feat(dashboard): Deploying and exposing the Kubernetes Dashboard

QUICKSTART.md

@@ -36,7 +36,7 @@ cilium install
 
 ## Install MetalLB for LoadBalancing
 
-https://raw.githubusercontent.com/metallb/metallb/v0.13.5/config/manifests/metallb-native.yaml
+https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml
 
 ```shell
 kubectl apply -k infra/metallb
@@ -44,7 +44,7 @@ kubectl apply -k infra/metallb
 
 # Traefik
 
-https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/
+https://doc.traefik.io/traefik/v2.9/user-guides/crd-acme/
 
 ## Run Terraform-script
 

README.md

@@ -83,6 +83,7 @@ cilium install
 ```
 
 // TODO: Directly by Helm chart
+
 ```shell
 helm template --namespace kube-system cilium cilium/cilium --version 1.12.1 --set cluster.id=0,cluster.name=kubernetes,encryption.nodeEncryption=false,kubeProxyReplacement=disabled,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
 ```
@@ -125,7 +126,7 @@ kubectl apply -f infra/metallb/01-configuration.yml
 
 # Traefik
 
-## Install using Terraform and Helm
+Configure `helm/traefik-values.ymal` and run
 
 ```shell
 terraform init
@@ -133,6 +134,8 @@ terraform plan
 terraform apply
 ```
 
+to deploy Traefik using Helm
+
 **NB:** It appears we need the "volume-permissions" init container for Traefik if using `StorageClass` with
 provisioner `kubernetes.io/no-provisioner`
 
@@ -143,7 +146,25 @@ IP can be found with `kubectl get svc`.
 
 # Test-application
 
-A test-application `whoami` should be available at `https://whoami.${DOMAIN}`.
+Deploy a test-application by running
+
+```shell
+kubectl apply -k apps/whoami
+```
+
+An unsecured test-application `whoami` should be available at [https://test.${DOMAIN}](https://test.${DOMAIN}).
+If you configured `apps/whoami/traefik-forward-auth` correctly a secured version should be available
+at [https://whoami.${DOMAIN}](https://whoami.${DOMAIN})
+
+# Kubernetes Dashboard
+
+An OIDC (treaefik-forward-auth)
+protected [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) can be
+deployed using
+
+```shell
+kubectl apply -k infra/dashboard
+```
 
 # Cleanup
 

apps/whoami/ingress.yaml

@@ -25,5 +25,10 @@ spec:
           port: 80
       middlewares:
         - name: traefik-forward-auth
+    - match: Host(`test.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: whoami
+          port: 80
   tls:
     certResolver: letsencrypt

helm/whoami-values.yaml

@@ -1,17 +0,0 @@
-resources:
-  - apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: whoami
-      namespace: whoami
-    spec:
-      entryPoints:
-        - websecure
-      routes:
-        - match: Host(`whoami.stonegarden.dev`)
-          kind: Rule
-          services:
-            - name: whoami
-              port: 80
-      tls:
-        certResolver: letsencrypt

infra/dashboard/clusterRoleBinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: admin-user
+    namespace: kubernetes-dashboard

infra/dashboard/ingress.yaml

@@ -0,0 +1,29 @@
+#
+# Auth Ingress
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth-dash.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: traefik-forward-auth
+          port: 4181
+      middlewares:
+        - name: traefik-forward-auth
+    - match: Host(`dashboard.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: kubernetes-dashboard
+          port: 80
+      middlewares:
+        - name: traefik-forward-auth
+  tls:
+    certResolver: letsencrypt

infra/dashboard/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubernetes-dashboard
+
+resources:
+  - https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/alternative.yaml
+  - traefik-forward-auth
+  - ingress.yaml
+  - serviceAccount.yaml
+  - clusterRoleBinding.yaml

infra/dashboard/serviceAccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kubernetes-dashboard

infra/dashboard/traefik-forward-auth/configs/traefik-forward-auth.ini

@@ -0,0 +1,5 @@
+cookie-name = "_dash_auth"
+log-level = "error"
+cookie-domain = "stonegarden.dev"
+auth-host = "auth-dash.stonegarden.dev"
+whitelist = "veghag@gmail.com"

infra/dashboard/traefik-forward-auth/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+        - image: thomseddon/traefik-forward-auth:2
+          imagePullPolicy: Always
+          name: traefik-forward-auth
+          ports:
+            - containerPort: 4181
+              protocol: TCP
+          env:
+            - name: CONFIG
+              value: "/config"
+            - name: PROVIDERS_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: google-client-id
+            - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: google-client-secret
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: secret
+          volumeMounts:
+            - name: configs
+              mountPath: /config
+              subPath: traefik-forward-auth.ini
+
+      volumes:
+        - name: configs
+          configMap:
+            name: configs
+        - name: traefik-forward-auth-secrets
+          secret:
+            secretName: traefik-forward-auth-secrets

infra/dashboard/traefik-forward-auth/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: traefik-forward-auth
+
+resources:
+  - service.yaml
+  - deployment.yaml
+  - middleware.yaml
+
+configMapGenerator:
+  - name: configs
+    files:
+      - configs/traefik-forward-auth.ini
+
+secretGenerator:
+  - name: traefik-forward-auth-secrets
+    envs:
+      - secrets/traefik-forward-auth.env

infra/dashboard/traefik-forward-auth/middleware.yaml

@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth.kubernetes-dashboard.svc.cluster.local:4181
+    authResponseHeaders:
+      - X-Forwarded-User
+    trustForwardHeader: true

infra/dashboard/traefik-forward-auth/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+    - name: auth-http
+      port: 4181