deprov dashboard

9b634966 · Tom Teichler · eaffdf44 · 9b634966 · eaffdf44 · eaffdf44
Verified Commit 9b634966 authored 8 months ago by Tom Teichler
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -48,39 +48,6 @@ deploy_cert_manager:
        -f values/cert_manager.yaml
    - kubectl -n $KUBE_NAMESPACE apply -f resources/letsencrypt-issuers.yaml
-deploy_dashboard:
-  stage: deploy
-  rules:
-    - if: $CI_COMMIT_REF_NAME == "main"
-      changes:
-      - values/dashboard.yaml
-      - values/oauth2_proxy.yaml
-      - .gitlab-ci.yml
-  tags:
-    - teckids-trusted
-  environment:
-    name: production/teckids/dashboard
-  before_script:
-    - helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
-    - helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
-    - helm repo update
-  script:
-    - export KUBE_NAMESPACE=kubernetes-dashboard
-    - echo $KUBECONFIG | base64 -d > /tmp/kubeconfig
-    - export KUBECONFIG=/tmp/kubeconfig
-    - helm upgrade --install -n $KUBE_NAMESPACE teckids-dashboard kubernetes-dashboard/kubernetes-dashboard
-        --set podAnnotations.'app\.gitlab\.com'/env=$CI_ENVIRONMENT_SLUG
-        --set podAnnotations.'app\.gitlab\.com'/app=$CI_PROJECT_PATH_SLUG
-        --set ingress.annotations.'nginx\.ingress\.kubernetes\.io'/auth-url="http://teckids-oauth-oauth2-proxy.$KUBE_NAMESPACE.svc.cluster.local/oauth2/auth"
-        -f values/dashboard.yaml
-    - helm upgrade --install -n $KUBE_NAMESPACE teckids-oauth oauth2-proxy/oauth2-proxy
-        --set podAnnotations.'app\.gitlab\.com'/env=$CI_ENVIRONMENT_SLUG
-        --set podAnnotations.'app\.gitlab\.com'/app=$CI_PROJECT_PATH_SLUG
-        --set config.clientID=$OAUTH2ID
-        --set config.clientSecret=$OAUTH2SECRET
-        --set config.cookieSecret=$OAUTH2COOKIE
-        -f values/oauth2_proxy.yaml
 deploy_general_resources:
  stage: deploy
  rules:

--- a/values/dashboard.yaml
+++ b/values/dashboard.yaml
-# Copyright 2020 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# Default values for kubernetes-dashboard
-# This is a YAML-formatted file.
-# Declare name/value pairs to be passed into your templates.
-# name: value
-image:
-  ## Repository for container
-  repository: kubernetesui/dashboard
-  tag: v2.7.0
-  pullPolicy: IfNotPresent
-  pullSecrets: []
-## Number of replicas
-replicaCount: 2
-## Here annotations can be added to the kubernetes dashboard deployment
-annotations: {}
-## Here labels can be added to the kubernetes dashboard deployment
-labels: {}
-## Additional container arguments
-##
-# extraArgs:
-#   - --enable-skip-login
-#   - --enable-insecure-login
-#   - --system-banner="Welcome to Kubernetes"
-## Additional container environment variables
-##
-extraEnv: []
-# - name: SOME_VAR
-#   value: 'some value'
-## Additional volumes to be added to kubernetes dashboard pods
-##
-extraVolumes: []
-# - name: dashboard-kubeconfig
-#   secret:
-#     defaultMode: 420
-#     secretName: dashboard-kubeconfig
-## Additional volumeMounts to be added to kubernetes dashboard container
-##
-extraVolumeMounts: []
-# - mountPath: /kubeconfig
-#   name: dashboard-kubeconfig
-#   readOnly: true
-## Annotations to be added to kubernetes dashboard pods
-# podAnnotations:
-# SecurityContext to be added to kubernetes dashboard pods
-securityContext:
-  seccompProfile:
-    type: RuntimeDefault
-# Labels to be added to kubernetes dashboard pods
-podLabels: {}
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
-#  - key: "key"
-#    operator: "Equal|Exists"
-#    value: "value"
-#    effect: "NoSchedule|PreferNoSchedule|NoExecute"
-## Affinity for pod assignment
-## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-affinity: {}
-## Name of Priority Class of pods
-# priorityClassName: ""
-## Pod resource requests & limits
-resources:
-  requests:
-    cpu: 100m
-    memory: 200Mi
-  limits:
-    cpu: 2
-    memory: 200Mi
-## Serve application over HTTP without TLS
-##
-## Note: If set to true, you may want to add --enable-insecure-login to extraArgs
-protocolHttp: false
-service:
-  type: ClusterIP
-  # Dashboard service port
-  externalPort: 443
-  ## LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
-  ## set allowed inbound rules on the security group assigned to the master load balancer
-#  loadBalancerSourceRanges:
-#    - "188.246.4.204/32"
-#    - "46.41.20.17/28"
-#    - "213.239.195.102/32"
-#    - "91.204.44.72/32"
-#    - "91.204.44.73/32"
-#    - "62.154.226.94/32"
-#    - "46.243.120.67/32"
-#    - "46.243.121.252/32"
-#    - "46.243.120.69/32"
-#    - "46.243.121.250/32"
-#    - "46.243.120.67/32"
-#    - "81.16.18.29/32"
-#    - "87.162.124.119/32"
-#    - "2a02:a00:e00f:ffff::7:1717"
-#    - "2a01:4f8:222:1451:d01f:ea75:bad:f00d"
-#    - "2a03:4000:20:205::/64"
-#    - "2a03:4000:20:210::/64"
-#    - "2003:5b:203b:200::/64"
-#    - "2003:5b:203b:101::/64"
-#    - "2003:5b:203b:100::/64"
-#    - "2003:5b:203b:ca00::/56"
-#    - "2a03:4000:20:243::1/64"
-  ## A user-specified IP address for load balancer to use as External IP (if supported)
-  # loadBalancerIP:
-  ## Additional Kubernetes Dashboard Service annotations
-  annotations: {}
-  ## Here labels can be added to the Kubernetes Dashboard service
-  labels: {}
-  ## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters >=1.15.
-  ## Otherwise, the addon manager will presume ownership of the service and try to delete it.
-  clusterServiceLabel:
-    enabled: true
-    key: "kubernetes.io/cluster-service"
-ingress:
-  ## If true, Kubernetes Dashboard Ingress will be created.
-  ##
-  enabled: true
-  className: "nginx"
-  annotations:
-    kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-email, x-auth-request-user
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      auth_request_set $token $upstream_http_authorization;
-      proxy_set_header Authorization $token;
-    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  paths:
-    - /
-  hosts:
-    - dashboard.kube.teckids.org
-  tls:
-  - hosts:
-    - dashboard.kube.teckids.org
-    secretName: dashboard-tls
-settings:
-  ## Cluster name that appears in the browser window title if it is set
-  clusterName: "Teckids-Prod"
-  ## Max number of items that can be displayed on each list page
-  itemsPerPage: 10
-  ## Number of seconds between every auto-refresh of logs
-  logsAutoRefreshTimeInterval: 5
-  ## Number of seconds between every auto-refresh of every resource. Set 0 to disable
-  resourceAutoRefreshTimeInterval: 5
-  ## Hide all access denied warnings in the notification panel
-  disableAccessDeniedNotifications: false
-## Pinned CRDs that will be displayed in dashboard's menu
-pinnedCRDs:
-  []
-  # - kind: customresourcedefinition
-  ##  Fully qualified name of a CRD
-  #   name: prometheuses.monitoring.coreos.com
-  ##  Display name
-  #   displayName: Prometheus
-  ##  Is this CRD namespaced?
-  #   namespaced: true
-## Metrics Scraper
-## Container to scrape, store, and retrieve a window of time from the Metrics Server.
-## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper
-metricsScraper:
-  ## Wether to enable dashboard-metrics-scraper
-  enabled: true
-  image:
-    repository: kubernetesui/metrics-scraper
-    tag: v1.0.8
-  resources: {}
-  ## SecurityContext for the kubernetes dashboard metrics scraper container
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true
-    runAsUser: 1001
-    runAsGroup: 2001
-metrics-server:
-  enabled: true
-  ## Example for additional args
-  args:
-   - --kubelet-insecure-tls
-rbac:
-  # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created
-  create: true
-  # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created
-  # Independent from rbac.create parameter.
-  clusterRoleMetrics: true
-  # Start in ReadOnly mode.
-  # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created
-  # Only dashboard-related Secrets and ConfigMaps will still be available for writing.
-  #
-  # The basic idea of the clusterReadOnlyRole
-  # is not to hide all the secrets and sensitive data but more
-  # to avoid accidental changes in the cluster outside the standard CI/CD.
-  #
-  # It is NOT RECOMMENDED to use this version in production.
-  # Instead you should review the role and remove all potentially sensitive parts such as
-  # access to persistentvolumes, pods/log etc.
-  #
-  # Independent from rbac.create parameter.
-  clusterReadOnlyRole: false
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
-livenessProbe:
-  # Number of seconds to wait before sending first probe
-  initialDelaySeconds: 30
-  # Number of seconds to wait for probe response
-  timeoutSeconds: 30
-## podDisruptionBudget
-## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
-podDisruptionBudget:
-  enabled: true
-  ## Minimum available instances; ignored if there is no PodDisruptionBudget
-  minAvailable: 1
-  ## Maximum unavailable instances; ignored if there is no PodDisruptionBudget
-  # maxUnavailable:
-## PodSecurityContext for pod level securityContext
-# securityContext:
-#   runAsUser: 1001
-#   runAsGroup: 2001
-## SecurityContext for the kubernetes dashboard container
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: true
-  runAsUser: 1001
-  runAsGroup: 2001
-networkPolicy:
-  # Whether to create a network policy that allows/restricts access to the service
-  enabled: false
-## podSecurityPolicy for fine-grained authorization of pod creation and updates
-podSecurityPolicy:
-  # Specifies whether a pod security policy should be created
-  enabled: false
--- a/values/oauth2_proxy.yaml
+++ b/values/oauth2_proxy.yaml
-# Oauth client configuration specifics
-config:
-  # OAuth client ID
-  clientID: "" # Set by ci
-  # OAuth client secret
-  clientSecret: "" # Set by variable
-  # Create a new secret with the following command
-  # openssl rand -base64 32 | head -c 32 | base64
-  # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
-  # Example:
-  # existingSecret: secret
-  cookieSecret: "" # Set by ci variable
-  # The name of the cookie that oauth2-proxy will create
-  # If left empty, it will default to the release name
-  cookieName: ""
-  configFile: |-
-    email_domains = [ "*" ]
-    upstreams = [ "file:///dev/null" ]
-  # Custom configuration file: oauth2_proxy.cfg
-  # configFile: |-
-  #   pass_basic_auth = false
-  #   pass_access_token = true
-  # Use an existing config map (see configmap.yaml for required fields)
-  # Example:
-  # existingConfig: config
-image:
-  repository: "quay.io/oauth2-proxy/oauth2-proxy"
-  tag: "v7.3.0"
-  pullPolicy: "IfNotPresent"
-extraArgs:
- provider: oidc
- redirect-url: $(REDIRECT_URL)
- oidc-issuer-url: $(OIDC_ISSUER_URL)
- set-authorization-header: true
- email-domain: '*'
- cookie-expire: 6h
- scope: openid profile email
- pass-access-token: true
- skip-jwt-bearer-tokens: true
-extraEnv:
- - name: REDIRECT_URL
-   value: "https://dashboard.kube.teckids.org/oauth2/callback"
- - name: OIDC_ISSUER_URL
-   value: "https://ticdesk.teckids.org/oauth"
-# To authorize individual email addresses
-# That is part of extraArgs but since this needs special treatment we need to do a separate section
-authenticatedEmailsFile:
-  enabled: false
-  # Defines how the email addresses file will be projected, via a configmap or secret
-  persistence: configmap
-  # template is the name of the configmap what contains the email user list but has been configured without this chart.
-  # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
-  # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the
-  # provided value in restrictedUserAccessKey field.
-  template: ""
-  # The configmap/secret key under which the list of email access is stored
-  # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
-  restrictedUserAccessKey: ""
-  # One email per line
-  # example:
-  # restricted_access: |-
-  #   name1@domain
-  #   name2@domain
-  # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
-  # config map resource.
-  restricted_access: ""
-  annotations: {}
-  # helm.sh/resource-policy: keep
-service:
-  type: ClusterIP
-  # when service.type is ClusterIP ...
-  # clusterIP: 192.0.2.20
-  # when service.type is LoadBalancer ...
-  # loadBalancerIP: 198.51.100.40
-  # loadBalancerSourceRanges: 203.0.113.0/24
-  portNumber: 80
-  annotations: {}
-  # foo.io/bar: "true"
-## Create or use ServiceAccount
-serviceAccount:
-  ## Specifies whether a ServiceAccount should be created
-  enabled: true
-  ## The name of the ServiceAccount to use.
-  ## If not set and create is true, a name is generated using the fullname template
-  name:
-  annotations: {}
-ingress:
-  enabled: true
-  className: nginx
-  path: /oauth2
-  # Only used if API capabilities (networking.k8s.io/v1) allow it
-  pathType: ImplementationSpecific
-  # Used to create an Ingress record.
-  hosts:
-    - dashboard.kube.teckids.org
-  tls:
-  - hosts:
-    - dashboard.kube.teckids.org
-    secretName: dashboard-tls
-  # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
-  # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
-  # extraPaths:
-  # - path: /*
-  #   pathType: ImplementationSpecific
-  #   backend:
-  #     service:
-  #       name: ssl-redirect
-  #       port:
-  #         name: use-annotation
-  # annotations:
-  #   kubernetes.io/ingress.class: nginx
-  #   kubernetes.io/tls-acme: "true"
-  # tls:
-    # Secrets must be manually created in the namespace.
-    # - secretName: chart-example-tls
-    #   hosts:
-    #     - chart-example.local
-resources: {}
-  # limits:
-  #   cpu: 100m
-  #   memory: 300Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 300Mi
-extraVolumes: []
-  # - name: ca-bundle-cert
-  #   secret:
-  #     secretName: <secret-name>
-extraVolumeMounts: []
-  # - mountPath: /etc/ssl/certs/
-  #   name: ca-bundle-cert
-priorityClassName: ""
-# Affinity for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# affinity: {}
-# Tolerations for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-# Node labels for pod assignment
-# Ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
-proxyVarsAsSecrets: true
-# Configure Kubernetes liveness and readiness probes.
-# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
-# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
-livenessProbe:
-  enabled: true
-  initialDelaySeconds: 0
-  timeoutSeconds: 1
-readinessProbe:
-  enabled: true
-  initialDelaySeconds: 0
-  timeoutSeconds: 1
-  periodSeconds: 10
-  successThreshold: 1
-# Configure Kubernetes security context for container
-# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-securityContext:
-  enabled: false
-  runAsNonRoot: true
-podAnnotations: {}
-podLabels: {}
-replicaCount: 2
-## PodDisruptionBudget settings
-## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
-podDisruptionBudget:
-  enabled: true
-  minAvailable: 1
-# Configure Kubernetes security context for pod
-# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-podSecurityContext: {}
-# whether to use http or https
-httpScheme: http
-# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
-# Alternatively supply an existing secret which contains the required information.
-htpasswdFile:
-  enabled: false
-  existingSecret: ""
-  entries: {}
-  # One row for each user
-  # example:
-  # entries:
-  #  - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
-# Configure the session storage type, between cookie and redis
-sessionStorage:
-  # Can be one of the supported session storage cookie/redis
-  type: cookie
-  redis:
-    # Secret name that holds the redis-password and redis-sentinel-password values
-    existingSecret: ""
-    password: ""
-    # Can be one of sentinel/cluster/standalone
-    clientType: "standalone"
-    standalone:
-      # If empty and sessionStorage type is redis, will automatically be generated.
-      connectionUrl: ""
-    cluster:
-      # connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
-      connectionUrls: []
-    sentinel:
-      password: ""
-      masterName: ""
-      # connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
-      connectionUrls: []
-# Enables and configure the automatic deployment of the redis subchart
-redis:
-  # provision an instance of the redis sub-chart
-  enabled: false
-  # Redis specific helm chart settings, please see:
-  # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
-  # redisPort: 6379
-  # cluster:
-  #   enabled: false
-  #   slaveCount: 1
-# Enables apiVersion deprecation checks
-checkDeprecation: true
-metrics:
-  # Enable Prometheus metrics endpoint
-  enabled: true
-  # Serve Prometheus metrics on this port
-  port: 44180
-  servicemonitor:
-    enabled: true
-    prometheusInstance: kube-prometheus-stack-prometheus
-    interval: 60s
-    scrapeTimeout: 30s