Skip to content

feat(nr-ebpf-agent): support global.images registry, pullSecrets, and pullPolicy #2004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat(nr-ebpf-agent): support global.images registry, pullSecrets, and pullPolicy #2004

wants to merge 4 commits into from

Conversation

@dpacheconr
Copy link
Contributor

@dpacheconr dpacheconr commented Nov 14, 2025
edited
Loading

Summary

Add support for cascading registry, pullSecrets, and pullPolicy from global settings to nr-ebpf-agent.

Phase 1: Global.Images.Registry Support ✅

  • Updated values.yaml with clarifying comments for all 3 images
  • Added kernelHeaderInstaller configuration (previously hardcoded)
  • Added helpers to _helpers.tpl for all 3 images
  • Updated both daemonset templates to use new image helpers

Phase 2: Global.Images.PullSecrets Support ✅

  • Updated both daemonsets (nr-ebpf-agent-daemonset.yaml, otel-collector-daemonset.yaml)
  • Both use common library renderPullSecrets helper with concat
  • Global and chart-level pullSecrets are concatenated together

Phase 3: Global.Images.PullPolicy Support ✅ (NEW)

  • Added pullPolicy helpers to _helpers.tpl for all 3 images
  • Updated both daemonsets to use pullPolicy helpers
  • Configuration respects hierarchy: global setting → chart-level setting → default (IfNotPresent)

Configuration Hierarchy

For Image Registry:

  1. global.images.registry (if set AND repository matches default)
  2. Explicit repository configuration (takes precedence)

For ImagePullSecrets:

  1. global.images.pullSecrets (highest priority)
  2. Chart-level pullSecrets
    Both sources are concatenated to support flexible secret management.

For ImagePullPolicy:

  1. global.images.pullPolicy (highest priority)
  2. Chart-level image pullPolicy
  3. Default: IfNotPresent

Implementation Details

Images covered:

  • Kernel header installer init container

  • eBPF agent main container

  • OpenTelemetry collector container

  • If global.images.registry is set AND repository matches default, uses global registry

  • If repository is explicitly set to custom value, that takes precedence

  • If global registry is not set, defaults to original docker.io paths

  • kernel-header-installer is now configurable (was previously hardcoded)

  • PullPolicy hierarchy ensures global settings cascade down when no explicit chart configuration is provided

Test Plan

Phase 1 (Registry):

  • ✓ Global registry is used when set: my.private.registry.com/newrelic/newrelic-ebpf-agent
  • ✓ Defaults to docker.io when global registry not configured
  • ✓ Explicit repository configuration overrides global
  • ✓ All 3 images respect the same configuration hierarchy

Phase 2 (PullSecrets):

  • ✓ No pullSecrets set → No imagePullSecrets section rendered
  • ✓ Global pullSecrets only → Uses global across all daemonsets
  • ✓ Both global + chart pullSecrets → Uses both (global items first)

Phase 3 (PullPolicy):

  • ✓ Global pullPolicy is used when set and no chart-level policy exists
  • ✓ Defaults to IfNotPresent when neither global nor chart policy is set
  • ✓ Explicit chart-level pullPolicy overrides global setting

Impact

Once merged, users can now configure nr-ebpf-agent with comprehensive global image settings:

```yaml
global:
images:
registry: "my.private.registry.com"
pullSecrets:
- name: my-registry-credentials
pullPolicy: Always
```

@dpacheconr dpacheconr requested a review from a team as a code owner November 14, 2025 13:43
@dpacheconr dpacheconr mentioned this pull request Nov 14, 2025
Closed
@dpacheconr dpacheconr requested a review from a team as a code owner November 14, 2025 16:30
@dpacheconr dpacheconr force-pushed the support/nr-ebpf-agent-final branch 3 times, most recently from d194a94 to a5fb434 Compare November 14, 2025 17:58
@dpacheconr dpacheconr changed the title feat(nr-ebpf-agent): support global.images.registry for all container images feat(nr-ebpf-agent): support global.images registry, pullSecrets, and pullPolicy Nov 14, 2025
@dpacheconr dpacheconr force-pushed the support/nr-ebpf-agent-final branch from a5fb434 to 6e8a4f8 Compare November 14, 2025 18:04
@dpacheconr
feat(nr-ebpf-agent): support global.images.registry for all container…
7c5c077 
… images

Make all nr-ebpf-agent container images respect the global.images.registry
setting, enabling consistent private registry configuration across nri-bundle.

Changes:
- Updated values.yaml with clarifying comments for all 3 images
- Added kernelHeaderInstaller configuration (previously hardcoded)
- Added helpers to _helpers.tpl for all 3 images
- Updated both daemonset templates to use new image helpers

Implementation details:
- If global.images.registry is set AND repository matches default, uses global registry
- If repository is explicitly set to custom value, that takes precedence
- If global registry is not set, defaults to original docker.io paths
- kernel-header-installer is now configurable (was previously hardcoded)
@dpacheconr
feat(nr-ebpf-agent): add global.images.pullSecrets support to daemonsets
6116d96 
Update imagePullSecrets handling to cascade from global.images.pullSecrets:
- Updated both daemonsets (nr-ebpf-agent-daemonset.yaml, otel-collector-daemonset.yaml)
- Both use common library renderPullSecrets helper with concat
- Global and chart-level pullSecrets are concatenated together

Configuration hierarchy:
1. global.images.pullSecrets (highest priority)
2. Chart-level pullSecrets
Both sources are concatenated to support flexible secret management.
@dpacheconr
feat(nr-ebpf-agent): add global.images.pullPolicy support
bf93d6b 
Add support for cascading pullPolicy from global.images.pullPolicy setting:
- Added pullPolicy helpers to _helpers.tpl for all 3 images
- Updated both daemonsets to use pullPolicy helpers

Configuration hierarchy for pullPolicy:
1. global.images.pullPolicy (highest priority)
2. Chart-level image.pullPolicy
3. Default: IfNotPresent

Users can now configure pull policy globally:
  global:
    images:
      pullPolicy: Always
@dpacheconr dpacheconr force-pushed the support/nr-ebpf-agent-final branch from 6e8a4f8 to bf93d6b Compare November 14, 2025 18:18
@dpacheconr
fix(nr-ebpf-agent): remove docker.io prefix from image repositories t…
b9cafe3 
…o enable global.images.registry

- Remove docker.io/ prefix from ebpfAgent.image.repository
- Remove docker.io/ prefix from ebpfAgent.kernelHeaderInstaller.repository
- Remove docker.io/ prefix from otelCollector.image.repository

The docker.io/ prefix prevents common-library helpers from correctly
applying global.images.registry. This fix enables air-gapped/private
registry support that was implemented in the template helpers.

Without this fix, global registry results in double-prefix:
  harbor.corp.net/docker.io/newrelic/newrelic-ebpf-agent

With this fix, global registry works correctly:
  harbor.corp.net/newrelic/newrelic-ebpf-agent
dpacheconr added a commit to dpacheconr/helm-charts that referenced this pull request Nov 28, 2025
@dpacheconr
feat: add comprehensive global value inheritance support and test cov…
736db0c 
…erage

- Add support for global.serviceAccount.annotations for IAM roles (IRSA/Workload Identity/Pod Identity)
- Add 24 comprehensive unit tests validating global value inheritance
- Tests cover: images, serviceAccount, labels, podLabels, nodeSelector, tolerations, affinity, priorityClassName, dnsConfig, pullSecrets, privileged mode

Note: Requires PR newrelic#2004 to be merged first for global.images.registry support

Test Results: 24/24 passing (100%)
- All global value inheritance scenarios validated
- Override precedence working correctly
- Backward compatibility maintained
@dpacheconr dpacheconr mentioned this pull request Nov 28, 2025
Open
dpacheconr added a commit to dpacheconr/helm-charts that referenced this pull request Nov 28, 2025
@dpacheconr
feat: add comprehensive global value inheritance support and test cov…
26ef441 
…erage

- Add support for global.serviceAccount.annotations for IAM roles (IRSA/Workload Identity/Pod Identity)
- Add 24 comprehensive unit tests validating global value inheritance
- Tests cover: images, serviceAccount, labels, podLabels, nodeSelector, tolerations, affinity, priorityClassName, dnsConfig, pullSecrets, privileged mode

Note: Requires PR newrelic#2004 to be merged first for global.images.registry support

Test Results: 24/24 passing (100%)
- All global value inheritance scenarios validated
- Override precedence working correctly
- Backward compatibility maintained
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dpacheconr