Merge pull request #87 from oracle-quickstart/extraenv_1.5.0

Add extraEnv to Management Agent, hostPath ownership change support, update agent image to 1.6.0, update metrics-server to 0.7.2

Author: prasebha

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## 2024-11-05
+### Added
+- Support of extraEnv for Management Agent
+- Option to override hostPath permission for Management Agent DaemonSet deployment
+### Changed
+- Management Agent docker image has been updated to version 1.6.0
+- Default metrics-server has been updated to version 0.7.2
+
 ## 2024-09-19
 ### Changed
 - Fluentd collector container image uptake to 1.5.0 having OS update, Ruby 3.3.1 upgrade and other dependency gem updates.

charts/mgmt-agent/Chart.yaml

@@ -18,7 +18,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.3
+version: 3.0.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/mgmt-agent/README.md

@@ -29,6 +29,7 @@ A Helm chart for collecting Kubernetes Metrics using OCI Management Agent into O
 | mgmtagent.image.url | string | `nil` | Replace this value with actual docker image URL for Management Agent |
 | mgmtagent.installKey | string | `"resources/input.rsp"` | Copy the downloaded Management Agent Install Key file under root helm directory as resources/input.rsp |
 | mgmtagent.installKeyFileContent | string | `nil` | Provide the base64 encoded content of the Management Agent Install Key file (e.g. `cat input.rsp \| base64 -w 0`) |
+| mgmtagent.extraEnv | string | `nil` | Please specify additional environment variables in name:value pairs |
 | namespace | string | `"{{ .Values.global.namespace }}"` | Kubernetes namespace to create and install this helm chart in |
 | oci-onm-common.createNamespace | bool | `true` | If createNamespace is set to true, it tries to create the namespace defined in 'namespace' variable. |
 | oci-onm-common.createServiceAccount | bool | `true` | By default, a cluster role, cluster role binding and serviceaccount will be created for the monitoring pods to be able to (readonly) access various objects within the cluster, to support collection of various telemetry data. You may set this to false and provide your own serviceaccount (in the parent chart(s)) which has the necessary cluster role(s) binded to it. Refer, README for the cluster role definition and other details. |
@@ -42,6 +43,7 @@ A Helm chart for collecting Kubernetes Metrics using OCI Management Agent into O
 | deployment.cleanupEpochTime | integer | `nil` | Please provide the current epoch time in seconds (Eg: Executing the following command in a bash shell will provide the epoch time: "date +%s") to clean up the agent installation directory from previous deployment |
 | deployment.daemonSetDeployment | bool | `false` | Setting the daemonset deployment to true, will deploy the Management Agents as a daemonset in addition to deploying the Management Agent as a statefulset. This is done to to distribute the node metrics collection to agents running on the node |
 | deployment.daemonSet.hostPath | string | `nil` |  The host path to store data, if Agent is deployed as DaemonSet. Management Agent Pod should have read-write access to it |
+| deployment.daemonSet.overrideOwnership | bool | `true` |  Override the ownership and permissions on the hostPath. The hostPath will be owned by the runAsUser and runAsGroup provided under security context and the permission as 750. </br>Note: This requires oraclelinux:8-slim image </br></br>Setting overrideOwnership to false will disable the ownership change. |
 | deployment.resource.request.cpuCore | string | `200m` | Minimum CPU cores(millicore) for each agent instance |
 | deployment.resource.request.memory | string | `500Mi` | Minimum memory(mebibytes) for each agent instance |
 | deployment.resource.request.storage | string | `2Gi` | Minimum storage(gibibyte) for StatefulSet's PVC |

charts/mgmt-agent/templates/env-configmap.yaml

@@ -15,11 +15,3 @@ data:
   {{- if .Values.deployment.cleanupEpochTime }}
   POD_CLEANUP_ID: "{{ .Values.deployment.cleanupEpochTime }}"
   {{- end }}
-
-  # Modifiable properties
-  # Add new or change the below existing properties as required
-
-  # Openjdk on RHEL with FIPS requires the default security property to be disabled, 
-  # so that Management Agent can use its own bcfips security provider.
-  # Set this to true to disable, and pass disableJREDefaultSecurityPropertiesFile=true via the rsp file.
-  DISABLE_JRE_DEFAULT_SECURITY_PROPERTIES_FILE: "false"

charts/mgmt-agent/templates/metric_server.yaml

@@ -138,15 +138,15 @@ spec:
       containers:
       - args:
         - --cert-dir=/tmp
-        - --secure-port=4443
+        - --secure-port=10250
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
         - --kubelet-use-node-status-port
         - --metric-resolution=15s
-        image: registry.k8s.io/metrics-server/metrics-server:v0.6.3
+        image: registry.k8s.io/metrics-server/metrics-server:v0.7.2
         imagePullPolicy: IfNotPresent
         name: metrics-server
         ports:
-        - containerPort: 4443
+        - containerPort: 10250
           name: https
           protocol: TCP
         resources:
@@ -155,9 +155,14 @@ spec:
             memory: 200Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /tmp
           name: tmp-dir

charts/mgmt-agent/templates/mgmt-agent-daemonset.yaml

@@ -38,6 +38,13 @@ spec:
           envFrom:
           - configMapRef:
               name: {{ include "mgmt-agent.resourceNamePrefix" . }}-env
+          env:
+            {{- if .Values.mgmtagent.extraEnv }}
+            {{- range .Values.mgmtagent.extraEnv }}
+            - name: {{ .name }}
+              value: {{ .value | quote }}
+            {{- end }}
+            {{- end }}
           resources:
             requests:
               cpu: {{ .Values.deployment.resource.request.cpuCore }}
@@ -62,6 +69,18 @@ spec:
           securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
+      {{- if .Values.deployment.daemonSet.overrideOwnership }}
+      initContainers:
+        - name: change-ownership-container
+          image: container-registry.oracle.com/os/oraclelinux:8-slim
+          command: ["/bin/sh", "-c", "chmod 750 /opt/oracle && chown -R {{ .Values.deployment.security.runAsUser }}:{{ .Values.deployment.security.runAsGroup }} /opt/oracle"]
+          securityContext:
+            runAsUser: 0
+            privileged: true
+          volumeMounts:
+          - name: mgmtagent-hostpath
+            mountPath: /opt/oracle
+      {{- end }}
       volumes:
         - name: mgmtagent-secret
           secret:
@@ -77,7 +96,10 @@ spec:
             name: {{ include "mgmt-agent.resourceNamePrefix" . }}-agent
         - name: mgmtagent-hostpath
           hostPath: 
-            path: {{ required "deployment.daemonSet.hostPath is required" .Values.deployment.daemonSet.hostPath }}
+            path: "{{ required "deployment.daemonSet.hostPath is required" .Values.deployment.daemonSet.hostPath }}"
+            {{- if regexMatch "^/opt/oracle/*$" .Values.deployment.daemonSet.hostPath }}
+            {{- fail "Error: deployment.daemonSet.hostPath cannot be /opt/oracle. Please provide another location or create a sub-directory under /opt/oracle and use that as hostPath" }}
+            {{- end }}
         - emptyDir: {}
           name: tmp
 {{- end }}

charts/mgmt-agent/templates/mgmt-agent-statefulset.yaml

@@ -39,6 +39,13 @@ spec:
           envFrom:
           - configMapRef:
               name: {{ include "mgmt-agent.resourceNamePrefix" . }}-env
+          env:
+            {{- if .Values.mgmtagent.extraEnv }}
+            {{- range .Values.mgmtagent.extraEnv }}
+            - name: {{ .name }}
+              value: {{ .value | quote }}
+            {{- end }}
+            {{- end }}
           resources:
             requests:
               cpu: {{ .Values.deployment.resource.request.cpuCore }}

charts/mgmt-agent/values.yaml

@@ -32,6 +32,13 @@ mgmtagent:
       url:
       # -- Image secrets to use for pulling container image (base64 encoded content of ~/.docker/config.json file)
       secret:
+   # Please specify additional environment variables in name:value pairs
+   extraEnv:
+      # Openjdk on RHEL with FIPS requires the default security property to be disabled, 
+      # so that Management Agent can use its own bcfips security provider.
+      # Set this to true to disable, and pass disableJREDefaultSecurityPropertiesFile=true via the rsp file.
+      - name: DISABLE_JRE_DEFAULT_SECURITY_PROPERTIES_FILE
+        value: "false"
 
 # -- Kubernetes namespace to create and install this helm chart in
 namespace: "{{ .Values.global.namespace }}"
@@ -78,7 +85,13 @@ deployment:
 
    daemonSet:
       # Provide the host path if Agent is deployed as DaemonSet. Management Agent Pod should have read-write access to it.
+      # Note: The hostPath cannot point to /opt/oracle, please provide another location or create a sub-directory under /opt/oracle and use that as hostPath.
+      # The Management Agent helm chart will attempt to change ownership and permissions on the host path provided here.
       hostPath:
+      # Override the ownership and permissions on the hostPath. The hostPath will be owned by the runAsUser and runAsGroup provided under security context above and the permission as 750. 
+      # Note: This requires oraclelinux:8-slim image
+      # Setting overrideOwnership to false will disable the ownership change.
+      overrideOwnership: true
 
    # Provide the agent resources as per Kubernetes resource quantity
    resource:

charts/oci-onm/Chart.yaml

@@ -18,7 +18,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.5.1
+version: 3.5.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -36,6 +36,6 @@ dependencies:
   repository: "file://../logan"
   condition: oci-onm-logan.enabled
 - name: oci-onm-mgmt-agent
-  version: "3.0.3"
+  version: "3.0.4"
   repository: "file://../mgmt-agent"
   condition: oci-onm-mgmt-agent.enabled

charts/oci-onm/values.yaml

@@ -52,6 +52,6 @@ oci-onm-mgmt-agent:
     # Follow steps documented at https://github.com/oracle/docker-images/tree/main/OracleManagementAgent to build docker image.
     image:
       # Replace this value with actual docker image URL for Management Agent
-      url: container-registry.oracle.com/oci_observability_management/oci-management-agent:1.4.0
+      url: container-registry.oracle.com/oci_observability_management/oci-management-agent:1.6.0
       # Image secrets to use for pulling container image (base64 encoded content of ~/.docker/config.json file)
       secret: