[8.x](backport #5593) [helm] support using user-created serviceAccount and clusterRole

deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml

@@ -9,31 +9,35 @@ agent:
       mode: deployment
       securityContext:
         runAsUser: 0
-      rules:
-        # minimum cluster role ruleset required by agent
-        - apiGroups: [ "" ]
-          resources:
-            - nodes
-            - namespaces
-            - pods
-          verbs:
-            - get
-            - watch
-            - list
-        - apiGroups: [ "apps" ]
-          resources:
-            - replicasets
-          verbs:
-            - get
-            - list
-            - watch
-        - apiGroups: [ "batch" ]
-          resources:
-            - jobs
-          verbs:
-            - get
-            - list
-            - watch
+      serviceAccount:
+        create: true
+      clusterRole:
+        create: true
+        rules:
+          # minimum cluster role ruleset required by agent
+          - apiGroups: [ "" ]
+            resources:
+              - nodes
+              - namespaces
+              - pods
+            verbs:
+              - get
+              - watch
+              - list
+          - apiGroups: [ "apps" ]
+            resources:
+              - replicasets
+            verbs:
+              - get
+              - list
+              - watch
+          - apiGroups: [ "batch" ]
+            resources:
+              - jobs
+            verbs:
+              - get
+              - list
+              - watch
       providers:
         kubernetes_leaderelection:
           enabled: false

deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml

@@ -36,31 +36,35 @@ agent:
       mode: deployment
       securityContext:
         runAsUser: 0
-      rules:
-        # minimum cluster role ruleset required by agent
-        - apiGroups: [ "" ]
-          resources:
-            - nodes
-            - namespaces
-            - pods
-          verbs:
-            - get
-            - watch
-            - list
-        - apiGroups: [ "apps" ]
-          resources:
-            - replicasets
-          verbs:
-            - get
-            - list
-            - watch
-        - apiGroups: [ "batch" ]
-          resources:
-            - jobs
-          verbs:
-            - get
-            - list
-            - watch
+      serviceAccount:
+        create: true
+      clusterRole:
+        create: true
+        rules:
+          # minimum cluster role ruleset required by agent
+          - apiGroups: [ "" ]
+            resources:
+              - nodes
+              - namespaces
+              - pods
+            verbs:
+              - get
+              - watch
+              - list
+          - apiGroups: [ "apps" ]
+            resources:
+              - replicasets
+            verbs:
+              - get
+              - list
+              - watch
+          - apiGroups: [ "batch" ]
+            resources:
+              - jobs
+            verbs:
+              - get
+              - list
+              - watch
       providers:
         kubernetes_leaderelection:
           enabled: false

deploy/helm/elastic-agent/examples/user-cluster-role/README.md

@@ -0,0 +1,37 @@
+# Example: Kubernetes Integration with User-created cluster role
+
+In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml) including the use of a user-created cluster role. Note that the user is responsible for assigning the correct permissions to the cluster role.
+
+## Prerequisites:
+1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
+    ```console
+    kubectl create secret generic es-api-secret \
+       --from-literal=api_key=... \
+       --from-literal=url=...
+    ```
+
+2. `nginx` integration assets are installed through Kibana
+
+3. Create a cluster role.
+
+    ```console
+    kubectl create clusterrole user-cr --verb=get,list,watch --resource=pods,namespaces,nodes,replicasets,jobs
+    ```
+
+## Run:
+1. Install Helm chart
+    ```console
+    helm install elastic-agent ../../ \
+         -f ./agent-nginx-values.yaml \
+         --set outputs.default.type=ESSecretAuthAPI \
+         --set outputs.default.secretName=es-api-secret
+    ```
+
+2. Install the nginx deployment
+    ```console
+   kubectl apply -f ./nginx.yaml
+    ```
+
+## Validate:
+
+1. The Kibana `nginx`-related dashboards should start showing nginx related data.

deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml

@@ -0,0 +1,50 @@
+kubernetes:
+  enabled: false
+
+extraIntegrations:
+  nginx/metrics:
+    id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+    preset: nginx
+    name: nginx-1
+    revision: 1
+    type: nginx/metrics
+    use_output: default
+    meta:
+      package:
+        name: nginx
+        version: 1.19.1
+    data_stream:
+      namespace: default
+    package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f
+    streams:
+      - id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+        data_stream:
+          dataset: nginx.stubstatus
+          type: metrics
+        metricsets:
+          - stubstatus
+        hosts:
+          - 'http://nginx.default.svc.cluster.local:80'
+        tags:
+          - nginx-stubstatus
+        period: 10s
+        server_status_path: /nginx_status
+
+agent:
+  presets:
+    nginx:
+      annotations:
+        elastic-agent.k8s.elastic.co/preset: nginx
+      mode: deployment
+      securityContext:
+        runAsUser: 0
+      serviceAccount:
+        create: true
+        annotations:
+          elastic-agent.k8s.elastic.co/sa: nginx
+      clusterRole:
+        create: false
+        name: user-cr
+      providers:
+        kubernetes_leaderelection:
+          enabled: false

deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml

@@ -0,0 +1,161 @@
+---
+# Source: elastic-agent/templates/agent/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agent-nginx-example
+  namespace: "default"
+  labels:
+    helm.sh/chart: elastic-agent-0.0.1
+    app.kubernetes.io/name: elastic-agent
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/version: 8.17.0
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    elastic-agent.k8s.elastic.co/preset: nginx
+    elastic-agent.k8s.elastic.co/sa: nginx
+---
+# Source: elastic-agent/templates/agent/k8s/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: agent-nginx-example
+  namespace: "default"
+  labels:
+    helm.sh/chart: elastic-agent-0.0.1
+    app.kubernetes.io/name: elastic-agent
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/version: 8.17.0
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    elastic-agent.k8s.elastic.co/preset: nginx
+stringData:
+
+  agent.yml: |-
+    id: agent-nginx-example
+    outputs:
+      default:
+        hosts:
+        - http://elasticsearch:9200
+        password: changeme
+        type: elasticsearch
+        username: elastic
+    secret_references: []
+    inputs:
+      - data_stream:
+          namespace: default
+        id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+        meta:
+          package:
+            name: nginx
+            version: 1.19.1
+        name: nginx-1
+        package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f
+        preset: nginx
+        revision: 1
+        streams:
+        - data_stream:
+            dataset: nginx.stubstatus
+            type: metrics
+          hosts:
+          - http://nginx.default.svc.cluster.local:80
+          id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+          metricsets:
+          - stubstatus
+          period: 10s
+          server_status_path: /nginx_status
+          tags:
+          - nginx-stubstatus
+        type: nginx/metrics
+        use_output: default
+    providers:
+      kubernetes_leaderelection:
+        enabled: false
+        leader_lease: example-nginx
+---
+# Source: elastic-agent/templates/agent/cluster-role-binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: agent-nginx-example-default
+  labels:
+    helm.sh/chart: elastic-agent-0.0.1
+    app.kubernetes.io/name: elastic-agent
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/version: 8.17.0
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    elastic-agent.k8s.elastic.co/preset: nginx
+subjects:
+  - kind: ServiceAccount
+    name: agent-nginx-example
+    namespace: "default"
+roleRef:
+  kind: ClusterRole
+  name: user-cr
+  apiGroup: rbac.authorization.k8s.io
+---
+# Source: elastic-agent/templates/agent/k8s/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: agent-nginx-example
+  namespace: "default"
+  labels:
+    helm.sh/chart: elastic-agent-0.0.1
+    app.kubernetes.io/name: elastic-agent
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/version: 8.17.0
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selector:
+    matchLabels:
+      name: agent-nginx-example
+  template:
+    metadata:
+      labels:
+        name: agent-nginx-example
+      annotations:
+        checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26
+        elastic-agent.k8s.elastic.co/preset: nginx
+    spec:
+      automountServiceAccountToken: true
+      containers:
+      - args:
+        - -c
+        - /etc/elastic-agent/agent.yml
+        - -e
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: STATE_PATH
+          value: /usr/share/elastic-agent/state
+        image: docker.elastic.co/beats/elastic-agent:8.17.0-SNAPSHOT
+        imagePullPolicy: IfNotPresent
+        name: agent
+        securityContext:
+          runAsUser: 0
+        volumeMounts:
+        - mountPath: /usr/share/elastic-agent/state
+          name: agent-data
+        - mountPath: /etc/elastic-agent/agent.yml
+          name: config
+          readOnly: true
+          subPath: agent.yml
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: agent-nginx-example
+      volumes:
+      - hostPath:
+          path: /etc/elastic-agent/default/agent-nginx-example/state
+          type: DirectoryOrCreate
+        name: agent-data
+      - name: config
+        secret:
+          defaultMode: 292
+          secretName: agent-nginx-example