[8.16](backport #6345) [helm] fleet mode fixes (#6424)

* [helm] fleet mode fixes (#6345)

* fix: allow fleet mode to do the necessary k8s changes for enabled integrations

* fix: make kubernetes integration enabled by default

* fix: enable leader election for fleet mode unless explicitly disabled by user

* fix: enable hostNetwork for perNode preset

(cherry picked from commit 0d94ead)

# Conflicts:
#	deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml
#	deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml
#	deploy/helm/elastic-agent/templates/integrations/_kubernetes/_preset_pernode.tpl

* fix: resolve conflicts

---------

Co-authored-by: Panos Koutsovasilis <[email protected]>

deploy/helm/elastic-agent/README.md

@@ -62,7 +62,7 @@ The chart built-in [kubernetes integration](https://docs.elastic.co/integrations
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| kubernetes.enabled | bool | `false` | enable Kubernetes integration. |
+| kubernetes.enabled | bool | `true` | enable Kubernetes integration. |
 | kubernetes.output | string | `"default"` | name of the output used in kubernetes integration. Note that this output needs to be defined in [outputs](#1-outputs) |
 | kubernetes.namespace | string | `"default"` | kubernetes namespace |
 | kubernetes.hints.enabled | bool | `false` | enable [elastic-agent autodiscovery](https://www.elastic.co/guide/en/fleet/current/elastic-agent-kubernetes-autodiscovery.html) feature |

deploy/helm/elastic-agent/examples/eck/rendered/manifest.yaml

@@ -1141,6 +1141,7 @@ spec:
             name: var-lib
             readOnly: true
         dnsPolicy: ClusterFirstWithHostNet
+        hostNetwork: true
         nodeSelector:
           kubernetes.io/os: linux
         serviceAccountName: agent-pernode-example

deploy/helm/elastic-agent/examples/fleet-managed/README.md

@@ -31,38 +31,5 @@ agent:
     enabled: true
     url: $FLEET_URL # replace with Fleet URL
     token: $FLEET_TOKEN # replace with Fleet Enrollment token
-    preset: nginx
-  presets:
-    nginx:
-      mode: deployment
-      securityContext:
-        runAsUser: 0
-      rules:
-        # minimum cluster role ruleset required by agent
-        - apiGroups: [ "" ]
-          resources:
-            - nodes
-            - namespaces
-            - pods
-          verbs:
-            - get
-            - watch
-            - list
-        - apiGroups: [ "apps" ]
-          resources:
-            - replicasets
-          verbs:
-            - get
-            - list
-            - watch
-        - apiGroups: [ "batch" ]
-          resources:
-            - jobs
-          verbs:
-            - get
-            - list
-            - watch
-      providers:
-        kubernetes_leaderelection:
-          enabled: false
+    preset: perNode
 ```

deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml

@@ -1,43 +1,10 @@
+kubernetes:
+  enabled: true
+system:
+  enabled: true
 agent:
   fleet:
     enabled: true
     url: http://localhost:8220
     token: fleetToken
-    preset: nginx
-  presets:
-    nginx:
-      mode: deployment
-      securityContext:
-        runAsUser: 0
-      serviceAccount:
-        create: true
-      clusterRole:
-        create: true
-        rules:
-          # minimum cluster role ruleset required by agent
-          - apiGroups: [ "" ]
-            resources:
-              - nodes
-              - namespaces
-              - pods
-            verbs:
-              - get
-              - watch
-              - list
-          - apiGroups: [ "apps" ]
-            resources:
-              - replicasets
-            verbs:
-              - get
-              - list
-              - watch
-          - apiGroups: [ "batch" ]
-            resources:
-              - jobs
-            verbs:
-              - get
-              - list
-              - watch
-      providers:
-        kubernetes_leaderelection:
-          enabled: false
+    preset: perNode

deploy/helm/elastic-agent/examples/fleet-managed/rendered/manifest.yaml

@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: agent-nginx-example
+  name: agent-pernode-example
   namespace: "default"
   labels:
     helm.sh/chart: elastic-agent-8.16.3-beta
@@ -15,7 +15,7 @@ metadata:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: agent-nginx-example
+  name: agent-pernode-example
   namespace: "default"
   labels:
     helm.sh/chart: elastic-agent-8.16.3-beta
@@ -28,15 +28,18 @@ stringData:
     fleet:
       enabled: true
     providers:
+      kubernetes:
+        node: ${NODE_NAME}
+        scope: node
       kubernetes_leaderelection:
-        enabled: false
-        leader_lease: example-nginx
+        enabled: true
+        leader_lease: example-pernode
 ---
 # Source: elastic-agent/templates/agent/cluster-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: agent-nginx-example-default
+  name: agent-perNode-example-default
   labels:
     helm.sh/chart: elastic-agent-8.16.3-beta
     app.kubernetes.io/name: elastic-agent
@@ -111,57 +114,31 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-    - ""
-    resources:
-    - nodes
-    - namespaces
-    - pods
-    verbs:
-    - get
-    - watch
-    - list
-  - apiGroups:
-    - apps
-    resources:
-    - replicasets
-    verbs:
-    - get
-    - list
-    - watch
-  - apiGroups:
-    - batch
-    resources:
-    - jobs
-    verbs:
-    - get
-    - list
-    - watch
 ---
 # Source: elastic-agent/templates/agent/cluster-role-binding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: agent-nginx-example-default
+  name: agent-perNode-example-default
   labels:
     helm.sh/chart: elastic-agent-8.16.3-beta
     app.kubernetes.io/name: elastic-agent
     app.kubernetes.io/instance: example
     app.kubernetes.io/version: 8.16.3
 subjects:
   - kind: ServiceAccount
-    name: agent-nginx-example
+    name: agent-pernode-example
     namespace: "default"
 roleRef:
   kind: ClusterRole
-  name: agent-nginx-example-default
+  name: agent-perNode-example-default
   apiGroup: rbac.authorization.k8s.io
 ---
-# Source: elastic-agent/templates/agent/k8s/deployment.yaml
+# Source: elastic-agent/templates/agent/k8s/daemonset.yaml
 apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
 metadata:
-  name: agent-nginx-example
+  name: agent-pernode-example
   namespace: "default"
   labels:
     helm.sh/chart: elastic-agent-8.16.3-beta
@@ -171,13 +148,13 @@ metadata:
 spec:
   selector:
     matchLabels:
-      name: agent-nginx-example
+      name: agent-pernode-example
   template:
     metadata:
       labels:
-        name: agent-nginx-example
+        name: agent-pernode-example
       annotations:
-        checksum/config: 975ed05540e0d099fe1b28b15d6403aacee676d0776a69fb75eb8624e19ad2de
+        checksum/config: cd7c5c4f03cc8377d18ee22cf236428090959fc194ee647bd97a39b79f38c807
     spec:
       automountServiceAccountToken: true
       containers:
@@ -196,6 +173,8 @@ spec:
               fieldPath: metadata.name
         - name: STATE_PATH
           value: /usr/share/elastic-agent/state
+        - name: ELASTIC_NETINFO
+          value: "false"
         - name: FLEET_URL
           value: http://localhost:8220
         - name: FLEET_ENROLLMENT_TOKEN
@@ -207,23 +186,68 @@ spec:
         image: docker.elastic.co/beats/elastic-agent:8.16.3-SNAPSHOT
         imagePullPolicy: IfNotPresent
         name: agent
+        resources:
+          limits:
+            memory: 1000Mi
+          requests:
+            cpu: 100m
+            memory: 400Mi
         securityContext:
           runAsUser: 0
         volumeMounts:
+        - mountPath: /hostfs/proc
+          name: proc
+          readOnly: true
+        - mountPath: /hostfs/sys/fs/cgroup
+          name: cgroup
+          readOnly: true
+        - mountPath: /var/lib/docker/containers
+          name: varlibdockercontainers
+          readOnly: true
+        - mountPath: /var/log
+          name: varlog
+          readOnly: true
+        - mountPath: /hostfs/etc
+          name: etc-full
+          readOnly: true
+        - mountPath: /hostfs/var/lib
+          name: var-lib
+          readOnly: true
         - mountPath: /usr/share/elastic-agent/state
           name: agent-data
         - mountPath: /etc/elastic-agent/agent.yml
           name: config
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
-      serviceAccountName: agent-nginx-example
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: agent-pernode-example
       volumes:
       - hostPath:
-          path: /etc/elastic-agent/default/agent-nginx-example-managed/state
+          path: /proc
+        name: proc
+      - hostPath:
+          path: /sys/fs/cgroup
+        name: cgroup
+      - hostPath:
+          path: /var/lib/docker/containers
+        name: varlibdockercontainers
+      - hostPath:
+          path: /var/log
+        name: varlog
+      - hostPath:
+          path: /etc
+        name: etc-full
+      - hostPath:
+          path: /var/lib
+        name: var-lib
+      - hostPath:
+          path: /etc/elastic-agent/default/agent-pernode-example-managed/state
           type: DirectoryOrCreate
         name: agent-data
       - name: config
         secret:
           defaultMode: 292
-          secretName: agent-nginx-example
+          secretName: agent-pernode-example

deploy/helm/elastic-agent/examples/kubernetes-default/rendered/manifest.yaml

@@ -1147,6 +1147,7 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: agent-pernode-example

deploy/helm/elastic-agent/examples/kubernetes-hints-autodiscover/rendered/manifest.yaml

@@ -1151,6 +1151,7 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
       initContainers:
       - args:
         - -c

deploy/helm/elastic-agent/examples/kubernetes-only-logs/rendered/manifest.yaml

@@ -291,6 +291,7 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: agent-pernode-example

deploy/helm/elastic-agent/examples/multiple-integrations/rendered/manifest.yaml

@@ -1167,6 +1167,7 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
       initContainers:
       - args:
         - -c

deploy/helm/elastic-agent/examples/system-custom-auth-paths/agent-system-values.yaml

@@ -8,6 +8,7 @@ system:
     vars:
       paths:
         - /var/log/custom_syslog.log
-
+kubernetes:
+  enabled: false
 agent:
   unprivileged: true

deploy/helm/elastic-agent/examples/system-custom-auth-paths/rendered/manifest.yaml

@@ -363,6 +363,7 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: agent-pernode-example

deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml

@@ -1117,6 +1117,7 @@ spec:
           readOnly: true
           subPath: agent.yml
       dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: user-sa-perNode