[helm] support using user-created serviceAccount and clusterRole

deploy/helm/elastic-agent/examples/eck/rendered/manifest.yaml

@@ -11,8 +11,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 ---
 # Source: elastic-agent/templates/agent/service-account.yaml
 apiVersion: v1
@@ -26,8 +24,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 ---
 # Source: elastic-agent/templates/agent/service-account.yaml
 apiVersion: v1
@@ -41,8 +37,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 ---
 # Source: elastic-agent/templates/agent/eck/secret.yaml
 apiVersion: v1
@@ -577,8 +571,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 rules:
   - apiGroups: [ "" ] # "" indicates the core API group
     resources:
@@ -702,8 +694,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 rules:
   - apiGroups: [ "" ] # "" indicates the core API group
     resources:
@@ -936,8 +926,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 rules:
   - apiGroups: [ "" ] # "" indicates the core API group
     resources:
@@ -1019,8 +1007,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 subjects:
   - kind: ServiceAccount
     name: agent-clusterwide-example
@@ -1041,8 +1027,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 subjects:
   - kind: ServiceAccount
     name: agent-ksmsharded-example
@@ -1063,8 +1047,6 @@ metadata:
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 9.0.0
     app.kubernetes.io/managed-by: Helm
-  annotations:
-    eck.k8s.elastic.co/license: basic
 subjects:
   - kind: ServiceAccount
     name: agent-pernode-example

deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml

@@ -9,31 +9,35 @@ agent:
       mode: deployment
       securityContext:
         runAsUser: 0
-      rules:
-        # minimum cluster role ruleset required by agent
-        - apiGroups: [ "" ]
-          resources:
-            - nodes
-            - namespaces
-            - pods
-          verbs:
-            - get
-            - watch
-            - list
-        - apiGroups: [ "apps" ]
-          resources:
-            - replicasets
-          verbs:
-            - get
-            - list
-            - watch
-        - apiGroups: [ "batch" ]
-          resources:
-            - jobs
-          verbs:
-            - get
-            - list
-            - watch
+      serviceAccount:
+        create: true
+      clusterRole:
+        create: true
+        rules:
+          # minimum cluster role ruleset required by agent
+          - apiGroups: [ "" ]
+            resources:
+              - nodes
+              - namespaces
+              - pods
+            verbs:
+              - get
+              - watch
+              - list
+          - apiGroups: [ "apps" ]
+            resources:
+              - replicasets
+            verbs:
+              - get
+              - list
+              - watch
+          - apiGroups: [ "batch" ]
+            resources:
+              - jobs
+            verbs:
+              - get
+              - list
+              - watch
       providers:
         kubernetes_leaderelection:
           enabled: false

deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml

@@ -36,31 +36,35 @@ agent:
       mode: deployment
       securityContext:
         runAsUser: 0
-      rules:
-        # minimum cluster role ruleset required by agent
-        - apiGroups: [ "" ]
-          resources:
-            - nodes
-            - namespaces
-            - pods
-          verbs:
-            - get
-            - watch
-            - list
-        - apiGroups: [ "apps" ]
-          resources:
-            - replicasets
-          verbs:
-            - get
-            - list
-            - watch
-        - apiGroups: [ "batch" ]
-          resources:
-            - jobs
-          verbs:
-            - get
-            - list
-            - watch
+      serviceAccount:
+        create: true
+      clusterRole:
+        create: true
+        rules:
+          # minimum cluster role ruleset required by agent
+          - apiGroups: [ "" ]
+            resources:
+              - nodes
+              - namespaces
+              - pods
+            verbs:
+              - get
+              - watch
+              - list
+          - apiGroups: [ "apps" ]
+            resources:
+              - replicasets
+            verbs:
+              - get
+              - list
+              - watch
+          - apiGroups: [ "batch" ]
+            resources:
+              - jobs
+            verbs:
+              - get
+              - list
+              - watch
       providers:
         kubernetes_leaderelection:
           enabled: false

deploy/helm/elastic-agent/examples/user-cluster-role/README.md

@@ -0,0 +1,37 @@
+# Example: Kubernetes Integration with User-created cluster role
+
+In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml) including the use of a user-created cluster role. Note that the user is responsible for assigning the correct permissions to the cluster role.
+
+## Prerequisites:
+1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
+    ```console
+    kubectl create secret generic es-api-secret \
+       --from-literal=api_key=... \
+       --from-literal=url=...
+    ```
+
+2. `nginx` integration assets are installed through Kibana
+
+3. Create a cluster role.
+
+    ```console
+    kubectl create clusterrole user-cr --verb=get,list,watch --resource=pods,namespaces,nodes,replicasets,jobs
+    ```
+
+## Run:
+1. Install Helm chart
+    ```console
+    helm install elastic-agent ../../ \
+         -f ./agent-nginx-values.yaml \
+         --set outputs.default.type=ESSecretAuthAPI \
+         --set outputs.default.secretName=es-api-secret
+    ```
+
+2. Install the nginx deployment
+    ```console
+   kubectl apply -f ./nginx.yaml
+    ```
+
+## Validate:
+
+1. The Kibana `nginx`-related dashboards should start showing nginx related data.

deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml

@@ -0,0 +1,46 @@
+kubernetes:
+  enabled: false
+
+extraIntegrations:
+  nginx/metrics:
+    id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+    preset: nginx
+    name: nginx-1
+    revision: 1
+    type: nginx/metrics
+    use_output: default
+    meta:
+      package:
+        name: nginx
+        version: 1.19.1
+    data_stream:
+      namespace: default
+    package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f
+    streams:
+      - id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+        data_stream:
+          dataset: nginx.stubstatus
+          type: metrics
+        metricsets:
+          - stubstatus
+        hosts:
+          - 'http://nginx.default.svc.cluster.local:80'
+        tags:
+          - nginx-stubstatus
+        period: 10s
+        server_status_path: /nginx_status
+
+agent:
+  presets:
+    nginx:
+      mode: deployment
+      securityContext:
+        runAsUser: 0
+      serviceAccount:
+        create: true
+      clusterRole:
+        create: false
+        name: user-cr
+      providers:
+        kubernetes_leaderelection:
+          enabled: false