From 43174a9adad0db47370de3ede17bb32b5b8e3cb9 Mon Sep 17 00:00:00 2001 From: Chad Wilson Date: Sun, 7 Jan 2024 22:57:30 +0800 Subject: [PATCH] Upgrade Kubernetes Elastic Agent Plugin to latest version, with better default auto-configuration. Fixes #98 - Default to non-DIND images for new installs - Default to non-privileged containers for new installs - Don't automount service account tokens on agents by default --- gocd/CHANGELOG.md | 10 ++++++ gocd/Chart.yaml | 2 +- gocd/templates/gocd-agent-deployment.yaml | 1 + ...figmap.yaml => gocd-server-configmap.yaml} | 32 ++++--------------- gocd/templates/gocd-server-deployment.yaml | 1 + gocd/templates/ingress.yaml | 4 +-- gocd/values.yaml | 5 +-- 7 files changed, 23 insertions(+), 32 deletions(-) rename gocd/templates/{configmap.yaml => gocd-server-configmap.yaml} (83%) diff --git a/gocd/CHANGELOG.md b/gocd/CHANGELOG.md index 54c5520..f75266b 100644 --- a/gocd/CHANGELOG.md +++ b/gocd/CHANGELOG.md 
@@ -1,3 +1,13 @@ +### 2.6.0 +* Upgrades the elastic agent plugin to `v4`, which enables auto-configuration and auto-refresh of service account tokens + when installed via this Helm chart. If you run your server in namespace `xxx` but rely on the plugin to create pods in + the `default` namespace, you will need to set the namespace in your elastic profiles to `default` before upgrading. + See [v4.0.0-505](https://github.com/gocd/kubernetes-elastic-agents/releases/tag/v4.0.0-505). +* For new servers, the default elastic agent profiles are no longer privileged, and use the same image as the Helm chart + rather than the `dind` image. Since Kubernetes no longer defaults to use of dockerd, it no longer makes sense to default + or suggest dind images as elastic agent images. +* Preconfigure script config map is no longer installed during an agent-only installation. +* Agent service account tokens are no longer auto-mounted into pods by default. ### 2.5.2 * Bump elastic agent plugin to [v3.9.1-501](https://github.com/gocd/kubernetes-elastic-agents/releases/tag/v3.9.1-501) ### 2.5.1 diff --git a/gocd/Chart.yaml b/gocd/Chart.yaml index d770bf4..483ff10 100644 --- a/gocd/Chart.yaml +++ b/gocd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gocd home: https://www.gocd.org/ -version: 2.5.2 +version: 2.6.0 appVersion: 23.5.0 description: GoCD is an open-source continuous delivery server to model and visualize complex workflows with ease. icon: https://gocd.github.io/assets/images/go-icon-black-192x192.png diff --git a/gocd/templates/gocd-agent-deployment.yaml b/gocd/templates/gocd-agent-deployment.yaml index 9ae4d5e..f3dfc86 100644 --- a/gocd/templates/gocd-agent-deployment.yaml +++ b/gocd/templates/gocd-agent-deployment.yaml 
@@ -41,6 +41,7 @@ spec: {{- end }} spec: serviceAccountName: {{ template "gocd.agentServiceAccountName" . }} + automountServiceAccountToken: {{ .Values.agent.serviceAccount.automountServiceAccountToken }} securityContext: runAsUser: {{ .Values.agent.securityContext.runAsUser }} runAsGroup: {{ .Values.agent.securityContext.runAsGroup }} diff --git a/gocd/templates/configmap.yaml b/gocd/templates/gocd-server-configmap.yaml similarity index 83% rename from gocd/templates/configmap.yaml rename to gocd/templates/gocd-server-configmap.yaml index 4f59619..af20dc9 100644 --- a/gocd/templates/configmap.yaml +++ b/gocd/templates/gocd-server-configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.server.shouldPreconfigure }} +{{- if and .Values.server.enabled .Values.server.shouldPreconfigure }} apiVersion: v1 kind: ConfigMap metadata: @@ -11,10 +11,6 @@ metadata: data: preconfigure_server.sh: |- #!/bin/bash - - SERVICE_ACCOUNT_PATH=/var/run/secrets/kubernetes.io/serviceaccount - KUBE_TOKEN=$(<${SERVICE_ACCOUNT_PATH}/token) - while true do status_code=$(curl 'http://localhost:8153/go/api/v1/health' -o /dev/null -w "%{http_code}") 
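Review bot: The new `automountServiceAccountToken:` line in the agent Deployment renders the value bare, so an override of `agent.serviceAccount.automountServiceAccountToken: null` (which Helm 3 uses to delete a key) would emit an empty field and Kubernetes would fall back to its default of mounting the token, silently undoing the hardening this commit introduces. Rendering it as `automountServiceAccountToken: {{ .Values.agent.serviceAccount.automountServiceAccountToken | default false }}` keeps the field boolean and fails closed when the value is absent. This only pins the field on the static agent Deployment; whether the chart's ServiceAccount object itself also sets it is not visible in this hunk.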
@@ -39,28 +35,16 @@ data: echo "Trying to configure cluster profile." >> /godata/logs/preconfigure.log (curl --fail -i 'http://localhost:8153/go/api/admin/elastic/cluster_profiles' \ - -H'Accept: application/vnd.go.cd+json' \ + -H 'Accept: application/vnd.go.cd+json' \ -H 'Content-Type: application/json' \ -X POST -d '{ "id": "k8-cluster-profile", "plugin_id": "cd.go.contrib.elasticagent.kubernetes", "properties": [ - { + { "key": "go_server_url", "value": "http://{{ template "gocd.fullname" . }}-server.{{ .Release.Namespace }}:{{ .Values.server.service.httpPort }}/go" - }, - { - "key": "kubernetes_cluster_url", - "value": "https://'$KUBERNETES_SERVICE_HOST':'$KUBERNETES_SERVICE_PORT_HTTPS'" - }, - { - "key": "namespace", - "value": "{{ .Release.Namespace }}" - }, - { - "key": "security_token", - "value": "'$KUBE_TOKEN'" - } + } ] }' >> /godata/logs/preconfigure.log) @@ -75,19 +59,15 @@ data: "properties": [ { "key": "Image", - "value": "gocd/gocd-agent-docker-dind:v{{ .Chart.AppVersion }}" + "value": "{{ .Values.agent.image.repository }}:v{{ .Chart.AppVersion }}" }, { "key": "PodConfiguration", - "value": "apiVersion: v1\nkind: Pod\nmetadata:\n name: gocd-agent-{{ `{{ POD_POSTFIX }}` }}\n labels:\n app: web\nspec:\n serviceAccountName: {{ template "gocd.agentServiceAccountName" . }}\n containers:\n - name: gocd-agent-container-{{ `{{ CONTAINER_POSTFIX }}` }}\n image: gocd/gocd-agent-docker-dind:v{{ .Chart.AppVersion }}\n securityContext:\n privileged: true" + "value": "apiVersion: v1\nkind: Pod\nmetadata:\n name: gocd-agent-{{ `{{ POD_POSTFIX }}` }}\n labels:\n app: web\nspec:\n serviceAccountName: {{ template "gocd.agentServiceAccountName" . }}\n containers:\n - name: gocd-agent-container-{{ `{{ CONTAINER_POSTFIX }}` }}\n image: {{ .Values.agent.image.repository }}:v{{ .Chart.AppVersion }}" }, { "key": "PodSpecType", "value": "yaml" - }, - { - "key": "Privileged", - "value": "true" } ] }' >> /godata/logs/preconfigure.log) 
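Review bot: The default `PodConfiguration` in the elastic-profile hunk still sets `serviceAccountName:` to the agent service account but never sets `automountServiceAccountToken: false`, so pods the plugin creates keep receiving an API token even though the agent Deployment and changelog in this same commit disable it. Inserting `\n  automountServiceAccountToken: false` right after the `serviceAccountName` entry in the embedded pod YAML closes that gap, assuming the plugin does not inject the token by other means (not visible here). Dropping `privileged: true` also leaves the container with no `securityContext` at all; since the image is now the chart's non-dind agent image, a minimal `securityContext:\n      allowPrivilegeEscalation: false\n      capabilities:\n        drop:\n        - ALL` under the container would match the non-privileged intent, provided the image is confirmed to run without those capabilities. The image is still referenced by a mutable `v{{ .Chart.AppVersion }}` tag rather than a digest, as before this change.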
diff --git a/gocd/templates/gocd-server-deployment.yaml b/gocd/templates/gocd-server-deployment.yaml index f788cf2..1f57295 100644 --- a/gocd/templates/gocd-server-deployment.yaml +++ b/gocd/templates/gocd-server-deployment.yaml @@ -45,6 +45,7 @@ spec: fsGroup: {{ .Values.server.securityContext.fsGroup }} fsGroupChangePolicy: {{ .Values.server.securityContext.fsGroupChangePolicy }} serviceAccountName: {{ template "gocd.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- if or .Values.server.shouldPreconfigure (or .Values.server.persistence.enabled (or .Values.server.security.ssh.enabled .Values.server.persistence.extraVolumes)) }} volumes: {{- end }} diff --git a/gocd/templates/ingress.yaml b/gocd/templates/ingress.yaml index cd70d48..2eb3e5e 100644 --- a/gocd/templates/ingress.yaml +++ b/gocd/templates/ingress.yaml @@ -1,5 +1,4 @@ -{{- if .Values.server.enabled }} -{{- if .Values.server.ingress.enabled -}} +{{- if and .Values.server.enabled .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} apiVersion: networking.k8s.io/v1 kind: Ingress @@ -49,4 +48,3 @@ spec: {{ toYaml .Values.server.ingress.tls | indent 4 }} {{- end -}} {{- end -}} -{{- end -}} diff --git a/gocd/values.yaml b/gocd/values.yaml index 11c3a22..57c1e06 100644 --- a/gocd/values.yaml +++ b/gocd/values.yaml @@ -25,6 +25,7 @@ serviceAccount: name: annotations: # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + automountServiceAccountToken: true server: # server.enabled is the toggle to run GoCD Server. Change to false for Agent Only Deployment. 
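Review bot: The new `serviceAccount.automountServiceAccountToken: true` default in values.yaml carries no comment, yet the changelog in this commit says the v4 plugin now auto-configures from the server pod's token and the preconfigure script no longer passes a `security_token`, so an operator who flips this to `false` for hardening would silently lose the plugin's ability to create agent pods. Suggest documenting the dependency directly above the key: `# Must remain true when the kubernetes-elastic-agents plugin (v4+) is used: it reads the mounted token to reach the API server. Set to false only if you configure the plugin's credentials by other means.` This dependency is inferred from the changelog and the removed `KUBE_TOKEN` lines rather than from plugin code visible here.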
@@ -53,7 +54,6 @@ server: # Specify the policy for checking volume permissions fsGroupChangePolicy: "OnRootMismatch" # server.shouldPreconfigure is used to invoke a script to pre configure the elastic agent profile and the plugin settings in the GoCD server. - # Note: If this value is set to true, then, the serviceAccount.name is configured for the GoCD server pod. The service account token is mounted as a secret and is used in the lifecycle hook. # Note: An attempt to preconfigure the GoCD server is made. There are cases where the pre-configuration can fail and the GoCD server starts with an empty config. shouldPreconfigure: true preconfigureCommand: @@ -144,7 +144,7 @@ server: # server.env.extraEnvVars is the list of environment variables passed to GoCD Server extraEnvVars: - name: GOCD_PLUGIN_INSTALL_kubernetes-elastic-agents - value: https://github.com/gocd/kubernetes-elastic-agents/releases/download/v3.9.1-501/kubernetes-elastic-agent-3.9.1-501.jar + value: https://github.com/gocd/kubernetes-elastic-agents/releases/download/v4.0.0-505/kubernetes-elastic-agent-4.0.0-505.jar - name: GOCD_PLUGIN_INSTALL_docker-registry-artifact-plugin value: https://github.com/gocd/docker-registry-artifact-plugin/releases/download/v1.4.0-587/docker-registry-artifact-plugin-1.4.0-587.jar service: @@ -264,6 +264,7 @@ agent: # if reuseTopLevelServiceAccount is false, this field specifies the name of an existing service account to be associated with gocd agents # If field is empty, the service account "default" will be used. name: + automountServiceAccountToken: false # agent.deployment.labels is the labels for the GoCD Agent Deployment deployment:
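Review bot: The new `agent.serviceAccount.automountServiceAccountToken: false` default has no comment explaining its effect or scope, unlike the neighbouring keys in this hunk. Suggest: `# Whether to mount the Kubernetes API token into the static agent pods. Defaults to false because build jobs rarely need API access and a mounted token widens the blast radius of a compromised build. Affects only the agent Deployment; pods created by the elastic agent plugin are governed by the PodConfiguration in the elastic profile.` The last sentence reflects that this value is consumed only by gocd-agent-deployment.yaml in this commit; if another template also reads it, adjust the wording.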