PolarSignals Agent Terraform
// Names and labels shared by every resource in this module.
locals {
  // Workload name; also the value of the "instance" and "name" labels.
  name = "parca-agent"

  // Image is pinned by digest (not tag) so the deployed bytes cannot change
  // underneath the version label below.
  image = "ghcr.io/parca-dev/parca-agent@${var.image_digest}"

  // Immutable labels used to *select* pods (DaemonSet selector, NetworkPolicy).
  // Changing these after creation would orphan existing pods.
  selector_labels = {
    "app.kubernetes.io/name"      = local.name
    "app.kubernetes.io/instance"  = local.name
    "app.kubernetes.io/component" = "observability"
  }

  // Full label set: selector labels plus the (mutable) version label.
  labels = merge(local.selector_labels, {
    "app.kubernetes.io/version" = var.image_version
  })
}
// Namespace for the agent. Pod Security Admission is set to "privileged" in
// all three modes because the DaemonSet runs a privileged, host-PID
// container, which the "baseline" and "restricted" profiles would reject.
resource "kubernetes_namespace" "parca" {
  metadata {
    name = var.namespace
    labels = {
      for mode in ["audit", "enforce", "warn"] :
      "pod-security.kubernetes.io/${mode}" => "privileged"
    }
  }
}
// Secret holding the PolarSignals bearer token. The DaemonSet's "token"
// volume projects the `token` key under /var/parca-agent, which is the path
// passed to --remote-store-bearer-token-file.
resource "kubernetes_secret" "token" {
  metadata {
    namespace = kubernetes_namespace.parca.id
    name      = local.name
  }

  // "Opaque" is the provider default; stated explicitly for readers.
  type = "Opaque"

  data = {
    token = var.token
  }
}
// Read-only cluster role for the agent: list/watch pods (to attribute
// profiles to workloads) and get nodes. No write verbs are granted.
resource "kubernetes_cluster_role" "cluster_watcher" {
  metadata {
    labels = local.labels
    name   = local.name
  }

  rule {
    verbs      = ["list", "watch"]
    resources  = ["pods"]
    api_groups = [""]
  }

  rule {
    verbs      = ["get"]
    resources  = ["nodes"]
    api_groups = [""]
  }
}
// Binds the read-only cluster_watcher role to the agent's ServiceAccount.
// A ClusterRoleBinding is needed because the role reads pods in every
// namespace, not just the agent's own.
resource "kubernetes_cluster_role_binding" "cluster_watcher" {
  metadata {
    labels = local.labels
    name   = local.name
  }

  subject {
    namespace = kubernetes_namespace.parca.id
    name      = local.name
    kind      = "ServiceAccount"
  }

  role_ref {
    name      = kubernetes_cluster_role.cluster_watcher.metadata[0].name
    kind      = "ClusterRole"
    api_group = "rbac.authorization.k8s.io"
  }
}
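// One agent pod per Linux node. The container runs privileged and shares the
// host PID namespace so it can observe every process on the node; it is
// effectively root on the host, so keep the RBAC and NetworkPolicy around it
// tight. The root filesystem is read-only and every writable path is an
// explicit entry of var.volumes.
resource "kubernetes_daemonset" "agent" {
  metadata {
    name      = local.name
    namespace = kubernetes_namespace.parca.id
    labels    = local.labels
  }

  spec {
    selector {
      match_labels = local.selector_labels
    }

    template {
      metadata {
        labels = local.labels
      }

      spec {
        service_account_name = kubernetes_service_account.agent.metadata[0].name
        host_pid             = true
        node_selector        = { "kubernetes.io/os" = "linux" }

        // Schedule onto every node, including tainted control-plane nodes.
        dynamic "toleration" {
          for_each = ["NoSchedule", "NoExecute"]
          content {
            operator = "Exists"
            effect   = toleration.value
          }
        }

        container {
          name  = local.name
          image = local.image
          args = [
            "/bin/parca-agent",
            "--log-level=info",
            "--node=$(NODE_NAME)",
            "--remote-store-address=grpc.polarsignals.com:443",
            "--remote-store-bearer-token-file=/var/parca-agent/token",
            "--debuginfo-strip",
            "--debuginfo-temp-dir=/tmp",
            "--debuginfo-upload-cache-duration=5m",
          ]

          // Expanded into "--node=$(NODE_NAME)" above by the kubelet.
          env {
            name = "NODE_NAME"
            value_from {
              field_ref { field_path = "spec.nodeName" }
            }
          }

          port {
            name           = "http"
            container_port = 7071
          }

          liveness_probe {
            http_get {
              path = "/healthy"
              port = "http"
            }
          }

          readiness_probe {
            http_get {
              path = "/ready"
              port = "http"
            }
          }

          security_context {
            privileged                = true
            read_only_root_filesystem = true
          }

          // Mounts are read-write unless the volume entry sets readOnly.
          dynamic "volume_mount" {
            for_each = var.volumes
            content {
              name       = volume_mount.value.name
              mount_path = coalesce(volume_mount.value.path, "/${volume_mount.value.name}")
              read_only  = coalesce(volume_mount.value.readOnly, false)
            }
          }
        }

        // Exactly one backing source per volume. `empty` and `token` are
        // optional(bool), so they are treated as set only when *true*: an
        // explicit `empty = false` or `token = false` now falls through to a
        // host path, whereas the previous `!= null` tests created an emptyDir
        // or Secret volume for any non-null value, including false.
        dynamic "volume" {
          for_each = var.volumes
          content {
            name = volume.value.name

            dynamic "empty_dir" {
              for_each = coalesce(volume.value.empty, false) ? [true] : []
              content {}
            }

            dynamic "host_path" {
              for_each = !coalesce(volume.value.empty, false) && !coalesce(volume.value.token, false) ? [true] : []
              content { path = coalesce(volume.value.path, "/${volume.value.name}") }
            }

            dynamic "secret" {
              for_each = coalesce(volume.value.token, false) ? [true] : []
              content { secret_name = kubernetes_secret.token.metadata[0].name }
            }
          }
        }
      }
    }
  }
}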
// Identity the agent pods run as; the cluster_watcher binding attaches the
// read-only cluster role to it.
resource "kubernetes_service_account" "agent" {
  metadata {
    namespace = kubernetes_namespace.parca.id
    labels    = local.labels
    name      = local.name
  }
}
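// Egress-only policy for the agent pods. With policy_types = ["Egress"],
// every destination not listed here is denied once a policy-enforcing CNI is
// present, so in addition to the remote store we must allow cluster DNS,
// which is what resolves grpc.polarsignals.com.
// NOTE(review): the agent also lists/watches pods through the API server,
// whose address is cluster-specific and is not covered here; add an egress
// rule for it (or confirm the CNI does not enforce egress) before relying on
// this policy outside minikube.
resource "kubernetes_network_policy" "parca_agent" {
  metadata {
    name      = local.name
    namespace = kubernetes_namespace.parca.id
    labels    = local.labels
  }

  spec {
    pod_selector {
      match_labels = local.selector_labels
    }

    policy_types = ["Egress"]

    // Remote profile store, limited to the gRPC port the agent is
    // configured with (--remote-store-address=...:443).
    egress {
      ports {
        port     = "443"
        protocol = "TCP"
      }
      to {
        ip_block {
          cidr = var.destination_cidr
        }
      }
    }

    // Cluster DNS (CoreDNS / kube-dns in kube-system), UDP and TCP.
    egress {
      ports {
        port     = "53"
        protocol = "UDP"
      }
      ports {
        port     = "53"
        protocol = "TCP"
      }
      to {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
        pod_selector {
          match_labels = { "k8s-app" = "kube-dns" }
        }
      }
    }
  }
}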
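// Provider pin and minimum Terraform version. The `optional()` attributes in
// var.volumes' type constraint require Terraform 1.3 or newer; older
// versions fail with an opaque type error, so state the floor explicitly.
terraform {
  required_version = ">= 1.3.0"

  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.21.0"
    }
  }
}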
// Local-development defaults: the kubeconfig in the home directory and the
// minikube context. Change both before pointing this module at a shared
// cluster.
provider "kubernetes" {
  config_context = "minikube"
  config_path    = "~/.kube/config"
}
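// Bearer token for the remote store. Marked sensitive so its value is
// redacted from plan/apply output and from any output that derives from it.
variable "token" {
  description = "Token used to authenticate to PolarSignals API"
  type        = string
  sensitive   = true
}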
// Target namespace; created (with privileged Pod Security labels) by
// kubernetes_namespace.parca.
variable "namespace" {
  type        = string
  default     = "profiling"
  description = "Namespace to deploy within cluster"
}
// Informational only: this value becomes the app.kubernetes.io/version
// label. The image actually deployed is chosen by var.image_digest.
variable "image_version" {
  type        = string
  default     = "v0.20.0"
  description = "Version of the PolarSignals agent to deploy"
}
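// Content digest used to pin the agent image. Validated up front so a typo
// (or a tag pasted by mistake) fails at plan time rather than as an image
// pull error on every node.
variable "image_digest" {
  description = "Digest of the PolarSignals image"
  type        = string
  default     = "sha256:f09c2b26a961e2a3ef1f7ec4f33a602e015dbe8548dfe2d43fb8bfffda893282"

  validation {
    condition     = can(regex("^sha256:[0-9a-f]{64}$", var.image_digest))
    error_message = "image_digest must be of the form sha256:<64 lowercase hex characters>."
  }
}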
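// Destination allowed by the egress NetworkPolicy (the remote profile store).
// Validated as CIDR notation so a bare IP or a malformed value is rejected at
// plan time instead of by the API server.
variable "destination_cidr" {
  description = "CIDR of the destination network"
  type        = string
  default     = "35.234.93.182/32"

  validation {
    condition     = can(cidrhost(var.destination_cidr, 0))
    error_message = "destination_cidr must be a valid CIDR block, e.g. 203.0.113.10/32."
  }
}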
// Volumes and mounts for the agent container. Each entry produces one
// volume_mount and one volume in the DaemonSet:
//   name     - volume name; also the default mount/host path ("/<name>").
//   path     - mount path inside the container and, for host paths, the host
//              directory; defaults to "/<name>".
//   token    - back the volume with the bearer-token Secret instead of a host path.
//   empty    - back the volume with an emptyDir instead of a host path.
//   readOnly - mount read-only (mounts are read-write when unset).
// Entries with neither `token` nor `empty` are host-path mounts of node
// directories; most defaults are read-write, so trim or mark them readOnly
// where the agent does not need write access.
variable "volumes" {
  description = "Volumes used by the PolarSignals agent"
  type = list(object({
    name = string
    path = optional(string)
    token = optional(bool)
    empty = optional(bool)
    readOnly = optional(bool)
  }))
  default = [
    // Scratch space for --debuginfo-temp-dir=/tmp (root fs is read-only).
    { name = "tmp", empty = true },
    // Host /run, read-write.
    { name = "run" },
    // Host /boot, read-only.
    { name = "boot", readOnly = true },
    // Host paths read-write; kernel/tracing interfaces used by the agent.
    { name = "modules", path = "/lib/modules" },
    { name = "debugfs", path = "/sys/kernel/debug" },
    { name = "cgroup", path = "/sys/fs/cgroup" },
    { name = "bpffs", path = "/sys/fs/bpf" },
    { name = "dbus-system", path = "/var/run/dbus/system_bus_socket" },
    // Secret volume: exposes the token as /var/parca-agent/token.
    { name = "token", path = "/var/parca-agent", token = true },
  ]
}