Merge branch 'develop' into add-api-key

.github/workflows/chart.yaml

@@ -86,7 +86,7 @@ jobs:
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Create KinD cluster
-        uses: helm/kind-action@ae94020eaf628e9b9b9f341a10cc0cdcf5c018fb # v1.11.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: v0.20.0
           node_image: kindest/node:${{ matrix.k8s-version.version }}

.github/workflows/upgrade.yaml

@@ -68,7 +68,7 @@ jobs:
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Create KinD cluster
-        uses: helm/kind-action@ae94020eaf628e9b9b9f341a10cc0cdcf5c018fb # v1.11.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: v0.23.0
           node_image: kindest/node:v1.28.9

cost-analyzer/templates/_helpers.tpl

@@ -1011,6 +1011,13 @@ Begin Kubecost 2.0 templates
     - name: postgres-queries
       mountPath: /var/configs/integrations/postgres-queries
     {{- end }}
+    {{- if .Values.global.updateCaTrust.enabled }}
+    - name: ca-certs-secret
+      mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+    - name: ssl-path
+      mountPath: "/etc/pki/ca-trust/extracted"
+      readOnly: false
+    {{- end }}
     {{- /* Only adds extraVolumeMounts if aggregator is running as its own pod */}}
     {{- if and .Values.kubecostAggregator.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }}
     {{- toYaml .Values.kubecostAggregator.extraVolumeMounts | nindent 4 }}
@@ -1288,6 +1295,13 @@ Begin Kubecost 2.0 templates
       name: plugins-config
       readOnly: true
     {{- end }}
+    {{- if .Values.global.updateCaTrust.enabled }}
+    - name: ca-certs-secret
+      mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+    - name: ssl-path
+      mountPath: "/etc/pki/ca-trust/extracted"
+      readOnly: false
+    {{- end }}
   {{- /* Only adds extraVolumeMounts when cloudcosts is running as its own pod */}}
   {{- if and .Values.kubecostAggregator.cloudCost.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }}
     {{- toYaml .Values.kubecostAggregator.cloudCost.extraVolumeMounts | nindent 4 }}

cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml

@@ -124,6 +124,19 @@ spec:
         - name: tmp
           emptyDir: {}
         {{- end }}
+        {{- if .Values.global.updateCaTrust.enabled }}
+        - name: ca-certs-secret
+          {{- if .Values.global.updateCaTrust.caCertsSecret }}
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.global.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.global.updateCaTrust.caCertsConfig }}
+          {{- end }}
+        - name: ssl-path
+          emptyDir: {}
+        {{- end }}
         {{- if .Values.kubecostAggregator.cloudCost.extraVolumes }}
         {{- toYaml .Values.kubecostAggregator.cloudCost.extraVolumes | nindent 8 }}
         {{- end }}
@@ -141,6 +154,34 @@ spec:
           - name: plugins-dir
             mountPath: {{ .Values.kubecostModel.plugins.folder }}
       {{- end }}
+      {{- if .Values.global.updateCaTrust.enabled }}
+      - name: update-ca-trust
+        image: {{ include "cost-model.image" . | trim | quote}}
+        {{- if .Values.kubecostModel.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: Always
+        {{- end }}
+        {{- with .Values.global.updateCaTrust.securityContext }}
+        securityContext: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.global.updateCaTrust.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        command:
+          - 'sh'
+          - '-c'
+          - >
+            mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
+            /usr/bin/update-ca-trust extract;
+        volumeMounts:
+          - name: ca-certs-secret
+            mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+          - name: ssl-path
+            mountPath: "/etc/pki/ca-trust/extracted"
+            readOnly: false
+      {{- end}}
       containers:
         {{- include "aggregator.cloudCost.containerTemplate" . | nindent 8 }}
     {{- if .Values.imagePullSecrets }}

cost-analyzer/templates/aggregator-statefulset.yaml

@@ -181,9 +181,51 @@ spec:
           secret:
             secretName: kubecost-integrations-turbonomic
         {{- end }}
+        {{- if .Values.global.updateCaTrust.enabled }}
+        - name: ca-certs-secret
+          {{- if .Values.global.updateCaTrust.caCertsSecret }}
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.global.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.global.updateCaTrust.caCertsConfig }}
+          {{- end }}
+        - name: ssl-path
+          emptyDir: {}
+        {{- end }}
         {{- if .Values.kubecostAggregator.extraVolumes }}
         {{- toYaml .Values.kubecostAggregator.extraVolumes | nindent 8 }}
         {{- end }}
+      initContainers:
+      {{- if .Values.global.updateCaTrust.enabled }}
+        - name: update-ca-trust
+          image: {{ include "cost-model.image" . | trim | quote}}
+          {{- if .Values.kubecostModel.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
+          {{- else }}
+          imagePullPolicy: Always
+          {{- end }}
+          {{- with .Values.global.updateCaTrust.securityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.global.updateCaTrust.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          command:
+            - 'sh'
+            - '-c'
+            - >
+              mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
+              /usr/bin/update-ca-trust extract;
+          volumeMounts:
+            - name: ca-certs-secret
+              mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+            - name: ssl-path
+              mountPath: "/etc/pki/ca-trust/extracted"
+              readOnly: false
+        {{- end}}
       containers:
         {{- include "aggregator.containerTemplate" . | nindent 8 }}
 

cost-analyzer/values-eks-cost-monitoring.yaml

@@ -18,7 +18,7 @@ kubecostModel:
   image: public.ecr.aws/kubecost/cost-model
 
 forecasting:
-  fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.18
+  fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.19
 
 networkCosts:
   image:

cost-analyzer/values.yaml

@@ -253,11 +253,11 @@ global:
         annotations: {}  # Add annotations to the Route.
         # host: kubecost.apps.okd4.example.com  # Add a custom host for your Route.
 
-        # OPTIONAL. The following configs only to be enabled when using a Prometheus instance already installed in the cluster.
-        createMonitoringClusterRoleBinding: false  # Create a ClusterRoleBinding to grant the Kubecost serviceaccount access to query Prometheus.
-        createMonitoringResourceReaderRoleBinding: false  # Create a Role and Role Binding to allow Prometheus to list and watch Kubecost resources.
-        monitoringServiceAccountName: prometheus-k8s  # Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
-        monitoringServiceAccountNamespace: openshift-monitoring  # Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+      # OPTIONAL. The following configs only to be enabled when using a Prometheus instance already installed in the cluster.
+      createMonitoringClusterRoleBinding: false  # Create a ClusterRoleBinding to grant the Kubecost serviceaccount access to query Prometheus.
+      createMonitoringResourceReaderRoleBinding: false  # Create a Role and Role Binding to allow Prometheus to list and watch Kubecost resources.
+      monitoringServiceAccountName: prometheus-k8s  # Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
+      monitoringServiceAccountNamespace: openshift-monitoring  # Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
 
       # Create Security Context Constraint resources for the DaemonSets requiring additional privileges.
       scc:
@@ -1088,7 +1088,7 @@ prometheus:
       name: configmap-reload
       image:
         repository: quay.io/prometheus-operator/prometheus-config-reloader
-        tag: v0.79.1
+        tag: v0.79.2
         pullPolicy: IfNotPresent
       extraArgs: {}
       extraVolumeDirs: []
@@ -1101,7 +1101,7 @@ prometheus:
       name: configmap-reload
       image:
         repository: quay.io/prometheus-operator/prometheus-config-reloader
-        tag: v0.79.1
+        tag: v0.79.2
         pullPolicy: IfNotPresent
       extraArgs: {}
       extraVolumeDirs: []
@@ -1508,7 +1508,7 @@ forecasting:
   # fullImageName overrides the default image construction logic. The exact
   # image provided (registry, image, tag) will be used for the forecasting
   # container.
-  fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.18
+  fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.19
   imagePullPolicy: IfNotPresent
 
   # Resource specification block for the forecasting container.
@@ -1822,7 +1822,7 @@ clusterController:
   enabled: false
   image:
     repository: gcr.io/kubecost1/cluster-controller
-    tag: v0.16.10
+    tag: v0.16.11
   imagePullPolicy: IfNotPresent
   priorityClassName: ""
   tolerations: []
@@ -2080,7 +2080,7 @@ grafana:
   sidecar:
     image:
       repository: ghcr.io/kiwigrid/k8s-sidecar
-      tag: 1.28.1
+      tag: 1.28.4
       pullPolicy: IfNotPresent
     resources: {}
     dashboards:

kubecost.yaml

@@ -23569,7 +23569,7 @@ spec:
       restartPolicy: Always
       containers:
         - name: forecasting
-          image: gcr.io/kubecost1/kubecost-modeling:v0.1.16
+          image: gcr.io/kubecost1/kubecost-modeling:v0.1.19
           volumeMounts:
             - name: tmp
               mountPath: /tmp