Use basic auth for k8s dashboard and add optional Portainer deployment

This commit is contained in:
Carsten Schafer
2024-01-15 15:41:38 -05:00
parent e5d3bac2fd
commit 2d52cdbdb9
7 changed files with 62 additions and 21 deletions


@@ -20,7 +20,7 @@ Currently all secrets are stored in [secrets](./secrets) directory, where you ca
To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use `helm secrets edit $SECRET_FILE`). To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use `helm secrets edit $SECRET_FILE`).
If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets enc $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml` If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets encrypt $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`
You can use secrets in Helmfile the same way as values: You can use secrets in Helmfile the same way as values:
@@ -48,6 +48,17 @@ releases:
- secretKey: {{ .Environment.Values.example.secretKey }} - secretKey: {{ .Environment.Values.example.secretKey }}
``` ```
### K8S Dashboard Login
To replace or set the users that may login to the dashboard (via basic auth):
```
htpasswd -c auth qa
```
Then copy base64 version of this file into: data.auth in charts/k8s-dashboard-roles/templates/basic-auth.yaml.
The current password is encoded in secrets/dashboard.yaml.
## Usage ## Usage
1. Set credentials that are required to connect to Kubernetes cluster 1. Set credentials that are required to connect to Kubernetes cluster


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: k8s-dashboard-basic-auth
namespace: {{ .Release.Namespace }}
data:
auth: cWE6JGFwcjEkUkZFUW5nSzkkYUV6R0hhYmpqb0VBQjlqYy9GQldPMAo=
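Review bot: The `data.auth` value is a hard-coded htpasswd line, so the dashboard credential lives in the chart template in git and rotating it means editing and re-releasing the chart, which contradicts the helm-secrets/sops workflow the README in this same commit describes. Decoding the base64 shows a single `qa:$apr1$…` (MD5-based htpasswd) entry, i.e. one shared account for everyone who uses the dashboard. Suggest templating the value from a sops-managed secret instead, e.g. `auth: {{ .Values.dashboard.htpasswd | b64enc }}` (constructed key name), so the template holds no credential and `secrets/dashboard.yaml` becomes the single source of truth. Note also that the decoded line ends in a newline; harmless for ingress-nginx, but worth trimming if the value is ever generated by a template.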


@@ -25,9 +25,9 @@ rules:
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- "pods/exec" - "pods/exec"
verbs: verbs:
- "create" - "create"
- apiGroups: - apiGroups:


@@ -6,4 +6,4 @@ oidc:
issuerUrl: 'https://telecominfraproject.auth0.com/' # workplace-integration40-dev for development issuerUrl: 'https://telecominfraproject.auth0.com/' # workplace-integration40-dev for development
clientId: clientId clientId: clientId
clientSecret: clientSecret clientSecret: clientSecret
cookieSecret: egh24Y$GB2rh2t # arbitrary random string, not really a secret cookieSecret: egh24Y$GB2rh2t # arbitrary random string, not really a secret
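Review bot: The inline comment on `cookieSecret` understates what the value protects: if these values feed the oauth2-proxy deployment (the ingress elsewhere in this commit is labelled `k8s-app: oauth2-proxy`), the cookie secret is the key that encrypts and signs the session cookie, so anyone who knows it can mint valid sessions. It should be treated like `clientSecret` and sourced from the sops-managed secrets rather than a committed values file, with the comment changed to `# encrypts/signs the session cookie — treat as a secret`. oauth2-proxy itself requires a 16-, 24- or 32-byte cookie secret, so this 14-character value would be rejected if it is passed through unchanged — confirm the chart does not derive the real secret from it. Both sides of this hunk print identically here, so I cannot tell which of these lines actually changed.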


@@ -10,6 +10,7 @@ metadata:
labels: labels:
k8s-app: oauth2-proxy k8s-app: oauth2-proxy
spec: spec:
ingressClassName: nginx-sso
rules: rules:
- host: k8s-dashboard.{{ .Values.monitoring.domain }} - host: k8s-dashboard.{{ .Values.monitoring.domain }}
http: http:


@@ -18,7 +18,7 @@ environments:
certificateARNLab: arn:aws:acm:ap-south-1:289708231103:certificate/5281be14-c5e6-45c5-8d5c-e8660c76fbcb certificateARNLab: arn:aws:acm:ap-south-1:289708231103:certificate/5281be14-c5e6-45c5-8d5c-e8660c76fbcb
- monitoring: - monitoring:
namespace: monitoring namespace: monitoring
publicNamespaces: ['openwifi-qa01', 'openwifi-dev01', 'openwifi-demo'] publicNamespaces: ['openwifi-qa01', 'openwifi-qa02', 'openwifi-dev01', 'openwifi-demo']
- domain: lab.wlan.tip.build - domain: lab.wlan.tip.build
- storageClass: gp2 - storageClass: gp2
- autoscaler: - autoscaler:
@@ -45,6 +45,8 @@ environments:
enabled: false enabled: false
- k8s-dashboard: - k8s-dashboard:
enabled: true enabled: true
- portainer:
enabled: false
- metrics-server: - metrics-server:
enabled: true enabled: true
- external-dns: - external-dns:
@@ -99,6 +101,8 @@ repositories:
url: https://braedon.github.io/helm url: https://braedon.github.io/helm
- name: core-dump-handler - name: core-dump-handler
url: https://ibm.github.io/core-dump-handler url: https://ibm.github.io/core-dump-handler
- name: portainer
url: https://portainer.github.io/k8s/
helmDefaults: helmDefaults:
force: false force: false
@@ -166,14 +170,7 @@ releases:
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-type: elb service.beta.kubernetes.io/aws-load-balancer-type: elb
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
#MAYBE TRY THESE: service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
#service.beta.kubernetes.io/aws-load-balancer-name: apps-ingress
#service.beta.kubernetes.io/aws-load-balancer-type: external
#service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
#service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
#service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
#service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
#service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: 10254
targetPorts: targetPorts:
http: http http: http
https: http https: http
@@ -821,6 +818,30 @@ releases:
targetPort: 5514 targetPort: 5514
protocol: TCP protocol: TCP
- name: portainer
condition: portainer.enabled
namespace: {{ .Environment.Values.monitoring.namespace }}
chart: portainer/portainer
version: 1.0.49
labels:
role: setup
group: monitoring
app: portainer
values:
- service:
type: ClusterIP
- tls:
force: true
- ingress:
ingressClassName: nginx-sso
enabled: true
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
hosts:
- host: k8s-admin.{{ .Environment.Values.domain }}
paths:
- path: "/"
- name: k8s-dashboard-roles - name: k8s-dashboard-roles
condition: k8s-dashboard.enabled condition: k8s-dashboard.enabled
namespace: {{ .Environment.Values.monitoring.namespace }} namespace: {{ .Environment.Values.monitoring.namespace }}
@@ -863,14 +884,11 @@ releases:
- / - /
- /* - /*
annotations: annotations:
#alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}' #nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
#alb.ingress.kubernetes.io/group.name: wlan-cicd #nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
#alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' nginx.ingress.kubernetes.io/auth-type: basic
#alb.ingress.kubernetes.io/scheme: internet-facing nginx.ingress.kubernetes.io/auth-secret: k8s-dashboard-basic-auth
#kubernetes.io/ingress.class: alb nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
kubernetes.io/ingress.class: nginx-sso
hosts: hosts:
- k8s-dashboard.{{ .Environment.Values.domain }} - k8s-dashboard.{{ .Environment.Values.domain }}
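Review bot: The dashboard ingress (hunk at -863) replaces the oauth2-proxy `auth-url`/`auth-signin` annotations with `auth-type: basic` backed by a single shared account, which drops per-user identity and whatever MFA the OIDC provider enforced on an endpoint whose role grants `create` on `pods/exec` (visible in the k8s-dashboard-roles hunk). If basic auth is a deliberate stopgap, record that next to the annotation, e.g. `# temporary: replaces OIDC SSO, tracked in <TICKET-ID>`, and delete the two commented-out `#nginx.ingress.kubernetes.io/auth-*` lines rather than leaving dead config behind. The new Portainer release (hunk at -821) is exposed at `k8s-admin.<domain>` with no ingress-level auth annotation at all; unless the chart is given an initial admin password (not visible here), Portainer's first-visit admin setup is reachable by anyone who can resolve the host, so either add the same basic-auth annotations or seed the admin credential from secrets before enabling it. Finally, the Portainer and oauth2-proxy ingresses use `ingressClassName: nginx-sso` while the dashboard ingress still relies on the deprecated `kubernetes.io/ingress.class: nginx-sso` annotation; pick one form so the controller selection is unambiguous.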


@@ -0,0 +1,3 @@
dashboard:
user: qa
password: "Il83:15[G3>i"
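Review bot: The dashboard password is readable in clear text in this hunk, so either the file was committed without `helm secrets encrypt` or the `.sops.yaml` rules do not cover it; either way the credential is now in git history and should be rotated and the file re-added as a sops `ENC[...]` document. Nothing in the commit consumes `dashboard.user`/`dashboard.password` — the chart template hard-codes the base64 htpasswd line separately — so the two copies can drift silently. Consider storing the generated htpasswd line here (e.g. under a `dashboard.htpasswd` key, constructed name) and having the Secret template read it, so the committed template carries no credential and there is one place to rotate.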