Support request ro HTTPS oauth proxy sidecar

[debMan]

In the environments with oauth-proxy as as reverse proxy to authenticate users (like OpenShift), the command fails. Neither with --use-proxy, not without it.

Setup

• An opencost pod with a sidecar container having image quay.io/openshift/origin-oauth-proxy:4.10.0 as an oauth-proxy which listens on 8443, checks users authorization with kubernetes SAR and proxies to localhost:9090
• A service with clusterIP type which maps port 443 on service to 8443 on pod

Logs

Command which failed with --use-proxy:

kubectl cost --service-name opencost --kubecost-namespace costs --allocation-path /allocation/compute label -l team --window 1d --service-port 443 --log-level debug --use-proxy

Output

2023-10-18T18:23:24.493238+03:30 DBG failed to get currency code, displaying as empty string: failed to proxy get kubecost. err: the server is currently unable to handle
the request (get services opencost:ƻ); data: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"no endpoints available for service \"spc
ld-opencost:ƻ\"","reason":"ServiceUnavailable","code":503}

Error: failed to query allocation API: failed to proxy get kubecost. err: the server rejected our request for an unknown reason (get services opencost:443); data: C
lient sent an HTTP request to an HTTPS server.

Command which failed without --use-proxy:

kubectl cost --service-name opencost --kubecost-namespace costs --allocation-path /allocation/compute label -l team --window 1d --service-port 8443 --log-level debug

Output

2023-10-18T18:15:41.18618+03:30 DBG checking readiness of 'opencost-5766b5f4bb-vtnqn'
2023-10-18T18:15:41.186484+03:30 DBG selected pod to forward: opencost-5766b5f4bb-vtnqn
2023-10-18T18:15:41.334582+03:30 DBG Port-forward set up at: http://localhost:60877
2023-10-18T18:15:41.335083+03:30 DBG Executing GET to: http://localhost:60877/model/getConfigs
2023-10-18T18:15:42.463207+03:30 DBG failed to get currency code, displaying as empty string: failed to forward get kubecost: received non-200 status code 400 and data: C
lient sent an HTTP request to an HTTPS server.

2023-10-18T18:15:42.463384+03:30 DBG Executing GET to: http://localhost:60877/allocation/compute?accumulate=true&aggregate=cluster%2Clabel%3Ateamteam&window=1
d
Error: failed to query allocation API: failed to port forward query: received non-200 status code 400 and data: Client sent an HTTP request to an HTTPS server.

This command's parameter --service-port has been set to 8443 due to failure. Seems it points to pod's port, not service's port in port-forward mode according to the logs:

2023-10-18T18:15:41.186484+03:30 DBG selected pod to forward: opencost-5766b5f4bb-vtnqn
2023-10-18T18:15:41.334582+03:30 DBG Port-forward set up at: http://localhost:60877

Suggestion

I think there are two solutions might resolve this:

• Provide an option to send request directly to the opencost/kubecost API server (#128)
• Provide an option to send request as HTTPS to the service-port, with optionally pass CA. This method is different from first one, and might have other use cases, and eliminates need to expose the cost API publicly.

[michaelmdresser]

Thank you for the clear, detailed issue report and suggested approaches. I'm a bit swamped at the moment, but I'm always willing to review contributions if you'd like this functionality soon -- I'd be particularly amenable to a community contribution of "Provide an option to send request as HTTPS to the service-port, with optionally pass CA" because I see it as a relatively small change with high impact.

cc @kwombach12 so you're aware.