[stable/telegraf] Configurable service account (#19456)

* [stable/telegraf] Configurable service account By default the telegraf service runs with the default RBAC permissions this PR adds the option to create a service account with configurable rules. Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Move RBAD flag one level up Co-Authored-By: Naseem <naseemkullah@gmail.com> Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Align templates with charts Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Update RBAC deployment conditional Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Make role and binding kind configurable Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Move comments about values Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Simplify (cluster)role values Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] prometheus input rules example Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Applied @naseemkullah suggestions Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> * [stable/telegraf] Corrected bad copy pasta Signed-off-by: Cees-Jan Kiewiet <ceesjank@gmail.com> Co-authored-by: Naseem <naseemkullah@gmail.com>

[stable/telegraf] Configurable service account (#19456)
ad270310 · Cees-Jan Kiewiet · Kubernetes Prow Robot · d594cfb7 · ad270310 · ad270310
Commit ad270310 authored Dec 26, 2019 by Cees-Jan Kiewiet Committed by Kubernetes Prow Robot Dec 26, 2019
7 changed files
--- a/stable/telegraf/Chart.yaml
+++ b/stable/telegraf/Chart.yaml
 apiVersion: v1
 name: telegraf
-version: 1.4.0
+version: 1.5.0
 appVersion: 1.12
 deprecated: false
 description: Telegraf is an agent written in Go for collecting, processing, aggregating, and writing metrics.

--- a/stable/telegraf/templates/_helpers.tpl
+++ b/stable/telegraf/templates/_helpers.tpl
@@ -334,3 +334,14 @@ Create chart name and version as used by the chart label.
    {{ end }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "telegraf.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "telegraf.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
--- a/stable/telegraf/templates/deployment.yaml
+++ b/stable/telegraf/templates/deployment.yaml
@@ -23,6 +23,7 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8 }}
        {{- end }}
    spec:
+      serviceAccountName: {{ template "telegraf.serviceAccountName" . }}
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
@@ -30,7 +31,7 @@ spec:
        resources:
 {{ toYaml .Values.resources | indent 10 }}
        env:
-{{ toYaml .Values.env | indent 8 }}       
+{{ toYaml .Values.env | indent 8 }}
        volumeMounts:
        - name: config
          mountPath: /etc/telegraf

--- a/stable/telegraf/templates/role.yaml
+++ b/stable/telegraf/templates/role.yaml
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- if .Values.rbac.clusterWide }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+metadata:
+  name: {{ template "telegraf.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+rules:
+{{ toYaml .Values.rbac.rules | indent 2 }}
+{{- end }}
\ No newline at end of file
--- a/stable/telegraf/templates/rolebinding.yaml
+++ b/stable/telegraf/templates/rolebinding.yaml
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- if .Values.rbac.clusterWide }}
+kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
+metadata:
+  name: {{ template "telegraf.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "telegraf.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.rbac.clusterWide }}
+  kind: ClusterRole
+  {{- else }}
+  kind: Role
+  {{- end }}
+  name: {{ template "telegraf.fullname" . }}
+{{- end }}
\ No newline at end of file
--- a/stable/telegraf/templates/serviceaccount.yaml
+++ b/stable/telegraf/templates/serviceaccount.yaml
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "telegraf.serviceAccountName" . }}
+  labels:
+    app: {{ template "telegraf.name" . }}
+    chart: {{ template "telegraf.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- end }}
--- a/stable/telegraf/values.yaml
+++ b/stable/telegraf/values.yaml
@@ -32,6 +32,52 @@ service:
  type: ClusterIP
  annotations: {}

+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+  # Create only for the release namespace or cluster wide (Role vs ClusterRole)
+  clusterWide: false
+  # Rules for the created rule
+  rules: []
+# When using the prometheus input to scrape all pods you need extra rules set to the ClusterRole to be
+# able to scan the pods for scraping labels. The following rules have been taken from:
+# https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46
+#    - apiGroups:
+#        - ""
+#      resources:
+#        - nodes
+#        - nodes/proxy
+#        - nodes/metrics
+#        - services
+#        - endpoints
+#        - pods
+#        - ingresses
+#        - configmaps
+#      verbs:
+#        - get
+#        - list
+#        - watch
+#    - apiGroups:
+#        - "extensions"
+#      resources:
+#        - ingresses/status
+#        - ingresses
+#      verbs:
+#        - get
+#        - list
+#        - watch
+#    - nonResourceURLs:
+#        - "/metrics"
+#      verbs:
+#        - get
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
 ## Exposed telegraf configuration
 ## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
 ## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/