From 90e7dddb0ab69c78f384bfb52a271bc270b49ada Mon Sep 17 00:00:00 2001 From: Vegard Hagen Date: Sun, 4 Dec 2022 13:28:33 +0100 Subject: [PATCH] feat(dashboard): Deploying and exposing the Kubernetes Dashboard --- QUICKSTART.md | 4 +- README.md | 25 ++++++++- apps/whoami/ingress.yaml | 5 ++ helm/whoami-values.yaml | 17 ------ infra/dashboard/clusterRoleBinding.yaml | 12 +++++ infra/dashboard/ingress.yaml | 29 ++++++++++ infra/dashboard/kustomization.yaml | 10 ++++ infra/dashboard/serviceAccount.yaml | 5 ++ .../configs/traefik-forward-auth.ini | 5 ++ .../traefik-forward-auth/deployment.yaml | 54 +++++++++++++++++++ .../traefik-forward-auth/kustomization.yaml | 19 +++++++ .../traefik-forward-auth/middleware.yaml | 10 ++++ .../traefik-forward-auth/service.yaml | 11 ++++ 13 files changed, 185 insertions(+), 21 deletions(-) delete mode 100644 helm/whoami-values.yaml create mode 100644 infra/dashboard/clusterRoleBinding.yaml create mode 100644 infra/dashboard/ingress.yaml create mode 100644 infra/dashboard/kustomization.yaml create mode 100644 infra/dashboard/serviceAccount.yaml create mode 100644 infra/dashboard/traefik-forward-auth/configs/traefik-forward-auth.ini create mode 100644 infra/dashboard/traefik-forward-auth/deployment.yaml create mode 100644 infra/dashboard/traefik-forward-auth/kustomization.yaml create mode 100644 infra/dashboard/traefik-forward-auth/middleware.yaml create mode 100644 infra/dashboard/traefik-forward-auth/service.yaml diff --git a/QUICKSTART.md b/QUICKSTART.md index 09d55fb..9aafc9a 100644 --- a/QUICKSTART.md +++ b/QUICKSTART.md @@ -36,7 +36,7 @@ cilium install ## Install MetalLB for LoadBalancing -https://raw.githubusercontent.com/metallb/metallb/v0.13.5/config/manifests/metallb-native.yaml +https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml ```shell kubectl apply -k infra/metallb 
@@ -44,7 +44,7 @@ kubectl apply -k infra/metallb # Traefik -https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/ +https://doc.traefik.io/traefik/v2.9/user-guides/crd-acme/ ## Run Terraform-script diff --git a/README.md b/README.md index 93bbe6a..1367e43 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,7 @@ cilium install ``` // TODO: Directly by Helm chart + ```shell helm template --namespace kube-system cilium cilium/cilium --version 1.12.1 --set cluster.id=0,cluster.name=kubernetes,encryption.nodeEncryption=false,kubeProxyReplacement=disabled,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan ``` @@ -125,7 +126,7 @@ kubectl apply -f infra/metallb/01-configuration.yml # Traefik -## Install using Terraform and Helm +Configure `helm/traefik-values.ymal` and run ```shell terraform init @@ -133,6 +134,8 @@ terraform plan terraform apply ``` +to deploy Traefik using Helm + **NB:** It appears we need the "volume-permissions" init container for Traefik if using `StorageClass` with provisioner `kubernetes.io/no-provisioner` @@ -143,7 +146,25 @@ IP can be found with `kubectl get svc`. # Test-application -A test-application `whoami` should be available at `https://whoami.${DOMAIN}`. +Deploy a test-application by running + +```shell +kubectl apply -k apps/whoami +``` + +An unsecured test-application `whoami` should be available at [https://test.${DOMAIN}](https://test.${DOMAIN}). +If you configured `apps/whoami/traefik-forward-auth` correctly a secured version should be available +at [https://whoami.${DOMAIN}](https://whoami.${DOMAIN}) + +# Kubernetes Dashboard + +An OIDC (treaefik-forward-auth) +protected [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) can be +deployed using + +```shell +kubectl apply -k infra/dashboard +``` # Cleanup diff --git a/apps/whoami/ingress.yaml b/apps/whoami/ingress.yaml index 46b99d5..db0cfbc 100644 
--- a/apps/whoami/ingress.yaml
+++ b/apps/whoami/ingress.yaml
@@ -25,5 +25,10 @@ spec:
 port: 80
 middlewares:
 - name: traefik-forward-auth
+ - match: Host(`test.stonegarden.dev`)
+ kind: Rule
+ services:
+ - name: whoami
+ port: 80
 tls:
 certResolver: letsencrypt
diff --git a/helm/whoami-values.yaml b/helm/whoami-values.yaml
deleted file mode 100644
index 2301fb4..0000000
--- a/helm/whoami-values.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-resources:
- - apiVersion: traefik.containo.us/v1alpha1
- kind: IngressRoute
- metadata:
- name: whoami
- namespace: whoami
- spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`whoami.stonegarden.dev`)
- kind: Rule
- services:
- - name: whoami
- port: 80
- tls:
- certResolver: letsencrypt
\ No newline at end of file
diff --git a/infra/dashboard/clusterRoleBinding.yaml b/infra/dashboard/clusterRoleBinding.yaml
new file mode 100644
index 0000000..74d9c61
--- /dev/null
+++ b/infra/dashboard/clusterRoleBinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: admin-user
+ namespace: kubernetes-dashboard
\ No newline at end of file
diff --git a/infra/dashboard/ingress.yaml b/infra/dashboard/ingress.yaml
new file mode 100644
index 0000000..ab88d84
--- /dev/null
+++ b/infra/dashboard/ingress.yaml
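Review bot: The new `test.stonegarden.dev` route carries no `middlewares` entry, so it is served without forward-auth; the README calls this intentional, but the manifest itself does not say so, and the next person copying a route out of this file cannot tell which of the two is the template. Add `# intentionally unauthenticated demo route (see README) — do not attach traefik-forward-auth here` above the `match` line. Because the forward-auth cookies in this repository are scoped to the apex domain, a browser that has already logged in elsewhere sends them to this host as well; if this is the usual whoami echo image it prints request headers, cookies included, back to the requester, which deserves a second comment. The enclosing IngressRoute starts outside the hunk.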
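Review bot: `admin-user` is bound to `cluster-admin`, so the only things standing between a visitor and unrestricted cluster control are the traefik-forward-auth email whitelist and whatever token gets minted for this ServiceAccount (how that token is created and how long it lives is not shown in the commit). If the dashboard is mostly used for inspection, bind the built-in `view` ClusterRole here and keep a separate, rarely-used admin binding; at minimum document the blast radius on the `roleRef`, `# unrestricted cluster access for the dashboard login token — gated only by traefik-forward-auth`. The `subjects` namespace is hard-coded to `kubernetes-dashboard`, which must stay in step with the `namespace:` injected by `infra/dashboard/kustomization.yaml`; a one-line comment tying the two together prevents a silent mismatch if either is renamed.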
@@ -0,0 +1,29 @@
+#
+# Auth Ingress
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-forward-auth
+ labels:
+ app: traefik
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`auth-dash.stonegarden.dev`)
+ kind: Rule
+ services:
+ - name: traefik-forward-auth
+ port: 4181
+ middlewares:
+ - name: traefik-forward-auth
+ - match: Host(`dashboard.stonegarden.dev`)
+ kind: Rule
+ services:
+ - name: kubernetes-dashboard
+ port: 80
+ middlewares:
+ - name: traefik-forward-auth
+ tls:
+ certResolver: letsencrypt
diff --git a/infra/dashboard/kustomization.yaml b/infra/dashboard/kustomization.yaml
new file mode 100644
index 0000000..fafc1aa
--- /dev/null
+++ b/infra/dashboard/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubernetes-dashboard
+
+resources:
+ - https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/alternative.yaml
+ - traefik-forward-auth
+ - ingress.yaml
+ - serviceAccount.yaml
+ - clusterRoleBinding.yaml
\ No newline at end of file
diff --git a/infra/dashboard/serviceAccount.yaml b/infra/dashboard/serviceAccount.yaml
new file mode 100644
index 0000000..219059b
--- /dev/null
+++ b/infra/dashboard/serviceAccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kubernetes-dashboard
\ No newline at end of file
diff --git a/infra/dashboard/traefik-forward-auth/configs/traefik-forward-auth.ini b/infra/dashboard/traefik-forward-auth/configs/traefik-forward-auth.ini
new file mode 100644
index 0000000..bdb11fb
--- /dev/null
+++ b/infra/dashboard/traefik-forward-auth/configs/traefik-forward-auth.ini
@@ -0,0 +1,5 @@
+cookie-name = "_dash_auth"
+log-level = "error"
+cookie-domain = "stonegarden.dev"
+auth-host = "auth-dash.stonegarden.dev"
+whitelist = "veghag@gmail.com"
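Review bot: The header comment `# Auth Ingress` no longer describes the file: the second route exposes the dashboard itself on service port 80, so the Traefik → dashboard hop inside the cluster is plain HTTP (presumably the HTTP-only `alternative.yaml` variant the kustomization pulls in). Change the header to `# IngressRoutes for traefik-forward-auth (auth-host) and the dashboard it protects` and put `# plain HTTP to the dashboard service; TLS terminates at Traefik` above the `dashboard.stonegarden.dev` route. The `auth-dash` route also passes through the `traefik-forward-auth` middleware, which — as far as I recall from the traefik-forward-auth auth-host documentation, worth verifying — is required for the redirect flow to complete; a comment saying so stops a future cleanup from "removing the redundant middleware" and breaking login.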
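Review bot: `resources` fetches `alternative.yaml` from raw.githubusercontent.com at apply time, and `v2.6.1` is a tag, i.e. a mutable reference with no integrity check, so what gets deployed as cluster-admin-backed tooling can change without any diff in this repository. Vendor the manifest into `infra/dashboard/` (or pin the URL to a commit SHA) so the deployed dashboard is reviewable and reproducible. The `alternative` flavour is, to my knowledge, the HTTP-only build with insecure login enabled — fine behind Traefik TLS termination, but it should be stated next to the URL, `# alternative.yaml = HTTP-only dashboard; relies on Traefik for TLS and on traefik-forward-auth for access control`.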
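Review bot: `cookie-domain = "stonegarden.dev"` scopes the `_dash_auth` session cookie to the apex, so every host under the domain — including the unauthenticated `test.` whoami route added in this same commit — receives the dashboard session cookie on every request. Apex scope is what the auth-host flow between `auth-dash.` and `dashboard.` needs, but the widening is not obvious from the file; a comment on that line explaining the trade-off helps whoever adds the next subdomain app. Separately, `log-level = "error"` suppresses the accept/reject decisions of what is effectively the cluster-admin gate; raising it to the level at which traefik-forward-auth logs authentication outcomes (verify against its docs) gives an audit trail for the dashboard.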
diff --git a/infra/dashboard/traefik-forward-auth/deployment.yaml b/infra/dashboard/traefik-forward-auth/deployment.yaml
new file mode 100644
index 0000000..217f012
--- /dev/null
+++ b/infra/dashboard/traefik-forward-auth/deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik-forward-auth
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik-forward-auth
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: traefik-forward-auth
+ spec:
+ terminationGracePeriodSeconds: 60
+ containers:
+ - image: thomseddon/traefik-forward-auth:2
+ imagePullPolicy: Always
+ name: traefik-forward-auth
+ ports:
+ - containerPort: 4181
+ protocol: TCP
+ env:
+ - name: CONFIG
+ value: "/config"
+ - name: PROVIDERS_GOOGLE_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: traefik-forward-auth-secrets
+ key: google-client-id
+ - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: traefik-forward-auth-secrets
+ key: google-client-secret
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ name: traefik-forward-auth-secrets
+ key: secret
+ volumeMounts:
+ - name: configs
+ mountPath: /config
+ subPath: traefik-forward-auth.ini
+
+ volumes:
+ - name: configs
+ configMap:
+ name: configs
+ - name: traefik-forward-auth-secrets
+ secret:
+ secretName: traefik-forward-auth-secrets
\ No newline at end of file
diff --git a/infra/dashboard/traefik-forward-auth/kustomization.yaml b/infra/dashboard/traefik-forward-auth/kustomization.yaml
new file mode 100644
index 0000000..b8c391f
--- /dev/null
+++ b/infra/dashboard/traefik-forward-auth/kustomization.yaml
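Review bot: The `traefik-forward-auth-secrets` entry under `volumes` is never referenced by a `volumeMount` — every secret is consumed through `secretKeyRef` in `env` — so it is dead configuration that suggests a file-based secret path that does not exist; drop it. The image is pulled by the mutable tag `thomseddon/traefik-forward-auth:2` with `imagePullPolicy: Always`, so each pod restart may run a different binary than the one reviewed; pin by digest. For a container that sits in front of a cluster-admin dashboard there is also no `securityContext` and no `resources`, so it runs as whatever the image defaults to (root, if the image sets no user — verify) with unbounded memory; the fence below adds both, with the uid and sizes as placeholders to confirm against the image.
```yaml
      containers:
        - image: thomseddon/traefik-forward-auth:2  # TODO: pin as thomseddon/traefik-forward-auth@sha256:<digest>
          imagePullPolicy: Always
          name: traefik-forward-auth
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534  # placeholder: static binary on an unprivileged port; confirm the image needs no root paths
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 10m       # placeholder sizes — adjust after observing real usage
              memory: 32Mi
            limits:
              memory: 64Mi
          # … unchanged: ports, env, volumeMounts …
      volumes:
        - name: configs
          configMap:
            name: configs
        # removed: traefik-forward-auth-secrets volume — never mounted; secrets are injected via secretKeyRef above
```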
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ app: traefik-forward-auth
+
+resources:
+ - service.yaml
+ - deployment.yaml
+ - middleware.yaml
+
+configMapGenerator:
+ - name: configs
+ files:
+ - configs/traefik-forward-auth.ini
+
+secretGenerator:
+ - name: traefik-forward-auth-secrets
+ envs:
+ - secrets/traefik-forward-auth.env
\ No newline at end of file
diff --git a/infra/dashboard/traefik-forward-auth/middleware.yaml b/infra/dashboard/traefik-forward-auth/middleware.yaml
new file mode 100644
index 0000000..163b568
--- /dev/null
+++ b/infra/dashboard/traefik-forward-auth/middleware.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-forward-auth
+spec:
+ forwardAuth:
+ address: http://traefik-forward-auth.kubernetes-dashboard.svc.cluster.local:4181
+ authResponseHeaders:
+ - X-Forwarded-User
+ trustForwardHeader: true
\ No newline at end of file
diff --git a/infra/dashboard/traefik-forward-auth/service.yaml b/infra/dashboard/traefik-forward-auth/service.yaml
new file mode 100644
index 0000000..569ceff
--- /dev/null
+++ b/infra/dashboard/traefik-forward-auth/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik-forward-auth
+spec:
+ type: ClusterIP
+ selector:
+ app: traefik-forward-auth
+ ports:
+ - name: auth-http
+ port: 4181
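Review bot: `trustForwardHeader: true` makes Traefik pass the `X-Forwarded-*` headers it holds for the request through to the auth service unchanged, and traefik-forward-auth derives the host and return URL of the login flow from them; that is only safe when the entrypoint itself does not accept forwarded headers from arbitrary clients (no `forwardedHeaders.insecure`, and `forwardedHeaders.trustedIPs` limited to real upstream proxies), which this commit does not show. Confirm that entrypoint configuration and record the dependency here, `# relies on the websecure entrypoint not trusting client-supplied X-Forwarded-* headers`, or set the field to `false` and let Traefik populate the headers from its own view of the connection. The `address` also hard-codes the `kubernetes-dashboard` namespace that `infra/dashboard/kustomization.yaml` injects into every resource, so a namespace rename breaks authentication silently; a comment next to `address` pointing at that kustomization keeps the two in step. The `secretGenerator` in the kustomization hunk above references `secrets/traefik-forward-auth.env`, which is not part of this commit — presumably ignored by git, but it is worth stating in a comment so it is not "fixed" by committing it.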