Merge pull request #337 from opencost/cloud-integration-json

ameijer · web-flow · commit 982e3cc60b86 · 2026-03-05T10:34:17.000-05:00
Add cloudIntegrationJSON support
diff --git a/charts/opencost/Chart.yaml b/charts/opencost/Chart.yaml
@@ -4,12 +4,12 @@ name: opencost
 description: OpenCost and OpenCost UI
 type: application
 keywords:
-- cloud-costs
-- cost-optimization
-- finops
-- monitoring
-- opencost
-version: 2.5.9
+  - cloud-costs
+  - cost-optimization
+  - finops
+  - monitoring
+  - opencost
+version: 2.5.10
 maintainers:
   - name: jessegoodier
   - name: toscott
diff --git a/charts/opencost/README.md b/charts/opencost/README.md
@@ -50,7 +50,8 @@ $ helm install opencost opencost/opencost
 | opencost.cloudCost.queryWindowDays | int | `7` | The max number of days that any single query will be made to construct Cloud Costs |
 | opencost.cloudCost.refreshRateHours | int | `6` | Number of hours between each run of the Cloud Cost pipeline |
 | opencost.cloudCost.runWindowDays | int | `3` | Number of days into the past that a Cloud Cost standard run will query for |
-| opencost.cloudIntegrationSecret | string | `""` |  |
+| opencost.cloudIntegrationSecret | string | `""` | Existing secret name containing `cloud-integration.json` for Cloud Costs. Mutually exclusive with `opencost.cloudIntegrationJSON`. |
+| opencost.cloudIntegrationJSON | string | `""` | Raw JSON string for `cloud-integration.json`. Creates `<fullname>-cloud-integration` in the release namespace. Mutually exclusive with `opencost.cloudIntegrationSecret`. |
 | opencost.customPricing.configPath | string | `"/tmp/custom-config"` | Path for the pricing configuration. |
 | opencost.customPricing.configmapName | string | `"custom-pricing-model"` | Customize the configmap name used for custom pricing |
 | opencost.customPricing.costModel | object | `{"CPU":1.25,"GPU":0.95,"RAM":0.5,"description":"Modified pricing configuration.","internetNetworkEgress":0.12,"regionNetworkEgress":0.01,"spotCPU":0.006655,"spotRAM":0.000892,"storage":0.25,"zoneNetworkEgress":0.01}` | More information about these values here: https://www.opencost.io/docs/configuration/on-prem#custom-pricing-using-the-opencost-helm-chart |
diff --git a/charts/opencost/templates/_helpers.tpl b/charts/opencost/templates/_helpers.tpl
@@ -53,6 +53,28 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
   {{- end -}}
 {{- end -}}
 
+{{/*
+Cloud integration source contents check. Either the Secret must be specified or the JSON, not both.
+*/}}
+{{- define "opencost.cloudIntegration.secretConfigCheck" -}}
+  {{- if and .Values.opencost.cloudIntegrationSecret .Values.opencost.cloudIntegrationJSON -}}
+    {{- fail "opencost.cloudIntegrationSecret and opencost.cloudIntegrationJSON are mutually exclusive. Please specify only one." -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Compute the cloud integration secret name when enabled.
+*/}}
+{{- define "opencost.cloudIntegration.secretName" -}}
+  {{- if or .Values.opencost.cloudIntegrationSecret .Values.opencost.cloudIntegrationJSON -}}
+    {{- if .Values.opencost.cloudIntegrationSecret -}}
+      {{- .Values.opencost.cloudIntegrationSecret -}}
+    {{- else -}}
+      {{- printf "%s-cloud-integration" (include "opencost.fullname" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
@@ -212,6 +234,7 @@ apiVersion: networking.k8s.io/v1beta1
   "configmap-custom-pricing.yaml"
   "configmap-frontend.yaml"
   "configmap-metrics-config.yaml"
+  "secret-cloud-integration.yaml"
   "secret.yaml"
 -}}
 {{- $checksum := "" -}}
diff --git a/charts/opencost/templates/deployment.yaml b/charts/opencost/templates/deployment.yaml
@@ -1,6 +1,8 @@
 {{- include  "isPrometheusConfigValid" . }}
 {{- include  "kubeRBACProxyBearerTokenCheck" . }}
 {{ include "opencost.caCertsSecretConfig.check" . }}
+{{ include "opencost.cloudIntegration.secretConfigCheck" . }}
+{{- $cloudIntegrationSecretName := include "opencost.cloudIntegration.secretName" . -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -331,7 +333,7 @@ spec:
             - name: MCP_SERVER_ENABLED
               value: "false"
             {{- end }}
-          {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.opencost.exporter.extraVolumeMounts .Values.opencost.customPricing.enabled .Values.opencost.cloudIntegrationSecret .Values.opencost.updateCaTrust.enabled}}
+          {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.opencost.exporter.extraVolumeMounts .Values.opencost.customPricing.enabled .Values.opencost.metrics.config.enabled $cloudIntegrationSecretName .Values.opencost.updateCaTrust.enabled}}
           volumeMounts:
             {{- if .Values.plugins.enabled }}
             - mountPath: /opt/opencost/plugin
@@ -353,7 +355,7 @@ spec:
             - mountPath: {{ .Values.opencost.customPricing.configPath }}
               name: custom-configs
             {{- end }}
-            {{- if .Values.opencost.cloudIntegrationSecret }}
+            {{- if $cloudIntegrationSecretName }}
             - name: cloud-integration
               mountPath: /var/configs/cloud-integration.json
               subPath: cloud-integration.json
@@ -463,7 +465,7 @@ spec:
           {{- toYaml . | nindent 12 }}
           {{- end }}
         {{- end }}
-      {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.extraVolumes .Values.opencost.customPricing.enabled .Values.opencost.cloudIntegrationSecret .Values.opencost.ui.enabled .Values.opencost.updateCaTrust.enabled }}
+      {{- if or .Values.plugins.enabled .Values.opencost.exporter.persistence.enabled .Values.extraVolumes .Values.opencost.customPricing.enabled .Values.opencost.metrics.config.enabled $cloudIntegrationSecretName .Values.opencost.ui.enabled .Values.opencost.updateCaTrust.enabled }}
       volumes:
         {{- if .Values.plugins.enabled  }}
         {{- if .Values.plugins.install.enabled}}
@@ -486,10 +488,10 @@ spec:
           persistentVolumeClaim:
             claimName: {{ include "opencost.fullname" . }}-pvc
         {{- end }}
-        {{- if .Values.opencost.cloudIntegrationSecret }}
+        {{- if $cloudIntegrationSecretName }}
         - name: cloud-integration
           secret:
-            secretName: {{ .Values.opencost.cloudIntegrationSecret }}
+            secretName: {{ $cloudIntegrationSecretName }}
             items:
               - key: cloud-integration.json
                 path: cloud-integration.json
diff --git a/charts/opencost/templates/secret-cloud-integration.yaml b/charts/opencost/templates/secret-cloud-integration.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.opencost.cloudIntegrationJSON }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "opencost.cloudIntegration.secretName" . }}
+  namespace: {{ include "opencost.namespace" . }}
+  labels:
+    {{- include "opencost.labels" . | nindent 4 }}
+data:
+  cloud-integration.json: {{ .Values.opencost.cloudIntegrationJSON | trimSuffix "\n" | b64enc | quote }}
+{{- end }}
diff --git a/charts/opencost/tests/cloud_integration_test.yaml b/charts/opencost/tests/cloud_integration_test.yaml
@@ -0,0 +1,82 @@
+suite: cloud integration deployment
+templates:
+  - templates/deployment.yaml
+release:
+  name: opencost
+  namespace: default
+tests:
+  - it: should mount existing cloud integration secret
+    set:
+      opencost.cloudIntegrationSecret: cloud-costs
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: cloud-integration
+            secret:
+              secretName: cloud-costs
+              items:
+                - key: cloud-integration.json
+                  path: cloud-integration.json
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: cloud-integration
+            mountPath: /var/configs/cloud-integration.json
+            subPath: cloud-integration.json
+            readOnly: true
+  - it: should mount generated cloud integration secret
+    set:
+      opencost.cloudIntegrationJSON: '{"aws":[]}'
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: cloud-integration
+            secret:
+              secretName: opencost-cloud-integration
+              items:
+                - key: cloud-integration.json
+                  path: cloud-integration.json
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: cloud-integration
+            mountPath: /var/configs/cloud-integration.json
+            subPath: cloud-integration.json
+            readOnly: true
+---
+suite: cloud integration secret
+templates:
+  - templates/secret-cloud-integration.yaml
+release:
+  name: opencost
+  namespace: default
+tests:
+  - it: should render secret when cloudIntegrationJSON is set
+    set:
+      opencost.cloudIntegrationJSON: '{"aws":[]}'
+    asserts:
+      - isKind:
+          of: Secret
+      - equal:
+          path: metadata.name
+          value: opencost-cloud-integration
+      - equal:
+          path: data.cloud-integration.json
+          value: eyJhd3MiOltdfQ==
+---
+suite: cloud integration validation
+templates:
+  - templates/deployment.yaml
+release:
+  name: opencost
+  namespace: default
+tests:
+  - it: should fail when cloudIntegrationSecret and cloudIntegrationJSON are set
+    set:
+      opencost.cloudIntegrationSecret: cloud-costs
+      opencost.cloudIntegrationJSON: '{"aws":[]}'
+    asserts:
+      - failedTemplate:
+          errorMessage: opencost.cloudIntegrationSecret and opencost.cloudIntegrationJSON are mutually exclusive. Please specify only one.
diff --git a/charts/opencost/values.yaml b/charts/opencost/values.yaml
@@ -127,7 +127,52 @@ pdb:
 opencost:
   # -- <SECRET_NAME> for the secret containing the Cloud Costs cloud-integration.json https://www.opencost.io/docs/configuration/#cloud-costs
   # -- kubectl create secret generic <SECRET_NAME> --from-file=cloud-integration.json -n opencost
+  # -- Mutually exclusive with opencost.cloudIntegrationJSON.
   cloudIntegrationSecret: ""
+  # -- Specify the cloud integration information in JSON form. This will create a Secret named
+  # -- "<fullname>-cloud-integration" in the release namespace. Mutually exclusive with
+  # -- opencost.cloudIntegrationSecret.
+  cloudIntegrationJSON: ""
+  # cloudIntegrationJSON: |-
+  #   {
+  #     "aws": [
+  #       {
+  #         "athenaBucketName": "s3://AWS_cloud_integration_athenaBucketName",
+  #         "athenaRegion": "AWS_cloud_integration_athenaRegion",
+  #         "athenaDatabase": "AWS_cloud_integration_athenaDatabase",
+  #         "athenaTable": "AWS_cloud_integration_athenaTable",
+  #         "projectID": "AWS_cloud_integration_athena_projectID",
+  #         "serviceKeyName": "AWS_cloud_integration_athena_serviceKeyName",
+  #         "serviceKeySecret": "AWS_cloud_integration_athena_serviceKeySecret"
+  #       }
+  #     ],
+  #     "azure": [
+  #       {
+  #         "azureSubscriptionID": "my-subscription-id",
+  #         "azureStorageAccount": "my-storage-account",
+  #         "azureStorageAccessKey": "my-storage-access-key",
+  #         "azureStorageContainer": "my-storage-container"
+  #       }
+  #     ],
+  #     "gcp": [
+  #       {
+  #         "projectID": "my-project-id",
+  #         "billingDataDataset": "detailedbilling.my-billing-dataset",
+  #         "key": {
+  #           "type": "service_account",
+  #           "project_id": "my-project-id",
+  #           "private_key_id": "my-private-key-id",
+  #           "private_key": "my-pem-encoded-private-key",
+  #           "client_email": "my-service-account-name@my-project-id.iam.gserviceaccount.com",
+  #           "client_id": "my-client-id",
+  #           "auth_uri": "auth-uri",
+  #           "token_uri": "token-uri",
+  #           "auth_provider_x509_cert_url": "my-x509-provider-cert",
+  #           "client_x509_cert_url": "my-x509-cert-url"
+  #         }
+  #       }
+  #     ]
+  #   }
 
   # -- MCP (Model Context Protocol) Server Configuration
   # The MCP server provides AI agents with access to cost allocation and asset data
