Skip to content

Commit 8c3b88b

Browse files
authored
[agent-control-deployment] use cli to register system identity [NR-537956] (#2189)
1 parent 187ed36 commit 8c3b88b

5 files changed

Lines changed: 59 additions & 94 deletions

File tree

charts/agent-control-deployment/Chart.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: A Helm chart to install New Relic Agent Control on Kubernetes
44

55
type: application
66

7-
version: 1.6.5
7+
version: 1.6.6
88

99
dependencies:
1010
- name: common-library

charts/agent-control-deployment/README.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -428,6 +428,24 @@ proxy:
428428
<td>`[]`</td>
429429
<td>Sets pod's tolerations to node taints. Can be configured also with `global.tolerations`</td>
430430
</tr>
431+
<tr>
432+
<td>toolkitImage</td>
433+
<td>object</td>
434+
<td>See <a href="values.yaml">values.yaml</a></td>
435+
<td>The image that contains the necessary tools to setup Agent Control</td>
436+
</tr>
437+
<tr>
438+
<td>toolkitImage.pullSecrets</td>
439+
<td>list</td>
440+
<td>`[]`</td>
441+
<td>The secrets that are needed to pull images from a custom registry.</td>
442+
</tr>
443+
<tr>
444+
<td>toolkitImage.tag</td>
445+
<td>string</td>
446+
<td>`"1.11.0"`</td>
447+
<td>Should be aligned with `image.tag`</td>
448+
</tr>
431449
<tr>
432450
<td>verboseLog</td>
433451
<td>bool</td>

charts/agent-control-deployment/templates/preinstall-job-register-system-identity.yaml

Lines changed: 16 additions & 77 deletions
Original file line numberDiff line numberDiff line change
@@ -38,8 +38,8 @@ spec:
3838
serviceAccountName: {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.serviceAccount.name" .) "suffix" "auth" ) }}
3939
containers:
4040
- name: register-system-identity
41-
image: "{{ (.Values.systemIdentity.image).repository }}:{{ (.Values.systemIdentity.image).tag }}"
42-
imagePullPolicy: {{ .Values.systemIdentity.image.pullPolicy }}
41+
image: {{ include "newrelic.common.images.image" ( dict "imageRoot" .Values.toolkitImage "context" .) }}
42+
imagePullPolicy: {{ .Values.toolkitImage.pullPolicy }}
4343
securityContext:
4444
allowPrivilegeEscalation: false
4545
resources:
@@ -57,81 +57,18 @@ spec:
5757
args:
5858
- -c
5959
- |
60-
set -euo pipefail
61-
62-
echo Checking if the secret '{{ include "newrelic-agent-control.auth.secret.name" . }}' is already present in the cluster
63-
if kubectl get secret {{ include "newrelic-agent-control.auth.secret.name" . }}; then
64-
echo System identity already exists. Exiting gracefully...
65-
exit 0
66-
fi
67-
68-
echo "Secret not present, creating a new System Identity..."
69-
70-
REGION={{ include "newrelic.common.region" . }}
71-
echo "Authenticating with New Relic ($REGION)..."
72-
73-
ACCESS_TOKEN=""
74-
if [ -n "$NEW_RELIC_AUTH_TOKEN" ]; then
75-
echo "Access token obtained via config"
76-
ACCESS_TOKEN=$NEW_RELIC_AUTH_TOKEN
77-
else
78-
for RETRY in 1 2 3; do
79-
80-
ACCESS_TOKEN=$(newrelic-auth-cli {{ with .Values.proxy }} {{ with .url }} --proxy-url "{{.}}" {{ end }} {{ with .ca_bundle_dir }} --proxy-ca-dir "{{.}}" {{ end }} {{ with .ca_bundle_file }} --proxy-ca-file "{{.}}" {{ end }} {{ end }} authenticate --client-id "$NEW_RELIC_AUTH_CLIENT_ID" --client-secret "$NEW_RELIC_AUTH_CLIENT_SECRET" --environment "$REGION" --output-token-format Plain)
81-
82-
if [ -n "$ACCESS_TOKEN" ]; then
83-
echo "Access token obtained successfully via client secret"
84-
break
85-
fi
86-
87-
if [ -z $ACCESS_TOKEN ]; then
88-
echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
89-
sleep 2
90-
continue
91-
fi
92-
done
93-
94-
if [ -z "$ACCESS_TOKEN" ]; then
95-
echo "Error getting system identity auth token"
96-
exit 99
97-
fi
98-
echo "Authenticated successfully"
99-
fi
100-
101-
echo "Creating System Identity..."
102-
103-
ORG_ID={{ (.Values.systemIdentity).organizationId }}
104-
TEMPORAL_FOLDER=/tmp/gen-folder
105-
mkdir $TEMPORAL_FOLDER
106-
CLIENT_ID=""
107-
DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
108-
NAME="System Identity for $(hostname) - $DATE"
109-
for RETRY in 1 2 3; do
110-
OUTPUT=$(newrelic-auth-cli {{ with .Values.proxy }} {{ with .url }} --proxy-url "{{.}}" {{ end }} {{ with .ca_bundle_dir }} --proxy-ca-dir "{{.}}" {{ end }} {{ with .ca_bundle_file }} --proxy-ca-file "{{.}}" {{ end }} {{ end }} create-identity key --name "$NAME" --organization-id "$ORG_ID" --client-id "$NEW_RELIC_AUTH_CLIENT_ID" --environment "$REGION" --bearer-access-token "$ACCESS_TOKEN" --output-platform "local-file" --output-local-filepath "$TEMPORAL_FOLDER/key")
111-
CLIENT_ID=$(echo "$OUTPUT" | jq -r '.client_id // empty')
112-
113-
if [ -n "$CLIENT_ID" ]; then
114-
echo "System identity created successfully"
115-
break
116-
fi
117-
if [ -z "$CLIENT_ID" ]; then
118-
echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
119-
sleep 2
120-
continue
121-
fi
122-
done
123-
if [ -z "$CLIENT_ID" ]; then
124-
echo "Error creating system identity"
125-
exit 99
126-
fi
127-
128-
echo Creating the secret '{{ include "newrelic-agent-control.auth.secret.name" . }}'...
129-
kubectl create secret generic --dry-run=client -o json \
130-
{{ include "newrelic-agent-control.auth.secret.name" . }} \
131-
--from-literal=CLIENT_ID=$CLIENT_ID \
132-
--from-file="private_key=$TEMPORAL_FOLDER/key" | \
133-
jq '.metadata.labels += ({{ include "newrelic.common.labels" . | fromYaml | toJson }} + {"app.kubernetes.io/managed-by": "newrelic-agent-control"} + {"newrelic.io/agent-id": "agent-control"} )' | \
134-
kubectl apply -n "{{ .Release.Namespace }}" -f -
60+
set -eo pipefail
61+
# Auth env vars (CLIENT_ID, CLIENT_SECRET, AUTH_TOKEN) are conditionally populated
62+
# depending on the auth method configured (clientSecret vs authToken vs fromSecret).
63+
# Unset variables are intentionally allowed; the CLI handles empty values.
64+
newrelic-agent-control-cli register-system-identity --namespace "{{ .Release.Namespace }}" \
65+
--secret-name "{{ include "newrelic-agent-control.auth.secret.name" . }}" \
66+
--region "{{ include "newrelic.common.region" . }}" \
67+
--auth-parent-client-id "$NEW_RELIC_AUTH_CLIENT_ID" \
68+
--auth-parent-client-secret "$NEW_RELIC_AUTH_CLIENT_SECRET" \
69+
--auth-parent-token "$NEW_RELIC_AUTH_TOKEN" \
70+
--organization-id "{{ .Values.systemIdentity.organizationId }}" \
71+
--log-level "debug" {{ with .Values.proxy }} {{ with .url }} --proxy-url "{{.}}" {{ end }} {{ with .ca_bundle_dir }} --proxy-ca-dir "{{.}}" {{ end }} {{ with .ca_bundle_file }} --proxy-ca-file "{{.}}" {{ end }} {{ end }}
13572
volumeMounts:
13673
{{- with .Values.systemIdentity.extraVolumeMounts }}
13774
{{- toYaml . | nindent 12 }}
@@ -161,6 +98,8 @@ rules:
16198
- patch
16299
- update
163100
- get
101+
- list
102+
- watch
164103
---
165104
apiVersion: rbac.authorization.k8s.io/v1
166105
kind: RoleBinding

charts/agent-control-deployment/tests/preinstall_job_test.yaml

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -132,43 +132,44 @@ tests:
132132
- secretRef:
133133
name: test-client-name
134134

135-
- it: setting specific image for system identity registration with tag should use the provided tag
135+
- it: setting specific image for CLI with tag should use the provided tag
136136
set:
137137
systemIdentity:
138138
parentIdentity:
139139
fromSecret: test-client-name
140140
organizationId: test
141-
image:
142-
tag: 1.0.0
141+
toolkitImage:
142+
tag: 0.0.100
143143
asserts:
144144
- documentIndex: 0
145145
equal:
146146
path: spec.template.spec.containers[0].image
147-
value: newrelic/agent-control-system-identity-registration:1.0.0
147+
value: docker.io/newrelic/newrelic-agent-control-cli:0.0.100
148148

149-
- it: setting specific image for system identity registration with tag should use the provided data
149+
- it: setting specific image for CLI should be honored
150150
set:
151151
systemIdentity:
152152
parentIdentity:
153153
fromSecret: test-client-name
154154
organizationId: test
155-
image:
156-
repository: some_namespace/test-image
157-
tag: 1.0.0
155+
toolkitImage:
156+
registry: some-registry
157+
repository: some_namespace/test-image
158+
tag: 0.0.100
158159
asserts:
159160
- documentIndex: 0
160161
equal:
161162
path: spec.template.spec.containers[0].image
162-
value: some_namespace/test-image:1.0.0
163+
value: some-registry/some_namespace/test-image:0.0.100
163164

164165
- it: setting specific pullPolicy for system identity registration image should use the provided data
165166
set:
166167
systemIdentity:
167168
parentIdentity:
168169
fromSecret: test-client-name
169170
organizationId: test
170-
image:
171-
pullPolicy: Always
171+
toolkitImage:
172+
pullPolicy: Always
172173
asserts:
173174
- documentIndex: 0
174175
equal:

charts/agent-control-deployment/values.yaml

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,18 @@ image:
2525
pullSecrets: []
2626
# - name: regsecret
2727

28+
# -- The image that contains the necessary tools to setup Agent Control
29+
# The tag should be aligned with `image.tag`.
30+
# @default -- See <a href="values.yaml">values.yaml</a>
31+
toolkitImage:
32+
registry:
33+
repository: newrelic/newrelic-agent-control-cli
34+
tag: "1.12.0"
35+
pullPolicy: IfNotPresent
36+
# -- The secrets that are needed to pull images from a custom registry.
37+
pullSecrets: []
38+
# - name: regsecret
39+
2840
# -- Add user environment variables to the agent
2941
extraEnv: []
3042
# -- Add user environment from configMaps or secrets as variables to the agent
@@ -262,11 +274,6 @@ systemIdentity:
262274
# -- Organization ID used to create the system identity.
263275
organizationId: ""
264276

265-
image:
266-
repository: newrelic/agent-control-system-identity-registration
267-
tag: "0.4.0"
268-
pullPolicy: IfNotPresent
269-
270277
# -- Configuration for the parent identity
271278
# You can either authenticate via ClientId/ClientSecret or pass directly an `AuthToken` and manage locally the authentication.
272279
# The authToken can be retrieve via the cli command "newrelic-auth-cli authenticate ...".

0 commit comments

Comments
 (0)