feat: update helm chart to work with kong as a gateway (#8735)

* update helm chart to work with kong as a gateway

* improve helm chart and dev pipeline

* disable settings config map autorestore

* update settings config map handling

* make fix

* update helm chart

* update chart and api csrf protection flag name

* restore image pull secrets support

* restore image pull secrets support

* add support for affinity to deployments

* allow disabling default ingress annotations

* fix nodeSelector templating issue

* add support for dynamic base href and simplify serving dashboard on a subpath

* fix make helm target

* update values.yaml docs

* make fix

* fix helm lint

* update DEVELOPMENT.md

* yarn fix lint

* revert formatting change

* fix unit tests

* update yarn.lock

---------

Co-authored-by: Marcin Maciaszczyk <marcin9yk@icloud.com>

.ct.yml

@@ -17,6 +17,7 @@ chart-repos:
   - metrics-server=https://kubernetes-sigs.github.io/metrics-server/
   - cert-manager=https://charts.jetstack.io
   - ingress-nginx=https://kubernetes.github.io/ingress-nginx
+  - kong=https://charts.konghq.com
 debug: false
 # additional-commands:
 #  - helm kubeconform {{ .Path }} --config charts/helm-chart/.kubeconform

DEVELOPMENT.md

@@ -38,7 +38,17 @@ After cloning the repository, install web dependencies with `cd modules/web && y
 
 Then you can start the development version of the application with `make serve` It will create local kind cluster and run all the modules with Docker compose.
 
-If you would like to run production version use `make run`
+If you would like to run production version of the application use `make run`.
+
+To run a full end-to-end test use `make helm`. It will:
+- spin up a local kind dev cluster and expose 443 port (make sure that this port is free on your host)
+- install ingress-nginx for kind
+- update local helm dependencies
+- build all production ready docker images
+- load built images into the kind dev cluster
+- install Kubernetes Dashboard via helm chart inside kind dev cluster
+
+Kubernetes Dashboard should be then available directly on your localhost: https://localhost
 
 To create Docker images locally use `make image`.
 

Makefile

@@ -2,6 +2,7 @@ ROOT_DIRECTORY := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
 include $(ROOT_DIRECTORY)/hack/include/config.mk
 include $(ROOT_DIRECTORY)/hack/include/ensure.mk
+include $(ROOT_DIRECTORY)/hack/include/kind.mk
 
 include $(API_DIRECTORY)/hack/include/config.mk
 include $(WEB_DIRECTORY)/hack/include/config.mk
@@ -66,7 +67,7 @@ tools: $(PRE) ## Installs required tools
 #
 # Note: Make sure that the port 8080 (Web HTTP) is free on your localhost
 .PHONY: serve
-serve: $(PRE) --ensure-kind-cluster ## Starts development version of the application on http://localhost:8080
+serve: $(PRE) --ensure-kind-cluster --ensure-metrics-server ## Starts development version of the application on http://localhost:8080
 	@KUBECONFIG=$(KIND_CLUSTER_INTERNAL_KUBECONFIG_PATH) \
 	SYSTEM_BANNER=$(SYSTEM_BANNER) \
 	SYSTEM_BANNER_SEVERITY=$(SYSTEM_BANNER_SEVERITY) \
@@ -85,7 +86,7 @@ serve: $(PRE) --ensure-kind-cluster ## Starts development version of the applica
 #
 # Note: Make sure that the ports 8443 (Gateway HTTPS) and 8080 (Gateway HTTP) are free on your localhost
 .PHONY: run
-run: $(PRE) --ensure-kind-cluster ## Starts production version of the application on https://localhost:8443 and https://localhost:8000
+run: $(PRE) --ensure-kind-cluster --ensure-metrics-server ## Starts production version of the application on https://localhost:8443 and https://localhost:8000
 	@KUBECONFIG=$(KIND_CLUSTER_INTERNAL_KUBECONFIG_PATH) \
 	SYSTEM_BANNER=$(SYSTEM_BANNER) \
 	SYSTEM_BANNER_SEVERITY=$(SYSTEM_BANNER_SEVERITY) \
@@ -100,17 +101,63 @@ run: $(PRE) --ensure-kind-cluster ## Starts production version of the applicatio
 
 .PHONY: image
 image:
+ifndef NO_BUILD
 		@KUBECONFIG=$(KIND_CLUSTER_INTERNAL_KUBECONFIG_PATH) \
-  	SYSTEM_BANNER=$(SYSTEM_BANNER) \
-  	SYSTEM_BANNER_SEVERITY=$(SYSTEM_BANNER_SEVERITY) \
-  	SIDECAR_HOST=$(SIDECAR_HOST) \
-  	VERSION="v0.0.0-prod" \
-  	docker compose -f $(DOCKER_COMPOSE_PATH) --project-name=$(PROJECT_NAME) build \
-  	--no-cache
+		SYSTEM_BANNER=$(SYSTEM_BANNER) \
+		SYSTEM_BANNER_SEVERITY=$(SYSTEM_BANNER_SEVERITY) \
+		SIDECAR_HOST=$(SIDECAR_HOST) \
+		VERSION="v0.0.0-prod" \
+		docker compose -f $(DOCKER_COMPOSE_PATH) --project-name=$(PROJECT_NAME) build \
+		--no-cache
+endif
+
+# Prepares and installs local dev version of Kubernetes Dashboard in our dedicated kind cluster.
+#
+# 1. Build all docker images
+# 2. Load images into kind cluster
+# 3. Run helm install using loaded dev images
+#
+# Run "NO_BUILD=true make helm" to skip building images.
+#
+# URL: https://localhost
+#
+# Note: Requires kind to set up and run.
+# Note #2: Make sure that the port 443 (HTTPS) is free on your localhost.
+.PHONY: helm
+helm: --ensure-kind-cluster --ensure-kind-ingress-nginx --ensure-helm-dependencies image --kind-load-images ## Install Kubernetes Dashboard helm chart in the dev kind cluster
+	@helm upgrade \
+		--create-namespace \
+		--namespace kubernetes-dashboard \
+		--install kubernetes-dashboard \
+		--set auth.image.repository=dashboard-auth \
+		--set auth.image.tag=latest \
+		--set api.image.repository=dashboard-api \
+		--set api.image.tag=latest \
+		--set web.image.repository=dashboard-web \
+		--set web.image.tag=latest \
+		--set metricsScraper.image.repository=dashboard-scraper \
+		--set metricsScraper.image.tag=latest \
+		--set metrics-server.enabled=true \
+		--set app.ingress.enabled=true \
+		--set app.ingress.ingressClassName=nginx \
+		--set api.scaling.replicas=3 \
+		charts/kubernetes-dashboard
+
+# To serve Dashboard under a different path than root (/) use:
+#		--set app.ingress.path=/dashboard \
+
+# To test API mode with helm below options can be used:
+#		--set app.mode=api \
+#		--set kong.enabled=false \
+#		--set api.containers.args={--metrics-provider=none} \
+
+.PHONY: helm-uninstall
+helm-uninstall: ## Uninstall helm dev installation of Kubernetes Dashboard
+	@helm uninstall -n kubernetes-dashboard kubernetes-dashboard
 
 # ============================ Private ============================ #
 
 .PHONY: --clean
 --clean:
-	@echo "[Global] Cleaning up"
+	@echo "[root] Cleaning up"
 	@rm -rf $(TMP_DIRECTORY)

README.md

@@ -16,17 +16,20 @@ Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters.
 
 ## Installation
 
-Kubernetes Dashboard supports both Helm and Manifest-based installation. Since release `v3.0.0` using Helm Chart should be faster and simpler in general as it will install
-dependencies such as `cert-manager`, `nginx-ingress-controller` and `metrics-server` for you. In case you are using different software to handle certificates, ingress/egress traffic, etc.
-it is possible to disable those dependencies by overriding [helm chart values](charts/kubernetes-dashboard/values.yaml).
-
-### Helm
-
-You can install Dashboard using Helm as described [here](https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard).
-
-### Manifest
-
-You can install Dashboard using `kubectl` as described in the installation instructions that can be found in the [latest release](https://github.com/kubernetes/dashboard/releases/latest).
+Kubernetes Dashboard supports only Helm-based installation currently as it is faster and gives us better control
+over all dependencies required by Dashboard to run. We now use a single-container, DBless [Kong](https://hub.docker.com/r/kong/kong-gateway) installation
+as a gateway that connects all our containers and exposes the UI. Users can then use any ingress controller or proxy
+in front of kong gateway. To find out more about ways to customize your installation check out [helm chart values](charts/kubernetes-dashboard/values.yaml).
+
+In order install Kubernetes Dashboard simply run:
+```console
+# Add kubernetes-dashboard repository
+helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+# Deploy a Helm Release named "kubernetes-dashboard" using the kubernetes-dashboard chart
+helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
+```
+
+For more information about our Helm chart visit [ArtifactHub](https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard).
 
 ## Access
 

charts/kubernetes-dashboard/Chart.lock

@@ -1,12 +1,15 @@
 dependencies:
 - name: ingress-nginx
   repository: https://kubernetes.github.io/ingress-nginx
-  version: 4.7.1
+  version: 4.10.0
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.11.2
+  version: v1.14.3
 - name: metrics-server
   repository: https://kubernetes-sigs.github.io/metrics-server/
-  version: 3.8.4
-digest: sha256:a55a0d3f36aa4d4a38218c7f79224b273ce6388743574de2d679400c93d2b2d6
-generated: "2023-07-08T19:07:40.182171996+02:00"
+  version: 3.12.0
+- name: kong
+  repository: https://charts.konghq.com
+  version: 2.38.0
+digest: sha256:94e8aff5185ff5f76481ed0cc71bb3fbb272fa2ab06068079fcceb002bd47ef2
+generated: "2024-03-02T00:46:32.54460399+01:00"

charts/kubernetes-dashboard/Chart.yaml

@@ -33,14 +33,18 @@ kubeVersion: ">=1.21.0-0"
 dependencies:
   - name: ingress-nginx
     alias: nginx
-    version: 4.7.1
+    version: 4.10.0
     repository: https://kubernetes.github.io/ingress-nginx
     condition: nginx.enabled
   - name: cert-manager
-    version: v1.11.2
+    version: v1.14.3
     repository: https://charts.jetstack.io
     condition: cert-manager.enabled
   - name: metrics-server
-    version: 3.8.4
+    version: 3.12.0
     repository: https://kubernetes-sigs.github.io/metrics-server/
     condition: metrics-server.enabled
+  - name: kong
+    version: 2.38.0
+    repository: https://charts.konghq.com
+    condition: kong.enabled

charts/kubernetes-dashboard/README.md

@@ -5,17 +5,6 @@
 [![GitHub release](https://img.shields.io/github/release/kubernetes/dashboard.svg)](https://github.com/kubernetes/dashboard/releases/latest)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/kubernetes/dashboard/blob/master/LICENSE)
 
-# ! Breaking change !
-Starting from the release `v7` for the Helm chart and `v3` for the Kubernetes Dashboard, underlying architecture has changed, and it requires a clean installation. Please remove previous installation first.
-
-Kubernetes Dashboard now uses `cert-manager` and `nginx-ingress-controller` by default to work properly. They will be automatically installed with the Helm chart. 
-In case you already have them installed, simply set `--set=nginx.enabled=false` and `--set=cert-manager.enabled=false` when installing the chart to disable installation of those dependencies.
-If you want to use different software in addition to disabling `nginx` and `cert-manager` you also need to set `--set=app.ingress.enabled=false` to make sure our default `Ingress` resource will not be installed.
-
-## Introduction
-
-[Kubernetes Dashboard](https://github.com/kubernetes/dashboard) is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
-
 ## TL;DR
 
 ```console
@@ -25,7 +14,7 @@ helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
 helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
 ```
 
-## Introduction
+# Introduction
 
 This chart bootstraps a [Kubernetes Dashboard](https://github.com/kubernetes/dashboard) deployment on
 a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
@@ -109,6 +98,13 @@ kubectl label --overwrite ns kubernetes-dashboard pod-security.kubernetes.io/enf
 A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
 incompatible breaking change needing manual actions.
 
+### Update from 7.x.x-alphaX to 7.x.x
+
+Due to further architecture changes do a clean installation of Kubernetes Dashboard when upgrading from alpha chart version.
+Default dependency on both `nginx-ingress-controller` and `cert-manager` have been removed in favor of using a single-container, DBless
+`kong` installation as a gateway that connects all our containers and exposes the UI. Users can then use any ingress controller or proxy
+in front of kong gateway.
+
 ### Upgrade from 6.x.x to 7.x.x
 
 We recommend doing a clean installation. Kubernetes Dashboard `v3` introduced a big architecture changes and now uses `cert-manager`, 
@@ -164,17 +160,3 @@ To do that you can follow the [guide](https://helm.sh/blog/migrate-from-helm-v2-
 
 For information about how to access, please read
 the [kubernetes-dashboard manual](https://github.com/kubernetes/dashboard)
-
-### Using the dashboard with 'kubectl proxy'
-
-When running 'kubectl proxy', the address `localhost:8001/ui` automatically expands to:
-
-- `http://localhost:8001/api/v1/namespaces/my-namespace/services/https:kubernetes-dashboard:https/proxy/`
-
-For this to reach the dashboard, the name of the service must be 'kubernetes-dashboard', not any other value as set by
-Helm.
-You can manually specify this using the value 'fullnameOverride':
-
-```yaml
-fullnameOverride: 'kubernetes-dashboard'
-```

charts/kubernetes-dashboard/templates/NOTES.txt

@@ -3,23 +3,25 @@
 *************************************************************************************************
 
 Congratulations! You have just installed Kubernetes Dashboard in your cluster.
-{{ if and (has "localhost" .Values.app.ingress.hosts) (eq .Values.app.ingress.ingressClassName "internal-nginx") (.Values.nginx.enabled) }}
+{{ if not (.Values.nginx.enabled) }}
 To access Dashboard run:
-  kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-nginx-controller 8443:443
+  kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-kong-proxy 8443:443
 
-NOTE: In case port-forward command does not work, make sure that nginx service name is correct.
+NOTE: In case port-forward command does not work, make sure that kong service name is correct.
       Check the services in Kubernetes Dashboard namespace using:
         kubectl -n {{ .Release.Namespace }} get svc
 
 Dashboard will be available at:
   https://localhost:8443
 {{- end }}
 
-{{- if and (has "localhost" .Values.app.ingress.hosts) (eq .Values.app.ingress.ingressClassName "internal-nginx") (not .Values.nginx.enabled) }}
-It looks like you already have nginx installed in your cluster. First find the namespace where it is installed and then find its main service name. By default, it should be located in namespace called nginx or nginx-ingress and service name should be nginx-controller.
+{{ if and (has "localhost" .Values.app.ingress.hosts) (eq .Values.app.ingress.ingressClassName "internal-nginx") (.Values.nginx.enabled) }}
+To access Dashboard run:
+    kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-nginx-controller 8443:443
 
-To access Dashboard run (replace placeholders with actual names):
-  kubectl -n <nginx-namespace> port-forward svc/<nginx-service> 8443:443
+NOTE: In case port-forward command does not work, make sure that nginx service name is correct.
+      Check the services in Kubernetes Dashboard namespace using:
+        kubectl -n {{ .Release.Namespace }} get svc
 
 Dashboard will be available at:
   https://localhost:8443
@@ -36,8 +38,3 @@ Dashboard should be accessible on your configured domain(s) soon:
 {{- end }}
 {{- end }}
 {{- end }}
-
-NOTE: It may take a few minutes for the Ingress IP/Domain to be available.
-      It does not apply to local dev Kubernetes installations such as kind, etc.
-      You can watch the status using:
-        kubectl -n {{ .Release.Namespace }} get ing {{ template "kubernetes-dashboard.fullname" . }} -w

charts/kubernetes-dashboard/templates/_helpers.tpl

@@ -62,3 +62,19 @@ Common label selectors
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ include "kubernetes-dashboard.name" . }}
 {{- end -}}
+
+{{- define "kubernetes-dashboard.metrics-scraper.name" -}}
+{{- printf "%s-%s" ( include "kubernetes-dashboard.fullname" . ) ( .Values.metricsScraper.role )}}
+{{- end -}}
+
+{{- define "kubernetes-dashboard.validate.mode" -}}
+{{- if not (or (eq .Values.app.mode "dashboard") (eq .Values.app.mode "api")) -}}
+{{- fail "value of .Values.app.mode must be one of [dashboard, api]"}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kubernetes-dashboard.validate.ingressIssuerScope" -}}
+{{- if not (or (eq .Values.app.ingress.issuer.scope "disabled") (eq .Values.app.ingress.issuer.scope "default") (eq .Values.app.ingress.issuer.scope "cluster")) }}
+{{- fail "value of .Values.app.ingress.issuer.scope must be one of [default, cluster, disabled]"}}
+{{- end -}}
+{{- end -}}

charts/kubernetes-dashboard/templates/config/gateway.yaml

@@ -0,0 +1,63 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if eq .Values.app.mode "dashboard" }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "kubernetes-dashboard.labels" . | nindent 4 }}
+  name: {{ .Values.kong.dblessConfig.configMap }}
+data:
+  kong.yml: |
+    _format_version: "3.0"
+    services:
+      - name: auth
+        host: {{ template "kubernetes-dashboard.fullname" . }}-{{ .Values.auth.role }}
+        port: 8000
+        protocol: http
+        routes:
+          - name: authLogin
+            paths:
+              - /api/v1/login
+            strip_path: false
+          - name: authCsrf
+            paths:
+              - /api/v1/csrftoken/login
+            strip_path: false
+      - name: api
+        host: {{ template "kubernetes-dashboard.fullname" . }}-{{ .Values.api.role }}
+        port: 8000
+        protocol: http
+        routes:
+          - name: api
+            paths:
+              - /api
+            strip_path: false
+          - name: metrics
+            paths:
+              - /metrics
+            strip_path: false
+      - name: web
+        host: {{ template "kubernetes-dashboard.fullname" . }}-{{ .Values.web.role }}
+        port: 8000
+        protocol: http
+        routes:
+          - name: root
+            paths:
+              - /
+            strip_path: false
+
+{{- end -}}