{{- define "container-agent" -}} - name: node-agent {{- if .Values.all.hardening.enabled}} lifecycle: preStop: exec: command: [ "/bin/sh", "-c", "echo 'Giving slim.ai monitor time to submit data...'; sleep 120" ] {{- end }} image: "{{ include "stackstate-k8s-agent.imageRegistry" . }}/{{ .Values.nodeAgent.containers.agent.image.repository }}:{{ .Values.nodeAgent.containers.agent.image.tag }}" imagePullPolicy: "{{ .Values.nodeAgent.containers.agent.image.pullPolicy }}" env: - name: STS_API_KEY valueFrom: secretKeyRef: name: {{ include "stackstate-k8s-agent.fullname" . }} key: sts-api-key - name: STS_KUBERNETES_KUBELET_HOST valueFrom: fieldRef: fieldPath: status.hostIP - name: KUBERNETES_HOSTNAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: STS_HOSTNAME value: "$(KUBERNETES_HOSTNAME)-{{ .Values.stackstate.cluster.name}}" - name: AGENT_VERSION value: {{ .Values.nodeAgent.containers.agent.image.tag | quote }} - name: HOST_PROC value: "/host/proc" - name: HOST_SYS value: "/host/sys" - name: KUBERNETES value: "true" - name: STS_APM_ENABLED value: {{ .Values.nodeAgent.apm.enabled | quote }} - name: STS_APM_URL value: {{ include "stackstate-k8s-agent.stackstate.url" . }} - name: STS_CLUSTER_AGENT_ENABLED value: {{ .Values.clusterAgent.enabled | quote }} {{- if .Values.clusterAgent.enabled }} - name: STS_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME value: {{ .Release.Name }}-cluster-agent - name: STS_CLUSTER_AGENT_AUTH_TOKEN valueFrom: secretKeyRef: name: {{ include "stackstate-k8s-agent.fullname" . }} key: sts-cluster-auth-token {{- end }} - name: STS_CLUSTER_NAME value: {{ .Values.stackstate.cluster.name | quote }} - name: STS_SKIP_VALIDATE_CLUSTERNAME value: "true" - name: STS_CHECKS_TAG_CARDINALITY value: {{ .Values.nodeAgent.checksTagCardinality | quote }} {{- if .Values.checksAgent.enabled }} - name: STS_EXTRA_CONFIG_PROVIDERS value: "endpointschecks" {{- end }} - name: STS_HEALTH_PORT value: "5555" - name: STS_LEADER_ELECTION value: "false" - name: LOG_LEVEL value: {{ .Values.nodeAgent.containers.agent.logLevel | default .Values.nodeAgent.logLevel | quote }} - name: STS_LOG_LEVEL value: {{ .Values.nodeAgent.containers.agent.logLevel | default .Values.nodeAgent.logLevel | quote }} - name: STS_NETWORK_TRACING_ENABLED value: {{ .Values.nodeAgent.networkTracing.enabled | quote }} - name: STS_PROTOCOL_INSPECTION_ENABLED value: {{ .Values.nodeAgent.protocolInspection.enabled | quote }} - name: STS_PROCESS_AGENT_ENABLED value: {{ .Values.nodeAgent.containers.agent.processAgent.enabled | quote }} - name: STS_CONTAINER_CHECK_INTERVAL value: {{ .Values.processAgent.checkIntervals.container | quote }} - name: STS_CONNECTION_CHECK_INTERVAL value: {{ .Values.processAgent.checkIntervals.connections | quote }} - name: STS_PROCESS_CHECK_INTERVAL value: {{ .Values.processAgent.checkIntervals.process | quote }} - name: STS_PROCESS_AGENT_URL value: {{ include "stackstate-k8s-agent.stackstate.url" . }} - name: STS_SKIP_SSL_VALIDATION value: {{ .Values.nodeAgent.skipSslValidation | quote }} - name: STS_SKIP_KUBELET_TLS_VERIFY value: {{ .Values.nodeAgent.skipKubeletTLSVerify | quote }} - name: STS_STS_URL value: {{ include "stackstate-k8s-agent.stackstate.url" . }} {{- if .Values.nodeAgent.containerRuntime.customSocketPath }} - name: STS_CRI_SOCKET_PATH value: {{ .Values.nodeAgent.containerRuntime.customSocketPath }} {{- end }} {{- range $key, $value := .Values.nodeAgent.containers.agent.env }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} {{- range $key, $value := .Values.global.extraEnv.open }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} {{- range $key, $value := .Values.global.extraEnv.secret }} - name: {{ $key }} valueFrom: secretKeyRef: name: {{ include "stackstate-k8s-agent.fullname" . }} key: {{ $key }} {{- end }} {{- if .Values.nodeAgent.containers.agent.livenessProbe.enabled }} livenessProbe: httpGet: path: /health port: healthport failureThreshold: {{ .Values.nodeAgent.containers.agent.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.nodeAgent.containers.agent.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.nodeAgent.containers.agent.livenessProbe.periodSeconds }} successThreshold: {{ .Values.nodeAgent.containers.agent.livenessProbe.successThreshold }} timeoutSeconds: {{ .Values.nodeAgent.containers.agent.livenessProbe.timeoutSeconds }} {{- end }} {{- if .Values.nodeAgent.containers.agent.readinessProbe.enabled }} readinessProbe: httpGet: path: /health port: healthport failureThreshold: {{ .Values.nodeAgent.containers.agent.readinessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.nodeAgent.containers.agent.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.nodeAgent.containers.agent.readinessProbe.periodSeconds }} successThreshold: {{ .Values.nodeAgent.containers.agent.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.nodeAgent.containers.agent.readinessProbe.timeoutSeconds }} {{- end }} ports: - containerPort: 8126 name: traceport protocol: TCP - containerPort: 5555 name: healthport protocol: TCP {{- with .Values.nodeAgent.containers.agent.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: {{- if .Values.nodeAgent.containerRuntime.customSocketPath }} - name: customcrisocket mountPath: {{ .Values.nodeAgent.containerRuntime.customSocketPath }} readOnly: true {{- end }} - name: crisocket mountPath: /var/run/crio/crio.sock readOnly: true - name: containerdsocket mountPath: /var/run/containerd/containerd.sock readOnly: true - name: kubelet mountPath: /var/lib/kubelet readOnly: true - name: nfs mountPath: /var/lib/nfs readOnly: true - name: dockersocket mountPath: /var/run/docker.sock readOnly: true - name: dockernetns mountPath: /run/docker/netns readOnly: true - name: dockeroverlay2 mountPath: /var/lib/docker/overlay2 readOnly: true - name: procdir mountPath: /host/proc readOnly: true - name: cgroups mountPath: /host/sys/fs/cgroup readOnly: true {{- if .Values.nodeAgent.config.override }} {{- range .Values.nodeAgent.config.override }} - name: config-override-volume mountPath: {{ .path }}/{{ .name }} subPath: {{ .path | replace "/" "_"}}_{{ .name }} readOnly: true {{- end }} {{- end }} {{- if .Values.all.hardening.enabled}} securityContext: privileged: true runAsUser: 0 # root capabilities: add: [ "ALL" ] readOnlyRootFilesystem: false {{- else }} securityContext: privileged: false {{- end }} {{- end -}}