Use basic auth for k8s dashboard and add optional Portainer deployment

2025-10-29 10:02:33 +00:00 · 2024-01-15 15:41:38 -05:00
parent e5d3bac2fd
commit 2d52cdbdb9
7 changed files with 62 additions and 21 deletions
--- a/helmfile/cloud-sdk/README.md
+++ b/helmfile/cloud-sdk/README.md
@@ -20,7 +20,7 @@ Currently all secrets are stored in [secrets](./secrets) directory, where you ca

 To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use `helm secrets edit $SECRET_FILE`).

-If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets enc $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`
+If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets encrypt $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`

 You can use secrets in Helmfile the same way as values:

@@ -48,6 +48,17 @@ releases:
  - secretKey: {{ .Environment.Values.example.secretKey }}
 ```

+### K8S Dashboard Login
+
+To replace or set the users that may login to the dashboard (via basic auth):
+
+```
+htpasswd -c auth qa
+```
+Then copy base64 version of this file into: data.auth in charts/k8s-dashboard-roles/templates/basic-auth.yaml.
+The current password is encoded in secrets/dashboard.yaml.
+
+
 ## Usage

 1. Set credentials that are required to connect to Kubernetes cluster
--- a/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/basic-auth.yaml
+++ b/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/basic-auth.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: k8s-dashboard-basic-auth
+  namespace: {{ .Release.Namespace }}
+data:
+  auth: cWE6JGFwcjEkUkZFUW5nSzkkYUV6R0hhYmpqb0VBQjlqYy9GQldPMAo=
--- a/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/clusterrole.yml
+++ b/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/clusterrole.yml
@@ -25,9 +25,9 @@ rules:

 - apiGroups:
  - ""
-  resources: 
+  resources:
  - "pods/exec"
-  verbs: 
+  verbs:
  - "create"

 - apiGroups:
--- a/helmfile/cloud-sdk/charts/sso/values.yaml
+++ b/helmfile/cloud-sdk/charts/sso/values.yaml
@@ -6,4 +6,4 @@ oidc:
  issuerUrl: 'https://telecominfraproject.auth0.com/' # workplace-integration40-dev for development
  clientId: clientId
  clientSecret: clientSecret
-  cookieSecret: egh24Y$GB2rh2t # arbitrary random string, not really a secret
+  cookieSecret: egh24Y$GB2rh2t # arbitrary random string, not really a secret
--- a/helmfile/cloud-sdk/charts/standalone-monitoring/templates/k8s-dashboard.yaml
+++ b/helmfile/cloud-sdk/charts/standalone-monitoring/templates/k8s-dashboard.yaml
@@ -10,6 +10,7 @@ metadata:
  labels:
    k8s-app: oauth2-proxy
 spec:
+  ingressClassName: nginx-sso
  rules:
  - host: k8s-dashboard.{{ .Values.monitoring.domain }}
    http:
--- a/helmfile/cloud-sdk/helmfile.yaml
+++ b/helmfile/cloud-sdk/helmfile.yaml
@@ -18,7 +18,7 @@ environments:
        certificateARNLab: arn:aws:acm:ap-south-1:289708231103:certificate/5281be14-c5e6-45c5-8d5c-e8660c76fbcb
    - monitoring:
        namespace: monitoring
-        publicNamespaces: ['openwifi-qa01', 'openwifi-dev01', 'openwifi-demo']
+        publicNamespaces: ['openwifi-qa01', 'openwifi-qa02', 'openwifi-dev01', 'openwifi-demo']
    - domain: lab.wlan.tip.build
    - storageClass: gp2
    - autoscaler:
@@ -45,6 +45,8 @@ environments:
        enabled: false
    - k8s-dashboard:
        enabled: true
+    - portainer:
+        enabled: false
    - metrics-server:
        enabled: true
    - external-dns:
@@ -99,6 +101,8 @@ repositories:
  url: https://braedon.github.io/helm
 - name: core-dump-handler
  url: https://ibm.github.io/core-dump-handler
+- name: portainer
+  url: https://portainer.github.io/k8s/

 helmDefaults:
  force: false
@@ -166,14 +170,7 @@ releases:
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
          service.beta.kubernetes.io/aws-load-balancer-type: elb
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
-          #MAYBE TRY THESE:
-          #service.beta.kubernetes.io/aws-load-balancer-name: apps-ingress
-          #service.beta.kubernetes.io/aws-load-balancer-type: external
-          #service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-          #service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
-          #service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
-          #service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
-          #service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: 10254
+          service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        targetPorts:
          http: http
          https: http
@@ -821,6 +818,30 @@ releases:
          targetPort: 5514
          protocol: TCP

+- name: portainer
+  condition: portainer.enabled
+  namespace: {{ .Environment.Values.monitoring.namespace }}
+  chart: portainer/portainer
+  version: 1.0.49
+  labels:
+    role: setup
+    group: monitoring
+    app: portainer
+  values:
+    - service:
+        type: ClusterIP
+    - tls:
+        force: true
+    - ingress:
+        ingressClassName: nginx-sso
+        enabled: true
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+        hosts:
+        - host: k8s-admin.{{ .Environment.Values.domain }}
+          paths:
+          - path: "/"
+
 - name: k8s-dashboard-roles
  condition: k8s-dashboard.enabled
  namespace: {{ .Environment.Values.monitoring.namespace }}
@@ -863,14 +884,11 @@ releases:
        - /
        - /*
      annotations:
-        #alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
-        #alb.ingress.kubernetes.io/group.name: wlan-cicd
-        #alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
-        #alb.ingress.kubernetes.io/scheme: internet-facing
-        #kubernetes.io/ingress.class: alb
-        nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
-        nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
-        kubernetes.io/ingress.class: nginx-sso
+        #nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+        #nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+        nginx.ingress.kubernetes.io/auth-type: basic
+        nginx.ingress.kubernetes.io/auth-secret: k8s-dashboard-basic-auth
+        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
      hosts:
        - k8s-dashboard.{{ .Environment.Values.domain }}

--- a/helmfile/cloud-sdk/secrets/dashboard.yaml
+++ b/helmfile/cloud-sdk/secrets/dashboard.yaml
@@ -0,0 +1,3 @@
+dashboard:
+  user: qa
+  password: "Il83:15[G3>i"