Add sanity check for cloudIntegrationSecret

[chipzoller]

Signed-off-by: chipzoller chipzoller@gmail.com

What does this PR change?

Adds a sanity check that the cloudIntegrationSecret, when defined, both exists and has a key with the name cloud-integration.json or else fails the chart installation. This is done to prevent users from naming Secrets which don't yet exist and ensure that those Secrets have a key the chart expects. Without both, Kubecost will not be able to come into a healthy, running state.

This also fixes a bug with the name of the volume holding said cloudIntegration secret enabling secrets with a custom name to be properly mounted.

Does this PR rely on any other PRs?

No

How does this PR impact users? (This is the kind of thing that goes in release notes!)

Provides a better user experience in that the chart fails and provides feedback to users rather than succeeding in installation only to fail when running.

Links to Issues or tickets this PR addresses or fixes

Fixes #3046

What risks are associated with merging this PR? What is required to fully test this PR?

The check could be wrong or it could somehow impact installations where the cloudIntegrationSecret was not specified. It could potentially impact users who use tools or generate manifests from helm template although this behavior was tested locally and in CI.

How was this PR tested?

Various Helm templating and installation scenarios. This check should only be invoked when a "real" connection to a K8s cluster exists and not when using helm template with or without --dry-run=server.

Attempting to install when the Secret does not exist

$ yq e .kubecostProductConfigs.cloudIntegrationSecret cost-analyzer/values.yaml 
mycustomsecret

$ k -n default get secret
No resources found in default namespace.

$ helm install kubecost -n default cost-analyzer/
Error: execution error at (cost-analyzer/templates/NOTES.txt:4:4): The cloud integration secret 'mycustomsecret' does not exist or does not contain the expected key 'cloud-integration.json'

Attempting to install when the Secret exists but the cloud-integration.json key does not

$ yq e .kubecostProductConfigs.cloudIntegrationSecret cost-analyzer/values.yaml 
mycustomsecret

$ k -n default get secret mycustomsecret -o yaml | yq .data
foo: YmFy

$ helm install kubecost -n default cost-analyzer/
Error: execution error at (cost-analyzer/templates/NOTES.txt:4:4): The cloud integration secret 'mycustomsecret' does not exist or does not contain the expected key 'cloud-integration.json'

Attempting to install when the Secret exists and does contain the key cloud-integration.json

$ yq e .kubecostProductConfigs.cloudIntegrationSecret cost-analyzer/values.yaml 
mycustomsecret

$ k -n default get secret mycustomsecret -o yaml | yq .data
cloud-integration.json: YmFy

$ helm install kubecost -n default cost-analyzer/
NAME: kubecost
LAST DEPLOYED: Thu Feb  1 10:28:03 2024
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
--------------------------------------------------
Kubecost 2.0.0 has been successfully installed.

Welcome to Kubecost 2.0!

Kubecost 2.0 is a major upgrade from previous versions and includes major new features including a brand new API Backend. Please review the following documentation to ensure a smooth transition: https://docs.kubecost.com/install-and-configure/install/kubecostv2

For the full list of enhancements, please see our release notes: https://github.com/kubecost/cost-analyzer-helm-chart/releases/tag/v2.0.0

When pods are Ready, you can enable port-forwarding with the following command:

    kubectl port-forward --namespace default deployment/kubecost-cost-analyzer 9090

Then, navigate to http://localhost:9090 in a web browser.

Please allow 25 minutes for Kubecost to gather metrics. A progress indicator will appear at the top of the UI.

Having installation issues? View our Troubleshooting Guide at http://docs.kubecost.com/troubleshoot-install

Have you made an update to documentation? If so, please provide the corresponding PR.

N/A

[thomasvn]

Looks great, thanks for the UX improvement here!

[thomasvn]

In order to get CI working, should we remove the cloud integration secret from the following files? https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer/ci

[chipzoller]

The problem here is that the templatization will always fail if a cluster connection cannot be made (--dry-run=server) AND if the Secret is not present. This poses a couple problems in that CI will have to spin up a cluster first (not a big deal), but users who rely on templating the chart to render manifests will also have to adopt a similar practice.

Open to suggestions here but by attempting to improve UX comes with a cost for those users who define this value.

[chipzoller]

I think might have found a neat trick/workaround. By using the Capabilities call, this will implicitly only work when connected to a real cluster; otherwise it uses the local client's stored API versions.

[chipzoller]

Updated initial post with new results.

[michaelmdresser]

This is awesome, thanks Chip

[chipzoller]

I'm going to go ahead and merge this since it seems there have been enough eyes on it. Thanks to everyone.

[chipzoller]

/cherry-pick v2.0