rancher-partner-charts/charts/stackstate/stackstate-k8s-agent/templates/_container-agent.yaml

{{- define "container-agent" -}}
- name: node-agent
{{- if .Values.all.hardening.enabled}}
  lifecycle:
    preStop:
      exec:
        command: [ "/bin/sh", "-c", "echo 'Giving slim.ai monitor time to submit data...'; sleep 120" ]
{{- end }}
  image: "{{ include "stackstate-k8s-agent.imageRegistry" . }}/{{ .Values.nodeAgent.containers.agent.image.repository }}:{{ .Values.nodeAgent.containers.agent.image.tag }}"
  imagePullPolicy: "{{ .Values.nodeAgent.containers.agent.image.pullPolicy }}"
  env:
    {{ include "stackstate-k8s-agent.apiKeyEnv" . | nindent 4 }}
    - name: STS_KUBERNETES_KUBELET_HOST
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: KUBERNETES_HOSTNAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: STS_HOSTNAME
      value: "$(KUBERNETES_HOSTNAME)-{{ .Values.stackstate.cluster.name}}"
    - name: AGENT_VERSION
      value: {{ .Values.nodeAgent.containers.agent.image.tag | quote }}
    - name: HOST_PROC
      value: "/host/proc"
    - name: HOST_SYS
      value: "/host/sys"
    - name: KUBERNETES
      value: "true"
    - name: STS_APM_ENABLED
      value: {{ .Values.nodeAgent.apm.enabled | quote }}
    - name: STS_APM_URL
      value: {{ include "stackstate-k8s-agent.stackstate.url" . }}
    - name: STS_CLUSTER_AGENT_ENABLED
      value: {{ .Values.clusterAgent.enabled | quote }}
    {{- if .Values.clusterAgent.enabled }}
    - name: STS_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME
      value: {{ .Release.Name }}-cluster-agent
    {{ include "stackstate-k8s-agent.clusterAgentAuthTokenEnv" . | nindent 4 }}
    {{- end }}
    - name: STS_CLUSTER_NAME
      value: {{ .Values.stackstate.cluster.name | quote }}
    - name: STS_SKIP_VALIDATE_CLUSTERNAME
      value: "true"
    - name: STS_CHECKS_TAG_CARDINALITY
      value: {{ .Values.nodeAgent.checksTagCardinality | quote }}
    {{- if .Values.checksAgent.enabled }}
    - name: STS_EXTRA_CONFIG_PROVIDERS
      value: "endpointschecks"
    {{- end }}
    - name: STS_HEALTH_PORT
      value: "5555"
    - name: STS_LEADER_ELECTION
      value: "false"
    - name: LOG_LEVEL
      value: {{ .Values.nodeAgent.containers.agent.logLevel | default .Values.nodeAgent.logLevel | quote }}
    - name: STS_LOG_LEVEL
      value: {{ .Values.nodeAgent.containers.agent.logLevel | default .Values.nodeAgent.logLevel | quote }}
    - name: STS_NETWORK_TRACING_ENABLED
      value: {{ .Values.nodeAgent.networkTracing.enabled | quote }}
    - name: STS_PROTOCOL_INSPECTION_ENABLED
      value: {{ .Values.nodeAgent.protocolInspection.enabled | quote }}
    - name: STS_PROCESS_AGENT_ENABLED
      value: {{ .Values.nodeAgent.containers.agent.processAgent.enabled | quote }}
    - name: STS_CONTAINER_CHECK_INTERVAL
      value: {{ .Values.processAgent.checkIntervals.container | quote }}
    - name: STS_CONNECTION_CHECK_INTERVAL
      value: {{ .Values.processAgent.checkIntervals.connections | quote }}
    - name: STS_PROCESS_CHECK_INTERVAL
      value: {{ .Values.processAgent.checkIntervals.process | quote }}
    - name: STS_PROCESS_AGENT_URL
      value: {{ include "stackstate-k8s-agent.stackstate.url" . }}

    - name: STS_SKIP_SSL_VALIDATION
      value: {{ or .Values.global.skipSslValidation .Values.nodeAgent.skipSslValidation | quote }}
    - name: STS_SKIP_KUBELET_TLS_VERIFY
      value: {{ .Values.nodeAgent.skipKubeletTLSVerify | quote }}
    - name: STS_STS_URL
      value: {{ include "stackstate-k8s-agent.stackstate.url" . }}
    {{- if .Values.nodeAgent.containerRuntime.customSocketPath }}
    - name: STS_CRI_SOCKET_PATH
      value: {{ .Values.nodeAgent.containerRuntime.customSocketPath }}
    {{- end }}
    {{- if .Values.global.proxy.url }}
    - name: STS_PROXY_HTTPS
      value: {{ .Values.global.proxy.url | quote }}
    - name: STS_PROXY_HTTP
      value: {{ .Values.global.proxy.url | quote }}
    {{- end }}
    {{- range $key, $value := .Values.global.extraEnv.open }}
    - name: {{ $key }}
      value: {{ $value | quote }}
    {{- end }}
    {{- range $key, $value := .Values.global.extraEnv.secret }}
    - name: {{ $key }}
      valueFrom:
        secretKeyRef:
          name: {{ include "stackstate-k8s-agent.fullname" . }}
          key: {{ $key }}
    {{- end }}
    {{- range $key, $value := .Values.nodeAgent.containers.agent.env }}
    - name: {{ $key }}
      value: {{ $value | quote }}
    {{- end }}
  {{- if .Values.nodeAgent.containers.agent.livenessProbe.enabled }}
  livenessProbe:
    httpGet:
      path: /health
      port: healthport
    failureThreshold: {{ .Values.nodeAgent.containers.agent.livenessProbe.failureThreshold }}
    initialDelaySeconds: {{ .Values.nodeAgent.containers.agent.livenessProbe.initialDelaySeconds }}
    periodSeconds: {{ .Values.nodeAgent.containers.agent.livenessProbe.periodSeconds }}
    successThreshold: {{ .Values.nodeAgent.containers.agent.livenessProbe.successThreshold }}
    timeoutSeconds: {{ .Values.nodeAgent.containers.agent.livenessProbe.timeoutSeconds }}
  {{- end }}
  {{- if .Values.nodeAgent.containers.agent.readinessProbe.enabled }}
  readinessProbe:
    httpGet:
      path: /health
      port: healthport
    failureThreshold: {{ .Values.nodeAgent.containers.agent.readinessProbe.failureThreshold }}
    initialDelaySeconds: {{ .Values.nodeAgent.containers.agent.readinessProbe.initialDelaySeconds }}
    periodSeconds: {{ .Values.nodeAgent.containers.agent.readinessProbe.periodSeconds }}
    successThreshold: {{ .Values.nodeAgent.containers.agent.readinessProbe.successThreshold }}
    timeoutSeconds: {{ .Values.nodeAgent.containers.agent.readinessProbe.timeoutSeconds }}
  {{- end }}
  ports:
  - containerPort: 8126
    name: traceport
    protocol: TCP
  - containerPort: 5555
    name: healthport
    protocol: TCP
  {{- with .Values.nodeAgent.containers.agent.resources }}
  resources:
    {{- toYaml . | nindent 12 }}
  {{- end }}
  volumeMounts:
  {{- if .Values.nodeAgent.containerRuntime.customSocketPath }}
  - name: customcrisocket
    mountPath: {{ .Values.nodeAgent.containerRuntime.customSocketPath }}
    readOnly: true
  {{- end }}
  - name: crisocket
    mountPath: /var/run/crio/crio.sock
    readOnly: true
  - name: containerdsocket
    mountPath: /var/run/containerd/containerd.sock
    readOnly: true
  - name: kubelet
    mountPath: /var/lib/kubelet
    readOnly: true
  - name: nfs
    mountPath: /var/lib/nfs
    readOnly: true
  - name: dockersocket
    mountPath: /var/run/docker.sock
    readOnly: true
  - name: dockernetns
    mountPath: /run/docker/netns
    readOnly: true
  - name: dockeroverlay2
    mountPath: /var/lib/docker/overlay2
    readOnly: true
  - name: procdir
    mountPath: /host/proc
    readOnly: true
  - name: cgroups
    mountPath: /host/sys/fs/cgroup
    readOnly: true
  {{- if .Values.nodeAgent.config.override }}
  {{- range .Values.nodeAgent.config.override }}
  - name: config-override-volume
    mountPath: {{ .path }}/{{ .name }}
    subPath: {{ .path | replace "/" "_"}}_{{ .name }}
    readOnly: true
  {{- end }}
  {{- end }}
{{- if .Values.all.hardening.enabled}}
  securityContext:
    privileged: true
    runAsUser: 0  # root
    capabilities:
      add: [ "ALL" ]
    readOnlyRootFilesystem: false
{{- else }}
  securityContext:
    privileged: false
{{- end }}
{{- end -}}