3838 serviceAccountName : {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.serviceAccount.name" .) "suffix" "auth" ) }}
3939 containers :
4040 - name : register-system-identity
41- image : " {{ (.Values.systemIdentity .image).repository }}:{{ ( .Values.systemIdentity.image).tag }}"
42- imagePullPolicy : {{ .Values.systemIdentity.image .pullPolicy }}
41+ image : {{ include "newrelic.common.images .image" ( dict "imageRoot" .Values.toolkitImage "context" .) }}
42+ imagePullPolicy : {{ .Values.toolkitImage .pullPolicy }}
4343 securityContext :
4444 allowPrivilegeEscalation : false
4545 resources :
@@ -57,81 +57,18 @@ spec:
5757 args :
5858 - -c
5959 - |
60- set -euo pipefail
61-
62- echo Checking if the secret '{{ include "newrelic-agent-control.auth.secret.name" . }}' is already present in the cluster
63- if kubectl get secret {{ include "newrelic-agent-control.auth.secret.name" . }}; then
64- echo System identity already exists. Exiting gracefully...
65- exit 0
66- fi
67-
68- echo "Secret not present, creating a new System Identity..."
69-
70- REGION={{ include "newrelic.common.region" . }}
71- echo "Authenticating with New Relic ($REGION)..."
72-
73- ACCESS_TOKEN=""
74- if [ -n "$NEW_RELIC_AUTH_TOKEN" ]; then
75- echo "Access token obtained via config"
76- ACCESS_TOKEN=$NEW_RELIC_AUTH_TOKEN
77- else
78- for RETRY in 1 2 3; do
79-
80- ACCESS_TOKEN=$(newrelic-auth-cli {{ with .Values.proxy }} {{ with .url }} --proxy-url "{{.}}" {{ end }} {{ with .ca_bundle_dir }} --proxy-ca-dir "{{.}}" {{ end }} {{ with .ca_bundle_file }} --proxy-ca-file "{{.}}" {{ end }} {{ end }} authenticate --client-id "$NEW_RELIC_AUTH_CLIENT_ID" --client-secret "$NEW_RELIC_AUTH_CLIENT_SECRET" --environment "$REGION" --output-token-format Plain)
81-
82- if [ -n "$ACCESS_TOKEN" ]; then
83- echo "Access token obtained successfully via client secret"
84- break
85- fi
86-
87- if [ -z $ACCESS_TOKEN ]; then
88- echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
89- sleep 2
90- continue
91- fi
92- done
93-
94- if [ -z "$ACCESS_TOKEN" ]; then
95- echo "Error getting system identity auth token"
96- exit 99
97- fi
98- echo "Authenticated successfully"
99- fi
100-
101- echo "Creating System Identity..."
102-
103- ORG_ID={{ (.Values.systemIdentity).organizationId }}
104- TEMPORAL_FOLDER=/tmp/gen-folder
105- mkdir $TEMPORAL_FOLDER
106- CLIENT_ID=""
107- DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
108- NAME="System Identity for $(hostname) - $DATE"
109- for RETRY in 1 2 3; do
110- OUTPUT=$(newrelic-auth-cli {{ with .Values.proxy }} {{ with .url }} --proxy-url "{{.}}" {{ end }} {{ with .ca_bundle_dir }} --proxy-ca-dir "{{.}}" {{ end }} {{ with .ca_bundle_file }} --proxy-ca-file "{{.}}" {{ end }} {{ end }} create-identity key --name "$NAME" --organization-id "$ORG_ID" --client-id "$NEW_RELIC_AUTH_CLIENT_ID" --environment "$REGION" --bearer-access-token "$ACCESS_TOKEN" --output-platform "local-file" --output-local-filepath "$TEMPORAL_FOLDER/key")
111- CLIENT_ID=$(echo "$OUTPUT" | jq -r '.client_id // empty')
112-
113- if [ -n "$CLIENT_ID" ]; then
114- echo "System identity created successfully"
115- break
116- fi
117- if [ -z "$CLIENT_ID" ]; then
118- echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
119- sleep 2
120- continue
121- fi
122- done
123- if [ -z "$CLIENT_ID" ]; then
124- echo "Error creating system identity"
125- exit 99
126- fi
127-
128- echo Creating the secret '{{ include "newrelic-agent-control.auth.secret.name" . }}'...
129- kubectl create secret generic --dry-run=client -o json \
130- {{ include "newrelic-agent-control.auth.secret.name" . }} \
131- --from-literal=CLIENT_ID=$CLIENT_ID \
132- --from-file="private_key=$TEMPORAL_FOLDER/key" | \
133- jq '.metadata.labels += ({{ include "newrelic.common.labels" . | fromYaml | toJson }} + {"app.kubernetes.io/managed-by": "newrelic-agent-control"} + {"newrelic.io/agent-id": "agent-control"} )' | \
134- kubectl apply -n "{{ .Release.Namespace }}" -f -
60+ set -eo pipefail
61+ # Auth env vars (CLIENT_ID, CLIENT_SECRET, AUTH_TOKEN) are conditionally populated
62+ # depending on the auth method configured (clientSecret vs authToken vs fromSecret).
63+ # Unset variables are intentionally allowed; the CLI handles empty values.
64+ newrelic-agent-control-cli register-system-identity --namespace "{{ .Release.Namespace }}" \
65+ --secret-name "{{ include "newrelic-agent-control.auth.secret.name" . }}" \
66+ --region "{{ include "newrelic.common.region" . }}" \
67+ --auth-parent-client-id "$NEW_RELIC_AUTH_CLIENT_ID" \
68+ --auth-parent-client-secret "$NEW_RELIC_AUTH_CLIENT_SECRET" \
69+ --auth-parent-token "$NEW_RELIC_AUTH_TOKEN" \
70+ --organization-id "{{ .Values.systemIdentity.organizationId }}" \
71+ --log-level "debug" {{ with .Values.proxy }} {{ with .url }} --proxy-url "{{.}}" {{ end }} {{ with .ca_bundle_dir }} --proxy-ca-dir "{{.}}" {{ end }} {{ with .ca_bundle_file }} --proxy-ca-file "{{.}}" {{ end }} {{ end }}
13572 volumeMounts :
13673 {{- with .Values.systemIdentity.extraVolumeMounts }}
13774 {{- toYaml . | nindent 12 }}
@@ -161,6 +98,8 @@ rules:
16198 - patch
16299 - update
163100 - get
101+ - list
102+ - watch
164103---
165104apiVersion : rbac.authorization.k8s.io/v1
166105kind : RoleBinding
0 commit comments