Merge pull request #229 from mittal-ishaan/openshift_in_cluster_prom

Add kubeRBACProxy property to support querying in cluster prometheus in openshift
opencost · Dec 23, 2024 · 9911dbc · 9911dbc
2 parents 2485c35 + 2d48654
commit 9911dbc
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 1 deletion.
diff --git a/charts/opencost/Chart.yaml b/charts/opencost/Chart.yaml
@@ -9,7 +9,7 @@ keywords:
   - finops
   - monitoring
   - opencost
-version: 1.42.3
+version: 1.43.0
 maintainers:
   - name: mattray
     url: https://mattray.dev

diff --git a/charts/opencost/templates/_helpers.tpl b/charts/opencost/templates/_helpers.tpl
@@ -120,6 +120,15 @@ Check that either thanos external or internal is defined
   {{- end -}}
 {{- end -}}
 
+{{/*
+  Fail if both kube-rbac-proxy and bearer token are set
+*/}}
+{{- define "kubeRBACProxyBearerTokenCheck" -}}
+{{- if and .Values.opencost.prometheus.kubeRBACProxy .Values.opencost.prometheus.bearer_token }}
+  {{- fail "Both kubeRBACProxy and bearer_token are set. Please specify only one." -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Check that the config is valid
 */}}

diff --git a/charts/opencost/templates/clusterrolebinding.yaml b/charts/opencost/templates/clusterrolebinding.yaml
@@ -15,4 +15,27 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "opencost.serviceAccountName" . }}
     namespace: {{ include "opencost.namespace" . }}
+---
 {{- end }}
+{{- if .Values.opencost.prometheus.createMonitoringClusterRoleBinding }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "opencost.fullname" . }}-operator
+  labels: {{- include "opencost.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  # Grant the OpenCost ServiceAccount the cluster-monitoring-view role to enable it to query a KUBE_RBAC_PROXY enabled Prometheus.
+  # This is necessary for OpenCost to get access and query the in-cluster Prometheus instance using its service account token.
+  # https://docs.redhat.com/en/documentation/openshift_container_platform/4.2/html/monitoring/cluster-monitoring#monitoring-accessing-prometheus-alerting-ui-grafana-using-the-web-console_accessing-prometheus
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-monitoring-view
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "opencost.serviceAccountName" . }}
+    namespace: {{ include "opencost.namespace" . }}
+{{- end }}
+---
diff --git a/charts/opencost/templates/deployment.yaml b/charts/opencost/templates/deployment.yaml
@@ -1,4 +1,5 @@
 {{- include  "isPrometheusConfigValid" . }}
+{{- include  "kubeRBACProxyBearerTokenCheck" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -166,6 +167,10 @@ spec:
                   name: {{ .Values.opencost.prometheus.existingSecretName | default (include "opencost.prometheus.secretname" .) }}
                   key: {{ .Values.opencost.prometheus.bearer_token_key }}
             {{- end }}
+            {{- if .Values.opencost.prometheus.kubeRBACProxy }}
+            - name: KUBE_RBAC_PROXY_ENABLED
+              value: {{ (quote .Values.opencost.prometheus.kubeRBACProxy) }}
+            {{- end }}
             {{- if and .Values.opencost.exporter.persistence.enabled .Values.opencost.exporter.csv_path }}
             - name: EXPORT_CSV_FILE
               value: {{ .Values.opencost.exporter.csv_path | quote }}

diff --git a/charts/opencost/templates/monitoring-role-binding-template.yaml b/charts/opencost/templates/monitoring-role-binding-template.yaml
@@ -0,0 +1,15 @@
+{{- if (.Values.opencost.prometheus.createMonitoringResourceReaderRoleBinding) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: {{ include "opencost.namespace" . }}
+  name: {{ include "opencost.fullname" . }}-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.opencost.prometheus.monitoringServiceAccountName | quote }}
+  namespace: {{ .Values.opencost.prometheus.monitoringServiceAccountNamespace | quote }}
+roleRef:
+  kind: Role
+  name: {{ include "opencost.fullname" . }}-reader
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
diff --git a/charts/opencost/templates/monitoring-role-template.yaml b/charts/opencost/templates/monitoring-role-template.yaml
@@ -0,0 +1,17 @@
+{{- if (.Values.opencost.prometheus.createMonitoringResourceReaderRoleBinding) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ include "opencost.namespace" . }}
+  name: {{ include "opencost.fullname" . }}-reader
+rules:
+  - apiGroups: 
+      - ''
+    resources:
+      - "pods"
+      - "services"
+      - "endpoints"
+    verbs:
+      - list
+      - watch
+{{- end -}}
diff --git a/charts/opencost/values.yaml b/charts/opencost/values.yaml
@@ -333,6 +333,17 @@ opencost:
     # -- Prometheus Bearer token
     bearer_token: ""
     bearer_token_key: DB_BEARER_TOKEN
+    # -- If true, opencost will use kube-rbac-proxy to authenticate with in cluster Prometheus for openshift
+    kubeRBACProxy: false
+    # OPTIONAL. The following configs only to be enabled when using a Prometheus instance already installed in the cluster.
+    # -- If true, the helm chart will create a ClusterRoleBinding to grant the OpenCost ServiceAccount access to query Prometheus.
+    createMonitoringClusterRoleBinding: false
+    # -- If true, create a Role and RoleBinding to allow Prometheus to list and watch OpenCost resources.
+    createMonitoringResourceReaderRoleBinding: false
+    # -- Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+    monitoringServiceAccountName: prometheus-k8s
+    # -- Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+    monitoringServiceAccountNamespace: openshift-monitoring
     external:
       # -- Use external Prometheus (eg. Grafana Cloud)
       enabled: false