diff --git a/deploy/helm/elastic-agent/examples/nginx-custom-integration/README.md b/deploy/helm/elastic-agent/examples/nginx-custom-integration/README.md index 61ed825a44..5b554a84c0 100644 --- a/deploy/helm/elastic-agent/examples/nginx-custom-integration/README.md +++ b/deploy/helm/elastic-agent/examples/nginx-custom-integration/README.md @@ -1,6 +1,6 @@ # Example: Nginx Custom Integration -In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml). +In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml). Also, we disable all `kubernetes` related providers and creation of cluster role and service account, as they are not required for this example. ## Prerequisites: 1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)): diff --git a/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml b/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml index ef7158164c..c39a168f75 100644 --- a/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml +++ b/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml 
@@ -34,37 +34,13 @@ agent: presets: nginx: mode: deployment + automountServiceAccountToken: false # disables all kubernetes providers securityContext: runAsUser: 0 serviceAccount: - create: true + create: false # disable creation of service account clusterRole: - create: true - rules: - # minimum cluster role ruleset required by agent - - apiGroups: [ "" ] - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: [ "apps" ] - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - verbs: - - get - - list - - watch + create: false # disable creation of cluster role account providers: kubernetes_leaderelection: - enabled: false + enabled: false # disable leader election diff --git a/deploy/helm/elastic-agent/examples/nginx-custom-integration/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/nginx-custom-integration/rendered/manifest.yaml index 0080aff0b1..e548e365ef 100644 --- a/deploy/helm/elastic-agent/examples/nginx-custom-integration/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/nginx-custom-integration/rendered/manifest.yaml @@ -1,17 +1,4 @@ --- -# Source: elastic-agent/templates/agent/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: agent-nginx-example - namespace: "default" - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 8.16.0 - app.kubernetes.io/managed-by: Helm ---- # Source: elastic-agent/templates/agent/k8s/secret.yaml apiVersion: v1 kind: Secret 
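Review bot: The inline comment on `automountServiceAccountToken: false` in `agent-nginx-values.yaml` says the setting "disables all kubernetes providers", but the key itself only keeps the service-account token out of the pod. Whether the chart then switches the providers off is not visible in this hunk, where only `kubernetes_leaderelection` is disabled explicitly. A comment such as `automountServiceAccountToken: false # no service account token is mounted in the pod` states the mechanism. With `serviceAccount.create: false` and no `name`, the pod falls back to the namespace's `default` service account, so this line is what keeps that account's token away from a container that still has `runAsUser: 0`; saying so would stop someone from dropping it later. The comment `# disable creation of cluster role account` should read `# do not create a cluster role`.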
@@ -68,133 +55,6 @@ stringData: enabled: false leader_lease: example-nginx --- -# Source: elastic-agent/templates/agent/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: agent-nginx-example-default - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 8.16.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [ "" ] # "" indicates the core API group - resources: - - nodes - - namespaces - - events - - pods - - services - - configmaps - - persistentvolumes - - persistentvolumeclaims - - persistentvolumeclaims/status - - nodes/metrics - - nodes/proxy - - nodes/stats - verbs: - - get - - watch - - list - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - watch - - list - - nonResourceURLs: - - /metrics - verbs: - - get - - watch - - list - - apiGroups: [ "coordination.k8s.io" ] - resources: - - leases - verbs: - - get - - create - - update - - nonResourceURLs: - - /healthz - - /healthz/* - - /livez - - /livez/* - - /metrics - - /metrics/slis - - /readyz - - /readyz/* - verbs: - - get - - apiGroups: [ "apps" ] - resources: - - replicasets - - deployments - - daemonsets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch ---- -# Source: elastic-agent/templates/agent/cluster-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: agent-nginx-example-default - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - 
app.kubernetes.io/instance: example - app.kubernetes.io/version: 8.16.0 - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: agent-nginx-example - namespace: "default" -roleRef: - kind: ClusterRole - name: agent-nginx-example-default - apiGroup: rbac.authorization.k8s.io ---- # Source: elastic-agent/templates/agent/k8s/deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -218,7 +78,7 @@ spec: annotations: checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26 spec: - automountServiceAccountToken: true + automountServiceAccountToken: false containers: - args: - -c @@ -248,7 +108,6 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: agent-nginx-example volumes: - hostPath: path: /etc/elastic-agent/default/agent-nginx-example/state diff --git a/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml b/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml index 2b6521a176..c0eb1879b3 100644 --- a/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml +++ b/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml @@ -1,6 +1,7 @@ {{- include "elasticagent.init" $ -}} {{- range $presetName, $presetVal := $.Values.agent.presets -}} -{{- if or (eq $presetVal.clusterRole.create true) (eq $presetVal.serviceAccount.create true) -}} +{{- if or ($presetVal).clusterRole.create ($presetVal).clusterRole.name -}} +{{- if or ($presetVal).serviceAccount.create ($presetVal).serviceAccount.name -}} {{/* cluster role binding is not namespace bound so let's try to give it a unique enough name */}} {{- $clusterRoleName := printf "agent-%s-%s-%s" $presetName $.Release.Name $.Release.Namespace -}} apiVersion: rbac.authorization.k8s.io/v1 @@ -35,3 +36,4 @@ roleRef: --- {{- end }} {{- end }} +{{- end }} 
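Review bot: In `templates/agent/cluster-role-binding.yaml` the two nested guards can be one condition, `{{- if and (or ($presetVal).clusterRole.create ($presetVal).clusterRole.name) (or ($presetVal).serviceAccount.create ($presetVal).serviceAccount.name) -}}`, which makes the extra `{{- end }}` added in the second hunk unnecessary and keeps the open/close pairs easy to match. The guards now test truthiness where the old line compared with `eq ... true`, so a non-boolean value would pass; that is safe only while the schema keeps `create` a boolean, which these hunks do not show. When `create` is false and only `name` is set, the binding attaches a ClusterRole the chart did not define to the named account. The `subjects` and `roleRef` lines are outside the hunk, so it is worth confirming that they render the supplied names rather than the generated `agent-…` ones, and adding a template comment saying the binding is skipped unless both a role and an account are present.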
diff --git a/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml b/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml
index b1eed38427..1bc118743d 100644
--- a/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml
@@ -24,7 +24,7 @@ template:
 {{- end }}
 {{- if eq ($presetVal).serviceAccount.create true }}
 serviceAccountName: {{ $agentName }}
- {{- else }}
+ {{- else if ($presetVal).serviceAccount.name }}
 serviceAccountName: {{ ($presetVal).serviceAccount.name }}
 {{- end }}
 {{- with ($presetVal).affinity }}
diff --git a/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml b/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml
index 5563531e97..d21de31631 100644
--- a/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml
@@ -24,7 +24,7 @@ template:
 {{- end }}
 {{- if eq ($presetVal).serviceAccount.create true }}
 serviceAccountName: {{ $agentName }}
- {{- else }}
+ {{- else if ($presetVal).serviceAccount.name }}
 serviceAccountName: {{ ($presetVal).serviceAccount.name }}
 {{- end }}
 {{- with ($presetVal).affinity }}
diff --git a/deploy/helm/elastic-agent/values.schema.json b/deploy/helm/elastic-agent/values.schema.json
index 7903255695..5cae987e65 100644
--- a/deploy/helm/elastic-agent/values.schema.json
+++ b/deploy/helm/elastic-agent/values.schema.json
@@ -1309,27 +1309,6 @@
 "create"
 ],
 "allOf": [
- {
- "if": {
- "properties": {
- "create": {
- "const": false
- }
- }
- },
- "then": {
- "properties": {
- "name": {
- "type": "string",
- "minLength": 1
- }
- },
- "required": [
- "create",
- "name"
- ]
- }
- },
 {
 "if": {
 "properties": {
@@ -1344,10 +1323,7 @@
 "type": "string",
 "maxLength": 0
 }
- },
- "required": [
- "create"
- ]
+ }
 }
 }
 ]
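Review bot: In `eck/_pod_template.yaml` the new `else if` leaves `serviceAccountName` out when `serviceAccount.create` is false and `serviceAccount.name` is empty, so Kubernetes assigns the namespace's `default` service account, and its token is mounted unless the preset also sets `automountServiceAccountToken: false`. The example values do set it, but the schema change in this commit lets any preset reach this branch, and the previously rendered manifest shows `automountServiceAccountToken: true`, which looks like the chart default. Consider a template comment on the branch, e.g. `{{/* no serviceAccountName: the pod uses the namespace default service account */}}`, and a line in the values documentation telling users to disable token automount in that case. The same applies to the identical hunk in `k8s/_pod_template.yaml`; the enclosing template block starts and ends outside both hunks.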
@@ -1379,27 +1355,6 @@
 "create"
 ],
 "allOf": [
- {
- "if": {
- "properties": {
- "create": {
- "const": false
- }
- }
- },
- "then": {
- "properties": {
- "name": {
- "type": "string",
- "minLength": 1
- }
- },
- "required": [
- "create",
- "name"
- ]
- }
- },
 {
 "if": {
 "properties": {