From e21628ce20d615185aa80ba7ba8453026fddbd11 Mon Sep 17 00:00:00 2001
From: Ran Berant
Date: Mon, 26 May 2025 11:39:43 +0300
Subject: [PATCH] add autopilot support
---
 charts/cortex-agent/README.md | 1 +
 .../templates/cortex-xdr-synchronizer.yaml | 12 ++++++++++++
 charts/cortex-agent/templates/daemonset.yaml | 15 ++++++++++++++-
 charts/cortex-agent/values.yaml | 8 +++++++-
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 charts/cortex-agent/templates/cortex-xdr-synchronizer.yaml
diff --git a/charts/cortex-agent/README.md b/charts/cortex-agent/README.md
index 932bbff..55826c2 100644
--- a/charts/cortex-agent/README.md
+++ b/charts/cortex-agent/README.md
@@ -97,6 +97,7 @@ Even when using `--reuse-values` (which uses the values of the previous installa
 | `platform.talos` | Support for TalOS platform (Required when installing on TalOS) | Since 1.5.0, agent >= 8.2
 | `platform.gcos` | Support for GCOS (Google Container-Optimized OS) platform (Required when installing on GCOS) | Since 1.5.0, agent >= 8.2
 | `platform.bottlerocket` | Support for BottlerocketOS platform (Required when installing on BottlerocketOS) | Since 1.6.3, agent >= 8.3
+| `platform.autopilot` | Support for Autopilot platform (Required when installing on GKE Autopilot cluster) | Since 1.8.0, agent >= 8.9
 | `agent.clusterName` | Name of the kuberenets cluster, will be used as part of the information sent to the server | Since 1.5.0, agent >= 8.2
 | `namespace.name` | Name of the namespace the agent resides on | Since 1.6.0
 | `namespace.create` | Create/Don't create namespace for the agent | Since 1.6.0
diff --git a/charts/cortex-agent/templates/cortex-xdr-synchronizer.yaml b/charts/cortex-agent/templates/cortex-xdr-synchronizer.yaml
new file mode 100644
index 0000000..a34a00e
--- /dev/null
+++ b/charts/cortex-agent/templates/cortex-xdr-synchronizer.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.platform.autopilot }}
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+ name: cortex-xdr-synchronizer
+ annotations:
+ helm.sh/hook: "pre-install,pre-upgrade"
+ "helm.sh/hook-weight": "-1"
+spec:
+ allowlistPaths:
+ - Palo-Alto-Networks/cortex-agent/*
+{{- end }}
diff --git a/charts/cortex-agent/templates/daemonset.yaml b/charts/cortex-agent/templates/daemonset.yaml
index 23d91c0..4ac1b02 100644
--- a/charts/cortex-agent/templates/daemonset.yaml
+++ b/charts/cortex-agent/templates/daemonset.yaml
@@ -49,7 +49,12 @@ spec:
 containers:
 - name: cortex-agent
+ {{- if .Values.platform.autopilot }}
+ image: {{ .Values.daemonset.image.url }}
+ {{- else }}
 image: {{ .Values.daemonset.image.repository }}:{{ .Values.daemonset.image.tag }}
+ {{- end }}
+
 imagePullPolicy: {{ .Values.daemonset.image.pullPolicy }}
 securityContext:
@@ -71,7 +76,7 @@ spec:
 - SYS_ADMIN
 - SYSLOG
 - SYS_CHROOT
- {{- if not .Values.platform.talos }}
+ {{- if not (or .Values.platform.talos .Values.platform.autopilot .Values.platform.bottlerocket) }}
 - SYS_MODULE
 {{- end }}
 - SYS_PTRACE
@@ -106,6 +111,10 @@ spec:
 value: {{ .Values.agent.clusterName | quote }}
 - name: XDR_VAR_LOG_HOST_PATH
 value: {{ include "cortex-xdr.XdrVarLogHostPath" . | quote }}
+ {{- if .Values.platform.autopilot }}
+ - name: XDR_CLUSTER_TYPE
+ value: "autopilot"
+ {{- end }}
 volumeMounts:
@@ -116,8 +125,10 @@ spec:
 - name: var-log
 mountPath: /var/log
+ {{- if not (or .Values.platform.talos .Values.platform.autopilot .Values.platform.bottlerocket) }}
 - name: host-km-directory
 mountPath: /lib/modules
+ {{- end }}
 - name: pod-info
 mountPath: /var/run/pod-info
@@ -150,10 +161,12 @@ spec:
 path: {{ include "cortex-xdr.XdrVarLogHostPath" . | quote }}
 type: DirectoryOrCreate
+ {{- if not (or .Values.platform.talos .Values.platform.autopilot .Values.platform.bottlerocket) }}
 - name: host-km-directory
 hostPath:
 path: /lib/modules
 type: Directory
+ {{- end }}
 - name: pod-info
 downwardAPI:
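Review bot: Helm does not manage hook resources as part of the release, so this `pre-install,pre-upgrade` AllowlistSynchronizer survives `helm uninstall` and keeps the agent's elevated-privilege allowlist active after the agent itself is removed; if the hook is only there to order the object ahead of the DaemonSet, add a comment saying so and document the manual removal of the synchronizer on uninstall, otherwise drop the hook annotations so it is installed and removed with the release. Helm also treats a custom resource as ready as soon as the API server accepts it, so `hook-weight` alone may not guarantee the allowlist has actually synchronized before the DaemonSet is applied — worth confirming on a cluster. The two annotation keys are quoted inconsistently (`helm.sh/hook:` bare, `"helm.sh/hook-weight":` quoted); both are safe unquoted, so pick one style. The glob `Palo-Alto-Networks/cortex-agent/*` admits every allowlist under that prefix, so a comment naming the entry this chart actually relies on would let a reviewer confirm the scope.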
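Review bot: `image: {{ .Values.daemonset.image.url }}` renders an empty `image:` (YAML null) when `platform.autopilot` is true but `daemonset.image.url` is left at its `""` default, and the mistake only surfaces later as an API validation error on the DaemonSet; fail at template time instead with `image: {{ required "daemonset.image.url must be set when platform.autopilot is true" .Values.daemonset.image.url }}`. Piping the value through `| quote` on both branches would additionally protect a tag or reference that YAML could retype. The enclosing container spec continues outside the hunk.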
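Review bot: The new guard `not (or .Values.platform.talos .Values.platform.autopilot .Values.platform.bottlerocket)` also drops `SYS_MODULE` and the `/lib/modules` host mount on Bottlerocket, which the old `not .Values.platform.talos` condition granted, while the commit message and README row only mention Autopilot; if tightening Bottlerocket is intended, say so in the README, otherwise it is an unannounced behaviour change to confirm. The identical expression is copied verbatim here and in the `volumeMounts` (`@@ -116`) and `volumes` (`@@ -150`) hunks, and the three must stay in sync or the pod ends up with a mount that has no volume. A named template next to the existing `cortex-xdr.XdrVarLogHostPath` helper, e.g. `{{- define "cortex-xdr.hostKernelModules" }}{{ if not (or .Values.platform.talos .Values.platform.autopilot .Values.platform.bottlerocket) }}true{{ end }}{{ end }}`, used as `{{- if include "cortex-xdr.hostKernelModules" . }}` at all three sites, removes the triplication. The capability list starts before this hunk.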
diff --git a/charts/cortex-agent/values.yaml b/charts/cortex-agent/values.yaml
index 490d66c..b9dd4d3 100644
--- a/charts/cortex-agent/values.yaml
+++ b/charts/cortex-agent/values.yaml
@@ -34,6 +34,8 @@ platform:
 gcos: false
 # Deploy on bottlerocket platform
 bottlerocket: false
+ # Deploy on autopilot cluster
+ autopilot: false
 rbac:
 # create/don't create Cluster Role and Cluster Role Bindings
@@ -92,15 +94,19 @@ daemonset:
 tag: "latest"
+ # for autopilot
+ url: ""
+
 # These values are the recommended values for cortex agent
 # and are not recommended to change!
 resources:
 limits:
- cpu: "1500m"
 memory: "2Gi"
+ ephemeral-storage: "10Gi"
 requests:
 cpu: "200m"
 memory: "600Mi"
+ ephemeral-storage: "5Gi"
 selinuxOptionsSpcT: false
 namespace:
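Review bot: Removing `cpu: "1500m"` from `resources.limits` and adding the `ephemeral-storage` request and limit are not gated on `platform.autopilot`, so every platform loses its CPU ceiling and gains a 5Gi ephemeral-storage request that can leave the DaemonSet pod unschedulable on nodes with little local disk, in a block the chart itself comments as "not recommended to change". If these values are what Autopilot needs, keep them on the Autopilot path (or document the new defaults in the README) rather than changing them for all installs. The `# for autopilot` comment on `url` says nothing about what the value is; suggest `# Full image reference (registry/repository:tag), used instead of repository+tag when platform.autopilot is true`.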