From 0a97ed16d6ed8eca590528c2840879f2577bfa3e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 4 Nov 2019 11:12:20 +0100 Subject: [PATCH 01/20] Add Helm Chart. --- .travis.yml | 48 ++++- .../kubernetes-dashboard/.helmignore | 38 ++++ .../kubernetes-dashboard/Chart.yaml | 30 +++ .../helm-chart/kubernetes-dashboard/OWNERS | 4 + .../helm-chart/kubernetes-dashboard/README.md | 133 ++++++++++++ .../ci/default-values.yaml | 0 .../ci/ingress-values.yaml | 2 + .../ci/network-policy-values.yaml | 2 + .../kubernetes-dashboard/ci/pdb-values.yaml | 2 + .../ci/rbac-cluster-readonly-role-values.yaml | 2 + .../kubernetes-dashboard/templates/NOTES.txt | 49 +++++ .../templates/_helpers.tpl | 78 +++++++ .../templates/clusterrole-metrics.yaml | 27 +++ .../templates/clusterrole-readonly.yaml | 146 +++++++++++++ .../templates/clusterrolebinding-metrics.yaml | 30 +++ .../clusterrolebinding-readonly.yaml | 30 +++ .../templates/deployment.yaml | 131 ++++++++++++ .../templates/ingress.yaml | 67 ++++++ .../templates/networkpolicy.yaml | 38 ++++ .../kubernetes-dashboard/templates/pdb.yaml | 32 +++ .../kubernetes-dashboard/templates/role.yaml | 42 ++++ .../templates/rolebinding.yaml | 30 +++ .../templates/secret.yaml | 41 ++++ .../templates/serviceaccount.yaml | 23 +++ .../kubernetes-dashboard/templates/svc.yaml | 48 +++++ .../kubernetes-dashboard/values.yaml | 191 ++++++++++++++++++ license-checker-config.json | 2 +- 27 files changed, 1263 insertions(+), 3 deletions(-) create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/.helmignore create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/OWNERS create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/README.md create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/ci/default-values.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/ci/ingress-values.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/ci/network-policy-values.yaml create mode 
100644 aio/deploy/helm-chart/kubernetes-dashboard/ci/pdb-values.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/ci/rbac-cluster-readonly-role-values.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/NOTES.txt create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/_helpers.tpl create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml create mode 100755 aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-readonly.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/ingress.yaml create mode 100755 aio/deploy/helm-chart/kubernetes-dashboard/templates/networkpolicy.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/pdb.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/role.yaml create mode 100755 aio/deploy/helm-chart/kubernetes-dashboard/templates/rolebinding.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/values.yaml diff --git a/.travis.yml b/.travis.yml index fa0d74e90b45..fa8a9ffd7543 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -52,22 +52,66 @@ before_script: jobs: include: - stage: test + name: "Code check & linting" before_script: - aio/scripts/install-codegen.sh script: npm run check - - script: npm run test:coverage + - name: "Unit tests" + script: npm run test:coverage after_success: - rm -rf $TRAVIS_BUILD_DIR/.tmp - bash <(curl -s https://codecov.io/bash) - - script: npm run cluster:start && npm run e2e + - name: "Helm linting" + cache: false + install: + - cd aio/deploy/helm-chart/kubernetes-dashboard + - curl -L https://git.io/get_helm.sh | bash && helm init --skip-refresh --client-only + - wget https://github.com/garethr/kubeval/releases/download/0.14.0/kubeval-linux-amd64.tar.gz + - tar xf kubeval-linux-amd64.tar.gz + before_script: skip # We don't need Docker nor Go + script: + - | + set -e; + for VALUES_FILE in $(ls ci); do + echo "Linting and validating Helm Chart using $VALUES_FILE values file..." + # Simple lint + helm lint --values ci/$VALUES_FILE; + + # Validate all generated manifest against Kubernetes json schema + mkdir helm-output; + helm template --values ci/$VALUES_FILE --output-dir helm-output .; + find helm-output -type f -exec \ + ./kubeval \ + --kubernetes-version 1.16.0 \ + --schema-location https://raw.githubusercontent.com/instrumenta/kubernetes-json-schema/master \ + {} +; + rm -rf helm-output; + done; + - name: "e2e tests" + script: npm run cluster:start && npm run e2e + - stage: deploy + name: "Development release" script: - docker login -u $DOCKER_USER -p $DOCKER_PASS - npm run docker:push:head + - stage: release + name: "Release" script: - docker login -u $DOCKER_RELEASE_USER -p $DOCKER_RELEASE_PASS - npm run docker:push + # Manual step for now since it requires to add a GitHub Token to Travis which would be a security issue + # - name: "Helm repository generation" + # cache: false + # install: + # - curl -L https://git.io/get_helm.sh | bash && helm init --skip-refresh --client-only + # - git remote set-branches origin '*' && git fetch --unshallow + # 
# GTHUB_WRITE_TOKEN is a travis secret variable that is generated from https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + # - git remote set-url origin https://x-access-token:${GITHUB_WRITE_TOKEN}@github.com/${TRAVIS_REPO_SLUG}.git + # before_script: skip # We don't need Docker nor Go + # script: + # - sh ./aio/scripts/ stages: - test diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore b/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore new file mode 100644 index 000000000000..8a8a5b6096ed --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore @@ -0,0 +1,38 @@ +# Copyright 2020 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +OWNERS + +ci/ diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml new file mode 100644 index 000000000000..f85d0c35051f --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml 
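Review bot: The new "Helm linting" job's `install` step fetches and executes unpinned tooling with no integrity check — `curl -L https://git.io/get_helm.sh | bash` runs whatever the redirect currently serves, and the kubeval tarball is unpacked with `tar xf` without comparing a checksum, so on every PR build a changed or compromised upstream runs arbitrary code inside CI. Pin the Helm version (the v2 installer script reads a `DESIRED_VERSION` variable, as far as I know, e.g. `DESIRED_VERSION=v2.x.y bash`) and verify the kubeval archive against a known digest before extracting, e.g. `echo "<sha256>  kubeval-linux-amd64.tar.gz" | sha256sum -c -`. Separately, the commented-out release job names the secret `GTHUB_WRITE_TOKEN` in its comment but expands `${GITHUB_WRITE_TOKEN}` in the `git remote set-url` line; worth aligning before that block is enabled.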
@@ -0,0 +1,30 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: kubernetes-dashboard
+version: 2.0.0
+appVersion: 2.0.0
+description: General-purpose web UI for Kubernetes clusters
+keywords:
+- kubernetes
+- dashboard
+home: https://github.com/kubernetes/dashboard
+sources:
+- https://github.com/kubernetes/dashboard
+maintainers:
+- name: desaintmartin
+ email: cdesaintmartin@wiremind.fr
+icon: https://raw.githubusercontent.com/kubernetes/kubernetes/master/logo/logo.svg
+kubeVersion: ">=1.10.0-0"
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/OWNERS b/aio/deploy/helm-chart/kubernetes-dashboard/OWNERS
new file mode 100644
index 000000000000..0ecc0f4833ae
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- desaintmartin
+reviewers:
+- desaintmartin
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md
new file mode 100644
index 000000000000..d332de688b15
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md
@@ -0,0 +1,133 @@ +# kubernetes-dashboard + +[Kubernetes Dashboard](https://github.com/kubernetes/dashboard) is a general purpose, web-based UI for Kubernetes clusters. +It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself. + +## TL;DR + +```console +helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/ +helm install kubernetes-dashboard/kubernetes-dashboard --name my-release +``` + +## Introduction + +This chart bootstraps a [Kubernetes Dashboard](https://github.com/kubernetes/dashboard) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm repository add kubernetes-dashboard https://kubernetes.github.io/dashboard/ +helm install kubernetes-dashboard/kubernetes-dashboard --name my-release +``` + +The command deploys kubernetes-dashboard on the Kubernetes cluster in the default configuration. +The [configuration](#configuration) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### Upgrade from 1.x.x to 2.x.x + +Version 2.0.0 is the first version hosted in the kubernetes/dashboard repository. + +- This version upgrades to kubernetes-dashboard v2.0.0 along with changes in RBAC management: all secrets are explicitely created and ServiceAccount do not have permission to create any secret. On top of that, it completely removes the `clusterAdminRole` parameter, being too dangerous. 
In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and uninstall/reinstall the chart. +- It enables by default values for `podAnnotations` and `securityContext`, please disable them if you don't supoprt them +- It removes `enableSkipLogin` and `enableInsecureLogin` parameters. Please use `extraEnv` instead. +- It adds a `ProtocolHttp` parameter, allowing you to switch the backend to plain HTTP and replaces the old `enableSkipLogin` for the network part. +- If `ProtocolHttp` is not set, it will automatically add to the `Ingress`, if enabled, annotations to support HTTPS backends for nginx-ingress and GKE Ingresses. +- It updates all the labels to the new [recommended labels](https://github.com/helm/charts/blob/master/REVIEW_GUIDELINES.md#names-and-labels), most of them being immutable. + +In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and adapt `enableSkipLogin`, `enableInsecureLogin`, `podAnnotations` and `securityContext` parameters, and uninstall/reinstall the chart. + +## Access control + +It is critical for the Kubernetes cluster to correctly setup access control of Kubernetes Dashboard. +See this [guide](https://github.com/kubernetes/dashboard/wiki/Access-control) for best practises. + +It is highly recommended to use RBAC with minimal privileges needed for Dashboard to run. + +## Configuration + +The following table lists the configurable parameters of the kubernetes-dashboard chart and their default values. 
+ +Parameter | Description | Default +------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------ +`image.repository` | Repository for container image | `kubernetesui/dashboard` +`image.tag` | Image tag | `v2.0.0` +`image.pullPolicy` | Image pull policy | `IfNotPresent` +`image.pullSecrets` | Image pull secrets | `[]` +`annotations` | Annotations for deployment | `{}` +`replicaCount` | Number of replicas | `1` +`extraArgs` | Additional container arguments | `[]` +`extraEnv` | Additional container environment variables | `[]` +`podAnnotations` | Annotations to be added to pods | `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'}` +`nodeSelector` | node labels for pod assignment | `{}` +`tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` +`affinity` | Affinity for pod assignment | `[]` +`priorityClassName` | Name of Priority Class to assign pods | `nil` +`service.externalPort` | Dashboard external port | `443` +`service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `nil` +`ingress.labels` | Add custom labels | `[]` +`ingress.annotations` | Specify ingress class | `kubernetes.io/ingress.class: nginx` +`ingress.enabled` | Enable ingress controller resource | `false` +`ingress.paths` | Paths to match against incoming requests. Both `/` and `/*` are required to work on gce ingress. | `[/]` +`ingress.hosts` | Dashboard Hostnames | `nil` +`ingress.tls` | Ingress TLS configuration | `[]` +`resources` | Pod resource requests & limits | `limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi}` +`rbac.create` | Create & use RBAC resources | `true` +`rbac.clusterRoleMetrics` | If set, an additional cluster role / role binding will be created to access metrics. 
| `true` +`rbac.clusterReadOnlyRole` | If set, an additional cluster role / role binding will be created with read only permissions to all resources listed inside.| `false` +`serviceAccount.create` | Whether a new service account name that the agent will use should be created. | `true` +`serviceAccount.name` | Service account to be used. If not set and serviceAccount.create is `true` a name is generated using the fullname template. | +`livenessProbe.initialDelaySeconds` | Number of seconds to wait before sending first probe | `30` +`livenessProbe.timeoutSeconds` | Number of seconds to wait for probe response | `30` +`podDisruptionBudget.enabled` | Create a PodDisruptionBudget | `false` +`podDisruptionBudget.minAvailable` | Minimum available instances; ignored if there is no PodDisruptionBudget | +`podDisruptionBudget.maxUnavailable`| Maximum unavailable instances; ignored if there is no PodDisruptionBudget | +`securityContext` | PodSecurityContext for pod level securityContext | `{}` +`dashboardContainerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` +`networkPolicy` | Whether to create a network policy that allows access to the service | `false` +`protocolHttp` | Serve application over HTTP without TLS | `false` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install kubernetes-dashboard/kubernetes-dashboard --name my-release \ + --set=service.externalPort=8080,resources.limits.cpu=200m +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. 
For example, + +```console +helm install kubernetes-dashboard/kubernetes-dashboard --name my-release -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml), which is used by default, as reference + +## Using the dashboard with 'kubectl proxy' + +When running 'kubectl proxy', the address `localhost:8001/ui` automatically expands to: + +- `http://localhost:8001/api/v1/namespaces/my-namespace/services/https:kubernetes-dashboard:https/proxy/` + +For this to reach the dashboard, the name of the service must be 'kubernetes-dashboard', not any other value as set by Helm. +You can manually specify this using the value 'fullnameOverride': + +``` +fullnameOverride: 'kubernetes-dashboard' +``` diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/ci/default-values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/ci/default-values.yaml new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/ci/ingress-values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/ci/ingress-values.yaml new file mode 100644 index 000000000000..f6ccc628a900 --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/ci/ingress-values.yaml @@ -0,0 +1,2 @@ +ingress: + enabled: true diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/ci/network-policy-values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/ci/network-policy-values.yaml new file mode 100644 index 000000000000..12e4a94ac8e1 --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/ci/network-policy-values.yaml @@ -0,0 +1,2 @@ +networkPolicy: + enabled: true diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/ci/pdb-values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/ci/pdb-values.yaml new file mode 100644 index 000000000000..cf6d1f5d2a59 --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/ci/pdb-values.yaml @@ -0,0 +1,2 @@ +podDisruptionBudget: + enabled: true 
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/ci/rbac-cluster-readonly-role-values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/ci/rbac-cluster-readonly-role-values.yaml
new file mode 100644
index 000000000000..fccc51cb40bc
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/ci/rbac-cluster-readonly-role-values.yaml
@@ -0,0 +1,2 @@
+rbac:
+ clusterReadOnlyRole: true
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/NOTES.txt b/aio/deploy/helm-chart/kubernetes-dashboard/templates/NOTES.txt
new file mode 100644
index 000000000000..d4c7eaa59f24
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/NOTES.txt
@@ -0,0 +1,49 @@
+*********************************************************************************
+*** PLEASE BE PATIENT: kubernetes-dashboard may take a few minutes to install ***
+*********************************************************************************
+
+{{- if .Values.ingress.enabled }}
+From outside the cluster, the server URL(s) are:
+{{- range .Values.ingress.hosts }}
+{{- if $.Values.protocolHttp }}
+ http://{{ . }}
+{{- else }}
+ https://{{ . }}
+{{- end }}
+{{- end }}
+
+{{- else if contains "NodePort" .Values.service.type }}
+
+Get the Kubernetes Dashboard URL by running:
+ export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "kubernetes-dashboard.fullname" . }})
+ export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
+{{- if .Values.protocolHttp }}
+ echo http://$NODE_IP:$NODE_PORT/
+{{- else }}
+ echo https://$NODE_IP:$NODE_PORT/
+{{- end }}
+
+{{- else if contains "LoadBalancer" .Values.service.type }}
+
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status with: 'kubectl get svc -n {{ .Release.Namespace }} -w {{ template "kubernetes-dashboard.fullname" . }}'
+
+Get the Kubernetes Dashboard URL by running:
+ export SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ template "kubernetes-dashboard.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+{{- if .Values.protocolHttp }}
+ echo http://$SERVICE_IP/
+{{- else }}
+ echo https://$SERVICE_IP/
+{{- end }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+
+Get the Kubernetes Dashboard URL by running:
+ export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kubernetes-dashboard.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+{{- if .Values.protocolHttp }}
+ echo http://127.0.0.1:9090/
+ kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 9090:9090
+{{- else }}
+ echo https://127.0.0.1:8443/
+ kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8443:8443
+{{- end }}
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/_helpers.tpl b/aio/deploy/helm-chart/kubernetes-dashboard/templates/_helpers.tpl
new file mode 100644
index 000000000000..f52a3029488a
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/_helpers.tpl
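Review bot: The LoadBalancer branch reads only `{.status.loadBalancer.ingress[0].ip}`, so on providers that publish a hostname rather than an address (AWS ELBs do, as far as I know) `SERVICE_IP` is empty and the printed URL is `https:///`. A jsonpath that falls back to the hostname covers both: `-o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'`. Also, the NodePort and LoadBalancer branches print plain `http://` URLs when `protocolHttp` is set, and nothing in the output says that the login bearer token then crosses the network unencrypted; a one-line warning in those two branches, e.g. `NOTE: protocolHttp is enabled - credentials sent to this URL are not encrypted in transit`, would make the trade-off visible at install time.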
@@ -0,0 +1,78 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubernetes-dashboard.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubernetes-dashboard.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubernetes-dashboard.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubernetes-dashboard.labels" -}}
+app.kubernetes.io/name: {{ include "kubernetes-dashboard.name" . }}
+helm.sh/chart: {{ include "kubernetes-dashboard.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Common label selectors
+*/}}
+{{- define "kubernetes-dashboard.matchLabels" -}}
+app.kubernetes.io/name: {{ include "kubernetes-dashboard.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Name of the service account to use
+*/}}
+{{- define "kubernetes-dashboard.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "kubernetes-dashboard.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml
new file mode 100644
index 000000000000..5ba5558328df
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml
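Review bot: `kubernetes-dashboard.serviceAccountName` silently resolves to the namespace's `default` ServiceAccount when `serviceAccount.create` is false and `serviceAccount.name` is unset, and the chart's bindings are rendered from this helper — with `rbac.clusterReadOnlyRole` on, that is a cluster-wide read ClusterRoleBinding attached to the SA that every pod without an explicit `serviceAccountName` in the namespace runs as. Failing the render is safer than widening privileges by omission: replace the else branch with `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. If the `default` fallback is intentional, a comment above that branch such as `{{/* NOTE: falling back to the namespace default SA shares the dashboard's RBAC with every pod using it */}}` would at least make the trade-off visible to operators.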
@@ -0,0 +1,27 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.rbac.clusterRoleMetrics -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "{{ template "kubernetes-dashboard.fullname" . }}"
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+rules:
+ # Allow Metrics Scraper to get metrics from the Metrics server
+ - apiGroups: ["metrics.k8s.io"]
+ resources: ["pods", "nodes"]
+ verbs: ["get", "list", "watch"]
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-readonly.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-readonly.yaml
new file mode 100755
index 000000000000..059e04613c90
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-readonly.yaml
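Review bot: The rule comment says it lets the "Metrics Scraper" read `metrics.k8s.io`, but this patch ships no scraper (nothing of that name appears in the diffstat) and the companion ClusterRoleBinding grants the role to a ServiceAccount in the dashboard's namespace, so the comment misdescribes who actually receives the permission. Suggest `# Allow the dashboard's ServiceAccount to read pod and node metrics from the Metrics Server (metrics.k8s.io)`. Whether the dashboard consumes these directly or a separately deployed scraper is expected to run under the same SA, I can't tell from this patch.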
@@ -0,0 +1,146 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.rbac.clusterReadOnlyRole -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "{{ template "kubernetes-dashboard.fullname" . }}-readonly"
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - persistentvolumeclaims
+ - pods
+ - replicationcontrollers
+ - replicationcontrollers/scale
+ - serviceaccounts
+ - services
+ - nodes
+ - persistentvolumeclaims
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - namespaces/status
+ - pods/log
+ - pods/status
+ - replicationcontrollers/status
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/scale
+ - replicasets
+ - replicasets/scale
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/scale
+ - ingresses
+ - networkpolicies
+ - replicasets
+ - replicasets/scale
+ - replicationcontrollers/scale
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ - volumeattachments
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml
new file mode 100644
index 000000000000..8ac8a39e6487
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml
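Review bot: The "read-only" ClusterRole grants cluster-wide `get`/`list`/`watch` on `pods/log` (second rule) and `configmaps` (first rule), which are the two places credentials most often leak into, so enabling `rbac.clusterReadOnlyRole` exposes more than the README's "read only permissions" wording suggests. Either drop those two resources from the cluster-wide role or document the exposure next to the value, e.g. `# NOTE: includes cluster-wide read of pods/log and configmaps, both of which commonly carry secrets - review before enabling`. The first rule also lists `persistentvolumeclaims` twice, which is harmless but worth removing, and `bindings` in the second rule only supports `create` on the API server as far as I can tell, so the read verbs on it are a no-op.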
@@ -0,0 +1,30 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.rbac.clusterRoleMetrics -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: "{{ template "kubernetes-dashboard.fullname" . }}"
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml
new file mode 100644
index 000000000000..c52647a339ae
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml
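Review bot: The subject of the metrics ClusterRoleBinding is hard-coded as `name: kubernetes-dashboard`, whereas the read-only binding in this same patch uses `{{ template "kubernetes-dashboard.serviceAccountName" . }}`. With the fullname helper's default naming (a release called `my-release` yields `my-release-kubernetes-dashboard`) or any custom `serviceAccount.name`, the grant lands on a ServiceAccount the chart never creates, so the dashboard gets no metrics access — and if an unrelated SA named `kubernetes-dashboard` happens to exist in the namespace, it silently receives cluster-wide metrics read. Use the helper here as well: `name: {{ template "kubernetes-dashboard.serviceAccountName" . }}`.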
@@ -0,0 +1,30 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.rbac.clusterReadOnlyRole -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}-readonly
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kubernetes-dashboard.fullname" . }}-readonly
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml
new file mode 100644
index 000000000000..9f40125b4210
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml
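Review bot: This cluster-wide ClusterRoleBinding is rendered whenever `rbac.clusterReadOnlyRole` is true without consulting `rbac.create`, which the README in this patch documents as the switch for creating RBAC resources; the metrics ClusterRole/ClusterRoleBinding pair has the same gate. An operator who sets `rbac.create=false` to manage bindings themselves therefore still gets a chart-managed binding with cluster scope. Gate on both, `{{ if and .Values.rbac.create .Values.rbac.clusterReadOnlyRole -}}`, and mirror that in the matching ClusterRole and the metrics templates. `role.yaml` and `rolebinding.yaml` are outside this chunk, so I can't confirm whether they honour `rbac.create`.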
@@ -0,0 +1,131 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+{{- if .Values.labels }}
+{{ toYaml .Values.labels | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ type: RollingUpdate
+ selector:
+ matchLabels:
+{{ include "kubernetes-dashboard.matchLabels" . | indent 6 }}
+ template:
+ metadata:
+{{- with .Values.podAnnotations }}
+ annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 8 }}
+ spec:
+ {{- if .Values.securityContext }}
+ securityContext:
+{{ toYaml .Values.securityContext | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --namespace={{ .Release.Namespace }}
+{{- if not .Values.protocolHttp }}
+ - --auto-generate-certificates
+{{- end }}
+{{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 10 }}
+{{- end }}
+{{- with .Values.extraEnv }}
+ env:
+{{ toYaml . | indent 10 }}
+{{- end }}
+ ports:
+{{- if .Values.protocolHttp }}
+ - name: http
+ containerPort: 9090
+ protocol: TCP
+{{- else }}
+ - name: https
+ containerPort: 8443
+ protocol: TCP
+{{- end }}
+ volumeMounts:
+ - name: kubernetes-dashboard-certs
+ mountPath: /certs
+ # Create on-disk volume to store exec logs
+ - mountPath: /tmp
+ name: tmp-volume
+ livenessProbe:
+ httpGet:
+{{- if .Values.protocolHttp }}
+ scheme: HTTP
+ path: /
+ port: 9090
+{{- else }}
+ scheme: HTTPS
+ path: /
+ port: 8443
+{{- end }}
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+{{- if .Values.dashboardContainerSecurityContext }}
+ securityContext:
+{{ toYaml .Values.dashboardContainerSecurityContext | indent 10 }}
+{{- end }}
+{{- with .Values.resources }}
+ resources:
+{{ toYaml . | indent 10 }}
+{{- end }}
+{{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+{{- range . }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.priorityClassName }}
+ priorityClassName: "{{ . }}"
+{{- end }}
+ volumes:
+ - name: kubernetes-dashboard-certs
+ secret:
+ secretName: {{ template "kubernetes-dashboard.fullname" . }}-certs
+ - name: tmp-volume
+ emptyDir: {}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/ingress.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/ingress.yaml
new file mode 100644
index 000000000000..cd4fb8ec490f
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/ingress.yaml
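Review bot: The `image:` line renders only `repository:tag`, so there is no way to pin the dashboard to an immutable digest, and with `pullPolicy: IfNotPresent` a node keeps whichever `v2.0.0-rc6` it pulled first; a supply-chain-conscious operator will want a digest option. Suggest `image: "{{ .Values.image.repository }}{{- if .Values.image.digest }}@{{ .Values.image.digest }}{{- else }}:{{ .Values.image.tag }}{{- end }}"` with a commented `digest:` entry under `image` in values.yaml. Separately, the container `securityContext` is emitted only when `dashboardContainerSecurityContext` is non-empty, so a user overriding it with `{}` silently loses all of the defaults' hardening; a one-line comment on that `{{- if` line saying so would help.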
@@ -0,0 +1,67 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.ingress.enabled -}}
+{{- $serviceName := include "kubernetes-dashboard.fullname" . -}}
+{{- $servicePort := .Values.service.externalPort -}}
+{{- $paths := .Values.ingress.paths -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.ingress.labels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+
+ annotations:
+{{- if not .Values.protocolHttp }}
+ # Add https backend protocol support for ingress-nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ # Add https backend protocol support for GKE
+ service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}'
+{{- end }}
+{{- with .Values.ingress.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ rules:
+ {{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ {{- range $p := $paths }}
+ - path: {{ $p }}
+ backend:
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- end -}}
+ {{- else }}
+ - http:
+ paths:
+ {{- range $p := $paths }}
+ - path: {{ $p }}
+ backend:
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/networkpolicy.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/networkpolicy.yaml
new file mode 100755
index 000000000000..a550bd2eb202
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/networkpolicy.yaml
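Review bot: When `ingress.hosts` is empty the `{{- else }}` branch emits a rule with no `host:`, so enabling the ingress without hosts publishes the dashboard login page on every hostname the ingress controller answers for, which contradicts the "Must be provided if Ingress is enabled" comment in values.yaml. Suggest failing the render instead, next to the other variable definitions: `{{- $hosts := required "ingress.hosts must be set when ingress.enabled is true" .Values.ingress.hosts -}}`, or at minimum a comment on the `{{- else }}` line stating that a catch-all rule is produced. `tls` is also optional, so the edge can be plain HTTP even though the backend is HTTPS; worth a comment above `{{- if .Values.ingress.tls }}`.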
@@ -0,0 +1,38 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+ labels:
+ app: {{ template "kubernetes-dashboard.name" . }}
+ chart: {{ template "kubernetes-dashboard.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ podSelector:
+ matchLabels:
+{{ include "kubernetes-dashboard.matchLabels" . | indent 6 }}
+ ingress:
+ - ports:
+{{- if .Values.protocolHttp }}
+ - port: http
+ protocol: TCP
+{{- else }}
+ - port: https
+ protocol: TCP
+{{- end -}}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/pdb.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/pdb.yaml
new file mode 100644
index 000000000000..c044658baea8
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/pdb.yaml
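Review bot: The single ingress rule under `ingress:` lists `ports` but no `from`, so once `networkPolicy.enabled` is set the policy still admits the dashboard port from every pod in every namespace; it narrows ports, not sources, and with `policyTypes` omitted egress stays wide open. Suggest making the peers configurable: replace `- ports:` with `- from:` followed by `{{ toYaml .Values.networkPolicy.ingressFrom | indent 8 }}` and then `ports:` at the same depth, with `ingressFrom` documented in values.yaml (which as shown exposes only `networkPolicy.enabled`). Until then a comment on `- ports:` such as `# No 'from' selector: restricts ports only, not sources` would stop readers assuming the dashboard is fenced off.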
@@ -0,0 +1,32 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+{{ include "kubernetes-dashboard.matchLabels" . | indent 6 }}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/role.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/role.yaml
new file mode 100644
index 000000000000..ef9a84a73184
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/role.yaml
@@ -0,0 +1,42 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+rules:
+ # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics.
+ - apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster", "dashboard-metrics-scraper"]
+ verbs: ["proxy"]
+ - apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+ verbs: ["get"]
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/rolebinding.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/rolebinding.yaml
new file mode 100755
index 000000000000..01fb7638a5b6
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/rolebinding.yaml
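Review bot: The secrets rule hardcodes `kubernetes-dashboard-certs` in `resourceNames`, but secret.yaml creates and deployment.yaml mounts `{{ template "kubernetes-dashboard.fullname" . }}-certs`, so with any release name other than `kubernetes-dashboard` the Role does not cover the certs Secret the pod actually uses; the `update`/`delete` verbs suggest the dashboard writes to it, in which case `--auto-generate-certificates` would presumably fail with a 403 on such a release — worth verifying. Suggest `resourceNames: ["kubernetes-dashboard-key-holder", "{{ template "kubernetes-dashboard.fullname" . }}-certs", "kubernetes-dashboard-csrf"]`. The `services/proxy` rule also grants `heapster` targets unconditionally; a comment noting that these are kept for legacy metrics would explain why they are present when no heapster is installed.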
@@ -0,0 +1,30 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml
new file mode 100644
index 000000000000..18ec60ee80af
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml
@@ -0,0 +1,41 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# kubernetes-dashboard-certs
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ name: {{ template "kubernetes-dashboard.fullname" . }}-certs
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+---
+# kubernetes-dashboard-csrf
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ name: kubernetes-dashboard-csrf
+type: Opaque
+---
+# kubernetes-dashboard-key-holder
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ name: kubernetes-dashboard-key-holder
+type: Opaque
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml
new file mode 100644
index 000000000000..09d13655c872
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml
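Review bot: The `kubernetes-dashboard-csrf` and `kubernetes-dashboard-key-holder` Secrets are rendered with no `data`, yet role.yaml grants the dashboard `update` on them, which suggests they hold key material the dashboard generates at runtime; depending on how Helm merges on `helm upgrade`, re-applying these empty manifests may wipe that data and invalidate every active session and CSRF token, so this deserves an upgrade test and a comment. The three Secrets are also inconsistent: only `-certs` carries an explicit `namespace:` and a templated name, while the other two are fixed names that would collide for a second release in the same namespace. If the dashboard requires those fixed names, a comment saying so (`# Name is fixed by the dashboard; only one release per namespace is supported`) would prevent someone "fixing" it.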
@@ -0,0 +1,23 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml
new file mode 100644
index 000000000000..c0b72d864e23
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml
@@ -0,0 +1,48 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kubernetes-dashboard.fullname" . }}
+ labels:
+{{ include "kubernetes-dashboard.labels" . | indent 4 }}
+ kubernetes.io/cluster-service: "true"
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.service.annotations }}
+ annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+{{- if .Values.protocolHttp }}
+ targetPort: http
+ name: http
+{{- else }}
+ targetPort: https
+ name: https
+{{- end }}
+{{- if hasKey .Values.service "nodePort" }}
+ nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+{{- if .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+ selector:
+{{ include "kubernetes-dashboard.matchLabels" . | indent 4 }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
new file mode 100644
index 000000000000..8a95f8192e6c
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
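Review bot: The unconditional `kubernetes.io/cluster-service: "true"` label on the Service is not cosmetic: on clusters running the addon manager it marks the object as addon-managed, which can cause it to be reconciled or pruned outside Helm's control (behaviour depends on the addon manager's mode), and it surfaces the dashboard in `kubectl cluster-info`. Suggest dropping that line and letting users opt in through `service.labels`, or documenting the effect above it. Since `service.type` is freely settable, a one-line comment in the template that `NodePort`/`LoadBalancer` publishes the login page to the network and should be paired with `loadBalancerSourceRanges` would also help.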
@@ -0,0 +1,191 @@
+# Copyright 2020 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for kubernetes-dashboard
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+image:
+ repository: kubernetesui/dashboard
+ tag: v2.0.0-rc6
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+replicaCount: 1
+
+## Here annotations can be added to the kubernetes dashboard deployment
+annotations: {}
+## Here labels can be added to the kubernetes dashboard deployment
+labels: {}
+
+## Serve application over HTTP without TLS
+##
+## Note: If set to true, you may want to add --enable-insecure-login to extraArgs
+protocolHttp: false
+
+## Additional container arguments
+##
+# extraArgs:
+# - --enable-skip-login
+# - --enable-insecure-login
+# - --system-banner="Welcome to Kubernetes"
+
+## Additional container environment variables
+##
+extraEnv: []
+# - name: SOME_VAR
+# value: 'some value'
+
+# Annotations to be added to kubernetes dashboard pods
+podAnnotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+# - key: "key"
+# operator: "Equal|Exists"
+# value: "value"
+# effect: "NoSchedule|PreferNoSchedule|NoExecute"
+
+## Affinity
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+# priorityClassName: ""
+
+service:
+ type: ClusterIP
+ externalPort: 443
+
+ # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
+ # set allowed inbound rules on the security group assigned to the master load balancer
+ # loadBalancerSourceRanges: []
+
+ ## Additional Kubernetes Dashboard Service annotations
+ annotations: {}
+
+ ## Here labels can be added to the Kubernetes Dashboard service
+ labels: {}
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ limits:
+ cpu: 2
+ memory: 200Mi
+
+ingress:
+ ## If true, Kubernetes Dashboard Ingress will be created.
+ ##
+ enabled: false
+
+ ## Kubernetes Dashboard Ingress annotations
+ ##
+ ## Add custom labels
+ # labels:
+ # key: value
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: 'true'
+ ## If you plan to use TLS backend with enableInsecureLogin set to false
+ ## (default), you need to uncomment the below.
+ ## If you use ingress-nginx < 0.21.0
+ # nginx.ingress.kubernetes.io/secure-backends: "true"
+ ## if you use ingress-nginx >= 0.21.0
+ # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+
+
+ ## Kubernetes Dashboard Ingress paths
+ ##
+ paths:
+ - /
+ # - /*
+
+ ## Kubernetes Dashboard Ingress hostnames
+ ## Must be provided if Ingress is enabled
+ ##
+ # hosts:
+ # - kubernetes-dashboard.domain.com
+
+ ## Kubernetes Dashboard Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ # tls:
+ # - secretName: kubernetes-dashboard-tls
+ # hosts:
+ # - kubernetes-dashboard.domain.com
+
+rbac:
+ # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created
+ create: true
+
+ # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created
+ # Independent from rbac.create parameter.
+ clusterRoleMetrics: true
+
+ # Start in ReadOnly mode.
+ # Only dashboard-related Secrets and ConfigMaps will still be available for writing.
+ #
+ # The basic idea of the clusterReadOnlyRole
+ # is not to hide all the secrets and sensitive data but more
+ # to avoid accidental changes in the cluster outside the standard CI/CD.
+ #
+ # It is NOT RECOMMENDED to use this version in production.
+ # Instead you should review the role and remove all potentially sensitive parts such as
+ # access to persistentvolumes, pods/log etc.
+ #
+ # Independent from rbac.create parameter.
+ clusterReadOnlyRole: false
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+livenessProbe:
+ # Number of seconds to wait before sending first probe
+ initialDelaySeconds: 30
+ # Number of seconds to wait for probe response
+ timeoutSeconds: 30
+
+## podDisruptionBudget
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+podDisruptionBudget:
+ enabled: false
+ minAvailable:
+ maxUnavailable:
+
+## PodSecurityContext for pod level securityContext
+# securityContext:
+# runAsUser: 1001
+# runAsGroup: 2001
+
+## SecurityContext for the kubernetes dashboard container
+dashboardContainerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
+
+networkPolicy:
+ enabled: false
diff --git a/license-checker-config.json b/license-checker-config.json
index 6526f2a812d3..79da2cfd129f 100644
--- a/license-checker-config.json
+++ b/license-checker-config.json
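Review bot: `dashboardContainerSecurityContext` sets a non-root UID but omits `runAsNonRoot: true` and `capabilities: drop: ["ALL"]`, so the kubelet never enforces the non-root requirement against the image and the container keeps the runtime's default capability set; suggest adding `runAsNonRoot: true` / `capabilities:` / `drop: ["ALL"]` under it (and the pod-level `securityContext` example could show the same). The `extraArgs` example lists `--enable-skip-login` and `--enable-insecure-login` without any caveat; a comment such as `# --enable-skip-login lets anyone who reaches the UI act with the dashboard service account's permissions; --enable-insecure-login allows token login over plain HTTP` would keep users from copying them blindly. The default `image.tag` is a release candidate (`v2.0.0-rc6`), which is fine for a new chart but worth calling out in the comment above `image:`.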
@@ -3,7 +3,7 @@ "*", "docs", "i18n", ".cached_tools", ".git", ".github", ".tmp", "coverage", "cypress", "aio/test-resources",
- "**/*.json", "**/*.svg", "**/*.txt"
+ "**/*.json", "**/*.yaml", "**/*.svg", "**/*.txt", "**/*.md", "**/OWNERS", "**/.helmignore"
 ], "license": "aio/scripts/license-header.txt", "defaultFormat": { From 2c13be10d338c361fa16b10be92a7f45128885d4 Mon Sep 17 00:00:00 2001 From: David Alger Date: Thu, 2 Jan 2020 15:01:18 -0600 Subject: [PATCH 02/20] Added dashboard-metrics-scraper support to chart per recommended deployment This amends work done on kubernetes/dashboard#4502 per request from bskim45 and as needed to support my own needs. Functionality works with a simple deployment of the metrics-server (successor to heapster): helm install metrics-server -n kube-system stable/metrics-server --- .../templates/metrics-scraper/_helpers.tpl | 35 +++++++ .../templates/metrics-scraper/deployment.yaml | 95 +++++++++++++++++++ .../templates/metrics-scraper/service.yaml | 31 ++++++ .../kubernetes-dashboard/values.yaml | 22 +++++ 4 files changed, 183 insertions(+) create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl
new file mode 100644
index 000000000000..9964877318dd
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl
@@ -0,0 +1,35 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Common labels
+*/}}
+{{- define "dashboard-metrics-scraper.labels" -}}
+app.kubernetes.io/name: {{ .Values.metricsScraper.name }}
+helm.sh/chart: {{ include "kubernetes-dashboard.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Common label selectors
+*/}}
+{{- define "dashboard-metrics-scraper.matchLabels" -}}
+app.kubernetes.io/name: {{ .Values.metricsScraper.name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml
new file mode 100644
index 000000000000..8271a0105c7d
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml
@@ -0,0 +1,95 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.metricsScraper.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.metricsScraper.name }}
+{{- with .Values.metricsScraper.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+{{ include "dashboard-metrics-scraper.labels" . | indent 4 }}
+{{- if .Values.metricsScraper.labels }}
+{{ toYaml .Values.metricsScraper.labels | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{ .Values.metricsScraper.replicaCount }}
+ revisionHistoryLimit: {{ .Values.metricsScraper.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+{{ include "dashboard-metrics-scraper.matchLabels" . | indent 6 }}
+ template:
+ metadata:
+{{- with .Values.metricsScraper.podAnnotations }}
+ annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ labels:
+{{ include "dashboard-metrics-scraper.labels" . | indent 8 }}
+ spec:
+ {{- if .Values.securityContext }}
+ securityContext:
+{{ toYaml .Values.securityContext | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }}
+ containers:
+ - name: {{ .Values.metricsScraper.name }}
+ image: "{{ .Values.metricsScraper.image.repository }}:{{ .Values.metricsScraper.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - containerPort: 8000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: 8000
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-volume
+{{- if .Values.metricsScraperContainerSecurityContext }}
+ securityContext:
+{{ toYaml .Values.metricsScraperContainerSecurityContext | indent 10 }}
+{{- end }}
+{{- with .Values.metricsScraper.resources }}
+ resources:
+{{ toYaml . | indent 10 }}
+{{- end }}
+{{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+{{- range . }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ volumes:
+ - name: tmp-volume
+ emptyDir: {}
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml
new file mode 100644
index 000000000000..98c366bde68b
--- /dev/null
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml
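Review bot: The scraper pod runs under the dashboard's service account (the `serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }}` line), so a component that presumably only needs to read metrics inherits everything the dashboard SA can do, including the secrets `update`/`delete` from role.yaml and, when enabled, the cluster-wide read-only role; a compromise of the scraper's unauthenticated HTTP endpoint then yields dashboard-level API credentials. A dedicated service account bound only to the metrics ClusterRole would keep it least-privilege, e.g. a `metricsScraper.serviceAccountName` value rendered here with a matching ServiceAccount and binding. Minor: `imagePullPolicy` reads `.Values.image.pullPolicy` (the dashboard's) rather than a scraper-specific value, which is surprising next to the scraper's own `image.repository`/`image.tag`.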
@@ -0,0 +1,31 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.metricsScraper.enabled -}}
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ .Values.metricsScraper.name }}
+ labels:
+{{ include "dashboard-metrics-scraper.labels" . | indent 4 }}
+{{- if .Values.metricsScraper.labels }}
+{{ toYaml .Values.metricsScraper.labels | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - port: 8000
+ targetPort: 8000
+ selector:
+{{ include "dashboard-metrics-scraper.matchLabels" . | indent 4 }}
+{{- end }}
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
index 8a95f8192e6c..10359810ce53 100644
--- a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
@@ -92,6 +92,21 @@ resources: cpu: 2 memory: 200Mi
+metricsScraper:
+ enabled: true
+ name: dashboard-metrics-scraper
+ annotations: {}
+ labels: {}
+ revisionHistoryLimit: 10
+ podAnnotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+ image:
+ repository: kubernetesui/metrics-scraper
+ tag: v1.0.1
+ resources:
+ requests: {}
+ limits: {}
+ ingress: ## If true, Kubernetes Dashboard Ingress will be created. ##
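Review bot: This Service publishes the scraper's plain-HTTP port 8000 to every pod in the cluster, and networkpolicy.yaml selects only the dashboard pods via `kubernetes-dashboard.matchLabels`, so enabling `networkPolicy` does nothing for the scraper; anything that can reach the ClusterIP can read node and pod metrics with no authentication. Suggest either a second NetworkPolicy selecting `dashboard-metrics-scraper.matchLabels` with `from` restricted to the dashboard pod selector, or a comment above `spec:` stating that the endpoint is unauthenticated and relies on the dashboard being the only client. Fixing `port: 8000` with no `metricsScraper.service.port` value is also worth noting in values.yaml if it is intentional.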
@@ -187,5 +202,12 @@ dashboardContainerSecurityContext: runAsUser: 1001 runAsGroup: 2001 +## SecurityContext for the dashboard metrics scraper container +metricsScraperContainerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + networkPolicy: enabled: false From 902f6a9d24167e0aada3de18bb9bd6bbe075c791 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 23 Mar 2020 11:25:03 +0100 Subject: [PATCH 03/20] Update aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml Co-Authored-By: Denys Havrysh --- .../templates/clusterrolebinding-metrics.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml index 8ac8a39e6487..88463ec5bb73 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml @@ -25,6 +25,6 @@ roleRef: name: {{ template "kubernetes-dashboard.fullname" . }} subjects: - kind: ServiceAccount - name: kubernetes-dashboard + name: {{ template "kubernetes-dashboard.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} From 8f0912bbfe227022a843e63f4e7be13be6bb6826 Mon Sep 17 00:00:00 2001 
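Review bot: The new `metricsScraperContainerSecurityContext` default (mirroring the existing `dashboardContainerSecurityContext`) fixes a non-root UID but neither asserts `runAsNonRoot` nor drops capabilities, so a user who overrides `runAsUser` to 0 silently gets a root container with the default capability set. Adding `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}` to the default makes the kubelet reject a root UID and removes capabilities the scraper has no visible need for (worth confirming against the image before changing the default). The README row for this value in the later hunk would need to be updated to match.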
From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 23 Mar 2020 22:07:16 +0100 Subject: [PATCH 04/20] Helm chart: add metrics-server subchart and make dashboard-metrics-scraper a sidecar container. Also document more values and add release script. --- .../helm-chart/kubernetes-dashboard/README.md | 19 ++-- .../ci/metrics-scraper-values.yaml | 8 ++ .../kubernetes-dashboard/requirements.lock | 6 ++ .../kubernetes-dashboard/requirements.yaml | 5 + .../templates/clusterrole-metrics.yaml | 2 +- .../templates/clusterrolebinding-metrics.yaml | 4 +- .../templates/deployment.yaml | 44 +++++++-- .../templates/metrics-scraper/_helpers.tpl | 35 ------- .../templates/metrics-scraper/deployment.yaml | 95 ------------------- .../templates/metrics-scraper/service.yaml | 31 ------ .../templates/{svc.yaml => service.yaml} | 2 + .../kubernetes-dashboard/values.yaml | 65 +++++++------ aio/scripts/release-helm-chart.sh | 54 +++++++++++ 13 files changed, 166 insertions(+), 204 deletions(-) create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/ci/metrics-scraper-values.yaml create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock create mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml delete mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl delete mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml delete mode 100644 aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml rename aio/deploy/helm-chart/kubernetes-dashboard/templates/{svc.yaml => service.yaml} (93%) create mode 100755 aio/scripts/release-helm-chart.sh diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index d332de688b15..bb25874d4578 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md 
@@ -71,24 +71,29 @@ Parameter | Description `image.tag` | Image tag | `v2.0.0` `image.pullPolicy` | Image pull policy | `IfNotPresent` `image.pullSecrets` | Image pull secrets | `[]` -`annotations` | Annotations for deployment | `{}` `replicaCount` | Number of replicas | `1` +`annotations` | Annotations for deployment | `{}` +`labels` | Labels for deployment | `{}` `extraArgs` | Additional container arguments | `[]` `extraEnv` | Additional container environment variables | `[]` `podAnnotations` | Annotations to be added to pods | `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'}` `nodeSelector` | node labels for pod assignment | `{}` `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` -`affinity` | Affinity for pod assignment | `[]` +`affinity` | Affinity for pod assignment | `[]` `priorityClassName` | Name of Priority Class to assign pods | `nil` +`resources` | Pod resource requests & limits | `limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi}` +`protocolHttp` | Serve application over HTTP without TLS | `false` +`service.type` | Service type | `ClusterIP` `service.externalPort` | Dashboard external port | `443` `service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `nil` -`ingress.labels` | Add custom labels | `[]` `ingress.annotations` | Specify ingress class | `kubernetes.io/ingress.class: nginx` +`ingress.labels` | Add custom labels | `[]` `ingress.enabled` | Enable ingress controller resource | `false` `ingress.paths` | Paths to match against incoming requests. Both `/` and `/*` are required to work on gce ingress. 
| `[/]` `ingress.hosts` | Dashboard Hostnames | `nil` `ingress.tls` | Ingress TLS configuration | `[]` -`resources` | Pod resource requests & limits | `limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi}` +`metricsScraper.enabled` | Wether to enable dashboard-metrics-scraper | `false` +`metrics-server.enabled` | Wether to enable metrics-server | `false` `rbac.create` | Create & use RBAC resources | `true` `rbac.clusterRoleMetrics` | If set, an additional cluster role / role binding will be created to access metrics. | `true` `rbac.clusterReadOnlyRole` | If set, an additional cluster role / role binding will be created with read only permissions to all resources listed inside.| `false` @@ -99,10 +104,12 @@ Parameter | Description `podDisruptionBudget.enabled` | Create a PodDisruptionBudget | `false` `podDisruptionBudget.minAvailable` | Minimum available instances; ignored if there is no PodDisruptionBudget | `podDisruptionBudget.maxUnavailable`| Maximum unavailable instances; ignored if there is no PodDisruptionBudget | -`securityContext` | PodSecurityContext for pod level securityContext | `{}` +`securityContext` | PodSecurityContext for pod level securityContext | `nil` `dashboardContainerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` +`metricsScraperContainerSecurityContext` | SecurityContext for the kubernetes dashboard metrics scraper container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` `networkPolicy` | Whether to create a network policy that allows access to the service | `false` -`protocolHttp` | Serve application over HTTP without TLS | `false` + + Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/ci/metrics-scraper-values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/ci/metrics-scraper-values.yaml new file mode 100644 index 000000000000..abdda1bee989 --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/ci/metrics-scraper-values.yaml @@ -0,0 +1,8 @@ +rbac: + clusterRoleMetrics: true + +metricsScraper: + enabled: true + +metrics-server: + enabled: true diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock new file mode 100644 index 000000000000..d44b4c0402a1 --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: metrics-server + repository: https://kubernetes-charts.storage.googleapis.com/ + version: 2.10.1 +digest: sha256:59c065ae6fe9995972069d7a8693c290c5986e79d522c24967f13d2c6ab3d29d +generated: "2020-03-23T11:28:57.635935+01:00" diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml new file mode 100644 index 000000000000..9c2e65e6cc4a --- /dev/null +++ b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml @@ -0,0 +1,5 @@ +dependencies: + - name: metrics-server + version: 2.x.x + repository: https://kubernetes-charts.storage.googleapis.com/ + condition: metricsServer.enabled diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml index 5ba5558328df..441795f94641 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrole-metrics.yaml 
@@ -16,7 +16,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: "{{ template "kubernetes-dashboard.fullname" . }}" + name: "{{ template "kubernetes-dashboard.fullname" . }}-metrics" labels: {{ include "kubernetes-dashboard.labels" . | indent 4 }} rules: diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml index 88463ec5bb73..d88c8192c990 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml @@ -16,13 +16,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: "{{ template "kubernetes-dashboard.fullname" . }}" + name: "{{ template "kubernetes-dashboard.fullname" . }}-metrics" labels: {{ include "kubernetes-dashboard.labels" . | indent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "kubernetes-dashboard.fullname" . }} + name: {{ template "kubernetes-dashboard.fullname" . }}-metrics subjects: - kind: ServiceAccount name: {{ template "kubernetes-dashboard.serviceAccountName" . }} diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml index 9f40125b4210..6529a0fbb464 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml @@ -22,8 +22,9 @@ metadata: {{- end }} labels: {{ include "kubernetes-dashboard.labels" . | indent 4 }} -{{- if .Values.labels }} -{{ toYaml .Values.labels | indent 4 }} + app.kubernetes.io/component: kubernetes-dashboard +{{- with .Values.labels }} +{{ toYaml . | indent 4 }} {{- end }} spec: replicas: {{ .Values.replicaCount }} 
@@ -35,6 +36,7 @@ spec: selector: matchLabels: {{ include "kubernetes-dashboard.matchLabels" . | indent 6 }} + app.kubernetes.io/component: kubernetes-dashboard template: metadata: {{- with .Values.podAnnotations }} @@ -43,6 +45,7 @@ spec: {{- end }} labels: {{ include "kubernetes-dashboard.labels" . | indent 8 }} + app.kubernetes.io/component: kubernetes-dashboard spec: {{- if .Values.securityContext }} securityContext: @@ -58,8 +61,11 @@ spec: {{- if not .Values.protocolHttp }} - --auto-generate-certificates {{- end }} -{{- if .Values.extraArgs }} -{{ toYaml .Values.extraArgs | indent 10 }} +{{- if .Values.metricsScraper.enabled }} + - --sidecar-host=http://127.0.0.1:8000 +{{- end }} +{{- with .Values.extraArgs }} +{{ toYaml . | indent 10 }} {{- end }} {{- with .Values.extraEnv }} env: 
@@ -94,9 +100,35 @@ spec: {{- end }} initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} -{{- if .Values.dashboardContainerSecurityContext }} +{{- if .Values.metricsScraper.enabled }} + - name: dashboard-metrics-scraper + image: "{{ .Values.metricsScraper.image.repository }}:{{ .Values.metricsScraper.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + volumeMounts: + - mountPath: /tmp + name: tmp-volume +{{- if .Values.metricsScraperContainerSecurityContext }} + securityContext: +{{ toYaml .Values.metricsScraperContainerSecurityContext | indent 10 }} +{{- end }} +{{- with .Values.metricsScraper.resources }} + resources: +{{ toYaml . | indent 10 }} +{{- end }} +{{- end }} +{{- with .Values.dashboardContainerSecurityContext }} securityContext: -{{ toYaml .Values.dashboardContainerSecurityContext | indent 10 }} +{{ toYaml . | indent 10 }} {{- end }} {{- with .Values.resources }} resources: diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl deleted file mode 100644 index 9964877318dd..000000000000 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/_helpers.tpl +++ /dev/null 
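Review bot: The scraper sidecar declares `containerPort: 8000` and the dashboard talks to it over plain HTTP on `127.0.0.1:8000`, but a process listening in the pod's network namespace is also reachable on the pod IP from any other pod unless a NetworkPolicy blocks it, and nothing in this hunk restricts that; as far as visible here the scraper has no authentication of its own. The chart's `networkpolicy.yaml` is outside the diff, so it is worth confirming it only admits the dashboard port and adding a note in values.yaml such as `## Note: the scraper listens on pod port 8000 without authentication; restrict with networkPolicy if needed`. The sidecar also reuses `.Values.image.pullPolicy` instead of a `metricsScraper.image.pullPolicy`, so the two images cannot be configured independently.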
@@ -1,35 +0,0 @@ -# Copyright 2017 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -{{/* vim: set filetype=mustache: */}} -{{/* -Common labels -*/}} -{{- define "dashboard-metrics-scraper.labels" -}} -app.kubernetes.io/name: {{ .Values.metricsScraper.name }} -helm.sh/chart: {{ include "kubernetes-dashboard.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Common label selectors -*/}} -{{- define "dashboard-metrics-scraper.matchLabels" -}} -app.kubernetes.io/name: {{ .Values.metricsScraper.name }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml deleted file mode 100644 index 8271a0105c7d..000000000000 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/deployment.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright 2017 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -{{ if .Values.metricsScraper.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Values.metricsScraper.name }} -{{- with .Values.metricsScraper.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: -{{ include "dashboard-metrics-scraper.labels" . | indent 4 }} -{{- if .Values.metricsScraper.labels }} -{{ toYaml .Values.metricsScraper.labels | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.metricsScraper.replicaCount }} - revisionHistoryLimit: {{ .Values.metricsScraper.revisionHistoryLimit }} - selector: - matchLabels: -{{ include "dashboard-metrics-scraper.matchLabels" . | indent 6 }} - template: - metadata: -{{- with .Values.metricsScraper.podAnnotations }} - annotations: -{{ toYaml . | indent 8 }} -{{- end }} - labels: -{{ include "dashboard-metrics-scraper.labels" . | indent 8 }} - spec: - {{- if .Values.securityContext }} - securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - {{- end }} - serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . 
}} - containers: - - name: {{ .Values.metricsScraper.name }} - image: "{{ .Values.metricsScraper.image.repository }}:{{ .Values.metricsScraper.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - containerPort: 8000 - protocol: TCP - livenessProbe: - httpGet: - scheme: HTTP - path: / - port: 8000 - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - volumeMounts: - - mountPath: /tmp - name: tmp-volume -{{- if .Values.metricsScraperContainerSecurityContext }} - securityContext: -{{ toYaml .Values.metricsScraperContainerSecurityContext | indent 10 }} -{{- end }} -{{- with .Values.metricsScraper.resources }} - resources: -{{ toYaml . | indent 10 }} -{{- end }} -{{- with .Values.image.pullSecrets }} - imagePullSecrets: -{{- range . }} - - name: {{ . }} -{{- end }} -{{- end }} -{{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} -{{- end }} - volumes: - - name: tmp-volume - emptyDir: {} -{{- end }} diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml deleted file mode 100644 index 98c366bde68b..000000000000 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/metrics-scraper/service.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright 2017 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -{{ if .Values.metricsScraper.enabled -}} -kind: Service -apiVersion: v1 -metadata: - name: {{ .Values.metricsScraper.name }} - labels: -{{ include "dashboard-metrics-scraper.labels" . | indent 4 }} -{{- if .Values.metricsScraper.labels }} -{{ toYaml .Values.metricsScraper.labels | indent 4 }} -{{- end }} -spec: - ports: - - port: 8000 - targetPort: 8000 - selector: -{{ include "dashboard-metrics-scraper.matchLabels" . | indent 4 }} -{{- end }} diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/service.yaml similarity index 93% rename from aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml rename to aio/deploy/helm-chart/kubernetes-dashboard/templates/service.yaml index c0b72d864e23..9abefd30178d 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/svc.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/service.yaml @@ -18,6 +18,7 @@ metadata: name: {{ template "kubernetes-dashboard.fullname" . }} labels: {{ include "kubernetes-dashboard.labels" . | indent 4 }} + app.kubernetes.io/component: kubernetes-dashboard kubernetes.io/cluster-service: "true" {{- if .Values.service.labels }} {{ toYaml .Values.service.labels | indent 4 }} 
@@ -46,3 +47,4 @@ spec: {{- end }} selector: {{ include "kubernetes-dashboard.matchLabels" . | indent 4 }} + app.kubernetes.io/component: kubernetes-dashboard diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml index 10359810ce53..25578a6ea42b 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml @@ -30,11 +30,6 @@ annotations: {} ## Here labels can be added to the kubernetes dashboard deployment labels: {} -## Serve application over HTTP without TLS -## -## Note: If set to true, you may want to add --enable-insecure-login to extraArgs -protocolHttp: false - ## Additional container arguments ## # extraArgs: @@ -70,6 +65,19 @@ affinity: {} # priorityClassName: "" +resources: + requests: + cpu: 100m + memory: 200Mi + limits: + cpu: 2 + memory: 200Mi + +## Serve application over HTTP without TLS +## +## Note: If set to true, you may want to add --enable-insecure-login to extraArgs +protocolHttp: false + service: type: ClusterIP externalPort: 443 @@ -84,29 +92,6 @@ service: ## Here labels can be added to the Kubernetes Dashboard service labels: {} -resources: - requests: - cpu: 100m - memory: 200Mi - limits: - cpu: 2 - memory: 200Mi - -metricsScraper: - enabled: true - name: dashboard-metrics-scraper - annotations: {} - labels: {} - revisionHistoryLimit: 10 - podAnnotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' - image: - repository: kubernetesui/metrics-scraper - tag: v1.0.1 - resources: - requests: {} - limits: {} - ingress: ## If true, Kubernetes Dashboard Ingress will be created. ## 
@@ -148,6 +133,30 @@ ingress: # hosts: # - kubernetes-dashboard.domain.com +## Metrics Scraper +## Container to scrape, store, and retrieve a window of time from the Metrics Server. +## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper +metricsScraper: + enabled: false + revisionHistoryLimit: 10 + image: + repository: kubernetesui/metrics-scraper + tag: v1.0.3 + resources: {} + +## Optional Metrics Server sub-chart +## Enable this is you don't already have metrics-server enabled on your cluster and +## want to use it with dashboard metrics-scraper +## refs: +## - https://hub.helm.sh/charts/stable/metrics-server +## - https://github.com/kubernetes-sigs/metrics-server +metrics-server: + enabled: false + ## Example for additional args + # args: + # - --kubelet-preferred-address-types=InternalIP + # - --kubelet-insecure-tls + rbac: # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created create: true diff --git a/aio/scripts/release-helm-chart.sh b/aio/scripts/release-helm-chart.sh new file mode 100755 index 000000000000..b2d3ce8b9942 --- /dev/null +++ b/aio/scripts/release-helm-chart.sh 
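Review bot: The commented `--kubelet-insecure-tls` example under `metrics-server` is shown without any caveat, yet that flag makes metrics-server skip verification of kubelet serving certificates, so a copy-paste user gets an unverified metrics path in production. Add a warning next to the example, e.g. `# WARNING: --kubelet-insecure-tls disables kubelet certificate verification; only use on test clusters (kind/minikube)`. The default `enabled: false` for both `metricsScraper` and `metrics-server` is the right conservative choice and matches the README rows added in this patch.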
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script takes an argument: the tag name ("v1.2.3") to release from.
+
+# Exit on error.
+set -e
+
+# Declare variables.
+UPSTREAM_REPOSITORY_NAME="upstream"
+TAG="$1"
+
+# Import config.
+ROOT_DIR="$(cd $(dirname "${BASH_SOURCE}")/../.. && pwd -P)"
+. "${ROOT_DIR}/aio/scripts/conf.sh"
+
+function release-helm-chart {
+  if [ -z "$TAG" ]; then
+    saye "\nPlease specify tag (like v1.2.3) as first and only argument."
+    exit 1
+  fi
+  if [ -n "$(git status --porcelain)" ]; then
+    saye "\nGit working tree not clean, aborting."
+    exit 1
+  fi
+  say "\nChanging current branch to $TAG."
+  git checkout "$TAG"
+  say "\nGenerating Helm Chart package for new version."
+  helm dependency build "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard"
+  helm package "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard"
+  say "\nSwitching git branch to gh-pages so that we can commit package along the previous versions."
+  git checkout gh-pages
+  say "\nGenerating new Helm index, containing all existing versions in gh-pages (previous ones + new one)."
+  helm repo index .
+  say "\nCommit new package and index."
+  git add -A "./kubernetes-dashboard-*.tgz" ./index.yaml && git commit -m "Update Helm repository from CI."
+  say "\nPush the gh-pages branch (no force)."
+  git push $UPSTREAM_REPOSITORY_NAME gh-pages
+}
+
+# Execute script.
+release-helm-chart
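Review bot: `git checkout "$TAG"` packages and publishes whatever the tag currently points at without verifying it, so a moved or forged tag on the remote becomes a published chart; adding `git verify-tag "$TAG"` before the checkout (assuming release tags are signed, which is not visible here) closes that gap, and `helm package --sign` would let chart consumers verify provenance if a signing key is available. The push should quote the variable for consistency with the rest of the script: `git push "$UPSTREAM_REPOSITORY_NAME" gh-pages`. `set -e` without `-u` also means an `AIO_DIR` that conf.sh (outside this diff) fails to set is silently expanded to an empty string in the `helm` paths; `set -euo pipefail` is the usual hardening for a release script.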
From 39a02dd21a35d8b368179ada7e84e86b5eb6b033 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 23 Mar 2020 22:48:32 +0100 Subject: [PATCH 05/20] Update aio/deploy/helm-chart/kubernetes-dashboard/README.md to fix networkpolicy documentation Co-Authored-By: atoato88 --- aio/deploy/helm-chart/kubernetes-dashboard/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index bb25874d4578..0b3897306830 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md @@ -107,7 +107,7 @@ Parameter | Description `securityContext` | PodSecurityContext for pod level securityContext | `nil` `dashboardContainerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` `metricsScraperContainerSecurityContext` | SecurityContext for the kubernetes dashboard metrics scraper container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` -`networkPolicy` | Whether to create a network policy that allows access to the service | `false` +`networkPolicy.enabled` | Whether to create a network policy that allows access to the service | `false` From 10d4ebfe5233e7acc4851ea3451f0a1cafe5008e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 23 Mar 2020 22:53:25 +0100 Subject: [PATCH 06/20] Update aio/deploy/helm-chart/kubernetes-dashboard/README.md Co-Authored-By: Peter Rifel --- aio/deploy/helm-chart/kubernetes-dashboard/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index 0b3897306830..6f82f66b7fb2 100644 
--- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md @@ -49,7 +49,7 @@ Version 2.0.0 is the first version hosted in the kubernetes/dashboard repository - It enables by default values for `podAnnotations` and `securityContext`, please disable them if you don't supoprt them - It removes `enableSkipLogin` and `enableInsecureLogin` parameters. Please use `extraEnv` instead. - It adds a `ProtocolHttp` parameter, allowing you to switch the backend to plain HTTP and replaces the old `enableSkipLogin` for the network part. -- If `ProtocolHttp` is not set, it will automatically add to the `Ingress`, if enabled, annotations to support HTTPS backends for nginx-ingress and GKE Ingresses. +- If `protocolHttp` is not set, it will automatically add to the `Ingress`, if enabled, annotations to support HTTPS backends for nginx-ingress and GKE Ingresses. - It updates all the labels to the new [recommended labels](https://github.com/helm/charts/blob/master/REVIEW_GUIDELINES.md#names-and-labels), most of them being immutable. In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and adapt `enableSkipLogin`, `enableInsecureLogin`, `podAnnotations` and `securityContext` parameters, and uninstall/reinstall the chart. From adf4c7f65a00e682bb37ee1a133427de83755786 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 23 Mar 2020 23:30:57 +0100 Subject: [PATCH 07/20] Helm chart: extract travis linting job to its own script. --- .travis.yml | 25 +++-------- aio/scripts/helm-lint.sh | 43 +++++++++++++++++++ ...se-helm-chart.sh => helm-release-chart.sh} | 3 +- license-checker-config.json | 2 +- 4 files changed, 51 insertions(+), 22 deletions(-) create mode 100755 aio/scripts/helm-lint.sh rename aio/scripts/{release-helm-chart.sh => helm-release-chart.sh} (94%) diff --git a/.travis.yml b/.travis.yml index fa8a9ffd7543..55fbed044f1f 100644 --- a/.travis.yml 
+++ b/.travis.yml @@ -64,29 +64,14 @@ jobs: - name: "Helm linting" cache: false install: - - cd aio/deploy/helm-chart/kubernetes-dashboard - - curl -L https://git.io/get_helm.sh | bash && helm init --skip-refresh --client-only + - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash - wget https://github.com/garethr/kubeval/releases/download/0.14.0/kubeval-linux-amd64.tar.gz - - tar xf kubeval-linux-amd64.tar.gz + - mkdir kubeval + - tar xf kubeval-linux-amd64.tar.gz -C kubeval + - export PATH="$PATH:$(pwd)/kubeval" before_script: skip # We don't need Docker nor Go script: - - | - set -e; - for VALUES_FILE in $(ls ci); do - echo "Linting and validating Helm Chart using $VALUES_FILE values file..." - # Simple lint - helm lint --values ci/$VALUES_FILE; - - # Validate all generated manifest against Kubernetes json schema - mkdir helm-output; - helm template --values ci/$VALUES_FILE --output-dir helm-output .; - find helm-output -type f -exec \ - ./kubeval \ - --kubernetes-version 1.16.0 \ - --schema-location https://raw.githubusercontent.com/instrumenta/kubernetes-json-schema/master \ - {} +; - rm -rf helm-output; - done; + - aio/scripts/helm-lint.sh - name: "e2e tests" script: npm run cluster:start && npm run e2e diff --git a/aio/scripts/helm-lint.sh b/aio/scripts/helm-lint.sh new file mode 100755 index 000000000000..f5cc967a7b40 --- /dev/null +++ b/aio/scripts/helm-lint.sh 
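Review bot: The new install step pipes `https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3` straight into `bash`, so the CI toolchain is whatever is on Helm's `master` branch at run time, and the kubeval tarball is fetched without any checksum. Pin the Helm version (the installer accepts a `--version` argument, e.g. `curl -fsSL …/get-helm-3 | bash -s -- --version v3.1.2`) and verify the kubeval archive against its published sha256 with `sha256sum -c` before extracting. This is a lint job with no secrets visible in the hunk, but the same pattern tends to get copied into release jobs.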
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script takes an argument: the tag name ("v1.2.3") to release from.
+
+# Exit on error.
+set -e;
+
+# Import config.
+ROOT_DIR="$(cd $(dirname "${BASH_SOURCE}")/../.. && pwd -P)"
+. "${ROOT_DIR}/aio/scripts/conf.sh"
+
+cd "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard"
+say "\nBuildint Helm Chart dependencies..."
+helm repo add stable https://kubernetes-charts.storage.googleapis.com/
+helm dependency build
+for VALUES_FILE in ci/*; do
+  say "\nLinting and validating Helm Chart using $VALUES_FILE values file..."
+  # Simple lint
+  helm lint --values "$VALUES_FILE";
+
+  # Validate all generated manifest against Kubernetes json schema
+  mkdir helm-output;
+  helm template --values "$VALUES_FILE" --output-dir helm-output .;
+  find helm-output -type f -exec \
+    kubeval \
+    --kubernetes-version 1.16.0 \
+    --schema-location https://raw.githubusercontent.com/instrumenta/kubernetes-json-schema/master \
+    {} +;
+  rm -rf helm-output;
+done;
diff --git a/aio/scripts/release-helm-chart.sh b/aio/scripts/helm-release-chart.sh
similarity index 94%
rename from aio/scripts/release-helm-chart.sh
rename to aio/scripts/helm-release-chart.sh
index b2d3ce8b9942..76827799f63c 100755
--- a/aio/scripts/release-helm-chart.sh
+++ b/aio/scripts/helm-release-chart.sh
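Review bot: The header comment `# This script takes an argument: the tag name ("v1.2.3") to release from.` was copied from the release script and is wrong here — `helm-lint.sh` reads no arguments; replace it with `# Lints the Helm chart and validates the rendered manifests with kubeval for every values file under ci/.` The log string has a typo (`Buildint` → `Building`). The `cd $(dirname "${BASH_SOURCE}")` inside the `ROOT_DIR` assignment is unquoted and word-splits on a path containing spaces; `cd "$(dirname "${BASH_SOURCE[0]}")/../.."` is the safe form. Since `mkdir helm-output` runs under `set -e`, a failing `kubeval` leaves the directory behind and the next local run aborts on `mkdir`; `mkdir -p` plus a `trap 'rm -rf helm-output' EXIT` avoids that.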
@@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2019 The Kubernetes Authors. +# Copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,6 +38,7 @@ function release-helm-chart { say "\nChanging current branch to $TAG." git checkout "$TAG" say "\nGenerating Helm Chart package for new version." + helm repo add stable https://kubernetes-charts.storage.googleapis.com/ helm dependency build "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard" helm package "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard" say "\nSwitching git branch to gh-pages so that we can commit package along the previous versions." diff --git a/license-checker-config.json b/license-checker-config.json index 79da2cfd129f..fec63ff547e3 100644 --- a/license-checker-config.json +++ b/license-checker-config.json @@ -3,7 +3,7 @@ "*", "docs", "i18n", ".cached_tools", ".git", ".github", ".tmp", "coverage", "cypress", "aio/test-resources", - "**/*.json", "**/*.yaml", "**/*.svg", "**/*.txt", "**/*.md", "**/OWNERS", "**/.helmignore" + "**/*.json", "**/*.yaml", "**/*.svg", "**/*.txt", "**/*.md", "**/OWNERS", "**/.helmignore", "**/*.lock" ], "license": "aio/scripts/license-header.txt", "defaultFormat": { From 9df8c97fb670c5931b0ea90d480e4df0a63e6f0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Sun, 29 Mar 2020 17:39:36 +0200 Subject: [PATCH 08/20] Fix metrics-server sub-chart condition. --- aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock | 4 ++-- aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock index d44b4c0402a1..8b1cbfcd5594 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock 
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock @@ -2,5 +2,5 @@ dependencies: - name: metrics-server repository: https://kubernetes-charts.storage.googleapis.com/ version: 2.10.1 -digest: sha256:59c065ae6fe9995972069d7a8693c290c5986e79d522c24967f13d2c6ab3d29d -generated: "2020-03-23T11:28:57.635935+01:00" +digest: sha256:e6d8deb84afd35472e8b1a3a63138702f445d4de95dbd6b3878b4b9bb83a0c8f +generated: "2020-03-29T17:40:58.688504+02:00" diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml index 9c2e65e6cc4a..24e005d0c87c 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml @@ -2,4 +2,4 @@ dependencies: - name: metrics-server version: 2.x.x repository: https://kubernetes-charts.storage.googleapis.com/ - condition: metricsServer.enabled + condition: metrics-server.enabled From 3a0463cb9d2e8e552ff52bdfc7d2cc4f89af6814 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Thu, 2 Apr 2020 08:55:13 +0200 Subject: [PATCH 09/20] Update to 2.0.0. --- aio/deploy/helm-chart/kubernetes-dashboard/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml index 25578a6ea42b..a3ee3ed95a8d 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml @@ -19,7 +19,7 @@ image: repository: kubernetesui/dashboard - tag: v2.0.0-rc6 + tag: v2.0.0 pullPolicy: IfNotPresent pullSecrets: [] From a0cee9dffdc02f4faca6e4d03594222f5ae6157c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Thu, 23 Apr 2020 20:36:03 +0200 Subject: [PATCH 10/20] fix: remove unused metricsScraper.revisionHistory value and update metrics scraper to 1.0.4. --- aio/deploy/helm-chart/kubernetes-dashboard/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml index a3ee3ed95a8d..7273117db122 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml @@ -138,10 +138,9 @@ ingress: ## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper metricsScraper: enabled: false - revisionHistoryLimit: 10 image: repository: kubernetesui/metrics-scraper - tag: v1.0.3 + tag: v1.0.4 resources: {} ## Optional Metrics Server sub-chart From 9710b52102f6503e6ff835b830f963dfcdd74933 Mon Sep 17 00:00:00 2001 From: David Young Date: Fri, 17 Apr 2020 14:08:47 +1200 Subject: [PATCH 11/20] Put dashboard resources in the right container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: David Young Signed-off-by: Cédric de Saint Martin --- .../kubernetes-dashboard/templates/deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml index 6529a0fbb464..2af5d3940911 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml 
@@ -100,6 +100,10 @@ spec: {{- end }} initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} +{{- with .Values.resources }} + resources: +{{ toYaml . | indent 10 }} +{{- end }} {{- if .Values.metricsScraper.enabled }} - name: dashboard-metrics-scraper image: "{{ .Values.metricsScraper.image.repository }}:{{ .Values.metricsScraper.image.tag }}" @@ -130,10 +134,6 @@ spec: securityContext: {{ toYaml . | indent 10 }} {{- end }} -{{- with .Values.resources }} - resources: -{{ toYaml . | indent 10 }} -{{- end }} {{- with .Values.image.pullSecrets }} imagePullSecrets: {{- range . }} From f1d1485b1d7e1f2f6ff76028405a6885f4792c6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Thu, 23 Apr 2020 20:51:45 +0200 Subject: [PATCH 12/20] Fix container securityContext location, rename metricsScraperContainerSecurityContext to metricsScraper.ContainerSecurityContext, upgrade metrics-server subchart to 2.11.1. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Cédric de Saint Martin --- .../helm-chart/kubernetes-dashboard/README.md | 4 ++-- .../kubernetes-dashboard/requirements.lock | 6 +++--- .../kubernetes-dashboard/requirements.yaml | 2 +- .../templates/deployment.yaml | 12 ++++++------ .../helm-chart/kubernetes-dashboard/values.yaml | 16 ++++++++-------- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index 6f82f66b7fb2..2a06f21c178a 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md 
@@ -105,8 +105,8 @@ Parameter | Description `podDisruptionBudget.minAvailable` | Minimum available instances; ignored if there is no PodDisruptionBudget | `podDisruptionBudget.maxUnavailable`| Maximum unavailable instances; ignored if there is no PodDisruptionBudget | `securityContext` | PodSecurityContext for pod level securityContext | `nil` -`dashboardContainerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` -`metricsScraperContainerSecurityContext` | SecurityContext for the kubernetes dashboard metrics scraper container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` +`containerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` +`metricsScraper.containerSecurityContext` | SecurityContext for the kubernetes dashboard metrics scraper container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` `networkPolicy.enabled` | Whether to create a network policy that allows access to the service | `false` diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock index 8b1cbfcd5594..320712403041 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock +++ b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: metrics-server repository: https://kubernetes-charts.storage.googleapis.com/ - version: 2.10.1 -digest: sha256:e6d8deb84afd35472e8b1a3a63138702f445d4de95dbd6b3878b4b9bb83a0c8f -generated: "2020-03-29T17:40:58.688504+02:00" + version: 2.11.1 +digest: sha256:22392d72416a0330f0c537fcc6cd306da7d25ddf511726bdf8a227d6a6ca8be1 +generated: "2020-04-23T20:58:52.074628+02:00" 
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml index 24e005d0c87c..7c253f6d9e9c 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml @@ -1,5 +1,5 @@ dependencies: - name: metrics-server - version: 2.x.x + version: 2.11.1 repository: https://kubernetes-charts.storage.googleapis.com/ condition: metrics-server.enabled diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml index 2af5d3940911..ce0135014853 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml @@ -104,6 +104,10 @@ spec: resources: {{ toYaml . | indent 10 }} {{- end }} +{{- with .Values.containerSecurityContext }} + securityContext: +{{ toYaml . | indent 10 }} +{{- end }} {{- if .Values.metricsScraper.enabled }} - name: dashboard-metrics-scraper image: "{{ .Values.metricsScraper.image.repository }}:{{ .Values.metricsScraper.image.tag }}" @@ -121,19 +125,15 @@ spec: volumeMounts: - mountPath: /tmp name: tmp-volume -{{- if .Values.metricsScraperContainerSecurityContext }} +{{- with .Values.metricsScraper.containerSecurityContext }} securityContext: -{{ toYaml .Values.metricsScraperContainerSecurityContext | indent 10 }} +{{ toYaml . | indent 10 }} {{- end }} {{- with .Values.metricsScraper.resources }} resources: {{ toYaml . | indent 10 }} {{- end }} {{- end }} -{{- with .Values.dashboardContainerSecurityContext }} - securityContext: -{{ toYaml . | indent 10 }} -{{- end }} {{- with .Values.image.pullSecrets }} imagePullSecrets: {{- range . }} diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml index 7273117db122..3aa79703e4f3 100644 
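Review bot: Renaming the values to `containerSecurityContext` and `metricsScraper.containerSecurityContext` means a user's existing `dashboardContainerSecurityContext` / `metricsScraperContainerSecurityContext` overrides are now silently ignored by the `{{- with }}` blocks and the chart defaults apply instead, so a tightened context (extra dropped capabilities, a different uid the image requires) reverts without any warning on upgrade. Because a missed rename here is a hardening regression, I'd fail the render on the old keys near the top of the template: `{{- if or .Values.dashboardContainerSecurityContext .Values.metricsScraperContainerSecurityContext }}{{ fail "dashboardContainerSecurityContext/metricsScraperContainerSecurityContext were renamed to containerSecurityContext/metricsScraper.containerSecurityContext" }}{{- end }}` (assuming the Helm versions you target provide Sprig's `fail`). The breaking-change list in the README elsewhere in this series mentions only the dashboard rename, so the scraper rename should be documented there too. The container list this hunk edits continues outside the hunk.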
--- a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml @@ -142,6 +142,13 @@ metricsScraper: repository: kubernetesui/metrics-scraper tag: v1.0.4 resources: {} + ## SecurityContext for the metrics scraper container + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + ## Optional Metrics Server sub-chart ## Enable this is you don't already have metrics-server enabled on your cluster and @@ -204,14 +211,7 @@ podDisruptionBudget: # runAsGroup: 2001 ## SecurityContext for the kubernetes dashboard container -dashboardContainerSecurityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1001 - runAsGroup: 2001 - -## SecurityContext for the dashboard metrics scraper container -metricsScraperContainerSecurityContext: +containerSecurityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 From 13fd273ace8f2df9c8bbe679153a7d08b36b94d1 Mon Sep 17 00:00:00 2001 From: ReSearchITEng Date: Sat, 25 Apr 2020 12:18:01 +0300 Subject: [PATCH 13/20] update README with metricsScraper.image.* entries --- aio/deploy/helm-chart/kubernetes-dashboard/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index 2a06f21c178a..f70e7341c7cb 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md 
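Review bot: The default `containerSecurityContext` and `metricsScraper.containerSecurityContext` set `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and a non-zero uid/gid, but neither drops Linux capabilities nor sets `runAsNonRoot: true` — the latter makes the kubelet refuse to start the container if its effective uid is 0, a guard that `runAsUser: 1001` alone does not give once someone overrides the uid or the image. I'd add `runAsNonRoot: true` and `capabilities: {drop: [ALL]}` to both default blocks; they are standard `SecurityContext` fields, so the kubeval step in CI validates them, and any capability the images actually need would surface in the e2e run rather than silently. A short comment on the `runAsUser: 1001` lines noting that the uid presumably has to match what the image expects — TODO confirm against the image — would help anyone tuning these values.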
@@ -93,6 +93,8 @@ Parameter | Description `ingress.hosts` | Dashboard Hostnames | `nil` `ingress.tls` | Ingress TLS configuration | `[]` `metricsScraper.enabled` | Wether to enable dashboard-metrics-scraper | `false` +`metricsScraper.image.repository` | Repository for metrics-scraper image | `kubernetesui/metrics-scraper` +`metricsScraper.image.tag` | Repository for metrics-scraper image tag | `v1.0.4` `metrics-server.enabled` | Wether to enable metrics-server | `false` `rbac.create` | Create & use RBAC resources | `true` `rbac.clusterRoleMetrics` | If set, an additional cluster role / role binding will be created to access metrics. | `true` From 4da9a412e27c474546212f50895391cecaa01b4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 27 Apr 2020 18:23:36 +0200 Subject: [PATCH 14/20] Improving breaking changes documentation and values ordering/layout in README. --- .../helm-chart/kubernetes-dashboard/README.md | 93 ++++++++++--------- 1 file changed, 47 insertions(+), 46 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index f70e7341c7cb..b0e446ceca62 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md 
@@ -43,7 +43,7 @@ incompatible breaking change needing manual actions. ### Upgrade from 1.x.x to 2.x.x -Version 2.0.0 is the first version hosted in the kubernetes/dashboard repository. +Version 2.0.0 of this chart is the first version hosted in the kubernetes/dashboard.git repository. v1.x.x until 1.10.1 is hosted on https://github.com/helm/charts. - This version upgrades to kubernetes-dashboard v2.0.0 along with changes in RBAC management: all secrets are explicitely created and ServiceAccount do not have permission to create any secret. On top of that, it completely removes the `clusterAdminRole` parameter, being too dangerous. In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and uninstall/reinstall the chart. - It enables by default values for `podAnnotations` and `securityContext`, please disable them if you don't supoprt them @@ -51,6 +51,7 @@ Version 2.0.0 is the first version hosted in the kubernetes/dashboard repository - It adds a `ProtocolHttp` parameter, allowing you to switch the backend to plain HTTP and replaces the old `enableSkipLogin` for the network part. - If `protocolHttp` is not set, it will automatically add to the `Ingress`, if enabled, annotations to support HTTPS backends for nginx-ingress and GKE Ingresses. - It updates all the labels to the new [recommended labels](https://github.com/helm/charts/blob/master/REVIEW_GUIDELINES.md#names-and-labels), most of them being immutable. +- dashboardContainerSecurityContext has been renamed to containerSecurityContext. In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and adapt `enableSkipLogin`, `enableInsecureLogin`, `podAnnotations` and `securityContext` parameters, and uninstall/reinstall the chart. 
@@ -65,51 +66,51 @@ It is highly recommended to use RBAC with minimal privileges needed for Dashboar The following table lists the configurable parameters of the kubernetes-dashboard chart and their default values. -Parameter | Description | Default -------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------ -`image.repository` | Repository for container image | `kubernetesui/dashboard` -`image.tag` | Image tag | `v2.0.0` -`image.pullPolicy` | Image pull policy | `IfNotPresent` -`image.pullSecrets` | Image pull secrets | `[]` -`replicaCount` | Number of replicas | `1` -`annotations` | Annotations for deployment | `{}` -`labels` | Labels for deployment | `{}` -`extraArgs` | Additional container arguments | `[]` -`extraEnv` | Additional container environment variables | `[]` -`podAnnotations` | Annotations to be added to pods | `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'}` -`nodeSelector` | node labels for pod assignment | `{}` -`tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` -`affinity` | Affinity for pod assignment | `[]` -`priorityClassName` | Name of Priority Class to assign pods | `nil` -`resources` | Pod resource requests & limits | `limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi}` -`protocolHttp` | Serve application over HTTP without TLS | `false` -`service.type` | Service type | `ClusterIP` -`service.externalPort` | Dashboard external port | `443` -`service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `nil` -`ingress.annotations` | Specify ingress class | `kubernetes.io/ingress.class: nginx` -`ingress.labels` | Add custom labels | `[]` -`ingress.enabled` | Enable ingress controller resource | `false` -`ingress.paths` | Paths to match against incoming requests. 
Both `/` and `/*` are required to work on gce ingress. | `[/]` -`ingress.hosts` | Dashboard Hostnames | `nil` -`ingress.tls` | Ingress TLS configuration | `[]` -`metricsScraper.enabled` | Wether to enable dashboard-metrics-scraper | `false` -`metricsScraper.image.repository` | Repository for metrics-scraper image | `kubernetesui/metrics-scraper` -`metricsScraper.image.tag` | Repository for metrics-scraper image tag | `v1.0.4` -`metrics-server.enabled` | Wether to enable metrics-server | `false` -`rbac.create` | Create & use RBAC resources | `true` -`rbac.clusterRoleMetrics` | If set, an additional cluster role / role binding will be created to access metrics. | `true` -`rbac.clusterReadOnlyRole` | If set, an additional cluster role / role binding will be created with read only permissions to all resources listed inside.| `false` -`serviceAccount.create` | Whether a new service account name that the agent will use should be created. | `true` -`serviceAccount.name` | Service account to be used. If not set and serviceAccount.create is `true` a name is generated using the fullname template. 
| -`livenessProbe.initialDelaySeconds` | Number of seconds to wait before sending first probe | `30` -`livenessProbe.timeoutSeconds` | Number of seconds to wait for probe response | `30` -`podDisruptionBudget.enabled` | Create a PodDisruptionBudget | `false` -`podDisruptionBudget.minAvailable` | Minimum available instances; ignored if there is no PodDisruptionBudget | -`podDisruptionBudget.maxUnavailable`| Maximum unavailable instances; ignored if there is no PodDisruptionBudget | -`securityContext` | PodSecurityContext for pod level securityContext | `nil` -`containerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` -`metricsScraper.containerSecurityContext` | SecurityContext for the kubernetes dashboard metrics scraper container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` -`networkPolicy.enabled` | Whether to create a network policy that allows access to the service | `false` +Parameter | Description | Default +------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------ +`image.repository` | Repository for container image | `kubernetesui/dashboard` +`image.tag` | Image tag | `v2.0.0` +`image.pullPolicy` | Image pull policy | `IfNotPresent` +`image.pullSecrets` | Image pull secrets | `[]` +`replicaCount` | Number of replicas | `1` +`annotations` | Annotations for deployment | `{}` +`labels` | Labels for deployment | `{}` +`extraArgs` | Additional container arguments | `[]` +`extraEnv` | Additional container environment variables | `[]` +`podAnnotations` | Annotations to be added to pods | `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'}` +`nodeSelector` | node labels for pod 
assignment | `{}` +`tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` +`affinity` | Affinity for pod assignment | `[]` +`priorityClassName` | Name of Priority Class to assign pods | `nil` +`resources` | Pod resource requests & limits | `limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi}` +`protocolHttp` | Serve application over HTTP without TLS | `false` +`service.type` | Service type | `ClusterIP` +`service.externalPort` | Dashboard external port | `443` +`service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `nil` +`ingress.annotations` | Specify ingress class | `kubernetes.io/ingress.class: nginx` +`ingress.labels` | Add custom labels | `[]` +`ingress.enabled` | Enable ingress controller resource | `false` +`ingress.paths` | Paths to match against incoming requests. Both `/` and `/*` are required to work on gce ingress. | `[/]` +`ingress.hosts` | Dashboard Hostnames | `nil` +`ingress.tls` | Ingress TLS configuration | `[]` +`metricsScraper.enabled` | Wether to enable dashboard-metrics-scraper | `false` +`metricsScraper.image.repository` | Repository for metrics-scraper image | `kubernetesui/metrics-scraper` +`metricsScraper.image.tag` | Repository for metrics-scraper image tag | `v1.0.4` +`metricsScraper.containerSecurityContext` | SecurityContext for the kubernetes dashboard metrics scraper container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` +`metrics-server.enabled` | Wether to enable metrics-server | `false` +`rbac.create` | Create & use RBAC resources | `true` +`rbac.clusterRoleMetrics` | If set, an additional cluster role / role binding will be created to access metrics. | `true` +`rbac.clusterReadOnlyRole` | If set, an additional cluster role / role binding will be created with read only permissions to all resources listed inside. 
| `false` +`serviceAccount.create` | Whether a new service account name that the agent will use should be created. | `true` +`serviceAccount.name` | Service account to be used. If not set and serviceAccount.create is `true` a name is generated using the fullname template. | +`livenessProbe.initialDelaySeconds` | Number of seconds to wait before sending first probe | `30` +`livenessProbe.timeoutSeconds` | Number of seconds to wait for probe response | `30` +`podDisruptionBudget.enabled` | Create a PodDisruptionBudget | `false` +`podDisruptionBudget.minAvailable` | Minimum available instances; ignored if there is no PodDisruptionBudget | +`podDisruptionBudget.maxUnavailable` | Maximum unavailable instances; ignored if there is no PodDisruptionBudget | +`securityContext` | PodSecurityContext for pod level securityContext | `nil` +`containerSecurityContext` | SecurityContext for the kubernetes dashboard container | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}` +`networkPolicy.enabled` | Whether to create a network policy that allows access to the service | `false` From e71bb7735a907549a3e68db41cbfb2ba67fa0d3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 27 Apr 2020 18:32:49 +0200 Subject: [PATCH 15/20] Remove unnecessary namespace declaration in ServiceAccount and Secret. --- aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml | 1 - .../kubernetes-dashboard/templates/serviceaccount.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml index 18ec60ee80af..72a28ac39f3e 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/secret.yaml 
@@ -19,7 +19,6 @@ metadata: labels: {{ include "kubernetes-dashboard.labels" . | indent 4 }} name: {{ template "kubernetes-dashboard.fullname" . }}-certs - namespace: {{ .Release.Namespace }} type: Opaque --- # kubernetes-dashboard-csrf diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml index 09d13655c872..c276abadc4e1 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/serviceaccount.yaml @@ -19,5 +19,4 @@ metadata: labels: {{ include "kubernetes-dashboard.labels" . | indent 4 }} name: {{ template "kubernetes-dashboard.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} {{- end -}} From 40458417244146c4a1a08015765ae03dd9a6adc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Thu, 30 Apr 2020 09:41:03 +0200 Subject: [PATCH 16/20] Small deployment cleanup, safer helm release script asking maintainer to manually push, release script does no longer depend on git tag to release. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Cédric de Saint Martin --- .../templates/deployment.yaml | 6 ++--- aio/scripts/helm-release-chart.sh | 23 ++++++++----------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml index ce0135014853..741b9bfb06a2 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/templates/deployment.yaml 
@@ -47,10 +47,10 @@ spec: {{ include "kubernetes-dashboard.labels" . | indent 8 }} app.kubernetes.io/component: kubernetes-dashboard spec: - {{- if .Values.securityContext }} +{{- with .Values.securityContext }} securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - {{- end }} +{{ toYaml . | indent 8 }} +{{- end }} serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} diff --git a/aio/scripts/helm-release-chart.sh b/aio/scripts/helm-release-chart.sh index 76827799f63c..f54fc9daf4b5 100755 --- a/aio/scripts/helm-release-chart.sh +++ b/aio/scripts/helm-release-chart.sh 
@@ -18,37 +18,32 @@ # Exit on error. set -e -# Declare variables. -UPSTREAM_REPOSITORY_NAME="upstream" -TAG="$1" - # Import config. ROOT_DIR="$(cd $(dirname "${BASH_SOURCE}")/../.. && pwd -P)" . "${ROOT_DIR}/aio/scripts/conf.sh" +# Declare variables. +HELM_CHART_DIR="$AIO_DIR/deploy/helm-chart/kubernetes-dashboard" + function release-helm-chart { - if [ -z "$TAG" ]; then - saye "\nPlease specify tag (like v1.2.3) as first and only argument." - exit 1 - fi if [ -n "$(git status --porcelain)" ]; then saye "\nGit working tree not clean, aborting." exit 1 fi - say "\nChanging current branch to $TAG." - git checkout "$TAG" say "\nGenerating Helm Chart package for new version." + say "Please note that your gh-pages branch, if it locally exists, should be up-to-date." helm repo add stable https://kubernetes-charts.storage.googleapis.com/ - helm dependency build "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard" - helm package "$AIO_DIR/deploy/helm-chart/kubernetes-dashboard" + helm dependency build "$HELM_CHART_DIR" + helm package "$HELM_CHART_DIR" + rm -rf "$HELM_CHART_DIR/charts/" say "\nSwitching git branch to gh-pages so that we can commit package along the previous versions." git checkout gh-pages say "\nGenerating new Helm index, containing all existing versions in gh-pages (previous ones + new one)." helm repo index . say "\nCommit new package and index." git add -A "./kubernetes-dashboard-*.tgz" ./index.yaml && git commit -m "Update Helm repository from CI." - say "\nPush the gh-pages branch (no force)." - git push $UPSTREAM_REPOSITORY_NAME gh-pages + say "\nIf you are happy with the changes, please manually push to the gh-pages branch. No force should be needed." + say "Assuming upstream is your remote, please run: git push upstream gh-pages." } # Execute script. From bf795c76fe4a10dad7fb4e8dd69851d45b2553e2 Mon Sep 17 00:00:00 2001 
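Review bot: Dropping `git checkout "$TAG"` removes the only thing that tied the packaged chart to a release tag — the script now packages whatever commit is checked out, and the clean-tree check does nothing to stop a release from an arbitrary branch. Since the release procedure documented elsewhere in this series says to run the script from the newly created tag, I'd enforce it before `helm package`: `if ! git describe --exact-match --tags HEAD >/dev/null 2>&1; then saye "\nHEAD is not at a release tag, aborting."; exit 1; fi`. Two smaller points: `helm dependency build` fetches the metrics-server sub-chart from the stable repository at release time with nothing in this script verifying the download beyond what Helm itself does, and `helm package` runs without `--sign`, so consumers of the gh-pages index get no provenance file — if the maintainers hold a signing key, `helm package --sign --key ... --keyring ...` would close that gap. The `release-helm-chart` function is complete within the hunk; its call site is outside it.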
From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Mon, 25 May 2020 19:59:00 +0200 Subject: [PATCH 17/20] Upgrade to v2.0.1. --- aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml | 4 ++-- aio/deploy/helm-chart/kubernetes-dashboard/README.md | 2 +- aio/deploy/helm-chart/kubernetes-dashboard/values.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml index f85d0c35051f..a3ce40df9f7e 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml @@ -14,8 +14,8 @@ apiVersion: v1 name: kubernetes-dashboard -version: 2.0.0 -appVersion: 2.0.0 +version: 2.0.1 +appVersion: 2.0.1 description: General-purpose web UI for Kubernetes clusters keywords: - kubernetes diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md index b0e446ceca62..2fd57d9f6d2d 100644 --- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md +++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md @@ -69,7 +69,7 @@ The following table lists the configurable parameters of the kubernetes-dashboar Parameter | Description | Default ------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------ `image.repository` | Repository for container image | `kubernetesui/dashboard` -`image.tag` | Image tag | `v2.0.0` +`image.tag` | Image tag | `v2.0.1` `image.pullPolicy` | Image pull policy | `IfNotPresent` `image.pullSecrets` | Image pull secrets | `[]` `replicaCount` | Number of replicas | `1` diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml index 3aa79703e4f3..6667a7743d59 100644 
--- a/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml +++ b/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml @@ -19,7 +19,7 @@ image: repository: kubernetesui/dashboard - tag: v2.0.0 + tag: v2.0.1 pullPolicy: IfNotPresent pullSecrets: [] From ddd980956426a7548241fb7c8f04e8a1db5dcd0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?= Date: Wed, 27 May 2020 17:37:17 +0200 Subject: [PATCH 18/20] Document how to release Helm Chart. --- docs/developer/release-procedures.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/developer/release-procedures.md b/docs/developer/release-procedures.md index c3bb827f8bb3..5149ae60ac94 100644 --- a/docs/developer/release-procedures.md +++ b/docs/developer/release-procedures.md 
@@ -9,11 +9,13 @@ After significant improvements have been done it is worth to release a new versi
 * `package.json` and `package-lock.json`
 * `aio/gulp/conf.js`
 * YAML files from `aio/deploy`
+ * Helm Chart from `aio/deploy/helm-chart/kubernetes-dashboard`: `image.tag` of `README.md` and `values.yaml`, `version` and `appVersion` of `Chart.yaml`
 3. Get the pull request reviewed and merged.
 4. Create a git [release](https://github.com/kubernetes/dashboard/releases/) tag for the merged pull request. Release description should include a changelog.
 5. Update add-ons on the [Kubernetes](https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dashboard) repository. If the update is minor, all that needs to be done is to change image version number in the main controller config file (`dashboard-controller.yaml`), and other configs, as described in the header of the config. If the release is major, this needs coordination with Kubernetes core team and possibly alignment with the schedule of the core.
 6. Update addon config in the [minikube](https://github.com/kubernetes/minikube/tree/master/deploy/addons) repository.
 7. Update addon config in the [kops](https://github.com/kubernetes/kops/tree/master/addons/kubernetes-dashboard) repository.
+8. Release Helm Chart by running the `aio/scripts/helm-release-chart.sh` script from the newly created git tag, then push the git `gh-pages` branch of your `https://github.com/kubernetes/dashboard/` git remote.
 Official release procedures are done by CI after successful TAG build automatically, that are pushed to [`kubernetesui/dashboard*`](https://hub.docker.com/u/kubernetesui) repositories.
From f222aeb0889bdbc91930c69a4834cab0ec29ecab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?=
Date: Fri, 29 May 2020 17:10:47 +0200
Subject: [PATCH 19/20] helm-chart ignore file: Put an empty line before comments section.
---
 aio/deploy/helm-chart/kubernetes-dashboard/.helmignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore b/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore
index 8a8a5b6096ed..91b6b7530950 100644
--- a/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/.helmignore
@@ -16,6 +16,7 @@
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
+
 # Common VCS dirs
 .git/
 .gitignore
@@ -24,11 +25,13 @@
 .hg/
 .hgignore
 .svn/
+
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *~
+
 # Various IDEs
 .project
 .idea/
From 6b28bd8ec9d10b35f0b14193f372fb7d398e2201 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20de=20Saint=20Martin?=
Date: Fri, 29 May 2020 17:13:03 +0200
Subject: [PATCH 20/20] helm-chart: document the tl;dr commands.
---
 aio/deploy/helm-chart/kubernetes-dashboard/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/aio/deploy/helm-chart/kubernetes-dashboard/README.md b/aio/deploy/helm-chart/kubernetes-dashboard/README.md
index 2fd57d9f6d2d..09a1936e54e5 100644
--- a/aio/deploy/helm-chart/kubernetes-dashboard/README.md
+++ b/aio/deploy/helm-chart/kubernetes-dashboard/README.md
@@ -6,7 +6,9 @@ It allows users to manage applications running in the cluster and troubleshoot t
 ## TL;DR
 ```console
+# Add kubernetes-dashboard repository
 helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+# Deploy a Helm Release named "my-release" using the kubernetes-dashboard chart
 helm install kubernetes-dashboard/kubernetes-dashboard --name my-release
 ```
