[nr-ebpf-agent] Unified image for eBPF agent and client (#1985)

kkhandelwal-nr · burhan-nr · web-flow · commit ac983ddf308e · 2025-11-04T19:02:23.000+05:30
#### Is this a new chart No #### What this PR does / why we need it: This PR contains the following changes: - Support to deploy unified image for eBPF agent. - Update init container image to use `agent-base-image-latest`. - Introduced new env `vizierPort` to configure the vizier port. - Support for backward compatibility for older images. #### Which issue this PR fixes *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)* - fixes # #### Special notes for your reviewer: #### Checklist [Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] - [ ] Chart Version bumped - [ ] Variables are documented in the README.md - [ ] Title of the PR starts with chart name (e.g. `[mychartname]`) # Release Notes to Publish (nr-k8s-otel-collector) If this PR contains changes in `nr-k8s-otel-collector`, please complete the following section. All other charts should ignore this section.  ## 🚀 What's Changed * Tell the world about the latest changes in the chart.  --------- Co-authored-by: bsanwarwala <bsanwarwala@newrelic.com>
diff --git a/charts/nr-ebpf-agent/Chart.yaml b/charts/nr-ebpf-agent/Chart.yaml
@@ -13,7 +13,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 
 dependencies:
   - name: common-library
@@ -23,7 +23,7 @@ dependencies:
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.0"
+appVersion: "0.4.0"
 home: https://github.com/newrelic/helm-charts
 sources:
   - https://github.com/newrelic/
diff --git a/charts/nr-ebpf-agent/templates/_helpers.tpl b/charts/nr-ebpf-agent/templates/_helpers.tpl
@@ -62,6 +62,28 @@ Create otel collector receiver endpoint
 {{- printf "dns:///%s.%s.svc.%s:4317" (include "otel-collector.service.name" .) .Release.Namespace .Values.kubernetesClusterDomain }}
 {{- end }}
 
+{{/*
+Validates that user-provided tags don't contain "agent-" prefix for chart version >= 0.4.0
+*/}}
+{{- define "nr-ebpf-agent.imageTag" -}}
+{{- if .Values.ebpfAgent.image.tag -}}
+  {{- if semverCompare ">=0.4.0" .Chart.Version -}}
+    {{- if hasPrefix "agent-" .Values.ebpfAgent.image.tag -}}
+      {{- fail (printf "Error: For chart version %s (>=0.4.0), the ebpfAgent.image.tag should not contain 'agent-' prefix. Please use image tags that do not contain the prefix." .Chart.Version) -}}
+    {{- end -}}
+    {{- .Values.ebpfAgent.image.tag -}}
+  {{- else -}}
+    {{- .Values.ebpfAgent.image.tag -}}
+  {{- end -}}
+{{- else -}}
+  {{- if semverCompare ">=0.4.0" .Chart.Version -}}
+    {{- .Chart.AppVersion -}}
+  {{- else -}}
+    {{- printf "agent-%s" .Chart.AppVersion -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Validate the user inputted quantile when sampling by latency.
 */}}
diff --git a/charts/nr-ebpf-agent/templates/nr-ebpf-agent-daemonset.yaml b/charts/nr-ebpf-agent/templates/nr-ebpf-agent-daemonset.yaml
@@ -40,7 +40,8 @@ spec:
       {{- end }}
       initContainers:
       - name: kernel-header-installer
-        image: docker.io/newrelic/newrelic-ebpf-agent:agent-0.3.0
+        image: docker.io/newrelic/newrelic-ebpf-agent:agent-base-image-latest
+        imagePullPolicy: IfNotPresent
         command:
           - "/bin/bash"
           - "-c"
@@ -70,14 +71,12 @@ spec:
 
       containers:
       - name: nr-ebpf-agent
-        image: {{- if .Values.ebpfAgent.image.tag }}
-          {{ .Values.ebpfAgent.image.repository }}:{{ .Values.ebpfAgent.image.tag }}
-        {{- else }}
-          docker.io/newrelic/newrelic-ebpf-agent:agent-0.3.0
-        {{- end }}
+        image: {{ .Values.ebpfAgent.image.repository }}:{{ include "nr-ebpf-agent.imageTag" . }}
         imagePullPolicy: {{ .Values.ebpfAgent.image.pullPolicy }}
         resources: {{ .Values.ebpfAgent.resources | toYaml | nindent 10 }}
         env:
+          - name: VIZIER_PORT
+            value: "{{ .Values.ebpfAgent.vizierPort | default "12345" }}"
           - name: PL_HOST_PATH
             value: "/host"
           - name: PL_STIRLING_SOURCES
@@ -89,6 +88,16 @@ spec:
             value: "{{ .Values.logLevel }}"
           - name: NEW_RELIC_LOG_FILE_PATH
             value: "{{ .Values.logFilePath }}"
+          - name: NEW_RELIC_LICENSE_KEY
+            valueFrom:
+              secretKeyRef:
+                {{- if (include "newrelic.common.license._licenseKey" .) }}
+                key: NEW_RELIC_LICENSE_KEY
+                name: nr-ebpf-agent-secrets
+                {{- else }}
+                key: {{ include "newrelic.common.license._customSecretKey" . }}
+                name: {{ include "newrelic.common.license._customSecretName" . }}
+                {{- end }}
           - name: TABLE_STORE_DATA_LIMIT_MB
             value: "{{ .Values.tableStoreDataLimitMB }}"
           - name: TLS_ENABLED
@@ -113,32 +122,6 @@ spec:
           - name: DISTRO_KERNEL_HEADERS_PATH
             value: "{{ .Values.ebpfAgent.distroKernelHeadersPath }}"
           {{- end }}
-
-        securityContext:
-          privileged: true
-        volumeMounts:
-          - name: host-root-volume
-            mountPath: /host
-            readOnly: true
-          - name: sys-volume
-            mountPath: /sys
-            readOnly: true
-          {{- if (hasKey .Values "tls") }}
-          {{- if eq .Values.tls.enabled true }}
-          - name: cert
-            mountPath: "{{ .Values.tls.certPath }}/"
-            readOnly: true
-          {{- end }}
-          {{- end }}
-      - name: nr-ebpf-client
-        image: {{- if .Values.ebpfClient.image.tag }}
-          {{ .Values.ebpfClient.image.repository }}:{{ .Values.ebpfClient.image.tag }}
-        {{- else }}
-          docker.io/newrelic/newrelic-ebpf-agent:client-0.3.0
-        {{- end }}
-        imagePullPolicy: {{ .Values.ebpfClient.image.pullPolicy }}
-        resources: {{ .Values.ebpfClient.resources | toYaml | nindent 10 }}
-        env:
           - name: DEPLOYMENT_NAME
             value: {{ .Values.cluster }}
           - name: HOST_IP
@@ -147,8 +130,6 @@ spec:
                 fieldPath: status.hostIP
           - name: OTLP_ENDPOINT
             value: {{ include "nr-otel-collector-receiver.endpoint" .}}
-          - name: PL_STIRLING_SOURCES
-            value: "{{ .Values.stirlingSources | default "socket_tracer,tcp_stats" }}"
           {{- include "generateClientScriptEnvVars" . | nindent 10 }}
           {{- if (hasKey .Values.protocols.http "spans") }}
           {{- if .Values.protocols.http.spans.samplingErrorRate}}
@@ -157,44 +138,27 @@ spec:
             value: "{{ .Values.protocols.http.spans.samplingErrorRate | default "0"}}"
           {{- end }}
           {{- end }}
-          - name: KUBERNETES_CLUSTER_DOMAIN
-            value: "{{ .Values.kubernetesClusterDomain }}"
           - name: NAMESPACE
             value: {{ .Release.Namespace }}
           - name: AGENT_SERVICE_NAME
             value: {{ include "nr-ebpf-agent.service.name" . }}
-          # TODO(kpattaswamy): Once we implement TLS, we should make this configurable again
           - name: IS_INSECURE
             value: "True"
-          - name: NEW_RELIC_LOG_LEVEL
-            value: "{{ .Values.logLevel }}"
-          - name: NEW_RELIC_LOG_FILE_PATH
-            value: "{{ .Values.logFilePath }}"
-          - name: NEW_RELIC_LICENSE_KEY
-            valueFrom:
-              secretKeyRef:
-                {{- if (include "newrelic.common.license._licenseKey" .) }}
-                key: NEW_RELIC_LICENSE_KEY
-                name: nr-ebpf-agent-secrets
-                {{- else }}
-                key: {{ include "newrelic.common.license._customSecretKey" . }}
-                name: {{ include "newrelic.common.license._customSecretName" . }}
-                {{- end }}
-          - name: TLS_ENABLED
-          {{- if (hasKey .Values "tls") }}
-            {{- if eq .Values.tls.enabled true }}
-            value: "true"
-            {{- else }}
-            value: "false"
-            {{- end }}
-        {{- if eq .Values.tls.enabled true }}
-          - name: TLS_CERT_PATH
-            value: "{{ .Values.tls.certPath }}/"
+        securityContext:
+          privileged: true
         volumeMounts:
+          - name: host-root-volume
+            mountPath: /host
+            readOnly: true
+          - name: sys-volume
+            mountPath: /sys
+            readOnly: true
+          {{- if (hasKey .Values "tls") }}
+          {{- if eq .Values.tls.enabled true }}
           - name: cert
             mountPath: "{{ .Values.tls.certPath }}/"
             readOnly: true
-        {{- end }}
+          {{- end }}
           {{- end }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
diff --git a/charts/nr-ebpf-agent/templates/otel-collector-daemonset.yaml b/charts/nr-ebpf-agent/templates/otel-collector-daemonset.yaml
@@ -47,11 +47,11 @@ spec:
         securityContext:
           {{- . | nindent 12 }}
         {{- end }}
-        image: {{- if .Values.otelCollector.image.tag }}
+        image: {{ if .Values.otelCollector.image.tag -}}
           {{ .Values.otelCollector.image.repository }}:{{ .Values.otelCollector.image.tag }}
-          {{- else }}
-          docker.io/newrelic/newrelic-ebpf-agent:nr-ebpf-otel-collector_0.0.1
-          {{- end }}
+        {{ else -}}
+          {{ .Values.otelCollector.image.repository }}:nr-ebpf-otel-collector_0.0.1
+        {{ end -}}
         imagePullPolicy: {{ .Values.otelCollector.image.pullPolicy }}
         resources: {{- toYaml .Values.otelCollector.resources | nindent 10}}
         ports:
diff --git a/charts/nr-ebpf-agent/values.yaml b/charts/nr-ebpf-agent/values.yaml
@@ -124,6 +124,8 @@ ebpfAgent:
   podSecurityContext: {}
   # -- Sets ebpfAgent pod containerSecurityContext. Overrides `containerSecurityContext` and `global.securityContext.container`
   containerSecurityContext: {}
+  # Vizier server port on which agent receives pxl scripts from the client. Default to 12345
+  vizierPort: ""
   # Sets the absolute path of the complete directory where the required linux headers are manually downloaded and placed for the eBPF agent to use.
   # This is useful under restricted environments where agent is not able to download required linux headers. The required headers are identified by the agent based on the kernel version.
   # The absolute path in case of K8s should also be prepended with /host when necessary.
@@ -134,26 +136,6 @@ ebpfAgent:
   # ---- USE ONLY AFTER NEW RELIC SUPPORT RECOMMENDATION. ----
   distroKernelHeadersPath: ""
 
-
-# Configuration to apply on the eBPF client daemonset.
-ebpfClient:
-  image:
-    # -- eBPF client image to be deployed.
-    repository: docker.io/newrelic/newrelic-ebpf-agent
-    # -- The pull policy is defaulted to IfNotPresent, which skips pulling an image if it already exists. If pullPolicy is defined without a specific value, it is set to Always.
-    pullPolicy: IfNotPresent
-    # -- The tag of the eBPF client image to be deployed.
-    tag: ""
-  resources:
-    limits:
-      # -- Max memory allocated to the container.
-      memory: 100Mi
-    requests:
-      # -- Min CPU allocated to the container.
-      cpu: 50m
-      # -- Min memory allocated to the container.
-      memory: 50Mi
-
 # Configuration to apply on the OpenTelemetry collector daemonset.
 otelCollector:
   image:
@@ -166,9 +148,9 @@ otelCollector:
   resources:
     limits:
       # -- Max CPU allocated to the container.
-      cpu: 100m
+      cpu: 200m
       # -- Max memory allocated to the container.
-      memory: 200Mi
+      memory: 500Mi
     requests:
       # -- Min CPU allocated to the container.
       cpu: 100m
