Update Helm Chart to Support CloudWatch Agent on ROSA Clusters (#181)

* added rosa support for cloudwatch agent

Author: okankoAMZ

charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml

@@ -49,7 +49,7 @@ data:
 
 {{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
 {{- $region := .Values.region | required ".Values.region is required." -}}
-
+{{- $isROSA := eq $.Values.k8sMode "ROSA" -}}
 {{- range .Values.agents }}
 {{- $agent := merge . (deepCopy $.Values.agent) }}
 apiVersion: cloudwatch.aws.amazon.com/v1alpha1
@@ -64,6 +64,13 @@ spec:
   nodeSelector:
     kubernetes.io/os: linux
   serviceAccount: {{ $agent.serviceAccount.name | default (include "cloudwatch-agent.serviceAccountName" $) }}
+  {{ if $isROSA }}
+  securityContext:
+    runAsNonRoot: false
+    capabilities:
+      add:
+        - SYS_ADMIN
+  {{ end }}
   priorityClassName: {{ $agent.priorityClassName | default $.Values.agent.priorityClassName }}
   affinity:
     nodeAffinity:
@@ -111,6 +118,12 @@ spec:
     readOnly: true
   - mountPath: /run/containerd/containerd.sock
     name: containerdsock
+  - mountPath: /var/run/crio/crio.sock
+    name: criosock
+  - mountPath: /var/lib/containers
+    name: criocontainer
+  - mountPath: /var/log/pods
+    name: criologs
   - mountPath: /var/lib/docker
     name: varlibdocker
     readOnly: true
@@ -131,6 +144,10 @@ spec:
     readOnly: true
   - mountPath: /var/lib/kubelet/pod-resources
     name: kubelet-podresources
+    {{ if $isROSA }}
+  - mountPath: /etc/kubernetes/kubelet-ca.crt
+    name: kubelet-ca
+    {{ end }}
   volumes:
   - name: kubelet-podresources
     hostPath:
@@ -148,6 +165,15 @@ spec:
   - hostPath:
       path: /run/containerd/containerd.sock
     name: containerdsock
+  - hostPath:
+      path: /var/run/crio/crio.sock
+    name: criosock
+  - hostPath:
+      path:  /var/lib/containers
+    name: criocontainer
+  - hostPath:
+      path:  /var/log/pods
+    name: criologs
   - hostPath:
       path: /sys
     name: sys
@@ -174,6 +200,11 @@ spec:
           path: server.crt
         - key: tls.key
           path: server.key
+  {{ if $isROSA }}
+  - name: kubelet-ca
+    hostPath:
+      path: /etc/kubernetes/kubelet-ca.crt
+  {{end }}
   env:
   - name: K8S_NODE_NAME
     valueFrom:
@@ -191,6 +222,10 @@ spec:
     valueFrom:
       fieldRef:
         fieldPath: metadata.namespace
+  {{ if $isROSA }}
+  - name: RUN_IN_ROSA
+    value: "True"
+  {{ end }}
   - name: K8S_CLUSTER_NAME
     value: {{ $.Values.clusterName }}
   {{- with $.Values.tolerations }}

charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-scc-clusterrole.yaml

@@ -0,0 +1,10 @@
+{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openshift:scc:cloudwatch-agent-scc
+rules:
+  - apiGroups: [""]
+    resources: ["securitycontextconstraints"]
+    verbs: ["use"]
+{{- end }}

charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-scc.yaml

@@ -0,0 +1,38 @@
+{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: cloudwatch-agent-scc
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: false
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+groups: []
+requiredDropCapabilities:
+  - ALL
+volumes:
+  - configMap
+  - secret
+  - emptyDir
+  - hostPath
+  - projected
+users:
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ template "cloudwatch-agent.serviceAccountName" . }}
+
+
+{{ end }}

charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-ssc-clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cloudwatch-agent.name" . }}-scc-role-binding
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:cloudwatch-agent-scc
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: {{ template "cloudwatch-agent.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/amazon-cloudwatch-observability/values.yaml

@@ -10,6 +10,7 @@ nameOverride: ""
 clusterName:
 ## Provide the Region (this is a required parameter)
 region:
+k8sMode: EKS # can be EKS | ROSA | K8S
 nodeLabelKey: node.kubernetes.io/instance-type
 fargateLabelKey: eks.amazonaws.com/compute-type
 ## NVIDIA GPU instance types