feat: The following variables have been removed: log_analysis_instance_name, log_analysis_resource_group_id, cloud_monitoring_instance_name, cloud_monitoring_resource_group_id and have been replaced by log_analysis_endpoint_type, log_analysis_instance_region, cloud_monitoring_endpoint_type and cloud_monitoring_instance_region.<br>* The following new variables are available for extra customisation: cloud_monitoring_agent_tolerations, cloud_monitoring_agent_namespace, cloud_monitoring_agent_name, cloud_monitoring_secret_name, log_analysis_agent_tolerations, log_analysis_agent_namespace, log_analysis_agent_name, log_analysis_secret_name<br>* Added an initContainer which sets the permissions on /var/lib/logdna which are required for the agent container to use the database which is required to enable the loopback feature. (#268)

Author: ocofaigh

README.md

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: logdna-agent
-description: A Helm chart for a logdna or activity tracker agent
+description: A Helm chart for a logdna agent
 
 type: application
 

catalogValidationValues.json.template

@@ -13,3 +13,16 @@ rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get","list", "watch"]
+
+  # Below rules are not included in the Openshift yaml so are commented out below:
+  # https://assets.<REGION>.logging.cloud.ibm.com/clients/logdna-agent/<VERSION>/agent-resources-openshift-private.yaml
+
+  # - apiGroups: [""]
+  #   resources: ["nodes"]
+  #   verbs: ["get","list", "watch"]
+  # - apiGroups: ["metrics.k8s.io"]
+  #   resources: ["pods"]
+  #   verbs: ["get","list", "watch"]
+  # - apiGroups: ["metrics.k8s.io"]
+  #   resources: ["nodes"]
+  #   verbs: ["get","list", "watch"]

chart/logdna-agent/Chart.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: "{{ .Values.metadata.name }}"
-  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: "{{ .Values.metadata.name }}"
     app.kubernetes.io/instance: "{{ .Values.metadata.name }}"

chart/logdna-agent/templates/clusterrole.yaml

@@ -7,6 +7,10 @@ metadata:
     app.kubernetes.io/name: "{{ .Values.metadata.name }}"
     app.kubernetes.io/instance: "{{ .Values.metadata.name }}"
     app.kubernetes.io/version: {{ .Values.image.version }}
+  annotations:
+    {{- range .Values.checkov_skips }}
+    {{- . | toYaml | nindent 4 -}}
+    {{- end }}
 spec:
   updateStrategy:
     type: RollingUpdate
@@ -25,11 +29,23 @@ spec:
     spec:
       serviceAccountName: "{{ .Values.metadata.name }}"
       priorityClassName: "{{ .Values.metadata.name }}-ds-priority"
+      initContainers:
+        - name: logdna-db-permissions
+          image: icr.io/goldeneye_images/ubi8-cluster-tools:stable
+          imagePullPolicy: IfNotPresent # Not setting to 'Always' as it can prevent a pod from starting if the image registry can not be reached.
+          command: ["sh", "-c", "chmod -R 775 {{.Values.agent.dbPath}} && chown -R 5000:5000 {{.Values.agent.dbPath}}"]
+          securityContext:
+            privileged: true
+            runAsUser: 0 # must run as root to set directory privileges up for agent container
+          volumeMounts:
+          - name: varliblogdna
+            mountPath: {{.Values.agent.dbPath}}
       containers:
         - name: "{{ .Values.metadata.name }}"
           image: '{{ .Values.image.registry }}:{{ required "Agent version must be provided" .Values.image.version }}'
-          imagePullPolicy: Always
+          imagePullPolicy: IfNotPresent # Not setting to 'Always' as it can prevent a pod from starting if the image registry can not be reached.
           securityContext:
+            privileged: true
             # run the agent as non-root
             runAsUser: 5000
             runAsGroup: 5000
@@ -44,21 +60,16 @@ spec:
                 secretKeyRef:
                   key: logdna-agent-key
                   name: {{ .Values.secret.name }}
-            {{- if ne .Values.metadata.name "logdna-agent-activity-tracker" }}
-            - name: LOGDNA_HOST
-              value: logs.private.{{ .Values.env.region }}.logging.cloud.ibm.com
-            {{- else }}
             - name: LOGDNA_HOST
-              value: ingest.private.{{ .Values.env.region }}.atracker.cloud.ibm.com
-            {{- end }}
+              value: {{ .Values.env.host }}
             - name: LOGDNA_LOOKBACK
               value: smallfiles
             {{- if .Values.agent.tags }}
             - name: LOGDNA_TAGS
               value: {{.Values.agent.tags}}
             {{- end }}
             - name: LOGDNA_DB_PATH
-              value: /var/lib/logdna
+              value: {{.Values.agent.dbPath}}
             - name: LOGDNA_REDACT_REGEX
               # regex to redact secret values from logs. The regex is set to match base64-encoded values for each of {"kid":, {"typ":, and {"alg":, respectively.
               value: 'eyJ(?:raWQ|0eXA|hbGc)iOi[^"]+'
@@ -91,16 +102,12 @@ spec:
             limits:
               memory: 500Mi
           volumeMounts:
-            {{- if eq .Values.metadata.name "logdna-agent-activity-tracker" }}
-            - name: varlogat
-              mountPath: /var/log/at
-            {{- end }}
             - name: varlog
               mountPath: /var/log
             - name: vardata
               mountPath: /var/data
             - name: varliblogdna
-              mountPath: /var/lib/logdna
+              mountPath: {{.Values.agent.dbPath}}
             - name: varlibdockercontainers
               mountPath: /var/lib/docker/containers
               readOnly: true
@@ -112,11 +119,6 @@ spec:
             - name: logdnahostname
               mountPath: /etc/logdna-hostname
       volumes:
-        {{- if eq .Values.metadata.name "logdna-agent-activity-tracker" }}
-        - name: varlogat
-          hostPath:
-            path: /var/log/at
-        {{- end }}
         - name: varlog
           hostPath:
             path: /var/log
@@ -125,7 +127,7 @@ spec:
             path: /var/data
         - name: varliblogdna
           hostPath:
-            path: /var/lib/logdna
+            path: {{.Values.agent.dbPath}}
         - name: varlibdockercontainers
           hostPath:
             path: /var/lib/docker/containers
@@ -139,4 +141,10 @@ spec:
           hostPath:
             path: /etc/hostname
       tolerations:
-        - operator: Exists
+      {{- range $val := .Values.tolerations }}
+        - effect: {{ $val.effect | quote }}
+          key: {{ $val.key | quote }}
+          value: {{ $val.value | quote }}
+          operator: {{ $val.operator | quote }}
+          tolerationSeconds: {{ $val.tolerationSeconds }}
+      {{- end}}

chart/logdna-agent/templates/clusterrolebinding.yaml

@@ -7,6 +7,10 @@ metadata:
     app.kubernetes.io/name: "{{ .Values.metadata.name }}"
     app.kubernetes.io/instance: "{{ .Values.metadata.name }}"
     app.kubernetes.io/version: {{ .Values.image.version }}
+  annotations:
+    {{- range .Values.checkov_skips }}
+    {{- . | toYaml | nindent 4 -}}
+    {{- end }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps"]

chart/logdna-agent/templates/daemonset.yaml

@@ -7,6 +7,10 @@ metadata:
     app.kubernetes.io/name: "{{ .Values.metadata.name }}"
     app.kubernetes.io/instance: "{{ .Values.metadata.name }}"
     app.kubernetes.io/version: {{ .Values.image.version }}
+  annotations:
+    {{- range .Values.checkov_skips }}
+    {{- . | toYaml | nindent 4 -}}
+    {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

chart/logdna-agent/templates/role.yaml

@@ -1,4 +1,3 @@
-{{- if (eq .Values.metadata.name "logdna-agent") }}
 apiVersion: v1
 data:
   logdna-agent-key: '{{ required "LogDNA Ingest key must be provided" .Values.secret.key | b64enc }}'
@@ -10,5 +9,8 @@ metadata:
     app.kubernetes.io/name: {{ .Values.metadata.name }}
     app.kubernetes.io/instance: {{ .Values.metadata.name }}
     app.kubernetes.io/version: {{ .Values.image.version }}
+  annotations:
+    {{- range .Values.checkov_skips }}
+    {{- . | toYaml | nindent 4 -}}
+    {{- end }}
 type: Opaque
-{{- end }}

chart/logdna-agent/templates/rolebinding.yaml

@@ -7,3 +7,7 @@ metadata:
     app.kubernetes.io/name: "{{ .Values.metadata.name }}"
     app.kubernetes.io/instance: "{{ .Values.metadata.name }}"
     app.kubernetes.io/version: {{ .Values.image.version }}
+  annotations:
+    {{- range .Values.checkov_skips }}
+    {{- . | toYaml | nindent 4 -}}
+    {{- end }}