
[8.16](backport #6004) [helm] fix disabling cluster role and service …
…account (#6008)

* [helm] fix disabling cluster role and service account (#6004)

* fix: allow disabling cluster role creation without needing to specify an existing one

* fix: fallback to default service account when creation is disabled and no existing one is specified

* fix: update nginx custom integration to disable all k8s agent providers

(cherry picked from commit a0111f1)

# Conflicts:
#	deploy/helm/elastic-agent/examples/nginx-custom-integration/rendered/manifest.yaml

* fix: resolve conflicts

---------

Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
mergify[bot] and pkoutsovasilis authored Nov 13, 2024
1 parent 3550331 commit b659537
Showing 7 changed files with 12 additions and 220 deletions.
@@ -1,6 +1,6 @@
# Example: Nginx Custom Integration

In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml).
In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml). Also, we disable all `kubernetes` related providers and creation of cluster role and service account, as they are not required for this example.

## Prerequisites:
1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
Expand Up @@ -34,37 +34,13 @@ agent:
presets:
nginx:
mode: deployment
automountServiceAccountToken: false # disables all kubernetes providers
securityContext:
runAsUser: 0
serviceAccount:
create: true
create: false # disable creation of service account
clusterRole:
create: true
rules:
# minimum cluster role ruleset required by agent
- apiGroups: [ "" ]
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups: [ "apps" ]
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
verbs:
- get
- list
- watch
create: false # disable creation of cluster role account
providers:
kubernetes_leaderelection:
enabled: false
enabled: false # disable leader election
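Review bot: The inline comment on the clusterRole line reads `create: false # disable creation of cluster role account`, where "account" looks carried over from the serviceAccount line above it; `create: false # disable creation of cluster role` is what is meant. With both `create: false` and no `name` given, the rendered Deployment elsewhere in this commit drops `serviceAccountName`, so the pod appears to run under the namespace's `default` ServiceAccount, while `automountServiceAccountToken: false` keeps that account's token out of the container — which is what makes this example least-privilege even though no role is bound. That fallback is worth stating next to the serviceAccount stanza, e.g. `# no name given: the pod falls back to the namespace default ServiceAccount (its token is not mounted, see automountServiceAccountToken)`, so readers do not assume the agent runs with no identity at all. The preset stanza this hunk edits starts above the hunk.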
@@ -1,17 +1,4 @@
---
# Source: elastic-agent/templates/agent/service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: agent-nginx-example
namespace: "default"
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
---
# Source: elastic-agent/templates/agent/k8s/secret.yaml
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -68,133 +55,6 @@ stringData:
enabled: false
leader_lease: example-nginx
---
# Source: elastic-agent/templates/agent/cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: agent-nginx-example-default
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [ "" ] # "" indicates the core API group
resources:
- nodes
- namespaces
- events
- pods
- services
- configmaps
- persistentvolumes
- persistentvolumeclaims
- persistentvolumeclaims/status
- nodes/metrics
- nodes/proxy
- nodes/stats
verbs:
- get
- watch
- list
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- watch
- list
- nonResourceURLs:
- /metrics
verbs:
- get
- watch
- list
- apiGroups: [ "coordination.k8s.io" ]
resources:
- leases
verbs:
- get
- create
- update
- nonResourceURLs:
- /healthz
- /healthz/*
- /livez
- /livez/*
- /metrics
- /metrics/slis
- /readyz
- /readyz/*
verbs:
- get
- apiGroups: [ "apps" ]
resources:
- replicasets
- deployments
- daemonsets
- statefulsets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
- cronjobs
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
---
# Source: elastic-agent/templates/agent/cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: agent-nginx-example-default
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: agent-nginx-example
namespace: "default"
roleRef:
kind: ClusterRole
name: agent-nginx-example-default
apiGroup: rbac.authorization.k8s.io
---
# Source: elastic-agent/templates/agent/k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
Expand All @@ -218,7 +78,7 @@ spec:
annotations:
checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26
spec:
automountServiceAccountToken: true
automountServiceAccountToken: false
containers:
- args:
- -c
Expand Down Expand Up @@ -248,7 +108,6 @@ spec:
readOnly: true
subPath: agent.yml
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: agent-nginx-example
volumes:
- hostPath:
path: /etc/elastic-agent/default/agent-nginx-example/state
@@ -1,6 +1,7 @@
{{- include "elasticagent.init" $ -}}
{{- range $presetName, $presetVal := $.Values.agent.presets -}}
{{- if or (eq $presetVal.clusterRole.create true) (eq $presetVal.serviceAccount.create true) -}}
{{- if or ($presetVal).clusterRole.create ($presetVal).clusterRole.name -}}
{{- if or ($presetVal).serviceAccount.create ($presetVal).serviceAccount.name -}}
{{/* cluster role binding is not namespace bound so let's try to give it a unique enough name */}}
{{- $clusterRoleName := printf "agent-%s-%s-%s" $presetName $.Release.Name $.Release.Namespace -}}
apiVersion: rbac.authorization.k8s.io/v1
Expand Down Expand Up @@ -35,3 +36,4 @@ roleRef:
---
{{- end }}
{{- end }}
{{- end }}
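Review bot: The two nested `if` lines mean no ClusterRoleBinding is rendered when the preset neither creates nor names a service account — i.e. when the pod falls back to the namespace default ServiceAccount — which is the right least-privilege outcome but is only implicit in the nesting; a short template comment would make it deliberate, e.g. `{{/* no binding when the preset falls back to the namespace default service account: the agent cluster role must never be granted to it */}}` above the second `if`. Note also that the old condition used `eq ... true` while the new ones use bare truthiness, so a quoted `"false"` in values would now be treated as true in these lines; that is safe only if values.schema.json types `create` as a boolean, which this page does not show. Whether `roleRef.name` falls back to `($presetVal).clusterRole.name` when `clusterRole.create` is false is outside the hunk and should be confirmed. The template's `roleRef` block and the closing `end`s continue outside the hunk.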
Expand Up @@ -24,7 +24,7 @@ template:
{{- end }}
{{- if eq ($presetVal).serviceAccount.create true }}
serviceAccountName: {{ $agentName }}
{{- else }}
{{- else if ($presetVal).serviceAccount.name }}
serviceAccountName: {{ ($presetVal).serviceAccount.name }}
{{- end }}
{{- with ($presetVal).affinity }}
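Review bot: With `serviceAccount.create` false and no `serviceAccount.name`, the new `else if` emits no `serviceAccountName` at all, so the pod silently takes the namespace's `default` ServiceAccount; the commit description says this fallback is intended, but nothing in the template records it. Add a comment after the `else if`, e.g. `{{- /* neither created nor named: the pod uses the namespace default ServiceAccount; keep automountServiceAccountToken false unless that account's token is actually needed */ -}}`. The same hunk appears in the next file section (the other workload template) and needs the same comment. As a point of style, the two branches now mix `eq ... true` with bare truthiness on `.name`; using one form for both reads more consistently. The enclosing `template:` block starts and ends outside the hunk.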
Expand Up @@ -24,7 +24,7 @@ template:
{{- end }}
{{- if eq ($presetVal).serviceAccount.create true }}
serviceAccountName: {{ $agentName }}
{{- else }}
{{- else if ($presetVal).serviceAccount.name }}
serviceAccountName: {{ ($presetVal).serviceAccount.name }}
{{- end }}
{{- with ($presetVal).affinity }}
47 changes: 1 addition & 46 deletions deploy/helm/elastic-agent/values.schema.json
Expand Up @@ -1309,27 +1309,6 @@
"create"
],
"allOf": [
{
"if": {
"properties": {
"create": {
"const": false
}
}
},
"then": {
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"create",
"name"
]
}
},
{
"if": {
"properties": {
Expand All @@ -1344,10 +1323,7 @@
"type": "string",
"maxLength": 0
}
},
"required": [
"create"
]
}
}
}
]
Expand Down Expand Up @@ -1379,27 +1355,6 @@
"create"
],
"allOf": [
{
"if": {
"properties": {
"create": {
"const": false
}
}
},
"then": {
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"create",
"name"
]
}
},
{
"if": {
"properties": {
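Review bot: Dropping the `if create is false then name is required` clause makes a preset with `create: false` and no `name` schema-valid, and the templates in this commit then fall back silently (default ServiceAccount for the pod, no ClusterRoleBinding rendered); the schema is now the only place a user reads this contract, and it says nothing about it. Add a `description` to the `name` property in both objects, e.g. `"description": "Existing object to use when create is false; when empty, the pod falls back to the namespace default ServiceAccount and no cluster role binding is rendered"`. The second hunk at line 1379 removes the same clause for the other object and should get the same description. Both `allOf` arrays open before their hunks and close after them.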

