scottk/homelab
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/homelab.git synced 2025-10-31 01:47:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(dashboard): Deploying and exposing the Kubernetes Dashboard

Browse Source
This commit is contained in:
Vegard Hagen
2022-12-04 13:28:33 +01:00
parent e3423cd547
commit 90e7dddb0a
13 changed files with 185 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
QUICKSTART.md
View File

@@ -36,7 +36,7 @@ cilium install
## Install MetalLB for LoadBalancing ## Install MetalLB for LoadBalancing
https://raw.githubusercontent.com/metallb/metallb/v0.13.5/config/manifests/metallb-native.yaml https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml
```shell ```shell
kubectl apply -k infra/metallb kubectl apply -k infra/metallb
@@ -44,7 +44,7 @@ kubectl apply -k infra/metallb
# Traefik # Traefik
https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/ https://doc.traefik.io/traefik/v2.9/user-guides/crd-acme/
## Run Terraform-script ## Run Terraform-script

25
README.md
View File

@@ -83,6 +83,7 @@ cilium install
``` ```
// TODO: Directly by Helm chart // TODO: Directly by Helm chart
```shell ```shell
helm template --namespace kube-system cilium cilium/cilium --version 1.12.1 --set cluster.id=0,cluster.name=kubernetes,encryption.nodeEncryption=false,kubeProxyReplacement=disabled,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan helm template --namespace kube-system cilium cilium/cilium --version 1.12.1 --set cluster.id=0,cluster.name=kubernetes,encryption.nodeEncryption=false,kubeProxyReplacement=disabled,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
``` ```
@@ -125,7 +126,7 @@ kubectl apply -f infra/metallb/01-configuration.yml
# Traefik # Traefik
## Install using Terraform and Helm Configure `helm/traefik-values.ymal` and run
```shell ```shell
terraform init terraform init
@@ -133,6 +134,8 @@ terraform plan
terraform apply terraform apply
``` ```
to deploy Traefik using Helm
**NB:** It appears we need the "volume-permissions" init container for Traefik if using `StorageClass` with **NB:** It appears we need the "volume-permissions" init container for Traefik if using `StorageClass` with
provisioner `kubernetes.io/no-provisioner` provisioner `kubernetes.io/no-provisioner`
@@ -143,7 +146,25 @@ IP can be found with `kubectl get svc`.
# Test-application # Test-application
A test-application `whoami` should be available at `https://whoami.${DOMAIN}`. Deploy a test-application by running
```shell
kubectl apply -k apps/whoami
```
An unsecured test-application `whoami` should be available at [https://test.${DOMAIN}](https://test.${DOMAIN}).
If you configured `apps/whoami/traefik-forward-auth` correctly a secured version should be available
at [https://whoami.${DOMAIN}](https://whoami.${DOMAIN})
# Kubernetes Dashboard
An OIDC (treaefik-forward-auth)
protected [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) can be
deployed using
```shell
kubectl apply -k infra/dashboard
```
# Cleanup # Cleanup

5
apps/whoami/ingress.yaml
View File

@@ -25,5 +25,10 @@ spec:
port: 80 port: 80
middlewares: middlewares:
- name: traefik-forward-auth - name: traefik-forward-auth
- match: Host(`test.stonegarden.dev`)
kind: Rule
services:
- name: whoami
port: 80
tls: tls:
certResolver: letsencrypt certResolver: letsencrypt

17
helm/whoami-values.yaml
View File

@@ -1,17 +0,0 @@
resources:
- apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
namespace: whoami
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami.stonegarden.dev`)
kind: Rule
services:
- name: whoami
port: 80
tls:
certResolver: letsencrypt

12
infra/dashboard/clusterRoleBinding.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard

29
infra/dashboard/ingress.yaml Normal file
View File

@@ -0,0 +1,29 @@
#
# Auth Ingress
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth-dash.stonegarden.dev`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
middlewares:
- name: traefik-forward-auth
- match: Host(`dashboard.stonegarden.dev`)
kind: Rule
services:
- name: kubernetes-dashboard
port: 80
middlewares:
- name: traefik-forward-auth
tls:
certResolver: letsencrypt

10
infra/dashboard/kustomization.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubernetes-dashboard
resources:
- https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/alternative.yaml
- traefik-forward-auth
- ingress.yaml
- serviceAccount.yaml
- clusterRoleBinding.yaml

5
infra/dashboard/serviceAccount.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard

5
infra/dashboard/traefik-forward-auth/configs/traefik-forward-auth.ini Normal file
View File

@@ -0,0 +1,5 @@
cookie-name = "_dash_auth"
log-level = "error"
cookie-domain = "stonegarden.dev"
auth-host = "auth-dash.stonegarden.dev"
whitelist = "veghag@gmail.com"

54
infra/dashboard/traefik-forward-auth/deployment.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
imagePullPolicy: Always
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: traefik-forward-auth-secrets

19
infra/dashboard/traefik-forward-auth/kustomization.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: traefik-forward-auth
resources:
- service.yaml
- deployment.yaml
- middleware.yaml
configMapGenerator:
- name: configs
files:
- configs/traefik-forward-auth.ini
secretGenerator:
- name: traefik-forward-auth-secrets
envs:
- secrets/traefik-forward-auth.env

10
infra/dashboard/traefik-forward-auth/middleware.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
address: http://traefik-forward-auth.kubernetes-dashboard.svc.cluster.local:4181
authResponseHeaders:
- X-Forwarded-User
trustForwardHeader: true

11
infra/dashboard/traefik-forward-auth/service.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181