microsoft · zanejohnson-azure · Feb 9, 2026 · Jan 28, 2026 · Jan 28, 2026 · Jan 29, 2026
@@ -475,3 +475,39 @@ extends:
           displayName: Ev2 - Monitoring
           inputs:
             Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+
+
+    # =============================================================================
+    # Stage 3: Deploy ama-logs to AKS Clusters via Helm
+    # =============================================================================
+    # To add a new cluster, simply add an entry to the template list below.
+    # Each cluster only needs: clusterName, resourceGroup, region, subscriptionId, workspaceId, and imageTag.
+    # =============================================================================
+    - stage: Stage_3
+      displayName: Deploy ama-logs to CI AKS Prod Clusters via Helm
+      dependsOn: Stage_2
+      pool:
+        name: Azure-Pipelines-CI-Test-EO
+        image: ci-1es-managed-ubuntu-2204
+        os: linux
+      jobs:
+      # Monitoring-Model-Cluster-WCUS
+      - template: .pipelines/helm-deploy-templates/ama-logs-helm-deploy.yaml@self
+        parameters:
+          clusterName: 'Monitoring-Model-Cluster-WCUS'
+          resourceGroup: 'monitoring-model-cluster-wcus'
+          region: 'westcentralus'
+          subscriptionId: '9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb'
+          workspaceId: '22f38e11-4f59-480c-b4b8-2573156b6e06' # "Monitoring-Model-Cluster-WCUS"
+          imageTag: '$(AgentImageTagSuffix)'
+          environment: 'CI-Deploy-To-Prod-Cluster-1'
+      # Monitoring-Model-Cluster-WEU
+      - template: .pipelines/helm-deploy-templates/ama-logs-helm-deploy.yaml@self
+        parameters:
+          clusterName: 'Monitoring-Model-Cluster-WEU'
+          resourceGroup: 'monitoring-model-cluster-weu'
+          region: 'westeurope'
+          subscriptionId: '9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb'
+          workspaceId: '5c269467-32a9-4468-a1d6-ec1cac551e74' # "Monitoring-Model-Cluster-WEU"
+          imageTag: '$(AgentImageTagSuffix)'
+          environment: 'CI-Deploy-To-Prod-Cluster-2'
@@ -0,0 +1,258 @@
+# Template for deploying ama-logs to an AKS cluster via Helm
+# Usage: 
+#   - template: helm-deploy-templates/ama-logs-helm-deploy.yaml
+#     parameters:
+#       clusterName: 'my-cluster'
+#       resourceGroup: 'my-rg'
+#       region: 'eastus'
+#       subscriptionId: '9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb'
+#       workspaceId: 'your-workspace-id'
+#       imageTag: '$(AgentImageTagSuffix)'  # e.g., 3.1.32
+#       environment: 'deployment environment'
+
+parameters:
+# Required cluster parameters
+- name: clusterName
+  type: string
+- name: resourceGroup
+  type: string
+- name: region
+  type: string
+- name: subscriptionId
+  type: string
+- name: workspaceId
+  type: string
+  displayName: 'Log Analytics Workspace ID'
+- name: imageTag
+  type: string
+  displayName: 'Image tag suffix (e.g., 3.1.32)'
+- name: environment
+  type: string
+  displayName: 'Azure DevOps Environment name'
+
+# Optional parameters with defaults
+- name: cloudEnvironment
+  type: string
+  default: 'azurepubliccloud'
+- name: kubernetesVersion
+  type: string
+  default: '1.32.7'
+- name: azureSubscription
+  type: string
+  default: 'ContainerInsights_Build_Subscription_CI'
+- name: namespace
+  type: string
+  default: 'default'
+- name: releaseName
+  type: string
+  default: 'azuremonitor-containers'
+- name: helmVersion
+  type: string
+  default: '3.12.3'
+- name: dependsOn
+  type: object
+  default: []
+
+jobs:
+- deployment: Deploy_AmaLogs_${{ replace(parameters.clusterName, '-', '_') }}
+  displayName: 'Deploy: ama-logs to ${{ parameters.clusterName }}'
+  environment: ${{ parameters.environment }}
+  dependsOn: ${{ parameters.dependsOn }}
+  variables:
+  - name: OneESPT
+    value: true
+    readonly: true
+  - name: OneESPT.BuildType
+    value: Official
+    readonly: true
+  - name: OneESPT.OS
+    value: linux
+    readonly: true
+  - name: skipComponentGovernanceDetection
+    value: true
+  - name: Codeql.SkipTaskAutoInjection
+    value: true
+  - name: AKS_RESOURCE_ID
+    value: '/subscriptions/${{ parameters.subscriptionId }}/resourceGroups/${{ parameters.resourceGroup }}/providers/Microsoft.ContainerService/managedClusters/${{ parameters.clusterName }}'
+  strategy:
+    runOnce:
+      deploy:
+        steps:
+        - checkout: self
+          displayName: Checkout repository
+        - task: HelmInstaller@1
+          displayName: Install Helm
+          inputs:
+            helmVersionToInstall: '${{ parameters.helmVersion }}'
+        - task: HelmDeploy@0
+          displayName: 'Helm Deploy: ama-logs to ${{ parameters.clusterName }}'
+          inputs:
+            connectionType: 'Azure Resource Manager'
+            azureSubscription: '${{ parameters.azureSubscription }}'
+            azureResourceGroup: '${{ parameters.resourceGroup }}'
+            kubernetesCluster: '${{ parameters.clusterName }}'
+            useClusterAdmin: true
+            namespace: '${{ parameters.namespace }}'
+            command: 'upgrade'
+            chartType: 'FilePath'
+            # The following chart is copied over from feature branch https://github.com/microsoft/Docker-Provider/tree/longw/addon-to-extension-quick-Test
+            # TODO: When it is merged to ci_prod, the following chartPath will be updated accordingly.
+            chartPath: '$(Build.SourcesDirectory)/charts/azuremonitor-containerinsights-for-prod-clusters'
+            releaseName: '${{ parameters.releaseName }}'
+            overrideValues: 'global.commonGlobals.CloudEnvironment=${{ parameters.cloudEnvironment }},global.commonGlobals.Region=${{ parameters.region }},OmsAgent.aksResourceID=$(AKS_RESOURCE_ID),OmsAgent.workspaceID=${{ parameters.workspaceId }},OmsAgent.imageTagLinux=${{ parameters.imageTag }},OmsAgent.imageTagWindows=win-${{ parameters.imageTag }}'
+            waitForExecution: false
+            arguments: '--timeout 10m --install'
+        - task: AzureCLI@2
+          displayName: Verify Deployment
+          inputs:
+            azureSubscription: '${{ parameters.azureSubscription }}'
+            scriptType: bash
+            scriptLocation: inlineScript
+            inlineScript: |
+              echo "=========================================="
+              echo "Deployment Summary"
+              echo "=========================================="
+              echo "Cluster: ${{ parameters.clusterName }}"
+              echo "Resource Group: ${{ parameters.resourceGroup }}"
+              echo "Region: ${{ parameters.region }}"
+              echo "Linux Image Tag: ${{ parameters.imageTag }}"
+              echo "Windows Image Tag: win-${{ parameters.imageTag }}"
+              echo ""
+
+              echo "Getting AKS credentials..."
+              az aks get-credentials --resource-group ${{ parameters.resourceGroup }} --name ${{ parameters.clusterName }} --overwrite-existing --admin
+
+              echo ""
+              echo "=========================================="
+              echo "Waiting for pods to be ready (60s max)..."
+              echo "=========================================="
+
+              # Wait for daemonset pods (pods are always deployed to kube-system namespace)
+              kubectl rollout status daemonset/ama-logs -n kube-system --timeout=60s || echo "Warning: Daemonset rollout not complete within timeout"
+
+              # Wait for replicaset pod
+              kubectl rollout status deployment/ama-logs-rs -n kube-system --timeout=60s 2>/dev/null || \
+                kubectl rollout status replicaset -l rsName=ama-logs-rs -n kube-system --timeout=60s 2>/dev/null || \
+                echo "Warning: ReplicaSet rollout status check skipped"
+
+              echo ""
+              echo "=========================================="
+              echo "Pod Status"
+              echo "=========================================="
+              kubectl get pods -n kube-system | grep ama-logs || echo "No ama-logs pods found"
+
+              echo ""
+              echo "=========================================="
+              echo "Helm Release Status"
+              echo "=========================================="
+              helm status ${{ parameters.releaseName }} -n ${{ parameters.namespace }} 2>/dev/null || echo "Helm release status not available"
+
+              echo ""
+              echo "=========================================="
+              echo "Image Verification"
+              echo "=========================================="
+              EXPECTED_LINUX_TAG="${{ parameters.imageTag }}"
+              EXPECTED_WINDOWS_TAG="win-${{ parameters.imageTag }}"
+              VERIFICATION_PASSED=true
+
+              echo "Expected Linux image tag: $EXPECTED_LINUX_TAG"
+              echo "Expected Windows image tag: $EXPECTED_WINDOWS_TAG"
+              echo ""
+
+              # ---- 1. Linux DaemonSet Pod Verification (ama-logs + ama-logs-prometheus containers) ----
+              # Note: Pods are always deployed to kube-system namespace regardless of helm release namespace
+              echo "--- 1. Linux DaemonSet Verification ---"
+
+              # Check ama-logs container
+              LINUX_AMA_LOGS_IMAGE=$(kubectl get pods -n kube-system -l component=ama-logs-agent -o jsonpath='{.items[0].spec.containers[?(@.name=="ama-logs")].image}' 2>/dev/null)
+
+              if [ -z "$LINUX_AMA_LOGS_IMAGE" ]; then
+                echo "❌ ERROR: Could not retrieve ama-logs container image from Linux DaemonSet"
+                VERIFICATION_PASSED=false
+              else
+                echo "ama-logs container image: $LINUX_AMA_LOGS_IMAGE"
+                LINUX_AMA_LOGS_TAG=$(echo "$LINUX_AMA_LOGS_IMAGE" | cut -d':' -f2)
+                if [ "$LINUX_AMA_LOGS_TAG" == "$EXPECTED_LINUX_TAG" ]; then
+                  echo "✅ ama-logs container: PASSED"
+                else
+                  echo "❌ ama-logs container MISMATCH! Expected: $EXPECTED_LINUX_TAG, Actual: $LINUX_AMA_LOGS_TAG"
+                  VERIFICATION_PASSED=false
+                fi
+              fi
+
+              # Check ama-logs-prometheus container
+              LINUX_PROM_IMAGE=$(kubectl get pods -n kube-system -l component=ama-logs-agent -o jsonpath='{.items[0].spec.containers[?(@.name=="ama-logs-prometheus")].image}' 2>/dev/null)
+
+              if [ -z "$LINUX_PROM_IMAGE" ]; then
+                echo "❌ ERROR: Could not retrieve ama-logs-prometheus container image from Linux DaemonSet"
+                VERIFICATION_PASSED=false
+              else
+                echo "ama-logs-prometheus container image: $LINUX_PROM_IMAGE"
+                LINUX_PROM_TAG=$(echo "$LINUX_PROM_IMAGE" | cut -d':' -f2)
+                if [ "$LINUX_PROM_TAG" == "$EXPECTED_LINUX_TAG" ]; then
+                  echo "✅ ama-logs-prometheus container: PASSED"
+                else
+                  echo "❌ ama-logs-prometheus container MISMATCH! Expected: $EXPECTED_LINUX_TAG, Actual: $LINUX_PROM_TAG"
+                  VERIFICATION_PASSED=false
+                fi
+              fi
+
+              echo ""
+
+              # ---- 2. ReplicaSet Pod Verification (ama-logs container) ----
+              echo "--- 2. ReplicaSet Verification ---"
+
+              RS_AMA_LOGS_IMAGE=$(kubectl get pods -n kube-system -l rsName=ama-logs-rs -o jsonpath='{.items[0].spec.containers[?(@.name=="ama-logs")].image}' 2>/dev/null)
+
+              if [ -z "$RS_AMA_LOGS_IMAGE" ]; then
+                echo "❌ ERROR: Could not retrieve ama-logs container image from ReplicaSet"
+                VERIFICATION_PASSED=false
+              else
+                echo "ama-logs container image: $RS_AMA_LOGS_IMAGE"
+                RS_AMA_LOGS_TAG=$(echo "$RS_AMA_LOGS_IMAGE" | cut -d':' -f2)
+                if [ "$RS_AMA_LOGS_TAG" == "$EXPECTED_LINUX_TAG" ]; then
+                  echo "✅ ReplicaSet ama-logs container: PASSED"
+                else
+                  echo "❌ ReplicaSet ama-logs container MISMATCH! Expected: $EXPECTED_LINUX_TAG, Actual: $RS_AMA_LOGS_TAG"
+                  VERIFICATION_PASSED=false
+                fi
+              fi
+
+              echo ""
+
+              # ---- 3. Windows DaemonSet Pod Verification (ama-logs-windows container) ----
+              echo "--- 3. Windows DaemonSet Verification ---"
+
+              WINDOWS_POD_EXISTS=$(kubectl get pods -n kube-system -l component=ama-logs-agent-windows -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+
+              if [ -z "$WINDOWS_POD_EXISTS" ]; then
+                echo "INFO: No Windows ama-logs pods found (cluster may not have Windows nodes)"
+                echo "Skipping Windows verification"
+              else
+                WINDOWS_IMAGE=$(kubectl get pods -n kube-system -l component=ama-logs-agent-windows -o jsonpath='{.items[0].spec.containers[?(@.name=="ama-logs-windows")].image}' 2>/dev/null)
+
+                if [ -z "$WINDOWS_IMAGE" ]; then
+                  echo "❌ ERROR: Could not retrieve ama-logs-windows container image"
+                  VERIFICATION_PASSED=false
+                else
+                  echo "ama-logs-windows container image: $WINDOWS_IMAGE"
+                  WINDOWS_TAG=$(echo "$WINDOWS_IMAGE" | cut -d':' -f2)
+                  if [ "$WINDOWS_TAG" == "$EXPECTED_WINDOWS_TAG" ]; then
+                    echo "✅ Windows ama-logs-windows container: PASSED"
+                  else
+                    echo "❌ Windows ama-logs-windows container MISMATCH! Expected: $EXPECTED_WINDOWS_TAG, Actual: $WINDOWS_TAG"
+                    VERIFICATION_PASSED=false
+                  fi
+                fi
+              fi
+
+              echo ""
+              echo "=========================================="
+              echo "Final Verification Result"
+              echo "=========================================="
+              if [ "$VERIFICATION_PASSED" = true ]; then
+                echo "✅ SUCCESS: All image tag verifications PASSED"
+              else
+                echo "❌ FAILED: One or more image tag verifications failed"
+                exit 1
+              fi
@@ -0,0 +1,4 @@
+apiVersion: v2
+description: azure-monitor-containers helm chart
+name: azuremonitor-containers
+version: 3.2.1-dev-test