Kubernetes dashboard for kubernikus clusters

sapcc · Oct 7, 2019 · 6e9f37b · 6e9f37b
1 parent 2b9c5f8
commit 6e9f37b
Show file tree

Hide file tree

Showing 51 changed files with 4,884 additions and 3 deletions.
diff --git a/charts/images.yaml b/charts/images.yaml
@@ -7,6 +7,15 @@ imagesForVersion:
     cloudControllerManager:
       repository: 'sapcc/openstack-cloud-controller-manager'
       tag: 'v1.15.0-sap.2'
+    dex:
+      repository: 'hub.global.cloud.sap/monsoon/dex'
+      tag: '7abab130c718576e93f7a7cc233dfd90cb8783bb'
+    dashboardProxy:
+      repository: 'quay.io/keycloak/keycloak-gatekeeper'
+      tag: '6.0.1'
+    dashboard:
+      repository: 'kubernetesui/dashboard'
+      tag: 'v2.0.0-beta4'
   '1.14.5':
     supported: true
     hyperkube:
@@ -15,6 +24,15 @@ imagesForVersion:
     cloudControllerManager:
       repository: 'sapcc/openstack-cloud-controller-manager'
       tag: 'v1.14.0-sap.0'
+    dex:
+      repository: 'hub.global.cloud.sap/monsoon/dex'
+      tag: '7abab130c718576e93f7a7cc233dfd90cb8783bb'
+    dashboardProxy:
+      repository: 'quay.io/keycloak/keycloak-gatekeeper'
+      tag: '6.0.1'
+    dashboard:
+      repository: 'kubernetesui/dashboard'
+      tag: 'v2.0.0-beta1'
   '1.13.9':
     supported: true
     hyperkube:
@@ -23,17 +41,44 @@ imagesForVersion:
     cloudControllerManager:
       repository: 'sapcc/openstack-cloud-controller-manager'
       tag: 'v1.13.1'
+    dex:
+      repository: 'hub.global.cloud.sap/monsoon/dex'
+      tag: '7abab130c718576e93f7a7cc233dfd90cb8783bb'
+    dashboardProxy:
+      repository: 'quay.io/keycloak/keycloak-gatekeeper'
+      tag: '6.0.1'
+    dashboard:
+      repository: 'kubernetesui/dashboard'
+      tag: 'v2.0.0-beta1'
   '1.12.10':
     supported: true
     hyperkube:
       repository: 'sapcc/hyperkube'
       tag: 'v1.12.10'
+    dex:
+      repository: 'hub.global.cloud.sap/monsoon/dex'
+      tag: '7abab130c718576e93f7a7cc233dfd90cb8783bb'
+    dashboardProxy:
+      repository: 'quay.io/keycloak/keycloak-gatekeeper'
+      tag: '6.0.1'
+    dashboard:
+      repository: 'kubernetesui/dashboard'
+      tag: 'v2.0.0-beta1'
   '1.11.9':
     default: true
     supported: true
     hyperkube:
       repository: 'sapcc/hyperkube'
       tag: 'v1.11.9'
+    dex:
+      repository: 'hub.global.cloud.sap/monsoon/dex'
+      tag: '7abab130c718576e93f7a7cc233dfd90cb8783bb'
+    dashboardProxy:
+      repository: 'quay.io/keycloak/keycloak-gatekeeper'
+      tag: '6.0.1'
+    dashboard:
+      repository: 'k8s.gcr.io/kubernetes-dashboard-amd64'
+      tag: 'v1.10.1'
   '1.10.11':
     hyperkube:
       repository: 'sapcc/hyperkube'

diff --git a/charts/kube-master/templates/_helpers.tpl b/charts/kube-master/templates/_helpers.tpl
@@ -35,4 +35,39 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $cloudControllerManager := required (printf "No cloudControllerManager image found for version %s" $imagesForVersion) (index $imagesForVersion "cloudControllerManager") }}
 {{- required (printf "repository for cloudControllerManager missing for version %s" $version) $cloudControllerManager.repository }}:
   {{- required (printf "tag for cloudControllerManager missing for version %s" $version) $cloudControllerManager.tag }}
+{{- end -}}
+
+{{- define "dex.image" }}
+{{- $images := required "imagesForVersion undefined" .Values.imagesForVersion}}
+{{- $version := required "version.kubernetes undefined" .Values.version.kubernetes }}
+{{- $imagesForVersion := required (printf "unsupported kubernetes version %s" $version) (index $images $version) }}
+{{- $dex := required (printf "No dex image found for version %s" $imagesForVersion) (index $imagesForVersion "dex") }}
+{{- required (printf "repository for dex missing for version %s" $version) $dex.repository }}:
+  {{- required (printf "tag for dex missing for version %s" $version) $dex.tag }}
+{{- end -}}
+
+{{- define "dashboard.image" }}
+{{- $images := required "imagesForVersion undefined" .Values.imagesForVersion}}
+{{- $version := required "version.kubernetes undefined" .Values.version.kubernetes }}
+{{- $imagesForVersion := required (printf "unsupported kubernetes version %s" $version) (index $images $version) }}
+{{- $dashboard := required (printf "No dashboard image found for version %s" $imagesForVersion) (index $imagesForVersion "dashboard") }}
+{{- required (printf "repository for dashboard missing for version %s" $version) $dashboard.repository }}:
+  {{- required (printf "tag for dashboard missing for version %s" $version) $dashboard.tag }}
+{{- end -}}
+
+{{- define "dashboardProxy.image" }}
+{{- $images := required "imagesForVersion undefined" .Values.imagesForVersion}}
+{{- $version := required "version.kubernetes undefined" .Values.version.kubernetes }}
+{{- $imagesForVersion := required (printf "unsupported kubernetes version %s" $version) (index $images $version) }}
+{{- $dashboardProxy := required (printf "No dashboardProxy image found for version %s" $imagesForVersion) (index $imagesForVersion "dashboardProxy") }}
+{{- required (printf "repository for dashboardProxy missing for version %s" $version) $dashboardProxy.repository }}:
+  {{- required (printf "tag for dashboardProxy missing for version %s" $version) $dashboardProxy.tag }}
+{{- end -}}
+
+{{- define "dashboard.url" -}}
+{{- printf "dashboard-%s.%s.%s.%s" (include "master.fullname" .)  .Values.dashboard.dns.zone .Values.openstack.region .Values.dashboard.dns.domain -}}
+{{- end -}}
+
+{{- define "dex.url" -}}
+{{- printf "auth-%s.%s.%s.%s" (include "master.fullname" .) .Values.dex.dns.zone .Values.openstack.region .Values.dex.dns.domain -}}
 {{- end -}}
diff --git a/charts/kube-master/templates/api.yaml b/charts/kube-master/templates/api.yaml
@@ -176,6 +176,13 @@ spec:
             - --tls-cert-file=/etc/kubernetes/certs/tls-apiserver.pem
             - --tls-private-key-file=/etc/kubernetes/certs/tls-apiserver-key.pem
             # --tls-sni-cert-key=/etc/kubernetes/certs/tls-sni.pem,/etc/kubernetes/certs/tls-sni.key
+            {{ if .Values.dex.enabled }}
+            - --oidc-issuer-url=https://{{ include "dex.url" . }} 
+            - --oidc-client-id=kubernetes
+            - --oidc-groups-claim=groups
+            - --oidc-username-prefix=-
+            - --oidc-username-claim=sub
+            {{ end }}
           volumeMounts:
             - mountPath: /etc/kubernetes/certs
               name: certs

diff --git a/charts/kube-master/templates/dashboard.yaml b/charts/kube-master/templates/dashboard.yaml
@@ -0,0 +1,154 @@
+{{/* vim: set filetype=gotexttmpl: */ -}}
+{{ if and .Values.dex.enabled .Values.dashboard.enabled }}
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  labels:
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+  name: {{ include "master.fullname" . }}-dashboard 
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "master.fullname" . }}-dashboard 
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "master.fullname" . }}-dashboard 
+        release: {{ .Release.Name }}
+    spec:
+      containers:
+        - image: {{ include "dashboardProxy.image" . | quote }} 
+          name: proxy
+          args:
+            - --discovery-url=https://{{ include "dex.url" . }} # ingress of dex
+            - --listen=0.0.0.0:3000 # proxy address
+            - --enable-refresh-tokens=true
+            - --enable-authorization-header=true
+            - "--resources=uri=/*"
+            - --scopes=groups
+            - --client-id=kubernetes
+            - --upstream-url=http://localhost:9090 # kubernetes-dashboard in sidecar 
+            - --redirection-url=https://{{ include "dashboard.url" . }} # ingress of dashboard
+            - --encryption-key={{ randAlphaNum 32 }} 
+          env:
+          - name: PROXY_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "master.fullname" . }}-secret
+                key: dex-client-secret
+          ports:
+          - containerPort: 3000
+          livenessProbe:
+            httpGet:
+              path: /oauth/health
+              port: 3000
+            initialDelaySeconds: 60
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /oauth/health
+              port: 3000
+            initialDelaySeconds: 60
+            periodSeconds: 15
+        - name: dashboard
+          image: {{ include "dashboard.image" . | quote }} 
+          ports:
+            - containerPort: 9090
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 9090
+            initialDelaySeconds: 15
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 9090
+            initialDelaySeconds: 15
+            periodSeconds: 15
+          args:
+          {{- if (semverCompare ">= 1.12.10" .Values.version.kubernetes) }}
+            - --namespace=kube-system # creates dashboard resources in the namespace, introduced in v2.0.0-beta1
+          {{- end }}
+            - --kubeconfig=/etc/kubernetes/config/kubeconfig 
+          {{- if (semverCompare ">= 1.15.2" .Values.version.kubernetes) }}
+            - --metrics-provider=none  #introduced in v2.0.0-beta3
+          {{- else }}
+            - --metric-client-check-period=2592000 # 30 days in seconds, since heapster is not installed
+          {{- end }}
+            - --enable-insecure-login # for login via header http port
+          volumeMounts:
+              # Create on-disk volume to store exec logs
+            - mountPath: /tmp
+              name: tmp-volume
+            - mountPath: /etc/kubernetes/certs
+              name: certs
+              readOnly: true
+            - mountPath: /etc/kubernetes/config
+              name: config
+              readOnly: true
+      volumes:
+        - name: tmp-volume
+          emptyDir: {}
+        - name: certs
+          secret:
+            defaultMode: 420
+            items:
+            - key: tls-ca.pem
+              path: tls-ca.pem
+            - key: apiserver-clients-cluster-admin.pem
+              path: kube-client.pem
+            - key: apiserver-clients-cluster-admin-key.pem
+              path: kube-client.key
+            secretName: {{ include "master.fullname" . }}-secret
+        - configMap:
+            defaultMode: 420
+            name: {{ include "master.fullname" . }}
+          name: config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "master.fullname" . }}-dashboard
+  labels:
+    app: {{ include "master.fullname" . }}-dashboard 
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 3000
+    targetPort: 3000
+    name: proxy
+  selector:
+    app: {{ include "master.fullname" . }}-dashboard 
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+  labels:
+    app: {{ include "master.fullname" . }}-dashboard 
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+  name: {{ include "master.fullname" . }}-dashboard  
+spec:
+  rules:
+  - host: {{ include "dashboard.url" . }} 
+    http:
+      paths:
+      - backend:
+          serviceName: {{ include "master.fullname" . }}-dashboard  
+          servicePort: 3000
+        path: /
+  tls:
+  - hosts:
+    -  {{ include "dashboard.url" . }} 
+    secretName: {{ required "dashboard.ingressSecret undefined" .Values.dashboard.ingressSecret }}
+{{ end }}