diff --git a/cluster/bin/freeleaps-cluster-authenticator b/cluster/bin/freeleaps-cluster-authenticator index 4c4274a0..56e57d5d 100755 --- a/cluster/bin/freeleaps-cluster-authenticator +++ b/cluster/bin/freeleaps-cluster-authenticator @@ -2,7 +2,7 @@ set -eu -VERSION="0.0.1-20250115" +VERSION="0.0.2-20250320" CLUSTER_API_LB_IP=${CLUSTER_API_LB_IP:-4.155.160.32} CLUSTER_API_LB_PORT=${CLUSTER_API_LB_PORT:-6443} @@ -29,6 +29,8 @@ help() { echo " reset-auth,-r,--reset-auth Reset kubectl authentication state for freeleaps cluster." echo " clear,-c,--clear Clear authentication for freeleaps cluster." echo " doctor,-d,--doctor Check if all the required tools are installed." + echo " dashboard,-db,--dashboard Open the Kubernetes dashboard, forward the port to localhost and listen on 8443." + echo " get-token,-gt,--get-token Get the token for the current user, usually to using Kubernetes Dashboard authentication." echo " help,-h,--help Show this help message." echo "" echo "Environment Options:" @@ -170,6 +172,13 @@ gather_prerequisites() { else echo "[PREREQUISITES] kubelogin: ✓" fi + + if ! command -v jq > /dev/null; then + echo "[ERROR] jq is required to parse JSON output, please install it with your package manager." + exit 1 + else + echo "[PREREQUISITES] jq: ✓" + fi } setup_kubelogin() { 
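Review bot: The new `get-token` help line in the `@@ -29,6` hunk reads "usually to using Kubernetes Dashboard authentication", which is ungrammatical for user-facing text; suggest `Get the token for the current user, usually for Kubernetes Dashboard authentication.`. The `-db`/`-gt` short forms are two-letter single-dash flags next to one-letter `-r`/`-c`/`-d` siblings; since the `case` dispatch matches them as whole words this is a style inconsistency rather than a bug, but `-D`/`-t` would follow the existing convention.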
@@ -299,6 +308,46 @@ reset_auth() {
 echo "[RESET] kubectl authentication state reset successfully."
 }
 
+exit_dashboard() {
+ echo "[RUN_DASHBOARD] Kubernetes dashboard stopped."
+}
+
+run_dashboard() {
+ gather_prerequisites
+
+ echo "[RUN_DASHBOARD] Ready to run Kubernetes dashboard..."
+ is_target_svc_exist=$(kubectl get svc -n freeleaps-infra-system | grep kubernetes-dashboard-kong-proxy)
+ if [ -z "$is_target_svc_exist" ]; then
+ echo "[ERROR] Kubernetes dashboard service not found in namespace: freeleaps-infra-system."
+ exit 1
+ fi
+ echo "[RUN_DASHBOARD] Kubernetes dashboard is running at: https://localhost:8443"
+ trap exit_dashboard INT HUP
+ kubectl port-forward svc/kubernetes-dashboard-kong-proxy -n freeleaps-infra-system 8443:443
+}
+
+get_token() {
+ gather_prerequisites
+
+ echo "[GET_TOKEN] Getting token for the current user..."
+
+ get_token_resp=$(
+ kubelogin get-token \
+ --oidc-issuer-url "${MICROSOFT_ENTRA_ID_ISSUER}" \
+ --oidc-client-id "${MICROSOFT_ENTRA_ID_CLIENT_ID}" \
+ --oidc-client-secret "${MICROSOFT_ENTRA_ID_CLIENT_SECRET}" \
+ --oidc-extra-scope "offline_access" \
+ --oidc-extra-scope "profile" \
+ --oidc-extra-scope "email"
+ )
+
+ token=$(echo "${get_token_resp}" | jq -r '.status.token')
+ expiration=$(echo "${get_token_resp}" | jq -r '.status.expirationTimestamp')
+
+ echo "[GET_TOKEN] Token: ${token}"
+ echo "[GET_TOKEN] Expiration Timestamp: ${expiration}"
+}
+
 main() {
 if [ $# -lt 1 ]; then
 echo "[ERROR] No sub-command provided."
@@ -321,6 +370,12 @@ main() {
 doctor|-d|--doctor)
 gather_prerequisites
 ;;
+ dashboard|-db|--dashboard)
+ run_dashboard
+ ;;
+ get-token|-gt|--get-token)
+ get_token
+ ;;
 help|-h|--help)
 help
 ;;
diff --git a/cluster/manifests/freeleaps-infra-system/dashboard/values.yaml b/cluster/manifests/freeleaps-infra-system/dashboard/values.yaml
new file mode 100644
index 00000000..16933ec1
--- /dev/null
+++ b/cluster/manifests/freeleaps-infra-system/dashboard/values.yaml
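Review bot: In `run_dashboard`, the `is_target_svc_exist=$(kubectl get svc ... | grep kubernetes-dashboard-kong-proxy)` assignment runs under the script's `set -eu` (visible in the `@@ -2,7` hunk), so when grep matches nothing the pipeline's non-zero status aborts the script before the `[ -z ... ]` branch, and the "[ERROR] Kubernetes dashboard service not found" message is never reached. Query the service directly instead, `if ! kubectl get svc kubernetes-dashboard-kong-proxy -n freeleaps-infra-system > /dev/null 2>&1; then`, which also avoids the substring grep matching an unrelated service whose name merely contains that string. In `get_token`, `jq -r '.status.token'` prints the literal `null` when the field is absent, so a guard such as `[ -n "$token" ] && [ "$token" != "null" ] || { echo "[ERROR] kubelogin returned no token." >&2; exit 1; }` keeps a failed login from being reported as `Token: null`. The `--oidc-client-secret "${MICROSOFT_ENTRA_ID_CLIENT_SECRET}"` argument is visible in the process list for the lifetime of the kubelogin call; if the existing `setup_kubelogin` path (outside this hunk) already does the same this is a known trade-off, otherwise it is worth a comment on the line.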
@@ -0,0 +1,352 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# General configuration shared across resources +app: + # Mode determines if chart should deploy a full Dashboard with all containers or just the API. + # - dashboard - deploys all the containers + # - api - deploys just the API + mode: 'dashboard' + image: + pullPolicy: IfNotPresent + pullSecrets: [] + scheduling: + # Node labels for pod assignment + # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + nodeSelector: {} + security: + # Allow overriding csrfKey used by API/Auth containers. + # It has to be base64 encoded random 256 bytes string. + # If empty, it will be autogenerated. 
+ csrfKey: ~ + # SecurityContext to be added to pods + # To disable set the following configuration to null: + # securityContext: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + # ContainerSecurityContext to be added to containers + # To disable set the following configuration to null: + # containerSecurityContext: null + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + capabilities: + drop: ["ALL"] + # Pod Disruption Budget configuration + # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + enabled: false + minAvailable: 0 + maxUnavailable: 0 + networkPolicy: + enabled: false + ingressDenyAll: false + # Raw network policy spec that overrides predefined spec + # Example: + # spec: + # egress: + # - ports: + # - port: 123 + spec: {} + + # Common labels & annotations shared across all deployed resources + labels: {} + annotations: {} + # Common priority class used for all deployed resources + priorityClassName: null + settings: + ## Global dashboard settings + global: + # # Cluster name that appears in the browser window title if it is set + clusterName: "Freeleaps Kubernetes Cluster" + # # Max number of items that can be displayed on each list page + # itemsPerPage: 10 + # # Max number of labels that are displayed by default on most views. + # labelsLimit: 3 + # # Number of seconds between every auto-refresh of logs + # logsAutoRefreshTimeInterval: 5 + # # Number of seconds between every auto-refresh of every resource. 
Set 0 to disable + # resourceAutoRefreshTimeInterval: 10 + # # Hide all access denied warnings in the notification panel + # disableAccessDeniedNotifications: false + # # Hide all namespaces option in namespace selection dropdown to avoid accidental selection in large clusters thus preventing OOM errors + # hideAllNamespaces: false + # # Namespace that should be selected by default after logging in. + defaultNamespace: freeleaps-infra-system + # # List of namespaces that should be presented to user without namespace list privileges. + # namespaceFallbackList: + # - default + ## Pinned resources that will be displayed in dashboard's menu + pinnedResources: + - kind: customresourcedefinition + name: certificates.cert-manager.io + displayName: Certificates + namespaced: true + - kind: customresourcedefinition + name: clusterissuers.cert-manager.io + displayName: ClusterIssuers + namespaced: false + # - kind: customresourcedefinition + # # Fully qualified name of a CRD + # name: prometheus.monitoring.coreos.com + # # Display name + # displayName: Prometheus + # # Is this CRD namespaced? 
+ # namespaced: true + ingress: + enabled: false + +auth: + role: auth + image: + repository: docker.io/kubernetesui/dashboard-auth + tag: 1.2.4 + scaling: + replicas: 1 + revisionHistoryLimit: 10 + service: + type: ClusterIP + extraSpec: ~ + containers: + ports: + - name: auth + containerPort: 8000 + protocol: TCP + args: [] + env: [] + volumeMounts: + - mountPath: /tmp + name: tmp-volume + # TODO: Validate configuration + resources: + requests: + cpu: 50m + memory: 200Mi + limits: + cpu: 250m + memory: 400Mi + automountServiceAccountToken: true + volumes: + # Create on-disk volume to store exec logs (required) + - name: tmp-volume + emptyDir: {} + nodeSelector: {} + # Labels & annotations for Auth related resources + labels: {} + annotations: {} + serviceLabels: {} + serviceAnnotations: {} + +# API deployment configuration +api: + role: api + image: + repository: docker.io/kubernetesui/dashboard-api + tag: 1.11.1 + scaling: + replicas: 1 + revisionHistoryLimit: 10 + service: + type: ClusterIP + extraSpec: ~ + containers: + ports: + - name: api + containerPort: 8000 + protocol: TCP + # Additional container arguments + # Full list of arguments: https://github.com/kubernetes/dashboard/blob/master/docs/common/arguments.md + # args: + # - --system-banner="Welcome to the Kubernetes Dashboard" + args: [] + # Additional container environment variables + # env: + # - name: SOME_VAR + # value: 'some value' + env: [] + # Additional volume mounts + # - mountPath: /kubeconfig + # name: dashboard-kubeconfig + # readOnly: true + volumeMounts: + # Create volume mount to store exec logs (required) + - mountPath: /tmp + name: tmp-volume + # TODO: Validate configuration + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + cpu: 250m + memory: 400Mi + automountServiceAccountToken: true + # Additional volumes + # - name: dashboard-kubeconfig + # secret: + # defaultMode: 420 + # secretName: dashboard-kubeconfig + volumes: + # Create on-disk volume to store exec logs 
(required) + - name: tmp-volume + emptyDir: {} + nodeSelector: {} + # Labels & annotations for API related resources + labels: {} + annotations: {} + serviceLabels: {} + serviceAnnotations: {} + +# WEB UI deployment configuration +web: + role: web + image: + repository: docker.io/kubernetesui/dashboard-web + tag: 1.6.2 + scaling: + replicas: 1 + revisionHistoryLimit: 10 + service: + type: ClusterIP + extraSpec: ~ + containers: + ports: + - name: web + containerPort: 8000 + protocol: TCP + # Additional container arguments + # Full list of arguments: https://github.com/kubernetes/dashboard/blob/master/docs/common/arguments.md + # args: + # - --system-banner="Welcome to the Kubernetes Dashboard" + args: [] + # Additional container environment variables + # env: + # - name: SOME_VAR + # value: 'some value' + env: [] + # Additional volume mounts + # - mountPath: /kubeconfig + # name: dashboard-kubeconfig + # readOnly: true + volumeMounts: + # Create volume mount to store logs (required) + - mountPath: /tmp + name: tmp-volume + # TODO: Validate configuration + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + cpu: 250m + memory: 400Mi + automountServiceAccountToken: true + # Additional volumes + # - name: dashboard-kubeconfig + # secret: + # defaultMode: 420 + # secretName: dashboard-kubeconfig + volumes: + # Create on-disk volume to store exec logs (required) + - name: tmp-volume + emptyDir: {} + nodeSelector: {} + # Labels & annotations for WEB UI related resources + labels: {} + annotations: {} + serviceLabels: {} + serviceAnnotations: {} + +### Metrics Scraper +### Container to scrape, store, and retrieve a window of time from the Metrics Server. 
+### refs: https://github.com/kubernetes/dashboard/tree/master/modules/metrics-scraper +metricsScraper: + enabled: false + +## Optional Metrics Server sub-chart configuration +## Enable this if you don't already have metrics-server enabled on your cluster and +## want to use it with dashboard metrics-scraper +## refs: +## - https://github.com/kubernetes-sigs/metrics-server +## - https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server +metrics-server: + enabled: false + +## Required Kong sub-chart with DBless configuration to act as a gateway +## for our all containers. +kong: + enabled: true + ## Configuration reference: https://docs.konghq.com/gateway/3.6.x/reference/configuration + env: + dns_order: LAST,A,CNAME,AAAA,SRV + plugins: 'off' + nginx_worker_processes: 1 + ingressController: + enabled: false + manager: + enabled: false + dblessConfig: + configMap: kong-dbless-config + proxy: + type: ClusterIP + http: + enabled: false + +## Optional Cert Manager sub-chart configuration +## Enable this if you don't already have cert-manager enabled on your cluster. +cert-manager: + enabled: false + installCRDs: false + +## Optional Nginx Ingress sub-chart configuration +## Enable this if you don't already have nginx-ingress enabled on your cluster. +nginx: + enabled: false + +## Extra configurations: +## - manifests +## - predefined roles +## - prometheus +## - etc... +extras: + # Extra Kubernetes manifests to be deployed + # manifests: + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: additional-configmap + # data: + # mykey: myvalue + manifests: [] + serviceMonitor: + # Whether to create a Prometheus Operator service monitor. 
+ enabled: false + # Here labels can be added to the serviceMonitor + labels: {} + # Here annotations can be added to the serviceMonitor + annotations: {} + # metrics.serviceMonitor.metricRelabelings Specify Metric Relabelings to add to the scrape endpoint + # ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + metricRelabelings: [] + # metrics.serviceMonitor.relabelings [array] Prometheus relabeling rules + relabelings: [] + # ServiceMonitor connection scheme. Defaults to HTTPS. + scheme: https + # ServiceMonitor connection tlsConfig. Defaults to {insecureSkipVerify:true}. + tlsConfig: + insecureSkipVerify: true \ No newline at end of file diff --git a/cluster/manifests/helm-repos/REPO.list b/cluster/manifests/helm-repos/REPO.list index 5376e428..746388a8 100644 --- a/cluster/manifests/helm-repos/REPO.list +++ b/cluster/manifests/helm-repos/REPO.list @@ -9,3 +9,4 @@ azure-blob-csi-driver,https://raw.githubusercontent.com/kubernetes-sigs/blob-csi godaddy-webhook,https://snowdrop.github.io/godaddy-webhook,force-update azure-disk-csi-driver,https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/charts,force-update descheduler,https://kubernetes-sigs.github.io/descheduler/,force-update +kubernetes-dashboard,https://kubernetes.github.io/dashboard/,force-update