[helm] fix disabling cluster role and service account #6004

Merged
@@ -1,6 +1,6 @@
# Example: Nginx Custom Integration

In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml).
In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml). Also, we disable all `kubernetes` related providers and creation of cluster role and service account, as they are not required for this example.

## Prerequisites:
1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
Expand Up @@ -34,37 +34,13 @@ agent:
presets:
nginx:
mode: deployment
automountServiceAccountToken: false # disables all kubernetes providers
securityContext:
runAsUser: 0
serviceAccount:
create: true
create: false # disable creation of service account
clusterRole:
create: true
rules:
# minimum cluster role ruleset required by agent
- apiGroups: [ "" ]
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups: [ "apps" ]
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
verbs:
- get
- list
- watch
create: false # disable creation of cluster role account
providers:
kubernetes_leaderelection:
enabled: false
enabled: false # disable leader election
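Review bot: The inline comment on `automountServiceAccountToken: false` says it "disables all kubernetes providers", but the key itself only stops the service account token from being mounted into the pod. If the chart derives provider state from it, that logic is outside this section, so a wording such as `# do not mount a service account token; kubernetes providers are unavailable without it` would describe the setting more directly. With `serviceAccount.create: false` and no `name`, the pod presumably runs under the namespace's `default` service account, which is worth stating next to the key, e.g. `create: false # no dedicated service account; pod uses the namespace default, token not mounted`. The comment on `clusterRole.create` reads "cluster role account"; `# disable creation of cluster role` is what is meant.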
@@ -1,17 +1,4 @@
---
# Source: elastic-agent/templates/agent/service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: agent-nginx-example
namespace: "default"
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 9.0.0
app.kubernetes.io/managed-by: Helm
---
# Source: elastic-agent/templates/agent/k8s/secret.yaml
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -68,133 +55,6 @@ stringData:
enabled: false
leader_lease: example-nginx
---
# Source: elastic-agent/templates/agent/cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: agent-nginx-example-default
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 9.0.0
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [ "" ] # "" indicates the core API group
resources:
- nodes
- namespaces
- events
- pods
- services
- configmaps
- persistentvolumes
- persistentvolumeclaims
- persistentvolumeclaims/status
- nodes/metrics
- nodes/proxy
- nodes/stats
verbs:
- get
- watch
- list
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- watch
- list
- nonResourceURLs:
- /metrics
verbs:
- get
- watch
- list
- apiGroups: [ "coordination.k8s.io" ]
resources:
- leases
verbs:
- get
- create
- update
- nonResourceURLs:
- /healthz
- /healthz/*
- /livez
- /livez/*
- /metrics
- /metrics/slis
- /readyz
- /readyz/*
verbs:
- get
- apiGroups: [ "apps" ]
resources:
- replicasets
- deployments
- daemonsets
- statefulsets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
- cronjobs
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
---
# Source: elastic-agent/templates/agent/cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: agent-nginx-example-default
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 9.0.0
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: agent-nginx-example
namespace: "default"
roleRef:
kind: ClusterRole
name: agent-nginx-example-default
apiGroup: rbac.authorization.k8s.io
---
# Source: elastic-agent/templates/agent/k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
Expand All @@ -218,7 +78,7 @@ spec:
annotations:
checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26
spec:
automountServiceAccountToken: true
automountServiceAccountToken: false
containers:
- args:
- -c
Expand Down Expand Up @@ -248,7 +108,6 @@ spec:
readOnly: true
subPath: agent.yml
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: agent-nginx-example
volumes:
- hostPath:
path: /etc/elastic-agent/default/agent-nginx-example/state
@@ -1,6 +1,7 @@
{{- include "elasticagent.init" $ -}}
{{- range $presetName, $presetVal := $.Values.agent.presets -}}
{{- if or (eq $presetVal.clusterRole.create true) (eq $presetVal.serviceAccount.create true) -}}
{{- if or ($presetVal).clusterRole.create ($presetVal).clusterRole.name -}}
{{- if or ($presetVal).serviceAccount.create ($presetVal).serviceAccount.name -}}
{{/* cluster role binding is not namespace bound so let's try to give it a unique enough name */}}
{{- $clusterRoleName := printf "agent-%s-%s-%s" $presetName $.Release.Name $.Release.Namespace -}}
apiVersion: rbac.authorization.k8s.io/v1
Expand Down Expand Up @@ -35,3 +36,4 @@ roleRef:
---
{{- end }}
{{- end }}
{{- end }}
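Review bot: The two new nested `if` guards carry no comment saying when the ClusterRoleBinding is rendered, and the extra `{{- end }}` that closes them sits at the far end of the file. A template comment above them, such as `{{/* bind only when both a cluster role and a service account exist, created by the chart or referenced by name */}}`, would make the RBAC intent reviewable. The guards could also be folded into one line, `{{- if and (or ($presetVal).clusterRole.create ($presetVal).clusterRole.name) (or ($presetVal).serviceAccount.create ($presetVal).serviceAccount.name) -}}`, which avoids the third `end`. These guards test truthiness while the pod templates in this change still use `eq ($presetVal).serviceAccount.create true`; using one form in both places keeps the binding and the pod's `serviceAccountName` from disagreeing if a non-boolean value ever gets past the schema. The middle of the template lies outside the visible hunks.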
Expand Up @@ -24,7 +24,7 @@ template:
{{- end }}
{{- if eq ($presetVal).serviceAccount.create true }}
serviceAccountName: {{ $agentName }}
{{- else }}
{{- else if ($presetVal).serviceAccount.name }}
serviceAccountName: {{ ($presetVal).serviceAccount.name }}
{{- end }}
{{- with ($presetVal).affinity }}
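Review bot: When `serviceAccount.create` is false and `serviceAccount.name` is empty, the new `else if` emits no `serviceAccountName`, so Kubernetes assigns the namespace's `default` service account to the pod. Whether that account's token is mounted then depends on `automountServiceAccountToken`, which is set outside this hunk; the nginx example in this change sets it to false, but a preset that leaves it true would run with whatever permissions are bound to `default`. A template comment on the branch, e.g. `{{/* neither created nor named: pod falls back to the namespace default service account */}}`, together with a line in the values documentation, would make that fallback explicit. The same applies to the identical hunk in the next file section.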
Expand Up @@ -24,7 +24,7 @@ template:
{{- end }}
{{- if eq ($presetVal).serviceAccount.create true }}
serviceAccountName: {{ $agentName }}
{{- else }}
{{- else if ($presetVal).serviceAccount.name }}
serviceAccountName: {{ ($presetVal).serviceAccount.name }}
{{- end }}
{{- with ($presetVal).affinity }}
47 changes: 1 addition & 46 deletions deploy/helm/elastic-agent/values.schema.json
Expand Up @@ -1309,27 +1309,6 @@
"create"
],
"allOf": [
{
"if": {
"properties": {
"create": {
"const": false
}
}
},
"then": {
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"create",
"name"
]
}
},
{
"if": {
"properties": {
Expand All @@ -1344,10 +1323,7 @@
"type": "string",
"maxLength": 0
}
},
"required": [
"create"
]
}
}
}
]
Expand Down Expand Up @@ -1379,27 +1355,6 @@
"create"
],
"allOf": [
{
"if": {
"properties": {
"create": {
"const": false
}
}
},
"then": {
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"create",
"name"
]
}
},
{
"if": {
"properties": {