[charts/newrelic-metadata-injection] imported (#34)

* [charts/newrelic-metadata-injection] imported from nri-bundle

* Delete OWNERS

Co-authored-by: Douglas Camata <[email protected]>

Author: jorikvdwerf

charts/newrelic-mutation-webhook/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+description: A Helm chart to deploy the New Relic metadata injection webhook.
+name: nri-metadata-injection
+version: 1.0.0
+appVersion: 1.2.0
+home: https://hub.docker.com/r/newrelic/k8s-metadata-injection
+source:
+  - https://github.com/newrelic/k8s-metadata-injection
+engine: gotpl
+icon: https://newrelic.com/assets/newrelic/source/NewRelic-logo-square.svg
+maintainers:
+  - name: douglascamata
+  - name: jorikvdwerf
+keywords:
+  - infrastructure
+  - newrelic
+  - monitoring

charts/newrelic-mutation-webhook/README.md

@@ -0,0 +1,48 @@
+# newrelic-mutation-webhook
+
+## Chart Details
+
+This chart will deploy the [New Relic Infrastructure metadata injection webhook][1].
+
+## Configuration
+
+| Parameter                     | Description                                                  | Default                    |
+| ----------------------------- | ------------------------------------------------------------ | -------------------------- |
+| `cluster`                     | The cluster name for the Kubernetes cluster.                 |                            |
+| `injectOnlyLabeledNamespaces` | Limit the injection of metadata only to specific namespaces that match the label `newrelic-metadata-injection: enabled`. | false |
+| `image.repository`            | The container to pull.                                       | `newrelic/k8s-metadata-injection`   |
+| `image.pullPolicy`            | The pull policy.                                             | `IfNotPresent`                      |
+| `image.tag`                   | The version of the container to pull.                        | `1.2.0`                             |
+| `imageJob.repository`         | The job container to pull.                                   | `newrelic/k8s-webhook-cert-manager` |
+| `imageJob.pullPolicy`         | The job pull policy.                                         | `IfNotPresent`                      |
+| `imageJob.tag`                | The job version of the container to pull.                    | `1.2.1`                             |
+| `resources`                   | Any resources you wish to assign to the pod.                 | See Resources below                 |
+| `serviveAccount.create`       | If true a service account would be created and assigned for the webhook and the job. | `true` |
+| `serviveAccount.name`         | The service account to assign to the webhook and the job. If `serviveAccount.create` is true then this name will be used when creating the service account; if this value is not set or it evaluates to false, then when creating the account the returned value from the template `nr-metadata-injection.fullname` will be used as name. | |
+| `customTLSCertificate`        | Use custom TLS certificate. Setting this options means that you will have to do some post install work as detailed in the *Manage custom certificates* section of the [official docs][1]. | `false` |
+| `nodeSelector`                | Node label to use for scheduling                             | `{}`                                |
+| `tolerations`                 | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]`                                |
+| `affinity`                    | Node affinity to use for scheduling                          | `{}`                                |
+
+## Example
+
+Make sure you have [added the New Relic chart repository.](../../README.md#installing-charts)
+
+Then, to install this chart, run the following command:
+
+```sh
+helm install newrelic/newrelic-mutation-webhook --set cluster=my_cluster_name
+```
+
+## Resources
+
+The default set of resources assigned to the pods is shown below:
+
+    resources:
+      limits:
+        memory: 80M
+      requests:
+        cpu: 100m
+        memory: 30M
+
+[1]: https://docs.newrelic.com/docs/integrations/kubernetes-integration/link-your-applications/link-your-applications-kubernetes#configure-injection

charts/newrelic-mutation-webhook/templates/NOTES.txt

@@ -0,0 +1,39 @@
+{{- if (include "nri-metadata-injection.cluster" .) }}
+Your deployment of the New Relic metadata injection webhook is complete. You can check on the progress of this by running the following command:
+
+    kubectl get deployments -o wide -w --namespace {{ .Release.Namespace }} {{ template "nri-metadata-injection.fullname" . }}
+
+{{- if .Values.customTLSCertificate }}
+You have configure the chart to use a custom tls certificate, make sure to read the 'Manage custom certificates' section of the official docs to find the instructions on how to finish setting up the webhook.
+
+https://docs.newrelic.com/docs/integrations/kubernetes-integration/link-your-applications/link-your-applications-kubernetes#configure-injection
+{{- end }}
+
+To validate the injection of metadata create a dummy pod containing Busybox by running:
+
+    kubectl create -f https://git.io/vPieo
+
+Check if New Relic environment variables were injected:
+
+    kubectl exec busybox0 -- env | grep NEW_RELIC_METADATA_KUBERNETES
+
+    NEW_RELIC_METADATA_KUBERNETES_CLUSTER_NAME=fsi
+    NEW_RELIC_METADATA_KUBERNETES_NODE_NAME=nodea
+    NEW_RELIC_METADATA_KUBERNETES_NAMESPACE_NAME=default
+    NEW_RELIC_METADATA_KUBERNETES_POD_NAME=busybox0
+    NEW_RELIC_METADATA_KUBERNETES_CONTAINER_NAME=busybox
+
+{{- else -}}
+###############################################################
+####       ERROR: You did not set a cluster name.          ####
+###############################################################
+
+This deployment will be incomplete until you set a cluster name.
+
+Run:
+
+    helm upgrade {{ .Release.Name }} \
+        --set cluster=YOUR-CLUSTER-NAME \
+        newrelic/nri-metadata-injection
+
+{{- end -}}

charts/newrelic-mutation-webhook/templates/_helpers.tpl

@@ -0,0 +1,78 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "nri-metadata-injection.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "nri-metadata-injection.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "nri-metadata-injection.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common app label
+*/}}
+{{- define "nri-metadata-injection.appLabel" -}}
+app.kubernetes.io/name: {{ include "nri-metadata-injection.name" . }}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "nri-metadata-injection.labels" -}}
+{{ include "nri-metadata-injection.appLabel" . }}
+helm.sh/chart: {{ include "nri-metadata-injection.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "nri-metadata-injection.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "nri-metadata-injection.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the cluster
+*/}}
+{{- define "nri-metadata-injection.cluster" -}}
+{{- if .Values.global -}}
+  {{- if .Values.global.cluster -}}
+      {{- .Values.global.cluster -}}
+  {{- else -}}
+      {{- .Values.cluster | default "" -}}
+  {{- end -}}
+{{- else -}}
+  {{- .Values.cluster | default "" -}}
+{{- end -}}
+{{- end -}}

charts/newrelic-mutation-webhook/templates/clusterrole.yaml

@@ -0,0 +1,30 @@
+{{- if not .Values.customTLSCertificate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "nri-metadata-injection.fullname" . }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "create", "patch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests"]
+    verbs: ["create", "get", "delete"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests/approval"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create", "get", "patch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+      - "kubernetes.io/legacy-unknown"
+    verbs: ["approve"]
+{{- end }}

charts/newrelic-mutation-webhook/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if not .Values.customTLSCertificate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "nri-metadata-injection.fullname" . }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "nri-metadata-injection.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "nri-metadata-injection.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

charts/newrelic-mutation-webhook/templates/deployment.yaml

@@ -0,0 +1,58 @@
+{{- if (include "nri-metadata-injection.cluster" .) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "nri-metadata-injection.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "nri-metadata-injection.appLabel" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "nri-metadata-injection.labels" . | nindent 8 }}
+    spec:
+      {{- if not .Values.customTLSCertificate }}
+      serviceAccountName: {{ template "nri-metadata-injection.serviceAccountName" . }}
+      {{- end }}
+      containers:
+      - name: {{ template "nri-metadata-injection.name" . }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+        env:
+        - name: clusterName
+          value: {{ include "nri-metadata-injection.cluster" . }}
+        volumeMounts:
+        - name: tls-key-cert-pair
+          mountPath: /etc/tls-key-cert-pair
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 1
+          periodSeconds: 1
+        {{- if .Values.resources }}
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        {{- end }}
+      volumes:
+      - name: tls-key-cert-pair
+        secret:
+          secretName: {{ template "nri-metadata-injection.fullname" . }}
+      {{- if $.Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml $.Values.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+      {{- end }}
+{{- end }}

charts/newrelic-mutation-webhook/templates/job.yaml

@@ -0,0 +1,33 @@
+{{- if not .Values.customTLSCertificate }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "nri-metadata-injection.fullname" . }}-job
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+spec:
+  template:
+    metadata:
+      labels:
+        {{- include "nri-metadata-injection.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ template "nri-metadata-injection.serviceAccountName" . }}
+      containers:
+      - name: {{ template "nri-metadata-injection.name" . }}-job
+        # This is a minimal kubectl image based on Alpine Linux that sings certificates using the k8s extension api server
+        image: "{{ .Values.jobImage.repository }}:{{ .Values.jobImage.tag }}"
+        imagePullPolicy: "{{ .Values.jobImage.pullPolicy }}"
+        command: ["./generate_certificate.sh"]
+        args:
+          - "--service"
+          - {{ template "nri-metadata-injection.fullname" . }}
+          - "--webhook"
+          - {{ template "nri-metadata-injection.fullname" . }}
+          - "--secret"
+          - {{ template "nri-metadata-injection.fullname" . }}
+          - "--namespace"
+          - {{ .Release.Namespace }}
+      restartPolicy: Never
+  backoffLimit: 1
+{{- end }}

charts/newrelic-mutation-webhook/templates/mutationwebhookconfiguration.yaml

@@ -0,0 +1,25 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "nri-metadata-injection.fullname" . }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+webhooks:
+- name: metadata-injection.newrelic.com
+  clientConfig:
+    service:
+      name: {{ template "nri-metadata-injection.fullname" . }}
+      namespace: {{ .Release.Namespace }}
+      path: "/mutate"
+    caBundle: ""
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  {{- if .Values.injectOnlyLabeledNamespaces }}
+    namespaceSelector:
+      matchLabels:
+        newrelic-metadata-injection: enabled
+  {{- end }}
+  failurePolicy: Ignore

charts/newrelic-mutation-webhook/templates/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "nri-metadata-injection.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 443
+    targetPort: 8443
+  selector:
+    {{- include "nri-metadata-injection.appLabel" . | nindent 4 }}

charts/newrelic-mutation-webhook/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if (and .Values.serviceAccount.create (not .Values.customTLSCertificate)) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "nri-metadata-injection.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nri-metadata-injection.labels" . | nindent 4 }}
+{{- end -}}