newrelic · TmNguyen12 · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025
@@ -136,6 +136,7 @@ integrations that you have configured.
 | customSecretName | string | `""` | In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` |
 | dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` |
 | enableProcessMetrics | bool | `false` | Collect detailed metrics from processes running in the host. This defaults to true for accounts created before July 20, 2020. ref: https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes/new-relic-infrastructure-agent-1120 |
+| enableWindows | bool | `false` | Enables collection of metrics from Windows containers. Refer to the [Windows support](#tbd) section for more details. |
 | fedramp.enabled | bool | `false` | Enables FedRAMP. Can be configured also with `global.fedramp.enabled` |
 | fullnameOverride | string | `""` | Override the full name of the release |
 | hostNetwork | bool | `false` | Sets pod's hostNetwork. Can be configured also with `global.hostNetwork` |
@@ -192,6 +193,10 @@ integrations that you have configured.
 | tolerations | list | `[]` | Sets pod's tolerations to node taints almost globally. (See [Affinities and tolerations](README.md#affinities-and-tolerations)) |
 | updateStrategy | object | See `values.yaml` | Update strategy for the deployed DaemonSets. |
 | verboseLog | bool | `false` | Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` |
+| windowsNodeSelector | object |  `{ kubernetes.io/os: windows, node.kubernetes.io/windows-build: BUILD_NUMBER }` | Sets windows pod's selector. Refer to [Windows support](#tbd) |
+| windowsOsList.agentImage | string | `""` | Overrides the infrastructure-agent windows image |
+| windowsOsList.integrationImage | string | `""` | Overrides the nri-kubernetes windows image |
+
 
 ## Maintainers
 

@@ -110,10 +110,6 @@ future. Please migrate your agent config to the new format in the `common.agentC
 {{ $errors = printf "%s\n\n%s" $errors (include "newrelic.compatibility.message.image" . ) }}
 {{- end }}
 
-{{- if .Values.enableWindows }}
-{{ $errors = printf "%s\n\n%s" $errors (include "newrelic.compatibility.message.windows" . ) }}
-{{- end }}
-
 {{- if ( or .Values.controllerManagerEndpointUrl  .Values.schedulerEndpointUrl .Values.etcdEndpointUrl .Values.apiServerEndpointUrl )}}
 {{ $errors = printf "%s\n\n%s" $errors (include "newrelic.compatibility.message.apiURL" . ) }}
 {{- end }}

@@ -33,8 +33,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 
 {{- /* Return a YAML with the mode to be added to the labels */ -}}
 {{- define "nriKubernetes._mode" -}}
-{{- if include "newrelic.common.privileged" . -}}
-    mode: privileged
+{{- if and (include "newrelic.common.privileged" .) (not .Values.enableWindows) -}}
+  mode: privileged
 {{- else -}}
     mode: unprivileged
 {{- end -}}
@@ -116,3 +116,12 @@ readOnlyRootFilesystem: true
 
 {{- toYaml $finalSecurityContext -}}
 {{- end -}}
+
+{{- define "windowsIntegrationImage" -}}
+  {{ include "newrelic.common.images.image" ( dict "imageRoot" $.Values.images.integration "context" $ "imageTagSuffix" .imageTagSuffix) }}
+{{- end}}
+
+
+{{- define "windowsAgentImage" -}}
+  {{ include "newrelic.common.images.image" ( dict "imageRoot" $.Values.images.agent "context" $ "imageTagSuffix" .imageTagSuffix) }}
+{{- end}}
@@ -0,0 +1,240 @@
+{{- if and (.Values.kubelet.enabled) (.Values.enableWindows) }}
+{{- range .Values.windowsOsList }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    kubernetes.io/os: windows
+    {{- include "nriKubernetes.labels" $ | nindent 4 }}
+  name: {{ join "-" (list (include "nriKubernetes.kubelet.fullname" $) .imageTagSuffix) }}
+  {{- $legacyAnnotation:= fromYaml (include "newrelic.compatibility.annotations" $) -}}
+  {{- with  include "newrelic.compatibility.valueWithFallback" (dict "legacy" $legacyAnnotation "supported" $.Values.kubelet.annotations )}}
+  annotations: {{ $ | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with $.Values.updateStrategy }}
+  updateStrategy: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "newrelic.common.labels.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: kubelet
+  template:
+    metadata:
+      annotations:
+        checksum/nri-kubernetes: {{ include (print $.Template.BasePath "/kubelet/scraper-configmap.yaml") $ | sha256sum }}
+        checksum/agent-config: {{ include (print $.Template.BasePath "/kubelet/agent-configmap.yaml") $ | sha256sum }}
+        {{- if include "newrelic.common.license.secret" $ }}{{- /* If the is secret to template */}}
+        checksum/license-secret: {{ include (print $.Template.BasePath "/secret.yaml") $ | sha256sum }}
+        {{- end }}
+        checksum/integrations_config: {{ include (print $.Template.BasePath "/kubelet/integrations-configmap.yaml") $ | sha256sum }}
+        {{- with $.Values.podAnnotations }}
+        {{- toYaml $ | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "nriKubernetes.labels.podLabels" $ | nindent 8 }}
+        app.kubernetes.io/component: kubelet
+    spec:
+      {{- with include "newrelic.common.images.renderPullSecrets" ( dict "pullSecrets" (list $.Values.images.pullSecrets) "context" $) }}
+      imagePullSecrets:
+        {{- $ | nindent 8 }}
+      {{- end }}
+      {{- with include "newrelic.common.dnsConfig" $ }}
+      dnsConfig:
+        {{- $ | nindent 8 }}
+      {{- end }}
+      {{- with include "newrelic.common.priorityClassName" $ }}
+      priorityClassName: {{ $ }}
+      {{- end }}
+      {{- with include "newrelic.common.securityContext.pod" $ }}
+      securityContext:
+        {{- $ | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "newrelic.common.serviceAccount.name" $ }}
+      hostNetwork: {{ include "nriKubernetes.kubelet.hostNetwork.value" $ }}
+      {{- if include "nriKubernetes.kubelet.hostNetwork" $ }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+
+      {{- if $.Values.kubelet.initContainers }}
+      initContainers: {{- tpl ($.Values.kubelet.initContainers | toYaml) $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: kubelet
+          image: {{ .integrationImage | default (include "windowsIntegrationImage" $) }}
+          imagePullPolicy: {{ $.Values.images.integration.pullPolicy }}
+          {{- with include "nriKubernetes.securityContext.container" $ | fromYaml }}
+          securityContext:
+            {{- toYaml $ | nindent 12 }}
+          {{- end }}
+          env:
+            - name: "NRI_KUBERNETES_SINK_HTTP_PORT"
+              value: {{ get (fromYaml (include "nriKubernetes.kubelet.agentConfig" $)) "http_server_port" | quote }}
+            - name: "NRI_KUBERNETES_CLUSTERNAME"
+              value: {{ include "newrelic.common.cluster" $ }}
+            - name: "NRI_KUBERNETES_VERBOSE"
+              value: {{ include "newrelic.common.verboseLog.valueAsBoolean" $ | quote }}
+
+            - name: "NRI_KUBERNETES_NODENAME"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+            # Required to connect to the kubelet
+            - name: "NRI_KUBERNETES_NODEIP"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "status.hostIP"
+
+            {{- with $.Values.kubelet.extraEnv }}
+            {{- toYaml $ | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.extraEnvFrom }}
+          envFrom: {{ toYaml $ | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: nri-kubernetes-config
+              mountPath: /etc/newrelic-infra/nri-kubernetes.yml
+              subPath: nri-kubernetes.yml
+            {{- with $.Values.kubelet.extraVolumeMounts }}
+            {{- toYaml $ | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.resources }}
+          resources: {{ toYaml $ | nindent 12 }}
+          {{- end }}
+        - name: agent
+          image: {{ .agentImage | default (include "windowsAgentImage" $)}}
+          args: [ "newrelic-infra" ]
+          imagePullPolicy: {{ $.Values.images.agent.pullPolicy }}
+          {{- with include "nriKubernetes.kubelet.securityContext.agentContainer" $ | fromYaml }}
+          securityContext:
+            {{- toYaml $ | nindent 12 }}
+          {{- end }}
+          ports:
+            - containerPort: {{ get (fromYaml (include "nriKubernetes.kubelet.agentConfig" $)) "http_server_port" }}
+          env:
+            - name: NRIA_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "newrelic.common.license.secretName" $ }}
+                  key: {{ include "newrelic.common.license.secretKeyName" $ }}
+
+            - name: "NRIA_OVERRIDE_HOSTNAME_SHORT"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+
+            - name: "NRIA_OVERRIDE_HOSTNAME"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+
+            # Override NRIA_OVERRIDE_HOST_ROOT to empty if unprivileged. This must be done as an env var as the
+            # `k8s-events-forwarder` and `infrastructure-bundle` images ship this very same env var set to /host.
+            # Currently windows only runs in unprivileged mode.
+            - name: "NRIA_OVERRIDE_HOST_ROOT"
+              value: ""
+
+            - name: "NRI_KUBERNETES_NODE_NAME"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+
+            {{- if $.Values.useNodeNameAsDisplayName }}
+            - name: "NRIA_DISPLAY_NAME"
+            {{- if $.Values.prefixDisplayNameWithCluster }}
+              value: "{{ include "newrelic.common.cluster" $ }}:$(NRI_KUBERNETES_NODE_NAME)"
+            {{- else }}
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+            {{- end }}
+            {{- end }}
+
+            {{- /* Needed to populate clustername in integration metrics */}}
+            - name: "CLUSTER_NAME"
+              value: {{ include "newrelic.common.cluster" $ }}
+            - name: "NRIA_PASSTHROUGH_ENVIRONMENT"
+              value: "CLUSTER_NAME"
+
+            {{- /* Needed for autodiscovery since hostNetwork=false */}}
+            - name: "NRIA_HOST"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "status.hostIP"
+
+            {{- with $.Values.kubelet.extraEnv }}
+            {{- toYaml $ | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.extraEnvFrom }}
+          envFrom: {{ toYaml $ | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: C:\etc\newrelic-infra.yml
+              subPath: newrelic-infra.yml
+            - name: nri-integrations-cfg-volume
+              mountPath: C:\etc\newrelic-infra\integrations.d\
+            - name: agent-tmpfs-data
+              mountPath: C:\var\db\nnewrelic-infra\data
+            - name: agent-tmpfs-user-data
+              mountPath: C:\var\db\newrelic-infra\user_data
+            - name: agent-tmpfs-tmp
+              mountPath: C:\tmp
+            {{- with $.Values.kubelet.extraVolumeMounts }}
+            {{- toYaml $ | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.resources }}
+          resources: {{ toYaml $ | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: agent-tmpfs-data
+          emptyDir: {}
+        - name: agent-tmpfs-user-data
+          emptyDir: {}
+        - name: agent-tmpfs-tmp
+          emptyDir: {}
+        - name: nri-kubernetes-config
+          configMap:
+            name: {{ include "nriKubernetes.kubelet.fullname" $ }}
+            items:
+              - key: nri-kubernetes.yml
+                path: nri-kubernetes.yml
+        - name: config
+          configMap:
+            name: {{ include "nriKubernetes.kubelet.fullname.agent" $ }}
+            items:
+              - key: newrelic-infra.yml
+                path: newrelic-infra.yml
+        - name: nri-integrations-cfg-volume
+          configMap:
+            name: {{ include "nriKubernetes.kubelet.fullname.integrations" $ }}
+        {{- with $.Values.kubelet.extraVolumes }}
+        {{- toYaml $ | nindent 8 }}
+        {{- end }}
+      {{- with include "nriKubernetes.kubelet.affinity" $ }}
+      affinity:
+        {{- . | nindent 8 }}
+      {{- end }}
+      {{- with include "nriKubernetes.kubelet.tolerations" $ }}
+      tolerations:
+        {{- . | nindent 8 }}
+      {{- end }}
+      nodeSelector:
+        {{- if $.Values.kubelet.windowsNodeSelector }}
+{{ toYaml $.Values.kubelet.windowsNodeSelector | indent 8 }}
-{{ toYaml $.Values.kubelet.windowsNodeSelector | indent 8 }}
+        {{- toYaml $.Values.kubelet.windowsNodeSelector | indent 8 }}
-{{ toYaml $.Values.kubelet.windowsNodeSelector | indent 8 }}
+        {{- toYaml $.Values.kubelet.windowsNodeSelector | indent 8 }}
+        {{- else }}
+        kubernetes.io/os: windows
+        # Windows containers can only be deployed on hosts with the same Windows version
+        node.kubernetes.io/windows-build: {{ .buildNumber }} 
+        {{- end }}
+---
+{{- end }}
+{{- end }}
@@ -40,6 +40,25 @@
     tag:
     pullPolicy: IfNotPresent
 
+enableWindows: false
+# For every entry in this Windows OS list, we will create an independent DaemonSet which will get deployed
+# on Windows nodes running each specific Windows version and build number. Note that
+# Windows containers can only be executed on hosts running the exact same Windows version and build number,
+# because Kubernetes only supports process isolation and not Hyper-V isolation (as of March 2025).
+windowsOsList:
+  # Limited support for only LTSC2019/LTSC2022 
+  # https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#windows-os-version-support
+  - version: ltsc2019
+    imageTagSuffix: windows-ltsc-2019
+    buildNumber: 10.0.17763
+    agentImage: ""
+    integrationImage: ""
+  - version: ltsc2022
+    imageTagSuffix: windows-ltsc-2022
+    buildNumber: 10.0.20348
+    agentImage: ""
+    integrationImage: ""
+
 # -- Config that applies to all instances of the solution: kubelet, ksm, control plane and sidecars.
 # @default -- See `values.yaml`
 common:
@@ -92,6 +111,13 @@
     - operator: "Exists"
       effect: "NoExecute"
   nodeSelector: {}
+
+  # Note that the Windows DaemonSet already contains a node selector label based on their OS (kubernetes.io/os: windows).
+  # and build number (node.kubernetes.io/windows-build: {{ .buildNumber }}, to ensure that each version of the DaemonSet
+  # gets deployed only on those Windows nodes running the exact same Windows version and build number. Note that
+  # Windows containers can only be executed on hosts running the exact same Windows version and build number.
+  windowsNodeSelector: {}
+
   # -- (bool) Sets pod's hostNetwork. When set bypasses global/common variable
   # @default -- Not set
   hostNetwork: