newrelic/k8s-metadata-injectionPublic

NotificationsYou must be signed in to change notification settings
Fork19
Star29

Kubernetes metadata injection for New Relic APM to make a linkage between APM and Infrastructure data.

License

Apache-2.0 license

29 stars 19 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 737 Commits
.github		.github
charts/nri-metadata-injection		charts/nri-metadata-injection
cmd/server		cmd/server
docs		docs
e2e-tests		e2e-tests
src/server		src/server
.gitignore		.gitignore
.golangci.yml		.golangci.yml
.trivyignore		.trivyignore
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
Dockerfile		Dockerfile
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
THIRD_PARTY_NOTICES.md		THIRD_PARTY_NOTICES.md
entrypoint.sh		entrypoint.sh
go.mod		go.mod
go.sum		go.sum
openapi.yaml		openapi.yaml

Repository files navigation

Kubernetes Metadata injection for New Relic APM agents

Documentation

If you wish to read higher-level documentation about this project, please, visit theofficial documentation site.

How does it work?

New Relic APM agents requires the following environment variables to provide Kubernetes object information in the context of an specific application distributed trace, transaction trace or error trace.

NEW_RELIC_METADATA_KUBERNETES_CLUSTER_NAME
NEW_RELIC_METADATA_KUBERNETES_NODE_NAME
NEW_RELIC_METADATA_KUBERNETES_NAMESPACE_NAME
NEW_RELIC_METADATA_KUBERNETES_DEPLOYMENT_NAME
NEW_RELIC_METADATA_KUBERNETES_POD_NAME
NEW_RELIC_METADATA_KUBERNETES_CONTAINER_NAME
NEW_RELIC_METADATA_KUBERNETES_CONTAINER_IMAGE_NAME

These environment variables are automatically injected in the pods using a MutatingAdmissionWebhook provided by this project.

Please refer to theofficial documentation to learn more about the reasoning behind this project.

Helm chart

You can install this integration usingnri-bundle helm chart located in thehelm-charts repository or directly from this repository by adding this Helm repository:

helm repo add nri-metadata-injection https://newrelic.github.io/k8s-metadata-injectionhelm upgrade --install nri-metadata-injection/nri-metadata-injection -f your-custom-values.yaml

For further information of the configuration needed for the chart just read thechart's README.

Development

Prerequisites

For the development processMinikube andSkaffold tools are used.

Currently the project compiles withGo 1.11.4.

Dependency management

Go modules are used for managing dependencies. This project does not need to be in your GOROOT, if you wish so.

Currently for K8s libraries it uses version 1.13.1. Only couple of libraries are direct dependencies, the rest are indirect. You need to point all of them to the same K8s version to make sure that everything works as expected. For the moment this process is manual.

Configuration

Copy the deployment filedeploy/newrelic-metadata-injection.yaml todeploy/local.yaml.
Edit the file and set the following value as container image:internal/k8s-metadata-injector.
Make sure thatimagePullPolicy: Always is not present in the file (otherwise, the image won't be pulled).

Run

Runskaffold run. This will build a docker image, build the webhook server inside it, and finally deploy the webhook server to your Minikube and use the Kubernetes API server to sign its TLS certificate (see section about certificates).

To follow the logs, you can runskaffold run --tail. To delete the resources created by Skaffold you can runskaffold delete.

If you would like to enable automatic redeploy on changes to the repository, you can runskaffold dev. It automatically tails the logs and delete the resources when interrupted (i.e. with aCtrl + C).

Tests

For running unit tests, use

maketest

For running benchmark tests, use:

make benchmark-test

There are also some basic E2E tests, they are prepared to run usingMinikube. To run them, execute:

make e2e-test

The e2e tests make the assumption that you are running on an AMD system so in case the test doesn't generate the needed binary, run the below command.For instance if you run on an M2 mac arm64 is the target arch but it is not made by default.

make compile-multiarch

You can specify against which version of K8s you want to execute the tests:

E2E_KUBERNETES_VERSION=v1.10.0 E2E_START_MINIKUBE=yes make e2e-test

API Documentation

Please use theOpen Api 3.0 spec file as documentation reference. Note that it describes the schema of the requests the webhook server replies to. This schema depends on the currently supported Kubernetes versions.

You can go toeditor.swagger.io and paste its contents there to see a rendered version.

Performance

Please refer todocs/performance.md.

Certificates management

Admission webhooks are called by the Kubernetes API server and it needs to authenticate the webhooks using TLS. In this project we offer 2 different options of certificate management.

Either certificate management choice made, the important thing is to have the secret created with the correct name and namespace, and also to have the correct CA bundle in the MutatingWebhookConfiguration resource. As long as this is done the webhook server will be able to pick it up.

Automatic

Please refer to thesetup instructions in the official documentation.

For the automatic certificate management, thek8s-webhook-cert-manager is used. Feel free to check the repository to know more about it.

The manifest file atdeploy/job.yaml contains a service account that has the followingcluster permissions (RBAC based) to be capable of automatically manage the certificates:

MutatingWebhookConfiguration -get,create andpatch: to be able to create the webhook and patch its CA bundle.
CertificateSigningRequests -create,get anddelete: to be able to sign the certificate required for the webhook server without leaving duplicates.
CertificateSigningRequests/Approval -update: to be able to approve CertificateSigningRequests.
Secrets -create,get andpatch: to be able to manage the TLS secret used to store the key/cert pair used in the webhook server.
ConfigMaps -get: to be able go get the k8s api server's CA bundle, used in the MutatingWebhookConfiguration.

If you wish to learn more about TLS certificates management inside Kubernetes, check outthe official documentation for Managing TLS Certificates in a Cluster.

Custom

Otherwise, if you want to use the custom certificate management option you have to create the TLS secret with the signed certificate/key pair and patch the webhook's CA bundle:

$ kubectl create secret tls newrelic-metadata-injection-secret \      --key=server-key.pem \      --cert=signed-server-cert.pem \      --dry-run -o yaml|  kubectl -n default apply -f -$ caBundle=$(cat caBundle.pem| base64| td -d'\n')$ kubectl patch mutatingwebhookconfiguration newrelic-metadata-injection-cfg --type='json' -p"[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${caBundle}'}]"

Release a new version

Update the version indeploy/newrelic-metadata-injection.yaml.
Update the version inWEBHOOK_DOCKER_IMAGE_TAG in theMakefile.
Create a Github release.
Launch thek8s-metadata-injection-release job in Jenkins.

Support

Should you need assistance with New Relic products, you are in good hands with several support diagnostic tools and support channels.

New Relic offers NRDiag,a client-side diagnostic utility that automatically detects common problems with New Relic agents. If NRDiag detects a problem, it suggests troubleshooting steps. NRDiag can also automatically attach troubleshooting data to a New Relic Support ticket. Remove this section if it doesn't apply.

If the issue has been confirmed as a bug or is a feature request, file a GitHub issue.

Support Channels

New Relic Documentation: Comprehensive guidance for using our platform
New Relic Community: The best place to engage in troubleshooting questions
New Relic Developer: Resources for building a custom observability applications
New Relic University: A range of online training for New Relic users of every level
New Relic Technical Support 24/7/365 ticketed support. Read more about ourTechnical Support Offerings.

Privacy

At New Relic we take your privacy and the security of your information seriously, and are committed to protecting your information. We must emphasize the importance of not sharing personal data in public forums, and ask all users to scrub logs and diagnostic information for sensitive information, whether personal, proprietary, or otherwise.

We define “Personal Data” as any information relating to an identified or identifiable individual, including, for example, your name, phone number, post code or zip code, Device ID, IP address, and email address.

For more information, reviewNew Relic’s General Data Privacy Notice.

Contribute

We encourage your contributions to improve this project! Keep in mind that when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project.

If you have any questions, or to execute our corporate CLA (which is required if your contribution is on behalf of a company), drop us an email atopensource@newrelic.com.

A note about vulnerabilities

As noted in oursecurity policy, New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.

If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic throughHackerour bug bounty program.

If you would like to contribute to this project, reviewthese guidelines.

To all contributors, we thank you! Without your contribution, this project would not be what it is today.