FinOps on EKS (#33)

* helmfile

* prometheus exporter

* Update docs

* new line

* update

* env eks file

* fix helmfile apply command

* fix opencost templates chart

* fix opencost

* update env file

* fix opencost template chart

* remove opencost from prometheus

* no aws access key needed

* add dashboard to kind

* update doc

* new line

* Re-word

* Re-word

* Update docs

* Update docs

* helmfile

* prometheus exporter

* Update docs

* new line

* update

* env eks file

* fix helmfile apply command

* fix opencost templates chart

* fix opencost

* update env file

* fix opencost template chart

* remove opencost from prometheus

* no aws access key needed

* add dashboard to kind

* update doc

* new line

* Re-word

* Add scan pipeline

* Bump golang.org/x/crypto in /scripts/chart-dep-updater (#37)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.26.0 to 0.31.0.
- [Commits](golang/crypto@v0.26.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Re-word

* Update docs

* Update docs

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Jon Tutcher <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Collom <[email protected]>

Author: 4 people

README.md

@@ -8,7 +8,7 @@ The FinOps Stack is the blueprint for a solution to automate FinOps best practic
 
 Our goal is to empower organisations with the tools they need to manage, visualise, and optimise their cloud resources in complex, ever-changing environments.
 
-The FinOps Stack is designed to work out-of-the-box seamlessly with GKE standard/autopilot clusters using Google Managed Prometheus, and can be customised for an organisation’s business requirements and/or Kubernetes distribution.
+The FinOps Stack is designed to work out-of-the-box seamlessly with Kind, GKE standard/autopilot clusters using Google Managed Prometheus, and EKS and can be customised for an organisation’s business requirements and/or Kubernetes distribution.
 
 This repository contains the core components of FinOps Stack, including:
 

charts/opencost-config/templates/opencost/dashboards.yaml

@@ -1,3 +1,4 @@
+{{ if .Values.dashboards }}
 {{- range $path, $_ :=  .Files.Glob  "dashboards/**.json" }}
 ---
 apiVersion: v1
@@ -11,3 +12,4 @@ data:
   {{ base $path  }}: |-
     {{ ($.Files.Get $path) | nindent 6 }}
 {{ end }}
+{{ end }}

content/install.md

@@ -8,7 +8,9 @@ To simplify installation, the FinOps Stack is installed using a single Helmfile
 
 The following instructions are designed to work with a Kind cluster for quick setup. For full instructions, prerequisites and customisations, please see the [installation README](https://github.com/jetstack/finops-stack/blob/main/installation/README.md).
 
-To work with GKE standard and GKE autopilot see the [ GKE installation guide]((https://github.com/jetstack/finops-stack/blob/main/installation/README.md))
+To work with GKE standard and GKE autopilot see the [ GKE installation guide]((https://github.com/jetstack/finops-stack/blob/main/installation/gke.md))
+
+To work with EKS cluster see the [ EKS installation guide]((https://github.com/jetstack/finops-stack/blob/main/installation/eks.md))
 
 ### Helmfile 
 

installation/Helmfile_eks.yaml

@@ -0,0 +1,139 @@
+repositories:
+- name: kyverno
+  url: https://kyverno.github.io/kyverno/
+- name: prometheus-opencost-exporter
+  url: https://prometheus-community.github.io/helm-charts
+- name: prometheus
+  url: https://prometheus-community.github.io/helm-charts
+- name: grafana
+  url: https://grafana.github.io/helm-charts
+- name: vpa
+  url: https://charts.fairwinds.com/stable
+- name: cert-manager
+  url: https://charts.jetstack.io
+- name: fairwinds-stable
+  url: https://charts.fairwinds.com/stable
+
+---
+helmDefaults:
+  wait: true
+  timeout: 1200
+---
+environments:
+  default:
+    values:
+    - "./config/{{ requiredEnv "HOST_ENV" }}/enabled.yaml"
+---
+releases:
+- name: kyverno
+  version: "3.2.6"
+  chart: kyverno/kyverno
+  condition: kyverno.enabled
+  namespace: finops-stack
+  values:
+  - "./config/common/kyverno-values.yaml"
+  - "./config/{{ requiredEnv "HOST_ENV" }}/kyverno-values.yaml"  
+
+- name: finops-policies
+  version: "0.1.0"
+  chart: "../charts/finops-policies"
+  condition: finops-policies.enabled
+  namespace: finops-stack
+  disableValidationOnInstall: true
+  needs:
+  - kyverno
+
+- name: cert-manager
+  version: v1.15.3
+  chart: cert-manager/cert-manager
+  condition: cert-manager.enabled
+  namespace: cert-manager
+  values:
+  - "./config/common/cert-manager-values.yaml"
+  - "./config/{{ requiredEnv "HOST_ENV" }}/cert-manager-values.yaml"
+  - global:
+      leaderElection:
+        namespace: cert-manager
+      commonLabels:
+        cost-center-label: "xyz"
+  - serviceAccount:
+      annotations:
+        {{ env "CERT_MANAGER_SA_ANNOTATION" }}
+
+- name: cert-manager-config
+  version: "0.1.0"
+  chart: "../charts/cert-manager-config"
+  condition: cert-manager.enabled
+  namespace: finops-stack
+  disableValidationOnInstall: true
+  needs:
+  - cert-manager/cert-manager
+  values:
+  - email: {{ env "CERT_MANAGER_EMAIL" }}
+  - grafanaTLSCert:
+      hostname: {{ env "GRAFANA_FQDN" }}
+
+- name: grafana
+  version: "8.4.7"
+  chart: grafana/grafana
+  condition: grafana.enabled
+  namespace: finops-stack
+  values:
+  - "./config/common/grafana-values.yaml"
+  - "./config/{{ requiredEnv "HOST_ENV" }}/grafana-values.yaml"
+  - adminUser: {{ env "GRAFANA_ADMIN_USER" }}
+  - adminPassword: {{ env "GRAFANA_ADMIN_PW" }}
+  - serviceAccount:
+      annotations:
+        {{ env "GRAFANA_SA_ANNOTATION" }}
+
+  # If you don't require ingress via an FQDN remove this ingress section
+  - ingress:
+      enabled: {{ env "GRAFANA_INGRESS" }}
+      annotations:
+        kubernetes.io/ingress.global-static-ip-name: {{ env "GRAFANA_PUBLIC_IP_NAME" }}
+      hosts:
+      - {{ env "GRAFANA_FQDN" }}
+    # If you don't require https access to the Grafana dashboard remove this tls section
+      tls:
+      - secretName: {{ env "GRAFANA_FQDN" }}-tls
+        hosts:
+        - {{ env "GRAFANA_FQDN" }}
+  needs:
+  - cert-manager/cert-manager
+
+- name: vpa
+  version: "4.5.0"
+  chart: "vpa/vpa"
+  condition: vpa.enabled
+  namespace: finops-stack
+  values:
+  - "./config/common/vpa-values.yaml"
+
+- name: prometheus-opencost-exporter
+  version: "0.1.1"
+  chart: "prometheus-opencost-exporter/prometheus-opencost-exporter"
+  condition: opencost-exporter.enabled
+  namespace: finops-stack
+  values:
+  - "./config/common/prometheus-opencost-exporter-values.yaml"
+  - "./config/{{ requiredEnv "HOST_ENV" }}/prometheus-opencost-exporter-values.yaml"
+
+- name: finops-stack-opencost-templates
+  version: "0.1.0"
+  chart: "../charts/opencost-config"
+  condition: opencost-templates.enabled
+  namespace: finops-stack
+  disableValidationOnInstall: true
+  values:
+  - "./config/{{ requiredEnv "HOST_ENV" }}/opencost-templates-values.yaml"
+
+- name: goldilocks
+  version: "9.0.0"
+  chart: fairwinds-stable/goldilocks
+  condition: goldilocks.enabled
+  namespace: finops-stack
+  values:
+  - "./config/common/goldilocks-values.yaml"
+
+ 

installation/Makefile

@@ -1,10 +1,5 @@
 .DEFAULT_GOAL := help
 
-CLUSTER_NAME := ambient
-PROJECT_ID := "$(shell gcloud config get-value project)"
-M_TYPE := n1-standard-2
-ZONE := europe-west2-a
-
 cluster: ## Setup cluster
 	kind create cluster
 

installation/README.md

@@ -1,8 +1,12 @@
-# Installation using Helmfile
+# FinOps Stack deployment
 
-Installing Helm charts with lots of dependencies and CRDs is challenging; these instructions use Helmfile to mitigate issues with Helm. 
+This documentation provides instructions for installing the FinOps Stack in Kind cluster for a quick setup.
 
-This documentation provides instructions for installing the FinOps Stack in Kind cluster for a quick setup. For deployment on a GKE cluster, refer to the [gke docs](./gke.md).
+For deployment on a GKE cluster, refer to the [GKE docs](./gke.md) and deployment on a EKS cluster refer to the [EKS docs](./eks.md).
+
+## Using Helmfile
+
+Installing Helm charts with lots of dependencies and CRDs is challenging; these instructions use Helmfile to mitigate issues with Helm.
 
 ## Pre-requisites
 

installation/config/common/enabled.yaml

@@ -14,19 +14,19 @@ grafana:
 # -- Enable / Disable the installation of cert-manager
 cert-manager:
   enabled: false
-# -- Enable / Disable the installation of OpenCost
-opencost:
-  enabled: false
 # -- Enable / Disable the installation of OpenCost Exporter
 opencost-exporter:
   enabled: true
+# -- Enable / Disable the installation of Prometheus (required when using EKS or Kind)
+prometheus:
+  enabled: false
 
 opencost-templates:
   enabled: true
 
 # -- Enable / Disable the installation of GMP Proxy (required when using Google Managed Prometheus)
 gmp-proxy:
-  enabled: true
+  enabled: false
 
 # -- Enable / Disable the installation of Fairwinds' Goldilocks
 goldilocks:

installation/config/eks/grafana-values.yaml

@@ -0,0 +1,16 @@
+datasources:
+  datasources.yaml:
+    apiVersion: 1
+    datasources:
+      - name: Prometheus
+        type: prometheus
+        uid: "PFB5ABA51A8A585D7"
+        url: http://prometheus-server
+        isDefault: true
+        editable: true
+ingress:
+  enabled: false
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: "ip-name"
+  hosts:
+  - grafana.example.com

installation/config/eks/kyverno-values.yaml

@@ -0,0 +1,13 @@
+features:
+  backgroundScan:
+    skipResourceFilters: false # Important so that background Scan's Exclude Namespaces, etc
+config:
+  resourceFiltersIncludeNamespaces:
+    - kube-system
+  webhooks:
+    - namespaceSelector:
+        matchExpressions:
+          - key: kubernetes.io/metadata.name
+            operator: NotIn
+            values:
+              - kube-system

installation/config/eks/opencost-templates-values.yaml

@@ -0,0 +1,5 @@
+dashboards: true
+opencost:
+  customPricing:
+    # -- This is only to enable custom pricing on on-premises or kind
+    enabled: false

installation/config/eks/opencost-values.yaml

@@ -0,0 +1,18 @@
+cloudCost:
+  enabled: false
+opencost:
+  cloudCost:
+    enabled: false
+  prometheus:
+    external:
+      enabled: false
+      # url: http://prometheus-server
+    internal:
+      # -- Use in-cluster Prometheus
+      enabled: true
+      # -- Service name of in-cluster Prometheus
+      serviceName: prometheus-server
+      # -- Namespace of in-cluster Prometheus
+      namespaceName: finops-stack
+      # -- Service port of in-cluster Prometheus
+      port: 80

installation/config/eks/prometheus-opencost-exporter-values.yaml

@@ -0,0 +1,27 @@
+service:
+  enabled: true
+opencost:
+  prometheus:
+    external:
+      enabled: false
+      # url: http://prometheus-server
+    internal:
+      # -- Use in-cluster Prometheus
+      enabled: true
+      # -- Service name of in-cluster Prometheus
+      serviceName: prometheus-server
+      # -- Namespace of in-cluster Prometheus
+      namespaceName: finops-stack
+      # -- Service port of in-cluster Prometheus
+      port: 80
+  exporter:
+    persistence:
+      enabled: false
+      # -- Annotations for persistent volume
+      annotations: {}
+      # -- Access mode for persistent volume
+      accessMode: ""
+      # -- Storage class for persistent volume
+      storageClass: "standard-rwo"
+      # -- Size for persistent volume
+      size: "10g"

installation/config/eks/prometheus-values.yaml

@@ -0,0 +1,17 @@
+extraScrapeConfigs: |
+  - job_name: opencost
+    honor_labels: true
+    scrape_interval: 1m
+    scrape_timeout: 10s
+    metrics_path: /metrics
+    scheme: http
+    dns_sd_configs:
+    - names:
+      - opencost.opencost
+      type: 'A'
+      port: 9003
+
+alertmanager:
+  enabled: false
+prometheus-pushgateway:
+  enabled: false

installation/config/gke/opencost-templates-values.yaml

@@ -1,2 +1,7 @@
+dashboards: true
+opencost:
+  customPricing:
+    # -- This is only to enable custom pricing on on-premises or kind
+    enabled: false
 gke:
-  podmonitoring: true
+  podmonitoring: true

installation/config/kind/enabled.yaml

@@ -1,3 +1,4 @@
+dashboards: true
 opencost:
   configFileName: default
   provider: kind