From 602138c6c393bb3803a75d59207170b88ca479e1 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 23 Dec 2024 10:52:39 +0200 Subject: [PATCH] [helm] fleet mode fixes (#6345) * fix: allow fleet mode to do the necessary k8s changes for enabled integrations * fix: make kubernetes integration enabled by default * fix: enable leader election for fleet mode unless explicitly disabled by user * fix: enable hostNetwork for perNode preset (cherry picked from commit 0d94ead04ba036188d62dea2827fb29254ec04b0) # Conflicts: # deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml # deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml # deploy/helm/elastic-agent/templates/integrations/_kubernetes/_preset_pernode.tpl --- deploy/helm/elastic-agent/README.md | 2 +- .../examples/eck/rendered/manifest.yaml | 1 + .../examples/fleet-managed/README.md | 35 +----- .../examples/fleet-managed/fleet-values.yaml | 43 +------ .../fleet-managed/rendered/manifest.yaml | 110 +++++++++++------- .../kubernetes-default/rendered/manifest.yaml | 1 + .../rendered/manifest.yaml | 4 + .../rendered/manifest.yaml | 1 + .../rendered/manifest.yaml | 4 + .../agent-system-values.yaml | 3 +- .../rendered/manifest.yaml | 1 + .../rendered/manifest.yaml | 1 + .../templates/agent/_helpers.tpl | 15 ++- .../_kubernetes/_preset_pernode.tpl | 4 + deploy/helm/elastic-agent/values.yaml | 3 +- 15 files changed, 106 insertions(+), 122 deletions(-) diff --git a/deploy/helm/elastic-agent/README.md b/deploy/helm/elastic-agent/README.md index 9afcf8625e1..5c7db4b4bfb 100644 --- a/deploy/helm/elastic-agent/README.md +++ b/deploy/helm/elastic-agent/README.md 
@@ -62,7 +62,7 @@ The chart built-in [kubernetes integration](https://docs.elastic.co/integrations | Key | Type | Default | Description | |-----|------|---------|-------------| -| kubernetes.enabled | bool | `false` | enable Kubernetes integration. | +| kubernetes.enabled | bool | `true` | enable Kubernetes integration. | | kubernetes.output | string | `"default"` | name of the output used in kubernetes integration. Note that this output needs to be defined in [outputs](#1-outputs) | | kubernetes.namespace | string | `"default"` | kubernetes namespace | | kubernetes.hints.enabled | bool | `false` | enable [elastic-agent autodiscovery](https://www.elastic.co/guide/en/fleet/current/elastic-agent-kubernetes-autodiscovery.html) feature | diff --git a/deploy/helm/elastic-agent/examples/eck/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/eck/rendered/manifest.yaml index 0ddb29a8241..5b62458f059 100644 --- a/deploy/helm/elastic-agent/examples/eck/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/eck/rendered/manifest.yaml @@ -1141,6 +1141,7 @@ spec: name: var-lib readOnly: true dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true nodeSelector: kubernetes.io/os: linux serviceAccountName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/fleet-managed/README.md b/deploy/helm/elastic-agent/examples/fleet-managed/README.md index abcc0f12f86..316746a70fa 100644 --- a/deploy/helm/elastic-agent/examples/fleet-managed/README.md +++ b/deploy/helm/elastic-agent/examples/fleet-managed/README.md 
@@ -31,38 +31,5 @@ agent: enabled: true url: $FLEET_URL # replace with Fleet URL token: $FLEET_TOKEN # replace with Fleet Enrollment token - preset: nginx - presets: - nginx: - mode: deployment - securityContext: - runAsUser: 0 - rules: - # minimum cluster role ruleset required by agent - - apiGroups: [ "" ] - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: [ "apps" ] - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - verbs: - - get - - list - - watch - providers: - kubernetes_leaderelection: - enabled: false + preset: perNode ``` diff --git a/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml b/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml index 4a89c783f4b..7492c20123b 100644 --- a/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml +++ b/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml @@ -1,43 +1,10 @@ +kubernetes: + enabled: true +system: + enabled: true agent: fleet: enabled: true url: http://localhost:8220 token: fleetToken - preset: nginx - presets: - nginx: - mode: deployment - securityContext: - runAsUser: 0 - serviceAccount: - create: true - clusterRole: - create: true - rules: - # minimum cluster role ruleset required by agent - - apiGroups: [ "" ] - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: [ "apps" ] - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - verbs: - - get - - list - - watch - providers: - kubernetes_leaderelection: - enabled: false + preset: perNode diff --git a/deploy/helm/elastic-agent/examples/fleet-managed/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/fleet-managed/rendered/manifest.yaml index a79c2d75db2..5f9c9a741e6 100644 --- a/deploy/helm/elastic-agent/examples/fleet-managed/rendered/manifest.yaml 
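Review bot: fleet-values.yaml gives no hint of what switching to `preset: perNode` brings with it: the rendered manifest later in this patch shows a DaemonSet with `hostNetwork: true`, `runAsUser: 0` and read-only hostPath mounts of `/proc`, `/etc`, `/var/lib` and `/var/log`, where the previous example rendered a single Deployment. Someone copying the example should see that before applying it, so I would add a header comment such as `# perNode runs one agent per node with host networking and read-only host mounts; see rendered/manifest.yaml`. `kubernetes.enabled: true` is now also the chart default (values.yaml in this patch), so that key is redundant here, though keeping it explicit is harmless.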
+++ b/deploy/helm/elastic-agent/examples/fleet-managed/rendered/manifest.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: agent-nginx-example + name: agent-pernode-example namespace: "default" labels: helm.sh/chart: elastic-agent-8.17.1-beta @@ -15,7 +15,7 @@ metadata: apiVersion: v1 kind: Secret metadata: - name: agent-nginx-example + name: agent-pernode-example namespace: "default" labels: helm.sh/chart: elastic-agent-8.17.1-beta @@ -28,15 +28,18 @@ stringData: fleet: enabled: true providers: + kubernetes: + node: ${NODE_NAME} + scope: node kubernetes_leaderelection: - enabled: false - leader_lease: example-nginx + enabled: true + leader_lease: example-pernode --- # Source: elastic-agent/templates/agent/cluster-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: agent-nginx-example-default + name: agent-perNode-example-default labels: helm.sh/chart: elastic-agent-8.17.1-beta app.kubernetes.io/name: elastic-agent @@ -111,38 +114,12 @@ rules: - get - list - watch - - apiGroups: - - "" - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch --- # Source: elastic-agent/templates/agent/cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: agent-nginx-example-default + name: agent-perNode-example-default labels: helm.sh/chart: elastic-agent-8.17.1-beta app.kubernetes.io/name: elastic-agent 
@@ -150,18 +127,18 @@ metadata: app.kubernetes.io/version: 8.17.1 subjects: - kind: ServiceAccount - name: agent-nginx-example + name: agent-pernode-example namespace: "default" roleRef: kind: ClusterRole - name: agent-nginx-example-default + name: agent-perNode-example-default apiGroup: rbac.authorization.k8s.io --- -# Source: elastic-agent/templates/agent/k8s/deployment.yaml +# Source: elastic-agent/templates/agent/k8s/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: - name: agent-nginx-example + name: agent-pernode-example namespace: "default" labels: helm.sh/chart: elastic-agent-8.17.1-beta @@ -171,13 +148,13 @@ metadata: spec: selector: matchLabels: - name: agent-nginx-example + name: agent-pernode-example template: metadata: labels: - name: agent-nginx-example + name: agent-pernode-example annotations: - checksum/config: 975ed05540e0d099fe1b28b15d6403aacee676d0776a69fb75eb8624e19ad2de + checksum/config: cd7c5c4f03cc8377d18ee22cf236428090959fc194ee647bd97a39b79f38c807 spec: automountServiceAccountToken: true containers: @@ -196,6 +173,8 @@ spec: fieldPath: metadata.name - name: STATE_PATH value: /usr/share/elastic-agent/state + - name: ELASTIC_NETINFO + value: "false" - name: FLEET_URL value: http://localhost:8220 - name: FLEET_ENROLLMENT_TOKEN 
@@ -207,9 +186,33 @@ spec: image: docker.elastic.co/beats/elastic-agent:8.17.1-SNAPSHOT imagePullPolicy: IfNotPresent name: agent + resources: + limits: + memory: 1000Mi + requests: + cpu: 100m + memory: 400Mi securityContext: runAsUser: 0 volumeMounts: + - mountPath: /hostfs/proc + name: proc + readOnly: true + - mountPath: /hostfs/sys/fs/cgroup + name: cgroup + readOnly: true + - mountPath: /var/lib/docker/containers + name: varlibdockercontainers + readOnly: true + - mountPath: /var/log + name: varlog + readOnly: true + - mountPath: /hostfs/etc + name: etc-full + readOnly: true + - mountPath: /hostfs/var/lib + name: var-lib + readOnly: true - mountPath: /usr/share/elastic-agent/state name: agent-data - mountPath: /etc/elastic-agent/agent.yml @@ -217,13 +220,34 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: agent-nginx-example + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: agent-pernode-example volumes: - hostPath: - path: /etc/elastic-agent/default/agent-nginx-example-managed/state + path: /proc + name: proc + - hostPath: + path: /sys/fs/cgroup + name: cgroup + - hostPath: + path: /var/lib/docker/containers + name: varlibdockercontainers + - hostPath: + path: /var/log + name: varlog + - hostPath: + path: /etc + name: etc-full + - hostPath: + path: /var/lib + name: var-lib + - hostPath: + path: /etc/elastic-agent/default/agent-pernode-example-managed/state type: DirectoryOrCreate name: agent-data - name: config secret: defaultMode: 292 - secretName: agent-nginx-example + secretName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/kubernetes-default/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/kubernetes-default/rendered/manifest.yaml index 0cc106c2fdd..10f9d218ad3 100644 --- a/deploy/helm/elastic-agent/examples/kubernetes-default/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/kubernetes-default/rendered/manifest.yaml 
@@ -1147,6 +1147,7 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true nodeSelector: kubernetes.io/os: linux serviceAccountName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml index a295cbbb3f1..7d2a31219a8 100644 --- a/deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml @@ -1151,6 +1151,7 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet +<<<<<<< HEAD initContainers: - args: - -c @@ -1172,6 +1173,9 @@ spec: volumeMounts: - mountPath: /etc/elastic-agent/inputs.d name: external-inputs +======= + hostNetwork: true +>>>>>>> 0d94ead04 ([helm] fleet mode fixes (#6345)) nodeSelector: kubernetes.io/os: linux serviceAccountName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/kubernetes-only-logs/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/kubernetes-only-logs/rendered/manifest.yaml index 8a3d4954a35..f4901e8f745 100644 --- a/deploy/helm/elastic-agent/examples/kubernetes-only-logs/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/kubernetes-only-logs/rendered/manifest.yaml @@ -291,6 +291,7 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true nodeSelector: kubernetes.io/os: linux serviceAccountName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml index 3068ede6464..a6bc4492500 100644 --- a/deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml 
@@ -1167,6 +1167,7 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet +<<<<<<< HEAD initContainers: - args: - -c @@ -1188,6 +1189,9 @@ spec: volumeMounts: - mountPath: /etc/elastic-agent/inputs.d name: external-inputs +======= + hostNetwork: true +>>>>>>> 0d94ead04 ([helm] fleet mode fixes (#6345)) nodeSelector: kubernetes.io/os: linux serviceAccountName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/system-custom-auth-paths/agent-system-values.yaml b/deploy/helm/elastic-agent/examples/system-custom-auth-paths/agent-system-values.yaml index 52615a36cb5..008661c689f 100644 --- a/deploy/helm/elastic-agent/examples/system-custom-auth-paths/agent-system-values.yaml +++ b/deploy/helm/elastic-agent/examples/system-custom-auth-paths/agent-system-values.yaml @@ -8,6 +8,7 @@ system: vars: paths: - /var/log/custom_syslog.log - +kubernetes: + enabled: false agent: unprivileged: true diff --git a/deploy/helm/elastic-agent/examples/system-custom-auth-paths/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/system-custom-auth-paths/rendered/manifest.yaml index 0a9a232c469..b50d5558873 100644 --- a/deploy/helm/elastic-agent/examples/system-custom-auth-paths/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/system-custom-auth-paths/rendered/manifest.yaml @@ -363,6 +363,7 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true nodeSelector: kubernetes.io/os: linux serviceAccountName: agent-pernode-example diff --git a/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml index 5d60bbb422d..271f7f41d1b 100644 --- a/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml +++ b/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml 
@@ -1117,6 +1117,7 @@ spec: readOnly: true subPath: agent.yml dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true nodeSelector: kubernetes.io/os: linux serviceAccountName: user-sa-perNode diff --git a/deploy/helm/elastic-agent/templates/agent/_helpers.tpl b/deploy/helm/elastic-agent/templates/agent/_helpers.tpl index 01f246ff0b2..9832dea7b25 100644 --- a/deploy/helm/elastic-agent/templates/agent/_helpers.tpl +++ b/deploy/helm/elastic-agent/templates/agent/_helpers.tpl @@ -30,8 +30,8 @@ Entrypoint for chart initialisation {{- if not (hasKey $.Values.agent "initialised") -}} {{/* init order matters */}} {{- include (printf "elasticagent.engine.%s.init" $.Values.agent.engine) $ -}} -{{- include "elasticagent.init.fleet" $ -}} {{- include "elasticagent.init.inputs" $ -}} +{{- include "elasticagent.init.fleet" $ -}} {{- include "elasticagent.init.presets" $ -}} {{- $_ := set $.Values.agent "initialised" dict -}} {{- end -}} @@ -62,10 +62,12 @@ Initialise input templates if we are not deploying as managed */}} {{- define "elasticagent.init.inputs" -}} {{- $ := . -}} -{{- if eq $.Values.agent.fleet.enabled false -}} -{{/* standalone agent so initialise inputs */}} +{{/* initialise inputs of the built-in integrations, even if fleet is enabled, + as they change the k8s configuration of presets e.g. necessary volume mounts, etc. */}} {{- include "elasticagent.kubernetes.init" $ -}} {{- include "elasticagent.system.init" $ -}} +{{/* initialise inputs the custom integrations only if fleet is disabled */}} +{{- if eq $.Values.agent.fleet.enabled false -}} {{- range $customInputName, $customInputVal := $.Values.extraIntegrations -}} {{- $customInputPresetName := ($customInputVal).preset -}} {{- $presetVal := get $.Values.agent.presets $customInputPresetName -}} 
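Review bot: The header comment of `elasticagent.init.inputs`, visible in the hunk header as `Initialise input templates if we are not deploying as managed`, no longer matches the body, because `elasticagent.kubernetes.init` and `elasticagent.system.init` now run in Fleet mode too. Those two calls are what change the presets' Kubernetes configuration (the new comment names volume mounts), so the header should say it, e.g. `Initialise built-in integration inputs always; custom integration inputs only when not Fleet-managed`. The second new comment is missing a word and should read `initialise inputs of the custom integrations only if fleet is disabled`. The `if` block moved by this hunk closes outside the hunk.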
@@ -97,7 +99,6 @@ Validate and initialise the defined agent presets {{- end -}} {{- end -}} {{- end -}} -{{/* by default we disable leader election but we also set the name of the leader lease in case it is explicitly enabled */}} {{- if empty ($presetVal).providers -}} {{- $_ := set $presetVal "providers" dict -}} {{- end -}} @@ -106,7 +107,13 @@ Validate and initialise the defined agent presets {{- $_ := set $presetProviders "kubernetes_leaderelection" dict -}} {{- end -}} {{- $presetLeaderLeaseName := (printf "%s-%s" $.Release.Name $presetName) | lower -}} +{{/* by default we disable leader election but we also set the name of the leader lease in case it is explicitly enabled */}} {{- $defaultLeaderElection := dict "enabled" false "leader_lease" $presetLeaderLeaseName -}} +{{- if eq $.Values.agent.fleet.enabled true -}} +{{/* for fleet mode the leader election is enabled by default */}} +{{- $_ := set $defaultLeaderElection "enabled" true -}} +{{- end -}} +{{/* merge the default leader election with the leader election from the preset giving priority to the one from the preset */}} {{- $presetLeaderElection := mergeOverwrite dict $defaultLeaderElection ($presetProviders).kubernetes_leaderelection -}} {{- $_ := set $presetProviders "kubernetes_leaderelection" $presetLeaderElection -}} {{- end -}} diff --git a/deploy/helm/elastic-agent/templates/integrations/_kubernetes/_preset_pernode.tpl b/deploy/helm/elastic-agent/templates/integrations/_kubernetes/_preset_pernode.tpl index 3f252e64868..23da443454e 100644 --- a/deploy/helm/elastic-agent/templates/integrations/_kubernetes/_preset_pernode.tpl +++ b/deploy/helm/elastic-agent/templates/integrations/_kubernetes/_preset_pernode.tpl 
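Review bot: Nothing in this patch exercises the opt-out path for the new Fleet default in the `@@ -106,7 +107,13 @@` hunk: the fleet-managed example dropped its `kubernetes_leaderelection.enabled: false` override, so no rendered output shows that a preset-level `enabled: false` still wins after `mergeOverwrite`. Merging a boolean `false` over `true` is worth pinning with an example or test rendered with `agent.fleet.enabled: true` and the preset setting `enabled: false`. The relocated comment `by default we disable leader election …` is now accurate only for standalone mode; I would reword it to `in standalone mode leader election is disabled by default; the lease name is set either way in case it is enabled`. The enclosing define and loop start and end outside the hunk.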
@@ -2,8 +2,12 @@ {{- include "elasticagent.preset.mutate.volumemounts" (list $ $.Values.agent.presets.perNode "elasticagent.kubernetes.pernode.preset.volumemounts") -}} {{- include "elasticagent.preset.mutate.volumes" (list $ $.Values.agent.presets.perNode "elasticagent.kubernetes.pernode.preset.volumes") -}} {{- include "elasticagent.preset.mutate.outputs.byname" (list $ $.Values.agent.presets.perNode $.Values.kubernetes.output)}} +<<<<<<< HEAD {{- if eq $.Values.kubernetes.hints.enabled true -}} {{- include "elasticagent.preset.mutate.initcontainers" (list $ $.Values.agent.presets.perNode "elasticagent.kubernetes.pernode.preset.initcontainers") -}} +======= +{{- if and (eq $.Values.kubernetes.hints.enabled true) (eq $.Values.agent.fleet.enabled false) -}} +>>>>>>> 0d94ead04 ([helm] fleet mode fixes (#6345)) {{- include "elasticagent.preset.mutate.providers.kubernetes.hints" (list $ $.Values.agent.presets.perNode "elasticagent.kubernetes.pernode.preset.providers.kubernetes.hints") -}} {{- end -}} {{- if or (eq $.Values.kubernetes.scheduler.enabled true) (eq $.Values.kubernetes.controller_manager.enabled true) -}} diff --git a/deploy/helm/elastic-agent/values.yaml b/deploy/helm/elastic-agent/values.yaml index 53fe9f03436..89c07dfe123 100644 --- a/deploy/helm/elastic-agent/values.yaml +++ b/deploy/helm/elastic-agent/values.yaml @@ -47,7 +47,7 @@ kubernetes: # -- enable Kubernetes integration. # @section -- 2 - Kubernetes integration # @sectionDescriptionTemplate -- Kubernetes - enabled: false + enabled: true # -- name of the output used in kubernetes integration. Note that this output needs to be defined in # [outputs](#1-outputs) # @section -- 2 - Kubernetes integration @@ -438,6 +438,7 @@ agent: create: true clusterRole: create: true + hostNetwork: true resources: limits: memory: 1000Mi
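Review bot: Unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 0d94ead04 ([helm] fleet mode fixes (#6345))`) are committed in this template, leaving two `{{- if … -}}` openers ahead of the single `{{- end -}}` visible in the hunk, so the chart most likely fails to parse or emits the marker text. The backport has to pick one condition: drop the three marker lines and keep a single opener, e.g. `{{- if and (eq $.Values.kubernetes.hints.enabled true) (eq $.Values.agent.fleet.enabled false) -}}`, after deciding whether the branch-only `initcontainers` include belongs inside the Fleet gate or under the hints check alone. The same markers sit in the rendered manifests for examples/kubernetes-hints-autodiscover and examples/multiple-integrations, which should be regenerated once the template renders. A CI step that runs `helm lint` or `helm template` over the examples, or simply rejects lines beginning with `<<<<<<<`, would stop this recurring on later cherry-picks.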
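Review bot: Flipping the default to `enabled: true` in the `@@ -47,7 +47,7 @@` hunk changes existing releases on upgrade, and the key's comment still reads only `enable Kubernetes integration.`. Per the _helpers.tpl change in this patch the integration's init now also runs in Fleet mode, where it alters the preset's Kubernetes configuration (volume mounts and the like), so an operator who never set this key gets a wider pod spec after upgrading. I would say so in the helm-docs line, e.g. `# -- enable Kubernetes integration (default on; also adjusts the agent pod spec when Fleet-managed).`, and mention the new default in the changelog.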
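Review bot: `hostNetwork: true` in the `@@ -438,6 +438,7 @@` hunk is added to the default values with no comment, and the rendered examples in this patch show it reaching every perNode pod, including the system-custom-auth-paths example that sets `agent.unprivileged: true` and `kubernetes.enabled: false`. Host networking places the agent in the node's network namespace, which the baseline Pod Security Standard disallows, so operators need to know it is on by default and how to turn it off. Other keys in this file carry helm-docs `# --` lines (see the first hunk), so I would add one here, e.g. `# -- run the agent in the node's network namespace; set to false when the enabled integrations do not need it`. The block this key belongs to (presumably the perNode preset, going by the commit message) starts and ends outside the hunk.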