kubecost / cost-analyzer-helm-chart

Kubecost helm chart
http://kubecost.com/install
Apache License 2.0

[Bug] Argo CD ComparisonError (SSO with RBAC is enabled) #3624

Closed aashishshrestha09 closed 1 month ago

aashishshrestha09 commented 1 month ago

Kubecost Helm Chart Version

v2.3.4

Kubernetes Version

1.26

Kubernetes Platform

OpenShift

Description

I'm encountering a ComparisonError when trying to enable RBAC in Kubecost 2.3.4. The error message is:

Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = `helm template . --name-template kubecost --namespace kubecost --kube-version 1.28 --values /infrastructure/lk3-poc-use1-a/kubecost/cost-analyzer/values.yaml --include-crds` failed exit status 1: Error: execution error at (cost-analyzer/templates/NOTES.txt:2:4): SSO with RBAC is enabled. Note that Kubecost 2.x has significant architectural changes that may impact RBAC. This should be tested before giving end-users access to the UI. Kubecost has tested various configurations and believe that 2.x will be 100% compatible with existing configurations. Refer to the following documentation for more information: https://docs.kubecost.com/install-and-configure/install/kubecostv2 When ready to upgrade, add `--set upgrade.toV2=true`. Use --debug flag to render out invalid YAML

Note: I have enabled these values in the chart.

image

Steps to reproduce

  1. Enable RBAC in the Kubecost values.yaml file with the following configuration:

```yaml
oidc:
  enabled: true
  # THIS IS REQUIRED FOR AZURE. Azure communicates roles via the id_token instead of the access_token.
  useIDToken: true
  rbac:
    enabled: true
    groups:
      - name: admin
        # If admin is disabled, all authenticated users will be able to make configuration changes to the kubecost frontend
        enabled: true
        # SET THIS EXACT VALUE FOR ENTRA ID. This is the string Entra ID uses in its OIDC tokens.
        claimName: "roles"
        # These strings need to exactly match with the app roles created in Entra ID
        claimValues:
          - "admins"
          - "superusers"
      - name: readonly
        # If readonly is disabled, all authenticated users will default to readonly
        enabled: true
        claimName: "roles"
        claimValues:
          - "readonly"
```

Expected behavior

RBAC should be enabled without causing an error.

Impact

This issue prevents us from properly enabling RBAC in Kubecost, which is critical for managing user access and roles. Without RBAC, all authenticated users might have unintended access levels, impacting security and compliance. This prevents us from leveraging Kubecost's full capabilities in a secure and controlled manner.

Screenshots

image

Logs

Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = `helm template . --name-template kubecost --namespace kubecost --kube-version 1.28 --values <path to cached source>/infrastructure/lk3-poc-use1-a/kubecost/cost-analyzer/values.yaml <api versions removed> --include-crds` failed exit status 1: Error: execution error at (cost-analyzer/templates/NOTES.txt:2:4): SSO with RBAC is enabled. Note that Kubecost 2.x has significant architectural changes that may impact RBAC. This should be tested before giving end-users access to the UI. Kubecost has tested various configurations and believe that 2.x will be 100% compatible with existing configurations. Refer to the following documentation for more information: https://docs.kubecost.com/install-and-configure/install/kubecostv2 When ready to upgrade, add `--set upgrade.toV2=true`. Use --debug flag to render out invalid YAML

Slack discussion

No response

Troubleshooting

chipzoller commented 1 month ago

cc @jessegoodier

thomasvn commented 1 month ago

@aashishshrestha09 I believe this is a warning message which comes from the following code:

https://github.com/kubecost/cost-analyzer-helm-chart/blob/fd41a4043e19c7af71f5c460609653946e5aea1e/cost-analyzer/templates/_helpers.tpl#L76-L80

To resolve please add the following to your Helm values.

```yaml
upgrade:
  toV2: true
```

aashishshrestha09 commented 1 month ago

@thomasvn it appears that the template needs to be updated to prevent errors. Since I'm not migrating from v1.x to v2.x, there shouldn't be a need to set upgrade.toV2 to true in the Helm values.

thomasvn commented 1 month ago

@aashishshrestha09 Yes, for now the Helm chart expects .Values.upgrade.toV2=true to be set on all new upgrades. There have been discussions about removing this Helm config in a future release!