Cloudzero · dmepham · Nov 14, 2024 · Nov 11, 2024 · Nov 11, 2024 · Nov 11, 2024
@@ -2,8 +2,8 @@ dependencies:
 - name: kube-state-metrics
   repository: https://prometheus-community.github.io/helm-charts
   version: 5.15.3
-- name: prometheus-node-exporter
-  repository: https://prometheus-community.github.io/helm-charts
-  version: 4.24.0
-digest: sha256:827a33fa07fde17be0bf808e0beba3ca7b23c9fc1960580b2ba6d0ecc0b57a3f
-generated: "2024-03-20T11:42:44.034766-04:00"
+- name: insights-controller
+  repository: file:///Users/daniel.mepham/cloudzero/cloudzero-charts/charts/cloudzero-insights-controller/
+  version: 0.0.1
+digest: sha256:9f1e04b36572f13aeece7dae1e0345b3141055d8e385985c24136102653acdc0
+generated: "2024-11-08T11:45:14.430851+01:00"
@@ -12,7 +12,8 @@ dependencies:
     version: "5.15.*"
     repository: https://prometheus-community.github.io/helm-charts
     condition: kube-state-metrics.enabled
-  - name: prometheus-node-exporter
-    version: "4.24.*"
-    repository: https://prometheus-community.github.io/helm-charts
-    condition: prometheus-node-exporter.enabled
+  - name: cloudzero-insights-controller
+    version: "0.0.1"
+    repository: https://cloudzero.github.io/cloudzero-charts
+    condition: cloudzero-insights-controller.enabled
+    alias: tags
@@ -31,16 +31,55 @@ _See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentati
 
 The chart can be installed directly with Helm or any other common Kubernetes deployment tools.
 
-If installing with Helm directly, the following command will install the chart:
+If installing with Helm directly, execute the following steps:
 
+1. Ensure that the most recent chart version is available:
+```console
+helm repo update
+```
+
+2. Ensure that required CRDs are installed for certifiacte management. If you have more specific requirements around managing TLS certificates, see the **Certificate Management** secion below.
 ```console
 helm install <RELEASE_NAME> cloudzero/cloudzero-agent \
-    --set existingSecretName=<NAME_OF_SECRET> \
-    --set clusterName=<CLUSTER_NAME> \
-    --set-string cloudAccountId=<CLOUD_ACCOUNT_ID> \
-    --set region=<REGION> \
-    # optionally deploy kube-state-metrics if it doesn't exist in the cluster already
-    --set kube-state-metrics.enabled=<true|false>
+    --set tags.webhook.issuer.enabled=false \
+    --set tags.webhook.certificate.enabled=false \
+    --set tags.cert-manager.installCRDs=true
+```
+
+3. Fill out all required fields in the `configuration.example.yaml` file in this directory. Rename the file as necessary. Below is an example of a completed configuration file:
+```yaml
+# -- Account ID of the account the cluster is running in. This must be a string - even if it is a number in your system.
+cloudAccountId: YOUR_CLOUD_ACCOUNT_ID
+# -- Name of the clusters.
+clusterName: YOUR_CLUSTER_NAME
+# -- Region the cluster is running in.
+region: YOUR_CLOUD_REGION
+# -- CloudZero API key. Required if useExistingSecret is false.
+apiKey: YOUR_CLOUDZERO_API_KEY
+# -- If set, the agent will use the API key in this Secret to authenticate with CloudZero.
+existingSecretName: YOUR_EXISTING_API_KEY_K8S_SECRET
+
+# label and annotation configuration:
+tags:
+  # -- By default, a ValidatingAdmissionWebhook will be deployed that records all created labels and annotations
+  enabled: true
+  labels:
+    # -- This value MUST be set to either true or false. The installation will fail otherwise
+    enabled: true
+    # -- This value MUST be set to a list of regular expressions which will be used to gather labels from pods, deployments, statefulsets, daemonsets, cronjobs, jobs, nodes, and namespaces
+    patterns:
+      - '^foo' # -- match all labels whose key starts with "foo"
+      - 'bar$' # -- match all labels whose key ends with "bar"
+  annotations:
+    # -- By default, the gathering of annotations is not enabled. To enable, set this field to true
+    enabled: false
+    patterns:
+      - '.*'
+```
+
+4. Install the helm chart using the completed configuration file:
+```console
+helm install <RELEASE_NAME> cloudzero/cloudzero-agent -f configuration.example.yaml
 ```
 
 ### Update Helm Chart
@@ -53,12 +92,7 @@ helm repo update
 Next, upgrade the installation to the latest chart version:
 
 ```console
-helm upgrade <RELEASE_NAME> cloudzero/cloudzero-agent \
-    --set existingSecretName=<NAME_OF_SECRET> \
-    --set clusterName=<CLUSTER_NAME> \
-    --set-string cloudAccountId=<CLOUD_ACCOUNT_ID> \
-    --set region=<REGION> \
-    --set kube-state-metrics.enabled=<true|false>
+helm upgrade --install <RELEASE_NAME> cloudzero/cloudzero-agent -f configuration.example.yaml
 ```
 
 ### Mandatory Values
@@ -73,10 +107,12 @@ There are several mandatory values that must be specified for the chart to insta
 | apiKey            | string | `nil`                 | The CloudZero API key to use for exporting metrics. Only used if `existingSecretName` is not set.                       |
 | existingSecretName| string | `nil`                 | Name of the secret that contains the CloudZero API key. Required if not providing the API key via `apiKey`.             |
 | region            | string | `nil`                 | Region where the cluster is running (e.g., `us-east-1`, `eastus`). For more information, see AWS or Azure documentation. |
+| tags.labels.enabled            | string | `nil`                 | If enabled, labels for pods, deployments, statefulsets, daemonsets, cronjobs, jobs, nodes, and namespaces |
+| tags.labels.patterns            | string | `nil`                 | An array of regular expressions, which are used to match specific label keys |
 
 #### Overriding Default Values
 
-Default values are specified in the chart's `values.yaml` file. If you need to change any of these values, it is recommended to create a `values-override.yaml` file for your customizations.
+Default values are specified in the chart's `values.yaml` file. If you need to change any of these values, it is recommended to create a `values-override.yaml` based on the `configuration.example.yaml`  file for your customizations.
 
 ##### Using the `--values` Flag
 

@@ -0,0 +1,26 @@
+# -- Account ID of the account the cluster is running in. This must be a string - even if it is a number in your system.
+cloudAccountId: null
+# -- Name of the clusters.
+clusterName: null
+# -- Region the cluster is running in.
+region: null
+# -- CloudZero API key. Required if useExistingSecret is false.
+apiKey: null
+# -- If set, the agent will use the API key in this Secret to authenticate with CloudZero.
+existingSecretName: null
+
+# label and annotation configuration:
+tags:
+  # -- By default, a ValidatingAdmissionWebhook will be deployed that records all created labels and annotations
+  enabled: true
+  labels:
+    # -- This value MUST be set to either true or false. The installation will fail otherwise
+    enabled: null
+    # -- This value MUST be set to a list of regular expressions which wil lbe used to gather labels from pods, deployments, statefulsets, daemonsets, cronjobs, jobs, nodes, and namespaces
+    patterns:
+      # - '.*' # -- This option enables gathering ALL labels from the above resources. Use with caution, as the number of labels can be large.
+  annotations:
+    # -- By default, the gathering of annotations is not enabled. To enable, set this field to true
+    enabled: false
+    patterns:
+      - '.*'
@@ -23,7 +23,11 @@ Create chart name and version as used by the chart label.
 {{- end}}
 
 {{ define "cloudzero-agent.configMapName" -}}
-{{ .Values.prometheusConfig.configMapNameOverride | default (printf "%s-configuration" .Release.Name) }}
+{{ .Values.configMapNameOverride | default (printf "%s-configuration" .Release.Name) }}
+{{- end}}
+
+{{ define "cloudzero-agent.cloudzeroConfigMapName" -}}
+{{ .Values.cloudzeroConfigMapNameOverride | default (printf "%s-cloudzero-configuration" .Release.Name) }}
 {{- end}}
 
 {{ define "cloudzero-agent.validatorConfigMapName" -}}

@@ -166,3 +166,23 @@ data:
             action: keep
         metadata_config:
           send: false
+{{- if .Values.tags.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "cloudzero-agent.server.labels" . | nindent 4 }}
+  name: {{ include "cloudzero-agent.cloudzeroConfigMapName" . }}
+  namespace: {{ include "cloudzero-agent.namespace" . }}
+  {{- with .Values.prometheusConfig.configMapAnnotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  cloudzero-config.yaml: |-
+    cloud_account_id: {{ .Values.cloudAccountId }}
+    region: {{ .Values.region }}
+    cluster_name: {{ .Values.clusterName }}
+    host: {{ .Values.host }}
+{{- end }}
@@ -47,10 +47,20 @@ prometheusConfig:
     # -- Any items added to this list will be added to the Prometheus scrape configuration.
     additionalScrapeJobs: []
 
+tags:
+  enabled: true
+  labels:
+    enabled:
+    patterns:
+      # - '.*'
+  annotations:
+    enabled: false
+    patterns:
+      - '.*'
+
+
 kube-state-metrics:
   enabled: false
-  extraArgs:
-    - --metric-labels-allowlist=pods=[app.kubernetes.io/component]
 prometheus-node-exporter:
   enabled: false
 
@@ -89,7 +99,6 @@ server:
       memory: 1024Mi
   deploymentAnnotations: {}
   podAnnotations: {}
-  configMapOverrideName: configuration
   args:
   - --config.file=/etc/config/prometheus/configmaps/prometheus.yml
   - --web.enable-lifecycle
@@ -137,3 +146,11 @@ configmapReload:
 
     containerSecurityContext: {}
     resources: {}
+
+# -- Values that we need for this chart, and may want to share with child charts. It is unlikely that these need to be modified
+global:
+  # -- General configuration for CloudZero components
+  configMapOverrideName: configuration
+  foo: "{{ .Values.host }}-worked"
+  cloudzeroConfigMapName: '{{ include "cloudzero-agent.configMapName" . }}'
+  cloudzeroSecretName: '{{ include "cloudzero-agent.secretName" . }}'
@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.15.3
+digest: sha256:9027951628db45ef674f00e5baeca157f95755de9818a9d1e78396b86971f527
+generated: "2024-08-29T11:00:51.842705-04:00"
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: insights-controller
+description: Provides telemetry to the CloudZero platform to enabling complex cost allocation and analysis.
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
+dependencies:
+  - name: cert-manager
+    version: v1.15.3
+    repository: https://charts.jetstack.io
+    alias: cert-manager
+    condition: cert-manager.enabled
@@ -0,0 +1,145 @@
+# Cloudzero Insights Controller Helm Chart
+
+[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE-OF-CONDUCT.md)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
+![GitHub release](https://img.shields.io/github/release/Cloudzero/cloudzero-charts.svg)
+
+A Helm chart for a validating admission webhook to send cluster metrics to the CloudZero platform.
+
+## Overview
+
+This Validating Admission Webhook monitors and intercepts `CREATE` and `UPDATE` operations on the following Kubernetes resources:
+
+- `Pod`
+- `Deployment`
+- `StatefulSet`
+- `Daemonset`
+- `Job`
+- `CronJob`
+- `Node`
+- `Namespace`
+
+The webhook captures the labels from these resources and uploads them to the CloudZero API endpoint. For both `CREATE` and `UPDATE` operations, the full set of labels is sent to the API, ensuring that the most up-to-date labels are always uploaded. For `Deployment` and `Statefulset` resources, annotations are also uploaded.
+
+
+## Prerequisites
+
+- Kubernetes 1.23+
+- Helm 3+
+- A CloudZero API key
+
+## Installation
+
+This helm chart is best used alongside the [cloudzero-agent](https://github.com/Cloudzero/cloudzero-charts/tree/develop/charts/cloudzero-agent) chart. In this case, the same API key can be used for both installations.
+
+### Get Helm Repository Info
+
+```console
+helm repo add cloudzero https://cloudzero.github.io/cloudzero-charts
+helm repo update
+```
+
+_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+The chart can be installed directly with Helm or any other common Kubernetes deployment tools. See the next section for different deployment configurations.
+
+### Deployment Configurations and Certificate Management
+
+This chart contains a `ValidatingWebhookConfiguration` resource, which uses a certificate in order validate requests to the webhook server. See related Kubernetes documentation [here](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly).
+
+
+**There are two ways to install the chart as it relates to certificate management:**
+
+1. (Default) Manage certificates using [cert-manager](https://github.com/cert-manager/cert-manager/tree/master).
+By default, the chart installs [cert-manager](https://github.com/cert-manager/cert-manager/tree/master) as a subchart. `cert-manager` handles the creation of the certificate and injects the CA bundle into the `ValidatingWebhookConfiguration` resource. For details on how cert-manager does this, see [here](https://cert-manager.io/docs/concepts/ca-injector/).
+
+To install the chart with this configuration, install the chart with the following helm command. The default configuration uses cert-manager to create the certificate:
+
+```console
+helm install <RELEASE_NAME> cloudzero/insights-controller \
+    --set existingSecretName=<NAME_OF_SECRET> \
+    --set clusterName=<CLUSTER_NAME> \
+    --set-string cloudAccountId=<CLOUD_ACCOUNT_ID> \
+    --set region=<REGION>
+```
+
+If `cert-manager` CRDs are not already installed, the installation may fail with the error message that contains:
+```console
+no matches for kind "Certificate" in version "cert-manager.io/v1"
+```
+
+If this happens, run the following:
+
+```bash
+helm install <RELEASE_NAME> cloudzero/insights-controller \
+    --set webhook.issuer.enabled=false \
+    --set webhook.certificate.enabled=false \
+    --set cert-manager.installCRDs=true
+```
+Or, alternatively, [install the cert-manager CRDs yourself](https://cert-manager.io/docs/installation/helm/).
+Then rerun the original command:
+```console
+helm install <RELEASE_NAME> cloudzero/insights-controller \
+    --set existingSecretName=<NAME_OF_SECRET> \
+    --set clusterName=<CLUSTER_NAME> \
+    --set-string cloudAccountId=<CLOUD_ACCOUNT_ID> \
+    --set region=<REGION>
+```
+
+2. The second option is to bring your own certificate. In this case, the tls information must be mounted to the server Deployment at the `/etc/certs/` path in a file formatted as:
+```
+ca.crt: <CA_CRT>
+tls.crt: <TLS_CERT>
+tls.key: <TLS_KEY>
+```
+An example command would be:
+```bash
+helm install <RELEASE_NAME> cloudzero/insights-controller \
+    --set existingSecretName=<NAME_OF_SECRET> \
+    --set clusterName=<CLUSTER_NAME> \
+    --set-string cloudAccountId=<CLOUD_ACCOUNT_ID> \
+    --set region=<REGION> \
+    -f config.yaml
+```
+where `config.yaml` is:
+```
+server:
+  tls:
+    useManagedSecret: false
+  volumeMounts:
+    - name: your-tls-volume
+      mountPath: /etc/certs
+      readOnly: true
+  volumes:
+    - name: tls-certs
+      secret:
+        secretName: your-tls-secret-name
+webhook:
+  issuer:
+    enabled: false
+  certificate:
+    enabled: false
+  caBundle: '<YOUR_CA_BUNDLE>'
+
+cert-manager:
+  enabled: false
+```
+
+## Troubleshooting
+
+### `<RELEASE-NAME>-server` pod stuck in `Pending` state
+  The server pod, which handles incoming webhook requests, may be stuck in this state if the TLS secret is not available. Confirm this is the case by describing the server pod:
+  ```console
+  kubectl describe pod -l app.kubernetes.io/name=insights-controller
+  ```
+  If the event log shows that the pod cannot be created due to a missing volume, check that the TLS secret has been created successfully:
+  ```console
+  kubectl get secret -l app.kubernetes.io/name=insights-controller
+  ```
+  If no secrets are returned by that command, then cert-manager did not provision a certificate. Consult the `cert-manager` pod logs and/or the cert-manager CRDs for more infomration:
+  ```console
+  kubectl get certificaterequests
+  kubectl get certificates
+  kubectl get certificatesigningrequests
+  kubectl get issuers
+  ```