OpenCost Deployment for Microsoft Azure

This guide explains how to deploy OpenCost for an AKS cluster.

Prerequisites

Before starting the deployment, ensure you have the following:

• Infrastructure & permissions:

  • AKS cluster

  • Administrator access to the cluster

• Cloud permissions:

  • Contributor role at the subscription or resource group level

  • User Access Administrator role (required for managing service principals)

  • Storage Blob Data Reader role on the Storage Account

• Tools:

  • az CLI tool

  • kubectl CLI tool

  • helm CLI tool (v3.x or later)

STEP 1. Service principal setup

Create a service principal

1. In the Azure Portal, navigate to Microsoft Entra ID → App registrations.

2. Click New registration.

3. Set the following:

   • Name: opencost-sp

   • Supported account types: Single tenant

4. After creating the application, note:

   • Application (client) ID

   • Directory (tenant) ID

Create a client secret

1. Open the newly created application.

2. Navigate to Certificates & secrets. Click New client secret.

3. Set a description and expiry period.

4. Copy and save the generated secret value – this value cannot be retrieved later.

Assign permissions

1. Navigate to your Subscription or Resource group.

2. Click Access control (IAM).

3. Click +Add -> Add role assignment.

4. Assign the following roles to the service principal:

   • Reader (required for cost metrics)

   • Storage Blob Data Contributor (required for Parquet exports)

STEP 2. Storage account setup

1. In the Azure Portal, navigate to Storage accounts.

2. Click Create and configure the following:

   • Name: exampleopencost

   • Performance: Standard

   • Redundancy: LRS

3. Open the newly created storage account.

4. Navigate to Containers and create a new container:

   • Name: opencost-exports

   • Public access level: Private

STEP 3. Connect to cluster

1. Go to Kubernetes services.

2. Select your cluster.

3. Click Connect.

4. Copy and run the az aks get-credentials command.

STEP 4. Prometheus deployment

1. Add the Prometheus Helm repository:

   CODE

   helm repo add prometheus-community https://prometheus-community.github.io/helm-charts

2. Create the Prometheus namespace:

   CODE

   kubectl create namespace prometheus

3. Install Prometheus:

   CODE

   helm install prometheus prometheus-community/prometheus \
     --namespace prometheus \
     --set prometheus-pushgateway.enabled=false \
     --set alertmanager.enabled=false \

STEP 5. OpenCost deployment

1. Add the OpenCost Helm repository:

   CODE

   helm repo add opencost https://opencost.github.io/opencost-helm-chart

2. Create the OpenCost namespace:

   CODE

   kubectl create namespace opencost

3. Create a Kubernetes secret for the service principal credentials. Replace <YOUR_CLIENT_SECRET> with the value created in Step 1:

   CODE

   kubectl create secret generic azure-secret \
     --from-literal=password=<YOUR_CLIENT_SECRET> \
     --namespace opencost

4. Install OpenCost:

   CODE

   helm --namespace opencost upgrade --install opencost opencost/opencost -f - <<EOF
   serviceAccount:
     create: true
     name: opencost-sa
   opencost:
     prometheus:
       namespaceName: prometheus
   podAnnotations:
     prometheus.io/path: /metrics
     prometheus.io/port: "9003"
     prometheus.io/scrape: "true"
   EOF

These podAnnotations ensure that Prometheus scrapes metrics from the OpenCost pods, enabling label-based cost attribution in reports.

STEP 6. Parquet Exporter setup

Install the OpenCost Parquet Exporter. Replace <YOUR_AKS_CLUSTER_ID>, <YOUR_OPENCOST_STORAGE>, <YOUR_TENANT_ID>, and <YOUR_CLIENT_ID> in the command below:

helm install parquet-exporter opencost/opencost-parquet-exporter \
  --namespace opencost \
  --set schedule="0 */12 * * *" \
  --set existingServiceAccount=opencost-sa \
  --values - <<EOF
resources:
  limits:
    cpu: "1"
    memory: 1Gi
  requests:
    cpu: 100m
    memory: 100Mi
env:
  - name: OPENCOST_PARQUET_SVC_HOSTNAME
    value: opencost.opencost.svc.cluster.local
  - name: OPENCOST_PARQUET_STORAGE_BACKEND
    value: azure
  - name: OPENCOST_PARQUET_FILE_KEY_PREFIX
    value: kubernetes_clusters/<YOUR_AKS_CLUSTER_ID>
  - name: OPENCOST_PARQUET_JSON_SEPARATOR
    value: "_"
  - name: OPENCOST_PARQUET_AZURE_STORAGE_ACCOUNT_NAME
    value: <YOUR_OPENCOST_STORAGE>
  - name: OPENCOST_PARQUET_AZURE_CONTAINER_NAME
    value: opencost
  - name: OPENCOST_PARQUET_AZURE_TENANT
    value: <YOUR_TENANT_ID>
  - name: OPENCOST_PARQUET_AZURE_APPLICATION_ID
    value: <YOUR_CLIENT_ID>
  - name: OPENCOST_PARQUET_AZURE_APPLICATION_SECRET
    valueFrom:
      secretKeyRef:
        name: azure-secret
        key: password
EOF

^*For multi-cluster environments, deploy the Parquet Explorer separately on each cluster.

STEP 7. Verification

1. Check that all pods are running:

   CODE

   kubectl get pods -n prometheus
   kubectl get pods -n opencost

2. Access the OpenCost UI:

   CODE

   kubectl port-forward -n opencost service/opencost 9090:9090

   Open http://localhost:9090 in your browser.
   

The first Parquet export may take up to 24 hours. To verify the export, check your Azure Storage container for newly created files.