From d92ddbdf98e00f23ff143a0203f259b6525d56a9 Mon Sep 17 00:00:00 2001
From: Sebastian Florek
Date: Fri, 5 Apr 2024 14:41:54 +0200
Subject: [PATCH 1/3] remove rollme annotation and use checksum based on csrf secret content
---
 Makefile | 2 +-
 charts/kubernetes-dashboard/templates/_helpers.tpl | 10 ++++++++++
 .../templates/deployments/api.yaml | 3 +--
 .../templates/deployments/auth.yaml | 3 +--
 .../kubernetes-dashboard/templates/secrets/csrf.yaml | 2 +-
 charts/kubernetes-dashboard/values.yaml | 4 ++--
 6 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 71fac7b7f82..e30d67aff73 100644
--- a/Makefile
+++ b/Makefile
@@ -134,7 +134,7 @@ endif
 # Note: Requires kind to set up and run.
 # Note #2: Make sure that the port 443 (HTTPS) is free on your localhost.
 .PHONY: helm
-helm: --ensure-kind-cluster --ensure-kind-ingress-nginx --ensure-helm-dependencies image --kind-load-images ## Install Kubernetes Dashboard dev helm chart in the dev kind cluster
+helm: # --ensure-kind-cluster --ensure-kind-ingress-nginx --ensure-helm-dependencies image --kind-load-images ## Install Kubernetes Dashboard dev helm chart in the dev kind cluster
 @helm upgrade \
 --create-namespace \
 --namespace dashboard \
diff --git a/charts/kubernetes-dashboard/templates/_helpers.tpl b/charts/kubernetes-dashboard/templates/_helpers.tpl
index 55c42e85556..0c4143c9e83 100644
--- a/charts/kubernetes-dashboard/templates/_helpers.tpl
+++ b/charts/kubernetes-dashboard/templates/_helpers.tpl
@@ -75,6 +75,16 @@ app.kubernetes.io/part-of: {{ include "kubernetes-dashboard.name" . }}
 {{- printf "private.key" }}
 {{- end -}}
+{{- define "kubernetes-dashboard.app.csrf.secret.value" -}}
+{{- $secretName := (include "kubernetes-dashboard.app.csrf.secret.name" .) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $secret (hasKey $secret "data") (hasKey $secret.data "private.key") (index $secret.data "private.key") -}}
+private.key: {{ index $secret.data "private.key" }}
+{{- else -}}
+private.key: {{ randBytes 256 | b64enc | quote }}
+{{- end -}}
+{{- end -}}
+
 {{- define "kubernetes-dashboard.metrics-scraper.name" -}}
 {{- printf "%s-%s" ( include "kubernetes-dashboard.fullname" . ) ( .Values.metricsScraper.role )}}
 {{- end -}}
diff --git a/charts/kubernetes-dashboard/templates/deployments/api.yaml b/charts/kubernetes-dashboard/templates/deployments/api.yaml
index 5efefd807de..ab680e491ec 100644
--- a/charts/kubernetes-dashboard/templates/deployments/api.yaml
+++ b/charts/kubernetes-dashboard/templates/deployments/api.yaml
@@ -46,8 +46,7 @@ spec:
 app.kubernetes.io/version: {{ .Values.api.image.tag }}
 app.kubernetes.io/component: {{ .Values.api.role }}
 annotations:
- {{/* Ensure that the deployment is rolled on upgrade since CSRF key will be regenerated. */}}
- rollme: {{ randAlphaNum 5 | quote }}
+ checksum/config: {{ include (print $.Template.BasePath "/secrets/csrf.yaml") . | sha256sum }}
 {{- with .Values.api.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/kubernetes-dashboard/templates/deployments/auth.yaml b/charts/kubernetes-dashboard/templates/deployments/auth.yaml
index 727dad9c497..67fe28a4531 100644
--- a/charts/kubernetes-dashboard/templates/deployments/auth.yaml
+++ b/charts/kubernetes-dashboard/templates/deployments/auth.yaml
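Review bot: The `else` branch of `kubernetes-dashboard.app.csrf.secret.value` is taken whenever `lookup` returns nothing, and that is not limited to a first install: Helm does not query the cluster under `helm template` or a client-side `--dry-run`, so every such render still produces a fresh `randBytes 256` key. The helper has no comment, and this is the behaviour a maintainer most needs to know; I would add above the `define` something like `{{/* Reuses the stored CSRF key when lookup can read the Secret; otherwise (first install, helm template, client dry-run) generates a new one. */}}`. The reuse branch also prints the value unquoted and repeats the literal key name, so `{{ include "kubernetes-dashboard.app.csrf.secret.key" . }}: {{ index $secret.data "private.key" | quote }}` would match the `else` branch and the key helper that the old `csrf.yaml` line used.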
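Review bot: `checksum/config` hashes its own render of `secrets/csrf.yaml`, so whenever the value helper falls back to `randBytes` the Secret, this Deployment and the identical annotation in `deployments/auth.yaml` each see a different random key and the hash describes a key that is never stored. In that state the annotation changes on the next render and the pods roll just as they did with `rollme`; it is stable only once `lookup` finds the existing Secret. The hash also covers the Secret's metadata, so a change in the output of `kubernetes-dashboard.labels` rolls both Deployments as well. The explanatory comment was deleted together with `rollme`; I would keep one, e.g. `{{/* Roll pods when the rendered CSRF Secret changes. */}}`, and name the annotation for what it hashes, e.g. `checksum/csrf-secret`.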
@@ -49,8 +49,7 @@ spec:
 app.kubernetes.io/version: {{ .Values.auth.image.tag }}
 app.kubernetes.io/component: {{ .Values.auth.role }}
 annotations:
- {{/* Ensure that the deployment is rolled on upgrade since CSRF key will be regenerated. */}}
- rollme: {{ randAlphaNum 5 | quote }}
+ checksum/config: {{ include (print $.Template.BasePath "/secrets/csrf.yaml") . | sha256sum }}
 {{- with .Values.auth.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/kubernetes-dashboard/templates/secrets/csrf.yaml b/charts/kubernetes-dashboard/templates/secrets/csrf.yaml
index 0dfad11b305..4ddaf63f6d8 100644
--- a/charts/kubernetes-dashboard/templates/secrets/csrf.yaml
+++ b/charts/kubernetes-dashboard/templates/secrets/csrf.yaml
@@ -19,4 +19,4 @@ metadata:
 {{- include "kubernetes-dashboard.labels" . | nindent 4 }}
 name: {{ template "kubernetes-dashboard.app.csrf.secret.name" . }}
 data:
- {{ template "kubernetes-dashboard.app.csrf.secret.key" . }}: {{ randBytes 256 | b64enc | quote }}
+ {{ (include "kubernetes-dashboard.app.csrf.secret.value" . ) -}}
diff --git a/charts/kubernetes-dashboard/values.yaml b/charts/kubernetes-dashboard/values.yaml
index c1424e16a12..94f6e38772d 100644
--- a/charts/kubernetes-dashboard/values.yaml
+++ b/charts/kubernetes-dashboard/values.yaml
@@ -143,7 +143,7 @@ auth:
 limits:
 cpu: 250m
 memory: 400Mi
- automountServiceAccountToken: false
+ automountServiceAccountToken: true
 volumes:
 # Create on-disk volume to store exec logs (required)
 - name: tmp-volume
@@ -341,7 +341,7 @@ kong:
 enabled: true
 ## Configuration reference: https://docs.konghq.com/gateway/3.6.x/reference/configuration
 env:
- dns_order: A,CNAME,LAST,SRV
+ dns_order: A,CNAME,LAST,AAAA,SRV
 plugins: 'off'
 nginx_worker_processes: 1
 ingressController:
From 2517e48465682174f20c1b46e78ecaf4c9acc09b Mon Sep 17 00:00:00 2001
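Review bot: Nothing in the chart rotates the CSRF key once this line takes its value from `kubernetes-dashboard.app.csrf.secret.value`: going by the helper added in this patch, a key found in the cluster is reused on every upgrade. The template should say so and state how to rotate, e.g. a comment above `data:` such as `{{/* Key is generated once and kept across upgrades; delete this Secret and run an upgrade to rotate it. */}}`. If the Secret is ever created or edited out of band, whatever is stored under `private.key` is taken as-is, which is worth a line in the chart documentation too.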
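Review bot: `automountServiceAccountToken` under `auth:` changes from `false` to `true` without a word in the commit subject, and unlike the Makefile edit it is not reverted by PATCH 2/3, so it looks like a local debugging change that slipped in. Mounting the token gives the auth pod Kubernetes API credentials it did not have before; if the auth service really needs them, say so in a comment next to the value (for example `# auth calls the Kubernetes API: <reason>`) and keep its ServiceAccount's RBAC minimal, otherwise restore `false`. The `dns_order` hunk that follows (adding `AAAA`) is also unrelated to the subject and would be easier to review with a one-line comment or in its own commit.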
From: Sebastian Florek
Date: Fri, 5 Apr 2024 14:44:05 +0200
Subject: [PATCH 2/3] bump chart to 7.2.0
---
 Makefile | 2 +-
 charts/kubernetes-dashboard/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index e30d67aff73..71fac7b7f82 100644
--- a/Makefile
+++ b/Makefile
@@ -134,7 +134,7 @@ endif
 # Note: Requires kind to set up and run.
 # Note #2: Make sure that the port 443 (HTTPS) is free on your localhost.
 .PHONY: helm
-helm: # --ensure-kind-cluster --ensure-kind-ingress-nginx --ensure-helm-dependencies image --kind-load-images ## Install Kubernetes Dashboard dev helm chart in the dev kind cluster
+helm: --ensure-kind-cluster --ensure-kind-ingress-nginx --ensure-helm-dependencies image --kind-load-images ## Install Kubernetes Dashboard dev helm chart in the dev kind cluster
 @helm upgrade \
 --create-namespace \
 --namespace dashboard \
diff --git a/charts/kubernetes-dashboard/Chart.yaml b/charts/kubernetes-dashboard/Chart.yaml
index 9ebb5e903c1..cfeda75d99a 100644
--- a/charts/kubernetes-dashboard/Chart.yaml
+++ b/charts/kubernetes-dashboard/Chart.yaml
@@ -14,7 +14,7 @@
 apiVersion: v2
 name: kubernetes-dashboard
-version: 7.1.3
+version: 7.2.0
 description: General-purpose web UI for Kubernetes clusters
 keywords:
 - kubernetes
From d0f1a947eba91fb09e162e6eadc5b0789e675555 Mon Sep 17 00:00:00 2001
From: Sebastian Florek
Date: Fri, 5 Apr 2024 14:49:02 +0200
Subject: [PATCH 3/3] bump api image to 1.4.1
---
 charts/kubernetes-dashboard/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/kubernetes-dashboard/values.yaml b/charts/kubernetes-dashboard/values.yaml
index 94f6e38772d..6ba09a0c052 100644
--- a/charts/kubernetes-dashboard/values.yaml
+++ b/charts/kubernetes-dashboard/values.yaml
@@ -158,7 +158,7 @@ api:
 role: api
 image:
 repository: docker.io/kubernetesui/dashboard-api
- tag: 1.4.0
+ tag: 1.4.1
 scaling:
 replicas: 1
 revisionHistoryLimit: 10