aws-observability
diff --git a/‎.github/workflows/amazon-cloudwatch-observability-integration-test.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/amazon-cloudwatch-observability-integration-test.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎RELEASE_NOTES‎
Lines changed: 22 additions & 0 deletions b/‎RELEASE_NOTES‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎charts/amazon-cloudwatch-observability/Chart.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/amazon-cloudwatch-observability/Chart.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/amazon-cloudwatch-observability/templates/_helpers.tpl‎
Lines changed: 30 additions & 0 deletions b/‎charts/amazon-cloudwatch-observability/templates/_helpers.tpl‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml‎
Lines changed: 12 additions & 14 deletions b/‎charts/amazon-cloudwatch-observability/templates/admission-webhooks/operator-webhook.yaml‎
Lines changed: 12 additions & 14 deletions
diff --git a/‎charts/amazon-cloudwatch-observability/templates/operator-deployment.yaml‎
Lines changed: 15 additions & 0 deletions b/‎charts/amazon-cloudwatch-observability/templates/operator-deployment.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎charts/amazon-cloudwatch-observability/values.yaml‎
Lines changed: 43 additions & 29 deletions b/‎charts/amazon-cloudwatch-observability/values.yaml‎
Lines changed: 43 additions & 29 deletions
diff --git a/‎integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/certificate-recreate-disabled/main.tf‎
Lines changed: 31 additions & 0 deletions b/‎integration-tests/amazon-cloudwatch-observability/terraform/minikube/scenarios/certificate-recreate-disabled/main.tf‎
Lines changed: 31 additions & 0 deletions
@@ -48,6 +48,10 @@ jobs:
           - appsignals-unsupported
           - webhooks-partially-enabled
           - webhooks-configured
+          - deployment-rolling-enabled
+          - deployment-rolling-disabled
+          - certificate-recreate-enabled
+          - certificate-recreate-disabled
     steps:
       - uses: actions/checkout@v3
 
 
@@ -1,3 +1,25 @@
+=======================================================================
+amazon-cloudwatch-observability v4.6.0 (2025-10-16)
+=======================================================================
+Enhancements:
+* Upgrade CWAgent Operator to v3.3.0
+* Upgrade FluentBit to v3.0.0
+* Update FluentBit config to use systemd plugin for retrieving host logs
+
+=======================================================================
+amazon-cloudwatch-observability v4.5.0 (2025-09-24)
+=======================================================================
+Enhancements:
+* Support custom configurations for admission webhook with managed resources
+* Support ARM GPU instances with DCGM Exporter
+* Upgrade CWAgent to v1.300060.0b1248
+* Upgrade CWAgent Operator to v3.2.0
+* Upgrade Fluent Bit to v2.34.0
+* Upgrade Java SDK to v2.11.5
+* Upgrade .NET SDK to v1.9.1
+* Upgrade DCGM Exporter to 4.4.0-4.5.0-ubuntu22.04
+* Upgrade Neuron Monitor to v1.6.0
+
 =======================================================================
 amazon-cloudwatch-observability v4.4.0 (2025-09-04)
 =======================================================================
 
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: amazon-cloudwatch-observability
-version: 4.4.0
+version: 4.6.0
 appVersion: 1.0.0
 description: A Helm chart for Amazon CloudWatch Observability
 type: application
 
@@ -427,3 +427,33 @@ Get namespaceSelector value for admission webhooks
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Returns auto-generated certificate and CA for admission webhooks.
+*/}}
+{{- define "amazon-cloudwatch-observability.webhookCert" -}}
+{{- $tlsCrt := "" }}
+{{- $tlsKey := "" }}
+{{- $caCrt := "" }}
+{{- if .Values.admissionWebhooks.autoGenerateCert.enabled }}
+{{- $existingCert := ( lookup "v1" "Secret" .Release.Namespace (include "amazon-cloudwatch-observability.certificateSecretName" .) ) }}
+{{- if and (not .Values.admissionWebhooks.autoGenerateCert.recreate) $existingCert }}
+{{- $tlsCrt = index $existingCert "data" "tls.crt" }}
+{{- $tlsKey = index $existingCert "data" "tls.key" }}
+{{- $caCrt = index $existingCert "data" "ca.crt" }}
+{{- if not $caCrt }}
+{{- $existingWebhook := ( lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" "" (printf "%s-mutating-webhook-configuration" (include "amazon-cloudwatch-observability.name" .)) ) }}
+{{- $caCrt = (first $existingWebhook.webhooks).clientConfig.caBundle }}
+{{- end }}
+{{- else }}
+{{- $altNames := list ( printf "%s-webhook-service.%s" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc.cluster.local" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) -}}
+{{- $ca := genCA ( printf "%s-ca" (include "amazon-cloudwatch-observability.name" .) ) ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) -}}
+{{- $cert := genSignedCert (include "amazon-cloudwatch-observability.name" .) nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
+{{- $tlsCrt = b64enc $cert.Cert }}
+{{- $tlsKey = b64enc $cert.Key }}
+{{- $caCrt = b64enc $ca.Cert }}
+{{- end }}
+{{- $result := dict "Cert" $tlsCrt "Key" $tlsKey "Ca" $caCrt }}
+{{- $result | toYaml }}
+{{- end }}
+{{- end }}
@@ -1,7 +1,5 @@
 {{- if and (.Values.admissionWebhooks.autoGenerateCert.enabled) (not .Values.admissionWebhooks.certManager.enabled) (include "amazon-cloudwatch-observability.webhookEnabled" .) }}
-{{- $altNames := list ( printf "%s-webhook-service.%s" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) ( printf "%s-webhook-service.%s.svc.cluster.local" (include "amazon-cloudwatch-observability.name" .) .Release.Namespace ) -}}
-{{- $ca := genCA ( printf "%s-ca" (include "amazon-cloudwatch-observability.name" .) ) ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) -}}
-{{- $cert := genSignedCert (include "amazon-cloudwatch-observability.name" .) nil $altNames ( .Values.admissionWebhooks.autoGenerateCert.expiryDays | int ) $ca -}}
+{{- $cert := fromYaml (include "amazon-cloudwatch-observability.webhookCert" .) }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
@@ -11,8 +9,8 @@ metadata:
   name: {{ template "amazon-cloudwatch-observability.certificateSecretName" . }}
   namespace: {{ .Release.Namespace }}
 data:
-  tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert }}
+  tls.key: {{ $cert.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -29,7 +27,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: minstrumentation.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }}
@@ -58,7 +56,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.agents.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: mamazoncloudwatchagent.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }}
@@ -87,7 +85,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-v1-pod
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: mpod.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "pods") }}
@@ -116,7 +114,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-v1-namespace
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.namespaces.failurePolicy | default .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: mnamespace.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "namespaces") }}
@@ -145,7 +143,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-v1-workload
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.workloads.failurePolicy | default .Values.admissionWebhooks.pods.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: mworkload.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "workloads") }}
@@ -184,7 +182,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.instrumentations.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: vinstrumentationcreateupdate.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }}
@@ -213,7 +211,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cloudwatch-aws-amazon-com-v1alpha1-instrumentation
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: Ignore
   name: vinstrumentationdelete.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "instrumentations") }}
@@ -241,7 +239,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: {{ .Values.admissionWebhooks.agents.failurePolicy | default .Values.admissionWebhooks.failurePolicy }}
   name: vamazoncloudwatchagentcreateupdate.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }}
@@ -270,7 +268,7 @@ webhooks:
       name: {{ template "amazon-cloudwatch-observability.webhookServiceName" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cloudwatch-aws-amazon-com-v1alpha1-amazoncloudwatchagent
-    caBundle: {{ $ca.Cert | b64enc }}
+    caBundle: {{ $cert.Ca }}
   failurePolicy: Ignore
   name: vamazoncloudwatchagentdelete.kb.io
   namespaceSelector: {{ include "amazon-cloudwatch-observability.namespaceSelector" (list . "agents") }}
 
@@ -18,6 +18,9 @@ spec:
         {{- if .Values.manager.podAnnotations }}
         {{- include "amazon-cloudwatch-observability.podAnnotations" . | nindent 8 }}
         {{- end }}
+        {{- if .Values.manager.rolling }}
+        rollme: {{ randAlphaNum 5 | quote }}
+        {{- end }}
       labels:
         app.kubernetes.io/name: {{ template "amazon-cloudwatch-observability.name" . }}
         control-plane: controller-manager
@@ -42,6 +45,18 @@ spec:
         - containerPort: {{ .Values.manager.ports.containerPort }}
           name: webhook-server
           protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
         resources: {{ toYaml .Values.manager.resources | nindent 10 }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
 
@@ -19,7 +19,7 @@ containerLogs:
   fluentBit:
     image:
       repository: aws-for-fluent-bit
-      tag: 2.33.2
+      tag: 3.0.0
       tagWindows: 2.31.12-windowsservercore
       repositoryDomainMap:
         public: public.ecr.aws/aws-observability
@@ -193,43 +193,54 @@ containerLogs:
             extra_user_agent    container-insights
         host-log.conf: |
           [INPUT]
-            Name                tail
+            Name                systemd
             Tag                 host.dmesg
-            Path                /var/log/dmesg
-            Key                 message
+            Systemd_Filter      _TRANSPORT=kernel
             DB                  /var/fluent-bit/state/flb_dmesg.db
-            Mem_Buf_Limit       5MB
-            Skip_Long_Lines     On
-            Refresh_Interval    10
-            Read_from_Head      ${READ_FROM_HEAD}
+            Path                /var/log/journal
+            Read_From_Tail      ${READ_FROM_TAIL}
 
           [INPUT]
-            Name                tail
+            Name                systemd
             Tag                 host.messages
-            Path                /var/log/messages
-            Parser              syslog
+            Systemd_Filter      PRIORITY=0
+            Systemd_Filter      PRIORITY=1
+            Systemd_Filter      PRIORITY=2
+            Systemd_Filter      PRIORITY=3
+            Systemd_Filter      PRIORITY=4
+            Systemd_Filter      PRIORITY=5
+            Systemd_Filter      PRIORITY=6
             DB                  /var/fluent-bit/state/flb_messages.db
-            Mem_Buf_Limit       5MB
-            Skip_Long_Lines     On
-            Refresh_Interval    10
-            Read_from_Head      ${READ_FROM_HEAD}
+            Path                /var/log/journal
+            Read_From_Tail      ${READ_FROM_TAIL}
 
           [INPUT]
-            Name                tail
+            Name                systemd
             Tag                 host.secure
-            Path                /var/log/secure
-            Parser              syslog
+            Systemd_Filter      SYSLOG_FACILITY=10
             DB                  /var/fluent-bit/state/flb_secure.db
-            Mem_Buf_Limit       5MB
-            Skip_Long_Lines     On
-            Refresh_Interval    10
-            Read_from_Head      ${READ_FROM_HEAD}
+            Path                /var/log/journal
+            Read_From_Tail      ${READ_FROM_TAIL}
 
           [FILTER]
             Name                aws
             Match               host.*
             imds_version        v2
 
+          [FILTER]
+            Name                grep
+            Match               host.messages
+            Exclude             SYSLOG_FACILITY /^(2|9|10)$/
+
+          [FILTER]
+            Name                modify
+            Match               host.*
+            Rename             _HOSTNAME host
+            Rename             MESSAGE message
+            Rename             SYSLOG_IDENTIFIER ident
+            Rename             SYSLOG_PID pid
+            Remove_regex       [A-Z]
+
           [OUTPUT]
             Name                cloudwatch_logs
             Match               host.*
@@ -1037,7 +1048,7 @@ manager:
   name:
   image:
     repository: cloudwatch-agent-operator
-    tag: 3.1.1
+    tag: 3.3.0
     repositoryDomainMap:
       public: public.ecr.aws/cloudwatch-agent
       cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn
@@ -1048,15 +1059,15 @@ manager:
     java:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-java
-      tag: v2.11.2
+      tag: v2.11.5
     python:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-python
-      tag: v0.9.0
+      tag: v0.12.1
     dotnet:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-dotnet
-      tag: v1.9.0
+      tag: v1.9.1
     nodejs:
       repositoryDomain: public.ecr.aws/aws-observability
       repository: adot-autoinstrumentation-node
@@ -1197,6 +1208,8 @@ manager:
   affinity: {}
   nodeSelector:
     kubernetes.io/os: linux
+  # Enable automatic rolling by forcing a deployment spec change
+  rolling: false
 ## Admission webhooks make sure only requests with correctly formatted rules will get into the Operator.
 admissionWebhooks:
   create: true
@@ -1245,6 +1258,7 @@ admissionWebhooks:
   autoGenerateCert:
     enabled: true
     expiryDays: 3650 # 10 years
+    recreate: true
   ## TLS Certificate Option 2: Use certManager to generate self-signed certificate.
   ## certManager must be enabled. If enabled, it takes precedence over option 1.
   certManager:
@@ -1270,7 +1284,7 @@ agent:
   replicas: 1 # The total number non-terminated pods targeted by this AmazonCloudWatchAgent's deployment or statefulSet.
   image:
     repository: cloudwatch-agent
-    tag: 1.300059.0b1207
+    tag: 1.300060.0b1248
     repositoryDomainMap:
       public: public.ecr.aws/cloudwatch-agent
       cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn
@@ -1363,7 +1377,7 @@ dcgmExporter:
   name:
   image:
     repository: dcgm-exporter
-    tag: 4.3.1-4.4.0-ubuntu22.04
+    tag: 4.4.0-4.5.0-ubuntu22.04
     repositoryDomainMap:
       public: nvcr.io/nvidia/k8s
       cn-north-1: 934860584483.dkr.ecr.cn-north-1.amazonaws.com.cn
@@ -1534,7 +1548,7 @@ neuronMonitor:
   name:
   image:
     repository: neuron-monitor
-    tag: 1.5.1
+    tag: 1.6.0
     repositoryDomainMap:
       public: public.ecr.aws/neuron
   resources:
 
@@ -0,0 +1,31 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+module "base" {
+  source           = "../.."
+  helm_dir         = var.helm_dir
+  helm_values_file = "${path.module}/values.yaml"
+}
+
+variable "helm_dir" {
+  type    = string
+  default = "../../../../../../charts/amazon-cloudwatch-observability"
+}
+
+resource "null_resource" "validator" {
+  depends_on = [module.base.helm_release]
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      go test ${var.test_dir} -v -run=TestCertificateRecreateDisabled_Save
+      helm upgrade --wait --create-namespace --namespace amazon-cloudwatch amazon-cloudwatch-observability ${var.helm_dir} -f ${path.module}/values.yaml
+      go test ${var.test_dir} -v -run=TestCertificateRecreateDisabled_Compare
+    EOT
+  }
+}
+
+variable "test_dir" {
+  type    = string
+  default = "../../../../validations/minikube/scenarios"
+}
+