diff --git a/.buildkite/scripts/steps/sync-k8s.sh b/.buildkite/scripts/steps/sync-k8s.sh index 02220d3f8d8..275e20d9186 100644 --- a/.buildkite/scripts/steps/sync-k8s.sh +++ b/.buildkite/scripts/steps/sync-k8s.sh @@ -26,4 +26,7 @@ make ci-clone-kibana-repository cp Makefile ./kibana cd kibana echo "--- Create Kibana PR" -make ci-create-kubernetes-templates-pull-request \ No newline at end of file +make ci-create-kubernetes-templates-pull-request + +echo "--- [File Update] Kustomize-Tempates" +GENERATEKUSTOMIZE=true make ci-create-kustomize \ No newline at end of file diff --git a/changelog/fragments/1715773969-kustomize-onboarding.yaml b/changelog/fragments/1715773969-kustomize-onboarding.yaml new file mode 100644 index 00000000000..24696195463 --- /dev/null +++ b/changelog/fragments/1715773969-kustomize-onboarding.yaml 
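Review bot: The added `GENERATEKUSTOMIZE=true make ci-create-kustomize` in `sync-k8s.sh` runs after the `cd kibana` shown in the context lines, so it executes the copied Makefile inside the Kibana checkout and not in `deploy/kubernetes`. Unless the per-target template directories exist there, the recipe's `ls $@/*.yaml` and `sed` inputs will not resolve. Nothing visible in the hunk commits or uploads the regenerated files, so the step's output appears to be discarded when the job ends; if the intent is to refresh the in-repo templates, run it before `cd kibana` and follow it with a commit/PR step. The group label also has a typo: `Kustomize-Tempates` should read `Kustomize-Templates`. The rest of the script, including whether `set -e` is active, is outside the hunk.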
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: kustomize templates using default manifests for k8s onboarding
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/deploy/kubernetes/Makefile b/deploy/kubernetes/Makefile
index a88fc0dca02..42000e52bbe 100644
--- a/deploy/kubernetes/Makefile
+++ b/deploy/kubernetes/Makefile @@ -16,6 +16,11 @@ KUSTOMIZE=elastic-agent-kustomize KUSTOMIZE_DEFAULT=elastic-agent-kustomize/default KUSTOMIZE_KSM_AUTOSHARDING=elastic-agent-kustomize/ksm-autosharding +# variable for processor for elastic-agent-standalone +define ELASTIC_PROCESSOR +processors:\n - add_fields:\n fields:\n onboarding_id: '%ONBOARDING_ID%' +endef + .PHONY: generate-k8s $(ALL) generate-k8s: $(ALL) @@ -95,14 +100,15 @@ else endif -## ci-create-kustomize-default : Create default kustomize folder +## ci-create-kustomize : Create default kustomize folder .PHONY: ci-create-kustomize $(ALL) ci-create-kustomize: $(ALL) ifdef GENERATEKUSTOMIZE +export ELASTIC_PROCESSOR $(ALL): @echo "Generating $@ kustomize-default files" - @for f in $(shell ls $@/*.yaml); do \ + @for f in $(shell ls $@/*.yaml | grep -v elastic-agent-standalone-daemonset-configmap); do \ cp -r $$f $(KUSTOMIZE_DEFAULT)/$@/base; \ done 
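Review bot: The comment above `define ELASTIC_PROCESSOR` does not say how the value is consumed, which matters because its `\n` escapes and embedded single quotes only make sense as a `sed` replacement in the `ci-create-kustomize` recipe. I would expand it to something like `# YAML fragment spliced by sed into the standalone configmap (ci-create-kustomize); \n is turned into a newline by GNU sed, and %ONBOARDING_ID% is left as a placeholder for the user`. Translating `\n` in a replacement is a GNU sed extension, so the comment should also state that the target expects GNU sed, since other sed implementations may not produce newlines there.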
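Review bot: `$(shell ls $@/*.yaml | grep -v elastic-agent-standalone-daemonset-configmap)` filters by substring on `ls` output, so any future file whose name merely contains that string is skipped as well. A missing directory only surfaces as an `ls` message on stderr while the loop silently copies nothing. Make's own functions do this without a subshell: `@for f in $(filter-out %/elastic-agent-standalone-daemonset-configmap.yaml,$(wildcard $@/*.yaml)); do \`. The `export ELASTIC_PROCESSOR` line sits directly above the `$(ALL):` rule inside the `ifdef`; placing it next to the `define` would make it clearer that it is a global directive and not part of the recipe. The recipe continues past the end of this hunk.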
@@ -115,9 +121,13 @@ $(ALL): mkdir -p $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/extra/ sed -e "s/%VERSION%/${BEAT_VERSION}/g" -e "s/%BRANCH%/${BRANCH_VERSION}/g" -e "/name: elastic-agent-state/,+1 s/^/#/" -e "/path: \/var\/lib\/$@\/kube-system\/state/,+1 s/^/#/" $@/$@-daemonset.yaml > $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/base/$@-daemonset.yaml + sed -e "s/%VERSION%/${BEAT_VERSION}/g" -e "s/%BRANCH%/${BRANCH_VERSION}/g" -e "/name: elastic-agent-state/,+1 s/^/#/" -e "/path: \/var\/lib\/$@\/kube-system\/state/,+1 s/^/#/" $@/$@-daemonset.yaml > $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/base/$@-daemonset.yaml + sed -e "s/%VERSION%/${BEAT_VERSION}/g" -e "s/%BRANCH%/${BRANCH_VERSION}/g" -e "s/hostNetwork: true/hostNetwork: false/g" -e "s/DaemonSet/StatefulSet/g" -e "s/agent-node-datastreams/agent-ksm-datastreams/g" -e "/name: elastic-agent-state/,+1 s/^/#/" -e "/path: \/var\/lib\/$@\/kube-system\/state/,+1 s/^/#/" $@/$@-daemonset.yaml > $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/extra/$@-statefulset.yaml + @echo "Generating processor $$ELASTIC_PROCESSOR" + sed -e "s/#/$$ELASTIC_PROCESSOR/g" elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml > $(KUSTOMIZE_DEFAULT)/elastic-agent-standalone/base/elastic-agent-standalone-daemonset-configmap.yaml + else echo "No KSM templates generated. Please run: GENERATEKUSTOMIZE=true make ci-create-kustomize " - -endif \ No newline at end of file +endif diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/README.md b/deploy/kubernetes/elastic-agent-kustomize/default/README.md new file mode 100644 index 00000000000..3bcab021ef0 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kustomize/default/README.md 
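Review bot: The new `sed -e "s/#/$$ELASTIC_PROCESSOR/g"` is unanchored and global, so it rewrites every `#` in the configmap template, including the leading `#` of each YAML comment, and not only the lone `#` marker line added under `period: 10s`. The committed kustomize configmap still has its comments intact, which suggests it was not produced by this recipe as written. Anchoring the match to a marker-only line keeps the comments and the marker's indentation: `sed -e "s/^\([[:space:]]*\)#[[:space:]]*$$/\1$$ELASTIC_PROCESSOR/"`; a dedicated placeholder token would be clearer still. The command also hard-codes the standalone paths while living in the per-target `$(ALL):` recipe, so it runs once per target and, under `make -j`, can write the same output file concurrently. As rendered here the `$@-daemonset.yaml` `sed` appears both as a context line and as an added line; if that is not a whitespace-only artefact, one of the two is redundant.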
@@ -0,0 +1,71 @@
+# Kustomize Templates
+
+The list below includes the official [kustomize](https://github.com/kubernetes-sigs/kustomize) templates to run them in Kubernetes:
+
+Agent Scenario | Description
+---- | ----
+[Elastic Agent managed - Default ](./elastic-agent-managed/) | Default Elastic Agent managed by Fleet setup. Kube-state-metrics (KSM) is installed automatically.
+[Elastic Agent standalone Default ](./elastic-agent-standalone/) | Default Standalone Elastic Agent setup. Kube-state-metrics (KSM) is installed automatically.
+
+## Using above templates
+
+Users can clone this repository to use the provided kustomize templates.
+
+For *Managed Elastic Agent*, please update the following variables inside main kustomization.yaml:
+
+- %FLEET_URL%: Fleet Server URL to enroll the Elastic Agent into. FLEET_URL can be found in Kibana, go to Management > Fleet > Settings
+- %ENROLLMENT_TOKEN%: Elasticsearch API key used to [enroll Elastic Agents](https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) in Fleet. *This should be encoded as base64 value because it will be stored as Kubernetes secret*
+
+Eg.
+
+```yaml
+secretGenerator:
+ - name: elastic-agent-creds
+ literals:
+ - enrollment_token=%ENROLLMENT_TOKEN%
+```
+
+For *Standalone Elastic Agent*, please update the following secrets inside main [kustomization.yaml](./elastic-agent-managed/kustomization.yaml):
+
+- %ES_HOST%: The Elasticsearch host to communicate with
+- %API_KEY: The API Key with access privileges to connect to Elasticsearch. See [create-api-key-standalone-agent](https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent). *This should be encoded as base64 value because it will be stored as Kubernetes secret*
+- %CA_TRUSTED%: The ssl.ca_trusted_fingerprint in order the elastic agent to be able to trust the certificate authority of the Elasticsearch output.
+- %ONBOARDING_ID%: A string that will be added as a new field and will denote a specific installation. *By default, this will be added to state_pod dataset.*
+
+## Remote usage of kustomize templates
+
+Users can use following commands:
+
+Managed Elastic Agent:
+
+```bash
+❯ kubectl https://github.com/elastic/elastic-agent/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-maanged\?ref\=main | sed -e "s/JUVOUk9MTE1FTlRfVE9LRU4l/base64_ENCODED_ENROLLMENT_TOKEN/g" -e "s/%FLEET_URL%/https:\/\/localhost:9200/g" | kubectl apply -f-
+
+```
+
+Standalone Elastic Agent:
+
+```bash
+kubectl kustomize https://github.com/elastic/elastic-agent/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone\?ref\=main | sed -e "s/JUFQSV9LRVkl//g" -e "s/%ES_HOST%/https:\/\/localhost:9200/g" -e "s/%CA_TRUSTED%/ca_trusted_fingerprint/g" -e "s/%ONBOARDING_ID%/12345/g" | kubectl apply -f-
+```
+
+Examples of Base64 encoded values:
+
+```bash
+❯ echo -n %API_KEY% | base64
+JUFQSV9LRVkl
+
+echo -n %ENROLLMENT_TOKEN% | base64
+JUVOUk9MTE1FTlRfVE9LRU4l
+
+❯ echo -n JUVOUk9MTE1FTlRfVE9LRU4l | base64 -D
+%ENROLLMENT_TOKEN%%
+```
+
+NOTE: `echo -n` flag needs to be provided in order to have correct base64 encoding. The echo command adds an extra line by default which needs to be avoided.
+
+## Updating kustomize templates
+
+The included kustomize templates are being produced based on [Makefile](../../Makefile) by running: `GENERATEKUSTOMIZE=true make ci-create-kustomize`
+
+The current templates are using patches as defined [here](https://github.com/elastic/elastic-agent/blob/main/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/kustomization.yaml)
diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml
index c40326b22b6..d780a476286 100644
--- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml @@ -30,7 +30,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: elastic-agent - image: docker.elastic.co/beats/elastic-agent:8.8.1 + image: docker.elastic.co/beats/elastic-agent:8.15.0 env: # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode - name: FLEET_ENROLL diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/kustomization.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/kustomization.yaml index d3354575e1c..eaf83c34f96 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/kustomization.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/base/kustomization.yaml @@ -7,4 +7,4 @@ resources: - elastic-agent-managed-daemonset.yaml - elastic-agent-managed-role-binding.yaml - elastic-agent-managed-role.yaml - - elastic-agent-managed-service-account.yaml \ No newline at end of file + - elastic-agent-managed-service-account.yaml diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/environmental-variables-remove.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/environmental-variables-remove.yaml new file mode 100644 index 00000000000..db63d7d5e6f --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/environmental-variables-remove.yaml 
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: elastic-agent
+ namespace: kube-system
+ labels:
+ app: elastic-agent
+spec:
+ selector:
+ matchLabels:
+ app: elastic-agent
+ template:
+ metadata:
+ labels:
+ app: elastic-agent
+ spec:
+ containers:
+ - name: elastic-agent
+ env:
+ - $patch: delete
+ name: FLEET_ENROLLMENT_TOKEN
+ - $patch: delete
+ name: FLEET_URL
\ No newline at end of file
diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/fleet-enrollment-token-patch.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/fleet-enrollment-token-patch.yaml
new file mode 100644
index 00000000000..0a804ddbb7b
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/fleet-enrollment-token-patch.yaml
@@ -0,0 +1,19 @@
+- op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: FLEET_ENROLLMENT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: elastic-agent-creds
+ key: enrollment_token
+
+
+- op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: FLEET_URL
+ valueFrom:
+ configMapKeyRef:
+ name: elastic-agent-configs
+ key: host
+
diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/kustomization.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/kustomization.yaml
index d31a2dbe434..26742af782c 100644
--- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/kustomization.yaml
+++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-managed/kustomization.yaml
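Review bot: In `fleet-enrollment-token-patch.yaml` both operations address the container by position (`/spec/template/spec/containers/0/env/-`), so they depend on `elastic-agent` staying the first container and on `environmental-variables-remove.yaml` having already deleted the plain-value `FLEET_ENROLLMENT_TOKEN` and `FLEET_URL` entries. If the delete patch is dropped or reordered in `kustomization.yaml`, the appended entries would duplicate those names in `env`, and which value the container then sees is not something to rely on for a credential. Neither file documents the pairing; I would add a header comment to each, e.g. `# Applied after environmental-variables-remove.yaml: re-adds FLEET_ENROLLMENT_TOKEN/FLEET_URL from the generated Secret and ConfigMap` and `# Deletes the inline env entries so fleet-enrollment-token-patch.yaml can re-add them via valueFrom`. The same pattern is used by `api-key-patch.yaml` and the standalone `environmental-variables-remove.yaml`.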
@@ -3,6 +3,25 @@ kind: Kustomization namespace: kube-system +secretGenerator: + - name: elastic-agent-creds + literals: + - enrollment_token=%ENROLLMENT_TOKEN% + +configMapGenerator: +- name: elastic-agent-configs + literals: + - host=%FLEET_URL% + resources: - ./base - https://github.com/kubernetes/kube-state-metrics + +patches: +- path: environmental-variables-remove.yaml +- target: + group: apps + version: v1 + kind: DaemonSet + name: elastic-agent + path: fleet-enrollment-token-patch.yaml \ No newline at end of file diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/api-key-patch.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/api-key-patch.yaml new file mode 100644 index 00000000000..69db34aca5d --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/api-key-patch.yaml @@ -0,0 +1,27 @@ +- op: add + path: /spec/template/spec/containers/0/env/- + value: + name: API_KEY + valueFrom: + secretKeyRef: + name: elastic-agent-creds + key: api_key + + +- op: add + path: /spec/template/spec/containers/0/env/- + value: + name: ES_HOST + valueFrom: + configMapKeyRef: + name: elastic-agent-configs + key: host + +- op: add + path: /spec/template/spec/containers/0/env/- + value: + name: CA_TRUSTED + valueFrom: + configMapKeyRef: + name: elastic-agent-configs + key: ca_trusted \ No newline at end of file diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset-configmap.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset-configmap.yaml index 9e9517435fc..196250999a0 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset-configmap.yaml 
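Review bot: The `secretGenerator` in the managed `kustomization.yaml` takes the enrollment token as an inline literal (`enrollment_token=%ENROLLMENT_TOKEN%`), so a user who edits this file as the README describes ends up with the credential in a tracked file; sourcing it from an untracked env file keeps it out of version control, e.g. `envs: [elastic-agent-creds.env]` in place of `literals:`. kustomize base64-encodes generator literals itself, so a value pre-encoded as the README asks would be encoded twice on this path; the pre-encoded form only fits the README's `sed`-on-rendered-output flow. Separately, the context line `https://github.com/kubernetes/kube-state-metrics` pulls a remote base with no `?ref=`, so the rendered manifests follow that repository's default branch; pinning a tag or commit makes the build reproducible. The standalone `kustomization.yaml` has the same points for `api_key=%API_KEY%`.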
+++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset-configmap.yaml @@ -14,8 +14,11 @@ data: hosts: - >- ${ES_HOST} - username: ${ES_USERNAME} - password: ${ES_PASSWORD} + api_key: ${API_KEY} + ssl.ca_trusted_fingerprint: ${CA_TRUSTED} + # Uncomment username/password and remove api_key if you want to use alternative authentication method + # username: ${ES_USERNAME} + # password: ${ES_PASSWORD} agent: monitoring: enabled: true @@ -201,6 +204,10 @@ data: hosts: - 'kube-state-metrics:8080' period: 10s + processors: + - add_fields: + fields: + onboarding_id: '%ONBOARDING_ID%' # Openshift: # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization # and/or tls termination, then configuration below should be considered: diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml index 35dd5612674..a87dbecb81d 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml 
@@ -28,22 +28,27 @@ spec: # Uncomment if using hints feature #initContainers: # - name: k8s-templates-downloader - # image: busybox:1.28 - # command: ['sh'] + # image: docker.elastic.co/beats/elastic-agent:8.15.0 + # command: ['bash'] # args: # - -c # - >- - # mkdir -p /etc/elastic-agent/inputs.d && - # wget -O - https://github.com/elastic/elastic-agent/archive/main.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-main/deploy/kubernetes/elastic-agent-standalone/templates.d" + # mkdir -p /usr/share/elastic-agent/state/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/8.15.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-8.15/deploy/kubernetes/elastic-agent-standalone/templates.d" + # securityContext: + # runAsUser: 0 # volumeMounts: - # - name: external-inputs - # mountPath: /etc/elastic-agent/inputs.d + # - name: elastic-agent-state + # mountPath: /usr/share/elastic-agent/state containers: - name: elastic-agent-standalone - image: docker.elastic.co/beats/elastic-agent:8.8.1 + image: docker.elastic.co/beats/elastic-agent:8.15.0 args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] env: - # The basic authentication username used to connect to Elasticsearch + # The API Key with access privilleges to connect to Elasticsearch. https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent + - name: API_KEY + value: "" + # The basic authentication username used to connect to Elasticsearch. Alternative to API_KEY access. # This user needs the privileges required to publish events to Elasticsearch. - name: ES_USERNAME value: "elastic" 
@@ -61,9 +66,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: STATE_PATH - value: "/etc/elastic-agent" - # The following ELASTIC_NETINFO:false variable will disable the netinfo.enabled option of add-host-metadata processor. This will remove fields host.ip and host.mac. + # The following ELASTIC_NETINFO:false variable will disable the netinfo.enabled option of add-host-metadata processor. This will remove fields host.ip and host.mac. # For more info: https://www.elastic.co/guide/en/beats/metricbeat/current/add-host-metadata.html - name: ELASTIC_NETINFO value: "false" @@ -96,9 +99,6 @@ spec: mountPath: /etc/elastic-agent/agent.yml readOnly: true subPath: agent.yml - # Uncomment if using hints feature - #- name: external-inputs - # mountPath: /etc/elastic-agent/inputs.d - name: proc mountPath: /hostfs/proc readOnly: true @@ -129,9 +129,6 @@ spec: configMap: defaultMode: 0640 name: agent-node-datastreams - # Uncomment if using hints feature - #- name: external-inputs - # emptyDir: {} - name: proc hostPath: path: /proc diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/environmental-variables-remove.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/environmental-variables-remove.yaml new file mode 100644 index 00000000000..13d077fd961 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/environmental-variables-remove.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: elastic-agent-standalone + namespace: kube-system + labels: + app: elastic-agent-standalone +spec: + selector: + matchLabels: + app: elastic-agent-standalone + template: + metadata: + labels: + app: elastic-agent-standalone + spec: + containers: + - name: elastic-agent-standalone + env: + - $patch: delete + name: API_KEY + - $patch: delete + name: ES_HOST \ No newline at end of file 
diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/kustomization.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/kustomization.yaml index 56f61fb72b4..e4a85a626b8 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/kustomization.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/kustomization.yaml @@ -3,7 +3,26 @@ kind: Kustomization namespace: kube-system +secretGenerator: + - name: elastic-agent-creds + literals: + - api_key=%API_KEY% + +configMapGenerator: +- name: elastic-agent-configs + literals: + - host=%ES_HOST% + - ca_trusted=%CA_TRUSTED% + resources: - ./base - https://github.com/kubernetes/kube-state-metrics/ +patches: +- path: environmental-variables-remove.yaml +- target: + group: apps + version: v1 + kind: DaemonSet + name: elastic-agent-standalone + path: api-key-patch.yaml \ No newline at end of file diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml index d3b384e7a56..287a664de56 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/base/elastic-agent-managed-daemonset.yaml @@ -30,7 +30,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: elastic-agent - image: docker.elastic.co/beats/elastic-agent:8.8.1 + image: docker.elastic.co/beats/elastic-agent:8.15.0 env: # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode - name: FLEET_ENROLL 
diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/extra/elastic-agent-managed-statefulset.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/extra/elastic-agent-managed-statefulset.yaml index bc493635411..6b243d9bdb0 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/extra/elastic-agent-managed-statefulset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-managed/extra/elastic-agent-managed-statefulset.yaml @@ -30,7 +30,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: elastic-agent - image: docker.elastic.co/beats/elastic-agent:8.8.1 + image: docker.elastic.co/beats/elastic-agent:8.15.0 env: # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode - name: FLEET_ENROLL diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml index 7b5be3a848c..3424776f480 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml 
@@ -28,22 +28,27 @@ spec: # Uncomment if using hints feature #initContainers: # - name: k8s-templates-downloader - # image: busybox:1.28 - # command: ['sh'] + # image: docker.elastic.co/beats/elastic-agent:8.15.0 + # command: ['bash'] # args: # - -c # - >- - # mkdir -p /etc/elastic-agent/inputs.d && - # wget -O - https://github.com/elastic/elastic-agent/archive/main.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-main/deploy/kubernetes/elastic-agent-standalone/templates.d" + # mkdir -p /usr/share/elastic-agent/state/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/8.15.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-8.15/deploy/kubernetes/elastic-agent-standalone/templates.d" + # securityContext: + # runAsUser: 0 # volumeMounts: - # - name: external-inputs - # mountPath: /etc/elastic-agent/inputs.d +# # - name: elastic-agent-state +# # mountPath: /usr/share/elastic-agent/state containers: - name: elastic-agent-standalone - image: docker.elastic.co/beats/elastic-agent:8.8.1 + image: docker.elastic.co/beats/elastic-agent:8.15.0 args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] env: - # The basic authentication username used to connect to Elasticsearch + # The API Key with access privilleges to connect to Elasticsearch. https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent + - name: API_KEY + value: "" + # The basic authentication username used to connect to Elasticsearch. Alternative to API_KEY access. # This user needs the privileges required to publish events to Elasticsearch. - name: ES_USERNAME value: "elastic" 
@@ -61,8 +66,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: STATE_PATH - value: "/etc/elastic-agent" # The following ELASTIC_NETINFO:false variable will disable the netinfo.enabled option of add-host-metadata processor. This will remove fields host.ip and host.mac. # For more info: https://www.elastic.co/guide/en/beats/metricbeat/current/add-host-metadata.html - name: ELASTIC_NETINFO @@ -96,9 +99,6 @@ spec: mountPath: /etc/elastic-agent/agent.yml readOnly: true subPath: agent.yml - # Uncomment if using hints feature - #- name: external-inputs - # mountPath: /etc/elastic-agent/inputs.d - name: proc mountPath: /hostfs/proc readOnly: true @@ -129,9 +129,6 @@ spec: configMap: defaultMode: 0640 name: agent-node-datastreams - # Uncomment if using hints feature - #- name: external-inputs - # emptyDir: {} - name: proc hostPath: path: /proc diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml index 352b5478673..32227ef4e56 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml 
@@ -28,22 +28,27 @@ spec: # Uncomment if using hints feature #initContainers: # - name: k8s-templates-downloader - # image: busybox:1.28 - # command: ['sh'] + # image: docker.elastic.co/beats/elastic-agent:8.15.0 + # command: ['bash'] # args: # - -c # - >- - # mkdir -p /etc/elastic-agent/inputs.d && - # wget -O - https://github.com/elastic/elastic-agent/archive/main.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-main/deploy/kubernetes/elastic-agent-standalone/templates.d" + # mkdir -p /usr/share/elastic-agent/state/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/8.15.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-8.15/deploy/kubernetes/elastic-agent-standalone/templates.d" + # securityContext: + # runAsUser: 0 # volumeMounts: - # - name: external-inputs - # mountPath: /etc/elastic-agent/inputs.d +# # - name: elastic-agent-state +# # mountPath: /usr/share/elastic-agent/state containers: - name: elastic-agent-standalone - image: docker.elastic.co/beats/elastic-agent:8.8.1 + image: docker.elastic.co/beats/elastic-agent:8.15.0 args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] env: - # The basic authentication username used to connect to Elasticsearch + # The API Key with access privilleges to connect to Elasticsearch. https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent + - name: API_KEY + value: "" + # The basic authentication username used to connect to Elasticsearch. Alternative to API_KEY access. # This user needs the privileges required to publish events to Elasticsearch. - name: ES_USERNAME value: "elastic" 
@@ -61,8 +66,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: STATE_PATH - value: "/etc/elastic-agent" # The following ELASTIC_NETINFO:false variable will disable the netinfo.enabled option of add-host-metadata processor. This will remove fields host.ip and host.mac. # For more info: https://www.elastic.co/guide/en/beats/metricbeat/current/add-host-metadata.html - name: ELASTIC_NETINFO @@ -96,9 +99,6 @@ spec: mountPath: /etc/elastic-agent/agent.yml readOnly: true subPath: agent.yml - # Uncomment if using hints feature - #- name: external-inputs - # mountPath: /etc/elastic-agent/inputs.d - name: proc mountPath: /hostfs/proc readOnly: true @@ -129,9 +129,6 @@ spec: configMap: defaultMode: 0640 name: agent-ksm-datastreams - # Uncomment if using hints feature - #- name: external-inputs - # emptyDir: {} - name: proc hostPath: path: /proc diff --git a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml index 4df1b04131a..ba52f935d66 100644 --- a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml +++ b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml @@ -14,8 +14,11 @@ data: hosts: - >- ${ES_HOST} - username: ${ES_USERNAME} - password: ${ES_PASSWORD} + api_key: ${API_KEY} + ssl.ca_trusted_fingerprint: ${CA_TRUSTED} + # Uncomment username/password and remove api_key if you want to use alternative authentication method + # username: ${ES_USERNAME} + # password: ${ES_PASSWORD} agent: monitoring: enabled: true @@ -201,6 +204,7 @@ data: hosts: - 'kube-state-metrics:8080' period: 10s + # # Openshift: # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization # and/or tls termination, then configuration below should be considered: 
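Review bot: Switching the output in `elastic-agent-standalone-kubernetes.yaml` to `api_key: ${API_KEY}` and `ssl.ca_trusted_fingerprint: ${CA_TRUSTED}` changes the default authentication of the plain manifest, yet the DaemonSet hunks in this commit add `API_KEY` with `value: ""` and no `CA_TRUSTED` entry; only the kustomize `api-key-patch.yaml` supplies one. As far as these hunks show, anyone applying the manifest with the previous `ES_USERNAME`/`ES_PASSWORD` settings gets an empty API key and an unresolved `${CA_TRUSTED}` reference unless they edit the ConfigMap by hand. Consider adding a `CA_TRUSTED` env entry alongside `API_KEY`, and calling out the change of default in the changelog fragment, whose `kind` is `enhancement`. The same edit appears in the `elastic-agent-standalone-daemonset-configmap.yaml` template and its generated kustomize copy; if this file is generated from the template, the fix belongs there.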
@@ -707,7 +711,10 @@ spec: image: docker.elastic.co/beats/elastic-agent:8.14.2 args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] env: - # The basic authentication username used to connect to Elasticsearch + # The API Key with access privilleges to connect to Elasticsearch. https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent + - name: API_KEY + value: "" + # The basic authentication username used to connect to Elasticsearch. Alternative to API_KEY access. # This user needs the privileges required to publish events to Elasticsearch. - name: ES_USERNAME value: "elastic" diff --git a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml index 9e9517435fc..898666ed385 100644 --- a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml +++ b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml @@ -14,8 +14,11 @@ data: hosts: - >- ${ES_HOST} - username: ${ES_USERNAME} - password: ${ES_PASSWORD} + api_key: ${API_KEY} + ssl.ca_trusted_fingerprint: ${CA_TRUSTED} + # Uncomment username/password and remove api_key if you want to use alternative authentication method + # username: ${ES_USERNAME} + # password: ${ES_PASSWORD} agent: monitoring: enabled: true @@ -201,6 +204,7 @@ data: hosts: - 'kube-state-metrics:8080' period: 10s + # # Openshift: # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization # and/or tls termination, then configuration below should be considered: diff --git a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml index 674ab8425dd..0a0fef0c0f3 100644 
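Review bot: The new `API_KEY` entry is declared with an inline `value: ""`, which invites users to paste the key straight into the DaemonSet spec, where it is readable by anyone who can view the workload object; the kustomize overlay in this same commit already shows the safer form. I would have the comment point at it, e.g. `# Prefer valueFrom.secretKeyRef (see elastic-agent-kustomize/default/elastic-agent-standalone/api-key-patch.yaml) over an inline value`. The added comment also misspells "privileges" as `privilleges`. Both points repeat in the `elastic-agent-standalone-daemonset.yaml` template hunk and in the generated kustomize copies, so fixing the template and regenerating should cover them.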
--- a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml @@ -43,7 +43,10 @@ spec: image: docker.elastic.co/beats/elastic-agent:%VERSION% args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] env: - # The basic authentication username used to connect to Elasticsearch + # The API Key with access privilleges to connect to Elasticsearch. https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent + - name: API_KEY + value: "" + # The basic authentication username used to connect to Elasticsearch. Alternative to API_KEY access. # This user needs the privileges required to publish events to Elasticsearch. - name: ES_USERNAME value: "elastic"