diff --git a/.github/workflows/amazon-cloudwatch-observability-integration-test.yaml b/.github/workflows/amazon-cloudwatch-observability-integration-test.yaml index 91293be0..a79f09cd 100644 --- a/.github/workflows/amazon-cloudwatch-observability-integration-test.yaml +++ b/.github/workflows/amazon-cloudwatch-observability-integration-test.yaml @@ -213,4 +213,4 @@ jobs: retry_wait_seconds: 5 command: | cd integration-tests/amazon-cloudwatch-observability/terraform/eks/windows - terraform destroy --auto-approve \ No newline at end of file + terraform destroy --auto-approve diff --git a/RELEASE_NOTES b/RELEASE_NOTES index efe63b3a..fbc6adcb 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,25 @@ +======================================================================= +amazon-cloudwatch-observability v4.6.0 (2025-10-16) +======================================================================= +Enhancements: +* Upgrade CWAgent Operator to v3.3.0 +* Upgrade FluentBit to v3.0.0 +* Update FluentBit config to use systemd plugin for retrieving host logs + +======================================================================= +amazon-cloudwatch-observability v4.5.0 (2025-09-24) +======================================================================= +Enhancements: +* Support custom configurations for admission webhook with managed resources +* Support ARM GPU instances with DCGM Exporter +* Upgrade CWAgent to v1.300060.0b1248 +* Upgrade CWAgent Operator to v3.2.0 +* Upgrade Fluent Bit to v2.34.0 +* Upgrade Java SDK to v2.11.5 +* Upgrade .NET SDK to v1.9.1 +* Upgrade DCGM Exporter to 4.4.0-4.5.0-ubuntu22.04 +* Upgrade Neuron Monitor to v1.6.0 + ======================================================================= amazon-cloudwatch-observability v4.4.0 (2025-09-04) ======================================================================= 
diff --git a/charts/amazon-cloudwatch-observability/Chart.yaml b/charts/amazon-cloudwatch-observability/Chart.yaml index 69728137..4df5a3ab 100644 --- a/charts/amazon-cloudwatch-observability/Chart.yaml +++ b/charts/amazon-cloudwatch-observability/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: amazon-cloudwatch-observability -version: 4.4.0 +version: 4.6.0 appVersion: 1.0.0 description: A Helm chart for Amazon CloudWatch Observability type: application diff --git a/charts/amazon-cloudwatch-observability/templates/_helpers.tpl b/charts/amazon-cloudwatch-observability/templates/_helpers.tpl index 85a05af3..00f5118b 100644 --- a/charts/amazon-cloudwatch-observability/templates/_helpers.tpl +++ b/charts/amazon-cloudwatch-observability/templates/_helpers.tpl 
@@ -320,3 +320,56 @@ Define the default service name {{- define "amazon-cloudwatch-observability.webhookServiceName" -}} {{- default (printf "%s-webhook-service" (include "amazon-cloudwatch-observability.name" .)) .Values.manager.service.name }} {{- end -}} + +{{/* +Check if a specific admission webhook is enabled +*/}} +{{- define "amazon-cloudwatch-observability.isWebhookEnabled" -}} +{{- $ctx := index . 0 -}} +{{- $webhook := index . 1 -}} +{{- $webhookConfig := index $ctx.Values.admissionWebhooks $webhook -}} +{{- if hasKey $webhookConfig "create" -}} +{{- if $webhookConfig.create }}true{{- end -}} +{{- else -}} +{{- if $ctx.Values.admissionWebhooks.create }}true{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Check if any admission webhook is enabled +*/}} +{{- define "amazon-cloudwatch-observability.webhookEnabled" -}} +{{- $webhooks := list "agents" "instrumentations" "pods" "workloads" "namespaces" -}} +{{- range $webhook := $webhooks -}} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list $ $webhook) -}} +true +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get namespaceSelector value for admission webhooks +*/}} +{{- define "amazon-cloudwatch-observability.namespaceSelector" -}} +{{- $ctx := index . 0 -}} +{{- $webhook := index . 1 -}} +{{- $webhookConfig := index $ctx.Values.admissionWebhooks $webhook -}} +{{- if and (hasKey $webhookConfig "namespaceSelector") (ne $webhookConfig.namespaceSelector nil) -}} +{{- $selector := $webhookConfig.namespaceSelector -}} +{{- if $selector -}} +{{- toYaml $selector | nindent 4 -}} +{{- else -}} +{} +{{- end -}} +{{- else -}} +{{- $selector := $ctx.Values.admissionWebhooks.namespaceSelector -}} +{{- if $selector -}} +{{- toYaml $selector | nindent 4 -}} +{{- else -}} +{} +{{- end -}} +{{- end -}} +{{- end -}} + + 
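Review bot: The namespaceSelector helper repeats the `if $selector … else {}` branch for the per-webhook and the parent case without saying why `default` is not used; since an explicit `{}` has to beat the parent selector and `default` would treat an empty map as unset, the define's comment should state that, e.g. `hasKey/ne nil instead of default: an explicit {} must override the parent selector, default would discard it`. The same comment should say that an empty selector renders `namespaceSelector: {}`, which matches every namespace including kube-system. The `{{- break -}}` in webhookEnabled, and the short-circuit that keeps `ne $webhookConfig.namespaceSelector nil` from being evaluated when the key is absent, both rely on Go 1.18 text/template semantics, which as far as I know only newer Helm 3 releases ship; Chart.yaml in this diff records no such requirement, so a one-line note in the helper would spare users of older Helm a confusing parse error.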
diff --git a/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml b/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml index 2d412ce9..37094952 100644 --- a/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml +++ b/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.admissionWebhooks.create) (.Values.admissionWebhooks.certManager.enabled) }} +{{- if and (.Values.admissionWebhooks.certManager.enabled) (include "amazon-cloudwatch-observability.webhookEnabled" .) }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: @@ -8,6 +8,7 @@ metadata: {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} name: {{ template "amazon-cloudwatch-observability.name" . }}-mutating-webhook-configuration webhooks: +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -15,16 +16,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: minstrumentation.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - cloudwatch.aws.amazon.com @@ -37,6 +35,8 @@ webhooks: - instrumentations sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents") }} - admissionReviewVersions: - v1 clientConfig: 
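Review bot: `failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}` renders an empty value when both the per-webhook and the parent setting are unset or empty, and the admissionregistration.k8s.io/v1 API then applies its own default, which is Fail; a user who clears the parent `failurePolicy` silently ends up with a fail-closed mutating webhook. Either append a literal fallback, `| default "Ignore"`, which is the chart's documented default, or wrap the chain in `required` so the render fails instead of silently switching behaviour. The same chain appears in the other failurePolicy hunks of this file and in operator-webhook.yaml. The enclosing webhook entry starts and ends outside this hunk.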
@@ -44,16 +44,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.agents.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mamazoncloudwatchagent.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - cloudwatch.aws.amazon.com @@ -66,6 +63,8 @@ webhooks: - amazoncloudwatchagents sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "pods") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -73,16 +72,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-v1-pod - failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mpod.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "pods") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - "" @@ -95,6 +91,8 @@ webhooks: - pods sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "namespaces") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -102,16 +100,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-v1-namespace - failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.namespaces.failurePolicy | default .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mnamespace.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "namespaces") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - "" @@ -124,6 +119,8 @@ webhooks: - namespaces sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "workloads") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -131,16 +128,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-v1-workload - failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.workloads.failurePolicy | default .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mworkload.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "workloads") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - apps @@ -155,6 +149,7 @@ webhooks: - statefulsets sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -165,6 +160,7 @@ metadata: {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} name: {{ template "amazon-cloudwatch-observability.name" . }}-validating-webhook-configuration webhooks: +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations") }} - admissionReviewVersions: - v1 clientConfig: 
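Review bot: The ValidatingWebhookConfiguration is still emitted whenever `webhookEnabled` is true, but from this hunk on its entries are gated only on `instrumentations` and `agents`, so with just pods, workloads or namespaces enabled the file renders `webhooks:` with no items, an empty configuration object. Kubernetes accepts an empty list as far as I know, but the object is noise and the symmetry with the mutating configuration is misleading; gating the second document (its `---` and `kind:` lines sit in the preceding hunk) on `{{- if or (include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations")) (include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents")) }}` avoids it. operator-webhook.yaml has the same shape at its `@@ -181,6 +176,7 @@` hunk.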
@@ -172,16 +168,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: vinstrumentationcreateupdate.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - cloudwatch.aws.amazon.com @@ -194,6 +187,8 @@ webhooks: - instrumentations sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -203,14 +198,11 @@ webhooks: path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation failurePolicy: Ignore name: vinstrumentationdelete.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - cloudwatch.aws.amazon.com @@ -222,6 +214,8 @@ webhooks: - instrumentations sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -229,16 +223,13 @@ webhooks: name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.agents.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: vamazoncloudwatchagentcreateupdate.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - cloudwatch.aws.amazon.com @@ -251,6 +242,8 @@ webhooks: - amazoncloudwatchagents sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -260,14 +253,11 @@ webhooks: path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent failurePolicy: Ignore name: vamazoncloudwatchagentdelete.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} - {{- if .Values.admissionWebhooks.objectSelector }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }} + {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: - {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} - {{- end }} + {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} rules: - apiGroups: - cloudwatch.aws.amazon.com @@ -280,3 +270,4 @@ webhooks: sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} {{- end }} +{{- end }} diff --git a/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml b/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml index a0913661..616ccf8d 100644 --- a/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml +++ b/charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml 
@@ -1,4 +1,4 @@ -{{- if and (.Values.admissionWebhooks.create) (.Values.admissionWebhooks.autoGenerateCert.enabled) (not .Values.admissionWebhooks.certManager.enabled) }} +{{- if and (.Values.admissionWebhooks.autoGenerateCert.enabled) (not .Values.admissionWebhooks.certManager.enabled) (include "amazon-cloudwatch-observability.webhookEnabled" .) }} {{- $altNames := list ( printf "%s-webhook-service.%s" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc.cluster.local" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) -}} {{- $ca := genCA ( printf "%s-ca" (include "amazon-cloudwatch-observability.name" .) ) ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) -}} {{- $cert := genSignedCert (include "amazon-cloudwatch-observability.name" .) nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}} @@ -21,6 +21,7 @@ metadata: {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} name: {{ template "amazon-cloudwatch-observability.name" . }}-mutating-webhook-configuration webhooks: +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -29,12 +30,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: minstrumentation.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -51,6 +49,8 @@ webhooks: - instrumentations sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents") }} - admissionReviewVersions: - v1 clientConfig: @@ -59,12 +59,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.agents.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mamazoncloudwatchagent.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 
@@ -81,6 +78,8 @@ webhooks: - amazoncloudwatchagents sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "pods") }} - admissionReviewVersions: - v1 clientConfig: @@ -89,12 +88,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-v1-pod caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mpod.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "pods") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -111,6 +107,8 @@ webhooks: - pods sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "namespaces") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -119,12 +117,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-v1-namespace caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.namespaces.failurePolicy | default .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mnamespace.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "namespaces") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -141,6 +136,8 @@ webhooks: - namespaces sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "workloads") }} - admissionReviewVersions: - v1 clientConfig: @@ -149,12 +146,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-v1-workload caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.workloads.failurePolicy | default .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: mworkload.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "workloads") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} 
@@ -173,6 +167,7 @@ webhooks: - statefulsets sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -181,6 +176,7 @@ metadata: {{- include "amazon-cloudwatch-observability.labels" . | nindent 4}} name: {{ template "amazon-cloudwatch-observability.name" . }}-validating-webhook-configuration webhooks: +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations") }} - admissionReviewVersions: - v1 clientConfig: @@ -189,12 +185,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: vinstrumentationcreateupdate.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -211,6 +204,8 @@ webhooks: - instrumentations sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "instrumentations") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -221,10 +216,7 @@ webhooks: caBundle: {{ $ca.Cert | b64enc }} failurePolicy: Ignore name: vinstrumentationdelete.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -240,6 +232,8 @@ webhooks: - instrumentations sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents") }} - admissionReviewVersions: - v1 clientConfig: @@ -248,12 +242,9 @@ webhooks: namespace: {{ .Release.Namespace }} path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }} + failurePolicy: {{ .Values.admissionWebhooks.agents.failurePolicy | default .Values.admissionWebhooks.failurePolicy }} name: vamazoncloudwatchagentcreateupdate.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -270,6 +261,8 @@ webhooks: - amazoncloudwatchagents sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} +{{- end }} +{{- if include "amazon-cloudwatch-observability.isWebhookEnabled" (list . "agents") }} - admissionReviewVersions: - v1 clientConfig: 
@@ -280,10 +273,7 @@ webhooks: caBundle: {{ $ca.Cert | b64enc }} failurePolicy: Ignore name: vamazoncloudwatchagentdelete.kb.io - {{- if .Values.admissionWebhooks.namespaceSelector }} - namespaceSelector: - {{- toYaml .Values.admissionWebhooks.namespaceSelector | nindent 6 }} - {{- end }} + namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }} {{- if .Values.admissionWebhooks.objectSelector }} objectSelector: {{- toYaml .Values.admissionWebhooks.objectSelector | nindent 6 }} @@ -300,3 +290,4 @@ webhooks: sideEffects: None timeoutSeconds: {{ .Values.admissionWebhooks.timeoutSeconds }} {{- end }} +{{- end }} diff --git a/charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrole.yaml b/charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrole.yaml index 609cedf7..2dbc0edc 100644 --- a/charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrole.yaml +++ b/charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrole.yaml @@ -21,12 +21,18 @@ rules: - apiGroups: [ "batch" ] resources: [ "jobs" ] verbs: [ "list", "watch" ] +- apiGroups: [ "networking.k8s.io" ] + resources: [ "ingresses" ] + verbs: [ "list", "watch", "get" ] - apiGroups: [ "" ] resources: [ "nodes/stats", "configmaps", "events" ] verbs: [ "create", "get" ] - apiGroups: [ "" ] resources: [ "configmaps" ] verbs: [ "update" ] +- apiGroups: [ "" ] + resources: [ "persistentvolumeclaims", "persistentvolumes" ] + verbs: [ "get", "list", "watch" ] - nonResourceURLs: [ "/metrics" ] verbs: [ "get", "list", "watch" ] {{- end }} diff --git a/charts/amazon-cloudwatch-observability/values.yaml b/charts/amazon-cloudwatch-observability/values.yaml index 3d4b5c53..155d1b27 100644 --- a/charts/amazon-cloudwatch-observability/values.yaml +++ b/charts/amazon-cloudwatch-observability/values.yaml 
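Review bot: The new rules give the agent cluster-wide read access to `ingresses` and to `persistentvolumeclaims`/`persistentvolumes`, and neither the hunk nor the v4.6.0 RELEASE_NOTES entry says which collector needs them; a ClusterRole is where a reviewer expects a why-comment per rule, e.g. `# needed by <feature> to <purpose>` above each new block (feature and purpose to be filled in by the author). Both additions are read-only, which is appropriate, but `get` on ingresses is broader than the `list`/`watch` the neighbouring batch/jobs rule uses, so it should be justified or dropped. PersistentVolume objects are cluster-scoped and describe the storage backend, so this widens what the agent's identity can read and is worth a sentence in the chart docs.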
@@ -19,7 +19,7 @@ containerLogs: fluentBit: image: repository: aws-for-fluent-bit - tag: 2.33.2 + tag: 3.0.0 tagWindows: 2.31.12-windowsservercore repositoryDomainMap: public: public.ecr.aws/aws-observability @@ -193,43 +193,54 @@ containerLogs: extra_user_agent container-insights host-log.conf: | [INPUT] - Name tail + Name systemd Tag host.dmesg - Path /var/log/dmesg - Key message + Systemd_Filter _TRANSPORT=kernel DB /var/fluent-bit/state/flb_dmesg.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} + Path /var/log/journal + Read_From_Tail ${READ_FROM_TAIL} [INPUT] - Name tail + Name systemd Tag host.messages - Path /var/log/messages - Parser syslog + Systemd_Filter PRIORITY=0 + Systemd_Filter PRIORITY=1 + Systemd_Filter PRIORITY=2 + Systemd_Filter PRIORITY=3 + Systemd_Filter PRIORITY=4 + Systemd_Filter PRIORITY=5 + Systemd_Filter PRIORITY=6 DB /var/fluent-bit/state/flb_messages.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} + Path /var/log/journal + Read_From_Tail ${READ_FROM_TAIL} [INPUT] - Name tail + Name systemd Tag host.secure - Path /var/log/secure - Parser syslog + Systemd_Filter SYSLOG_FACILITY=10 DB /var/fluent-bit/state/flb_secure.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} + Path /var/log/journal + Read_From_Tail ${READ_FROM_TAIL} [FILTER] Name aws Match host.* imds_version v2 + [FILTER] + Name grep + Match host.messages + Exclude SYSLOG_FACILITY /^(2|9|10)$/ + + [FILTER] + Name modify + Match host.* + Rename _HOSTNAME host + Rename MESSAGE message + Rename SYSLOG_IDENTIFIER ident + Rename SYSLOG_PID pid + Remove_regex [A-Z] + [OUTPUT] Name cloudwatch_logs Match host.* @@ -1037,7 +1048,7 @@ manager: name: image: repository: cloudwatch-agent-operator - tag: 3.1.1 + tag: 3.3.0 repositoryDomainMap: public: public.ecr.aws/cloudwatch-agent cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn 
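Review bot: The rewritten `host-log.conf` inputs read `/var/log/journal` with `Read_From_Tail ${READ_FROM_TAIL}`, whereas the removed tail inputs used `${READ_FROM_HEAD}`; the daemonset env that must now define `READ_FROM_TAIL` and the hostPath mount of the journal directory are not in this diff, so please confirm both are wired up, and note that nodes with a volatile journal keep it under `/run/log/journal`, which an explicit `Path /var/log/journal` would miss. The numeric filters deserve comments: `Systemd_Filter SYSLOG_FACILITY=10` on host.secure and `Exclude SYSLOG_FACILITY /^(2|9|10)$/` on host.messages encode authpriv (10), mail (2) and cron (9), e.g. `# facility 10 = authpriv, the journal equivalent of /var/log/secure`. `Remove_regex [A-Z]` in the modify filter drops every remaining upper-case journal field after the four renames, a sensible data-minimisation step that should be stated: `# drop all other journal metadata (_UID, _CMDLINE, ...); only host/message/ident/pid are shipped`.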
@@ -1048,15 +1059,15 @@ manager: java: repositoryDomain: public.ecr.aws/aws-observability repository: adot-autoinstrumentation-java - tag: v2.11.2 + tag: v2.11.5 python: repositoryDomain: public.ecr.aws/aws-observability repository: adot-autoinstrumentation-python - tag: v0.9.0 + tag: v0.12.1 dotnet: repositoryDomain: public.ecr.aws/aws-observability repository: adot-autoinstrumentation-dotnet - tag: v1.9.0 + tag: v1.9.1 nodejs: repositoryDomain: public.ecr.aws/aws-observability repository: adot-autoinstrumentation-node @@ -1202,11 +1213,35 @@ admissionWebhooks: create: true failurePolicy: Ignore secretName: "" - ## Defines the sidecar injection logic in Pods. + ## Defines the sidecar injection logic for each sub-resource. + ## create: + ## - true/false, whether or not the webhook will be created. Can be used as an override if specified, + ## otherwise will default to the parent create flag. + ## failurePolicy: ## - Ignore, the injection is fail-open. The pod will be created, but the sidecar won't be injected. ## - Fail, the injection is fail-close. If the webhook pod is not ready, pods cannot be created. + ## namespaceSelector: Selector rule for particular namespaces. To override from parent to be empty, set to `{}`. + agents: + # create: true + failurePolicy: + namespaceSelector: + instrumentations: + # create: true + failurePolicy: + namespaceSelector: pods: + # create: true failurePolicy: Ignore + namespaceSelector: + ## Workloads applies Deployments, DaemonSets, and StatefulSets. + workloads: + # create: true + failurePolicy: + namespaceSelector: + namespaces: + # create: true + failurePolicy: + namespaceSelector: ## Adds a prefix to the mutating webhook name. ## This can be used to order this mutating webhook with all your cluster's mutating webhooks. namePrefix: "" 
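Review bot: The new comment block says `To override from parent to be empty, set to {}` but not what an empty selector means: the webhook then applies to every namespace, including kube-system and the chart's own namespace, and combined with `failurePolicy: Fail` an unavailable webhook pod can block creation of system pods. A sentence such as `## An empty selector ({}) matches all namespaces, including kube-system; pair it with failurePolicy: Fail only if an unavailable webhook blocking those namespaces is acceptable.` belongs in this block. The comment should also say that an empty per-webhook `failurePolicy` falls back to the parent value (and, for workloads and namespaces, to `pods.failurePolicy` first), which is what the templates implement but is not visible from the values alone.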
@@ -1246,7 +1281,7 @@ agent: replicas: 1 # The total number non-terminated pods targeted by this AmazonCloudWatchAgent's deployment or statefulSet. image: repository: cloudwatch-agent - tag: 1.300059.0b1207 + tag: 1.300060.0b1248 repositoryDomainMap: public: public.ecr.aws/cloudwatch-agent cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn @@ -1339,7 +1374,7 @@ dcgmExporter: name: image: repository: dcgm-exporter - tag: 4.3.1-4.4.0-ubuntu22.04 + tag: 4.4.0-4.5.0-ubuntu22.04 repositoryDomainMap: public: nvcr.io/nvidia/k8s cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn @@ -1403,6 +1438,12 @@ dcgmExporter: - g5.24xlarge - g5.48xlarge - g5.xlarge + - g5g.2xlarge + - g5g.4xlarge + - g5g.8xlarge + - g5g.16xlarge + - g5g.metal + - g5g.xlarge - g6.2xlarge - g6.4xlarge - g6.8xlarge @@ -1457,6 +1498,12 @@ dcgmExporter: - ml.g5.24xlarge - ml.g5.48xlarge - ml.g5.xlarge + - ml.g5g.2xlarge + - ml.g5g.4xlarge + - ml.g5g.8xlarge + - ml.g5g.16xlarge + - ml.g5g.metal + - ml.g5g.xlarge - ml.g6.2xlarge - ml.g6.4xlarge - ml.g6.8xlarge @@ -1498,7 +1545,7 @@ neuronMonitor: name: image: repository: neuron-monitor - tag: 1.5.1 + tag: 1.6.0 repositoryDomainMap: public: public.ecr.aws/neuron resources: diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-configured/main.tf b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-configured/main.tf new file mode 100644 index 00000000..0226f331 --- /dev/null +++ b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-configured/main.tf 
@@ -0,0 +1,26 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+module "base" {
+ source = "../.."
+ helm_dir = var.helm_dir
+ helm_values_file = "${path.module}/values.yaml"
+}
+
+variable "helm_dir" {
+ type = string
+ default = "../../../../../../charts/amazon-cloudwatch-observability"
+}
+
+resource "null_resource" "validator" {
+ depends_on = [module.base.helm_release]
+
+ provisioner "local-exec" {
+ command = "go test ${var.test_dir} -v -run=TestWebhooksConfigured"
+ }
+}
+
+variable "test_dir" {
+ type = string
+ default = "../../../../validations/minikube/scenarios"
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-configured/values.yaml b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-configured/values.yaml
new file mode 100644
index 00000000..31e8ab9b
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-configured/values.yaml
@@ -0,0 +1,30 @@
+region: us-west-2
+clusterName: minikube
+
+admissionWebhooks:
+ failurePolicy: Ignore
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
+ - amazon-cloudwatch
+ agents:
+ namespaceSelector: {}
+ instrumentations:
+ create: false
+ pods:
+ failurePolicy: Fail
+ workloads:
+ failurePolicy: Fail
+ namespaces:
+ failurePolicy: Fail
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
+ - amazon-cloudwatch
+ - test-value
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-disabled/main.tf b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-disabled/main.tf
new file mode 100644
index 00000000..b1809058
--- /dev/null
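Review bot: `command = "go test ${var.test_dir} -v -run=TestWebhooksConfigured"` hands `var.test_dir` to the shell unquoted and uses an unanchored `-run` pattern, so a path containing whitespace breaks the command and any test whose name merely starts with `TestWebhooksConfigured` would also run; `command = "go test \"${var.test_dir}\" -v -run='^TestWebhooksConfigured$'"` avoids both. The webhooks-disabled and webhooks-partially-enabled `main.tf` files carry the same line with their own test name. Since the three files differ only in that name, a short header comment naming the scenario each one exercises, e.g. `// Scenario: all webhooks created, with per-resource overrides; validated by TestWebhooksConfigured.`, would orient a reader who lands on the Terraform side first.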
+++ b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-disabled/main.tf
@@ -0,0 +1,26 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+module "base" {
+ source = "../.."
+ helm_dir = var.helm_dir
+ helm_values_file = "${path.module}/values.yaml"
+}
+
+variable "helm_dir" {
+ type = string
+ default = "../../../../../../charts/amazon-cloudwatch-observability"
+}
+
+resource "null_resource" "validator" {
+ depends_on = [module.base.helm_release]
+
+ provisioner "local-exec" {
+ command = "go test ${var.test_dir} -v -run=TestWebhooksDisabled"
+ }
+}
+
+variable "test_dir" {
+ type = string
+ default = "../../../../validations/minikube/scenarios"
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-disabled/values.yaml b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-disabled/values.yaml
new file mode 100644
index 00000000..e0d6149e
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-disabled/values.yaml
@@ -0,0 +1,5 @@
+region: us-west-2
+clusterName: minikube
+
+admissionWebhooks:
+ create: false
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-partially-enabled/main.tf b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-partially-enabled/main.tf
new file mode 100644
index 00000000..cd6ca0a9
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-partially-enabled/main.tf
@@ -0,0 +1,26 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+module "base" {
+ source = "../.."
+ helm_dir = var.helm_dir
+ helm_values_file = "${path.module}/values.yaml"
+}
+
+variable "helm_dir" {
+ type = string
+ default = "../../../../../../charts/amazon-cloudwatch-observability"
+}
+
+resource "null_resource" "validator" {
+ depends_on = [module.base.helm_release]
+
+ provisioner "local-exec" {
+ command = "go test ${var.test_dir} -v -run=TestWebhooksPartiallyEnabled"
+ }
+}
+
+variable "test_dir" {
+ type = string
+ default = "../../../../validations/minikube/scenarios"
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-partially-enabled/values.yaml b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-partially-enabled/values.yaml
new file mode 100644
index 00000000..fc11f546
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/webhooks-partially-enabled/values.yaml
@@ -0,0 +1,7 @@
+region: us-west-2
+clusterName: minikube
+
+admissionWebhooks:
+ create: false
+ pods:
+ create: true
diff --git a/integration-tests/amazon-cloudwatch-observability/validations/minikube/common.go b/integration-tests/amazon-cloudwatch-observability/validations/minikube/common.go
new file mode 100644
index 00000000..20eaf1b1
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/validations/minikube/common.go
@@ -0,0 +1,73 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package minikube
+
+import (
+ "encoding/json"
+ "strings"
+ "testing"
+
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/util"
+ "github.com/stretchr/testify/assert"
+ appsV1 "k8s.io/api/apps/v1"
+)
+
+const (
+ Namespace = "amazon-cloudwatch"
+ operatorName = "amazon-cloudwatch-observability-controller-manager"
+
+ WebhookName = "amazon-cloudwatch-observability-mutating-webhook-configuration"
+ WebhookPathMutateInstrumentation = "/mutate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation"
+ WebhookPathMutateAmazonCloudWatchAgent = "/mutate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent"
+ WebhookPathMutatePod = "/mutate-v1-pod"
+ WebhookPathMutateNamespace = "/mutate-v1-namespace"
+ WebhookPathMutateWorkload = "/mutate-v1-workload"
+ WebhookPathValidateInstrumentation = "/validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation"
+ WebhookPathValidateAmazonCloudWatchAgent = "/validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent"
+)
+
+func ValidateOperatorAutoMonitorConfig(t *testing.T, expectedConfig map[string]interface{}) {
+ k8sClient, err := util.NewK8sClient()
+ assert.NoError(t, err)
+
+ deployments, err := k8sClient.ListDeployments(Namespace)
+ assert.NoError(t, err)
+
+ // Find the operator deployment by name
+ var deployment *appsV1.Deployment
+ for i := range deployments.Items {
+ if deployments.Items[i].Name == operatorName {
+ deployment = &deployments.Items[i]
+ break
+ }
+ }
+ assert.NotNil(t, deployment, "operator deployment not found")
+
+ // Find the auto-monitor-config argument
+ var autoMonitorArg string
+ for _, container := range deployment.Spec.Template.Spec.Containers {
+ for _, arg := range container.Args {
+ if strings.HasPrefix(arg, "--auto-monitor-config=") {
+ autoMonitorArg = strings.TrimPrefix(arg, "--auto-monitor-config=")
+ break
+ }
+ }
+ }
+
+ assert.NotEmpty(t, autoMonitorArg, "auto-monitor-config argument not found")
+
+ // Parse the JSON config
+ var config map[string]interface{}
+ err = json.Unmarshal([]byte(autoMonitorArg), &config)
+ assert.NoError(t, err)
+
+ // Validate config matches expected values
+ for key, expectedValue := range expectedConfig {
+ actualValue, exists := config[key]
+ assert.True(t, exists, "key %s not found in config", key)
+ assert.Equal(t, expectedValue, actualValue, "mismatch for key %s", key)
+ }
+
+ t.Logf("auto-monitor-config: %s", autoMonitorArg)
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_configured_test.go b/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_configured_test.go
new file mode 100644
index 00000000..f9e892af
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_configured_test.go
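Review bot: `ValidateOperatorAutoMonitorConfig` keeps running after a failed assertion, so when `util.NewK8sClient` or `ListDeployments` returns an error the next statement dereferences a nil `deployments`, and when the operator deployment is not found `deployment.Spec.Template.Spec.Containers` panics before the `assert.NotNil` message is ever shown; switching those three checks to testify's `require`, `require.NoError(t, err)` and `require.NotNil(t, deployment, "operator deployment not found")`, stops the test with the intended message. The three scenario tests repeat the pattern with `whs.Items` read right after `assert.NoError`. The inner `break` exits only the `container.Args` loop, so a later container carrying the same flag silently overwrites `autoMonitorArg`; a comment such as `// last container carrying the flag wins` or a labeled break would settle which is intended. The exported function has no doc comment; `// ValidateOperatorAutoMonitorConfig asserts that every key in expectedConfig appears with the same value in the operator's --auto-monitor-config JSON.` states the contract.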
@@ -0,0 +1,61 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package scenarios
+
+import (
+ "testing"
+
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/util"
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/validations/minikube"
+ "github.com/stretchr/testify/assert"
+ admission "k8s.io/api/admissionregistration/v1"
+ meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestWebhooksConfigured(t *testing.T) {
+ k8sClient, err := util.NewK8sClient()
+ assert.NoError(t, err)
+
+ whs, err := k8sClient.ListMutatingWebhookConfigurations()
+ assert.NoError(t, err)
+ assert.NotEmpty(t, whs.Items)
+
+ foundWebhookConfiguration := false
+ for _, item := range whs.Items {
+ if item.ObjectMeta.Name == minikube.WebhookName {
+ foundWebhookConfiguration = true
+ } else {
+ continue
+ }
+ assert.NotEmpty(t, item.Webhooks)
+
+ for _, wh := range item.Webhooks {
+ // Instrumentation is not configured in this test hence the omission of it
+ switch path := *wh.ClientConfig.Service.Path; path {
+ case minikube.WebhookPathMutateAmazonCloudWatchAgent:
+ assert.Equal(t, admission.Ignore, *wh.FailurePolicy)
+ // Override namespaceSelector with null
+ assert.Empty(t, wh.NamespaceSelector.MatchExpressions)
+ case minikube.WebhookPathMutatePod, minikube.WebhookPathMutateWorkload:
+ assert.Equal(t, admission.Fail, *wh.FailurePolicy)
+ assert.Len(t, wh.NamespaceSelector.MatchExpressions, 1)
+ // Uses parent namespaceSelector
+ assert.Equal(t, "kubernetes.io/metadata.name", wh.NamespaceSelector.MatchExpressions[0].Key)
+ assert.Equal(t, meta.LabelSelectorOpNotIn, wh.NamespaceSelector.MatchExpressions[0].Operator)
+ assert.ElementsMatch(t, []string{"kube-system", "amazon-cloudwatch"}, wh.NamespaceSelector.MatchExpressions[0].Values)
+ case minikube.WebhookPathMutateNamespace:
+ assert.Equal(t, admission.Fail, *wh.FailurePolicy)
+ assert.Len(t, wh.NamespaceSelector.MatchExpressions, 1)
+ // Overrides namespaceSelector
+ assert.Equal(t, "kubernetes.io/metadata.name", wh.NamespaceSelector.MatchExpressions[0].Key)
+ assert.Equal(t, meta.LabelSelectorOpNotIn, wh.NamespaceSelector.MatchExpressions[0].Operator)
+ assert.ElementsMatch(t, []string{"kube-system", "amazon-cloudwatch", "test-value"}, wh.NamespaceSelector.MatchExpressions[0].Values)
+ default:
+ assert.Fail(t, "unexpected webhook found: %s", path)
+ }
+ }
+ }
+
+ assert.True(t, foundWebhookConfiguration)
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_disabled_test.go b/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_disabled_test.go
new file mode 100644
index 00000000..a50eb64c
--- /dev/null
+++ b/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_disabled_test.go
@@ -0,0 +1,24 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package scenarios
+
+import (
+ "testing"
+
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/util"
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/validations/minikube"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestWebhooksDisabled(t *testing.T) {
+ k8sClient, err := util.NewK8sClient()
+ assert.NoError(t, err)
+
+ whs, err := k8sClient.ListMutatingWebhookConfigurations()
+ assert.NoError(t, err)
+
+ for _, item := range whs.Items {
+ assert.NotEqual(t, minikube.WebhookName, item.ObjectMeta.Name)
+ }
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_partially_enabled_test.go b/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_partially_enabled_test.go
new file mode 100644
index 00000000..e9f39c9b
--- /dev/null
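Review bot: The `switch` in `TestWebhooksConfigured` only rejects unexpected webhook paths; nothing asserts that the agent, pod, workload and namespace webhooks were all present, so a chart regression that omits one of them still passes. Declaring `seen := map[string]bool{}` before the loop, setting `seen[path] = true` inside it, and finishing with `assert.Len(t, seen, 4)` (or an `assert.ElementsMatch` against the expected paths) closes that gap. `assert.Fail(t, "unexpected webhook found: %s", path)` never substitutes `path` into `%s`, because `Fail` takes a fixed failure message and treats the trailing argument as a separate message; `assert.Failf(t, "unexpected webhook found", "%s", path)` prints what was meant. `*wh.ClientConfig.Service.Path`, `*wh.FailurePolicy` and `wh.NamespaceSelector.MatchExpressions` dereference pointer fields with no nil check, which is fine for this chart's service-backed webhooks but would panic rather than fail for a URL-backed one. `TestWebhooksPartiallyEnabled` shares the missing-presence check and the `Fail` formatting point.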
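Review bot: `TestWebhooksDisabled` proves only that no MutatingWebhookConfiguration with the chart's name exists; `common.go` also defines `WebhookPathValidate*` constants, which suggests the same chart registers a ValidatingWebhookConfiguration, and with `admissionWebhooks.create: false` that object should be asserted absent as well if the client exposes a list call for it. A comment on the loop stating the intended scope, e.g. `// With admissionWebhooks.create=false the chart must register no mutating webhook; other configurations in the cluster are ignored.`, would document why an empty result is acceptable here.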
+++ b/integration-tests/amazon-cloudwatch-observability/validations/minikube/scenarios/webhooks_partially_enabled_test.go
@@ -0,0 +1,44 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package scenarios
+
+import (
+ "testing"
+
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/util"
+ "github.com/aws-observability/helm-charts/integration-tests/amazon-cloudwatch-observability/validations/minikube"
+ "github.com/stretchr/testify/assert"
+ v1 "k8s.io/api/admissionregistration/v1"
+)
+
+func TestWebhooksPartiallyEnabled(t *testing.T) {
+ k8sClient, err := util.NewK8sClient()
+ assert.NoError(t, err)
+
+ whs, err := k8sClient.ListMutatingWebhookConfigurations()
+ assert.NoError(t, err)
+ assert.NotEmpty(t, whs.Items)
+
+ foundWebhookConfiguration := false
+ for _, item := range whs.Items {
+ if item.ObjectMeta.Name == minikube.WebhookName {
+ foundWebhookConfiguration = true
+ } else {
+ continue
+ }
+ assert.NotEmpty(t, item.Webhooks)
+
+ for _, wh := range item.Webhooks {
+ // Only the pod webhook is configured
+ switch path := *wh.ClientConfig.Service.Path; path {
+ case minikube.WebhookPathMutatePod:
+ assert.Equal(t, v1.Ignore, *wh.FailurePolicy)
+ default:
+ assert.Fail(t, "unexpected webhook found: %s", path)
+ }
+ }
+ }
+
+ assert.True(t, foundWebhookConfiguration)
+}
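Review bot: This file aliases `k8s.io/api/admissionregistration/v1` as `v1` while `webhooks_configured_test.go` in the same package aliases it `admission`; importing it as `admission "k8s.io/api/admissionregistration/v1"` and writing `admission.Ignore` here keeps the package consistent and avoids a name that reads like a generic API version. The `if item.ObjectMeta.Name == minikube.WebhookName { foundWebhookConfiguration = true } else { continue }` shape inverts the guard clause; `if item.ObjectMeta.Name != minikube.WebhookName { continue }` followed by `foundWebhookConfiguration = true` reads straighter, and the configured test uses the same shape.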