add helm config option to mount ca certs to cost model container #3760

Merged
merged 4 commits into from
Dec 4, 2024
10 changes: 10 additions & 0 deletions cost-analyzer/templates/cost-analyzer-deployment-template.yaml
Expand Up @@ -126,6 +126,12 @@ spec:
defaultMode: 420
secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret | default "federated-store" }}
{{- end }}
{{- if .Values.kubecostModel.caCertsSecret }}
- name: ca-certs-secret
secret:
defaultMode: 420
secretName: {{ .Values.kubecostModel.caCertsSecret}}
{{- end }}
{{- if .Values.kubecostProductConfigs }}
{{- if and ((.Values.kubecostProductConfigs).productKey).enabled ((.Values.kubecostProductConfigs).productKey).secretname }}
- name: productkey-secret
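Review bot: on the added `secretName: {{ .Values.kubecostModel.caCertsSecret}}` line, the value is rendered unquoted and without the space before `}}` that the neighbouring `federatedStorageConfigSecret` line uses; `secretName: {{ .Values.kubecostModel.caCertsSecret | quote }}` would match the template's style and keep an unusual value from breaking the rendered YAML. The volume is also not marked `optional`, so a mistyped Secret name leaves the pod waiting on the volume. Failing closed is a reasonable default for a trust anchor, but the values.yaml comment should say that the Secret must already exist in the same namespace as the deployment.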
Expand Down Expand Up @@ -615,6 +621,10 @@ spec:
mountPath: /var/configs/etl/federated
readOnly: true
{{- end }}
{{- if .Values.kubecostModel.caCertsSecret }}
- name: ca-certs-secret
mountPath: /etc/pki/ca-trust/source/anchors
Member

This is a good start, but are we sure this should be hard-coded? This mountPath should probably be a helm config? I think that different OSes will look at different paths for their trust stores. For example /etc/ssl/certs, or /etc/pki/tls/certs, or /usr/local/share/ca-certificates/?

Contributor Author

Based on the information from the Fedora documentation and the user's request, for now, we only need to mount the certificate to /etc/pki/ca-trust/source/anchors. While other scenarios might require different mount paths in the future, this setup works well for our current needs. We can include it in the Helm config as the default for now, but it might remain unused. Thoughts?

Member

Ok, let's leave it hard-coded for now due to the user-specific request. Let's make a task to update it in the future?

Contributor Author

sure 👍

{{- end }}
{{- if .Values.kubecostAdmissionController }}
{{- if .Values.kubecostAdmissionController.enabled }}
{{- if .Values.kubecostAdmissionController.secretName }}
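Review bot: the added `ca-certs-secret` mount has no `readOnly: true`, unlike the `/var/configs/etl/federated` mount directly above it; add it so the trust anchors are explicitly mounted read-only. Since the thread agreed to keep `/etc/pki/ca-trust/source/anchors` hard-coded for now, a short template comment recording that the path is specific to Fedora-style images and is intended to become a values option would keep the follow-up from being lost. Mounting a volume at that path also hides any anchor files the image already ships in that directory, which is worth stating in the option's documentation.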
3 changes: 3 additions & 0 deletions cost-analyzer/values.yaml
Expand Up @@ -575,6 +575,9 @@ kubecostModel:
# "client_x509_cert_url": ""
# }

# the name of the Secret containing custom CA certs to mount to cost model container
# caCertsSecret: ca-certs-secret

# Installs Kubecost/OpenCost plugins
plugins:
enabled: false
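Review bot: the comment above `caCertsSecret` does not say what the Secret must contain or where it ends up. It should state that each key of the Secret is mounted as a file under `/etc/pki/ca-trust/source/anchors` in the cost model container, that the Secret must exist in the deployment's namespace, and which certificate format is expected, so users do not have to read the deployment template to use the option.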