Merge branch 'main' into unit-tests

Signed-off-by: Don O'Neill <[email protected]>
opencost · Oct 27, 2023 · 9fb298d · 9fb298d
2 parents d3ebe41 + c32332b
commit 9fb298d
Show file tree

Hide file tree

Showing 10 changed files with 170 additions and 25 deletions.
diff --git a/charts/opencost/Chart.yaml b/charts/opencost/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.106.1
+appVersion: 1.106.4
 name: opencost
 description: OpenCost and OpenCost UI
 type: application
@@ -9,8 +9,9 @@ keywords:
   - kubecost
   - opencost
   - monitoring
-version: 1.20.0
+version: 1.22.1
 maintainers:
   - name: mattray
     url: https://mattray.dev
   - name: toscott
+home: https://github.com/opencost/opencost-helm-chart
diff --git a/charts/opencost/README.md b/charts/opencost/README.md
@@ -2,9 +2,9 @@
 
 OpenCost and OpenCost UI
 
-![Version: 1.20.0](https://img.shields.io/badge/Version-1.20.0-informational?style=flat-square)
+![Version: 1.22.1](https://img.shields.io/badge/Version-1.22.1-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
-![AppVersion: 1.106.1](https://img.shields.io/badge/AppVersion-1.106.1-informational?style=flat-square)
+![AppVersion: 1.106.4](https://img.shields.io/badge/AppVersion-1.106.4-informational?style=flat-square)
 
 ## Maintainers
 
@@ -71,7 +71,10 @@ $ helm install opencost opencost/opencost
 | opencost.metrics.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion |
 | opencost.metrics.serviceMonitor.namespace | string | `""` | Specify if the ServiceMonitor will be deployed into a different namespace (blank deploys into same namespace as chart) |
 | opencost.metrics.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields |
+| opencost.metrics.serviceMonitor.scheme | string | `"http"` | HTTP scheme used for scraping. Defaults to `http` |
 | opencost.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | Interval at which metrics should be scraped |
+| opencost.metrics.serviceMonitor.scrapeTimeout | string | `"10s"` | Timeout after which the scrape is ended |
+| opencost.metrics.serviceMonitor.tlsConfig | object | `{}` | TLS configuration for scraping metrics |
 | opencost.nodeSelector | object | `{}` | Node labels for pod assignment |
 | opencost.prometheus.bearer_token | string | `""` | Prometheus Bearer token |
 | opencost.prometheus.bearer_token_key | string | `"DB_BEARER_TOKEN"` |  |

diff --git a/charts/opencost/templates/_helpers.tpl b/charts/opencost/templates/_helpers.tpl
@@ -83,36 +83,43 @@ Create the name of the controller service account to use
 {{- define "opencost.prometheusServerEndpoint" -}}
   {{- if .Values.opencost.prometheus.external.enabled -}}
     {{ tpl .Values.opencost.prometheus.external.url . }}
+  {{- else if (and .Values.opencost.prometheus.amp.enabled .Values.opencost.sigV4Proxy) -}}
+    {{- $port := .Values.opencost.sigV4Proxy.port | int }}
+    {{- $ws := .Values.opencost.prometheus.amp.workspaceId }}
+    {{- printf "http://localhost:%d/workspaces/%v" $port $ws -}}
   {{- else -}}
     {{- $host := tpl .Values.opencost.prometheus.internal.serviceName . }}
     {{- $ns := tpl .Values.opencost.prometheus.internal.namespaceName . }}
     {{- $port := .Values.opencost.prometheus.internal.port | int }}
-    {{- printf "http://%s.%s.svc:%d" $host $ns $port -}}
+    {{- printf "http://%s.%s.svc.cluster.local:%d" $host $ns $port -}}
   {{- end -}}
 {{- end -}}
 
-
+{{/*
+Check that either thanos external or internal is defined
+*/}}
 {{- define "opencost.thanosServerEndpoint" -}}
   {{- if .Values.opencost.prometheus.thanos.external.enabled -}}
     {{ .Values.opencost.prometheus.thanos.external.url }}
   {{- else -}}
     {{- $host := .Values.opencost.prometheus.thanos.internal.serviceName }}
     {{- $ns := .Values.opencost.prometheus.thanos.internal.namespaceName }}
     {{- $port := .Values.opencost.prometheus.thanos.internal.port | int }}
-    {{- printf "http://%s.%s.svc:%d" $host $ns $port -}}
+    {{- printf "http://%s.%s.svc.cluster.local:%d" $host $ns $port -}}
   {{- end -}}
 {{- end -}}
 
 {{/*
-Check that either prometheus external or internal is defined
+Check that the config is valid
 */}}
 {{- define "isPrometheusConfigValid" -}}
-  {{- if and .Values.opencost.prometheus.external.enabled .Values.opencost.prometheus.internal.enabled -}}
-    {{- fail "Only use one of the prometheus setups, internal or external" -}}
+  {{- $prometheusModes := add .Values.opencost.prometheus.external.enabled .Values.opencost.prometheus.internal.enabled .Values.opencost.prometheus.amp.enabled | int }}
+  {{- if gt $prometheusModes 1 -}}
+    {{- fail "Only use one of the prometheus setups: internal, external, or amp" -}}
   {{- end -}}
   {{- if .Values.opencost.prometheus.thanos.enabled -}}
     {{- if and .Values.opencost.prometheus.thanos.external.enabled .Values.opencost.prometheus.thanos.internal.enabled -}}
-      {{- fail "Only use one of the thanos setups, internal or external" -}}
+      {{- fail "Only use one of the thanos setups: internal or external" -}}
     {{- end -}}
   {{- end -}}
 {{- end -}}
diff --git a/charts/opencost/templates/deployment.yaml b/charts/opencost/templates/deployment.yaml
@@ -11,11 +11,7 @@ spec:
   replicas: {{ .Values.opencost.exporter.replicas }}
   selector:
     matchLabels: {{- include "opencost.selectorLabels" . | nindent 6 }}
-  strategy:
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
-    type: RollingUpdate
+  strategy: {{ toYaml .Values.updateStrategy | nindent 4 }}
   template:
     metadata:
       labels:
@@ -53,6 +49,10 @@ spec:
         - name: {{ include "opencost.fullname" . }}
           image: "{{ .Values.opencost.exporter.image.registry }}/{{ .Values.opencost.exporter.image.repository }}:{{ .Values.opencost.exporter.image.tag | default (printf "prod-%s" .Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.opencost.exporter.image.pullPolicy }}
+          args:
+          {{- range .Values.opencost.exporter.extraArgs }}
+          - --{{ . }}
+          {{- end }}
           ports:
             - containerPort: 9003
               name: http
@@ -83,7 +83,10 @@ spec:
               value: {{ include "opencost.prometheusServerEndpoint" . | quote }}
             {{- if .Values.opencost.exporter.cloudProviderApiKey }}
             - name: CLOUD_PROVIDER_API_KEY
-              value: {{ .Values.opencost.exporter.cloudProviderApiKey | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "opencost.prometheus.secretname" . }}
+                  key: CLOUD_PROVIDER_API_KEY
             {{- end }}
             - name: CLUSTER_ID
               value: {{ .Values.opencost.exporter.defaultClusterId | quote }}
@@ -201,6 +204,42 @@ spec:
           volumeMounts: {{- toYaml . | nindent 12 }}
           {{- end }}
         {{- end }}
+        {{- with .Values.opencost.extraContainers }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if and .Values.opencost.prometheus.amp.enabled .Values.opencost.sigV4Proxy }}
+        - name: sigv4proxy
+          image: {{ .Values.opencost.sigV4Proxy.image }}
+          imagePullPolicy: {{ .Values.opencost.sigV4Proxy.imagePullPolicy }}
+          args:
+          - --name
+          - {{ .Values.opencost.sigV4Proxy.name }}
+          - --region
+          - {{ .Values.opencost.sigV4Proxy.region }}
+          - --host
+          - {{ .Values.opencost.sigV4Proxy.host }}
+          {{- if .Values.opencost.sigV4Proxy.role_arn }}
+          - --role-arn
+          - {{ .Values.opencost.sigV4Proxy.role_arn }}
+          {{- end }}
+          - --port
+          - :{{ .Values.opencost.sigV4Proxy.port }}
+          ports:
+          - name: aws-sigv4-proxy
+            containerPort: {{ .Values.opencost.sigV4Proxy.port | int }}
+          {{- with .Values.opencost.sigV4Proxy.extraEnv }}
+          env:
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- with .Values.opencost.sigV4Proxy.resources }}
+          resources:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.opencost.sigV4Proxy.securityContext }}
+          securityContext:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- end }}
       {{- if or .Values.opencost.exporter.persistence.enabled .Values.extraVolumes .Values.opencost.customPricing.enabled}}
       volumes:
         {{- if .Values.opencost.customPricing.enabled }}

diff --git a/charts/opencost/templates/ingress.yaml b/charts/opencost/templates/ingress.yaml
@@ -33,7 +33,7 @@ spec:
               service:
                 name: {{ include "opencost.fullname" $ }}
                 port:
-                  name: http-ui
-          {{- end }}
-    {{- end }}
-{{- end }}
+                  name: {{ $.Values.opencost.ui.ingress.servicePort }}
+        {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/opencost/templates/secret.yaml b/charts/opencost/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.opencost.prometheus.username .Values.opencost.prometheus.password .Values.opencost.prometheus.bearer_token .Values.opencost.exporter.aws.access_key_id }}
+{{- if or .Values.opencost.prometheus.username .Values.opencost.prometheus.password .Values.opencost.prometheus.bearer_token .Values.opencost.exporter.aws.access_key_id .Values.opencost.exporter.cloudProviderApiKey }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -23,4 +23,7 @@ data:
   {{- if .Values.opencost.exporter.aws.access_key_id }}
   AWS_SECRET_ACCESS_KEY: {{ .Values.opencost.exporter.aws.secret_access_key | b64enc | quote }}
   {{- end }}
+  {{- if .Values.opencost.exporter.cloudProviderApiKey }}
+  CLOUD_PROVIDER_API_KEY: {{ .Values.opencost.exporter.cloudProviderApiKey | b64enc | quote }}
+  {{- end }}
 {{- end }}
diff --git a/charts/opencost/templates/service.yaml b/charts/opencost/templates/service.yaml
@@ -23,4 +23,7 @@ spec:
       port: 9090
       targetPort: 9090
     {{- end }}
-{{- end }}
+    {{- with .Values.service.extraPorts }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/charts/opencost/templates/servicemonitor.yaml b/charts/opencost/templates/servicemonitor.yaml
@@ -14,7 +14,7 @@ metadata:
 spec:
   endpoints:
     - port: http
-      scheme: http
+      scheme: {{ .Values.opencost.metrics.serviceMonitor.scheme }}
       path: /metrics
       interval: {{ .Values.opencost.metrics.serviceMonitor.scrapeInterval }}
       scrapeTimeout: {{ .Values.opencost.metrics.serviceMonitor.scrapeTimeout }}
@@ -27,6 +27,13 @@ spec:
       {{- with .Values.opencost.metrics.serviceMonitor.metricRelabelings }}
       metricRelabelings: {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.opencost.metrics.serviceMonitor.extraEndpoints }}
+      {{- toYaml . | nindent 4 }}
+      {{- end }}
+      {{- with .Values.opencost.metrics.serviceMonitor.tlsConfig }}
+      tlsConfig:
+      {{- toYaml . | nindent 8}}
+      {{- end }}
   selector:
     matchLabels: {{- include "opencost.selectorLabels" . | nindent 6 }}
   namespaceSelector:

diff --git a/charts/opencost/values.yaml b/charts/opencost/values.yaml
@@ -18,6 +18,12 @@ serviceAccount:
   # -- Whether pods running as this service account should have an API token automatically mounted
   automountServiceAccountToken: true
 
+# --  Strategy to be used for the Deployment
+updateStrategy:
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 1
+  type: RollingUpdate
 # --  Annotations to add to the all the resources
 annotations: {}
 # --  Annotations to add to the OpenCost Pod
@@ -41,6 +47,14 @@ service:
   labels: {}
   # --  Kubernetes Service type
   type: ClusterIP
+  # -- extra ports.  Useful for sidecar pods such as oauth-proxy
+  extraPorts: []
+    # - name: oauth-proxy
+    #   port: 8081
+    #   targetPort: 8081
+    # - name: oauth-metrics
+    #   port: 8082
+    #   targetPort: 8082
 
 # Create cluster role policies
 rbac:
@@ -62,6 +76,8 @@ opencost:
       tag: ""
       # -- Exporter container image pull policy
       pullPolicy: IfNotPresent
+    # -- List of extra arguments for the command, e.g.: log-format=json
+    extraArgs: []
     # -- Number of OpenCost replicas to run
     replicas: 1
     resources:
@@ -169,6 +185,18 @@ opencost:
       relabelings: []
       # -- MetricRelabelConfigs to apply to samples before ingestion
       metricRelabelings: []
+      # -- extra Endpoints to add to the ServiceMonitor.  Useful for scraping sidecars
+      extraEndpoints: []
+        # - port: oauth-metrics
+        #   path: /metrics
+      # -- HTTP scheme used for scraping. Defaults to `http`
+      scheme: http
+      # -- TLS configuration for scraping metrics
+      tlsConfig: {}
+        # caFile: /etc/prom-certs/root-cert.pem
+        # certFile: /etc/prom-certs/cert-chain.pem
+        # insecureSkipVerify: true
+        # keyFile: /etc/prom-certs/key.pem
 
   prometheus:
     # -- Secret name that contains credentials for Prometheus
@@ -198,6 +226,11 @@ opencost:
       namespaceName: opencost
       # -- Service port of in-cluster Prometheus
       port: 9090
+    amp:
+      # -- Use Amazon Managed Service for Prometheus (AMP)
+      enabled: false  # If true, opencost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
+      # -- Workspace ID for AMP
+      workspaceId: ""
     thanos:
       enabled: false
       queryOffset: ''
@@ -279,11 +312,42 @@ opencost:
         - host: example.local
           paths:
             - /
+      # -- Redirect ingress to an extraPort defined on the service such as oauth-proxy
+      servicePort: http-ui
+      # servicePort: oauth-proxy
       # -- Ingress TLS configuration
       tls: []
         #  - secretName: chart-example-tls
         #    hosts:
         #      - chart-example.local
+
+  sigV4Proxy:
+    image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest
+    imagePullPolicy: IfNotPresent
+    name: aps
+    port: 8005
+    region: us-west-2 # The AWS region
+    host: aps-workspaces.us-west-2.amazonaws.com # The hostname for AMP service.
+    # role_arn: arn:aws:iam::<account>:role/role-name # The AWS IAM role to assume.
+    extraEnv: # Pass extra env variables to sigV4Proxy
+    # - name: AWS_ACCESS_KEY_ID
+    #   value: <access_key>
+    # - name: AWS_SECRET_ACCESS_KEY
+    #   value: <secret_key>
+    resources: {}
+      # limits:
+      #   cpu: 200m
+      #   memory: 500Mi
+      # requests:
+      #   cpu: 20m
+      #   memory: 32Mi
+    securityContext: {}
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 65534
   # -- Toleration labels for pod assignment
   tolerations: []
   # -- Node labels for pod assignment
@@ -293,5 +357,23 @@ opencost:
   # -- Assign custom TopologySpreadConstraints rules
   topologySpreadConstraints: []
 
+  # -- extra sidecars to add to the pod.  Useful for things like oauth-proxy for the UI
+  extraContainers: []
+    # - name: oauth-proxy
+    #   image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+    #   args:
+    #     - --upstream=http://127.0.0.1:9090
+    #     - --http-address=0.0.0.0:8081
+    #     - --metrics-address=0.0.0.0:8082
+    #     - ...
+    #   ports:
+    #     - name: oauth-proxy
+    #       containerPort: 8081
+    #       protocol: TCP
+    #     - name: oauth-metrics
+    #       containerPort: 8082
+    #       protocol: TCP
+    #   resources: {}
+
 # -- A list of volumes to be added to the pod
 extraVolumes: []
diff --git a/examples/dashboard/kube-prometheus-stack-opencost-dashboard.json b/examples/dashboard/kube-prometheus-stack-opencost-dashboard.json
@@ -2658,7 +2658,7 @@
     "refresh_intervals": ["5s", "10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"]
   },
   "timezone": "",
-  "title": "Opencost Dashboard",
+  "title": "OpenCost Dashboard",
   "uid": "fARuElT4z",
   "version": 30,
   "weekStart": ""