From b309aa580d7361648b984848179419e855ff8f1d Mon Sep 17 00:00:00 2001
From: musa-asad
Date: Sat, 18 Jan 2025 02:08:19 -0500
Subject: [PATCH 1/3] set up mtls resources

---
 .../templates/certmanager.yaml | 33 ++++++++++++++++---
 .../cloudwatch-agent-custom-resource.yaml | 24 ++++++++++++++
 2 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
index 5d5726b..1001cb5 100644
--- a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
@@ -44,7 +44,7 @@ spec:
 {{- end }}
 {{- end }}
- {{- if ( .Values.agent.certManager.enabled) }}
+{{- if ( .Values.agent.certManager.enabled) }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -100,7 +100,25 @@ spec:
 issuerRef:
 kind: Issuer
 name: "agent-ca"
- secretName: "amazon-cloudwatch-observability-agent-client-cert"
+ secretName: "amazon-cloudwatch-observability-agent-client-cert"
+ usages:
+ - digital signature
+ - key encipherment
+ - cert sign
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
+ name: "amazon-cloudwatch-observability-agent-outbound-cert"
+ namespace: {{ .Release.Namespace }}
+spec:
+ commonName: "agent-outbound-client"
+ issuerRef:
+ kind: Issuer
+ name: "agent-ca"
+ secretName: "amazon-cloudwatch-observability-agent-outbound-cert"
 usages:
 - digital signature
 - key encipherment
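Review bot: On the new side the existing `agent-client-cert` Certificate ends up with `- cert sign` in its `usages` (the added line sits directly under that Certificate's `secretName`, before the `---` that opens the new outbound Certificate), which asks cert-manager for keyCertSign on a leaf credential whose only job is to authenticate as a client. Replace that line with `- client auth` and add the same `- client auth` entry to the new outbound Certificate, so both carry the clientAuth EKU rather than, as far as I know, no EKU at all when only key-usage bits are listed; if I recall sprig correctly, the `genSignedCert` path in the sibling template does emit clientAuth, so the two modes would otherwise produce differently-shaped certificates for the same purpose. The outbound Certificate's `usages` list is cut by the hunk's trailing context, so also confirm that nothing after `key encipherment` (for instance a pre-existing `- cert sign`) is inherited by the new cert.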
@@ -143,7 +161,14 @@ kind: Secret
 metadata:
 labels:
 {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
- name: "amazon-cloudwatch-observability-agent-client-cert"
+ name: "amazon-cloudwatch-observability-agent-client-cert"
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
+ name: "amazon-cloudwatch-observability-agent-outbound-cert"
 namespace: {{ .Release.Namespace }}
 {{- end }}
-
diff --git a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
index ad93d7e..67c00f3 100644
--- a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
@@ -9,6 +9,7 @@
 {{- $cert := genSignedCert ("agent") nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 {{- $serverCert := genSignedCert ("agent-server") nil $agentAltNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 {{- $clientCert := genSignedCert ("agent-client") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
+{{- $outboundCert := genSignedCert ("agent-outbound") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 apiVersion: v1
 kind: Secret
 metadata:
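Review bot: The new metadata-only Secret `amazon-cloudwatch-observability-agent-outbound-cert` (and the existing client-cert stub, now given a `namespace`) has no `data` and no comment saying why it exists, so the next reader will take it for an incomplete resource. A comment above each stub would settle it, e.g. `# Intentionally empty: declared so the Helm release owns this Secret; cert-manager populates it from the Certificate whose secretName matches.` — that is presumably the intent, since the Certificate earlier in this file points at the same name. It is also worth checking against the chart's supported cert-manager version that a pre-existing Secret with no `type` set (so Opaque) is accepted and written to, rather than only a `kubernetes.io/tls` one.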
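Review bot: The new `$outboundCert` comes from sprig's `genSignedCert`, which as far as I know keeps no state, so like the three siblings above it this client identity is a fresh key pair on every template render and rotates on each `helm upgrade`; nothing on the line records that, and `$ca` is defined before this hunk, so I cannot see whether the signing CA is regenerated per render as well. If it is, any peer that validates this certificate has to be re-rendered in the same release for the chain to keep verifying, which the sibling certificates presumably already rely on. A short template comment on the new line would help, e.g. `{{- /* regenerated on every render; the peer must trust the $ca from the same render */ -}}`. The lifetime is taken from `admissionWebhooks.autoGenerateCert.expiryDays`, a webhook-named value reused for an agent client credential — consistent with the siblings, but worth a mention wherever that value is documented.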
@@ -45,6 +46,18 @@ data:
 tls.crt: {{ $clientCert.Cert | b64enc }}
 tls.key: {{ $clientCert.Key | b64enc }}
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
+ name: "amazon-cloudwatch-observability-agent-outbound-cert"
+ namespace: {{ .Release.Namespace }}
+data:
+ ca.crt: {{ $ca.Cert | b64enc }}
+ tls.crt: {{ $outboundCert.Cert | b64enc }}
+ tls.key: {{ $outboundCert.Key | b64enc }}
+---
 {{- end -}}
 {{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
@@ -129,6 +142,9 @@ spec:
 - mountPath: /etc/amazon-cloudwatch-observability-agent-server-cert
 name: agentservertls
 readOnly: true
+ - mountPath: /etc/amazon-cloudwatch-observability-agent-outbound-cert
+ name: agentoutboundtls
+ readOnly: true
 - mountPath: /var/lib/kubelet/pod-resources
 name: kubelet-podresources
 volumes:
@@ -174,6 +190,14 @@ spec:
 path: server.crt
 - key: tls.key
 path: server.key
+ - name: agentoutboundtls
+ secret:
+ secretName: amazon-cloudwatch-observability-agent-outbound-cert
+ items:
+ - key: tls.crt
+ path: client.crt
+ - key: tls.key
+ path: client.key
 env:
 - name: K8S_NODE_NAME
 valueFrom:
From 5a3792ed0ec94f89c0cad7304f972d29d9fbf997 Mon Sep 17 00:00:00 2001
From: musa-asad
Date: Tue, 21 Jan 2025 00:06:33 -0500
Subject: [PATCH 2/3] fix naming

---
 .../amazon-cloudwatch-observability/templates/certmanager.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
index 1001cb5..f70267c 100644
--- a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
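Review bot: The `agentoutboundtls` volume projects only `tls.crt` and `tls.key` (as `client.crt`/`client.key`), while the Secret added by the `@@ -45` hunk of this same file also carries `ca.crt`; unless the trust anchor for the outbound peer arrives through another mount (the `agentservertls` volume's full item list starts before this hunk), the agent is given a client identity but no CA with which to verify the server it presents it to. If that connection verifies the peer, add `- key: ca.crt` / `path: ca.crt` to `items`. Separately, no `defaultMode` is set, so the private key lands in the container at the Secret-volume default of 0644; `defaultMode: 0400` (or 0440 together with the pod's `fsGroup`) keeps it from any other user in the container — match whatever the sibling cert volumes do rather than diverge from them here.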
@@ -114,7 +114,7 @@ metadata:
 name: "amazon-cloudwatch-observability-agent-outbound-cert"
 namespace: {{ .Release.Namespace }}
 spec:
- commonName: "agent-outbound-client"
+ commonName: "agent-outbound"
 issuerRef:
 kind: Issuer
 name: "agent-ca"
From 26a5bbab9d6770945ae5720c38e72b4e40ad1cbb Mon Sep 17 00:00:00 2001
From: musa-asad
Date: Wed, 12 Feb 2025 16:11:14 -0500
Subject: [PATCH 3/3] update naming

---
 .../templates/certmanager.yaml | 8 ++++----
 .../linux/cloudwatch-agent-custom-resource.yaml | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
index f70267c..3fa7329 100644
--- a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
@@ -111,14 +111,14 @@ kind: Certificate
 metadata:
 labels:
 {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
- name: "amazon-cloudwatch-observability-agent-outbound-cert"
+ name: "amazon-cloudwatch-observability-agent-ta-client-cert"
 namespace: {{ .Release.Namespace }}
 spec:
- commonName: "agent-outbound"
+ commonName: "agent-ta-client"
 issuerRef:
 kind: Issuer
 name: "agent-ca"
- secretName: "amazon-cloudwatch-observability-agent-outbound-cert"
+ secretName: "amazon-cloudwatch-observability-agent-ta-client-cert"
 usages:
 - digital signature
 - key encipherment
@@ -169,6 +169,6 @@ kind: Secret
 metadata:
 labels:
 {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
- name: "amazon-cloudwatch-observability-agent-outbound-cert"
+ name: "amazon-cloudwatch-observability-agent-ta-client-cert"
 namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
index 67c00f3..c2e8294 100644
--- a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
@@ -9,7 +9,7 @@
 {{- $cert := genSignedCert ("agent") nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 {{- $serverCert := genSignedCert ("agent-server") nil $agentAltNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 {{- $clientCert := genSignedCert ("agent-client") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
-{{- $outboundCert := genSignedCert ("agent-outbound") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
+{{- $agentTAClientCert := genSignedCert ("agent-ta-client") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -51,12 +51,12 @@ kind: Secret
 metadata:
 labels:
 {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
- name: "amazon-cloudwatch-observability-agent-outbound-cert"
+ name: "amazon-cloudwatch-observability-agent-ta-client-cert"
 namespace: {{ .Release.Namespace }}
 data:
 ca.crt: {{ $ca.Cert | b64enc }}
- tls.crt: {{ $outboundCert.Cert | b64enc }}
- tls.key: {{ $outboundCert.Key | b64enc }}
+ tls.crt: {{ $agentTAClientCert.Cert | b64enc }}
+ tls.key: {{ $agentTAClientCert.Key | b64enc }}
 ---
 {{- end -}}
@@ -142,8 +142,8 @@ spec:
 - mountPath: /etc/amazon-cloudwatch-observability-agent-server-cert
 name: agentservertls
 readOnly: true
- - mountPath: /etc/amazon-cloudwatch-observability-agent-outbound-cert
- name: agentoutboundtls
+ - mountPath: /etc/amazon-cloudwatch-observability-agent-ta-client-cert
+ name: agenttaclienttls
 readOnly: true
 - mountPath: /var/lib/kubelet/pod-resources
 name: kubelet-podresources
@@ -190,9 +190,9 @@ spec:
 path: server.crt
 - key: tls.key
 path: server.key
- - name: agentoutboundtls
+ - name: agenttaclienttls
 secret:
- secretName: amazon-cloudwatch-observability-agent-outbound-cert
+ secretName: amazon-cloudwatch-observability-agent-ta-client-cert
 items:
 - key: tls.crt
 path: client.crt