Merge pull request #339 from opencost/atm/admin-token

ameijer · web-flow · commit fbee83dd86bc · 2026-03-12T09:03:01.000-04:00
add admin token infra support
diff --git a/charts/opencost/Chart.yaml b/charts/opencost/Chart.yaml
@@ -9,7 +9,7 @@ keywords:
   - finops
   - monitoring
   - opencost
-version: 2.5.10
+version: 2.5.11
 maintainers:
   - name: jessegoodier
   - name: toscott
diff --git a/charts/opencost/README.md b/charts/opencost/README.md
@@ -87,6 +87,10 @@ $ helm install opencost opencost/opencost
 | opencost.exporter.env | list | `[]` | List of additional environment variables to set in the container |
 | opencost.exporter.extraArgs | list | `[]` | List of extra arguments for the command, e.g.: log-format=json |
 | opencost.exporter.extraEnv | object | `{}` | Any extra environment variables you would like to pass on to the pod |
+| opencost.exporter.adminToken.enabled | bool | `false` | When true, set ADMIN_TOKEN from value or existingSecret; when false, ADMIN_TOKEN is not set and no admin-token Secret is deployed. |
+| opencost.exporter.adminToken.value | string | `""` | If set, the chart creates a Secret with this value and sets ADMIN_TOKEN from it (use existingSecret in production). |
+| opencost.exporter.adminToken.existingSecret | string | `""` | Use an existing Secret for the admin token; must contain the key in adminToken.secretKey. |
+| opencost.exporter.adminToken.secretKey | string | `"ADMIN_TOKEN"` | Key in the Secret that holds the admin token (for write operations: POST /serviceKey, cloud config endpoints). |
 | opencost.exporter.extraVolumeMounts | list | `[]` | A list of volume mounts to be added to the pod |
 | opencost.exporter.image | object | `{"fullImageName":null,"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"opencost/opencost","tag":"1.118.0@sha256:c1a08767fe3c3b2964a75885c145bae0cba32225c0b4c1e0382a77566aef93e9"}` | This overrides the above defaultClusterId. Ensure the ConfigMap exists and contains the required CLUSTER_ID key. clusterIdConfigmap: cluster-id-configmap |
 | opencost.exporter.image.fullImageName | string | `nil` | Override the full image name for development purposes |
diff --git a/charts/opencost/templates/_helpers.tpl b/charts/opencost/templates/_helpers.tpl
@@ -236,6 +236,7 @@ apiVersion: networking.k8s.io/v1beta1
   "configmap-metrics-config.yaml"
   "secret-cloud-integration.yaml"
   "secret.yaml"
+  "secret-admin-token.yaml"
 -}}
 {{- $checksum := "" -}}
 {{- range $files -}}
diff --git a/charts/opencost/templates/deployment.yaml b/charts/opencost/templates/deployment.yaml
@@ -323,6 +323,13 @@ spec:
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
+            {{- if and .Values.opencost.exporter.adminToken.enabled (or .Values.opencost.exporter.adminToken.value .Values.opencost.exporter.adminToken.existingSecret) }}
+            - name: ADMIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.opencost.exporter.adminToken.existingSecret | default (printf "%s-admin-token" (include "opencost.fullname" .)) }}
+                  key: {{ .Values.opencost.exporter.adminToken.secretKey | default "ADMIN_TOKEN" }}
+            {{- end }}
             {{- if .Values.opencost.mcp.enabled }}
             # MCP Server Configuration
             - name: MCP_SERVER_ENABLED
diff --git a/charts/opencost/templates/secret-admin-token.yaml b/charts/opencost/templates/secret-admin-token.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.opencost.exporter.adminToken.enabled .Values.opencost.exporter.adminToken.value (not .Values.opencost.exporter.adminToken.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencost.fullname" . }}-admin-token
+  namespace: {{ include "opencost.namespace" . }}
+  labels: {{- include "opencost.labels" . | nindent 4 }}
+  {{- with .Values.secretAnnotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{ .Values.opencost.exporter.adminToken.secretKey | default "ADMIN_TOKEN" }}: {{ .Values.opencost.exporter.adminToken.value | toString | b64enc | quote }}
+{{- end }}
diff --git a/charts/opencost/values.yaml b/charts/opencost/values.yaml
@@ -363,6 +363,17 @@ opencost:
       # FOO: BAR
       # For example, if accessing mimir directly and getting 401 Unauthorized
       # PROMETHEUS_HEADER_X_SCOPE_ORGID: anonymous
+    # Admin token for write operations (e.g. POST /serviceKey, cloud config endpoints).
+    # Set ADMIN_TOKEN env from a chart-created secret or an existing secret.
+    adminToken:
+      # -- When true, the chart creates the admin-token Secret (if value is set) or mounts existingSecret as ADMIN_TOKEN. When false, ADMIN_TOKEN is not set and no secret is deployed.
+      enabled: false
+      # -- If set, the chart creates a Secret with this value and sets ADMIN_TOKEN from it (not recommended for production; use existingSecret instead).
+      value: ""
+      # -- Use an existing Secret for the admin token (recommended). Secret must contain the key below.
+      existingSecret: ""
+      # -- Key in the Secret that holds the admin token (used for both value-created and existing secrets).
+      secretKey: "ADMIN_TOKEN"
     apiIngress:
       # -- Ingress for OpenCost API
       enabled: false
