fix openshift values to default with in-cluster prometheus (#3721)

* fix openshift values to default with in-cluster prometheus * improve openshift values example and make default values as one source of truth
kubecost · Nov 26, 2024 · 44cb68f · 44cb68f
1 parent a4e421e
commit 44cb68f
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 33 deletions.
diff --git a/cost-analyzer/templates/cost-analyzer-cluster-role-binding-template.yaml b/cost-analyzer/templates/cost-analyzer-cluster-role-binding-template.yaml
@@ -43,6 +43,9 @@ metadata:
   labels:
     {{ include "cost-analyzer.commonLabels" . | nindent 4 }}
 roleRef:
+  # Grant the kubecost service account the cluster-monitoring-view role to enable it to query OpenShift Prometheus.
+  # This is necessary for Kubecost to get access and query the in-cluster Prometheus instance using its service account token.
+  # https://docs.redhat.com/en/documentation/openshift_container_platform/4.2/html/monitoring/cluster-monitoring#monitoring-accessing-prometheus-alerting-ui-grafana-using-the-web-console_accessing-prometheus
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-monitoring-view

diff --git a/cost-analyzer/templates/monitoring-role-binding-template.yaml b/cost-analyzer/templates/monitoring-role-binding-template.yaml
@@ -8,7 +8,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.global.platforms.openshift.monitoringServiceAccountName | quote }}
-  namespace: openshift-monitoring
+  namespace: {{ .Values.global.platforms.openshift.monitoringServiceAccountNamespace | quote }}
 roleRef:
   kind: Role
   name: {{ template "cost-analyzer.fullname" . }}-reader

diff --git a/cost-analyzer/values-openshift-cluster-prometheus.yaml b/cost-analyzer/values-openshift-cluster-prometheus.yaml
@@ -0,0 +1,26 @@
+# This Helm values file is a modified version of `values-openshift.yaml`.
+# The primary difference is that this file is configured to disable the Kubecost-bundled Prometheus, and instead leverage the Prometheus instance that is typically pre-installed in OpenShift clusters.
+global:
+  prometheus:
+    enabled: false  # Kubecost depends on Prometheus data, it is not optional. When enabled: false, Prometheus will not be installed and you must configure your in-cluster Prometheus to scrape kubecost as well as provide the fqdn below. -- Warning: Before changing using this setting, please read to understand the risks https://docs.kubecost.com/install-and-configure/install/custom-prom
+    fqdn: https://prometheus-k8s.openshift-monitoring.svc.cluster.local:9091  # example address of a Prometheus to connect to. Include protocol (http:// or https://) Ignored if enabled: true
+    kubeRBACProxy: true # If true, kubecost will use kube-rbac-proxy to authenticate with in cluster Prometheus for openshift
+  grafana:
+    enabled: false  # If false, Grafana will not be installed
+    domainName: grafana.grafana
+    proxy: false
+
+  platforms:
+    # Deploying to OpenShift (OCP) requires enabling this option.
+    openshift:
+      enabled: true  # Deploy Kubecost to OpenShift.
+      createMonitoringClusterRoleBinding: true  # Create a ClusterRoleBinding to grant the Kubecost serviceaccount access to query Prometheus.
+      createMonitoringResourceReaderRoleBinding: true  # Create a Role and Role Binding to allow Prometheus to list and watch Kubecost resources.
+      monitoringServiceAccountName: prometheus-k8s  # Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+      monitoringServiceAccountNamespace: openshift-monitoring  # Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+
+serviceMonitor:
+  enabled: true
+
+prometheusRule:
+  enabled: true
diff --git a/cost-analyzer/values-openshift.yaml b/cost-analyzer/values-openshift.yaml
@@ -1,35 +1,8 @@
+# This Helm values file is a modified version of `values.yaml`.
+# This file is meant to be used by users deploying Kubecost to OpenShift (OCP) clusters. For more configuration options, see `values.yaml`.
 global:
-  prometheus:
-    enabled: true  # Kubecost depends on Prometheus data, it is not optional. When enabled: false, Prometheus will not be installed and you must configure your own Prometheus to scrape kubecost as well as provide the fqdn below. -- Warning: Before changing this setting, please read to understand the risks https://docs.kubecost.com/install-and-configure/install/custom-prom
-    fqdn: https://prometheus-k8s.openshift-monitoring.svc.cluster.local:9091  # example address of a prometheus to connect to. Include protocol (http:// or https://) Ignored if enabled: true
-    # insecureSkipVerify: false  # If true, kubecost will not check the TLS cert of prometheus
-    # queryServiceBearerTokenSecretName: mcdbsecret  # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN
-    # kubeRBACProxy: false # If true, kubecost will use kube-rbac-proxy to authenticate with in cluster Prometheus for openshift
-
   # Platforms is a higher-level abstraction for platform-specific values and settings.
   platforms:
     # Deploying to OpenShift (OCP) requires enabling this option.
     openshift:
-      enabled: true  # Deploy Kubecost to OpenShift.
-      # createMonitoringClusterRoleBinding: false  # Create a Cluster Role Binding to allow using in-cluster prometheus or thanos.
-      # createMonitoringResourceReaderRoleBinding: false  # Create a Role and Role Binding to allow in-cluster prometheus or thanos to list and watch resources. This will be necessary if you are not using bundled prometheus and need to add scrape config for resources.
-      # monitoringServiceAccountName: prometheus-k8s  # Name of the service account to bind to the Resource Reader Role Binding.
-      route:
-        enabled: false  # Create an OpenShift Route.
-        annotations: {}  # Add annotations to the Route.
-        # host: kubecost.apps.okd4.example.com  # Add a custom host for your Route.
-      # Create Security Context Constraint resources for the DaemonSets requiring additional privileges.
-      scc:
-        nodeExporter: false  # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled.
-        networkCosts: false  # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled.
-      # When OpenShift is enabled, the following securityContext will be applied to all resources unless they define their own.
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
-
-# networkCosts:
-#   enabled: true  # Enable network costs.
-# prometheus:
-#   nodeExporter:
-#     enabled: true  # Enable Prometheus Node Exporter.
+      enabled: true  # Deploy Kubecost to OpenShift.
diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml
@@ -3,10 +3,10 @@ global:
   prometheus:
     enabled: true  # Kubecost depends on Prometheus data, it is not optional. When enabled: false, Prometheus will not be installed and you must configure your own Prometheus to scrape kubecost as well as provide the fqdn below. -- Warning: Before changing this setting, please read to understand the risks https://docs.kubecost.com/install-and-configure/install/custom-prom
     fqdn: http://cost-analyzer-prometheus-server.default.svc  # example address of a prometheus to connect to. Include protocol (http:// or https://) Ignored if enabled: true
-    # insecureSkipVerify: false  # If true, kubecost will not check the TLS cert of prometheus
+    insecureSkipVerify: false  # If true, kubecost will not check the TLS cert of prometheus
     # queryServiceBasicAuthSecretName: dbsecret # kubectl create secret generic dbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD
     # queryServiceBearerTokenSecretName: mcdbsecret  # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN
-    # kubeRBACProxy: false # If true, kubecost will use kube-rbac-proxy to authenticate with in cluster Prometheus for openshift
+    kubeRBACProxy: false  # If true, kubecost will use kube-rbac-proxy to authenticate with in cluster Prometheus for openshift
 
   grafana:
     enabled: true  # If false, Grafana will not be installed
@@ -235,6 +235,13 @@ global:
         enabled: false  # Create an OpenShift Route.
         annotations: {}  # Add annotations to the Route.
         # host: kubecost.apps.okd4.example.com  # Add a custom host for your Route.
+
+        # OPTIONAL. The following configs only to be enabled when using a Prometheus instance already installed in the cluster.
+        createMonitoringClusterRoleBinding: false  # Create a ClusterRoleBinding to grant the Kubecost serviceaccount access to query Prometheus.
+        createMonitoringResourceReaderRoleBinding: false  # Create a Role and Role Binding to allow Prometheus to list and watch Kubecost resources.
+        monitoringServiceAccountName: prometheus-k8s  # Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+        monitoringServiceAccountNamespace: openshift-monitoring  # Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+
       # Create Security Context Constraint resources for the DaemonSets requiring additional privileges.
       scc:
         nodeExporter: false  # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled.