Merge pull request #4 from DataDog/vboulineau/gke-externalmetrics-rbac

Fix MetricsProvider RBAC setup on GKE clusters
DataDog · Aug 4, 2020 · c47dbc7 · c47dbc7
2 parents fc9d6ff + 66b7509
commit c47dbc7
Show file tree

Hide file tree

Showing 6 changed files with 223 additions and 202 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+charts/*/charts
diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 2.4.0
+version: 2.4.1
 appVersion: "7"
 description: Datadog Agent
 keywords:

diff --git a/charts/datadog/README.md b/charts/datadog/README.md
diff --git a/charts/datadog/templates/agent-rbac.yaml → ...datadog/templates/cluster-agent-rbac.yaml b/charts/datadog/templates/agent-rbac.yaml → ...datadog/templates/cluster-agent-rbac.yaml
@@ -181,7 +181,7 @@ metadata:
 
 {{- if and .Values.clusterAgent.enabled .Values.clusterAgent.rbac.create .Values.clusterAgent.metricsProvider.enabled }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: {{ template "rbac.apiVersion" . }}
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -203,4 +203,23 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "datadog.fullname" . }}-cluster-agent
     namespace: {{ .Release.Namespace }}
+---
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+  labels:
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app.kubernetes.io/name: "{{ template "datadog.fullname" . }}"
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+  name: "{{ template "datadog.fullname" . }}-cluster-agent"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "datadog.fullname" . }}-cluster-agent
+    namespace: {{ .Release.Namespace }}
 {{- end -}}
diff --git a/charts/datadog/templates/hpa-rbac.yaml → .../templates/hpa-external-metrics-rbac.yaml b/charts/datadog/templates/hpa-rbac.yaml → .../templates/hpa-external-metrics-rbac.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.clusterAgent.enabled .Values.clusterAgent.rbac.create .Values.clusterAgent.metricsProvider.enabled -}}
+{{- if and .Values.clusterAgent.enabled .Values.clusterAgent.rbac.create .Values.clusterAgent.metricsProvider.enabled .Values.clusterAgent.metricsProvider.createReaderRbac -}}
 apiVersion: {{ template "rbac.apiVersion" . }}
 kind: ClusterRole
 metadata:
@@ -8,7 +8,11 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name | quote }}
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- if contains "-gke." .Capabilities.KubeVersion.GitVersion }}
+  name: external-metrics-reader
+{{- else }}
   name: {{ template "datadog.fullname" . }}-cluster-agent-external-metrics-reader
+{{- end }}
 rules:
 - apiGroups:
   - "external.metrics.k8s.io"
@@ -28,32 +32,21 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name | quote }}
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- if contains "-gke." .Capabilities.KubeVersion.GitVersion }}
+  name: external-metrics-reader
+{{- else }}
   name: {{ template "datadog.fullname" . }}-cluster-agent-external-metrics-reader
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
+{{- if contains "-gke." .Capabilities.KubeVersion.GitVersion }}
+  name: external-metrics-reader
+{{- else }}
   name: {{ template "datadog.fullname" . }}-cluster-agent-external-metrics-reader
+{{- end }}
 subjects:
 - kind: ServiceAccount
   name: horizontal-pod-autoscaler
   namespace: kube-system
----
-apiVersion: {{ template "rbac.apiVersion" . }}
-kind: RoleBinding
-metadata:
-  labels:
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-    app.kubernetes.io/name: "{{ template "datadog.fullname" . }}"
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-  name: "{{ template "datadog.fullname" . }}-cluster-agent"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: extension-apiserver-authentication-reader
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "datadog.fullname" . }}-cluster-agent
-    namespace: {{ .Release.Namespace }}
 {{- end -}}
diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
@@ -474,6 +474,11 @@ clusterAgent:
     #
     useDatadogMetrics: false
 
+    ## @param createReaderRbac - boolean - optional
+    ## Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent)
+    #
+    createReaderRbac: true
+
     ## Configuration for the service for the cluster-agent metrics server
     #
     service: