aws-observability · musa-asad · Jun 13, 2025 · Jan 18, 2025 · Jan 21, 2025 · Feb 12, 2025
diff --git a/charts/amazon-cloudwatch-observability/templates/certmanager.yaml b/charts/amazon-cloudwatch-observability/templates/certmanager.yaml
@@ -44,7 +44,7 @@ spec:
 {{- end }}
 {{- end }}
 
-  {{- if ( .Values.agent.certManager.enabled) }}
+{{- if ( .Values.agent.certManager.enabled) }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -100,7 +100,25 @@ spec:
   issuerRef:
     kind: Issuer
     name: "agent-ca"
-  secretName:  "amazon-cloudwatch-observability-agent-client-cert"
+  secretName: "amazon-cloudwatch-observability-agent-client-cert"
+  usages:
+    - digital signature
+    - key encipherment
+    - cert sign
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
+  name: "amazon-cloudwatch-observability-agent-outbound-cert"
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: "agent-outbound"
+  issuerRef:
+    kind: Issuer
+    name: "agent-ca"
+  secretName: "amazon-cloudwatch-observability-agent-outbound-cert"
   usages:
     - digital signature
     - key encipherment
@@ -143,7 +161,14 @@ kind: Secret
 metadata:
   labels:
     {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
-  name:  "amazon-cloudwatch-observability-agent-client-cert"
+  name: "amazon-cloudwatch-observability-agent-client-cert"
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }}
+  name: "amazon-cloudwatch-observability-agent-outbound-cert"
   namespace: {{ .Release.Namespace }}
 {{- end }}
-
diff --git a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml
@@ -9,6 +9,7 @@
 {{- $cert := genSignedCert ("agent") nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 {{- $serverCert := genSignedCert ("agent-server") nil $agentAltNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 {{- $clientCert := genSignedCert ("agent-client") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
+{{- $outboundCert := genSignedCert ("agent-outbound") nil nil ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -45,6 +46,18 @@ data:
   tls.crt: {{ $clientCert.Cert | b64enc }}
   tls.key: {{ $clientCert.Key | b64enc }}
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+      {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}}
+  name: "amazon-cloudwatch-observability-agent-outbound-cert"
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: {{ $ca.Cert | b64enc }}
+  tls.crt: {{ $outboundCert.Cert | b64enc }}
+  tls.key: {{ $outboundCert.Key | b64enc }}
+---
 {{- end -}}
 
 {{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
@@ -129,6 +142,9 @@ spec:
   - mountPath: /etc/amazon-cloudwatch-observability-agent-server-cert
     name: agentservertls
     readOnly: true
+  - mountPath: /etc/amazon-cloudwatch-observability-agent-outbound-cert
+    name: agentoutboundtls
+    readOnly: true
   - mountPath: /var/lib/kubelet/pod-resources
     name: kubelet-podresources
   volumes:
@@ -174,6 +190,14 @@ spec:
           path: server.crt
         - key: tls.key
           path: server.key
+  - name: agentoutboundtls
+    secret:
+      secretName: amazon-cloudwatch-observability-agent-outbound-cert
+      items:
+        - key: tls.crt
+          path: client.crt
+        - key: tls.key
+          path: client.key
   env:
   - name: K8S_NODE_NAME
     valueFrom: