elastic agents

elastic agent manifest

Warning

Unfortunately this isn’t working the way I’d like; it might be worth avoiding for now.

This includes a Fleet Server, an agent, and the RBAC resources needed to run them. Much of this may be untested or only lightly tested.

---

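apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: fleet-server
spec:
  version: 8.12.1
  kibanaRef:
    name: kibana
  elasticsearchRefs:
  - name: elasticsearch
  mode: fleet
  fleetServerEnabled: true
  policyID: eck-fleet-server
  deployment:
    replicas: 1
    podTemplate:
      spec:
        # The fleet-server ServiceAccount is bound cluster-wide to the
        # fleet-server ClusterRole further down; its token is mounted so the
        # agent can talk to the API server.
        serviceAccountName: fleet-server
        automountServiceAccountToken: true
        # Root is required because the start-up script below writes into the
        # system CA store (update-ca-certificates). If the CA handling moves
        # out of this container, this should be dropped to a non-root user.
        securityContext:
          runAsUser: 0
        containers:
        - name: agent
          volumeMounts:
          # NOTE(review): this path looks like the location ECK uses for the
          # certs of an Elasticsearch association named "eck-lab", while the
          # elasticsearchRefs entry above is named "elasticsearch" — confirm
          # that mounting the fleet-tls secret here is intended.
          - name: ca
            mountPath: /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs
            readOnly: true
          - name: waffleca
            mountPath: /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs2
            readOnly: true
          command:
          - bash
          - -c
          - |
            #!/usr/bin/env bash
            set -e
            # Copy any mounted CA certificates into the system trust store before
            # starting the agent. Each source is checked on its own, so a missing
            # secret or an unmatched glob no longer aborts start-up under `set -e`.
            added=0
            if [[ -f /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs/ca.crt ]]; then
              cp /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs/ca.crt /usr/local/share/ca-certificates
              added=1
            fi
            for crt in /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs2/wafflelab-*.crt; do
              # bash passes an unmatched glob through literally; skip it.
              if [[ -f "$crt" ]]; then
                cp "$crt" /usr/local/share/ca-certificates
                added=1
              fi
            done
            if [[ "$added" -eq 1 ]]; then
              update-ca-certificates
            fi
            # exec so tini becomes PID 1 and receives the pod's signals directly.
            exec /usr/bin/tini -- /usr/local/bin/docker-entrypoint -e
        volumes:
        - name: ca
          secret:
            secretName: fleet-tls
        - name: waffleca
          secret:
            secretName: waffle-ca
  http:
    service:
      spec:
        # Exposes Fleet Server outside the cluster. With the tls stanza below
        # commented out, the certificate ECK generates itself is presumably
        # what is served; agents outside the cluster must trust that CA.
        type: LoadBalancer
    # tls:
    #   certificate:
    #     secretName: fleet-tls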

---

apiVersion: v1
kind: Service
# In-cluster (ClusterIP, no type given) entry point for APM intake on 8200.
# The selector presumably matches pods of an Agent named "elastic-agent";
# that Agent manifest is commented out at the end of this file, so this
# Service has no endpoints until it is enabled.
metadata:
  name: apm
spec:
  selector:
    agent.k8s.elastic.co/name: elastic-agent
  ports:
  - protocol: TCP
    port: 8200  # targetPort is not set, so it defaults to the same value

---

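apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# Read-only access to workload metadata across every namespace, plus write
# access to leases. Sequence indentation is flush throughout, matching the
# rest of the file.
metadata:
  name: fleet-server
rules:
- apiGroups: [""]
  resources:
  - pods
  - namespaces
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups: ["apps"]
  resources:
  - replicasets
  verbs:
  - get
  - watch
  - list
- apiGroups: ["batch"]
  resources:
  - jobs
  verbs:
  - get
  - watch
  - list
# The only write permission granted; presumably for leader election.
- apiGroups: ["coordination.k8s.io"]
  resources:
  - leases
  verbs:
  - get
  - create
  - update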

---

apiVersion: v1
kind: ServiceAccount
# Identity of the fleet-server Agent pods; bound cluster-wide to the
# fleet-server ClusterRole by the ClusterRoleBinding that follows.
metadata:
  name: fleet-server
  namespace: default

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# Cluster-wide binding: the fleet-server ClusterRole applies in every
# namespace, not only "default" where the ServiceAccount lives.
metadata:
  name: fleet-server
subjects:
- kind: ServiceAccount
  name: fleet-server
  namespace: default
roleRef:
  kind: ClusterRole
  name: fleet-server
  apiGroup: rbac.authorization.k8s.io

---

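apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# Permissions for the (currently commented-out) elastic-agent Agent. Mostly
# read-only, cluster-wide. Sequence indentation and verb quoting are made
# consistent; the granted permissions are unchanged.
metadata:
  name: elastic-agent
rules:
- apiGroups: [""]
  resources:
  - pods
  - nodes
  - namespaces
  - events
  - services
  - configmaps
  verbs:
  - get
  - watch
  - list
# The only write permission granted; presumably for leader election.
- apiGroups: ["coordination.k8s.io"]
  resources:
  - leases
  verbs:
  - get
  - create
  - update
- nonResourceURLs:
  - "/metrics"
  verbs:
  - get
# NOTE(review): the "extensions" API group no longer serves replicasets on
# current Kubernetes releases; the "apps" rule below covers them. Kept so the
# granted set is unchanged — confirm whether this rule can be dropped.
- apiGroups: ["extensions"]
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups: ["apps"]
  resources:
  - statefulsets
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
# nodes/stats is a subresource; only get is needed for it.
- apiGroups: [""]
  resources:
  - nodes/stats
  verbs:
  - get
- apiGroups: ["batch"]
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch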

---

apiVersion: v1
kind: ServiceAccount
# Identity of the elastic-agent Agent pods (that Agent manifest is currently
# commented out at the end of this file); bound cluster-wide to the
# elastic-agent ClusterRole by the ClusterRoleBinding that follows.
metadata:
  name: elastic-agent
  namespace: default

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# Cluster-wide binding: the elastic-agent ClusterRole applies in every
# namespace, not only "default" where the ServiceAccount lives.
metadata:
  name: elastic-agent
subjects:
- kind: ServiceAccount
  name: elastic-agent
  namespace: default
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io


#---

#apiVersion: agent.k8s.elastic.co/v1alpha1
#kind: Agent
#metadata: 
#  name: elastic-agent
#spec:
#  version: 8.12.1
#  kibanaRef:
#    name: kibana
#  fleetServerRef: 
#    name: fleet-server
#  mode: fleet
#  policyID: eck-agent
#  daemonSet:
#    podTemplate:
#      spec:
#        serviceAccountName: elastic-agent
#        hostNetwork: true
#        dnsPolicy: ClusterFirstWithHostNet
#        automountServiceAccountToken: true
#        securityContext:
#          runAsUser: 0
#        containers:
#        - name: agent
#          volumeMounts:
#          - name: ca
#            mountPath: /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs
#            readOnly: true
#          command:
#          - bash
#          - -c
#          - |
#            #!/usr/bin/env bash
#            set -e
#            if [[ -f /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs/ca.crt ]]; then
#              cp /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs/ca.crt /usr/local/share/ca-certificates
#              update-ca-certificates
#            fi
#            /usr/bin/tini -- /usr/local/bin/docker-entrypoint -e
#        volumes:
#        - name: ca
#          secret:
#            secretName: fleet-tls

Unfortunately, this creates a new fleet server every time it’s applied. I’d love for the server to be reused, but this will do for now.

I still have to figure out how to handle the TLS certificate and key properly, and I don’t know what I’m doing with APM just yet.