Amir/amp sidecar (#131)

* feat: AWS Managed Prometheus sigv4 integration

* Bump version to 1.22.0 because of all the rolled up patches

Signed-off-by: Matt Ray <[email protected]>

---------

Signed-off-by: Matt Ray <[email protected]>
Co-authored-by: Amir Alavi <[email protected]>

charts/opencost/Chart.yaml

@@ -9,7 +9,7 @@ keywords:
   - kubecost
   - opencost
   - monitoring
-version: 1.21.4
+version: 1.22.0
 maintainers:
   - name: mattray
     url: https://mattray.dev

charts/opencost/README.md

@@ -2,7 +2,7 @@
 
 OpenCost and OpenCost UI
 
-![Version: 1.21.4](https://img.shields.io/badge/Version-1.21.4-informational?style=flat-square)
+![Version: 1.22.0](https://img.shields.io/badge/Version-1.22.0-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 ![AppVersion: 1.106.3](https://img.shields.io/badge/AppVersion-1.106.3-informational?style=flat-square)
 

charts/opencost/templates/_helpers.tpl

@@ -83,6 +83,10 @@ Create the name of the controller service account to use
 {{- define "opencost.prometheusServerEndpoint" -}}
   {{- if .Values.opencost.prometheus.external.enabled -}}
     {{ tpl .Values.opencost.prometheus.external.url . }}
+  {{- else if (and .Values.opencost.prometheus.amp.enabled .Values.opencost.sigV4Proxy) -}}
+    {{- $port := .Values.opencost.sigV4Proxy.port | int }}
+    {{- $ws := .Values.opencost.prometheus.amp.workspaceId }}
+    {{- printf "http://localhost:%d/workspaces/%v" $port $ws -}}
   {{- else -}}
     {{- $host := tpl .Values.opencost.prometheus.internal.serviceName . }}
     {{- $ns := tpl .Values.opencost.prometheus.internal.namespaceName . }}
@@ -109,12 +113,13 @@ Check that either thanos external or internal is defined
 Check that the config is valid
 */}}
 {{- define "isPrometheusConfigValid" -}}
-  {{- if and .Values.opencost.prometheus.external.enabled .Values.opencost.prometheus.internal.enabled -}}
-    {{- fail "Only use one of the prometheus setups, internal or external" -}}
+  {{- $prometheusModes := add .Values.opencost.prometheus.external.enabled .Values.opencost.prometheus.internal.enabled .Values.opencost.prometheus.amp.enabled | int }}
+  {{- if gt $prometheusModes 1 -}}
+    {{- fail "Only use one of the prometheus setups: internal, external, or amp" -}}
   {{- end -}}
   {{- if .Values.opencost.prometheus.thanos.enabled -}}
     {{- if and .Values.opencost.prometheus.thanos.external.enabled .Values.opencost.prometheus.thanos.internal.enabled -}}
-      {{- fail "Only use one of the thanos setups, internal or external" -}}
+      {{- fail "Only use one of the thanos setups: internal or external" -}}
     {{- end -}}
   {{- end -}}
 {{- end -}}

charts/opencost/templates/deployment.yaml

@@ -207,6 +207,39 @@ spec:
         {{- with .Values.opencost.extraContainers }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- if and .Values.opencost.prometheus.amp.enabled .Values.opencost.sigV4Proxy }}
+        - name: sigv4proxy
+          image: {{ .Values.opencost.sigV4Proxy.image }}
+          imagePullPolicy: {{ .Values.opencost.sigV4Proxy.imagePullPolicy }}
+          args:
+          - --name
+          - {{ .Values.opencost.sigV4Proxy.name }}
+          - --region
+          - {{ .Values.opencost.sigV4Proxy.region }}
+          - --host
+          - {{ .Values.opencost.sigV4Proxy.host }}
+          {{- if .Values.opencost.sigV4Proxy.role_arn }}
+          - --role-arn
+          - {{ .Values.opencost.sigV4Proxy.role_arn }}
+          {{- end }}
+          - --port
+          - :{{ .Values.opencost.sigV4Proxy.port }}
+          ports:
+          - name: aws-sigv4-proxy
+            containerPort: {{ .Values.opencost.sigV4Proxy.port | int }}
+          {{- with .Values.opencost.sigV4Proxy.extraEnv }}
+          env:
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- with .Values.opencost.sigV4Proxy.resources }}
+          resources:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.opencost.sigV4Proxy.securityContext }}
+          securityContext:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- end }}
       {{- if or .Values.opencost.exporter.persistence.enabled .Values.extraVolumes .Values.opencost.customPricing.enabled}}
       volumes:
         {{- if .Values.opencost.customPricing.enabled }}

charts/opencost/values.yaml

@@ -226,6 +226,11 @@ opencost:
       namespaceName: opencost
       # -- Service port of in-cluster Prometheus
       port: 9090
+    amp:
+      # -- Use Amazon Managed Service for Prometheus (AMP)
+      enabled: false  # If true, opencost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
+      # -- Workspace ID for AMP
+      workspaceId: ""
     thanos:
       enabled: false
       queryOffset: ''
@@ -316,6 +321,33 @@ opencost:
         #    hosts:
         #      - chart-example.local
 
+  sigV4Proxy:
+    image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest
+    imagePullPolicy: IfNotPresent
+    name: aps
+    port: 8005
+    region: us-west-2 # The AWS region
+    host: aps-workspaces.us-west-2.amazonaws.com # The hostname for AMP service.
+    # role_arn: arn:aws:iam::<account>:role/role-name # The AWS IAM role to assume.
+    extraEnv: # Pass extra env variables to sigV4Proxy
+    # - name: AWS_ACCESS_KEY_ID
+    #   value: <access_key>
+    # - name: AWS_SECRET_ACCESS_KEY
+    #   value: <secret_key>
+    resources: {}
+      # limits:
+      #   cpu: 200m
+      #   memory: 500Mi
+      # requests:
+      #   cpu: 20m
+      #   memory: 32Mi
+    securityContext: {}
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 65534
   # -- Toleration labels for pod assignment
   tolerations: []
   # -- Node labels for pod assignment