From 42c229ee98194c6b2fdeb48a0818aba77106cf4c Mon Sep 17 00:00:00 2001 From: Adrien Date: Thu, 27 Feb 2020 19:04:10 +0100 Subject: [PATCH] First release --- defaults/main.yml | 2 + .../dashboard-metrics-scraper-Deployment.yaml | 52 ++++++++ files/dashboard-metrics-scraper-Service.yaml | 15 +++ files/kubernetes-dashboard-ClusterRole.yaml | 13 ++ ...bernetes-dashboard-ClusterRoleBinding.yaml | 14 +++ files/kubernetes-dashboard-Deployment.yaml | 65 ++++++++++ files/kubernetes-dashboard-Namespace.yaml | 19 +++ files/kubernetes-dashboard-Role.yaml | 29 +++++ files/kubernetes-dashboard-RoleBinding.yaml | 17 +++ files/kubernetes-dashboard-Service.yaml | 15 +++ .../kubernetes-dashboard-ServiceAccount.yaml | 9 ++ files/kubernetes-dashboard-certs-Secret.yaml | 10 ++ files/kubernetes-dashboard-csrf-Secret.yaml | 12 ++ ...ubernetes-dashboard-key-holder-Secret.yaml | 10 ++ ...bernetes-dashboard-settings-ConfigMap.yaml | 9 ++ files/traefik/dashboard-traefik-auth-crb.yaml | 14 +++ files/traefik/dashboard-traefik-auth-sa.yaml | 7 ++ meta/main.yml | 7 ++ tasks/main.yml | 112 ++++++++++++++++++ templates/dashboard-ingress.yaml | 66 +++++++++++ 20 files changed, 497 insertions(+) create mode 100644 defaults/main.yml create mode 100644 files/dashboard-metrics-scraper-Deployment.yaml create mode 100644 files/dashboard-metrics-scraper-Service.yaml create mode 100644 files/kubernetes-dashboard-ClusterRole.yaml create mode 100644 files/kubernetes-dashboard-ClusterRoleBinding.yaml create mode 100644 files/kubernetes-dashboard-Deployment.yaml create mode 100644 files/kubernetes-dashboard-Namespace.yaml create mode 100644 files/kubernetes-dashboard-Role.yaml create mode 100644 files/kubernetes-dashboard-RoleBinding.yaml create mode 100644 files/kubernetes-dashboard-Service.yaml create mode 100644 files/kubernetes-dashboard-ServiceAccount.yaml create mode 100644 files/kubernetes-dashboard-certs-Secret.yaml create mode 100644 files/kubernetes-dashboard-csrf-Secret.yaml create mode 100644 files/kubernetes-dashboard-key-holder-Secret.yaml create mode 100644 files/kubernetes-dashboard-settings-ConfigMap.yaml create mode 100644 files/traefik/dashboard-traefik-auth-crb.yaml create mode 100644 files/traefik/dashboard-traefik-auth-sa.yaml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/dashboard-ingress.yaml diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..58b219b --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,2 @@ +my_context: minikube +traefik_version: 2.1 diff --git a/files/dashboard-metrics-scraper-Deployment.yaml b/files/dashboard-metrics-scraper-Deployment.yaml new file mode 100644 index 0000000..f37529c --- /dev/null +++ b/files/dashboard-metrics-scraper-Deployment.yaml @@ -0,0 +1,52 @@ + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + annotations: + seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' + spec: + containers: + - name: dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.3 + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + serviceAccountName: kubernetes-dashboard + nodeSelector: + "beta.kubernetes.io/os": linux + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + volumes: + - name: tmp-volume + emptyDir: {} diff --git a/files/dashboard-metrics-scraper-Service.yaml b/files/dashboard-metrics-scraper-Service.yaml new file mode 100644 index 0000000..bec1f75 --- /dev/null +++ b/files/dashboard-metrics-scraper-Service.yaml @@ -0,0 +1,15 @@ + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + k8s-app: dashboard-metrics-scraper + diff --git a/files/kubernetes-dashboard-ClusterRole.yaml b/files/kubernetes-dashboard-ClusterRole.yaml new file mode 100644 index 0000000..4bcfb66 --- /dev/null +++ b/files/kubernetes-dashboard-ClusterRole.yaml @@ -0,0 +1,13 @@ + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] + diff --git a/files/kubernetes-dashboard-ClusterRoleBinding.yaml b/files/kubernetes-dashboard-ClusterRoleBinding.yaml new file mode 100644 index 0000000..f188ebc --- /dev/null +++ b/files/kubernetes-dashboard-ClusterRoleBinding.yaml @@ -0,0 +1,14 @@ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + diff --git a/files/kubernetes-dashboard-Deployment.yaml b/files/kubernetes-dashboard-Deployment.yaml new file mode 100644 index 0000000..01bb7f8 --- /dev/null +++ b/files/kubernetes-dashboard-Deployment.yaml @@ -0,0 +1,65 @@ + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.0.0-rc5 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + nodeSelector: + "beta.kubernetes.io/os": linux + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + diff --git a/files/kubernetes-dashboard-Namespace.yaml b/files/kubernetes-dashboard-Namespace.yaml new file mode 100644 index 0000000..ebe2fe9 --- /dev/null +++ b/files/kubernetes-dashboard-Namespace.yaml @@ -0,0 +1,19 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard + diff --git a/files/kubernetes-dashboard-Role.yaml b/files/kubernetes-dashboard-Role.yaml new file mode 100644 index 0000000..7f69676 --- /dev/null +++ b/files/kubernetes-dashboard-Role.yaml @@ -0,0 +1,29 @@ + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +rules: + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. + - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] + diff --git a/files/kubernetes-dashboard-RoleBinding.yaml b/files/kubernetes-dashboard-RoleBinding.yaml new file mode 100644 index 0000000..4d20c86 --- /dev/null +++ b/files/kubernetes-dashboard-RoleBinding.yaml @@ -0,0 +1,17 @@ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + diff --git a/files/kubernetes-dashboard-Service.yaml b/files/kubernetes-dashboard-Service.yaml new file mode 100644 index 0000000..5f33846 --- /dev/null +++ b/files/kubernetes-dashboard-Service.yaml @@ -0,0 +1,15 @@ + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + diff --git a/files/kubernetes-dashboard-ServiceAccount.yaml b/files/kubernetes-dashboard-ServiceAccount.yaml new file mode 100644 index 0000000..57c8d87 --- /dev/null +++ b/files/kubernetes-dashboard-ServiceAccount.yaml @@ -0,0 +1,9 @@ + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + diff --git a/files/kubernetes-dashboard-certs-Secret.yaml b/files/kubernetes-dashboard-certs-Secret.yaml new file mode 100644 index 0000000..794fb41 --- /dev/null +++ b/files/kubernetes-dashboard-certs-Secret.yaml @@ -0,0 +1,10 @@ + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kubernetes-dashboard +type: Opaque + diff --git a/files/kubernetes-dashboard-csrf-Secret.yaml b/files/kubernetes-dashboard-csrf-Secret.yaml new file mode 100644 index 0000000..1b5f1fe --- /dev/null +++ b/files/kubernetes-dashboard-csrf-Secret.yaml @@ -0,0 +1,12 @@ + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-csrf + namespace: kubernetes-dashboard +type: Opaque +data: + csrf: "" + diff --git a/files/kubernetes-dashboard-key-holder-Secret.yaml b/files/kubernetes-dashboard-key-holder-Secret.yaml new file mode 100644 index 0000000..5248a73 --- /dev/null +++ b/files/kubernetes-dashboard-key-holder-Secret.yaml @@ -0,0 +1,10 @@ + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard +type: Opaque + diff --git a/files/kubernetes-dashboard-settings-ConfigMap.yaml b/files/kubernetes-dashboard-settings-ConfigMap.yaml new file mode 100644 index 0000000..f33807a --- /dev/null +++ b/files/kubernetes-dashboard-settings-ConfigMap.yaml @@ -0,0 +1,9 @@ + +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard + diff --git a/files/traefik/dashboard-traefik-auth-crb.yaml b/files/traefik/dashboard-traefik-auth-crb.yaml new file mode 100644 index 0000000..0a1d921 --- /dev/null +++ b/files/traefik/dashboard-traefik-auth-crb.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard-traefik + labels: + k8s-app: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: kubernetes-dashboard-traefik + namespace: kubernetes-dashboard \ No newline at end of file diff --git a/files/traefik/dashboard-traefik-auth-sa.yaml b/files/traefik/dashboard-traefik-auth-sa.yaml new file mode 100644 index 0000000..d63bb41 --- /dev/null +++ b/files/traefik/dashboard-traefik-auth-sa.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-traefik + namespace: kubernetes-dashboard diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..890c43f --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,7 @@ +galaxy_info: + author: Adrien Reslinger + description: Install dashboard to a cluster + company: Personnal + min_ansible_version: 2.9 + galaxy_tags: [] + diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..3dbf9cb --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,112 @@ +- name: Dashboard setup + block: + - name: namespace + k8s: + context: "{{ my_context }}" + state: present + name: weave + api_version: v1 + kind: Namespace + + - name: Create a Secret object for basic authentification (traefik 1.7) + k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Secret + metadata: + name: basic-auth + namespace: kubernetes-dashboard + type: Opaque + data: + basic_auth: "{{ basic_auth_data | b64encode }}" + when: + - basic_auth == true + - traefik_version is not defined or traefik_version | regex_search('(1.)') + + - name: Remove a Secret object for basic authentification (traefik 1.7) + k8s: + state: absent + context: "{{ my_context }}" + definition: + apiVersion: v1 + kind: Secret + metadata: + name: basic-auth + namespace: kubernetes-dashboard + type: Opaque + data: + basic_auth: "{{ basic_auth_data | b64encode }}" + when: + - traefik_version is defined + - traefik_version | regex_search('(2.)') + + - name: Remove old existing Ingress object + k8s: + context: "{{ my_context }}" + state: absent + api_version: extensions/v1beta1 + kind: Ingress + namespace: kubernetes-dashboard + name: kubernetes-dashboard + when: + - traefik_version is defined + - traefik_version | regex_search('(2.)') + + - name: dashboard install + k8s: + state: present + context: "{{ my_context }}" + resource_definition: "{{ lookup('file', item) | from_yaml }}" + with_items: + - "kubernetes-dashboard-Namespace.yaml" + - "kubernetes-dashboard-ServiceAccount.yaml" + - "kubernetes-dashboard-Service.yaml" + - "kubernetes-dashboard-certs-Secret.yaml" + - "kubernetes-dashboard-csrf-Secret.yaml" + - "kubernetes-dashboard-key-holder-Secret.yaml" + - "kubernetes-dashboard-settings-ConfigMap.yaml" + - "kubernetes-dashboard-Role.yaml" + - "kubernetes-dashboard-ClusterRole.yaml" + - "kubernetes-dashboard-RoleBinding.yaml" + - "kubernetes-dashboard-ClusterRoleBinding.yaml" + - "kubernetes-dashboard-Deployment.yaml" + - "dashboard-metrics-scraper-Service.yaml" + - "dashboard-metrics-scraper-Deployment.yaml" + - traefik/dashboard-traefik-auth-sa.yaml + - traefik/dashboard-traefik-auth-crb.yaml + + - name: get the dashboard-token secret name + command: kubectl --context {{ my_context }} get sa kubernetes-dashboard-traefik -n kubernetes-dashboard -o jsonpath='{.secrets[0].name}' + register: secret_name + + - name: get the sa token + command: kubectl --context {{ my_context }} get secret -n kubernetes-dashboard {{ secret_name.stdout }} -o jsonpath='{.data.token}' + register: token_value + + - name: write the token to traefik v2 middleware + k8s: + state: present + context: "{{ my_context }}" + definition: + apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: kubernetes-dashboard-auth + namespace: kubernetes-dashboard + spec: + headers: + customRequestHeaders: + Authorization: "Bearer {{ token_value.stdout | b64decode }}" + when: + - traefik_version is defined + - traefik_version | regex_search('(2.)') + + - name: dashboard install + k8s: + state: present + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - dashboard-ingress.yaml diff --git a/templates/dashboard-ingress.yaml b/templates/dashboard-ingress.yaml new file mode 100644 index 0000000..5410c8c --- /dev/null +++ b/templates/dashboard-ingress.yaml @@ -0,0 +1,66 @@ +{% if traefik_version | regex_search('(1.)') %} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: +{% if ingress_whitelist is defined %} + ingress.kubernetes.io/whitelist-source-range: "{% for acl_whitelist in ingress_whitelist %}{{ acl_whitelist }}{% if not loop.last %}, {% endif %}{% endfor %}" +{% endif %} + traefik.frontend.priority: "20" +{% if basic_auth is defined %} + traefik.ingress.kubernetes.io/auth-type: basic + traefik.ingress.kubernetes.io/auth-secret: basic-auth +{% endif %} + ingress.kubernetes.io/custom-request-headers: "Authorization:Bearer {{ token_value.stdout | b64decode }}" + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + rules: + - host: dashboard.{{ ingress_domain }} + http: + paths: + - backend: + serviceName: kubernetes-dashboard + servicePort: 443 +{% else %} +{% if traefik_version | regex_search('(2.)') %} +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + entryPoints: + - https + routes: + - kind: Rule + match: Host(`dashboard.{{ ingress_domain }}`) + priority: 12 + middlewares: +{% if ingress_whitelist is defined %} + - name: traefik-ipwhitelist + namespace: tools +{% endif %} +{% if basic_auth is defined %} + - name: basic-auth + namespace: tools +{% endif %} + - name: kubernetes-dashboard-auth + services: + - name: kubernetes-dashboard + passHostHeader: true + port: 443 + responseForwarding: + flushInterval: 100ms + weight: 1 + tls: + options: + name: default + namespace: tools + secretName: wildcard-cluster +{% endif %} +{% endif %}