Skip to content

Commit

Permalink
[8.16](backport #5593) [helm] support using user-created serviceAccou…
Browse files Browse the repository at this point in the history
…nt and clusterRole (#5976)

* [helm] support using user-created serviceAccount and clusterRole (#5593)

* feat: support using user-created serviceAccount and clusterRole

* feat: add support for defining automountServiceAccountToken per preset

* fix: add preset-wide annotations to serviceaccount, clusterrole, clusterrolebinding

(cherry picked from commit 5ac225d)

* fix: render helm chart examples

---------

Co-authored-by: Panos Koutsovasilis <[email protected]>
  • Loading branch information
mergify[bot] and pkoutsovasilis authored Nov 8, 2024
1 parent 3f07f2f commit ca434de
Show file tree
Hide file tree
Showing 16 changed files with 1,962 additions and 83 deletions.
54 changes: 29 additions & 25 deletions deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,31 +9,35 @@ agent:
mode: deployment
securityContext:
runAsUser: 0
rules:
# minimum cluster role ruleset required by agent
- apiGroups: [ "" ]
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups: [ "apps" ]
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
verbs:
- get
- list
- watch
serviceAccount:
create: true
clusterRole:
create: true
rules:
# minimum cluster role ruleset required by agent
- apiGroups: [ "" ]
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups: [ "apps" ]
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
verbs:
- get
- list
- watch
providers:
kubernetes_leaderelection:
enabled: false
Original file line number Diff line number Diff line change
Expand Up @@ -36,31 +36,35 @@ agent:
mode: deployment
securityContext:
runAsUser: 0
rules:
# minimum cluster role ruleset required by agent
- apiGroups: [ "" ]
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups: [ "apps" ]
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
verbs:
- get
- list
- watch
serviceAccount:
create: true
clusterRole:
create: true
rules:
# minimum cluster role ruleset required by agent
- apiGroups: [ "" ]
resources:
- nodes
- namespaces
- pods
verbs:
- get
- watch
- list
- apiGroups: [ "apps" ]
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups: [ "batch" ]
resources:
- jobs
verbs:
- get
- list
- watch
providers:
kubernetes_leaderelection:
enabled: false
37 changes: 37 additions & 0 deletions deploy/helm/elastic-agent/examples/user-cluster-role/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Example: Kubernetes Integration with User-created cluster role

In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml) including the use of a user-created cluster role. Note that the user is responsible for assigning the correct permissions to the cluster role.

## Prerequisites:
1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
```console
kubectl create secret generic es-api-secret \
--from-literal=api_key=... \
--from-literal=url=...
```

2. `nginx` integration assets are installed through Kibana

3. Create a cluster role.

```console
kubectl create clusterrole user-cr --verb=get,list,watch --resource=pods,namespaces,nodes,replicasets,jobs
```

## Run:
1. Install Helm chart
```console
helm install elastic-agent ../../ \
-f ./agent-nginx-values.yaml \
--set outputs.default.type=ESSecretAuthAPI \
--set outputs.default.secretName=es-api-secret
```

2. Install the nginx deployment
```console
kubectl apply -f ./nginx.yaml
```

## Validate:

1. The Kibana `nginx`-related dashboards should start showing nginx related data.
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
kubernetes:
enabled: false

extraIntegrations:
nginx/metrics:
id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f
preset: nginx
name: nginx-1
revision: 1
type: nginx/metrics
use_output: default
meta:
package:
name: nginx
version: 1.19.1
data_stream:
namespace: default
package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f
streams:
- id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f
data_stream:
dataset: nginx.stubstatus
type: metrics
metricsets:
- stubstatus
hosts:
- 'http://nginx.default.svc.cluster.local:80'
tags:
- nginx-stubstatus
period: 10s
server_status_path: /nginx_status

agent:
presets:
nginx:
annotations:
elastic-agent.k8s.elastic.co/preset: nginx
mode: deployment
securityContext:
runAsUser: 0
serviceAccount:
create: true
annotations:
elastic-agent.k8s.elastic.co/sa: nginx
clusterRole:
create: false
name: user-cr
providers:
kubernetes_leaderelection:
enabled: false
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
---
# Source: elastic-agent/templates/agent/service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: agent-nginx-example
namespace: "default"
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
annotations:
elastic-agent.k8s.elastic.co/preset: nginx
elastic-agent.k8s.elastic.co/sa: nginx
---
# Source: elastic-agent/templates/agent/k8s/secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: agent-nginx-example
namespace: "default"
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
annotations:
elastic-agent.k8s.elastic.co/preset: nginx
stringData:

agent.yml: |-
id: agent-nginx-example
outputs:
default:
hosts:
- http://elasticsearch:9200
password: changeme
type: elasticsearch
username: elastic
secret_references: []
inputs:
- data_stream:
namespace: default
id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f
meta:
package:
name: nginx
version: 1.19.1
name: nginx-1
package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f
preset: nginx
revision: 1
streams:
- data_stream:
dataset: nginx.stubstatus
type: metrics
hosts:
- http://nginx.default.svc.cluster.local:80
id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f
metricsets:
- stubstatus
period: 10s
server_status_path: /nginx_status
tags:
- nginx-stubstatus
type: nginx/metrics
use_output: default
providers:
kubernetes_leaderelection:
enabled: false
leader_lease: example-nginx
---
# Source: elastic-agent/templates/agent/cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: agent-nginx-example-default
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
annotations:
elastic-agent.k8s.elastic.co/preset: nginx
subjects:
- kind: ServiceAccount
name: agent-nginx-example
namespace: "default"
roleRef:
kind: ClusterRole
name: user-cr
apiGroup: rbac.authorization.k8s.io
---
# Source: elastic-agent/templates/agent/k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: agent-nginx-example
namespace: "default"
labels:
helm.sh/chart: elastic-agent-0.0.1
app.kubernetes.io/name: elastic-agent
app.kubernetes.io/instance: example
app.kubernetes.io/version: 8.16.0
app.kubernetes.io/managed-by: Helm
spec:
selector:
matchLabels:
name: agent-nginx-example
template:
metadata:
labels:
name: agent-nginx-example
annotations:
checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26
elastic-agent.k8s.elastic.co/preset: nginx
spec:
automountServiceAccountToken: true
containers:
- args:
- -c
- /etc/elastic-agent/agent.yml
- -e
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: STATE_PATH
value: /usr/share/elastic-agent/state
image: docker.elastic.co/beats/elastic-agent:8.16.0-SNAPSHOT
imagePullPolicy: IfNotPresent
name: agent
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /usr/share/elastic-agent/state
name: agent-data
- mountPath: /etc/elastic-agent/agent.yml
name: config
readOnly: true
subPath: agent.yml
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: agent-nginx-example
volumes:
- hostPath:
path: /etc/elastic-agent/default/agent-nginx-example/state
type: DirectoryOrCreate
name: agent-data
- name: config
secret:
defaultMode: 292
secretName: agent-nginx-example
Loading

0 comments on commit ca434de

Please sign in to comment.