Windows update helm chart

CHANGELOG.md

@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ### 🚀 Enhancements
 - Add options for Windows server 2019 and Windows server 2022 deployments in E2E-resources @TmNguyen12 [#1149](https://github.com/newrelic/nri-kubernetes/pull/1149)
-
+- Add Windows Helm templates and unit tests for kubelet support @TmNguyen12 [#1176] (https://github.com/newrelic/nri-kubernetes/pull/1176)
 
 ## v3.33.3 - 2025-02-17
 

charts/newrelic-infrastructure/README.md

@@ -136,6 +136,7 @@ integrations that you have configured.
 | customSecretName | string | `""` | In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName` |
 | dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` |
 | enableProcessMetrics | bool | `false` | Collect detailed metrics from processes running in the host. This defaults to true for accounts created before July 20, 2020. ref: https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes/new-relic-infrastructure-agent-1120 |
+| enableWindows | bool | `false` | Enables collection of metrics from Windows containers. Refer to the [Windows support](#tbd) section for more details. |
 | fedramp.enabled | bool | `false` | Enables FedRAMP. Can be configured also with `global.fedramp.enabled` |
 | fullnameOverride | string | `""` | Override the full name of the release |
 | hostNetwork | bool | `false` | Sets pod's hostNetwork. Can be configured also with `global.hostNetwork` |
@@ -192,6 +193,20 @@ integrations that you have configured.
 | tolerations | list | `[]` | Sets pod's tolerations to node taints almost globally. (See [Affinities and tolerations](README.md#affinities-and-tolerations)) |
 | updateStrategy | object | See `values.yaml` | Update strategy for the deployed DaemonSets. |
 | verboseLog | bool | `false` | Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog` |
+| windowsNodeSelector | object |  `{ kubernetes.io/os: windows, node.kubernetes.io/windows-build: BUILD_NUMBER }` | Sets windows pod's selector. Refer to [Windows support](#tbd) |
+| windowsOsList.agentImage | string | `""` | Overrides the infrastructure-agent windows image |
+| windowsOsList.integrationImage | string | `""` | Overrides the nri-kubernetes windows image |
+
+## Running tests locally
+
+- Install Helm's 'chart-testing' utilities
+  - `brew install chart-testing`
+  - `brew install yamllint`
+  - `helm plugin install https://github.com/helm-unittest/helm-unittest`
+- Run linter and yaml validation
+  - `ct lint-and-install`
+- Run unit tests: 
+  - `helm unittest charts/newrelic-logging`
 
 ## Maintainers
 

charts/newrelic-infrastructure/templates/NOTES.txt

@@ -110,10 +110,6 @@ future. Please migrate your agent config to the new format in the `common.agentC
 {{ $errors = printf "%s\n\n%s" $errors (include "newrelic.compatibility.message.image" . ) }}
 {{- end }}
 
-{{- if .Values.enableWindows }}
-{{ $errors = printf "%s\n\n%s" $errors (include "newrelic.compatibility.message.windows" . ) }}
-{{- end }}
-
 {{- if ( or .Values.controllerManagerEndpointUrl  .Values.schedulerEndpointUrl .Values.etcdEndpointUrl .Values.apiServerEndpointUrl )}}
 {{ $errors = printf "%s\n\n%s" $errors (include "newrelic.compatibility.message.apiURL" . ) }}
 {{- end }}

charts/newrelic-infrastructure/templates/_helpers.tpl

@@ -33,8 +33,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 
 {{- /* Return a YAML with the mode to be added to the labels */ -}}
 {{- define "nriKubernetes._mode" -}}
-{{- if include "newrelic.common.privileged" . -}}
-    mode: privileged
+{{- if and (include "newrelic.common.privileged" .) (not .Values.enableWindows) -}}
+  mode: privileged
 {{- else -}}
     mode: unprivileged
 {{- end -}}
@@ -116,3 +116,12 @@ readOnlyRootFilesystem: true
 
 {{- toYaml $finalSecurityContext -}}
 {{- end -}}
+
+{{- define "windowsIntegrationImage" -}}
+  {{ include "newrelic.common.images.image" ( dict "imageRoot" $.Values.images.integration "context" $ "imageTagSuffix" .imageTagSuffix) }}
+{{- end}}
+
+
+{{- define "windowsAgentImage" -}}
+  {{ include "newrelic.common.images.image" ( dict "imageRoot" $.Values.images.agent "context" $ "imageTagSuffix" .imageTagSuffix) }}
+{{- end}}

charts/newrelic-infrastructure/templates/kubelet/daemonset-windows.yaml

@@ -0,0 +1,234 @@
+{{- if and (.Values.kubelet.enabled) (.Values.enableWindows) }}
+{{- range .Values.windowsOsList }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    kubernetes.io/os: windows
+    {{- include "nriKubernetes.labels" $ | nindent 4 }}
+  name: {{ join "-" (list (include "nriKubernetes.kubelet.fullname" $) .imageTagSuffix) }}
+  {{- $legacyAnnotation:= fromYaml (include "newrelic.compatibility.annotations" $) -}}
+  {{- with  include "newrelic.compatibility.valueWithFallback" (dict "legacy" $legacyAnnotation "supported" $.Values.kubelet.annotations )}}
+  annotations: {{ . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with $.Values.updateStrategy }}
+  updateStrategy: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "newrelic.common.labels.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: kubelet
+  template:
+    metadata:
+      annotations:
+        checksum/nri-kubernetes: {{ include (print $.Template.BasePath "/kubelet/scraper-configmap.yaml") $ | sha256sum }}
+        checksum/agent-config: {{ include (print $.Template.BasePath "/kubelet/agent-configmap.yaml") $ | sha256sum }}
+        {{- if include "newrelic.common.license.secret" $ }}{{- /* If the is secret to template */}}
+        checksum/license-secret: {{ include (print $.Template.BasePath "/secret.yaml") $ | sha256sum }}
+        {{- end }}
+        checksum/integrations_config: {{ include (print $.Template.BasePath "/kubelet/integrations-configmap.yaml") $ | sha256sum }}
+        {{- with $.Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "nriKubernetes.labels.podLabels" $ | nindent 8 }}
+        app.kubernetes.io/component: kubelet
+    spec:
+      {{- with include "newrelic.common.images.renderPullSecrets" ( dict "pullSecrets" (list $.Values.images.pullSecrets) "context" $) }}
+      imagePullSecrets:
+        {{- . | nindent 8 }}
+      {{- end }}
+      {{- with include "newrelic.common.dnsConfig" $ }}
+      dnsConfig:
+        {{- . | nindent 8 }}
+      {{- end }}
+      {{- with include "newrelic.common.priorityClassName" $ }}
+      priorityClassName: {{ $ }}
+      {{- end }}
+      serviceAccountName: {{ include "newrelic.common.serviceAccount.name" $ }}
+      hostNetwork: {{ include "nriKubernetes.kubelet.hostNetwork.value" $ }}
+      {{- if include "nriKubernetes.kubelet.hostNetwork" $ }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+
+      {{- if $.Values.kubelet.initContainers }}
+      initContainers: {{- tpl ($.Values.kubelet.initContainers | toYaml) $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: kubelet
+          image: {{ .integrationImage | default (include "windowsIntegrationImage" $) }}
+          imagePullPolicy: {{ $.Values.images.integration.pullPolicy }}
+          securityContext:
+            windowsOptions:
+              runAsUserName: "ContainerUser"
+          env:
+            - name: "NRI_KUBERNETES_SINK_HTTP_PORT"
+              value: {{ get (fromYaml (include "nriKubernetes.kubelet.agentConfig" $)) "http_server_port" | quote }}
+            - name: "NRI_KUBERNETES_CLUSTERNAME"
+              value: {{ include "newrelic.common.cluster" $ }}
+            - name: "NRI_KUBERNETES_VERBOSE"
+              value: {{ include "newrelic.common.verboseLog.valueAsBoolean" $ | quote }}
+
+            - name: "NRI_KUBERNETES_NODENAME"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+            # Required to connect to the kubelet
+            - name: "NRI_KUBERNETES_NODEIP"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "status.hostIP"
+
+            {{- with $.Values.kubelet.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.extraEnvFrom }}
+          envFrom: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: nri-kubernetes-config
+              mountPath: /etc/newrelic-infra/nri-kubernetes.yml
+              subPath: nri-kubernetes.yml
+            {{- with $.Values.kubelet.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+          {{- end }}
+        - name: agent
+          image: {{ .agentImage | default (include "windowsAgentImage" $)}}
+          args: [ "newrelic-infra" ]
+          imagePullPolicy: {{ $.Values.images.agent.pullPolicy }}
+          securityContext:
+            windowsOptions:
+              runAsUserName: "ContainerAdministrator"
+          ports:
+            - containerPort: {{ get (fromYaml (include "nriKubernetes.kubelet.agentConfig" $)) "http_server_port" }}
+          env:
+            - name: NRIA_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "newrelic.common.license.secretName" $ }}
+                  key: {{ include "newrelic.common.license.secretKeyName" $ }}
+
+            - name: "NRIA_OVERRIDE_HOSTNAME_SHORT"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+
+            - name: "NRIA_OVERRIDE_HOSTNAME"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+
+            # Override NRIA_OVERRIDE_HOST_ROOT to empty if unprivileged. This must be done as an env var as the
+            # `k8s-events-forwarder` and `infrastructure-bundle` images ship this very same env var set to /host.
+            # Currently windows only runs in unprivileged mode.
+            - name: "NRIA_OVERRIDE_HOST_ROOT"
+              value: ""
+
+            - name: "NRI_KUBERNETES_NODE_NAME"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+
+            {{- if $.Values.useNodeNameAsDisplayName }}
+            - name: "NRIA_DISPLAY_NAME"
+            {{- if $.Values.prefixDisplayNameWithCluster }}
+              value: "{{ include "newrelic.common.cluster" $ }}:$(NRI_KUBERNETES_NODE_NAME)"
+            {{- else }}
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "spec.nodeName"
+            {{- end }}
+            {{- end }}
+
+            {{- /* Needed to populate clustername in integration metrics */}}
+            - name: "CLUSTER_NAME"
+              value: {{ include "newrelic.common.cluster" $ }}
+            - name: "NRIA_PASSTHROUGH_ENVIRONMENT"
+              value: "CLUSTER_NAME"
+
+            {{- /* Needed for autodiscovery since hostNetwork=false */}}
+            - name: "NRIA_HOST"
+              valueFrom:
+                fieldRef:
+                  apiVersion: "v1"
+                  fieldPath: "status.hostIP"
+
+            {{- with $.Values.kubelet.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.extraEnvFrom }}
+          envFrom: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: C:\etc\newrelic-infra.yml
+              subPath: newrelic-infra.yml
+            - name: nri-integrations-cfg-volume
+              mountPath: C:\etc\newrelic-infra\integrations.d\
+            - name: agent-tmpfs-data
+              mountPath: C:\var\db\nnewrelic-infra\data
+            - name: agent-tmpfs-user-data
+              mountPath: C:\var\db\newrelic-infra\user_data
+            - name: agent-tmpfs-tmp
+              mountPath: C:\tmp
+            {{- with $.Values.kubelet.extraVolumeMounts }}
+            {{- toYaml $ | nindent 12 }}
+            {{- end }}
+          {{- with $.Values.kubelet.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: agent-tmpfs-data
+          emptyDir: {}
+        - name: agent-tmpfs-user-data
+          emptyDir: {}
+        - name: agent-tmpfs-tmp
+          emptyDir: {}
+        - name: nri-kubernetes-config
+          configMap:
+            name: {{ include "nriKubernetes.kubelet.fullname" $ }}
+            items:
+              - key: nri-kubernetes.yml
+                path: nri-kubernetes.yml
+        - name: config
+          configMap:
+            name: {{ include "nriKubernetes.kubelet.fullname.agent" $ }}
+            items:
+              - key: newrelic-infra.yml
+                path: newrelic-infra.yml
+        - name: nri-integrations-cfg-volume
+          configMap:
+            name: {{ include "nriKubernetes.kubelet.fullname.integrations" $ }}
+        {{- with $.Values.kubelet.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with include "nriKubernetes.kubelet.affinity" $ }}
+      affinity:
+        {{- . | nindent 8 }}
+      {{- end }}
+      {{- with include "nriKubernetes.kubelet.tolerations" $ }}
+      tolerations:
+        {{- . | nindent 8 }}
+      {{- end }}
+      nodeSelector:
+        {{- if $.Values.kubelet.windowsNodeSelector }}
+{{ toYaml $.Values.kubelet.windowsNodeSelector | indent 8 }}
+        {{- else }}
+        kubernetes.io/os: windows
+        # Windows containers can only be deployed on hosts with the same Windows version
+        node.kubernetes.io/windows-build: {{ .buildNumber }} 
+        {{- end }}
+---
+{{- end }}
+{{- end }}

charts/newrelic-infrastructure/templates/podsecuritypolicy.yaml

@@ -4,8 +4,10 @@ kind: PodSecurityPolicy
 metadata:
   name: privileged-{{ include "newrelic.common.naming.fullname" . }}
 spec:
+{{- if not .Values.enableWindows }}
   allowedCapabilities:
   - '*'
+{{- end }}
   fsGroup:
     rule: RunAsAny
   privileged: true