├── .github └── workflows │ ├── amazon-cloudwatch-observability-helm-integration-test.yaml │ ├── amazon-cloudwatch-observability-image-scan.yaml │ └── release.yaml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── NOTICE ├── README.md ├── RELEASE_NOTES ├── charts └── amazon-cloudwatch-observability │ ├── Chart.yaml │ ├── README.md │ ├── crds │ ├── cloudwatch.aws.amazon.com_amazoncloudwatchagents.yaml │ ├── cloudwatch.aws.amazon.com_dcgmexporters.yaml │ ├── cloudwatch.aws.amazon.com_instrumentations.yaml │ └── cloudwatch.aws.amazon.com_neuronmonitors.yaml │ ├── templates │ ├── _helpers.tpl │ ├── admission-webhooks │ │ ├── operator-webhook-with-cert-manager.yaml │ │ └── operator-webhook.yaml │ ├── certmanager.yaml │ ├── cloudwatch-agent-clusterrole.yaml │ ├── cloudwatch-agent-clusterrolebinding.yaml │ ├── cloudwatch-agent-serviceaccount.yaml │ ├── linux │ │ ├── cloudwatch-agent-custom-resource.yaml │ │ ├── dcgm-exporter-daemonset.yaml │ │ ├── dcgm-exporter-role.yaml │ │ ├── dcgm-exporter-rolebinding.yaml │ │ ├── fluent-bit-configmap.yaml │ │ ├── fluent-bit-daemonset.yaml │ │ ├── neuron-monitor-daemonset.yaml │ │ ├── neuron-monitor-exporter-role.yaml │ │ └── neuron-monitor-exporter-rolebinding.yaml │ ├── operator-clusterrole.yaml │ ├── operator-clusterrolebinding.yaml │ ├── operator-deployment.yaml │ ├── operator-service.yaml │ ├── operator-serviceaccount.yaml │ ├── rosa │ │ ├── cloudwatch-agent-scc-clusterrole.yaml │ │ ├── cloudwatch-agent-scc.yaml │ │ └── cloudwatch-agent-ssc-clusterrolebinding.yaml │ ├── target-allocator-clusterrole.yaml │ ├── target-allocator-clusterrolebinding.yaml │ └── windows │ │ ├── cloudwatch-agent-windows-container-insights-daemonset.yaml │ │ ├── cloudwatch-agent-windows-daemonset.yaml │ │ ├── fluent-bit-windows-configmap.yaml │ │ └── fluent-bit-windows-daemonset.yaml │ └── values.yaml ├── go.mod ├── go.sum └── integration-tests └── amazon-cloudwatch-observability ├── terraform ├── basic_components │ ├── main.tf │ 
└── output.tf ├── common │ ├── main.tf │ └── output.tf ├── helm-windows │ ├── main.tf │ ├── providers.tf │ └── variables.tf └── helm │ ├── main.tf │ ├── providers.tf │ └── variables.tf └── validator ├── resourceCount_linuxonly_test.go ├── resourceCount_windowslinux_test.go └── validateResources_test.go /.github/workflows/amazon-cloudwatch-observability-helm-integration-test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | name: Run Integration Test for Amazon CloudWatch Observability Helm Chart 5 | on: 6 | push: 7 | branches: 8 | - main 9 | pull_request: 10 | types: [ opened, reopened, synchronize, ready_for_review ] 11 | branches: 12 | - main 13 | workflow_dispatch: 14 | concurrency: 15 | group: ${{ github.workflow }}-${{ github.ref_name }} 16 | cancel-in-progress: true 17 | 18 | permissions: 19 | id-token: write 20 | contents: read 21 | 22 | env: 23 | TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }} 24 | AWS_DEFAULT_REGION: us-west-2 25 | 26 | jobs: 27 | HelmChartsIntegrationTest: 28 | name: HelmChartsIntegrationTest 29 | runs-on: ubuntu-latest 30 | strategy: 31 | fail-fast: false 32 | steps: 33 | - uses: actions/checkout@v3 34 | with: 35 | fetch-depth: 0 36 | 37 | - name: Generate testing id 38 | run: echo TESTING_ID="${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV 39 | 40 | - name: Configure AWS Credentials 41 | uses: aws-actions/configure-aws-credentials@v2 42 | with: 43 | role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }} 44 | aws-region: ${{ env.AWS_DEFAULT_REGION }} 45 | 46 | # local directory to store the kubernetes config 47 | - name: Create kubeconfig directory 48 | run: mkdir -p ${{ github.workspace }}/../../../.kube 49 | 50 | - name: Set KUBECONFIG environment variable 51 | run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> $GITHUB_ENV 52 
| 53 | - name: Install Terraform 54 | uses: hashicorp/setup-terraform@v3 55 | with: 56 | terraform_version: "1.1.7" 57 | 58 | - name: Verify Terraform version 59 | run: terraform --version 60 | 61 | - name: Terraform apply 62 | uses: nick-fields/retry@v2 63 | with: 64 | max_attempts: 1 65 | timeout_minutes: 60 # EKS takes about 20 minutes to spin up a cluster and service on the cluster 66 | retry_wait_seconds: 5 67 | command: | 68 | cd integration-tests/amazon-cloudwatch-observability/terraform/helm 69 | terraform init 70 | if terraform apply -auto-approve \ 71 | -var="kube_dir=${{ github.workspace }}/../../../.kube"; then 72 | terraform destroy -auto-approve 73 | else 74 | terraform destroy -auto-approve && exit 1 75 | fi 76 | 77 | - name: Terraform destroy 78 | if: ${{ cancelled() || failure() }} 79 | uses: nick-fields/retry@v2 80 | with: 81 | max_attempts: 3 82 | timeout_minutes: 8 83 | retry_wait_seconds: 5 84 | command: | 85 | cd integration-tests/amazon-cloudwatch-observability/terraform/helm 86 | terraform destroy --auto-approve 87 | 88 | HelmChartsIntegrationTestWindows-2022: 89 | name: HelmChartsIntegrationTestWindows-2022 90 | runs-on: ubuntu-latest 91 | strategy: 92 | fail-fast: false 93 | steps: 94 | - uses: actions/checkout@v3 95 | with: 96 | fetch-depth: 0 97 | 98 | - name: Generate testing id 99 | run: echo TESTING_ID="${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV 100 | 101 | - name: Configure AWS Credentials 102 | uses: aws-actions/configure-aws-credentials@v2 103 | with: 104 | role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }} 105 | aws-region: ${{ env.AWS_DEFAULT_REGION }} 106 | 107 | # local directory to store the kubernetes config 108 | - name: Create kubeconfig directory 109 | run: mkdir -p ${{ github.workspace }}/../../../.kube 110 | 111 | - name: Set KUBECONFIG environment variable 112 | run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> $GITHUB_ENV 113 | 114 | - name: Install Terraform 115 | uses: 
hashicorp/setup-terraform@v3 116 | with: 117 | terraform_version: "1.1.7" 118 | 119 | - name: Verify Terraform version 120 | run: terraform --version 121 | 122 | - name: Terraform apply 123 | uses: nick-fields/retry@v2 124 | with: 125 | max_attempts: 1 126 | timeout_minutes: 60 # EKS takes about 20 minutes to spin up a cluster and service on the cluster 127 | retry_wait_seconds: 5 128 | command: | 129 | cd integration-tests/amazon-cloudwatch-observability/terraform/helm-windows 130 | terraform init 131 | if terraform apply -auto-approve \ 132 | -var="windows_os_version=WINDOWS_CORE_2022_x86_64" -var="kube_dir=${{ github.workspace }}/../../../.kube"; then 133 | terraform destroy -auto-approve 134 | else 135 | terraform destroy -auto-approve && exit 1 136 | fi 137 | 138 | - name: Terraform destroy 139 | if: ${{ cancelled() || failure() }} 140 | uses: nick-fields/retry@v2 141 | with: 142 | max_attempts: 3 143 | timeout_minutes: 8 144 | retry_wait_seconds: 5 145 | command: | 146 | cd integration-tests/amazon-cloudwatch-observability/terraform/helm-windows 147 | terraform destroy --auto-approve 148 | 149 | HelmChartsIntegrationTestWindows-2019: 150 | name: HelmChartsIntegrationTestWindows-2019 151 | runs-on: ubuntu-latest 152 | strategy: 153 | fail-fast: false 154 | steps: 155 | - uses: actions/checkout@v3 156 | with: 157 | fetch-depth: 0 158 | 159 | - name: Generate testing id 160 | run: echo TESTING_ID="${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV 161 | 162 | - name: Configure AWS Credentials 163 | uses: aws-actions/configure-aws-credentials@v2 164 | with: 165 | role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }} 166 | aws-region: ${{ env.AWS_DEFAULT_REGION }} 167 | 168 | # local directory to store the kubernetes config 169 | - name: Create kubeconfig directory 170 | run: mkdir -p ${{ github.workspace }}/../../../.kube 171 | 172 | - name: Set KUBECONFIG environment variable 173 | run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> 
$GITHUB_ENV 174 | 175 | - name: Install Terraform 176 | uses: hashicorp/setup-terraform@v3 177 | with: 178 | terraform_version: "1.1.7" 179 | 180 | - name: Verify Terraform version 181 | run: terraform --version 182 | 183 | - name: Terraform apply 184 | uses: nick-fields/retry@v2 185 | with: 186 | max_attempts: 1 187 | timeout_minutes: 60 # EKS takes about 20 minutes to spin up a cluster and service on the cluster 188 | retry_wait_seconds: 5 189 | command: | 190 | cd integration-tests/amazon-cloudwatch-observability/terraform/helm-windows 191 | terraform init 192 | if terraform apply -auto-approve \ 193 | -var="windows_os_version=WINDOWS_CORE_2019_x86_64" -var="kube_dir=${{ github.workspace }}/../../../.kube"; then 194 | terraform destroy -auto-approve 195 | else 196 | terraform destroy -auto-approve && exit 1 197 | fi 198 | 199 | - name: Terraform destroy 200 | if: ${{ cancelled() || failure() }} 201 | uses: nick-fields/retry@v2 202 | with: 203 | max_attempts: 3 204 | timeout_minutes: 8 205 | retry_wait_seconds: 5 206 | command: | 207 | cd integration-tests/amazon-cloudwatch-observability/terraform/helm-windows 208 | terraform destroy --auto-approve -------------------------------------------------------------------------------- /.github/workflows/amazon-cloudwatch-observability-image-scan.yaml: -------------------------------------------------------------------------------- 1 | name: Run Image Scan for Amazon CloudWatch Observability Helm Chart 2 | 3 | on: 4 | schedule: 5 | - cron: 0 13 * * MON # Every Monday at 1PM UTC (9AM EST) 6 | workflow_dispatch: 7 | 8 | permissions: 9 | id-token: write 10 | contents: read 11 | 12 | env: 13 | TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }} 14 | AWS_DEFAULT_REGION: us-west-2 15 | 16 | jobs: 17 | ContainerImageScan: 18 | runs-on: ubuntu-latest 19 | strategy: 20 | fail-fast: false 21 | matrix: 22 | container_images: 23 | - registry: ".manager.image.repositoryDomainMap.public" 24 | repository: 
".manager.image.repository" 25 | tag: ".manager.image.tag" 26 | 27 | - registry: ".manager.autoInstrumentationImage.java.repositoryDomain" 28 | repository: ".manager.autoInstrumentationImage.java.repository" 29 | tag: ".manager.autoInstrumentationImage.java.tag" 30 | 31 | - registry: ".manager.autoInstrumentationImage.python.repositoryDomain" 32 | repository: ".manager.autoInstrumentationImage.python.repository" 33 | tag: ".manager.autoInstrumentationImage.python.tag" 34 | 35 | - registry: ".manager.autoInstrumentationImage.dotnet.repositoryDomain" 36 | repository: ".manager.autoInstrumentationImage.dotnet.repository" 37 | tag: ".manager.autoInstrumentationImage.dotnet.tag" 38 | 39 | - registry: ".manager.autoInstrumentationImage.nodejs.repositoryDomain" 40 | repository: ".manager.autoInstrumentationImage.nodejs.repository" 41 | tag: ".manager.autoInstrumentationImage.nodejs.tag" 42 | 43 | - registry: ".agent.image.repositoryDomainMap.public" 44 | repository: ".agent.image.repository" 45 | tag: ".agent.image.tag" 46 | 47 | - registry: ".dcgmExporter.image.repositoryDomainMap.public" 48 | repository: ".dcgmExporter.image.repository" 49 | tag: ".dcgmExporter.image.tag" 50 | 51 | - registry: ".neuronMonitor.image.repositoryDomainMap.public" 52 | repository: ".neuronMonitor.image.repository" 53 | tag: ".neuronMonitor.image.tag" 54 | 55 | steps: 56 | - uses: actions/checkout@v3 57 | with: 58 | fetch-depth: 0 59 | 60 | - name: Configure AWS Credentials 61 | uses: aws-actions/configure-aws-credentials@v2 62 | with: 63 | role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }} 64 | aws-region: ${{ env.AWS_DEFAULT_REGION }} 65 | 66 | - name: "Get image registry" 67 | id: registry 68 | uses: mikefarah/yq@master 69 | with: 70 | cmd: yq '${{ matrix.container_images.registry }}' charts/amazon-cloudwatch-observability/values.yaml 71 | 72 | - name: "Get image repository" 73 | id: repository 74 | uses: mikefarah/yq@master 75 | with: 76 | cmd: yq '${{ matrix.container_images.repository 
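}}' charts/amazon-cloudwatch-observability/values.yaml

      - name: "Get image tag"
        id: tag
        # NOTE(review): `@master` is a mutable ref, so this job (which holds `id-token: write` and an assumed AWS role)
        # runs whatever that branch contains at run time. Pin to a release tag or a full commit SHA; the
        # "Get image registry" and "Get image repository" steps use the same ref.
        uses: mikefarah/yq@master
        with:
          cmd: yq '${{ matrix.container_images.tag }}' charts/amazon-cloudwatch-observability/values.yaml

      - name: "Scan for vulnerabilities"
        id: scan
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: ${{ steps.registry.outputs.result }}/${{ steps.repository.outputs.result }}:${{ steps.tag.outputs.result }}
          severity_threshold: HIGH
          annotations: true
      # Every step below runs on `success() || failure()`, presumably so that results are still reported
      # when the scan step fails the job on a finding at or above the threshold.
      - run: cat ${{ steps.scan.outputs.json }}
        if: success() || failure()
      # from https://stackoverflow.com/questions/61919141/read-json-file-in-github-actions
      # Builds one "<artifact>: <id>, <id>, ..." line per result that has vulnerabilities, truncates each line
      # to 2999 characters, and exports the text to later steps as the multi-line variable SCAN_RESULT.
      - run: |
          SCAN_RESULT=$(jq -cr '"\(.ArtifactName): " + (.Results | .[] | select(.Vulnerabilities != null) | .Vulnerabilities | map(.VulnerabilityID) | join(", "))' ${{ steps.scan.outputs.json }} | cut -c -2999)
          # Multi-line values in $GITHUB_ENV use the NAME<<DELIMITER form; the delimiter must match the closing line.
          # NOTE(review): a fixed delimiter ends the value early if a result line is exactly "EOF"; a per-run
          # random delimiter avoids that.
          echo "SCAN_RESULT<<EOF" >> "$GITHUB_ENV"
          echo "$SCAN_RESULT" >> "$GITHUB_ENV"
          echo "EOF" >> "$GITHUB_ENV"
        if: success() || failure()
      - if: success() || failure()
        # Read the value from the environment rather than pasting it into the script with `${{ }}`:
        # expression text is substituted before the shell parses the script, so a quote inside the scan
        # output would change the command itself.
        run: |
          echo "$SCAN_RESULT"
      - name: Send a saved artifact to a Slack workflow
        if: success() || failure()
        env:
          # Passed through the environment so the webhook URL is never part of the script text.
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          # jq builds the payload so quotes and newlines in SCAN_RESULT are JSON-escaped; with several
          # result lines a hand-built string would not be valid JSON.
          jq -cn --arg results "$SCAN_RESULT" '{results: $results}' |
            curl -X POST "$SLACK_WEBHOOK_URL" \
              -H "Content-Type: application/json" \
              --data-binary @-

--------------------------------------------------------------------------------
/.github/workflows/release.yaml:
--------------------------------------------------------------------------------
 1 | name: Release Helm Charts 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | commit_sha: 7 | required: true 8 | type: string 9 | default: "" 10 | description: "Release commit SHA" 11 | 12 | jobs: 13 | release: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@v4 18 | with: 19 | fetch-depth: 0 20 | ref: "${{ github.event.inputs.commit_sha }}" 21 | 22 |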
- name: Configure Git 23 | run: | 24 | git config user.name "$GITHUB_ACTOR" 25 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 26 | 27 | - name: Install Helm 28 | uses: azure/setup-helm@v1 29 | 30 | - name: Run chart-releaser 31 | uses: helm/chart-releaser-action@v1.4.0 32 | env: 33 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 34 | CR_SKIP_EXISTING: true -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | .tmp 3 | *.iml 4 | *.DS_Store 5 | .idea 6 | .attach_pid* 7 | bin -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 
13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. 
As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS 2 | [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 3 | 4 | ## Introduction 5 | The AWS Observability Helm Charts repository contains [Helm](https://helm.sh/) charts to provide easy mechanisms to setup the CloudWatch Agent and other collection agents to collect telemetry data such as metrics, logs and traces to send to AWS monitoring services. 6 | ## Getting Started 7 | 8 | [Helm](https://helm.sh/) must be installed to use the chart. Please refer to Helm's [documentation](https://helm.sh/docs/) to get started. 9 | 10 | ## Security 11 | 12 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 13 | 14 | ## License 15 | 16 | This project is licensed under the Apache-2.0 License. 17 | 18 | -------------------------------------------------------------------------------- /RELEASE_NOTES: -------------------------------------------------------------------------------- 1 | ======================================================================= 2 | amazon-cloudwatch-observability v4.1.0 (2025-05-27) 3 | ======================================================================== 4 | New Features: 5 | * [Container Insights] Adding support for EBS NVMe metrics using EBS CSI Driver 6 | 7 | Enhancements: 8 | * Upgrade CWAgent to v1.300056.0b1123 9 | * Upgrade CWAgent Operator to v3.0.1 10 | * Upgrade Neuron Monitor to v1.5.0 11 | 12 | ======================================================================= 13 | amazon-cloudwatch-observability v4.0.1 (2025-05-16) 14 | ======================================================================== 15 | Enhancements: 16 | * Upgrade CWAgent to v1.300055.2b1110 17 | 18 | ======================================================================= 19 | 
amazon-cloudwatch-observability v4.0.0 (2025-05-09) 20 | ======================================================================= 21 | New Features: 22 | * Introduce AutoMonitor for EKS Application Signals 23 | Bug Fixes: 24 | * Fix bug with cp for .net auto instrumentation when run as non-root 25 | 26 | ======================================================================= 27 | amazon-cloudwatch-observability v3.7.0 (2025-04-22) 28 | ======================================================================== 29 | Enhancements: 30 | * Upgrade CWAgent to v1.30055.0b1095 31 | * Expose update strategy to make it configurable for cloudwatch agent and fluentbit 32 | * Adding component level affinity selectors and node selectors 33 | * Support per-component tolerations (+ manager) 34 | * Upgrade CloudWatch Agent Addon to v3.7.0-eksbuild.1 35 | * Upgrade Neuron Monitor to v1.4.0 36 | * Upgrade Fluent Bit to v2.32.5.20250327 37 | * Upgrade Application Signals SDKs: 38 | * Upgrade Java SDK to v2.10.0 39 | * Upgrade Python SDK to v0.9.0 40 | * Upgrade .NET SDK to v1.7.0 41 | * Upgrade NodeJS SDK to v0.6.0 42 | 43 | Bug Fixes: 44 | * Support integer cluster names 45 | * Support trn2u.48xlarge instance types for gpu monitoring 46 | 47 | ======================================================================= 48 | amazon-cloudwatch-observability v3.6.0 (2025-03-25) 49 | ======================================================================= 50 | New Features: 51 | * Support for deploying CloudWatch Agent on Red Hat OpenShift Service on AWS (ROSA) clusters. 52 | Enhancements: 53 | * Add K8S_CLUSTER_NAME environment variable to improve cluster name detection. 
54 | 55 | ======================================================================== 56 | amazon-cloudwatch-observability v3.5.0 (2025-03-17) 57 | ======================================================================== 58 | Enhancements: 59 | * Upgrade CloudWatchAgent to 1.300053.1b1058 60 | 61 | ======================================================================== 62 | amazon-cloudwatch-observability v3.4.0 (2025-03-10) 63 | ======================================================================== 64 | Enhancements: 65 | * [Application Signals] Performance fix by using EndpointSlices to reduce load on API server 66 | * Upgrade CloudWatchAgent to 1.300053.0b1046 67 | * Upgrade CloudWatchAgentOperator to 2.2.0 68 | 69 | ======================================================================== 70 | amazon-cloudwatch-observability v3.3.1 (2025-02-06) 71 | ======================================================================== 72 | Bug Fixes: 73 | * Upgrade DCGM Exporter to 3.3.9-3.6.1-ubuntu22.04-amd64 to fix arch issue 74 | 75 | ======================================================================== 76 | amazon-cloudwatch-observability v3.3.0 (2025-02-06) 77 | ======================================================================== 78 | Enhancements: 79 | * Upgrade DCGM Exporter to 3.3.9-3.6.1-ubuntu22.04 80 | 81 | ======================================================================= 82 | amazon-cloudwatch-observability v3.2.0 (2025-02-04) 83 | ======================================================================== 84 | New Features: 85 | * Support Logical NeuronCore configuration (LNC) with trn2 86 | 87 | Enhancements: 88 | * Allow both YAML string and object for OTEL config 89 | * Add runtime metrics config for Application Signals .NET 90 | * Remove unsupported Neuron Monitor metrics 91 | * Upgrade CWAgent to v1.300052.0b1024 92 | * Upgrade CWAgent Operator to v2.1.0 93 | * Upgrade Java SDK to v1.33.0 94 | * Upgrade Python SDK to v0.8.0 95 | * Upgrade .Net SDK 
to v1.6.0 96 | * Upgrade NodeJS SDK to v0.5.0 97 | * Upgrade Neuron Monitor to v1.3.0 98 | 99 | ======================================================================= 100 | amazon-cloudwatch-observability v3.1.0 (2025-01-08) 101 | ======================================================================== 102 | Enhancements: 103 | * Update fluent-bit to 2.32.5 to support pod identity credential 104 | 105 | ======================================================================== 106 | amazon-cloudwatch-observability v3.0.0 (2024-12-23) 107 | ======================================================================== 108 | New Features: 109 | * Add support for installing multiple AmazonCloudWatchAgent workloads (#126) 110 | * Introduce support for Prometheus scraping with the CloudWatchAgent and TargetAllocator (#126) 111 | * Set default PriorityClass as system-node-critical for CloudWatchAgent and FluentBit daemonsets (#137) 112 | 113 | Enhancements: 114 | * Unify schema for Application Signals metrics across platforms 115 | * Increment ADOT JAVA SDK to v1.32.6 for Application Signals 116 | * Support p5en instance types for GPU Enhanced Container Insights (#150) 117 | 118 | Bug Fixes: 119 | * Do not apply default tolerations to controller manager deployment (#137) 120 | * Avoid excessive logging of 404 errors when IMDS tags access is not enabled 121 | * Fix edge case that causes the CloudWatchAgent to crash with a concurrent map writes error 122 | 123 | ======================================================================= 124 | amazon-cloudwatch-observability v2.6.0 (2024-12-06) 125 | ======================================================================== 126 | Enhancements: 127 | * Support extra files fluent-bit configurations for isolated regions 128 | 129 | ======================================================================= 130 | amazon-cloudwatch-observability v2.5.0 (2024-11-20) 131 | ======================================================================== 
132 | Enhancements: 133 | * Support Trainium 2 and p5e HyperPod instance types 134 | 135 | ======================================================================= 136 | amazon-cloudwatch-observability v2.4.0 (2024-11-20) 137 | ======================================================================== 138 | Enhancements: 139 | * Increment CWAgent to v1.300050.0b956 that adds the ability to scrape Kueue metrics 140 | 141 | ======================================================================= 142 | amazon-cloudwatch-observability v2.3.1 (2024-11-14) 143 | ======================================================================== 144 | Bug Fixes: 145 | * Remove keyUsages in favor of usages in cert manager template (#128) 146 | 147 | ======================================================================= 148 | amazon-cloudwatch-observability v2.3.0 (2024-11-08) 149 | ======================================================================== 150 | New Features: 151 | * Add agent server port for vending entity to FluentBit 152 | 153 | Enhancements: 154 | * Upgrade CWAgent to v1.300049.1b929 155 | * Upgrade CWAgent Operator to v1.9.0 156 | * Upgrade Java SDK to v1.32.5 157 | * Upgrade Python SDK to v0.7.0 158 | * Upgrade .Net SDK to v1.4.0 159 | * Upgrade NodeJS SDK to v0.3.0 160 | 161 | ======================================================================= 162 | amazon-cloudwatch-observability v2.2.0 (2024-10-21) 163 | ======================================================================== 164 | New Features: 165 | * Adding support for supplemental YAML config for cloudwatch-agent on Linux (#110) 166 | 167 | Enhancements: 168 | * Upgrade CWAgent to v1.300048.1b904 169 | * Upgrade CWAgent Operator to v1.8.0 170 | * Upgrade Java SDK to v1.32.4 171 | * Upgrade Python SDK to v0.6.0 172 | 173 | ======================================================================= 174 | amazon-cloudwatch-observability v2.1.3 (2024-10-04) 175 |
======================================================================== 176 | Enhancements: 177 | * Upgrade CWAgent to v1.300047.0b872 178 | * Upgrade NodeJS SDK to v0.2.0 179 | 180 | ======================================================================= 181 | amazon-cloudwatch-observability v2.1.2 (2024-10-01) 182 | ======================================================================== 183 | Enhancements: 184 | * Upgrade .Net SDK to v1.3.2 185 | * Upgrade Neuron-Monitor to v1.2.1 186 | * Support G6 GPU instance types with DCGM-Exporter 187 | 188 | ======================================================================= 189 | amazon-cloudwatch-observability v2.1.1 (2024-09-17) 190 | ======================================================================== 191 | Enhancements: 192 | * Upgrade Python SDK to v0.5.0 193 | 194 | ======================================================================= 195 | amazon-cloudwatch-observability v2.1.0 (2024-09-13) 196 | ======================================================================== 197 | New Features: 198 | * Adding support for NodeJS auto instrumentation for Application Signals (#91) 199 | 200 | Enhancements: 201 | * Separate agent daemonsets on windows for container insights and application signals (#90) 202 | * Upgrade CWAgent to v1.300045.1b823 203 | * Upgrade CWAgent Operator to v1.7.0 204 | * Upgrade Python SDK to v0.4.0 205 | * Upgrade .Net SDK to v1.3.0 206 | 207 | ======================================================================= 208 | amazon-cloudwatch-observability v2.0.1 (2024-08-23) 209 | ======================================================================== 210 | Enhancements: 211 | * Upgrade DCGM-Exporter for Linux to 3.3.7-3.5.0-ubuntu22.04 212 | * Upgrade CWAgent to v1.300045.0 213 | 214 | ======================================================================= 215 | amazon-cloudwatch-observability v2.0.0 (2024-08-15) 216 | 
======================================================================== 217 | Breaking Changes: 218 | * Enforce default requests and limits for auto instrumentation init containers 219 | 220 | Enhancements: 221 | * Allow configurable requests and limits for auto instrumentation init containers (#65) 222 | * Restructure resources configurations for AppSignals (#80) 223 | * Upgrade CWAgent to v1.300044.0 224 | * Upgrade CWAgent Operator to v1.6.0 225 | * Upgrade .Net SDK to v1.2.0 226 | * Upgrade FluentBit for Linux to 2.32.2.20240627 227 | 228 | ======================================================================= 229 | amazon-cloudwatch-observability v1.10.0 (2024-07-30) 230 | ======================================================================== 231 | New Features: 232 | * Adding support for .Net auto instrumentation for Application Signals (#64) 233 | 234 | Enhancements: 235 | * Upgrade CWAgent Operator to v1.5.0 236 | 237 | ======================================================================= 238 | amazon-cloudwatch-observability v1.9.0 (2024-07-22) 239 | ======================================================================== 240 | Bug Fixes: 241 | * Add nodeAffinity rule to not spin up resources on Fargate instances (#58) 242 | * Increase the default memory limit of DCGM Exporter to 500Mi to fix OOM crashing issue (#67) 243 | 244 | Enhancements: 245 | * Support parameterized resources configuration (#63) 246 | * Upgrade Java SDK to v1.32.3 247 | * Upgrade Python SDK to v0.3.0 248 | * Upgrade CWAgent to v1.300042.1 249 | 250 | ======================================================================= 251 | amazon-cloudwatch-observability v1.8.0 (2024-07-02) 252 | ======================================================================== 253 | Bug Fixes: 254 | * Add GOMEMLIMIT environment variable for Neuron Monitor to fix OOM crash issue (#56) 255 | 256 | Enhancements: 257 | * Update Windows Fluent-Bit configuration to export Kubelet and kube-proxy service 
logs to host log group (#45) 258 | * Upgrade CWAgent Operator to v1.4.1 259 | * Upgrade CWAgent to v1.300041.0 260 | 261 | ======================================================================= 262 | amazon-cloudwatch-observability v1.7.0 (2024-05-23) 263 | ======================================================================== 264 | Enhancements: 265 | * Add default tolerations (#41) 266 | * Add ability to customize fluent bit config via values.yaml (#43) 267 | * Add Sagemaker instances to node-affinity for DCGM and Neuron monitor (#36) 268 | * Update app_signals to application_signals (#40) 269 | * Upgrade Java SDK to v1.32.2 270 | * Upgrade Python SDK to v0.2.0 271 | * Upgrade CWAgent Operator to v1.4.0 272 | * Upgrade CWAgent to v1.300040.0 273 | 274 | ======================================================================= 275 | amazon-cloudwatch-observability v1.6.0 (2024-04-29) 276 | ======================================================================== 277 | Enhancements: 278 | * Add WorkingDir field to agent container if defined CWAgent spec to fix issue with Containerd 1.7 on Windows (#26) 279 | * Move DCGM & Neuron resource management into the operator (#19) 280 | * Upgrade neuron-monitor to v1.0.1 281 | * Upgrade CWAgent Operator to v1.3.1 282 | 283 | ======================================================================= 284 | amazon-cloudwatch-observability v1.5.5 (2024-04-26) 285 | ======================================================================== 286 | Enhancements: 287 | * Upgrade CWAgent to v1.300037.1 288 | 289 | ======================================================================= 290 | amazon-cloudwatch-observability v1.5.4 (2024-04-23) 291 | ======================================================================== 292 | Enhancements: 293 | * Upgrade python sdk to v0.1.1 (#22) 294 | 295 | ======================================================================= 296 | amazon-cloudwatch-observability v1.5.3 (2024-04-19) 297 | 
======================================================================== 298 | Enhancements: 299 | * Do not create fluent bit resources if containerLogs is disabled (#23) 300 | 301 | ======================================================================= 302 | amazon-cloudwatch-observability v1.5.2 (2024-04-16) 303 | ======================================================================== 304 | Enhancements: 305 | * Updating the agent image version to support Elastic Fabric Adapter (EFA) for Container Insights 306 | * Updating Python SDK and Operator image versions 307 | 308 | ======================================================================= 309 | amazon-cloudwatch-observability v1.5.1 (2024-04-11) 310 | ======================================================================== 311 | Notes: 312 | * Re-releasing v1.5.0 with a version bump 313 | 314 | ======================================================================= 315 | amazon-cloudwatch-observability v1.5.0 (2024-04-08) 316 | ======================================================================== 317 | Enhancements: 318 | * Adding support for Windows for Container Insights (#10) 319 | * Adding support for Neuron Monitor DaemonSet for Container Insights (#9) 320 | * Making cluster-name a mandatory field (#12) 321 | 322 | ======================================================================= 323 | amazon-cloudwatch-observability v1.4.0 (2024-03-12) 324 | ======================================================================== 325 | Enhancements: 326 | * Adding support for dcgm exporter daemonset for Nvidia GPU metrics (#4) 327 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: amazon-cloudwatch-observability 3 | version: 4.1.0 4 | appVersion: 1.0.0 5 | description: A Helm chart for Amazon CloudWatch Observability 6
| type: application 7 | home: https://aws.amazon.com/cloudwatch/ 8 | sources: 9 | - https://github.com/aws-observability/helm-charts/tree/main/charts/amazon-cloudwatch-observability 10 | maintainers: 11 | - name: lisaguo 12 | - name: kausyas 13 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/README.md: -------------------------------------------------------------------------------- 1 | # AWS 2 | [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 3 | 4 | ## Introduction 5 | The Amazon CloudWatch Observability Helm Chart provides an easy way to set up the [Amazon CloudWatch Agent Operator](https://github.com/aws/amazon-cloudwatch-agent-operator) to manage the [CloudWatch Agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html) on Kubernetes clusters. 6 | 7 | ## Getting Started 8 | Full instructions can be found in the [AWS documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html). 9 | 10 | ### Installation 11 | 1. You must have Helm installed to use this chart. For more information about installing Helm, see the [Helm documentation](https://helm.sh/docs/). 12 | 2. After you have installed Helm, enter the following commands. Replace `my-cluster-name` with the name of your cluster, and replace `my-cluster-region` with the Region that the cluster runs in.
13 | 14 | ```bash 15 | helm repo add aws-observability https://aws-observability.github.io/helm-charts 16 | helm repo update aws-observability 17 | helm install --wait --create-namespace --namespace amazon-cloudwatch amazon-cloudwatch aws-observability/amazon-cloudwatch-observability --set clusterName=my-cluster-name --set region=my-cluster-region 18 | ``` 19 | 20 | By default, the helm chart will enable [Container Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html) enhanced observability with container logging, and [CloudWatch Application Signals](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Monitoring-Sections.html). This helps you to collect infrastructure metrics, application performance telemetry, and container logs from the Amazon EKS cluster. The `helm install` command above installs the newest chart version in the repository; add `--version` to pin a specific chart release. 21 | 22 | ## Windows Support 23 | CloudWatch DaemonSet on Windows is officially supported only with the containerd runtime. 24 | 25 | ## Security 26 | 27 | See the security issue notifications section of [CONTRIBUTING](../../CONTRIBUTING.md#security-issue-notifications) for how to report a potential security issue. 28 | 29 | ## License 30 | 31 | This project is licensed under the Apache-2.0 License. 32 | 33 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart.
3 | */}} 4 | {{- define "amazon-cloudwatch-observability.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | {{/* Render a tolerations block: uses .component.tolerations when .component is set and that key is non-nil, otherwise .context.Values.tolerations; renders nothing when the chosen value is empty. */}} 8 | {{- define "amazon-cloudwatch-observability.common.tolerations" -}} 9 | {{- $tolerations := .context.Values.tolerations }} 10 | {{- if .component }} 11 | {{- $componentTolerations := dig "tolerations" nil .component }} 12 | {{- if ne nil $componentTolerations }} 13 | {{- $tolerations = $componentTolerations }} 14 | {{- end }} 15 | {{- end }} 16 | {{- with $tolerations }} 17 | tolerations: 18 | {{- toYaml . | nindent 2 }} 19 | {{- end }} 20 | {{- end }} 21 | 22 | {{/* 23 | Helper function to modify cloudwatch-agent config. Works on a deepCopy of .Config: sets agent.region from .Values.region, fills application_signals.hosted_in and kubernetes.cluster_name under logs.metrics_collected from .Values.clusterName (required) when those sections exist and the field is empty, and emits the result as a quoted JSON string. NOTE(review): the region is filled in only when the whole agent section is empty, so an agent section that lacks region is left without one - confirm this is intended. 24 | */}} 25 | {{- define "cloudwatch-agent.config-modifier" -}} 26 | {{- $configCopy := deepCopy .Config }} 27 | 28 | {{- $agent := pluck "agent" $configCopy | first }} 29 | {{- if and (empty $agent) (empty $agent.region) }} 30 | {{- $agentRegion := dict "region" .Values.region }} 31 | {{- $agent := set $configCopy "agent" $agentRegion }} 32 | {{- end }} 33 | 34 | {{- $appSignals := pluck "application_signals" $configCopy.logs.metrics_collected | first }} 35 | {{- if and (hasKey $configCopy.logs.metrics_collected "application_signals") (empty $appSignals.hosted_in) }} 36 | {{- $clusterName := .Values.clusterName | toString | required ".Values.clusterName is required." -}} 37 | {{- $appSignals := set $appSignals "hosted_in" $clusterName }} 38 | {{- end }} 39 | 40 | {{- $containerInsights := pluck "kubernetes" $configCopy.logs.metrics_collected | first }} 41 | {{- if and (hasKey $configCopy.logs.metrics_collected "kubernetes") (empty $containerInsights.cluster_name) }} 42 | {{- $clusterName := .Values.clusterName | toString | required ".Values.clusterName is required." 
-}} 43 | {{- $containerInsights := set $containerInsights "cluster_name" $clusterName }} 44 | {{- end }} 45 | 46 | {{- default "" $configCopy | toJson | quote }} 47 | {{- end }} 48 | 49 | {{/* 50 | Helper function to modify customer supplied agent config if ContainerInsights or ApplicationSignals is enabled: when .Config.logs.metrics_collected has an application_signals or kubernetes key it delegates to cloudwatch-agent.config-modifier, otherwise it emits .Config unchanged as a quoted JSON string. 51 | */}} 52 | {{- define "cloudwatch-agent.modify-config" -}} 53 | {{- if and (hasKey .Config "logs") (or (and (hasKey .Config.logs "metrics_collected") (hasKey .Config.logs.metrics_collected "application_signals")) (and (hasKey .Config.logs "metrics_collected") (hasKey .Config.logs.metrics_collected "kubernetes"))) }} 54 | {{- include "cloudwatch-agent.config-modifier" . }} 55 | {{- else }} 56 | {{- default "" .Config | toJson | quote }} 57 | {{- end }} 58 | {{- end }} 59 | 60 | {{/* 61 | Helper function to modify cloudwatch-agent YAML config: copies .OtelConfig (parsing it with fromYaml when it is a string), replaces nil values one level below each top-level map with an empty dict, and emits the result as a quoted YAML string. 62 | */}} 63 | {{- define "cloudwatch-agent.modify-otel-config" -}} 64 | {{- $configCopy := deepCopy .OtelConfig }} 65 | {{- if kindIs "string" $configCopy }} 66 | {{- $configCopy = fromYaml $configCopy }} 67 | {{- end }} 68 | 69 | {{- range $name, $component := $configCopy }} 70 | {{- if and $component (kindIs "map" $component) }} 71 | {{- range $key, $value := $component }} 72 | {{- if eq $value nil }} 73 | {{- $_ := set $component $key dict }} 74 | {{- end -}} 75 | {{- end }} 76 | {{- end }} 77 | {{- end }} 78 | 79 | {{- $configCopy | toYaml | quote }} 80 | {{- end }} 81 | {{/* maxUnavailable value: 1 when .mode is "daemonset", otherwise 25%. */}} 82 | {{- define "cloudwatch-agent.rolloutStrategyMaxUnavailable" -}} 83 | {{- if eq .mode "daemonset" -}} 84 | 1 85 | {{- else -}} 86 | 25% 87 | {{- end -}} 88 | {{- end -}} 89 | {{/* maxSurge value: 0 when .mode is "daemonset", otherwise 25%. */}} 90 | {{- define "cloudwatch-agent.rolloutStrategyMaxSurge" -}} 91 | {{- if eq .mode "daemonset" -}} 92 | 0 93 | {{- else -}} 94 | 25% 95 | {{- end -}} 96 | {{- end -}} 97 | 98 | {{/* 99 | Name for cloudwatch-agent: .Values.agent.name when set, otherwise "cloudwatch-agent" 100 | */}} 101 | {{- define "cloudwatch-agent.name" -}} 102 | {{- default "cloudwatch-agent" .Values.agent.name }} 103 | {{- end }} 104 | 105 | {{/* 106 | Name for 
dcgm-exporter 107 | */}} 108 | {{- define "dcgm-exporter.name" -}} 109 | {{- default "dcgm-exporter" .Values.dcgmExporter.name }} 110 | {{- end }} 111 | 112 | {{/* 113 | Name for neuron-monitor: .Values.neuronMonitor.name when set, otherwise "neuron-monitor" 114 | */}} 115 | {{- define "neuron-monitor.name" -}} 116 | {{- default "neuron-monitor" .Values.neuronMonitor.name }} 117 | {{- end }} 118 | 119 | {{/* 120 | Get the current recommended cloudwatch agent image for a region: looks up .region in .repositoryDomainMap, falls back to the map's public entry when the region has none, and renders domain/repository:tag. The registry domain, repository and tag all come from the caller's arguments and the template adds no digest, so the rendered reference is only as fixed as the tag that is supplied. 121 | */}} 122 | {{- define "cloudwatch-agent.image" -}} 123 | {{- $imageDomain := "" -}} 124 | {{- $imageDomain = index .repositoryDomainMap .region -}} 125 | {{- if not $imageDomain -}} 126 | {{- $imageDomain = .repositoryDomainMap.public -}} 127 | {{- end -}} 128 | {{- printf "%s/%s:%s" $imageDomain .repository .tag -}} 129 | {{- end -}} 130 | 131 | {{/* 132 | Get the current recommended cloudwatch agent operator image for a region: requires .Values.region, looks it up in .Values.manager.image.repositoryDomainMap with the public entry as fallback, and renders domain/repository:tag from .Values.manager.image (no digest is added). 133 | */}} 134 | {{- define "cloudwatch-agent-operator.image" -}} 135 | {{- $region := .Values.region | required ".Values.region is required." -}} 136 | {{- $imageDomain := "" -}} 137 | {{- $imageDomain = index .Values.manager.image.repositoryDomainMap .Values.region -}} 138 | {{- if not $imageDomain -}} 139 | {{- $imageDomain = .Values.manager.image.repositoryDomainMap.public -}} 140 | {{- end -}} 141 | {{- printf "%s/%s:%s" $imageDomain .Values.manager.image.repository .Values.manager.image.tag -}} 142 | {{- end -}} 143 | 144 | {{/* 145 | Get the current recommended target allocator image for a region: looks up .region in .repositoryDomainMap, falls back to the map's public entry, and renders domain/repository:tag from the caller's arguments (no digest is added). 146 | */}} 147 | {{- define "target-allocator.image" -}} 148 | {{- $imageDomain := "" -}} 149 | {{- $imageDomain = index .repositoryDomainMap .region -}} 150 | {{- if not $imageDomain -}} 151 | {{- $imageDomain = .repositoryDomainMap.public -}} 152 | {{- end -}} 153 | {{- printf "%s/%s:%s" $imageDomain .repository .tag -}} 154 | {{- end -}} 155 | 156 | {{/* 157 | Get the current recommended fluent-bit image for a region 158 | */}} 159 | {{- define "fluent-bit.image" -}} 160 | {{- $region := .Values.region | required 
".Values.region is required." -}} 161 | {{- $imageDomain := "" -}} 162 | {{- $imageDomain = index .Values.containerLogs.fluentBit.image.repositoryDomainMap .Values.region -}} 163 | {{- if not $imageDomain -}} 164 | {{- $imageDomain = .Values.containerLogs.fluentBit.image.repositoryDomainMap.public -}} 165 | {{- end -}} 166 | {{- printf "%s/%s:%s" $imageDomain .Values.containerLogs.fluentBit.image.repository .Values.containerLogs.fluentBit.image.tag -}} 167 | {{- end -}} 168 | 169 | {{/* 170 | Get the current recommended fluent-bit Windows image for a region 171 | */}} 172 | {{- define "fluent-bit-windows.image" -}} 173 | {{- $region := .Values.region | required ".Values.region is required." -}} 174 | {{- $imageDomain := "" -}} 175 | {{- $imageDomain = index .Values.containerLogs.fluentBit.image.repositoryDomainMap .Values.region -}} 176 | {{- if not $imageDomain -}} 177 | {{- $imageDomain = .Values.containerLogs.fluentBit.image.repositoryDomainMap.public -}} 178 | {{- end -}} 179 | {{- printf "%s/%s:%s" $imageDomain .Values.containerLogs.fluentBit.image.repository .Values.containerLogs.fluentBit.image.tagWindows -}} 180 | {{- end -}} 181 | 182 | {{/* 183 | Get the current recommended dcgm-exporter image for a region 184 | */}} 185 | {{- define "dcgm-exporter.image" -}} 186 | {{- $region := .Values.region | required ".Values.region is required." 
-}} 187 | {{- $imageDomain := "" -}} 188 | {{- $imageDomain = index .Values.dcgmExporter.image.repositoryDomainMap .Values.region -}} 189 | {{- if not $imageDomain -}} 190 | {{- $imageDomain = .Values.dcgmExporter.image.repositoryDomainMap.public -}} 191 | {{- end -}} 192 | {{- printf "%s/%s:%s" $imageDomain .Values.dcgmExporter.image.repository .Values.dcgmExporter.image.tag -}} 193 | {{- end -}} 194 | 195 | {{/* 196 | Get the current recommended neuron-monitor image for a region 197 | */}} 198 | {{- define "neuron-monitor.image" -}} 199 | {{- $imageDomain := "" -}} 200 | {{- $imageDomain = index .Values.neuronMonitor.image.repositoryDomainMap .Values.region -}} 201 | {{- if not $imageDomain -}} 202 | {{- $imageDomain = .Values.neuronMonitor.image.repositoryDomainMap.public -}} 203 | {{- end -}} 204 | {{- printf "%s/%s:%s" $imageDomain .Values.neuronMonitor.image.repository .Values.neuronMonitor.image.tag -}} 205 | {{- end -}} 206 | 207 | {{/* 208 | Get the current recommended auto instrumentation java image 209 | */}} 210 | {{- define "auto-instrumentation-java.image" -}} 211 | {{- printf "%s/%s:%s" .Values.manager.autoInstrumentationImage.java.repositoryDomain .Values.manager.autoInstrumentationImage.java.repository .Values.manager.autoInstrumentationImage.java.tag -}} 212 | {{- end -}} 213 | 214 | {{/* 215 | Get the current recommended auto instrumentation python image 216 | */}} 217 | {{- define "auto-instrumentation-python.image" -}} 218 | {{- printf "%s/%s:%s" .Values.manager.autoInstrumentationImage.python.repositoryDomain .Values.manager.autoInstrumentationImage.python.repository .Values.manager.autoInstrumentationImage.python.tag -}} 219 | {{- end -}} 220 | 221 | {{/* 222 | Get the current recommended auto instrumentation dotnet image 223 | */}} 224 | {{- define "auto-instrumentation-dotnet.image" -}} 225 | {{- printf "%s/%s:%s" .Values.manager.autoInstrumentationImage.dotnet.repositoryDomain .Values.manager.autoInstrumentationImage.dotnet.repository 
.Values.manager.autoInstrumentationImage.dotnet.tag -}} 226 | {{- end -}} 227 | 228 | {{/* 229 | Get the current recommended auto instrumentation nodejs image 230 | */}} 231 | {{- define "auto-instrumentation-nodejs.image" -}} 232 | {{- printf "%s/%s:%s" .Values.manager.autoInstrumentationImage.nodejs.repositoryDomain .Values.manager.autoInstrumentationImage.nodejs.repository .Values.manager.autoInstrumentationImage.nodejs.tag -}} 233 | {{- end -}} 234 | 235 | {{/* 236 | Common labels 237 | */}} 238 | {{- define "amazon-cloudwatch-observability.labels" -}} 239 | {{ include "amazon-cloudwatch-observability.selectorLabels" . }} 240 | {{- if .Chart.AppVersion }} 241 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 242 | {{- end }} 243 | app.kubernetes.io/managed-by: "amazon-cloudwatch-agent-operator" 244 | {{- end }} 245 | 246 | {{/* 247 | Selector labels 248 | */}} 249 | {{- define "amazon-cloudwatch-observability.selectorLabels" -}} 250 | app.kubernetes.io/name: {{ include "amazon-cloudwatch-observability.name" . }} 251 | app.kubernetes.io/instance: {{ .Release.Name }} 252 | {{- end }} 253 | 254 | {{/* 255 | Create the name of the service account to use 256 | */}} 257 | {{- define "amazon-cloudwatch-observability.managerServiceAccountName" -}} 258 | {{- if .Values.manager.serviceAccount.create }} 259 | {{- default (printf "%s-controller-manager" (include "amazon-cloudwatch-observability.name" .)) .Values.manager.serviceAccount.name }} 260 | {{- else }} 261 | {{- default "default" .Values.manager.serviceAccount.name }} 262 | {{- end }} 263 | {{- end }} 264 | 265 | {{/* 266 | Create the name of the service account to use 267 | */}} 268 | {{- define "cloudwatch-agent.serviceAccountName" -}} 269 | {{- if .Values.agent.enabled }} 270 | {{- default (include "cloudwatch-agent.name" .) 
.Values.agent.serviceAccount.name }} 271 | {{- else }} 272 | {{- default "default" .Values.agent.serviceAccount.name }} 273 | {{- end }} 274 | {{- end }} 275 | 276 | {{/* 277 | Create the name of the service account to use for dcgm exporter 278 | */}} 279 | {{- define "dcgm-exporter.serviceAccountName" -}} 280 | {{- default "dcgm-exporter-service-acct" .Values.dcgmExporter.serviceAccount.name }} 281 | {{- end }} 282 | 283 | {{/* 284 | Create the name of the service account to use for neuron monitor 285 | */}} 286 | {{- define "neuron-monitor.serviceAccountName" -}} 287 | {{- default "neuron-monitor-service-acct" .Values.neuronMonitor.serviceAccount.name }} 288 | {{- end }} 289 | 290 | {{- define "amazon-cloudwatch-observability.podAnnotations" -}} 291 | {{- if .Values.manager.podAnnotations }} 292 | {{- .Values.manager.podAnnotations | toYaml }} 293 | {{- end }} 294 | {{- end }} 295 | 296 | {{- define "amazon-cloudwatch-observability.podLabels" -}} 297 | {{- if .Values.manager.podLabels }} 298 | {{- .Values.manager.podLabels | toYaml }} 299 | {{- end }} 300 | {{- end }} 301 | 302 | {{/* 303 | Define the default certificate secret name 304 | */}} 305 | {{- define "amazon-cloudwatch-observability.certificateSecretName" -}} 306 | {{- default (printf "%s-controller-manager-service-cert" (include "amazon-cloudwatch-observability.name" .)) .Values.admissionWebhooks.secretName }} 307 | {{- end -}} 308 | 309 | {{/* 310 | Define the default service name 311 | */}} 312 | {{- define "amazon-cloudwatch-observability.webhookServiceName" -}} 313 | {{- default (printf "%s-webhook-service" (include "amazon-cloudwatch-observability.name" .)) .Values.manager.service.name }} 314 | {{- end -}} 315 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml: -------------------------------------------------------------------------------- 1 | {{- if and 
(.Values.admissionWebhooks.create) (.Values.admissionWebhooks.certManager.enabled) }} 2 | apiVersion: admissionregistration.k8s.io/v1 3 | kind: MutatingWebhookConfiguration 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: {{ printf "%s/%s-serving-cert" .Release.Namespace (include "amazon-cloudwatch-observability.name" .) }} 7 | labels: 8 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 9 | name: {{ template "amazon-cloudwatch-observability.name" . }}-mutating-webhook-configuration 10 | webhooks: 11 | - admissionReviewVersions: 12 | - v1 13 | clientConfig: 14 | service: 15 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 16 | namespace: {{ .Release.Namespace }} 17 | path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation 18 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 19 | name: minstrumentation.kb.io 20 | {{- if .Values.admissionWebhooks.namespaceSelector }} 21 | namespaceSelector: 22 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 23 | {{- end }} 24 | {{- if .Values.admissionWebhooks.objectSelector }} 25 | objectSelector: 26 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 27 | {{- end }} 28 | rules: 29 | - apiGroups: 30 | - cloudwatch.aws.amazon.com 31 | apiVersions: 32 | - v1alpha1 33 | operations: 34 | - CREATE 35 | - UPDATE 36 | resources: 37 | - instrumentations 38 | sideEffects: None 39 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 40 | - admissionReviewVersions: 41 | - v1 42 | clientConfig: 43 | service: 44 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 45 | namespace: {{ .Release.Namespace }} 46 | path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent 47 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 48 | name: mamazoncloudwatchagent.kb.io 49 | {{- if .Values.admissionWebhooks.namespaceSelector }} 50 | namespaceSelector: 51 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 52 | {{- end }} 53 | {{- if .Values.admissionWebhooks.objectSelector }} 54 | objectSelector: 55 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 56 | {{- end }} 57 | rules: 58 | - apiGroups: 59 | - cloudwatch.aws.amazon.com 60 | apiVersions: 61 | - v1alpha1 62 | operations: 63 | - CREATE 64 | - UPDATE 65 | resources: 66 | - amazoncloudwatchagents 67 | sideEffects: None 68 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 69 | - admissionReviewVersions: 70 | - v1 71 | clientConfig: 72 | service: 73 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 74 | namespace: {{ .Release.Namespace }} 75 | path: /mutate-v1-pod 76 | failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} 77 | name: mpod.kb.io 78 | {{- if .Values.admissionWebhooks.namespaceSelector }} 79 | namespaceSelector: 80 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 81 | {{- end }} 82 | {{- if .Values.admissionWebhooks.objectSelector }} 83 | objectSelector: 84 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 85 | {{- end }} 86 | rules: 87 | - apiGroups: 88 | - "" 89 | apiVersions: 90 | - v1 91 | operations: 92 | - CREATE 93 | - UPDATE 94 | resources: 95 | - pods 96 | sideEffects: None 97 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 98 | - admissionReviewVersions: 99 | - v1 100 | clientConfig: 101 | service: 102 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 103 | namespace: {{ .Release.Namespace }} 104 | path: /mutate-v1-namespace 105 | failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} 106 | name: mnamespace.kb.io 107 | {{- if .Values.admissionWebhooks.namespaceSelector }} 108 | namespaceSelector: 109 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 110 | {{- end }} 111 | {{- if .Values.admissionWebhooks.objectSelector }} 112 | objectSelector: 113 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 114 | {{- end }} 115 | rules: 116 | - apiGroups: 117 | - "" 118 | apiVersions: 119 | - v1 120 | operations: 121 | - CREATE 122 | - UPDATE 123 | resources: 124 | - namespaces 125 | sideEffects: None 126 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 127 | - admissionReviewVersions: 128 | - v1 129 | clientConfig: 130 | service: 131 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 132 | namespace: {{ .Release.Namespace }} 133 | path: /mutate-v1-workload 134 | failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} 135 | name: mworkload.kb.io 136 | {{- if .Values.admissionWebhooks.namespaceSelector }} 137 | namespaceSelector: 138 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 139 | {{- end }} 140 | {{- if .Values.admissionWebhooks.objectSelector }} 141 | objectSelector: 142 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 143 | {{- end }} 144 | rules: 145 | - apiGroups: 146 | - apps 147 | apiVersions: 148 | - v1 149 | operations: 150 | - CREATE 151 | - UPDATE 152 | resources: 153 | - daemonsets 154 | - deployments 155 | - statefulsets 156 | sideEffects: None 157 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 158 | --- 159 | apiVersion: admissionregistration.k8s.io/v1 160 | kind: ValidatingWebhookConfiguration 161 | metadata: 162 | annotations: 163 | cert-manager.io/inject-ca-from: {{ printf "%s/%s-serving-cert" .Release.Namespace (include 
"amazon-cloudwatch-observability.name" .) }} 164 | labels: 165 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 166 | name: {{ template "amazon-cloudwatch-observability.name" . }}-validating-webhook-configuration 167 | webhooks: 168 | - admissionReviewVersions: 169 | - v1 170 | clientConfig: 171 | service: 172 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 173 | namespace: {{ .Release.Namespace }} 174 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation 175 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 176 | name: vinstrumentationcreateupdate.kb.io 177 | {{- if .Values.admissionWebhooks.namespaceSelector }} 178 | namespaceSelector: 179 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 180 | {{- end }} 181 | {{- if .Values.admissionWebhooks.objectSelector }} 182 | objectSelector: 183 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 184 | {{- end }} 185 | rules: 186 | - apiGroups: 187 | - cloudwatch.aws.amazon.com 188 | apiVersions: 189 | - v1alpha1 190 | operations: 191 | - CREATE 192 | - UPDATE 193 | resources: 194 | - instrumentations 195 | sideEffects: None 196 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 197 | - admissionReviewVersions: 198 | - v1 199 | clientConfig: 200 | service: 201 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 202 | namespace: {{ .Release.Namespace }} 203 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation 204 | failurePolicy: Ignore 205 | name: vinstrumentationdelete.kb.io 206 | {{- if .Values.admissionWebhooks.namespaceSelector }} 207 | namespaceSelector: 208 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 209 | {{- end }} 210 | {{- if .Values.admissionWebhooks.objectSelector }} 211 | objectSelector: 212 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 213 | {{- end }} 214 | rules: 215 | - apiGroups: 216 | - cloudwatch.aws.amazon.com 217 | apiVersions: 218 | - v1alpha1 219 | operations: 220 | - DELETE 221 | resources: 222 | - instrumentations 223 | sideEffects: None 224 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 225 | - admissionReviewVersions: 226 | - v1 227 | clientConfig: 228 | service: 229 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 230 | namespace: {{ .Release.Namespace }} 231 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent 232 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 233 | name: vamazoncloudwatchagentcreateupdate.kb.io 234 | {{- if .Values.admissionWebhooks.namespaceSelector }} 235 | namespaceSelector: 236 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 237 | {{- end }} 238 | {{- if .Values.admissionWebhooks.objectSelector }} 239 | objectSelector: 240 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 241 | {{- end }} 242 | rules: 243 | - apiGroups: 244 | - cloudwatch.aws.amazon.com 245 | apiVersions: 246 | - v1alpha1 247 | operations: 248 | - CREATE 249 | - UPDATE 250 | resources: 251 | - amazoncloudwatchagents 252 | sideEffects: None 253 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 254 | - admissionReviewVersions: 255 | - v1 256 | clientConfig: 257 | service: 258 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" 
. }} 259 | namespace: {{ .Release.Namespace }} 260 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent 261 | failurePolicy: Ignore 262 | name: vamazoncloudwatchagentdelete.kb.io 263 | {{- if .Values.admissionWebhooks.namespaceSelector }} 264 | namespaceSelector: 265 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 266 | {{- end }} 267 | {{- if .Values.admissionWebhooks.objectSelector }} 268 | objectSelector: 269 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 270 | {{- end }} 271 | rules: 272 | - apiGroups: 273 | - cloudwatch.aws.amazon.com 274 | apiVersions: 275 | - v1alpha1 276 | operations: 277 | - DELETE 278 | resources: 279 | - amazoncloudwatchagents 280 | sideEffects: None 281 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 282 | {{- end }} 283 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.admissionWebhooks.create) (.Values.admissionWebhooks.autoGenerateCert.enabled) (not .Values.admissionWebhooks.certManager.enabled) }} 2 | {{- $altNames := list ( printf "%s-webhook-service.%s" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc.cluster.local" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) -}} 3 | {{- $ca := genCA ( printf "%s-ca" (include "amazon-cloudwatch-observability.name" .) ) ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) -}} 4 | {{- $cert := genSignedCert (include "amazon-cloudwatch-observability.name" .) 
nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
{{- /*
  TLS material for the operator webhook server.
  $ca and $cert come from the genCA / genSignedCert calls above. Those calls
  run at render time, so each render (install or upgrade) produces a new CA
  and a new key pair. The Secret below and every caBundle in this file are
  filled from that same render. Only $ca.Cert is emitted; the CA private key
  is not written to any object in this template.
  NOTE(review): tls.key is part of the rendered manifest, so it is also kept
  in Helm's stored release data. Confirm that read access to Secrets in the
  release namespace is limited accordingly.
*/ -}}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
  name: {{ template "amazon-cloudwatch-observability.certificateSecretName" . }}
  namespace: {{ .Release.Namespace }}
data:
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
  name: {{ template "amazon-cloudwatch-observability.name" . }}-mutating-webhook-configuration
webhooks:
  {{- /*
    Each entry pins the API server's trust to the generated CA through
    caBundle. failurePolicy comes from values, and namespaceSelector and
    objectSelector are only rendered when set.
    NOTE(review): with no selector the webhook is consulted for every matching
    object in every namespace; check which failurePolicy the values ship with
    before relying on it.
  */}}
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
        namespace: {{ .Release.Namespace }}
        path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation
      caBundle: {{ $ca.Cert | b64enc }}
    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
    name: minstrumentation.kb.io
    {{- if .Values.admissionWebhooks.namespaceSelector }}
    namespaceSelector:
      {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }}
    {{- end }}
    {{- if .Values.admissionWebhooks.objectSelector }}
    objectSelector:
      {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }}
    {{- end }}
    rules:
      - apiGroups:
          - cloudwatch.aws.amazon.com
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - instrumentations
    sideEffects: None
    timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }}
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ template "amazon-cloudwatch-observability.webhookServiceName" .
}} 59 | namespace: {{ .Release.Namespace }} 60 | path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent 61 | caBundle: {{ $ca.Cert | b64enc }} 62 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 63 | name: mamazoncloudwatchagent.kb.io 64 | {{- if .Values.admissionWebhooks.namespaceSelector }} 65 | namespaceSelector: 66 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 67 | {{- end }} 68 | {{- if .Values.admissionWebhooks.objectSelector }} 69 | objectSelector: 70 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 71 | {{- end }} 72 | rules: 73 | - apiGroups: 74 | - cloudwatch.aws.amazon.com 75 | apiVersions: 76 | - v1alpha1 77 | operations: 78 | - CREATE 79 | - UPDATE 80 | resources: 81 | - amazoncloudwatchagents 82 | sideEffects: None 83 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 84 | - admissionReviewVersions: 85 | - v1 86 | clientConfig: 87 | service: 88 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 89 | namespace: {{ .Release.Namespace }} 90 | path: /mutate-v1-pod 91 | caBundle: {{ $ca.Cert | b64enc }} 92 | failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} 93 | name: mpod.kb.io 94 | {{- if .Values.admissionWebhooks.namespaceSelector }} 95 | namespaceSelector: 96 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 97 | {{- end }} 98 | {{- if .Values.admissionWebhooks.objectSelector }} 99 | objectSelector: 100 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 101 | {{- end }} 102 | rules: 103 | - apiGroups: 104 | - "" 105 | apiVersions: 106 | - v1 107 | operations: 108 | - CREATE 109 | - UPDATE 110 | resources: 111 | - pods 112 | sideEffects: None 113 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 114 | - admissionReviewVersions: 115 | - v1 116 | clientConfig: 117 | service: 118 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 119 | namespace: {{ .Release.Namespace }} 120 | path: /mutate-v1-namespace 121 | caBundle: {{ $ca.Cert | b64enc }} 122 | failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} 123 | name: mnamespace.kb.io 124 | {{- if .Values.admissionWebhooks.namespaceSelector }} 125 | namespaceSelector: 126 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 127 | {{- end }} 128 | {{- if .Values.admissionWebhooks.objectSelector }} 129 | objectSelector: 130 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 131 | {{- end }} 132 | rules: 133 | - apiGroups: 134 | - "" 135 | apiVersions: 136 | - v1 137 | operations: 138 | - CREATE 139 | - UPDATE 140 | resources: 141 | - namespaces 142 | sideEffects: None 143 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 144 | - admissionReviewVersions: 145 | - v1 146 | clientConfig: 147 | service: 148 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 149 | namespace: {{ .Release.Namespace }} 150 | path: /mutate-v1-workload 151 | caBundle: {{ $ca.Cert | b64enc }} 152 | failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} 153 | name: mworkload.kb.io 154 | {{- if .Values.admissionWebhooks.namespaceSelector }} 155 | namespaceSelector: 156 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 157 | {{- end }} 158 | {{- if .Values.admissionWebhooks.objectSelector }} 159 | objectSelector: 160 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 161 | {{- end }} 162 | rules: 163 | - apiGroups: 164 | - apps 165 | apiVersions: 166 | - v1 167 | operations: 168 | - CREATE 169 | - UPDATE 170 | resources: 171 | - daemonsets 172 | - deployments 173 | - statefulsets 174 | sideEffects: None 175 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 176 | --- 177 | apiVersion: admissionregistration.k8s.io/v1 178 | kind: ValidatingWebhookConfiguration 179 | metadata: 180 | labels: 181 | {{- include 
"amazon-cloudwatch-observability.labels" . | nindent 4}} 182 | name: {{ template "amazon-cloudwatch-observability.name" . }}-validating-webhook-configuration 183 | webhooks: 184 | - admissionReviewVersions: 185 | - v1 186 | clientConfig: 187 | service: 188 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} 189 | namespace: {{ .Release.Namespace }} 190 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation 191 | caBundle: {{ $ca.Cert | b64enc }} 192 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 193 | name: vinstrumentationcreateupdate.kb.io 194 | {{- if .Values.admissionWebhooks.namespaceSelector }} 195 | namespaceSelector: 196 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 197 | {{- end }} 198 | {{- if .Values.admissionWebhooks.objectSelector }} 199 | objectSelector: 200 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 201 | {{- end }} 202 | rules: 203 | - apiGroups: 204 | - cloudwatch.aws.amazon.com 205 | apiVersions: 206 | - v1alpha1 207 | operations: 208 | - CREATE 209 | - UPDATE 210 | resources: 211 | - instrumentations 212 | sideEffects: None 213 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 214 | - admissionReviewVersions: 215 | - v1 216 | clientConfig: 217 | service: 218 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 219 | namespace: {{ .Release.Namespace }} 220 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation 221 | caBundle: {{ $ca.Cert | b64enc }} 222 | failurePolicy: Ignore 223 | name: vinstrumentationdelete.kb.io 224 | {{- if .Values.admissionWebhooks.namespaceSelector }} 225 | namespaceSelector: 226 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 227 | {{- end }} 228 | {{- if .Values.admissionWebhooks.objectSelector }} 229 | objectSelector: 230 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 231 | {{- end }} 232 | rules: 233 | - apiGroups: 234 | - cloudwatch.aws.amazon.com 235 | apiVersions: 236 | - v1alpha1 237 | operations: 238 | - DELETE 239 | resources: 240 | - instrumentations 241 | sideEffects: None 242 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 243 | - admissionReviewVersions: 244 | - v1 245 | clientConfig: 246 | service: 247 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 248 | namespace: {{ .Release.Namespace }} 249 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent 250 | caBundle: {{ $ca.Cert | b64enc }} 251 | failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} 252 | name: vamazoncloudwatchagentcreateupdate.kb.io 253 | {{- if .Values.admissionWebhooks.namespaceSelector }} 254 | namespaceSelector: 255 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 256 | {{- end }} 257 | {{- if .Values.admissionWebhooks.objectSelector }} 258 | objectSelector: 259 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 260 | {{- end }} 261 | rules: 262 | - apiGroups: 263 | - cloudwatch.aws.amazon.com 264 | apiVersions: 265 | - v1alpha1 266 | operations: 267 | - CREATE 268 | - UPDATE 269 | resources: 270 | - amazoncloudwatchagents 271 | sideEffects: None 272 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 273 | - admissionReviewVersions: 274 | - v1 275 | clientConfig: 276 | service: 277 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
}} 278 | namespace: {{ .Release.Namespace }} 279 | path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent 280 | caBundle: {{ $ca.Cert | b64enc }} 281 | failurePolicy: Ignore 282 | name: vamazoncloudwatchagentdelete.kb.io 283 | {{- if .Values.admissionWebhooks.namespaceSelector }} 284 | namespaceSelector: 285 | {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} 286 | {{- end }} 287 | {{- if .Values.admissionWebhooks.objectSelector }} 288 | objectSelector: 289 | {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 290 | {{- end }} 291 | rules: 292 | - apiGroups: 293 | - cloudwatch.aws.amazon.com 294 | apiVersions: 295 | - v1alpha1 296 | operations: 297 | - DELETE 298 | resources: 299 | - amazoncloudwatchagents 300 | sideEffects: None 301 | timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} 302 | {{- end }} 303 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/certmanager.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.admissionWebhooks.create .Values.admissionWebhooks.certManager.enabled }} 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | {{- if .Values.admissionWebhooks.certManager.certificateAnnotations }} 6 | annotations: 7 | {{- toYaml .Values.admissionWebhooks.certManager.certificateAnnotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }} 11 | name: {{ template "amazon-cloudwatch-observability.name" . 
}}-serving-cert 12 | namespace: {{ .Release.Namespace }} 13 | spec: 14 | dnsNames: 15 | - {{ template "amazon-cloudwatch-observability.name" .}}-webhook-service.{{ .Release.Namespace }} 16 | - {{ template "amazon-cloudwatch-observability.name" .}}-webhook-service.{{ .Release.Namespace }}.svc 17 | - {{ template "amazon-cloudwatch-observability.name" .}}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local 18 | issuerRef: 19 | {{- if .Values.admissionWebhooks.certManager.issuerRef }} 20 | {{- toYaml .Values.admissionWebhooks.certManager.issuerRef | nindent 4 }} 21 | {{- else }} 22 | kind: Issuer 23 | name: {{ template "amazon-cloudwatch-observability.name" . }}-selfsigned-issuer 24 | {{- end }} 25 | secretName: {{ template "amazon-cloudwatch-observability.certificateSecretName" . }} 26 | subject: 27 | organizationalUnits: 28 | - {{ template "amazon-cloudwatch-observability.name" . }} 29 | {{- if not .Values.admissionWebhooks.certManager.issuerRef }} 30 | --- 31 | apiVersion: cert-manager.io/v1 32 | kind: Issuer 33 | metadata: 34 | {{- if .Values.admissionWebhooks.certManager.issuerAnnotations }} 35 | annotations: 36 | {{- toYaml .Values.admissionWebhooks.certManager.issuerAnnotations | nindent 4 }} 37 | {{- end }} 38 | labels: 39 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }} 40 | name: {{ template "amazon-cloudwatch-observability.name" . }}-selfsigned-issuer 41 | namespace: {{ .Release.Namespace }} 42 | spec: 43 | selfSigned: { } 44 | {{- end }} 45 | {{- end }} 46 | 47 | {{- if ( .Values.agent.certManager.enabled) }} 48 | --- 49 | apiVersion: cert-manager.io/v1 50 | kind: Certificate 51 | metadata: 52 | labels: 53 | {{- include "amazon-cloudwatch-observability.labels" . 
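| nindent 4 }}
  name: "amazon-cloudwatch-observability-agent-cert"
  namespace: {{ .Release.Namespace }}
spec:
  {{- /*
    SANs for the target-allocator, DCGM exporter and Neuron monitor services.
    The ".svc" names are built from the release namespace, so the certificate
    still matches when the chart is not installed into "amazon-cloudwatch".
  */}}
  dnsNames:
    {{- range $i, $customAgent := .Values.agents }}
    - {{( printf "%s-target-allocator-service" $customAgent.name )}}
    {{- end }}
    - "dcgm-exporter-service"
    - "dcgm-exporter-service.{{ .Release.Namespace }}.svc"
    - "neuron-monitor-service"
    - "neuron-monitor-service.{{ .Release.Namespace }}.svc"
  {{- /*
    Honour a user-supplied issuerRef. The bundled "agent-ca" Issuer further
    down is only rendered when agent.certManager.issuerRef is unset, so a
    hard-coded reference would point at an Issuer this chart did not create.
  */}}
  issuerRef:
    {{- if .Values.agent.certManager.issuerRef }}
    {{- toYaml .Values.agent.certManager.issuerRef | nindent 4 }}
    {{- else }}
    kind: Issuer
    name: "agent-ca"
    {{- end }}
  secretName: "amazon-cloudwatch-observability-agent-cert"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
  name: "amazon-cloudwatch-observability-agent-server-cert"
  namespace: {{ .Release.Namespace }}
spec:
  commonName: "agent-server"
  dnsNames:
    - "cloudwatch-agent"
    - "cloudwatch-agent.{{ .Release.Namespace }}.svc"
  issuerRef:
    {{- if .Values.agent.certManager.issuerRef }}
    {{- toYaml .Values.agent.certManager.issuerRef | nindent 4 }}
    {{- else }}
    kind: Issuer
    name: "agent-ca"
    {{- end }}
  secretName: "amazon-cloudwatch-observability-agent-server-cert"
  {{- /*
    NOTE(review): "cert sign" is a CA key usage. Confirm that this server
    certificate needs it; a leaf certificate normally does not.
  */}}
  usages:
    - digital signature
    - key encipherment
    - cert sign
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
  name: "amazon-cloudwatch-observability-agent-client-cert"
  namespace: {{ .Release.Namespace }}
spec:
  commonName: "agent-client"
  issuerRef:
    {{- if .Values.agent.certManager.issuerRef }}
    {{- toYaml .Values.agent.certManager.issuerRef | nindent 4 }}
    {{- else }}
    kind: Issuer
    name: "agent-ca"
    {{- end }}
  secretName: "amazon-cloudwatch-observability-agent-client-cert"
  {{- /* NOTE(review): same question as for the server certificate about "cert sign". */}}
  usages:
    - digital signature
    - key encipherment
    - cert sign
{{- if not .Values.agent.certManager.issuerRef }}
---
{{- /*
  Default issuer, rendered only when no issuerRef is supplied.
  NOTE(review): a SelfSigned issuer signs each Certificate with that
  Certificate's own key, so the three agent certificates above would not share
  a CA. Confirm this matches the trust relationships the agent and exporters
  expect.
*/}}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  {{- if .Values.agent.certManager.issuerAnnotations }}
  annotations:
    {{- toYaml .Values.agent.certManager.issuerAnnotations | nindent 4 }}
  {{- end }}
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
  name: "agent-ca"
  namespace: {{ .Release.Namespace }}
spec:
  selfSigned: { }
{{- end }}
---
{{- /*
  The three Secrets below are declared without data and carry the same names
  as the Certificates' secretName values. Presumably they are placeholders
  that cert-manager fills in; verify.
*/}}
apiVersion: v1
kind: Secret
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
  name: "amazon-cloudwatch-observability-agent-cert"
  namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
  name: "amazon-cloudwatch-observability-agent-server-cert"
  namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" .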
| nindent 4 }}
  name: "amazon-cloudwatch-observability-agent-client-cert"
  namespace: {{ .Release.Namespace }}
{{- end }}


--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrole.yaml:
--------------------------------------------------------------------------------
{{ if .Values.agent.enabled }}
# Cluster-wide permissions for the CloudWatch agent service account. The
# ClusterRoleBinding template binds this role to that account, so every rule
# below applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
  name: {{ template "cloudwatch-agent.name" . }}-role
rules:
  # Read-only discovery of workloads and nodes.
  # NOTE(review): the built-in pod log subresource is "pods/log"; "pods/logs"
  # matches no built-in subresource, so this entry probably grants nothing.
  # Decide whether log access is intended before correcting or removing it.
  # NOTE(review): "get" on "nodes/proxy" lets the holder reach the kubelet API
  # through the API server. Confirm the agent needs it; if it does, treat this
  # service account's token as node-sensitive.
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/logs", "nodes", "nodes/proxy", "namespaces", "endpoints" ]
    verbs: [ "list", "watch", "get" ]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "watch", "get"]
  - apiGroups: [ "" ]
    resources: [ "services" ]
    verbs: [ "list", "watch" ]
  - apiGroups: [ "apps" ]
    resources: [ "replicasets", "daemonsets", "deployments", "statefulsets" ]
    verbs: [ "list", "watch", "get" ]
  - apiGroups: [ "batch" ]
    resources: [ "jobs" ]
    verbs: [ "list", "watch" ]
  # Write access: create/get on configmaps and events, plus update on
  # configmaps in the next rule, with no resourceNames restriction.
  # NOTE(review): as written, the account can read and modify any ConfigMap in
  # the cluster. If only a known ConfigMap is needed, scope "get" and "update"
  # with resourceNames or move them to a namespaced Role.
  - apiGroups: [ "" ]
    resources: [ "nodes/stats", "configmaps", "events" ]
    verbs: [ "create", "get" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    verbs: [ "update" ]
  - nonResourceURLs: [ "/metrics" ]
    verbs: [ "get", "list", "watch" ]
{{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{ if .Values.agent.enabled }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "cloudwatch-agent.name" .
}}-role-binding 6 | roleRef: 7 | kind: ClusterRole 8 | name: {{ template "cloudwatch-agent.name" . }}-role 9 | apiGroup: rbac.authorization.k8s.io 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ template "cloudwatch-agent.serviceAccountName" . }} 13 | namespace: {{ .Release.Namespace }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.agent.enabled }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "cloudwatch-agent.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- end }} 8 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.agent.enabled }} 2 | {{- if and (.Values.agent.autoGenerateCert.enabled) (not .Values.agent.certManager.enabled) -}} 3 | {{- $altNames := list ( printf "%s-service" (include "dcgm-exporter.name" .) ) ( printf "%s-service" (include "neuron-monitor.name" .) ) ( printf "%s-service.%s.svc" (include "dcgm-exporter.name" .) .Release.Namespace ) ( printf "%s-service.%s.svc" (include "neuron-monitor.name" .) .Release.Namespace ) -}} 4 | {{- range $i, $customAgent := .Values.agents }} 5 | {{ $altNames = append $altNames ( printf "%s-target-allocator-service" $customAgent.name )}} 6 | {{- end }} 7 | {{- $agentAltNames := list ( printf "%s" (include "cloudwatch-agent.name" .) ) ( printf "%s.%s.svc" (include "cloudwatch-agent.name" .) 
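.Release.Namespace ) -}}
{{- /*
  Agent TLS material, generated at render time when autoGenerateCert is enabled
  and cert-manager is not. One CA ($ca) signs three leaf certificates: the
  exporter / target-allocator certificate, the agent server certificate and
  the agent client certificate.
  Every lifetime is read from agent.autoGenerateCert.expiryDays. The leaf
  certificates previously used admissionWebhooks.autoGenerateCert.expiryDays,
  which let them expire on a different schedule from the CA that signs them.
  NOTE(review): genCA / genSignedCert produce new keys on every render, and the
  rendered keys are also kept in Helm's stored release data. Confirm that
  rotation on upgrade is acceptable and that access to Secrets in the release
  namespace is limited.
*/ -}}
{{- $ca := genCA ("agent-ca") ( .Values.agent.autoGenerateCert.expiryDays | int ) -}}
{{- $cert := genSignedCert ("agent") nil $altNames ( .Values.agent.autoGenerateCert.expiryDays | int ) $ca -}}
{{- $serverCert := genSignedCert ("agent-server") nil $agentAltNames ( .Values.agent.autoGenerateCert.expiryDays | int ) $ca -}}
{{- $clientCert := genSignedCert ("agent-client") nil nil ( .Values.agent.autoGenerateCert.expiryDays | int ) $ca -}}
apiVersion: v1
kind: Secret
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
  name: "amazon-cloudwatch-observability-agent-cert"
  namespace: {{ .Release.Namespace }}
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
  name: "amazon-cloudwatch-observability-agent-server-cert"
  namespace: {{ .Release.Namespace }}
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $serverCert.Cert | b64enc }}
  tls.key: {{ $serverCert.Key | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
  name: "amazon-cloudwatch-observability-agent-client-cert"
  namespace: {{ .Release.Namespace }}
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $clientCert.Cert | b64enc }}
  tls.key: {{ $clientCert.Key | b64enc }}
---
{{- end -}}

{{- /* clusterName and region are mandatory; rendering fails with the messages below when either is missing. */ -}}
{{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
{{- $region := .Values.region | required ".Values.region is required." -}}
{{- $isROSA := eq $.Values.k8sMode "ROSA" -}}
{{- range .Values.agents }}
{{- $agent := merge .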
(deepCopy $.Values.agent) }}
{{- /*
  One AmazonCloudWatchAgent resource per entry in .Values.agents. $agent is
  the entry merged over a copy of the chart-wide .Values.agent settings.
*/}}
apiVersion: cloudwatch.aws.amazon.com/v1alpha1
kind: AmazonCloudWatchAgent
metadata:
  name: {{ $agent.name | default (include "cloudwatch-agent.name" $) }}
  namespace: {{ $.Release.Namespace }}
spec:
  updateStrategy:
    type: {{ $agent.updateStrategy.type }}
    {{- if eq $agent.updateStrategy.type "RollingUpdate" }}
    rollingUpdate:
      maxUnavailable: {{ $agent.updateStrategy.rollingUpdate.maxUnavailable | default (include "cloudwatch-agent.rolloutStrategyMaxUnavailable" (dict "mode" $agent.mode)) }}
      maxSurge: {{ $agent.updateStrategy.rollingUpdate.maxSurge | default (include "cloudwatch-agent.rolloutStrategyMaxSurge" (dict "mode" $agent.mode)) }}
    {{- end }}
  image: {{ template "cloudwatch-agent.image" (merge $agent.image (dict "region" $.Values.region)) }}
  mode: {{ $agent.mode }}
  replicas: {{ $agent.replicas }}
  {{- with $agent.nodeSelector }}
  nodeSelector: {{- toYaml . | nindent 4 }}
  {{- end }}
  serviceAccount: {{ $agent.serviceAccount.name | default (include "cloudwatch-agent.serviceAccountName" $) }}
  {{- /*
    ROSA only (k8sMode equal to "ROSA"): the agent may run as root and is given
    the SYS_ADMIN capability.
    NOTE(review): SYS_ADMIN is a very broad capability, and this pod also uses
    host networking and host paths. Confirm it is required, and record why.
  */}}
  {{ if $isROSA }}
  securityContext:
    runAsNonRoot: false
    capabilities:
      add:
        - SYS_ADMIN
  {{ end }}
  priorityClassName: {{ $agent.priorityClassName | default $.Values.agent.priorityClassName }}
  {{- with $agent.affinity }}
  affinity: {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- /*
    hostNetwork is set unconditionally, so the agent shares the node's network
    namespace and its listeners bind on the node's interfaces.
  */}}
  hostNetwork: true
  {{- /* Use the agent's own config when given, otherwise its defaultConfig; both pass through the modify-config helper. */}}
  {{- if $agent.config }}
  config: {{ include "cloudwatch-agent.modify-config" (merge (dict "Config" $agent.config) $ ) }}
  {{- else }}
  config: {{ include "cloudwatch-agent.modify-config" (merge (dict "Config" $agent.defaultConfig) $ ) }}
  {{- end }}
  {{- if $agent.otelConfig }}
  otelConfig: {{ include "cloudwatch-agent.modify-otel-config" (merge (dict "OtelConfig" $agent.otelConfig) .
) }}
  {{- end }}
  {{- if $agent.prometheus.config }}
  prometheus:
    {{- with $agent.prometheus.config }}
    config:
      {{- toYaml . | nindent 6 }}
    {{- end }}
  {{- end }}
  {{- if $agent.prometheus.targetAllocator.enabled }}
  targetAllocator:
    enabled: {{ $agent.prometheus.targetAllocator.enabled | default false }}
    image: {{ template "target-allocator.image" (merge $agent.prometheus.targetAllocator.image (dict "region" $.Values.region)) }}
    allocationStrategy: "consistent-hashing"
    {{- if $agent.prometheus.targetAllocator.prometheusCR.enabled }}
    prometheusCR: {{ $agent.prometheus.targetAllocator.prometheusCR.enabled | default false }}
    {{- end }}
  {{- end }}
  {{- with $agent.resources }}
  resources: {{- toYaml . | nindent 4}}
  {{- end }}
  {{- /*
    Host access granted to the agent container. The matching volumes are
    hostPath entries declared under "volumes": the node's root file system
    ("/" mounted at /rootfs), the Docker, containerd and CRI-O sockets,
    container and pod log directories, /sys, /dev/disk and the kubelet
    pod-resources directory. The three agent*tls mounts come from the
    certificate Secrets.
    NOTE(review): readOnly on a socket mount limits file-system writes only; it
    does not restrict the requests a process can send over the socket. Treat
    access to a container runtime socket as node-level access.
    NOTE(review): the containerd socket and the kubelet pod-resources mounts
    have no readOnly flag, unlike their sibling mounts. Confirm whether that is
    intentional.
  */}}
  volumeMounts:
  - mountPath: /rootfs
    name: rootfs
    readOnly: true
  - mountPath: /var/run/docker.sock
    name: dockersock
    readOnly: true
  - mountPath: /run/containerd/containerd.sock
    name: containerdsock
  - mountPath: /var/run/crio/crio.sock
    name: criosock
    readOnly: true
  - mountPath: /var/lib/containers
    name: criocontainer
    readOnly: true
  - mountPath: /var/log/pods
    name: criologs
    readOnly: true
  - mountPath: /var/lib/docker
    name: varlibdocker
    readOnly: true
  - mountPath: /sys
    name: sys
    readOnly: true
  - mountPath: /dev/disk
    name: devdisk
    readOnly: true
  - mountPath: /etc/amazon-cloudwatch-observability-agent-cert
    name: agenttls
    readOnly: true
  - mountPath: /etc/amazon-cloudwatch-observability-agent-client-cert
    name: agentclienttls
    readOnly: true
  - mountPath: /etc/amazon-cloudwatch-observability-agent-server-cert
    name: agentservertls
    readOnly: true
  - mountPath: /var/lib/kubelet/pod-resources
    name: kubelet-podresources
  {{ if
$isROSA }} 153 | - mountPath: /etc/kubernetes/kubelet-ca.crt 154 | name: kubelet-ca 155 | readOnly: true 156 | {{ end }} 157 | volumes: 158 | - name: kubelet-podresources 159 | hostPath: 160 | path: /var/lib/kubelet/pod-resources 161 | type: Directory 162 | - name: rootfs 163 | hostPath: 164 | path: / 165 | - hostPath: 166 | path: /var/run/docker.sock 167 | name: dockersock 168 | - hostPath: 169 | path: /var/lib/docker 170 | name: varlibdocker 171 | - hostPath: 172 | path: /run/containerd/containerd.sock 173 | name: containerdsock 174 | - hostPath: 175 | path: /var/run/crio/crio.sock 176 | name: criosock 177 | - hostPath: 178 | path: /var/lib/containers 179 | name: criocontainer 180 | - hostPath: 181 | path: /var/log/pods 182 | name: criologs 183 | - hostPath: 184 | path: /sys 185 | name: sys 186 | - hostPath: 187 | path: /dev/disk/ 188 | name: devdisk 189 | - name: agenttls 190 | secret: 191 | secretName: amazon-cloudwatch-observability-agent-cert 192 | items: 193 | - key: ca.crt 194 | path: tls-ca.crt 195 | - name: agentclienttls 196 | secret: 197 | secretName: amazon-cloudwatch-observability-agent-client-cert 198 | items: 199 | - key: ca.crt 200 | path: tls-ca.crt 201 | - name: agentservertls 202 | secret: 203 | secretName: amazon-cloudwatch-observability-agent-server-cert 204 | items: 205 | - key: tls.crt 206 | path: server.crt 207 | - key: tls.key 208 | path: server.key 209 | {{ if $isROSA }} 210 | - name: kubelet-ca 211 | hostPath: 212 | path: /etc/kubernetes/kubelet-ca.crt 213 | {{end }} 214 | env: 215 | - name: K8S_NODE_NAME 216 | valueFrom: 217 | fieldRef: 218 | fieldPath: spec.nodeName 219 | - name: HOST_IP 220 | valueFrom: 221 | fieldRef: 222 | fieldPath: status.hostIP 223 | - name: HOST_NAME 224 | valueFrom: 225 | fieldRef: 226 | fieldPath: spec.nodeName 227 | - name: K8S_NAMESPACE 228 | valueFrom: 229 | fieldRef: 230 | fieldPath: metadata.namespace 231 | {{ if $isROSA }} 232 | - name: RUN_IN_ROSA 233 | value: "True" 234 | {{ end }} 235 | - name: 
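K8S_CLUSTER_NAME 236 | value: {{ $.Values.clusterName | quote }} 237 | {{- dict "component" $agent "context" $ | include "amazon-cloudwatch-observability.common.tolerations" | nindent 2 }} 238 | --- 239 | {{- end }} 240 | {{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/linux/dcgm-exporter-daemonset.yaml:
--------------------------------------------------------------------------------
# DcgmExporter custom resource (cloudwatch.aws.amazon.com/v1alpha1) describing the GPU
# metrics exporter. This template has no enable/disable guard, so the resource is
# rendered on every install of the chart.
apiVersion: cloudwatch.aws.amazon.com/v1alpha1
kind: DcgmExporter
metadata:
  name: {{ include "dcgm-exporter.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: {{ include "dcgm-exporter.name" . }}
    version: v1
spec:
  image: {{ template "dcgm-exporter.image" . }}
  {{- with .Values.dcgmExporter.nodeSelector }}
  nodeSelector: {{- toYaml . | nindent 4 }}
  {{- end }}
  serviceAccount: {{ template "dcgm-exporter.serviceAccountName" . }}
  {{- with .Values.dcgmExporter.affinity }}
  affinity: {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.dcgmExporter.resources }}
  resources: {{- toYaml . | nindent 4}}
  {{- end }}
  env:
  - name: "DCGM_EXPORTER_KUBERNETES"
    value: "true"
  # Listen address comes straight from values; the metrics endpoint is served with the
  # certificate configured in tlsConfig below.
  - name: "DCGM_EXPORTER_LISTEN"
    value: "{{ .Values.dcgmExporter.service.address }}"
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  ports:
  - name: "metrics"
    port: {{ .Values.dcgmExporter.service.port }}
  volumeMounts:
  # Host directory from the node's kubelet, mounted read-only.
  - name: "pod-gpu-resources"
    readOnly: true
    mountPath: "/var/lib/kubelet/pod-resources"
  - mountPath: /etc/amazon-cloudwatch-observability-dcgm-cert
    name: dcgmtls
    readOnly: true
  volumes:
  # NOTE(review): the server certificate AND private key are taken from the secret
  # named amazon-cloudwatch-observability-agent-cert. The neuron monitor template in
  # this chart reads tls.crt/tls.key from the same secret name, so the exporters share
  # one key pair; a compromise of either pod exposes the key used by both. Confirm this
  # sharing is intended before reusing the secret for further components.
  - name: dcgmtls
    secret:
      secretName: amazon-cloudwatch-observability-agent-cert
      items:
      - key: tls.crt
        path: server.crt
      - key: tls.key
        path: server.key
  # NOTE(review): no hostPath `type` is set here, whereas the agent custom resource
  # declares `type: Directory` for the same path; without a type no existence check is
  # performed before the mount.
  - name: "pod-gpu-resources"
    hostPath:
      path: /var/lib/kubelet/pod-resources
  # CSV rows: <DCGM field>, <prometheus type>, <help text>.
  metricsConfig: |
    DCGM_FI_DEV_GPU_UTIL, gauge, GPU utilization (in %).
    DCGM_FI_DEV_MEM_COPY_UTIL, gauge, Memory utilization (in %).
    DCGM_FI_DEV_FB_FREE, gauge, Framebuffer memory free (in MiB).
    DCGM_FI_DEV_FB_USED, gauge, Framebuffer memory used (in MiB).
    DCGM_FI_DEV_FB_TOTAL, gauge, Framebuffer memory total (in MiB).
    DCGM_FI_DEV_FB_USED_PERCENT, gauge, Percentage used of Frame Buffer: Used/(Total - Reserved).
    DCGM_FI_DEV_MEMORY_TEMP, gauge, Memory temperature (in C).
    DCGM_FI_DEV_GPU_TEMP, gauge, GPU temperature (in C).
    DCGM_FI_DEV_POWER_USAGE, gauge, Power draw (in W).
  # Paths match the dcgmtls volume mount and the item paths projected from the secret.
  tlsConfig: |
    tls_server_config:
      cert_file: /etc/amazon-cloudwatch-observability-dcgm-cert/server.crt
      key_file: /etc/amazon-cloudwatch-observability-dcgm-cert/server.key
  {{- dict "component" .Values.dcgmExporter "context" . | include "amazon-cloudwatch-observability.common.tolerations" | nindent 2 }}
-------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/linux/dcgm-exporter-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: "{{ template "dcgm-exporter.name" . }}-role" 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 8 | rules: 9 | - apiGroups: [""] 10 | resources: ["configmaps"] 11 | resourceNames: ["{{ .Values.dcgmExporter.configmap }}"] 12 | verbs: ["get"] 13 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/linux/dcgm-exporter-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | namespace: {{ .Release.Namespace }} 5 | name: {{ template "dcgm-exporter.name" . }}-role-binding 6 | labels: 7 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 8 | roleRef: 9 | kind: Role 10 | name: "{{ template "dcgm-exporter.name" . }}-role" 11 | apiGroup: rbac.authorization.k8s.io 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ template "dcgm-exporter.serviceAccountName" .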
}} 15 | namespace: {{ .Release.Namespace }} 16 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/linux/fluent-bit-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.containerLogs.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: fluent-bit-config 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | k8s-app: fluent-bit 9 | data: 10 | fluent-bit.conf: | 11 | {{- .Values.containerLogs.fluentBit.config.service | nindent 4 }} 12 | {{- range $key, $val := .Values.containerLogs.fluentBit.config.extraFiles }} 13 | @INCLUDE {{ $key }} 14 | {{- end }} 15 | parsers.conf: | 16 | {{- .Values.containerLogs.fluentBit.config.customParsers | nindent 4 }} 17 | {{- if hasPrefix "us-iso-" .Values.region }} 18 | {{- range $key, $val := .Values.containerLogs.fluentBit.config.adcIsoExtraFiles }} 19 | {{ $key }}: | 20 | {{- (tpl $val $) | nindent 4 }} 21 | {{- end -}} 22 | {{- else if hasPrefix "us-isob-" .Values.region }} 23 | {{- range $key, $val := .Values.containerLogs.fluentBit.config.adcIsobExtraFiles }} 24 | {{ $key }}: | 25 | {{- (tpl $val $) | nindent 4 }} 26 | {{- end -}} 27 | {{- else if hasPrefix "us-isof-" .Values.region }} 28 | {{- range $key, $val := .Values.containerLogs.fluentBit.config.adcIsofExtraFiles }} 29 | {{ $key }}: | 30 | {{- (tpl $val $) | nindent 4 }} 31 | {{- end -}} 32 | {{- else if hasPrefix "eu-isoe-" .Values.region }} 33 | {{- range $key, $val := .Values.containerLogs.fluentBit.config.euAdcIsoeExtraFiles }} 34 | {{ $key }}: | 35 | {{- (tpl $val $) | nindent 4 }} 36 | {{- end -}} 37 | {{- else }} 38 | {{- range $key, $val := .Values.containerLogs.fluentBit.config.extraFiles }} 39 | {{ $key }}: | 40 | {{- (tpl $val $) | nindent 4 }} 41 | {{- end -}} 42 | {{- end -}} 43 | {{- end -}} -------------------------------------------------------------------------------- 
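/charts/amazon-cloudwatch-observability/templates/linux/fluent-bit-daemonset.yaml:
--------------------------------------------------------------------------------
{{- /*
  Fluent Bit DaemonSet that ships container and host logs. Rendered only when
  .Values.containerLogs.enabled is set; rendering fails early if clusterName or
  region is missing (the two `required` assignments below).
*/ -}}
{{- if .Values.containerLogs.enabled }}
{{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
{{- $region := .Values.region | required ".Values.region is required." -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluent-bit
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: fluent-bit
    version: v1
    kubernetes.io/cluster-service: "true"
spec:
  selector:
    matchLabels:
      k8s-app: fluent-bit
  updateStrategy:
    type: {{ .Values.containerLogs.fluentBit.updateStrategy.type }}
    {{- if eq .Values.containerLogs.fluentBit.updateStrategy.type "RollingUpdate" }}
    rollingUpdate:
      maxUnavailable: {{ .Values.containerLogs.fluentBit.updateStrategy.rollingUpdate.maxUnavailable }}
      maxSurge: {{ .Values.containerLogs.fluentBit.updateStrategy.rollingUpdate.maxSurge }}
    {{- end }}
  template:
    metadata:
      annotations:
        # Hash of the rendered ConfigMap, so a configuration change rolls the pods.
        checksum/config: {{ include (print $.Template.BasePath "/linux/fluent-bit-configmap.yaml") . | sha256sum }}
      labels:
        k8s-app: fluent-bit
        version: v1
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
      # NOTE(review): no securityContext is declared for this container, so it runs with
      # the image's default user and capabilities. Confirm whether hardening fields can
      # be added without breaking access to the host log directories.
      - name: fluent-bit
        image: {{ template "fluent-bit.image" . }}
        imagePullPolicy: Always
        env:
        # Quoted like CLUSTER_NAME so the value is always rendered as a YAML string.
        - name: AWS_REGION
          value: {{ .Values.region | quote }}
        - name: CLUSTER_NAME
          value: {{ .Values.clusterName | quote }}
        - name: READ_FROM_HEAD
          value: "Off"
        - name: READ_FROM_TAIL
          value: "On"
        - name: HOST_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: CI_VERSION
          value: "k8s/1.3.17"
        {{- with .Values.containerLogs.fluentBit.resources }}
        resources: {{- toYaml . | nindent 10}}
        {{- end }}
        volumeMounts:
        # Please don't change below read-only permissions
        # fluentbitstate is the only host path mounted writable; every other host
        # directory below is read-only.
        - name: fluentbitstate
          mountPath: /var/fluent-bit/state
        - name: varlog
          mountPath: /var/log
          readOnly: true
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: fluent-bit-config
          mountPath: /fluent-bit/etc/
        - name: runlogjournal
          mountPath: /run/log/journal
          readOnly: true
        - name: dmesg
          mountPath: /var/log/dmesg
          readOnly: true
        - mountPath: /etc/amazon-cloudwatch-observability-agent-client-cert
          name: agentclienttls
          readOnly: true
        - mountPath: /etc/amazon-cloudwatch-observability-agent-server-cert
          name: agentservertls
          readOnly: true
      terminationGracePeriodSeconds: 10
      # The pod shares the node's network namespace; ClusterFirstWithHostNet keeps
      # cluster DNS resolution working in that mode.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: {{ .Values.containerLogs.fluentBit.priorityClassName }}
      volumes:
      - name: fluentbitstate
        hostPath:
          path: /var/fluent-bit/state
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: fluent-bit-config
        configMap:
          name: fluent-bit-config
      - name: runlogjournal
        hostPath:
          path: /run/log/journal
      - name: dmesg
        hostPath:
          path: /var/log/dmesg
      # Client certificate and private key taken from the agent-client-cert secret.
      - name: agentclienttls
        secret:
          secretName: amazon-cloudwatch-observability-agent-client-cert
          items:
          - key: tls.crt
            path: client.crt
          - key: tls.key
            path: client.key
      # Only the CA certificate is projected from the agent-server-cert secret; the
      # server private key is not mounted into this pod.
      - name: agentservertls
        secret:
          secretName: amazon-cloudwatch-observability-agent-server-cert
          items:
          - key: ca.crt
            path: tls-ca.crt
      # NOTE(review): Fluent Bit runs under the CloudWatch agent's service account, so it
      # inherits every permission bound to that account. On ROSA this includes use of the
      # cloudwatch-agent-scc, which lists that service account under `users`.
      serviceAccountName: {{ template "cloudwatch-agent.serviceAccountName" . }}
      {{- with .Values.containerLogs.fluentBit.affinity }}
      affinity: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.containerLogs.fluentBit.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- dict "component" .Values.containerLogs.fluentBit "context" . | include "amazon-cloudwatch-observability.common.tolerations" | nindent 6 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/linux/neuron-monitor-daemonset.yaml:
--------------------------------------------------------------------------------
# NeuronMonitor custom resource (cloudwatch.aws.amazon.com/v1alpha1). This template has
# no enable/disable guard, so the resource is rendered on every install of the chart.
apiVersion: cloudwatch.aws.amazon.com/v1alpha1
kind: NeuronMonitor
metadata:
  name: {{ include "neuron-monitor.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: {{ include "neuron-monitor.name" . }}
    version: v1
spec:
  image: {{ template "neuron-monitor.image" . }}
  serviceAccount: {{ template "neuron-monitor.serviceAccountName" . }}
  {{- with .Values.neuronMonitor.nodeSelector }}
  nodeSelector: {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.neuronMonitor.affinity }}
  affinity: {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.neuronMonitor.resources }}
  resources: {{- toYaml . | nindent 4}}
  {{- end }}
  env:
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: PATH
    value: /usr/local/bin:/usr/bin:/bin:/opt/aws/neuron/bin
  - name: GOMEMLIMIT
    value: 320MiB
  ports:
  - name: "metrics"
    port: {{ .Values.neuronMonitor.service.port }}
  command:
  - "/opt/bin/entrypoint.sh"
  # Key/value arguments; the certificate paths match the neurontls mount below.
  args:
    port: "{{ .Values.neuronMonitor.service.port }}"
    cert-file: "/etc/amazon-cloudwatch-observability-neuron-cert/server.crt"
    key-file: "/etc/amazon-cloudwatch-observability-neuron-cert/server.key"
  # NOTE(review): privileged mode grants the container all capabilities and access to
  # host devices, so a compromise of this exporter is equivalent to a compromise of the
  # node. Presumably needed to reach the Neuron devices; confirm whether a narrower
  # grant is possible and keep nodeSelector/affinity scoped to Neuron nodes.
  securityContext:
    privileged: true
  volumeMounts:
  - mountPath: /etc/amazon-cloudwatch-observability-neuron-cert/
    name: neurontls
    readOnly: true
  - mountPath: /opt-aws
    name: "aws-config"
    readOnly: true
  volumes:
  # NOTE(review): server certificate and private key come from the secret named
  # amazon-cloudwatch-observability-agent-cert, the same secret name the DCGM exporter
  # template uses for its key pair. Confirm that sharing one private key across the
  # exporters is intended.
  - name: neurontls
    secret:
      secretName: amazon-cloudwatch-observability-agent-cert
      items:
      - key: tls.crt
        path: server.crt
      - key: tls.key
        path: server.key
  # Host directory /opt/aws, mounted read-only at /opt-aws in the container.
  - name: "aws-config"
    hostPath:
      path: /opt/aws
  monitorConfig: |
    {
      "period": "5s",
      "neuron_runtimes": [
        {
          "tag_filter": ".*",
          "metrics": [
            {
              "type": "neuroncore_counters"
            },
            {
              "type": "memory_used"
            },
            {
              "type": "execution_stats"
            }
          ]
        }
      ],
      "system_metrics": [
        {
          "period": "5s",
          "type": "neuron_hw_counters"
        }
      ]
    }
  {{- dict "component" .Values.neuronMonitor "context" . | include "amazon-cloudwatch-observability.common.tolerations" | nindent 2 }}
-------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/linux/neuron-monitor-exporter-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: "{{ include "neuron-monitor.name" . }}-role" 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 8 | rules: 9 | - apiGroups: [""] 10 | resources: ["configmaps"] 11 | resourceNames: ["{{ .Values.neuronMonitor.configmap }}"] 12 | verbs: ["get"] 13 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/linux/neuron-monitor-exporter-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | namespace: {{ .Release.Namespace }} 5 | name: {{ include "neuron-monitor.name" . }}-role-binding 6 | labels: 7 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 8 | roleRef: 9 | kind: Role 10 | name: "{{ include "neuron-monitor.name" . }}-role" 11 | apiGroup: rbac.authorization.k8s.io 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "neuron-monitor.serviceAccountName" . }} 15 | namespace: {{ .Release.Namespace }} 16 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ template "amazon-cloudwatch-observability.name" .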
}}-manager-role 5 | rules: 6 | - apiGroups: [ "" ] 7 | resources: [ "configmaps" ] 8 | verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ] 9 | - apiGroups: [ "" ] 10 | resources: [ "events" ] 11 | verbs: [ "create", "patch" ] 12 | - apiGroups: [ "" ] 13 | resources: [ "namespaces" ] 14 | verbs: [ "get","list","patch","update","watch" ] 15 | - apiGroups: [ "" ] 16 | resources: [ "serviceaccounts" ] 17 | verbs: [ "create","delete","get","list","patch","update","watch" ] 18 | - apiGroups: [ "" ] 19 | resources: [ "services" ] 20 | verbs: [ "create","delete","get","list","patch","update","watch" ] 21 | - apiGroups: [ "apps" ] 22 | resources: [ "daemonsets" ] 23 | verbs: [ "create","delete","get","list","patch","update","watch" ] 24 | - apiGroups: [ "apps" ] 25 | resources: [ "deployments" ] 26 | verbs: [ "create","delete","get","list","patch","update","watch" ] 27 | - apiGroups: [ "apps" ] 28 | resources: [ "statefulsets" ] 29 | verbs: [ "create","delete","get","list","patch","update","watch" ] 30 | - apiGroups: [ "apps" ] 31 | resources: [ "replicasets" ] 32 | verbs: [ "get","list","watch" ] 33 | - apiGroups: [ "cloudwatch.aws.amazon.com" ] 34 | resources: [ "amazoncloudwatchagents", "dcgmexporters", "neuronmonitors" ] 35 | verbs: [ "get","list","patch","update","watch" ] 36 | - apiGroups: [ "cloudwatch.aws.amazon.com" ] 37 | resources: [ "amazoncloudwatchagents/finalizers", "dcgmexporters/finalizers", "neuronmonitors/finalizers" ] 38 | verbs: [ "get","patch","update" ] 39 | - apiGroups: [ "cloudwatch.aws.amazon.com" ] 40 | resources: [ "amazoncloudwatchagents/status", "dcgmexporters/status", "neuronmonitors/status" ] 41 | verbs: [ "get","patch","update" ] 42 | - apiGroups: [ "cloudwatch.aws.amazon.com" ] 43 | resources: [ "instrumentations" ] 44 | verbs: [ "get","list","patch","update","watch" ] 45 | - apiGroups: [ "coordination.k8s.io" ] 46 | resources: [ "leases" ] 47 | verbs: [ "create","get","list","update" ] 48 | - apiGroups: [ 
"networking.k8s.io" ] 49 | resources: [ "ingresses" ] 50 | verbs: [ "create","delete","get","list","patch","update","watch" ] 51 | - apiGroups: [ "route.openshift.io" ] 52 | resources: [ "routes", "routes/custom-host" ] 53 | verbs: [ "create","delete","get","list","patch","update","watch" ] 54 | - apiGroups: [ "policy" ] 55 | resources: [ "poddisruptionbudgets" ] 56 | verbs: [ "create","delete","get","list","patch","update","watch" ] 57 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/operator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | labels: 5 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }} 6 | name: {{ template "amazon-cloudwatch-observability.name" . }}-manager-rolebinding 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: ClusterRole 10 | name: {{ template "amazon-cloudwatch-observability.name" . }}-manager-role 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ template "amazon-cloudwatch-observability.managerServiceAccountName" . }} 14 | namespace: {{ .Release.Namespace }} 15 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/operator-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }} 6 | control-plane: controller-manager 7 | name: {{ template "amazon-cloudwatch-observability.name" . }}-controller-manager 8 | namespace: {{ .Release.Namespace }} 9 | spec: 10 | replicas: {{ .Values.replicaCount }} 11 | selector: 12 | matchLabels: 13 | app.kubernetes.io/name: {{ template "amazon-cloudwatch-observability.name" . 
}} 14 | control-plane: controller-manager 15 | template: 16 | metadata: 17 | annotations: 18 | {{- if .Values.manager.podAnnotations }} 19 | {{- include "amazon-cloudwatch-observability.podAnnotations" . | nindent 8 }} 20 | {{- end }} 21 | labels: 22 | app.kubernetes.io/name: {{ template "amazon-cloudwatch-observability.name" . }} 23 | control-plane: controller-manager 24 | {{- include "amazon-cloudwatch-observability.podLabels" . | nindent 8 }} 25 | spec: 26 | containers: 27 | - image: {{ template "cloudwatch-agent-operator.image" . }} 28 | args: 29 | - {{ printf "--auto-instrumentation-config=%s" (dict "java" (merge .Values.manager.autoInstrumentationResources.java .Values.manager.autoInstrumentationConfiguration.java) "python" (merge .Values.manager.autoInstrumentationResources.python .Values.manager.autoInstrumentationConfiguration.python) "dotnet" (merge .Values.manager.autoInstrumentationResources.dotnet .Values.manager.autoInstrumentationConfiguration.dotnet) "nodejs" (.Values.manager.autoInstrumentationResources.nodejs) | toJson) | quote }} 30 | - {{ printf "--auto-annotation-config=%s" (.Values.manager.autoAnnotateAutoInstrumentation | toJson) | quote }} 31 | - {{ printf "--auto-monitor-config=%s" (.Values.manager.applicationSignals.autoMonitor | toJson) | quote }} 32 | - "--auto-instrumentation-java-image={{ template "auto-instrumentation-java.image" . }}" 33 | - "--auto-instrumentation-python-image={{ template "auto-instrumentation-python.image" . }}" 34 | - "--auto-instrumentation-dotnet-image={{ template "auto-instrumentation-dotnet.image" . }}" 35 | - "--auto-instrumentation-nodejs-image={{ template "auto-instrumentation-nodejs.image" . 
}}" 36 | - "--target-allocator-image={{ template "target-allocator.image" (merge .Values.agent.prometheus.targetAllocator.image (dict "region" $.Values.region)) }}" 37 | - "--feature-gates=operator.autoinstrumentation.multi-instrumentation,operator.autoinstrumentation.multi-instrumentation.skip-container-validation" 38 | command: 39 | - /manager 40 | name: manager 41 | ports: 42 | - containerPort: {{ .Values.manager.ports.containerPort }} 43 | name: webhook-server 44 | protocol: TCP 45 | resources: {{ toYaml .Values.manager.resources | nindent 10 }} 46 | volumeMounts: 47 | - mountPath: /tmp/k8s-webhook-server/serving-certs 48 | name: cert 49 | readOnly: true 50 | {{- with .Values.manager.affinity }} 51 | affinity: {{- toYaml . | nindent 8 }} 52 | {{- end }} 53 | serviceAccountName: {{ template "amazon-cloudwatch-observability.managerServiceAccountName" . }} 54 | terminationGracePeriodSeconds: 10 55 | volumes: 56 | - name: cert 57 | secret: 58 | defaultMode: 420 59 | secretName: {{ template "amazon-cloudwatch-observability.certificateSecretName" . }} 60 | {{- with .Values.manager.nodeSelector }} 61 | nodeSelector: {{- toYaml . | nindent 8 }} 62 | {{- end }} 63 | {{- dict "component" .Values.manager "context" . | include "amazon-cloudwatch-observability.common.tolerations" | nindent 6 }} 64 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/operator-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 6 | name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . 
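}} 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | ports: 10 | - port: 443 11 | protocol: TCP 12 | targetPort: {{ .Values.manager.ports.containerPort }} 13 | selector: 14 | app.kubernetes.io/name: {{ template "amazon-cloudwatch-observability.name" . }} 15 | control-plane: controller-manager 16 | -------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/operator-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | labels: 5 | {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} 6 | name: {{ template "amazon-cloudwatch-observability.managerServiceAccountName" . }} 7 | namespace: {{ .Release.Namespace }} 8 |
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-scc-clusterrole.yaml:
--------------------------------------------------------------------------------
{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
# ClusterRole granting `use` of the cloudwatch-agent-scc SecurityContextConstraints.
# Rendered only for ROSA installs with the agent enabled.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:openshift:scc:cloudwatch-agent-scc
rules:
# SecurityContextConstraints are declared in this chart under security.openshift.io/v1,
# so the rule names that API group instead of the core group, and resourceNames limits
# the grant to the one SCC this chart creates rather than every SCC in the cluster.
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["cloudwatch-agent-scc"]
  verbs: ["use"]
{{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-scc.yaml:
--------------------------------------------------------------------------------
{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
# SecurityContextConstraints for the CloudWatch agent on ROSA.
# NOTE(review): this SCC is broad. It permits privileged containers, privilege
# escalation, host networking and ports, hostPath volumes and any UID/SELinux context.
# Every pod that runs under the service account listed in `users` can request these,
# and in this chart the Fluent Bit DaemonSet uses that same service account. The agent
# custom resource template itself only asks for SYS_ADMIN and runAsNonRoot: false on
# ROSA, so confirm whether allowPrivilegedContainer is actually required.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: cloudwatch-agent-scc
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# NOTE(review): SYS_ADMIN is added by default while requiredDropCapabilities lists ALL;
# verify the effective capability set on a rendered pod.
defaultAddCapabilities:
- SYS_ADMIN
fsGroup:
  type: RunAsAny
groups: []
requiredDropCapabilities:
- ALL
volumes:
- configMap
- secret
- emptyDir
- hostPath
- projected
# Direct grant: the agent service account may use this SCC regardless of RBAC.
users:
- system:serviceaccount:{{ .Release.Namespace }}:{{ template "cloudwatch-agent.serviceAccountName" . }}


{{ end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-ssc-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
# Binds the SCC `use` ClusterRole to the CloudWatch agent service account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "cloudwatch-agent.name" . }}-scc-role-binding
roleRef:
  kind: ClusterRole
  name: system:openshift:scc:cloudwatch-agent-scc
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: {{ template "cloudwatch-agent.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/target-allocator-clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
  Read-only ClusterRole for the Prometheus target allocator, emitted for each entry of
  .Values.agents that enables prometheus.targetAllocator.
  NOTE(review): the role name is fixed, so two agents that both enable the target
  allocator render two ClusterRoles with the same name.
*/ -}}
{{- if .Values.agent.enabled }}
{{- range $i, $customAgent := .Values.agents }}
{{- if and (and (hasKey ($customAgent.prometheus) "targetAllocator") (hasKey ($customAgent.prometheus.targetAllocator) "enabled")) $customAgent.prometheus.targetAllocator.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
  {{- include "amazon-cloudwatch-observability.labels" $ | nindent 4}}
  name: "cloudwatch-agent-target-allocator-role"
rules:
- apiGroups: [ "" ]
  resources: [ "pods", "nodes", "nodes/metrics", "services", "endpoints" ]
  verbs: [ "list", "watch", "get" ]
- apiGroups: [ "" ]
  resources: [ "configmaps" ]
  verbs: [ "get" ]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
- apiGroups: [ "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
{{- /*
  The agent custom resource template reads targetAllocator.prometheusCR (lower-case p),
  while this rule used to be gated only on "PrometheusCR". Values keys are
  case-sensitive, so the custom resource could enable Prometheus CR discovery without
  this role granting access to the monitors. Either spelling now enables the rule.
*/}}
{{- $ta := $customAgent.prometheus.targetAllocator }}
{{- $lowerCR := get $ta "prometheusCR" | default (dict) }}
{{- $upperCR := get $ta "PrometheusCR" | default (dict) }}
{{- if or $lowerCR.enabled $upperCR.enabled }}
- apiGroups: [ "monitoring.coreos.com"]
  resources: ["podmonitors", "servicemonitors"]
  verbs: ["get", "list", "watch"]
{{- end }}
{{- end }}
---
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /charts/amazon-cloudwatch-observability/templates/target-allocator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.agent.enabled }} 2 | {{- range $i, $customAgent := .Values.agents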
}} 3 | {{- if and (and (hasKey ($customAgent.prometheus) "targetAllocator") (hasKey ($customAgent.prometheus.targetAllocator) "enabled")) $customAgent.prometheus.targetAllocator.enabled }} 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRoleBinding 6 | metadata: 7 | labels: 8 | {{- include "amazon-cloudwatch-observability.labels" $ | nindent 4 }} 9 | name: "cloudwatch-agent-target-allocator-rolebinding" 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: "cloudwatch-agent-target-allocator-role" 14 | subjects: 15 | - kind: ServiceAccount 16 | name: "target-allocator-service-acct" 17 | namespace: {{ $.Release.Namespace }} 18 | {{- end }} 19 | --- 20 | {{- end }} 21 | {{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/windows/cloudwatch-agent-windows-container-insights-daemonset.yaml:
--------------------------------------------------------------------------------
{{- /*
  Windows Container Insights agent, declared as an AmazonCloudWatchAgent custom
  resource in daemonset mode and scheduled only on Windows nodes.

  Privilege summary: the pod is a HostProcess pod (hostProcess: true) running as
  NT AUTHORITY\System with hostNetwork: true, so the agent process runs on the
  node itself with SYSTEM rights. The image reference and the agent config are
  both derived from chart values, which makes those values node-level trust
  inputs.

  $clusterName and $region are not referenced again in this template; assigning
  them through `required` makes rendering fail when either value is unset.
*/ -}}
{{- if .Values.agent.enabled }}
{{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
{{- $region := .Values.region | required ".Values.region is required." -}}
{{- $config := `{"logs":{"metrics_collected":{"kubernetes":{"enhanced_container_insights":true}}}}` | fromJson -}}

apiVersion: cloudwatch.aws.amazon.com/v1alpha1
kind: AmazonCloudWatchAgent
metadata:
  name: {{ template "cloudwatch-agent.name" . }}-windows-container-insights
  namespace: {{ .Release.Namespace }}
spec:
  # HostProcess + SYSTEM: the container is not isolated from the node. Namespaces that
  # enforce the Pod Security "baseline" or "restricted" profile reject HostProcess pods,
  # so the release namespace has to allow privileged workloads.
  podSecurityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: "NT AUTHORITY\\System"
  # Kubernetes requires hostNetwork for HostProcess pods; the agent uses the node's network stack.
  hostNetwork: true
  # NOTE(review): the image is resolved by the cloudwatch-agent.image helper from
  # .Values.agent.image plus the region. Because the process runs as SYSTEM on the node,
  # consider pinning by digest and restricting who may override these values.
  image: {{ template "cloudwatch-agent.image" (merge .Values.agent.image (dict "region" .Values.region)) }}
  # Paths inside a HostProcess container are addressed through %CONTAINER_SANDBOX_MOUNT_POINT%.
  workingDir: "%CONTAINER_SANDBOX_MOUNT_POINT%\\Program Files\\Amazon\\AmazonCloudWatchAgent"
  mode: daemonset
  # Same service account helper as the other agent templates in this chart: whatever
  # Kubernetes RBAC is bound to that account is available to this SYSTEM-level process.
  serviceAccount: {{ template "cloudwatch-agent.serviceAccountName" . }}
  nodeSelector:
    kubernetes.io/os: windows
  # The inline JSON above (enhanced_container_insights) is handed to the
  # cloudwatch-agent.modify-config helper, which is defined outside this file.
  config: {{ include "cloudwatch-agent.modify-config" (merge (dict "Config" $config) .) }}
  {{- with .Values.agent.resources }}
  resources: {{- toYaml . | nindent 4}}
  {{- end }}
  env:
  # K8S_NODE_NAME and HOST_NAME are both filled from spec.nodeName.
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: HOST_IP
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
  - name: HOST_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: K8S_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: RUN_IN_CONTAINER
    value: "True"
  # Presumably read by the agent to switch to HostProcess-aware paths; confirm against the agent source.
  - name: RUN_AS_HOST_PROCESS_CONTAINER
    value: "True"
  {{- dict "component" .Values.agent "context" . | include "amazon-cloudwatch-observability.common.tolerations" | nindent 2 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/windows/cloudwatch-agent-windows-daemonset.yaml:
--------------------------------------------------------------------------------
{{- /*
  CloudWatch agent for Windows nodes with application_signals enabled for logs and
  traces, declared as an AmazonCloudWatchAgent custom resource in daemonset mode.

  Unlike the container-insights variant, this template sets neither hostProcess nor
  hostNetwork, so it renders a regular Windows container. It still runs as
  NT AUTHORITY\System inside that container.
  NOTE(review): confirm whether a lower-privileged account (for example
  ContainerUser) is sufficient for this workload.

  $clusterName and $region are not referenced again in this template; assigning
  them through `required` makes rendering fail when either value is unset.
*/ -}}
{{- if .Values.agent.enabled }}
{{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
{{- $region := .Values.region | required ".Values.region is required." -}}
{{- $config := `{"logs":{"metrics_collected":{"application_signals":{}}},"traces":{"traces_collected":{"application_signals":{}}}}` | fromJson -}}
apiVersion: cloudwatch.aws.amazon.com/v1alpha1
kind: AmazonCloudWatchAgent
metadata:
  name: {{ template "cloudwatch-agent.name" . }}-windows
  namespace: {{ .Release.Namespace }}
spec:
  podSecurityContext:
    windowsOptions:
      runAsUserName: "NT AUTHORITY\\System"
  # Image reference comes from chart values through the cloudwatch-agent.image helper.
  image: {{ template "cloudwatch-agent.image" (merge .Values.agent.image (dict "region" .Values.region)) }}
  mode: daemonset
  # Shares the service account used by the other agent templates in this chart.
  serviceAccount: {{ template "cloudwatch-agent.serviceAccountName" . }}
  priorityClassName: {{ .Values.agent.priorityClassName }}
  nodeSelector:
    kubernetes.io/os: windows
  # The inline JSON above is handed to the cloudwatch-agent.modify-config helper (defined outside this file).
  config: {{ include "cloudwatch-agent.modify-config" (merge (dict "Config" $config) .) }}
  {{- with .Values.agent.resources }}
  resources: {{- toYaml . | nindent 4}}
  {{- end }}
  env:
  # K8S_NODE_NAME and HOST_NAME are both filled from spec.nodeName.
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: HOST_IP
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
  - name: HOST_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: K8S_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  {{- dict "component" .Values.agent "context" .
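| include "amazon-cloudwatch-observability.common.tolerations" | nindent 2 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/windows/fluent-bit-windows-configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
  Fluent Bit configuration for Windows nodes.

  Keys rendered:
    fluent-bit.conf  - configWindows.service followed by one @INCLUDE line per extraFiles key
    parsers.conf     - configWindows.customParsers
    <extraFiles key> - one ConfigMap entry per extraFiles item

  Trust notes:
    - Every extraFiles value is passed through `tpl` with the root context, so template
      actions inside the value are evaluated at render time.
    - extraFiles keys are emitted unescaped, both as @INCLUDE targets and as ConfigMap keys.
    - The Windows Fluent Bit DaemonSet in this chart mounts this ConfigMap into a
      HostProcess container running as NT AUTHORITY\System, so the values that feed it,
      and write access to the rendered ConfigMap, should be treated as node-level
      privileged input.
*/ -}}
{{- if .Values.containerLogs.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-windows-config
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: fluent-bit
data:
  fluent-bit.conf: |
    {{- .Values.containerLogs.fluentBit.configWindows.service | nindent 4 }}
    {{- range $key, $val := .Values.containerLogs.fluentBit.configWindows.extraFiles }}
    @INCLUDE {{ $key }}
    {{- end }}
  parsers.conf: |
    {{- .Values.containerLogs.fluentBit.configWindows.customParsers | nindent 4 }}
  {{- range $key, $val := .Values.containerLogs.fluentBit.configWindows.extraFiles }}
  {{ $key }}: |
    {{- (tpl $val $) | nindent 4 }}
  {{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/charts/amazon-cloudwatch-observability/templates/windows/fluent-bit-windows-daemonset.yaml:
--------------------------------------------------------------------------------
{{- /*
  Fluent Bit log collector for Windows nodes.

  Privilege summary: the pod is a HostProcess pod (hostProcess: true) running as
  NT AUTHORITY\System with hostNetwork: true, so fluent-bit.exe runs on the node
  itself with SYSTEM rights. Its configuration comes from the
  fluent-bit-windows-config ConfigMap and its image from the
  fluent-bit-windows.image helper; both are node-level trust inputs.

  $clusterName and $region are not referenced again in this template; assigning
  them through `required` makes rendering fail when either value is unset.
*/ -}}
{{- if .Values.containerLogs.enabled }}
{{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
{{- $region := .Values.region | required ".Values.region is required." -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluent-bit-windows
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: fluent-bit
    version: v1
    kubernetes.io/cluster-service: "true"
spec:
  # NOTE(review): the selector matches on k8s-app: fluent-bit only. Confirm that the Linux
  # Fluent Bit DaemonSet of this chart does not carry the same label set in this namespace.
  selector:
    matchLabels:
      k8s-app: fluent-bit
  template:
    metadata:
      annotations:
        # Hash of the rendered ConfigMap: a config change alters the pod template and rolls the pods.
        checksum/config: {{ include (print $.Template.BasePath "/windows/fluent-bit-windows-configmap.yaml") . | sha256sum }}
      labels:
        k8s-app: fluent-bit
        version: v1
        kubernetes.io/cluster-service: "true"
    spec:
      # HostProcess + SYSTEM: the container is not isolated from the node. Namespaces that
      # enforce the Pod Security "baseline" or "restricted" profile reject HostProcess pods.
      securityContext:
        windowsOptions:
          hostProcess: true
          runAsUserName: "NT AUTHORITY\\System"
      # Kubernetes requires hostNetwork for HostProcess pods.
      hostNetwork: true
      priorityClassName: {{ .Values.containerLogs.fluentBit.priorityClassName }}
      nodeSelector:
        kubernetes.io/os: windows
      containers:
      - name: fluent-bit
        # NOTE(review): with imagePullPolicy Always a tag-based reference is re-resolved on every
        # pod start. Since the process runs as SYSTEM on the node, consider pinning by digest.
        image: {{ template "fluent-bit-windows.image" . }}
        imagePullPolicy: Always
        # Creates C:\var\fluent-bit\state on the node, then starts fluent-bit.exe with the kinesis,
        # firehose and cloudwatch plugin DLLs and the config file from the mounted ConfigMap.
        command: ["powershell.exe", "-Command", "New-Item -ItemType Directory -Path C:\\var\\fluent-bit\\state -Force;", "%CONTAINER_SANDBOX_MOUNT_POINT%/fluent-bit/bin/fluent-bit.exe", "-e", "%CONTAINER_SANDBOX_MOUNT_POINT%/fluent-bit/kinesis.dll", "-e", "%CONTAINER_SANDBOX_MOUNT_POINT%/fluent-bit/firehose.dll", "-e", "%CONTAINER_SANDBOX_MOUNT_POINT%/fluent-bit/cloudwatch.dll", "-c", "%CONTAINER_SANDBOX_MOUNT_POINT%/fluent-bit/configuration/fluent-bit.conf"]
        env:
        # Quoted so the value is always rendered as a YAML string, matching CLUSTER_NAME below.
        - name: AWS_REGION
          value: {{ .Values.region | quote }}
        - name: CLUSTER_NAME
          value: {{ .Values.clusterName | quote }}
        - name: READ_FROM_HEAD
          value: "Off"
        - name: HOST_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: CI_VERSION
          value: "k8s/1.3.17"
        {{- with .Values.containerLogs.fluentBit.resources }}
        resources: {{- toYaml . | nindent 10}}
        {{- end }}
        volumeMounts:
        # Relative mount path; the command above reads the config from
        # %CONTAINER_SANDBOX_MOUNT_POINT%/fluent-bit/configuration/.
        - name: fluent-bit-config
          mountPath: fluent-bit\configuration\
      volumes:
      - name: fluent-bit-config
        configMap:
          name: fluent-bit-windows-config
      terminationGracePeriodSeconds: 10
      dnsPolicy: ClusterFirstWithHostNet
      # The log collector runs under the cloudwatch-agent service account, so it has the
      # same Kubernetes RBAC as the agent.
      # NOTE(review): a dedicated service account would let the two be scoped separately.
      serviceAccountName: {{ template "cloudwatch-agent.serviceAccountName" . }}
      {{- dict "component" .Values.containerLogs.fluentBit "context" . | include "amazon-cloudwatch-observability.common.tolerations" | nindent 6 }}
{{- end }}
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/aws-observability/helm-charts 2 | 3 | go 1.21.4 4 | 5 | require ( 6 | github.com/stretchr/testify v1.9.0 7 | k8s.io/api v0.29.2 8 | k8s.io/apimachinery v0.29.2 9 | k8s.io/client-go v0.29.2 10 | ) 11 | 12 | require ( 13 | github.com/davecgh/go-spew v1.1.1 // indirect 14 | github.com/emicklei/go-restful/v3 v3.11.0 // indirect 15 | github.com/go-logr/logr v1.3.0 // indirect 16 | github.com/go-openapi/jsonpointer v0.19.6 // indirect 17 | github.com/go-openapi/jsonreference v0.20.2 // indirect 18 | github.com/go-openapi/swag v0.22.3 // indirect 19 | github.com/gogo/protobuf v1.3.2 // indirect 20 | github.com/golang/protobuf v1.5.3 // indirect 21 | github.com/google/gnostic-models v0.6.8 // indirect 22 | github.com/google/gofuzz v1.2.0 // indirect 23 | github.com/google/uuid v1.3.0 // indirect 24 | github.com/imdario/mergo v0.3.6 // indirect 25 | github.com/josharian/intern v1.0.0 // indirect 26 | github.com/json-iterator/go v1.1.12 // indirect 27 | github.com/mailru/easyjson v0.7.7 // indirect 28 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 29 | github.com/modern-go/reflect2 v1.0.2 // indirect 30 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 31 | github.com/pmezard/go-difflib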
v1.0.0 // indirect 32 | github.com/spf13/pflag v1.0.5 // indirect 33 | golang.org/x/net v0.19.0 // indirect 34 | golang.org/x/oauth2 v0.10.0 // indirect 35 | golang.org/x/sys v0.15.0 // indirect 36 | golang.org/x/term v0.15.0 // indirect 37 | golang.org/x/text v0.14.0 // indirect 38 | golang.org/x/time v0.3.0 // indirect 39 | google.golang.org/appengine v1.6.7 // indirect 40 | google.golang.org/protobuf v1.33.0 // indirect 41 | gopkg.in/inf.v0 v0.9.1 // indirect 42 | gopkg.in/yaml.v2 v2.4.0 // indirect 43 | gopkg.in/yaml.v3 v3.0.1 // indirect 44 | k8s.io/klog/v2 v2.110.1 // indirect 45 | k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect 46 | k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect 47 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect 48 | sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect 49 | sigs.k8s.io/yaml v1.3.0 // indirect 50 | ) 51 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 2 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 3 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 4 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 5 | github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= 6 | github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= 7 | github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= 8 | github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 9 | github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= 10 | github.com/go-openapi/jsonpointer v0.19.6/go.mod 
h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= 11 | github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= 12 | github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= 13 | github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= 14 | github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= 15 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 16 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= 17 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 18 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 19 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 20 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 21 | github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= 22 | github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 23 | github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= 24 | github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= 25 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 26 | github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 27 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 28 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 29 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 30 | github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= 31 | github.com/google/gofuzz v1.2.0/go.mod 
h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 32 | github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= 33 | github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 34 | github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 35 | github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 36 | github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= 37 | github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 38 | github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 39 | github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= 40 | github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 41 | github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= 42 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 43 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 44 | github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 45 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 46 | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 47 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 48 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 49 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 50 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 51 | github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= 52 | github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= 53 | github.com/modern-go/concurrent 
v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 54 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 55 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 56 | github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= 57 | github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= 58 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 59 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 60 | github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= 61 | github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= 62 | github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= 63 | github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= 64 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 65 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 66 | github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= 67 | github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= 68 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 69 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 70 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 71 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 72 | github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 73 | github.com/stretchr/testify v1.3.0/go.mod 
h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 74 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 75 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 76 | github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= 77 | github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= 78 | github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 79 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 80 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 81 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 82 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 83 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 84 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 85 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 86 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 87 | golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 88 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 89 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 90 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 91 | golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= 92 | golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= 93 | golang.org/x/oauth2 v0.10.0 
h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= 94 | golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= 95 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 96 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 97 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 98 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 99 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 100 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 101 | golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= 102 | golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 103 | golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= 104 | golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= 105 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 106 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 107 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 108 | golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= 109 | golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 110 | golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= 111 | golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 112 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 113 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 114 | golang.org/x/tools 
v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 115 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 116 | golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= 117 | golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= 118 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 119 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 120 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 121 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 122 | google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 123 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 124 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 125 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 126 | google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= 127 | google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= 128 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 129 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 130 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 131 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 132 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 133 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 134 | 
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 135 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 136 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 137 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 138 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 139 | k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= 140 | k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= 141 | k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= 142 | k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= 143 | k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= 144 | k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= 145 | k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= 146 | k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= 147 | k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= 148 | k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= 149 | k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= 150 | k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 151 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= 152 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= 153 | sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= 154 | sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= 155 | sigs.k8s.io/yaml v1.3.0 
h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= 156 | sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 157 |
--------------------------------------------------------------------------------
/integration-tests/amazon-cloudwatch-observability/terraform/basic_components/main.tf:
--------------------------------------------------------------------------------
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT

// Looks up existing AWS resources for the integration tests. Everything in this
// file is a data source; nothing is created here.

module "common" {
  source = "../common"
}

// IAM role looked up by the fixed name exported from ../common.
data "aws_iam_role" "cwagent_iam_role" {
  name = module.common.cwa_iam_role
}

// The account's default VPC.
data "aws_vpc" "vpc" {
  default = true
}

// The only filter is vpc-id, so this returns every subnet of the default VPC.
// NOTE(review): the name says "public", but nothing here checks whether a subnet is
// public or private. Confirm that is the intended set.
data "aws_subnets" "public_subnet_ids" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
}

// Security group looked up by the fixed name exported from ../common.
// NOTE(review): its rules are defined outside this repository view. Review them
// separately, since they are attached to the EKS cluster.
data "aws_security_group" "security_group" {
  name = module.common.vpc_security_group
}
--------------------------------------------------------------------------------
/integration-tests/amazon-cloudwatch-observability/terraform/basic_components/output.tf:
--------------------------------------------------------------------------------
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT

// ID of the security group found by name.
output "security_group" {
  value = data.aws_security_group.security_group.id
}

// IDs of all subnets found in the default VPC.
output "public_subnet_ids" {
  value = data.aws_subnets.public_subnet_ids.ids
}

// ARN of the IAM role found by name.
output "role_arn" {
  value = data.aws_iam_role.cwagent_iam_role.arn
}
--------------------------------------------------------------------------------
/integration-tests/amazon-cloudwatch-observability/terraform/common/main.tf:
--------------------------------------------------------------------------------
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT

// 8 random bytes, exported as hex by output.tf. Each `module "common"` instantiation
// gets its own random_id, so two callers of this module see different testing_id values.
resource "random_id" "testing_id" {
  byte_length = 8
}
--------------------------------------------------------------------------------
/integration-tests/amazon-cloudwatch-observability/terraform/common/output.tf:
--------------------------------------------------------------------------------
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT

output "testing_id" {
  value = random_id.testing_id.hex
}

// Fixed name of an IAM role that must already exist in the test account.
output "cwa_iam_role" {
  value = "cwa-e2e-iam-role"
}

// Fixed name of a security group that must already exist in the test account.
output "vpc_security_group" {
  value = "vpc_security_group"
}
--------------------------------------------------------------------------------
/integration-tests/amazon-cloudwatch-observability/terraform/helm-windows/main.tf:
--------------------------------------------------------------------------------
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT

// Integration-test EKS cluster with Windows support for the Helm chart.

module "common" {
  source = "../common"
}

module "basic_components" {
  source = "../basic_components"
}

locals {
  aws_eks = "aws eks --region ${var.region}"
  // Falls back to a fixed prefix when var.cluster_name is empty.
  cluster_name = var.cluster_name != "" ? var.cluster_name : "cwagent-helm-chart-integ"
}

// Authentication token for the cluster created below. Values read through data sources
// are recorded in Terraform state, so the state file should be handled as sensitive.
data "aws_eks_cluster_auth" "this" {
  name = aws_eks_cluster.this.name
}

data "aws_caller_identity" "account_id" {}

data "aws_eks_cluster" "eks_windows_cluster_ca" {
  name = aws_eks_cluster.this.name
}

// Publishes the AWS account ID as an output; it appears in plan/apply output and CI logs.
output "account_id" {
  value = data.aws_caller_identity.account_id.account_id
}

// vpc_config sets only subnet_ids and security_group_ids. Endpoint access settings,
// encryption_config and enabled_cluster_log_types are not set in this resource, so
// provider defaults apply.
// NOTE(review): acceptable for a short-lived test cluster; for anything longer-lived,
// restrict API endpoint access (endpoint_public_access / public_access_cidrs), enable
// secrets encryption and turn on control-plane logging.
resource "aws_eks_cluster" "this" {
  name     = "${local.cluster_name}-${module.common.testing_id}"
  role_arn = module.basic_components.role_arn
  version  = var.k8s_version
  vpc_config {
    subnet_ids         = module.basic_components.public_subnet_ids
    security_group_ids = [module.basic_components.security_group]
  }
}

## EKS Cluster Addon

resource "aws_eks_addon" "eks_windows_addon" {
  cluster_name = aws_eks_cluster.this.name
  addon_name   = "vpc-cni"
}

## Enable VPC CNI Windows Support

// Writes enable-windows-ipam into the existing amazon-vpc-cni ConfigMap in kube-system.
// `force = true` is presumably needed because the vpc-cni add-on manages that ConfigMap
// too; confirm the override is limited to this one key.
resource "kubernetes_config_map_v1_data" "amazon_vpc_cni_windows" {
  depends_on = [
    aws_eks_cluster.this,
    aws_eks_addon.eks_windows_addon
  ]
  metadata {
    name      = "amazon-vpc-cni"
    namespace = "kube-system"
  }

  force = true

  data = {
    enable-windows-ipam : "true"
  }
}

## AWS CONFIGMAP

resource "kubernetes_config_map" "configmap" { 70 | data = { 71 | "mapRoles" = <