Fluentd-Cloudwatch Changes (helm#3229)

Jon Whitcraft · k8s-ci-robot · commit cd01e327b937 · 2018-01-18T10:38:37.000-08:00
* Fluentd-Cloudwatch Changes

- Add support for awsRoles vai kube2iam role
- Add rbac create support
- Standardize helpers with other charts

* Fix the lint errors

* Forgot to update the secrets

* Address Code Review Comments
diff --git a/incubator/fluentd-cloudwatch/Chart.yaml b/incubator/fluentd-cloudwatch/Chart.yaml
@@ -1,5 +1,5 @@
 name: fluentd-cloudwatch
-version: 0.1.2
+version: 0.2.0
 appVersion: 0.1.1
 description: A Fluentd CloudWatch Helm chart for Kubernetes.
 icon: https://raw.githubusercontent.com/fluent/fluentd-docs/master/public/logo/Fluentd_square.png
diff --git a/incubator/fluentd-cloudwatch/README.md b/incubator/fluentd-cloudwatch/README.md
@@ -15,6 +15,7 @@ This chart bootstraps a [Fluentd](https://www.fluentd.org/) [Cloudwatch](https:/
 ## Prerequisites
 
 - Kubernetes 1.4+ with Beta APIs enabled
+- [kube2iam](../../stable/kube2iam) installed to used the **awsRole** config option
 
 ## Installing the Chart
 
@@ -23,6 +24,8 @@ To install the chart with the release name `my-release`:
 ```console
 $ # edit secrets/aws_access_key_id and secrets/aws_access_key_id with the key/password of a AWS user with a policy to access  Cloudwatch
 $ helm install --name my-release incubator/fluentd-cloudwatch
+$ # or add a role to aws with the correct policy to add to cloud watch
+$ helm install --name my-release incubator/fluentd-cloudwatch --set awsRole=roll_name_here
 ```
 
 The command deploys Fluentd Cloudwatch on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -53,8 +56,11 @@ The following tables lists the configurable parameters of the Fluentd Cloudwatch
 | `hostNetwork`                   | Host network                               | `false`                                                    |
 | `annotations` (removed for now) | Annotations                                | `nil`                                                      |
 | `awsRegion`                     | AWS Cloudwatch region                      | `us-east-1`                                                |
+| `awsRole`                       | AWS IAM Role To Use                        | `nil`                                                      |
 | `fluentdConfig`                 | Fluentd configuration                      | `example configuration`                                    |
 | `logGroupName`                  | AWS Cloudwatch log group                   | `kubernetes`                                               |
+| `rbac.create`                   | If true, create & use RBAC resources       | `false`                                                    |
+| `rbac.serviceAccountName`       | existing ServiceAccount to use (ignored if rbac.create=true) | `default`                                |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
diff --git a/incubator/fluentd-cloudwatch/templates/_helpers.tpl b/incubator/fluentd-cloudwatch/templates/_helpers.tpl
@@ -3,7 +3,7 @@
 Expand the name of the chart.
 */}}
 {{- define "fluentd-cloudwatch.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 24 -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
@@ -12,5 +12,6 @@ We truncate at 24 chars because some Kubernetes name fields are limited to this
 */}}
 {{- define "fluentd-cloudwatch.fullname" -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 24 -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
diff --git a/incubator/fluentd-cloudwatch/templates/clusterrole.yaml b/incubator/fluentd-cloudwatch/templates/clusterrole.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ template "fluentd-cloudwatch.fullname" . }}
+  labels:
+    app: {{ template "fluentd-cloudwatch.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+rules:
+- apiGroups: [""]
+  resources: ["fluentd-cloudwatch.namespaces", "pods"]
+  verbs: ["get", "list", "watch"]
+{{- end }}
diff --git a/incubator/fluentd-cloudwatch/templates/clusterrolebinding.yaml b/incubator/fluentd-cloudwatch/templates/clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "fluentd-cloudwatch.fullname" . }}
+  labels:
+    app: {{ template "fluentd-cloudwatch.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+subjects:
+- kind: ServiceAccount
+  name: {{ template "fluentd-cloudwatch.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "fluentd-cloudwatch.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}
diff --git a/incubator/fluentd-cloudwatch/templates/daemonset.yaml b/incubator/fluentd-cloudwatch/templates/daemonset.yaml
@@ -14,8 +14,12 @@ spec:
         app: {{ template "fluentd-cloudwatch.name" . }}
         release: "{{ .Release.Name }}"
       annotations:
+        {{ if .Values.awsRole }}iam.amazonaws.com/role: {{ .Values.awsRole }}{{ end }}
+{{- if .Values.podAnnotations }}
 {{ toYaml .Values.annotations | indent 8 }}
+{{- end }}
     spec:
+      serviceAccountName: {{ if .Values.rbac.create }}{{ template "fluentd-cloudwatch.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
       containers:
       - name: {{ template "fluentd-cloudwatch.fullname" . }}
         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
@@ -26,7 +30,7 @@ spec:
           value: {{ .Values.awsRegion }}
         - name: LOG_GROUP_NAME
           value: {{ .Values.logGroupName }}
-
+{{- if not .Values.awsRole }}
         - name: AWS_ACCESS_KEY_ID
           valueFrom:
             secretKeyRef:
@@ -37,7 +41,7 @@ spec:
             secretKeyRef:
               key: aws_secret_access_key
               name: {{ template "fluentd-cloudwatch.fullname" . }}
-
+{{- end }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
         volumeMounts:
diff --git a/incubator/fluentd-cloudwatch/templates/secrets.yaml b/incubator/fluentd-cloudwatch/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.awsRole }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +11,4 @@ metadata:
 type: Opaque
 data:
 {{ (.Files.Glob "secrets/*").AsSecrets | indent 2 }}
+{{- end }}
diff --git a/incubator/fluentd-cloudwatch/templates/serviceaccount.yaml b/incubator/fluentd-cloudwatch/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "fluentd-cloudwatch.fullname" . }}
+  labels:
+    app: {{ template "fluentd-cloudwatch.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- end }}
diff --git a/incubator/fluentd-cloudwatch/values.yaml b/incubator/fluentd-cloudwatch/values.yaml
@@ -23,8 +23,16 @@ resources:
 annotations: {}
 
 awsRegion: us-east-1
+awsRole:
 logGroupName: kubernetes
 
+rbac:
+  ## If true, create and use RBAC resources
+  create: false
+
+  ## Ignored if rbac.create is true
+  serviceAccountName: default
+
 fluentdConfig: |
   <match fluent.**>
     type null
