From 5fa28b484ca06c7e332484502942c9ed1604db4e Mon Sep 17 00:00:00 2001 From: Cliff Colvin Date: Mon, 16 Dec 2024 07:32:53 -0600 Subject: [PATCH 01/10] bump modeling 0.1.19 fix cve-2024-12254 Signed-off-by: Cliff Colvin --- cost-analyzer/values-eks-cost-monitoring.yaml | 2 +- cost-analyzer/values.yaml | 2 +- kubecost.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cost-analyzer/values-eks-cost-monitoring.yaml b/cost-analyzer/values-eks-cost-monitoring.yaml index 75181b4ba..1eece0085 100644 --- a/cost-analyzer/values-eks-cost-monitoring.yaml +++ b/cost-analyzer/values-eks-cost-monitoring.yaml @@ -18,7 +18,7 @@ kubecostModel: image: public.ecr.aws/kubecost/cost-model forecasting: - fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.18 + fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.19 networkCosts: image: diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index b3f53bae5..945532446 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -1509,7 +1509,7 @@ forecasting: # fullImageName overrides the default image construction logic. The exact # image provided (registry, image, tag) will be used for the forecasting # container. - fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.18 + fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.19 imagePullPolicy: IfNotPresent # Resource specification block for the forecasting container. diff --git a/kubecost.yaml b/kubecost.yaml index ac9cc1b9d..1440d5dde 100644 --- a/kubecost.yaml +++ b/kubecost.yaml @@ -23569,7 +23569,7 @@ spec: restartPolicy: Always containers: - name: forecasting - image: gcr.io/kubecost1/kubecost-modeling:v0.1.16 + image: gcr.io/kubecost1/kubecost-modeling:v0.1.19 volumeMounts: - name: tmp mountPath: /tmp From 187c747965c83fd4ceda15006258054e3020ced9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Dec 2024 18:35:06 +0000 Subject: [PATCH 02/10] Bump prometheus-operator/prometheus-config-reloader in /cost-analyzer Bumps prometheus-operator/prometheus-config-reloader from v0.79.1 to v0.79.2. --- updated-dependencies: - dependency-name: prometheus-operator/prometheus-config-reloader dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- cost-analyzer/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index bb2fc2919..6e498e7b6 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -1088,7 +1088,7 @@ prometheus: name: configmap-reload image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.79.1 + tag: v0.79.2 pullPolicy: IfNotPresent extraArgs: {} extraVolumeDirs: [] @@ -1101,7 +1101,7 @@ prometheus: name: configmap-reload image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.79.1 + tag: v0.79.2 pullPolicy: IfNotPresent extraArgs: {} extraVolumeDirs: [] From 690e79de8a0f99b4d1e7f5f34256e4bf042ec426 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Dec 2024 18:47:29 +0000 Subject: [PATCH 03/10] Bump helm/kind-action from 1.11.0 to 1.12.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.11.0 to 1.12.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/ae94020eaf628e9b9b9f341a10cc0cdcf5c018fb...a1b0e391336a6ee6713a0583f8c6240d70863de3) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/chart.yaml | 2 +- .github/workflows/upgrade.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index a12104703..0288bd1bb 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -86,7 +86,7 @@ jobs: uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Create KinD cluster - uses: helm/kind-action@ae94020eaf628e9b9b9f341a10cc0cdcf5c018fb # v1.11.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 with: version: v0.20.0 node_image: kindest/node:${{ matrix.k8s-version.version }} diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml index 4dec2d14b..05b5a570f 100644 --- a/.github/workflows/upgrade.yaml +++ b/.github/workflows/upgrade.yaml @@ -68,7 +68,7 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Create KinD cluster - uses: helm/kind-action@ae94020eaf628e9b9b9f341a10cc0cdcf5c018fb # v1.11.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 with: version: v0.23.0 node_image: kindest/node:v1.28.9 From cb96f2d0d1aa0f46a6eaf0f17e07b75b0a9f20cf Mon Sep 17 00:00:00 2001 From: Ishaan Mittal Date: Fri, 3 Jan 2025 21:49:48 +0530 Subject: [PATCH 04/10] remove extra tab spaces in Helm values file (#3793) --- cost-analyzer/values.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index 6e498e7b6..f87aff1f1 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml 
@@ -253,11 +253,11 @@ global: annotations: {} # Add annotations to the Route. # host: kubecost.apps.okd4.example.com # Add a custom host for your Route. - # OPTIONAL. The following configs only to be enabled when using a Prometheus instance already installed in the cluster. - createMonitoringClusterRoleBinding: false # Create a ClusterRoleBinding to grant the Kubecost serviceaccount access to query Prometheus. - createMonitoringResourceReaderRoleBinding: false # Create a Role and Role Binding to allow Prometheus to list and watch Kubecost resources. - monitoringServiceAccountName: prometheus-k8s # Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding. - monitoringServiceAccountNamespace: openshift-monitoring # Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding. + # OPTIONAL. The following configs only to be enabled when using a Prometheus instance already installed in the cluster. + createMonitoringClusterRoleBinding: false # Create a ClusterRoleBinding to grant the Kubecost serviceaccount access to query Prometheus. + createMonitoringResourceReaderRoleBinding: false # Create a Role and Role Binding to allow Prometheus to list and watch Kubecost resources. + monitoringServiceAccountName: prometheus-k8s # Name of the Prometheus serviceaccount to bind to the Resource Reader Role Binding. + monitoringServiceAccountNamespace: openshift-monitoring # Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding. # Create Security Context Constraint resources for the DaemonSets requiring additional privileges. scc: From e86c9ee256c6181f34764660cc75f6da631c0e1d Mon Sep 17 00:00:00 2001 
From: Ishaan Mittal Date: Fri, 3 Jan 2025 22:01:07 +0530 Subject: [PATCH 05/10] update ca cert in cloud cost and aggregator too (#3794) --- cost-analyzer/templates/_helpers.tpl | 14 +++++++ .../aggregator-cloud-cost-deployment.yaml | 41 ++++++++++++++++++ .../templates/aggregator-statefulset.yaml | 42 +++++++++++++++++++ 3 files changed, 97 insertions(+) diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl index 67ff512f5..a62f7ef54 100755 --- a/cost-analyzer/templates/_helpers.tpl +++ b/cost-analyzer/templates/_helpers.tpl @@ -1011,6 +1011,13 @@ Begin Kubecost 2.0 templates - name: postgres-queries mountPath: /var/configs/integrations/postgres-queries {{- end }} + {{- if .Values.global.updateCaTrust.enabled }} + - name: ca-certs-secret + mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }} + - name: ssl-path + mountPath: "/etc/pki/ca-trust/extracted" + readOnly: false + {{- end }} {{- /* Only adds extraVolumeMounts if aggregator is running as its own pod */}} {{- if and .Values.kubecostAggregator.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }} {{- toYaml .Values.kubecostAggregator.extraVolumeMounts | nindent 4 }} @@ -1288,6 +1295,13 @@ Begin Kubecost 2.0 templates name: plugins-config readOnly: true {{- end }} + {{- if .Values.global.updateCaTrust.enabled }} + - name: ca-certs-secret + mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }} + - name: ssl-path + mountPath: "/etc/pki/ca-trust/extracted" + readOnly: false + {{- end }} {{- /* Only adds extraVolumeMounts when cloudcosts is running as its own pod */}} {{- if and .Values.kubecostAggregator.cloudCost.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }} {{- toYaml .Values.kubecostAggregator.cloudCost.extraVolumeMounts | nindent 4 }} 
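Review bot: The `ssl-path` mount added in the hunk at -1011 (and again in the hunk at -1288, which appears to be the cloud-cost container template) is explicitly `readOnly: false`, so the extracted CA trust store stays writable by the long-running container after the init container has populated it. Unless the process is known to write under `/etc/pki/ca-trust/extracted` at runtime, which these hunks do not show, the mount should be `readOnly: true` so that a compromised workload cannot alter its own trust anchors. Only the `update-ca-trust` init container needs write access to that emptyDir. Both template definitions begin and end outside the hunks, so this is judged from the added lines alone.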
diff --git a/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml b/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml index c862f9c34..a8461c0d2 100644 --- a/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml +++ b/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml @@ -124,6 +124,19 @@ spec: - name: tmp emptyDir: {} {{- end }} + {{- if .Values.global.updateCaTrust.enabled }} + - name: ca-certs-secret + {{- if .Values.global.updateCaTrust.caCertsSecret }} + secret: + defaultMode: 420 + secretName: {{ .Values.global.updateCaTrust.caCertsSecret }} + {{- else }} + configMap: + name: {{ .Values.global.updateCaTrust.caCertsConfig }} + {{- end }} + - name: ssl-path + emptyDir: {} + {{- end }} {{- if .Values.kubecostAggregator.cloudCost.extraVolumes }} {{- toYaml .Values.kubecostAggregator.cloudCost.extraVolumes | nindent 8 }} {{- end }} @@ -141,6 +154,34 @@ spec: - name: plugins-dir mountPath: {{ .Values.kubecostModel.plugins.folder }} {{- end }} + {{- if .Values.global.updateCaTrust.enabled }} + - name: update-ca-trust + image: {{ include "cost-model.image" . | trim | quote}} + {{- if .Values.kubecostModel.imagePullPolicy }} + imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }} + {{- else }} + imagePullPolicy: Always + {{- end }} + {{- with .Values.global.updateCaTrust.securityContext }} + securityContext: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.global.updateCaTrust.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + command: + - 'sh' + - '-c' + - > + mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem}; + /usr/bin/update-ca-trust extract; + volumeMounts: + - name: ca-certs-secret + mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }} + - name: ssl-path + mountPath: "/etc/pki/ca-trust/extracted" + readOnly: false + {{- end}} containers: {{- include "aggregator.cloudCost.containerTemplate" . | nindent 8 }} {{- if .Values.imagePullSecrets }} 
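Review bot: The `ca-certs-secret` volume falls through to `configMap` whenever `caCertsSecret` is unset, and `name: {{ .Values.global.updateCaTrust.caCertsConfig }}` then renders an empty name if `caCertsConfig` is unset as well. With `updateCaTrust.enabled` true and neither value given, the chart would render a manifest that fails only at apply time or pod start, unless the values are validated elsewhere in the chart (not visible here). A render-time guard makes the misconfiguration explicit: `name: {{ required "global.updateCaTrust.caCertsSecret or caCertsConfig must be set" .Values.global.updateCaTrust.caCertsConfig | quote }}`. The same volume block is added in the aggregator-statefulset.yaml hunk.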
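Review bot: The `update-ca-trust` init container runs `mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem}` under `sh -c`, and brace expansion is not a POSIX shell feature. If `sh` in the cost-model image is not bash-compatible (the image is not visible here), this creates a single directory with the literal brace name, and because the commands are joined with `;` the following `update-ca-trust extract` runs regardless of how `mkdir` ended. Spelling the paths out and chaining on success removes both assumptions: `mkdir -p /etc/pki/ca-trust/extracted/edk2 /etc/pki/ca-trust/extracted/java /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/pem && /usr/bin/update-ca-trust extract`. The same command is added in the aggregator-statefulset.yaml hunk.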
diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 3432d13e6..2ccc0c502 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml @@ -181,9 +181,51 @@ spec: secret: secretName: kubecost-integrations-turbonomic {{- end }} + {{- if .Values.global.updateCaTrust.enabled }} + - name: ca-certs-secret + {{- if .Values.global.updateCaTrust.caCertsSecret }} + secret: + defaultMode: 420 + secretName: {{ .Values.global.updateCaTrust.caCertsSecret }} + {{- else }} + configMap: + name: {{ .Values.global.updateCaTrust.caCertsConfig }} + {{- end }} + - name: ssl-path + emptyDir: {} + {{- end }} {{- if .Values.kubecostAggregator.extraVolumes }} {{- toYaml .Values.kubecostAggregator.extraVolumes | nindent 8 }} {{- end }} + initContainers: + {{- if .Values.global.updateCaTrust.enabled }} + - name: update-ca-trust + image: {{ include "cost-model.image" . | trim | quote}} + {{- if .Values.kubecostModel.imagePullPolicy }} + imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }} + {{- else }} + imagePullPolicy: Always + {{- end }} + {{- with .Values.global.updateCaTrust.securityContext }} + securityContext: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.global.updateCaTrust.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + command: + - 'sh' + - '-c' + - > + mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem}; + /usr/bin/update-ca-trust extract; + volumeMounts: + - name: ca-certs-secret + mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }} + - name: ssl-path + mountPath: "/etc/pki/ca-trust/extracted" + readOnly: false + {{- end}} containers: {{- include "aggregator.containerTemplate" . | nindent 8 }} From dc11c452df9d38149b8c10e31447a104c477ec60 Mon Sep 17 00:00:00 2001 From: Cliff Colvin Date: Fri, 3 Jan 2025 10:32:31 -0600 Subject: [PATCH 06/10] bump cluster controller 
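Review bot: The new `initContainers:` key is emitted outside the `{{- if .Values.global.updateCaTrust.enabled }}` guard, so with the feature disabled the StatefulSet renders `initContainers:` with no value. That null is likely tolerated by the API server but may be flagged by strict manifest validation or policy tooling, and it differs from the cloud-cost deployment, where the container is appended to what looks like an already populated list. Moving the guard one line up, so that `{{- if .Values.global.updateCaTrust.enabled }}` precedes `initContainers:`, keeps the key out of the rendered manifest when there is nothing to put in it.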
Signed-off-by: Cliff Colvin --- cost-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index f87aff1f1..2fc0aaf05 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -1822,7 +1822,7 @@ clusterController: enabled: false image: repository: gcr.io/kubecost1/cluster-controller - tag: v0.16.10 + tag: v0.16.11 imagePullPolicy: IfNotPresent priorityClassName: "" tolerations: [] From 570dda71ccee1f656baa456221b814c5e6273626 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Jan 2025 18:26:53 +0000 Subject: [PATCH 07/10] Bump kiwigrid/k8s-sidecar from 1.28.1 to 1.28.4 in /cost-analyzer Bumps [kiwigrid/k8s-sidecar](https://github.com/kiwigrid/k8s-sidecar) from 1.28.1 to 1.28.4. - [Release notes](https://github.com/kiwigrid/k8s-sidecar/releases) - [Commits](https://github.com/kiwigrid/k8s-sidecar/compare/1.28.1...1.28.4) --- updated-dependencies: - dependency-name: kiwigrid/k8s-sidecar dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- cost-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index 2fc0aaf05..aedac7522 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -2077,7 +2077,7 @@ grafana: sidecar: image: repository: ghcr.io/kiwigrid/k8s-sidecar - tag: 1.28.1 + tag: 1.28.4 pullPolicy: IfNotPresent resources: {} dashboards: From 3695244ccb4ec6118870f4edb131398c5dc1b863 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Jan 2025 18:50:41 +0000 Subject: [PATCH 08/10] Bump prometheus/prometheus from v3.0.1 to v3.1.0 in /cost-analyzer Bumps [prometheus/prometheus](https://github.com/prometheus/prometheus) from v3.0.1 to v3.1.0. - [Release notes](https://github.com/prometheus/prometheus/releases) - [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/prometheus/compare/v3.0.1...v3.1.0) --- updated-dependencies: - dependency-name: prometheus/prometheus dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- cost-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index c94cc9592..3c98902fb 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -853,7 +853,7 @@ prometheus: rollingUpdate: null image: repository: quay.io/prometheus/prometheus - tag: v3.0.1 + tag: v3.1.0 pullPolicy: IfNotPresent priorityClassName: "" prefixURL: "" From 360c5802d132ee182e87cf545cdd282dfbeb4d3b Mon Sep 17 00:00:00 2001 From: jesse goodier <31039225+jessegoodier@users.noreply.github.com> Date: Wed, 15 Jan 2025 15:33:12 -0500 Subject: [PATCH 09/10] remove unused timezone offset values --- cost-analyzer/templates/cost-analyzer-deployment-template.yaml | 2 -- cost-analyzer/values.yaml | 1 - 2 files changed, 3 deletions(-) diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index ae4abf4eb..48068445c 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml 
@@ -985,8 +985,6 @@ spec: value: {{ (quote .Values.persistentVolume.enabled) | default (quote true) }} - name: MAX_QUERY_CONCURRENCY value: {{ (quote .Values.kubecostModel.maxQueryConcurrency) | default (quote 5) }} - - name: UTC_OFFSET - value: {{ (quote .Values.kubecostModel.utcOffset) | default (quote ) }} {{- if .Values.networkCosts }} {{- if .Values.networkCosts.enabled }} - name: NETWORK_COSTS_PORT diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index 3c98902fb..d14a694b6 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -685,7 +685,6 @@ kubecostModel: # - name: ASSET_INCLUDE_LOCAL_DISK_COST # value: "true" - utcOffset: "+00:00" extraPorts: [] ## etlUtils is a utility typically used by Enterprise customers transitioning From 492878dccff0f3d51d007e0e59c3e0a21eccea0a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 01:53:00 +0000 Subject: [PATCH 10/10] Bump kiwigrid/k8s-sidecar from 1.28.4 to 1.29.0 in /cost-analyzer Bumps [kiwigrid/k8s-sidecar](https://github.com/kiwigrid/k8s-sidecar) from 1.28.4 to 1.29.0. - [Release notes](https://github.com/kiwigrid/k8s-sidecar/releases) - [Commits](https://github.com/kiwigrid/k8s-sidecar/compare/1.28.4...1.29.0) --- updated-dependencies: - dependency-name: kiwigrid/k8s-sidecar dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- cost-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml index d14a694b6..dd735726c 100644 --- a/cost-analyzer/values.yaml +++ b/cost-analyzer/values.yaml @@ -2076,7 +2076,7 @@ grafana: sidecar: image: repository: ghcr.io/kiwigrid/k8s-sidecar - tag: 1.28.4 + tag: 1.29.0 pullPolicy: IfNotPresent resources: {} dashboards: