feat: update helm chart to work with kong as a gateway

[floreks]

Helm

This is a complete overhaul of the helm chart. It includes:

• Added DBless, single-container kong deployment as a default gateway for the Kubernetes Dashboard. This is a required dependency.
• Settings ConfigMap name/namespace is now configurable via values.yaml → web.settings.configMap entry.
• Scaling configuration has been split to allow configuring replicas per every container separately.
• Metrics scraper service name is no longer hardcoded in the API container. Its name is now generated similarly to other deployments/services.
• CSRF key is now generated by the helm and imported as an env var into the containers. This allowed us to drop generation logic and direct dependency on this secret from code.
• Image pull secrets are now properly respected by all deployments.
• RBACs for every deployment have been separated to make sure that every container gets as little permissions as possible.
• Ingress configuration has been updated to be more flexible:
  • Dashboard can now be served more easily on a subpath simply by enabling app.ingress.enabled=true and app.ingress.path=/dashboard. It would serve Dashboard on https://localhost/dashboard by default.
  • Default annotations can now be disabled via app.ingress.useDefaultAnnotations=false
  • ingressClassName can now be skipped from spec and it should fallback to using default ingress class (if configured). It is controlled by app.ingress.useDefaultIngressClass.
• Helm chart now supports API only mode meaning that you can deploy only an API container. This can be achieved by below configuration:
  • app.mode=api
  • kong.enabled=false
  • Optionally you can also disable metrics with api.containers.args={--metrics-provider=none}
• cert-manager, nginx and metrics-server are now disabled by default. Only kong dependency is required.
• clusterReadOnlyRole has been removed since it is no longer possible to use Dashboard permissions to access the cluster. User access is required at all times.

Web

• Settings save now uses user permissions instead of Dashboard.
• Removed restore settings ConfigMap logic
• Increased default resource autorefresh time interval to 10 seconds
• Added a small script to index.html to dynamically generate <base href=...> tag.

API

• Added csrf-key argument - Base64 encoded random 256 bytes key. Can be loaded from 'CSRF_KEY' environment variable.

Auth

• Added csrf-key argument - Base64 encoded random 256 bytes key. Can be loaded from 'CSRF_KEY' environment variable.

Fixes

Some other issues were fixed along the way.

Fixes #8172
Fixes #8340
Fixes #8148
Fixes #8137
Fixes #8053
Fixes #8224
Fixes #3686

[codecov]

Codecov Report

Merging #8735 (70a235d) into master (9a2e47e) will increase coverage by 0.02%.
Report is 1 commits behind head on master.
The diff coverage is 9.37%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8735      +/-   ##
==========================================
+ Coverage   35.77%   35.80%   +0.02%     
==========================================
  Files         252      252              
  Lines       10708    10705       -3     
  Branches      156      157       +1     
==========================================
+ Hits         3831     3833       +2     
+ Misses       6626     6621       -5     
  Partials      251      251              

[maciaszczykm]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floreks, maciaszczykm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floreks,maciaszczykm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment