[helm] fix disabling cluster role and service account (#6004)

* fix: allow disabling cluster role creation without needing to specify an existing one

* fix: fallback to default service account when creation is disabled and no existing one is specified

* fix: update nginx custom integration to disable all k8s agent providers

Author: pkoutsovasilis

deploy/helm/elastic-agent/examples/nginx-custom-integration/README.md

@@ -1,6 +1,6 @@
 # Example: Nginx Custom Integration
 
-In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml).
+In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml). Also, we disable all `kubernetes` related providers and creation of cluster role and service account, as they are not required for this example.
 
 ## Prerequisites:
 1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):

deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml

@@ -34,37 +34,13 @@ agent:
   presets:
     nginx:
       mode: deployment
+      automountServiceAccountToken: false # disables all kubernetes providers
       securityContext:
         runAsUser: 0
       serviceAccount:
-        create: true
+        create: false # disable creation of service account
       clusterRole:
-        create: true
-        rules:
-          # minimum cluster role ruleset required by agent
-          - apiGroups: [ "" ]
-            resources:
-              - nodes
-              - namespaces
-              - pods
-            verbs:
-              - get
-              - watch
-              - list
-          - apiGroups: [ "apps" ]
-            resources:
-              - replicasets
-            verbs:
-              - get
-              - list
-              - watch
-          - apiGroups: [ "batch" ]
-            resources:
-              - jobs
-            verbs:
-              - get
-              - list
-              - watch
+        create: false # disable creation of cluster role account
       providers:
         kubernetes_leaderelection:
-          enabled: false
+          enabled: false # disable leader election

deploy/helm/elastic-agent/examples/nginx-custom-integration/rendered/manifest.yaml

@@ -1,17 +1,4 @@
 ---
-# Source: elastic-agent/templates/agent/service-account.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: agent-nginx-example
-  namespace: "default"
-  labels:
-    helm.sh/chart: elastic-agent-0.0.1
-    app.kubernetes.io/name: elastic-agent
-    app.kubernetes.io/instance: example
-    app.kubernetes.io/version: 9.0.0
-    app.kubernetes.io/managed-by: Helm
----
 # Source: elastic-agent/templates/agent/k8s/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -68,133 +55,6 @@ stringData:
         enabled: false
         leader_lease: example-nginx
 ---
-# Source: elastic-agent/templates/agent/cluster-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: agent-nginx-example-default
-  labels:
-    helm.sh/chart: elastic-agent-0.0.1
-    app.kubernetes.io/name: elastic-agent
-    app.kubernetes.io/instance: example
-    app.kubernetes.io/version: 9.0.0
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: [ "" ] # "" indicates the core API group
-    resources:
-      - nodes
-      - namespaces
-      - events
-      - pods
-      - services
-      - configmaps
-      - persistentvolumes
-      - persistentvolumeclaims
-      - persistentvolumeclaims/status
-      - nodes/metrics
-      - nodes/proxy
-      - nodes/stats
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - storage.k8s.io
-    resources:
-      - storageclasses
-    verbs:
-      - get
-      - watch
-      - list
-  - nonResourceURLs:
-      - /metrics
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups: [ "coordination.k8s.io" ]
-    resources:
-      - leases
-    verbs:
-      - get
-      - create
-      - update
-  - nonResourceURLs:
-      - /healthz
-      - /healthz/*
-      - /livez
-      - /livez/*
-      - /metrics
-      - /metrics/slis
-      - /readyz
-      - /readyz/*
-    verbs:
-      - get
-  - apiGroups: [ "apps" ]
-    resources:
-      - replicasets
-      - deployments
-      - daemonsets
-      - statefulsets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups: [ "batch" ]
-    resources:
-      - jobs
-      - cronjobs
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-    - ""
-    resources:
-    - nodes
-    - namespaces
-    - pods
-    verbs:
-    - get
-    - watch
-    - list
-  - apiGroups:
-    - apps
-    resources:
-    - replicasets
-    verbs:
-    - get
-    - list
-    - watch
-  - apiGroups:
-    - batch
-    resources:
-    - jobs
-    verbs:
-    - get
-    - list
-    - watch
----
-# Source: elastic-agent/templates/agent/cluster-role-binding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: agent-nginx-example-default
-  labels:
-    helm.sh/chart: elastic-agent-0.0.1
-    app.kubernetes.io/name: elastic-agent
-    app.kubernetes.io/instance: example
-    app.kubernetes.io/version: 9.0.0
-    app.kubernetes.io/managed-by: Helm
-subjects:
-  - kind: ServiceAccount
-    name: agent-nginx-example
-    namespace: "default"
-roleRef:
-  kind: ClusterRole
-  name: agent-nginx-example-default
-  apiGroup: rbac.authorization.k8s.io
----
 # Source: elastic-agent/templates/agent/k8s/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
@@ -218,7 +78,7 @@ spec:
       annotations:
         checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26
     spec:
-      automountServiceAccountToken: true
+      automountServiceAccountToken: false
       containers:
       - args:
         - -c
@@ -248,7 +108,6 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
-      serviceAccountName: agent-nginx-example
       volumes:
       - hostPath:
           path: /etc/elastic-agent/default/agent-nginx-example/state

deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml

@@ -1,6 +1,7 @@
 {{- include "elasticagent.init" $ -}}
 {{- range $presetName, $presetVal := $.Values.agent.presets -}}
-{{- if or (eq $presetVal.clusterRole.create true) (eq $presetVal.serviceAccount.create true) -}}
+{{- if or ($presetVal).clusterRole.create ($presetVal).clusterRole.name  -}}
+{{- if or ($presetVal).serviceAccount.create ($presetVal).serviceAccount.name -}}
 {{/* cluster role binding is not namespace bound so let's try to give it a unique enough name */}}
 {{- $clusterRoleName := printf "agent-%s-%s-%s" $presetName $.Release.Name $.Release.Namespace -}}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -35,3 +36,4 @@ roleRef:
 ---
 {{- end }}
 {{- end }}
+{{- end }}

deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml

@@ -24,7 +24,7 @@ template:
     {{- end }}
     {{- if eq ($presetVal).serviceAccount.create true }}
     serviceAccountName: {{ $agentName }}
-    {{- else }}
+    {{- else if ($presetVal).serviceAccount.name }}
     serviceAccountName: {{ ($presetVal).serviceAccount.name }}
     {{- end }}
     {{- with ($presetVal).affinity }}

deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml

@@ -24,7 +24,7 @@ template:
     {{- end }}
     {{- if eq ($presetVal).serviceAccount.create true }}
     serviceAccountName: {{ $agentName }}
-    {{- else }}
+    {{- else if ($presetVal).serviceAccount.name }}
     serviceAccountName: {{ ($presetVal).serviceAccount.name }}
     {{- end }}
     {{- with ($presetVal).affinity }}

deploy/helm/elastic-agent/values.schema.json

@@ -1309,27 +1309,6 @@
                 "create"
             ],
             "allOf": [
-                {
-                    "if": {
-                        "properties": {
-                            "create": {
-                                "const": false
-                            }
-                        }
-                    },
-                    "then": {
-                        "properties": {
-                            "name": {
-                                "type": "string",
-                                "minLength": 1
-                            }
-                        },
-                        "required": [
-                            "create",
-                            "name"
-                        ]
-                    }
-                },
                 {
                     "if": {
                         "properties": {
@@ -1344,10 +1323,7 @@
                                 "type": "string",
                                 "maxLength": 0
                             }
-                        },
-                        "required": [
-                            "create"
-                        ]
+                        }
                     }
                 }
             ]
@@ -1379,27 +1355,6 @@
                 "create"
             ],
             "allOf": [
-                {
-                    "if": {
-                        "properties": {
-                            "create": {
-                                "const": false
-                            }
-                        }
-                    },
-                    "then": {
-                        "properties": {
-                            "name": {
-                                "type": "string",
-                                "minLength": 1
-                            }
-                        },
-                        "required": [
-                            "create",
-                            "name"
-                        ]
-                    }
-                },
                 {
                     "if": {
                         "properties": {