From 11e0cca952df18298ac75aa3cde34b7be533ef82 Mon Sep 17 00:00:00 2001
From: Sean Hobbs
Date: Wed, 11 Mar 2026 13:05:24 -0700
Subject: [PATCH] POC wip
---
charts/member-agent-arc/charts_test.go | 34 ++
charts/member-agent-arc/configs/fluent.conf | 65 +++
.../templates/configmap-fluentd.yaml | 48 +++
.../templates/configmap-mdm.yaml | 11 +
.../templates/deployment.yaml | 397 +++++++++++++++++-
charts/member-agent-arc/values.yaml | 26 ++
6 files changed, 579 insertions(+), 2 deletions(-)
create mode 100644 charts/member-agent-arc/configs/fluent.conf
create mode 100644 charts/member-agent-arc/templates/configmap-fluentd.yaml
create mode 100644 charts/member-agent-arc/templates/configmap-mdm.yaml
diff --git a/charts/member-agent-arc/charts_test.go b/charts/member-agent-arc/charts_test.go
index 29d0e5fa9..b380e91ee 100644
--- a/charts/member-agent-arc/charts_test.go
+++ b/charts/member-agent-arc/charts_test.go
@@ -52,6 +52,38 @@ func TestHelmChartTemplatesRenderValidYAML(t *testing.T) {
 "enableTrafficManagerFeature": true,
 "enableNetworkingFeatures": true,
 "propertyProvider": "azure",
+ "geneva": map[string]interface{}{
+ "mdsd": map[string]interface{}{
+ "repository": "linuxgeneva-microsoft.azurecr.io/genevamdsd",
+ "tag": "v1.0.0",
+ },
+ "fluentd": map[string]interface{}{
+ "repository": "linuxgeneva-microsoft.azurecr.io/genevafluentd_td-agent",
+ "tag": "v1.0.0",
+ },
+ "mdm": map[string]interface{}{
+ "repository": "linuxgeneva-microsoft.azurecr.io/genevamdm",
+ "tag": "v1.0.0",
+ "account": "test-mdm-account",
+ },
+ "gcs": map[string]interface{}{
+ "environment": "Test",
+ "account": "test-account",
+ "region": "test-region",
+ "namespace": "test-namespace",
+ "configVersion": "1.0",
+ "authIdType": "AuthMSIToken",
+ },
+ "config": map[string]interface{}{
+ "tenant": "test-tenant",
+ "role": "test-role",
+ "azureEnvironment": "AzurePublicCloud",
+ "enableGigBridgeMode": "1",
+ },
+ "debugging": map[string]interface{}{
+ "dockerLogging": "false",
+ },
+ },
 "Azure": map[string]interface{}{
 "proxySettings": map[string]interface{}{
 "isProxyEnabled": true,
@@ -91,6 +123,8 @@ func TestHelmChartTemplatesRenderValidYAML(t *testing.T) {
 {name: "rbac template", templateFile: "rbac.yaml"},
 {name: "serviceaccount template", templateFile: "serviceaccount.yaml"},
 {name: "azure-proxy-secrets template", templateFile: "azure-proxy-secrets.yaml"},
+ {name: "configmap-fluentd template", templateFile: "configmap-fluentd.yaml"},
+ {name: "configmap-mdm template", templateFile: "configmap-mdm.yaml"},
 }
 
 for _, tt := range tests {
diff --git a/charts/member-agent-arc/configs/fluent.conf b/charts/member-agent-arc/configs/fluent.conf
new file mode 100644
index 000000000..117b7d5fb
--- /dev/null
+++ b/charts/member-agent-arc/configs/fluent.conf
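Review bot: The fixture added in the first hunk sets every `geneva` value to a non-empty string, so `TestHelmChartTemplatesRenderValidYAML` never renders the chart with its shipped defaults, where `geneva.mdm.account`, `geneva.gcs.*` and `geneva.config.*` are `""` and the image tags are `${GENEVA_*_IMAGE_VERSION}` placeholders — the configuration an operator gets when installing without overrides. The second hunk registers the two new ConfigMap templates, but nothing asserts that the rendered `deployment.yaml` contains the `mdsd`, `fluentd` and `mdm` containers, or that the `mdmconfig.json` block inside the rendered `configmap-mdm.yaml` is parseable JSON (it sits in a YAML block scalar, so the YAML check passes regardless of its contents). A second table entry rendered with the default values, plus a JSON decode of the `mdmconfig.json` data, would pin both. The repeated `linuxgeneva-microsoft.azurecr.io/...` literals could be a local `const`; `map[string]interface{}` matches the existing fixture style and is fine to keep. The enclosing function starts and ends outside both hunks.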
@@ -0,0 +1,65 @@ + + @type tail + # Matching the following log files: + # fleet-hub-agent-*_fleet-hub-agent-*.log + # fleet-member-agent-*_msi-adapter-*.log + # fleet-member-agent-*_refresh-tokent-*.log + # fleet-member-agent-*_fleet-member-agent-*.log + path /var/log/containers/fleet-*-agent-*.log + path_key tailed_path + pos_file /var/log/td-agent.fleet-agent.log.pos + tag arc-extension.fleet-agent.* + read_from_head true + + @type regexp + time_format %Y-%m-%dT%H:%M:%S.%L%z + expression /^(? + +# Collect logs for fleet networking controller managers, which are pods with names like fleet-*-controller-manager-*.log +# Same as fleet-agent, these logs are tagged with `arc-extension.fleet-agent.*` and will show up in the same table. + + @type tail + # Matching the following log files: + # fleet-hub-net-controller-manager-*_fleet-hub-net-controller-manager-*.log + # fleet-member-net-controller-manager-*_msi-adapter-*.log + # fleet-member-net-controller-manager-*_refresh-tokent-*.log + # fleet-member-net-controller-manager-*_fleet-member-net-controller-manager-*.log + # fleet-mcs-controller-manager-*_fleet-mcs-controller-manager-*.log + path /var/log/containers/fleet-*-controller-manager-*.log + path_key tailed_path + pos_file /var/log/td-agent.fleet-net-controller-manager.log.pos + tag arc-extension.fleet-agent.* + read_from_head true + + @type regexp + time_format %Y-%m-%dT%H:%M:%S.%L%z + expression /^(? + +# Collect logs for CRD installer, which are pods with names like crd-installer-*.log +# Same as fleet-agent, these logs are tagged with `arc-extension.fleet-agent.*` and will show up in the same table. +# +# @type tail +# # Matching the following log files: +# # crd-installer-*_crd-installer-*.log +# path /var/log/containers/crd-installer-*.log +# path_key tailed_path +# pos_file /var/log/td-agent.crd-installer.log.pos +# tag arc-extension.fleet-agent.* +# read_from_head true +# +# @type regexp +# time_format %Y-%m-%dT%H:%M:%S.%L%z +# expression /^(? 
+# +# Add tag arc.fleetagent to logs from fleet agents, which are running under CCP namespaces. + + @type rewrite_tag_filter + + key namespace + pattern ^.*$ + tag arc.fleetagent + + \ No newline at end of file diff --git a/charts/member-agent-arc/templates/configmap-fluentd.yaml b/charts/member-agent-arc/templates/configmap-fluentd.yaml new file mode 100644 index 000000000..9caa7fb65 --- /dev/null +++ b/charts/member-agent-arc/templates/configmap-fluentd.yaml @@ -0,0 +1,48 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: fluentd-config + namespace: {{ .Values.namespace }} +data: + fluentd.conf: | + + @type tail + # Matching the following log files: + # fleet-hub-agent-*_fleet-hub-agent-*.log + # fleet-member-agent-*_msi-adapter-*.log + # fleet-member-agent-*_refresh-tokent-*.log + # fleet-member-agent-*_fleet-member-agent-*.log + path /var/log/containers/fleet-*-agent-*.log + path_key tailed_path + pos_file /var/log/td-agent.fleet-agent.log.pos + tag arc-extension.fleet-agent.* + read_from_head true + + @type regexp + time_format %Y-%m-%dT%H:%M:%S.%L%z + expression /^(? + + # Collect logs for fleet networking controller managers + + @type tail + path /var/log/containers/fleet-*-controller-manager-*.log + path_key tailed_path + pos_file /var/log/td-agent.fleet-net-controller-manager.log.pos + tag arc-extension.fleet-agent.* + read_from_head true + + @type regexp + time_format %Y-%m-%dT%H:%M:%S.%L%z + expression /^(? + + # Add tag arc.fleetagent to logs from fleet agents + + @type rewrite_tag_filter + + key namespace + pattern ^.*$ + tag arc.fleetagent + + diff --git a/charts/member-agent-arc/templates/configmap-mdm.yaml b/charts/member-agent-arc/templates/configmap-mdm.yaml new file mode 100644 index 000000000..50de33d37 --- /dev/null +++ b/charts/member-agent-arc/templates/configmap-mdm.yaml 
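Review bot: This file is a second copy of the Fluentd pipeline that `configmap-fluentd.yaml` (the next hunk) inlines under `data.fluentd.conf`, and the two copies already differ — this one carries the commented-out `crd-installer` source and the fuller file-pattern comments, the ConfigMap copy does not — while nothing in this patch reads `configs/fluent.conf`. Keep one source of truth by having the template load it, e.g. `fluentd.conf: |` followed by `{{ .Files.Get "configs/fluent.conf" | nindent 4 }}`, or drop this file. Separately, the `pos_file` paths (`/var/log/td-agent.fleet-agent.log.pos`, `/var/log/td-agent.fleet-net-controller-manager.log.pos`) are written straight into the host's `/var/log` rather than into the chart's `fluentd-buffer-vol` emptyDir at `/var/log/td-agent`, and that is the only write the host `/var/log` mount has to allow; placing them under `/var/log/td-agent/` lets that hostPath be mounted read-only. The `rewrite_tag_filter` rule uses `pattern ^.*$` on `namespace`, so it re-tags every record that has the key; either the comment should say the re-tag is unconditional or the pattern should actually restrict the namespace as the comment implies.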
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mdm-config
+ namespace: {{ .Values.namespace }}
+data:
+ mdmconfig.json: |
+ {
+ "account": "{{ .Values.geneva.mdm.account }}",
+ "input": "influxdb_udp"
+ }
diff --git a/charts/member-agent-arc/templates/deployment.yaml b/charts/member-agent-arc/templates/deployment.yaml
index 30f8ef5ff..06ac44a1a 100644
--- a/charts/member-agent-arc/templates/deployment.yaml
+++ b/charts/member-agent-arc/templates/deployment.yaml
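Review bot: `"account": "{{ .Values.geneva.mdm.account }}"` splices the value into a JSON string literal with no escaping, so an account name containing `"` or `\` produces a `mdmconfig.json` the mdm container cannot parse, and the chart default for this value is `""`, which renders as an empty account with no error at install time. Let the JSON encoder do the quoting, `"account": {{ .Values.geneva.mdm.account | toJson }},`, and consider `{{ required "geneva.mdm.account is required" .Values.geneva.mdm.account | toJson }}` so a missing value fails `helm install` instead of producing a silently misconfigured sidecar. The same account is also passed to the container as the `MDM_ACCOUNT` env var in `deployment.yaml`; one of the two sources should go, or a comment here should say which one wins.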
@@ -130,6 +130,116 @@ spec: subPath: azure-proxy-cert.crt readOnly: true {{- end }} + - name: mdsd + image: "{{ .Values.geneva.mdsd.repository }}:{{ .Values.geneva.mdsd.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: ENABLE_GIG_BRIDGE_MODE + value: {{ .Values.geneva.config.enableGigBridgeMode | quote }} + - name: MONITORING_GCS_ENVIRONMENT + value: {{ .Values.geneva.gcs.environment | quote }} + - name: MONITORING_GCS_ACCOUNT + value: {{ .Values.geneva.gcs.account | quote }} + - name: MONITORING_GCS_REGION + value: {{ .Values.geneva.gcs.region | quote }} + - name: MONITORING_GCS_NAMESPACE + value: {{ .Values.geneva.gcs.namespace | quote }} + - name: MONITORING_CONFIG_VERSION + value: {{ .Values.geneva.gcs.configVersion | quote }} + - name: MONITORING_GCS_AUTH_ID_TYPE + value: {{ .Values.geneva.gcs.authIdType | quote }} + - name: MONITORING_TENANT + value: {{ .Values.geneva.config.tenant | quote }} + - name: MONITORING_ROLE + value: {{ .Values.geneva.config.role | quote }} + - name: MONITORING_ROLE_INSTANCE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DOCKER_LOGGING + value: {{ .Values.geneva.debugging.dockerLogging | quote }} + - name: SKIP_IMDS_LOOKUP_FOR_LEGACY_AUTH + value: "true" + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: mdsd-run-vol + mountPath: /var/run/mdsd + - name: mdsd-logs-vol + mountPath: /geneva/geneva_logs + - name: fluentd + image: "{{ .Values.geneva.fluentd.repository }}:{{ .Values.geneva.fluentd.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: FLUENTD_CONF + value: /etc/fluentd/fluentd.conf + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: fluentd-conf-vol + mountPath: /etc/fluentd + - name: fluentd-buffer-vol + mountPath: /var/log/td-agent + - name: mdsd-run-vol + mountPath: 
/var/run/mdsd + - name: docker-log-vol + mountPath: /var/lib/docker/containers + readOnly: true + - name: var-log-vol + mountPath: /var/log + - name: run-journal-vol + mountPath: /run/log/journal + readOnly: true + - name: mdm + image: "{{ .Values.geneva.mdm.repository }}:{{ .Values.geneva.mdm.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: ROLEINSTANCE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONFIG_OVERRIDES_FILE + value: /tmp/geneva_mdm/mdmconfig.json + - name: MDM_INPUT + value: influxdb_udp + - name: MDM_LOG_LEVEL + value: "Info" + - name: MDM_ACCOUNT + value: {{ .Values.geneva.mdm.account | quote }} + - name: ME_AZURE_ENV + value: {{ .Values.geneva.config.azureEnvironment | quote }} + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: mdm-config + mountPath: /tmp/geneva_mdm volumes: - name: provider-token emptyDir: { } @@ -138,6 +248,27 @@ spec: secret: secretName: azure-proxy-cert {{- end }} + - name: mdsd-run-vol + emptyDir: {} + - name: mdsd-logs-vol + emptyDir: {} + - name: fluentd-conf-vol + configMap: + name: fluentd-config + - name: fluentd-buffer-vol + emptyDir: {} + - name: docker-log-vol + hostPath: + path: /var/lib/docker/containers + - name: var-log-vol + hostPath: + path: /var/log + - name: run-journal-vol + hostPath: + path: /run/log/journal + - name: mdm-config + configMap: + name: mdm-config --- apiVersion: apps/v1 kind: Deployment 
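Review bot: The three sidecars drop all capabilities but stop there: none of `mdsd`, `fluentd` or `mdm` sets `allowPrivilegeEscalation: false`, `seccompProfile`, `runAsNonRoot` or `readOnlyRootFilesystem`, and `fluentd` mounts the host's `/var/log` (`var-log-vol`) read-write while its `docker-log-vol` and `run-journal-vol` mounts are correctly `readOnly: true`. Adding `allowPrivilegeEscalation: false` and `seccompProfile: { type: RuntimeDefault }` under each `securityContext` costs nothing; whether the Geneva images tolerate `runAsNonRoot` or a read-only root filesystem is not visible here and needs a test. The only writes fluentd makes outside its `fluentd-buffer-vol` emptyDir are the `pos_file`s, which the shipped config places at `/var/log/td-agent.*.pos` on the host; moving those under `/var/log/td-agent/` allows `readOnly: true` on `var-log-vol` as well. This container block is repeated verbatim for the second and third Deployment in this file (hunks `@@ -255,14 +386,145 @@` and `@@ -381,11 +643,142 @@`), so every such fix has to be made three times; a `{{- define "member-agent-arc.genevaSidecars" }}` block in `_helpers.tpl` pulled in with `include` would keep the three Deployments in step.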
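Review bot: The three new `hostPath` volumes (`docker-log-vol`, `var-log-vol`, `run-journal-vol`) carry no `type:`, so a node where the path is missing does whatever the runtime does by default rather than failing pod start with a clear message; `type: Directory` on each makes the requirement explicit. `/var/lib/docker/containers` exists only on nodes running the Docker runtime; on containerd nodes the files behind `/var/log/containers/*.log` live under `/var/log/pods`, which the `/var/log` mount already covers, so `docker-log-vol` is presumably dead on current nodes — confirm against the target runtime and drop it if so. `hostPath` volumes are also rejected by the Pod Security `baseline` profile, so a namespace enforcing PSA will refuse all three Deployments; the extension namespace's policy is not visible in this hunk and should be checked. The same volume list is added to the other two Deployments in this file (hunks `@@ -255,14 +386,145 @@` and `@@ -381,11 +643,142 @@`).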
@@ -255,14 +386,145 @@ spec: subPath: azure-proxy-cert.crt readOnly: true {{- end }} + - name: mdsd + image: "{{ .Values.geneva.mdsd.repository }}:{{ .Values.geneva.mdsd.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: ENABLE_GIG_BRIDGE_MODE + value: {{ .Values.geneva.config.enableGigBridgeMode | quote }} + - name: MONITORING_GCS_ENVIRONMENT + value: {{ .Values.geneva.gcs.environment | quote }} + - name: MONITORING_GCS_ACCOUNT + value: {{ .Values.geneva.gcs.account | quote }} + - name: MONITORING_GCS_REGION + value: {{ .Values.geneva.gcs.region | quote }} + - name: MONITORING_GCS_NAMESPACE + value: {{ .Values.geneva.gcs.namespace | quote }} + - name: MONITORING_CONFIG_VERSION + value: {{ .Values.geneva.gcs.configVersion | quote }} + - name: MONITORING_GCS_AUTH_ID_TYPE + value: {{ .Values.geneva.gcs.authIdType | quote }} + - name: MONITORING_TENANT + value: {{ .Values.geneva.config.tenant | quote }} + - name: MONITORING_ROLE + value: {{ .Values.geneva.config.role | quote }} + - name: MONITORING_ROLE_INSTANCE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DOCKER_LOGGING + value: {{ .Values.geneva.debugging.dockerLogging | quote }} + - name: SKIP_IMDS_LOOKUP_FOR_LEGACY_AUTH + value: "true" + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: mdsd-run-vol + mountPath: /var/run/mdsd + - name: mdsd-logs-vol + mountPath: /geneva/geneva_logs + - name: fluentd + image: "{{ .Values.geneva.fluentd.repository }}:{{ .Values.geneva.fluentd.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: FLUENTD_CONF + value: /etc/fluentd/fluentd.conf + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: fluentd-conf-vol + mountPath: /etc/fluentd + - name: fluentd-buffer-vol + mountPath: /var/log/td-agent + - name: mdsd-run-vol + mountPath: 
/var/run/mdsd + - name: docker-log-vol + mountPath: /var/lib/docker/containers + readOnly: true + - name: var-log-vol + mountPath: /var/log + - name: run-journal-vol + mountPath: /run/log/journal + readOnly: true + - name: mdm + image: "{{ .Values.geneva.mdm.repository }}:{{ .Values.geneva.mdm.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: ROLEINSTANCE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONFIG_OVERRIDES_FILE + value: /tmp/geneva_mdm/mdmconfig.json + - name: MDM_INPUT + value: influxdb_udp + - name: MDM_LOG_LEVEL + value: "Info" + - name: MDM_ACCOUNT + value: {{ .Values.geneva.mdm.account | quote }} + - name: ME_AZURE_ENV + value: {{ .Values.geneva.config.azureEnvironment | quote }} + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: mdm-config + mountPath: /tmp/geneva_mdm volumes: - name: provider-token - emptyDir: { } + emptyDir: {} {{- if and .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.proxyCert }} - name: azure-proxy-cert-store secret: secretName: azure-proxy-cert {{- end }} + - name: mdsd-run-vol + emptyDir: {} + - name: mdsd-logs-vol + emptyDir: {} + - name: fluentd-conf-vol + configMap: + name: fluentd-config + - name: fluentd-buffer-vol + emptyDir: {} + - name: docker-log-vol + hostPath: + path: /var/lib/docker/containers + - name: var-log-vol + hostPath: + path: /var/log + - name: run-journal-vol + hostPath: + path: /run/log/journal + - name: mdm-config + configMap: + name: mdm-config --- apiVersion: apps/v1 kind: Deployment 
@@ -381,11 +643,142 @@ spec: subPath: azure-proxy-cert.crt readOnly: true {{- end }} + - name: mdsd + image: "{{ .Values.geneva.mdsd.repository }}:{{ .Values.geneva.mdsd.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: ENABLE_GIG_BRIDGE_MODE + value: {{ .Values.geneva.config.enableGigBridgeMode | quote }} + - name: MONITORING_GCS_ENVIRONMENT + value: {{ .Values.geneva.gcs.environment | quote }} + - name: MONITORING_GCS_ACCOUNT + value: {{ .Values.geneva.gcs.account | quote }} + - name: MONITORING_GCS_REGION + value: {{ .Values.geneva.gcs.region | quote }} + - name: MONITORING_GCS_NAMESPACE + value: {{ .Values.geneva.gcs.namespace | quote }} + - name: MONITORING_CONFIG_VERSION + value: {{ .Values.geneva.gcs.configVersion | quote }} + - name: MONITORING_GCS_AUTH_ID_TYPE + value: {{ .Values.geneva.gcs.authIdType | quote }} + - name: MONITORING_TENANT + value: {{ .Values.geneva.config.tenant | quote }} + - name: MONITORING_ROLE + value: {{ .Values.geneva.config.role | quote }} + - name: MONITORING_ROLE_INSTANCE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DOCKER_LOGGING + value: {{ .Values.geneva.debugging.dockerLogging | quote }} + - name: SKIP_IMDS_LOOKUP_FOR_LEGACY_AUTH + value: "true" + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: mdsd-run-vol + mountPath: /var/run/mdsd + - name: mdsd-logs-vol + mountPath: /geneva/geneva_logs + - name: fluentd + image: "{{ .Values.geneva.fluentd.repository }}:{{ .Values.geneva.fluentd.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: FLUENTD_CONF + value: /etc/fluentd/fluentd.conf + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: fluentd-conf-vol + mountPath: /etc/fluentd + - name: fluentd-buffer-vol + mountPath: /var/log/td-agent + - name: mdsd-run-vol + mountPath: 
/var/run/mdsd + - name: docker-log-vol + mountPath: /var/lib/docker/containers + readOnly: true + - name: var-log-vol + mountPath: /var/log + - name: run-journal-vol + mountPath: /run/log/journal + readOnly: true + - name: mdm + image: "{{ .Values.geneva.mdm.repository }}:{{ .Values.geneva.mdm.tag }}" + imagePullPolicy: IfNotPresent + env: + - name: ROLEINSTANCE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONFIG_OVERRIDES_FILE + value: /tmp/geneva_mdm/mdmconfig.json + - name: MDM_INPUT + value: influxdb_udp + - name: MDM_LOG_LEVEL + value: "Info" + - name: MDM_ACCOUNT + value: {{ .Values.geneva.mdm.account | quote }} + - name: ME_AZURE_ENV + value: {{ .Values.geneva.config.azureEnvironment | quote }} + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + capabilities: + drop: + - ALL + volumeMounts: + - name: mdm-config + mountPath: /tmp/geneva_mdm volumes: - name: provider-token - emptyDir: { } + emptyDir: {} {{- if and .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.proxyCert }} - name: azure-proxy-cert-store secret: secretName: azure-proxy-cert {{- end }} + - name: mdsd-run-vol + emptyDir: {} + - name: mdsd-logs-vol + emptyDir: {} + - name: fluentd-conf-vol + configMap: + name: fluentd-config + - name: fluentd-buffer-vol + emptyDir: {} + - name: docker-log-vol + hostPath: + path: /var/lib/docker/containers + - name: var-log-vol + hostPath: + path: /var/log + - name: run-journal-vol + hostPath: + path: /run/log/journal + - name: mdm-config + configMap: + name: mdm-config diff --git a/charts/member-agent-arc/values.yaml b/charts/member-agent-arc/values.yaml index 003da94f5..803437aab 100644 --- a/charts/member-agent-arc/values.yaml +++ b/charts/member-agent-arc/values.yaml 
@@ -34,6 +34,32 @@ enableV1Beta1APIs: true
 
 enableTrafficManagerFeature: false
 enableNetworkingFeatures: false
+geneva:
+ mdsd:
+ repository: linuxgeneva-microsoft.azurecr.io/genevamdsd
+ tag: "${GENEVA_MDSD_IMAGE_VERSION}"
+ fluentd:
+ repository: linuxgeneva-microsoft.azurecr.io/genevafluentd_td-agent
+ tag: "${GENEVA_FLUENTD_IMAGE_VERSION}"
+ mdm:
+ repository: linuxgeneva-microsoft.azurecr.io/genevamdm
+ tag: "${GENEVA_MDM_IMAGE_VERSION}"
+ account: ""
+ gcs:
+ environment: ""
+ account: ""
+ region: ""
+ namespace: ""
+ configVersion: ""
+ authIdType: "AuthMSIToken"
+ config:
+ tenant: ""
+ role: ""
+ azureEnvironment: ""
+ enableGigBridgeMode: "1"
+ debugging:
+ dockerLogging: "false"
+
 Azure:
 proxySettings:
 isProxyEnabled: "false"
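Review bot: There is no switch to turn the Geneva sidecars off: `deployment.yaml` adds `mdsd`, `fluentd` and `mdm` to every Deployment unconditionally, yet the defaults here leave `gcs.environment`, `gcs.account`, `gcs.region`, `gcs.namespace`, `config.tenant`, `config.role` and `mdm.account` empty, so a plain `helm install` pulls three extra images and starts mdsd with an empty GCS configuration. Add `enabled: false` at the top of the `geneva` block and wrap each sidecar container list and its volumes in `{{- if .Values.geneva.enabled }}` … `{{- end }}` in `deployment.yaml`, so the sidecars appear only once the required values are supplied. The `${GENEVA_*_IMAGE_VERSION}` tags presumably rely on the same release-time substitution as the chart's other image tags (not visible in this hunk); if they do not, the default image references are not pullable as written. A short comment above `geneva:` listing which keys are mandatory when `enabled` is true would help operators.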