Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add helm values for cluster controller primary access from secondary #3784

Merged
merged 11 commits into from
Feb 5, 2025
Merged

add helm values for cluster controller primary access from secondary #3784

merged 11 commits into from
Feb 5, 2025

Conversation

cliffcolvin
Copy link
Member

@cliffcolvin cliffcolvin commented Dec 18, 2024
edited by mittal-ishaan
Loading

Signed-off-by: Cliff Colvin [email protected]

What does this PR change?

Adds the ability to set primary cluster aggregator url, and define a service token/api key for access.

Does this PR rely on any other PRs?

NA

How does this PR impact users? (This is the kind of thing that goes in release notes!)

Adds ability to define url and api key for cluster-controller primary access

Links to Issues or tickets this PR addresses or fixes

What risks are associated with merging this PR? What is required to fully test this PR?

NA

How was this PR tested?

qa-eks3 for last few months

helm template from values:

clusterController:
  enabled: true
  primaryKubecostURL: "https://kubecost.myorg.com"
  kubecostAPIKey: "123"

give us:

# Source: cost-analyzer/templates/kubecost-cluster-controller-template.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cost-analyzer-cluster-controller
  namespace: default
  ...
spec:
  ...
      containers:
      - name: cost-analyzer-cluster-controller
        image: gcr.io/kubecost1/cluster-controller:v0.16.12
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - name: cluster-controller-keys
          mountPath: /var/keys
        env:
         ...
        - name: CC_LOG_LEVEL
          value: info
        - name: CC_KUBESCALER_COST_MODEL_PATH
          value: https://kubecost.myorg.com/model
        - name: CC_CCL_COST_MODEL_PATH
          value: https://kubecost.myorg.com/model
        - name: KUBECOST_API_KEY
          valueFrom:
            secretKeyRef:
              name: controller-secrets
              key: kubecostAPIKey
        ...
      volumes:
      - name: cluster-controller-keys
        secret:
          secretName: controller-secrets
          # The secret is optional because not all of cluster controller's
          # functionality requires this secret. Cluster controller will
          # partially or fully initialize based on the presence of these keys
          # and their validity.
          optional: true
---
# Source: cost-analyzer/templates/controller-secrets.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: controller-secrets
  namespace: default
  labels:
    app.kubernetes.io/name: cost-analyzer
    helm.sh/chart: cost-analyzer-2.3.3
    app.kubernetes.io/instance: cost-analyzer
    app.kubernetes.io/managed-by: Helm
    app: cost-analyzer
data:
  kubecostAPIKey: MTIz #base64 of api key 123

Have you made an update to documentation? If so, please provide the corresponding PR.

v2.6

thomasvn
thomasvn reviewed Feb 5, 2025
View reviewed changes
cost-analyzer/values.yaml Outdated Show resolved Hide resolved
@thomasvn
Copy link
Member

thomasvn commented Feb 5, 2025

@mittal-ishaan I've made some modifications. I removed the net new controller-secret.yaml and instead created the secret within the kubecost-cluster-controller-template.yaml.

@thomasvn
Copy link
Member

thomasvn commented Feb 5, 2025

@mittal-ishaan I am seeing similar results when running the following test:

clusterController:
  enabled: true
  primaryKubecostURL: "https://kubecost.myorganization.com"
  kubecostAPIKey: "1234"
helm template . -f values-thomas.yaml --show-only templates/kubecost-cluster-controller-template.yaml

Additionally, I've validated that the secret is only created when primaryKubecostURL exists:

# primaryKubecostURL is set
$ helm template . -f values-thomas.yaml --show-only templates/kubecost-cluster-controller-template.yaml | grep "kind"
kind: ServiceAccount
kind: Secret
kind: ClusterRole
kind: ClusterRoleBinding
  kind: ClusterRole
  - kind: ServiceAccount
kind: Service
kind: Deployment

# primaryKubecostURL="" and kubecostAPIKey=""
helm template . -f values-thomas.yaml --show-only templates/kubecost-cluster-controller-template.yaml | grep "kind"
kind: ServiceAccount
kind: ClusterRole
kind: ClusterRoleBinding
  kind: ClusterRole
  - kind: ServiceAccount
kind: Service
kind: Deployment

thomasvn
thomasvn approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@thomasvn thomasvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm approving. @mittal-ishaan Please merge if my changes look good here.

@mittal-ishaan mittal-ishaan merged commit 7a70100 into develop Feb 5, 2025
19 checks passed
@mittal-ishaan mittal-ishaan deleted the add-api-key branch February 5, 2025 21:48
@mittal-ishaan
Copy link
Collaborator

/cherry-pick v2.6

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Feb 5, 2025
@cliffcolvin @jessegoodier
@thomasvn @mittal-ishaan
add helm values for cluster controller primary access from secondary (#…
eb1e2db 
…3784)

* add helm values for cluster controller primary access from secondary
Signed-off-by: Cliff Colvin <[email protected]>

* make secret
Signed-off-by: Cliff Colvin <[email protected]>

* controller secret creation logic

* Apply suggestions from code review

Co-authored-by: Thomas Nguyen <[email protected]>

* nit fix

* add lycheeignore url

* Move controller-secrets.yaml into the main kubecost-cluster-controller-template.yaml

---------

Co-authored-by: jesse goodier <[email protected]>
Co-authored-by: Thomas Nguyen <[email protected]>
Co-authored-by: Ishaan Mittal <[email protected]>
Co-authored-by: thomasvn <[email protected]>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Feb 5, 2025
Merged
thomasvn added a commit that referenced this pull request Feb 5, 2025
@gcp-cherry-pick-bot @cliffcolvin
@jessegoodier @thomasvn @mittal-ishaan
add helm values for cluster controller primary access from secondary (#…
75c15db 
…3784) (#3844)

* add helm values for cluster controller primary access from secondary


* make secret


* controller secret creation logic

* Apply suggestions from code review



* nit fix

* add lycheeignore url

* Move controller-secrets.yaml into the main kubecost-cluster-controller-template.yaml

---------

Co-authored-by: Cliff Colvin <[email protected]>
Co-authored-by: jesse goodier <[email protected]>
Co-authored-by: Thomas Nguyen <[email protected]>
Co-authored-by: Ishaan Mittal <[email protected]>
Co-authored-by: thomasvn <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomasvn thomasvn thomasvn approved these changes

@mittal-ishaan mittal-ishaan mittal-ishaan approved these changes

@nickcurie nickcurie Awaiting requested review from nickcurie

Assignees
No one assigned
Labels
needs cherry-pick v2.6
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cliffcolvin @thomasvn @mittal-ishaan @jessegoodier