rancher-partner-charts/charts/kubecost/cost-analyzer/values.yaml

global:
  # zone: cluster.local (use only if your DNS server doesn't live in the same zone as kubecost)
  prometheus:
    enabled: true # If false, Prometheus will not be installed -- Warning: Before changing this setting, please read to understand this setting https://docs.kubecost.com/install-and-configure/install/custom-prom
    fqdn: http://cost-analyzer-prometheus-server.default.svc #example address of a prometheus to connect to. Include protocol (http:// or https://) Ignored if enabled: true
    # insecureSkipVerify : false # If true, kubecost will not check the TLS cert of prometheus
    # queryServiceBasicAuthSecretName: dbsecret # kubectl create secret generic dbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD
    # queryServiceBearerTokenSecretName: mcdbsecret  # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN

  # Durable storage option, product key required
  thanos:
    enabled: false
    # queryService: http://kubecost-thanos-query-frontend-http.kubecost:{{ .Values.thanos.queryFrontend.http.port }} # an address of the thanos query-frontend endpoint, if different from installed thanos
    # queryServiceBasicAuthSecretName: mcdbsecret #  kubectl create secret generic mcdbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD <---enter basic auth credentials like that
    # queryServiceBearerTokenSecretName mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN
    # queryOffset: 3h # The offset to apply to all thanos queries in order to achieve syncronization on all cluster block stores

  grafana:
    enabled: true # If false, Grafana will not be installed
    domainName: cost-analyzer-grafana.default.svc #example grafana domain Ignored if enabled: true
    scheme: "http" # http or https, for the domain name above.
    proxy: true # If true, the kubecost frontend will route to your grafana through its service endpoint
#    fqdn: cost-analyzer-grafana.default.svc

  # Enable only when you are using GCP Marketplace ENT listing. Learn more at https://console.cloud.google.com/marketplace/product/kubecost-public/kubecost-ent
  gcpstore:
    enabled: false

  # Google Cloud Managed Service for Prometheus
  gmp:
  # Remember to set up these parameters when install the Kubecost Helm chart with `global.gmp.enabled=true` if you want to use GMP self-deployed collection (Recommended) to ultilize Kubecost scrape configs.
  # If enabling GMP, it is highly recommended to utilize Google's distribution of Prometheus.
  # Learn more at https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-unmanaged
  # --set prometheus.server.image.repository="gke.gcr.io/prometheus-engine/prometheus" \
  # --set prometheus.server.image.tag="v2.35.0-gmp.2-gke.0"
    enabled: false # If true, kubecost will be configured to use GMP Prometheus image and query from Google Cloud Managed Service for Prometheus.
    prometheusServerEndpoint: http://localhost:8085/ # The prometheus service endpoint used by kubecost. The calls are forwarded through the GMP Prom proxy side car to the GMP database.
    gmpProxy:
      enabled: false
      image: gke.gcr.io/prometheus-engine/frontend:v0.4.1-gke.0 # GMP Prometheus proxy image that serve as an endpoint to query metrics from GMP
      imagePullPolicy: Always
      name: gmp-proxy
      port: 8085
      projectId: YOUR_PROJECT_ID # example GCP project ID

  # Amazon Managed Service for Prometheus
  amp:
    enabled: false # If true, kubecost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
    prometheusServerEndpoint: https://localhost:8085/<workspaceId>/ # The prometheus service endpoint used by kubecost. The calls are forwarded through the SigV4Proxy side car to the AMP workspace.
    remoteWriteService: https://aps-workspaces.us-west-2.amazonaws.com/workspaces/<workspaceId>/api/v1/remote_write # The remote_write endpoint for the AMP workspace.
    sigv4:
      region: us-west-2
      # access_key: ACCESS_KEY # AWS Access key
      # secret_key: SECRET_KEY # AWS Secret key
      # role_arn: ROLE_ARN # AWS role arn
      # profile: PROFILE # AWS profile

  # Mimir Proxy to help Kubecost to query metrics from multi-tenant Grafana Mimir.
  # Set `global.mimirProxy.enabled=true` and `global.prometheus.enabled=false` to enable Mimir Proxy.
  # You also need to set `global.prometheus.fqdn=http://kubecost-cost-analyzer-mimir-proxy.kubecost.svc:8085/prometheus`
  # or `global.prometheus.fqdn=http://{{ template "cost-analyzer.fullname" . }}-mimir-proxy.{{ .Release.Namespace }}.svc:8085/prometheus'
  # Learn more at https://grafana.com/docs/mimir/latest/operators-guide/secure/authentication-and-authorization/#without-an-authenticating-reverse-proxy
  mimirProxy:
    enabled: false
    name: mimir-proxy
    image: nginxinc/nginx-unprivileged
    port: 8085
    mimirEndpoint: $mimir_endpoint #Your Mimir query endpoint. If your Mimir query endpoint is http://example.com/prometheus, replace $mimir_endpoint with http://example.com/
    orgIdentifier: $your_tenant_ID #Your Grafana Mimir tenant ID


  notifications:
    # Kubecost alerting configuration
    # Ref: http://docs.kubecost.com/alerts
    # alertConfigs:
      # frontendUrl: http://localhost:9090 # optional, used for linkbacks
      # globalSlackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Slack alerts
      # globalMsTeamsWebhookUrl: https://xxxxx.webhook.office.com/webhookb2/XXXXXXXXXXXXXXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Microsoft Teams alerts
      # globalAlertEmails:
      #   - recipient@example.com
      #   - additionalRecipient@example.com
      # globalEmailSubject: Custom Subject
      # Alerts generated by kubecost, about cluster data
      # alerts:
        # Daily namespace budget alert on namespace `kubecost`
        # - type: budget                # supported: budget, recurringUpdate
        #   threshold: 50               # optional, required for budget alerts
        #   window: daily               # or 1d
        #   aggregation: namespace
        #   filter: kubecost
        #   ownerContact:               # optional, overrides globalAlertEmails default
        #     - owner@example.com
        #     - owner2@example.com
        #   # optional, used for alert-specific Slack and Microsoft Teams alerts
        #   slackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
        #   msTeamsWebhookUrl: https://xxxxx.webhook.office.com/webhookb2/XXXXXXXXXXXXXXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXXXXXXXXXXXXXX

        # Daily cluster budget alert on cluster `cluster-one`
        # - type: budget
        #   threshold: 200.8        # optional, required for budget alerts
        #   window: daily           # or 1d
        #   aggregation: cluster
        #   filter: cluster-one     # does not accept csv

        # Recurring weekly update (weeklyUpdate alert)
        # - type: recurringUpdate
        #   window: weekly          # or 7d
        #   aggregation: namespace
        #   filter: '*'

        # Recurring weekly namespace update on kubecost namespace
        # - type: recurringUpdate
        #   window: weekly # or 7d
        #   aggregation: namespace
        #   filter: kubecost

        # Spend Change Alert
        # - type: spendChange         # change relative to moving avg
        #   relativeThreshold: 0.20   # Proportional change relative to baseline. Must be greater than -1 (can be negative)
        #   window: 1d                # accepts ‘d’, ‘h’
        #   baselineWindow: 30d       # previous window, offset by window
        #   aggregation: namespace
        #   filter: kubecost, default # accepts csv

        # Health Score Alert
        # - type: health              # Alerts when health score changes by a threshold
        #   window: 10m
        #   threshold: 5              # Send Alert if health scores changes by 5 or more

        # Kubecost Health Diagnostic
        # - type: diagnostic          # Alerts when kubecost is unable to compute costs - ie: Prometheus unreachable
        #   window: 10m

    alertmanager: # Supply an alertmanager FQDN to receive notifications from the app.
      enabled: false # If true, allow kubecost to write to your alertmanager
      fqdn: http://cost-analyzer-prometheus-server.default.svc #example fqdn. Ignored if prometheus.enabled: true

   # Set saved Cost Allocation report(s) accessible from /reports
   # Ref: http://docs.kubecost.com/saved-reports
  savedReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
      - title: "Example Saved Report 0"
        window: "today"
        aggregateBy: "namespace"
        chartDisplay: "category"
        idle: "separate"
        rate: "cumulative"
        accumulate: false # daily resolution
        filters:
          - property: "cluster"
            value: "cluster-one,cluster*" # supports wildcard filtering and multiple comma separated values
          - property: "namespace"
            value: "kubecost"
      - title: "Example Saved Report 1"
        window: "month"
        aggregateBy: "controllerKind"
        chartDisplay: "category"
        idle: "share"
        rate: "monthly"
        accumulate: false
        filters:
          - property: "label"
            value: "app:cost*,environment:kube*"
          - property: "namespace"
            value: "kubecost"
      - title: "Example Saved Report 2"
        window: "2020-11-11T00:00:00Z,2020-12-09T23:59:59Z"
        aggregateBy: "service"
        chartDisplay: "category"
        idle: "hide"
        rate: "daily"
        accumulate: true # entire window resolution
        filters: [] # if no filters, specify empty array

  # Set saved Asset report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  assetReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
    - title: "Example Asset Report 0"
      window: "today"
      aggregateBy: "type"
      accumulate: false # daily resolution
      filters:
        - property: "cluster"
          value: "cluster-one"

  # Set saved Advanced report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  advancedReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
    - title: "Example Advanced Report 0"
      window: "7d"
      aggregateBy: "namespace"
      filters:
        - property: "cluster"
          value: "cluster-one"
      cloudBreakdown: "service"
      cloudJoin: "label:kubernetes_namespace"

  # Set saved Cloud Cost report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  cloudCostReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
      - title: "Cloud Cost Report 0"
        window: "today"
        aggregateBy: "service"
        accumulate: false  # daily resolution
        # filters:
        #   - property: "service"
        #     value: "service1" # corresponds to a value to filter cloud cost aggregate by service data on.

  podAnnotations: {}
    # iam.amazonaws.com/role: role-arn
  additionalLabels: {}

  containerSecuritycontext: {}
    # readOnlyRootFilesystem: true

# generated at http://kubecost.com/install, used for alerts tracking and free trials
kubecostToken: # ""

# Advanced pipeline for custom prices, enterprise key required
pricingCsv:
  enabled: false
  location:
    provider: "AWS"
    region: "us-east-1"
    URI: s3://kc-csv-test/pricing_schema.csv # a valid file URI
    csvAccessCredentials: pricing-schema-access-secret

# SAML integration for user management and RBAC, enterprise key required
# Ref: https://github.com/kubecost/docs/blob/main/user-management.md
saml:
  enabled: false
  secretName: "kubecost-authzero"
  #metadataSecretName: "kubecost-authzero-metadata" # One of metadataSecretName or idpMetadataURL must be set. defaults to metadataURL if set
  idpMetadataURL: "https://dev-elu2z98r.auth0.com/samlp/metadata/c6nY4M37rBP0qSO1IYIqBPPyIPxLS8v2"
  appRootURL: "http://localhost:9090" # sample URL
  authTimeout: 1440 # number of minutes the JWT will be valid
  redirectURL: "https://dev-elu2z98r.auth0.com/v2/logout" # callback URL redirected to after logout
  # audienceURI: "http://localhost:9090" # by convention, the same as the appRootURL, but any string uniquely identifying kubecost to your samp IDP. Optional if you follow the convention
  # nameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" If your SAML provider requires a specific nameid format
  # isGLUUProvider: false # An additional URL parameter must be appended for GLUU providers
  # encryptionCertSecret: "kubecost-saml-cert" # k8s secret where the x509 certificate used to encrypt an Okta saml response is stored
  # decryptionKeySecret: "kubecost-sank-decryption-key" # k8s secret where the private key associated with the encryptionCertSecret is stored
  rbac:
    enabled: false
    groups:
      - name: admin
        enabled: false # if admin is disabled, all SAML users will be able to make configuration changes to the kubecost frontend
        assertionName: "http://schemas.auth0.com/userType" # a SAML Assertion, one of whose elements has a value that matches on of the values in assertionValues
        assertionValues:
          - "admin"
          - "superusers"
      - name: readonly
        enabled: false # if readonly is disabled, all users authorized on SAML will default to readonly
        assertionName:  "http://schemas.auth0.com/userType"
        assertionValues:
          - "readonly"
      - name: editor
        enabled: true # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor.
        assertionName: "http://schemas.auth0.com/userType"
        assertionValues:
          - "editor"

oidc:
  enabled: false
  clientID: "" # application/client client_id paramter obtained from provider, used to make requests to server
  clientSecret: "" # application/client client_secret paramter obtained from provider, used to make requests to server
  secretName: "kubecost-oidc-secret" # k8s secret where clientsecret will be stored
  authURL: "https://my.auth.server/authorize" # endpoint for login to auth server
  loginRedirectURL: "http://my.kubecost.url/model/oidc/authorize" # Kubecost url configured in provider for redirect after authentication
  discoveryURL: "https://my.auth.server/.well-known/openid-configuration" # url for OIDC endpoint discovery
#  hostedDomain: "example.com" # optional, blocks access to the auth domain specified in the hd claim of the provider ID token
  rbac:
    enabled: false
    groups:
      - name: admin
        enabled: false # if admin is disabled, all authenticated users will be able to make configuration changes to the kubecost frontend
        claimName: "roles" # Kubecost matches this string against the JWT's payload key containing RBAC info (this value is unique across identity providers)
        claimValues: # Kubecost matches these strings with the roles created in your identity provider
          - "admin"
          - "superusers"
      - name: readonly
        enabled: false # if readonly is disabled, all authenticated users will default to readonly
        claimName:  "roles"
        claimValues:
          - "readonly"
      - name: editor
        enabled: false # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor.
        claimName: "roles"
        claimValues:
          - "editor"

# Adds an httpProxy as an environment variable. systemProxy.enabled must be `true`to have any effect.
# Ref: https://www.oreilly.com/library/view/security-with-go/9781788627917/5ea6a02b-3d96-44b1-ad3c-6ab60fcbbe4f.xhtml
systemProxy:
  enabled: false
  httpProxyUrl: ""
  httpsProxyUrl: ""
  noProxy: ""

# imagePullSecrets:
# - name: "image-pull-secret"

kubecostFrontend:
  image: "gcr.io/kubecost1/frontend"
  imagePullPolicy: Always
  # extraEnv:
  # - name: NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE
  #   value: "1"
  # securityContext:
  #   readOnlyRootFilesystem: true
  resources:
    requests:
      cpu: "10m"
      memory: "55Mi"
    #limits:
    #  cpu: "100m"
    #  memory: "256Mi"
  livenessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    failureThreshold: 200
  ipv6:
    enabled: true # disable if the cluster does not support ipv6
#  api:
#    fqdn: kubecost-api.kubecost.svc.cluster.local:9001
#  model:
#    fqdn: kubecost-model.kubecost.svc.cluster.local:9003

# Kubecost Metrics deploys a separate pod which will emit kubernetes specific metrics required
# by the cost-model. This pod is designed to remain active and decoupled from the cost-model itself.
# However, disabling this service/pod deployment will flag the cost-model to emit the metrics instead.
kubecostMetrics:
  # emitPodAnnotations: false
  # emitNamespaceAnnotations: false
  # emitKsmV1Metrics: true # emit all KSM metrics in KSM v1.
  # emitKsmV1MetricsOnly: false # emit only the KSM metrics missing from KSM v2. Advanced users only.

  # Optional
  # The metrics exporter is a separate deployment and service (for prometheus scrape auto-discovery)
  # which emits metrics cost-model relies on. Enabling this deployment also removes the KSM dependency
  # from the cost-model. If the deployment is not enabled, the metrics will continue to be emitted from
  # the cost-model.
  exporter:
    enabled: false
    port: 9005
    # Adds the default Prometheus scrape annotations to the metrics exporter service.
    # Set to false and use service.annotations (below) to set custom scrape annotations.
    prometheusScrape: true
    resources: {}
      # requests:
      #  cpu: "200m"
      #  memory: "55Mi"
    ## Node tolerations for server scheduling to nodes with taints
    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    tolerations: []

    #  - key: "key"
    #    operator: "Equal|Exists"
    #    value: "value"
    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
    affinity: {}

    service:
      annotations: {}

    # Service Monitor for Kubecost Metrics
    serviceMonitor: # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors.
      enabled: false
      additionalLabels: {}
      metricRelabelings: []
      relabelings: []
    ## PriorityClassName
    ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    priorityClassName: ""
    additionalLabels: {}
    nodeSelector: {}
    extraArgs: []

sigV4Proxy:
  image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest
  imagePullPolicy: Always
  name: aps
  port: 8005
  region: us-west-2 # The AWS region
  host: aps-workspaces.us-west-2.amazonaws.com # The hostname for AMP service.
  # role_arn: arn:aws:iam::<account>:role/role-name # The AWS IAM role to assume.
  extraEnv: # Pass extra env variables to sigV4Proxy
  # - name: AWS_ACCESS_KEY_ID
  #   value: <access_key>
  # - name: AWS_SECRET_ACCESS_KEY
  #   value: <secret_key>

kubecostModel:
  image: "gcr.io/kubecost1/cost-model"
  imagePullPolicy: Always
  # extraEnv:
  # - name: SOME_VARIABLE
  #   value: "some_value"
  # securityContext:
  #   readOnlyRootFilesystem: true
  # Enables the emission of the kubecost_cloud_credit_total and
  # kubecost_cloud_expense_total metrics
  outOfClusterPromMetricsEnabled: false
  # Build local cost allocation cache
  warmCache: false
  # Build local savings cache
  warmSavingsCache: true
  # Run allocation ETL pipelines
  etl: true
  # Enable the ETL filestore backing storage
  etlFileStoreEnabled: true
  # The total number of days the ETL pipelines will build
  # Set to 0 to disable daily ETL (not recommended)
  etlDailyStoreDurationDays: 91
  # The total number of hours the ETL pipelines will build
  # Set to 0 to disable hourly ETL (not recommended)
  etlHourlyStoreDurationHours: 49
  # The total number of weeks the ETL pipelines will build
  # Set to 0 to disable weekly ETL (not recommended)
  # The default is 53 to ensure at least a year of coverage (371 days)
  etlWeeklyStoreDurationWeeks: 53
  # For deploying kubecost in a cluster that does not self-monitor
  etlReadOnlyMode: false

  ## Feature to view your out-of-cluster costs and their k8s utilization
  ## Ref: https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cloud-costs-explorer
  cloudCost:
    enabled: true
    labelList:
      IsIncludeList: false
      # format labels as comma separated string (ex. "label1,label2,label3")
      labels: ""
    topNItems: 1000

  allocation:
    # Enables or disables adding node labels to allocation data (i.e. workloads).
    # Defaults to "true" and starts with a sensible includeList for basics like
    # topology (e.g. zone, region) and instance type labels.
    # nodeLabels:
    #   enabled: true
    #   includeList: "node.kubernetes.io/instance-type,topology.kubernetes.io/region,topology.kubernetes.io/zone"

  # Enables or disables the ContainerStats pipeline, used for quantile-based
  # queries like for request sizing recommendations.
  # ContainerStats provides support for quantile-based request right-sizing
  # recommendations.
  #
  # It is disabled by default to avoid problems in extremely high-scale Thanos
  # environments. If you would like to try quantile-based request-sizing
  # recommendations, enable this! If you are in a high-scale environment,
  # please monitor Kubecost logs, Thanos query logs, and Thanos load closely.
  # We hope to make major improvements at scale here soon!
  #
  # containerStatsEnabled: false

  # max number of concurrent Prometheus queries
  maxQueryConcurrency: 5
  resources:
    requests:
      cpu: "200m"
      memory: "55Mi"
    #limits:
    #  cpu: "800m"
    #  memory: "256Mi"
  livenessProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    failureThreshold: 200
  extraArgs: []

# Basic Kubecost ingress, more examples available at https://github.com/kubecost/docs/blob/main/ingress-examples.md
ingress:
  enabled: false
  # className: nginx
  labels:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  annotations:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  paths: ["/"] # There's no need to route specifically to the pods-- we have an nginx deployed that handles routing
  pathType: ImplementationSpecific
  hosts:
    - cost-analyzer.local
  tls: []
  #  - secretName: cost-analyzer-tls
  #    hosts:
  #      - cost-analyzer.local

nodeSelector: {}

tolerations: []
#  - key: "key"
#    operator: "Equal|Exists"
#    value: "value"
#    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

affinity: {}

# If true, creates a PriorityClass to be used by the cost-analyzer pod
priority:
  enabled: false
  name: "" # Provide name of existing priority class only. If left blank, upstream chart will create one from default template.
  # value: 1000000

# If true, enable creation of NetworkPolicy resources.
networkPolicy:
  enabled: false
  denyEgress: true # create a network policy that denies egress from kubecost
  sameNamespace: true # Set to true if cost analyser and prometheus are on the same namespace
#  namespace: kubecost # Namespace where prometheus is installed

  # Cost-analyzer specific vars using the new template
  costAnalyzer:
    enabled: false # If true, create a newtork policy for cost-analzyer
    annotations: {} # annotations to be added to the network policy
    additionalLabels: {} # additional labels to be added to the network policy
    # Examples rules:
    # ingressRules:
    #   - selectors: # allow ingress from self on all ports
    #     - podSelector:
    #         matchLabels:
    #           app.kubernetes.io/name: cost-analyzer
    #   - selectors: # allow egress access to prometheus
    #     - namespaceSelector:
    #         matchLabels:
    #           name: prometheus
    #       podSelector:
    #         matchLabels:
    #           app: prometheus
    #     ports:
    #       - protocol: TCP
    #         port: 9090
    # egressRules:
    #   - selectors: # restrict egress to inside cluster
    #     - namespaceSelector: {}

podSecurityPolicy:
  enabled: false

## @param extraVolumes A list of volumes to be added to the pod
##
extraVolumes: []
## @param extraVolumeMounts A list of volume mounts to be added to the pod
##
extraVolumeMounts: []

# Define persistence volume for cost-analyzer, more information at https://github.com/kubecost/docs/blob/main/storage.md
persistentVolume:
  size: 32Gi
  dbSize: 32.0Gi
  enabled: true # Note that setting this to false means configurations will be wiped out on pod restart.
  # storageClass: "-" #
  # existingClaim: kubecost-cost-analyzer # a claim in the same namespace as kubecost
  labels: {}
  annotations: {}

service:
  type: ClusterIP
  port: 9090
  targetPort: 9090
  # nodePort:
  labels: {}
  annotations: {}

# Enabling long-term durable storage with Postgres requires an enterprise license
remoteWrite:
  postgres:
    enabled: false
    initImage: "gcr.io/kubecost1/sql-init"
    initImagePullPolicy: Always
    installLocal: true
    remotePostgresAddress: "" # ignored if installing locally
    ## PriorityClassName
    ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    priorityClassName: ""
    persistentVolume:
      size: 200Gi
    auth:
      password: admin # change me

prometheus:
  podSecurityPolicy:
    enabled: false
  extraScrapeConfigs: |
    - job_name: kubecost
      honor_labels: true
      scrape_interval: 1m
      scrape_timeout: 60s
      metrics_path: /metrics
      scheme: http
      dns_sd_configs:
      - names:
        - {{ template "cost-analyzer.serviceName" . }}
        type: 'A'
        port: 9003
    - job_name: kubecost-networking
      kubernetes_sd_configs:
        - role: pod
      relabel_configs:
      # Scrape only the the targets matching the following metadata
        - source_labels: [__meta_kubernetes_pod_label_app]
          action: keep
          regex:  {{ template "cost-analyzer.networkCostsName" . }}
  server:
    # If clusterIDConfigmap is defined, instead use user-generated configmap with key CLUSTER_ID
    # to use as unique cluster ID in kubecost cost-analyzer deployment.
    # This overrides the cluster_id set in prometheus.server.global.external_labels.
    # NOTE: This does not affect the external_labels set in prometheus config.
    # clusterIDConfigmap: cluster-id-configmap

    resources: {}
    # limits:
    #   cpu: 500m
    #   memory: 512Mi
    # requests:
    #   cpu: 500m
    #   memory: 512Mi
    global:
      scrape_interval: 1m
      scrape_timeout: 60s
      evaluation_interval: 1m
      external_labels:
        cluster_id: cluster-one # Each cluster should have a unique ID
    persistentVolume:
      size: 32Gi
      enabled: true
    extraArgs:
      query.max-concurrency: 1
      query.max-samples: 100000000
    tolerations: []
    #  - key: "key"
    #    operator: "Equal|Exists"
    #    value: "value"
    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  alertmanager:
    enabled: false
    persistentVolume:
      enabled: true
  # node-export must be disabled if there is an existing daemonset: https://guide.kubecost.com/hc/en-us/articles/4407601830679-Troubleshoot-Install#a-name-node-exporter-a-issue-failedscheduling-kubecost-prometheus-node-exporter
  nodeExporter:
    enabled: true
  # kubecost emits pre-2.0 KSM metrics, KSM is enabled by default here for backwards compatibity, but can be disabled to save resources without concern to kubecost metrics
  kubeStateMetrics:
    enabled: true
  kube-state-metrics:
    disabled: false
  pushgateway:
    enabled: false
    persistentVolume:
      enabled: true
  serverFiles:
  #  prometheus.yml: # Sample block -- enable if using an in cluster durable store.
  #      remote_write:
  #        - url: "http://pgprometheus-adapter:9201/write"
  #          write_relabel_configs:
  #            - source_labels: [__name__]
  #              regex: 'container_.*_allocation|container_.*_allocation_bytes|.*_hourly_cost|kube_pod_container_resource_requests{resource="memory", unit="byte"}|container_memory_working_set_bytes|kube_pod_container_resource_requests{resource="cpu", unit="core"}|kube_pod_container_resource_requests|pod_pvc_allocation|kube_namespace_labels|kube_pod_labels'
  #              action: keep
  #          queue_config:
  #            max_samples_per_send: 1000
        #remote_read:
        #  - url: "http://pgprometheus-adapter:9201/read"
    rules:
      groups:
        - name: CPU
          rules:
            - expr: sum(rate(container_cpu_usage_seconds_total{container!=""}[5m]))
              record: cluster:cpu_usage:rate5m
            - expr: rate(container_cpu_usage_seconds_total{container!=""}[5m])
              record: cluster:cpu_usage_nosum:rate5m
            - expr: avg(irate(container_cpu_usage_seconds_total{container!="POD", container!=""}[5m])) by (container,pod,namespace)
              record: kubecost_container_cpu_usage_irate
            - expr: sum(container_memory_working_set_bytes{container!="POD",container!=""}) by (container,pod,namespace)
              record: kubecost_container_memory_working_set_bytes
            - expr: sum(container_memory_working_set_bytes{container!="POD",container!=""})
              record: kubecost_cluster_memory_working_set_bytes
        - name: Savings
          rules:
            - expr: sum(avg(kube_pod_owner{owner_kind!="DaemonSet"}) by (pod) * sum(container_cpu_allocation) by (pod))
              record: kubecost_savings_cpu_allocation
              labels:
                daemonset: "false"
            - expr: sum(avg(kube_pod_owner{owner_kind="DaemonSet"}) by (pod) * sum(container_cpu_allocation) by (pod)) / sum(kube_node_info)
              record: kubecost_savings_cpu_allocation
              labels:
                daemonset: "true"
            - expr: sum(avg(kube_pod_owner{owner_kind!="DaemonSet"}) by (pod) * sum(container_memory_allocation_bytes) by (pod))
              record: kubecost_savings_memory_allocation_bytes
              labels:
                daemonset: "false"
            - expr: sum(avg(kube_pod_owner{owner_kind="DaemonSet"}) by (pod) * sum(container_memory_allocation_bytes) by (pod)) / sum(kube_node_info)
              record: kubecost_savings_memory_allocation_bytes
              labels:
                daemonset: "true"

## Module for measuring network costs
## Ref: https://github.com/kubecost/docs/blob/main/network-allocation.md
networkCosts:
  enabled: false
  podSecurityPolicy:
    enabled: false
  image: gcr.io/kubecost1/kubecost-network-costs:v0.16.7
  imagePullPolicy: Always
  updateStrategy:
    type: RollingUpdate
  # For existing Prometheus Installs, annotates the Service which generates Endpoints for each of the network-costs pods.
  # The Service is annotated with prometheus.io/scrape: "true" to automatically get picked up by the prometheus config.
  # NOTE: Setting this option to true and leaving the above extraScrapeConfig "job_name: kubecost-networking" configured will cause the
  # NOTE: pods to be scraped twice.
  prometheusScrape: false
  # Traffic Logging will enable logging the top 5 destinations for each source
  # every 30 minutes.
  trafficLogging: true

  # Port will set both the containerPort and hostPort to this value.
  # These must be identical due to network-costs being run on hostNetwork
  port: 3001
  # this daemonset can use significant resources on large clusters: https://guide.kubecost.com/hc/en-us/articles/4407595973527-Network-Traffic-Cost-Allocation
  resources:
    limits: # remove the limits by setting limits: {}
      cpu: 500m # can be less, will depend on cluster size
      # memory: it is not recommended to set a memory limit
    requests:
      cpu: 50m
      memory: 20Mi
  extraArgs: []
  config:
    # Configuration for traffic destinations, including specific classification
    # for IPs and CIDR blocks. This configuration will act as an override to the
    # automatic classification provided by network-costs.
    destinations:
      # In Zone contains a list of address/range that will be
      # classified as in zone.
      in-zone:
        # Loopback Addresses in "IANA IPv4 Special-Purpose Address Registry"
        - "127.0.0.0/8"
        # IPv4 Link Local Address Space
        - "169.254.0.0/16"
        # Private Address Ranges in RFC-1918
        - "10.0.0.0/8" # Remove this entry if using Multi-AZ Kubernetes
        - "172.16.0.0/12"
        - "192.168.0.0/16"

      # In Region contains a list of address/range that will be
      # classified as in region. This is synonymous with cross
      # zone traffic, where the regions between source and destinations
      # are the same, but the zone is different.
      in-region: []

      # Cross Region contains a list of address/range that will be
      # classified as non-internet egress from one region to another.
      cross-region: []

      # Internet contains a list of address/range that will be
      # classified as internet traffic. This is synonymous with traffic
      # that cannot be classified within the cluster.
      # NOTE: Internet classification filters are executed _after_
      # NOTE: direct-classification, but before in-zone, in-region,
      # NOTE: and cross-region.
      internet: []

      # Direct Classification specifically maps an ip address or range
      # to a region (required) and/or zone (optional). This classification
      # takes priority over in-zone, in-region, and cross-region configurations.
      direct-classification: []
      # - region: "us-east1"
      #   zone: "us-east1-c"
      #   ips:
      #     - "10.0.0.0/24"
    services:
      # google-cloud-services: when set to true, enables labeling traffic metrics with google cloud
      # service endpoints
      google-cloud-services: false
      # amazon-web-services: when set to true, enables labeling traffic metrics with amazon web service
      # endpoints.
      amazon-web-services: false
      # azure-cloud-services: when set to true, enables labeling traffic metrics with azure cloud service
      # endpoints
      azure-cloud-services: false
      # user defined services provide a way to define custom service endpoints which will label traffic metrics
      # falling within the defined address range.
      #services:
      #  - service: "test-service-1"
      #    ips:
      #      - "19.1.1.2"
      #  - service: "test-service-2"
      #    ips:
      #      - "15.128.15.2"
      #      - "20.0.0.0/8"

  ## Node tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  tolerations: []
  #  - key: "key"
  #    operator: "Equal|Exists"
  #    value: "value"
  #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  affinity: {}

  service:
    annotations: {}
    labels: {}

  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""
  ## PodMonitor
  ## Allows scraping of network metrics from a dedicated prometheus operator setup
  podMonitor:
    enabled: false
    additionalLabels: {}
  additionalLabels: {}
  nodeSelector: {}
  annotations: {}
  healthCheckProbes: {}
    # readinessProbe:
    #   tcpSocket:
    #     port: 3001
    #   initialDelaySeconds: 5
    #   periodSeconds: 10
    #   failureThreshold: 5
    # livenessProbe:
    #   tcpSocket:
    #     port: 3001
    #   initialDelaySeconds: 5
    #   periodSeconds: 10
    #   failureThreshold: 5
  additionalSecurityContext: {}
    # readOnlyRootFilesystem: true

# Kubecost Deployment Configuration
# Used for HA mode in Business & Enterprise tier
kubecostDeployment:
  replicas: 1
  leaderFollower:
    enabled: false
  # deploymentStrategy:
  #   rollingUpdate:
  #     maxSurge: 1
  #     maxUnavailable: 1
  #   type: RollingUpdate

  # QueryServiceReplicas
  # Ref: https://docs.kubecost.com/install-and-configure/advanced-configuration/query-service-replicas
  queryServiceReplicas: 0
  queryService:
    resources:
      requests:
        # You can use the Kubecost savings report for 'Right-size your container requests' to determine the recommended resource requests once the pod has run for 24 hours.
        cpu: 1000m
        memory: 500Mi
    # default storage class
    storageClass: ""
    databaseVolumeSize: 100Gi
    configVolumeSize: 1Gi

# Kubecost Cluster Controller for Right Sizing and Cluster Turndown
clusterController:
  enabled: false
  image: gcr.io/kubecost1/cluster-controller:v0.11.0
  imagePullPolicy: Always
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""
  kubescaler:
    # If true, will cause all (supported) workloads to be have their requests
    # automatically right-sized on a regular basis.
    defaultResizeAll: false
#  fqdn: kubecost-cluster-controller.kubecost.svc.cluster.local:9731
  namespaceTurndown:
    rbac:
      enabled: true

reporting:
  # Kubecost bug report feature: Logs access/collection limited to .Release.Namespace
  # Ref: http://docs.kubecost.com/bug-report
  logCollection: true
  # Basic frontend analytics
  productAnalytics: true

  # Report Javascript errors
  errorReporting: true
  valuesReporting: true
  # googleAnalyticsTag allows you to embed your Google Global Site Tag to track usage of Kubecost.
  # googleAnalyticsTag is only included in our Enterprise offering.
  # googleAnalyticsTag: G-XXXXXXXXX

serviceMonitor: # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors.
  enabled: false
  additionalLabels: {}
  metricRelabelings: []
  relabelings: []
  networkCosts:
    enabled: false
    scrapeTimeout: 10s
    additionalLabels: {}
    metricRelabelings: []
    relabelings: []

prometheusRule:
  enabled: false
  additionalLabels: {}

supportNFS: false
# initChownDataImage ensures all Kubecost filepath permissions on PV or local storage are set up correctly.
initChownDataImage: "busybox" # Supports a fully qualified Docker image, e.g. registry.hub.docker.com/library/busybox:latest
initChownData:
  resources: {}
    #requests:
    #  cpu: "50m"
    #  memory: "20Mi"

grafana:
  # namespace_datasources: kubecost # override the default namespace here
  # namespace_dashboards: kubecost # override the default namespace here
  rbac:
    # Manage the Grafana Pod Security Policy
    pspEnabled: false
  datasources:
    datasources.yaml:
      apiVersion: 1
      datasources:
        - name: prometheus-kubecost
          type: prometheus
          url: http://kubecost-prometheus-server.kubecost.svc.cluster.local
          access: proxy
          isDefault: false
  sidecar:
    dashboards:
      enabled: true
      # label that the configmaps with dashboards are marked with
      label: grafana_dashboard
      # set sidecar ERROR_THROTTLE_SLEEP env var from default 5s to 0s -> fixes https://github.com/kubecost/cost-analyzer-helm-chart/issues/877
      annotations: {}
      error_throttle_sleep: 0
    datasources:
      # dataSourceFilename: foo.yml # If you need to change the name of the datasource file
      enabled: false
      error_throttle_sleep: 0
#  For grafana to be accessible, add the path to root_url. For example, if you run kubecost at www.foo.com:9090/kubecost
#  set root_url to "%(protocol)s://%(domain)s:%(http_port)s/kubecost/grafana". No change is necessary here if kubecost runs at a root URL
  grafana.ini:
    server:
      serve_from_sub_path: true
      root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana"
serviceAccount:
  create: true # Set this to false if you're bringing your own service account.
  annotations: {}
  # name: kc-test
awsstore:
  useAwsStore: false
  createServiceAccount: false
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""

federatedETL:
  federatedCluster: false # whether this cluster should push data to the Federated store
  primaryCluster: false # whether this cluster should load data from the combined section of the Federated store
  useExistingS3Config: false # will attempt to use existing object-store.yaml configs for S3 backup/Thanos as config for the Federated store
  redirectS3Backup: false # changes the dir of S3 backup to the Federated combined store, for using Thanos-federated data in the Federated ETL. Note S3 backup should be enabled separately for this.
  useMultiClusterDB: false # set to true if you have a single federated PromQL DB with metrics from all monitored clusters but want to use federation for performance
  federator:
    enabled: false # enables the federator to run inside the costmodel container, federating the data in the Federated store
    clusters: [] # optional. Whitelist of clusters by cluster id. If not set, the federator will attempt to federated all clusters pushing to the federated storage.
    # primaryClusterID: "cluster_id" # optional. Used when reconciliation is expected to occur on the Primary.
    # federationCutoffDate: "2022-10-18T00:00:00.000Z" # an RFC 3339-formatted string. All ETL files with windows that fall before this time are not processed by the Federator. If this is not set, the Federator will process all files regardless of date.

kubecostAdmissionController:
  enabled: false

# Enables or disables the Cost Event Audit pipeline, which tracks recent changes at cluster level
# and provides an estimated cost impact via the Kubecost Predict API.
#
# It is disabled by default to avoid problems in high-scale environments.
costEventsAudit:
  enabled: false


#readonly: false # disable updates to kubecost from the frontend UI and via POST request

# These configs can also be set from the Settings page in the Kubecost product UI
# Values in this block override config changes in the Settings UI on pod restart
#
#kubecostProductConfigs:
# An optional list of cluster definitions that can be added for frontend access. The local
# cluster is *always* included by default, so this list is for non-local clusters.
# Ref: https://github.com/kubecost/docs/blob/main/multi-cluster.md
#  clusters:
#   - name: "Cluster A"
#     address: http://cluster-a.kubecost.com:9090
#     # Optional authentication credentials - only basic auth is currently supported.
#     auth:
#       type: basic
#       # Secret name should be a secret formatted based on: https://github.com/kubecost/docs/blob/main/ingress-examples.md
#       secretName: cluster-a-auth
#       # Or pass auth directly as base64 encoded user:pass
#       data: YWRtaW46YWRtaW4=
#       # Or user and pass directly
#       user: admin
#       pass: admin
#   - name: "Cluster B"
#     address: http://cluster-b.kubecost.com:9090
#  defaultModelPricing: # default monthly resource prices, used predominately for on-prem clusters
#    CPU: 28.0
#    spotCPU: 4.86
#    RAM: 3.09
#    spotRAM: 0.65
#    GPU: 693.50
#    spotGPU: 225.0
#    storage: 0.04
#    zoneNetworkEgress: 0.01
#    regionNetworkEgress: 0.01
#    internetNetworkEgress: 0.12
#    enabled: true
#  # The cluster profile represents a predefined set of parameters to use when calculating savings.
#  # Possible values are: [ development, production, high-availability ]
#  clusterProfile: production
#  customPricesEnabled: false # This makes the default view custom prices-- generally used for on-premises clusters
#  spotLabel: lifecycle
#  spotLabelValue: Ec2Spot
#  gpuLabel: gpu
#  gpuLabelValue: true
#  awsServiceKeyName: ACCESSKEYID
#  awsServiceKeyPassword:  fakepassword # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName
#  awsSpotDataRegion: us-east-1
#  awsSpotDataBucket: spot-data-feed-s3-bucket
#  awsSpotDataPrefix: dev
#  athenaProjectID: "530337586277" # The AWS AccountID where the Athena CUR is. Generally your masterpayer account
#  athenaBucketName: "s3://aws-athena-query-results-530337586277-us-east-1"
#  athenaRegion: us-east-1
#  athenaDatabase: athenacurcfn_athena_test1
#  athenaTable: "athena_test1"
#  athenaWorkgroup: "primary" # The default workgroup in AWS is 'primary'
#  masterPayerARN: ""
#  projectID: "123456789"  # Also known as AccountID on AWS -- the current account/project that this instance of Kubecost is deployed on.
#  gcpSecretName: gcp-secret # Name of a secret representing the gcp service key
#  bigQueryBillingDataDataset: billing_data.gcp_billing_export_v1_01AC9F_74CF1D_5565A2
#  labelMappingConfigs:  # names of k8s labels or annotations used to designate different allocation concepts
#    enabled: true
#    owner_label: "owner"
#    team_label: "team"
#    department_label: "dept"
#    product_label: "product"
#    environment_label: "env"
#    namespace_external_label: "kubernetes_namespace" # external labels/tags are used to map external cloud costs to kubernetes concepts
#    cluster_external_label: "kubernetes_cluster"
#    controller_external_label: "kubernetes_controller"
#    product_external_label: "kubernetes_label_app"
#    service_external_label: "kubernetes_service"
#    deployment_external_label: "kubernetes_deployment"
#    owner_external_label: "kubernetes_label_owner"
#    team_external_label: "kubernetes_label_team"
#    environment_external_label: "kubernetes_label_env"
#    department_external_label: "kubernetes_label_department"
#    statefulset_external_label: "kubernetes_statefulset"
#    daemonset_external_label: "kubernetes_daemonset"
#    pod_external_label: "kubernetes_pod"
#  grafanaURL: ""
#  clusterName: "" # clusterName is the default context name in settings.
#  clusterAccountID: "" # Manually set Account property for assets
#  currencyCode: "USD" # official support for USD, AUD, BRL, CAD, CHF, CNY, DKK, EUR, GBP, INR, JPY, NOK, PLN, SEK
#  azureBillingRegion: US # Represents 2-letter region code, e.g. West Europe = NL, Canada = CA. ref: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
#  azureSubscriptionID: 0bd50fdf-c923-4e1e-850c-196dd3dcc5d3
#  azureClientID: f2ef6f7d-71fb-47c8-b766-8d63a19db017
#  azureTenantID: 72faf3ff-7a3f-4597-b0d9-7b0b201bb23a
#  azureClientPassword: fake key # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName
#  azureOfferDurableID: "MS-AZR-0003p"
#  discount: "" # percentage discount applied to compute
#  negotiatedDiscount: "" # custom negotiated cloud provider discount
#  defaultIdle: false
#  serviceKeySecretName: "" # Use an existing AWS or Azure secret with format as in aws-service-key-secret.yaml or azure-service-key-secret.yaml. Leave blank if using createServiceKeySecret
#  createServiceKeySecret: true # Creates a secret representing your cloud service key based on data in values.yaml. If you are storing unencrypted values, add a secret manually
#  sharedNamespaces: "" # namespaces with shared workloads, example value: "kube-system\,ingress-nginx\,kubecost\,monitoring"
#  sharedOverhead: "" # value representing a fixed external cost per month to be distributed among aggregations.
#  shareTenancyCosts: true # enable or disable sharing costs such as cluster management fees (defaults to "true" on Settings page)
#  metricsConfigs: # configuration for metrics emitted by Kubecost
#    disabledMetrics: [] # list of metrics that Kubecost will not emit. Note that disabling metrics can lead to unexpected behavior in the cost-model.
#  productKey: # apply business or enterprise product license
#    key: ""
#    enabled: false
#    secretname: productkeysecret # create a secret out of a file named productkey.json of format { "key": "kc-b1325234" }. If the secretname is specified, a configmap with the key will not be created
#    mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) declare the path at which the product key file is mounted (eg. by a secrets provisioner). The file must be of format { "key": "kc-b1325234" }
#  cloudIntegrationSecret: "cloud-integration"
#  ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior.
#  regionOverrides: "region1,region2,region3" # list of regions which will override default costmodel provider regions

#kubecostAdmissionController:
#  enabled: true
#  secretName: webhook-server-tls
#  caBundle: ${CA_BUNDLE}

# -- Array of extra K8s manifests to deploy
## Note: Supports use of custom Helm templates
extraObjects: []
# Cloud Billing Integration:
#   - apiVersion: v1
#     kind: Secret
#     metadata:
#       name: cloud-integration
#       namespace: kubecost
#     type: Opaque
#     data:
#       cloud-integration.json: BASE64_SECRET
#  Istio:
#   - apiVersion: networking.istio.io/v1alpha3
#     kind: VirtualService
#     metadata:
#       name: my-virtualservice
#     spec:
#       hosts:
#       - kubecost.myorg.com
#       gateways:
#       - my-gateway
#       http:
#       - route:
#         - destination:
#             host: kubecost.kubecost.svc.cluster.local
#             port:
#               number: 80