From 2d52cdbdb9784628bf578f9106af702debb72f3e Mon Sep 17 00:00:00 2001
From: Carsten Schafer
Date: Mon, 15 Jan 2024 15:41:38 -0500
Subject: [PATCH] Use basic auth for k8s dashboard and add optional Portainer deployment
---
 helmfile/cloud-sdk/README.md | 13 ++++-
 .../templates/basic-auth.yaml | 8 +++
 .../templates/clusterrole.yml | 4 +-
 helmfile/cloud-sdk/charts/sso/values.yaml | 2 +-
 .../templates/k8s-dashboard.yaml | 1 +
 helmfile/cloud-sdk/helmfile.yaml | 52 +++++++++++++------
 helmfile/cloud-sdk/secrets/dashboard.yaml | 3 ++
 7 files changed, 62 insertions(+), 21 deletions(-)
 create mode 100644 helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/basic-auth.yaml
 create mode 100644 helmfile/cloud-sdk/secrets/dashboard.yaml
diff --git a/helmfile/cloud-sdk/README.md b/helmfile/cloud-sdk/README.md
index eeb29fe..181036a 100644
--- a/helmfile/cloud-sdk/README.md
+++ b/helmfile/cloud-sdk/README.md
@@ -20,7 +20,7 @@ Currently all secrets are stored in [secrets](./secrets) directory, where you ca
 To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use `helm secrets edit $SECRET_FILE`).
-If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets enc $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`
+If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets encrypt $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`
 You can use secrets in Helmfile the same way as values:
@@ -48,6 +48,17 @@ releases:
 - secretKey: {{ .Environment.Values.example.secretKey }}
 ```
+### K8S Dashboard Login
+
+To replace or set the users that may login to the dashboard (via basic auth):
+
+```
+htpasswd -c auth qa
+```
+Then copy base64 version of this file into: data.auth in charts/k8s-dashboard-roles/templates/basic-auth.yaml.
+The current password is encoded in secrets/dashboard.yaml.
+
+
 ## Usage
 1. Set credentials that are required to connect to Kubernetes cluster
diff --git a/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/basic-auth.yaml b/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/basic-auth.yaml
new file mode 100644
index 0000000..ed8f911
--- /dev/null
+++ b/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/basic-auth.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: k8s-dashboard-basic-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ auth: cWE6JGFwcjEkUkZFUW5nSzkkYUV6R0hhYmpqb0VBQjlqYy9GQldPMAo=
diff --git a/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/clusterrole.yml b/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/clusterrole.yml
index 660e3fc..9033f57 100644
--- a/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/clusterrole.yml
+++ b/helmfile/cloud-sdk/charts/k8s-dashboard-roles/templates/clusterrole.yml
@@ -25,9 +25,9 @@ rules:
 - apiGroups:
 - ""
- resources:
+ resources:
 - "pods/exec"
- verbs:
+ verbs:
 - "create"
 - apiGroups:
diff --git a/helmfile/cloud-sdk/charts/sso/values.yaml b/helmfile/cloud-sdk/charts/sso/values.yaml
index f2286d8..aacb31c 100644
--- a/helmfile/cloud-sdk/charts/sso/values.yaml
+++ b/helmfile/cloud-sdk/charts/sso/values.yaml
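Review bot: The `data.auth` line commits the dashboard's htpasswd entry as a static base64 literal inside the chart template, so the credential that actually gates the dashboard sits in git in recoverable form and is maintained by hand separately from the `secrets/dashboard.yaml` file the README points at, which lets the two drift. Render it from a release value that Helmfile feeds from the sops-encrypted secrets file instead, e.g. `auth: {{ .Values.dashboard.auth | b64enc }}` (value path is illustrative), so the template itself holds no credential. The decoded entry starts with `qa:$apr1$`, i.e. the htpasswd default MD5 digest; generate it with `htpasswd -B` (bcrypt) instead, since a digest stored in a repository should be assumed to face offline guessing. With the entry no longer literal, the README step of pasting base64 into this file goes away as well.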
@@ -6,4 +6,4 @@ oidc:
 issuerUrl: 'https://telecominfraproject.auth0.com/' # workplace-integration40-dev for development
 clientId: clientId
 clientSecret: clientSecret
- cookieSecret: egh24Y$GB2rh2t # arbitrary random string, not really a secret
\ No newline at end of file
+ cookieSecret: egh24Y$GB2rh2t # arbitrary random string, not really a secret
diff --git a/helmfile/cloud-sdk/charts/standalone-monitoring/templates/k8s-dashboard.yaml b/helmfile/cloud-sdk/charts/standalone-monitoring/templates/k8s-dashboard.yaml
index dbf7fe2..f0b4b92 100644
--- a/helmfile/cloud-sdk/charts/standalone-monitoring/templates/k8s-dashboard.yaml
+++ b/helmfile/cloud-sdk/charts/standalone-monitoring/templates/k8s-dashboard.yaml
@@ -10,6 +10,7 @@ metadata:
 labels:
 k8s-app: oauth2-proxy
 spec:
+ ingressClassName: nginx-sso
 rules:
 - host: k8s-dashboard.{{ .Values.monitoring.domain }}
 http:
diff --git a/helmfile/cloud-sdk/helmfile.yaml b/helmfile/cloud-sdk/helmfile.yaml
index 7b8a564..d0ef335 100644
--- a/helmfile/cloud-sdk/helmfile.yaml
+++ b/helmfile/cloud-sdk/helmfile.yaml
@@ -18,7 +18,7 @@ environments:
 certificateARNLab: arn:aws:acm:ap-south-1:289708231103:certificate/5281be14-c5e6-45c5-8d5c-e8660c76fbcb
 - monitoring:
 namespace: monitoring
- publicNamespaces: ['openwifi-qa01', 'openwifi-dev01', 'openwifi-demo']
+ publicNamespaces: ['openwifi-qa01', 'openwifi-qa02', 'openwifi-dev01', 'openwifi-demo']
 - domain: lab.wlan.tip.build
 - storageClass: gp2
 - autoscaler:
@@ -45,6 +45,8 @@ environments:
 enabled: false
 - k8s-dashboard:
 enabled: true
+ - portainer:
+ enabled: false
 - metrics-server:
 enabled: true
 - external-dns:
@@ -99,6 +101,8 @@ repositories:
 url: https://braedon.github.io/helm
 - name: core-dump-handler
 url: https://ibm.github.io/core-dump-handler
+- name: portainer
+ url: https://portainer.github.io/k8s/
 helmDefaults:
 force: false
@@ -166,14 +170,7 @@ releases:
 service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
 service.beta.kubernetes.io/aws-load-balancer-type: elb
 service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
- #MAYBE TRY THESE:
- #service.beta.kubernetes.io/aws-load-balancer-name: apps-ingress
- #service.beta.kubernetes.io/aws-load-balancer-type: external
- #service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
- #service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
- #service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
- #service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
- #service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: 10254
+ service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
 targetPorts:
 http: http
 https: http
@@ -821,6 +818,30 @@ releases:
 targetPort: 5514
 protocol: TCP
+- name: portainer
+ condition: portainer.enabled
+ namespace: {{ .Environment.Values.monitoring.namespace }}
+ chart: portainer/portainer
+ version: 1.0.49
+ labels:
+ role: setup
+ group: monitoring
+ app: portainer
+ values:
+ - service:
+ type: ClusterIP
+ - tls:
+ force: true
+ - ingress:
+ ingressClassName: nginx-sso
+ enabled: true
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ hosts:
+ - host: k8s-admin.{{ .Environment.Values.domain }}
+ paths:
+ - path: "/"
+
 - name: k8s-dashboard-roles
 condition: k8s-dashboard.enabled
 namespace: {{ .Environment.Values.monitoring.namespace }}
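Review bot: The new `portainer` release exposes Portainer at `k8s-admin.{{ .Environment.Values.domain }}` through the `nginx-sso` ingress with no ingress-level authentication annotations, unlike the dashboard ingress later in this file, so Portainer's own login is the only barrier. Portainer's first-run admin account is, as far as I recall, created by whoever reaches the UI first, and its chart normally binds cluster-admin (confirm both for chart 1.0.49); if `nginx-sso` sits behind the load balancer annotated `internet-facing` in the previous hunk, that is a cluster-admin UI reachable from the public internet. Either add the same `nginx.ingress.kubernetes.io/auth-type: basic` / `auth-secret` pair the dashboard ingress uses, or document that the admin account must be created immediately after `portainer.enabled` is flipped to true. The `enabled: false` default in the environment values keeps this dormant for now, which is the right default.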
@@ -863,14 +884,11 @@ releases:
 - /
 - /*
 annotations:
- #alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
- #alb.ingress.kubernetes.io/group.name: wlan-cicd
- #alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
- #alb.ingress.kubernetes.io/scheme: internet-facing
- #kubernetes.io/ingress.class: alb
- nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
- nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
- kubernetes.io/ingress.class: nginx-sso
+ #nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+ #nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: k8s-dashboard-basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 hosts:
 - k8s-dashboard.{{ .Environment.Values.domain }}
diff --git a/helmfile/cloud-sdk/secrets/dashboard.yaml b/helmfile/cloud-sdk/secrets/dashboard.yaml
new file mode 100644
index 0000000..bdbff14
--- /dev/null
+++ b/helmfile/cloud-sdk/secrets/dashboard.yaml
@@ -0,0 +1,3 @@
+dashboard:
+ user: qa
+ password: "Il83:15[G3>i"
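Review bot: `nginx.ingress.kubernetes.io/auth-secret: k8s-dashboard-basic-auth` is looked up in the Ingress's own namespace unless written as `namespace/name`, while the Secret is rendered by the `k8s-dashboard-roles` release into `{{ .Environment.Values.monitoring.namespace }}` (previous hunk); the `k8s-dashboard` release's `namespace:` line is outside this hunk, so if the two differ ingress-nginx cannot load the credentials and the host fails closed rather than prompting. Pin it as `nginx.ingress.kubernetes.io/auth-secret: {{ .Environment.Values.monitoring.namespace }}/k8s-dashboard-basic-auth` or confirm both releases share a namespace. The hunk also removes `kubernetes.io/ingress.class: nginx-sso` with no replacement visible here; the oauth2-proxy Ingress gained an explicit `ingressClassName: nginx-sso` in this patch, and the dashboard Ingress needs the equivalent or it will be claimed by the default controller instead. Moving from per-user SSO to one shared `qa` account also means the access path no longer distinguishes operators; if that trade-off is accepted it belongs in the README's new login section.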
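Review bot: `secrets/dashboard.yaml` is added in plaintext: the hunk shows a literal `password:` value with no `sops:` metadata and no `ENC[...]` values, so the README's rule that files under `secrets/` are encrypted with `helm secrets encrypt` was skipped and the dashboard password is now in git history. Treat that password as disclosed and rotate it; commit only the encrypted form of the file. Nothing else in this patch reads this file (the enforcing credential is the htpasswd entry in `basic-auth.yaml`), so as written it is only a second copy of the secret; either wire it into the release as a values source or drop it. The double quoting of the value is correct, since it contains `:` and `[`.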