diff --git a/config/clusters/openscapes/support.values.yaml b/config/clusters/openscapes/support.values.yaml
index d5e44b2bf9..5390d780bc 100644
--- a/config/clusters/openscapes/support.values.yaml
+++ b/config/clusters/openscapes/support.values.yaml
@@ -40,3 +40,11 @@ grafana:
 auth.github:
 enabled: true
 allowed_organizations: 2i2c-org NASA-Openscapes
+
+aws-ce-grafana-backend:
+ enabled: true
+ envBasedConfig:
+ clusterName: openscapeshub
+ serviceAccount:
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/aws_ce_grafana_backend_iam_role
diff --git a/helm-charts/aws-ce-grafana-backend/ce-test-config.yaml b/helm-charts/aws-ce-grafana-backend/ce-test-config.yaml
deleted file mode 100644
index 73ff8e30d9..0000000000
--- a/helm-charts/aws-ce-grafana-backend/ce-test-config.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-fullnameOverride: ce-test
-serviceAccount:
- annotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/aws_ce_grafana_backend_iam_role
-
-envBasedConfig:
- clusterName: openscapeshub
diff --git a/helm-charts/aws-ce-grafana-backend/mounted-files/README.md b/helm-charts/aws-ce-grafana-backend/mounted-files/README.md
index b2d10626aa..43011a9844 100644
--- a/helm-charts/aws-ce-grafana-backend/mounted-files/README.md
+++ b/helm-charts/aws-ce-grafana-backend/mounted-files/README.md
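Review bot: The `serviceAccount.annotations` entry added under `aws-ce-grafana-backend:` only takes effect if the chart creates a ServiceAccount named exactly `aws-ce-grafana-backend` in the `support` namespace, because the role's trust policy in terraform/aws/aws-ce-grafana-backend-iam.tf (changed in this same commit) matches `system:serviceaccount:support:aws-ce-grafana-backend` with `StringEquals`. The deleted ce-test-config.yaml pinned the name with `fullnameOverride`, and these values do not; the chart templates are not visible here, so if the name is derived from the release name the web-identity token exchange for this role would be denied. Either set `fullnameOverride: aws-ce-grafana-backend` in this block or add a comment such as `# ServiceAccount name and namespace must match the :sub condition in terraform/aws/aws-ce-grafana-backend-iam.tf`.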
@@ -1,17 +1,12 @@
 # About code files
-The code is meant to help serve grafana with JSON with cost related data,
-initially only from AWS.
+The code is meant to help serve grafana with JSON with cost related data from
+AWS Cost Explorer API. It doesn't doesn't rely to other k8s services, so it can
+deploy and be tested by itself.
-## De-coupled from other k8s services
-
-This software doesn't rely to other k8s services, so it can deploy and be tested
-by itself.
-
-## Bundling into Dockerfile vs. mounting in Helm chart
-
-By mounting the code files, development iterations running the code in k8s
-becomes faster.
+The code files in this folders are mounted instead of built into the image in
+order to quicken up development iterations running the code in k8s becomes
+faster.
 ## Development
@@ -29,31 +24,52 @@ python -m flask --app=webserver run --port=8080 ### Testing Python changes in k8s -This is currently being developed in the openscapes cluster. It depends on a k8s +This was initially developed in the openscapes cluster. It depends on a k8s ServiceAccount coupled to an IAM Role there as well. The image shouldn't need to be rebuilt unless additional dependencies needs to be installed etc, so if you've only made code changes, you can do the following to re-deploy. +During development, a procedure like below can be used to iterate faster than by +using the deployer. + ```bash deployer use-cluster-credentials openscapes cd helm-charts/aws-ce-grafana-backend -helm upgrade --install --create-namespace -n ce-test --values ce-test-config.yaml ce-test . +helm upgrade --install --create-namespace -n support --values my-test-config.yaml aws-ce-grafana-backend . # note that port-forward to a service is just a way to port-forward to a pod # behind the service, so you need to do the port-forwarding again if the pod # restarts. 
-kubectl port-forward -n ce-test service/ce-test 8080:http
+kubectl port-forward -n support service/aws-ce-grafana-backend 8080:http
-# visit http://localhost:8080/aws
+# visit http://localhost:8080/total-costs and other urls
+```
+
+It assumes that you have a `my-test-config.yaml` file looking like this:
+
+```yaml
+serviceAccount:
+ annotations:
+ # can be setup via terraform by setting the variable
+ # enable_aws_ce_grafana_backend_iam = true
+ #
+ # note that the terraform managed IAM Role's assume policy is
+ # only granting a k8s ServiceAccount in "support" namespace
+ # named "aws-ce-grafana-backend" rights to assume it
+ #
+ eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/aws_ce_grafana_backend_iam_role
+envBasedConfig:
+ # note that this must be the AWS EKS cluster resource name,
+ # not what we call the cluster
+ clusterName: openscapeshub
 ```
 ### Testing image changes in k8s
 ```bash
-
 cd helm-charts
 # before doing this: commit the image change, and stash other changes
diff --git a/helm-charts/aws-ce-grafana-backend/mounted-files/query.py b/helm-charts/aws-ce-grafana-backend/mounted-files/query.py
index 9c79775490..46e4ad935b 100644
--- a/helm-charts/aws-ce-grafana-backend/mounted-files/query.py
+++ b/helm-charts/aws-ce-grafana-backend/mounted-files/query.py
@@ -76,6 +76,8 @@ def query_hub_names(from_date, to_date):
 # },
 # }
 #
+ # The empty string is replaced with "shared"
+ #
 hub_names = [t or "shared" for t in response["Tags"]]
 return hub_names
diff --git a/terraform/aws/aws-ce-grafana-backend-iam.tf b/terraform/aws/aws-ce-grafana-backend-iam.tf
index 6209d4f8e1..6d0771f25b 100644
--- a/terraform/aws/aws-ce-grafana-backend-iam.tf
+++ b/terraform/aws/aws-ce-grafana-backend-iam.tf
@@ -13,11 +13,9 @@ resource "aws_iam_role" "aws_ce_grafana_backend_iam_role" {
 Federated = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}"
 },
- # FIXME: Below we have a string including ce-test:ce-test, it should be support:
-
 Condition = {
 StringEquals = {
- "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:ce-test:ce-test"
+ "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:support:aws-ce-grafana-backend"
 }
 },
 }]
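Review bot: The `StringEquals` block pins only the `:sub` claim of the OIDC token; the IRSA trust policy shown in the AWS EKS documentation also pins the audience, which here would be one more entry next to `:sub`: `"${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" = "sts.amazonaws.com"`. With the new subject `system:serviceaccount:support:aws-ce-grafana-backend` the role is bound to one ServiceAccount name in the `support` namespace, so RBAC over ServiceAccounts and pods in that namespace becomes part of this role's trust boundary. A short comment above `Condition` stating that coupling to the Helm chart's ServiceAccount name would be a useful replacement for the removed FIXME. The resource block starts and ends outside the hunk, so the rest of the assume-role policy is not reviewed here.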