Upgrade Kubernetes Elastic Agent Plugin to latest version, with bette…

…r default auto-configuration.

Fixes #98

- Default to non-DIND images for new installs
- Default to non-privileged containers for new installs
- Don't automount service account tokens on agents by default

gocd/CHANGELOG.md

@@ -1,3 +1,13 @@
+### 2.6.0
+* Upgrades the elastic agent plugin to `v4`, which enables auto-configuration and auto-refresh of service account tokens
+  when installed via this Helm chart. If you run your server in namespace `xxx` but rely on the plugin to create pods in
+  the `default` namespace, you will need to set the namespace in your elastic profiles to `default` before upgrading.
+  See [v4.0.0-505](https://github.com/gocd/kubernetes-elastic-agents/releases/tag/v4.0.0-505).
+* For new servers, the default elastic agent profiles are no longer privileged, and use the same image as the Helm chart
+  rather than the `dind` image. Since Kubernetes no longer defaults to use of dockerd, it no longer makes sense to default
+  or suggest dind images as elastic agent images. 
+* Preconfigure script config map is no longer installed during an agent-only installation.
+* Agent service account tokens are no longer auto-mounted into pods by default.
 ### 2.5.2
 * Bump elastic agent plugin to [v3.9.1-501](https://github.com/gocd/kubernetes-elastic-agents/releases/tag/v3.9.1-501)
 ### 2.5.1

gocd/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: gocd
 home: https://www.gocd.org/
-version: 2.5.2
+version: 2.6.0
 appVersion: 23.5.0
 description: GoCD is an open-source continuous delivery server to model and visualize complex workflows with ease.
 icon: https://gocd.github.io/assets/images/go-icon-black-192x192.png

gocd/templates/gocd-agent-deployment.yaml

@@ -41,6 +41,7 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ template "gocd.agentServiceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.agent.serviceAccount.automountServiceAccountToken }}
       securityContext:
         runAsUser: {{ .Values.agent.securityContext.runAsUser }}
         runAsGroup: {{ .Values.agent.securityContext.runAsGroup }}

gocd/templates/configmap.yaml → gocd/templates/gocd-server-configmap.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.server.shouldPreconfigure }}
+{{- if and .Values.server.enabled .Values.server.shouldPreconfigure }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -11,10 +11,6 @@ metadata:
 data:
   preconfigure_server.sh: |-
     #!/bin/bash
-
-    SERVICE_ACCOUNT_PATH=/var/run/secrets/kubernetes.io/serviceaccount
-    KUBE_TOKEN=$(<${SERVICE_ACCOUNT_PATH}/token)
-
     while true
     do
       status_code=$(curl 'http://localhost:8153/go/api/v1/health' -o /dev/null -w "%{http_code}")
@@ -39,28 +35,16 @@ data:
     echo "Trying to configure cluster profile." >> /godata/logs/preconfigure.log
 
     (curl --fail -i 'http://localhost:8153/go/api/admin/elastic/cluster_profiles' \
-      -H'Accept: application/vnd.go.cd+json'  \
+      -H 'Accept: application/vnd.go.cd+json'  \
       -H 'Content-Type: application/json' \
       -X POST -d '{
         "id": "k8-cluster-profile",
         "plugin_id": "cd.go.contrib.elasticagent.kubernetes",
         "properties": [
-              {
+            {
                 "key": "go_server_url",
                 "value": "http://{{ template "gocd.fullname" . }}-server.{{ .Release.Namespace }}:{{ .Values.server.service.httpPort }}/go"
-            },
-            {
-                "key": "kubernetes_cluster_url",
-                "value": "https://'$KUBERNETES_SERVICE_HOST':'$KUBERNETES_SERVICE_PORT_HTTPS'"
-              },
-              {
-                "key": "namespace",
-                "value": "{{ .Release.Namespace }}"
-              },
-              {
-                "key": "security_token",
-                "value": "'$KUBE_TOKEN'"
-              }
+            }
           ]
       }' >> /godata/logs/preconfigure.log)
 
@@ -75,19 +59,15 @@ data:
         "properties": [
           {
             "key": "Image",
-            "value": "gocd/gocd-agent-docker-dind:v{{ .Chart.AppVersion }}"
+            "value": "{{ .Values.agent.image.repository }}:v{{ .Chart.AppVersion }}"
           },
           {
             "key": "PodConfiguration",
-            "value": "apiVersion: v1\nkind: Pod\nmetadata:\n  name: gocd-agent-{{ `{{ POD_POSTFIX }}` }}\n  labels:\n    app: web\nspec:\n  serviceAccountName: {{ template "gocd.agentServiceAccountName" . }}\n  containers:\n    - name: gocd-agent-container-{{ `{{ CONTAINER_POSTFIX }}` }}\n      image: gocd/gocd-agent-docker-dind:v{{ .Chart.AppVersion }}\n      securityContext:\n        privileged: true"
+            "value": "apiVersion: v1\nkind: Pod\nmetadata:\n  name: gocd-agent-{{ `{{ POD_POSTFIX }}` }}\n  labels:\n    app: web\nspec:\n  serviceAccountName: {{ template "gocd.agentServiceAccountName" . }}\n  containers:\n    - name: gocd-agent-container-{{ `{{ CONTAINER_POSTFIX }}` }}\n      image: {{ .Values.agent.image.repository }}:v{{ .Chart.AppVersion }}"
           },
           {
             "key": "PodSpecType",
             "value": "yaml"
-          },
-          {
-            "key": "Privileged",
-            "value": "true"
           }
         ]
       }' >> /godata/logs/preconfigure.log)

gocd/templates/gocd-server-deployment.yaml

@@ -45,6 +45,7 @@ spec:
         fsGroup: {{ .Values.server.securityContext.fsGroup }}
         fsGroupChangePolicy: {{ .Values.server.securityContext.fsGroupChangePolicy }}
       serviceAccountName: {{ template "gocd.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
       {{- if or .Values.server.shouldPreconfigure (or .Values.server.persistence.enabled (or .Values.server.security.ssh.enabled .Values.server.persistence.extraVolumes)) }}
       volumes:
       {{- end }}

gocd/templates/ingress.yaml

@@ -1,5 +1,4 @@
-{{- if .Values.server.enabled }}
-{{- if .Values.server.ingress.enabled -}}
+{{- if and .Values.server.enabled .Values.server.ingress.enabled -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -49,4 +48,3 @@ spec:
 {{ toYaml .Values.server.ingress.tls | indent 4 }}
   {{- end -}}
 {{- end -}}
-{{- end -}}

gocd/values.yaml

@@ -25,6 +25,7 @@ serviceAccount:
   name:
   annotations:
     # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
+  automountServiceAccountToken: true
 
 server:
   # server.enabled is the toggle to run GoCD Server. Change to false for Agent Only Deployment.
@@ -53,7 +54,6 @@ server:
     # Specify the policy for checking volume permissions
     fsGroupChangePolicy: "OnRootMismatch"
   # server.shouldPreconfigure is used to invoke a script to pre configure the elastic agent profile and the plugin settings in the GoCD server.
-  # Note: If this value is set to true, then, the serviceAccount.name is configured for the GoCD server pod. The service account token is mounted as a secret and is used in the lifecycle hook.
   # Note: An attempt to preconfigure the GoCD server is made. There are cases where the pre-configuration can fail and the GoCD server starts with an empty config.
   shouldPreconfigure: true
   preconfigureCommand:
@@ -144,7 +144,7 @@ server:
     #  server.env.extraEnvVars is the list of environment variables passed to GoCD Server
     extraEnvVars:
       - name: GOCD_PLUGIN_INSTALL_kubernetes-elastic-agents
-        value: https://github.com/gocd/kubernetes-elastic-agents/releases/download/v3.9.1-501/kubernetes-elastic-agent-3.9.1-501.jar
+        value: https://github.com/gocd/kubernetes-elastic-agents/releases/download/v4.0.0-505/kubernetes-elastic-agent-4.0.0-505.jar
       - name: GOCD_PLUGIN_INSTALL_docker-registry-artifact-plugin
         value: https://github.com/gocd/docker-registry-artifact-plugin/releases/download/v1.4.0-587/docker-registry-artifact-plugin-1.4.0-587.jar
   service:
@@ -264,6 +264,7 @@ agent:
     # if reuseTopLevelServiceAccount is false, this field specifies the name of an existing service account to be associated with gocd agents
     # If field is empty, the service account "default" will be used.
     name:
+    automountServiceAccountToken: false
 
   # agent.deployment.labels is the labels for the GoCD Agent Deployment
   deployment: