influxdata / tick-charts

A repository for Helm Charts for the full TICK Stack
Apache License 2.0

Allow setting of service account for telegraf-ds #105

Open sfitts opened 5 years ago

sfitts commented 5 years ago

Related to #77 and #92 (in fact I should have done this at the same time, but...)

This is more targeted than what #77 suggests since different configurations may want different accounts/bindings. However, without the ability to at least set the account in the daemonset, you can't make any progress.

skrsfix commented 4 years ago

This issue bit me today. I think the serviceaccount mapping doesn't work as expected. I had to add more perms to a default sa to get going (which is not ideal).

I need to catch up on the code changes. I really love the helm telegraf-ds, and I may just contribute and help to get this to a good state.

KannappanSomu commented 4 years ago

Hi @sudhishkasabaramesh, can you let us know how to fix this problem with the existing default service account? I tried the cluster admin role for the default service account, but I'm still not able to fix it.

jmorcar commented 4 years ago

I suggest adding the serviceaccount config to the requirements documentation, or maybe adding a YAML definition like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: telegraf-reader
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: telegraf-cluster-reader
  labels:
    rbac.authorization.k8s.io/aggregate-view-telegraf: "true"
    rbac.authorization.k8s.io/aggregate-view-telegraf-stats: "true"
rules:
  - nonResourceURLs: ["/stats", "/stats/*"]
    verbs: ["get", "watch", "list"]
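  - apiGroups: [""]
    resources: ["persistentvolumes", "nodes", "pods", "nodes/proxy"]
    verbs: ["get", "watch", "list"]
  # deployments and statefulsets are served from the "apps" API group, not the core group
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "watch", "list"]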
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: telegraf-reader-role
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-view-telegraf-stats: "true"
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-view-telegraf: "true"
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: "true"
rules: [] # Rules are automatically filled in by the controller manager.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: telegraf-reader-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: telegraf-reader-role
subjects:
  - kind: ServiceAccount
    name: telegraf-reader
    namespace: default

With this config the kube_inventory input plugin works fine, but the kubernetes input is not working... it always displays this error:

2020-04-03T09:09:10Z E! [inputs.kubernetes] Error in plugin: https://kubernetes/stats/summary returned HTTP status 404 Not Found

I commented on this here: issues/6959#
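Added example, not part of the thread or of the chart's code: a simplified model of how Kubernetes RBAC matches a request against ClusterRole rules, useful for checking what a read-only grant for a telegraf service account actually covers. The rule sets and helper names are constructed for illustration; the model ignores resourceNames and role aggregation.

```python
# Simplified model of Kubernetes RBAC rule matching (added example).
# It ignores resourceNames and role aggregation; rule data is constructed.

def _has(values, wanted):
    return "*" in values or wanted in values

def rule_allows(rule, req):
    """True if one rule permits the request."""
    if not _has(rule.get("verbs", []), req["verb"]):
        return False
    if "path" in req:  # non-resource request, e.g. GET /stats/summary
        for url in rule.get("nonResourceURLs", []):
            if url in ("*", req["path"]):
                return True
            if url.endswith("*") and req["path"].startswith(url[:-1]):
                return True
        return False
    # Resource request: API group and resource must both match.
    resource = req["resource"]
    if req.get("subresource"):
        resource += "/" + req["subresource"]
    return (_has(rule.get("apiGroups", []), req["group"])
            and _has(rule.get("resources", []), resource))

def allowed(rules, req):
    return any(rule_allows(r, req) for r in rules)

READ = ["get", "watch", "list"]
STATS = {"nonResourceURLs": ["/stats", "/stats/*"], "verbs": READ}
# Constructed: workload kinds listed under the core ("") group only.
CORE_ONLY = [STATS, {"apiGroups": [""], "verbs": READ,
    "resources": ["persistentvolumes", "nodes", "pods", "deployments", "statefulsets", "nodes/proxy"]}]
# Constructed: same grant plus a rule naming the "apps" group.
WITH_APPS = CORE_ONLY + [{"apiGroups": ["apps"], "verbs": READ,
    "resources": ["deployments", "statefulsets"]}]

def req(verb, group, resource, subresource=None):
    return {"verb": verb, "group": group, "resource": resource, "subresource": subresource}

if __name__ == "__main__":
    checks = [("list pods", req("list", "", "pods")),
              ("list apps/deployments", req("list", "apps", "deployments")),
              ("get nodes/proxy", req("get", "", "nodes", "proxy")),
              ("delete pods", req("delete", "", "pods")),
              ("GET /stats/summary", {"verb": "get", "path": "/stats/summary"})]
    for name, r in checks:
        print(f"{name:24} core-only={allowed(CORE_ONLY, r)} with-apps={allowed(WITH_APPS, r)}")
```

A rule matches on API group and resource together, so a resource name listed under a group that does not serve it grants nothing from that rule.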

nsteinmetz commented 4 years ago

@jmorcar have a look at https://github.com/influxdata/helm-charts/tree/master/charts/telegraf-ds

This repo (tick-charts) is replaced by the helm-charts one, and we fixed the daemonset deployment.