ECK resources Helm chart - Elastic Agent & Elastic Fleet Server Agent #5889
Edit templates to reference helm chart name properly Attempt to handle missing namespace in elasticref. convert to supporting multiple agent instances working on SAs/clusterRoles fix agent template Adding service accounts, cluster roles, and cluster role bindings to agent templates. Updating values documentation.
Adjusting installation notes for elastic-agent to be consistent. Removing any reference to appVersion for consistency. Adjusting annotations in all templates. Removing unneeded bits in agent helm tests. Adjusting default values for Elastic agent chart. Adjusting wording in fleet-agent example in Elastic agent chart.
deploy/eck-elastic-agent/Chart.yaml
sources: | ||
- https://github.com/elastic/cloud-on-k8s | ||
- https://github.com/elastic/elastic-agent | ||
icon: https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt77c2da6e0198746e/620ac24e6662ca0a6f617114/icon-agent-32-color.svg |
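Review bot: the `icon:` value on the last line is a long asset-host URL with opaque path segments that nothing in the chart pins or mirrors, so if the asset moves the icon breaks wherever the chart is listed. Pointing it at an image kept alongside one of the repositories already listed under `sources:` would keep the chart's external references in locations the project controls.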
Anyone know a better icon location than this?
LGTM for the approach taken. One thing I am wondering though is if we could make the whole RBAC side of deploying agent easier with the Helm chart. But I understand that is quite difficult if you have a list of agents where you do not know what is what.
I would love to make this easier for the user, but I'm not sure the Helm chart is the right place to do it. If we wanted to ensure that rbac rules were sufficient to the configuration, that logic would likely make more sense, and be easier to maintain in the operator itself, as complex logic in Helm charts just comes across as complex, ugly, and difficult to maintain. I can certainly go down that road and attempt this within the Helm charts. Please let me know and I'll make the changes, and see what they look like.
I don't have something that is ready to implement. I feel like Agent is special enough, compared to Kibana and Elasticsearch, to warrant doing a bit of design work for the Helm chart. For example one idea I had was to make two different Helm charts one for Fleet Server and one for Elastic Agents. Behind the scenes it is the same CRD of course still. That would allow us to configure two different sets of default RBAC permissions. More far reaching permissions for Agent, roughly oriented maybe on the Kubernetes observability recipe or maybe the DaemonSet published by the Agents team. And less permissions for the Fleet server chart. User could then override the default RBAC permissions for each of these charts to either restrict them further (e.g. for an APM integration we don't need all the K8s API permissions that K8s observability needs) or expand them where necessary. With a Fleet server chart and an Elastic Agent chart we should be able to cover most if not all use cases we have currently in the recipes section of the repository. This is just an idea at this stage and not ready to implement. Probably worth discussing with the team. My motivation is to find a solution how we can keep the templating logic minimal in the Charts but still add value for our users by starting with sane defaults that cover the most common case.
We met and had a discussion about the current implementation, vs a more specialized implementation for, say, Fleet, and comparing what the user experience was like between the two, we decided to implement the more specialized Helm chart for Fleet, which simplifies what the Agent helm chart looks like. I'll move this back to a WIP, and update when there's more information.
Add fleet chart.
Add additional tests Updated README
Update notes to remove cluster. Update names of tests
remove icon for fleet server
deploy/eck-elastic-agent/values.yaml
# Configuration of Agent, specifically used in Agent standalone mode. | ||
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-elastic-agent.html | ||
# | ||
config: {} |
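Review bot: the comment above `config: {}` says the key is for standalone mode but does not tell a fleet-mode user what to do with it. Because the default is an empty map rather than an absent key, either document here that it has to be unset for fleet mode, or leave the default absent so the key is only rendered when the user supplies it.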
Should we let the user set `config` and `elasticsearchRefs` explicitly? In fleet mode, using the provided example `deploy/eck-elastic-agent/examples/fleet-agents.yaml`, it fails with:
Error: INSTALLATION FAILED: admission webhook "elastic-agent-validation-v1alpha1.k8s.elastic.co" denied the request: Agent.agent.k8s.elastic.co "my-agents-eck-elastic-agent" is invalid:
[spec.config: Invalid value: v1.Config{Data:map[string]interface {}{}}: remove config, it can't be set in fleet mode, spec.fleetServerEnabled: Invalid value: false: remove Elasticsearch reference, it can't be enabled in fleet mode when Fleet Server is not enabled as well]
I've disabled them explicitly in the examples now. We have to allow these to be adjustable, as the agent chart supports both fleet, and standalone, so config is required in some cases. Are you thinking that config should just be set to `null` in the default values instead of `{}`, and the ES ref left empty?
deploy/eck-elastic-agent/values.yaml
# At least one is required of [daemonSet, deployment]. | ||
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-elastic-agent-fleet-configuration.html#k8s-elastic-agent-fleet-configuration-chose-the-deployment-model | ||
# | ||
daemonSet: |
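Review bot: the comment "At least one is required of [daemonSet, deployment]" reads as if both may be set, while `daemonSet:` is populated by default on the line right after it. State that exactly one is allowed, and note how to switch, for example that `daemonSet` has to be overridden with null before `deployment` is set.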
How do we switch to a `Deployment`? I get this error when I try to replace `daemonSet` with `deployment` in `deploy/eck-elastic-agent/examples/fleet-agents.yaml`:
admission webhook "elastic-agent-validation-v1alpha1.k8s.elastic.co" denied the request: Agent.agent.k8s.elastic.co "my-agents-eck-elastic-agent" is invalid: [spec.daemonSet: Forbidden: Specify either daemonSet or deployment, not both,
You'd have to set `spec.daemonSet: null` since it's defined in the default values. This is unfortunate, as we're trying to make the default useful, but this is never really user friendly when making modifications, as you have to set default values to `null` to disable them.
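The null-override behaviour from the two review threads above, as an added example (not code from this PR or from ECK): it merges user values over chart defaults the way Helm does and applies a simplified model of the three webhook rejections quoted in the thread. The default values, the `replicas` key and the function names are assumptions made for illustration.

```python
import copy

# Constructed stand-in for the chart defaults under review; the real
# values.yaml has more keys. Only `config: {}` and a `daemonSet`
# default are taken from the thread.
CHART_DEFAULTS = {"fleetServerEnabled": False, "config": {}, "daemonSet": {}}


def coalesce(defaults, overrides):
    """Merge user values over defaults as Helm does: maps merge
    recursively, other values replace, and null deletes the key."""
    merged = copy.deepcopy(defaults)
    for key, value in overrides.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = coalesce(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def rejected_fields(spec):
    """Simplified model of the three webhook rejections quoted in the
    thread. A key that is present counts as set, even when it is {}."""
    fields = []
    fleet = spec.get("mode") == "fleet"
    if fleet and "config" in spec:
        fields.append("spec.config")
    if fleet and spec.get("elasticsearchRefs") and not spec.get("fleetServerEnabled"):
        fields.append("spec.fleetServerEnabled")
    if "daemonSet" in spec and "deployment" in spec:
        fields.append("spec.daemonSet")
    return fields


def check(overrides):
    """Return the fields the modelled webhook would reject for a values file."""
    return rejected_fields(coalesce(CHART_DEFAULTS, overrides))


# Constructed user values: fleet-mode agents switched to a Deployment.
NAIVE = {"mode": "fleet", "deployment": {"replicas": 1}}
FIXED = {"mode": "fleet", "config": None, "daemonSet": None,
         "deployment": {"replicas": 1}}

if __name__ == "__main__":
    print("naive:", check(NAIVE))
    print("fixed:", check(FIXED))
```

Overriding `config` with `{}` instead of null leaves the key in place, so the modelled check still rejects `spec.config`.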
Update fleet-agents example to disable config, and ES refs. Update fleet-server template to explicitly set mode, and fleetServerEnabled. Add notes to eck-agent fleet-agents, and system-integration examples.
Consistently name fleet server (removing agent)
Update wording in eck-stack/readme
Is it intentional that labels/annotations are managed differently in the ClusterRoleBinding/ClusterRole/ServiceAccount between the two charts? The eck-agent chart supports dedicated labels/annotations but for labels we also get the labels of the agent, while for the eck-fleet-server no annotation at all and only the labels from the fleet-server.
…agent, and fleet charts.
This absolutely was not intentional, and has been resolved. Thanks for catching that @thbkrkr. I think I'll also add additional tests around labels/annotations similar to https://github.com/elastic/cloud-on-k8s/pull/6004/files#diff-9612072d3cca4f0281e66e5bd8fdb713f35792862686355d89ff507348419028R41
…account/clusterrole/clusterrolebinding map. Adding tests for all scenarios
@thbkrkr While adding tests, I noticed that
Rename child chart in eck-stack/Chart.yaml properly.
…xisting webhook validation
…elastic#5889) ECK Elastic Agent and Fleet Helm Charts
related to #5505
This PR contains the 2nd version of the ECK-managed resources helm charts including
- eck-elastic-agent chart for installing elastic-agent
- eck-fleet-server for managing fleet server as an Elastic Agent
- minor updates to the eck-stack chart.
Note that this Chart allows multiple instances of Elastic Agent to be installed, along with allowing multiple instances of serviceAccounts, clusterRoles, and clusterRoleBindings.
cc @jmlrt @Kushmaro @framsouza