diff --git a/kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml b/kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml
new file mode 100644
index 0000000..5a08f78
--- /dev/null
+++ b/kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml
@@ -0,0 +1,387 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kubernetes-dashboard + namespace: kubernetes-system +spec: + chart: + spec: + chart: kubernetes-dashboard + sourceRef: + kind: HelmRepository + name: kubernetes-dashboard + namespace: flux-system + interval: 15m0s + timeout: 5m + releaseName: kubernetes-dashboard + values: + # Copyright 2017 The Kubernetes Authors. + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + # Default values for kubernetes-dashboard + # This is a YAML-formatted file. + # Declare name/value pairs to be passed into your templates. 
+ # name: value + + image: + ## Repository for container + repository: kubernetesui/dashboard + tag: "" # If not defined, uses appVersion of Chart.yaml + pullPolicy: IfNotPresent + pullSecrets: [] + + ## Number of replicas + replicaCount: 1 + + ## @param commonLabels Labels to add to all deployed objects + ## + commonLabels: {} + ## @param commonAnnotations Annotations to add to all deployed objects + ## + commonAnnotations: {} + + ## Here annotations can be added to the kubernetes dashboard deployment + annotations: {} + ## Here labels can be added to the kubernetes dashboard deployment + labels: {} + + ## Additional container arguments + ## + # extraArgs: + # - --enable-skip-login + # - --enable-insecure-login + # - --system-banner="Welcome to Kubernetes" + + ## Additional container environment variables + ## + extraEnv: [] + # - name: SOME_VAR + # value: 'some value' + + ## Additional volumes to be added to kubernetes dashboard pods + ## + extraVolumes: [] + # - name: dashboard-kubeconfig + # secret: + # defaultMode: 420 + # secretName: dashboard-kubeconfig + + ## Additional volumeMounts to be added to kubernetes dashboard container + ## + extraVolumeMounts: [] + # - mountPath: /kubeconfig + # name: dashboard-kubeconfig + # readOnly: true + + ## Array of extra K8s manifests to deploy + ## + extraManifests: [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: additional-configmap + # data: + # mykey: myvalue + + ## Annotations to be added to kubernetes dashboard pods + # podAnnotations: + + ## SecurityContext to be added to kubernetes dashboard pods + ## To disable set the following configuration to null: + # securityContext: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + ## SecurityContext defaults for the kubernetes dashboard container and metrics scraper container + ## To disable set the following configuration to null: + # containerSecurityContext: null + containerSecurityContext: + 
allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + capabilities: + drop: ["ALL"] + + ## @param podLabels Extra labels for OAuth2 Proxy pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param podAnnotations Annotations for OAuth2 Proxy pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## List of node taints to tolerate (requires Kubernetes >= 1.6) + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute" + + ## Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Name of Priority Class of pods + # priorityClassName: "" + + ## Pod resource requests & limits + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + cpu: 2 + memory: 200Mi + + ## Serve application over HTTP without TLS + ## + ## Note: If set to true, you may want to add --enable-insecure-login to extraArgs + protocolHttp: false + + service: + type: LoadBalancer + # Dashboard service port + externalPort: 443 + + ## LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to + ## set allowed inbound rules on the security group assigned to the master load balancer + # loadBalancerSourceRanges: [] + + # clusterIP: "" + + ## A user-specified IP address for load balancer to use as External IP (if supported) + # loadBalancerIP: + + ## Additional Kubernetes Dashboard Service annotations + annotations: {} + + ## Here labels can be added to the Kubernetes Dashboard service + labels: {} + + ## Enable or disable the kubernetes.io/cluster-service label. 
Should be disabled for GKE clusters >=1.15. + ## Otherwise, the addon manager will presume ownership of the service and try to delete it. + clusterServiceLabel: + enabled: true + key: "kubernetes.io/cluster-service" + + ingress: + ## If true, Kubernetes Dashboard Ingress will be created. + ## + enabled: false + + ## Kubernetes Dashboard Ingress labels + # labels: + # key: value + + ## Kubernetes Dashboard Ingress annotations + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## If you plan to use TLS backend with enableInsecureLogin set to false + ## (default), you need to uncomment the below. + ## If you use ingress-nginx < 0.21.0 + # nginx.ingress.kubernetes.io/secure-backends: "true" + ## if you use ingress-nginx >= 0.21.0 + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + + ## Kubernetes Dashboard Ingress Class + # className: "example-lb" + + ## Kubernetes Dashboard Ingress paths + ## Both `/` and `/*` are required to work on gce ingress. + paths: + - / + # - /* + + ## Custom Kubernetes Dashboard Ingress paths. Will override default paths. + ## + customPaths: [] + # - pathType: ImplementationSpecific + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + # - pathType: ImplementationSpecific + # backend: + # service: + # name: >- + # {{ include "kubernetes-dashboard.fullname" . }} + # port: + # # Don't use string here, use only integer value! 
+ # number: 443 + ## Kubernetes Dashboard Ingress hostnames + ## Must be provided if Ingress is enabled + ## + # hosts: + # - kubernetes-dashboard.domain.com + ## Kubernetes Dashboard Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + # tls: + # - secretName: kubernetes-dashboard-tls + # hosts: + # - kubernetes-dashboard.domain.com + + # Global dashboard settings + settings: + {} + ## Cluster name that appears in the browser window title if it is set + # clusterName: "" + ## Max number of items that can be displayed on each list page + # itemsPerPage: 10 + ## Number of seconds between every auto-refresh of logs + # logsAutoRefreshTimeInterval: 5 + ## Number of seconds between every auto-refresh of every resource. Set 0 to disable + # resourceAutoRefreshTimeInterval: 5 + ## Hide all access denied warnings in the notification panel + # disableAccessDeniedNotifications: false + + ## Pinned CRDs that will be displayed in dashboard's menu + pinnedCRDs: + [] + # - kind: customresourcedefinition + ## Fully qualified name of a CRD + # name: prometheuses.monitoring.coreos.com + ## Display name + # displayName: Prometheus + ## Is this CRD namespaced? + # namespaced: true + + ## Metrics Scraper + ## Container to scrape, store, and retrieve a window of time from the Metrics Server. 
+ ## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper + metricsScraper: + ## Wether to enable dashboard-metrics-scraper + enabled: false + image: + repository: kubernetesui/metrics-scraper + tag: v1.0.9 + resources: {} + ## SecurityContext especially for the kubernetes dashboard metrics scraper container + ## If not set, the global containterSecurityContext values will define these values + # containerSecurityContext: + # allowPrivilegeEscalation: false + # readOnlyRootFilesystem: true + # runAsUser: 1001 + # runAsGroup: 2001 + # args: + # - --log-level=info + # - --logtostderr=true + + ## Optional Metrics Server sub-chart + ## Enable this if you don't already have metrics-server enabled on your cluster and + ## want to use it with dashboard metrics-scraper + ## refs: + ## - https://github.com/kubernetes-sigs/metrics-server + ## - https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server + metrics-server: + enabled: false + ## Example for additional args + # args: + # - --kubelet-preferred-address-types=InternalIP + # - --kubelet-insecure-tls + + rbac: + # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created + create: true + + # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created + # Independent from rbac.create parameter. + clusterRoleMetrics: true + + # Start in ReadOnly mode. + # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created + # Only dashboard-related Secrets and ConfigMaps will still be available for writing. + # + # The basic idea of the clusterReadOnlyRole + # is not to hide all the secrets and sensitive data but more + # to avoid accidental changes in the cluster outside the standard CI/CD. + # + # It is NOT RECOMMENDED to use this version in production. 
+ # Instead you should review the role and remove all potentially sensitive parts such as + # access to persistentvolumes, pods/log etc. + # + # Independent from rbac.create parameter. + clusterReadOnlyRole: false + # It is possible to add additional rules if read only role is enabled. + # This can be useful, for example, to show CRD resources. + # clusterReadOnlyRoleAdditionalRules: [] + + # If the default role permissions are not enough, it is possible to add additional permissions. + # roleAdditionalRules: [] + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + livenessProbe: + # Number of seconds to wait before sending first probe + initialDelaySeconds: 30 + # Number of seconds to wait for probe response + timeoutSeconds: 30 + + ## podDisruptionBudget + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + enabled: false + ## Minimum available instances; ignored if there is no PodDisruptionBudget + minAvailable: + ## Maximum unavailable instances; ignored if there is no PodDisruptionBudget + maxUnavailable: + + ## PodSecurityContext for pod level securityContext + # securityContext: + # runAsUser: 1001 + # runAsGroup: 2001 + + networkPolicy: + # Whether to create a network policy that allows/restricts access to the service + enabled: false + + # Whether to set network policy to deny all ingress traffic for the kubernetes-dashboard + ingressDenyAll: false + + ## podSecurityPolicy for fine-grained authorization of pod creation and updates + ## Note that PSP is deprecated and has been removed from kubernetes 1.25 onwards. + ## For 1.25+ consider enabling PodSecurityAdmission, refer to chart README.md. 
+ podSecurityPolicy: + # Specifies whether a pod security policy should be created + enabled: false + + serviceMonitor: + # Whether or not to create a Prometheus Operator service monitor. + enabled: false + ## Here labels can be added to the serviceMonitor + labels: {} + ## Here annotations can be added to the serviceMonitor + annotations: {} + + ## Optional containers, i.e. for auth addons. + optionalContainers: + enabled: false + containers: []
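Review bot: `service.type: LoadBalancer` with `externalPort: 443` publishes the dashboard on an external address while `loadBalancerSourceRanges` stays commented out and `networkPolicy.enabled: false`, so nothing in this release limits which sources can reach the login page; the chart's own comment describes that key as the list of allowed CIDRs for the load balancer's inbound rules. Either set `loadBalancerSourceRanges: ["<admin-cidr>"]` (placeholder) under `service`, or use `type: ClusterIP` and reach the dashboard through the ingress once an authenticating proxy sits in front of it. Separately, `chart.spec` carries no `version`, which for a Flux v2beta1 HelmRelease means the newest chart in the HelmRepository is installed on each reconcile; pinning it with `version: "<chart-version>"` keeps the render reproducible and makes chart upgrades an explicit commit. The `values:` block is a copy of the upstream default values.yaml including its license header; keeping only the overrides (service, securityContext, resources, rbac) would make the intended deviations from chart defaults visible at a glance.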