From 1bf17a250569ac6d08d3fa132c3a3a0b623cdc15 Mon Sep 17 00:00:00 2001 From: Kaelan Patel Date: Mon, 16 Dec 2024 21:10:22 -0800 Subject: [PATCH 1/5] teams rewrite secret/env functionality --- cost-analyzer/templates/_helpers.tpl | 21 ++++++++ .../templates/aggregator-statefulset.yaml | 10 ++++ .../cost-analyzer-deployment-template.yaml | 26 +++++++++- ...analyzer-frontend-config-map-template.yaml | 48 +++++++++++++++++++ .../kubecost-rbac-secret-template.yaml | 22 +++++++++ cost-analyzer/values.yaml | 2 + 6 files changed, 127 insertions(+), 2 deletions(-) create mode 100644 cost-analyzer/templates/kubecost-rbac-secret-template.yaml diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl index faf94e1b5..43a9f05b9 100755 --- a/cost-analyzer/templates/_helpers.tpl +++ b/cost-analyzer/templates/_helpers.tpl @@ -157,6 +157,15 @@ will result in failure. Users are asked to select one of the two presently-avail {{- end -}} {{- end -}} +{{/* +RBAC exclusivity check: make sure either RBAC or RBAC Teams is enabled, not both +*/}} +{{- define "rbacCheck" -}} + {{- if or (and ((.Values.saml).rbac).teamsEnabled ((.Values.saml).rbac).enabled) (and ((.Values.oidc).rbac).teamsEnabled ((.Values.oidc).rbac).enabled) -}} + {{- fail "\nSimple RBAC and RBAC Teams are mutually exclusive. Please specify only one." -}} + {{- end -}} +{{- end -}} + {{/* Federated Storage source contents check. Either the Secret must be specified or the JSON, not both. */}} @@ -1005,6 +1014,10 @@ Begin Kubecost 2.0 templates {{- end }} {{- end }} {{- end }} + {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} + - name: kubecost-rbac-secret + mountPath: /var/configs/kubecost-rbac-secret + {{- end }} {{- if .Values.global.integrations.postgres.enabled }} - name: postgres-creds mountPath: /var/configs/integrations/postgres-creds 
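Review bot: `rbacCheck` is defined here but nothing in this series includes it, so the `fail` guarding the RBAC/RBAC-Teams conflict never runs unless an existing template already evaluates `{{ include "rbacCheck" . }}`. The practical symptom is visible further down the series: the aggregator and deployment volume hunks render a `kubecost-rbac-secret` volume on `teamsEnabled` alone, while `kubecost-rbac-secret-template.yaml` additionally requires `rbac.enabled` to be false, so an operator who sets both gets a pod stuck on a missing Secret instead of an install-time error. Please add the include wherever the chart evaluates its other validation helpers, e.g. `{{- include "rbacCheck" . -}}`, or have the secret template call it directly.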
@@ -1153,6 +1166,10 @@ Begin Kubecost 2.0 templates value: "true" - name: OIDC_SKIP_ONLINE_VALIDATION value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} + {{- if .Values.oidc.rbac.teamsEnabled }} + - name: OIDC_RBAC_TEAMS_ENABLED + value: "true" + {{- end }} {{- end}} {{- if .Values.kubecostAggregator }} {{- if .Values.kubecostAggregator.collections }} @@ -1198,6 +1215,10 @@ Begin Kubecost 2.0 templates - name: SAML_RBAC_ENABLED value: "true" {{- end }} + {{- if .Values.saml.rbac.teamsEnabled }} + - name: SAML_RBAC_TEAMS_ENABLED + value: "true" + {{- end }} {{- if and .Values.saml.encryptionCertSecret .Values.saml.decryptionKeySecret }} - name: SAML_RESPONSE_ENCRYPTED value: "true" diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 3432d13e6..655279ab6 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml @@ -145,6 +145,11 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} + {{- if .Values.saml.rbac.teamsEnabled }} + - name: kubecost-rbac-secret + secret: + secretName: kubecost-rbac-secret + {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} @@ -162,6 +167,11 @@ spec: secret: secretName: {{ .Values.oidc.existingCustomSecret.name }} {{- end }} + {{- if .Values.oidc.rbac.teamsEnabled }} + - name: kubecost-rbac-secret + secret: + secretName: kubecost-rbac-secret + {{- end }} {{- end }} {{- end }} {{- if .Values.global.integrations.postgres.enabled }} diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index d1e6d6069..123ef791d 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml 
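Review bot: `secretName: kubecost-rbac-secret` in the aggregator SAML volume hunk is a fixed, non-overridable name, while the SAML ConfigMap two lines above is release-scoped via `{{ template "cost-analyzer.fullname" . }}-saml`; a second release in the same namespace would collide on that Secret, which Helm refuses to adopt from another release. The same literal is repeated in the OIDC volume hunk that follows, in both `cost-analyzer-deployment-template.yaml` volume hunks, in the new `kubecost-rbac-secret-template.yaml`, and the patch-2 `kubecost-rbac-teams-config` ConfigMap follows the same pattern. A single helper such as `{{ template "cost-analyzer.fullname" . }}-rbac-secret`, or an operator-supplied existing-secret-name value, would keep producers and consumers in sync. values.yaml already documents an unprefixed `kubecost-saml-secret` default, so this may be chart convention, but it is worth deciding once before the name is baked into user clusters.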
@@ -248,6 +248,11 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} + {{- if .Values.saml.rbac.teamsEnabled }} + - name: kubecost-rbac-secret + secret: + secretName: kubecost-rbac-secret + {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} @@ -265,6 +270,11 @@ spec: secret: secretName: {{ .Values.oidc.existingCustomSecret.name }} {{- end }} + {{- if .Values.oidc.rbac.teamsEnabled }} + - name: kubecost-rbac-secret + secret: + secretName: kubecost-rbac-secret + {{- end }} {{- end }} {{- end }} {{- if .Values.extraVolumes }} @@ -689,6 +699,10 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} + - name: kubecost-rbac-secret + mountPath: /var/configs/kubecost-rbac-secret + {{- end }} env: - name: CONTAINER_IMAGE_TAG value: {{ include "cost-model.imagetag" . }} @@ -954,7 +968,7 @@ spec: {{- else}} - name: ADVANCED_NETWORK_STATS value: "false" - {{- end}} + {{- end }} {{- end }} {{- end }} {{- end }} @@ -963,7 +977,11 @@ spec: value: "true" - name: OIDC_SKIP_ONLINE_VALIDATION value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} - {{- end}} + {{- if .Values.oidc.rbac.teamsEnabled }} + - name: OIDC_RBAC_TEAMS_ENABLED + value: "true" + {{- end }} + {{- end }} {{- if .Values.saml }} {{- if .Values.saml.enabled }} - name: SAML_ENABLED @@ -1000,6 +1018,10 @@ spec: - name: SAML_RESPONSE_ENCRYPTED value: "true" {{- end}} + {{- if .Values.saml.rbac.teamsEnabled }} + - name: SAML_RBAC_TEAMS_ENABLED + value: "true" + {{- end }} {{- end }} {{- end }} {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }} diff --git a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index cd86f866b..9390da726 100755 --- a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml 
+++ b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml 
@@ -986,6 +986,54 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/rbac/teams { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbac/teams; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/rbac/team { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbac/team; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/rbac/roles { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbac/roles; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/rbac/role { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbac/role; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/rbac/currentTeams { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbac/currentTeams; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/rbac/currentPermissions { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbac/currentPermissions; + proxy_redirect off; + proxy_set_header Connection 
""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } location = /model/debug/orchestrator { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/debug/orchestrator; diff --git a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml new file mode 100644 index 000000000..a19ff318f --- /dev/null +++ b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml @@ -0,0 +1,22 @@ +{{- if or .Values.oidc.enabled .Values.saml.enabled }} +{{- if and (not .Values.oidc.rbac.enabled) (not .Values.saml.rbac.enabled) }} +{{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: kubecost-rbac-secret + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +stringData: + key: + {{- if .Values.oidc.enabled }} + {{ .Values.oidc.authSecret | default (randAlphaNum 32 | quote) }} + {{- end }} + {{- if .Values.saml.enabled }} + {{ .Values.saml.authSecret | default (randAlphaNum 32 | quote) }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index 8847fae5d..5b7cdc600 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -351,6 +351,7 @@ saml: # authSecretName: "" # Name of K8s secret where the authSecret will be stored. Defaults to "kubecost-saml-secret" if not provided. rbac: enabled: false + teamsEnabled: false # groups: # - name: admin # enabled: false # If admin is disabled, all SAML users will be able to make configuration changes to the Kubecost frontend 
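Review bot: The new `location = /model/rbac/team` and `/model/rbac/role` routes pass team and role management straight through to the aggregator, and nothing in these blocks limits who may call them, so authorization for those mutating endpoints rests entirely on the aggregator handlers; that code is outside this patch, so please confirm it checks the caller's permissions rather than assuming the proxy did. The six blocks are otherwise identical apart from the last path segment, which invites drift when a header or timeout is changed later; a single `location ~ ^/model/rbac/(teams|team|roles|role|currentTeams|currentPermissions)$` with `proxy_pass http://aggregator/rbac/$1;` would remove the duplication, though nginx evaluates `=` matches before regex locations in file order, so check that no other regex location in this file would claim `/model/` first. The enclosing nginx block starts and ends outside the hunk.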
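Review bot: The `randAlphaNum 32` fallback under `stringData.key` is re-evaluated on every `helm upgrade`, so unless `authSecret` is set the Secret's key changes on each upgrade; if this key signs or encrypts anything the aggregator persists, that data becomes unreadable after the upgrade, which I cannot confirm from this patch. When `authSecret` is set it is rendered unquoted, so a value that looks like a number or boolean is retyped by YAML, and with both `oidc.enabled` and `saml.enabled` true two values are emitted under the single `key:`. Operators who supply credentials via `oidc.existingCustomSecret` (referenced in the volume hunks) have no `authSecret` in values at all, so they get an unrelated random key here. Rendering one quoted value, preferring OIDC when both providers are on as the original order does, is the minimal fix; a stable default would need `lookup` against the existing Secret or an explicitly documented operator-supplied secret.
```yaml
stringData:
  {{- if .Values.oidc.enabled }}
  key: {{ .Values.oidc.authSecret | default (randAlphaNum 32) | quote }}
  {{- else if .Values.saml.enabled }}
  key: {{ .Values.saml.authSecret | default (randAlphaNum 32) | quote }}
  {{- end }}
```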
@@ -387,6 +388,7 @@ oidc: hostedDomain: "" # Optional, blocks access to the auth domain specified in the hd claim of the provider ID token rbac: enabled: false + teamsEnabled: false # groups: # - name: admin # Admins have permissions to edit Kubecost settings and save reports # enabled: false From 4b98aea0e210f1ec2c5978d0373184bf86f27ed9 Mon Sep 17 00:00:00 2001 From: Sean Holcomb Date: Tue, 7 Jan 2025 15:16:51 -0800 Subject: [PATCH 2/5] Add configmap mounting for RBAC teams Signed-off-by: Sean Holcomb --- cost-analyzer/templates/_helpers.tpl | 16 ++++++++++++++++ .../templates/aggregator-statefulset.yaml | 5 +++++ .../cost-analyzer-deployment-template.yaml | 5 +++++ .../kubecost-rbac-teams-configmap-template.yaml | 11 +++++++++++ 4 files changed, 37 insertions(+) create mode 100644 cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl index 43a9f05b9..088262838 100755 --- a/cost-analyzer/templates/_helpers.tpl +++ b/cost-analyzer/templates/_helpers.tpl @@ -1018,6 +1018,10 @@ Begin Kubecost 2.0 templates - name: kubecost-rbac-secret mountPath: /var/configs/kubecost-rbac-secret {{- end }} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: kubecost-rbac-teams-config + mountPath: /var/configs/rbac-teams-configs + {{- end }} {{- if .Values.global.integrations.postgres.enabled }} - name: postgres-creds mountPath: /var/configs/integrations/postgres-creds @@ -1171,6 +1175,10 @@ Begin Kubecost 2.0 templates value: "true" {{- end }} {{- end}} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: RBAC_TEAMS_HELM_CONFIG_PATH + value: "/var/configs/rbac-teams-configs/rbac-teams-configs.json" + {{- end }} {{- if .Values.kubecostAggregator }} {{- if .Values.kubecostAggregator.collections }} {{- if (((.Values.kubecostAggregator).collections).cache) }} 
@@ -1383,6 +1391,14 @@ Groups is only used when using external RBAC. {{- end -}} {{- end -}} +{{- define "rbacTeamsConfig" -}} + {{- if (.Values.rbac).teamsConfig -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end }} +{{- end }} + {{/* Backups configured flag for nginx configmap */}} diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 655279ab6..0c6656aaf 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml @@ -174,6 +174,11 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: kubecost-rbac-teams-config + configMap: + name: kubecost-rbac-teams-config + {{- end }} {{- if .Values.global.integrations.postgres.enabled }} - name: postgres-creds secret: diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 123ef791d..52c1a4148 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -277,6 +277,11 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: kubecost-rbac-teams-config + configMap: + name: kubecost-rbac-teams-config + {{- end }} {{- if .Values.extraVolumes }} # Extra volume(s) {{- toYaml .Values.extraVolumes | nindent 8 }} diff --git a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml new file mode 100644 index 000000000..df1931a4a --- /dev/null +++ b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml 
@@ -0,0 +1,11 @@ +{{- if eq (include "rbacTeamsConfig" .) "true" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "kubecost-rbac-teams-config" + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +data: + rbac-teams-configs.json: '{{ toJson .Values.rbac.teamsConfig }}' +{{- end }} \ No newline at end of file From 71deaf4a6ad74adf029d2d6ddb2b530eb9a67a29 Mon Sep 17 00:00:00 2001 From: Sean Holcomb Date: Wed, 8 Jan 2025 14:05:05 -0800 Subject: [PATCH 3/5] Unify variables and redefine values structure Signed-off-by: Sean Holcomb --- cost-analyzer/templates/_helpers.tpl | 60 +++++++++++++------ .../templates/aggregator-statefulset.yaml | 13 ++-- .../cost-analyzer-deployment-template.yaml | 33 +++++----- ...analyzer-frontend-config-map-template.yaml | 2 +- .../kubecost-rbac-secret-template.yaml | 6 +- ...ubecost-rbac-teams-configmap-template.yaml | 4 +- 6 files changed, 66 insertions(+), 52 deletions(-) diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl index 088262838..bf7b82c98 100755 --- a/cost-analyzer/templates/_helpers.tpl +++ b/cost-analyzer/templates/_helpers.tpl @@ -161,7 +161,7 @@ will result in failure. Users are asked to select one of the two presently-avail RBAC exclusivity check: make sure either RBAC or RBAC Teams is enabled, not both */}} {{- define "rbacCheck" -}} - {{- if or (and ((.Values.saml).rbac).teamsEnabled ((.Values.saml).rbac).enabled) (and ((.Values.oidc).rbac).teamsEnabled ((.Values.oidc).rbac).enabled) -}} + {{- if and (or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled) (.Values.rbacTeams).enabled -}} {{- fail "\nSimple RBAC and RBAC Teams are mutually exclusive. Please specify only one." -}} {{- end -}} {{- end -}} 
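Review bot: `rbac-teams-configs.json: '{{ toJson .Values.rbac.teamsConfig }}'` wraps the JSON in YAML single quotes, so any `'` inside a team name, role description or filter value (the example `teamsConfig` added later in this series has free-text `description` and `value` fields) produces an unparseable manifest; `rbac-teams-configs.json: {{ toJson .Values.rbac.teamsConfig | quote }}` escapes correctly, and the patch-3 version reading `.Values.rbacTeams.teamsConfig` has the same issue. The file also lacks a trailing newline. It is worth stating in the values.yaml comments that this ConfigMap is authorization policy — team membership via `claims` and the pages and filters each role may see — so write access to ConfigMaps in the release namespace is equivalent to granting Kubecost admin, which some operators will want to scope accordingly.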
@@ -1014,11 +1014,11 @@ Begin Kubecost 2.0 templates {{- end }} {{- end }} {{- end }} - {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret mountPath: /var/configs/kubecost-rbac-secret {{- end }} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: kubecost-rbac-teams-config mountPath: /var/configs/rbac-teams-configs {{- end }} @@ -1170,12 +1170,18 @@ Begin Kubecost 2.0 templates value: "true" - name: OIDC_SKIP_ONLINE_VALIDATION value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} - {{- if .Values.oidc.rbac.teamsEnabled }} + {{- end}} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} + {{- if .Values.oidc.enabled }} - name: OIDC_RBAC_TEAMS_ENABLED value: "true" {{- end }} - {{- end}} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if .Values.saml.enabled }} + - name: SAML_RBAC_TEAMS_ENABLED + value: "true" + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: RBAC_TEAMS_HELM_CONFIG_PATH value: "/var/configs/rbac-teams-configs/rbac-teams-configs.json" {{- end }} @@ -1223,10 +1229,6 @@ Begin Kubecost 2.0 templates - name: SAML_RBAC_ENABLED value: "true" {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: SAML_RBAC_TEAMS_ENABLED - value: "true" - {{- end }} {{- if and .Values.saml.encryptionCertSecret .Values.saml.decryptionKeySecret }} - name: SAML_RESPONSE_ENCRYPTED value: "true" 
@@ -1375,7 +1377,7 @@ SSO enabled flag for nginx configmap To use the Kubecost built-in Teams UI RBAC< you must enable SSO and RBAC and not specify any groups. Groups is only used when using external RBAC. */}} -{{- define "rbacTeamsEnabled" -}} +{{- define "rbacTeamsLegacyEnabled" -}} {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}} {{- if or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled -}} {{- if not (or (.Values.saml).groups (.Values.oidc).groups) -}} @@ -1391,12 +1393,36 @@ Groups is only used when using external RBAC. {{- end -}} {{- end -}} -{{- define "rbacTeamsConfig" -}} - {{- if (.Values.rbac).teamsConfig -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end }} +{{/* +RBAC teams enabled requires that it be explicitly enabled in addition to SAML or OIDC being enabled +and legacy RBAC being disabled. +*/}} +{{- define "rbacTeamsEnabled" -}} + {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}} + {{- if and (not ((.Values.saml).rbac).enabled) (not ((.Values.oidc).rbac).enabled) -}} + {{- if (.Values.rbacTeams).enabled -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end }} + +{{- define "rbacTeamsConfigEnabled" -}} + {{- if eq (include "rbacTeamsEnabled" .) "true" -}} + {{- if (.Values.rbacTeams).teamsConfig -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end }} + {{- else -}} + {{- printf "false" -}} + {{- end }} {{- end }} {{/* diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 0c6656aaf..6c72fb85b 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml 
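Review bot: The new `rbacTeamsEnabled` returns `"false"` when `rbacTeams.enabled` is true but `saml.rbac.enabled` or `oidc.rbac.enabled` is also set, so that misconfiguration silently renders a release with teams off rather than failing; `rbacCheck` in this file would surface it, but nothing in this series includes that helper, so please confirm an existing template calls it. `rbacTeamsConfigEnabled` is the only define in this stretch without the `{{/* ... */}}` header its neighbours carry; something like `{{/* Teams config flag: "true" only when RBAC Teams is enabled and rbacTeams.teamsConfig is non-empty */}}` would do. The three-deep if/else ladder in `rbacTeamsEnabled` can be a single condition, which is also easier to keep in step with `rbacCheck`.
```yaml
{{- define "rbacTeamsEnabled" -}}
  {{- if and (or (.Values.saml).enabled (.Values.oidc).enabled) (not (or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled)) (.Values.rbacTeams).enabled -}}
    {{- printf "true" -}}
  {{- else -}}
    {{- printf "false" -}}
  {{- end -}}
{{- end }}
```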
@@ -145,11 +145,6 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: kubecost-rbac-secret - secret: - secretName: kubecost-rbac-secret - {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} @@ -167,14 +162,14 @@ spec: secret: secretName: {{ .Values.oidc.existingCustomSecret.name }} {{- end }} - {{- if .Values.oidc.rbac.teamsEnabled }} + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret secret: secretName: kubecost-rbac-secret {{- end }} - {{- end }} - {{- end }} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: kubecost-rbac-teams-config configMap: name: kubecost-rbac-teams-config diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 52c1a4148..a155a3e52 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -248,11 +248,6 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: kubecost-rbac-secret - secret: - secretName: kubecost-rbac-secret - {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} @@ -270,14 +265,14 @@ spec: secret: secretName: {{ .Values.oidc.existingCustomSecret.name }} {{- end }} - {{- if .Values.oidc.rbac.teamsEnabled }} + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret secret: secretName: kubecost-rbac-secret {{- end }} - {{- end }} - {{- end }} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: kubecost-rbac-teams-config configMap: name: kubecost-rbac-teams-config 
@@ -704,7 +699,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret mountPath: /var/configs/kubecost-rbac-secret {{- end }} @@ -751,8 +746,8 @@ spec: value: {{ .Values.assetReportConfigmapName }} {{- end }} {{- if .Values.cloudCostReportConfigmapName }} - - name: CLOUD_COST_REPORT_CONFIGMAP_NAME - value: {{ .Values.cloudCostReportConfigmapName }} + - name: CLOUD_COST_REPORT_CONFIGMAP_NAME + value: {{ .Values.cloudCostReportConfigmapName }} {{- end }} {{- if .Values.savedReportConfigmapName }} - name: SAVED_REPORT_CONFIGMAP_NAME @@ -982,10 +977,6 @@ spec: value: "true" - name: OIDC_SKIP_ONLINE_VALIDATION value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} - {{- if .Values.oidc.rbac.teamsEnabled }} - - name: OIDC_RBAC_TEAMS_ENABLED - value: "true" - {{- end }} {{- end }} {{- if .Values.saml }} {{- if .Values.saml.enabled }} @@ -1023,10 +1014,16 @@ spec: - name: SAML_RESPONSE_ENCRYPTED value: "true" {{- end}} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: SAML_RBAC_TEAMS_ENABLED + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} + {{- if .Values.oidc.enabled }} + - name: OIDC_RBAC_TEAMS_ENABLED value: "true" {{- end }} + {{- if .Values.saml.enabled }} + - name: SAML_RBAC_TEAMS_ENABLED + value: "true" {{- end }} {{- end }} {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }} diff --git a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index 9390da726..fc19c3e93 100755 --- a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml 
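Review bot: In the `@@ -1023` env hunk the added `{{- if .Values.oidc.enabled }}` and `{{- if .Values.saml.enabled }}` guards use the non-nil-safe form, while the `rbacTeamsEnabled` helper that gates them is written as `(.Values.oidc).enabled`; an operator who disables a provider with `oidc: null` would pass the helper on SAML alone and then most likely hit a nil-pointer render error on these lines. Changing the two guards to `{{- if (.Values.oidc).enabled }}` and `{{- if (.Values.saml).enabled }}` keeps them in agreement with the helper. This block is now duplicated verbatim in the aggregator env list in `_helpers.tpl` (the `@@ -1170` hunk of this commit); a small named template for the two teams env vars would stop the copies drifting. The enclosing `env:` list starts and ends outside the hunk.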
@@ -1531,7 +1531,7 @@ data: return 200 '\n { "ssoConfigured": "{{ template "ssoEnabled" . }}", - "rbacTeamsEnabled": "{{ template "rbacTeamsEnabled" . }}", + "rbacTeamsEnabled": "{{ template "rbacTeamsLegacyEnabled" . }}", "dataBackupConfigured": "{{ template "dataBackupConfigured" . }}", "costEventsAuditEnabled": "{{ template "costEventsAuditEnabled" . }}", "frontendDeployMethod": "{{ template "frontend.deployMethod" . }}", diff --git a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml index a19ff318f..4f2116035 100644 --- a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml +++ b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml @@ -1,6 +1,4 @@ -{{- if or .Values.oidc.enabled .Values.saml.enabled }} -{{- if and (not .Values.oidc.rbac.enabled) (not .Values.saml.rbac.enabled) }} -{{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} +{{- if eq (include "rbacTeamsEnabled" .) "true" }} apiVersion: v1 kind: Secret type: Opaque @@ -18,5 +16,3 @@ stringData: {{ .Values.saml.authSecret | default (randAlphaNum 32 | quote) }} {{- end }} {{- end }} -{{- end }} -{{- end }} diff --git a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml index df1931a4a..1a8922c3a 100644 --- a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml +++ b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml @@ -1,4 +1,4 @@ -{{- if eq (include "rbacTeamsConfig" .) "true" }} +{{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} apiVersion: v1 kind: ConfigMap metadata: @@ -7,5 +7,5 @@ metadata: labels: {{- include "cost-analyzer.commonLabels" . | nindent 4 }} data: - rbac-teams-configs.json: '{{ toJson .Values.rbac.teamsConfig }}' + rbac-teams-configs.json: '{{ toJson .Values.rbacTeams.teamsConfig }}' {{- end }} \ No newline at end of file 
From f51b0e6fcff0556e843bb1f929036587c97e9b0d Mon Sep 17 00:00:00 2001 From: Kaelan Patel Date: Thu, 9 Jan 2025 13:17:53 -0800 Subject: [PATCH 4/5] Update values file w/ new changes + an example team --- cost-analyzer/values.yaml | 40 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index 5b7cdc600..b092b628a 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -351,7 +351,6 @@ saml: # authSecretName: "" # Name of K8s secret where the authSecret will be stored. Defaults to "kubecost-saml-secret" if not provided. rbac: enabled: false - teamsEnabled: false # groups: # - name: admin # enabled: false # If admin is disabled, all SAML users will be able to make configuration changes to the Kubecost frontend @@ -388,7 +387,6 @@ oidc: hostedDomain: "" # Optional, blocks access to the auth domain specified in the hd claim of the provider ID token rbac: enabled: false - teamsEnabled: false # groups: # - name: admin # Admins have permissions to edit Kubecost settings and save reports # enabled: false 
@@ -407,6 +405,44 @@ oidc: # claimValues: # - "editor" +rbacTeams: + enabled: false + # teamsConfig: + # - id: '' + # name: helm-team + # roles: + # - id: '' + # name: helm-role + # description: helm configrured role + # pages: + # showOverview: true + # showAllocation: true + # showAsset: true + # showCloudCost: true + # showClusters: true + # showExternalCosts: true + # showNetwork: true + # showCollections: true + # showReports: true + # showInsights: true + # showActions: true + # showAlerts: true + # showBudgets: true + # showAnomalies: true + # showEfficiency: true + # showSettings: true + # permissions: admin + # routes: [] + # allocationFilters: + # - key: cluster + # operator: ":" + # value: cluster-one + # assetFilters: [] + # cloudCostFilters: [] + # claims: + # NameID: email@domain.com + + ## Adds the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables to all ## containers. Typically used in environments that have firewall rules which ## prevent kubecost from accessing cloud provider resources. From e85b0e66279095f98f234f4d9ee854275fb9b532 Mon Sep 17 00:00:00 2001 From: Kaelan Patel Date: Thu, 9 Jan 2025 15:41:15 -0800 Subject: [PATCH 5/5] Fix indent --- cost-analyzer/values.yaml | 70 +++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index b092b628a..e655e1646 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml 
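Review bot: `rbacTeams.enabled: false` is added without a comment, although it is the flag with the most preconditions in the chart: per the `rbacTeamsEnabled` helper it only takes effect when `saml.enabled` or `oidc.enabled` is true and both `saml.rbac.enabled` and `oidc.rbac.enabled` are false, and `teamsConfig` is rendered verbatim into a ConfigMap as JSON. A comment alongside the key stating those preconditions, that the two RBAC modes are mutually exclusive, and that `teamsConfig` is optional would save operators a silent no-op. In the example, `helm configrured role` has a typo (`configured`), and `email@domain.com` points at a real domain — `email@example.com` is the conventional placeholder.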
@@ -406,41 +406,41 @@ oidc: # - "editor" rbacTeams: - enabled: false - # teamsConfig: - # - id: '' - # name: helm-team - # roles: - # - id: '' - # name: helm-role - # description: helm configrured role - # pages: - # showOverview: true - # showAllocation: true - # showAsset: true - # showCloudCost: true - # showClusters: true - # showExternalCosts: true - # showNetwork: true - # showCollections: true - # showReports: true - # showInsights: true - # showActions: true - # showAlerts: true - # showBudgets: true - # showAnomalies: true - # showEfficiency: true - # showSettings: true - # permissions: admin - # routes: [] - # allocationFilters: - # - key: cluster - # operator: ":" - # value: cluster-one - # assetFilters: [] - # cloudCostFilters: [] - # claims: - # NameID: email@domain.com + enabled: false + # teamsConfig: + # - id: '' + # name: helm-team + # roles: + # - id: '' + # name: helm-role + # description: helm configrured role + # pages: + # showOverview: true + # showAllocation: true + # showAsset: true + # showCloudCost: true + # showClusters: true + # showExternalCosts: true + # showNetwork: true + # showCollections: true + # showReports: true + # showInsights: true + # showActions: true + # showAlerts: true + # showBudgets: true + # showAnomalies: true + # showEfficiency: true + # showSettings: true + # permissions: admin + # routes: [] + # allocationFilters: + # - key: cluster + # operator: ":" + # value: cluster-one + # assetFilters: [] + # cloudCostFilters: [] + # claims: + # NameID: email@domain.com ## Adds the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables to all