Add configs to mount custom ca certs to opencost container (#303)

* Add configs to mount custom ca certs to opencost container
Signed-off-by: Ishaan Mittal <ishaanmittal123@gmail.com>

Author: mittal-ishaan

charts/opencost/Chart.yaml

@@ -4,16 +4,16 @@ name: opencost
 description: OpenCost and OpenCost UI
 type: application
 keywords:
-  - cloud-costs
-  - cost-optimization
-  - finops
-  - monitoring
-  - opencost
-version: 2.2.9
+- cloud-costs
+- cost-optimization
+- finops
+- monitoring
+- opencost
+version: 2.3.0
 maintainers:
-  - name: jessegoodier
-  - name: toscott
-  - name: mittal-ishaan
-  - name: brito-rafa
-    email: rafa@stormforge.io
+- name: jessegoodier
+- name: toscott
+- name: mittal-ishaan
+- name: brito-rafa
+  email: rafa@stormforge.io
 home: https://github.com/opencost/opencost-helm-chart

charts/opencost/README.md

@@ -215,6 +215,11 @@ $ helm install opencost opencost/opencost
 | opencost.ui.uiPath | string | `/` | Base path for serving the UI. Requires building a custom image using the build argument "ui_path". |
 | opencost.ui.useDefaultFqdn | bool | `false` |  |
 | opencost.ui.useIPv6 | bool | `true` |  |
+| opencost.updateCaTrust.enabled | bool | `false` | Enable update of CA trust(Mount custom CA certificates to the opencost container) |
+| opencost.updateCaTrust.securityContext | object | `{}` | Security context for the init container that mounts the custom CA certificates |
+| opencost.updateCaTrust.caCertsSecret | string | `"ca-certs-secret"` | Name of the Secret containing custom CA certificates to mount to the opencost container |
+| opencost.updateCaTrust.caCertsConfig | string | `"ca-certs-config"` | Name of the ConfigMap containing CA certificates to mount to the opencost container |
+| opencost.updateCaTrust.resources | object | `{}` | Resources for the init container |
 | pdb.enabled | bool | `false` |  |
 | pdb.minAvailable | int | `nil` | Minimum number of pods that must be available after the eviction |
 | pdb.maxUnavailable | int | `nil` | Maximum number of pods that can be unavailable after the eviction |

charts/opencost/templates/_helpers.tpl

@@ -222,3 +222,12 @@ apiVersion: networking.k8s.io/v1beta1
 {{- $checksum | sha256sum -}}
 {{- end -}}
 
+{{- define "opencost.caCertsSecretConfig.check" }}
+  {{- if .Values.opencost.updateCaTrust.enabled }}
+    {{- if and .Values.opencost.updateCaTrust.caCertsSecret .Values.opencost.updateCaTrust.caCertsConfig }}
+      {{- fail "Both caCertsSecret and caCertsConfig are defined. Please specify only one." }}
+    {{- else if and (not .Values.opencost.updateCaTrust.caCertsSecret) (not .Values.opencost.updateCaTrust.caCertsConfig) }}
+      {{- fail "Neither caCertsSecret nor caCertsConfig is defined, but updateCaTrust is enabled. Please specify one." }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/opencost/templates/deployment.yaml

@@ -1,5 +1,6 @@
 {{- include  "isPrometheusConfigValid" . }}
 {{- include  "kubeRBACProxyBearerTokenCheck" . }}
+{{ include "opencost.caCertsSecretConfig.check" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -50,20 +51,44 @@ spec:
       {{- with.Values.opencost.topologySpreadConstraints }}
       topologySpreadConstraints: {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if (and .Values.plugins.enabled .Values.plugins.install.enabled )}}
       initContainers:
+        {{- if (and .Values.plugins.enabled .Values.plugins.install.enabled ) }}
         - name: plugin-installer
           image: {{ .Values.plugins.install.fullImageName }}
           command: ["sh", "/install/install_plugins.sh"]
-      {{- with .Values.plugins.install.securityContext }}
+          {{- with .Values.plugins.install.securityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
-      {{- end }}
+          {{- end }}
           volumeMounts:
             - name: install-script
               mountPath: /install
             - name: plugins-dir
               mountPath: {{ .Values.plugins.folder }}
-      {{- end }}
+        {{- end }}
+        {{- if .Values.opencost.updateCaTrust.enabled }}
+        - name: update-ca-trust
+          image: {{ include "opencost.fullImageName" . }}
+          imagePullPolicy: {{ .Values.opencost.exporter.image.pullPolicy }}
+          {{- with .Values.opencost.updateCaTrust.securityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.opencost.updateCaTrust.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          command:
+            - 'sh'
+            - '-c'
+            - >
+              mkdir -p /etc/ssl/certs;
+              update-ca-certificates;
+          volumeMounts:
+            - name: ca-certs-secret
+              mountPath: "/usr/local/share/ca-certificates"
+            - name: ssl-path
+              mountPath: "/etc/ssl/certs"
+              readOnly: false
+          {{- end}}
       containers:
         - name: {{ include "opencost.fullname" . }}
           image: {{ include "opencost.fullImageName" . }}
@@ -281,7 +306,7 @@ spec:
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
-          {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.opencost.exporter.extraVolumeMounts .Values.opencost.customPricing.enabled .Values.opencost.cloudIntegrationSecret}}
+          {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.opencost.exporter.extraVolumeMounts .Values.opencost.customPricing.enabled .Values.opencost.cloudIntegrationSecret .Values.opencost.updateCaTrust.enabled}}
           volumeMounts:
             {{- if .Values.plugins.enabled }}
             - mountPath: /opt/opencost/plugin
@@ -315,6 +340,13 @@ spec:
             - name: cloud-integration
               mountPath: /var/configs/cloud-integration
             {{- end }}
+            {{- if .Values.opencost.updateCaTrust.enabled }}
+            - name: ca-certs-secret
+              mountPath: "/usr/local/share/ca-certificates"
+            - name: ssl-path
+              mountPath: "/etc/ssl/certs"
+              readOnly: false
+            {{- end }}
             {{- with .Values.opencost.exporter.extraVolumeMounts }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -412,7 +444,7 @@ spec:
           {{- toYaml . | nindent 12 }}
           {{- end }}
         {{- end }}
-      {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.extraVolumes .Values.opencost.customPricing.enabled .Values.opencost.cloudIntegrationSecret .Values.opencost.ui.enabled }}
+      {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.extraVolumes .Values.opencost.customPricing.enabled .Values.opencost.cloudIntegrationSecret .Values.opencost.ui.enabled .Values.opencost.updateCaTrust.enabled }}
       volumes:
         {{- if .Values.plugins.enabled  }}
         {{- if .Values.plugins.install.enabled}}
@@ -461,6 +493,19 @@ spec:
           emptyDir: {}
         {{- end }}
         {{- end }}
+        {{- if .Values.opencost.updateCaTrust.enabled }}
+        - name: ca-certs-secret
+          {{- if .Values.opencost.updateCaTrust.caCertsSecret }}
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.opencost.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.opencost.updateCaTrust.caCertsConfig }}
+          {{- end }}
+        - name: ssl-path
+          emptyDir: {}
+        {{- end }}
         {{- with .Values.extraVolumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}

charts/opencost/values.yaml

@@ -209,7 +209,6 @@ opencost:
     # Path of CSV file
     csv_path: ""
 
-
     prometheusDataSource:
       # Set the resolution in second that prometheus queries will be performed at
       queryResolutionSeconds: 300
@@ -269,10 +268,10 @@ opencost:
       # -- A list of host rules used to configure the Ingress
       # @default -- See [values.yaml](values.yaml)
       hosts:
-        - host: example.local
-          paths:
-            - path: /
-              pathType: Prefix
+      - host: example.local
+        paths:
+        - path: /
+          pathType: Prefix
       # -- Redirect ingress to an extraPort defined on the service such as oauth-proxy
       servicePort: http
       # servicePort: oauth-proxy
@@ -324,7 +323,6 @@ opencost:
     # -- The max number of days that any single query will be made to construct Cloud Costs
     queryWindowDays: 7
 
-
   metrics:
     kubeStateMetrics:
       # -- (bool) Enable emission of pod annotations
@@ -394,7 +392,7 @@ opencost:
     bearer_token_key: DB_BEARER_TOKEN
     # -- If true, opencost will use kube-rbac-proxy to authenticate with in cluster Prometheus for openshift
     kubeRBACProxy: false
-     # -- Whether to disable SSL certificate verification
+    # -- Whether to disable SSL certificate verification
     insecureSkipVerify: false
     external:
       # -- Use external Prometheus (eg. Grafana Cloud)
@@ -416,7 +414,7 @@ opencost:
       scheme: http
     amp:
       # -- Use Amazon Managed Service for Prometheus (AMP)
-      enabled: false  # If true, opencost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
+      enabled: false # If true, opencost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
       # -- Workspace ID for AMP
       workspaceId: ""
     thanos:
@@ -520,9 +518,9 @@ opencost:
       # -- A list of host rules used to configure the Ingress
       # @default -- See [values.yaml](values.yaml)
       hosts:
-        - host: example.local
-          paths:
-            - /
+      - host: example.local
+        paths:
+        - /
       # -- Redirect ingress to an extraPort defined on the service such as oauth-proxy
       servicePort: http-ui
       # servicePort: oauth-proxy
@@ -602,6 +600,21 @@ opencost:
     #       protocol: TCP
     #   resources: {}
 
+  updateCaTrust:
+    enabled: false
+    ## Security context settings for the init container.
+    securityContext:
+      runAsUser: 0
+      runAsGroup: 0
+      runAsNonRoot: false
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      seccompProfile:
+        type: RuntimeDefault
+    caCertsSecret: ca-certs-secret # The name of the Secret containing custom CA certificates to mount to the opencost container.
+    # caCertsConfig: ca-certs-config  # The name of the ConfigMap containing the CA trust configuration.
+    resources: {}
+
   platforms:
     openshift:
       # -- Enable OpenShift specific configurations