[super-agent-deployment]: add authSecret configuration and validation (…

…#1393)

<!--
Thank you for contributing to New Relic's Helm charts. Before you submit
this PR we'd like to
make sure you are aware of our technical requirements:

*
https://github.com/newrelic-experimental/helm-charts/blob/master/CONTRIBUTING.md#technical-requirements

For a quick overview across what we will look at reviewing your PR,
please read
our review guidelines:

*
https://github.com/newrelic-experimental/helm-charts/blob/master/REVIEW_GUIDELINES.md

Following our best practices right from the start will accelerate the
review process and
help get your PR merged quicker.

When updates to your PR are requested, please add new commits and do not
squash the
history. This will make it easier to identify new changes. The PR will
be squashed
anyways when it is merged. Thanks.

For fast feedback, please @-mention maintainers that are listed in the
Chart.yaml file.

Please make sure you test your changes before you push them. Once
pushed, a Github Action
will run across your changes and do some initial checks and linting.
These checks run
very quickly. Please check the results. We would like these checks to
pass before we
even continue reviewing your changes.
-->
#### Is this a new chart
no

#### What this PR does / why we need it:

This PR introduces a new configuration option for managing
authentication secrets within the Helm chart:

1. **authSecret Configuration**: Added to the values.yaml, allowing
users to specify and create an authentication secret.
2. **Helper Function**: Ensures auth_key is provided when
authSecret.create is true, preventing misconfigurations.
3. **Deployment Template Updates**: Includes the new authSecret in the
deployment, ensuring it is correctly mounted.
4. **Helm Unittest**: Added test cases to validate the correct creation,
mounting, and error handling of authSecret.

Please review the changes and let me know if any adjustments are needed

#### Which issue this PR fixes
*(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)`
format, will close that issue when PR gets merged)*
  - fixes #

#### Special notes for your reviewer:

#### Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove
unrelated fields.]
- [x] Chart Version bumped
- [x] Variables are documented in the README.md
- [x] Title of the PR starts with chart name (e.g. `[mychartname]`)

charts/super-agent-deployment/Chart.yaml

@@ -4,8 +4,8 @@ description: A Helm chart to install New Relic Super agent on Kubernetes
 
 type: application
 
-version: 0.0.16-beta
-appVersion: 0.14.0
+version: 0.0.17-beta
+appVersion: 0.16.0
 
 dependencies:
   - name: common-library

charts/super-agent-deployment/README.md

@@ -2,7 +2,7 @@
 
 # super-agent-deployment
 
-![Version: 0.0.16-beta](https://img.shields.io/badge/Version-0.0.16--beta-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.13.1](https://img.shields.io/badge/AppVersion-0.13.1-informational?style=flat-square)
+![Version: 0.0.17-beta](https://img.shields.io/badge/Version-0.0.17--beta-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
 
 A Helm chart to install New Relic Super agent on Kubernetes
 
@@ -35,6 +35,7 @@ At the point of the creation of the chart, it has no particularities and this se
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Sets pod/node affinities. Can be configured also with `global.affinity` |
+| authSecret | object | `{"create":false}` | Settings controlling authentication secret creation. If `create` is true, a Kubernetes secret will be created containing a key named `auth_key`. This secret will be mounted in the deployment pod at the path `/etc/newrelic-super-agent/auth_key` for authentication purposes. |
 | cleanupManagedResources | bool | `true` | Enable the cleanup of super-agent managed resources when the chart is uninstalled. If disabled, agents and / or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled. |
 | cluster | string | `""` | TODO: Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`. |
 | config.subAgents | object | See `values.yaml` for examples | Values that the fleet is going to have in the deployment. |

charts/super-agent-deployment/README.md.gotmpl

@@ -3,8 +3,6 @@
 {{ template "chart.header" . }}
 {{ template "chart.deprecationWarning" . }}
 
-{{ template "chart.badgesSection" . }}
-
 {{ template "chart.description" . }}
 
 {{ template "chart.homepageLine" . }}

charts/super-agent-deployment/templates/_helpers.tpl

@@ -52,3 +52,32 @@ readOnlyRootFilesystem: true
     {{- toYaml $defaults -}}
 {{- end -}}
 {{- end -}}
+
+{{- /*
+Check if authSecret.create is explicitly set to true. If authSecret is not empty and create is not defined, default it to false.
+*/ -}}
+{{- define "newrelic-super-agent.shouldCreateAuthSecret" -}}
+{{- $authSecret := .Values.authSecret }}
+{{- if and (hasKey $authSecret "create") }}
+  {{- toYaml $authSecret.create -}}
+{{- else if not (empty $authSecret) }}
+  {{- toYaml false -}}
+{{- else }}
+  {{- toYaml false -}}
+{{- end }}
+{{- end -}}
+
+{{- /*
+Check if authSecret.data and auth_key are provided. Fail if not.
+*/ -}}
+{{- define "newrelic-super-agent.authSecret.validateData" -}}
+{{- $authSecret := .Values.authSecret }}
+{{- if and $authSecret (not (empty $authSecret)) }}
+  {{- if not $authSecret.data }}
+    {{- fail "authSecret.data must be provided when authSecret.create is true" }}
+  {{- end }}
+  {{- if not $authSecret.data.auth_key }}
+    {{- fail "auth_key must be provided when authSecret.create is true" }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/super-agent-deployment/templates/auth-secret.yaml

@@ -0,0 +1,10 @@
+{{- if eq (include "newrelic-super-agent.shouldCreateAuthSecret" .) "true" }}
+{{- include "newrelic-super-agent.authSecret.validateData" . }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.authSecret.name | default (include "newrelic.common.naming.fullname" .) }}
+type: Opaque
+data:
+  auth_key: {{ .Values.authSecret.data.auth_key | b64enc }}
+{{- end }}

charts/super-agent-deployment/templates/deployment-superagent.yaml

@@ -75,6 +75,11 @@ spec:
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+            {{- if eq (include "newrelic-super-agent.shouldCreateAuthSecret" .) "true" }}
+            - name: auth-secret-volume
+              mountPath: "/etc/newrelic-super-agent"
+              readOnly: true
+            {{- end }}
 
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -90,6 +95,11 @@ spec:
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- if eq (include "newrelic-super-agent.shouldCreateAuthSecret" .) "true" }}
+        - name: auth-secret-volume
+          secret:
+            secretName: {{ .Values.authSecret.name | default .Release.Name }}
+        {{- end }}
 
       {{- with include "newrelic.common.nodeSelector" . }}
       nodeSelector:

charts/super-agent-deployment/tests/auth_secret_test.yaml

@@ -0,0 +1,128 @@
+suite: test super agent deployment's authSecret configurations
+templates:
+  - templates/auth-secret.yaml
+  - templates/configmap-superagent-config.yaml
+  - templates/configmap-subagent-configs.yaml
+  - templates/deployment-superagent.yaml
+release:
+  name: my-release
+  namespace: my-namespace
+
+tests:
+  - it: authSecret is created and mounted correctly
+    set:
+      cluster: test
+      authSecret:
+        create: true
+        name: auth-credentials
+        data:
+          auth_key: test-key
+    asserts:
+      - template: templates/deployment-superagent.yaml
+        equal:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            - name: super-agent-config
+              mountPath: /etc/newrelic-super-agent
+              readOnly: true
+            - mountPath: /var/lib/newrelic-super-agent
+              name: var-lib-newrelic-super-agent
+              readOnly: false
+            - name: auth-secret-volume
+              mountPath: /etc/newrelic-super-agent
+              readOnly: true
+      - template: templates/deployment-superagent.yaml
+        equal:
+          path: spec.template.spec.volumes
+          value:
+            - name: super-agent-config
+              configMap:
+                name: local-data-super-agent
+                items:
+                  - key: local_config
+                    path: config.yaml
+            - name: var-lib-newrelic-super-agent
+              emptyDir: {}
+            - name: auth-secret-volume
+              secret:
+                secretName: auth-credentials
+      - template: templates/auth-secret.yaml
+        equal:
+          path: metadata.name
+          value: auth-credentials
+      - template: templates/auth-secret.yaml
+        equal:
+          path: data.auth_key
+          value: dGVzdC1rZXk= # base64 for "test-key"
+
+  - it: no mount and secret is created when authSecret.create is false
+    set:
+      cluster: test
+      authSecret:
+        create: false
+    asserts:
+      - template: templates/deployment-superagent.yaml
+        notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            name: auth-secret-volume
+      - template: templates/deployment-superagent.yaml
+        notContains:
+          path: spec.template.spec.volumes
+          value:
+            name: auth-secret-volume
+
+  - it: authSecret is empty and defaults to authSecret.create=false
+    set:
+      cluster: test
+      authSecret:
+    asserts:
+      - template: templates/deployment-superagent.yaml
+        notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            name: auth-secret-volume
+      - template: templates/deployment-superagent.yaml
+        notContains:
+          path: spec.template.spec.volumes
+          value:
+            name: auth-secret-volume
+
+  - it: authSecret create is empty with other fields set and defaults to authSecret.create=false
+    set:
+      cluster: test
+      authSecret:
+        name: test
+    asserts:
+      - template: templates/deployment-superagent.yaml
+        notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            name: auth-secret-volume
+      - template: templates/deployment-superagent.yaml
+        notContains:
+          path: spec.template.spec.volumes
+          value:
+            name: auth-secret-volume
+
+  - it: authSecret creation fails when data is not provided
+    set:
+      cluster: test
+      authSecret:
+        create: true
+    asserts:
+      - template: templates/auth-secret.yaml
+        failedTemplate:
+          errorMessage: authSecret.data must be provided when authSecret.create is true
+
+  - it: authSecret creation fails when no auth_key is provided
+    set:
+      cluster: test
+      authSecret:
+        create: true
+        data:
+          auth_key:
+    asserts:
+      - template: templates/auth-secret.yaml
+        failedTemplate:
+          errorMessage: auth_key must be provided when authSecret.create is true

charts/super-agent-deployment/values.yaml

@@ -84,8 +84,9 @@ customAttributes: {}
 proxy: ""
 
 # -- (bool) Send the metrics to the staging backend. Requires a valid staging license key. Can be configured also with `global.nrStaging`
+# When enabled, in case `authSecret.create` is set to `true`, OpAMP `endpoint` and auth `token_url` need to be updated.
 # @default -- `false`
-nrStaging:
+nrStaging:  # TODO: Update OpAMP `endpoint` and auth `token_url` for staging and Europe when nrStaging is enabled.
 
 fedramp:
   # -- (bool) TODO: Enables FedRAMP. Can be configured also with `global.fedramp.enabled`
@@ -100,6 +101,18 @@ verboseLog:
 # If disabled, agents and / or agent configurations managed by the super-agent will not be deleted when the chart is uninstalled.
 cleanupManagedResources: true
 
+# -- Settings controlling authentication secret creation.
+# If `create` is true, a Kubernetes secret will be created containing a key named `auth_key`.
+# This secret will be mounted in the deployment pod at the path `/etc/newrelic-super-agent/auth_key`
+# for authentication purposes.
+authSecret:
+  create: false
+  # -- The name of the Kubernetes secret to use or create.
+  # name: auth-secret
+  # -- Data to include in the secret. The key should be an RSA256 value.
+  # data:
+  #   auth_key: ""
+
 config:
   # -- Configuration for the Super Agent.
   # @default -- See `values.yaml`
@@ -116,6 +129,11 @@ config:
       #    endpoint: https://opamp.service.newrelic.com/v1/opamp
       #    headers:
       #      api-key: LICENSE_KEY
+      #    auth_config:
+      #      token_url: "http://fake.com/oauth2/v1/token"
+      #      client_id: "fake"
+      # -- Note: To use the authentication configuration, ensure authSecret.create is set to true.
+
       #  -- This option enables a status server that can be useful for troubleshooting.
       #  -- Port-forward it `$ kubectl port-forward pod/{pod-name} 51200:51200`
       #  -- And query it as `$ curl localhost:51200/status`