Longw/arc openshift (#1511)

* add support for arc openshift

Author: wanlonghenry

charts/azuremonitor-containers/templates/ama-logs-daemonset.yaml

@@ -38,6 +38,7 @@ spec:
    {{- end }}
    containers:
 {{- if and (ne .Values.Azure.Cluster.ResourceId "<your_cluster_id>") (.Values.amalogs.useAADAuth) }}
+     {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }}
      - name: addon-token-adapter
        imagePullPolicy: IfNotPresent
        env:
@@ -46,6 +47,58 @@ spec:
        - name: TOKEN_NAMESPACE
          value: "azure-arc"
 {{-  .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }}
+     {{- else }}
+     - name: msi-adapter
+       env:
+       - name: AZMON_COLLECT_ENV
+         value: "false"
+       - name: TOKEN_NAMESPACE
+         value: azure-arc
+       - name: CLUSTER_IDENTITY
+         value: "false"
+       - name: CLUSTER_TYPE
+         value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }}
+       - name: EXTENSION_ARMID
+         value: {{ .Values.Azure.Extension.ResourceId }}
+       - name: EXTENSION_NAME
+         value: {{ .Values.Azure.Extension.Name }}
+       - name: MSI_ADAPTER_LISTENING_PORT
+         value: "8421"
+       - name: MANAGED_IDENTITY_AUTH
+         value: "true"
+       - name: MSI_ADAPTER_LIVENESS_PORT
+         value: "9090"
+       - name: TEST_MODE
+         value: "false"
+       - name: TEST_FILE
+         value: /data/token
+       image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3
+       securityContext:
+         privileged: true
+         capabilities:
+           add:
+             - NET_ADMIN
+             - NET_RAW
+       livenessProbe:
+         failureThreshold: 3
+         httpGet:
+           path: /healthz
+           port: 9090
+           scheme: "HTTP"
+         initialDelaySeconds: 10
+         periodSeconds: 15
+       resources:
+         limits:
+           cpu: 50m
+           memory: 100Mi
+         requests:
+           cpu: 20m
+           memory: 50Mi
+       lifecycle:
+         postStart:
+           exec:
+             command: ["/data/msi-adapter-ready-watcher"]
+     {{- end }}
 {{- end }}
      - name: ama-logs
        image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }}

charts/azuremonitor-containers/templates/ama-logs-deployment.yaml

@@ -34,6 +34,7 @@ spec:
   {{- end }}
    containers:
 {{- if and (ne .Values.Azure.Cluster.ResourceId "<your_cluster_id>") (.Values.amalogs.useAADAuth) }}
+     {{- if not (eq .Values.Azure.Cluster.Distribution "openshift") }}
      - name: addon-token-adapter
        imagePullPolicy: IfNotPresent
        env:
@@ -42,6 +43,58 @@ spec:
        - name: TOKEN_NAMESPACE
          value: "azure-arc"
 {{-  .Values.Azure.Identity.MSIAdapterYaml | nindent 7 }}
+     {{- else }}
+     - name: msi-adapter
+       env:
+       - name: AZMON_COLLECT_ENV
+         value: "false"
+       - name: TOKEN_NAMESPACE
+         value: azure-arc
+       - name: CLUSTER_IDENTITY
+         value: "false"
+       - name: CLUSTER_TYPE
+         value: {{ (split "/" .Values.Azure.Cluster.ResourceId)._7 }}
+       - name: EXTENSION_ARMID
+         value: {{ .Values.Azure.Extension.ResourceId }}
+       - name: EXTENSION_NAME
+         value: {{ .Values.Azure.Extension.Name }}
+       - name: MSI_ADAPTER_LISTENING_PORT
+         value: "8421"
+       - name: MANAGED_IDENTITY_AUTH
+         value: "true"
+       - name: MSI_ADAPTER_LIVENESS_PORT
+         value: "9090"
+       - name: TEST_MODE
+         value: "false"
+       - name: TEST_FILE
+         value: /data/token
+       image: mcr.microsoft.com/azurearck8s/msi-adapter:1.29.3
+       securityContext:
+         privileged: true
+         capabilities:
+           add:
+             - NET_ADMIN
+             - NET_RAW
+       livenessProbe:
+         failureThreshold: 3
+         httpGet:
+           path: /healthz
+           port: 9090
+           scheme: "HTTP"
+         initialDelaySeconds: 10
+         periodSeconds: 15
+       resources:
+         limits:
+           cpu: 50m
+           memory: 100Mi
+         requests:
+           cpu: 20m
+           memory: 50Mi
+       lifecycle:
+         postStart:
+           exec:
+             command: ["/data/msi-adapter-ready-watcher"]
+     {{- end }}
 {{- end }}
      - name: ama-logs
        image: {{ printf "%s:%s" .Values.amalogs.image.repo .Values.amalogs.image.tag }}

charts/azuremonitor-containers/templates/ama-logs-openshift-scc.yaml

@@ -0,0 +1,27 @@
+{{- if eq .Values.Azure.Cluster.Distribution "openshift" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: ama-logs-scc
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowHostDirVolumePlugin: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+volumes:
+- hostPath
+- configMap
+- secret
+users:
+- system:serviceaccount:kube-system:ama-logs
+{{- end }}

deployment/arc-k8s-extension-release-v2/ServiceGroupRoot/Scripts/arcExtensionRelease.sh

@@ -9,7 +9,7 @@ REGISTER_REGIONS_BATCH='"'$(echo "$REGISTER_REGIONS_BATCH" | sed 's/,/","/g')'"'
 IS_CUSTOMER_HIDDEN=$IS_CUSTOMER_HIDDEN
 CHART_VERSION=${CHART_VERSION}
 
-PACKAGE_CONFIG_NAME="${PACKAGE_CONFIG_NAME:-microsoft.azuremonitor.containers-pkg022022}"
+PACKAGE_CONFIG_NAME="${PACKAGE_CONFIG_NAME:-microsoft.azuremonitor.containers-pkg092025}"
 API_VERSION="${API_VERSION:-2021-05-01}"
 METHOD="${METHOD:-put}"
 REGISTRY_PATH_CANARY_STABLE="https://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"