isArcExtension) (not $isAKSAddon) -}} 
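Review bot: The new `$hasAzure` guard protects `.Values.Azure.Extension` only if `and` stops at its first false argument; template engines built on Go older than 1.18 evaluate every argument, so `hasKey .Values.Azure "Extension"` would still run against a missing `Azure` and fail the render. The same nested `hasKey` pattern is repeated in the hunks at -32 and -170 of this file. If older Helm builds are in scope, `dig` expresses the lookup without relying on evaluation order, e.g. `{{- $extName := dig "Extension" "Name" "" (.Values.Azure | default dict) -}}`. Otherwise a one-line comment stating the minimum supported Helm version would be enough.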
@@ -32,11 +33,13 @@ region: {{ .Values.amalogs.env.clusterRegion | default .Values.global.commonGlob clusterName: {{ .Values.amalogs.env.clusterName }} {{- end }} -{{/* Cloud environment - prefer global setting, fall back to Arc value */}} -cloudEnvironment: {{ default (lower .Values.Azure.Cluster.Cloud) (lower .Values.global.commonGlobals.CloudEnvironment) }} +{{/* Cloud environment - safe when Azure absent (AKS-only values) */}} +{{- $azureCloud := "" }} +{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") }}{{ $azureCloud = lower .Values.Azure.Cluster.Cloud }}{{ end }} +cloudEnvironment: {{ default $azureCloud (lower .Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud") }} {{/* Distribution - e.g., openshift, aks_edge_k3s, etc. */}} -distribution: {{ .Values.Azure.Cluster.Distribution | default "generic" }} +distribution: {{ if and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") }}{{ .Values.Azure.Cluster.Distribution | default "generic" }}{{ else }}generic{{ end }} {{/* Authentication configuration */}} {{- if $isArcExtension }} @@ -47,8 +50,8 @@ usingAADAuth: {{ eq .Values.OmsAgent.isUsingAADAuth "true" }} usingAADAuth: false {{- end }} -{{/* Access token secret name */}} -accessTokenSecretName: {{ .Values.OmsAgent.accessTokenSecretName | default "ama-logs-secret" }} +{{/* Access token secret name - safe when OmsAgent absent (standalone) */}} +accessTokenSecretName: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.accessTokenSecretName | default "ama-logs-secret" }}{{ else }}ama-logs-secret{{ end }} {{/* Arc Extension specific settings */}} {{- if $isArcExtension }} 
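Review bot: `cloudEnvironment` can no longer fall back to the Arc-supplied cloud, because the inner `| default "azurepubliccloud"` makes the second argument of `default $azureCloud (...)` always non-empty and `$azureCloud` is therefore never chosen. The same expression feeds `$cloudEnv` in the hunk at -85, which selects the workspace `domain`, so an Arc cluster in a sovereign cloud with an empty `global.commonGlobals.CloudEnvironment` would resolve to opinsights.azure.com. Chain the defaults instead: `cloudEnvironment: {{ lower .Values.global.commonGlobals.CloudEnvironment | default $azureCloud | default "azurepubliccloud" }}`, and do the same for `$cloudEnv`.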
@@ -64,11 +67,13 @@ proxyCert: {{ .Values.Azure.proxySettings.proxyCert }} isCustomCert: {{ .Values.Azure.proxySettings.isCustomCert }} ignoreProxySettings: {{ .Values.amalogs.ignoreExtensionProxySettings | default false }} {{- else }} -isProxyEnabled: false -httpProxy: "" -httpsProxy: "" +{{/* AKS addon: proxy from OmsAgent. Standalone: no proxy in settings (use Arc path if needed). */}} +{{- $hasProxy := and (hasKey .Values "OmsAgent") (or .Values.OmsAgent.httpProxy .Values.OmsAgent.httpsProxy) }} +isProxyEnabled: {{ $hasProxy }} +httpProxy: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.httpProxy | default "" }}{{ else }}{{ "" }}{{ end }} +httpsProxy: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.httpsProxy | default "" }}{{ else }}{{ "" }}{{ end }} noProxy: "" -proxyCert: "" +proxyCert: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.trustedCA | default "" }}{{ else }}{{ "" }}{{ end }} isCustomCert: false ignoreProxySettings: false {{- end }} 
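Review bot: `$hasProxy` holds a proxy URL rather than a boolean, because `and`/`or` return one of their arguments, so with a proxy configured `isProxyEnabled:` is rendered as the URL itself. It still tests truthy downstream, but it copies the proxy string (which can carry credentials) into a second field and breaks any consumer expecting `true`/`false`; render it as `isProxyEnabled: {{ if $hasProxy }}true{{ else }}false{{ end }}`. The `httpProxy`, `httpsProxy` and `proxyCert` values on the following lines are also written unquoted into YAML that the templates parse again with `fromYaml`, so a value containing ` #`, `: ` or a newline is truncated or re-read as extra keys. Appending `| quote` to each of the three expressions avoids that.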
@@ -85,9 +90,16 @@ workspaceID: {{ .Values.amalogs.secret.wsid }} workspaceKey: {{ .Values.amalogs.secret.key }} {{- end }} -{{/* Domain configuration based on cloud environment */}} -{{- $cloudEnv := default (lower .Values.Azure.Cluster.Cloud) (lower .Values.global.commonGlobals.CloudEnvironment) | upper -}} -domain: {{ if eq $cloudEnv "AZURECHINACLOUD" }}opinsights.azure.cn{{ else if or (eq $cloudEnv "AZUREUSGOVERNMENT") (.Values.OmsAgent.isFairfax) }}opinsights.azure.us{{ else if eq $cloudEnv "USNAT" }}opinsights.azure.eaglex.ic.gov{{ else if eq $cloudEnv "USSEC" }}opinsights.azure.microsoft.scloud{{ else if eq $cloudEnv "AZUREBLEUCLOUD" }}opinsights.sovcloud-api.fr{{ else }}opinsights.azure.com{{ end }} +{{/* Domain configuration based on cloud environment - safe when Azure/OmsAgent absent. Output string only (no boolean). */}} +{{- $cloudEnv := default $azureCloud (lower .Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud") | upper -}} +{{- $isFairfax := and (hasKey .Values "OmsAgent") (eq .Values.OmsAgent.isFairfax true) -}} +{{- $domain := "opinsights.azure.com" -}} +{{- if eq $cloudEnv "AZURECHINACLOUD" }}{{ $domain = "opinsights.azure.cn" }}{{ end -}} +{{- if or (eq $cloudEnv "AZUREUSGOVERNMENT") $isFairfax }}{{ $domain = "opinsights.azure.us" }}{{ end -}} +{{- if eq $cloudEnv "USNAT" }}{{ $domain = "opinsights.azure.eaglex.ic.gov" }}{{ end -}} +{{- if eq $cloudEnv "USSEC" }}{{ $domain = "opinsights.azure.microsoft.scloud" }}{{ end -}} +{{- if eq $cloudEnv "AZUREBLEUCLOUD" }}{{ $domain = "opinsights.sovcloud-api.fr" }}{{ end -}} +domain: {{ $domain }} {{/* Feature flags - unified from both value structures */}} {{- if $isAKSAddon }} 
@@ -170,11 +182,11 @@ imagePullPolicy: {{ .Values.amalogs.image.pullPolicy | default "IfNotPresent" }} {{- $shouldMountCerts := or (eq $cloudEnv "USNAT") (eq $cloudEnv "USSEC") (eq $cloudEnv "AZUREBLEUCLOUD") -}} mountMarinerCerts: {{ $shouldMountCerts }} mountUbuntuCerts: {{ $shouldMountCerts }} -{{- if or (eq .Values.Azure.Cluster.Distribution "aks_edge_k3s") (eq .Values.Azure.Cluster.Distribution "aks_edge_k8s") }} +{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") (or (eq .Values.Azure.Cluster.Distribution "aks_edge_k3s") (eq .Values.Azure.Cluster.Distribution "aks_edge_k8s")) }} mountUbuntuCerts: false {{- end }} -{{/* Test mode */}} +{{/* Test mode - templates should use $settings.isTestMode (this is the single source) */}} {{- if $isArcExtension }} isTestMode: {{ .Values.amalogs.ISTEST | default false }} {{- else }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml new file mode 100644 index 000000000..75c9453f4 --- /dev/null +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml 
@@ -0,0 +1,328 @@ +{{- $settings := include "arc-extension-settings" . | fromYaml }} +{{- $renderWindows := false }} +{{- if $settings.isAKSAddon }} +{{- if $settings.windowsAMAEnabled }} +{{- $renderWindows = true }} +{{- end }} +{{- else if and $settings.isArcExtension (not $settings.usingAADAuth) (ne $settings.workspaceID "") (ne $settings.workspaceID "") }} +{{- $renderWindows = true }} +{{- end }} +{{- if $renderWindows }} +# +# Windows DaemonSet for ama-logs +# AKS: when windowsAMAEnabled; Arc: when not using AAD auth and workspace configured +# +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs-windows + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent-windows + tier: node-win +{{- if $settings.isAKSAddon }} + kubernetes.azure.com/managedby: aks +{{- end }} +{{- if $settings.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + updateStrategy: + type: RollingUpdate +{{- if $settings.isAKSAddon }} + rollingUpdate: + maxUnavailable: 50% +{{- end }} + selector: + matchLabels: +{{- if $settings.isArcExtension }} + dsName: "ama-logs-ds" +{{- else }} + component: ama-logs-agent-windows + tier: node-win +{{- end }} + template: + metadata: + labels: +{{- if $settings.isArcExtension }} + dsName: "ama-logs-ds" +{{- else }} + component: ama-logs-agent-windows + tier: node-win + kubernetes.azure.com/managedby: aks +{{- end }} + annotations: + agentVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.winAgentVersion }}{{ else }}46.17.2{{ end }} + dockerProviderVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.dockerProviderVersion }}{{ else }}18.0.1-0{{ end }} + schema-versions: "v1" + WSID: {{ $settings.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if 
$settings.isArcExtension }} + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} +{{- end }} + spec: +{{- if $settings.isAKSAddon }} + priorityClassName: system-node-critical +{{- else }} + priorityClassName: ama-logs +{{- end }} + dnsConfig: + options: + - name: ndots + value: "3" + nodeSelector: + kubernetes.io/os: windows +{{- if $settings.rbacEnabled }} + serviceAccountName: ama-logs +{{- end }} + containers: +{{- if and $settings.isAKSAddon $settings.usingAADAuth (not $settings.windowsAddonTokenAdapterDisabled) }} + - name: addon-token-adapter-win + command: + - addon-token-adapter-win + args: + - --secret-namespace=kube-system + - --secret-name={{ $settings.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} + - name: ama-logs-windows + image: "{{ $settings.imageRepo }}:{{ $settings.imageTagWindows }}" + imagePullPolicy: {{ $settings.imagePullPolicy }} + resources: +{{- if $settings.isArcExtension }} +{{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 12 }} +{{- else }} +{{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} + requests: + cpu: {{ .Values.OmsAgent.omsAgentDsCPURequestWindows }} + memory: {{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }} + limits: + cpu: {{ .Values.OmsAgent.omsAgentDsCPULimitWindows }} + memory: {{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }} +{{- else }} + limits: + cpu: {{ .Values.OmsAgent.omsAgentDsCPULimitWindows }} + memory: {{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }} +{{- end }} +{{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + - name: AKS_RESOURCE_ID + value: {{ $settings.resourceId | quote }} + - name: AKS_REGION + value: {{ $settings.region | quote }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: {{ $settings.identityClientID | quote }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PODNAME + valueFrom: + fieldRef: + 
fieldPath: metadata.name + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory + - name: SIDECAR_SCRAPING_ENABLED + value: {{ $settings.sidecarScrapingEnabled | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ $settings.customMetricsEnabled | quote }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: {{ $settings.cloudEnvironment | quote }} +{{- if $settings.isAKSAddon }} + - name: USING_AAD_MSI_AUTH + value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ $settings.appMonitoringEnabled }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ $settings.prometheusScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ $settings.telegrafLivenessprobeEnabled }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ $settings.windowsFluentBitEnabled }}" +{{- if or (eq $settings.cloudEnvironment "usnat") (eq $settings.cloudEnvironment "ussec") (eq $settings.cloudEnvironment "azurebleucloud") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" +{{- end }} +{{- else }} + - name: USING_AAD_MSI_AUTH + value: {{ $settings.usingAADAuth | quote }} +{{- if $settings.isTestMode }} + - name: AZMON_KUBERNETES_METADATA_ENABLED + value: "true" +{{- end }} +{{- end }} + volumeMounts: + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true +{{- if $settings.isAKSAddon }} + - mountPath: C:\etc\omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\config\adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: C:\etc\kubernetes\host + name: azure-json-path + readOnly: true +{{- if and 
$settings.usingAADAuth (eq (include "should_mount_hostca" .) "true") }} + - mountPath: C:\ca + name: ca-certs + readOnly: true +{{- end }} +{{- if $settings.usingAADAuth }} + - mountPath: C:\etc\IMDS-access-token + name: imds-token + readOnly: true +{{- end }} +{{- end }} + livenessProbe: + exec: + command: + - cmd + - /c + - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" +{{- if and $settings.isAKSAddon $settings.usingAADAuth }} + - "MonAgentCore.exe" +{{- end }} + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - windows + - key: type + operator: NotIn + values: + - virtual-kubelet +{{- if $settings.isAKSAddon }} + - key: kubernetes.azure.com/cluster + operator: Exists +{{- end }} + tolerations: +{{- if $settings.isAKSAddon }} + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: PreferNoSchedule +{{- else }} +{{- if $settings.scheduleOnTaintedNodes }} +{{- with .Values.amalogs.tolerationsUnrestricted }} + {{- toYaml . | nindent 8 }} +{{- end }} +{{- else }} +{{- with .Values.amalogs.tolerations }} + {{- toYaml . 
| nindent 8 }} +{{- end }} +{{- end }} +{{- end }} + volumes: + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true +{{- if $settings.isAKSAddon }} + - name: azure-json-path + hostPath: + path: C:\k +{{- if (eq (include "should_mount_hostca" .) "true") }} + - name: ca-certs + hostPath: + path: C:\ca +{{- end }} +{{- if $settings.usingAADAuth }} + - name: imds-token + secret: + secretName: {{ $settings.accessTokenSecretName }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml index e5efc8f61..59557ebfa 100644 --- a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml @@ -84,7 +84,9 @@ spec: value: "false" - name: TOKEN_NAMESPACE value: "azure-arc" -{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }} +{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Identity") (ne (toString .Values.Azure.Identity.MSIAdapterYaml) "") }} +{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }} +{{- end }} {{- else }} - name: msi-adapter env: diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml new file mode 100644 index 000000000..2d9509234 --- /dev/null +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml 
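Review bot: The Arc branch of the `$renderWindows` condition in `ama-logs-daemonset-windows.yaml` tests `(ne $settings.workspaceID "")` twice, so the second operand adds nothing. Since that branch is limited to `not $settings.usingAADAuth`, the intended second check is presumably the workspace key; as written the DaemonSet renders with an empty key and the agent would start without usable credentials. If the settings helper exposes the key (an earlier hunk shows a `workspaceKey:` entry), the operand should read `(ne $settings.workspaceKey "")`. The same duplicated operand opens `ama-logs-replicaset.yaml` and `ama-logs-rs-configmap.yaml`, where there is no AAD check, so there it may be better to drop the duplicate than to require a key.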
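Review bot: When the new guard in `ama-logs-daemonset.yaml` is false the template silently omits `MSIAdapterYaml`. Judging from the copy of this container in `ama-logs-replicaset.yaml`, that snippet is what supplies the `addon-token-adapter` image, so the container would be emitted without one and fail at pod creation rather than at render time. The container definition starts outside this hunk, so this is inferred. As far as I know `toString` on a missing `MSIAdapterYaml` key also yields `<nil>` rather than an empty string, which lets the guard pass. Testing truthiness with `with` and failing loudly otherwise is clearer: `{{- with ((.Values.Azure).Identity).MSIAdapterYaml }}{{- . | nindent 7 }}{{- else }}{{- fail "Azure.Identity.MSIAdapterYaml is required for the Arc token adapter" }}{{- end }}`.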
@@ -0,0 +1,281 @@ +{{- $settings := include "arc-extension-settings" . | fromYaml }} +{{- if and $settings.isAKSAddon $settings.usingAADAuth $settings.multitenancyEnabled }} +# +# AKS-only: Multitenancy logs - HPA, Service, and Deployment +# +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: ama-logs-hpa + namespace: kube-system + labels: +{{- if $settings.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: ama-logs-multitenancy + minReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMinReplicas }} + maxReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMaxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgCPUUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization }} + behavior: + scaleDown: + stabilizationWindowSeconds: 1200 + policies: + - type: Percent + value: 5 + periodSeconds: 180 + scaleUp: + stabilizationWindowSeconds: 0 + policies: + - type: Pods + value: 5 + periodSeconds: 5 + - type: Percent + value: 100 + periodSeconds: 5 + selectPolicy: Max +--- +apiVersion: v1 +kind: Service +metadata: + name: ama-logs-service + namespace: kube-system + labels: +{{- if $settings.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + type: ClusterIP + ports: + - port: 24225 + targetPort: 24225 + protocol: TCP + name: fluentbit-fwd + selector: + rsName: "ama-logs-multitenancy" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ama-logs-multitenancy + namespace: kube-system + labels: + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: aks +{{- if 
$settings.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + replicas: 1 + selector: + matchLabels: + rsName: "ama-logs-multitenancy" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-multitenancy" + kubernetes.azure.com/managedby: aks + annotations: + agentVersion: "azure-mdsd-1.37.0" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ $settings.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" + spec: + priorityClassName: system-node-critical + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + volumes: + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true +{{- if (eq (include "should_mount_hostca" .) "true") }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate +{{- end }} + serviceAccountName: ama-logs + containers: + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name={{ $settings.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - name: ama-logs + image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}" + imagePullPolicy: {{ $settings.imagePullPolicy }} + resources: + limits: + cpu: {{ .Values.OmsAgent.omsAgentMultitenancyCPULimitLinux }} + memory: {{ .Values.OmsAgent.omsAgentMultitenancyMemoryLimitLinux }} + requests: + cpu: {{ .Values.OmsAgent.omsAgentMultitenancyCPURequestLinux }} + memory: {{ .Values.OmsAgent.omsAgentMultitenancyMemoryRequestLinux }} + env: + - name: AZMON_MULTI_TENANCY_LOG_COLLECTION + value: "true" + - name: AZMON_MULTI_TENANCY_LOGS_SERVICE_MODE + value: "true" + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: AKS_CLUSTER_NAME + value: {{ $settings.clusterName | quote }} + - name: AKS_RESOURCE_ID + value: {{ $settings.resourceId | quote }} + - name: AKS_NODE_RESOURCE_GROUP + value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }} + - name: AKS_REGION + value: {{ $settings.region | quote }} + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: USING_AAD_MSI_AUTH + value: "true" + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ $settings.appMonitoringEnabled }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: {{ $settings.cloudEnvironment | quote }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - name: http + 
containerPort: 24225 + protocol: TCP + volumeMounts: + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true +{{- if (eq (include "should_mount_hostca" .) "true") }} + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true +{{- end }} +{{- if $settings.isProxyEnabled }} +{{- if $settings.proxyCert }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true +{{- end }} +{{- end }} + lifecycle: + preStop: + exec: + command: ["sh", "-c", "sleep 5"] + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + readinessProbe: + tcpSocket: + port: 24225 + initialDelaySeconds: 10 + periodSeconds: 30 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system +{{- end }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml index 2a2cbd263..a5e913d3e 100644 --- a/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml 
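Review bot: The `ama-logs` container in `ama-logs-multitenancy.yaml` sets `privileged: true` next to `capabilities: drop: [ALL]`, and a privileged container receives every capability and host device access regardless of the drop list, so the capability block has no effect. This Deployment mounts only a secret, a config map and CA anchors, and it listens on 24225 behind `ama-logs-service`, which other pods can reach unless a NetworkPolicy outside this patch restricts it. Nothing visible here needs host privileges. Unless the agent image requires it, set `privileged: false` and `allowPrivilegeEscalation: false`, or add a comment stating why privilege is needed. The same combination is on the `ama-logs` container in `ama-logs-replicaset.yaml`, whose `msi-adapter` container is privileged as well.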
@@ -1,4 +1,8 @@ {{- $settings := include "arc-extension-settings" . | fromYaml }} +{{- $rbacApiVersion := "rbac.authorization.k8s.io/v1" }} +{{- if not (semverCompare ">=1.16.0" .Capabilities.KubeVersion.Version) }} +{{- $rbacApiVersion = "rbac.authorization.k8s.io/v1beta1" }} +{{- end }} {{- if $settings.rbacEnabled }} # # RBAC Resources for ama-logs @@ -15,7 +19,7 @@ metadata: {{- end }} --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: {{ $rbacApiVersion }} metadata: name: ama-logs-reader labels: @@ -30,6 +34,11 @@ rules: - apiGroups: ["apps", "extensions", "autoscaling"] resources: ["replicasets", "deployments", "horizontalpodautoscalers"] verbs: ["list"] +{{- if $settings.isArcExtension }} +- apiGroups: ["clusterconfig.azure.com"] + resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"] + verbs: ["get", "create", "patch", "list", "update", "delete"] +{{- end }} {{- if $settings.rsvpaEnabled }} - apiGroups: ["apps"] resources: ["deployments"] @@ -42,11 +51,17 @@ rules: resourceNames: [{{ $settings.accessTokenSecretName | quote }}] verbs: ["get", "watch"] {{- end }} +{{- if and $settings.isArcExtension (empty $settings.arcExtensionName) }} +- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["container-insights-clusteridentityrequest-token"] + verbs: ["get"] +{{- end }} - nonResourceURLs: ["/metrics"] verbs: ["get"] --- kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: {{ $rbacApiVersion }} metadata: name: amalogsclusterrolebinding labels: diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml new file mode 100644 index 000000000..3da8b5608 --- /dev/null +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml 
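Review bot: The `semverCompare ">=1.16.0"` test added at the top of `ama-logs-rbac.yaml` is false for a version string with a pre-release style suffix, such as `v1.29.4-gke.1000` (constructed example), because the constraint does not admit pre-releases. Those clusters would be given `rbac.authorization.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, so the ClusterRole and ClusterRoleBinding in the later hunks would be rejected. Use `semverCompare ">=1.16.0-0"`, or drop the fallback, since `rbac.authorization.k8s.io/v1` has been served since 1.8. A one-line comment on which cluster versions the fallback is meant for would make the intent checkable.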
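Review bot: Both Arc-only rules are added to the cluster-scoped `ama-logs-reader` role. The `@@ -30,6 +34,11 @@` hunk lets the agent's service account create, update and delete `azureclusteridentityrequests` cluster-wide, and the `@@ -42,11 +51,17 @@` hunk lets it read a secret named `container-insights-clusteridentityrequest-token` in any namespace where one exists. The pod specs in this patch set `TOKEN_NAMESPACE` to `azure-arc`, which suggests a namespaced `Role` and `RoleBinding` there would be enough; that is an inference and needs confirming against the agent. The verb list should also be trimmed to what the agent calls, and a comment above each rule naming its consumer would record why it exists. The secret rule is gated on `empty $settings.arcExtensionName`, which reads as inverted at first sight, so a comment explaining that condition would help.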
@@ -0,0 +1,495 @@ +{{- $settings := include "arc-extension-settings" . | fromYaml }} +{{- if and (ne $settings.workspaceID "") (ne $settings.workspaceID "") (or $settings.isAKSAddon $settings.isArcExtension) }} +# +# Deployment ama-logs-rs - cluster-level component collection (ReplicaSet controller type) +# Renders for both AKS addon and Arc extension when workspace is configured. +# +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ama-logs-rs + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent + tier: node +{{- if $settings.legacyAddonDelivery }} + kubernetes.azure.com/managedby: aks + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + rsName: "ama-logs-rs" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-rs" +{{- if $settings.isAKSAddon }} + kubernetes.azure.com/managedby: aks +{{- end }} + annotations: + agentVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.agentVersion }}{{ else }}azure-mdsd-1.37.0{{ end }} + dockerProviderVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.dockerProviderVersion }}{{ else }}18.0.1-0{{ end }} + schema-versions: "v1" + WSID: {{ $settings.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if $settings.isArcExtension }} + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . 
| sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} +{{- end }} +{{- if $settings.isAKSAddon }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +{{- end }} + spec: +{{- if $settings.isAKSAddon }} + priorityClassName: system-node-critical + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" +{{- else }} +{{- if $settings.isArcExtension }} + {{- if .Values.amalogs.priority }} + priorityClassName: ama-logs + {{- end }} + {{- if $settings.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} + {{- if $settings.rbacEnabled }} + serviceAccountName: ama-logs + {{- end }} + containers: +{{- if $settings.isAKSAddon }} +{{- if $settings.rsvpaEnabled }} + - name: ama-logs-vpa + image: "{{ template "addon_mcr_repository_base" . 
}}/oss/v2/kubernetes/autoscaler/addon-resizer:{{ dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}" + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 5m + memory: 30Mi + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: ama-logs-rs-vpa-config-volume + mountPath: /etc/config + command: + - /pod_nanny + - --config-dir=/etc/config + - --cpu=200m + - --extra-cpu=2m + - --memory=300Mi + - --extra-memory=4Mi + - --poll-period=180000 + - --threshold=5 + - --namespace=kube-system + - --deployment=ama-logs-rs + - --container=ama-logs +{{- end }} +{{- end }} +{{- if and $settings.isArcExtension $settings.usingAADAuth }} + {{- if ne $settings.distribution "openshift" }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Identity") (ne (toString .Values.Azure.Identity.MSIAdapterYaml) "") }} +{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 10 }} +{{- end }} + {{- else }} + - name: msi-adapter + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" $settings.resourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ $settings.arcExtensionResourceId }} + - name: EXTENSION_NAME + value: {{ $settings.arcExtensionName }} + - name: MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + securityContext: + 
privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- else if and $settings.isAKSAddon $settings.usingAADAuth }} + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name={{ $settings.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} + - name: ama-logs + image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}" + imagePullPolicy: {{ $settings.imagePullPolicy }} + resources: +{{- if $settings.isArcExtension }} +{{ toYaml .Values.amalogs.resources.deployment | indent 10 }} +{{- else }} +{{- if not $settings.rsvpaEnabled }} + limits: + cpu: {{ .Values.OmsAgent.omsAgentRsCPULimit }} + memory: {{ .Values.OmsAgent.omsAgentRsMemoryLimit }} + requests: + cpu: 150m + memory: 250Mi +{{- end }} +{{- end }} + env: + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: AKS_RESOURCE_ID + value: {{ $settings.resourceId | quote }} + - name: AKS_REGION + 
value: {{ $settings.region | quote }} + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: NUM_OF_FLUENTD_WORKERS + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.cpu + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: {{ $settings.identityClientID | quote }} + - name: SIDECAR_SCRAPING_ENABLED + value: {{ $settings.sidecarScrapingEnabled | quote }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: {{ $settings.cloudEnvironment | quote }} +{{- if $settings.isAKSAddon }} + - name: AKS_CLUSTER_NAME + value: {{ $settings.clusterName | quote }} + - name: AKS_NODE_RESOURCE_GROUP + value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }} +{{- if $settings.rsvpaEnabled }} + - name: RS_ADDON-RESIZER_VPA_ENABLED + value: "true" +{{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ $settings.appMonitoringEnabled }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ $settings.prometheusScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ $settings.telegrafLivenessprobeEnabled }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ $settings.windowsFluentBitEnabled }}" +{{- else }} +{{- if not (empty $settings.arcExtensionName) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ $settings.arcExtensionName | quote }} +{{- end }} + - name: USING_AAD_MSI_AUTH + value: {{ $settings.usingAADAuth | quote }} + - name: ISTEST + value: {{ $settings.isTestMode | quote }} +{{- if $settings.isTestMode }} + - name: AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS + value: "true" +{{- end }} +{{- if $settings.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ $settings.isArcACluster | quote }} +{{- end }} +{{- if 
ne $settings.customMetricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ $settings.customMetricsEndpoint | quote }} +{{- end }} +{{- if ne $settings.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ $settings.tokenAudience | quote }} +{{- end }} + - name: IS_CUSTOM_CERT + value: {{ $settings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ $settings.customMetricsEnabled | quote }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ $settings.telegrafLivenessprobeEnabled | quote }} +{{- end }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP +{{- if $settings.isAKSAddon }} + - containerPort: 25227 + protocol: TCP + name: in-rs-tcp +{{- end }} + volumeMounts: + - mountPath: /var/log + name: host-log + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true +{{- if $settings.isAKSAddon }} + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true +{{- end }} + - mountPath: /etc/config + name: ama-logs-rs-config + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true +{{- if and $settings.isArcExtension $settings.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true +{{- end }} +{{- if and $settings.isProxyEnabled $settings.proxyCert }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true +{{- end }} +{{- if and $settings.isArcExtension .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + 
name: custom-mount-path +{{- end }} +{{- if $settings.mountMarinerCerts }} + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true +{{- end }} +{{- if $settings.mountUbuntuCerts }} + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true +{{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - "/opt/livenessprobe.sh" + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + affinity: +{{- if $settings.isArcExtension }} +{{- with .Values.amalogs.deployment.affinity }} + {{- toYaml . | nindent 8 }} +{{- end }} +{{- else }} + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system + - weight: 1 + preference: + matchExpressions: + - key: storageprofile + operator: NotIn + values: + - managed + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet +{{- end }} + volumes: + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-rs-config + configMap: + name: ama-logs-rs-config + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true +{{- if and $settings.isArcExtension $settings.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: 
+ - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +{{- end }} +{{- if and $settings.isArcExtension .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} +{{- end }} +{{- if $settings.mountMarinerCerts }} + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate +{{- end }} +{{- if $settings.mountUbuntuCerts }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate +{{- end }} +{{- if and $settings.isAKSAddon $settings.rsvpaEnabled }} + - name: ama-logs-rs-vpa-config-volume + configMap: + name: ama-logs-rs-vpa-config + optional: true +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml new file mode 100644 index 000000000..4acf68278 --- /dev/null +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml 
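Review bot: In `ama-logs-replicaset.yaml` the `ama-logs` container mounts `azure-json-path` (hostPath `/etc/kubernetes`) at `/etc/kubernetes/host` without `readOnly: true`, while the Windows DaemonSet in this patch mounts its `azure-json-path` read-only. The container is also privileged, so a writable mount of node configuration widens what a compromised agent could change on the host. Add `readOnly: true` under that mount, and under `host-log` too if the agent only reads `/var/log`. The `container-hostname` volume is declared but no container in this template mounts it, so it can be removed.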
@@ -0,0 +1,264 @@ +{{- $settings := include "arc-extension-settings" . | fromYaml }} +{{- if and (ne $settings.workspaceID "") (ne $settings.workspaceID "") (or $settings.isAKSAddon $settings.isArcExtension) }} +# +# ConfigMap for ReplicaSet (ama-logs-rs) - kube.conf Fluentd config +# +apiVersion: v1 +kind: ConfigMap +metadata: + name: ama-logs-rs-config + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if $settings.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +data: + kube.conf: | + # Fluentd config file for OMS Docker - cluster components (kubeAPI) +{{- if $settings.isAKSAddon }} + #fluent forward plugin (AKS - receive from DaemonSet) + + type forward + port "#{ENV['HEALTHMODEL_REPLICASET_SERVICE_SERVICE_PORT']}" + bind 0.0.0.0 + chunk_size_limit 4m + + +{{- end }} + #Kubernetes pod inventory + + type kubepodinventory + tag oms.containerinsights.KubePodInventory + run_interval 60 + log_level debug + + + #Kubernetes Persistent Volume inventory + + type kubepvinventory + tag oms.containerinsights.KubePVInventory + run_interval 60 + log_level debug + + + #Kubernetes events + + type kubeevents + tag oms.containerinsights.KubeEvents + run_interval 60 + log_level debug + + + #Kubernetes Nodes + + type kubenodeinventory + tag oms.containerinsights.KubeNodeInventory + run_interval 60 + log_level debug + + + #cadvisor perf- Windows nodes + + type wincadvisorperf + tag oms.api.wincadvisorperf + run_interval 60 + log_level debug + + + #Kubernetes object state - deployments + + type kubestatedeployments + tag oms.containerinsights.KubeStateDeployments + run_interval 60 + log_level debug + + + #Kubernetes object state - HPA + + type kubestatehpa + tag oms.containerinsights.KubeStateHpa + run_interval 60 + log_level debug + + + type filter_inventory2mdm + log_level info + + + # 
custom_metrics_mdm filter plugin for perf data from windows nodes + + type filter_cadvisor2mdm + metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes + log_level info + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 3 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer + buffer_queue_limit 20 + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + 
buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 30s + max_retry_wait 9m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + +{{- end }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml index 95eedfa9c..14c853f4c 100644 --- a/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml +++ b/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml 
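Review bot: The guard on the second line of this template tests `(ne $settings.workspaceID "")` twice, so the second operand adds nothing. If it was meant to cover both values the Secret carries, it should probably read `(ne $settings.workspaceKey "")`. Separately, the AKS-only forward input uses `bind 0.0.0.0`, and no authentication or TLS settings are visible in this rendering of kube.conf (the directive tags appear to have been stripped), so it is worth confirming that a network policy limits which pods can reach that port. Every input and output block is also set to `log_level debug`, which is noisy for a shipped default; `log_level info` would match the two filter blocks.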
@@ -15,9 +15,9 @@ metadata: {{- end }} type: Opaque data: - WSID: {{ $settings.workspaceID | b64enc | quote }} - KEY: {{ $settings.workspaceKey | b64enc | quote }} - DOMAIN: {{ $settings.domain | b64enc | quote }} + WSID: {{ $settings.workspaceID | toString | b64enc | quote }} + KEY: {{ $settings.workspaceKey | toString | b64enc | quote }} + DOMAIN: {{ $settings.domain | toString | b64enc | quote }} {{- if $settings.isProxyEnabled }} {{- if $settings.httpsProxy }} PROXY: {{ $settings.httpsProxy | b64enc | quote }} @@ -26,5 +26,5 @@ data: {{- end }} {{- end }} {{- if and $settings.isProxyEnabled $settings.proxyCert }} - PROXYCERT.crt: {{ $settings.proxyCert | quote }} + PROXYCERT.crt: {{ $settings.proxyCert | b64enc | quote }} {{- end }} \ No newline at end of file diff --git a/charts/azuremonitor-containers-merged/values.yaml b/charts/azuremonitor-containers-merged/values.yaml index 7e363ae03..bb12bda3c 100644 --- a/charts/azuremonitor-containers-merged/values.yaml +++ b/charts/azuremonitor-containers-merged/values.yaml @@ -90,7 +90,7 @@ amalogs: tailbufmaxsizemegabytes: "1" custommountpath: "" - # Tolerations + # Tolerations (aligned with Arc source for control-plane and master) tolerations: - key: "node-role.kubernetes.io/control-plane" operator: "Exists" @@ -98,9 +98,18 @@ amalogs: - key: "node-role.kubernetes.io/control-plane" operator: "Exists" effect: "NoExecute" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "PreferNoSchedule" - key: "node-role.kubernetes.io/master" operator: "Exists" effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoExecute" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "PreferNoSchedule" tolerationsUnrestricted: - operator: "Exists" 
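Review bot: Piping through `toString` on the WSID, KEY and DOMAIN lines turns an unset value into the literal text `<nil>`, which is then base64-encoded into the Secret instead of failing the render. If the guard above this hunk (not visible here) does not already rule out missing values, `required` keeps the failure loud, for example `KEY: {{ required "workspaceKey is required" $settings.workspaceKey | toString | b64enc | quote }}`. The `PROXY` line in the same hunk still uses plain `b64enc`, so the coercion is applied inconsistently.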
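Review bot: Adding `b64enc` to `PROXYCERT.crt` changes what callers must pass. The old line wrote the value straight into `data:`, which only works when `proxyCert` is already base64, so a caller still supplying an encoded certificate will now get it double-encoded. Whether `arc-extension-settings` decodes or normalises the value is not visible from this hunk, so the expected input form should be settled in one place. A comment above the line such as `# proxyCert is expected as raw PEM and is base64-encoded here` would record the contract.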
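Review bot: After this hunk the list carries three entries per key that differ only in `effect`. A toleration with `operator: "Exists"` and no `effect` matches every effect for that key, so each group could be written once as `- key: "node-role.kubernetes.io/master"` followed by `operator: "Exists"`. If the explicit form is kept to stay aligned with the Arc source, the comment on the `# Tolerations` line could say that the repetition is deliberate. The tolerations list starts above this hunk.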
@@ -129,6 +138,14 @@ amalogs: deployment: affinity: nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: storageprofile + operator: NotIn + values: + - managed requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: @@ -140,6 +157,10 @@ amalogs: operator: NotIn values: - virtual-kubelet + - key: kubernetes.io/role + operator: NotIn + values: + - master # Resources resources: From 84c29d9839ac79d28a73b45107a9f955b7c3f757 Mon Sep 17 00:00:00 2001 From: longwan Date: Mon, 23 Feb 2026 02:11:33 +0000 Subject: [PATCH 25/47] update remove legacy --- .../Chart.yaml | 4 - .../templates/_aks_addon-images.tpl | 377 ---- .../templates/_aks_common.tpl | 153 -- .../templates/_aks_helpers.tpl | 303 --- .../templates/_aks_images.tpl | 655 ------ .../templates/ama-logs.yaml | 1916 ----------------- .../values.yaml | 201 -- 7 files changed, 3609 deletions(-) delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/Chart.yaml delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_addon-images.tpl delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_common.tpl delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_helpers.tpl delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_images.tpl delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml delete mode 100644 charts/azuremonitor-containerinsights-for-prod-clusters/values.yaml diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/Chart.yaml b/charts/azuremonitor-containerinsights-for-prod-clusters/Chart.yaml deleted file mode 100644 index cc83a72cd..000000000 --- a/charts/azuremonitor-containerinsights-for-prod-clusters/Chart.yaml +++ /dev/null 
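Review bot: The added `kubernetes.io/role` expression with `operator: NotIn` excludes only nodes that actually carry that label with the value `master`. `NotIn` also matches nodes where the key is absent, so on clusters that mark control-plane nodes only with `node-role.kubernetes.io/control-plane` or `node-role.kubernetes.io/master` it filters nothing. If the intent is to keep the deployment off control-plane nodes, adding `- key: node-role.kubernetes.io/control-plane` with `operator: DoesNotExist` alongside it would cover those clusters. The `matchExpressions` list begins above this hunk.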
@@ -1,4 +0,0 @@ -apiVersion: v2 -description: azure-monitor-containers helm chart -name: azuremonitor-containers -version: 3.2.1-dev-test diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_addon-images.tpl b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_addon-images.tpl deleted file mode 100644 index 623f2472d..000000000 --- a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_addon-images.tpl +++ /dev/null 
@@ -1,377 +0,0 @@ -{{/* Auto-generated by versioning tooling, do not edit. See /toolkit/versioning/README.md for more information. */}} -{{- define "get.addonImageTag" -}} - {{- if eq .component "aci-connector-linux" -}} - {{- if semverCompare ">=1.26.0" .version -}}1.6.2 - {{- else if semverCompare ">=1.25.0" .version -}}1.6.1 - {{- else if semverCompare ">=1.24.0" .version -}}1.6.0 - {{- else -}}1.4.16 - {{- end -}} - {{- else if eq .component "addon-resizer" -}} -v1.8.23-4 - {{- else if eq .component "ai-toolchain-operator" -}} -0.6.0 - {{- else if eq .component "aks-windows-gpu-device-plugin" -}} -0.0.19 - {{- else if eq .component "ama-logs-linux" -}} -3.1.28 - {{- else if eq .component "ama-logs-win" -}} -win-3.1.28 - {{- else if eq .component "app-routing-operator" -}} -0.0.3 - {{- else if eq .component "azure-monitor-metrics-cfg-reader" -}} -6.21.1-main-08-15-2025-f5f679d6-cfg - {{- else if eq .component "azure-monitor-metrics-ksm" -}} -v2.15.0-4 - {{- else if eq .component "azure-monitor-metrics-linux" -}} -6.21.1-main-08-15-2025-f5f679d6 - {{- else if eq .component "azure-monitor-metrics-target-allocator" -}} -6.21.1-main-08-15-2025-f5f679d6-targetallocator - {{- else if eq .component "azure-monitor-metrics-windows" -}} -6.21.1-main-08-15-2025-f5f679d6-win - {{- else if eq .component "azure-npm-image" -}} -v1.6.33 - {{- else if eq .component "azure-npm-image-windows" -}} -v1.5.5 - {{- else if eq .component "azure-policy" -}} - {{- if semverCompare ">=1.27.0" .version -}}1.13.0 - {{- else if semverCompare ">=1.25.0" .version -}}1.4.0 - {{- else if semverCompare ">=1.24.0" .version -}}1.0.1 - {{- else if semverCompare ">=1.21.0" .version -}}0.0.3 - {{- else -}}0.0.1 - {{- end -}} - {{- else if eq .component "azure-policy-webhook" -}} - {{- if semverCompare ">=1.27.0" .version -}}1.13.0 - {{- else if semverCompare ">=1.25.0" .version -}}1.4.0 - {{- else if semverCompare ">=1.24.0" .version -}}1.0.1 - {{- else if semverCompare ">=1.21.0" .version -}}0.0.3 - 
{{- else if semverCompare ">=1.18.0" .version -}}0.0.2 - {{- else -}}0.0.1 - {{- end -}} - {{- else if eq .component "certgen" -}} -v0.1.9 - {{- else if eq .component "cilium-agent" -}} - {{- if semverCompare ">=1.29.0" .version -}}1.14.10-1 - {{- else if semverCompare ">=1.27.0" .version -}}1.13.13-3 - {{- else -}}1.12.10-5 - {{- end -}} - {{- else if eq .component "cilium-envoy" -}} -v1.31.5-250218 - {{- else if eq .component "cilium-operator-generic" -}} - {{- if semverCompare ">=1.29.0" .version -}}1.14.10 - {{- else if semverCompare ">=1.27.0" .version -}}1.13.13 - {{- else -}}1.12.10 - {{- end -}} - {{- else if eq .component "cloud-provider-node-manager-linux" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.0 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.6 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 - {{- else if semverCompare ">=1.28.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 - {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.21 - {{- else if semverCompare ">=1.23.0" .version -}}v1.23.24 - {{- else if semverCompare ">=1.22.0" .version -}}v1.1.14 - {{- else if semverCompare ">=1.21.0" .version -}}v1.0.18 - {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 - {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 - {{- else -}}v0.5.1.4 - {{- end -}} - {{- else if eq .component "cloud-provider-node-manager-windows" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.0 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.6 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 - {{- else if semverCompare 
">=1.28.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 - {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.21 - {{- else if semverCompare ">=1.23.0" .version -}}v1.23.24 - {{- else if semverCompare ">=1.22.0" .version -}}v1.1.14 - {{- else if semverCompare ">=1.21.0" .version -}}v1.0.18 - {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 - {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 - {{- else -}}v0.5.1 - {{- end -}} - {{- else if eq .component "cluster-proportional-autoscaler" -}} - {{- if semverCompare ">=1.32.0" .version -}}v1.9.0-2 - {{- else if semverCompare ">=1.27.0" .version -}}v1.8.11-5 - {{- else if semverCompare ">=1.22.0" .version -}}v1.8.8 - {{- else if semverCompare ">=1.18.0" .version -}}1.8.3 - {{- else -}}1.7.1-hotfix.20200403 - {{- end -}} - {{- else if eq .component "container-networking-cilium-agent" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 - {{- else if semverCompare ">=1.29.0" .version -}}v1.14.19-250129 - {{- else if semverCompare ">=1.27.0" .version -}}v1.13.18-241024 - {{- else -}}v1.14.19-250129 - {{- end -}} - {{- else if eq .component "container-networking-cilium-operator-generic" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 - {{- else if semverCompare ">=1.29.0" .version -}}v1.14.19-250129 - {{- else if semverCompare ">=1.27.0" .version -}}v1.13.18-241024 - {{- else -}}v1.14.19-250129 - {{- end -}} - {{- else if eq .component "coredns" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.12.1-2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.11.3-8 - {{- else if semverCompare ">=1.24.0" .version -}}v1.9.4-6 - {{- else if semverCompare ">=1.20.0" .version -}}v1.8.7 - {{- else -}}1.6.6 - {{- end -}} - {{- else if eq .component "cost-analysis-agent" -}} -v0.0.24 - {{- else if eq .component 
"cost-analysis-opencost" -}} -v1.111.0 - {{- else if eq .component "cost-analysis-prometheus" -}} -v2.54.1 - {{- else if eq .component "cost-analysis-victoria-metrics" -}} -v1.103.0 - {{- else if eq .component "extension-config-agent" -}} -1.28.0 - {{- else if eq .component "extension-manager" -}} -1.28.0 - {{- else if eq .component "fqdn-policy" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.16.6-250129 - {{- else -}}v1.14.19-250129 - {{- end -}} - {{- else if eq .component "gpu-provisioner" -}} -0.3.5 - {{- else if eq .component "health-probe-proxy" -}} -v1.29.1 - {{- else if eq .component "hubble-relay" -}} -v1.15.0 - {{- else if eq .component "identity-binding-workload-identity-webhook" -}} -v1.6.0-alpha.1 - {{- else if eq .component "image-cleaner" -}} -v1.4.0-4 - {{- else if eq .component "ingress-appgw" -}} - {{- if semverCompare ">=1.27.0" .version -}}1.8.1 - {{- else if semverCompare ">=1.19.0" .version -}}1.5.3 - {{- else -}}1.4.0 - {{- end -}} - {{- else if eq .component "ip-masq-agent-v2" -}} -v0.1.15-2 - {{- else if eq .component "ipv6-hp-bpf" -}} - {{- if semverCompare ">=1.29.0" .version -}}v0.0.1 - {{- else -}}v0.0.1 - {{- end -}} - {{- else if eq .component "keda" -}} - {{- if semverCompare ">=1.33.0" .version -}}2.17.1 - {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 - {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 - {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 - {{- else if semverCompare ">=1.26.0" .version -}}2.10.1 - {{- else if semverCompare ">=1.23.0" .version -}}2.9.3 - {{- else -}}2.8.1 - {{- end -}} - {{- else if eq .component "keda-admission-webhooks" -}} - {{- if semverCompare ">=1.33.0" .version -}}2.17.1 - {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 - {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 - {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 - {{- else -}}2.10.1 - {{- end -}} - {{- else if eq .component "keda-metrics-apiserver" -}} - {{- if semverCompare ">=1.33.0" 
.version -}}2.17.1 - {{- else if semverCompare ">=1.32.0" .version -}}v2.16.1 - {{- else if semverCompare ">=1.30.0" .version -}}2.14.1 - {{- else if semverCompare ">=1.27.0" .version -}}2.11.2 - {{- else if semverCompare ">=1.26.0" .version -}}2.10.1 - {{- else if semverCompare ">=1.23.0" .version -}}2.9.3 - {{- else -}}2.8.1 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-cni" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-cni-ipam" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-cnimanager" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-daemon" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "kube-egress-gateway-daemon-init" -}} - {{- if semverCompare ">=1.34.0" .version -}}v0.1.1 - {{- else -}}v0.0.21 - {{- end -}} - {{- else if eq .component "local-csi-driver" -}} -v0.2.4 - {{- else if eq .component "local-csi-driver-csi-provisioner" -}} -v5.2.0 - {{- else if eq .component "local-csi-driver-csi-resizer" -}} -v1.13.2 - {{- else if eq .component "local-csi-driver-registrar" -}} -v2.13.0 - {{- else if eq .component "metrics-server" -}} - {{- if semverCompare ">=1.32.0" .version -}}v0.7.2-7 - {{- else if semverCompare ">=1.24.0" .version -}}v0.6.3-6 - {{- else if semverCompare ">=1.22.0" .version -}}v0.5.2 - {{- else if semverCompare ">=1.21.0" .version -}}v0.4.5 - {{- else if semverCompare ">=1.8.0" .version -}}v0.3.6 - {{- else -}}v0.2.1 - {{- end -}} - {{- else if eq .component "microsoft-defender-admission-controller" -}} -20250706.3 - {{- else if eq .component "microsoft-defender-low-level-collector" -}} - {{- if semverCompare ">=1.25.0" .version -}}2.0.221 - {{- else -}}1.3.81 - {{- end -}} - 
{{- else if eq .component "microsoft-defender-low-level-init" -}} -1.3.81 - {{- else if eq .component "microsoft-defender-old-file-cleaner" -}} -1.0.273 - {{- else if eq .component "microsoft-defender-pod-collector" -}} -1.0.202 - {{- else if eq .component "microsoft-defender-security-publisher" -}} -1.0.273 - {{- else if eq .component "open-policy-agent-gatekeeper" -}} - {{- if semverCompare ">=1.27.0" .version -}}v3.20.0-1 - {{- else if semverCompare ">=1.25.0" .version -}}v3.14.2 - {{- else if semverCompare ">=1.24.0" .version -}}v3.11.1 - {{- else if semverCompare ">=1.21.0" .version -}}v3.8.1 - {{- else if semverCompare ">=1.18.0" .version -}}v3.7.1 - {{- else -}}v3.4.1 - {{- end -}} - {{- else if eq .component "osm-bootstrap" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-controller" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-crds" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-healthcheck" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.1.0 - {{- end -}} - {{- else if eq .component "osm-init" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-injector" -}} - {{- if semverCompare ">=1.24.0" .version -}}v1.2.9 - {{- else if semverCompare ">=1.23.5" .version -}}v1.1.3 - {{- else -}}v1.0.0 - {{- end -}} - {{- else if eq .component "osm-sidecar" -}} - {{- if semverCompare ">=1.25.0" .version -}}v1.32.2-hotfix.20241216 - {{- else if semverCompare 
">=1.24.0" .version -}}v1.25.9-hotfix.20231002 - {{- else -}}v1.19.1 - {{- end -}} - {{- else if eq .component "overlay-vpa" -}} - {{- if semverCompare ">=1.31.0" .version -}}v1.2.1-1 - {{- else if semverCompare ">=1.27.0" .version -}}v1.0.0-1 - {{- else if semverCompare ">=1.25.0" .version -}}0.13.0 - {{- else -}}0.11.0 - {{- end -}} - {{- else if eq .component "overlay-vpa-webhook-generation" -}} -master.250827.1 - {{- else if eq .component "ratify-base" -}} -v1.2.3 - {{- else if eq .component "retina-agent" -}} -v1.0.0-rc2 - {{- else if eq .component "retina-agent-enterprise" -}} -v0.1.11 - {{- else if eq .component "retina-agent-win" -}} -v1.0.0-rc2 - {{- else if eq .component "retina-operator" -}} -v0.1.11 - {{- else if eq .component "secrets-store-csi-driver" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.5.3 - {{- else if semverCompare ">=1.24.0" .version -}}v1.3.4-1 - {{- else -}}v1.3.0.3 - {{- end -}} - {{- else if eq .component "secrets-store-csi-driver-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.5.3 - {{- else if semverCompare ">=1.24.0" .version -}}v1.3.4 - {{- else -}}v1.3.0 - {{- end -}} - {{- else if eq .component "secrets-store-driver-registrar-linux" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.13.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 - {{- else -}}v2.6.2 - {{- end -}} - {{- else if eq .component "secrets-store-driver-registrar-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.13.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 - {{- else -}}v2.6.2 - {{- end -}} - {{- else if eq .component "secrets-store-livenessprobe-linux" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.15.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 - {{- else -}}v2.8.0 - {{- end -}} - {{- else if eq .component "secrets-store-livenessprobe-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v2.15.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 - {{- else 
-}}v2.8.0 - {{- end -}} - {{- else if eq .component "secrets-store-provider-azure" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.7.0 - {{- else if semverCompare ">=1.24.0" .version -}}v1.4.1 - {{- else -}}v1.4.0 - {{- end -}} - {{- else if eq .component "secrets-store-provider-azure-windows" -}} - {{- if semverCompare ">=1.26.0" .version -}}v1.7.0 - {{- else if semverCompare ">=1.24.0" .version -}}v1.4.1 - {{- else -}}v1.4.0 - {{- end -}} - {{- else if eq .component "sgx-attestation" -}} -3.3.1 - {{- else if eq .component "sgx-plugin" -}} -1.0.0 - {{- else if eq .component "sgx-webhook" -}} -1.2.2 - {{- else if eq .component "tigera-operator" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.38.3 - {{- else if semverCompare ">=1.32.0" .version -}}v1.36.11 - {{- else if semverCompare ">=1.30.0" .version -}}v1.34.13 - {{- else if semverCompare ">=1.29.0" .version -}}v1.30.11 - {{- else if semverCompare ">=1.24.0" .version -}}v1.28.13 - {{- else -}}v1.23.8 - {{- end -}} - {{- else if eq .component "windows-gmsa-webhook-image" -}} -v0.12.1-2 - {{- else if eq .component "workload-identity-webhook" -}} -v1.5.1 - {{- end -}} -{{- end -}} - -{{/* Auto-generated by servicemesh tooling, do not edit. See /toolkit/servicemesh/README.md for more information. 
*/}} -{{- define "get.istioImageTag" -}} - {{- if eq .component "azure-service-mesh-istio" -}} - {{- if eq "asm-1-27" .revision -}}1.27.0-1 - {{- else if eq "asm-1-26" .revision -}}1.26.3-2 - {{- else if eq "asm-1-25" .revision -}}1.25.3-4 - {{- else if eq "asm-1-24" .revision -}}1.24.6 - {{- else if eq "asm-1-23" .revision -}}1.23.6-hotfix.20250515 - {{- else if eq "asm-1-22" .revision -}}1.22.7 - {{- else if eq "asm-1-21" .revision -}}1.21.6 - {{- else if eq "asm-1-20" .revision -}}1.20.8 - {{- else if eq "asm-1-19" .revision -}}1.19.10-hotfix.20240528 - {{- else if eq "asm-1-18" .revision -}}1.18.7-hotfix.20240210 - {{- else if eq "asm-1-17" .revision -}}1.17.8 - {{- else -}}not-in-use-9.99.9 - {{- end -}} - {{- end -}} -{{- end -}} diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_common.tpl b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_common.tpl deleted file mode 100644 index 29c0c4610..000000000 --- a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_common.tpl +++ /dev/null 
@@ -1,153 +0,0 @@ -{{/* MCR repository template for adapter charts */}} -{{- define "mcr_repository_base_adapter_chart" }} -{{- $cloud_environment := ((index .Values.v1 "commonGlobals").CloudEnvironment | default "AZUREPUBLICCLOUD") }} -{{- if (eq $cloud_environment "AZURECHINACLOUD") }} -{{- "mcr.azk8s.cn" }} -{{- else if (eq $cloud_environment "USNat") }} -{{- "mcr.microsoft.eaglex.ic.gov" }} -{{- else if (eq $cloud_environment "USSec") }} -{{- "mcr.microsoft.scloud" }} -{{- else }} -{{- "mcr.microsoft.com" }} -{{- end }} -{{- end }} - -{{/* MCR repository template for addon charts */}} -{{- define "mcr_repository_base" }} -{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }} -{{- if (eq $cloud_environment "AZURECHINACLOUD") }} -{{- "mcr.azk8s.cn" }} -{{- else if (eq $cloud_environment "USNat") }} -{{- "mcr.microsoft.eaglex.ic.gov" }} -{{- else if (eq $cloud_environment "USSec") }} -{{- "mcr.microsoft.scloud" }} -{{- else }} -{{- "mcr.microsoft.com" }} -{{- end }} -{{- end }} - -{{- define "addon_mcr_repository_base" }} -{{- template "mcr_repository_base" . }} -{{- end }} - -{{/* ccp_image_repository_base_by_component returns the image repository to use for a ccp component. - Caller should provide the "component" (the ccp component name), "version" (the ccp k8s version) and "Values" (the helm values object) parameters: - - {{- with $image_settings := (dict "component" "kube-apiserver" "version" .Values.global.commonGlobals.Versions.Kubernetes "Values" .Values) }} - {{ include "ccp_image_repository_base_by_component" $image_settings }} - {{- end }} - - The component name and k8s version will be concatenated as "-" to look up the override in the toggle. - - When the `use-internal-container-image-override-component` toggle is enabled for the specified component and k8s version, a cloud based - private repository will be used, otherwise, the value will fallback to `mcr_repoistory_base`. 
- Components that expect to be included in the embargo process should use this ACR repository. */}} -{{- define "ccp_image_repository_base_by_component" }} - {{- $key := (print .component "-" .version) }} - {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }} - {{- template "ccp_image_repository_base" . }} - {{- else }} - {{- template "mcr_repository_base" . }} - {{- end }} -{{- end }} - -{{/* ccp_image_repository_base returns the ACR repository for embargoed CVE images. - This template is intended to be called by ccp_image_repository_base_by_component and acr pull template only. - Caller should use ccp_image_repository_base_by_component for component based value. */}} -{{- define "ccp_image_repository_base" }} - {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | upper | default "AZUREPUBLICCLOUD") }} - {{- if (or (eq $cloud_environment "AZUREUSGOVCLOUD") (eq $cloud_environment "AZUREUSGOVERNMENTCLOUD")) }} - {{- "acsdeployment.azurecr.us"}} - {{- else if (eq $cloud_environment "AZURECHINACLOUD") }} - {{- "acsdeployment.azurecr.cn" }} - {{- else if (eq $cloud_environment "USNAT") }} - {{- "acsdeployment.azurecr.eaglex.ic.gov" }} - {{- else if (eq $cloud_environment "USSEC") }} - {{- "acsdeployment.azurecr.microsoft.scloud" }} - {{- else }} - {{- "acsproddeployment.azurecr.io" }} - {{- end }} -{{- end }} - -{{/* ccp_get_imagetag_by_component returns the image tag to use for a ccp component. 
- Caller should provide the "component" (the ccp component name), "version" (the ccp k8s version) and "Values" (the helm values object) parameters: - - {{- with $image_settings := (dict "component" "kube-apiserver" "version" .Values.global.commonGlobals.Versions.Kubernetes "Values" .Values) }} - {{ include "ccp_get_imagetag_by_component" $image_settings }} - {{- end }} - - When the `use-internal-container-image-override-component` toggle is enabled for the specified component and k8s version, - the override tag will be used, otherwise, the value will fallback to `get.imagetag`. - - See also: ccp_image_repository_base_by_component */}} -{{- define "ccp_get_imagetag_by_component" }} - {{- $key := (print .component "-" .version) }} - {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }} - {{- (index .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }} - {{- else }} - {{- template "get.imagetag" . }} - {{- end }} -{{- end }} - -{{/* ccp_get_ccpImageTag_by_component uses "get.ccpImageTag" as fallback. - - See also: ccp_get_imagetag_by_component */}} -{{- define "ccp_get_ccpImageTag_by_component" }} - {{- $key := (print .component "-" .version) }} - {{- if (hasKey .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }} - {{- (index .Values.global.commonGlobals.InternalContainerRegistry.enabledComponentOverrides $key) }} - {{- else }} - {{- template "get.ccpImageTag" . 
}} - {{- end }} -{{- end }} - -{{/* nodeaffinity on nodepool */}} -{{- define "nodepool_affinity" -}} -{{- if .Values.global.commonGlobals.requireDedicatedNodepool -}} -preferredDuringSchedulingIgnoredDuringExecution: -- weight: 100 - preference: - matchExpressions: - - key: agentpool - operator: In - values: - - cx-{{ .Values.global.CCPID }} -{{- else -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: agentpool - operator: In - values: - - agentpool1 -{{- end -}} -{{- end -}} - -{{- define "addon_nodepool_mode_affinity_hard" -}} -{{- if .Values.global.commonGlobals.addonRequireSystemPool }} -- key: kubernetes.azure.com/mode - operator: In - values: - - system -{{- end -}} -{{- end -}} - -{{- define "addon_nodepool_mode_affinity_soft" -}} -{{- if not .Values.global.commonGlobals.addonRequireSystemPool }} -- weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system -{{- end -}} -{{- end -}} - -{{/* tolerations on nodepool */}} -{{- define "nodepool_toleration" -}} -- key: "agentpool" - operator: "Equal" - value: "cx-{{ .Values.global.CCPID }}" - effect: "NoExecute" -{{- end }} diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_helpers.tpl b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_helpers.tpl deleted file mode 100644 index f14bd9147..000000000 --- a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_helpers.tpl +++ /dev/null 
@@ -1,303 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Values.global.commonGlobals.CCPID $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Both formats are needed because the template is used by other adapter charts */}} -{{- define "enableKonnectivity" -}} -{{- $commonGlobals := "" }} -{{- if .Values.v1 }} -{{- $commonGlobals = (index .Values.v1 "commonGlobals") }} -{{- else }} -{{- $commonGlobals = .Values.global.commonGlobals }} -{{- end -}} -{{- if $commonGlobals.Konnectivity -}} -{{- if kindIs "invalid" $commonGlobals.Konnectivity.Enabled -}} -true -{{- else if $commonGlobals.Konnectivity.Enabled -}} -true -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* apiserver endpoint */}} -{{- define "apiserver_endpoint" }} -{{- if .Values.global.commonGlobals.PrivateConnect.enabled }} -{{- .Values.global.commonGlobals.PrivateConnect.privateIP }} -{{- else }} -{{- .Values.global.commonGlobals.endpointFQDN }} -{{- end }} -{{- end }} - -{{- define "enableApiserverProxyForKms" -}} -{{- if and .Values.global.commonGlobals.PrivateConnect.enabled (ne .Values.global.AzureKeyVaultKms.keyVaultNetworkAccess "Private") -}} -true -{{- else if not (or .Values.global.commonGlobals.TunnelOpenVPN.Enabled (include "enableKonnectivityWithEgressSelector" .)) -}} -true -{{- end -}} -{{- end -}} - -{{- define "enableAzureKmsProviderProxy" -}} -{{- if and .Values.global.AzureKeyVaultKms.enabled (include "enableKonnectivityWithEgressSelector" .) 
-}} -{{- if eq .Values.global.AzureKeyVaultKms.keyVaultNetworkAccess "Private" -}} -true -{{- else if .Values.global.AzureKeyVaultKms.previousKey -}} -{{- if eq .Values.global.AzureKeyVaultKms.previousKey.keyVaultNetworkAccess "Private" -}} -true -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "enableKonnectivityProxyPodAndSvcCIDROnly" -}} -{{- if (include "enableKonnectivity" .) -}} -{{- if .Values.global.commonGlobals.Konnectivity.ProxyPodAndSvcCIDROnly -}} -true -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "enableKonnectivityWithEgressSelector" -}} -{{- if (include "enableKonnectivity" .) -}} -{{- if not .Values.global.commonGlobals.Konnectivity.ProxyPodAndSvcCIDROnly -}} -true -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "enableKonnectivityServerPreStop" -}} -{{- if (include "enableKonnectivity" .) -}} -{{- if .Values.global.commonGlobals.Konnectivity.enableKonnectivityServerPreStop -}} -{{- if semverCompare ">=1.28.0" .Values.global.commonGlobals.Versions.Kubernetes -}} -true -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "enableKonnectivityServerSeparateCert" -}} - {{- if (include "enableKonnectivity" .) -}} - {{- if .Values.global.commonGlobals.Konnectivity.EnableSeparateServerCert -}} - {{- if semverCompare (printf ">=%s" .Values.global.commonGlobals.Konnectivity.EnableSeparateServerCertFromK8sVersion) .Values.global.commonGlobals.Versions.Kubernetes -}} - true - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "loggingResourceId" -}} -{{- if .Values.global.commonGlobals.FleetHubProfile.isHubCluster }} -{{- .Values.global.commonGlobals.FleetHubProfile.fleetResourceID }} -{{- else }} -{{- .Values.global.commonGlobals.Customer.AzureResourceID }} -{{- end }} -{{- end }} - -{{/* -Get the value of override update mode annotation, -default is "disabled" and only support "enabled" and "disabled" currently. 
-Return none and fall back to "disabled" if the value is not supported or current VPA is not existed. -*/}} -{{- define "getOverrideUpdateModeAnnotation" -}} -{{- if .current }} - {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-update-mode") "enabled" }} - {{- "enabled" }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Try to get the override updateMode value if the override update mode annotation is enabled, -and the current VPA cr is existed. If not, return none and use the default updateMode "Initial" -*/}} -{{- define "getUpdateMode" -}} -{{- if .current }} - {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-update-mode") "enabled" }} - {{- dict "current" .current | include "getOverrideUpdateMode" }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Get the value of override VPA update mode, user can override the updateMode in VPA cr -when the override update mode annotation is enabled, return none and use the default -updateMode value if the user input is invalid or any property is not existed -*/}} -{{- define "getOverrideUpdateMode" -}} -{{- /* -Use parentheses () to check the nested values existed due to the limitation of Helm -https://github.com/helm/helm/issues/8026 -*/}} -{{- if ((((.current).spec).updatePolicy).updateMode) }} - {{- if (dict "updateMode" .current.spec.updatePolicy.updateMode | include "isValidUpdateMode" ) }} - {{- .current.spec.updatePolicy.updateMode | quote }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Check if the update mode is valid, -only support "Off", "Initial" and "Auto" update mode currently -*/}} -{{- define "isValidUpdateMode" -}} -{{- if not (has .updateMode (list "Recreate")) }} -true -{{- end }} -{{- end -}} - -{{/* -Get the value of override min/max annotation, -default is "disabled" and only support "enabled" and "disabled" currently. -Return none and fall back to "disabled" if the value is not supported. 
-*/}} -{{- define "getOverrideMinMaxAnnotation" -}} -{{- if .current }} - {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-min-max") "enabled" }} - {{- "enabled" }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Try to get the user override vpa min/max allowed value if the override min/max allowed annotation is enabled, -and the current VPA cr is existed. -If not, return none and use the default min/max allowed value. -*/}} -{{- define "getAllowedValue" -}} -{{- if .current }} - {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-min-max") "enabled" }} - {{- (dict "current" .current "containerName" .containerName "resource" .resource) | include "getOverrideAllowedValue" }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Find the target container policy in VPA containerPolicies array -*/}} -{{- define "getVpaContainer" -}} - {{- $name := .containerName }} - {{- range $container := .containerPolicies }} - {{- if eq $name $container.containerName }} - {{- toYaml $container }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Get the user override vpa min/max allowed value from target container in current existing vpa cr -*/}} -{{- define "getOverrideAllowedValue" -}} -{{- /* -Use parentheses () to check the nested values existed due to the limitation of Helm -https://github.com/helm/helm/issues/8026 -*/}} -{{- $container := (dict "containerName" .containerName "containerPolicies" .current.spec.resourcePolicy.containerPolicies) | include "getVpaContainer" | fromYaml }} -{{- if eq .resource "maxCPU" }} - {{- if ((($container).maxAllowed).cpu) }} - {{- $container.maxAllowed.cpu }} - {{- end }} -{{- end }} -{{- if eq .resource "maxMemory" }} - {{- if ((($container).maxAllowed).memory) }} - {{- $container.maxAllowed.memory }} - {{- end }} -{{- end }} -{{- if eq .resource "minCPU" }} - {{- if ((($container).minAllowed).cpu) }} - {{- $container.minAllowed.cpu }} - {{- end }} -{{- end }} -{{- if eq .resource "minMemory" }} - 
{{- if ((($container).minAllowed).memory) }} - {{- $container.minAllowed.memory }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Get the value of override requests limits annotation, -default is "disabled" and only support "enabled" and "disabled" currently. -Return none and fall back to "disabled" if the value is not supported. -*/}} -{{- define "getOverrideRequestsLimitsAnnotation" -}} -{{- if .current }} - {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-requests-limits") "enabled" }} - {{- "enabled" }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Find target container in deployment / daemonset containers property -*/}} -{{- define "getContainer" -}} - {{- $name := .containerName }} - {{- range $container := .containers }} - {{- if eq $name $container.name }} - {{- toYaml $container }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Get user override resource requests/limits value from target container in existing deployment / daemonset -*/}} -{{- define "getOverrideRequestsLimitsValue" -}} -{{- $container := (dict "containerName" .containerName "containers" .current.spec.template.spec.containers) | include "getContainer" | fromYaml }} -{{- if eq .resource "requestCPU" }} - {{- if (((($container).resources).requests).cpu) }} - {{- $container.resources.requests.cpu }} - {{- end }} -{{- end }} -{{- if eq .resource "requestMemory" }} - {{- if (((($container).resources).requests).memory) }} - {{- $container.resources.requests.memory }} - {{- end }} -{{- end }} -{{- if eq .resource "limitCPU" }} - {{- if (((($container).resources).limits).cpu) }} - {{- $container.resources.limits.cpu }} - {{- end }} -{{- end }} -{{- if eq .resource "limitMemory" }} - {{- if (((($container).resources).limits).memory) }} - {{- $container.resources.limits.memory }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* -Get user override requests/limits value when current deployment/daemonset and override annotation is existed, -if not, this function will return 
none and caller should set the default/fallback resource requests/limits value. -*/}} -{{- define "getRequestsLimitsValue" -}} -{{- if .current }} - {{- if eq (index .current.metadata.annotations "kubernetes.azure.com/override-requests-limits") "enabled" }} - {{- (dict "current" .current "containerName" .containerName "resource" .resource) | include "getOverrideRequestsLimitsValue" }} - {{- end }} -{{- end }} -{{- end -}} - -{{/* should use AzureStackCloud */}} -{{- define "should_use_azurestackcloud" -}} - {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }} - {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}} -{{- end }} - -{{/* should mount ca certs from host */}} -{{- define "should_mount_hostca" -}} - {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }} - {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}} -{{- end }} \ No newline at end of file diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_images.tpl b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_images.tpl deleted file mode 100644 index 86380c455..000000000 --- a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/_aks_images.tpl +++ /dev/null 
@@ -1,655 +0,0 @@ -{{- define "get.imagetag" -}} -{{- if eq .component "kube-addon-manager" -}} - {{- if semverCompare "<1.7.0" .version -}}v6.5 - {{- else if semverCompare "<1.10.0" .version -}}v8.6 - {{- else if semverCompare "<1.13.0" .version -}}v8.9.1 - {{- else -}}v9.0.2_v0.0.5.9 - {{- end -}} -{{- else if eq .component "kube-apiserver" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322.1 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 - {{- else if semverCompare "=1.20.7" .version 
-}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare 
"=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20231009 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20231009 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20231009 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.13" .version -}}v1.27.13 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 - {{- else if semverCompare "=1.28.9" .version -}}v1.28.9-hotfix.20240712-1 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-hotfix.20240712-1 - {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 - {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240712 - {{- else if semverCompare "=1.29.4" .version -}}v1.29.4-hotfix.20240712 - {{- else if semverCompare "=1.29.14" .version -}}v1.29.14-hotfix.20250703 - {{- else if semverCompare "=1.29.15" .version -}}v1.29.15-hotfix.20250703 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 - {{- else if and 
(semverCompare ">=1.30.11" .version) (semverCompare "<=1.30.14" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if and (semverCompare ">=1.31.0" .version) (semverCompare "<=1.31.11" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if and (semverCompare ">=1.32.0" .version) (semverCompare "<=1.32.7" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if and (semverCompare ">=1.33.0" .version) (semverCompare "<=1.33.3" .version) -}}v{{.version}}-hotfix.20250703 - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else if and (semverCompare ">=1.28.100" .version) (semverCompare "<=1.28.101" .version) -}}v{{.version}}-akslts-hotfix.20250703 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kube-scheduler" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322.1 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version 
-}}v1.19.6-hotfix.20210310 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 - {{- else if semverCompare 
"=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.14" .version -}}v1.27.15 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 - {{- else if semverCompare 
"=1.29.2" .version -}}v1.29.2-hotfix.20240712 - {{- else if semverCompare "=1.29.5" .version -}}v1.29.6-hotfix.20240712 - {{- else if semverCompare "=1.29.6" .version -}}v1.29.6-hotfix.20240712 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch | int) 100) -}}v{{.version}}-akslts - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kube-controller-manager" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210525 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101 - {{- else if 
semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210525 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20220126 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20220126 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 
- {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20231102 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.13" .version -}}v1.27.13 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240712-1 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-1 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-1 - {{- else if semverCompare "=1.28.9" .version -}}v1.28.9-hotfix.20240712-1 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-hotfix.20240712-1 - {{- else if semverCompare "=1.28.11" .version -}}v1.28.11-hotfix.20240712-1 - {{- else if semverCompare "=1.29.0" .version -}}v1.29.0-hotfix.20240712 - {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240712 - {{- else if semverCompare "=1.29.4" .version -}}v1.29.4-hotfix.20240712 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712 - {{- 
else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "hyperkube" -}} - {{- if semverCompare "=1.12.8" .version -}}v1.12.8_v0.0.5 - {{- else if semverCompare "=1.13.10" .version -}}v1.13.10_v0.0.5 - {{- else if semverCompare "=1.13.11" .version -}}v1.13.11_v0.0.5 - {{- else if semverCompare "=1.13.12" .version -}}v1.13.12_v0.0.5 - {{- else if semverCompare "=1.14.6" .version -}}v1.14.6_v0.0.5 - {{- else if semverCompare "=1.14.7" .version -}}v1.14.7-hotfix.20200408.1 - {{- else if semverCompare "=1.14.8" .version -}}v1.14.8-hotfix.20200529.1 - {{- else if semverCompare "=1.15.3" .version -}}v1.15.3_v0.0.5 - {{- else if semverCompare "=1.15.4" .version -}}v1.15.4_v0.0.5 - {{- else if semverCompare "=1.15.5" .version -}}v1.15.5_v0.0.5 - {{- else if semverCompare "=1.15.7" .version -}}v1.15.7-hotfix.20200408.1 - {{- else if semverCompare "=1.15.10" .version -}}v1.15.10-hotfix.20200408.1 - {{- else if semverCompare "=1.15.11" .version -}}v1.15.11-hotfix.20201203 - {{- else if semverCompare "=1.15.12" .version -}}v1.15.12-hotfix.20200824.2 - {{- else if semverCompare "=1.16.0" .version -}}v1.16.0_v0.0.5 - {{- else if semverCompare "=1.16.7" .version -}}v1.16.7-hotfix.20200601.3 - {{- else if semverCompare "=1.16.8" .version -}}v1.16.8.2 - {{- else if semverCompare "=1.16.9" .version -}}v1.16.9-hotfix.20200529.7 - {{- else if semverCompare "=1.16.10" .version -}}v1.16.10-hotfix.20200917.3 - {{- else if semverCompare "=1.16.13" .version -}}v1.16.13-hotfix.20210118.2 - {{- else if semverCompare "=1.16.14" .version -}}v1.16.14-hotfix.20200901.4 - {{- else if semverCompare "=1.16.15" .version -}}v1.16.15-hotfix.20210118.4 - {{- else if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601.3 - {{- else if 
semverCompare "=1.17.4" .version -}}v1.17.4.2 - {{- else if semverCompare "=1.17.5" .version -}}v1.17.5.2 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917.3 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917.3 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901.4 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.2 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.2 - {{- else if semverCompare "=1.18.1" .version -}}v1.18.1.6 - {{- else if semverCompare "=1.18.2" .version -}}v1.18.2-hotfix.20200626.7 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200626.7 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917.5 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20201112.4 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.4 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525.2 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.2 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.2 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kubectl" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200624 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200714 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.1 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.1 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200624 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200723 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20200924 - {{- else if semverCompare "=1.18.10" .version 
-}}v1.18.10-hotfix.20210310.1 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210322 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.2 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.2 - {{- else if semverCompare "=1.19.1" .version -}}v1.19.1-hotfix.20200923 - {{- else if semverCompare "=1.19.6" .version -}}v1.19.6-hotfix.20210310.1 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210310.1 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526.2 - {{- else if semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101.1 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101.1 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210310.1 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603.2 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211115 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115.1 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210.2 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201.2 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211115 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115.1 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601.1 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620.1 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115.1 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115.1 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220916 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109.1 - {{- else if semverCompare "=1.22.15" .version 
-}}v1.22.15-hotfix.20221109.1 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220916 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109.2 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208.1 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208.1 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220916 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216 - {{- else if semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208.1 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216.1 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208.1 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20230728 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20230728 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103-1 - {{- else if semverCompare "=1.26.12" .version -}}v1.26.12-1 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20230728 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20240125 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240712-4 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240712-4 - {{- else if semverCompare "=1.27.13" .version -}}v1.27.13-2 - {{- else if semverCompare "=1.28.0" 
.version -}}v1.28.0-hotfix.20240712-4 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240712-4 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240712-4 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else if and (semverCompare ">=1.29.0" .version) (semverCompare "<1.30.0" .version) -}}v1.29.13 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-1 - {{- else if semverCompare "=1.30.1" .version -}}v1.30.1-1 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240613 - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "kube-proxy" -}} - {{- if semverCompare "=1.17.3" .version -}}v1.17.3-hotfix.20200601.3 - {{- else if semverCompare "=1.17.7" .version -}}v1.17.7-hotfix.20200917.3 - {{- else if semverCompare "=1.17.9" .version -}}v1.17.9-hotfix.20200917.3 - {{- else if semverCompare "=1.17.11" .version -}}v1.17.11-hotfix.20200901.2 - {{- else if semverCompare "=1.17.13" .version -}}v1.17.13-hotfix.20210310.2 - {{- else if semverCompare "=1.17.16" .version -}}v1.17.16-hotfix.20210310.2 - {{- else if semverCompare "=1.18.2" .version -}}v1.18.2-hotfix.20200626.4 - {{- else if semverCompare "=1.18.4" .version -}}v1.18.4-hotfix.20200626.5 - {{- else if semverCompare "=1.18.6" .version -}}v1.18.6-hotfix.20200917.4 - {{- else if semverCompare "=1.18.8" .version -}}v1.18.8-hotfix.20201112.2 - {{- else if semverCompare "=1.18.10" .version -}}v1.18.10-hotfix.20210310.2 - {{- else if semverCompare "=1.18.14" .version -}}v1.18.14-hotfix.20210525 - {{- else if semverCompare "=1.18.17" .version -}}v1.18.17-hotfix.20210525.3 - {{- else if semverCompare "=1.18.19" .version -}}v1.18.19-hotfix.20210522.3 - {{- else if semverCompare "=1.19.7" .version -}}v1.19.7-hotfix.20210525 - {{- else if semverCompare "=1.19.9" .version -}}v1.19.9-hotfix.20210526.3 - {{- else if 
semverCompare "=1.19.11" .version -}}v1.19.11-hotfix.20211101.1 - {{- else if semverCompare "=1.19.13" .version -}}v1.19.13-hotfix.20211101.1 - {{- else if semverCompare "=1.20.2" .version -}}v1.20.2-hotfix.20210525 - {{- else if semverCompare "=1.20.5" .version -}}v1.20.5-hotfix.20210603.3 - {{- else if semverCompare "=1.20.7" .version -}}v1.20.7-hotfix.20211021.1 - {{- else if semverCompare "=1.20.9" .version -}}v1.20.9-hotfix.20211115.2 - {{- else if semverCompare "=1.20.13" .version -}}v1.20.13-hotfix.20220210.3 - {{- else if semverCompare "=1.20.15" .version -}}v1.20.15-hotfix.20220201.3 - {{- else if semverCompare "=1.21.1" .version -}}v1.21.1-hotfix.20211022.1 - {{- else if semverCompare "=1.21.2" .version -}}v1.21.2-hotfix.20211115.2 - {{- else if semverCompare "=1.21.7" .version -}}v1.21.7-hotfix.20220601.1 - {{- else if semverCompare "=1.21.9" .version -}}v1.21.9-hotfix.20220601.2 - {{- else if semverCompare "=1.21.14" .version -}}v1.21.14-hotfix.20220620.3 - {{- else if semverCompare "=1.22.1" .version -}}v1.22.1-hotfix.20211115.1 - {{- else if semverCompare "=1.22.2" .version -}}v1.22.2-hotfix.20211115.1 - {{- else if semverCompare "=1.22.4" .version -}}v1.22.4-hotfix.20220615.1 - {{- else if semverCompare "=1.22.6" .version -}}v1.22.6-hotfix.20220728.2 - {{- else if semverCompare "=1.22.11" .version -}}v1.22.11-hotfix.20221109.1 - {{- else if semverCompare "=1.22.15" .version -}}v1.22.15-hotfix.20221109.1 - {{- else if semverCompare "=1.23.3" .version -}}v1.23.3-hotfix.20220615.1 - {{- else if semverCompare "=1.23.5" .version -}}v1.23.5-hotfix.20220728.4 - {{- else if semverCompare "=1.23.8" .version -}}v1.23.8-hotfix.20221109.3 - {{- else if semverCompare "=1.23.12" .version -}}v1.23.12-hotfix.20230208.2 - {{- else if semverCompare "=1.23.15" .version -}}v1.23.15-hotfix.20230208.2 - {{- else if semverCompare "=1.24.0" .version -}}v1.24.0-hotfix.20220615.4 - {{- else if semverCompare "=1.24.3" .version -}}v1.24.3-hotfix.20221216.1 - {{- else if 
semverCompare "=1.24.6" .version -}}v1.24.6-hotfix.20230208.2 - {{- else if semverCompare "=1.24.9" .version -}}v1.24.9-hotfix.20230612 - {{- else if semverCompare "=1.24.10" .version -}}v1.24.10-hotfix.20230612-1 - {{- else if semverCompare "=1.25.2" .version -}}v1.25.2-hotfix.20221216 - {{- else if semverCompare "=1.25.4" .version -}}v1.25.4-hotfix.20230208 - {{- else if semverCompare "=1.25.5" .version -}}v1.25.5-hotfix.20230612 - {{- else if semverCompare "=1.25.6" .version -}}v1.25.6-hotfix.20231009-3 - {{- else if semverCompare "=1.25.11" .version -}}v1.25.11-hotfix.20231102-1 - {{- else if semverCompare "=1.25.15" .version -}}v1.25.15-hotfix.20231103-1 - {{- else if semverCompare "=1.26.0" .version -}}v1.26.0-hotfix.20230612 - {{- else if semverCompare "=1.26.3" .version -}}v1.26.3-hotfix.20231009-2 - {{- else if semverCompare "=1.26.6" .version -}}v1.26.6-hotfix.20231102 - {{- else if semverCompare "=1.26.10" .version -}}v1.26.10-hotfix.20231103-8 - {{- else if semverCompare "=1.27.1" .version -}}v1.27.1-hotfix.20231009 - {{- else if semverCompare "=1.27.3" .version -}}v1.27.3-hotfix.20240125 - {{- else if semverCompare "=1.27.7" .version -}}v1.27.7-hotfix.20240411 - {{- else if semverCompare "=1.27.9" .version -}}v1.27.9-hotfix.20240411 - {{- else if semverCompare "=1.27.14" .version -}}v1.27.14-1 - {{- else if semverCompare "=1.28.0" .version -}}v1.28.0-hotfix.20240125 - {{- else if semverCompare "=1.28.3" .version -}}v1.28.3-hotfix.20240411 - {{- else if semverCompare "=1.28.5" .version -}}v1.28.5-hotfix.20240411 - {{- else if semverCompare "=1.28.10" .version -}}v1.28.10-1 - {{- else if semverCompare "=1.29.2" .version -}}v1.29.2-hotfix.20240411 - {{- else if semverCompare "=1.29.5" .version -}}v1.29.5-1 - {{- else if semverCompare "=1.30.0" .version -}}v1.30.0-hotfix.20240712-3 - {{- else if semverCompare "=1.30.1" .version -}}v1.30.1-hotfix.20240712-3 - {{- else if semverCompare "=1.30.2" .version -}}v1.30.2-hotfix.20240712-3 - {{- else if 
semverCompare "=1.30.6" .version -}}v1.30.6-1 - {{- else if semverCompare "=1.31.1" .version -}}v1.31.1-2 - {{- else if and (semverCompare ">=1.27.0" .version) (ge ((semver .version).Patch) 100) -}}v{{.version}}-akslts - {{- else if semverCompare ">=1.34.0" .version -}}v{{ .version }}-1 - {{- else -}}v{{ .version }} - {{- end -}} -{{- else if eq .component "cloud-provider-controller-manager" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.7 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.8 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.14 - {{- else if semverCompare ">=1.29.0" .version -}}v1.29.15 - {{- else if semverCompare ">=1.28.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.27.21 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.22 - {{- else if semverCompare ">=1.25.0" .version -}}v1.25.24 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.22 - {{- else if semverCompare ">=1.23.0" .version -}}v1.23.30 - {{- else if semverCompare ">=1.22.0" .version -}}v1.1.26 - {{- else if semverCompare ">=1.21.0" .version -}}v1.0.23 - {{- else if semverCompare ">=1.20.0" .version -}}v0.7.21 - {{- else if semverCompare ">=1.19.0" .version -}}v0.6.0 - {{- else -}}v0.5.1.4 - {{- end -}} -{{- else if eq .component "appmonitoring-webhook" -}} -1.0.0-beta.8 -{{- else if eq .component "tunnel-front" -}} -master.250401.1 -{{- else if eq .component "tunnel-end" -}} -master.250401.1 -{{- else if eq .component "tunnel-openvpn-front" -}} -master.241001.1 -{{- else if eq .component "tunnel-openvpn-end" -}} -master.241001.1 -{{- else if eq .component "apiserver-network-proxy-agent" -}} -v0.30.3-5 -{{- else if eq .component "aad-pod-identity-nmi" -}} -v1.8.18 -{{- else if eq .component "gitops-manager-config-operator" -}} -1.7.0 -{{- else if eq .component "gitops-manager-config-agent" -}} -1.7.0 -{{- else if eq .component "resourcesync-operator" -}} -1.7.1 -{{- 
else if eq .component "http-application-routing-nginx-ingress-controller" -}} - {{- if semverCompare ">=1.22.0" .version -}}1.2.1 - {{- else if semverCompare ">=1.21.0" .version -}}0.49.3 - {{- else -}}0.19.0 - {{- end -}} -{{- else if eq .component "http-application-routing-external-dns" -}} - {{- if semverCompare ">=1.22.0" .version -}}v0.10.2 - {{- else if semverCompare ">=1.21.0" .version -}}v0.8.0 - {{- else -}}v0.6.0-hotfix-20200228 - {{- end -}} -{{- else if eq .component "http-application-routing-defaultbackend" -}} -1.4 -{{- else if eq .component "ip-masq-agent" -}} -v2.5.0.12 -{{- else if eq .component "azuredisk-csi-v2" -}} -v2.0.0-beta.10 -{{- else if eq .component "azdiskschedulerextender-csi" -}} -v2.0.0-beta.10 -{{- else if eq .component "csi-node-driver-registrar" -}} - {{- if semverCompare ">=1.31.0" .version -}}v2.14.0 - {{- else if semverCompare ">=1.29.0" .version -}}v2.13.0 - {{- else if semverCompare ">=1.28.0" .version -}}v2.12.0 - {{- else if semverCompare ">=1.27.0" .version -}}v2.10.1 - {{- else if semverCompare ">=1.24.0" .version -}}v2.8.0 - {{- else if semverCompare ">=1.21.0" .version -}}v2.5.0 - {{- else -}}v2.3.0 - {{- end -}} -{{- else if eq .component "csi-livenessprobe" -}} - {{- if semverCompare ">=1.31.0" .version -}}v2.16.0 - {{- else if semverCompare ">=1.29.0" .version -}}v2.15.0 - {{- else if semverCompare ">=1.28.0" .version -}}v2.14.0 - {{- else if semverCompare ">=1.27.0" .version -}}v2.12.0 - {{- else if semverCompare ">=1.24.0" .version -}}v2.10.0 - {{- else if semverCompare ">=1.21.0" .version -}}v2.6.0 - {{- else -}}v2.2.0 - {{- end -}} -{{- else if eq .component "azuredisk-csi-linux" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4-2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.10-2 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.11 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.14 - {{- else if semverCompare 
">=1.27.0" .version -}}v1.28.12 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.9 - {{- else if semverCompare ">=1.24.0" .version -}}v1.26.8 - {{- else if semverCompare ">=1.21.0" .version -}}v1.26.2.2 - {{- else -}}v1.2.2.5 - {{- end -}} -{{- else if eq .component "azuredisk-csi-windows" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.10 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.11 - {{- else if semverCompare ">=1.30.0" .version -}}v1.30.12 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.14 - {{- else if semverCompare ">=1.27.0" .version -}}v1.28.12 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.9 - {{- else if semverCompare ">=1.24.0" .version -}}v1.26.8 - {{- else if semverCompare ">=1.21.0" .version -}}v1.26.2 - {{- else -}}v1.2.2.5 - {{- end -}} -{{- else if eq .component "azurefile-csi-linux" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4-2 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.7 - {{- else if semverCompare ">=1.29.0" .version -}}v1.30.10 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.12 - {{- else if semverCompare ">=1.27.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.11-2 - {{- else if semverCompare ">=1.24.0" .version -}}v1.24.11 - {{- else if semverCompare ">=1.21.0" .version -}}v1.24.0 - {{- else -}}v1.2.2 - {{- end -}} -{{- else if eq .component "azurefile-csi-windows" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.33.4 - {{- else if semverCompare ">=1.32.0" .version -}}v1.32.5 - {{- else if semverCompare ">=1.31.0" .version -}}v1.31.7 - {{- else if semverCompare ">=1.29.0" .version -}}v1.30.10 - {{- else if semverCompare ">=1.28.0" .version -}}v1.29.12 - {{- else if semverCompare ">=1.27.0" .version -}}v1.28.14 - {{- else if semverCompare ">=1.26.0" .version -}}v1.26.11 - {{- else if semverCompare ">=1.24.0" 
.version -}}v1.24.11 - {{- else if semverCompare ">=1.21.0" .version -}}v1.24.0 - {{- else -}}v1.2.2 - {{- end -}} -{{- else if eq .component "blob-csi" -}} - {{- if semverCompare ">=1.33.0" .version -}}v1.26.7 - {{- else if semverCompare ">=1.32.0" .version -}}v1.26.6 - {{- else if semverCompare ">=1.31.0" .version -}}v1.25.9 - {{- else if semverCompare ">=1.30.0" .version -}}v1.24.11 - {{- else if semverCompare ">=1.28.0" .version -}}v1.23.11 - {{- else if semverCompare ">=1.27.0" .version -}}v1.22.9 - {{- else if semverCompare ">=1.26.0" .version -}}v1.21.7-2 - {{- else if semverCompare ">=1.24.0" .version -}}v1.19.5-7 - {{- else -}}v1.19.2 - {{- end -}} -{{- else if eq .component "csi-provisioner" -}} - {{- if semverCompare ">=1.29.0" .version -}}v5.2.0 - {{- else if semverCompare ">=1.28.0" .version -}}v3.6.2 - {{- else if semverCompare ">=1.24.0" .version -}}v3.5.0 - {{- else if semverCompare ">=1.21.0" .version -}}v3.1.0 - {{- else -}}v2.1.1-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "csi-attacher" -}} - {{- if semverCompare ">=1.32.0" .version -}}v4.9.0 - {{- else if semverCompare ">=1.29.0" .version -}}v4.8.1 - {{- else if semverCompare ">=1.28.0" .version -}}v4.4.2 - {{- else if semverCompare ">=1.27.0" .version -}}v4.3.0 - {{- else if semverCompare ">=1.21.0" .version -}}v3.4.0 - {{- else -}}v3.1.0-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "csi-resizer" -}} - {{- if semverCompare ">=1.29.0" .version -}}v1.13.2 - {{- else if semverCompare ">=1.28.0" .version -}}v1.9.3 - {{- else if semverCompare ">=1.27.0" .version -}}v1.8.0 - {{- else if semverCompare ">=1.21.0" .version -}}v1.4.0 - {{- else -}}v1.1.0-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "csi-snapshotter" -}} - {{- if semverCompare ">=1.33.0" .version -}}v8.3.0 - {{- else if semverCompare ">=1.29.0" .version -}}v8.2.0 - {{- else if semverCompare ">=1.27.0" .version -}}v6.2.2 - {{- else if semverCompare ">=1.21.0" .version -}}v5.0.1 - {{- else 
-}}v3.0.3-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "snapshot-controller" -}} - {{- if semverCompare ">=1.33.0" .version -}}v8.3.0 - {{- else if semverCompare ">=1.29.0" .version -}}v8.2.0 - {{- else if semverCompare ">=1.27.0" .version -}}v6.2.2 - {{- else if semverCompare ">=1.21.0" .version -}}v5.0.1 - {{- else -}}v3.0.3-hotfix.20220128-aks - {{- end -}} -{{- else if eq .component "azure-cns-image" -}} -v1.4.44.5 -{{- else if eq .component "azure-cns-image-windows" -}} -v1.4.44.5 -{{- else if eq .component "azure-cni-networkmonitor" -}} -v1.1.8_hotfix -{{- else if eq .component "calico-typha-image" -}} -v3.8.9 -{{- else if eq .component "calico-pod2daemon-flexvol-image" -}} -v3.8.9.1 -{{- else if eq .component "calico-cni-image" -}} -v3.8.9.3 -{{- else if eq .component "calico-node-image" -}} -v3.8.9.5 -{{- else if eq .component "ccp-initializer" -}} -master.250807.1 -{{- else if eq .component "ccp-auto-thrust" -}} - {{- if semverCompare ">=1.27.0" .version -}}master.250505.2 - {{- else -}}master.250108.7 - {{- end -}} -{{- else if eq .component "ccp-auto-thrust-csi" -}} - {{- if semverCompare ">=1.27.0" .version -}}master.250307.1 - {{- else -}}master.250108.7 - {{- end -}} -{{- else if eq .component "admissionsenforcer" -}} -master.250822.2 -{{- else if eq .component "msi-adapter" -}} -master.250822.1 -{{- else if eq .component "private-connect-router" -}} -master.250811.1 -{{- else if eq .component "private-connect-balancer" -}} -master.250731.2 -{{- else if eq .component "addon-token-adapter-linux" -}} -master.250902.1 -{{- else if eq .component "addon-token-adapter-windows" -}} -master.250902.1 -{{- else if eq .component "addon-token-reconciler" -}} -master.250819.2 -{{- else if eq .component "aks-kube-addon-manager" -}} -master.250528.2 -{{- else if eq .component "kms-plugin" -}} -v0.8.0 -{{- else if eq .component "ccp-coredns" -}} -v1.12.0-1 -{{- end -}} -{{- end -}} 
diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml
deleted file mode 100644
index 5f7a7d864..000000000
--- a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml
+++ /dev/null
@@ -1,1916 +0,0 @@
-{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}
-{{- $amalogsWindowsDefaultImageTag := dict "component" "ama-logs-win" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}
-{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}}
-{{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}}
-{{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}}
-{{- $WinImageTag := default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}
-{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}}
-{{- $isusingaadauth := false -}}
-{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}}
- {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}}
-{{- end -}}
-{{/* TODO This needs to be fixed post Canary validation */}}
-{{/* Extract cluster information from aksresourceid */}}
-{{- $resourceParts := splitList "/" .Values.OmsAgent.aksResourceID -}}
-{{- $aksclustername := last $resourceParts -}}
-{{- $aksResourceGroup := index $resourceParts 4 -}}
-{{- $region := .Values.global.commonGlobals.Region -}}
-{{- $aksnoderesourcegroup := printf "MC_%s_%s_%s" $aksResourceGroup $aksclustername $region -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: ama-logs-secret
- namespace: kube-system
- labels:
-{{- if .Values.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-type: Opaque
-data:
- WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }}
- KEY: {{ .Values.OmsAgent.workspaceKey | 
b64enc | quote }} -{{- if .Values.OmsAgent.isMoonCake }} - DOMAIN: {{ b64enc "opinsights.azure.cn" }} -{{- end }} -{{- if .Values.OmsAgent.isFairfax }} - DOMAIN: {{ b64enc "opinsights.azure.us" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }} - DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }} - DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }} - DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }} -{{- end }} -{{- if .Values.OmsAgent.httpsProxy }} - PROXY: {{ .Values.OmsAgent.httpsProxy | b64enc | quote }} -{{- else if .Values.OmsAgent.httpProxy }} - PROXY: {{ .Values.OmsAgent.httpProxy | b64enc | quote }} -{{- end}} -{{- if .Values.OmsAgent.trustedCA }} - PROXYCERT.crt: {{ .Values.OmsAgent.trustedCA | quote }} -{{- end}} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ama-logs - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} ---- -kind: ClusterRole -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -{{- end }} -metadata: - name: ama-logs-reader - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -rules: -- apiGroups: [""] - resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["apps", "extensions", "autoscaling"] - resources: ["replicasets", "deployments", "horizontalpodautoscalers"] - verbs: ["list"] -{{- if 
.Values.OmsAgent.isRSVPAEnabled }} -- apiGroups: ["apps"] - resources: ["deployments"] - resourceNames: [ "ama-logs-rs" ] - verbs: ["get", "patch"] -{{- end }} -{{- if $isusingaadauth }} -- apiGroups: [""] - resources: ["secrets"] - resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}] - verbs: ["get", "watch"] -{{- end }} -- nonResourceURLs: ["/metrics"] - verbs: ["get"] ---- -kind: ClusterRoleBinding -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -{{- end }} -metadata: - name: amalogsclusterrolebinding - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -subjects: - - kind: ServiceAccount - name: ama-logs - namespace: kube-system -roleRef: - kind: ClusterRole - name: ama-logs-reader - apiGroup: rbac.authorization.k8s.io ---- -kind: ConfigMap -apiVersion: v1 -data: - CLUSTER_RESOURCE_ID: "{{ .Values.OmsAgent.aksResourceID }}" -metadata: - name: container-azm-ms-aks-k8scluster - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} ---- -kind: ConfigMap -apiVersion: v1 -data: - kube.conf: |- - # Fluentd config file for OMS Docker - cluster components (kubeAPI) - #fluent forward plugin - - type forward - port "#{ENV['HEALTHMODEL_REPLICASET_SERVICE_SERVICE_PORT']}" - bind 0.0.0.0 - chunk_size_limit 4m - - - #Kubernetes pod inventory - - type kubepodinventory - tag oms.containerinsights.KubePodInventory - run_interval 60 - log_level debug - - - #Kubernetes Persistent Volume inventory - - type kubepvinventory - tag oms.containerinsights.KubePVInventory - run_interval 60 - log_level debug - - - #Kubernetes events - - type kubeevents - tag oms.containerinsights.KubeEvents - run_interval 60 - log_level debug - - - 
#Kubernetes Nodes - - type kubenodeinventory - tag oms.containerinsights.KubeNodeInventory - run_interval 60 - log_level debug - - - #Kubernetes health - - type kubehealth - tag kubehealth.ReplicaSet - run_interval 60 - log_level debug - - - #cadvisor perf- Windows nodes - - type wincadvisorperf - tag oms.api.wincadvisorperf - run_interval 60 - log_level debug - - - #Kubernetes object state - deployments - - type kubestatedeployments - tag oms.containerinsights.KubeStateDeployments - run_interval 60 - log_level debug - - - #Kubernetes object state - HPA - - type kubestatehpa - tag oms.containerinsights.KubeStateHpa - run_interval 60 - log_level debug - - - - type filter_inventory2mdm - log_level info - - - #custom_metrics_mdm filter plugin for perf data from windows nodes - - type filter_cadvisor2mdm - metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes,pvUsedBytes - log_level info - - - #health model aggregation filter - - type filter_health_model_builder - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path 
%STATE_DIR_WS%/out_oms_kubeservices*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 3 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer - buffer_queue_limit 20 - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - 
retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubehealth*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - -metadata: - name: ama-logs-rs-config - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} ---- -{{/* Get sizes */}} -{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} -{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} -{{- $sizes := list ($singleSize) -}} -{{/* - if $useDaemonSetSizing - */}} - {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}} - {{/* - $sizes = list ($singleSize) - */}} - {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}} -{{/* - end - */}} -{{/* Generate DaemonSets */}} -{{- $prevmaxCPU := 0 -}} -{{- range $index, $size := $sizes -}} -{{- if gt $index 0 }} ---- -{{ end -}} -{{- if semverCompare 
">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes -}} -apiVersion: apps/v1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if $.Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} - name: ama-logs{{/* {{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }} */}} - namespace: kube-system -spec: - selector: - matchLabels: - component: ama-logs-agent - tier: node - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} - template: - metadata: - annotations: - agentVersion: "azure-mdsd-1.37.0" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} -{{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - serviceAccountName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - containers: -{{- if $isusingaadauth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - 
--health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - {{- $containerResources := index $size.containers "addon-token-adapter" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" - {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - - name: AKS_CLUSTER_NAME - value: "{{ $.Values.OmsAgent.aksClusterName }}" - - name: 
AKS_RESOURCE_ID - value: "{{ $.Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ $.Values.OmsAgent.identityClientID }}" - - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS - value: "koreacentral,norwayeast,eastus2" - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ $.Values.AppmonitoringAgent.enabled }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ $.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT - value: "4319" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: SYSLOG_HOST_PORT - value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} - {{- end }} - - name: AZMON_RETINA_FLOW_LOGS_ENABLED - value: "{{ $.Values.OmsAgent.isRetinaFlowLogsEnabled | default false 
}}" - - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED - value: "{{ $.Values.OmsAgent.isResourceOptimizationEnabled | default false }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" - livenessProbe: - exec: - command: - - /bin/bash - - "-c" - - "/opt/livenessprobe.sh" - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: syslog - containerPort: 28330 - hostPort: {{ $.Values.OmsAgent.syslogHostPort | default 28330 }} - protocol: TCP - {{- end }} - {{- if eq ($.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} - - name: otlp-logs - containerPort: 4319 - hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} - protocol: TCP - {{- end }} - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - - mountPath: /hostfs - name: host-root - readOnly: true - mountPropagation: HostToContainer - - mountPath: /var/log - name: host-log - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - mountPath: /var/run/mdsd-ci - name: mdsd-sock - {{- end }} - {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - - mountPath: /var/log/acns/hubble - name: acns-hubble - {{- end }} - - mountPath: /var/run/mdsd-PrometheusSidecar - name: mdsd-prometheus-sock - - mountPath: /var/lib/docker/containers - name: containerlog-path - readOnly: true - - mountPath: /mnt/docker - name: containerlog-path-2 - readOnly: true - - mountPath: /mnt/containers - name: containerlog-path-3 - readOnly: true - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: 
true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - {{- if and (not $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled) $.Values.OmsAgent.isSidecarScrapingEnabled }} - - name: ama-logs-prometheus - image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" - {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-prometheus - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - 
- name: AKS_CLUSTER_NAME - value: "{{ $.Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ $.Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: CONTAINER_TYPE - value: "PrometheusSidecar" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ $.Values.OmsAgent.identityClientID }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: SYSLOG_HOST_PORT - value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} - {{- end }} - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: 
settings-vol-config - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - - mountPath: /var/run/mdsd-PrometheusSidecar - name: mdsd-prometheus-sock - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - mountPath: /var/run/mdsd-ci - name: mdsd-sock - {{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - {{- end }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - {{- if $useDaemonSetSizing -}} - {{- if eq $size.name $singleSize.name -}} - {{/* Target non-Karpenter nodes */}} - - key: karpenter.azure.com/aksnodeclass - operator: DoesNotExist - {{- else }} - {{/* Target Karpenter nodes with CPU range */}} - {{- if gt $prevmaxCPU 0 -}} - - key: karpenter.azure.com/sku-cpu - operator: Gt - values: - - "{{ $prevmaxCPU }}" - {{- end -}} - {{/* Add new line. 
*/}} - {{- if and $prevmaxCPU $size.maxCPU }} - {{ end -}} - {{- if $size.maxCPU -}} - - key: karpenter.azure.com/sku-cpu - operator: Lt - values: - - "{{ add ($size.maxCPU | int) 1 }}" - {{- end -}} - {{- end -}} - {{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - - name: host-root - hostPath: - path: / - - name: mdsd-prometheus-sock - emptyDir: {} - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - name: mdsd-sock - hostPath: - path: /var/run/mdsd-ci - {{- end }} - {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - - name: acns-hubble - hostPath: - path: /var/log/acns/hubble - {{- end }} - - name: containerlog-path - hostPath: - path: /var/lib/docker/containers - - name: containerlog-path-2 - hostPath: - path: /mnt/docker - - name: containerlog-path-3 - hostPath: - path: /mnt/containers - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 50% - -{{- if and (ne (default "" $size.name) (default "" $singleSize.name)) $size.maxCPU }} -{{- $prevmaxCPU = $size.maxCPU | int }} 
-{{- end }} -{{- end }} ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Deployment -metadata: - name: ama-logs-rs - namespace: kube-system - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - replicas: 1 - revisionHistoryLimit: 2 - paused: false - selector: - matchLabels: - rsName: "ama-logs-rs" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-rs" - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "azure-mdsd-1.37.0" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - serviceAccountName: ama-logs - containers: -{{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: ama-logs-vpa - image: "{{ template "addon_mcr_repository_base" . 
}}/oss/v2/kubernetes/autoscaler/addon-resizer:{{- $amalogsRSVPAImageTag -}}" - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 5m - memory: 30Mi - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: ama-logs-rs-vpa-config-volume - mountPath: /etc/config - command: - - /pod_nanny - - --config-dir=/etc/config - - --cpu=200m - - --extra-cpu=2m - - --memory=300Mi - - --extra-memory=4Mi - - --poll-period=180000 - - --threshold=5 - - --namespace=kube-system - - --deployment=ama-logs-rs - - --container=ama-logs -{{- end }} -{{- if $isusingaadauth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - {{- if not .Values.OmsAgent.isRSVPAEnabled }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentRsCPULimit }}" - memory: "{{ .Values.OmsAgent.omsAgentRsMemoryLimit }}" - requests: - cpu: 150m - memory: 250Mi - {{- end }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - - name: NUM_OF_FLUENTD_WORKERS - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.cpu - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - {{- else }} - - name: SIDECAR_SCRAPING_ENABLED - value: "false" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: 
MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: RS_ADDON-RESIZER_VPA_ENABLED - value: "true" - {{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - - containerPort: 25227 - protocol: TCP - name: in-rs-tcp - volumeMounts: - - mountPath: /var/log - name: host-log - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config - name: ama-logs-rs-config - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if .Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system - - weight: 1 - preference: - matchExpressions: - - key: storageprofile - operator: NotIn - values: - - managed - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - volumes: - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-rs-config - configMap: - name: ama-logs-rs-config - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: 
osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - {{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: ama-logs-rs-vpa-config-volume - configMap: - name: ama-logs-rs-vpa-config - optional: true - {{- end }} ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - name: ama-logs-windows - namespace: kube-system - labels: - component: ama-logs-agent-windows - tier: node-win - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 50% - selector: - matchLabels: - component: ama-logs-agent-windows - tier: node-win - template: - metadata: - labels: - component: ama-logs-agent-windows - tier: node-win - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "46.17.2" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - serviceAccountName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - containers: - - name: ama-logs-windows - image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - {{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} - resources: - requests: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}" - limits: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" - {{- else }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" - {{- end }} - securityContext: - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - env: - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PODNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-windows - resource: limits.memory - {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - {{- else }} - - name: SIDECAR_SCRAPING_ENABLED - value: "false" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: 
REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - volumeMounts: - - mountPath: C:\ProgramData\docker\containers - name: docker-windows-containers - readOnly: true - - mountPath: C:\var - name: docker-windows-kuberenetes-container-logs - - mountPath: C:\etc\config\settings - name: settings-vol-config - readOnly: true - - mountPath: C:\etc\ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\config\adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: C:\etc\kubernetes\host - name: azure-json-path - readOnly: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - - mountPath: C:\ca - name: ca-certs - readOnly: true - {{- end }} - {{- if $isusingaadauth }} - - mountPath: C:\etc\IMDS-access-token - name: imds-token - readOnly: true - {{- end }} - livenessProbe: - exec: - command: - - cmd - - /c - - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe - - fluent-bit.exe - - fluentdwinaks - - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" - - "C:\\etc\\amalogswindows\\renewcertificate.txt" - {{- if and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled }} - - "MonAgentCore.exe" - {{- end }} - periodSeconds: 60 - initialDelaySeconds: 180 - timeoutSeconds: 15 -{{- if and (and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} - - name: addon-token-adapter-win - command: - - addon-token-adapter-win - args: - - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterWindowsDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 400m - memory: 400Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end}} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.azure.com/cluster - operator: Exists -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - windows - - key: type - operator: NotIn - values: - - virtual-kubelet - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - - name: docker-windows-kuberenetes-container-logs - hostPath: - path: C:\var - - name: azure-json-path - hostPath: - path: C:\k - - name: docker-windows-containers - hostPath: - path: C:\ProgramData\docker\containers - type: DirectoryOrCreate - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - - name: ca-certs - hostPath: - path: C:\ca - {{- end }} - {{- if $isusingaadauth }} - - name: imds-token - secret: - secretName: {{ .Values.OmsAgent.accessTokenSecretName }} - {{- end }} -{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: ama-logs-hpa - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: ama-logs-multitenancy - minReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMinReplicas }} - maxReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMaxReplicas }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgCPUUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization }} - behavior: - scaleDown: - stabilizationWindowSeconds: 1200 - policies: - - type: Percent - value: 5 - periodSeconds: 180 - scaleUp: - stabilizationWindowSeconds: 0 - policies: - - type: Pods - value: 5 - periodSeconds: 5 - - type: Percent - value: 100 - periodSeconds: 5 - selectPolicy: Max ---- -apiVersion: v1 -kind: Service -metadata: - name: ama-logs-service - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - type: ClusterIP - ports: - - port: 24225 - targetPort: 24225 - protocol: TCP - name: fluentbit-fwd - selector: - rsName: "ama-logs-multitenancy" ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: 
Deployment -metadata: - name: ama-logs-multitenancy - namespace: kube-system - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - replicas: 1 - selector: - matchLabels: - rsName: "ama-logs-multitenancy" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-multitenancy" - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "azure-mdsd-1.37.0" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - volumes: - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - serviceAccountName: ama-logs - containers: - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name=aad-msi-auth-token - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" . }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPULimitLinux }}" - memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryLimitLinux }}" - requests: - cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPURequestLinux }}" - memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryRequestLinux }}" - env: - - name: AZMON_MULTI_TENANCY_LOG_COLLECTION - value: "true" - - name: AZMON_MULTI_TENANCY_LOGS_SERVICE_MODE - value: "true" - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} 
- {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - - name: USING_AAD_MSI_AUTH - value: "true" - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - name: http - containerPort: 24225 - protocol: TCP - volumeMounts: - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if .Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - lifecycle: - preStop: - exec: - command: [ - "sh", "-c", - # Introduce a delay to the shutdown sequence to wait for the - # pod eviction event to propagate. 
Then, gracefully shutdown - "sleep 5" - ] - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - readinessProbe: - tcpSocket: - port: 24225 - initialDelaySeconds: 10 - periodSeconds: 30 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - - key: kubernetes.io/os - operator: In - values: - - linux - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system -{{- end }} diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/values.yaml b/charts/azuremonitor-containerinsights-for-prod-clusters/values.yaml deleted file mode 100644 index 20e5de3f8..000000000 --- a/charts/azuremonitor-containerinsights-for-prod-clusters/values.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ -# Add this section to fix the AppmonitoringAgent references -AppmonitoringAgent: - enabled: false - isOpenTelemetryLogsEnabled: false - openTelemetryLogsPort: 28331 - -# Add complete global section -global: - commonGlobals: - CloudEnvironment: - isAutomaticSKU: false - Region: - Versions: - Kubernetes: "1.32.7" - -legacyAddonDelivery: false - -# Default values for ama-logs configuration -# omsagent configuration -OmsAgent: - aksResourceID: - enableDaemonSetSizing: false - isAppMonitoringAgentEnabled: false - isOpenTelemetryLogsEnabled: false - isCustomMetricsDisabled: false - isUsingAADAuth: "true" - openTelemetryLogsPort: 28331 - retinaFlowLogsEnabled: false - workspaceID: "" - accessTokenSecretName: "aad-msi-auth-token" - # Cloud environment - isMoonCake: false - isFairfax: false - workspaceKey: "" - - # Image configuration - imageTagLinux: - imageTagWindows: - isImagePullPolicyAlways: false - - # Resource ID and cluster information - # aksResourceID: "" - # aksClusterName: "" - # aksNodeResourceGroup: "" - # aksRegion: "" - - # Resource limits and requests - omsAgentDsCPULimitLinux: "500m" - omsAgentDsMemoryLimitLinux: "1Gi" - omsAgentDsCPULimitWindows: "2" - omsAgentDsMemoryLimitWindows: "2Gi" - omsAgentDsCPURequestWindows: "100m" - omsAgentDsMemoryRequestWindows: "150Mi" - omsAgentRsCPULimit: "1" - omsAgentRsMemoryLimit: "1.5Gi" - omsAgentPrometheusSidecarCPULimit: "500m" - omsAgentPrometheusSidecarMemoryLimit: "1Gi" - - # Multitenancy settings - omsAgentMultitenancyCPULimitLinux: "1" - omsAgentMultitenancyMemoryLimitLinux: "1Gi" - omsAgentMultitenancyCPURequestLinux: "100m" - omsAgentMultitenancyMemoryRequestLinux: "100Mi" - omsAgentMultitenancyLogsHPAMinReplicas: 2 - omsAgentMultitenancyLogsHPAMaxReplicas: 50 - omsAgentMultitenancyHPAAvgCPUUtilization: 700 - omsAgentMultitenancyHPAAvgMemoryUtilization: 700 - - # Feature flags - isSyslogEnabled: true - isPrometheusMetricsScrapingDisabled: false - isSidecarScrapingEnabled: true - 
isRSVPAEnabled: false - isRetinaFlowLogsEnabled: false - isResourceOptimizationEnabled: false - isWindowsAMAFluentBitEnabled: false - isMultitenancyLogsEnabled: false - isWindowsBurstableQoSEnabled: true - isTelegrafLivenessprobeEnabled: false - isWindowsAMAEnabled: true - isWindowsAddonTokenAdapterDisabled: false - legacyAddonDelivery: false - - # Network settings - syslogHostPort: "28330" - shouldMountSyslogHostPort: true - # httpProxy: "" - # httpsProxy: "" - # trustedCA: "" - - # # Identity settings - # identityClientID: "" - # accessTokenSecretName: "aad-msi-auth-token" - - # # DaemonSet sizing configuration - # enableDaemonSetSizing: false - # daemonSetSizingValues: - # singleSize: - # containers: - # addon-token-adapter: - # cpuLimit: "100m" - # memoryLimit: "100Mi" - # cpuRequest: "20m" - # memoryRequest: "50Mi" - # ama-logs: - # cpuLimit: "150m" - # memoryLimit: "750Mi" - # cpuRequest: "75m" - # memoryRequest: "325Mi" - # ama-logs-prometheus: - # cpuLimit: "500m" - # memoryLimit: "1Gi" - # cpuRequest: "75m" - # memoryRequest: "225Mi" - # tShirtSizes: - # - name: "small" - # maxCPU: 4 - # containers: - # addon-token-adapter: - # cpuLimit: "100m" - # memoryLimit: "100Mi" - # cpuRequest: "20m" - # memoryRequest: "50Mi" - # ama-logs: - # cpuLimit: "150m" - # memoryLimit: "750Mi" - # cpuRequest: "75m" - # memoryRequest: "325Mi" - # ama-logs-prometheus: - # cpuLimit: "500m" - # memoryLimit: "1Gi" - # cpuRequest: "75m" - # memoryRequest: "225Mi" - # - name: "medium" - # maxCPU: 8 - # containers: - # addon-token-adapter: - # cpuLimit: "200m" - # memoryLimit: "200Mi" - # cpuRequest: "40m" - # memoryRequest: "100Mi" - # ama-logs: - # cpuLimit: "300m" - # memoryLimit: "1.5Gi" - # cpuRequest: "150m" - # memoryRequest: "650Mi" - # ama-logs-prometheus: - # cpuLimit: "1" - # memoryLimit: "2Gi" - # cpuRequest: "150m" - # memoryRequest: "450Mi" - # - name: "large" - # maxCPU: 16 - # containers: - # addon-token-adapter: - # cpuLimit: "400m" - # memoryLimit: "400Mi" - # 
cpuRequest: "80m" - # memoryRequest: "200Mi" - # ama-logs: - # cpuLimit: "600m" - # memoryLimit: "3Gi" - # cpuRequest: "300m" - # memoryRequest: "1.3Gi" - # ama-logs-prometheus: - # cpuLimit: "2" - # memoryLimit: "4Gi" - # cpuRequest: "300m" - # memoryRequest: "900Mi" - -# # Application monitoring settings -# AppmonitoringAgent: -# enabled: false -# isOpenTelemetryLogsEnabled: false -# openTelemetryLogsPort: "28331" - -# # Azure-specific settings -# Azure: -# Cluster: -# Cloud: "" -# Region: "" -# ResourceId: "" -# Extension: -# Name: "" -# ResourceId: "" -# proxySettings: -# isProxyEnabled: false -# httpProxy: "" -# httpsProxy: "" -# noProxy: "" -# proxyCert: "" -# isCustomCert: false -# autonomousFqdn: "" - -# # Global settings -# global: -# commonGlobals: -# CloudEnvironment: "AzurePublicCloud" -# Versions: -# Kubernetes: "1.25.0" -# isAutomaticSKU: false From f6b76d19e7ff26fbf184c99ef665d7a7645446a5 Mon Sep 17 00:00:00 2001 From: longwan Date: Mon, 23 Feb 2026 04:00:36 +0000 Subject: [PATCH 26/47] merge values and chart yamls --- .../azuremonitor-containerinsights/Chart.yaml | 41 ++ .../values.yaml | 392 ++++++++++++++++++ 2 files changed, 433 insertions(+) create mode 100644 charts/azuremonitor-containerinsights/Chart.yaml create mode 100644 charts/azuremonitor-containerinsights/values.yaml diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml new file mode 100644 index 000000000..4c817c338 --- /dev/null +++ b/charts/azuremonitor-containerinsights/Chart.yaml 
@@ -0,0 +1,41 @@
+apiVersion: v2
+name: azuremonitor-containerinsights
+description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension)
+version: 3.2.1-aks-beta-5
+appVersion: 7.0.0-1
+kubeVersion: "^1.10.0-0"
+keywords:
+ - monitoring
+ - azuremonitor
+ - azure
+ - ama
+ - containerinsights
+ - metric
+ - event
+ - logs
+ - containerhealth
+ - kubernetesmonitoring
+ - acs-engine
+ - aks-engine
+ - azurestack
+ - openshift v4
+ - azure redhat openshift v4
+ - on-prem kubernetes monitoring
+ - arc-k8s
+ - containerlogs
+ - containerhealth
+ - containermonitoring
+ - hybrid kubernetes monitoring
+ - kubernetes
+ - kuberneteshealth
+home: https://docs.microsoft.com/en-us/azure/monitoring/monitoring-container-health
+icon: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/img/azuremonitor-containers.svg
+sources:
+ - https://github.com/microsoft/Docker-Provider/tree/ci_prod
+maintainers:
+ - name: rashmichandrashekar
+ email: rashmy@microsoft.com
+ - name: ganga1980
+ email: gangams@microsoft.com
+ - name: wanlonghenry
+ email: longwan@microsoft.com
\ No newline at end of file
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
new file mode 100644
index 000000000..6d29d7295
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -0,0 +1,392 @@
+# Unified values for Azure Monitor Container Insights
+# This chart supports both AKS Addon and Arc K8s Extension deployment modes
+
+# ============================================================================
+# SHARED CONFIGURATION (at top to match AKS chart order)
+# ============================================================================
+# Global settings
+global:
+ commonGlobals:
+ CloudEnvironment:
+ isAutomaticSKU: false
+ Region:
+ Versions:
+ Kubernetes: "1.32.7"
+
+# Application monitoring settings
+AppmonitoringAgent:
+ enabled: false
+ isOpenTelemetryLogsEnabled: false
+ openTelemetryLogsPort: 28331
+
+legacyAddonDelivery: false
+
+# ============================================================================
+# amaLogsAKS - AKS ADDON VALUES (from azuremonitor-containerinsights-aks)
+# Exact order preserved from OmsAgent section in AKS chart
+# ============================================================================
+# Default values for ama-logs configuration
+# omsagent configuration
+amaLogsAKS:
+ aksResourceID:
+ enableDaemonSetSizing: false
+ isAppMonitoringAgentEnabled: false
+ isOpenTelemetryLogsEnabled: false
+ isCustomMetricsDisabled: false
+ isUsingAADAuth: "true"
+ openTelemetryLogsPort: 28331
+ retinaFlowLogsEnabled: false
+ workspaceID: ""
+ accessTokenSecretName: "ama-logs-secret"
+ # Cloud environment
+ isMoonCake: false
+ isFairfax: false
+ workspaceKey: ""
+
+ # Image configuration
+ imageTagLinux: "3.1.34"
+ imageTagWindows: "win-3.1.34"
+ isImagePullPolicyAlways: false
+
+ # Resource ID and cluster information
+ # aksResourceID: ""
+ # aksClusterName: ""
+ # aksNodeResourceGroup: ""
+ # aksRegion: ""
+
+ # Resource limits and requests
+ omsAgentDsCPULimitLinux: "500m"
+ omsAgentDsMemoryLimitLinux: "1Gi"
+ omsAgentDsCPULimitWindows: "2"
+ omsAgentDsMemoryLimitWindows: "2Gi"
+ omsAgentDsCPURequestWindows: "100m"
+ omsAgentDsMemoryRequestWindows: "150Mi"
+ omsAgentRsCPULimit: "1"
+ omsAgentRsMemoryLimit: "1.5Gi"
+ omsAgentPrometheusSidecarCPULimit: "500m"
+ omsAgentPrometheusSidecarMemoryLimit: "1Gi"
+
+ # Multitenancy settings
+ omsAgentMultitenancyCPULimitLinux: "1"
+ omsAgentMultitenancyMemoryLimitLinux: "1Gi"
+ omsAgentMultitenancyCPURequestLinux: "100m"
+ omsAgentMultitenancyMemoryRequestLinux: "100Mi"
+ omsAgentMultitenancyLogsHPAMinReplicas: 2
+ omsAgentMultitenancyLogsHPAMaxReplicas: 50
+ omsAgentMultitenancyHPAAvgCPUUtilization: 700
+ omsAgentMultitenancyHPAAvgMemoryUtilization: 700
+
+ # Feature flags
+ isSyslogEnabled: true
+ isPrometheusMetricsScrapingDisabled: false
+ isSidecarScrapingEnabled: true
+ isRSVPAEnabled: false
+ isRetinaFlowLogsEnabled: false
+ isResourceOptimizationEnabled: false
+ isWindowsAMAFluentBitEnabled: false
+ isMultitenancyLogsEnabled: false
+ isWindowsBurstableQoSEnabled: true
+ isTelegrafLivenessprobeEnabled: false
+ isWindowsAMAEnabled: true
+ isWindowsAddonTokenAdapterDisabled: false
+ legacyAddonDelivery: false
+
+ # Network settings
+ syslogHostPort: "28330"
+ shouldMountSyslogHostPort: true
+ # httpProxy: ""
+ # httpsProxy: ""
+ # trustedCA: ""
+
+ # # Identity settings
+ # identityClientID: ""
+ # accessTokenSecretName: "aad-msi-auth-token"
+
+ # # DaemonSet sizing configuration
+ # enableDaemonSetSizing: false
+ # daemonSetSizingValues:
+ # singleSize:
+ # containers:
+ # addon-token-adapter:
+ # cpuLimit: "100m"
+ # memoryLimit: "100Mi"
+ # cpuRequest: "20m"
+ # memoryRequest: "50Mi"
+ # ama-logs:
+ # cpuLimit: "150m"
+ # memoryLimit: "750Mi"
+ # cpuRequest: "75m"
+ # memoryRequest: "325Mi"
+ # ama-logs-prometheus:
+ # cpuLimit: "500m"
+ # memoryLimit: "1Gi"
+ # cpuRequest: "75m"
+ # memoryRequest: "225Mi"
+ # tShirtSizes:
+ # - name: "small"
+ # maxCPU: 4
+ # containers:
+ # addon-token-adapter:
+ # cpuLimit: "100m"
+ # memoryLimit: "100Mi"
+ # cpuRequest: "20m"
+ # memoryRequest: "50Mi"
+ # ama-logs:
+ # cpuLimit: "150m"
+ # memoryLimit: "750Mi"
+ # cpuRequest: "75m"
+ # memoryRequest: "325Mi"
+ # ama-logs-prometheus:
+ # cpuLimit: "500m"
+ # memoryLimit: "1Gi"
+ # cpuRequest: "75m"
+ # memoryRequest: "225Mi"
+ # - name: "medium"
+ # maxCPU: 8
+ # containers:
+ # addon-token-adapter:
+ # cpuLimit: "200m"
+ # memoryLimit: "200Mi"
+ # cpuRequest: "40m"
+ # memoryRequest: "100Mi"
+ # ama-logs:
+ # cpuLimit: "300m"
+ # memoryLimit: "1.5Gi"
+ # cpuRequest: "150m"
+ # memoryRequest: "650Mi"
+ # ama-logs-prometheus:
+ # cpuLimit: "1"
+ # memoryLimit: "2Gi"
+ # cpuRequest: "150m"
+ # memoryRequest: "450Mi"
+ # - name: "large"
+ # maxCPU: 16
+ # containers:
+ # addon-token-adapter:
+ # cpuLimit: "400m"
+ # memoryLimit: "400Mi"
+ # cpuRequest: "80m"
+ # memoryRequest: "200Mi"
+ # ama-logs:
+ # cpuLimit: "600m"
+ # memoryLimit: "3Gi"
+ # cpuRequest: "300m"
+ # memoryRequest: "1.3Gi"
+ # ama-logs-prometheus:
+ # cpuLimit: "2"
+ # memoryLimit: "4Gi"
+ # cpuRequest: "300m"
+ # memoryRequest: "900Mi"
+
+# ============================================================================
+# amaLogsARC - ARC K8S EXTENSION VALUES (from azuremonitor-containers)
+# Exact order preserved from Arc chart
+# ============================================================================
+amaLogsARC:
+ image:
+ repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod"
+ tag: "3.1.34"
+ tagWindows: "win-3.1.34"
+ pullPolicy: IfNotPresent
+ dockerProviderVersion: "18.0.1-0"
+ agentVersion: "azure-mdsd-1.37.0"
+ winAgentVersion: "46.31.3" # there is no base agent version for windows agent
+
+ # The priority used by the ama-logs priority class for the daemonset pods
+ # Note that this is not execution piority - it is scheduling priority, as
+ # in getting scheduled to the node. This needs to be greater than 0 such
+ # that the daemonset pods, which can not schedule onto different nodes as
+ # they are defined to run on specific nodes, are not accidentally frozen
+ # out of a node due to other pods showing up earlier in scheduling.
+ # (DaemonSet pods by definition only are created once the node exists for
+ # them to be created for and thus it is possible to have "normal" pods
+ # already in line to run on the node before the DeamonSet controller got a
+ # chance to build pod for the node and give it to the scheduler)
+ # Should be some number greater than default (0)
+ priority: 10
+
+ # This flag used to determine whether to run is high log scale mode or not
+ enableHighLogScaleMode: false
+
+ # This used for running agent pods in test mode.
+ # if set to true additional agent workflow logs will be emitted which are used for e2e and arc k8s conformance testing
+ ISTEST: false
+
+ # This flag used to determine whether to use AAD MSI auth or not for Arc K8s cluster
+ useAADAuth: false
+
+ # This flag used to determine whether this cluster is connected to ArcA control plane. This value will be setup before pushed into on-premise ArcA ACR.
+ isArcACluster: false
+
+ # This flag used to ignore the proxy settings
+ ignoreExtensionProxySettings: false
+
+ # This flag allows ama-logs pods to be scheduled on nodes with taints
+ scheduleOnTaintedNodes: false
+
+ # This flag to enable and disable service account timebound token and default is enabled
+ enableServiceAccountTimeBoundToken: true
+
+ # This flag to enable and disable custom metrics. Custom metrics is getting deprecated so default is disabled
+ enableCustomMetrics: false
+
+ # This flag to enable and disable Telegraf livenessprobe and default is disabled
+ enableTelegrafLivenessprobe: false
+
+ ## To get your workspace id and key do the following
+ ## You can create a Azure Loganalytics workspace from portal.azure.com and get its ID & PRIMARY KEY from 'Advanced Settings' tab in the Ux.
+
+ secret:
+ wsid:
+ key:
+ domain: opinsights.azure.com
+ proxy:
+ # This metricsEndpoint used to define the endpoint custom metrics emit to. If not defined, default public Azure monitoring endpoint '{aks_region}.monitoring.azure.com' will be used.
+ metricsEndpoint:
+ tokenAudience:
+ env:
+ clusterName:
+ ## Applicable for only managed clusters hosted in Azure
+ clusterId:
+ clusterRegion:
+ rbac: true
+ sidecarscraping: true
+ # Syslog collection on Arc K8s clusters requires additional config dependencies on the node and is currently not supported. Please open a service ticket if there is a syslog collection requirement.
+ syslog:
+ enabled: false
+ syslogPort: 28330
+ logsettings:
+ logflushintervalsecs: "15"
+ tailbufchunksizemegabytes: "1"
+ tailbufmaxsizemegabytes: "1"
+ ## Applicable for only Azure Stack Edge K8s since it has custom mount path for container logs which will have symlink to /var/log path
+ custommountpath: ""
+
+ ## Configure node tolerations for scheduling onto nodes with taints
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ## https://kubernetes.io/blog/2022/04/07/upcoming-changes-in-kubernetes-1-24/
+ ##
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoExecute"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "PreferNoSchedule"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoExecute"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "PreferNoSchedule"
+ tolerationsUnrestricted:
+ - operator: "Exists"
+ effect: "NoSchedule"
+ - operator: "Exists"
+ effect: "NoExecute"
+ - operator: "Exists"
+ effect: "PreferNoSchedule"
+
+ ## Pod scheduling preferences.
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ##
+ daemonset:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ deployment:
+ affinity:
+ nodeAffinity:
+ # affinity to schedule on to ephemeral os node if its available
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: storageprofile
+ operator: NotIn
+ values:
+ - managed
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ - key: kubernetes.io/role
+ operator: NotIn
+ values:
+ - master
+ ## Configure resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources:
+ daemonsetlinux:
+ requests:
+ cpu: 75m
+ memory: 325Mi
+ limits:
+ cpu: 150m
+ memory: 750Mi
+ daemonsetwindows:
+ requests:
+ cpu: 500m
+ memory: 700Mi
+ limits:
+ cpu: 2
+ memory: 2Gi
+ deployment:
+ requests:
+ cpu: 150m
+ memory: 250Mi
+ limits:
+ cpu: 1
+ memory: 1Gi
+ daemonsetlinuxsidecar:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 75m
+ memory: 225Mi
+
+# ============================================================================
+# AZURE ARC K8S EXTENSION METADATA
+# ============================================================================
+Azure:
+ Cluster:
+ Cloud:
+ Region:
+ ResourceId:
+ Distribution: "" # e.g., "openshift", "aks_edge_k3s", "aks_edge_k8s", etc.
+ Extension:
+ Name: ""
+ ResourceId: ""
+ proxySettings:
+ isProxyEnabled: false
+ httpProxy: ""
+ httpsProxy: ""
+ noProxy: ""
+ proxyCert: ""
+ isCustomCert: false
+ autonomousFqdn: ""
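Review bot: `accessTokenSecretName: "ama-logs-secret"` under `amaLogsAKS` gives the AAD/MSI token secret the same name as the Secret the agent pods mount as their own `ama-logs-secret`. The values file this series deletes had `"aad-msi-auth-token"`, and the commented-out identity block a few lines further down in this hunk still shows that value. The templates removed earlier in the series pass this value to the token adapter's `--secret-name` argument and to the `imds-token` volume. The merged templates are not in this hunk, but if they read it the same way the Windows pods would expose the agent secret's contents under the token mount path and the adapter would operate on that Secret. I would restore `accessTokenSecretName: "aad-msi-auth-token"`, or add a comment stating why the two names are meant to coincide.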
From 6c4e541d768d26b6e7476059a34228ff4b105b4d Mon Sep 17 00:00:00 2001 From: longwan Date: Mon, 23 Feb 2026 04:05:03 +0000 Subject: [PATCH 27/47] merge help --- .../templates/_helpers.tpl | 106 ++++++++++++++++++ .../values.yaml | 2 +- 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 charts/azuremonitor-containerinsights/templates/_helpers.tpl diff --git a/charts/azuremonitor-containerinsights/templates/_helpers.tpl b/charts/azuremonitor-containerinsights/templates/_helpers.tpl new file mode 100644 index 000000000..b859282a6 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/_helpers.tpl 
@@ -0,0 +1,106 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Unified helper functions for azuremonitor-containerinsights chart
+This file merges helpers from both AKS addon and Arc K8s extension charts
+*/}}
+
+{{/*
+=============================================================================
+CHART NAMING HELPERS (from Arc chart)
+=============================================================================
+*/}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "azuremonitor-containers.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "azuremonitor-containers.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "azuremonitor-containers.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+=============================================================================
+IMAGE TAGS SECTION (from AKS chart)
+=============================================================================
+*/}}
+
+{{/* Get addon image tag - used for ama-logs and addon-resizer */}}
+{{- define "get.addonImageTag" -}}
+ {{- if eq .component "addon-resizer" -}}
+v1.8.23-4
+ {{- else if eq .component "ama-logs-linux" -}}
+3.1.34
+ {{- else if eq .component "ama-logs-win" -}}
+win-3.1.34
+ {{- end -}}
+{{- end -}}
+
+{{/* Get image tag - used for addon-token-adapter */}}
+{{- define "get.imagetag" -}}
+{{- if eq .component "addon-token-adapter-linux" -}}
+master.250902.1
+{{- else if eq .component "addon-token-adapter-windows" -}}
+master.250902.1
+{{- end -}}
+{{- end -}}
+
+{{/*
+=============================================================================
+MCR REPOSITORY SECTION (from AKS chart)
+=============================================================================
+*/}}
+
+{{/* MCR repository base - returns cloud-specific MCR URL */}}
+{{- define "mcr_repository_base" }}
+{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }}
+{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
+{{- "mcr.azk8s.cn" }}
+{{- else if (eq $cloud_environment "USNat") }}
+{{- "mcr.microsoft.eaglex.ic.gov" }}
+{{- else if (eq $cloud_environment "USSec") }}
+{{- "mcr.microsoft.scloud" }}
+{{- else }}
+{{- "mcr.microsoft.com" }}
+{{- end }}
+{{- end }}
+
+{{/* MCR repository template for addon charts */}}
+{{- define "addon_mcr_repository_base" }}
+{{- template "mcr_repository_base" . }}
+{{- end }}
+
+{{/*
+=============================================================================
+HOST CA CERTIFICATE MOUNTING SECTION (from AKS chart)
+=============================================================================
+*/}}
+
+{{/* Check if host CA certs should be mounted for specific cloud environments */}}
+{{- define "should_mount_hostca" -}}
+ {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
+ {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
+{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
index 6d29d7295..93b01879c 100644
--- a/charts/azuremonitor-containerinsights/values.yaml
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -389,4 +389,4 @@ Azure:
 noProxy: ""
 proxyCert: ""
 isCustomCert: false
- autonomousFqdn: ""
+ autonomousFqdn: ""
\ No newline at end of file
From 52883e8d1791642cdd80d8b81d9b72765b30a0c2 Mon Sep 17 00:00:00 2001
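Review bot: `mcr_repository_base` compares `CloudEnvironment` case-sensitively against `"AZURECHINACLOUD"`, `"USNat"` and `"USSec"`, while `should_mount_hostca` in the same file lowercases the value first, so a value such as `USNAT` would mount the host CAs yet fall through to the public `mcr.microsoft.com` registry. Normalise once, e.g. `{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "AZUREPUBLICCLOUD" | upper) }}`, and compare against `"USNAT"` and `"USSEC"`. There is also no branch for `azurebleucloud`, which `should_mount_hostca` treats as a sovereign cloud; if that cloud has its own registry host, image pulls should not default to the public one — please confirm. Separately, `get.addonImageTag` and `get.imagetag` render an empty string for an unknown component, which yields an image reference ending in `:`; an `else` branch calling `fail` would surface that at render time instead of at pull time.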
From: wanlonghenry Date: Mon, 23 Feb 2026 06:25:12 +0000 Subject: [PATCH 28/47] split aks charts --- .../templates/ama-logs-clusterrole-aks.yaml | 40 ++ .../ama-logs-clusterrolebinding-aks.yaml | 22 + .../ama-logs-configmap-cluster-aks.yaml | 13 + .../templates/ama-logs-daemonset-aks.yaml | 549 ++++++++++++++++++ .../ama-logs-daemonset-windows-aks.yaml | 302 ++++++++++ .../templates/ama-logs-deployment-aks.yaml | 358 ++++++++++++ .../ama-logs-deployment-multitenancy-aks.yaml | 240 ++++++++ .../templates/ama-logs-hpa-aks.yaml | 48 ++ .../templates/ama-logs-rs-configmap-aks.yaml | 282 +++++++++ .../templates/ama-logs-secret-aks.yaml | 41 ++ .../templates/ama-logs-service-aks.yaml | 20 + .../ama-logs-serviceaccount-aks.yaml | 11 + .../ama-metrics-prometheus-config-node.yaml | 32 + 13 files changed, 1958 insertions(+) create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml create mode 100644 
charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml
create mode 100644 test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml
new file mode 100644
index 000000000..26d8531d9
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml
@@ -0,0 +1,40 @@
+{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}}
+{{- $isusingaadauth := false -}}
+{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}}
+ {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}}
+{{- end -}}
+---
+kind: ClusterRole
+{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+metadata:
+ name: ama-logs-reader
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["apps", "extensions", "autoscaling"]
+ resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
+ verbs: ["list"]
+{{- if .Values.OmsAgent.isRSVPAEnabled }}
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: [ "ama-logs-rs" ]
+ verbs: ["get", "patch"]
+{{- end }}
+{{- if $isusingaadauth }}
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}]
+ verbs: ["get", "watch"]
+{{- end }}
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
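Review bot: The first rule grants `get` on `nodes/proxy`, which exposes the kubelet API through the API server rather than only the read-only `nodes/stats` and `nodes/metrics` endpoints already listed. This role is bound to the `ama-logs` service account that runs on every node, so `nodes/proxy` should be dropped unless the agent demonstrably needs it, with a comment explaining why if it stays. In the AAD rule, `resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}]` renders as `[""]` when the value is unset, and an empty resource name may match un-named `watch` requests on secrets — worth verifying. Using `{{ required "OmsAgent.accessTokenSecretName is required when isUsingAADAuth is true" .Values.OmsAgent.accessTokenSecretName | quote }}` makes the render fail closed instead.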
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml
new file mode 100644
index 000000000..33c53a4ed
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml
@@ -0,0 +1,22 @@
+---
+kind: ClusterRoleBinding
+{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+metadata:
+ name: amalogsclusterrolebinding
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: ama-logs
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ama-logs-reader
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml
new file mode 100644
index 000000000..3beee292c
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml
@@ -0,0 +1,13 @@
+---
+kind: ConfigMap
+apiVersion: v1
+data:
+ CLUSTER_RESOURCE_ID: "{{ .Values.OmsAgent.aksResourceID }}"
+metadata:
+ name: container-azm-ms-aks-k8scluster
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml
new file mode 100644
index 000000000..544681ca3
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml
@@ -0,0 +1,549 @@ +{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} +--- +{{/* Get sizes */}} +{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} +{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} +{{- $sizes := list ($singleSize) -}} +{{/* - if $useDaemonSetSizing - */}} + {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}} + {{/* - $sizes = list ($singleSize) - */}} + {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}} +{{/* - end - */}} +{{/* Generate DaemonSets */}} +{{- $prevmaxCPU := 0 -}} +{{- range $index, $size := $sizes -}} +{{- if gt $index 0 }} +--- +{{ end -}} +{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes -}} +apiVersion: apps/v1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + labels: + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: 
aks +{{- if $.Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} + {{/* + {{- if and $useDaemonSetSizing $size.name }} + kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} + {{- end }} + */}} + name: ama-logs{{/* {{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }} */}} + namespace: kube-system +spec: + selector: + matchLabels: + component: ama-logs-agent + tier: node + {{/* + {{- if and $useDaemonSetSizing $size.name }} + kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} + {{- end }} + */}} + template: + metadata: + annotations: + agentVersion: "azure-mdsd-1.37.0" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" + labels: + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: aks + {{/* + {{- if and $useDaemonSetSizing $size.name }} + kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} + {{- end }} + */}} +{{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- end }} + spec: +{{- if semverCompare ">=1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} + priorityClassName: system-node-critical +{{- end }} + serviceAccountName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" + containers: +{{- if $isusingaadauth }} + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: 
AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + {{- $containerResources := index $size.containers "addon-token-adapter" }} + cpu: {{ $containerResources.cpuLimit }} + memory: {{ $containerResources.memoryLimit }} + requests: + cpu: {{ $containerResources.cpuRequest }} + memory: {{ $containerResources.memoryRequest }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} + - name: ama-logs + image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" + {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + resources: + limits: + {{- $containerResources := index $size.containers "ama-logs" }} + cpu: {{ $containerResources.cpuLimit }} + memory: {{ $containerResources.memoryLimit }} + requests: + {{- $containerResources := index $size.containers "ama-logs" }} + cpu: {{ $containerResources.cpuRequest }} + memory: {{ $containerResources.memoryRequest }} + env: + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + - name: AKS_CLUSTER_NAME + value: "{{ $.Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ $.Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ $.Values.global.commonGlobals.Region }}" + - name: CONTROLLER_TYPE + value: 
"DaemonSet" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ $.Values.OmsAgent.identityClientID }}" + - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS + value: "koreacentral,norwayeast,eastus2" + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ $.Values.AppmonitoringAgent.enabled }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED + value: "{{ $.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT + value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT + value: "4319" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + - name: SYSLOG_HOST_PORT + value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} + {{- end }} + - name: AZMON_RETINA_FLOW_LOGS_ENABLED + value: "{{ $.Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}" + - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED + value: "{{ $.Values.OmsAgent.isResourceOptimizationEnabled | default false }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ 
$.Values.global.commonGlobals.CloudEnvironment | lower }}" + livenessProbe: + exec: + command: + - /bin/bash + - "-c" + - "/opt/livenessprobe.sh" + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + - name: syslog + containerPort: 28330 + hostPort: {{ $.Values.OmsAgent.syslogHostPort | default 28330 }} + protocol: TCP + {{- end }} + {{- if eq ($.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} + - name: otlp-logs + containerPort: 4319 + hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} + protocol: TCP + {{- end }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + volumeMounts: + - mountPath: /hostfs + name: host-root + readOnly: true + mountPropagation: HostToContainer + - mountPath: /var/log + name: host-log + {{- if $.Values.OmsAgent.isSyslogEnabled }} + - mountPath: /var/run/mdsd-ci + name: mdsd-sock + {{- end }} + {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} + - mountPath: /var/log/acns/hubble + name: acns-hubble + {{- end }} + - mountPath: /var/run/mdsd-PrometheusSidecar + name: mdsd-prometheus-sock + - mountPath: /var/lib/docker/containers + name: containerlog-path + readOnly: true + - mountPath: /mnt/docker + name: containerlog-path-2 + readOnly: true + - mountPath: /mnt/containers + name: containerlog-path-3 + readOnly: true + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} + # 
USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if $.Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + {{- if and (not $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled) $.Values.OmsAgent.isSidecarScrapingEnabled }} + - name: ama-logs-prometheus + image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" + {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + resources: + limits: + {{- $containerResources := index $size.containers "ama-logs-prometheus" }} + cpu: {{ $containerResources.cpuLimit }} + memory: {{ $containerResources.memoryLimit }} + requests: + {{- $containerResources := index $size.containers "ama-logs-prometheus" }} + cpu: {{ $containerResources.cpuRequest }} + memory: {{ $containerResources.memoryRequest }} + env: + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-prometheus + resource: limits.memory + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: AKS_CLUSTER_NAME + value: "{{ $.Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ $.Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ $.Values.global.commonGlobals.Region 
}}" + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: CONTAINER_TYPE + value: "PrometheusSidecar" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ $.Values.OmsAgent.identityClientID }}" + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + - name: SYSLOG_HOST_PORT + value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} + {{- end }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + volumeMounts: + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + - mountPath: /var/run/mdsd-PrometheusSidecar + name: mdsd-prometheus-sock + {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} + # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the 
host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if $.Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + {{- if $.Values.OmsAgent.isSyslogEnabled }} + - mountPath: /var/run/mdsd-ci + name: mdsd-sock + {{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- end }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: +{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes }} + - key: kubernetes.io/os +{{- else }} + - key: beta.kubernetes.io/os +{{- end }} + operator: In + values: + - linux + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + {{- if $useDaemonSetSizing -}} + {{- if eq $size.name $singleSize.name -}} + {{/* Target non-Karpenter nodes */}} + - key: karpenter.azure.com/aksnodeclass + operator: DoesNotExist + {{- else }} + {{/* Target Karpenter nodes with CPU range */}} + {{- if gt $prevmaxCPU 0 -}} + - key: karpenter.azure.com/sku-cpu + operator: Gt + values: + - "{{ $prevmaxCPU }}" + {{- end -}} + {{/* Add new line. 
*/}} + {{- if and $prevmaxCPU $size.maxCPU }} + {{ end -}} + {{- if $size.maxCPU -}} + - key: karpenter.azure.com/sku-cpu + operator: Lt + values: + - "{{ add ($size.maxCPU | int) 1 }}" + {{- end -}} + {{- end -}} + {{- end }} + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: PreferNoSchedule + volumes: + - name: host-root + hostPath: + path: / + - name: mdsd-prometheus-sock + emptyDir: {} + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + {{- if $.Values.OmsAgent.isSyslogEnabled }} + - name: mdsd-sock + hostPath: + path: /var/run/mdsd-ci + {{- end }} + {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} + - name: acns-hubble + hostPath: + path: /var/log/acns/hubble + {{- end }} + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers + - name: containerlog-path-2 + hostPath: + path: /mnt/docker + - name: containerlog-path-3 + hostPath: + path: /mnt/containers + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true + {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 50% + +{{- if and (ne (default "" $size.name) (default "" $singleSize.name)) $size.maxCPU }} +{{- $prevmaxCPU = $size.maxCPU | int }} 
+{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml new file mode 100644 index 000000000..6778d4e8e --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml 
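Review bot: Both the `ama-logs` and `ama-logs-prometheus` containers set `privileged: true` next to a `capabilities` block that drops `ALL` and adds `DAC_OVERRIDE`; a privileged container generally runs with the full capability set anyway, so the drop list reads as a restriction that is not in effect. If the agent only needs to read host logs, `privileged: false` with `allowPrivilegeEscalation: false` and the existing capability list would be the tighter setting, and the sidecar in particular mounts no host log paths. Whether either container really needs privileged mode is not visible from this hunk, so if it stays, remove the capability block or add a comment saying why both are present. The `azure-json-path` mount of the host's `/etc/kubernetes` at `/etc/kubernetes/host` is the one host configuration mount without `readOnly: true` in both containers; add it unless the agent writes there.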
@@ -0,0 +1,302 @@ +{{- $amalogsWindowsDefaultImageTag := dict "component" "ama-logs-win" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} +--- +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + name: ama-logs-windows + namespace: kube-system + labels: + component: ama-logs-agent-windows + tier: node-win + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 50% + selector: + matchLabels: + component: ama-logs-agent-windows + tier: node-win + template: + metadata: + labels: + component: ama-logs-agent-windows + tier: node-win + kubernetes.azure.com/managedby: aks + annotations: + agentVersion: "46.17.2" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- end }} + spec: +{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + priorityClassName: system-node-critical +{{- end }} + serviceAccountName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" + containers: + - name: ama-logs-windows + 
image: "{{ template "addon_mcr_repository_base" . }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + {{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} + resources: + requests: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}" + limits: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" + {{- else }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_REGION + value: "{{ $.Values.global.commonGlobals.Region }}" + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ .Values.OmsAgent.identityClientID }}" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PODNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory + {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} + - name: SIDECAR_SCRAPING_ENABLED + value: "true" + {{- else }} + - name: SIDECAR_SCRAPING_ENABLED + value: "false" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: 
"true" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED + value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT + value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + volumeMounts: + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\config\adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: C:\etc\kubernetes\host + name: azure-json-path + readOnly: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - mountPath: C:\ca + name: ca-certs + readOnly: true + {{- end }} + {{- if $isusingaadauth }} + - mountPath: C:\etc\IMDS-access-token + name: imds-token + readOnly: true + {{- end }} + livenessProbe: + exec: + command: + - cmd + - /c + - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" + {{- if and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled }} + - "MonAgentCore.exe" + {{- end }} + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 +{{- if and (and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} + - name: addon-token-adapter-win + command: + - addon-token-adapter-win + args: + - --secret-namespace=kube-system + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterWindowsDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} + - key: kubernetes.io/os +{{- else }} + - key: beta.kubernetes.io/os +{{- end }} + operator: In + values: + - windows + - key: type + operator: NotIn + values: + - virtual-kubelet + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: PreferNoSchedule + volumes: + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: azure-json-path + hostPath: + path: C:\k + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - name: ca-certs + hostPath: + path: C:\ca + {{- end }} + {{- if $isusingaadauth }} + - name: imds-token + secret: + secretName: {{ .Values.OmsAgent.accessTokenSecretName }} + {{- end }} +{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} 
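Review bot: The last line of this new template opens `{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }}` and nothing closes it, so as shown the file would not parse as a Helm template. The matching `{{- end }}` appears instead as the last line of `ama-logs-deployment-multitenancy-aks.yaml`, which has no opening `if` of its own. It looks as if the split of the combined manifest put the guard one file too early; move that line to the top of the multitenancy Deployment template and confirm both files render with `helm template`. If the guard is meant to gate the multitenancy resources, check whether the HPA and Service that target `ama-logs-multitenancy` need the same condition.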
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml new file mode 100644 index 000000000..b693e8fb5 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml 
@@ -0,0 +1,358 @@ +{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}} +{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} +--- +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: ama-logs-rs + namespace: kube-system + labels: + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + replicas: 1 + revisionHistoryLimit: 2 + paused: false + selector: + matchLabels: + rsName: "ama-logs-rs" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-rs" + kubernetes.azure.com/managedby: aks + annotations: + agentVersion: "azure-mdsd-1.37.0" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- end }} + spec: +{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + priorityClassName: 
system-node-critical +{{- end }} + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + serviceAccountName: ama-logs + containers: +{{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: ama-logs-vpa + image: "{{ template "addon_mcr_repository_base" . }}/oss/v2/kubernetes/autoscaler/addon-resizer:{{- $amalogsRSVPAImageTag -}}" + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 5m + memory: 30Mi + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: ama-logs-rs-vpa-config-volume + mountPath: /etc/config + command: + - /pod_nanny + - --config-dir=/etc/config + - --cpu=200m + - --extra-cpu=2m + - --memory=300Mi + - --extra-memory=4Mi + - --poll-period=180000 + - --threshold=5 + - --namespace=kube-system + - --deployment=ama-logs-rs + - --container=ama-logs +{{- end }} +{{- if $isusingaadauth }} + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} + - name: ama-logs + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + {{- if not .Values.OmsAgent.isRSVPAEnabled }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentRsCPULimit }}" + memory: "{{ .Values.OmsAgent.omsAgentRsMemoryLimit }}" + requests: + cpu: 150m + memory: 250Mi + {{- end }} + env: + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: AKS_CLUSTER_NAME + value: "{{ .Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ $.Values.global.commonGlobals.Region }}" + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ .Values.OmsAgent.identityClientID }}" + - name: NUM_OF_FLUENTD_WORKERS + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.cpu + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} + - name: SIDECAR_SCRAPING_ENABLED + value: "true" + {{- else }} + - name: SIDECAR_SCRAPING_ENABLED + value: "false" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- 
end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: RS_ADDON-RESIZER_VPA_ENABLED + value: "true" + {{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + - containerPort: 25227 + protocol: TCP + name: in-rs-tcp + volumeMounts: + - mountPath: /var/log + name: host-log + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config + name: ama-logs-rs-config + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system + - weight: 1 + preference: + matchExpressions: + - key: storageprofile + operator: NotIn + values: + - managed + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} + - key: kubernetes.io/os +{{- else }} + - key: beta.kubernetes.io/os +{{- end }} + operator: In + values: + - linux + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + volumes: + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-rs-config + configMap: + name: ama-logs-rs-config + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: 
osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + {{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: ama-logs-rs-vpa-config-volume + configMap: + name: ama-logs-rs-vpa-config + optional: true + {{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml new file mode 100644 index 000000000..17fd6f410 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml 
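Review bot: The `ama-logs` container sets `privileged: true` next to `capabilities:` with `drop: ALL` and `add: DAC_OVERRIDE`; a privileged container keeps every capability, so the drop list restricts nothing and reads as a tighter sandbox than the pod actually has. If the replica-set agent works with `DAC_OVERRIDE` alone, remove `privileged: true` (and then consider `allowPrivilegeEscalation: false`); if it really needs privileged mode, say why in a comment above the `securityContext` and drop the capability list. Separately, the `azure-json-path` mount at `/etc/kubernetes/host` has no `readOnly: true`, although the Windows DaemonSet mounts the same volume read-only; add `readOnly: true` there. The same `privileged: true` plus capability list is repeated on the `ama-logs` container in `ama-logs-deployment-multitenancy-aks.yaml`.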
@@ -0,0 +1,240 @@ +{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +--- +{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: ama-logs-multitenancy + namespace: kube-system + labels: + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +spec: + replicas: 1 + selector: + matchLabels: + rsName: "ama-logs-multitenancy" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-multitenancy" + kubernetes.azure.com/managedby: aks + annotations: + agentVersion: "azure-mdsd-1.37.0" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- end }} + spec: +{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} + priorityClassName: system-node-critical +{{- end }} + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + volumes: + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + serviceAccountName: ama-logs + containers: + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name=aad-msi-auth-token + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - name: ama-logs + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPULimitLinux }}" + memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryLimitLinux }}" + requests: + cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPURequestLinux }}" + memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryRequestLinux }}" + env: + - name: AZMON_MULTI_TENANCY_LOG_COLLECTION + value: "true" + - name: AZMON_MULTI_TENANCY_LOGS_SERVICE_MODE + value: "true" + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: AKS_CLUSTER_NAME + value: "{{ .Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ $.Values.global.commonGlobals.Region }}" + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + - name: USING_AAD_MSI_AUTH + value: "true" + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | 
lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - name: http + containerPort: 24225 + protocol: TCP + volumeMounts: + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + lifecycle: + preStop: + exec: + command: [ + "sh", "-c", + # Introduce a delay to the shutdown sequence to wait for the + # pod eviction event to propagate. Then, gracefully shutdown + "sleep 5" + ] + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + readinessProbe: + tcpSocket: + port: 24225 + initialDelaySeconds: 10 + periodSeconds: 30 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system +{{- end }} 
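Review bot: The `addon-token-adapter` container in this Deployment passes `--secret-name=aad-msi-auth-token` as a literal, while the same container in `ama-logs-deployment-aks.yaml` and in the Windows DaemonSet uses `--secret-name={{ .Values.OmsAgent.accessTokenSecretName }}`. If that value is ever set to a different name, this Deployment would keep asking for the fixed one. Use the value here as well, or add a comment such as `# multitenancy always uses the fixed token secret name` if the literal is intentional.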
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml
new file mode 100644
index 000000000..287c90951
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: ama-logs-hpa
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: ama-logs-multitenancy
+ minReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMinReplicas }}
+ maxReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMaxReplicas }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgCPUUtilization }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization }}
+ behavior:
+ scaleDown:
+ stabilizationWindowSeconds: 1200
+ policies:
+ - type: Percent
+ value: 5
+ periodSeconds: 180
+ scaleUp:
+ stabilizationWindowSeconds: 0
+ policies:
+ - type: Pods
+ value: 5
+ periodSeconds: 5
+ - type: Percent
+ value: 100
+ periodSeconds: 5
+ selectPolicy: Max
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml
new file mode 100644
index 000000000..7c82ff5f3
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml
@@ -0,0 +1,282 @@ +--- +kind: ConfigMap +apiVersion: v1 +data: + kube.conf: |- + # Fluentd config file for OMS Docker - cluster components (kubeAPI) + #fluent forward plugin + + type forward + port "#{ENV['HEALTHMODEL_REPLICASET_SERVICE_SERVICE_PORT']}" + bind 0.0.0.0 + chunk_size_limit 4m + + + #Kubernetes pod inventory + + type kubepodinventory + tag oms.containerinsights.KubePodInventory + run_interval 60 + log_level debug + + + #Kubernetes Persistent Volume inventory + + type kubepvinventory + tag oms.containerinsights.KubePVInventory + run_interval 60 + log_level debug + + + #Kubernetes events + + type kubeevents + tag oms.containerinsights.KubeEvents + run_interval 60 + log_level debug + + + #Kubernetes Nodes + + type kubenodeinventory + tag oms.containerinsights.KubeNodeInventory + run_interval 60 + log_level debug + + + #Kubernetes health + + type kubehealth + tag kubehealth.ReplicaSet + run_interval 60 + log_level debug + + + #cadvisor perf- Windows nodes + + type wincadvisorperf + tag oms.api.wincadvisorperf + run_interval 60 + log_level debug + + + #Kubernetes object state - deployments + + type kubestatedeployments + tag oms.containerinsights.KubeStateDeployments + run_interval 60 + log_level debug + + + #Kubernetes object state - HPA + + type kubestatehpa + tag oms.containerinsights.KubeStateHpa + run_interval 60 + log_level debug + + + + type filter_inventory2mdm + log_level info + + + #custom_metrics_mdm filter plugin for perf data from windows nodes + + type filter_cadvisor2mdm + metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes,pvUsedBytes + log_level info + + + #health model aggregation filter + + type filter_health_model_builder + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type 
out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 3 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer + buffer_queue_limit 20 + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + 
retry_wait 5s + max_retry_wait 5m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubehealth*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + +metadata: + name: ama-logs-rs-config + namespace: kube-system + labels: +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml new file mode 100644 index 000000000..f77f829c6 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml 
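Review bot: Every input and output section in `kube.conf` is set to `log_level debug`, which is a noisy default for a shipped addon and may put more record detail into the agent's own logs than intended; `log_level info`, as the two filter sections already use, would be the safer default. The forward input also has `bind 0.0.0.0`, so any workload that can reach the pod on that port can submit records unless something outside this patch restricts it; I see no NetworkPolicy in the visible files. The output block whose `buffer_path` is `out_oms_containernodeinventory*.buffer` is the only one without `buffer_queue_full_action drop_oldest_chunk`; add it or comment why it differs. The section tags of the Fluentd config are not visible in this rendering, so the match patterns could not be checked.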
@@ -0,0 +1,41 @@
+
+
+
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ama-logs-secret
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+type: Opaque
+data:
+ WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }}
+ KEY: {{ .Values.OmsAgent.workspaceKey | b64enc | quote }}
+{{- if .Values.OmsAgent.isMoonCake }}
+ DOMAIN: {{ b64enc "opinsights.azure.cn" }}
+{{- end }}
+{{- if .Values.OmsAgent.isFairfax }}
+ DOMAIN: {{ b64enc "opinsights.azure.us" }}
+{{- end }}
+{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }}
+ DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }}
+{{- end }}
+{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }}
+ DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }}
+{{- end }}
+{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }}
+ DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }}
+{{- end }}
+{{- if .Values.OmsAgent.httpsProxy }}
+ PROXY: {{ .Values.OmsAgent.httpsProxy | b64enc | quote }}
+{{- else if .Values.OmsAgent.httpProxy }}
+ PROXY: {{ .Values.OmsAgent.httpProxy | b64enc | quote }}
+{{- end}}
+{{- if .Values.OmsAgent.trustedCA }}
+ PROXYCERT.crt: {{ .Values.OmsAgent.trustedCA | quote }}
+{{- end}}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml
new file mode 100644
index 000000000..da2bce089
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml
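Review bot: `PROXYCERT.crt` is the only entry under `data:` that is not passed through `b64enc`, so the rendered Secret is valid only if `.Values.OmsAgent.trustedCA` always arrives already base64-encoded; a raw PEM bundle would be rejected by the API server or decoded to garbage. I would either encode it like the other keys or state the contract in a template comment, for example `{{- /* trustedCA is supplied base64-encoded by the caller; do not b64enc again */}}`. Separately, the five `DOMAIN` blocks are independent `if`s, so a values combination that satisfies two of them (say `isMoonCake` together with a matching `CloudEnvironment`) renders a duplicate key, and most parsers silently keep the last one. An `if` / `else if` chain would make the choice explicit.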
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ama-logs-service
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 24225
+ targetPort: 24225
+ protocol: TCP
+ name: fluentbit-fwd
+ selector:
+ rsName: "ama-logs-multitenancy"
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml
new file mode 100644
index 000000000..61bcc7224
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ama-logs
+ namespace: kube-system
+ labels:
+{{- if .Values.legacyAddonDelivery }}
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
diff --git a/test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml b/test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml
new file mode 100644
index 000000000..028638c78
--- /dev/null
+++ b/test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml
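Review bot: Nothing in the Service section says who may talk to port 24225, which the port name `fluentbit-fwd` suggests is a Fluent Bit forward input. A ClusterIP Service is reachable from any pod in the cluster unless a NetworkPolicy restricts it, and no such policy is visible in this patch. If the listener behind `rsName: "ama-logs-multitenancy"` does not authenticate senders, any workload could inject records into the log pipeline. I would add a comment above `ports:` naming the intended clients, such as `# forward input for the ama-logs daemonset only; access restricted by <NetworkPolicy name>`, and ship the matching NetworkPolicy in the same chart.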
@@ -0,0 +1,32 @@
+kind: ConfigMap
+apiVersion: v1
+data:
+ prometheus-config: |-
+ scrape_configs:
+ - job_name: ama-logs-daemonset
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_controller_kind]
+ action: keep
+ regex: 'DaemonSet'
+ - source_labels: [__meta_kubernetes_pod_controller_name]
+ regex: ^(ama-logs|ama-logs-windows)$
+ action: keep
+ - source_labels: [__address__]
+ action: replace
+ target_label: __address__
+ regex: (.+?)(\:\d+)?
+ replacement: $1:9102
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: instance
+ - source_labels: [__meta_kubernetes_pod_node_name]
+ action: replace
+ target_label: node
+ - source_labels: [__meta_kubernetes_pod_node_name]
+ action: keep
+ regex: $NODE_NAME
+metadata:
+ name: ama-metrics-prometheus-config-node
+ namespace: kube-system
From 097ca2b5056993bb2bfc7547c714dd78ad7ff327 Mon Sep 17 00:00:00 2001
From: longwan Date: Mon, 23 Feb 2026 06:33:21 +0000 Subject: [PATCH 29/47] arc charts --- .../templates/ama-logs-arc-k8s-crd-arc.yaml | 38 ++ .../templates/ama-logs-daemonset-arc.yaml | 418 ++++++++++++++++++ .../ama-logs-daemonset-windows-arc.yaml | 194 ++++++++ .../templates/ama-logs-deployment-arc.yaml | 308 +++++++++++++ .../templates/ama-logs-openshift-scc-arc.yaml | 27 ++ .../templates/ama-logs-priorityclass-arc.yaml | 22 + .../templates/ama-logs-rbac-arc.yaml | 65 +++ .../templates/ama-logs-rs-configmap-arc.yaml | 247 +++++++++++ .../templates/ama-logs-secret-arc.yaml | 26 ++ 9 files changed, 1345 insertions(+) create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml new file mode 100644 index 000000000..d4326ef6b --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml 
@@ -0,0 +1,38 @@
+{{- if or ( contains "microsoft.kubernetes/connectedclusters" (.Values.Azure.Cluster.ResourceId | lower)) ( contains "microsoft.hybridcontainerservice/provisionedclusters" (.Values.Azure.Cluster.ResourceId | lower)) }}
+#extension model
+{{- if not (empty .Values.Azure.Extension.Name) }}
+apiVersion: clusterconfig.azure.com/v1beta1
+kind: AzureExtensionIdentity
+metadata:
+ name: {{ .Values.Azure.Extension.Name }}
+ namespace: azure-arc
+spec:
+ serviceAccounts:
+ - name: ama-logs
+ namespace: kube-system
+ tokenNamespace: azure-arc
+---
+{{- end }}
+apiVersion: clusterconfig.azure.com/v1beta1
+kind: AzureClusterIdentityRequest
+metadata:
+ name: container-insights-clusteridentityrequest
+ namespace: azure-arc
+spec:
+ {{- if eq (.Values.Azure.Cluster.Cloud | lower) "azurepubliccloud" }}
+ audience: https://monitor.azure.com/
+ {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurechinacloud" }}
+ audience: https://monitor.azure.cn/
+ {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurebleucloud" }}
+ audience: https://monitor.sovcloud-api.fr/
+ {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azureusgovernmentcloud" }}
+ audience: https://monitor.azure.us/
+ {{- else if and .Values.amalogs.isArcACluster (ne .Values.amalogs.tokenAudience "") }}
+ audience: {{ .Values.amalogs.tokenAudience | quote }}
+ {{- else }}
+ audience: https://monitor.azure.com/
+ {{- end }}
+ {{- if not (empty .Values.Azure.Extension.Name) }}
+ resourceId: {{ .Values.Azure.Extension.Name }}
+ {{- end }}
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml
new file mode 100644
index 000000000..e195b9bfd
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml
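Review bot: The audience chain ends in `{{- else }}` with `audience: https://monitor.azure.com/`, so any `.Values.Azure.Cluster.Cloud` value outside the four recognised names, including a typo or a cloud added later, silently requests a public-cloud token audience instead of failing the render. The `isArcACluster` / `tokenAudience` branch also sits after the named clouds, so a custom audience is ignored whenever `Cloud` matches one of them, which may or may not be intended. I would replace the final fallback with `{{- fail (printf "unsupported Azure.Cluster.Cloud %q" .Values.Azure.Cluster.Cloud) }}` or, if the public default is deliberate, say so in a comment above it. The two bare substitutions should also be quoted: `name: {{ .Values.Azure.Extension.Name | quote }}` and `resourceId: {{ .Values.Azure.Extension.Name | quote }}`.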
@@ -0,0 +1,418 @@ +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent + tier: node +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + dsName: "ama-logs-ds" + template: + metadata: + labels: + dsName: "ama-logs-ds" + annotations: + agentVersion: {{ .Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} + spec: + priorityClassName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" + {{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs + {{- end }} + containers: +{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} + {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }} + {{- else }} + - name: msi-adapter + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ .Values.Azure.Extension.ResourceId }} + - name: EXTENSION_NAME + 
value: {{ .Values.Azure.Extension.Name }} + - name: MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- end }} + - name: ama-logs + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 9 }} + env: + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + {{- if .Values.amalogs.enableHighLogScaleMode }} + - name: ENABLE_HIGH_LOG_SCALE_MODE + value: {{ .Values.amalogs.enableHighLogScaleMode | quote }} + {{- end }} + {{- if .Values.amalogs.syslog.enabled }} + - name: SYSLOG_HOST_PORT + value: {{ 
.Values.amalogs.syslog.syslogPort | quote }} + {{- end }} + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + {{- if not (empty .Values.Azure.Extension.Name) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name | quote }} + {{- end }} + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "" + {{- if .Values.amalogs.logsettings.logflushintervalsecs }} + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }} + {{- end }} + {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }} + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }} + {{- end }} + {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }} + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }} + {{- end }} + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + {{ if .Values.amalogs.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ .Values.amalogs.isArcACluster | quote }} + {{- end }} + {{- if ne .Values.amalogs.metricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ .Values.amalogs.metricsEndpoint | quote }} + {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + {{- end }} + {{- if ne .Values.amalogs.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ .Values.amalogs.tokenAudience | quote }} + {{- end }} + - name: IS_CUSTOM_CERT + value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{ if .Values.amalogs.ISTEST }} + - name: AZMON_KUBERNETES_METADATA_ENABLED + value: "true" 
+ {{- end }} + {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + {{- end }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + {{- if .Values.amalogs.syslog.enabled }} + - name: syslog + containerPort: {{ .Values.amalogs.syslog.syslogPort }} + hostPort: {{ .Values.amalogs.syslog.syslogPort }} + protocol: TCP + {{- end }} + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + {{- end }} + - mountPath: /hostfs + name: host-root + readOnly: true + mountPropagation: HostToContainer + - mountPath: /var/log + name: host-log + - mountPath: /var/lib/docker/containers + name: containerlog-path + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + name: custom-mount-path + {{- end }} + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - "/opt/livenessprobe.sh" + initialDelaySeconds: 60 + 
periodSeconds: 60 + timeoutSeconds: 15 + {{- if .Values.amalogs.sidecarscraping }} + - name: ama-logs-prometheus + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 9 }} + env: + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: CONTAINER_TYPE + value: "PrometheusSidecar" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-prometheus + resource: limits.memory + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + {{- end }} + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + 
readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- end }} + {{- with .Values.amalogs.daemonset.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + volumes: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} + - name: host-root + hostPath: + path: / + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ 
.Values.amalogs.logsettings.custommountpath }} + {{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml new file mode 100644 index 000000000..7b0904f03 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml 
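Review bot: In the `ama-logs` and `ama-logs-prometheus` containers, `securityContext` sets `privileged: true` next to `capabilities:` with `drop: ALL` and `add: DAC_OVERRIDE`; with common runtimes a privileged container starts with the full capability set and host device access, so the drop/add list reads as a restriction that is not in force. Combined with the `host-root` hostPath (`/`) mounted at `/hostfs` and the `/etc/kubernetes` and `/var/log` mounts, a compromise of the agent is effectively a compromise of the node. If the agent only needs to read root-owned logs, `privileged: false` with `allowPrivilegeEscalation: false` and the existing capability list would match what the block appears to intend. If privileged mode is required, say why in a comment such as `# privileged is required for <reason>; the capabilities list below has no effect while it is set`. The Deployment template later in this patch has the same pairing on its `ama-logs` container.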
@@ -0,0 +1,194 @@ +{{- if not (.Values.amalogs.useAADAuth) }} +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs-windows + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent-windows + tier: node-win +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + dsName: "ama-logs-ds" + template: + metadata: + labels: + dsName: "ama-logs-ds" + annotations: + agentVersion: {{ .Values.amalogs.image.winAgentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + spec: + priorityClassName: ama-logs + dnsConfig: + options: + - name: ndots + value: "3" +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.Version }} + nodeSelector: + kubernetes.io/os: windows +{{- else }} + nodeSelector: + kubernetes.io/os: windows +{{- end }} + {{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs + {{- end }} + containers: + - name: ama-logs-windows + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tagWindows }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 9 }} + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ 
.Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PODNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SIDECAR_SCRAPING_ENABLED + value: {{ .Values.amalogs.sidecarscraping | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{ if .Values.amalogs.ISTEST }} + - name: AZMON_KUBERNETES_METADATA_ENABLED + value: "true" + {{- end }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + volumeMounts: + # Uncomment when telegraf upgraded to 1.28.5 or higher + # {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + # - name: kube-api-access + # mountPath: /var/run/secrets/kubernetes.io/serviceaccount + # readOnly: true + # {{- end }} + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var #Read + Write access on this for position file + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: 
C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true + livenessProbe: + exec: + command: + - cmd + - /c + - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + volumes: + # Uncomment when telegraf upgraded to 1.28.5 or higher + # {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + # - name: kube-api-access + # projected: + # sources: + # - serviceAccountToken: + # path: token + # expirationSeconds: 3600 + # - configMap: + # items: + # - key: ca.crt + # path: ca.crt + # name: kube-root-ca.crt + # - downwardAPI: + # items: + # - fieldRef: + # apiVersion: v1 + # fieldPath: metadata.namespace + # path: namespace + # {{- end }} + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml new file mode 100644 index 000000000..2faf4db7d --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml 
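Review bot: `spec.selector.matchLabels` and the pod template labels are `dsName: "ama-logs-ds"`, the same value the Linux `ama-logs` DaemonSet in this patch uses in the same namespace. Kubernetes documentation advises against workloads whose selectors match each other's pods, and anything that selects on that label (a Service, a NetworkPolicy, `kubectl -l`) will pick up both sets; a distinct label such as `dsName: "ama-logs-ds-windows"` avoids that. Both branches of the `semverCompare ">=1.14-0"` conditional render the identical `nodeSelector`, so the conditional can be dropped. The `capabilities` block under `securityContext` is a Linux setting and, as far as I know, has no effect on a Windows container, so it should not be read as hardening here.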
@@ -0,0 +1,308 @@ +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ama-logs-rs + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: ama-logs-agent + tier: node +spec: + replicas: 1 + selector: + matchLabels: + rsName: "ama-logs-rs" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-rs" + annotations: + agentVersion: {{ .Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} + spec: + {{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs + {{- end }} + containers: +{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} + {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }} + {{- else }} + - name: msi-adapter + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ .Values.Azure.Extension.ResourceId }} + - name: EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name }} + - name: 
MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- end }} + - name: ama-logs + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.deployment | indent 9 }} + env: + - name: NUM_OF_FLUENTD_WORKERS + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.cpu + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "ReplicaSet" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: 
status.hostIP + {{- if not (empty .Values.Azure.Extension.Name) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name | quote }} + {{- end }} + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "" + - name: SIDECAR_SCRAPING_ENABLED + value: {{ .Values.amalogs.sidecarscraping | quote }} + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + {{ if .Values.amalogs.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ .Values.amalogs.isArcACluster | quote }} + {{- end }} + {{- if ne .Values.amalogs.metricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ .Values.amalogs.metricsEndpoint | quote }} + {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + {{- end }} + {{- if ne .Values.amalogs.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ .Values.amalogs.tokenAudience | quote }} + {{- end }} + - name: IS_CUSTOM_CERT + value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{ if .Values.amalogs.ISTEST }} + - name: AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS + value: "true" + {{- end }} + {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + {{- end }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + 
readOnly: true + {{- end }} + - mountPath: /var/log + name: host-log + - mountPath: /var/lib/docker/containers + name: containerlog-path + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath : /etc/config + name: ama-logs-rs-config + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + name: custom-mount-path + {{- end }} + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - "/opt/livenessprobe.sh" + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- with .Values.amalogs.deployment.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- end }} + volumes: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-rs-config + configMap: + name: ama-logs-rs-config + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} + {{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml new file mode 100644 index 000000000..abc8c3896 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml 
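Review bot: The hostPath mounts `/etc/kubernetes/host` (`azure-json-path`) and `/var/lib/docker/containers` (`containerlog-path`) have no `readOnly: true`, while the secret and config mounts around them are read-only. On many clusters `/etc/kubernetes` on the node holds kubelet configuration and cloud credentials, so a writable mount into a privileged pod widens what a compromised agent can change. I would add `readOnly: true` to both unless the agent is known to write there; it may need write access under `/var/log` for position files, which I cannot confirm from the hunk. The `container-hostname` volume is declared but has no matching `volumeMounts` entry and can be removed. The same mounts appear in the DaemonSet template earlier in this patch.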
@@ -0,0 +1,27 @@
+{{- if eq .Values.Azure.Cluster.Distribution "openshift" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: ama-logs-scc
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowHostDirVolumePlugin: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+readOnlyRootFilesystem: false
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- hostPath
+- configMap
+- secret
+users:
+- system:serviceaccount:kube-system:ama-logs
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml
new file mode 100644
index 000000000..cfc93372d
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml
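Review bot: `allowPrivilegedContainer: true`, `allowPrivilegeEscalation: true` and `RunAsAny` on every strategy let any pod running as `system:serviceaccount:kube-system:ama-logs` be fully privileged with arbitrary hostPath mounts, which makes the `NET_ADMIN`/`NET_RAW` list under `allowedCapabilities` meaningless as a limit. The container specs visible in this series only add individual capabilities, so if no ama-logs container sets `privileged: true`, set `allowPrivilegedContainer: false` and `allowPrivilegeEscalation: false`; otherwise add a comment naming the container that needs it. The `volumes` list also omits `projected`, which pods mounting a projected service-account token volume (as the `kube-api-access` volume in ama-logs.yaml does) would presumably need to be admitted under this SCC.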
@@ -0,0 +1,22 @@
+{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}}
+# This pod priority class is used for daemonsets to allow them to have priority
+# over pods that can be scheduled elsewhere. Without a priority class, it is
+# possible for a node to fill up with pods before the daemonset pods get to be
+# created for the node or get scheduled. Note that pods are not "daemonset"
+# pods - they are just pods created by the daemonset controller but they have
+# a specific affinity set during creation to the specific node each pod was
+# created to run on (daemonset controller takes care of that)
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: ama-logs
+ # Priority classes don't have labels :-)
+ annotations:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: ama-logs-agent
+value: {{ .Values.amalogs.priority }}
+globalDefault: false
+description: "This is the daemonset priority class for ama-logs"
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml
new file mode 100644
index 000000000..ae1de444c
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml
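Review bot: `value: {{ .Values.amalogs.priority }}` is rendered with no presence or type check, so an unset key produces an empty `value:` and, depending on the configured number, Helm may print a large value in float notation that this integer field would not accept. Rendering it as `value: {{ required "amalogs.priority must be set" .Values.amalogs.priority | int }}` would fail at template time with a clear message and keep the output an integer.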
@@ -0,0 +1,65 @@
+{{- if .Values.amalogs.rbac }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ama-logs
+ namespace: kube-system
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+---
+kind: ClusterRole
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+metadata:
+ name: ama-logs-reader
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy","namespaces", "services", "persistentvolumes"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["apps", "extensions", "autoscaling"]
+ resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
+ verbs: ["list"]
+- apiGroups: ["clusterconfig.azure.com"]
+ resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"]
+ verbs: ["get", "create", "patch", "list", "update", "delete"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+#arc k8s extension model grants access as part of the extension msi
+#remove this explicit permission once the extension available in public preview
+{{- if (empty .Values.Azure.Extension.Name) }}
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["container-insights-clusteridentityrequest-token"]
+ verbs: ["get"]
+{{- end }}
+---
+kind: ClusterRoleBinding
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+metadata:
+ name: amalogsclusterrolebinding
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+subjects:
+ - kind: ServiceAccount
+ name: ama-logs
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ama-logs-reader
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml
new file mode 100644
index 000000000..b48cdd7b8
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml
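Review bot: The first rule of `ama-logs-reader` grants `get`/`list`/`watch` on `nodes/proxy` cluster-wide, which gives the `ama-logs` service account a path through the API server to every node's kubelet API and is much broader than the `nodes/stats` and `nodes/metrics` subresources listed beside it. If the agent only reads stats and metrics, drop `"nodes/proxy"` from that `resources` list; if a collector still depends on it, add a comment above the rule naming that collector so the grant can be revisited. The `rbac.authorization.k8s.io/v1beta1` fallback branches could also go, since current Kubernetes releases no longer serve that API version.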
@@ -0,0 +1,247 @@ +{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} +kind: ConfigMap +apiVersion: v1 +data: + kube.conf: | + # Fluentd config file for OMS Docker - cluster components (kubeAPI) + + #Kubernetes pod inventory + + type kubepodinventory + tag oms.containerinsights.KubePodInventory + run_interval 60 + log_level debug + + + #Kubernetes Persistent Volume inventory + + type kubepvinventory + tag oms.containerinsights.KubePVInventory + run_interval 60 + log_level debug + + + #Kubernetes events + + type kubeevents + tag oms.containerinsights.KubeEvents + run_interval 60 + log_level debug + + + #Kubernetes Nodes + + type kubenodeinventory + tag oms.containerinsights.KubeNodeInventory + run_interval 60 + log_level debug + + + #cadvisor perf- Windows nodes + + type wincadvisorperf + tag oms.api.wincadvisorperf + run_interval 60 + log_level debug + + + #Kubernetes object state - deployments + + type kubestatedeployments + tag oms.containerinsights.KubeStateDeployments + run_interval 60 + log_level debug + + + #Kubernetes object state - HPA + + type kubestatehpa + tag oms.containerinsights.KubeStateHpa + run_interval 60 + log_level debug + + + type filter_inventory2mdm + log_level info + + + # custom_metrics_mdm filter plugin for perf data from windows nodes + + type filter_cadvisor2mdm + metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes + log_level info + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer + 
buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 3 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer + buffer_queue_limit 20 + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_oms + log_level debug + num_threads 2 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 30s + max_retry_wait 9m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + 
buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + retry_mdm_post_wait_minutes 30 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 4m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 5s + max_retry_wait 5m + +metadata: + name: ama-logs-rs-config + namespace: kube-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml new file mode 100644 index 000000000..0d9219d77 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml 
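Review bot: Every `out_oms` and `out_mdm` output in `kube.conf` ships with `log_level debug`, and the output buffering to `out_oms_containernodeinventory*.buffer` is the only one without `buffer_queue_full_action drop_oldest_chunk`, so it would behave differently from the others when its queue fills. Unless that is intended, add `buffer_queue_full_action drop_oldest_chunk` there and lower the default to `log_level info`, as the two filter sections already use; debug output is verbose and may include record contents. The buffer paths are also inconsistent (`%STATE_DIR_WS%/state/...` for kubepv and kubenodes, `%STATE_DIR_WS%/...` elsewhere), which deserves a comment if deliberate.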
@@ -0,0 +1,26 @@
+{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ama-logs-secret
+ namespace: kube-system
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+ WSID: {{ required "A valid workspace id is required!" .Values.amalogs.secret.wsid | b64enc | quote }}
+ KEY: {{ required "A valid workspace key is required!" .Values.amalogs.secret.key | b64enc | quote }}
+ DOMAIN: {{ .Values.amalogs.domain | b64enc | quote }}
+ {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpsProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+ PROXY: {{ .Values.Azure.proxySettings.httpsProxy | b64enc | quote }}
+ {{- else if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+ PROXY: {{ .Values.Azure.proxySettings.httpProxy | b64enc | quote }}
+ {{- else if ne .Values.amalogs.proxy "" }}
+ PROXY: {{ .Values.amalogs.proxy | b64enc | quote }}
+ {{- end }}
+ {{- if and (or .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.isCustomCert) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }}
+ PROXYCERT.crt: {{.Values.Azure.proxySettings.proxyCert | b64enc | quote}}
+ {{- end }}
+{{- end }}
From cf525b402218a89729127e344052612c9f611cb5 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 23 Feb 2026 06:48:04 +0000
Subject: [PATCH 30/47] rename
---
.../templates/ama-logs-secret-aks.yaml | 4 ----
charts/azuremonitor-containerinsights/values.yaml | 10 +++++-----
2 files changed, 5 insertions(+), 9 deletions(-)
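Review bot: `PROXYCERT.crt` is written when either `isProxyEnabled` or `isCustomCert` is set, but the `subPath: PROXYCERT.crt` mount to `/etc/ssl/certs/proxy-cert.crt` visible in the ama-logs.yaml volumeMounts of this patch is rendered only when `isProxyEnabled` is set. With `isCustomCert` alone the certificate would sit in the Secret without that mount placing it in the trust directory, unless the agent picks it up from `/etc/ama-logs-secret` itself. Align the two conditions by using `(or .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.isCustomCert)` on the mount as well, or add a comment here explaining why they differ.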
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml index f77f829c6..121ef2551 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml @@ -1,7 +1,3 @@ - - - - apiVersion: v1 kind: Secret metadata: diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml index 93b01879c..de606aca0 100644 --- a/charts/azuremonitor-containerinsights/values.yaml +++ b/charts/azuremonitor-containerinsights/values.yaml @@ -22,12 +22,12 @@ AppmonitoringAgent: legacyAddonDelivery: false # ============================================================================ -# amaLogsAKS - AKS ADDON VALUES (from azuremonitor-containerinsights-aks) +# OmsAgent - AKS ADDON VALUES (from azuremonitor-containerinsights-aks) # Exact order preserved from OmsAgent section in AKS chart # ============================================================================ # Default values for ama-logs configuration -# omsagent configuration -amaLogsAKS: +# OmsAgent configuration +OmsAgent: aksResourceID: enableDaemonSetSizing: false isAppMonitoringAgentEnabled: false @@ -179,10 +179,10 @@ amaLogsAKS: # memoryRequest: "900Mi" # ============================================================================ -# amaLogsARC - ARC K8S EXTENSION VALUES (from azuremonitor-containers) +# amalogs - ARC K8S EXTENSION VALUES (from azuremonitor-containers) # Exact order preserved from Arc chart # ============================================================================ -amaLogsARC: +amalogs: image: repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod" tag: "3.1.34" From 44a60fcabe16b1857261dad6c90932c774743b78 Mon Sep 17 00:00:00 2001 
From: longwan Date: Wed, 25 Feb 2026 23:51:39 +0000 Subject: [PATCH 31/47] merge windows ds --- .../templates/_arc-extension-helpers.tpl | 23 + .../templates/ama-logs-daemonset-windows.yaml | 400 ++++++++++++++++++ .../ama-logs-deployment-multitenancy-aks.yaml | 1 + .../templates/ama-logs-hpa-aks.yaml | 2 + .../templates/ama-logs-service-aks.yaml | 2 + 5 files changed, 428 insertions(+) create mode 100644 charts/azuremonitor-containerinsights/templates/_arc-extension-helpers.tpl create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml diff --git a/charts/azuremonitor-containerinsights/templates/_arc-extension-helpers.tpl b/charts/azuremonitor-containerinsights/templates/_arc-extension-helpers.tpl new file mode 100644 index 000000000..ab72cb622 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/_arc-extension-helpers.tpl @@ -0,0 +1,23 @@ +{{/* +Arc extension helper to determine if this is an ARC or AKS deployment +*/}} + +{{ define "arc-extension-settings" }} +# Get resource ID from multiple possible sources +{{- $resourceId := "" }} +{{- if and .Values.Azure .Values.Azure.Cluster .Values.Azure.Cluster.ResourceId }} + {{- $resourceId = .Values.Azure.Cluster.ResourceId }} +{{- else if and .Values.OmsAgent .Values.OmsAgent.aksResourceID }} + {{- $resourceId = .Values.OmsAgent.aksResourceID }} +{{- else if and .Values.global .Values.global.commonGlobals .Values.global.commonGlobals.Customer .Values.global.commonGlobals.Customer.AzureResourceID }} + {{- $resourceId = .Values.global.commonGlobals.Customer.AzureResourceID }} +{{- end }} + +# If resource ID contains managedclusters it's AKS, otherwise it's Arc +{{- if and $resourceId (contains "microsoft.containerservice/managedclusters" (lower $resourceId)) }} +isArcExtension: false +{{- else }} +isArcExtension: true +{{- end }} + +{{- end }} \ No newline at end of file 
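Review bot: `arc-extension-settings` falls through to `isArcExtension: true` whenever no resource ID is found, so a missing or misspelled value silently selects the Arc rendering path in callers that read it through `fromYaml` instead of failing the render. If an empty ID is not a supported Arc configuration, fail explicitly, e.g. `{{- if not $resourceId }}{{ fail "cluster resource ID is required to choose AKS or Arc rendering" }}{{- end }}`; if it is supported, say so in the comment above the final `if`. The chained `and .Values.Azure .Values.Azure.Cluster .Values.Azure.Cluster.ResourceId` also depends on `and` short-circuiting, which older Helm builds do not do, so a comment stating the minimum Helm version would help.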
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml new file mode 100644 index 000000000..23d32c09e --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml 
@@ -0,0 +1,400 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{- $amalogsWindowsDefaultImageTag := dict "component" "ama-logs-win" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if not $isArcExtension -}} + {{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} + {{- end -}} +{{- else -}} + {{- if and .Values.amalogs (hasKey .Values.amalogs "useAADAuth") -}} + {{- $isusingaadauth = .Values.amalogs.useAADAuth -}} + {{- end -}} +{{- end -}} +{{/* Outer condition: AKS always renders, Arc only renders for non-AAD with valid credentials */}} +{{- if or (not $isArcExtension) (and $isArcExtension (not $isusingaadauth) (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "")))) }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs-windows + namespace: kube-system + labels: +{{- if $isArcExtension }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- else }} + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{- end }} + component: ama-logs-agent-windows + tier: node-win +spec: + updateStrategy: + type: RollingUpdate +{{- if not $isArcExtension }} + rollingUpdate: + maxUnavailable: 50% +{{- end }} + selector: + matchLabels: +{{- if $isArcExtension }} + dsName: 
"ama-logs-ds" +{{- else }} + component: ama-logs-agent-windows + tier: node-win +{{- end }} + template: + metadata: + labels: +{{- if $isArcExtension }} + dsName: "ama-logs-ds" +{{- else }} + component: ama-logs-agent-windows + tier: node-win + kubernetes.azure.com/managedby: aks +{{- end }} + annotations: +{{- if $isArcExtension }} + agentVersion: {{ .Values.amalogs.image.winAgentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} +{{- else }} + agentVersion: "46.17.2" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- end }} + spec: +{{- if $isArcExtension }} + priorityClassName: ama-logs +{{- else }} + priorityClassName: system-node-critical +{{- end }} +{{- if $isArcExtension }} +{{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs +{{- end }} +{{- else }} + serviceAccountName: ama-logs +{{- end }} + dnsConfig: + options: + - name: ndots + value: "3" +{{- if $isArcExtension }} + nodeSelector: + kubernetes.io/os: windows +{{- end }} + containers: + - name: ama-logs-windows +{{- if $isArcExtension }} + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tagWindows }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 12 }} +{{- else }} + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + {{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} + resources: + requests: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}" + limits: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" + {{- else }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" + memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" + {{- end }} +{{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" +{{- if $isArcExtension }} + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} +{{- else }} + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_REGION + value: "{{ .Values.global.commonGlobals.Region }}" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ 
.Values.OmsAgent.identityClientID }}" +{{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PODNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory +{{- if $isArcExtension }} + - name: SIDECAR_SCRAPING_ENABLED + value: {{ .Values.amalogs.sidecarscraping | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{- if .Values.amalogs.ISTEST }} + - name: AZMON_KUBERNETES_METADATA_ENABLED + value: "true" + {{- end }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" +{{- else }} + {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} + - name: SIDECAR_SCRAPING_ENABLED + value: "true" + {{- else }} + - name: SIDECAR_SCRAPING_ENABLED + value: "false" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: REQUIRES_CERT_BOOTSTRAP + value: "true" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED + value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT + value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - 
name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" +{{- end }} + volumeMounts: + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true +{{- if not $isArcExtension }} + - mountPath: C:\etc\omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\config\adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: C:\etc\kubernetes\host + name: azure-json-path + readOnly: true + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - mountPath: C:\ca + name: ca-certs + readOnly: true + {{- end }} + {{- if $isusingaadauth }} + - mountPath: C:\etc\IMDS-access-token + name: imds-token + readOnly: true + {{- end }} +{{- end }} + livenessProbe: + exec: + command: + - cmd + - /c + - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" +{{- if not $isArcExtension }} + {{- if and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled }} + - "MonAgentCore.exe" + {{- end }} +{{- end }} + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 +{{- if not $isArcExtension }} +{{- if and (and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} + - name: addon-token-adapter-win + command: + - addon-token-adapter-win + args: + - --secret-namespace=kube-system + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterWindowsDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} +{{- end }} +{{- if $isArcExtension }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- end }} +{{- else }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: kubernetes.io/os + operator: In + values: + - windows + - key: type + operator: NotIn + values: + - virtual-kubelet + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: PreferNoSchedule +{{- end }} + volumes: + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true +{{- if not $isArcExtension }} + - name: azure-json-path + hostPath: + path: C:\k + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - name: ca-certs + hostPath: + path: C:\ca + {{- end }} + {{- if $isusingaadauth }} + - name: imds-token + secret: + secretName: {{ .Values.OmsAgent.accessTokenSecretName }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml index 17fd6f410..46f255533 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml 
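Review bot: The Arc branch computes `checksum/secret` with `include (print $.Template.BasePath "/ama-logs-secret.yaml")`, but the secret templates visible in this series are `ama-logs-secret-arc.yaml` and `ama-logs-secret-aks.yaml`; if no `ama-logs-secret.yaml` exists at this commit, rendering the Arc path fails on that include. Point it at the file that renders the Secret (`"/ama-logs-secret-arc.yaml"`), or confirm that another patch in the series adds the unsuffixed file. Separately, the `C:\var` hostPath is mounted without `readOnly: true`, unlike the other host mounts in this container; if the agent only reads logs from it, mark it read-only, otherwise add a comment saying what it writes there.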
@@ -1,5 +1,6 @@
 {{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}
 {{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}}
+{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }}
 ---
 {{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }}
 apiVersion: apps/v1
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml
index 287c90951..a30bdd7f9 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml
@@ -1,3 +1,4 @@
+{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }}
 ---
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -46,3 +47,4 @@ spec:
 value: 100
 periodSeconds: 5
 selectPolicy: Max
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml
index da2bce089..8dbb6b7b3 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml
@@ -1,3 +1,4 @@
+{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }}
 ---
 apiVersion: v1
 kind: Service
@@ -18,3 +19,4 @@ spec:
 name: fluentbit-fwd
 selector:
 rsName: "ama-logs-multitenancy"
+{{- end }}
\ No newline at end of file
From a08e12559604d62bcaca0e045841322b62306743 Mon Sep 17 00:00:00 2001
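Review bot: `$isusingaadauth` is referenced by the added `{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }}` guard but is not assigned above it in any of the three files: in ama-logs-hpa-aks.yaml and ama-logs-service-aks.yaml the guard is the first line of the file, and in ama-logs-deployment-multitenancy-aks.yaml only the two image-tag variables precede it. Go templates reject a reference to an undeclared variable when the template is parsed, and variables do not carry over between template files, so each file needs its own assignment before the guard, for example `{{- $isusingaadauth := default false .Values.OmsAgent.isUsingAADAuth }}`. The deployment hunk also opens the `if` without a visible `{{- end }}`; the rest of that file is outside the hunk, so confirm the block is closed there.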
From: longwan Date: Tue, 3 Mar 2026 23:31:50 +0000 Subject: [PATCH 32/47] merge with ama-logs ds rs yaml and aks arc only resrouces --- .../templates/ama-logs-arc-k8s-crd.yaml | 43 + ...s.yaml => ama-logs-configmap-cluster.yaml} | 5 + .../ama-logs-daemonset-windows-aks.yaml | 1 - .../templates/ama-logs-daemonset.yaml | 935 ++++++++++++++++++ ... => ama-logs-deployment-multitenancy.yaml} | 10 + .../templates/ama-logs-deployment.yaml | 620 ++++++++++++ ...ma-logs-hpa-aks.yaml => ama-logs-hpa.yaml} | 10 + ...c-arc.yaml => ama-logs-openshift-scc.yaml} | 5 + ...s-arc.yaml => ama-logs-priorityclass.yaml} | 5 + ...service-aks.yaml => ama-logs-service.yaml} | 12 +- 10 files changed, 1644 insertions(+), 2 deletions(-) create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml rename charts/azuremonitor-containerinsights/templates/{ama-logs-configmap-cluster-aks.yaml => ama-logs-configmap-cluster.yaml} (62%) create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml rename charts/azuremonitor-containerinsights/templates/{ama-logs-deployment-multitenancy-aks.yaml => ama-logs-deployment-multitenancy.yaml} (95%) create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-deployment.yaml rename charts/azuremonitor-containerinsights/templates/{ama-logs-hpa-aks.yaml => ama-logs-hpa.yaml} (77%) rename charts/azuremonitor-containerinsights/templates/{ama-logs-openshift-scc-arc.yaml => ama-logs-openshift-scc.yaml} (74%) rename charts/azuremonitor-containerinsights/templates/{ama-logs-priorityclass-arc.yaml => ama-logs-priorityclass.yaml} (87%) rename charts/azuremonitor-containerinsights/templates/{ama-logs-service-aks.yaml => ama-logs-service.yaml} (54%) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml new file mode 100644 index 000000000..5fe5809fd --- /dev/null 
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml
@@ -0,0 +1,43 @@
+{{- $arcSettings := include "arc-extension-settings" . | fromYaml }}
+{{- $isArcExtension := $arcSettings.isArcExtension }}
+{{/* Arc-only resource */}}
+{{- if $isArcExtension }}
+{{- if or ( contains "microsoft.kubernetes/connectedclusters" (.Values.Azure.Cluster.ResourceId | lower)) ( contains "microsoft.hybridcontainerservice/provisionedclusters" (.Values.Azure.Cluster.ResourceId | lower)) }}
+#extension model
+{{- if not (empty .Values.Azure.Extension.Name) }}
+apiVersion: clusterconfig.azure.com/v1beta1
+kind: AzureExtensionIdentity
+metadata:
+ name: {{ .Values.Azure.Extension.Name }}
+ namespace: azure-arc
+spec:
+ serviceAccounts:
+ - name: ama-logs
+ namespace: kube-system
+ tokenNamespace: azure-arc
+---
+{{- end }}
+apiVersion: clusterconfig.azure.com/v1beta1
+kind: AzureClusterIdentityRequest
+metadata:
+ name: container-insights-clusteridentityrequest
+ namespace: azure-arc
+spec:
+ {{- if eq (.Values.Azure.Cluster.Cloud | lower) "azurepubliccloud" }}
+ audience: https://monitor.azure.com/
+ {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurechinacloud" }}
+ audience: https://monitor.azure.cn/
+ {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurebleucloud" }}
+ audience: https://monitor.sovcloud-api.fr/
+ {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azureusgovernmentcloud" }}
+ audience: https://monitor.azure.us/
+ {{- else if and .Values.amalogs.isArcACluster (ne .Values.amalogs.tokenAudience "") }}
+ audience: {{ .Values.amalogs.tokenAudience | quote }}
+ {{- else }}
+ audience: https://monitor.azure.com/
+ {{- end }}
+ {{- if not (empty .Values.Azure.Extension.Name) }}
+ resourceId: {{ .Values.Azure.Extension.Name }}
+ {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
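Review bot: The final `{{- else }}` of the `audience` chain gives every unrecognised `.Values.Azure.Cluster.Cloud` value the public-cloud audience `https://monitor.azure.com/`, so a mistyped or not-yet-listed cloud produces an identity request for the wrong audience instead of a render error. The custom `.Values.amalogs.tokenAudience` branch is likewise reached only when none of the four named clouds matches and `isArcACluster` is set. If the public default is intended, record that in a template comment such as `{{/* unknown clouds default to the public Azure Monitor audience */}}`; otherwise replace the default with `{{- fail (printf "unsupported cloud %q" .Values.Azure.Cluster.Cloud) }}`. `name:` and `resourceId:` also emit `.Values.Azure.Extension.Name` unquoted, where `| quote` would keep a boolean- or number-looking name a string.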
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster.yaml
similarity index 62%
rename from charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml
rename to charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster.yaml
index 3beee292c..817d8c253 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster-aks.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-configmap-cluster.yaml
@@ -1,3 +1,7 @@
+{{- $arcSettings := include "arc-extension-settings" . | fromYaml }}
+{{- $isArcExtension := $arcSettings.isArcExtension }}
+{{/* AKS-only resource */}}
+{{- if not $isArcExtension }}
 ---
 kind: ConfigMap
 apiVersion: v1
@@ -11,3 +15,4 @@ metadata:
 kubernetes.io/cluster-service: "true"
 addonmanager.kubernetes.io/mode: Reconcile
 {{- end }}
+{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml
index 6778d4e8e..c49bd6be0 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml
@@ -299,4 +299,3 @@ spec:
 secret:
 secretName: {{ .Values.OmsAgent.accessTokenSecretName }}
 {{- end }}
-{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml
new file mode 100644
index 000000000..88dc88dcf
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml
@@ -0,0 +1,935 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if not $isArcExtension -}} + {{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} + {{- end -}} +{{- else -}} + {{- if and .Values.amalogs (hasKey .Values.amalogs "useAADAuth") -}} + {{- $isusingaadauth = .Values.amalogs.useAADAuth -}} + {{- end -}} +{{- end -}} +{{/* Outer condition: AKS always renders, Arc renders with valid credentials */}} +{{- if or (not $isArcExtension) (and $isArcExtension (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "")))) }} +{{/* AKS DaemonSet Sizing - only for AKS */}} +{{- if not $isArcExtension }} +{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} +{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} +{{- $sizes := list ($singleSize) -}} 
+{{/* - if $useDaemonSetSizing - */}} + {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}} + {{/* - $sizes = list ($singleSize) - */}} + {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}} +{{/* - end - */}} +{{/* Generate DaemonSets */}} +{{- $prevmaxCPU := 0 -}} +{{- range $index, $size := $sizes -}} +{{- if gt $index 0 }} +--- +{{ end -}} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ama-logs + namespace: kube-system + labels: +{{- if $isArcExtension }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- else }} + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{/* + {{- if and $useDaemonSetSizing $size.name }} + kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} + {{- end }} + */}} +{{- end }} + component: ama-logs-agent + tier: node +spec: + updateStrategy: + type: RollingUpdate +{{- if not $isArcExtension }} + rollingUpdate: + maxUnavailable: 50% +{{- end }} + selector: + matchLabels: +{{- if $isArcExtension }} + dsName: "ama-logs-ds" +{{- else }} + component: ama-logs-agent + tier: node + {{/* + {{- if and $useDaemonSetSizing $size.name }} + kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} + {{- end }} + */}} +{{- end }} + template: + metadata: + labels: +{{- if $isArcExtension }} + dsName: "ama-logs-ds" +{{- else }} + component: ama-logs-agent + tier: node + kubernetes.azure.com/managedby: aks + {{/* + {{- if and $useDaemonSetSizing $size.name }} + kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} + {{- end }} + */}} +{{- end }} + annotations: +{{- if $isArcExtension }} + agentVersion: {{ .Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include 
(print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} +{{- else }} + agentVersion: "azure-mdsd-1.37.0" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- end }} + spec: +{{- if $isArcExtension }} + priorityClassName: ama-logs +{{- else }} + priorityClassName: system-node-critical +{{- end }} +{{- if $isArcExtension }} +{{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs +{{- end }} +{{- else }} + serviceAccountName: ama-logs +{{- end }} + dnsConfig: + options: + - name: ndots + value: "3" + containers: +{{/* Addon Token Adapter Container */}} +{{- if $isArcExtension }} +{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} + {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 10 }} + {{- else }} + - name: msi-adapter + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ .Values.Azure.Extension.ResourceId }} + - name: EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name }} + - name: MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + securityContext: + privileged: true + capabilities: + 
add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- end }} +{{- else }} +{{- if $isusingaadauth }} + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + {{- $containerResources := index $size.containers "addon-token-adapter" }} + cpu: {{ $containerResources.cpuLimit }} + memory: {{ $containerResources.memoryLimit }} + requests: + cpu: {{ $containerResources.cpuRequest }} + memory: {{ $containerResources.memoryRequest }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} +{{- end }} +{{/* Main ama-logs Container */}} + - name: ama-logs +{{- if $isArcExtension }} + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 12 }} +{{- else }} + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + resources: + limits: + {{- $containerResources := index $size.containers "ama-logs" }} + cpu: {{ $containerResources.cpuLimit }} + memory: {{ $containerResources.memoryLimit }} + requests: + {{- $containerResources := index $size.containers "ama-logs" }} + cpu: {{ $containerResources.cpuRequest }} + memory: {{ $containerResources.memoryRequest }} +{{- end }} + env: +{{- if $isArcExtension }} + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} +{{- else }} + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + - name: AKS_CLUSTER_NAME + value: "{{ .Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP 
+ value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ .Values.global.commonGlobals.Region }}" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ .Values.OmsAgent.identityClientID }}" + - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS + value: "koreacentral,norwayeast,eastus2" + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED + value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT + value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT + value: "4319" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if eq (.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + - name: SYSLOG_HOST_PORT + value: {{ .Values.OmsAgent.syslogHostPort | default 28330 | quote}} + {{- end }} + - name: AZMON_RETINA_FLOW_LOGS_ENABLED + value: "{{ .Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}" + - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED + value: "{{ .Values.OmsAgent.isResourceOptimizationEnabled | default false }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ 
.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" +{{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" +{{- if $isArcExtension }} + {{- if .Values.amalogs.enableHighLogScaleMode }} + - name: ENABLE_HIGH_LOG_SCALE_MODE + value: {{ .Values.amalogs.enableHighLogScaleMode | quote }} + {{- end }} + {{- if .Values.amalogs.syslog.enabled }} + - name: SYSLOG_HOST_PORT + value: {{ .Values.amalogs.syslog.syslogPort | quote }} + {{- end }} + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory + {{- if not (empty .Values.Azure.Extension.Name) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name | quote }} + {{- end }} + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "" + {{- if .Values.amalogs.logsettings.logflushintervalsecs }} + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }} + {{- end }} + {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }} + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }} + {{- end }} + {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }} + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }} + {{- end }} + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + {{- if .Values.amalogs.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ .Values.amalogs.isArcACluster | quote }} + {{- end }} + {{- if ne .Values.amalogs.metricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ .Values.amalogs.metricsEndpoint | quote }} + {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + {{- end }} + {{- if ne 
.Values.amalogs.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ .Values.amalogs.tokenAudience | quote }} + {{- end }} + - name: IS_CUSTOM_CERT + value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{- if .Values.amalogs.ISTEST }} + - name: AZMON_KUBERNETES_METADATA_ENABLED + value: "true" + {{- end }} + {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + {{- end }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" +{{- else }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" +{{- end }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP +{{- if $isArcExtension }} + {{- if .Values.amalogs.syslog.enabled }} + - name: syslog + containerPort: {{ .Values.amalogs.syslog.syslogPort }} + hostPort: {{ .Values.amalogs.syslog.syslogPort }} + protocol: TCP + {{- end }} +{{- else }} + {{- if eq (.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + - name: syslog + containerPort: 28330 + hostPort: {{ .Values.OmsAgent.syslogHostPort | default 28330 }} + protocol: TCP + {{- end }} + {{- if eq (.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} + - name: otlp-logs + containerPort: 4319 + hostPort: {{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} + protocol: TCP + {{- end }} +{{- end }} + volumeMounts: +{{- if $isArcExtension }} + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: 
true + {{- end }} +{{- end }} + - mountPath: /hostfs + name: host-root + readOnly: true + mountPropagation: HostToContainer + - mountPath: /var/log + name: host-log +{{- if not $isArcExtension }} + {{- if .Values.OmsAgent.isSyslogEnabled }} + - mountPath: /var/run/mdsd-ci + name: mdsd-sock + {{- end }} + {{- if .Values.OmsAgent.isRetinaFlowLogsEnabled }} + - mountPath: /var/log/acns/hubble + name: acns-hubble + {{- end }} + - mountPath: /var/run/mdsd-PrometheusSidecar + name: mdsd-prometheus-sock +{{- end }} + - mountPath: /var/lib/docker/containers + name: containerlog-path + readOnly: true +{{- if not $isArcExtension }} + - mountPath: /mnt/docker + name: containerlog-path-2 + readOnly: true + - mountPath: /mnt/containers + name: containerlog-path-3 + readOnly: true +{{- end }} + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true +{{- if not $isArcExtension }} + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true +{{- end }} +{{- if $isArcExtension }} + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} +{{- end }} + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true +{{- if $isArcExtension }} + {{- if .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + name: custom-mount-path + {{- end }} +{{- end }} + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true +{{- if not $isArcExtension }} + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} +{{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 +{{/* Prometheus Sidecar Container */}} +{{- if $isArcExtension }} + {{- if .Values.amalogs.sidecarscraping }} + - name: ama-logs-prometheus + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 12 }} + env: + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: CONTAINER_TYPE + value: "PrometheusSidecar" + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-prometheus + resource: limits.memory + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + - name: HOSTNAME + valueFrom: + fieldRef: + 
fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + volumeMounts: + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + {{- end }} + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- end }} +{{- else }} + {{- if and (not .Values.OmsAgent.isPrometheusMetricsScrapingDisabled) .Values.OmsAgent.isSidecarScrapingEnabled }} + - name: ama-logs-prometheus + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + resources: + limits: + {{- $containerResources := index $size.containers "ama-logs-prometheus" }} + cpu: {{ $containerResources.cpuLimit }} + memory: {{ $containerResources.memoryLimit }} + requests: + {{- $containerResources := index $size.containers "ama-logs-prometheus" }} + cpu: {{ $containerResources.cpuRequest }} + memory: {{ $containerResources.memoryRequest }} + env: + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-prometheus + resource: limits.memory + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: AKS_CLUSTER_NAME + value: "{{ .Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ .Values.global.commonGlobals.Region }}" + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: CONTAINER_TYPE + value: "PrometheusSidecar" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ .Values.OmsAgent.identityClientID }}" + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + - name: MCR_URL + value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: 
USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if eq (.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + - name: SYSLOG_HOST_PORT + value: {{ .Values.OmsAgent.syslogHostPort | default 28330 | quote}} + {{- end }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + volumeMounts: + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true + - mountPath: /var/run/mdsd-PrometheusSidecar + name: mdsd-prometheus-sock + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.isSyslogEnabled }} + - mountPath: /var/run/mdsd-ci + name: mdsd-sock + {{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 + {{- end }} +{{- end }} +{{/* Affinity and Tolerations */}} +{{- if $isArcExtension }} + {{- with .Values.amalogs.daemonset.affinity }} + affinity: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} +{{- else }} +{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} +{{- $singleSize := dict "name" "" -}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + {{- if $useDaemonSetSizing -}} + {{- if eq (default "" $size.name) (default "" $singleSize.name) -}} + {{/* Target non-Karpenter nodes */}} + - key: karpenter.azure.com/aksnodeclass + operator: DoesNotExist + {{- else }} + {{/* Target Karpenter nodes with CPU range */}} + {{- if gt $prevmaxCPU 0 -}} + - key: karpenter.azure.com/sku-cpu + operator: Gt + values: + - "{{ $prevmaxCPU }}" + {{- end -}} + {{/* Add new line. 
*/}} + {{- if and $prevmaxCPU $size.maxCPU }} + {{ end -}} + {{- if $size.maxCPU -}} + - key: karpenter.azure.com/sku-cpu + operator: Lt + values: + - "{{ add ($size.maxCPU | int) 1 }}" + {{- end -}} + {{- end -}} + {{- end }} + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: PreferNoSchedule +{{- end }} +{{/* Volumes */}} + volumes: +{{- if $isArcExtension }} + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} +{{- end }} + - name: host-root + hostPath: + path: / +{{- if not $isArcExtension }} + - name: mdsd-prometheus-sock + emptyDir: {} +{{- end }} + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log +{{- if not $isArcExtension }} + {{- if .Values.OmsAgent.isSyslogEnabled }} + - name: mdsd-sock + hostPath: + path: /var/run/mdsd-ci + {{- end }} + {{- if .Values.OmsAgent.isRetinaFlowLogsEnabled }} + - name: acns-hubble + hostPath: + path: /var/log/acns/hubble + {{- end }} +{{- end }} + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers +{{- if not $isArcExtension }} + - name: containerlog-path-2 + hostPath: + path: /mnt/docker + - name: containerlog-path-3 + hostPath: + path: /mnt/containers +{{- end }} + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true +{{- if $isArcExtension }} + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path 
+ hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} + {{- end }} +{{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + optional: true +{{- if not $isArcExtension }} + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + +{{- if and (ne (default "" $size.name) (default "" $singleSize.name)) $size.maxCPU }} +{{- $prevmaxCPU = $size.maxCPU | int }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy.yaml similarity index 95% rename from charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy.yaml index 46f255533..5ea250d9c 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy-aks.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-multitenancy.yaml 
@@ -1,5 +1,14 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* AKS-only resource */}} +{{- if not $isArcExtension }} {{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} {{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} {{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} --- {{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} @@ -239,3 +248,4 @@ spec: values: - system {{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment.yaml new file mode 100644 index 000000000..13447be9d --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment.yaml 
@@ -0,0 +1,620 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} +{{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}} +{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if not $isArcExtension -}} + {{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} + {{- end -}} +{{- else -}} + {{- if and .Values.amalogs (hasKey .Values.amalogs "useAADAuth") -}} + {{- $isusingaadauth = .Values.amalogs.useAADAuth -}} + {{- end -}} +{{- end -}} +{{/* Outer condition: AKS always renders, Arc renders with valid credentials */}} +{{- if or (not $isArcExtension) (and $isArcExtension (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "")))) }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ama-logs-rs + namespace: kube-system + labels: +{{- if $isArcExtension }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- else }} + kubernetes.azure.com/managedby: aks +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{- end }} + component: ama-logs-agent + tier: node +spec: + replicas: 1 +{{- if not $isArcExtension }} + revisionHistoryLimit: 2 + paused: false +{{- end }} 
+ selector: + matchLabels: + rsName: "ama-logs-rs" + strategy: + type: RollingUpdate + template: + metadata: + labels: + rsName: "ama-logs-rs" +{{- if not $isArcExtension }} + kubernetes.azure.com/managedby: aks +{{- end }} + annotations: +{{- if $isArcExtension }} + agentVersion: {{ .Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + schema-versions: "v1" + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} + checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} +{{- else }} + agentVersion: "azure-mdsd-1.37.0" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + dockerProviderVersion: "18.0.1-0" + schema-versions: "v1" + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + kubernetes.azure.com/no-http-proxy-vars: "true" +{{- end }} + spec: +{{- if not $isArcExtension }} + priorityClassName: system-node-critical + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" +{{- end }} +{{- if $isArcExtension }} +{{- if .Values.amalogs.rbac }} + serviceAccountName: ama-logs +{{- end }} +{{- else }} + serviceAccountName: ama-logs +{{- end }} + containers: +{{/* VPA Container - AKS only */}} +{{- if not $isArcExtension }} +{{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: ama-logs-vpa + image: "{{ template "addon_mcr_repository_base" . 
}}/oss/v2/kubernetes/autoscaler/addon-resizer:{{- $amalogsRSVPAImageTag -}}" + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 5m + memory: 30Mi + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: ama-logs-rs-vpa-config-volume + mountPath: /etc/config + command: + - /pod_nanny + - --config-dir=/etc/config + - --cpu=200m + - --extra-cpu=2m + - --memory=300Mi + - --extra-memory=4Mi + - --poll-period=180000 + - --threshold=5 + - --namespace=kube-system + - --deployment=ama-logs-rs + - --container=ama-logs +{{- end }} +{{- end }} +{{/* Addon Token Adapter Container */}} +{{- if $isArcExtension }} +{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} + {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} + - name: addon-token-adapter + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: "azure-arc" +{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 10 }} + {{- else }} + - name: msi-adapter + env: + - name: AZMON_COLLECT_ENV + value: "false" + - name: TOKEN_NAMESPACE + value: azure-arc + - name: CLUSTER_IDENTITY + value: "false" + - name: CLUSTER_TYPE + value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + - name: EXTENSION_ARMID + value: {{ .Values.Azure.Extension.ResourceId }} + - name: EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name }} + - name: MSI_ADAPTER_LISTENING_PORT + value: "8421" + - name: MANAGED_IDENTITY_AUTH + value: "true" + - name: MSI_ADAPTER_LIVENESS_PORT + value: "9090" + - name: TEST_MODE + value: "false" + - name: TEST_FILE + value: /data/token + image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW + livenessProbe: + failureThreshold: 3 + httpGet: + 
path: /healthz + port: 9090 + scheme: "HTTP" + initialDelaySeconds: 10 + periodSeconds: 15 + resources: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 20m + memory: 50Mi + lifecycle: + postStart: + exec: + command: ["/data/msi-adapter-ready-watcher"] + {{- end }} +{{- end }} +{{- else }} +{{- if $isusingaadauth }} + - name: addon-token-adapter + command: + - /addon-token-adapter + args: + - --secret-namespace=kube-system + - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} + - --token-server-listening-port=8888 + - --health-server-listening-port=9999 + - --restart-pod-waiting-minutes-on-broken-connection=240 + image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + imagePullPolicy: IfNotPresent + env: + - name: AZMON_COLLECT_ENV + value: "false" + livenessProbe: + httpGet: + path: /healthz + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 60 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW +{{- end }} +{{- end }} +{{/* Main ama-logs Container */}} + - name: ama-logs +{{- if $isArcExtension }} + image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.amalogs.resources.deployment | indent 12 }} +{{- else }} + image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" + {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + imagePullPolicy: Always + {{- else }} + imagePullPolicy: IfNotPresent + {{- end }} + {{- if not .Values.OmsAgent.isRSVPAEnabled }} + resources: + limits: + cpu: "{{ .Values.OmsAgent.omsAgentRsCPULimit }}" + memory: "{{ .Values.OmsAgent.omsAgentRsMemoryLimit }}" + requests: + cpu: 150m + memory: 250Mi + {{- end }} +{{- end }} + env: + - name: NUM_OF_FLUENTD_WORKERS + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.cpu + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs + resource: limits.memory +{{- if $isArcExtension }} + {{- if ne .Values.amalogs.env.clusterId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.amalogs.env.clusterId | quote }} + {{- if ne .Values.amalogs.env.clusterRegion "" }} + - name: AKS_REGION + value: {{ .Values.amalogs.env.clusterRegion | quote }} + {{- end }} + {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + - name: AKS_RESOURCE_ID + value: {{ .Values.Azure.Cluster.ResourceId | quote }} + - name: USING_AAD_MSI_AUTH + value: {{ .Values.amalogs.useAADAuth | quote }} + {{- if ne .Values.Azure.Cluster.Region "" }} + - name: AKS_REGION + value: {{ .Values.Azure.Cluster.Region | quote }} + {{- end }} + {{- else }} + - name: ACS_RESOURCE_NAME + value: {{ .Values.amalogs.env.clusterName | quote }} + {{- end }} +{{- else }} + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: AKS_CLUSTER_NAME + value: "{{ .Values.OmsAgent.aksClusterName }}" + - name: AKS_RESOURCE_ID + value: "{{ .Values.OmsAgent.aksResourceID }}" + - name: AKS_NODE_RESOURCE_GROUP + value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + - name: AKS_REGION + value: "{{ .Values.global.commonGlobals.Region }}" + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "{{ .Values.OmsAgent.identityClientID }}" 
+{{- end }} + - name: CONTROLLER_TYPE + value: "ReplicaSet" +{{- if $isArcExtension }} + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if not (empty .Values.Azure.Extension.Name) }} + - name: ARC_K8S_EXTENSION_NAME + value: {{ .Values.Azure.Extension.Name | quote }} + {{- end }} + - name: USER_ASSIGNED_IDENTITY_CLIENT_ID + value: "" + - name: SIDECAR_SCRAPING_ENABLED + value: {{ .Values.amalogs.sidecarscraping | quote }} + - name: ISTEST + value: {{ .Values.amalogs.ISTEST | quote }} + {{- if .Values.amalogs.isArcACluster }} + - name: IS_ARCA_CLUSTER + value: {{ .Values.amalogs.isArcACluster | quote }} + {{- end }} + {{- if ne .Values.amalogs.metricsEndpoint "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: {{ .Values.amalogs.metricsEndpoint | quote }} + {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + - name: CUSTOM_METRICS_ENDPOINT + value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + {{- end }} + {{- if ne .Values.amalogs.tokenAudience "" }} + - name: customResourceEndpoint + value: {{ .Values.amalogs.tokenAudience | quote }} + {{- end }} + - name: IS_CUSTOM_CERT + value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + - name: ENABLE_CUSTOM_METRICS + value: {{ .Values.amalogs.enableCustomMetrics | quote }} + {{- if .Values.amalogs.ISTEST }} + - name: AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS + value: "true" + {{- end }} + {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + {{- end }} +{{- else }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} + - name: SIDECAR_SCRAPING_ENABLED + value: "true" + {{- else }} + - name: SIDECAR_SCRAPING_ENABLED + value: "false" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} + - name: MCR_URL + 
value: "https://mcr.microsoft.eaglex.ic.gov/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} + - name: MCR_URL + value: "https://mcr.microsoft.scloud/v2/" + {{- end }} + {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} + - name: MCR_URL + value: "https://mcr.microsoft.sovcloud-api.fr/v2/" + {{- end }} + {{- if $isusingaadauth }} + - name: USING_AAD_MSI_AUTH + value: "true" + {{- else }} + - name: USING_AAD_MSI_AUTH + value: "false" + {{- end }} + {{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: RS_ADDON-RESIZER_VPA_ENABLED + value: "true" + {{- end }} + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "{{ .Values.AppmonitoringAgent.enabled }}" + - name: PROMETHEUS_METRICS_SCRAPING_DISABLED + value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED + value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" +{{- end }} +{{- if $isArcExtension }} + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.Azure.Cluster.Cloud | lower }}" +{{- else }} + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" +{{- end }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + ports: + - containerPort: 25225 + protocol: TCP + - containerPort: 25224 + protocol: UDP +{{- if not $isArcExtension }} + - containerPort: 25227 + protocol: TCP + name: in-rs-tcp +{{- end }} + volumeMounts: +{{- if $isArcExtension }} + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + {{- end }} +{{- end }} + - mountPath: /var/log + name: 
host-log +{{- if $isArcExtension }} + - mountPath: /var/lib/docker/containers + name: containerlog-path +{{- end }} + - mountPath: /etc/kubernetes/host + name: azure-json-path + - mountPath: /etc/ama-logs-secret + name: ama-logs-secret + readOnly: true +{{- if not $isArcExtension }} + - mountPath: /etc/omsagent-secret + name: ama-logs-secret + readOnly: true +{{- end }} +{{- if $isArcExtension }} + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} +{{- end }} + - mountPath: /etc/config + name: ama-logs-rs-config + - mountPath: /etc/config/settings + name: settings-vol-config + readOnly: true +{{- if $isArcExtension }} + {{- if .Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + name: custom-mount-path + {{- end }} +{{- end }} + - mountPath: /etc/config/settings/adx + name: ama-logs-adx-secret + readOnly: true + - mountPath: /etc/config/osm-settings + name: osm-settings-vol-config + readOnly: true +{{- if not $isArcExtension }} + {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} + # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host + # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below + - mountPath: /anchors/mariner + name: anchors-mariner + readOnly: true + - mountPath: /anchors/ubuntu + name: anchors-ubuntu + readOnly: true + {{- end }} + {{- if .Values.OmsAgent.trustedCA }} + - mountPath: /etc/ssl/certs/proxy-cert.crt + subPath: PROXYCERT.crt + name: ama-logs-secret + readOnly: true + {{- end }} +{{- end }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/livenessprobe.sh + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 15 +{{/* Affinity and Tolerations */}} +{{- if $isArcExtension }} + {{- with .Values.amalogs.deployment.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.amalogs.scheduleOnTaintedNodes }} + {{- with .Values.amalogs.tolerationsUnrestricted }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + {{- with .Values.amalogs.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- end }} +{{- else }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system + - weight: 1 + preference: + matchExpressions: + - key: storageprofile + operator: NotIn + values: + - managed + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet +{{- end }} +{{/* Volumes */}} + volumes: +{{- if $isArcExtension }} + {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + - name: kube-api-access + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} +{{- end }} + - name: container-hostname + hostPath: + path: /etc/hostname + - name: host-log + hostPath: + path: /var/log +{{- if $isArcExtension }} + - name: containerlog-path + hostPath: + path: /var/lib/docker/containers +{{- end }} + - name: azure-json-path + hostPath: + path: /etc/kubernetes + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-rs-config + configMap: + name: ama-logs-rs-config + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true +{{- if $isArcExtension }} + {{- if .Values.amalogs.logsettings.custommountpath }} + - name: custom-mount-path + hostPath: + path: {{ .Values.amalogs.logsettings.custommountpath }} + {{- end }} +{{- end }} + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + - name: osm-settings-vol-config + configMap: + name: container-azm-ms-osmconfig + 
optional: true +{{- if not $isArcExtension }} + {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + - name: anchors-ubuntu + hostPath: + path: /usr/local/share/ca-certificates/ + type: DirectoryOrCreate + - name: anchors-mariner + hostPath: + path: /etc/pki/ca-trust/source/anchors + type: DirectoryOrCreate + {{- end }} + {{- if .Values.OmsAgent.isRSVPAEnabled }} + - name: ama-logs-rs-vpa-config-volume + configMap: + name: ama-logs-rs-vpa-config + optional: true + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-hpa.yaml similarity index 77% rename from charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-hpa.yaml index a30bdd7f9..0d3249b05 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-hpa-aks.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-hpa.yaml @@ -1,3 +1,12 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* AKS-only resource */}} +{{- if not $isArcExtension }} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} {{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} --- apiVersion: autoscaling/v2 @@ -48,3 +57,4 @@ spec: periodSeconds: 5 selectPolicy: Max {{- end }} +{{- end }} 
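Review bot: The `ama-logs` container sets `privileged: true` next to `capabilities: drop: [ALL], add: [DAC_OVERRIDE]`; on the common container runtimes a privileged container keeps the full capability set, so the drop list most likely has no effect and makes the pod look tighter than it is. If DAC_OVERRIDE is all the agent needs, replace the flag with `privileged: false` and `allowPrivilegeEscalation: false`. If privileged mode really is required, remove the capabilities block or add `# privileged is required for <reason>; the capabilities list below is not enforced while it is set`. The Arc `msi-adapter` container has the same combination (`privileged: true` with NET_ADMIN and NET_RAW added), while the AKS `addon-token-adapter` in this file runs with only those two capabilities and no privileged flag. The `azure-json-path` mount at `/etc/kubernetes/host` also lacks `readOnly: true`, unlike the secret and config mounts around it.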
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc.yaml similarity index 74% rename from charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc.yaml index abc8c3896..eb151dee3 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc-arc.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-openshift-scc.yaml @@ -1,3 +1,7 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* Arc-only resource */}} +{{- if $isArcExtension }} {{- if eq .Values.Azure.Cluster.Distribution "openshift" }} apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints @@ -25,3 +29,4 @@ volumes: users: - system:serviceaccount:kube-system:ama-logs {{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass.yaml similarity index 87% rename from charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass.yaml index cfc93372d..1713a84e2 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass-arc.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-priorityclass.yaml 
@@ -1,3 +1,7 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* Arc-only resource */}} +{{- if $isArcExtension }} {{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} # This pod priority class is used for daemonsets to allow them to have priority # over pods that can be scheduled elsewhere. Without a priority class, it is @@ -20,3 +24,4 @@ value: {{ .Values.amalogs.priority }} globalDefault: false description: "This is the daemonset priority class for ama-logs" {{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-service.yaml similarity index 54% rename from charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-service.yaml index 8dbb6b7b3..4a1cf3a5a 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-service-aks.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-service.yaml @@ -1,3 +1,12 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* AKS-only resource */}} +{{- if not $isArcExtension }} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} +{{- end -}} {{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} --- apiVersion: v1 @@ -19,4 +28,5 @@ spec: name: fluentbit-fwd selector: rsName: "ama-logs-multitenancy" -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} From deddf9d7ea9515dae42c4c7acd2b087b1d4fe403 Mon Sep 17 00:00:00 2001 
From: longwan Date: Wed, 4 Mar 2026 21:41:22 +0000 Subject: [PATCH 33/47] update chart with common secret rbac rs configmap --- .../templates/ama-logs-arc-k8s-crd-arc.yaml | 38 --- .../templates/ama-logs-arc-k8s-crd.yaml | 2 +- .../templates/ama-logs-clusterrole-aks.yaml | 40 --- .../ama-logs-clusterrolebinding-aks.yaml | 22 -- ...-logs-rbac-arc.yaml => ama-logs-rbac.yaml} | 61 ++++- .../templates/ama-logs-rs-configmap-arc.yaml | 247 ------------------ ...ap-aks.yaml => ama-logs-rs-configmap.yaml} | 32 +++ .../templates/ama-logs-secret-aks.yaml | 37 --- .../templates/ama-logs-secret-arc.yaml | 26 -- .../templates/ama-logs-secret.yaml | 64 +++++ .../ama-logs-serviceaccount-aks.yaml | 11 - 11 files changed, 156 insertions(+), 424 deletions(-) delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml rename charts/azuremonitor-containerinsights/templates/{ama-logs-rbac-arc.yaml => ama-logs-rbac.yaml} (53%) delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml rename charts/azuremonitor-containerinsights/templates/{ama-logs-rs-configmap-aks.yaml => ama-logs-rs-configmap.yaml} (85%) delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml create mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-secret.yaml delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml deleted file mode 100644 index d4326ef6b..000000000 
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd-arc.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- if or ( contains "microsoft.kubernetes/connectedclusters" (.Values.Azure.Cluster.ResourceId | lower)) ( contains "microsoft.hybridcontainerservice/provisionedclusters" (.Values.Azure.Cluster.ResourceId | lower)) }} -#extension model -{{- if not (empty .Values.Azure.Extension.Name) }} -apiVersion: clusterconfig.azure.com/v1beta1 -kind: AzureExtensionIdentity -metadata: - name: {{ .Values.Azure.Extension.Name }} - namespace: azure-arc -spec: - serviceAccounts: - - name: ama-logs - namespace: kube-system - tokenNamespace: azure-arc ---- -{{- end }} -apiVersion: clusterconfig.azure.com/v1beta1 -kind: AzureClusterIdentityRequest -metadata: - name: container-insights-clusteridentityrequest - namespace: azure-arc -spec: - {{- if eq (.Values.Azure.Cluster.Cloud | lower) "azurepubliccloud" }} - audience: https://monitor.azure.com/ - {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurechinacloud" }} - audience: https://monitor.azure.cn/ - {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azurebleucloud" }} - audience: https://monitor.sovcloud-api.fr/ - {{- else if eq (.Values.Azure.Cluster.Cloud | lower) "azureusgovernmentcloud" }} - audience: https://monitor.azure.us/ - {{- else if and .Values.amalogs.isArcACluster (ne .Values.amalogs.tokenAudience "") }} - audience: {{ .Values.amalogs.tokenAudience | quote }} - {{- else }} - audience: https://monitor.azure.com/ - {{- end }} - {{- if not (empty .Values.Azure.Extension.Name) }} - resourceId: {{ .Values.Azure.Extension.Name }} - {{- end }} -{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml index 5fe5809fd..3fa04ffd6 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml 
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-arc-k8s-crd.yaml @@ -40,4 +40,4 @@ spec: resourceId: {{ .Values.Azure.Extension.Name }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml deleted file mode 100644 index 26d8531d9..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrole-aks.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} -{{- $isusingaadauth := false -}} -{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} - {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} -{{- end -}} ---- -kind: ClusterRole -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -{{- end }} -metadata: - name: ama-logs-reader - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -rules: -- apiGroups: [""] - resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["apps", "extensions", "autoscaling"] - resources: ["replicasets", "deployments", "horizontalpodautoscalers"] - verbs: ["list"] -{{- if .Values.OmsAgent.isRSVPAEnabled }} -- apiGroups: ["apps"] - resources: ["deployments"] - resourceNames: [ "ama-logs-rs" ] - verbs: ["get", "patch"] -{{- end }} -{{- if $isusingaadauth }} -- apiGroups: [""] - resources: ["secrets"] - resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}] - verbs: ["get", "watch"] -{{- end }} -- nonResourceURLs: ["/metrics"] - verbs: ["get"] 
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml deleted file mode 100644 index 33c53a4ed..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-clusterrolebinding-aks.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -kind: ClusterRoleBinding -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -{{- end }} -metadata: - name: amalogsclusterrolebinding - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -subjects: - - kind: ServiceAccount - name: ama-logs - namespace: kube-system -roleRef: - kind: ClusterRole - name: ama-logs-reader - apiGroup: rbac.authorization.k8s.io diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-rbac.yaml similarity index 53% rename from charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-rbac.yaml index ae1de444c..3748e4b08 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-rbac-arc.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-rbac.yaml 
@@ -1,38 +1,83 @@ -{{- if .Values.amalogs.rbac }} +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* Determine isusingaadauth value */}} +{{- $isusingaadauth := false -}} +{{- if not $isArcExtension -}} + {{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} + {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} + {{- end -}} +{{- end -}} +{{/* Arc has rbac condition, AKS always renders */}} +{{- if or (not $isArcExtension) (and $isArcExtension .Values.amalogs.rbac) }} +--- apiVersion: v1 kind: ServiceAccount metadata: name: ama-logs namespace: kube-system labels: +{{- if $isArcExtension }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} +{{- else }} +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{- end }} --- kind: ClusterRole +{{- if $isArcExtension }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- end }} metadata: name: ama-logs-reader labels: +{{- if $isArcExtension }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} +{{- else }} +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{- end }} rules: - apiGroups: [""] - resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy","namespaces", "services", "persistentvolumes"] + resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"] verbs: ["list", "get", "watch"] - apiGroups: ["apps", 
"extensions", "autoscaling"] resources: ["replicasets", "deployments", "horizontalpodautoscalers"] verbs: ["list"] +{{- if $isArcExtension }} - apiGroups: ["clusterconfig.azure.com"] resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"] verbs: ["get", "create", "patch", "list", "update", "delete"] +{{- else }} +{{- if .Values.OmsAgent.isRSVPAEnabled }} +- apiGroups: ["apps"] + resources: ["deployments"] + resourceNames: [ "ama-logs-rs" ] + verbs: ["get", "patch"] +{{- end }} +{{- if $isusingaadauth }} +- apiGroups: [""] + resources: ["secrets"] + resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}] + verbs: ["get", "watch"] +{{- end }} +{{- end }} - nonResourceURLs: ["/metrics"] verbs: ["get"] +{{- if $isArcExtension }} #arc k8s extension model grants access as part of the extension msi #remove this explicit permission once the extension available in public preview {{- if (empty .Values.Azure.Extension.Name) }} @@ -41,19 +86,31 @@ rules: resourceNames: ["container-insights-clusteridentityrequest-token"] verbs: ["get"] {{- end }} +{{- end }} --- kind: ClusterRoleBinding +{{- if $isArcExtension }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- end }} metadata: name: amalogsclusterrolebinding labels: +{{- if $isArcExtension }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} +{{- else }} +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{- end }} subjects: - kind: ServiceAccount name: ama-logs 
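Review bot: The `{{- if $isusingaadauth }}` guard around the `secrets` rule tests a value copied unchanged from `.Values.OmsAgent.isUsingAADAuth`, which this chart's values.yaml (later in the series) sets as the string `"true"`; a Go template treats any non-empty string as true, so `"false"` would still grant `get`/`watch` on the token secret. Normalise the value where it is read, for example `{{- $isusingaadauth = eq (toString .Values.OmsAgent.isUsingAADAuth) "true" -}}`. Separately, the rewritten `resources` line keeps `nodes/proxy`, which allows proxied access to the kubelet API and is broader than the `nodes/stats` and `nodes/metrics` subresources next to it. If the agent does not need it, drop it; otherwise a comment saying why it is required would help the next reviewer. The ClusterRole continues into the following hunk.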
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml deleted file mode 100644 index b48cdd7b8..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-arc.yaml +++ /dev/null 
@@ -1,247 +0,0 @@ -{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} -kind: ConfigMap -apiVersion: v1 -data: - kube.conf: | - # Fluentd config file for OMS Docker - cluster components (kubeAPI) - - #Kubernetes pod inventory - - type kubepodinventory - tag oms.containerinsights.KubePodInventory - run_interval 60 - log_level debug - - - #Kubernetes Persistent Volume inventory - - type kubepvinventory - tag oms.containerinsights.KubePVInventory - run_interval 60 - log_level debug - - - #Kubernetes events - - type kubeevents - tag oms.containerinsights.KubeEvents - run_interval 60 - log_level debug - - - #Kubernetes Nodes - - type kubenodeinventory - tag oms.containerinsights.KubeNodeInventory - run_interval 60 - log_level debug - - - #cadvisor perf- Windows nodes - - type wincadvisorperf - tag oms.api.wincadvisorperf - run_interval 60 - log_level debug - - - #Kubernetes object state - deployments - - type kubestatedeployments - tag oms.containerinsights.KubeStateDeployments - run_interval 60 - log_level debug - - - #Kubernetes object state - HPA - - type kubestatehpa - tag oms.containerinsights.KubeStateHpa - run_interval 60 - log_level debug - - - type filter_inventory2mdm - log_level info - - - # custom_metrics_mdm filter plugin for perf data from windows nodes - - type filter_cadvisor2mdm - metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes - log_level info - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer - 
buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 3 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer - buffer_queue_limit 20 - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 30s - max_retry_wait 9m - retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - 
buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - -metadata: - name: ama-logs-rs-config - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap.yaml similarity index 85% rename from charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml rename to charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap.yaml index 7c82ff5f3..07cdc4a78 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap-aks.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-rs-configmap.yaml 
@@ -1,9 +1,14 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* Arc has credential validation, AKS always renders */}} +{{- if or (not $isArcExtension) (and $isArcExtension (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "")))) }} --- kind: ConfigMap apiVersion: v1 data: kube.conf: |- # Fluentd config file for OMS Docker - cluster components (kubeAPI) +{{- if not $isArcExtension }} #fluent forward plugin type forward @@ -11,6 +16,7 @@ data: bind 0.0.0.0 chunk_size_limit 4m +{{- end }} #Kubernetes pod inventory @@ -44,6 +50,7 @@ data: log_level debug +{{- if not $isArcExtension }} #Kubernetes health type kubehealth @@ -51,6 +58,7 @@ data: run_interval 60 log_level debug +{{- end }} #cadvisor perf- Windows nodes @@ -84,14 +92,20 @@ data: #custom_metrics_mdm filter plugin for perf data from windows nodes type filter_cadvisor2mdm +{{- if $isArcExtension }} + metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes +{{- else }} metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes,pvUsedBytes +{{- end }} log_level info +{{- if not $isArcExtension }} #health model aggregation filter type filter_health_model_builder +{{- end }} type out_oms @@ -168,7 +182,11 @@ data: max_retry_wait 5m +{{- if $isArcExtension }} + +{{- else }} +{{- end }} type out_oms log_level debug num_threads 3 @@ -208,8 +226,13 @@ data: buffer_queue_full_action drop_oldest_chunk flush_interval 20s retry_limit 10 +{{- if $isArcExtension }} + retry_wait 30s + max_retry_wait 9m +{{- else }} retry_wait 5s max_retry_wait 5m +{{- end }} retry_mdm_post_wait_minutes 30 @@ -244,6 +267,7 @@ data: retry_mdm_post_wait_minutes 30 +{{- if not $isArcExtension }} type out_oms log_level debug 
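Review bot: The render guard added at the top of ama-logs-rs-configmap.yaml repeats `$isArcExtension` inside the `and`, although `or (not $isArcExtension) …` already covers that case. The same long credential test is pasted again in ama-logs-secret.yaml later in this patch. If the two copies drift, the ConfigMap or the Secret can render without the other. Consider exposing a single boolean from the `arc-extension-settings` helper and testing that in both templates; the key name is for the chart authors to choose. The ConfigMap body continues outside this hunk.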
@@ -258,6 +282,7 @@ data: retry_wait 5s max_retry_wait 5m +{{- end }} type out_oms log_level debug @@ -276,7 +301,14 @@ metadata: name: ama-logs-rs-config namespace: kube-system labels: +{{- if $isArcExtension }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- else }} {{- if .Values.legacyAddonDelivery }} kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile {{- end }} +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml deleted file mode 100644 index 121ef2551..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-aks.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: ama-logs-secret - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -type: Opaque -data: - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - KEY: {{ .Values.OmsAgent.workspaceKey | b64enc | quote }} -{{- if .Values.OmsAgent.isMoonCake }} - DOMAIN: {{ b64enc "opinsights.azure.cn" }} -{{- end }} -{{- if .Values.OmsAgent.isFairfax }} - DOMAIN: {{ b64enc "opinsights.azure.us" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }} - DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }} - DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }} - DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }} -{{- end }} -{{- if .Values.OmsAgent.httpsProxy }} - PROXY: {{ .Values.OmsAgent.httpsProxy | b64enc | quote }} -{{- else if .Values.OmsAgent.httpProxy }} - PROXY: {{ .Values.OmsAgent.httpProxy | b64enc | quote }} -{{- end}} -{{- if .Values.OmsAgent.trustedCA }} - PROXYCERT.crt: {{ .Values.OmsAgent.trustedCA | quote }} -{{- end}} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml deleted file mode 100644 index 0d9219d77..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-secret-arc.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} -apiVersion: v1 -kind: Secret -metadata: - name: ama-logs-secret - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: - WSID: {{ required "A valid workspace id is required!" .Values.amalogs.secret.wsid | b64enc | quote }} - KEY: {{ required "A valid workspace key is required!" .Values.amalogs.secret.key | b64enc | quote }} - DOMAIN: {{ .Values.amalogs.domain | b64enc | quote }} - {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpsProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }} - PROXY: {{ .Values.Azure.proxySettings.httpsProxy | b64enc | quote }} - {{- else if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }} - PROXY: {{ .Values.Azure.proxySettings.httpProxy | b64enc | quote }} - {{- else if ne .Values.amalogs.proxy "" }} - PROXY: {{ .Values.amalogs.proxy | b64enc | quote }} - {{- end }} - {{- if and (or .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.isCustomCert) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} - PROXYCERT.crt: {{.Values.Azure.proxySettings.proxyCert | b64enc | quote}} - {{- end }} -{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-secret.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-secret.yaml new file mode 100644 index 000000000..073df3f81 --- /dev/null +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-secret.yaml 
@@ -0,0 +1,64 @@ +{{- $arcSettings := include "arc-extension-settings" . | fromYaml }} +{{- $isArcExtension := $arcSettings.isArcExtension }} +{{/* Arc has credential validation, AKS always renders */}} +{{- if or (not $isArcExtension) (and $isArcExtension (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "")))) }} +apiVersion: v1 +kind: Secret +metadata: + name: ama-logs-secret + namespace: kube-system + labels: +{{- if $isArcExtension }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- else }} +{{- if .Values.legacyAddonDelivery }} + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +{{- end }} +{{- end }} +type: Opaque +data: +{{- if $isArcExtension }} + WSID: {{ required "A valid workspace id is required!" .Values.amalogs.secret.wsid | b64enc | quote }} + KEY: {{ required "A valid workspace key is required!" 
.Values.amalogs.secret.key | b64enc | quote }} + DOMAIN: {{ .Values.amalogs.domain | b64enc | quote }} + {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpsProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }} + PROXY: {{ .Values.Azure.proxySettings.httpsProxy | b64enc | quote }} + {{- else if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpProxy) (not .Values.amalogs.ignoreExtensionProxySettings) }} + PROXY: {{ .Values.Azure.proxySettings.httpProxy | b64enc | quote }} + {{- else if ne .Values.amalogs.proxy "" }} + PROXY: {{ .Values.amalogs.proxy | b64enc | quote }} + {{- end }} + {{- if and (or .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.isCustomCert) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + PROXYCERT.crt: {{.Values.Azure.proxySettings.proxyCert | b64enc | quote}} + {{- end }} +{{- else }} + WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + KEY: {{ .Values.OmsAgent.workspaceKey | b64enc | quote }} +{{- if .Values.OmsAgent.isMoonCake }} + DOMAIN: {{ b64enc "opinsights.azure.cn" }} +{{- end }} +{{- if .Values.OmsAgent.isFairfax }} + DOMAIN: {{ b64enc "opinsights.azure.us" }} +{{- end }} +{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }} + DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }} +{{- end }} +{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }} + DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }} +{{- end }} +{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }} + DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }} +{{- end }} +{{- if .Values.OmsAgent.httpsProxy }} + PROXY: {{ .Values.OmsAgent.httpsProxy | b64enc | quote }} +{{- else if .Values.OmsAgent.httpProxy }} + PROXY: {{ .Values.OmsAgent.httpProxy | b64enc | quote }} +{{- end}} +{{- if .Values.OmsAgent.trustedCA }} + PROXYCERT.crt: {{ 
.Values.OmsAgent.trustedCA | quote }} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml deleted file mode 100644 index 61bcc7224..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-serviceaccount-aks.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ama-logs - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} From 43986996fd15ef0b9474b3bcaf7ada2687ac731c Mon Sep 17 00:00:00 2001 From: longwan Date: Wed, 4 Mar 2026 21:43:11 +0000 Subject: [PATCH 34/47] bump image version from to 35 --- charts/azuremonitor-containerinsights-aks/values.yaml | 4 ++-- charts/azuremonitor-containerinsights/values.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/azuremonitor-containerinsights-aks/values.yaml b/charts/azuremonitor-containerinsights-aks/values.yaml index 8b8369a5a..d8acf8f6a 100644 --- a/charts/azuremonitor-containerinsights-aks/values.yaml +++ b/charts/azuremonitor-containerinsights-aks/values.yaml @@ -34,8 +34,8 @@ OmsAgent: workspaceKey: "" # Image configuration - imageTagLinux: "3.1.34" - imageTagWindows: "win-3.1.34" + imageTagLinux: "3.1.35" + imageTagWindows: "win-3.1.35" isImagePullPolicyAlways: false # Resource ID and cluster information diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml index de606aca0..69d76b81c 100644 --- a/charts/azuremonitor-containerinsights/values.yaml +++ b/charts/azuremonitor-containerinsights/values.yaml 
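Review bot: In the AKS branch, `PROXYCERT.crt: {{ .Values.OmsAgent.trustedCA | quote }}` is written under `data:` without `b64enc`, while the Arc branch encodes `proxyCert` with `b64enc`; values under `data:` must be base64, so this is only correct if `trustedCA` arrives already encoded. That is presumably the case, since the line is carried over from the deleted ama-logs-secret-aks.yaml, but nothing in the template says so. After confirming it against the caller, add a template comment beside it such as `{{/* trustedCA is supplied base64-encoded; do not b64enc again */}}`. The AKS branch can also emit more than one `DOMAIN` key when several of the independent cloud conditions hold at once; an `else if` chain would make the rendered Secret unambiguous.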
@@ -44,8 +44,8 @@ OmsAgent: workspaceKey: "" # Image configuration - imageTagLinux: "3.1.34" - imageTagWindows: "win-3.1.34" + imageTagLinux: "3.1.35" + imageTagWindows: "win-3.1.35" isImagePullPolicyAlways: false # Resource ID and cluster information @@ -185,8 +185,8 @@ OmsAgent: amalogs: image: repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod" - tag: "3.1.34" - tagWindows: "win-3.1.34" + tag: "3.1.35" + tagWindows: "win-3.1.35" pullPolicy: IfNotPresent dockerProviderVersion: "18.0.1-0" agentVersion: "azure-mdsd-1.37.0" From f0f833f2f7a241a1a44b710468ccd5d1d6e47e4d Mon Sep 17 00:00:00 2001 From: suyadav1 <87668410+suyadav1@users.noreply.github.com> Date: Wed, 4 Mar 2026 14:11:57 -0800 Subject: [PATCH 35/47] Add OpenTelemetry gRPC chart configuration --- .../templates/ama-logs-daemonset.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml index 88dc88dcf..f46d6c8c1 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml @@ -312,8 +312,12 @@ spec: value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - name: APPMONITORING_OPENTELEMETRYLOGS_PORT value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT_GRPC + value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPortGrpc | default 28332 }}" - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT value: "4319" + - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT_GRPC + value: "4320" - name: PROMETHEUS_METRICS_SCRAPING_DISABLED value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} 
@@ -454,6 +458,10 @@ spec: containerPort: 4319 hostPort: {{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} protocol: TCP + - name: otlp-logs-grpc + containerPort: 4320 + hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPortGrpc | default 28332 }} + protocol: TCP {{- end }} {{- end }} volumeMounts: From e59a6620ed33d8b1508a1519ae3207747cf0b8a5 Mon Sep 17 00:00:00 2001 From: suyadav1 <87668410+suyadav1@users.noreply.github.com> Date: Wed, 4 Mar 2026 14:14:18 -0800 Subject: [PATCH 36/47] Add gRPC port for OpenTelemetry logs --- .../templates/ama-logs-daemonset-windows.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml index 23d32c09e..b3755bd4b 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows.yaml @@ -229,6 +229,8 @@ spec: value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - name: APPMONITORING_OPENTELEMETRYLOGS_PORT value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT_GRPC + value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPortGrpc | default 28332 }}" - name: PROMETHEUS_METRICS_SCRAPING_DISABLED value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED From ef6a5b70ef5e5943eae5e45080536d751e0ac8e1 Mon Sep 17 00:00:00 2001 
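Review bot: The added `otlp-logs-grpc` entry publishes container port 4320 on `hostPort` 28332 without a `hostIP`, so the gRPC receiver listens on every address of each node, as the existing 4319/28331 entry does. Whether the receiver authenticates senders is not visible in this hunk; if it does not, anything that can route to the node can submit log records. Consider binding the port with `hostIP` to the address instrumented pods are expected to use, and state the intended exposure in a comment above the entry. The new lines here and in the env hunk above also spell the key `$.Values.AppmonitoringAgent.openTelemetryLogsPortGrpc`, while neighbouring lines and the Windows template use `.Values`; pick one form.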
From: suyadav1 <87668410+suyadav1@users.noreply.github.com> Date: Wed, 4 Mar 2026 14:19:10 -0800 Subject: [PATCH 37/47] Add openTelemetryLogsPortGrpc to values.yaml Added openTelemetryLogsPortGrpc configuration for AppmonitoringAgent and cleaned up old otel values --- charts/azuremonitor-containerinsights/values.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml index 69d76b81c..f50ca8e51 100644 --- a/charts/azuremonitor-containerinsights/values.yaml +++ b/charts/azuremonitor-containerinsights/values.yaml @@ -18,6 +18,7 @@ AppmonitoringAgent: enabled: false isOpenTelemetryLogsEnabled: false openTelemetryLogsPort: 28331 + openTelemetryLogsPortGrpc: 28332 legacyAddonDelivery: false @@ -30,11 +31,8 @@ legacyAddonDelivery: false OmsAgent: aksResourceID: enableDaemonSetSizing: false - isAppMonitoringAgentEnabled: false - isOpenTelemetryLogsEnabled: false isCustomMetricsDisabled: false isUsingAADAuth: "true" - openTelemetryLogsPort: 28331 retinaFlowLogsEnabled: false workspaceID: "" accessTokenSecretName: "ama-logs-secret" @@ -389,4 +387,4 @@ Azure: noProxy: "" proxyCert: "" isCustomCert: false - autonomousFqdn: "" \ No newline at end of file + autonomousFqdn: "" From 17cc94f15dd6927d9799bcd98d0422cad2ae758c Mon Sep 17 00:00:00 2001 
From: longwan Date: Wed, 4 Mar 2026 22:20:37 +0000 Subject: [PATCH 38/47] update chart version --- .../Chart.yaml | 2 +- .../azuremonitor-containerinsights/Chart.yaml | 2 +- .../.helmignore | 28 - .../azuremonitor-containers-merged/Chart.yaml | 38 - .../templates/_arc-extension-settings.tpl | 249 ------- .../templates/_helpers.tpl | 66 -- .../templates/ama-logs-arc-k8s-crd.yaml | 45 -- .../templates/ama-logs-configmap.yaml | 16 - .../templates/ama-logs-daemonset-windows.yaml | 328 --------- .../templates/ama-logs-daemonset.yaml | 673 ------------------ .../templates/ama-logs-multitenancy.yaml | 281 -------- .../templates/ama-logs-openshift-scc.yaml | 35 - .../templates/ama-logs-priorityclass.yaml | 14 - .../templates/ama-logs-rbac.yaml | 80 --- .../templates/ama-logs-replicaset.yaml | 495 ------------- .../templates/ama-logs-rs-configmap.yaml | 264 ------- .../templates/ama-logs-secret.yaml | 30 - .../values.yaml | 293 -------- 18 files changed, 2 insertions(+), 2937 deletions(-) delete mode 100644 charts/azuremonitor-containers-merged/.helmignore delete mode 100644 charts/azuremonitor-containers-merged/Chart.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl delete mode 100644 charts/azuremonitor-containers-merged/templates/_helpers.tpl delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml delete mode 100644 
charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml delete mode 100644 charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml delete mode 100644 charts/azuremonitor-containers-merged/values.yaml diff --git a/charts/azuremonitor-containerinsights-aks/Chart.yaml b/charts/azuremonitor-containerinsights-aks/Chart.yaml index 824b36023..cd9a39eec 100644 --- a/charts/azuremonitor-containerinsights-aks/Chart.yaml +++ b/charts/azuremonitor-containerinsights-aks/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 description: azure-monitor-containers helm chart name: azuremonitor-containers -version: 3.2.1-aks-beta-3 +version: 3.2.1-aks-main-1 diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml index 4c817c338..0af3f3d64 100644 --- a/charts/azuremonitor-containerinsights/Chart.yaml +++ b/charts/azuremonitor-containerinsights/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: azuremonitor-containerinsights description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension) -version: 3.2.1-aks-beta-5 +version: 3.2.1-merged-main-1 appVersion: 7.0.0-1 kubeVersion: "^1.10.0-0" keywords: diff --git a/charts/azuremonitor-containers-merged/.helmignore b/charts/azuremonitor-containers-merged/.helmignore deleted file mode 100644 index 32ec676a1..000000000 --- a/charts/azuremonitor-containers-merged/.helmignore +++ /dev/null 
@@ -1,28 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ -# Test files -test-values*.yaml -*-test.yaml -IMPLEMENTATION_SUMMARY.md -INTEGRATION_EXAMPLE.md \ No newline at end of file diff --git a/charts/azuremonitor-containers-merged/Chart.yaml b/charts/azuremonitor-containers-merged/Chart.yaml deleted file mode 100644 index 3d0d46622..000000000 --- a/charts/azuremonitor-containers-merged/Chart.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: v2 -name: azuremonitor-containers -description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension) -version: 3.2.1-aks-beta-5 -kubeVersion: "^1.10.0-0" -keywords: - - monitoring - - azuremonitor - - azure - - ama - - containerinsights - - metric - - event - - logs - - containerhealth - - kubernetesmonitoring - - acs-engine - - aks-engine - - azurestack - - openshift v4 - - azure redhat openshift v4 - - on-prem kubernetes monitoring - - arc-k8s - - containerlogs - - containerhealth - - containermonitoring - - hybrid kubernetes monitoring - - kubernetes - - kuberneteshealth -home: https://docs.microsoft.com/en-us/azure/monitoring/monitoring-container-health -icon: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/img/azuremonitor-containers.svg -sources: - - https://github.com/microsoft/Docker-Provider/tree/ci_prod -maintainers: - - name: vishiy - email: visnara@microsoft.com - - name: ganga1980 - email: gangams@microsoft.com \ No newline at end of file 
diff --git a/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl b/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl deleted file mode 100644 index 80fb85624..000000000 --- a/charts/azuremonitor-containers-merged/templates/_arc-extension-settings.tpl +++ /dev/null 
@@ -1,249 +0,0 @@
-{{/*
-Arc K8s Extension Settings Helper
-Following the pattern from prometheus-collector's arc-extension-settings
-This consolidates all deployment-mode-specific configuration logic
-*/}}
-{{- define "arc-extension-settings" -}}
-
-{{/* Detect deployment mode - guard Azure for AKS-only or standalone values */}}
-{{- $hasAzure := and (hasKey .Values "Azure") (hasKey .Values.Azure "Extension") -}}
-{{- $isArcExtension := and $hasAzure (or (ne .Values.Azure.Extension.Name "") (ne .Values.Azure.Extension.ResourceId "")) -}}
-{{- $hasArcClusterResourceId := and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") (ne .Values.Azure.Cluster.ResourceId "") -}}
-{{- $isAKSAddon := and (hasKey .Values "OmsAgent") (ne .Values.OmsAgent.aksResourceID "") (not $isArcExtension) -}}
-{{- $isStandalone := and (not $isArcExtension) (not $isAKSAddon) -}}
-
-{{/* Deployment mode detection */}}
-deploymentMode: {{ if $isArcExtension }}arc-extension{{ else if $isAKSAddon }}aks-addon{{ else }}standalone{{ end }}
-isArcExtension: {{ $isArcExtension }}
-isAKSAddon: {{ $isAKSAddon }}
-isStandalone: {{ $isStandalone }}
-
-{{/* Cluster information - unified from both Arc and AKS sources */}}
-{{- if $isArcExtension }}
-resourceId: {{ .Values.Azure.Cluster.ResourceId }}
-region: {{ .Values.Azure.Cluster.Region }}
-clusterName: {{ .Values.amalogs.env.clusterName }}
-{{- else if $isAKSAddon }}
-resourceId: {{ .Values.OmsAgent.aksResourceID }}
-region: {{ default .Values.OmsAgent.aksRegion .Values.global.commonGlobals.Region }}
-clusterName: {{ .Values.OmsAgent.aksClusterName | default "" }}
-{{- else }}
-resourceId: {{ .Values.amalogs.env.clusterId | default "" }}
-region: {{ .Values.amalogs.env.clusterRegion | default .Values.global.commonGlobals.Region }}
-clusterName: {{ .Values.amalogs.env.clusterName }}
-{{- end }}
-
-{{/* Cloud environment - safe when Azure absent (AKS-only values) */}}
-{{- $azureCloud := "" }}
-{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") }}{{ $azureCloud = lower .Values.Azure.Cluster.Cloud }}{{ end }}
-cloudEnvironment: {{ default $azureCloud (lower .Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud") }}
-
-{{/* Distribution - e.g., openshift, aks_edge_k3s, etc. */}}
-distribution: {{ if and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") }}{{ .Values.Azure.Cluster.Distribution | default "generic" }}{{ else }}generic{{ end }}
-
-{{/* Authentication configuration */}}
-{{- if $isArcExtension }}
-usingAADAuth: {{ .Values.amalogs.useAADAuth | default false }}
-{{- else if $isAKSAddon }}
-usingAADAuth: {{ eq .Values.OmsAgent.isUsingAADAuth "true" }}
-{{- else }}
-usingAADAuth: false
-{{- end }}
-
-{{/* Access token secret name - safe when OmsAgent absent (standalone) */}}
-accessTokenSecretName: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.accessTokenSecretName | default "ama-logs-secret" }}{{ else }}ama-logs-secret{{ end }}
-
-{{/* Arc Extension specific settings */}}
-{{- if $isArcExtension }}
-arcExtensionName: {{ .Values.Azure.Extension.Name }}
-arcExtensionResourceId: {{ .Values.Azure.Extension.ResourceId }}
-
-{{/* Proxy settings for Arc */}}
-isProxyEnabled: {{ and (.Values.Azure.proxySettings.isProxyEnabled) (not .Values.amalogs.ignoreExtensionProxySettings) }}
-httpProxy: {{ .Values.Azure.proxySettings.httpProxy }}
-httpsProxy: {{ .Values.Azure.proxySettings.httpsProxy }}
-noProxy: {{ .Values.Azure.proxySettings.noProxy }}
-proxyCert: {{ .Values.Azure.proxySettings.proxyCert }}
-isCustomCert: {{ .Values.Azure.proxySettings.isCustomCert }}
-ignoreProxySettings: {{ .Values.amalogs.ignoreExtensionProxySettings | default false }}
-{{- else }}
-{{/* AKS addon: proxy from OmsAgent. Standalone: no proxy in settings (use Arc path if needed). */}}
-{{- $hasProxy := and (hasKey .Values "OmsAgent") (or .Values.OmsAgent.httpProxy .Values.OmsAgent.httpsProxy) }}
-isProxyEnabled: {{ $hasProxy }}
-httpProxy: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.httpProxy | default "" }}{{ else }}{{ "" }}{{ end }}
-httpsProxy: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.httpsProxy | default "" }}{{ else }}{{ "" }}{{ end }}
-noProxy: ""
-proxyCert: {{ if hasKey .Values "OmsAgent" }}{{ .Values.OmsAgent.trustedCA | default "" }}{{ else }}{{ "" }}{{ end }}
-isCustomCert: false
-ignoreProxySettings: false
-{{- end }}
-
-{{/* Workspace credentials */}}
-{{- if $isArcExtension }}
-workspaceID: {{ .Values.amalogs.secret.wsid }}
-workspaceKey: {{ .Values.amalogs.secret.key }}
-{{- else if $isAKSAddon }}
-workspaceID: {{ .Values.OmsAgent.workspaceID }}
-workspaceKey: {{ .Values.OmsAgent.workspaceKey }}
-{{- else }}
-workspaceID: {{ .Values.amalogs.secret.wsid }}
-workspaceKey: {{ .Values.amalogs.secret.key }}
-{{- end }}
-
-{{/* Domain configuration based on cloud environment - safe when Azure/OmsAgent absent. Output string only (no boolean). */}}
-{{- $cloudEnv := default $azureCloud (lower .Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud") | upper -}}
-{{- $isFairfax := and (hasKey .Values "OmsAgent") (eq .Values.OmsAgent.isFairfax true) -}}
-{{- $domain := "opinsights.azure.com" -}}
-{{- if eq $cloudEnv "AZURECHINACLOUD" }}{{ $domain = "opinsights.azure.cn" }}{{ end -}}
-{{- if or (eq $cloudEnv "AZUREUSGOVERNMENT") $isFairfax }}{{ $domain = "opinsights.azure.us" }}{{ end -}}
-{{- if eq $cloudEnv "USNAT" }}{{ $domain = "opinsights.azure.eaglex.ic.gov" }}{{ end -}}
-{{- if eq $cloudEnv "USSEC" }}{{ $domain = "opinsights.azure.microsoft.scloud" }}{{ end -}}
-{{- if eq $cloudEnv "AZUREBLEUCLOUD" }}{{ $domain = "opinsights.sovcloud-api.fr" }}{{ end -}}
-domain: {{ $domain }}
-
-{{/* Feature flags - unified from both value structures */}}
-{{- if $isAKSAddon }}
-multitenancyEnabled: {{ .Values.OmsAgent.isMultitenancyLogsEnabled | default false }}
-rsvpaEnabled: {{ .Values.OmsAgent.isRSVPAEnabled | default false }}
-syslogEnabled: {{ .Values.OmsAgent.isSyslogEnabled | default false }}
-sidecarScrapingEnabled: {{ .Values.OmsAgent.isSidecarScrapingEnabled | default true }}
-prometheusScrapingDisabled: {{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled | default false }}
-retinaFlowLogsEnabled: {{ .Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}
-resourceOptimizationEnabled: {{ .Values.OmsAgent.isResourceOptimizationEnabled | default false }}
-windowsAMAEnabled: {{ .Values.OmsAgent.isWindowsAMAEnabled | default true }}
-windowsFluentBitEnabled: {{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}
-windowsBurstableQoSEnabled: {{ .Values.OmsAgent.isWindowsBurstableQoSEnabled | default true }}
-windowsAddonTokenAdapterDisabled: {{ .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled | default false }}
-customMetricsEnabled: {{ not .Values.OmsAgent.isCustomMetricsDisabled }}
-telegrafLivenessprobeEnabled: {{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}
-openTelemetryLogsEnabled: {{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}
-openTelemetryLogsPort: {{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}
-appMonitoringEnabled: {{ .Values.AppmonitoringAgent.enabled | default false }}
-legacyAddonDelivery: {{ .Values.legacyAddonDelivery | default false }}
-{{- else }}
-multitenancyEnabled: false
-rsvpaEnabled: false
-syslogEnabled: {{ .Values.amalogs.syslog.enabled | default false }}
-sidecarScrapingEnabled: {{ .Values.amalogs.sidecarscraping | default true }}
-prometheusScrapingDisabled: false
-retinaFlowLogsEnabled: false
-resourceOptimizationEnabled: false
-windowsAMAEnabled: true
-windowsFluentBitEnabled: false
-windowsBurstableQoSEnabled: true
-windowsAddonTokenAdapterDisabled: false
-customMetricsEnabled: {{ .Values.amalogs.enableCustomMetrics | default false }}
-telegrafLivenessprobeEnabled: {{ .Values.amalogs.enableTelegrafLivenessprobe | default false }}
-openTelemetryLogsEnabled: false
-openTelemetryLogsPort: 28331
-appMonitoringEnabled: false
-legacyAddonDelivery: false
-{{- end }}
-
-{{/* Scheduling configuration */}}
-{{- if $isArcExtension }}
-scheduleOnTaintedNodes: {{ .Values.amalogs.scheduleOnTaintedNodes | default false }}
-priority: {{ .Values.amalogs.priority | default 10 }}
-rbacEnabled: {{ .Values.amalogs.rbac | default true }}
-{{- else }}
-scheduleOnTaintedNodes: false
-priority: 10
-rbacEnabled: true
-{{- end }}
-
-{{/* Service account token configuration */}}
-{{- if $isArcExtension }}
-enableServiceAccountTimeBoundToken: {{ .Values.amalogs.enableServiceAccountTimeBoundToken | default true }}
-{{- else }}
-enableServiceAccountTimeBoundToken: true
-{{- end }}
-
-{{/* Dynamic sizing configuration (AKS addon only) */}}
-{{- if $isAKSAddon }}
-enableDaemonSetSizing: {{ and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing }}
-{{- else }}
-enableDaemonSetSizing: false
-{{- end }}
-
-{{/* Image configuration */}}
-{{- if $isAKSAddon }}
-imageRepo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod"
-imageTagLinux: {{ .Values.OmsAgent.imageTagLinux | default "3.1.34" }}
-imageTagWindows: {{ .Values.OmsAgent.imageTagWindows | default "win-3.1.34" }}
-imagePullPolicy: {{ if .Values.OmsAgent.isImagePullPolicyAlways }}Always{{ else }}IfNotPresent{{ end }}
-{{- else }}
-imageRepo: {{ .Values.amalogs.image.repo | default "mcr.microsoft.com/azuremonitor/containerinsights/ciprod" }}
-imageTagLinux: {{ .Values.amalogs.image.tag | default "3.1.34" }}
-imageTagWindows: {{ .Values.amalogs.image.tagWindows | default "win-3.1.34" }}
-imagePullPolicy: {{ .Values.amalogs.image.pullPolicy | default "IfNotPresent" }}
-{{- end }}
-
-{{/* Certificate mounting for sovereign clouds */}}
-{{- $shouldMountCerts := or (eq $cloudEnv "USNAT") (eq $cloudEnv "USSEC") (eq $cloudEnv "AZUREBLEUCLOUD") -}}
-mountMarinerCerts: {{ $shouldMountCerts }}
-mountUbuntuCerts: {{ $shouldMountCerts }}
-{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Cluster") (or (eq .Values.Azure.Cluster.Distribution "aks_edge_k3s") (eq .Values.Azure.Cluster.Distribution "aks_edge_k8s")) }}
-mountUbuntuCerts: false
-{{- end }}
-
-{{/* Test mode - templates should use $settings.isTestMode (this is the single source) */}}
-{{- if $isArcExtension }}
-isTestMode: {{ .Values.amalogs.ISTEST | default false }}
-{{- else }}
-isTestMode: false
-{{- end }}
-
-{{/* High log scale mode */}}
-{{- if $isArcExtension }}
-enableHighLogScaleMode: {{ .Values.amalogs.enableHighLogScaleMode | default false }}
-{{- else }}
-enableHighLogScaleMode: false
-{{- end }}
-
-{{/* ArcA cluster flag */}}
-{{- if $isArcExtension }}
-isArcACluster: {{ .Values.amalogs.isArcACluster | default false }}
-{{- else }}
-isArcACluster: false
-{{- end }}
-
-{{/* Syslog port configuration */}}
-{{- if $isAKSAddon }}
-syslogPort: {{ .Values.OmsAgent.syslogHostPort | default "28330" }}
-shouldMountSyslogHostPort: {{ .Values.OmsAgent.shouldMountSyslogHostPort | default true }}
-{{- else if $isArcExtension }}
-syslogPort: {{ .Values.amalogs.syslog.syslogPort | default "28330" }}
-shouldMountSyslogHostPort: {{ .Values.amalogs.syslog.enabled | default false }}
-{{- else }}
-syslogPort: "28330"
-shouldMountSyslogHostPort: false
-{{- end }}
-
-{{/* Identity client ID */}}
-{{- if $isAKSAddon }}
-identityClientID: {{ .Values.OmsAgent.identityClientID | default "" }}
-{{- else }}
-identityClientID: ""
-{{- end }}
-
-{{/* Custom metrics endpoint */}}
-{{- if $isArcExtension }}
- {{- if ne .Values.amalogs.metricsEndpoint "" }}
-customMetricsEndpoint: {{ .Values.amalogs.metricsEndpoint }}
- {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }}
-customMetricsEndpoint: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}"
- {{- else }}
-customMetricsEndpoint: ""
- {{- end }}
-{{- else }}
-customMetricsEndpoint: ""
-{{- end }}
-
-{{/* Token audience for custom endpoints */}}
-{{- if and $isArcExtension (ne .Values.amalogs.tokenAudience "") }}
-tokenAudience: {{ .Values.amalogs.tokenAudience }}
-{{- else }}
-tokenAudience: ""
-{{- end }}
-
-{{- end -}}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/_helpers.tpl b/charts/azuremonitor-containers-merged/templates/_helpers.tpl
deleted file mode 100644
index 7dd294391..000000000
--- a/charts/azuremonitor-containers-merged/templates/_helpers.tpl
+++ /dev/null
@@ -1,66 +0,0 @@
-{{/*
-Consolidated helper functions for azuremonitor-containers unified chart
-*/}}
-
-{{/*
-=============================================================================
-Image Tags Section
-=============================================================================
-*/}}
-
-{{/* Get addon image tag - used for ama-logs and addon-resizer */}}
-{{- define "get.addonImageTag" -}}
- {{- if eq .component "addon-resizer" -}}
-v1.8.23-4
- {{- else if eq .component "ama-logs-linux" -}}
-3.1.34
- {{- else if eq .component "ama-logs-win" -}}
-win-3.1.34
- {{- end -}}
-{{- end -}}
-
-{{/* Get image tag - used for addon-token-adapter */}}
-{{- define "get.imagetag" -}}
-{{- if eq .component "addon-token-adapter-linux" -}}
-master.250902.1
-{{- else if eq .component "addon-token-adapter-windows" -}}
-master.250902.1
-{{- end -}}
-{{- end -}}
-
-{{/*
-=============================================================================
-MCR Repository Section
-=============================================================================
-*/}}
-
-{{/* MCR repository base - returns cloud-specific MCR URL */}}
-{{- define "mcr_repository_base" }}
-{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }}
-{{- if (eq $cloud_environment "AZURECHINACLOUD") }}
-{{- "mcr.azk8s.cn" }}
-{{- else if (eq $cloud_environment "USNat") }}
-{{- "mcr.microsoft.eaglex.ic.gov" }}
-{{- else if (eq $cloud_environment "USSec") }}
-{{- "mcr.microsoft.scloud" }}
-{{- else }}
-{{- "mcr.microsoft.com" }}
-{{- end }}
-{{- end }}
-
-{{/* MCR repository template for addon charts */}}
-{{- define "addon_mcr_repository_base" }}
-{{- template "mcr_repository_base" . }}
-{{- end }}
-
-{{/*
-=============================================================================
-Host CA Certificate Mounting Section
-=============================================================================
-*/}}
-
-{{/* Check if host CA certs should be mounted for specific cloud environments */}}
-{{- define "should_mount_hostca" -}}
- {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }}
- {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}}
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml
deleted file mode 100644
index be73e7f34..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-arc-k8s-crd.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- if $settings.isArcExtension }}
-{{- if or (contains "microsoft.kubernetes/connectedclusters" ($settings.resourceId | lower)) (contains "microsoft.hybridcontainerservice/provisionedclusters" ($settings.resourceId | lower)) }}
-#
-# Arc K8s Extension Identity Resources
-# These CRDs are required for Arc K8s extension authentication
-#
-{{- if not (empty $settings.arcExtensionName) }}
-apiVersion: clusterconfig.azure.com/v1beta1
-kind: AzureExtensionIdentity
-metadata:
- name: {{ $settings.arcExtensionName }}
- namespace: azure-arc
-spec:
- serviceAccounts:
- - name: ama-logs
- namespace: kube-system
- tokenNamespace: azure-arc
----
-{{- end }}
-apiVersion: clusterconfig.azure.com/v1beta1
-kind: AzureClusterIdentityRequest
-metadata:
- name: container-insights-clusteridentityrequest
- namespace: azure-arc
-spec:
- {{- $cloudEnv := $settings.cloudEnvironment | upper }}
- {{- if eq $cloudEnv "AZUREPUBLICCLOUD" }}
- audience: https://monitor.azure.com/
- {{- else if eq $cloudEnv "AZURECHINACLOUD" }}
- audience: https://monitor.azure.cn/
- {{- else if eq $cloudEnv "AZUREBLEUCLOUD" }}
- audience: https://monitor.sovcloud-api.fr/
- {{- else if eq $cloudEnv "AZUREUSGOVERNMENTCLOUD" }}
- audience: https://monitor.azure.us/
- {{- else if and $settings.isArcACluster (ne $settings.tokenAudience "") }}
- audience: {{ $settings.tokenAudience | quote }}
- {{- else }}
- audience: https://monitor.azure.com/
- {{- end }}
- {{- if not (empty $settings.arcExtensionName) }}
- resourceId: {{ $settings.arcExtensionName }}
- {{- end }}
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml
deleted file mode 100644
index b59a50f0a..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-configmap.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-#
-# ConfigMap for cluster resource ID
-#
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: container-azm-ms-aks-k8scluster
- namespace: kube-system
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-data:
- CLUSTER_RESOURCE_ID: {{ $settings.resourceId | quote }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml
deleted file mode 100644
index 75c9453f4..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset-windows.yaml
+++ /dev/null
@@ -1,328 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- $renderWindows := false }}
-{{- if $settings.isAKSAddon }}
-{{- if $settings.windowsAMAEnabled }}
-{{- $renderWindows = true }}
-{{- end }}
-{{- else if and $settings.isArcExtension (not $settings.usingAADAuth) (ne $settings.workspaceID "") (ne $settings.workspaceID "") }}
-{{- $renderWindows = true }}
-{{- end }}
-{{- if $renderWindows }}
-#
-# Windows DaemonSet for ama-logs
-# AKS: when windowsAMAEnabled; Arc: when not using AAD auth and workspace configured
-#
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: ama-logs-windows
- namespace: kube-system
- labels:
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- component: ama-logs-agent-windows
- tier: node-win
-{{- if $settings.isAKSAddon }}
- kubernetes.azure.com/managedby: aks
-{{- end }}
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-spec:
- updateStrategy:
- type: RollingUpdate
-{{- if $settings.isAKSAddon }}
- rollingUpdate:
- maxUnavailable: 50%
-{{- end }}
- selector:
- matchLabels:
-{{- if $settings.isArcExtension }}
- dsName: "ama-logs-ds"
-{{- else }}
- component: ama-logs-agent-windows
- tier: node-win
-{{- end }}
- template:
- metadata:
- labels:
-{{- if $settings.isArcExtension }}
- dsName: "ama-logs-ds"
-{{- else }}
- component: ama-logs-agent-windows
- tier: node-win
- kubernetes.azure.com/managedby: aks
-{{- end }}
- annotations:
- agentVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.winAgentVersion }}{{ else }}46.17.2{{ end }}
- dockerProviderVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.dockerProviderVersion }}{{ else }}18.0.1-0{{ end }}
- schema-versions: "v1"
- WSID: {{ $settings.workspaceID | b64enc | quote }}
- kubernetes.azure.com/no-http-proxy-vars: "true"
-{{- if $settings.isArcExtension }}
- checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }}
- checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }}
-{{- end }}
- spec:
-{{- if $settings.isAKSAddon }}
- priorityClassName: system-node-critical
-{{- else }}
- priorityClassName: ama-logs
-{{- end }}
- dnsConfig:
- options:
- - name: ndots
- value: "3"
- nodeSelector:
- kubernetes.io/os: windows
-{{- if $settings.rbacEnabled }}
- serviceAccountName: ama-logs
-{{- end }}
- containers:
-{{- if and $settings.isAKSAddon $settings.usingAADAuth (not $settings.windowsAddonTokenAdapterDisabled) }}
- - name: addon-token-adapter-win
- command:
- - addon-token-adapter-win
- args:
- - --secret-namespace=kube-system
- - --secret-name={{ $settings.accessTokenSecretName }}
- - --token-server-listening-port=8888
- - --health-server-listening-port=9999
- - --restart-pod-waiting-minutes-on-broken-connection=240
- image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}"
- imagePullPolicy: IfNotPresent
- env:
- - name: AZMON_COLLECT_ENV
- value: "false"
- livenessProbe:
- httpGet:
- path: /healthz
- port: 9999
- initialDelaySeconds: 10
- periodSeconds: 60
- resources:
- limits:
- cpu: 400m
- memory: 400Mi
- requests:
- cpu: 100m
- memory: 100Mi
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_ADMIN
- - NET_RAW
-{{- end }}
- - name: ama-logs-windows
- image: "{{ $settings.imageRepo }}:{{ $settings.imageTagWindows }}"
- imagePullPolicy: {{ $settings.imagePullPolicy }}
- resources:
-{{- if $settings.isArcExtension }}
-{{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 12 }}
-{{- else }}
-{{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }}
- requests:
- cpu: {{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}
- memory: {{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}
- limits:
- cpu: {{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}
- memory: {{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}
-{{- else }}
- limits:
- cpu: {{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}
- memory: {{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}
-{{- end }}
-{{- end }}
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - DAC_OVERRIDE
- env:
- - name: FBIT_SERVICE_FLUSH_INTERVAL
- value: "15"
- - name: FBIT_TAIL_BUFFER_CHUNK_SIZE
- value: "1"
- - name: FBIT_TAIL_BUFFER_MAX_SIZE
- value: "1"
- - name: AKS_RESOURCE_ID
- value: {{ $settings.resourceId | quote }}
- - name: AKS_REGION
- value: {{ $settings.region | quote }}
- - name: CONTROLLER_TYPE
- value: "DaemonSet"
- - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
- value: {{ $settings.identityClientID | quote }}
- - name: HOSTNAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: NODE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: PODNAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
- valueFrom:
- resourceFieldRef:
- containerName: ama-logs-windows
- resource: limits.memory
- - name: SIDECAR_SCRAPING_ENABLED
- value: {{ $settings.sidecarScrapingEnabled | quote }}
- - name: ENABLE_CUSTOM_METRICS
- value: {{ $settings.customMetricsEnabled | quote }}
- - name: CLUSTER_CLOUD_ENVIRONMENT
- value: {{ $settings.cloudEnvironment | quote }}
-{{- if $settings.isAKSAddon }}
- - name: USING_AAD_MSI_AUTH
- value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }}
- - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED
- value: "{{ $settings.appMonitoringEnabled }}"
- - name: PROMETHEUS_METRICS_SCRAPING_DISABLED
- value: "{{ $settings.prometheusScrapingDisabled }}"
- - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
- value: "{{ $settings.telegrafLivenessprobeEnabled }}"
- - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED
- value: "{{ $settings.windowsFluentBitEnabled }}"
-{{- if or (eq $settings.cloudEnvironment "usnat") (eq $settings.cloudEnvironment "ussec") (eq $settings.cloudEnvironment "azurebleucloud") }}
- - name: REQUIRES_CERT_BOOTSTRAP
- value: "true"
-{{- end }}
-{{- else }}
- - name: USING_AAD_MSI_AUTH
- value: {{ $settings.usingAADAuth | quote }}
-{{- if $settings.isTestMode }}
- - name: AZMON_KUBERNETES_METADATA_ENABLED
- value: "true"
-{{- end }}
-{{- end }}
- volumeMounts:
- - mountPath: C:\ProgramData\docker\containers
- name: docker-windows-containers
- readOnly: true
- - mountPath: C:\var
- name: docker-windows-kuberenetes-container-logs
- - mountPath: C:\etc\config\settings
- name: settings-vol-config
- readOnly: true
- - mountPath: C:\etc\ama-logs-secret
- name: ama-logs-secret
- readOnly: true
-{{- if $settings.isAKSAddon }}
- - mountPath: C:\etc\omsagent-secret
- name: ama-logs-secret
- readOnly: true
- - mountPath: C:\etc\config\adx
- name: ama-logs-adx-secret
- readOnly: true
- - mountPath: C:\etc\kubernetes\host
- name: azure-json-path
- readOnly: true
-{{- if and $settings.usingAADAuth (eq (include "should_mount_hostca" .) "true") }}
- - mountPath: C:\ca
- name: ca-certs
- readOnly: true
-{{- end }}
-{{- if $settings.usingAADAuth }}
- - mountPath: C:\etc\IMDS-access-token
- name: imds-token
- readOnly: true
-{{- end }}
-{{- end }}
- livenessProbe:
- exec:
- command:
- - cmd
- - /c
- - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe
- - fluent-bit.exe
- - fluentdwinaks
- - "C:\\etc\\amalogswindows\\filesystemwatcher.txt"
- - "C:\\etc\\amalogswindows\\renewcertificate.txt"
-{{- if and $settings.isAKSAddon $settings.usingAADAuth }}
- - "MonAgentCore.exe"
-{{- end }}
- periodSeconds: 60
- initialDelaySeconds: 180
- timeoutSeconds: 15
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/os
- operator: In
- values:
- - windows
- - key: type
- operator: NotIn
- values:
- - virtual-kubelet
-{{- if $settings.isAKSAddon }}
- - key: kubernetes.azure.com/cluster
- operator: Exists
-{{- end }}
- tolerations:
-{{- if $settings.isAKSAddon }}
- - key: "CriticalAddonsOnly"
- operator: "Exists"
- - operator: "Exists"
- effect: NoExecute
- - operator: "Exists"
- effect: NoSchedule
- - operator: "Exists"
- effect: PreferNoSchedule
-{{- else }}
-{{- if $settings.scheduleOnTaintedNodes }}
-{{- with .Values.amalogs.tolerationsUnrestricted }}
- {{- toYaml . | nindent 8 }}
-{{- end }}
-{{- else }}
-{{- with .Values.amalogs.tolerations }}
- {{- toYaml . | nindent 8 }}
-{{- end }}
-{{- end }}
-{{- end }}
- volumes:
- - name: docker-windows-kuberenetes-container-logs
- hostPath:
- path: C:\var
- - name: docker-windows-containers
- hostPath:
- path: C:\ProgramData\docker\containers
- type: DirectoryOrCreate
- - name: settings-vol-config
- configMap:
- name: container-azm-ms-agentconfig
- optional: true
- - name: ama-logs-secret
- secret:
- secretName: ama-logs-secret
- - name: ama-logs-adx-secret
- secret:
- secretName: ama-logs-adx-secret
- optional: true
-{{- if $settings.isAKSAddon }}
- - name: azure-json-path
- hostPath:
- path: C:\k
-{{- if (eq (include "should_mount_hostca" .) "true") }}
- - name: ca-certs
- hostPath:
- path: C:\ca
-{{- end }}
-{{- if $settings.usingAADAuth }}
- - name: imds-token
- secret:
- secretName: {{ $settings.accessTokenSecretName }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml
deleted file mode 100644
index 59557ebfa..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-daemonset.yaml
+++ /dev/null
@@ -1,673 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- if and (ne $settings.workspaceID "") (ne $settings.workspaceID "") }}
-#
-# Linux DaemonSet for ama-logs
-# Supports both Arc K8s Extension and AKS Addon deployment modes
-#
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: ama-logs
- namespace: kube-system
- labels:
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- component: ama-logs-agent
- tier: node
- kubernetes.azure.com/managedby: aks
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-spec:
- updateStrategy:
- type: RollingUpdate
- {{- if $settings.isAKSAddon }}
- rollingUpdate:
- maxUnavailable: 50%
- {{- end }}
- selector:
- matchLabels:
- {{- if $settings.isArcExtension }}
- dsName: "ama-logs-ds"
- {{- else }}
- component: ama-logs-agent
- tier: node
- {{- end }}
- template:
- metadata:
- labels:
- {{- if $settings.isArcExtension }}
- dsName: "ama-logs-ds"
- {{- else }}
- component: ama-logs-agent
- tier: node
- kubernetes.azure.com/managedby: aks
- {{- end }}
- annotations:
- {{- if $settings.isArcExtension }}
- agentVersion: {{ .Values.amalogs.image.agentVersion }}
- dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }}
- {{- else }}
- agentVersion: "azure-mdsd-1.37.0"
- dockerProviderVersion: "18.0.1-0"
- {{- end }}
- schema-versions: "v1"
- WSID: {{ $settings.workspaceID | b64enc | quote }}
- kubernetes.azure.com/no-http-proxy-vars: "true"
- {{- if $settings.isArcExtension }}
- checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }}
- checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }}
- checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }}
- {{- end }}
- spec:
- {{- if $settings.isArcExtension }}
- priorityClassName: ama-logs
- {{- else }}
- priorityClassName: system-node-critical
- {{- end }}
- dnsConfig:
- options:
- - name: ndots
- value: "3"
- {{- if $settings.rbacEnabled }}
- serviceAccountName: ama-logs
- {{- end }}
- containers:
-{{- if and $settings.isArcExtension $settings.usingAADAuth }}
- {{- if ne $settings.distribution "openshift" }}
- - name: addon-token-adapter
- imagePullPolicy: IfNotPresent
- env:
- - name: AZMON_COLLECT_ENV
- value: "false"
- - name: TOKEN_NAMESPACE
- value: "azure-arc"
-{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Identity") (ne (toString .Values.Azure.Identity.MSIAdapterYaml) "") }}
-{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }}
-{{- end }}
- {{- else }}
- - name: msi-adapter
- env:
- - name: AZMON_COLLECT_ENV
- value: "false"
- - name: TOKEN_NAMESPACE
- value: azure-arc
- - name: CLUSTER_IDENTITY
- value: "false"
- - name: CLUSTER_TYPE
- value: {{ (split "/" $settings.resourceId)._7 }}
- - name: EXTENSION_ARMID
- value: {{ $settings.arcExtensionResourceId }}
- - name: EXTENSION_NAME
- value: {{ $settings.arcExtensionName }}
- - name: MSI_ADAPTER_LISTENING_PORT
- value: "8421"
- - name: MANAGED_IDENTITY_AUTH
- value: "true"
- - name: MSI_ADAPTER_LIVENESS_PORT
- value: "9090"
- - name: TEST_MODE
- value: "false"
- - name: TEST_FILE
- value: /data/token
- image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3
- securityContext:
- privileged: true
- capabilities:
- add:
- - NET_ADMIN
- - NET_RAW
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 9090
- scheme: "HTTP"
- initialDelaySeconds: 10
- periodSeconds: 15
- resources:
- limits:
- cpu: 50m
- memory: 100Mi
- requests:
- cpu: 20m
- memory: 50Mi
- lifecycle:
- postStart:
- exec:
- command: ["/data/msi-adapter-ready-watcher"]
- {{- end }}
-{{- else if and $settings.isAKSAddon $settings.usingAADAuth }}
- - name: addon-token-adapter
- command:
- - /addon-token-adapter
- args:
- - --secret-namespace=kube-system
- - --secret-name={{ $settings.accessTokenSecretName }}
- - --token-server-listening-port=8888
- - --health-server-listening-port=9999
- - --restart-pod-waiting-minutes-on-broken-connection=240
- image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}"
- imagePullPolicy: IfNotPresent
- env:
- - name: AZMON_COLLECT_ENV
- value: "false"
- livenessProbe:
- httpGet:
- path: /healthz
- port: 9999
- initialDelaySeconds: 10
- periodSeconds: 60
- resources:
- limits:
- cpu: 100m
- memory: 100Mi
- requests:
- cpu: 20m
- memory: 50Mi
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_ADMIN
- - NET_RAW
-{{- end }}
- - name: ama-logs
- image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}"
- imagePullPolicy: {{ $settings.imagePullPolicy }}
- resources:
- {{- if $settings.isArcExtension }}
-{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 9 }}
- {{- else }}
- limits:
- cpu: {{ .Values.OmsAgent.omsAgentDsCPULimitLinux }}
- memory: {{ .Values.OmsAgent.omsAgentDsMemoryLimitLinux }}
- requests:
- cpu: 75m
- memory: 325Mi
- {{- end }}
- env:
- - name: AKS_RESOURCE_ID
- value: {{ $settings.resourceId | quote }}
- - name: AKS_REGION
- value: {{ $settings.region | quote }}
- {{- if $settings.isAKSAddon }}
- - name: AKS_CLUSTER_NAME
- value: {{ $settings.clusterName | quote }}
- - name: AKS_NODE_RESOURCE_GROUP
- value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }}
- {{- end }}
- - name: CONTROLLER_TYPE
- value: "DaemonSet"
- {{- if $settings.isArcExtension }}
- - name: USING_AAD_MSI_AUTH
- value: {{ $settings.usingAADAuth | quote }}
- {{- if not (empty $settings.arcExtensionName) }}
- - name: ARC_K8S_EXTENSION_NAME
- value: {{ $settings.arcExtensionName | quote }}
- {{- end }}
- {{- if $settings.enableHighLogScaleMode }}
- - name: ENABLE_HIGH_LOG_SCALE_MODE
- value: {{ $settings.enableHighLogScaleMode | quote }}
- {{- end }}
- {{- if $settings.isTestMode }}
- - name: AZMON_KUBERNETES_METADATA_ENABLED
- value: "true"
- {{- end }}
- {{- if $settings.isArcACluster }}
- - name: IS_ARCA_CLUSTER
- value: {{ $settings.isArcACluster | quote }}
- {{- end }}
- {{- if ne $settings.customMetricsEndpoint "" }}
- - name: CUSTOM_METRICS_ENDPOINT
- value: {{ $settings.customMetricsEndpoint | quote }}
- {{- end }}
- {{- if ne $settings.tokenAudience "" }}
- - name: customResourceEndpoint
- value: {{ $settings.tokenAudience | quote }}
- {{- end }}
- - name: IS_CUSTOM_CERT
- value: {{ $settings.isCustomCert | quote }}
- - name: ENABLE_CUSTOM_METRICS
- value: {{ $settings.customMetricsEnabled | quote }}
- {{- else }}
- - name: USING_AAD_MSI_AUTH
- value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }}
- {{- if $settings.appMonitoringEnabled }}
- - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED
- value: "{{ $settings.appMonitoringEnabled }}"
- - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED
- value: "{{ $settings.openTelemetryLogsEnabled }}"
- - name: APPMONITORING_OPENTELEMETRYLOGS_PORT
- value: "{{ $settings.openTelemetryLogsPort }}"
- - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT
- value: "4319"
- {{- end }}
- - name: PROMETHEUS_METRICS_SCRAPING_DISABLED
- value: "{{ $settings.prometheusScrapingDisabled }}"
- {{- if $settings.retinaFlowLogsEnabled }}
- - name: AZMON_RETINA_FLOW_LOGS_ENABLED
- value: "true"
- {{- end }}
- {{- if $settings.resourceOptimizationEnabled }}
- - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED
- value: "true"
- {{- end }}
- {{- end }}
- {{- if $settings.shouldMountSyslogHostPort }}
- - name: SYSLOG_HOST_PORT
- value: {{ $settings.syslogPort | quote }}
- {{- end }}
- - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
- value: {{ $settings.identityClientID | quote }}
- {{- if $settings.isArcExtension }}
- {{- if .Values.amalogs.logsettings.logflushintervalsecs }}
- - name: FBIT_SERVICE_FLUSH_INTERVAL
- value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }}
- {{- end }}
- {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }}
- - name: FBIT_TAIL_BUFFER_CHUNK_SIZE
- value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }}
- {{- end }}
- {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }}
- - name: FBIT_TAIL_BUFFER_MAX_SIZE
- value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }}
- {{- end }}
- - name: ISTEST
- value: {{ $settings.isTestMode | quote }}
- {{- else }}
- - name: FBIT_SERVICE_FLUSH_INTERVAL
- value: "15"
- - name: FBIT_TAIL_BUFFER_CHUNK_SIZE
- value: "1"
- - name: FBIT_TAIL_BUFFER_MAX_SIZE
- value: "1"
- {{- end }}
- - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
- value: "{{ $settings.telegrafLivenessprobeEnabled }}"
- - name: CLUSTER_CLOUD_ENVIRONMENT
- value: {{ $settings.cloudEnvironment | quote }}
- - name: NODE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
- valueFrom:
- resourceFieldRef:
- containerName: ama-logs
- resource: limits.memory
- - name: HOSTNAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- securityContext:
- privileged: true
- capabilities:
- drop:
- - ALL
- add:
- - DAC_OVERRIDE
- ports:
- - containerPort: 25225
- protocol: TCP
- - containerPort: 25224
- protocol: UDP
- {{- if $settings.shouldMountSyslogHostPort }}
- - name: syslog
- containerPort: {{ $settings.syslogPort }}
- hostPort: {{ $settings.syslogPort }}
- protocol: TCP
- {{- end }}
- {{- if and $settings.isAKSAddon $settings.openTelemetryLogsEnabled }}
- - name: otlp-logs
- containerPort: 4319
- hostPort: {{ $settings.openTelemetryLogsPort }}
- protocol: TCP
- {{- end }}
- volumeMounts:
- {{- if $settings.enableServiceAccountTimeBoundToken }}
- - name: kube-api-access
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- readOnly: true
- {{- end }}
- - mountPath: /hostfs
- name: host-root
- readOnly: true
- mountPropagation: HostToContainer
- - mountPath: /var/log
- name: host-log
- {{- if $settings.isAKSAddon }}
- {{- if $settings.syslogEnabled }}
- - mountPath: /var/run/mdsd-ci
- name: mdsd-sock
- {{- end }}
- {{- if $settings.retinaFlowLogsEnabled }}
- - mountPath: /var/log/acns/hubble
- name: acns-hubble
- {{- end }}
- - mountPath: /var/run/mdsd-PrometheusSidecar
- name: mdsd-prometheus-sock
- {{- end }}
- - mountPath: /var/lib/docker/containers
- name: containerlog-path
- readOnly: true
- {{- if $settings.isAKSAddon }}
- - mountPath: /mnt/docker
- name: containerlog-path-2
- readOnly: true
- - mountPath: /mnt/containers
- name: containerlog-path-3
- readOnly: true
- {{- end }}
- - mountPath: /etc/kubernetes/host
- name: azure-json-path
- - mountPath: /etc/ama-logs-secret
- name: ama-logs-secret
- readOnly: true
- {{- if $settings.isAKSAddon }}
- - mountPath: /etc/omsagent-secret
- name: ama-logs-secret
- readOnly: true
- {{- end }}
- {{- if and $settings.isProxyEnabled $settings.proxyCert }}
- - mountPath: /etc/ssl/certs/proxy-cert.crt
- subPath: PROXYCERT.crt
- name: ama-logs-secret
- readOnly: true
- {{- end }}
- - mountPath: /etc/config/settings
- name: settings-vol-config
- readOnly: true
- {{- if $settings.isArcExtension }}
- {{- if .Values.amalogs.logsettings.custommountpath }}
- - mountPath: {{ .Values.amalogs.logsettings.custommountpath }}
- name: custom-mount-path
- {{- end }}
- {{- end }}
- - mountPath: /etc/config/settings/adx
- name: ama-logs-adx-secret
- readOnly: true
- {{- if $settings.isArcExtension }}
- - mountPath: /etc/config/osm-settings
- name: osm-settings-vol-config
- readOnly: true
- {{- end }}
- {{- if $settings.mountMarinerCerts }}
- - mountPath: /anchors/mariner
- name: anchors-mariner
- readOnly: true
- {{- end }}
- {{- if $settings.mountUbuntuCerts }}
- - mountPath: /anchors/ubuntu
- name: anchors-ubuntu
- readOnly: true
- {{- end }}
- livenessProbe:
- exec:
- command:
- - /bin/bash
- - -c
- - "/opt/livenessprobe.sh"
- initialDelaySeconds: 60
- periodSeconds: 60
- timeoutSeconds: 15
- {{- if $settings.sidecarScrapingEnabled }}
- - name: ama-logs-prometheus
- image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}"
- imagePullPolicy: {{ $settings.imagePullPolicy }}
- resources:
- {{- if $settings.isArcExtension }}
-{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 9 }}
- {{- else }}
- limits:
- cpu: {{ .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit }}
- memory: {{ .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit }}
- requests:
- cpu: 75m
- memory: 225Mi
- {{- end }}
- env:
- - name: AKS_RESOURCE_ID
- value: {{ $settings.resourceId | quote }}
- - name: AKS_REGION
- value: {{ $settings.region | quote }}
- {{- if $settings.isAKSAddon }}
- - name: AKS_CLUSTER_NAME
- value: {{ $settings.clusterName | quote }}
- - name: AKS_NODE_RESOURCE_GROUP
- value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }}
- {{- end }}
- - name: USING_AAD_MSI_AUTH
- value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }}
- - name: CONTROLLER_TYPE
- value: "DaemonSet"
- - name: CONTAINER_TYPE
- value: "PrometheusSidecar"
- - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
- value: {{ $settings.identityClientID | quote }}
- - name: NODE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
- valueFrom:
- resourceFieldRef:
- containerName: ama-logs-prometheus
- resource: limits.memory
- {{- if $settings.isArcExtension }}
- - name: ISTEST
- value: {{ $settings.isTestMode | quote }}
- {{- else if $settings.shouldMountSyslogHostPort }}
- - name: SYSLOG_HOST_PORT
- value: {{ $settings.syslogPort | quote }}
- {{- end }}
- - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED
- value: "{{ $settings.telegrafLivenessprobeEnabled }}"
- - name: CLUSTER_CLOUD_ENVIRONMENT
- value: {{ $settings.cloudEnvironment | quote }}
- - name: HOSTNAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- securityContext:
- privileged: true
- capabilities:
- drop:
- - ALL
- add:
- - DAC_OVERRIDE
- volumeMounts:
- {{- if $settings.enableServiceAccountTimeBoundToken }}
- - name: kube-api-access
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- readOnly: true
- {{- end }}
- - mountPath: /etc/kubernetes/host
- name: azure-json-path
- - mountPath: /etc/ama-logs-secret
- name: ama-logs-secret
- readOnly: true
- {{- if $settings.isAKSAddon }}
- - mountPath: /etc/omsagent-secret
- name: ama-logs-secret
- readOnly: true
- {{- if $settings.syslogEnabled }}
- - mountPath: /var/run/mdsd-ci
- name: mdsd-sock
- {{- end }}
- - mountPath: /var/run/mdsd-PrometheusSidecar
- name: mdsd-prometheus-sock
- {{- end }}
- {{- if and $settings.isProxyEnabled $settings.proxyCert }}
- - mountPath: /etc/ssl/certs/proxy-cert.crt
- subPath: PROXYCERT.crt
- name: ama-logs-secret
- readOnly: true
- {{- end }}
- - mountPath: /etc/config/settings
- name: settings-vol-config
- readOnly: true
- {{- if $settings.isArcExtension }}
- - mountPath: /etc/config/osm-settings
- name: osm-settings-vol-config
- readOnly: true
- {{- end }}
- {{- if $settings.mountMarinerCerts }}
- - mountPath: /anchors/mariner
- name: anchors-mariner
- readOnly: true
- {{- end }}
- {{- if $settings.mountUbuntuCerts }}
- - mountPath: /anchors/ubuntu
- name: anchors-ubuntu
- readOnly: true
- {{- end }}
- livenessProbe:
- exec:
- command:
- - /bin/bash
- - -c
- - /opt/livenessprobe.sh
- initialDelaySeconds: 60
- periodSeconds: 60
- timeoutSeconds: 15
- {{- end }}
- affinity:
- {{- if $settings.isArcExtension }}
- {{- with .Values.amalogs.daemonset.affinity }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- else }}
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- - key: kubernetes.azure.com/cluster
- operator: Exists
- - key: type
- operator: NotIn
- values:
- - virtual-kubelet
- {{- end }}
- tolerations:
- {{- if $settings.isArcExtension }}
- {{- if $settings.scheduleOnTaintedNodes }}
- {{- with .Values.amalogs.tolerationsUnrestricted }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- else }}
- {{- with .Values.amalogs.tolerations }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- end }}
- {{- else }}
- - key: "CriticalAddonsOnly"
- operator: "Exists"
- - operator: "Exists"
- effect: NoExecute
- - operator: "Exists"
- effect: NoSchedule
- - operator: "Exists"
- effect: PreferNoSchedule
- {{- end }}
- volumes:
- {{- if $settings.enableServiceAccountTimeBoundToken }}
- - name: kube-api-access
- projected:
- sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 3600
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
- {{- end }}
- - name: host-root
- hostPath:
- path: /
- - name: container-hostname
- hostPath:
- path: /etc/hostname
- - name: host-log
- hostPath:
- path: /var/log
- {{- if $settings.isAKSAddon }}
- {{- if $settings.syslogEnabled }}
- - name: mdsd-sock
- hostPath:
- path: /var/run/mdsd-ci
- {{- end }}
- {{- if $settings.retinaFlowLogsEnabled }}
- - name: acns-hubble
- hostPath:
- path: /var/log/acns/hubble
- {{- end }}
- - name: mdsd-prometheus-sock
- emptyDir: {}
- {{- end }}
- - name: containerlog-path
- hostPath:
- path: /var/lib/docker/containers
- {{- if $settings.isAKSAddon }}
- - name: containerlog-path-2
- hostPath:
- path: /mnt/docker
- - name: containerlog-path-3
- hostPath:
- path: /mnt/containers
- {{- end }}
- - name: azure-json-path
- hostPath:
- path: /etc/kubernetes
- - name: ama-logs-secret
- secret:
- secretName: ama-logs-secret
- - name: settings-vol-config
- configMap:
- name: container-azm-ms-agentconfig
- optional: true
- {{- if $settings.isArcExtension }}
- {{- if .Values.amalogs.logsettings.custommountpath }}
- - name: custom-mount-path
- hostPath:
- path: {{ .Values.amalogs.logsettings.custommountpath }}
- {{- end }}
- {{- end }}
- - name: ama-logs-adx-secret
- secret:
- secretName: ama-logs-adx-secret
- optional: true
- {{- if $settings.isArcExtension }}
- - name: osm-settings-vol-config
- configMap:
- name: container-azm-ms-osmconfig
- optional: true
- {{- end }}
- {{- if $settings.mountMarinerCerts }}
- - name: anchors-mariner
- hostPath:
- path: /etc/pki/ca-trust/source/anchors
- type: DirectoryOrCreate
- {{- end }}
- {{- if $settings.mountUbuntuCerts }}
- - name: anchors-ubuntu
- hostPath:
- path: /usr/local/share/ca-certificates/
- type: DirectoryOrCreate
- {{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml
deleted file mode 100644
index 2d9509234..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-multitenancy.yaml
+++ /dev/null
@@ -1,281 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- if and $settings.isAKSAddon $settings.usingAADAuth $settings.multitenancyEnabled }}
-#
-# AKS-only: Multitenancy logs - HPA, Service, and Deployment
-#
----
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
- name: ama-logs-hpa
- namespace: kube-system
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: ama-logs-multitenancy
- minReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMinReplicas }}
- maxReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMaxReplicas }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgCPUUtilization }}
- - type: Resource
- resource:
- name: memory
- target:
- type: Utilization
- averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization }}
- behavior:
- scaleDown:
- stabilizationWindowSeconds: 1200
- policies:
- - type: Percent
- value: 5
- periodSeconds: 180
- scaleUp:
- stabilizationWindowSeconds: 0
- policies:
- - type: Pods
- value: 5
- periodSeconds: 5
- - type: Percent
- value: 100
- periodSeconds: 5
- selectPolicy: Max
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ama-logs-service
- namespace: kube-system
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-spec:
- type: ClusterIP
- ports:
- - port: 24225
- targetPort: 24225
- protocol: TCP
- name: fluentbit-fwd
- selector:
- rsName: "ama-logs-multitenancy"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ama-logs-multitenancy
- namespace: kube-system
- labels:
- component: ama-logs-agent
- tier: node
- kubernetes.azure.com/managedby: aks
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- rsName: "ama-logs-multitenancy"
- strategy:
- type: RollingUpdate
- template:
- metadata:
- labels:
- rsName: "ama-logs-multitenancy"
- kubernetes.azure.com/managedby: aks
- annotations:
- agentVersion: "azure-mdsd-1.37.0"
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
- dockerProviderVersion: "18.0.1-0"
- schema-versions: "v1"
- WSID: {{ $settings.workspaceID | b64enc | quote }}
- kubernetes.azure.com/no-http-proxy-vars: "true"
- spec:
- priorityClassName: system-node-critical
- tolerations:
- - key: "CriticalAddonsOnly"
- operator: "Exists"
- volumes:
- - name: ama-logs-secret
- secret:
- secretName: ama-logs-secret
- - name: settings-vol-config
- configMap:
- name: container-azm-ms-agentconfig
- optional: true
-{{- if (eq (include "should_mount_hostca" .) "true") }}
- - name: anchors-ubuntu
- hostPath:
- path: /usr/local/share/ca-certificates/
- type: DirectoryOrCreate
- - name: anchors-mariner
- hostPath:
- path: /etc/pki/ca-trust/source/anchors
- type: DirectoryOrCreate
-{{- end }}
- serviceAccountName: ama-logs
- containers:
- - name: addon-token-adapter
- command:
- - /addon-token-adapter
- args:
- - --secret-namespace=kube-system
- - --secret-name={{ $settings.accessTokenSecretName }}
- - --token-server-listening-port=8888
- - --health-server-listening-port=9999
- - --restart-pod-waiting-minutes-on-broken-connection=240
- image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}"
- imagePullPolicy: IfNotPresent
- env:
- - name: AZMON_COLLECT_ENV
- value: "false"
- livenessProbe:
- httpGet:
- path: /healthz
- port: 9999
- initialDelaySeconds: 10
- periodSeconds: 60
- resources:
- limits:
- cpu: 500m
- memory: 500Mi
- requests:
- cpu: 100m
- memory: 100Mi
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_ADMIN
- - NET_RAW
- - name: ama-logs
- image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}"
- imagePullPolicy: {{ $settings.imagePullPolicy }}
- resources:
- limits:
- cpu: {{ .Values.OmsAgent.omsAgentMultitenancyCPULimitLinux }}
- memory: {{ .Values.OmsAgent.omsAgentMultitenancyMemoryLimitLinux }}
- requests:
- cpu: {{ .Values.OmsAgent.omsAgentMultitenancyCPURequestLinux }}
- memory: {{ .Values.OmsAgent.omsAgentMultitenancyMemoryRequestLinux }}
- env:
- - name: AZMON_MULTI_TENANCY_LOG_COLLECTION
- value: "true"
- - name: AZMON_MULTI_TENANCY_LOGS_SERVICE_MODE
- value: "true"
- - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
- valueFrom:
- resourceFieldRef:
- containerName: ama-logs
- resource: limits.memory
- - name: AKS_CLUSTER_NAME
- value: {{ $settings.clusterName | quote }}
- - name: AKS_RESOURCE_ID
- value: {{ $settings.resourceId | quote }}
- - name: AKS_NODE_RESOURCE_GROUP
- value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }}
- - name: AKS_REGION
- value: {{ $settings.region | quote }}
- - name: CONTROLLER_TYPE
- value: "ReplicaSet"
- - name: NODE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: USING_AAD_MSI_AUTH
- value: "true"
- - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED
- value: "{{ $settings.appMonitoringEnabled }}"
- - name: CLUSTER_CLOUD_ENVIRONMENT
- value: {{ $settings.cloudEnvironment | quote }}
- securityContext:
- privileged: true
- capabilities:
- drop:
- - ALL
- add:
- - DAC_OVERRIDE
- ports:
- - name: http
- containerPort: 24225
- protocol: TCP
- volumeMounts:
- - mountPath: /etc/ama-logs-secret
- name: ama-logs-secret
- readOnly: true
- - mountPath: /etc/config/settings
- name: settings-vol-config
- readOnly: true
-{{- if (eq (include "should_mount_hostca" .) "true") }}
- - mountPath: /anchors/mariner
- name: anchors-mariner
- readOnly: true
- - mountPath: /anchors/ubuntu
- name: anchors-ubuntu
- readOnly: true
-{{- end }}
-{{- if $settings.isProxyEnabled }}
-{{- if $settings.proxyCert }}
- - mountPath: /etc/ssl/certs/proxy-cert.crt
- subPath: PROXYCERT.crt
- name: ama-logs-secret
- readOnly: true
-{{- end }}
-{{- end }}
- lifecycle:
- preStop:
- exec:
- command: ["sh", "-c", "sleep 5"]
- livenessProbe:
- exec:
- command:
- - /bin/bash
- - -c
- - /opt/livenessprobe.sh
- initialDelaySeconds: 60
- periodSeconds: 60
- timeoutSeconds: 15
- readinessProbe:
- tcpSocket:
- port: 24225
- initialDelaySeconds: 10
- periodSeconds: 30
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.azure.com/cluster
- operator: Exists
- - key: type
- operator: NotIn
- values:
- - virtual-kubelet
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- preference:
- matchExpressions:
- - key: kubernetes.azure.com/mode
- operator: In
- values:
- - system
-{{- end }}
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml
deleted file mode 100644
index 8435e0103..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-openshift-scc.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- if and $settings.isArcExtension (eq $settings.distribution "openshift") }}
-#
-# OpenShift Security Context Constraint
-# Required for running ama-logs with elevated privileges on OpenShift
-#
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- name: ama-logs-scc
-allowPrivilegedContainer: true
-allowPrivilegeEscalation: true
-allowHostDirVolumePlugin: true
-allowedCapabilities:
-- NET_ADMIN
-- NET_RAW
-readOnlyRootFilesystem: false
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: RunAsAny
-fsGroup:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-volumes:
-- hostPath
-- configMap
-- secret
-- projected
-- emptyDir
-- downwardAPI
-users:
-- system:serviceaccount:kube-system:ama-logs
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml
deleted file mode 100644
index ee868781f..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-priorityclass.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- if $settings.isArcExtension }}
-#
-# PriorityClass for Arc K8s Extension
-# Ensures ama-logs pods are scheduled with priority
-#
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: ama-logs
-value: {{ $settings.priority }}
-globalDefault: false
-description: "Priority class for Azure Monitor ama-logs agent in Arc K8s extension mode"
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml
deleted file mode 100644
index a5e913d3e..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-rbac.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-{{- $rbacApiVersion := "rbac.authorization.k8s.io/v1" }}
-{{- if not (semverCompare ">=1.16.0" .Capabilities.KubeVersion.Version) }}
-{{- $rbacApiVersion = "rbac.authorization.k8s.io/v1beta1" }}
-{{- end }}
-{{- if $settings.rbacEnabled }}
-#
-# RBAC Resources for ama-logs
-#
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: ama-logs
- namespace: kube-system
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
----
-kind: ClusterRole
-apiVersion: {{ $rbacApiVersion }}
-metadata:
- name: ama-logs-reader
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-rules:
-- apiGroups: [""]
- resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"]
- verbs: ["list", "get", "watch"]
-- apiGroups: ["apps", "extensions", "autoscaling"]
- resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
- verbs: ["list"]
-{{- if $settings.isArcExtension }}
-- apiGroups: ["clusterconfig.azure.com"]
- resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"]
- verbs: ["get", "create", "patch", "list", "update", "delete"]
-{{- end }}
-{{- if $settings.rsvpaEnabled }}
-- apiGroups: ["apps"]
- resources: ["deployments"]
- resourceNames: ["ama-logs-rs"]
- verbs: ["get", "patch"]
-{{- end }}
-{{- if $settings.usingAADAuth }}
-- apiGroups: [""]
- resources: ["secrets"]
- resourceNames: [{{ $settings.accessTokenSecretName | quote }}]
- verbs: ["get", "watch"]
-{{- end }}
-{{- if and $settings.isArcExtension (empty $settings.arcExtensionName) }}
-- apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["container-insights-clusteridentityrequest-token"]
- verbs: ["get"]
-{{- end }}
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: {{ $rbacApiVersion }}
-metadata:
- name: amalogsclusterrolebinding
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-subjects:
- - kind: ServiceAccount
- name: ama-logs
- namespace: kube-system
-roleRef:
- kind: ClusterRole
- name: ama-logs-reader
- apiGroup: rbac.authorization.k8s.io
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml
deleted file mode 100644
index 3da8b5608..000000000
--- a/charts/azuremonitor-containers-merged/templates/ama-logs-replicaset.yaml
+++ /dev/null
@@ -1,495 +0,0 @@ -{{- $settings := include "arc-extension-settings" . | fromYaml }} -{{- if and (ne $settings.workspaceID "") (ne $settings.workspaceID "") (or $settings.isAKSAddon $settings.isArcExtension) }} -# -# Deployment ama-logs-rs - cluster-level component collection (ReplicaSet controller type) -# Renders for both AKS addon and Arc extension when workspace is configured. -# -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ama-logs-rs - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: ama-logs-agent - tier: node -{{- if $settings.legacyAddonDelivery }} - kubernetes.azure.com/managedby: aks - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - replicas: 1 - revisionHistoryLimit: 2 - selector: - matchLabels: - rsName: "ama-logs-rs" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-rs" -{{- if $settings.isAKSAddon }} - kubernetes.azure.com/managedby: aks -{{- end }} - annotations: - agentVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.agentVersion }}{{ else }}azure-mdsd-1.37.0{{ end }} - dockerProviderVersion: {{ if $settings.isArcExtension }}{{ .Values.amalogs.image.dockerProviderVersion }}{{ else }}18.0.1-0{{ end }} - schema-versions: "v1" - WSID: {{ $settings.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if $settings.isArcExtension }} - checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . 
| sha256sum }} - checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} - checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} -{{- end }} -{{- if $settings.isAKSAddon }} - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" -{{- end }} - spec: -{{- if $settings.isAKSAddon }} - priorityClassName: system-node-critical - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" -{{- else }} -{{- if $settings.isArcExtension }} - {{- if .Values.amalogs.priority }} - priorityClassName: ama-logs - {{- end }} - {{- if $settings.scheduleOnTaintedNodes }} - {{- with .Values.amalogs.tolerationsUnrestricted }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- else }} - {{- with .Values.amalogs.tolerations }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} - {{- if $settings.rbacEnabled }} - serviceAccountName: ama-logs - {{- end }} - containers: -{{- if $settings.isAKSAddon }} -{{- if $settings.rsvpaEnabled }} - - name: ama-logs-vpa - image: "{{ template "addon_mcr_repository_base" . 
}}/oss/v2/kubernetes/autoscaler/addon-resizer:{{ dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }}" - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 5m - memory: 30Mi - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: ama-logs-rs-vpa-config-volume - mountPath: /etc/config - command: - - /pod_nanny - - --config-dir=/etc/config - - --cpu=200m - - --extra-cpu=2m - - --memory=300Mi - - --extra-memory=4Mi - - --poll-period=180000 - - --threshold=5 - - --namespace=kube-system - - --deployment=ama-logs-rs - - --container=ama-logs -{{- end }} -{{- end }} -{{- if and $settings.isArcExtension $settings.usingAADAuth }} - {{- if ne $settings.distribution "openshift" }} - - name: addon-token-adapter - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - - name: TOKEN_NAMESPACE - value: "azure-arc" -{{- if and (hasKey .Values "Azure") (hasKey .Values.Azure "Identity") (ne (toString .Values.Azure.Identity.MSIAdapterYaml) "") }} -{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 10 }} -{{- end }} - {{- else }} - - name: msi-adapter - image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 - env: - - name: AZMON_COLLECT_ENV - value: "false" - - name: TOKEN_NAMESPACE - value: azure-arc - - name: CLUSTER_IDENTITY - value: "false" - - name: CLUSTER_TYPE - value: {{ (split "/" $settings.resourceId)._7 }} - - name: EXTENSION_ARMID - value: {{ $settings.arcExtensionResourceId }} - - name: EXTENSION_NAME - value: {{ $settings.arcExtensionName }} - - name: MSI_ADAPTER_LISTENING_PORT - value: "8421" - - name: MANAGED_IDENTITY_AUTH - value: "true" - - name: MSI_ADAPTER_LIVENESS_PORT - value: "9090" - - name: TEST_MODE - value: "false" - - name: TEST_FILE - value: /data/token - securityContext: - 
privileged: true - capabilities: - add: - - NET_ADMIN - - NET_RAW - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 9090 - scheme: "HTTP" - initialDelaySeconds: 10 - periodSeconds: 15 - resources: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 20m - memory: 50Mi - lifecycle: - postStart: - exec: - command: ["/data/msi-adapter-ready-watcher"] - {{- end }} -{{- else if and $settings.isAKSAddon $settings.usingAADAuth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ $settings.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{ dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag" }}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ $settings.imageRepo }}:{{ $settings.imageTagLinux }}" - imagePullPolicy: {{ $settings.imagePullPolicy }} - resources: -{{- if $settings.isArcExtension }} -{{ toYaml .Values.amalogs.resources.deployment | indent 10 }} -{{- else }} -{{- if not $settings.rsvpaEnabled }} - limits: - cpu: {{ .Values.OmsAgent.omsAgentRsCPULimit }} - memory: {{ .Values.OmsAgent.omsAgentRsMemoryLimit }} - requests: - cpu: 150m - memory: 250Mi -{{- end }} -{{- end }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: AKS_RESOURCE_ID - value: {{ $settings.resourceId | quote }} - - name: AKS_REGION - 
value: {{ $settings.region | quote }} - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: NUM_OF_FLUENTD_WORKERS - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.cpu - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: {{ $settings.identityClientID | quote }} - - name: SIDECAR_SCRAPING_ENABLED - value: {{ $settings.sidecarScrapingEnabled | quote }} - - name: CLUSTER_CLOUD_ENVIRONMENT - value: {{ $settings.cloudEnvironment | quote }} -{{- if $settings.isAKSAddon }} - - name: AKS_CLUSTER_NAME - value: {{ $settings.clusterName | quote }} - - name: AKS_NODE_RESOURCE_GROUP - value: {{ .Values.OmsAgent.aksNodeResourceGroup | quote }} - - name: USING_AAD_MSI_AUTH - value: {{ if $settings.usingAADAuth }}"true"{{ else }}"false"{{ end }} -{{- if $settings.rsvpaEnabled }} - - name: RS_ADDON-RESIZER_VPA_ENABLED - value: "true" -{{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ $settings.appMonitoringEnabled }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ $settings.prometheusScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $settings.telegrafLivenessprobeEnabled }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ $settings.windowsFluentBitEnabled }}" -{{- else }} -{{- if not (empty $settings.arcExtensionName) }} - - name: ARC_K8S_EXTENSION_NAME - value: {{ $settings.arcExtensionName | quote }} -{{- end }} - - name: USING_AAD_MSI_AUTH - value: {{ $settings.usingAADAuth | quote }} - - name: ISTEST - value: {{ $settings.isTestMode | quote }} -{{- if $settings.isTestMode }} - - name: AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS - value: "true" -{{- end }} -{{- if $settings.isArcACluster }} - - name: IS_ARCA_CLUSTER - value: {{ $settings.isArcACluster | quote }} -{{- end }} -{{- if 
ne $settings.customMetricsEndpoint "" }} - - name: CUSTOM_METRICS_ENDPOINT - value: {{ $settings.customMetricsEndpoint | quote }} -{{- end }} -{{- if ne $settings.tokenAudience "" }} - - name: customResourceEndpoint - value: {{ $settings.tokenAudience | quote }} -{{- end }} - - name: IS_CUSTOM_CERT - value: {{ $settings.isCustomCert | quote }} - - name: ENABLE_CUSTOM_METRICS - value: {{ $settings.customMetricsEnabled | quote }} - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: {{ $settings.telegrafLivenessprobeEnabled | quote }} -{{- end }} - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP -{{- if $settings.isAKSAddon }} - - containerPort: 25227 - protocol: TCP - name: in-rs-tcp -{{- end }} - volumeMounts: - - mountPath: /var/log - name: host-log - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true -{{- if $settings.isAKSAddon }} - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true -{{- end }} - - mountPath: /etc/config - name: ama-logs-rs-config - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true -{{- if and $settings.isArcExtension $settings.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - readOnly: true -{{- end }} -{{- if and $settings.isProxyEnabled $settings.proxyCert }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true -{{- end }} -{{- if and $settings.isArcExtension .Values.amalogs.logsettings.custommountpath }} - - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} - 
name: custom-mount-path -{{- end }} -{{- if $settings.mountMarinerCerts }} - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true -{{- end }} -{{- if $settings.mountUbuntuCerts }} - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true -{{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - "/opt/livenessprobe.sh" - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - affinity: -{{- if $settings.isArcExtension }} -{{- with .Values.amalogs.deployment.affinity }} - {{- toYaml . | nindent 8 }} -{{- end }} -{{- else }} - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system - - weight: 1 - preference: - matchExpressions: - - key: storageprofile - operator: NotIn - values: - - managed - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet -{{- end }} - volumes: - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-rs-config - configMap: - name: ama-logs-rs-config - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true -{{- if and $settings.isArcExtension $settings.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 3600 - - configMap: - items: 
- - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace -{{- end }} -{{- if and $settings.isArcExtension .Values.amalogs.logsettings.custommountpath }} - - name: custom-mount-path - hostPath: - path: {{ .Values.amalogs.logsettings.custommountpath }} -{{- end }} -{{- if $settings.mountMarinerCerts }} - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate -{{- end }} -{{- if $settings.mountUbuntuCerts }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate -{{- end }} -{{- if and $settings.isAKSAddon $settings.rsvpaEnabled }} - - name: ama-logs-rs-vpa-config-volume - configMap: - name: ama-logs-rs-vpa-config - optional: true -{{- end }} -{{- end }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml deleted file mode 100644 index 4acf68278..000000000 --- a/charts/azuremonitor-containers-merged/templates/ama-logs-rs-configmap.yaml +++ /dev/null 
@@ -1,264 +0,0 @@ -{{- $settings := include "arc-extension-settings" . | fromYaml }} -{{- if and (ne $settings.workspaceID "") (ne $settings.workspaceID "") (or $settings.isAKSAddon $settings.isArcExtension) }} -# -# ConfigMap for ReplicaSet (ama-logs-rs) - kube.conf Fluentd config -# -apiVersion: v1 -kind: ConfigMap -metadata: - name: ama-logs-rs-config - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if $settings.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -data: - kube.conf: | - # Fluentd config file for OMS Docker - cluster components (kubeAPI) -{{- if $settings.isAKSAddon }} - #fluent forward plugin (AKS - receive from DaemonSet) - - type forward - port "#{ENV['HEALTHMODEL_REPLICASET_SERVICE_SERVICE_PORT']}" - bind 0.0.0.0 - chunk_size_limit 4m - - -{{- end }} - #Kubernetes pod inventory - - type kubepodinventory - tag oms.containerinsights.KubePodInventory - run_interval 60 - log_level debug - - - #Kubernetes Persistent Volume inventory - - type kubepvinventory - tag oms.containerinsights.KubePVInventory - run_interval 60 - log_level debug - - - #Kubernetes events - - type kubeevents - tag oms.containerinsights.KubeEvents - run_interval 60 - log_level debug - - - #Kubernetes Nodes - - type kubenodeinventory - tag oms.containerinsights.KubeNodeInventory - run_interval 60 - log_level debug - - - #cadvisor perf- Windows nodes - - type wincadvisorperf - tag oms.api.wincadvisorperf - run_interval 60 - log_level debug - - - #Kubernetes object state - deployments - - type kubestatedeployments - tag oms.containerinsights.KubeStateDeployments - run_interval 60 - log_level debug - - - #Kubernetes object state - HPA - - type kubestatehpa - tag oms.containerinsights.KubeStateHpa - run_interval 60 - log_level debug - - - type filter_inventory2mdm - log_level info - - - # 
custom_metrics_mdm filter plugin for perf data from windows nodes - - type filter_cadvisor2mdm - metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes - log_level info - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeservices*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 3 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer - buffer_queue_limit 20 - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - 
buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 30s - max_retry_wait 9m - retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - -{{- end }} diff --git a/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml b/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml deleted file mode 100644 index 14c853f4c..000000000 --- a/charts/azuremonitor-containers-merged/templates/ama-logs-secret.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-{{- $settings := include "arc-extension-settings" . | fromYaml }}
-#
-# Workspace Secret
-# Stores Log Analytics workspace credentials
-#
-apiVersion: v1
-kind: Secret
-metadata:
- name: ama-logs-secret
- namespace: kube-system
- labels:
-{{- if $settings.legacyAddonDelivery }}
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-{{- end }}
-type: Opaque
-data:
- WSID: {{ $settings.workspaceID | toString | b64enc | quote }}
- KEY: {{ $settings.workspaceKey | toString | b64enc | quote }}
- DOMAIN: {{ $settings.domain | toString | b64enc | quote }}
-{{- if $settings.isProxyEnabled }}
- {{- if $settings.httpsProxy }}
- PROXY: {{ $settings.httpsProxy | b64enc | quote }}
- {{- else if $settings.httpProxy }}
- PROXY: {{ $settings.httpProxy | b64enc | quote }}
- {{- end }}
-{{- end }}
-{{- if and $settings.isProxyEnabled $settings.proxyCert }}
- PROXYCERT.crt: {{ $settings.proxyCert | b64enc | quote }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/azuremonitor-containers-merged/values.yaml b/charts/azuremonitor-containers-merged/values.yaml
deleted file mode 100644
index bb12bda3c..000000000
--- a/charts/azuremonitor-containers-merged/values.yaml
+++ /dev/null
@@ -1,293 +0,0 @@ -# Unified values for Azure Monitor Containers -# Supports both AKS Addon and Arc K8s Extension deployment modes - -# ============================================================================ -# Azure Arc K8s Extension Parameters -# These are populated automatically by Azure Arc K8s Resource Provider -# ============================================================================ -Azure: - Cluster: - Cloud: - Region: - ResourceId: - Distribution: "" # e.g., "openshift", "aks_edge_k3s", "aks_edge_k8s", etc. - Extension: - Name: "" - ResourceId: "" - proxySettings: - isProxyEnabled: false - httpProxy: "" - httpsProxy: "" - noProxy: "" - proxyCert: "" - isCustomCert: false - autonomousFqdn: "" - Identity: - MSIAdapterYaml: "" # OpenShift-specific MSI adapter configuration - -# ============================================================================ -# Arc K8s Specific Configuration (amalogs.*) -# ============================================================================ -amalogs: - # Image configuration - image: - repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod" - tag: "3.1.34" - tagWindows: "win-3.1.34" - pullPolicy: IfNotPresent - dockerProviderVersion: "18.0.1-0" - agentVersion: "azure-mdsd-1.37.0" - winAgentVersion: "46.31.3" - - # Pod priority (must be > 0 for proper scheduling) - priority: 10 - - # Feature flags - enableHighLogScaleMode: false - ISTEST: false - useAADAuth: false - isArcACluster: false - ignoreExtensionProxySettings: false - scheduleOnTaintedNodes: false - enableServiceAccountTimeBoundToken: true - enableCustomMetrics: false - enableTelegrafLivenessprobe: false - - # Workspace credentials - secret: - wsid: - key: - - # Domain (auto-configured based on cloud) - domain: opinsights.azure.com - - # Proxy and endpoints - proxy: - metricsEndpoint: - tokenAudience: - - # Cluster environment - env: - clusterName: - clusterId: - clusterRegion: - - # RBAC - rbac: true - - # Prometheus sidecar - sidecarscraping: true 
- - # Syslog - syslog: - enabled: false - syslogPort: 28330 - - # Log settings - logsettings: - logflushintervalsecs: "15" - tailbufchunksizemegabytes: "1" - tailbufmaxsizemegabytes: "1" - custommountpath: "" - - # Tolerations (aligned with Arc source for control-plane and master) - tolerations: - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "NoSchedule" - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "NoExecute" - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "PreferNoSchedule" - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoExecute" - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "PreferNoSchedule" - - tolerationsUnrestricted: - - operator: "Exists" - effect: "NoSchedule" - - operator: "Exists" - effect: "NoExecute" - - operator: "Exists" - effect: "PreferNoSchedule" - - # Affinity - daemonset: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: type - operator: NotIn - values: - - virtual-kubelet - - deployment: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: storageprofile - operator: NotIn - values: - - managed - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: type - operator: NotIn - values: - - virtual-kubelet - - key: kubernetes.io/role - operator: NotIn - values: - - master - - # Resources - resources: - daemonsetlinux: - requests: - cpu: 75m - memory: 325Mi - limits: - cpu: 150m - memory: 750Mi - daemonsetwindows: - requests: - cpu: 500m - memory: 700Mi - limits: - cpu: 2 - memory: 2Gi - 
deployment: - requests: - cpu: 150m - memory: 250Mi - limits: - cpu: 1 - memory: 1Gi - daemonsetlinuxsidecar: - requests: - cpu: 75m - memory: 225Mi - limits: - cpu: 500m - memory: 1Gi - -# ============================================================================ -# AKS Addon Configuration (OmsAgent.*) -# ============================================================================ -OmsAgent: - # Cluster information - aksResourceID: - aksClusterName: "" - aksNodeResourceGroup: "" - aksRegion: "" - - # Workspace - workspaceID: "" - workspaceKey: "" - - # Authentication - isUsingAADAuth: "true" - identityClientID: "" - accessTokenSecretName: "ama-logs-secret" - - # Cloud environment - isMoonCake: false - isFairfax: false - - # Feature flags - isMultitenancyLogsEnabled: false - isRSVPAEnabled: false - isSyslogEnabled: true - isSidecarScrapingEnabled: true - isPrometheusMetricsScrapingDisabled: false - isRetinaFlowLogsEnabled: false - isResourceOptimizationEnabled: false - isWindowsAMAEnabled: true - isWindowsAMAFluentBitEnabled: false - isWindowsBurstableQoSEnabled: true - isWindowsAddonTokenAdapterDisabled: false - isCustomMetricsDisabled: true - isTelegrafLivenessprobeEnabled: false - - # Image configuration - imageTagLinux: "3.1.34" - imageTagWindows: "win-3.1.34" - isImagePullPolicyAlways: false - - # Dynamic sizing - enableDaemonSetSizing: false - - # Resource limits - omsAgentDsCPULimitLinux: "500m" - omsAgentDsMemoryLimitLinux: "1Gi" - omsAgentDsCPULimitWindows: "2" - omsAgentDsMemoryLimitWindows: "2Gi" - omsAgentDsCPURequestWindows: "100m" - omsAgentDsMemoryRequestWindows: "150Mi" - omsAgentRsCPULimit: "1" - omsAgentRsMemoryLimit: "1.5Gi" - omsAgentPrometheusSidecarCPULimit: "500m" - omsAgentPrometheusSidecarMemoryLimit: "1Gi" - - # Multitenancy - omsAgentMultitenancyCPULimitLinux: "1" - omsAgentMultitenancyMemoryLimitLinux: "1Gi" - omsAgentMultitenancyCPURequestLinux: "100m" - omsAgentMultitenancyMemoryRequestLinux: "100Mi" - 
omsAgentMultitenancyLogsHPAMinReplicas: 2 - omsAgentMultitenancyLogsHPAMaxReplicas: 50 - omsAgentMultitenancyHPAAvgCPUUtilization: 700 - omsAgentMultitenancyHPAAvgMemoryUtilization: 700 - - # Syslog - syslogHostPort: "28330" - shouldMountSyslogHostPort: true - - # Proxy - httpProxy: "" - httpsProxy: "" - trustedCA: "" - -# ============================================================================ -# Application Monitoring -# ============================================================================ -AppmonitoringAgent: - enabled: false - isOpenTelemetryLogsEnabled: false - openTelemetryLogsPort: 28331 - -# ============================================================================ -# Global Settings -# ============================================================================ -global: - commonGlobals: - CloudEnvironment: - isAutomaticSKU: false - Region: - Versions: - Kubernetes: "1.29.0" - -# Legacy addon delivery mode -legacyAddonDelivery: false \ No newline at end of file From b3c45127c57d8aa7ae293c1e05a1a5b1eaadaa13 Mon Sep 17 00:00:00 2001 
From: longwan
Date: Fri, 6 Mar 2026 00:17:05 +0000
Subject: [PATCH 39/47] add helmignore and cleanup
---
 .../.helmignore | 21 +
 .../templates/ama-logs-daemonset-aks.yaml | 549 ------------------
 .../templates/ama-logs-daemonset-arc.yaml | 418 -------------
 .../ama-logs-daemonset-windows-aks.yaml | 301 ----------
 .../ama-logs-daemonset-windows-arc.yaml | 194 -------
 .../templates/ama-logs-deployment-aks.yaml | 358 ------------
 .../templates/ama-logs-deployment-arc.yaml | 308 ----------
 7 files changed, 21 insertions(+), 2128 deletions(-)
 create mode 100644 charts/azuremonitor-containerinsights/.helmignore
 delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml
 delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml
 delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml
 delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml
 delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml
 delete mode 100644 charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml
diff --git a/charts/azuremonitor-containerinsights/.helmignore b/charts/azuremonitor-containerinsights/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/azuremonitor-containerinsights/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml
deleted file mode 100644
index 544681ca3..000000000
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-aks.yaml
+++ /dev/null
@@ -1,549 +0,0 @@ -{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} -{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} -{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} -{{- $isusingaadauth := false -}} -{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} - {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} -{{- end -}} ---- -{{/* Get sizes */}} -{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} -{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} -{{- $sizes := list ($singleSize) -}} -{{/* - if $useDaemonSetSizing - */}} - {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}} - {{/* - $sizes = list ($singleSize) - */}} - {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}} -{{/* - end - */}} -{{/* Generate DaemonSets */}} -{{- $prevmaxCPU := 0 -}} -{{- range $index, $size := $sizes -}} -{{- if gt $index 0 }} ---- -{{ end -}} -{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes -}} -apiVersion: apps/v1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: 
aks -{{- if $.Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} - name: ama-logs{{/* {{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }} */}} - namespace: kube-system -spec: - selector: - matchLabels: - component: ama-logs-agent - tier: node - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} - template: - metadata: - annotations: - agentVersion: "azure-mdsd-1.37.0" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} -{{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - serviceAccountName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - containers: -{{- if $isusingaadauth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: 
AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - {{- $containerResources := index $size.containers "addon-token-adapter" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" - {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - - name: AKS_CLUSTER_NAME - value: "{{ $.Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ $.Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: 
"DaemonSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ $.Values.OmsAgent.identityClientID }}" - - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS - value: "koreacentral,norwayeast,eastus2" - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ $.Values.AppmonitoringAgent.enabled }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ $.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT - value: "4319" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: SYSLOG_HOST_PORT - value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} - {{- end }} - - name: AZMON_RETINA_FLOW_LOGS_ENABLED - value: "{{ $.Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}" - - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED - value: "{{ $.Values.OmsAgent.isResourceOptimizationEnabled | default false }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ 
$.Values.global.commonGlobals.CloudEnvironment | lower }}" - livenessProbe: - exec: - command: - - /bin/bash - - "-c" - - "/opt/livenessprobe.sh" - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: syslog - containerPort: 28330 - hostPort: {{ $.Values.OmsAgent.syslogHostPort | default 28330 }} - protocol: TCP - {{- end }} - {{- if eq ($.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} - - name: otlp-logs - containerPort: 4319 - hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} - protocol: TCP - {{- end }} - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - - mountPath: /hostfs - name: host-root - readOnly: true - mountPropagation: HostToContainer - - mountPath: /var/log - name: host-log - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - mountPath: /var/run/mdsd-ci - name: mdsd-sock - {{- end }} - {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - - mountPath: /var/log/acns/hubble - name: acns-hubble - {{- end }} - - mountPath: /var/run/mdsd-PrometheusSidecar - name: mdsd-prometheus-sock - - mountPath: /var/lib/docker/containers - name: containerlog-path - readOnly: true - - mountPath: /mnt/docker - name: containerlog-path-2 - readOnly: true - - mountPath: /mnt/containers - name: containerlog-path-3 - readOnly: true - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - # 
USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - {{- if and (not $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled) $.Values.OmsAgent.isSidecarScrapingEnabled }} - - name: ama-logs-prometheus - image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" - {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-prometheus - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: AKS_CLUSTER_NAME - value: "{{ $.Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ $.Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region 
}}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: CONTAINER_TYPE - value: "PrometheusSidecar" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ $.Values.OmsAgent.identityClientID }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: SYSLOG_HOST_PORT - value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} - {{- end }} - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - - mountPath: /var/run/mdsd-PrometheusSidecar - name: mdsd-prometheus-sock - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the 
host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - mountPath: /var/run/mdsd-ci - name: mdsd-sock - {{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - {{- end }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - {{- if $useDaemonSetSizing -}} - {{- if eq $size.name $singleSize.name -}} - {{/* Target non-Karpenter nodes */}} - - key: karpenter.azure.com/aksnodeclass - operator: DoesNotExist - {{- else }} - {{/* Target Karpenter nodes with CPU range */}} - {{- if gt $prevmaxCPU 0 -}} - - key: karpenter.azure.com/sku-cpu - operator: Gt - values: - - "{{ $prevmaxCPU }}" - {{- end -}} - {{/* Add new line. 
*/}} - {{- if and $prevmaxCPU $size.maxCPU }} - {{ end -}} - {{- if $size.maxCPU -}} - - key: karpenter.azure.com/sku-cpu - operator: Lt - values: - - "{{ add ($size.maxCPU | int) 1 }}" - {{- end -}} - {{- end -}} - {{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - - name: host-root - hostPath: - path: / - - name: mdsd-prometheus-sock - emptyDir: {} - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - name: mdsd-sock - hostPath: - path: /var/run/mdsd-ci - {{- end }} - {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - - name: acns-hubble - hostPath: - path: /var/log/acns/hubble - {{- end }} - - name: containerlog-path - hostPath: - path: /var/lib/docker/containers - - name: containerlog-path-2 - hostPath: - path: /mnt/docker - - name: containerlog-path-3 - hostPath: - path: /mnt/containers - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 50% - -{{- if and (ne (default "" $size.name) (default "" $singleSize.name)) $size.maxCPU }} -{{- $prevmaxCPU = $size.maxCPU | int }} 
-{{- end }}
-{{- end }}
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml
deleted file mode 100644
index e195b9bfd..000000000
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-arc.yaml
+++ /dev/null
@@ -1,418 +0,0 @@ -{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ama-logs - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: ama-logs-agent - tier: node -spec: - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - dsName: "ama-logs-ds" - template: - metadata: - labels: - dsName: "ama-logs-ds" - annotations: - agentVersion: {{ .Values.amalogs.image.agentVersion }} - dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} - schema-versions: "v1" - checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} - checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} - checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} - spec: - priorityClassName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - {{- if .Values.amalogs.rbac }} - serviceAccountName: ama-logs - {{- end }} - containers: -{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} - {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} - - name: addon-token-adapter - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - - name: TOKEN_NAMESPACE - value: "azure-arc" -{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }} - {{- else }} - - name: msi-adapter - env: - - name: AZMON_COLLECT_ENV - value: "false" - - name: TOKEN_NAMESPACE - value: azure-arc - - name: CLUSTER_IDENTITY - value: "false" - - name: CLUSTER_TYPE - value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} - - name: EXTENSION_ARMID - value: {{ .Values.Azure.Extension.ResourceId }} - - name: EXTENSION_NAME - 
value: {{ .Values.Azure.Extension.Name }} - - name: MSI_ADAPTER_LISTENING_PORT - value: "8421" - - name: MANAGED_IDENTITY_AUTH - value: "true" - - name: MSI_ADAPTER_LIVENESS_PORT - value: "9090" - - name: TEST_MODE - value: "false" - - name: TEST_FILE - value: /data/token - image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 - securityContext: - privileged: true - capabilities: - add: - - NET_ADMIN - - NET_RAW - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 9090 - scheme: "HTTP" - initialDelaySeconds: 10 - periodSeconds: 15 - resources: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 20m - memory: 50Mi - lifecycle: - postStart: - exec: - command: ["/data/msi-adapter-ready-watcher"] - {{- end }} -{{- end }} - - name: ama-logs - image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} - imagePullPolicy: IfNotPresent - resources: -{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 9 }} - env: - {{- if ne .Values.amalogs.env.clusterId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.amalogs.env.clusterId | quote }} - {{- if ne .Values.amalogs.env.clusterRegion "" }} - - name: AKS_REGION - value: {{ .Values.amalogs.env.clusterRegion | quote }} - {{- end }} - {{- else if ne .Values.Azure.Cluster.ResourceId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.Azure.Cluster.ResourceId | quote }} - - name: USING_AAD_MSI_AUTH - value: {{ .Values.amalogs.useAADAuth | quote }} - {{- if ne .Values.Azure.Cluster.Region "" }} - - name: AKS_REGION - value: {{ .Values.Azure.Cluster.Region | quote }} - {{- end }} - {{- else }} - - name: ACS_RESOURCE_NAME - value: {{ .Values.amalogs.env.clusterName | quote }} - {{- end }} - - name: CONTROLLER_TYPE - value: "DaemonSet" - {{- if .Values.amalogs.enableHighLogScaleMode }} - - name: ENABLE_HIGH_LOG_SCALE_MODE - value: {{ .Values.amalogs.enableHighLogScaleMode | quote }} - {{- end }} - {{- if .Values.amalogs.syslog.enabled }} - - name: SYSLOG_HOST_PORT - value: {{ 
.Values.amalogs.syslog.syslogPort | quote }} - {{- end }} - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - {{- if not (empty .Values.Azure.Extension.Name) }} - - name: ARC_K8S_EXTENSION_NAME - value: {{ .Values.Azure.Extension.Name | quote }} - {{- end }} - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "" - {{- if .Values.amalogs.logsettings.logflushintervalsecs }} - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }} - {{- end }} - {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }} - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }} - {{- end }} - {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }} - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }} - {{- end }} - - name: ISTEST - value: {{ .Values.amalogs.ISTEST | quote }} - {{ if .Values.amalogs.isArcACluster }} - - name: IS_ARCA_CLUSTER - value: {{ .Values.amalogs.isArcACluster | quote }} - {{- end }} - {{- if ne .Values.amalogs.metricsEndpoint "" }} - - name: CUSTOM_METRICS_ENDPOINT - value: {{ .Values.amalogs.metricsEndpoint | quote }} - {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} - - name: CUSTOM_METRICS_ENDPOINT - value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" - {{- end }} - {{- if ne .Values.amalogs.tokenAudience "" }} - - name: customResourceEndpoint - value: {{ .Values.amalogs.tokenAudience | quote }} - {{- end }} - - name: IS_CUSTOM_CERT - value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} - - name: ENABLE_CUSTOM_METRICS - value: {{ .Values.amalogs.enableCustomMetrics | quote }} - {{ if .Values.amalogs.ISTEST }} - - name: AZMON_KUBERNETES_METADATA_ENABLED - value: "true" 
- {{- end }} - {{- if .Values.amalogs.enableTelegrafLivenessprobe }} - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} - {{- end }} - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.Azure.Cluster.Cloud | lower }}" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - {{- if .Values.amalogs.syslog.enabled }} - - name: syslog - containerPort: {{ .Values.amalogs.syslog.syslogPort }} - hostPort: {{ .Values.amalogs.syslog.syslogPort }} - protocol: TCP - {{- end }} - volumeMounts: - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - readOnly: true - {{- end }} - - mountPath: /hostfs - name: host-root - readOnly: true - mountPropagation: HostToContainer - - mountPath: /var/log - name: host-log - - mountPath: /var/lib/docker/containers - name: containerlog-path - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - {{- if .Values.amalogs.logsettings.custommountpath }} - - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} - name: custom-mount-path - {{- end }} - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - livenessProbe: - exec: - command: - - /bin/bash - - -c - - "/opt/livenessprobe.sh" - initialDelaySeconds: 60 - 
periodSeconds: 60 - timeoutSeconds: 15 - {{- if .Values.amalogs.sidecarscraping }} - - name: ama-logs-prometheus - image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} - imagePullPolicy: IfNotPresent - resources: -{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 9 }} - env: - {{- if ne .Values.amalogs.env.clusterId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.amalogs.env.clusterId | quote }} - {{- if ne .Values.amalogs.env.clusterRegion "" }} - - name: AKS_REGION - value: {{ .Values.amalogs.env.clusterRegion | quote }} - {{- end }} - {{- else if ne .Values.Azure.Cluster.ResourceId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.Azure.Cluster.ResourceId | quote }} - - name: USING_AAD_MSI_AUTH - value: {{ .Values.amalogs.useAADAuth | quote }} - {{- if ne .Values.Azure.Cluster.Region "" }} - - name: AKS_REGION - value: {{ .Values.Azure.Cluster.Region | quote }} - {{- end }} - {{- else }} - - name: ACS_RESOURCE_NAME - value: {{ .Values.amalogs.env.clusterName | quote }} - {{- end }} - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: CONTAINER_TYPE - value: "PrometheusSidecar" - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-prometheus - resource: limits.memory - - name: ISTEST - value: {{ .Values.amalogs.ISTEST | quote }} - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.Azure.Cluster.Cloud | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - readOnly: true - {{- end }} - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - 
readOnly: true - {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - {{- end }} - {{- with .Values.amalogs.daemonset.affinity }} - affinity: {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.amalogs.scheduleOnTaintedNodes }} - {{- with .Values.amalogs.tolerationsUnrestricted }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- else }} - {{- with .Values.amalogs.tolerations }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - volumes: - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 3600 - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - {{- end }} - - name: host-root - hostPath: - path: / - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - - name: containerlog-path - hostPath: - path: /var/lib/docker/containers - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - {{- if .Values.amalogs.logsettings.custommountpath }} - - name: custom-mount-path - hostPath: - path: {{ 
.Values.amalogs.logsettings.custommountpath }} - {{- end }} - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true -{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml deleted file mode 100644 index c49bd6be0..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-aks.yaml +++ /dev/null 
@@ -1,301 +0,0 @@ -{{- $amalogsWindowsDefaultImageTag := dict "component" "ama-logs-win" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} -{{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} -{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} -{{- $isusingaadauth := false -}} -{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} - {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} -{{- end -}} ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - name: ama-logs-windows - namespace: kube-system - labels: - component: ama-logs-agent-windows - tier: node-win - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 50% - selector: - matchLabels: - component: ama-logs-agent-windows - tier: node-win - template: - metadata: - labels: - component: ama-logs-agent-windows - tier: node-win - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "46.17.2" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - serviceAccountName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - containers: - - name: ama-logs-windows - 
image: "{{ template "addon_mcr_repository_base" . }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - {{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} - resources: - requests: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}" - limits: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" - {{- else }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" - {{- end }} - securityContext: - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - env: - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PODNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-windows - resource: limits.memory - {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - {{- else }} - - name: SIDECAR_SCRAPING_ENABLED - value: "false" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: 
"true" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - volumeMounts: - - mountPath: C:\ProgramData\docker\containers - name: docker-windows-containers - readOnly: true - - mountPath: C:\var - name: docker-windows-kuberenetes-container-logs - - mountPath: C:\etc\config\settings - name: settings-vol-config - readOnly: true - - mountPath: C:\etc\ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\config\adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: C:\etc\kubernetes\host - name: azure-json-path - readOnly: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - - mountPath: C:\ca - name: ca-certs - readOnly: true - {{- end }} - {{- if $isusingaadauth }} - - mountPath: C:\etc\IMDS-access-token - name: imds-token - readOnly: true - {{- end }} - livenessProbe: - exec: - command: - - cmd - - /c - - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe - - fluent-bit.exe - - fluentdwinaks - - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" - - "C:\\etc\\amalogswindows\\renewcertificate.txt" - {{- if and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled }} - - "MonAgentCore.exe" - {{- end }} - periodSeconds: 60 - initialDelaySeconds: 180 - timeoutSeconds: 15 -{{- if and (and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} - - name: addon-token-adapter-win - command: - - addon-token-adapter-win - args: - - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterWindowsDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 400m - memory: 400Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end}} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.azure.com/cluster - operator: Exists -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - windows - - key: type - operator: NotIn - values: - - virtual-kubelet - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - - name: docker-windows-kuberenetes-container-logs - hostPath: - path: C:\var - - name: azure-json-path - hostPath: - path: C:\k - - name: docker-windows-containers - hostPath: - path: C:\ProgramData\docker\containers - type: DirectoryOrCreate - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - - name: ca-certs - hostPath: - path: C:\ca - {{- end }} - {{- if $isusingaadauth }} - - name: imds-token - secret: - secretName: {{ .Values.OmsAgent.accessTokenSecretName }} - {{- end }} 
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml
deleted file mode 100644
index 7b0904f03..000000000
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset-windows-arc.yaml
+++ /dev/null
@@ -1,194 +0,0 @@ -{{- if not (.Values.amalogs.useAADAuth) }} -{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ama-logs-windows - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: ama-logs-agent-windows - tier: node-win -spec: - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - dsName: "ama-logs-ds" - template: - metadata: - labels: - dsName: "ama-logs-ds" - annotations: - agentVersion: {{ .Values.amalogs.image.winAgentVersion }} - dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} - schema-versions: "v1" - checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} - checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} - spec: - priorityClassName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.Version }} - nodeSelector: - kubernetes.io/os: windows -{{- else }} - nodeSelector: - kubernetes.io/os: windows -{{- end }} - {{- if .Values.amalogs.rbac }} - serviceAccountName: ama-logs - {{- end }} - containers: - - name: ama-logs-windows - image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tagWindows }} - imagePullPolicy: IfNotPresent - resources: -{{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 9 }} - securityContext: - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - env: - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - {{- if ne .Values.amalogs.env.clusterId "" }} - - name: AKS_RESOURCE_ID - value: {{ 
.Values.amalogs.env.clusterId | quote }} - {{- if ne .Values.amalogs.env.clusterRegion "" }} - - name: AKS_REGION - value: {{ .Values.amalogs.env.clusterRegion | quote }} - {{- end }} - {{- else if ne .Values.Azure.Cluster.ResourceId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.Azure.Cluster.ResourceId | quote }} - - name: USING_AAD_MSI_AUTH - value: {{ .Values.amalogs.useAADAuth | quote }} - {{- if ne .Values.Azure.Cluster.Region "" }} - - name: AKS_REGION - value: {{ .Values.Azure.Cluster.Region | quote }} - {{- end }} - {{- else }} - - name: ACS_RESOURCE_NAME - value: {{ .Values.amalogs.env.clusterName | quote }} - {{- end }} - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-windows - resource: limits.memory - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PODNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SIDECAR_SCRAPING_ENABLED - value: {{ .Values.amalogs.sidecarscraping | quote }} - - name: ENABLE_CUSTOM_METRICS - value: {{ .Values.amalogs.enableCustomMetrics | quote }} - {{ if .Values.amalogs.ISTEST }} - - name: AZMON_KUBERNETES_METADATA_ENABLED - value: "true" - {{- end }} - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.Azure.Cluster.Cloud | lower }}" - volumeMounts: - # Uncomment when telegraf upgraded to 1.28.5 or higher - # {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - # - name: kube-api-access - # mountPath: /var/run/secrets/kubernetes.io/serviceaccount - # readOnly: true - # {{- end }} - - mountPath: C:\ProgramData\docker\containers - name: docker-windows-containers - readOnly: true - - mountPath: C:\var #Read + Write access on this for position file - name: docker-windows-kuberenetes-container-logs - - mountPath: C:\etc\config\settings - name: settings-vol-config - readOnly: true - - mountPath: 
C:\etc\ama-logs-secret - name: ama-logs-secret - readOnly: true - livenessProbe: - exec: - command: - - cmd - - /c - - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe - - fluent-bit.exe - - fluentdwinaks - - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" - - "C:\\etc\\amalogswindows\\renewcertificate.txt" - periodSeconds: 60 - initialDelaySeconds: 180 - timeoutSeconds: 15 - {{- if .Values.amalogs.scheduleOnTaintedNodes }} - {{- with .Values.amalogs.tolerationsUnrestricted }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- else }} - {{- with .Values.amalogs.tolerations }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - volumes: - # Uncomment when telegraf upgraded to 1.28.5 or higher - # {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - # - name: kube-api-access - # projected: - # sources: - # - serviceAccountToken: - # path: token - # expirationSeconds: 3600 - # - configMap: - # items: - # - key: ca.crt - # path: ca.crt - # name: kube-root-ca.crt - # - downwardAPI: - # items: - # - fieldRef: - # apiVersion: v1 - # fieldPath: metadata.namespace - # path: namespace - # {{- end }} - - name: docker-windows-kuberenetes-container-logs - hostPath: - path: C:\var - - name: docker-windows-containers - hostPath: - path: C:\ProgramData\docker\containers - type: DirectoryOrCreate - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true -{{- end }} -{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml deleted file mode 100644 index b693e8fb5..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-aks.yaml +++ /dev/null 
@@ -1,358 +0,0 @@ -{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} -{{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}} -{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} -{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} -{{- $isusingaadauth := false -}} -{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} - {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} -{{- end -}} ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Deployment -metadata: - name: ama-logs-rs - namespace: kube-system - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - replicas: 1 - revisionHistoryLimit: 2 - paused: false - selector: - matchLabels: - rsName: "ama-logs-rs" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-rs" - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "azure-mdsd-1.37.0" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: 
system-node-critical -{{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - serviceAccountName: ama-logs - containers: -{{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: ama-logs-vpa - image: "{{ template "addon_mcr_repository_base" . }}/oss/v2/kubernetes/autoscaler/addon-resizer:{{- $amalogsRSVPAImageTag -}}" - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 5m - memory: 30Mi - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: ama-logs-rs-vpa-config-volume - mountPath: /etc/config - command: - - /pod_nanny - - --config-dir=/etc/config - - --cpu=200m - - --extra-cpu=2m - - --memory=300Mi - - --extra-memory=4Mi - - --poll-period=180000 - - --threshold=5 - - --namespace=kube-system - - --deployment=ama-logs-rs - - --container=ama-logs -{{- end }} -{{- if $isusingaadauth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - {{- if not .Values.OmsAgent.isRSVPAEnabled }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentRsCPULimit }}" - memory: "{{ .Values.OmsAgent.omsAgentRsMemoryLimit }}" - requests: - cpu: 150m - memory: 250Mi - {{- end }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - - name: NUM_OF_FLUENTD_WORKERS - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.cpu - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - {{- else }} - - name: SIDECAR_SCRAPING_ENABLED - value: "false" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- 
end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: RS_ADDON-RESIZER_VPA_ENABLED - value: "true" - {{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - - containerPort: 25227 - protocol: TCP - name: in-rs-tcp - volumeMounts: - - mountPath: /var/log - name: host-log - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config - name: ama-logs-rs-config - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if .Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system - - weight: 1 - preference: - matchExpressions: - - key: storageprofile - operator: NotIn - values: - - managed - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - volumes: - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-rs-config - configMap: - name: ama-logs-rs-config - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: 
osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - {{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: ama-logs-rs-vpa-config-volume - configMap: - name: ama-logs-rs-vpa-config - optional: true - {{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml deleted file mode 100644 index 2faf4db7d..000000000 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-deployment-arc.yaml +++ /dev/null 
@@ -1,308 +0,0 @@ -{{- if and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "") )}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ama-logs-rs - namespace: kube-system - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: ama-logs-agent - tier: node -spec: - replicas: 1 - selector: - matchLabels: - rsName: "ama-logs-rs" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-rs" - annotations: - agentVersion: {{ .Values.amalogs.image.agentVersion }} - dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} - schema-versions: "v1" - checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} - checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} - checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} - spec: - {{- if .Values.amalogs.rbac }} - serviceAccountName: ama-logs - {{- end }} - containers: -{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} - {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} - - name: addon-token-adapter - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - - name: TOKEN_NAMESPACE - value: "azure-arc" -{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }} - {{- else }} - - name: msi-adapter - env: - - name: AZMON_COLLECT_ENV - value: "false" - - name: TOKEN_NAMESPACE - value: azure-arc - - name: CLUSTER_IDENTITY - value: "false" - - name: CLUSTER_TYPE - value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} - - name: EXTENSION_ARMID - value: {{ .Values.Azure.Extension.ResourceId }} - - name: EXTENSION_NAME - value: {{ .Values.Azure.Extension.Name }} - - name: 
MSI_ADAPTER_LISTENING_PORT - value: "8421" - - name: MANAGED_IDENTITY_AUTH - value: "true" - - name: MSI_ADAPTER_LIVENESS_PORT - value: "9090" - - name: TEST_MODE - value: "false" - - name: TEST_FILE - value: /data/token - image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3 - securityContext: - privileged: true - capabilities: - add: - - NET_ADMIN - - NET_RAW - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 9090 - scheme: "HTTP" - initialDelaySeconds: 10 - periodSeconds: 15 - resources: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 20m - memory: 50Mi - lifecycle: - postStart: - exec: - command: ["/data/msi-adapter-ready-watcher"] - {{- end }} -{{- end }} - - name: ama-logs - image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} - imagePullPolicy: IfNotPresent - resources: -{{ toYaml .Values.amalogs.resources.deployment | indent 9 }} - env: - - name: NUM_OF_FLUENTD_WORKERS - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.cpu - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - {{- if ne .Values.amalogs.env.clusterId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.amalogs.env.clusterId | quote }} - {{- if ne .Values.amalogs.env.clusterRegion "" }} - - name: AKS_REGION - value: {{ .Values.amalogs.env.clusterRegion | quote }} - {{- end }} - {{- else if ne .Values.Azure.Cluster.ResourceId "" }} - - name: AKS_RESOURCE_ID - value: {{ .Values.Azure.Cluster.ResourceId | quote }} - - name: USING_AAD_MSI_AUTH - value: {{ .Values.amalogs.useAADAuth | quote }} - {{- if ne .Values.Azure.Cluster.Region "" }} - - name: AKS_REGION - value: {{ .Values.Azure.Cluster.Region | quote }} - {{- end }} - {{- else }} - - name: ACS_RESOURCE_NAME - value: {{ .Values.amalogs.env.clusterName | quote }} - {{- end }} - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: 
status.hostIP - {{- if not (empty .Values.Azure.Extension.Name) }} - - name: ARC_K8S_EXTENSION_NAME - value: {{ .Values.Azure.Extension.Name | quote }} - {{- end }} - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "" - - name: SIDECAR_SCRAPING_ENABLED - value: {{ .Values.amalogs.sidecarscraping | quote }} - - name: ISTEST - value: {{ .Values.amalogs.ISTEST | quote }} - {{ if .Values.amalogs.isArcACluster }} - - name: IS_ARCA_CLUSTER - value: {{ .Values.amalogs.isArcACluster | quote }} - {{- end }} - {{- if ne .Values.amalogs.metricsEndpoint "" }} - - name: CUSTOM_METRICS_ENDPOINT - value: {{ .Values.amalogs.metricsEndpoint | quote }} - {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} - - name: CUSTOM_METRICS_ENDPOINT - value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" - {{- end }} - {{- if ne .Values.amalogs.tokenAudience "" }} - - name: customResourceEndpoint - value: {{ .Values.amalogs.tokenAudience | quote }} - {{- end }} - - name: IS_CUSTOM_CERT - value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} - - name: ENABLE_CUSTOM_METRICS - value: {{ .Values.amalogs.enableCustomMetrics | quote }} - {{ if .Values.amalogs.ISTEST }} - - name: AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS - value: "true" - {{- end }} - {{- if .Values.amalogs.enableTelegrafLivenessprobe }} - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} - {{- end }} - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.Azure.Cluster.Cloud | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - volumeMounts: - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - 
readOnly: true - {{- end }} - - mountPath: /var/log - name: host-log - - mountPath: /var/lib/docker/containers - name: containerlog-path - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - - mountPath : /etc/config - name: ama-logs-rs-config - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - {{- if .Values.amalogs.logsettings.custommountpath }} - - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} - name: custom-mount-path - {{- end }} - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - livenessProbe: - exec: - command: - - /bin/bash - - -c - - "/opt/livenessprobe.sh" - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - {{- with .Values.amalogs.deployment.affinity }} - affinity: {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.amalogs.scheduleOnTaintedNodes }} - {{- with .Values.amalogs.tolerationsUnrestricted }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- else }} - {{- with .Values.amalogs.tolerations }} - tolerations: {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- end }} - volumes: - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} - - name: kube-api-access - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 3600 - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - {{- end }} - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - - name: containerlog-path - hostPath: - path: /var/lib/docker/containers - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-rs-config - configMap: - name: ama-logs-rs-config - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - {{- if .Values.amalogs.logsettings.custommountpath }} - - name: custom-mount-path - hostPath: - path: {{ .Values.amalogs.logsettings.custommountpath }} - {{- end }} - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true -{{- end }} From 6d2fafae0841974fdaedfa61f43509a88ea1ea15 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Mon, 23 Mar 2026 23:25:57 -0700 Subject: [PATCH 40/47] update all feilds --- .../templates/ama-logs-daemonset.yaml | 280 +++++++++--------- 1 file changed, 140 insertions(+), 140 deletions(-) diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml index f46d6c8c1..d87b10f46 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml 
@@ -39,12 +39,12 @@ metadata: namespace: kube-system labels: {{- if $isArcExtension }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} {{- else }} kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} +{{- if $.Values.legacyAddonDelivery }} kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile {{- end }} @@ -93,17 +93,17 @@ spec: {{- end }} annotations: {{- if $isArcExtension }} - agentVersion: {{ .Values.amalogs.image.agentVersion }} - dockerProviderVersion: {{ .Values.amalogs.image.dockerProviderVersion }} + agentVersion: {{ $.Values.amalogs.image.agentVersion }} + dockerProviderVersion: {{ $.Values.amalogs.image.dockerProviderVersion }} schema-versions: "v1" - checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") . | sha256sum }} - checksum/config: {{ toYaml .Values.amalogs.resources | sha256sum }} - checksum/logsettings: {{ toYaml .Values.amalogs.logsettings | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/ama-logs-secret.yaml") $ | sha256sum }} + checksum/config: {{ toYaml $.Values.amalogs.resources | sha256sum }} + checksum/logsettings: {{ toYaml $.Values.amalogs.logsettings | sha256sum }} {{- else }} agentVersion: "azure-mdsd-1.37.0" dockerProviderVersion: "18.0.1-0" schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} + WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} kubernetes.azure.com/no-http-proxy-vars: "true" {{- end }} spec: @@ -113,7 +113,7 @@ spec: priorityClassName: system-node-critical {{- end }} {{- if $isArcExtension }} -{{- if .Values.amalogs.rbac }} +{{- if $.Values.amalogs.rbac }} serviceAccountName: ama-logs {{- end }} {{- else }} 
@@ -126,8 +126,8 @@ spec: containers: {{/* Addon Token Adapter Container */}} {{- if $isArcExtension }} -{{- if and (ne .Values.Azure.Cluster.ResourceId "") (.Values.amalogs.useAADAuth) }} - {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }} +{{- if and (ne $.Values.Azure.Cluster.ResourceId "") ($.Values.amalogs.useAADAuth) }} + {{- if not (eq $.Values.Azure.Cluster.Distribution "openshift") }} - name: addon-token-adapter imagePullPolicy: IfNotPresent env: @@ -135,7 +135,7 @@ spec: value: "false" - name: TOKEN_NAMESPACE value: "azure-arc" -{{- .Values.Azure.Identity.MSIAdapterYaml | nindent 10 }} +{{- $.Values.Azure.Identity.MSIAdapterYaml | nindent 10 }} {{- else }} - name: msi-adapter env: @@ -146,11 +146,11 @@ spec: - name: CLUSTER_IDENTITY value: "false" - name: CLUSTER_TYPE - value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }} + value: {{ (split "/" $.Values.Azure.Cluster.ResourceId)._7 }} - name: EXTENSION_ARMID - value: {{ .Values.Azure.Extension.ResourceId }} + value: {{ $.Values.Azure.Extension.ResourceId }} - name: EXTENSION_NAME - value: {{ .Values.Azure.Extension.Name }} + value: {{ $.Values.Azure.Extension.Name }} - name: MSI_ADAPTER_LISTENING_PORT value: "8421" - name: MANAGED_IDENTITY_AUTH @@ -196,11 +196,11 @@ spec: - /addon-token-adapter args: - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} + - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName }} - --token-server-listening-port=8888 - --health-server-listening-port=9999 - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" + image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" imagePullPolicy: IfNotPresent env: - name: AZMON_COLLECT_ENV 
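Review bot: The three env values in the `msi-adapter` block of the `@@ -146,11 +146,11 @@` hunk (`CLUSTER_TYPE`, `EXTENSION_ARMID`, `EXTENSION_NAME`) are still rendered unquoted after the switch to `$.Values`, while most other templated env values in this file go through `| quote` or sit inside double quotes. A Kubernetes env `value` has to be a string, so an extension name or path segment that YAML reads as a number, boolean or null would fail validation or render as an empty value. I would write them as `value: {{ (split "/" $.Values.Azure.Cluster.ResourceId)._7 | quote }}`, `value: {{ $.Values.Azure.Extension.ResourceId | quote }}` and `value: {{ $.Values.Azure.Extension.Name | quote }}`. The container spec starts and continues outside the hunk.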
@@ -231,13 +231,13 @@ spec: {{/* Main ama-logs Container */}} - name: ama-logs {{- if $isArcExtension }} - image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + image: {{ printf "%s:%s" $.Values.amalogs.image.repo $.Values.amalogs.image.tag }} imagePullPolicy: IfNotPresent resources: -{{ toYaml .Values.amalogs.resources.daemonsetlinux | indent 12 }} +{{ toYaml $.Values.amalogs.resources.daemonsetlinux | indent 12 }} {{- else }} - image: "{{ template "addon_mcr_repository_base" . }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" + {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} imagePullPolicy: Always {{- else }} imagePullPolicy: IfNotPresent 
@@ -254,25 +254,25 @@ spec: {{- end }} env: {{- if $isArcExtension }} - {{- if ne .Values.amalogs.env.clusterId "" }} + {{- if ne $.Values.amalogs.env.clusterId "" }} - name: AKS_RESOURCE_ID - value: {{ .Values.amalogs.env.clusterId | quote }} - {{- if ne .Values.amalogs.env.clusterRegion "" }} + value: {{ $.Values.amalogs.env.clusterId | quote }} + {{- if ne $.Values.amalogs.env.clusterRegion "" }} - name: AKS_REGION - value: {{ .Values.amalogs.env.clusterRegion | quote }} + value: {{ $.Values.amalogs.env.clusterRegion | quote }} {{- end }} - {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + {{- else if ne $.Values.Azure.Cluster.ResourceId "" }} - name: AKS_RESOURCE_ID - value: {{ .Values.Azure.Cluster.ResourceId | quote }} + value: {{ $.Values.Azure.Cluster.ResourceId | quote }} - name: USING_AAD_MSI_AUTH - value: {{ .Values.amalogs.useAADAuth | quote }} - {{- if ne .Values.Azure.Cluster.Region "" }} + value: {{ $.Values.amalogs.useAADAuth | quote }} + {{- if ne $.Values.Azure.Cluster.Region "" }} - name: AKS_REGION - value: {{ .Values.Azure.Cluster.Region | quote }} + value: {{ $.Values.Azure.Cluster.Region | quote }} {{- end }} {{- else }} - name: ACS_RESOURCE_NAME - value: {{ .Values.amalogs.env.clusterName | quote }} + value: {{ $.Values.amalogs.env.clusterName | quote }} {{- end }} {{- else }} - name: NODE_IP 
@@ -295,23 +295,23 @@ spec: - name: FBIT_TAIL_BUFFER_MAX_SIZE value: "1" - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" + value: "{{ $.Values.OmsAgent.aksClusterName }}" - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" + value: "{{ $.Values.OmsAgent.aksResourceID }}" - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - name: AKS_REGION - value: "{{ .Values.global.commonGlobals.Region }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" + value: "{{ $.Values.OmsAgent.identityClientID }}" - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS value: "koreacentral,norwayeast,eastus2" - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" + value: "{{ $.Values.AppmonitoringAgent.enabled }}" - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" + value: "{{ $.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" + value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - name: APPMONITORING_OPENTELEMETRYLOGS_PORT_GRPC value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPortGrpc | default 28332 }}" - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT 
@@ -319,16 +319,16 @@ spec: - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT_GRPC value: "4320" - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} 
@@ -339,27 +339,27 @@ spec: - name: USING_AAD_MSI_AUTH value: "false" {{- end }} - {{- if eq (.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - name: SYSLOG_HOST_PORT - value: {{ .Values.OmsAgent.syslogHostPort | default 28330 | quote}} + value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} {{- end }} - name: AZMON_RETINA_FLOW_LOGS_ENABLED - value: "{{ .Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}" + value: "{{ $.Values.OmsAgent.isRetinaFlowLogsEnabled | default false }}" - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED - value: "{{ .Values.OmsAgent.isResourceOptimizationEnabled | default false }}" + value: "{{ $.Values.OmsAgent.isResourceOptimizationEnabled | default false }}" - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" {{- end }} - name: CONTROLLER_TYPE value: "DaemonSet" {{- if $isArcExtension }} - {{- if .Values.amalogs.enableHighLogScaleMode }} + {{- if $.Values.amalogs.enableHighLogScaleMode }} - name: ENABLE_HIGH_LOG_SCALE_MODE - value: {{ .Values.amalogs.enableHighLogScaleMode | quote }} + value: {{ $.Values.amalogs.enableHighLogScaleMode | quote }} {{- end }} - {{- if .Values.amalogs.syslog.enabled }} + {{- if $.Values.amalogs.syslog.enabled }} - name: SYSLOG_HOST_PORT - value: {{ .Values.amalogs.syslog.syslogPort | quote }} + value: {{ $.Values.amalogs.syslog.syslogPort | quote }} {{- end }} - name: NODE_IP valueFrom: 
@@ -370,62 +370,62 @@ spec: resourceFieldRef: containerName: ama-logs resource: limits.memory - {{- if not (empty .Values.Azure.Extension.Name) }} + {{- if not (empty $.Values.Azure.Extension.Name) }} - name: ARC_K8S_EXTENSION_NAME - value: {{ .Values.Azure.Extension.Name | quote }} + value: {{ $.Values.Azure.Extension.Name | quote }} {{- end }} - name: USER_ASSIGNED_IDENTITY_CLIENT_ID value: "" - {{- if .Values.amalogs.logsettings.logflushintervalsecs }} + {{- if $.Values.amalogs.logsettings.logflushintervalsecs }} - name: FBIT_SERVICE_FLUSH_INTERVAL - value: {{ .Values.amalogs.logsettings.logflushintervalsecs | quote }} + value: {{ $.Values.amalogs.logsettings.logflushintervalsecs | quote }} {{- end }} - {{- if .Values.amalogs.logsettings.tailbufchunksizemegabytes }} + {{- if $.Values.amalogs.logsettings.tailbufchunksizemegabytes }} - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: {{ .Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }} + value: {{ $.Values.amalogs.logsettings.tailbufchunksizemegabytes | quote }} {{- end }} - {{- if .Values.amalogs.logsettings.tailbufmaxsizemegabytes }} + {{- if $.Values.amalogs.logsettings.tailbufmaxsizemegabytes }} - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: {{ .Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }} + value: {{ $.Values.amalogs.logsettings.tailbufmaxsizemegabytes | quote }} {{- end }} - name: ISTEST - value: {{ .Values.amalogs.ISTEST | quote }} - {{- if .Values.amalogs.isArcACluster }} + value: {{ $.Values.amalogs.ISTEST | quote }} + {{- if $.Values.amalogs.isArcACluster }} - name: IS_ARCA_CLUSTER - value: {{ .Values.amalogs.isArcACluster | quote }} + value: {{ $.Values.amalogs.isArcACluster | quote }} {{- end }} - {{- if ne .Values.amalogs.metricsEndpoint "" }} + {{- if ne $.Values.amalogs.metricsEndpoint "" }} - name: CUSTOM_METRICS_ENDPOINT - value: {{ .Values.amalogs.metricsEndpoint | quote }} - {{- else if ne .Values.Azure.proxySettings.autonomousFqdn "" }} + value: {{ 
$.Values.amalogs.metricsEndpoint | quote }} + {{- else if ne $.Values.Azure.proxySettings.autonomousFqdn "" }} - name: CUSTOM_METRICS_ENDPOINT - value: "https://metricsingestiongateway.monitoring.{{ .Values.Azure.proxySettings.autonomousFqdn }}" + value: "https://metricsingestiongateway.monitoring.{{ $.Values.Azure.proxySettings.autonomousFqdn }}" {{- end }} - {{- if ne .Values.amalogs.tokenAudience "" }} + {{- if ne $.Values.amalogs.tokenAudience "" }} - name: customResourceEndpoint - value: {{ .Values.amalogs.tokenAudience | quote }} + value: {{ $.Values.amalogs.tokenAudience | quote }} {{- end }} - name: IS_CUSTOM_CERT - value: {{ .Values.Azure.proxySettings.isCustomCert | quote }} + value: {{ $.Values.Azure.proxySettings.isCustomCert | quote }} - name: ENABLE_CUSTOM_METRICS - value: {{ .Values.amalogs.enableCustomMetrics | quote }} - {{- if .Values.amalogs.ISTEST }} + value: {{ $.Values.amalogs.enableCustomMetrics | quote }} + {{- if $.Values.amalogs.ISTEST }} - name: AZMON_KUBERNETES_METADATA_ENABLED value: "true" {{- end }} - {{- if .Values.amalogs.enableTelegrafLivenessprobe }} + {{- if $.Values.amalogs.enableTelegrafLivenessprobe }} - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: {{ .Values.amalogs.enableTelegrafLivenessprobe | quote }} + value: {{ $.Values.amalogs.enableTelegrafLivenessprobe | quote }} {{- end }} - name: HOSTNAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + value: "{{ $.Values.Azure.Cluster.Cloud | lower }}" {{- else }} - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" {{- end }} securityContext: privileged: true 
@@ -440,23 +440,23 @@ spec: - containerPort: 25224 protocol: UDP {{- if $isArcExtension }} - {{- if .Values.amalogs.syslog.enabled }} + {{- if $.Values.amalogs.syslog.enabled }} - name: syslog - containerPort: {{ .Values.amalogs.syslog.syslogPort }} - hostPort: {{ .Values.amalogs.syslog.syslogPort }} + containerPort: {{ $.Values.amalogs.syslog.syslogPort }} + hostPort: {{ $.Values.amalogs.syslog.syslogPort }} protocol: TCP {{- end }} {{- else }} - {{- if eq (.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - name: syslog containerPort: 28330 - hostPort: {{ .Values.OmsAgent.syslogHostPort | default 28330 }} + hostPort: {{ $.Values.OmsAgent.syslogHostPort | default 28330 }} protocol: TCP {{- end }} - {{- if eq (.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} + {{- if eq ($.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} - name: otlp-logs containerPort: 4319 - hostPort: {{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} + hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} protocol: TCP - name: otlp-logs-grpc containerPort: 4320 @@ -466,7 +466,7 @@ spec: {{- end }} volumeMounts: {{- if $isArcExtension }} - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + {{- if $.Values.amalogs.enableServiceAccountTimeBoundToken }} - name: kube-api-access mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true @@ -479,11 +479,11 @@ spec: - mountPath: /var/log name: host-log {{- if not $isArcExtension }} - {{- if .Values.OmsAgent.isSyslogEnabled }} + {{- if $.Values.OmsAgent.isSyslogEnabled }} - mountPath: /var/run/mdsd-ci name: mdsd-sock {{- end }} - {{- if .Values.OmsAgent.isRetinaFlowLogsEnabled }} + {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - mountPath: /var/log/acns/hubble name: acns-hubble {{- end }} 
@@ -512,7 +512,7 @@ spec: readOnly: true {{- end }} {{- if $isArcExtension }} - {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + {{- if and ($.Values.Azure.proxySettings.isProxyEnabled) ($.Values.Azure.proxySettings.proxyCert) (not $.Values.amalogs.ignoreExtensionProxySettings) }} - mountPath: /etc/ssl/certs/proxy-cert.crt subPath: PROXYCERT.crt name: ama-logs-secret @@ -523,8 +523,8 @@ spec: name: settings-vol-config readOnly: true {{- if $isArcExtension }} - {{- if .Values.amalogs.logsettings.custommountpath }} - - mountPath: {{ .Values.amalogs.logsettings.custommountpath }} + {{- if $.Values.amalogs.logsettings.custommountpath }} + - mountPath: {{ $.Values.amalogs.logsettings.custommountpath }} name: custom-mount-path {{- end }} {{- end }} @@ -532,7 +532,7 @@ spec: name: ama-logs-adx-secret readOnly: true {{- if not $isArcExtension }} - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - mountPath: /anchors/mariner name: anchors-mariner readOnly: true @@ -540,7 +540,7 @@ spec: name: anchors-ubuntu readOnly: true {{- end }} - {{- if .Values.OmsAgent.trustedCA }} + {{- if $.Values.OmsAgent.trustedCA }} - mountPath: /etc/ssl/certs/proxy-cert.crt subPath: PROXYCERT.crt name: ama-logs-secret 
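Review bot: `custommountpath` is taken from values and rendered unquoted into `mountPath` in the `@@ -523,8 +523,8 @@` hunk and into the matching `hostPath` `path` in the `@@ -908,10 +908,10 @@` hunk, and the mount carries no `readOnly: true`, unlike the neighbouring secret and config mounts. The context lines of this container show `securityContext: privileged: true`, so whoever controls this value decides which host directory the agent can write to. If the agent only reads logs from that path (not visible here), add `readOnly: true` under the mount and quote both uses, `- mountPath: {{ $.Values.amalogs.logsettings.custommountpath | quote }}`. A one-line comment next to the value stating that it must point at a log directory would document the expectation. The volumeMounts list starts and ends outside the hunk.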
@@ -558,32 +558,32 @@ spec: timeoutSeconds: 15 {{/* Prometheus Sidecar Container */}} {{- if $isArcExtension }} - {{- if .Values.amalogs.sidecarscraping }} + {{- if $.Values.amalogs.sidecarscraping }} - name: ama-logs-prometheus - image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }} + image: {{ printf "%s:%s" $.Values.amalogs.image.repo $.Values.amalogs.image.tag }} imagePullPolicy: IfNotPresent resources: -{{ toYaml .Values.amalogs.resources.daemonsetlinuxsidecar | indent 12 }} +{{ toYaml $.Values.amalogs.resources.daemonsetlinuxsidecar | indent 12 }} env: - {{- if ne .Values.amalogs.env.clusterId "" }} + {{- if ne $.Values.amalogs.env.clusterId "" }} - name: AKS_RESOURCE_ID - value: {{ .Values.amalogs.env.clusterId | quote }} - {{- if ne .Values.amalogs.env.clusterRegion "" }} + value: {{ $.Values.amalogs.env.clusterId | quote }} + {{- if ne $.Values.amalogs.env.clusterRegion "" }} - name: AKS_REGION - value: {{ .Values.amalogs.env.clusterRegion | quote }} + value: {{ $.Values.amalogs.env.clusterRegion | quote }} {{- end }} - {{- else if ne .Values.Azure.Cluster.ResourceId "" }} + {{- else if ne $.Values.Azure.Cluster.ResourceId "" }} - name: AKS_RESOURCE_ID - value: {{ .Values.Azure.Cluster.ResourceId | quote }} + value: {{ $.Values.Azure.Cluster.ResourceId | quote }} - name: USING_AAD_MSI_AUTH - value: {{ .Values.amalogs.useAADAuth | quote }} - {{- if ne .Values.Azure.Cluster.Region "" }} + value: {{ $.Values.amalogs.useAADAuth | quote }} + {{- if ne $.Values.Azure.Cluster.Region "" }} - name: AKS_REGION - value: {{ .Values.Azure.Cluster.Region | quote }} + value: {{ $.Values.Azure.Cluster.Region | quote }} {{- end }} {{- else }} - name: ACS_RESOURCE_NAME - value: {{ .Values.amalogs.env.clusterName | quote }} + value: {{ $.Values.amalogs.env.clusterName | quote }} {{- end }} - name: CONTROLLER_TYPE value: "DaemonSet" 
@@ -599,13 +599,13 @@ spec: containerName: ama-logs-prometheus resource: limits.memory - name: ISTEST - value: {{ .Values.amalogs.ISTEST | quote }} + value: {{ $.Values.amalogs.ISTEST | quote }} - name: HOSTNAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.Azure.Cluster.Cloud | lower }}" + value: "{{ $.Values.Azure.Cluster.Cloud | lower }}" securityContext: privileged: true capabilities: @@ -614,7 +614,7 @@ spec: add: - DAC_OVERRIDE volumeMounts: - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + {{- if $.Values.amalogs.enableServiceAccountTimeBoundToken }} - name: kube-api-access mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true @@ -624,7 +624,7 @@ spec: - mountPath: /etc/ama-logs-secret name: ama-logs-secret readOnly: true - {{- if and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.proxyCert) (not .Values.amalogs.ignoreExtensionProxySettings) }} + {{- if and ($.Values.Azure.proxySettings.isProxyEnabled) ($.Values.Azure.proxySettings.proxyCert) (not $.Values.amalogs.ignoreExtensionProxySettings) }} - mountPath: /etc/ssl/certs/proxy-cert.crt subPath: PROXYCERT.crt name: ama-logs-secret 
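Review bot: The Prometheus sidecar keeps `privileged: true` in the context lines of the `@@ -599,13 +599,13 @@` hunk, and the `capabilities` block that follows adds `DAC_OVERRIDE` (visible in the next hunk); the same pairing appears for the AKS sidecar in the `@@ -711,14 +711,14 @@` hunk. As far as I know, container runtimes grant a privileged container every capability, so the `capabilities` list likely has no effect while `privileged` is set. If the sidecar only scrapes metrics and reads the mounted secret and config (its full requirements are not visible here), I would try `privileged: false` with `allowPrivilegeEscalation: false` and keep the explicit capability list, or add a comment recording why privileged mode is required. The securityContext block is split across hunks, so part of it is outside this view.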
@@ -647,10 +647,10 @@ spec: timeoutSeconds: 15 {{- end }} {{- else }} - {{- if and (not .Values.OmsAgent.isPrometheusMetricsScrapingDisabled) .Values.OmsAgent.isSidecarScrapingEnabled }} + {{- if and (not $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled) $.Values.OmsAgent.isSidecarScrapingEnabled }} - name: ama-logs-prometheus - image: "{{ template "addon_mcr_repository_base" . }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} + image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" + {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} imagePullPolicy: Always {{- else }} imagePullPolicy: IfNotPresent 
@@ -679,28 +679,28 @@ spec: fieldRef: fieldPath: spec.nodeName - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" + value: "{{ $.Values.OmsAgent.aksClusterName }}" - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" + value: "{{ $.Values.OmsAgent.aksResourceID }}" - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" + value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - name: AKS_REGION - value: "{{ .Values.global.commonGlobals.Region }}" + value: "{{ $.Values.global.commonGlobals.Region }}" - name: CONTROLLER_TYPE value: "DaemonSet" - name: CONTAINER_TYPE value: "PrometheusSidecar" - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USNat") }} + value: "{{ $.Values.OmsAgent.identityClientID }}" + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - name: MCR_URL value: "https://mcr.microsoft.eaglex.ic.gov/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "USSec") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - name: MCR_URL value: "https://mcr.microsoft.scloud/v2/" {{- end }} - {{- if (eq .Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} + {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - name: MCR_URL value: "https://mcr.microsoft.sovcloud-api.fr/v2/" {{- end }} 
@@ -711,14 +711,14 @@ spec: - name: USING_AAD_MSI_AUTH value: "false" {{- end }} - {{- if eq (.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} + {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - name: SYSLOG_HOST_PORT - value: {{ .Values.OmsAgent.syslogHostPort | default 28330 | quote}} + value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} {{- end }} - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" + value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" + value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" securityContext: privileged: true capabilities: @@ -743,7 +743,7 @@ spec: readOnly: true - mountPath: /var/run/mdsd-PrometheusSidecar name: mdsd-prometheus-sock - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - mountPath: /anchors/mariner name: anchors-mariner readOnly: true @@ -751,13 +751,13 @@ spec: name: anchors-ubuntu readOnly: true {{- end }} - {{- if .Values.OmsAgent.trustedCA }} + {{- if $.Values.OmsAgent.trustedCA }} - mountPath: /etc/ssl/certs/proxy-cert.crt subPath: PROXYCERT.crt name: ama-logs-secret readOnly: true {{- end }} - {{- if .Values.OmsAgent.isSyslogEnabled }} + {{- if $.Values.OmsAgent.isSyslogEnabled }} - mountPath: /var/run/mdsd-ci name: mdsd-sock {{- end }} 
@@ -774,21 +774,21 @@ spec: {{- end }} {{/* Affinity and Tolerations */}} {{- if $isArcExtension }} - {{- with .Values.amalogs.daemonset.affinity }} + {{- with $.Values.amalogs.daemonset.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.amalogs.scheduleOnTaintedNodes }} - {{- with .Values.amalogs.tolerationsUnrestricted }} + {{- if $.Values.amalogs.scheduleOnTaintedNodes }} + {{- with $.Values.amalogs.tolerationsUnrestricted }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} {{- else }} - {{- with .Values.amalogs.tolerations }} + {{- with $.Values.amalogs.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} {{- else }} -{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} -{{- $singleSize := dict "name" "" -}} +{{- $useDaemonSetSizing := and $.Values.global.commonGlobals.isAutomaticSKU $.Values.OmsAgent.enableDaemonSetSizing -}} +{{- $singleSize := dict "name" "" }} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -841,7 +841,7 @@ spec: {{/* Volumes */}} volumes: {{- if $isArcExtension }} - {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }} + {{- if $.Values.amalogs.enableServiceAccountTimeBoundToken }} - name: kube-api-access projected: sources: @@ -875,12 +875,12 @@ spec: hostPath: path: /var/log {{- if not $isArcExtension }} - {{- if .Values.OmsAgent.isSyslogEnabled }} + {{- if $.Values.OmsAgent.isSyslogEnabled }} - name: mdsd-sock hostPath: path: /var/run/mdsd-ci {{- end }} - {{- if .Values.OmsAgent.isRetinaFlowLogsEnabled }} + {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - name: acns-hubble hostPath: path: /var/log/acns/hubble 
@@ -908,10 +908,10 @@ spec: name: container-azm-ms-agentconfig optional: true {{- if $isArcExtension }} - {{- if .Values.amalogs.logsettings.custommountpath }} + {{- if $.Values.amalogs.logsettings.custommountpath }} - name: custom-mount-path hostPath: - path: {{ .Values.amalogs.logsettings.custommountpath }} + path: {{ $.Values.amalogs.logsettings.custommountpath }} {{- end }} {{- end }} - name: ama-logs-adx-secret @@ -923,7 +923,7 @@ spec: name: container-azm-ms-osmconfig optional: true {{- if not $isArcExtension }} - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} + {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - name: anchors-ubuntu hostPath: path: /usr/local/share/ca-certificates/ From 4e330600c27331759fec99c79b77429f7cacd037 Mon Sep 17 00:00:00 2001 From: NicAtMS <106997212+NicAtMS@users.noreply.github.com> Date: Thu, 26 Mar 2026 09:27:56 -0700 Subject: [PATCH 41/47] Nicchambers/daemonsetvaluechanges (#1622) * value and template updates for t-shirt sizing on container insights * use regex for number and suffix extraction * Moved sizing variables outside the if not $isArcExtension block, defaulting to a single empty-dict for Arc --------- Co-authored-by: LONG WAN (from Dev Box) --- .../templates/_helpers.tpl | 119 ++++++++++- .../templates/ama-logs-daemonset.yaml | 43 ++-- .../values.yaml | 188 +++++++++++------- 3 files changed, 249 insertions(+), 101 deletions(-) diff --git a/charts/azuremonitor-containerinsights/templates/_helpers.tpl b/charts/azuremonitor-containerinsights/templates/_helpers.tpl index b859282a6..012e99e28 100644 --- a/charts/azuremonitor-containerinsights/templates/_helpers.tpl +++ b/charts/azuremonitor-containerinsights/templates/_helpers.tpl 
@@ -103,4 +103,121 @@ HOST CA CERTIFICATE MOUNTING SECTION (from AKS chart) {{- define "should_mount_hostca" -}} {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }} {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}} -{{- end }} \ No newline at end of file +{{- end }} +{{/* +============================================================================= +RESOURCE QUANTITY HELPERS (for toggle processing) +============================================================================= +*/}} + +{{/* +Compare two resource quantities and return the maximum. +This replicates the Go maxResourceValue function using Kubernetes resource.ParseQuantity logic. +Supports all Kubernetes quantity formats: decimal fractions, binary/decimal units, CPU millicores. +Usage: {{ include "maxResourceValue" (list "1.5Gi" "2196Mi") }} +*/}} +{{- define "maxResourceValue" -}} +{{- $val1 := index . 0 -}} +{{- $val2 := index . 1 -}} + +{{/* Parse val1 to bytes/millicores */}} +{{- $val1Parsed := include "parseQuantity" $val1 -}} +{{- $val2Parsed := include "parseQuantity" $val2 -}} + +{{/* Compare parsed values */}} +{{- if ge ($val1Parsed | int64) ($val2Parsed | int64) -}} +{{- $val1 -}} +{{- else -}} +{{- $val2 -}} +{{- end -}} +{{- end }} + +{{/* +Parse a Kubernetes resource quantity to comparable integer value. +Mimics k8s.io/apimachinery/pkg/api/resource.ParseQuantity behavior. +Returns value in smallest unit (bytes for memory, millicores for CPU). +*/}} +{{- define "parseQuantity" -}} +{{- $quantity := . 
-}} +{{- $quantity = trim $quantity -}} + +{{/* Handle zero/empty */}} +{{- if or (eq $quantity "") (eq $quantity "0") -}} +0 +{{- else -}} + +{{/* Extract number and suffix using regex */}} +{{- $number := regexFind "^[0-9.]+" $quantity -}} +{{- $suffix := trimPrefix $number $quantity -}} + +{{/* Parse the numeric part - handle decimals */}} +{{- $intPart := 0 -}} +{{- $fracPart := 0 -}} +{{- $fracDivisor := 1 -}} + +{{- if contains "." $number -}} + {{- $parts := split "." $number -}} + {{- $intPart = index $parts 0 | int -}} + {{- $fracStr := index $parts 1 -}} + {{- $fracPart = $fracStr | int -}} + {{- $fracLen := len $fracStr -}} + {{- if eq $fracLen 1 -}}{{- $fracDivisor = 10 -}} + {{- else if eq $fracLen 2 -}}{{- $fracDivisor = 100 -}} + {{- else if eq $fracLen 3 -}}{{- $fracDivisor = 1000 -}} + {{- else if eq $fracLen 4 -}}{{- $fracDivisor = 10000 -}} + {{- else if eq $fracLen 5 -}}{{- $fracDivisor = 100000 -}} + {{- else -}}{{- $fracDivisor = 1000000 -}} + {{- end -}} +{{- else -}} + {{- $intPart = $number | int -}} +{{- end -}} + +{{/* Convert based on suffix - return in base units (bytes for memory, millicores for CPU) */}} +{{- $result := 0 -}} + +{{/* Binary suffixes (1024-based) */}} +{{- if eq $suffix "Ki" -}} + {{- $result = add (mul $intPart 1024) (div (mul $fracPart 1024) $fracDivisor) -}} +{{- else if eq $suffix "Mi" -}} + {{- $result = add (mul $intPart 1048576) (div (mul $fracPart 1048576) $fracDivisor) -}} +{{- else if eq $suffix "Gi" -}} + {{- $result = add (mul $intPart 1073741824) (div (mul $fracPart 1073741824) $fracDivisor) -}} +{{- else if eq $suffix "Ti" -}} + {{- $result = add (mul $intPart 1099511627776) (div (mul $fracPart 1099511627776) $fracDivisor) -}} +{{- else if eq $suffix "Pi" -}} + {{- $result = add (mul $intPart 1125899906842624) (div (mul $fracPart 1125899906842624) $fracDivisor) -}} + +{{/* Decimal suffixes (1000-based) */}} +{{- else if eq $suffix "k" -}} + {{- $result = add (mul $intPart 1000) (div (mul $fracPart 1000) 
$fracDivisor) -}} +{{- else if eq $suffix "M" -}} + {{- $result = add (mul $intPart 1000000) (div (mul $fracPart 1000000) $fracDivisor) -}} +{{- else if eq $suffix "G" -}} + {{- $result = add (mul $intPart 1000000000) (div (mul $fracPart 1000000000) $fracDivisor) -}} +{{- else if eq $suffix "T" -}} + {{- $result = add (mul $intPart 1000000000000) (div (mul $fracPart 1000000000000) $fracDivisor) -}} +{{- else if eq $suffix "P" -}} + {{- $result = add (mul $intPart 1000000000000000) (div (mul $fracPart 1000000000000000) $fracDivisor) -}} + +{{/* CPU millicores */}} +{{- else if eq $suffix "m" -}} + {{- $result = add (mul $intPart 1) (div $fracPart $fracDivisor) -}} + +{{/* No suffix - treat as base unit */}} +{{- else if eq $suffix "" -}} + {{- if contains "." $number -}} + {{/* Decimal number without suffix - assume CPU cores, convert to millicores */}} + {{- $result = add (mul $intPart 1000) (div (mul $fracPart 1000) $fracDivisor) -}} + {{- else -}} + {{/* Integer without suffix - could be bytes or cores */}} + {{- $result = $intPart -}} + {{- end -}} + +{{/* Unknown suffix - treat as base unit */}} +{{- else -}} + {{- $result = $intPart -}} +{{- end -}} + +{{- $result -}} +{{- end -}} +{{- end }} diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml index d87b10f46..84fdef2ed 100644 --- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml +++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml 
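Review bot: In `parseQuantity` the decimal branch does `$parts := split "." $number` and then `index $parts 0` / `index $parts 1`; Sprig's `split` returns a dict keyed `_0`, `_1` (the daemonset template in this chart uses `(split "/" ...)._7`), so indexing it with an integer should fail at render time for any value with a fraction, including the documented `"1.5Gi"` example. `{{- $parts := splitList "." $number -}}` keeps the two `index` calls working. Two further gaps: `$fracDivisor` stops at 1000000, so a fraction longer than six digits is scaled wrongly, and an integer without a suffix returns `$intPart` while `m` and decimal values return millicores, so `maxResourceValue` would rank `"2"` below `"500m"`. Unknown suffixes (for example `Ei`) silently fall back to the bare integer; calling `fail` there would surface a bad sizing value instead of quietly picking the wrong limit.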
@@ -15,18 +15,22 @@ {{- end -}} {{/* Outer condition: AKS always renders, Arc renders with valid credentials */}} {{- if or (not $isArcExtension) (and $isArcExtension (and (ne .Values.amalogs.secret.key "") (ne .Values.amalogs.secret.wsid "") (or (ne .Values.amalogs.env.clusterName "") (ne .Values.amalogs.env.clusterId "") (ne .Values.Azure.Cluster.ResourceId "")))) }} -{{/* AKS DaemonSet Sizing - only for AKS */}} +{{/* DaemonSet Sizing: AKS uses t-shirt sizing loop, Arc generates a single DaemonSet */}} +{{- $useDaemonSetSizing := false -}} +{{- $singleSize := dict -}} +{{- $sizes := list (dict) -}} +{{- $prevmaxCPU := 0 -}} {{- if not $isArcExtension }} -{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} -{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} -{{- $sizes := list ($singleSize) -}} -{{/* - if $useDaemonSetSizing - */}} - {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}} - {{/* - $sizes = list ($singleSize) - */}} - {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}} -{{/* - end - */}} +{{- $useDaemonSetSizing = and (eq .Values.Azure.Cluster.Kind "automatic") .Values.OmsAgent.enableDaemonSetSizing -}} +{{- $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize -}} +{{- $sizes = list $singleSize -}} +{{- if $useDaemonSetSizing -}} + {{- $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize -}} +{{- else -}} + {{- 
$sizes = list $singleSize -}} +{{- end -}} +{{- end }} {{/* Generate DaemonSets */}} -{{- $prevmaxCPU := 0 -}} {{- range $index, $size := $sizes -}} {{- if gt $index 0 }} --- @@ -35,7 +39,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: ama-logs + name: ama-logs{{- if gt $index 0 }}-{{ $size.name }}{{- end }} namespace: kube-system labels: {{- if $isArcExtension }} @@ -48,11 +52,9 @@ metadata: kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile {{- end }} -{{/* {{- if and $useDaemonSetSizing $size.name }} kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} {{- end }} - */}} {{- end }} component: ama-logs-agent tier: node @@ -70,11 +72,9 @@ spec: {{- else }} component: ama-logs-agent tier: node - {{/* {{- if and $useDaemonSetSizing $size.name }} kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} {{- end }} - */}} {{- end }} template: metadata: @@ -85,11 +85,9 @@ spec: component: ama-logs-agent tier: node kubernetes.azure.com/managedby: aks - {{/* {{- if and $useDaemonSetSizing $size.name }} kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} {{- end }} - */}} {{- end }} annotations: {{- if $isArcExtension }} @@ -245,8 +243,8 @@ spec: resources: limits: {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} + cpu: {{ include "maxResourceValue" (list $.Values.OmsAgent.omsAgentDsCPULimitLinux $containerResources.cpuLimit) }} + memory: {{ include "maxResourceValue" (list $.Values.OmsAgent.omsAgentDsMemoryLimitLinux $containerResources.memoryLimit) }} requests: {{- $containerResources := index $size.containers "ama-logs" }} cpu: {{ $containerResources.cpuRequest }} 
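Review bot: `eq .Values.Azure.Cluster.Kind "automatic"` is an exact, case-sensitive match, so a value such as `Automatic` quietly falls back to the single DaemonSet with no render error. The cloud-environment checks elsewhere in this chart normalize with `upper`/`lower` before comparing; doing the same here, `eq (lower (.Values.Azure.Cluster.Kind | default "base")) "automatic"`, keeps the switch predictable. The same expression is repeated in the `@@ -787,7 +785,7 @@` hunk, where `$useDaemonSetSizing` and `$singleSize` are still declared with `:=` and so appear to shadow the variables hoisted to the top here. The `{{- else -}}` branch also re-assigns `$sizes = list $singleSize`, which the line before the `if` has already done, so it can be dropped.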
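Review bot: The `cpu:` limit is now chosen by `maxResourceValue`, and the quantity parser added earlier in this patch returns a suffix-less integer unchanged (`"1"` gives 1) while `"500m"` and `"0.5"` both give 500. If `maxResourceValue` compares through that parser (its definition starts outside this excerpt), a toggle of `"1"` core would lose to a tier value of `"500m"` and the container would get the smaller limit. Every tier `cpuLimit` in values.yaml is `"0"` today, so this only bites once a tier sets a CPU minimum; passing the resource kind to the helper, or scaling suffix-less CPU integers by 1000, would make the comparison unit-consistent. The `@@ -658,8 +656,8 @@` hunk uses the helper the same way for the prometheus sidecar.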
@@ -658,8 +656,8 @@ spec: resources: limits: {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} + cpu: {{ include "maxResourceValue" (list $.Values.OmsAgent.omsAgentPrometheusSidecarCPULimit $containerResources.cpuLimit) }} + memory: {{ include "maxResourceValue" (list $.Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit $containerResources.memoryLimit) }} requests: {{- $containerResources := index $size.containers "ama-logs-prometheus" }} cpu: {{ $containerResources.cpuRequest }} @@ -787,7 +785,7 @@ spec: {{- end }} {{- end }} {{- else }} -{{- $useDaemonSetSizing := and $.Values.global.commonGlobals.isAutomaticSKU $.Values.OmsAgent.enableDaemonSetSizing -}} +{{- $useDaemonSetSizing := and (eq $.Values.Azure.Cluster.Kind "automatic") $.Values.OmsAgent.enableDaemonSetSizing }} {{- $singleSize := dict "name" "" }} affinity: nodeAffinity: @@ -940,4 +938,3 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml index f50ca8e51..9cc83e245 100644 --- a/charts/azuremonitor-containerinsights/values.yaml +++ b/charts/azuremonitor-containerinsights/values.yaml @@ -30,7 +30,7 @@ legacyAddonDelivery: false # OmsAgent configuration OmsAgent: aksResourceID: - enableDaemonSetSizing: false + enableDaemonSetSizing: true isCustomMetricsDisabled: false isUsingAADAuth: "true" retinaFlowLogsEnabled: false 
@@ -100,82 +100,115 @@ OmsAgent: # identityClientID: "" # accessTokenSecretName: "aad-msi-auth-token" - # # DaemonSet sizing configuration - # enableDaemonSetSizing: false - # daemonSetSizingValues: - # singleSize: - # containers: - # addon-token-adapter: - # cpuLimit: "100m" - # memoryLimit: "100Mi" - # cpuRequest: "20m" - # memoryRequest: "50Mi" - # ama-logs: - # cpuLimit: "150m" - # memoryLimit: "750Mi" - # cpuRequest: "75m" - # memoryRequest: "325Mi" - # ama-logs-prometheus: - # cpuLimit: "500m" - # memoryLimit: "1Gi" - # cpuRequest: "75m" - # memoryRequest: "225Mi" - # tShirtSizes: - # - name: "small" - # maxCPU: 4 - # containers: - # addon-token-adapter: - # cpuLimit: "100m" - # memoryLimit: "100Mi" - # cpuRequest: "20m" - # memoryRequest: "50Mi" - # ama-logs: - # cpuLimit: "150m" - # memoryLimit: "750Mi" - # cpuRequest: "75m" - # memoryRequest: "325Mi" - # ama-logs-prometheus: - # cpuLimit: "500m" - # memoryLimit: "1Gi" - # cpuRequest: "75m" - # memoryRequest: "225Mi" - # - name: "medium" - # maxCPU: 8 - # containers: - # addon-token-adapter: - # cpuLimit: "200m" - # memoryLimit: "200Mi" - # cpuRequest: "40m" - # memoryRequest: "100Mi" - # ama-logs: - # cpuLimit: "300m" - # memoryLimit: "1.5Gi" - # cpuRequest: "150m" - # memoryRequest: "650Mi" - # ama-logs-prometheus: - # cpuLimit: "1" - # memoryLimit: "2Gi" - # cpuRequest: "150m" - # memoryRequest: "450Mi" - # - name: "large" - # maxCPU: 16 - # containers: - # addon-token-adapter: - # cpuLimit: "400m" - # memoryLimit: "400Mi" - # cpuRequest: "80m" - # memoryRequest: "200Mi" - # ama-logs: - # cpuLimit: "600m" - # memoryLimit: "3Gi" - # cpuRequest: "300m" - # memoryRequest: "1.3Gi" - # ama-logs-prometheus: - # cpuLimit: "2" - # memoryLimit: "4Gi" - # cpuRequest: "300m" - # memoryRequest: "900Mi" - + # DaemonSet sizing configuration + daemonSetSizingValues: + singleSize: + containers: + addon-token-adapter: + cpuLimit: "100m" + memoryLimit: "100Mi" + cpuRequest: "20m" + memoryRequest: "50Mi" + ama-logs: + 
cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "75m" + memoryRequest: "325Mi" + ama-logs-prometheus: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "75m" + memoryRequest: "225Mi" + tShirtSizes: + - name: "xs" + maxCPU: 2 + containers: + addon-token-adapter: + cpuLimit: "100m" + memoryLimit: "100Mi" + cpuRequest: "10m" + memoryRequest: "20Mi" + ama-logs: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "45m" + memoryRequest: "343Mi" + ama-logs-prometheus: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "20m" + memoryRequest: "100Mi" + - name: "s" + maxCPU: 4 + containers: + addon-token-adapter: + cpuLimit: "100m" + memoryLimit: "100Mi" + cpuRequest: "10m" + memoryRequest: "20Mi" + ama-logs: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "100m" + memoryRequest: "476Mi" + ama-logs-prometheus: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "20m" + memoryRequest: "100Mi" + - name: "m" + maxCPU: 8 + containers: + addon-token-adapter: + cpuLimit: "100m" + memoryLimit: "100Mi" + cpuRequest: "10m" + memoryRequest: "20Mi" + ama-logs: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "2196Mi" # Tier-specific minimum - will be max of toggle vs this + cpuRequest: "161m" + memoryRequest: "978Mi" + ama-logs-prometheus: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "20m" + memoryRequest: "100Mi" + - name: "l" + maxCPU: 16 + containers: + addon-token-adapter: + cpuLimit: "100m" + memoryLimit: "100Mi" + cpuRequest: 
"10m" + memoryRequest: "20Mi" + ama-logs: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "2356Mi" # Tier-specific minimum - will be max of toggle vs this + cpuRequest: "229m" + memoryRequest: "1058Mi" + ama-logs-prometheus: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "20m" + memoryRequest: "100Mi" + - name: "xl" + containers: + addon-token-adapter: + cpuLimit: "100m" + memoryLimit: "100Mi" + cpuRequest: "10m" + memoryRequest: "20Mi" + ama-logs: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "2918Mi" # Tier-specific minimum - will be max of toggle vs this + cpuRequest: "404m" + memoryRequest: "1339Mi" + ama-logs-prometheus: + cpuLimit: "0" # Toggle always wins - no tier minimum + memoryLimit: "0" # Toggle always wins - no tier minimum + cpuRequest: "20m" + memoryRequest: "100Mi" # ============================================================================ # amalogs - ARC K8S EXTENSION VALUES (from azuremonitor-containers) # Exact order preserved from Arc chart @@ -376,6 +409,7 @@ Azure: Cloud: Region: ResourceId: + Kind: "base" # Can be "automatic" or "base" Distribution: "" # e.g., "openshift", "aks_edge_k3s", "aks_edge_k8s", etc. Extension: Name: "" From ee8a54e50a647458397893c69c480ca8a38afd1b Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 26 Mar 2026 09:31:55 -0700 Subject: [PATCH 42/47] update trivy --- .trivyignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index e4ff696d3..8dc1c37b7 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,2 +1,5 @@ # to merge trivy scan PR, temporarily ignore CVE-2026-24051 until a fix is available -CVE-2026-24051 \ No newline at end of file +CVE-2026-24051 +CVE-2026-33186 +CVE-2026-25679 +CVE-2026-27142 From 0963ac829a79799820ec7a16213c007b053fef42 Mon Sep 17 00:00:00 2001 
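Review bot: With `cpuLimit: "0"` and `memoryLimit: "0"` on `ama-logs` and `ama-logs-prometheus` in `singleSize` and most tiers, the rendered limit comes only from the `omsAgentDs*Limit*` and `omsAgentPrometheusSidecar*Limit` toggles, which this hunk does not define. If a toggle is empty, the template may render `cpu: 0` or `memory: 0`, which would presumably either be rejected against the non-zero request or leave a per-node agent without a ceiling. It is worth confirming what `maxResourceValue` prints for two zero inputs and failing the render in that case rather than emitting the value. The `xl` tier also has no `maxCPU`; a comment stating whether it is the deliberate catch-all tier would keep it from reading as an omission.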
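Review bot: `CVE-2026-33186`, `CVE-2026-25679` and `CVE-2026-27142` are added to the ignore list with no stated reason; the existing comment only explains `CVE-2026-24051`, and the commit title ("update trivy") does not say which component is affected or why the findings are acceptable. Each suppression should carry a comment naming the affected package, why it is not reachable here or which upstream fix is awaited, and a tracking reference, for example `# <package>: <reason>, tracked in <issue-link placeholder>`. Trivy's ignore file also accepts an expiry after the ID (`CVE-2026-33186 exp:<YYYY-MM-DD>`), so a "temporary" ignore resurfaces in the scan instead of staying suppressed indefinitely.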
From: "LONG WAN (from Dev Box)" Date: Thu, 26 Mar 2026 14:03:47 -0700 Subject: [PATCH 43/47] cleanup aks dev chart --- .pipelines/azure_pipeline_mergedbranches.yaml | 2 +- .../Chart.yaml | 4 - .../templates/_helpers.tpl | 67 - .../templates/ama-logs.yaml | 1916 ----------------- .../values.yaml | 201 -- .../values.yaml | 6 +- .../Scripts/pushChartToAcr.sh | 2 +- .../ama-metrics-prometheus-config-node.yaml | 32 - 8 files changed, 4 insertions(+), 2226 deletions(-) delete mode 100644 charts/azuremonitor-containerinsights-aks/Chart.yaml delete mode 100644 charts/azuremonitor-containerinsights-aks/templates/_helpers.tpl delete mode 100644 charts/azuremonitor-containerinsights-aks/templates/ama-logs.yaml delete mode 100644 charts/azuremonitor-containerinsights-aks/values.yaml delete mode 100644 test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml index 334ba9492..8aebaef08 100644 --- a/.pipelines/azure_pipeline_mergedbranches.yaml +++ b/.pipelines/azure_pipeline_mergedbranches.yaml @@ -90,7 +90,7 @@ extends: cd $(Build.SourcesDirectory)/deployment/mergebranch-multiarch-agent-deployment/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts - tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights-aks/ ../../../../charts/azuremonitor-containers-geneva/ pushChartToAcr.sh + tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights/ ../../../../charts/azuremonitor-containers-geneva/ pushChartToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh windowsAMAUrl="" 
diff --git a/charts/azuremonitor-containerinsights-aks/Chart.yaml b/charts/azuremonitor-containerinsights-aks/Chart.yaml deleted file mode 100644 index cd9a39eec..000000000 --- a/charts/azuremonitor-containerinsights-aks/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -description: azure-monitor-containers helm chart -name: azuremonitor-containers -version: 3.2.1-aks-main-1 diff --git a/charts/azuremonitor-containerinsights-aks/templates/_helpers.tpl b/charts/azuremonitor-containerinsights-aks/templates/_helpers.tpl deleted file mode 100644 index aceb79c04..000000000 --- a/charts/azuremonitor-containerinsights-aks/templates/_helpers.tpl +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -Consolidated helper functions for azuremonitor-containerinsights chart -Merged from: _aks_addon-images.tpl, _aks_images.tpl, _aks_helpers.tpl, _aks_common.tpl -*/}} - -{{/* -============================================================================= -Image Tags Section -============================================================================= -*/}} - -{{/* Get addon image tag - used for ama-logs and addon-resizer */}} -{{- define "get.addonImageTag" -}} - {{- if eq .component "addon-resizer" -}} -v1.8.23-4 - {{- else if eq .component "ama-logs-linux" -}} -3.1.34 - {{- else if eq .component "ama-logs-win" -}} -win-3.1.34 - {{- end -}} -{{- end -}} - -{{/* Get image tag - used for addon-token-adapter */}} -{{- define "get.imagetag" -}} -{{- if eq .component "addon-token-adapter-linux" -}} -master.250902.1 -{{- else if eq .component "addon-token-adapter-windows" -}} -master.250902.1 -{{- end -}} -{{- end -}} - -{{/* -============================================================================= -MCR Repository Section -============================================================================= -*/}} - -{{/* MCR repository base - returns cloud-specific MCR URL */}} -{{- define "mcr_repository_base" }} -{{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment| default "AZUREPUBLICCLOUD") }} -{{- if (eq $cloud_environment "AZURECHINACLOUD") }} -{{- "mcr.azk8s.cn" }} -{{- else if (eq $cloud_environment "USNat") }} -{{- "mcr.microsoft.eaglex.ic.gov" }} -{{- else if (eq $cloud_environment "USSec") }} -{{- "mcr.microsoft.scloud" }} -{{- else }} -{{- "mcr.microsoft.com" }} -{{- end }} -{{- end }} - -{{/* MCR repository template for addon charts */}} -{{- define "addon_mcr_repository_base" }} -{{- template "mcr_repository_base" . 
}} -{{- end }} - -{{/* -============================================================================= -Host CA Certificate Mounting Section -============================================================================= -*/}} - -{{/* Check if host CA certs should be mounted for specific cloud environments */}} -{{- define "should_mount_hostca" -}} - {{- $cloud_environment := (.Values.global.commonGlobals.CloudEnvironment | default "azurepubliccloud" | lower) }} - {{- has $cloud_environment (list "usnat" "ussec" "azurebleucloud") -}} -{{- end }} \ No newline at end of file diff --git a/charts/azuremonitor-containerinsights-aks/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights-aks/templates/ama-logs.yaml deleted file mode 100644 index 5f7a7d864..000000000 --- a/charts/azuremonitor-containerinsights-aks/templates/ama-logs.yaml +++ /dev/null 
@@ -1,1916 +0,0 @@ -{{- $amalogsLinuxDefaultImageTag := dict "component" "ama-logs-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} -{{- $amalogsWindowsDefaultImageTag := dict "component" "ama-logs-win" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" }} -{{- $addonTokenAdapterLinuxDefaultImageTag := dict "component" "addon-token-adapter-linux" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} -{{- $addonTokenAdapterWindowsDefaultImageTag := dict "component" "addon-token-adapter-windows" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.imagetag"}} -{{- $amalogsRSVPAImageTag := dict "component" "addon-resizer" "version" .Values.global.commonGlobals.Versions.Kubernetes | include "get.addonImageTag" -}} -{{- $WinImageTag := default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}} -{{/* Determine isusingaadauth value from OmsAgent.isUsingAADAuth */}} -{{- $isusingaadauth := false -}} -{{- if hasKey .Values.OmsAgent "isUsingAADAuth" -}} - {{- $isusingaadauth = .Values.OmsAgent.isUsingAADAuth -}} -{{- end -}} -{{/* TODO This needs to be fixed post Canary validation */}} -{{/* Extract cluster information from aksresourceid */}} -{{- $resourceParts := splitList "/" .Values.OmsAgent.aksResourceID -}} -{{- $aksclustername := last $resourceParts -}} -{{- $aksResourceGroup := index $resourceParts 4 -}} -{{- $region := .Values.global.commonGlobals.Region -}} -{{- $aksnoderesourcegroup := printf "MC_%s_%s_%s" $aksResourceGroup $aksclustername $region -}} -apiVersion: v1 -kind: Secret -metadata: - name: ama-logs-secret - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -type: Opaque -data: - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - KEY: {{ .Values.OmsAgent.workspaceKey | 
b64enc | quote }} -{{- if .Values.OmsAgent.isMoonCake }} - DOMAIN: {{ b64enc "opinsights.azure.cn" }} -{{- end }} -{{- if .Values.OmsAgent.isFairfax }} - DOMAIN: {{ b64enc "opinsights.azure.us" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT" }} - DOMAIN: {{ b64enc "opinsights.azure.eaglex.ic.gov" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC" }} - DOMAIN: {{ b64enc "opinsights.azure.microsoft.scloud" }} -{{- end }} -{{- if eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD" }} - DOMAIN: {{ b64enc "opinsights.sovcloud-api.fr" }} -{{- end }} -{{- if .Values.OmsAgent.httpsProxy }} - PROXY: {{ .Values.OmsAgent.httpsProxy | b64enc | quote }} -{{- else if .Values.OmsAgent.httpProxy }} - PROXY: {{ .Values.OmsAgent.httpProxy | b64enc | quote }} -{{- end}} -{{- if .Values.OmsAgent.trustedCA }} - PROXYCERT.crt: {{ .Values.OmsAgent.trustedCA | quote }} -{{- end}} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ama-logs - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} ---- -kind: ClusterRole -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -{{- end }} -metadata: - name: ama-logs-reader - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -rules: -- apiGroups: [""] - resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["apps", "extensions", "autoscaling"] - resources: ["replicasets", "deployments", "horizontalpodautoscalers"] - verbs: ["list"] -{{- if 
.Values.OmsAgent.isRSVPAEnabled }} -- apiGroups: ["apps"] - resources: ["deployments"] - resourceNames: [ "ama-logs-rs" ] - verbs: ["get", "patch"] -{{- end }} -{{- if $isusingaadauth }} -- apiGroups: [""] - resources: ["secrets"] - resourceNames: [{{ .Values.OmsAgent.accessTokenSecretName | quote }}] - verbs: ["get", "watch"] -{{- end }} -- nonResourceURLs: ["/metrics"] - verbs: ["get"] ---- -kind: ClusterRoleBinding -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -{{- end }} -metadata: - name: amalogsclusterrolebinding - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -subjects: - - kind: ServiceAccount - name: ama-logs - namespace: kube-system -roleRef: - kind: ClusterRole - name: ama-logs-reader - apiGroup: rbac.authorization.k8s.io ---- -kind: ConfigMap -apiVersion: v1 -data: - CLUSTER_RESOURCE_ID: "{{ .Values.OmsAgent.aksResourceID }}" -metadata: - name: container-azm-ms-aks-k8scluster - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} ---- -kind: ConfigMap -apiVersion: v1 -data: - kube.conf: |- - # Fluentd config file for OMS Docker - cluster components (kubeAPI) - #fluent forward plugin - - type forward - port "#{ENV['HEALTHMODEL_REPLICASET_SERVICE_SERVICE_PORT']}" - bind 0.0.0.0 - chunk_size_limit 4m - - - #Kubernetes pod inventory - - type kubepodinventory - tag oms.containerinsights.KubePodInventory - run_interval 60 - log_level debug - - - #Kubernetes Persistent Volume inventory - - type kubepvinventory - tag oms.containerinsights.KubePVInventory - run_interval 60 - log_level debug - - - #Kubernetes events - - type kubeevents - tag oms.containerinsights.KubeEvents - run_interval 60 - log_level debug - - - 
#Kubernetes Nodes - - type kubenodeinventory - tag oms.containerinsights.KubeNodeInventory - run_interval 60 - log_level debug - - - #Kubernetes health - - type kubehealth - tag kubehealth.ReplicaSet - run_interval 60 - log_level debug - - - #cadvisor perf- Windows nodes - - type wincadvisorperf - tag oms.api.wincadvisorperf - run_interval 60 - log_level debug - - - #Kubernetes object state - deployments - - type kubestatedeployments - tag oms.containerinsights.KubeStateDeployments - run_interval 60 - log_level debug - - - #Kubernetes object state - HPA - - type kubestatehpa - tag oms.containerinsights.KubeStateHpa - run_interval 60 - log_level debug - - - - type filter_inventory2mdm - log_level info - - - #custom_metrics_mdm filter plugin for perf data from windows nodes - - type filter_cadvisor2mdm - metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes,pvUsedBytes - log_level info - - - #health model aggregation filter - - type filter_health_model_builder - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubepods*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubepv*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path 
%STATE_DIR_WS%/out_oms_kubeservices*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/state/out_oms_kubenodes*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 3 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer - buffer_queue_limit 20 - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_oms - log_level debug - num_threads 2 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubeperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - - type out_mdm - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - 
retry_mdm_post_wait_minutes 30 - - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_kubehealth*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - - - type out_oms - log_level debug - num_threads 5 - buffer_chunk_limit 4m - buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_insightsmetrics*.buffer - buffer_queue_limit 20 - buffer_queue_full_action drop_oldest_chunk - flush_interval 20s - retry_limit 10 - retry_wait 5s - max_retry_wait 5m - -metadata: - name: ama-logs-rs-config - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} ---- -{{/* Get sizes */}} -{{- $useDaemonSetSizing := and .Values.global.commonGlobals.isAutomaticSKU .Values.OmsAgent.enableDaemonSetSizing -}} -{{- $singleSize := dict "containers" (dict "addon-token-adapter" (dict "cpuLimit" "100m" "memoryLimit" "100Mi" "cpuRequest" "20m" "memoryRequest" "50Mi") "ama-logs" (dict "cpuLimit" .Values.OmsAgent.omsAgentDsCPULimitLinux "memoryLimit" .Values.OmsAgent.omsAgentDsMemoryLimitLinux "cpuRequest" "75m" "memoryRequest" "325Mi") "ama-logs-prometheus" (dict "cpuLimit" .Values.OmsAgent.omsAgentPrometheusSidecarCPULimit "memoryLimit" .Values.OmsAgent.omsAgentPrometheusSidecarMemoryLimit "cpuRequest" "75m" "memoryRequest" "225Mi")) -}} -{{- $sizes := list ($singleSize) -}} -{{/* - if $useDaemonSetSizing - */}} - {{/* - $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize - */}} - {{/* - $sizes = list ($singleSize) - */}} - {{/* - $sizes = prepend .Values.OmsAgent.daemonSetSizingValues.tShirtSizes $singleSize - */}} -{{/* - end - */}} -{{/* Generate DaemonSets */}} -{{- $prevmaxCPU := 0 -}} -{{- range $index, $size := $sizes -}} -{{- if gt $index 0 }} ---- -{{ end -}} -{{- if semverCompare 
">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes -}} -apiVersion: apps/v1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if $.Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} - name: ama-logs{{/* {{- if and $useDaemonSetSizing $size.name }}-{{ $size.name }}{{- end }} */}} - namespace: kube-system -spec: - selector: - matchLabels: - component: ama-logs-agent - tier: node - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} - template: - metadata: - annotations: - agentVersion: "azure-mdsd-1.37.0" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ $.Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks - {{/* - {{- if and $useDaemonSetSizing $size.name }} - kubernetes.azure.com/ds-tshirt-size: {{ $size.name }} - {{- end }} - */}} -{{- if semverCompare "<1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - serviceAccountName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - containers: -{{- if $isusingaadauth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ $.Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - 
--health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" $ }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - {{- $containerResources := index $size.containers "addon-token-adapter" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" - {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - {{- $containerResources := index $size.containers "ama-logs" }} - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - - name: AKS_CLUSTER_NAME - value: "{{ $.Values.OmsAgent.aksClusterName }}" - - name: 
AKS_RESOURCE_ID - value: "{{ $.Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ $.Values.OmsAgent.identityClientID }}" - - name: AZMON_CONTAINERLOGS_ONEAGENT_REGIONS - value: "koreacentral,norwayeast,eastus2" - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ $.Values.AppmonitoringAgent.enabled }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ $.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - - name: AZMON_OPENTELEMETRYLOGS_CONTAINER_PORT - value: "4319" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: SYSLOG_HOST_PORT - value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} - {{- end }} - - name: AZMON_RETINA_FLOW_LOGS_ENABLED - value: "{{ $.Values.OmsAgent.isRetinaFlowLogsEnabled | default false 
}}" - - name: AZMON_RESOURCE_OPTIMIZATION_ENABLED - value: "{{ $.Values.OmsAgent.isResourceOptimizationEnabled | default false }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" - livenessProbe: - exec: - command: - - /bin/bash - - "-c" - - "/opt/livenessprobe.sh" - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: syslog - containerPort: 28330 - hostPort: {{ $.Values.OmsAgent.syslogHostPort | default 28330 }} - protocol: TCP - {{- end }} - {{- if eq ($.Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false) true }} - - name: otlp-logs - containerPort: 4319 - hostPort: {{ $.Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }} - protocol: TCP - {{- end }} - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - - mountPath: /hostfs - name: host-root - readOnly: true - mountPropagation: HostToContainer - - mountPath: /var/log - name: host-log - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - mountPath: /var/run/mdsd-ci - name: mdsd-sock - {{- end }} - {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - - mountPath: /var/log/acns/hubble - name: acns-hubble - {{- end }} - - mountPath: /var/run/mdsd-PrometheusSidecar - name: mdsd-prometheus-sock - - mountPath: /var/lib/docker/containers - name: containerlog-path - readOnly: true - - mountPath: /mnt/docker - name: containerlog-path-2 - readOnly: true - - mountPath: /mnt/containers - name: containerlog-path-3 - readOnly: true - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: 
true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - {{- if and (not $.Values.OmsAgent.isPrometheusMetricsScrapingDisabled) $.Values.OmsAgent.isSidecarScrapingEnabled }} - - name: ama-logs-prometheus - image: "{{ template "addon_mcr_repository_base" $ }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag $.Values.OmsAgent.imageTagLinux -}}" - {{- if $.Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuLimit }} - memory: {{ $containerResources.memoryLimit }} - requests: - {{- $containerResources := index $size.containers "ama-logs-prometheus" }} - cpu: {{ $containerResources.cpuRequest }} - memory: {{ $containerResources.memoryRequest }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-prometheus - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - 
- name: AKS_CLUSTER_NAME - value: "{{ $.Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ $.Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ $.Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: CONTAINER_TYPE - value: "PrometheusSidecar" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ $.Values.OmsAgent.identityClientID }}" - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USNat") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "USSec") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq $.Values.global.commonGlobals.CloudEnvironment "AzureBleuCloud") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if eq ($.Values.OmsAgent.shouldMountSyslogHostPort | default false) true }} - - name: SYSLOG_HOST_PORT - value: {{ $.Values.OmsAgent.syslogHostPort | default 28330 | quote}} - {{- end }} - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ $.Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ $.Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - volumeMounts: - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: 
settings-vol-config - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - - mountPath: /var/run/mdsd-PrometheusSidecar - name: mdsd-prometheus-sock - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - mountPath: /var/run/mdsd-ci - name: mdsd-sock - {{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - {{- end }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- if semverCompare ">=1.16.0" $.Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - {{- if $useDaemonSetSizing -}} - {{- if eq $size.name $singleSize.name -}} - {{/* Target non-Karpenter nodes */}} - - key: karpenter.azure.com/aksnodeclass - operator: DoesNotExist - {{- else }} - {{/* Target Karpenter nodes with CPU range */}} - {{- if gt $prevmaxCPU 0 -}} - - key: karpenter.azure.com/sku-cpu - operator: Gt - values: - - "{{ $prevmaxCPU }}" - {{- end -}} - {{/* Add new line. 
*/}} - {{- if and $prevmaxCPU $size.maxCPU }} - {{ end -}} - {{- if $size.maxCPU -}} - - key: karpenter.azure.com/sku-cpu - operator: Lt - values: - - "{{ add ($size.maxCPU | int) 1 }}" - {{- end -}} - {{- end -}} - {{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - - name: host-root - hostPath: - path: / - - name: mdsd-prometheus-sock - emptyDir: {} - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - {{- if $.Values.OmsAgent.isSyslogEnabled }} - - name: mdsd-sock - hostPath: - path: /var/run/mdsd-ci - {{- end }} - {{- if $.Values.OmsAgent.isRetinaFlowLogsEnabled }} - - name: acns-hubble - hostPath: - path: /var/log/acns/hubble - {{- end }} - - name: containerlog-path - hostPath: - path: /var/lib/docker/containers - - name: containerlog-path-2 - hostPath: - path: /mnt/docker - - name: containerlog-path-3 - hostPath: - path: /mnt/containers - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true - {{- if (eq (include "should_mount_hostca" $ ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 50% - -{{- if and (ne (default "" $size.name) (default "" $singleSize.name)) $size.maxCPU }} -{{- $prevmaxCPU = $size.maxCPU | int }} 
-{{- end }} -{{- end }} ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Deployment -metadata: - name: ama-logs-rs - namespace: kube-system - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - replicas: 1 - revisionHistoryLimit: 2 - paused: false - selector: - matchLabels: - rsName: "ama-logs-rs" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-rs" - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "azure-mdsd-1.37.0" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - serviceAccountName: ama-logs - containers: -{{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: ama-logs-vpa - image: "{{ template "addon_mcr_repository_base" . 
}}/oss/v2/kubernetes/autoscaler/addon-resizer:{{- $amalogsRSVPAImageTag -}}" - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 5m - memory: 30Mi - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: ama-logs-rs-vpa-config-volume - mountPath: /etc/config - command: - - /pod_nanny - - --config-dir=/etc/config - - --cpu=200m - - --extra-cpu=2m - - --memory=300Mi - - --extra-memory=4Mi - - --poll-period=180000 - - --threshold=5 - - --namespace=kube-system - - --deployment=ama-logs-rs - - --container=ama-logs -{{- end }} -{{- if $isusingaadauth }} - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . }}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end }} - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - {{- if not .Values.OmsAgent.isRSVPAEnabled }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentRsCPULimit }}" - memory: "{{ .Values.OmsAgent.omsAgentRsMemoryLimit }}" - requests: - cpu: 150m - memory: 250Mi - {{- end }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - - name: NUM_OF_FLUENTD_WORKERS - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.cpu - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - {{- else }} - - name: SIDECAR_SCRAPING_ENABLED - value: "false" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: 
MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - {{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: RS_ADDON-RESIZER_VPA_ENABLED - value: "true" - {{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - containerPort: 25225 - protocol: TCP - - containerPort: 25224 - protocol: UDP - - containerPort: 25227 - protocol: TCP - name: in-rs-tcp - volumeMounts: - - mountPath: /var/log - name: host-log - - mountPath: /etc/kubernetes/host - name: azure-json-path - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config - name: ama-logs-rs-config - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - - mountPath: /etc/config/settings/adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: /etc/config/osm-settings - name: osm-settings-vol-config - readOnly: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if .Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system - - weight: 1 - preference: - matchExpressions: - - key: storageprofile - operator: NotIn - values: - - managed - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - linux - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - volumes: - - name: container-hostname - hostPath: - path: /etc/hostname - - name: host-log - hostPath: - path: /var/log - - name: azure-json-path - hostPath: - path: /etc/kubernetes - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-rs-config - configMap: - name: ama-logs-rs-config - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - - name: 
osm-settings-vol-config - configMap: - name: container-azm-ms-osmconfig - optional: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - {{- if .Values.OmsAgent.isRSVPAEnabled }} - - name: ama-logs-rs-vpa-config-volume - configMap: - name: ama-logs-rs-vpa-config - optional: true - {{- end }} ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - name: ama-logs-windows - namespace: kube-system - labels: - component: ama-logs-agent-windows - tier: node-win - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 50% - selector: - matchLabels: - component: ama-logs-agent-windows - tier: node-win - template: - metadata: - labels: - component: ama-logs-agent-windows - tier: node-win - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "46.17.2" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - serviceAccountName: ama-logs - dnsConfig: - options: - - name: ndots - value: "3" - containers: - - name: ama-logs-windows - image: "{{ template "addon_mcr_repository_base" . 
}}/azuremonitor/containerinsights/ciprod:{{- default $amalogsWindowsDefaultImageTag .Values.OmsAgent.imageTagWindows -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - {{- if .Values.OmsAgent.isWindowsBurstableQoSEnabled }} - resources: - requests: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPURequestWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryRequestWindows }}" - limits: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" - {{- else }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentDsCPULimitWindows }}" - memory: "{{ .Values.OmsAgent.omsAgentDsMemoryLimitWindows }}" - {{- end }} - securityContext: - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - env: - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: USER_ASSIGNED_IDENTITY_CLIENT_ID - value: "{{ .Values.OmsAgent.identityClientID }}" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PODNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-windows - resource: limits.memory - {{- if .Values.OmsAgent.isSidecarScrapingEnabled }} - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - {{- else }} - - name: SIDECAR_SCRAPING_ENABLED - value: "false" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: 
REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: REQUIRES_CERT_BOOTSTRAP - value: "true" - {{- end }} - {{- if $isusingaadauth }} - - name: USING_AAD_MSI_AUTH - value: "true" - {{- else }} - - name: USING_AAD_MSI_AUTH - value: "false" - {{- end }} - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "{{ .Values.AppmonitoringAgent.isOpenTelemetryLogsEnabled | default false }}" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "{{ .Values.AppmonitoringAgent.openTelemetryLogsPort | default 28331 }}" - - name: PROMETHEUS_METRICS_SCRAPING_DISABLED - value: "{{ .Values.OmsAgent.isPrometheusMetricsScrapingDisabled }}" - - name: AZMON_TELEGRAF_LIVENESSPROBE_ENABLED - value: "{{ .Values.OmsAgent.isTelegrafLivenessprobeEnabled | default false }}" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "{{ .Values.OmsAgent.isWindowsAMAFluentBitEnabled | default false }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - volumeMounts: - - mountPath: C:\ProgramData\docker\containers - name: docker-windows-containers - readOnly: true - - mountPath: C:\var - name: docker-windows-kuberenetes-container-logs - - mountPath: C:\etc\config\settings - name: settings-vol-config - readOnly: true - - mountPath: C:\etc\ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\omsagent-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\config\adx - name: ama-logs-adx-secret - readOnly: true - - mountPath: C:\etc\kubernetes\host - name: azure-json-path - readOnly: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - - mountPath: C:\ca - name: ca-certs - readOnly: true - {{- end }} - {{- if $isusingaadauth }} - - mountPath: C:\etc\IMDS-access-token - name: imds-token - readOnly: true - {{- end }} - livenessProbe: - exec: - command: - - cmd - - /c - - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe - - fluent-bit.exe - - fluentdwinaks - - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" - - "C:\\etc\\amalogswindows\\renewcertificate.txt" - {{- if and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled }} - - "MonAgentCore.exe" - {{- end }} - periodSeconds: 60 - initialDelaySeconds: 180 - timeoutSeconds: 15 -{{- if and (and $isusingaadauth .Values.OmsAgent.isWindowsAMAEnabled) (not .Values.OmsAgent.isWindowsAddonTokenAdapterDisabled) }} - - name: addon-token-adapter-win - command: - - addon-token-adapter-win - args: - - --secret-namespace=kube-system - - --secret-name={{ .Values.OmsAgent.accessTokenSecretName }} - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterWindowsDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 400m - memory: 400Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW -{{- end}} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.azure.com/cluster - operator: Exists -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} - - key: kubernetes.io/os -{{- else }} - - key: beta.kubernetes.io/os -{{- end }} - operator: In - values: - - windows - - key: type - operator: NotIn - values: - - virtual-kubelet - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - - name: docker-windows-kuberenetes-container-logs - hostPath: - path: C:\var - - name: azure-json-path - hostPath: - path: C:\k - - name: docker-windows-containers - hostPath: - path: C:\ProgramData\docker\containers - type: DirectoryOrCreate - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - {{- if (eq (include "should_mount_hostca" . 
) "true" ) }} - - name: ca-certs - hostPath: - path: C:\ca - {{- end }} - {{- if $isusingaadauth }} - - name: imds-token - secret: - secretName: {{ .Values.OmsAgent.accessTokenSecretName }} - {{- end }} -{{- if and $isusingaadauth .Values.OmsAgent.isMultitenancyLogsEnabled }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: ama-logs-hpa - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: ama-logs-multitenancy - minReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMinReplicas }} - maxReplicas: {{ .Values.OmsAgent.omsAgentMultitenancyLogsHPAMaxReplicas }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgCPUUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.OmsAgent.omsAgentMultitenancyHPAAvgMemoryUtilization }} - behavior: - scaleDown: - stabilizationWindowSeconds: 1200 - policies: - - type: Percent - value: 5 - periodSeconds: 180 - scaleUp: - stabilizationWindowSeconds: 0 - policies: - - type: Pods - value: 5 - periodSeconds: 5 - - type: Percent - value: 100 - periodSeconds: 5 - selectPolicy: Max ---- -apiVersion: v1 -kind: Service -metadata: - name: ama-logs-service - namespace: kube-system - labels: -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - type: ClusterIP - ports: - - port: 24225 - targetPort: 24225 - protocol: TCP - name: fluentbit-fwd - selector: - rsName: "ama-logs-multitenancy" ---- -{{- if semverCompare ">=1.16.0" .Values.global.commonGlobals.Versions.Kubernetes }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: 
Deployment -metadata: - name: ama-logs-multitenancy - namespace: kube-system - labels: - component: ama-logs-agent - tier: node - kubernetes.azure.com/managedby: aks -{{- if .Values.legacyAddonDelivery }} - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -{{- end }} -spec: - replicas: 1 - selector: - matchLabels: - rsName: "ama-logs-multitenancy" - strategy: - type: RollingUpdate - template: - metadata: - labels: - rsName: "ama-logs-multitenancy" - kubernetes.azure.com/managedby: aks - annotations: - agentVersion: "azure-mdsd-1.37.0" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - dockerProviderVersion: "18.0.1-0" - schema-versions: "v1" - WSID: {{ .Values.OmsAgent.workspaceID | b64enc | quote }} - kubernetes.azure.com/no-http-proxy-vars: "true" -{{- if semverCompare "<1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- end }} - spec: -{{- if semverCompare ">=1.11.0" .Values.global.commonGlobals.Versions.Kubernetes }} - priorityClassName: system-node-critical -{{- end }} - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - volumes: - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - - name: anchors-ubuntu - hostPath: - path: /usr/local/share/ca-certificates/ - type: DirectoryOrCreate - - name: anchors-mariner - hostPath: - path: /etc/pki/ca-trust/source/anchors - type: DirectoryOrCreate - {{- end }} - serviceAccountName: ama-logs - containers: - - name: addon-token-adapter - command: - - /addon-token-adapter - args: - - --secret-namespace=kube-system - - --secret-name=aad-msi-auth-token - - --token-server-listening-port=8888 - - --health-server-listening-port=9999 - - --restart-pod-waiting-minutes-on-broken-connection=240 - image: "{{ template "addon_mcr_repository_base" . 
}}/aks/msi/addon-token-adapter:{{- $addonTokenAdapterLinuxDefaultImageTag -}}" - imagePullPolicy: IfNotPresent - env: - - name: AZMON_COLLECT_ENV - value: "false" - livenessProbe: - httpGet: - path: /healthz - port: 9999 - initialDelaySeconds: 10 - periodSeconds: 60 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW - - name: ama-logs - image: "{{ template "addon_mcr_repository_base" . }}/azuremonitor/containerinsights/ciprod:{{- default $amalogsLinuxDefaultImageTag .Values.OmsAgent.imageTagLinux -}}" - {{- if .Values.OmsAgent.isImagePullPolicyAlways }} - imagePullPolicy: Always - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - resources: - limits: - cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPULimitLinux }}" - memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryLimitLinux }}" - requests: - cpu: "{{ .Values.OmsAgent.omsAgentMultitenancyCPURequestLinux }}" - memory: "{{ .Values.OmsAgent.omsAgentMultitenancyMemoryRequestLinux }}" - env: - - name: AZMON_MULTI_TENANCY_LOG_COLLECTION - value: "true" - - name: AZMON_MULTI_TENANCY_LOGS_SERVICE_MODE - value: "true" - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs - resource: limits.memory - - name: AKS_CLUSTER_NAME - value: "{{ .Values.OmsAgent.aksClusterName }}" - - name: AKS_RESOURCE_ID - value: "{{ .Values.OmsAgent.aksResourceID }}" - - name: AKS_NODE_RESOURCE_GROUP - value: "{{ .Values.OmsAgent.aksNodeResourceGroup }}" - {{/* TODO This needs to be fixed post Canary validation */}} - - name: AKS_REGION - value: "{{ $.Values.global.commonGlobals.Region }}" - - name: CONTROLLER_TYPE - value: "ReplicaSet" - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USNAT") }} - - name: MCR_URL - value: "https://mcr.microsoft.eaglex.ic.gov/v2/" - {{- end }} 
- {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "USSEC") }} - - name: MCR_URL - value: "https://mcr.microsoft.scloud/v2/" - {{- end }} - {{- if (eq (upper .Values.global.commonGlobals.CloudEnvironment) "AZUREBLEUCLOUD") }} - - name: MCR_URL - value: "https://mcr.microsoft.sovcloud-api.fr/v2/" - {{- end }} - - name: USING_AAD_MSI_AUTH - value: "true" - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "{{ .Values.AppmonitoringAgent.enabled }}" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "{{ .Values.global.commonGlobals.CloudEnvironment | lower }}" - securityContext: - privileged: true - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - ports: - - name: http - containerPort: 24225 - protocol: TCP - volumeMounts: - - mountPath: /etc/ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: /etc/config/settings - name: settings-vol-config - readOnly: true - {{- if (eq (include "should_mount_hostca" . ) "true" ) }} - # USSec and USNat have cloud-specific Root and Intermediate CAs that must be mounted into all running containers from the host - # Container Insights has logic to update the trust store in the image based on certs present in /anchors/ mounts below - - mountPath: /anchors/mariner - name: anchors-mariner - readOnly: true - - mountPath: /anchors/ubuntu - name: anchors-ubuntu - readOnly: true - {{- end }} - {{- if .Values.OmsAgent.trustedCA }} - - mountPath: /etc/ssl/certs/proxy-cert.crt - subPath: PROXYCERT.crt - name: ama-logs-secret - readOnly: true - {{- end }} - lifecycle: - preStop: - exec: - command: [ - "sh", "-c", - # Introduce a delay to the shutdown sequence to wait for the - # pod eviction event to propagate. 
Then, gracefully shutdown - "sleep 5" - ] - livenessProbe: - exec: - command: - - /bin/bash - - -c - - /opt/livenessprobe.sh - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 15 - readinessProbe: - tcpSocket: - port: 24225 - initialDelaySeconds: 10 - periodSeconds: 30 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.azure.com/cluster - operator: Exists - - key: type - operator: NotIn - values: - - virtual-kubelet - - key: kubernetes.io/os - operator: In - values: - - linux - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: kubernetes.azure.com/mode - operator: In - values: - - system -{{- end }} diff --git a/charts/azuremonitor-containerinsights-aks/values.yaml b/charts/azuremonitor-containerinsights-aks/values.yaml deleted file mode 100644 index d8acf8f6a..000000000 --- a/charts/azuremonitor-containerinsights-aks/values.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ -# Add this section to fix the AppmonitoringAgent references -AppmonitoringAgent: - enabled: false - isOpenTelemetryLogsEnabled: false - openTelemetryLogsPort: 28331 - -# Add complete global section -global: - commonGlobals: - CloudEnvironment: - isAutomaticSKU: false - Region: - Versions: - Kubernetes: "1.32.7" - -legacyAddonDelivery: false - -# Default values for ama-logs configuration -# omsagent configuration -OmsAgent: - aksResourceID: - enableDaemonSetSizing: false - isAppMonitoringAgentEnabled: false - isOpenTelemetryLogsEnabled: false - isCustomMetricsDisabled: false - isUsingAADAuth: "true" - openTelemetryLogsPort: 28331 - retinaFlowLogsEnabled: false - workspaceID: "" - accessTokenSecretName: "ama-logs-secret" - # Cloud environment - isMoonCake: false - isFairfax: false - workspaceKey: "" - - # Image configuration - imageTagLinux: "3.1.35" - imageTagWindows: "win-3.1.35" - isImagePullPolicyAlways: false - - # Resource ID and cluster information - # aksResourceID: "" - # aksClusterName: "" - # aksNodeResourceGroup: "" - # aksRegion: "" - - # Resource limits and requests - omsAgentDsCPULimitLinux: "500m" - omsAgentDsMemoryLimitLinux: "1Gi" - omsAgentDsCPULimitWindows: "2" - omsAgentDsMemoryLimitWindows: "2Gi" - omsAgentDsCPURequestWindows: "100m" - omsAgentDsMemoryRequestWindows: "150Mi" - omsAgentRsCPULimit: "1" - omsAgentRsMemoryLimit: "1.5Gi" - omsAgentPrometheusSidecarCPULimit: "500m" - omsAgentPrometheusSidecarMemoryLimit: "1Gi" - - # Multitenancy settings - omsAgentMultitenancyCPULimitLinux: "1" - omsAgentMultitenancyMemoryLimitLinux: "1Gi" - omsAgentMultitenancyCPURequestLinux: "100m" - omsAgentMultitenancyMemoryRequestLinux: "100Mi" - omsAgentMultitenancyLogsHPAMinReplicas: 2 - omsAgentMultitenancyLogsHPAMaxReplicas: 50 - omsAgentMultitenancyHPAAvgCPUUtilization: 700 - omsAgentMultitenancyHPAAvgMemoryUtilization: 700 - - # Feature flags - isSyslogEnabled: true - isPrometheusMetricsScrapingDisabled: false - isSidecarScrapingEnabled: 
true - isRSVPAEnabled: false - isRetinaFlowLogsEnabled: false - isResourceOptimizationEnabled: false - isWindowsAMAFluentBitEnabled: false - isMultitenancyLogsEnabled: false - isWindowsBurstableQoSEnabled: true - isTelegrafLivenessprobeEnabled: false - isWindowsAMAEnabled: true - isWindowsAddonTokenAdapterDisabled: false - legacyAddonDelivery: false - - # Network settings - syslogHostPort: "28330" - shouldMountSyslogHostPort: true - # httpProxy: "" - # httpsProxy: "" - # trustedCA: "" - - # # Identity settings - # identityClientID: "" - # accessTokenSecretName: "aad-msi-auth-token" - - # # DaemonSet sizing configuration - # enableDaemonSetSizing: false - # daemonSetSizingValues: - # singleSize: - # containers: - # addon-token-adapter: - # cpuLimit: "100m" - # memoryLimit: "100Mi" - # cpuRequest: "20m" - # memoryRequest: "50Mi" - # ama-logs: - # cpuLimit: "150m" - # memoryLimit: "750Mi" - # cpuRequest: "75m" - # memoryRequest: "325Mi" - # ama-logs-prometheus: - # cpuLimit: "500m" - # memoryLimit: "1Gi" - # cpuRequest: "75m" - # memoryRequest: "225Mi" - # tShirtSizes: - # - name: "small" - # maxCPU: 4 - # containers: - # addon-token-adapter: - # cpuLimit: "100m" - # memoryLimit: "100Mi" - # cpuRequest: "20m" - # memoryRequest: "50Mi" - # ama-logs: - # cpuLimit: "150m" - # memoryLimit: "750Mi" - # cpuRequest: "75m" - # memoryRequest: "325Mi" - # ama-logs-prometheus: - # cpuLimit: "500m" - # memoryLimit: "1Gi" - # cpuRequest: "75m" - # memoryRequest: "225Mi" - # - name: "medium" - # maxCPU: 8 - # containers: - # addon-token-adapter: - # cpuLimit: "200m" - # memoryLimit: "200Mi" - # cpuRequest: "40m" - # memoryRequest: "100Mi" - # ama-logs: - # cpuLimit: "300m" - # memoryLimit: "1.5Gi" - # cpuRequest: "150m" - # memoryRequest: "650Mi" - # ama-logs-prometheus: - # cpuLimit: "1" - # memoryLimit: "2Gi" - # cpuRequest: "150m" - # memoryRequest: "450Mi" - # - name: "large" - # maxCPU: 16 - # containers: - # addon-token-adapter: - # cpuLimit: "400m" - # memoryLimit: "400Mi" - 
# cpuRequest: "80m" - # memoryRequest: "200Mi" - # ama-logs: - # cpuLimit: "600m" - # memoryLimit: "3Gi" - # cpuRequest: "300m" - # memoryRequest: "1.3Gi" - # ama-logs-prometheus: - # cpuLimit: "2" - # memoryLimit: "4Gi" - # cpuRequest: "300m" - # memoryRequest: "900Mi" - -# # Application monitoring settings -# AppmonitoringAgent: -# enabled: false -# isOpenTelemetryLogsEnabled: false -# openTelemetryLogsPort: "28331" - -# # Azure-specific settings -# Azure: -# Cluster: -# Cloud: "" -# Region: "" -# ResourceId: "" -# Extension: -# Name: "" -# ResourceId: "" -# proxySettings: -# isProxyEnabled: false -# httpProxy: "" -# httpsProxy: "" -# noProxy: "" -# proxyCert: "" -# isCustomCert: false -# autonomousFqdn: "" - -# # Global settings -# global: -# commonGlobals: -# CloudEnvironment: "AzurePublicCloud" -# Versions: -# Kubernetes: "1.25.0" -# isAutomaticSKU: false diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml index 9cc83e245..1cc236810 100644 --- a/charts/azuremonitor-containerinsights/values.yaml +++ b/charts/azuremonitor-containerinsights/values.yaml @@ -23,8 +23,7 @@ AppmonitoringAgent: legacyAddonDelivery: false # ============================================================================ -# OmsAgent - AKS ADDON VALUES (from azuremonitor-containerinsights-aks) -# Exact order preserved from OmsAgent section in AKS chart +# OmsAgent - AKS ADDON VALUES # ============================================================================ # Default values for ama-logs configuration # OmsAgent configuration @@ -210,8 +209,7 @@ OmsAgent: cpuRequest: "20m" memoryRequest: "100Mi" # ============================================================================ -# amalogs - ARC K8S EXTENSION VALUES (from azuremonitor-containers) -# Exact order preserved from Arc chart +# amalogs - ARC K8S EXTENSION VALUES # ============================================================================ amalogs: image: 
diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index 8ce02b203..18348dff5 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh @@ -70,7 +70,7 @@ push_local_chart_to_canary_region() { fi echo "generate chart package file" - export CHART_FILE=$(helm package charts/azuremonitor-containerinsights-aks/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') + export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') if [ $? -eq 0 ]; then echo "chart package file generated successfully." else diff --git a/test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml b/test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml deleted file mode 100644 index 028638c78..000000000 --- a/test/networkflow-scale-tests/ama-metrics-prometheus-config-node.yaml +++ /dev/null @@ -1,32 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -data: - prometheus-config: |- - scrape_configs: - - job_name: ama-logs-daemonset - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: [__meta_kubernetes_pod_controller_kind] - action: keep - regex: 'DaemonSet' - - source_labels: [__meta_kubernetes_pod_controller_name] - regex: ^(ama-logs|ama-logs-windows)$ - action: keep - - source_labels: [__address__] - action: replace - target_label: __address__ - regex: (.+?)(\:\d+)? - replacement: $1:9102 - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: instance - - source_labels: [__meta_kubernetes_pod_node_name] - action: replace - target_label: node - - source_labels: [__meta_kubernetes_pod_node_name] - action: keep - regex: $NODE_NAME -metadata: - name: ama-metrics-prometheus-config-node - namespace: kube-system 
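Review bot: The `if [ $? -eq 0 ]` test that follows the changed `export CHART_FILE=$(helm package … | awk …)` line does not check `helm package`. There `$?` is the exit status of `export`, which is 0 even when the command substitution fails, and inside the substitution the pipeline reports awk's status unless `pipefail` is set (not visible in this hunk). A failed packaging step would therefore print the success message and carry on with an empty `CHART_FILE`, which matters in a script that pushes a release artifact to a registry. Assign first and test the value: `CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')`, then `if [ -n "$CHART_FILE" ] && [ -f "$CHART_FILE" ]; then`, with `export CHART_FILE` inside the success branch. The body of push_local_chart_to_canary_region starts and ends outside the hunk.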
From 2867a2c5d5ffddcd370f23e26d8ab732d4925dc7 Mon Sep 17 00:00:00 2001
From: "LONG WAN (from Dev Box)"
Date: Thu, 26 Mar 2026 17:00:22 -0700
Subject: [PATCH 44/47] update chart name
---
 charts/azuremonitor-containerinsights/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml
index 0af3f3d64..55fafd40d 100644
--- a/charts/azuremonitor-containerinsights/Chart.yaml
+++ b/charts/azuremonitor-containerinsights/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: azuremonitor-containerinsights
+name: azuremonitor-containers
 description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension)
 version: 3.2.1-merged-main-1
 appVersion: 7.0.0-1
From 1168c57fd2fc064cb8a857d1d71cbcd682b90741 Mon Sep 17 00:00:00 2001
From: NicAtMS <106997212+NicAtMS@users.noreply.github.com>
Date: Wed, 1 Apr 2026 14:40:04 -0700
Subject: [PATCH 45/47] Nicchambers/daemonsetvaluechanges (#1628)
* convert to enableDaemonsetSizingForExtensions
* Update ama-logs-daemonset.yaml
---------
Co-authored-by: LONG WAN (from Dev Box)
---
 .../templates/ama-logs-daemonset.yaml | 4 ++--
 charts/azuremonitor-containerinsights/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml
index 84fdef2ed..9688a157d 100644
--- a/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml
+++ b/charts/azuremonitor-containerinsights/templates/ama-logs-daemonset.yaml
@@ -21,7 +21,7 @@
 {{- $sizes := list (dict) -}}
 {{- $prevmaxCPU := 0 -}}
 {{- if not $isArcExtension }}
-{{- $useDaemonSetSizing = and (eq .Values.Azure.Cluster.Kind "automatic") .Values.OmsAgent.enableDaemonSetSizing -}}
+{{- $useDaemonSetSizing = and (eq .Values.Azure.Cluster.Kind "automatic") .Values.OmsAgent.enableDaemonsetSizingForExtensions -}}
 {{- $singleSize = .Values.OmsAgent.daemonSetSizingValues.singleSize -}}
 {{- $sizes = list $singleSize -}}
 {{- if $useDaemonSetSizing -}}
@@ -785,7 +785,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- else }}
-{{- $useDaemonSetSizing := and (eq $.Values.Azure.Cluster.Kind "automatic") $.Values.OmsAgent.enableDaemonSetSizing }}
+{{- $useDaemonSetSizing := and (eq $.Values.Azure.Cluster.Kind "automatic") $.Values.OmsAgent.enableDaemonsetSizingForExtensions }}
 {{- $singleSize := dict "name" "" }}
 affinity:
 nodeAffinity:
diff --git a/charts/azuremonitor-containerinsights/values.yaml b/charts/azuremonitor-containerinsights/values.yaml
index 1cc236810..f3ed94f5e 100644
--- a/charts/azuremonitor-containerinsights/values.yaml
+++ b/charts/azuremonitor-containerinsights/values.yaml
@@ -29,7 +29,7 @@ legacyAddonDelivery: false
 # OmsAgent configuration
 OmsAgent:
 aksResourceID:
- enableDaemonSetSizing: true
+ enableDaemonsetSizingForExtensions: true
 isCustomMetricsDisabled: false
 isUsingAADAuth: "true"
 retinaFlowLogsEnabled: false
From a95126ee4947988f7d627f120ad73616245b13ef Mon Sep 17 00:00:00 2001
From: longwan
Date: Wed, 1 Apr 2026 21:48:37 +0000
Subject: [PATCH 46/47] update trivy
---
 .trivyignore | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/.trivyignore b/.trivyignore
index 8dc1c37b7..f181b87ec 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,5 +1,21 @@
-# to merge trivy scan PR, temporarily ignore CVE-2026-24051 until a fix is available
+# telegraf
 CVE-2026-24051
+CVE-2026-32287
+CVE-2026-34040
+CVE-2026-33997
+CVE-2026-27889
+CVE-2026-29785
+CVE-2026-33216
+CVE-2026-33217
+CVE-2026-33218
+CVE-2026-33247
+CVE-2026-33215
+CVE-2026-33219
+CVE-2026-33222
+CVE-2026-33223
+CVE-2026-33246
+CVE-2026-33248
+CVE-2026-33249
 CVE-2026-33186
 CVE-2026-25679
 CVE-2026-27142
From 096e7560e6e1d7c588a7da438d322ceabafea6ab Mon Sep 17 00:00:00 2001
From: longwan
Date: Wed, 1 Apr 2026 21:54:37 +0000
Subject: [PATCH 47/47] bump chart version
---
 charts/azuremonitor-containerinsights/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/azuremonitor-containerinsights/Chart.yaml b/charts/azuremonitor-containerinsights/Chart.yaml
index 55fafd40d..5b2f2a4e3 100644
--- a/charts/azuremonitor-containerinsights/Chart.yaml
+++ b/charts/azuremonitor-containerinsights/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: azuremonitor-containers
 description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension)
-version: 3.2.1-merged-main-1
+version: 3.2.1-merged-main-2
 appVersion: 7.0.0-1
 kubeVersion: "^1.10.0-0"
 keywords:
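Review bot: The sixteen IDs added under `# telegraf` in `.trivyignore` are suppressed with no recorded reason, owner or end date, and the comment this hunk removes was the only line saying why CVE-2026-24051 is ignored and that the ignore is temporary. A plain `.trivyignore` entry never lapses, so these findings stay hidden from the scan even once a fixed telegraf build can be picked up. Give each entry a rationale and an expiry, for example `# telegraf <VERSION_PLACEHOLDER>: no fixed release yet, tracked in <ISSUE_PLACEHOLDER>` followed by `CVE-2026-32287 exp:<YYYY-MM-DD>`, so the scan fails again on the review date. It is also unclear from the hunk whether the `# telegraf` header is meant to cover the unchanged entries below it (CVE-2026-33186 onward); a blank line or a second header would separate the groups.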