From eba2026b1d0ddeebc25819ab3c1f7d7594afb015 Mon Sep 17 00:00:00 2001 From: Hidetake Iwata Date: Fri, 27 Jul 2018 10:55:20 +0900 Subject: [PATCH] Add kubernetes dashboard and kibana --- 01-env.sh | 16 +++++++++--- README.md | 30 ++++++++++++++++++---- helmfile.yaml | 70 ++++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 104 insertions(+), 12 deletions(-) diff --git a/01-env.sh b/01-env.sh index 6518313..77096e6 100755 --- a/01-env.sh +++ b/01-env.sh @@ -2,13 +2,13 @@ set -x # Domain name for the external ALB. -kubernetes_ingress_domain=dev.example.com +export kubernetes_ingress_domain=dev.example.com # Kubernetes cluster name. -kubernetes_cluster_name=hello.k8s.local +export kubernetes_cluster_name=hello.k8s.local # Bucket name for state store of kops and Terraform. -state_store_bucket_name="state.$kubernetes_cluster_name" +export state_store_bucket_name="state.$kubernetes_cluster_name" # AWS Profile. export AWS_PROFILE=example @@ -16,6 +16,16 @@ export AWS_PROFILE=example # AWS Region. export AWS_DEFAULT_REGION=us-west-2 +## OIDC provider for Kubernetes Dashboard and Kibana. +## See also https://github.com/int128/kubernetes-dashboard-proxy +#export oidc_discovery_url=https://accounts.google.com +#export oidc_kubernetes_dashboard_client_id=xxx-xxx.apps.googleusercontent.com +#export oidc_kubernetes_dashboard_client_secret=xxxxxx +#export oidc_kibana_client_id=xxx-xxx.apps.googleusercontent.com +#export oidc_kibana_client_secret=xxxxxx + + + # Load environment values excluded from VCS if [ -f .env ]; then source .env diff --git a/README.md b/README.md index 0692732..75fa353 100644 --- a/README.md +++ b/README.md 
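Review bot: The new commented-out `oidc_*_client_secret` lines in the second hunk steer users toward putting live OAuth client secrets into this VCS-tracked file, and the hunk header shows `set -x` is in effect earlier in the file, so every `export` of a secret — including the ones later loaded from `.env` via `source .env` — is echoed to stderr and ends up in shell logs and CI output. Point the comment at the untracked file instead, e.g. `## Put real client IDs/secrets in .env (excluded from VCS); this file is committed.`, and keep the trace from printing them by wrapping the load: `set +x`, `source .env`, `set -x`. Quoting the placeholder values (`export oidc_kibana_client_secret='xxxxxx'`) also keeps a secret containing shell metacharacters from being word-split when a user pastes a real one in.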
@@ -109,10 +109,13 @@ By default the script will create the following components: - Create `ServiceAccount` and `ClusterRoleBinding` for the Helm tiller - Patch `StorageClass/gp2` to remove the default storage class - Helm - - `nginx-ingress` - - `efs-provisioner` - - `fluent-bit` - - `kibana` + - [`stable/nginx-ingress`](https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress) + - [`stable/kubernetes-dashboard`](https://github.com/kubernetes/charts/tree/master/stable/kubernetes-dashboard) + - [`int128.github.io/kubernetes-dashboard-proxy`](https://github.com/int128/kubernetes-dashboard-proxy) + - [`stable/heapster`](https://github.com/kubernetes/charts/tree/master/stable/heapster) + - [`stable/efs-provisioner`](https://github.com/helm/charts/tree/master/stable/efs-provisioner) + - [`stable/fluent-bit`](https://github.com/helm/charts/tree/master/stable/fluent-bit) + - [`stable/kibana`](https://github.com/helm/charts/tree/master/stable/kibana) Bootstrap a cluster. 
@@ -200,7 +203,24 @@ terraform apply ``` -#### 4-4. Working with managed services +#### 4-4. OIDC authentication + +You can setup OIDC authentication for exposing Kubernetes Dashboard and Kibana. + +If you want to use your Google Account, create an OAuth client on [Google APIs Console](https://console.developers.google.com/apis/credentials) and change the client ID and secret in `01-env.sh` as follows: + +```sh +export oidc_discovery_url=https://accounts.google.com +export oidc_kubernetes_dashboard_client_id=xxx-xxx.apps.googleusercontent.com +export oidc_kubernetes_dashboard_client_secret=xxxxxx +export oidc_kibana_client_id=xxx-xxx.apps.googleusercontent.com +export oidc_kibana_client_secret=xxxxxx +``` + +See also the tutorial at [int128/kubernetes-dashboard-proxy](https://github.com/int128/kubernetes-dashboard-proxy). + + +#### 4-5. Working with managed services Terraform creates the security group `allow-from-nodes.hello.k8s.local` which allows access from the Kubernetes nodes. You can attach the security group to managed services such as RDS or Elasticsearch. diff --git a/helmfile.yaml b/helmfile.yaml index 0fed89f..2096383 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -1,9 +1,9 @@ releases: + # https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress - name: nginx-ingress namespace: kube-system chart: stable/nginx-ingress values: - # https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress - rbac: create: true controller: @@ -19,8 +19,8 @@ releases: http: 30080 stats: enabled: true - # https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/configmap.md config: + # https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/configmap.md proxy-read-timeout: "180" proxy-send-timeout: "180" # Large request header (e.g. OIDC proxy) 
@@ -36,11 +36,11 @@ releases: requests: memory: 16Mi + # https://github.com/helm/charts/tree/master/stable/efs-provisioner - name: efs-provisioner namespace: kube-system chart: stable/efs-provisioner values: - # https://github.com/helm/charts/tree/master/stable/efs-provisioner - efsProvisioner: efsFileSystemId: {{ requiredEnv "efs_provisoner_file_system_id" }} awsRegion: {{ requiredEnv "AWS_DEFAULT_REGION" }} @@ -49,11 +49,44 @@ releases: name: efs isDefault: true + # https://github.com/kubernetes/charts/tree/master/stable/kubernetes-dashboard + - name: kubernetes-dashboard + namespace: kube-system + chart: stable/kubernetes-dashboard + + # https://github.com/kubernetes/charts/tree/master/stable/heapster + - name: heapster + namespace: kube-system + chart: stable/heapster + +#{{ if env "oidc_kubernetes_dashboard_client_id" }} + # https://github.com/int128/kubernetes-dashboard-proxy + - name: kubernetes-dashboard-proxy + namespace: kube-system + chart: int128.github.io/kubernetes-dashboard-proxy + values: + - ingress: + enabled: true + hosts: + - kubernetes-dashboard.{{ requiredEnv "kubernetes_ingress_domain" }} + proxy: + oidc: + discoveryURL: {{ requiredEnv "oidc_discovery_url" }} + redirectURL: https://kubernetes-dashboard.{{ requiredEnv "kubernetes_ingress_domain" }} + clientID: {{ requiredEnv "oidc_kubernetes_dashboard_client_id" }} + clientSecret: {{ requiredEnv "oidc_kubernetes_dashboard_client_secret" }} + resources: + limits: + memory: 32Mi + requests: + memory: 32Mi +#{{ end }} + + # https://github.com/helm/charts/tree/master/stable/fluent-bit - name: fluent-bit namespace: kube-system chart: stable/fluent-bit values: - # https://github.com/helm/charts/tree/master/stable/fluent-bit - backend: type: es es: 
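Review bot: In the kubernetes-dashboard-proxy release, `clientSecret: {{ requiredEnv "oidc_kubernetes_dashboard_client_secret" }}` is interpolated into YAML unquoted, so a secret containing `#`, `:` or a leading special character is truncated or breaks the parse; quote it, `clientSecret: "{{ requiredEnv "oidc_kubernetes_dashboard_client_secret" }}"` (or `| quote` if the helmfile version in use exposes sprig), and the same for `clientID` and `discoveryURL`. Unlike the kibana-proxy release added further down, this release does not set `enableAuthorizationHeader`, so whether the user's OIDC token is forwarded to the dashboard as a bearer token — and thus whether dashboard actions are subject to per-user RBAC — depends on a chart default that is not visible here; it deserves an explicit value plus a comment such as `# forward the ID token so the dashboard acts as the logged-in user (RBAC applies) — confirm against chart default`. `stable/kubernetes-dashboard` and `stable/heapster` are also installed with chart defaults outside the `#{{ if }}` guard, so they are deployed even when no authenticating proxy fronts them; a one-line comment stating they are only reachable in-cluster in that case (if the chart's default Service type makes that true) would help.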
@@ -82,3 +115,32 @@ releases: memory: 256Mi requests: memory: 256Mi + +#{{ if env "oidc_kibana_client_id" }} + # https://github.com/int128/kubernetes-dashboard-proxy + - name: kibana-proxy + namespace: kube-system + chart: int128.github.io/kubernetes-dashboard-proxy + values: + - ingress: + enabled: true + hosts: + - kibana.{{ requiredEnv "kubernetes_ingress_domain" }} + proxy: + upstreamURL: http://kibana.kube-system.svc.cluster.local:443 + enableAuthorizationHeader: false + oidc: + discoveryURL: {{ requiredEnv "oidc_discovery_url" }} + redirectURL: https://kibana.{{ requiredEnv "kubernetes_ingress_domain" }} + clientID: {{ requiredEnv "oidc_kibana_client_id" }} + clientSecret: {{ requiredEnv "oidc_kibana_client_secret" }} + resources: + limits: + memory: 32Mi + requests: + memory: 32Mi +#{{ end }} + +repositories: + - name: int128.github.io + url: https://int128.github.io/helm-charts
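Review bot: `upstreamURL: http://kibana.kube-system.svc.cluster.local:443` pairs a plain-HTTP scheme with port 443; if the kibana Service really serves cleartext HTTP on 443 (that is chart-dependent and not visible here) add a comment saying so, otherwise this should be `https://…:443` or `http://…:5601`. With `enableAuthorizationHeader: false` Kibana receives no identity, so everyone who completes the OIDC login gets identical access, and nothing in this hunk restricts which accounts may log in (no hosted-domain or e-mail allow-list); confirm that the proxy chart or the OAuth client itself enforces that restriction, or any Google account can reach the cluster logs. `clientSecret` here is also an unquoted YAML interpolation and should be written `clientSecret: "{{ requiredEnv "oidc_kibana_client_secret" }}"` so a secret with `#` or `:` is not mangled. The redirect URL is `https://` while the ingress block sets no `tls:`, which is fine only if TLS terminates at the external ALB mentioned in 01-env.sh — worth a comment on the `ingress:` block.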