Merge branch 'develop' into option-to-disable-orchestrator

kubecost · Jan 30, 2025 · 665d2d8 · 665d2d8
2 parents ff9c9fb + 6ec18e5
commit 665d2d8
Show file tree

Hide file tree

Showing 23 changed files with 590 additions and 100 deletions.
diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml
@@ -21,7 +21,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 
       # Lint all chart values including those in the ci directory.
       - name: Run chart-testing (lint)
@@ -83,10 +83,10 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 
       - name: Create KinD cluster
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: v0.20.0
           node_image: kindest/node:${{ matrix.k8s-version.version }}
@@ -186,8 +186,10 @@ jobs:
           --set global.platforms.openshift.route.enabled=true \
           --set global.platforms.openshift.scc.nodeExporter=true \
           --set global.platforms.openshift.scc.networkCosts=true \
+          --set global.platforms.openshift.scc.clusterController=true \
           --set networkCosts.enabled=true \
-          --set prometheus.nodeExporter.enabled=true
+          --set clusterController.enabled=true \
+          --set prometheus.nodeExporter.enabled=true 
         # run: ct install --namespace kubecost --chart-dirs=cost-analyzer/ --charts cost-analyzer/
       - name: Wait for ready 
         run: kubectl wait -n kubecost --for=condition=ready pod --selector app.kubernetes.io/name=cost-analyzer --timeout=120s

diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml
@@ -68,7 +68,7 @@ jobs:
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Create KinD cluster
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: v0.23.0
           node_image: kindest/node:v1.28.9

diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@
 .gopath
 .dist
 .manifest
+.kubeconfig
diff --git a/README.md b/README.md
@@ -72,7 +72,7 @@ Parameter | Description | Default
 `ingress.hosts` | Ingress hostnames | `[cost-analyzer.local]`
 `ingress.tls` | Ingress TLS configuration (YAML) | `[]`
 `networkCosts.enabled` | If true, collect network allocation metrics [More info](https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cost-allocation/network-allocation) | `false`
-`networkCosts.podMonitor.enabled` | If true, a [PodMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#podmonitor) for the network-cost daemonset is created | `false`
+`networkCosts.podMonitor.enabled` | If true, a PodMonitor for the network-cost daemonset is created | `false`
 `serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false`
 `serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}`
 `prometheusRule.enabled` | Set this to `true` to create PrometheusRule for Prometheus operator | `false`
@@ -88,14 +88,23 @@ Parameter | Description | Default
 
 ## Adjusting Log Output
 
-The log output can be customized during deployment by using the `LOG_LEVEL` and/or `LOG_FORMAT` environment variables.
+You can adjust the log output by using the `logLevel` Helm value and/or the `LOG_FORMAT` environment variable.
 
 ### Adjusting Log Level
 
-Adjusting the log level increases or decreases the level of verbosity written to the logs. To set the log level to `trace`, the following flag can be added to the `helm` command.
+Adjusting the log level increases or decreases the level of verbosity written to the logs. The `logLevel` property accepts the following values:
+
+* `trace`
+* `debug`
+* `info`
+* `warn`
+* `error`
+* `fatal`
+
+For example, to set the log level to `debug`, add the following flag to the Helm command:
 
 ```sh
---set 'kubecostModel.extraEnv[0].name=LOG_LEVEL,kubecostModel.extraEnv[0].value=trace'
+--set 'kubecostModel.logLevel=debug'
 ```
 
 ### Adjusting Log Format

diff --git a/cost-analyzer/README.md b/cost-analyzer/README.md
@@ -53,7 +53,7 @@ The following table lists commonly used configuration parameters for the Kubecos
 | `ingress.hosts`                                                                    | Ingress hostnames                                                                                                                                            | `[cost-analyzer.local]`                               |
 | `ingress.tls`                                                                      | Ingress TLS configuration (YAML)                                                                                                                             | `[]`                                                  |
 | `networkCosts.enabled`                                                             | If true, collect network allocation metrics [More info](http://docs.kubecost.com/network-allocation)                                                         | `false`                                               |
-| `networkCosts.podMonitor.enabled`                                                  | If true, a [PodMonitor](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#podmonitor) for the network-cost daemonset is created | `false`                                               |
+| `networkCosts.podMonitor.enabled`                                                  | If true, a PodMonitor for the network-cost daemonset is created | `false`                                               |
 | `serviceMonitor.enabled`                                                           | Set this to `true` to create ServiceMonitor for Prometheus operator                                                                                          | `false`                                               |
 | `serviceMonitor.additionalLabels`                                                  | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus                                                                        | `{}`                                                  |
 | `serviceMonitor.relabelings`                                                       | Sets Prometheus metric_relabel_configs on the scrape job                                                                                                     | `[]`                                                  |
@@ -75,14 +75,23 @@ The following table lists commonly used configuration parameters for the Kubecos
 
 ## Adjusting Log Output
 
-The log output can be customized during deployment by using the `LOG_LEVEL` and/or `LOG_FORMAT` environment variables.
+You can adjust the log output by using the `logLevel` Helm value and/or the `LOG_FORMAT` environment variable.
 
 ### Adjusting Log Level
 
-Adjusting the log level increases or decreases the level of verbosity written to the logs. To set the log level to `trace`, the following flag can be added to the `helm` command.
+Adjusting the log level increases or decreases the level of verbosity written to the logs. The `logLevel` property accepts the following values:
+
+* `trace`
+* `debug`
+* `info`
+* `warn`
+* `error`
+* `fatal`
+
+For example, to set the log level to `debug`, add the following flag to the Helm command:
 
 ```sh
---set 'kubecostModel.extraEnv[0].name=LOG_LEVEL,kubecostModel.extraEnv[0].value=trace'
+--set 'kubecostModel.logLevel=debug'
 ```
 
 ### Adjusting Log Format

diff --git a/cost-analyzer/templates/NOTES.txt b/cost-analyzer/templates/NOTES.txt
@@ -10,6 +10,7 @@
 {{- include "prometheusRetentionCheck" . -}}
 {{- include "clusterIDCheck" . -}}
 {{- include "kubeRBACProxyBearerTokenCheck" . -}}
+{{- include "caCertsSecretConfigCheck" . -}}
 
 {{- $servicePort := .Values.service.port | default 9090 }}
 Kubecost {{ .Chart.Version }} has been successfully installed.

diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl
@@ -157,6 +157,15 @@ will result in failure. Users are asked to select one of the two presently-avail
   {{- end -}}
 {{- end -}}
 
+{{/*
+RBAC exclusivity check: make sure either simple RBAC or RBAC Teams is configured, not both
+*/}}
+{{- define "rbacCheck" -}}
+  {{- if and (or (.Values.saml).groups (.Values.oidc).groups) (.Values.teams).teamsConfig  -}}
+    {{- fail "\nSimple RBAC and RBAC Teams are mutually exclusive. Please specify only one." -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Federated Storage source contents check. Either the Secret must be specified or the JSON, not both.
 */}}
@@ -1005,12 +1014,27 @@ Begin Kubecost 2.0 templates
     {{- end }}
     {{- end }}
     {{- end }}
+    {{- if eq (include "rbacTeamsEnabled" .) "true" }}
+    - name: kubecost-rbac-secret
+      mountPath: /var/configs/kubecost-rbac-secret
+    {{- end }}
+    {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+    - name: kubecost-rbac-teams-config
+      mountPath: /var/configs/rbac-teams-configs
+    {{- end }}
     {{- if .Values.global.integrations.postgres.enabled }}
     - name: postgres-creds
       mountPath: /var/configs/integrations/postgres-creds
     - name: postgres-queries
       mountPath: /var/configs/integrations/postgres-queries
     {{- end }}
+    {{- if .Values.global.updateCaTrust.enabled }}
+    - name: ca-certs-secret
+      mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+    - name: ssl-path
+      mountPath: "/etc/pki/ca-trust/extracted"
+      readOnly: false
+    {{- end }}
     {{- /* Only adds extraVolumeMounts if aggregator is running as its own pod */}}
     {{- if and .Values.kubecostAggregator.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }}
     {{- toYaml .Values.kubecostAggregator.extraVolumeMounts | nindent 4 }}
@@ -1154,6 +1178,20 @@ Begin Kubecost 2.0 templates
     - name: OIDC_SKIP_ONLINE_VALIDATION
       value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }}
     {{- end}}
+    {{- if eq (include "rbacTeamsEnabled" .) "true" }}
+    {{- if .Values.oidc.enabled }}
+    - name: OIDC_RBAC_TEAMS_ENABLED
+      value: "true"
+    {{- end }}
+    {{- if .Values.saml.enabled }}
+    - name: SAML_RBAC_TEAMS_ENABLED
+      value: "true"
+    {{- end }}
+    {{- end }}
+    {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+    - name: RBAC_TEAMS_HELM_CONFIG_PATH
+      value: "/var/configs/rbac-teams-configs/rbac-teams-configs.json"
+    {{- end }}
     {{- if .Values.kubecostAggregator }}
     {{- if .Values.kubecostAggregator.collections }}
     {{- if (((.Values.kubecostAggregator).collections).cache) }}
@@ -1195,9 +1233,11 @@ Begin Kubecost 2.0 templates
       value: {{ .Values.saml.redirectURL }}
     {{- end}}
     {{- if .Values.saml.rbac.enabled }}
+    {{- if eq (include "rbacTeamsEnabled" .) "false" }}
     - name: SAML_RBAC_ENABLED
       value: "true"
     {{- end }}
+    {{- end }}
     {{- if and .Values.saml.encryptionCertSecret .Values.saml.decryptionKeySecret }}
     - name: SAML_RESPONSE_ENCRYPTED
       value: "true"
@@ -1288,6 +1328,13 @@ Begin Kubecost 2.0 templates
       name: plugins-config
       readOnly: true
     {{- end }}
+    {{- if .Values.global.updateCaTrust.enabled }}
+    - name: ca-certs-secret
+      mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+    - name: ssl-path
+      mountPath: "/etc/pki/ca-trust/extracted"
+      readOnly: false
+    {{- end }}
   {{- /* Only adds extraVolumeMounts when cloudcosts is running as its own pod */}}
   {{- if and .Values.kubecostAggregator.cloudCost.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }}
     {{- toYaml .Values.kubecostAggregator.cloudCost.extraVolumeMounts | nindent 4 }}
@@ -1343,8 +1390,8 @@ SSO enabled flag for nginx configmap
 {{- end -}}
 
 {{/*
-To use the Kubecost built-in Teams UI RBAC< you must enable SSO and RBAC and not specify any groups.
-Groups is only used when using external RBAC.
+To use the Kubecost built-in RBAC Teams UI, you must enable SSO and RBAC and not specify any groups.
+Groups is only used when using simple RBAC.
 */}}
 {{- define "rbacTeamsEnabled" -}}
   {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}}
@@ -1362,6 +1409,18 @@ Groups is only used when using external RBAC.
   {{- end -}}
 {{- end -}}
 
+{{- define "rbacTeamsConfigEnabled" -}}
+    {{- if  eq (include "rbacTeamsEnabled" .) "true" -}}
+        {{- if or (.Values.teams).teamsConfig  (.Values.teams).teamsConfigMapName -}}
+            {{- printf "true" -}}
+        {{- else -}}
+            {{- printf "false" -}}
+        {{- end }}
+    {{- else -}}
+        {{- printf "false" -}}
+    {{- end }}
+{{- end }}
+
 {{/*
 Backups configured flag for nginx configmap
 */}}
@@ -1447,6 +1506,16 @@ for more information
 {{- end }}
 {{- end }}
 
+{{- define "caCertsSecretConfigCheck" }}
+  {{- if .Values.global.updateCaTrust.enabled }}
+    {{- if and .Values.global.updateCaTrust.caCertsSecret .Values.global.updateCaTrust.caCertsConfig }}
+      {{- fail "Both caCertsSecret and caCertsConfig are defined. Please specify only one." }}
+    {{- else if and (not .Values.global.updateCaTrust.caCertsSecret) (not .Values.global.updateCaTrust.caCertsConfig) }}
+      {{- fail "Neither caCertsSecret nor caCertsConfig is defined, but updateCaTrust is enabled. Please specify one." }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 {{- define "clusterControllerEnabled" }}
 {{- if (.Values.clusterController).enabled }}
 {{- printf "true" -}}

diff --git a/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml b/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml
@@ -124,6 +124,19 @@ spec:
         - name: tmp
           emptyDir: {}
         {{- end }}
+        {{- if .Values.global.updateCaTrust.enabled }}
+        - name: ca-certs-secret
+          {{- if .Values.global.updateCaTrust.caCertsSecret }}
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.global.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.global.updateCaTrust.caCertsConfig }}
+          {{- end }}
+        - name: ssl-path
+          emptyDir: {}
+        {{- end }}
         {{- if .Values.kubecostAggregator.cloudCost.extraVolumes }}
         {{- toYaml .Values.kubecostAggregator.cloudCost.extraVolumes | nindent 8 }}
         {{- end }}
@@ -141,6 +154,34 @@ spec:
           - name: plugins-dir
             mountPath: {{ .Values.kubecostModel.plugins.folder }}
       {{- end }}
+      {{- if .Values.global.updateCaTrust.enabled }}
+      - name: update-ca-trust
+        image: {{ include "cost-model.image" . | trim | quote}}
+        {{- if .Values.kubecostModel.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: Always
+        {{- end }}
+        {{- with .Values.global.updateCaTrust.securityContext }}
+        securityContext: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.global.updateCaTrust.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        command:
+          - 'sh'
+          - '-c'
+          - >
+            mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
+            /usr/bin/update-ca-trust extract;
+        volumeMounts:
+          - name: ca-certs-secret
+            mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+          - name: ssl-path
+            mountPath: "/etc/pki/ca-trust/extracted"
+            readOnly: false
+      {{- end}}
       containers:
         {{- include "aggregator.cloudCost.containerTemplate" . | nindent 8 }}
     {{- if .Values.imagePullSecrets }}

diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml
@@ -164,6 +164,20 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
+        {{- if eq (include "rbacTeamsEnabled" .) "true" }}
+        - name: kubecost-rbac-secret
+          secret:
+            secretName: kubecost-rbac-secret
+        {{- end }}
+        {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+        - name: kubecost-rbac-teams-config
+          configMap:
+        {{- if .Values.teams.teamsConfigMapName }}
+            name: {{ .Values.teams.teamsConfigMapName }}
+        {{- else }}
+            name: kubecost-rbac-teams-config
+        {{- end }}
+        {{- end }}
         {{- if .Values.global.integrations.postgres.enabled }}
         - name: postgres-creds
           secret:
@@ -181,9 +195,51 @@ spec:
           secret:
             secretName: kubecost-integrations-turbonomic
         {{- end }}
+        {{- if .Values.global.updateCaTrust.enabled }}
+        - name: ca-certs-secret
+          {{- if .Values.global.updateCaTrust.caCertsSecret }}
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.global.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.global.updateCaTrust.caCertsConfig }}
+          {{- end }}
+        - name: ssl-path
+          emptyDir: {}
+        {{- end }}
         {{- if .Values.kubecostAggregator.extraVolumes }}
         {{- toYaml .Values.kubecostAggregator.extraVolumes | nindent 8 }}
         {{- end }}
+      initContainers:
+      {{- if .Values.global.updateCaTrust.enabled }}
+        - name: update-ca-trust
+          image: {{ include "cost-model.image" . | trim | quote}}
+          {{- if .Values.kubecostModel.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
+          {{- else }}
+          imagePullPolicy: Always
+          {{- end }}
+          {{- with .Values.global.updateCaTrust.securityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.global.updateCaTrust.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          command:
+            - 'sh'
+            - '-c'
+            - >
+              mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
+              /usr/bin/update-ca-trust extract;
+          volumeMounts:
+            - name: ca-certs-secret
+              mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+            - name: ssl-path
+              mountPath: "/etc/pki/ca-trust/extracted"
+              readOnly: false
+        {{- end}}
       containers:
         {{- include "aggregator.containerTemplate" . | nindent 8 }}
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,3 +4,4 @@ @@
     .gopath
     .dist
     .manifest
+    .kubeconfig