Merge branch 'main' into mtls

Author: musa-asad

.github/workflows/amazon-cloudwatch-observability-helm-integration-test.yaml

@@ -50,6 +50,11 @@ jobs:
       - name: Set KUBECONFIG environment variable
         run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> $GITHUB_ENV
 
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.1.7"
+
       - name: Verify Terraform version
         run: terraform --version
 
@@ -106,6 +111,11 @@ jobs:
       - name: Set KUBECONFIG environment variable
         run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> $GITHUB_ENV
 
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.1.7"
+
       - name: Verify Terraform version
         run: terraform --version
 
@@ -161,6 +171,11 @@ jobs:
 
       - name: Set KUBECONFIG environment variable
         run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> $GITHUB_ENV
+        
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.1.7"
 
       - name: Verify Terraform version
         run: terraform --version

RELEASE_NOTES

@@ -1,3 +1,21 @@
+=======================================================================
+amazon-cloudwatch-observability v3.2.0 (2025-02-04)
+========================================================================
+New Features:
+* Support Logical NeuronCore configuration (LNC) with trn2
+
+Enhancements:
+* Allow both YAML string and object for OTEL config
+* Add runtime metrics config for Application Signals .NET
+* Remove unsupported Neuron Monitor metrics
+* Upgrade CWAgent to v1.300052.0b1024
+* Upgrade CWAgent Operator to v2.1.0
+* Upgrade Java SDK to v1.33.0
+* Upgrade Python SDK to v0.8.0
+* Upgrade .Net SDK to v1.6.0
+* Upgrade NodeJS SDK to v0.5.0
+* Upgrade Neuron Monitor to v1.3.0
+
 =======================================================================
 amazon-cloudwatch-observability v3.1.0 (2025-01-08)
 ========================================================================

charts/amazon-cloudwatch-observability/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: amazon-cloudwatch-observability
-version: 3.1.0
+version: 3.2.0
 appVersion: 1.0.0
 description: A Helm chart for Amazon CloudWatch Observability
 type: application

charts/amazon-cloudwatch-observability/templates/_helpers.tpl

@@ -46,14 +46,17 @@ Helper function to modify customer supplied agent config if ContainerInsights or
 {{/*
 Helper function to modify cloudwatch-agent YAML config
 */}}
-{{- define "cloudwatch-agent.modify-yaml-config" -}}
+{{- define "cloudwatch-agent.modify-otel-config" -}}
 {{- $configCopy := deepCopy .OtelConfig }}
+{{- if kindIs "string" $configCopy }}
+  {{- $configCopy = fromYaml $configCopy }}
+{{- end }}
 
 {{- range $name, $component := $configCopy }}
-{{- if $component -}}
+{{- if and $component (kindIs "map" $component) }}
   {{- range $key, $value := $component }}
-    {{- if (and (quote $value | empty) (not (hasKey $component $key))) }}
-      {{- $component = set $component $key (dict) }}
+    {{- if eq $value nil }}
+      {{- $_ := set $component $key dict }}
     {{- end -}}
   {{- end }}
 {{- end }}

charts/amazon-cloudwatch-observability/templates/cloudwatch-agent-clusterrole.yaml

@@ -9,6 +9,9 @@ rules:
 - apiGroups: [ "" ]
   resources: [ "pods", "pods/logs", "nodes", "nodes/proxy", "namespaces", "endpoints" ]
   verbs: [ "list", "watch", "get" ]
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["list", "watch", "get"]
 - apiGroups: [ "" ]
   resources: [ "services" ]
   verbs: [ "list", "watch" ]

charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-custom-resource.yaml

@@ -62,7 +62,7 @@ data:
 
 {{- $clusterName := .Values.clusterName | required ".Values.clusterName is required." -}}
 {{- $region := .Values.region | required ".Values.region is required." -}}
-
+{{- $isROSA := eq $.Values.k8sMode "ROSA" -}}
 {{- range .Values.agents }}
 {{- $agent := merge . (deepCopy $.Values.agent) }}
 apiVersion: cloudwatch.aws.amazon.com/v1alpha1
@@ -77,6 +77,13 @@ spec:
   nodeSelector:
     kubernetes.io/os: linux
   serviceAccount: {{ $agent.serviceAccount.name | default (include "cloudwatch-agent.serviceAccountName" $) }}
+  {{ if $isROSA }}
+  securityContext:
+    runAsNonRoot: false
+    capabilities:
+      add:
+        - SYS_ADMIN
+  {{ end }}
   priorityClassName: {{ $agent.priorityClassName | default $.Values.agent.priorityClassName }}
   affinity:
     nodeAffinity:
@@ -94,7 +101,7 @@ spec:
   config: {{ include "cloudwatch-agent.modify-config" (merge (dict "Config" $agent.defaultConfig) $ ) }}
   {{- end }}
   {{- if $agent.otelConfig }}
-  otelConfig: {{ include "cloudwatch-agent.modify-yaml-config" (merge (dict "OtelConfig" $agent.otelConfig) . ) }}
+  otelConfig: {{ include "cloudwatch-agent.modify-otel-config" (merge (dict "OtelConfig" $agent.otelConfig) . ) }}
   {{- end }}
   {{- if $agent.prometheus.config }}
   prometheus:
@@ -124,6 +131,12 @@ spec:
     readOnly: true
   - mountPath: /run/containerd/containerd.sock
     name: containerdsock
+  - mountPath: /var/run/crio/crio.sock
+    name: criosock
+  - mountPath: /var/lib/containers
+    name: criocontainer
+  - mountPath: /var/log/pods
+    name: criologs
   - mountPath: /var/lib/docker
     name: varlibdocker
     readOnly: true
@@ -147,6 +160,10 @@ spec:
     readOnly: true
   - mountPath: /var/lib/kubelet/pod-resources
     name: kubelet-podresources
+    {{ if $isROSA }}
+  - mountPath: /etc/kubernetes/kubelet-ca.crt
+    name: kubelet-ca
+    {{ end }}
   volumes:
   - name: kubelet-podresources
     hostPath:
@@ -164,6 +181,15 @@ spec:
   - hostPath:
       path: /run/containerd/containerd.sock
     name: containerdsock
+  - hostPath:
+      path: /var/run/crio/crio.sock
+    name: criosock
+  - hostPath:
+      path:  /var/lib/containers
+    name: criocontainer
+  - hostPath:
+      path:  /var/log/pods
+    name: criologs
   - hostPath:
       path: /sys
     name: sys
@@ -198,6 +224,11 @@ spec:
           path: client.crt
         - key: tls.key
           path: client.key
+  {{ if $isROSA }}
+  - name: kubelet-ca
+    hostPath:
+      path: /etc/kubernetes/kubelet-ca.crt
+  {{end }}
   env:
   - name: K8S_NODE_NAME
     valueFrom:
@@ -215,6 +246,12 @@ spec:
     valueFrom:
       fieldRef:
         fieldPath: metadata.namespace
+  {{ if $isROSA }}
+  - name: RUN_IN_ROSA
+    value: "True"
+  {{ end }}
+  - name: K8S_CLUSTER_NAME
+    value: {{ $.Values.clusterName }}
   {{- with $.Values.tolerations }}
   tolerations: {{- toYaml . | nindent 2}}
   {{- end }}

charts/amazon-cloudwatch-observability/templates/linux/neuron-monitor-daemonset.yaml

@@ -36,7 +36,7 @@ spec:
   - name: PATH
     value: /usr/local/bin:/usr/bin:/bin:/opt/aws/neuron/bin
   - name: GOMEMLIMIT
-    value: 160MiB
+    value: 320MiB
   ports:
   - name: "metrics"
     port: {{ .Values.neuronMonitor.service.port }}
@@ -52,6 +52,9 @@ spec:
   - mountPath: /etc/amazon-cloudwatch-observability-neuron-cert/
     name: neurontls
     readOnly: true
+  - mountPath: /opt-aws
+    name: "aws-config"
+    readOnly: true
   volumes:
   - name: neurontls
     secret:
@@ -61,6 +64,9 @@ spec:
           path: server.crt
         - key: tls.key
           path: server.key
+  - name: "aws-config"
+    hostPath:
+      path: /opt/aws
   monitorConfig: |
     {
       "period": "5s",
@@ -74,19 +80,13 @@ spec:
             {
               "type": "memory_used"
             },
-            {
-              "type": "neuron_runtime_vcpu_usage"
-            },
             {
               "type": "execution_stats"
             }
           ]
         }
       ],
       "system_metrics": [
-        {
-          "type": "memory_info"
-        },
         {
           "period": "5s",
           "type": "neuron_hw_counters"

charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-scc-clusterrole.yaml

@@ -0,0 +1,10 @@
+{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openshift:scc:cloudwatch-agent-scc
+rules:
+  - apiGroups: [""]
+    resources: ["securitycontextconstraints"]
+    verbs: ["use"]
+{{- end }}

charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-scc.yaml

@@ -0,0 +1,38 @@
+{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: cloudwatch-agent-scc
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: false
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+groups: []
+requiredDropCapabilities:
+  - ALL
+volumes:
+  - configMap
+  - secret
+  - emptyDir
+  - hostPath
+  - projected
+users:
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ template "cloudwatch-agent.serviceAccountName" . }}
+
+
+{{ end }}

charts/amazon-cloudwatch-observability/templates/rosa/cloudwatch-agent-ssc-clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+{{ if and .Values.agent.enabled (eq .Values.k8sMode "ROSA") }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cloudwatch-agent.name" . }}-scc-role-binding
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:cloudwatch-agent-scc
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: {{ template "cloudwatch-agent.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/amazon-cloudwatch-observability/values.yaml

@@ -10,6 +10,7 @@ nameOverride: ""
 clusterName:
 ## Provide the Region (this is a required parameter)
 region:
+k8sMode: EKS # can be EKS | ROSA | K8S
 nodeLabelKey: node.kubernetes.io/instance-type
 fargateLabelKey: eks.amazonaws.com/compute-type
 ## NVIDIA GPU instance types
@@ -1170,7 +1171,7 @@ manager:
   name:
   image:
     repository: cloudwatch-agent-operator
-    tag: 2.0.1
+    tag: 2.1.0
     repositoryDomainMap:
       public: public.ecr.aws/cloudwatch-agent
       cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn
@@ -1181,19 +1182,19 @@ manager:
     java:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-java
-      tag: v1.32.6
+      tag: v1.33.0
     python:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-python
-      tag: v0.7.0
+      tag: v0.8.0
     dotnet:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-dotnet
-      tag: v1.4.0
+      tag: v1.6.0
     nodejs:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-node
-      tag: v0.3.0
+      tag: v0.5.0
   autoInstrumentationConfiguration:
     java:
       runtime_metrics:
@@ -1324,7 +1325,7 @@ agent:
   replicas: 1 # The total number non-terminated pods targeted by this AmazonCloudWatchAgent's deployment or statefulSet.
   image:
     repository: cloudwatch-agent
-    tag: 1.300051.0b992
+    tag: 1.300052.0b1024
     repositoryDomainMap:
       public: public.ecr.aws/cloudwatch-agent
       cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn
@@ -1426,13 +1427,13 @@ neuronMonitor:
   name:
   image:
     repository: neuron-monitor
-    tag: 1.2.1
+    tag: 1.3.0
     repositoryDomainMap:
       public: public.ecr.aws/neuron
   resources:
     limits:
       cpu: 500m
-      memory: 256Mi
+      memory: 500Mi
     requests:
       cpu: 256m
       memory: 128Mi