Merge pull request #22 from Ajay-sops/main

RohitSquareops · web-flow · commit 1b024d44ca3a · 2024-02-28T11:17:13.000+05:30
added support for k8s dashboard
diff --git a/README.md b/README.md
@@ -24,6 +24,8 @@ module "eks_addons" {
   private_subnet_ids                  = [""]
   single_az_sc_config                 = [{ name = "infra-service-sc", zone = "zone-name" }]
   coredns_hpa_enabled                 = true
+  kubernetes_dashboard_enabled        = true
+  k8s_dashboard_hostname              = "dashboard.prod.in"
   kubeclarity_enabled                 = true
   kubeclarity_hostname                = "kubeclarity.prod.in"
   kubecost_enabled                    = true
@@ -265,15 +267,25 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | [helm_release.falco](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.internal_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kubeclarity](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.kubernetes-dashboard](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.metrics-server-vpa](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.vpa-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_cluster_role.eks_read_only_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.eks_read_only_role_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
+| [kubernetes_cluster_role_binding_v1.admin-user](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource |
+| [kubernetes_ingress_v1.k8s-ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
 | [kubernetes_ingress_v1.kubecost](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
 | [kubernetes_namespace.defectdojo](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.falco](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.internal_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.k8s-dashboard](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kube_clarity](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_secret.kube_clarity](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.kubecost](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret_v1.admin-user](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.dashboard_read_only_sa_token](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_service_account.dashboard_admin_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [kubernetes_service_account.dashboard_read_only_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [random_password.kube_clarity](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.kubecost](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_eks_addon_version.kubecost](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
@@ -316,6 +328,7 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="input_ipv6_enabled"></a> [ipv6\_enabled](#input\_ipv6\_enabled) | whether IPv6 enabled or not | `bool` | `false` | no |
 | <a name="input_istio_config"></a> [istio\_config](#input\_istio\_config) | Configuration to provide settings for Istio | <pre>object({<br>    ingress_gateway_enabled       = bool<br>    ingress_gateway_namespace     = optional(string, "istio-ingressgateway")<br>    egress_gateway_enabled        = bool<br>    egress_gateway_namespace      = optional(string, "istio-egressgateway")<br>    envoy_access_logs_enabled     = bool<br>    prometheus_monitoring_enabled = bool<br>    istio_values_yaml             = any<br>  })</pre> | <pre>{<br>  "egress_gateway_enabled": false,<br>  "envoy_access_logs_enabled": true,<br>  "ingress_gateway_enabled": true,<br>  "istio_values_yaml": "",<br>  "prometheus_monitoring_enabled": true<br>}</pre> | no |
 | <a name="input_istio_enabled"></a> [istio\_enabled](#input\_istio\_enabled) | Enable istio for service mesh. | `bool` | `false` | no |
+| <a name="input_k8s_dashboard_hostname"></a> [k8s\_dashboard\_hostname](#input\_k8s\_dashboard\_hostname) | Specify the hostname for the k8s dashboard. | `string` | `""` | no |
 | <a name="input_karpenter_enabled"></a> [karpenter\_enabled](#input\_karpenter\_enabled) | Enable or disable Karpenter, a Kubernetes-native, multi-tenant, and auto-scaling solution for containerized workloads on Kubernetes. | `bool` | `false` | no |
 | <a name="input_karpenter_provisioner_config"></a> [karpenter\_provisioner\_config](#input\_karpenter\_provisioner\_config) | Configuration to provide settings for Karpenter, including which private subnet to use, instance capacity types, and excluded instance types. | `any` | <pre>{<br>  "excluded_instance_type": [<br>    "nano",<br>    "micro",<br>    "small"<br>  ],<br>  "instance_capacity_type": [<br>    "spot"<br>  ],<br>  "instance_hypervisor": [<br>    "nitro"<br>  ],<br>  "private_subnet_name": ""<br>}</pre> | no |
 | <a name="input_karpenter_provisioner_enabled"></a> [karpenter\_provisioner\_enabled](#input\_karpenter\_provisioner\_enabled) | Enable or disable the installation of Karpenter, which is a Kubernetes cluster autoscaler. | `bool` | `false` | no |
@@ -327,6 +340,7 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="input_kubeclarity_namespace"></a> [kubeclarity\_namespace](#input\_kubeclarity\_namespace) | Name of the Kubernetes namespace where the kubeclarity deployment will be deployed. | `string` | `"kubeclarity"` | no |
 | <a name="input_kubecost_enabled"></a> [kubecost\_enabled](#input\_kubecost\_enabled) | Enable or disable the deployment of an Kubecost for Kubernetes. | `bool` | `false` | no |
 | <a name="input_kubecost_hostname"></a> [kubecost\_hostname](#input\_kubecost\_hostname) | Specify the hostname for the kubecsot. | `string` | `""` | no |
+| <a name="input_kubernetes_dashboard_enabled"></a> [kubernetes\_dashboard\_enabled](#input\_kubernetes\_dashboard\_enabled) | Determines whether k8s-dashboard is enabled or not | `bool` | `false` | no |
 | <a name="input_metrics_server_enabled"></a> [metrics\_server\_enabled](#input\_metrics\_server\_enabled) | Enable or disable the metrics server add-on for EKS cluster. | `bool` | `false` | no |
 | <a name="input_metrics_server_helm_version"></a> [metrics\_server\_helm\_version](#input\_metrics\_server\_helm\_version) | Version of the metrics server helm chart | `string` | `"3.11.0"` | no |
 | <a name="input_metrics_server_vpa_config"></a> [metrics\_server\_vpa\_config](#input\_metrics\_server\_vpa\_config) | Configuration to provide settings of vpa over metrics server | `any` | <pre>{<br>  "maxCPU": "100m",<br>  "maxMemory": "500Mi",<br>  "metricsServerDeploymentName": "metrics-server",<br>  "minCPU": "25m",<br>  "minMemory": "150Mi"<br>}</pre> | no |
@@ -355,6 +369,8 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="output_environment"></a> [environment](#output\_environment) | Environment Name for the EKS cluster |
 | <a name="output_internal_nginx_ingress_controller_dns_hostname"></a> [internal\_nginx\_ingress\_controller\_dns\_hostname](#output\_internal\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller that can be used to access it from within the cluster. |
 | <a name="output_istio_ingressgateway_dns_hostname"></a> [istio\_ingressgateway\_dns\_hostname](#output\_istio\_ingressgateway\_dns\_hostname) | DNS hostname of the Istio Ingress Gateway. |
+| <a name="output_k8s-dashboard-admin-token"></a> [k8s-dashboard-admin-token](#output\_k8s-dashboard-admin-token) | n/a |
+| <a name="output_k8s-dashboard-read-only-token"></a> [k8s-dashboard-read-only-token](#output\_k8s-dashboard-read-only-token) | n/a |
 | <a name="output_kubeclarity"></a> [kubeclarity](#output\_kubeclarity) | Kubeclarity endpoint and credentials |
 | <a name="output_kubecost"></a> [kubecost](#output\_kubecost) | Kubecost endpoint and credentials |
 | <a name="output_nginx_ingress_controller_dns_hostname"></a> [nginx\_ingress\_controller\_dns\_hostname](#output\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller. |
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -49,6 +49,8 @@ No inputs.
 | <a name="output_environment"></a> [environment](#output\_environment) | Environment Name for the EKS cluster |
 | <a name="output_internal_nginx_ingress_controller_dns_hostname"></a> [internal\_nginx\_ingress\_controller\_dns\_hostname](#output\_internal\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller that can be used to access it from within the cluster. |
 | <a name="output_istio_ingressgateway_dns_hostname"></a> [istio\_ingressgateway\_dns\_hostname](#output\_istio\_ingressgateway\_dns\_hostname) | DNS hostname of the Istio Ingress Gateway |
+| <a name="output_k8s-dashboard-admin-token"></a> [k8s-dashboard-admin-token](#output\_k8s-dashboard-admin-token) | k8s-dashboard admin token |
+| <a name="output_k8s-dashboard-read-only-token"></a> [k8s-dashboard-read-only-token](#output\_k8s-dashboard-read-only-token) | k8s-dashboard read only  token |
 | <a name="output_kubeclarity"></a> [kubeclarity](#output\_kubeclarity) | Kubeclarity endpoint and credentials |
 | <a name="output_kubecost"></a> [kubecost](#output\_kubecost) | Kubecost endpoint and credentials |
 | <a name="output_nginx_ingress_controller_dns_hostname"></a> [nginx\_ingress\_controller\_dns\_hostname](#output\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller. |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -21,6 +21,8 @@ module "eks-addons" {
   kms_policy_arn                          = "arn:aws:iam::xxxxxxxxxxxx:policy/policy_name" ## eks module will create kms_policy_arn
   eks_cluster_name                        = "cluster_name"
   reloader_enabled                        = true
+  kubernetes_dashboard_enabled            = true
+  k8s_dashboard_hostname                  = "dashboard.prod.in"
   karpenter_enabled                       = true
   private_subnet_ids                      = ["subnet-xxxxxxxxxxxx", "subnet-xxxxxxxxxxxx"]
   single_az_ebs_gp3_storage_class_enabled = true
diff --git a/examples/complete/output.tf b/examples/complete/output.tf
@@ -42,3 +42,13 @@ output "istio_ingressgateway_dns_hostname" {
   value       = module.eks-addons.istio_ingressgateway_dns_hostname
   description = "DNS hostname of the Istio Ingress Gateway"
 }
+
+output "k8s-dashboard-admin-token" {
+  description = "k8s-dashboard admin token"
+  value       = module.eks-addons.k8s-dashboard-admin-token
+}
+
+output "k8s-dashboard-read-only-token" {
+  description = "k8s-dashboard read only  token"
+  value       = module.eks-addons.k8s-dashboard-read-only-token
+}
diff --git a/main.tf b/main.tf
@@ -486,3 +486,226 @@ resource "helm_release" "falco" {
     })
   ]
 }
+
+resource "kubernetes_namespace" "k8s-dashboard" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+  metadata {
+    name = "kubernetes-dashboard"
+  }
+}
+
+resource "helm_release" "kubernetes-dashboard" {
+  count      = var.kubernetes_dashboard_enabled ? 1 : 0
+  depends_on = [kubernetes_namespace.k8s-dashboard]
+  name       = "kubernetes-dashboard"
+  namespace  = "kubernetes-dashboard"
+  chart      = "kubernetes-dashboard"
+  repository = "https://kubernetes.github.io/dashboard/"
+  timeout    = 600
+  version    = "6.0.8"
+}
+
+
+resource "kubernetes_ingress_v1" "k8s-ingress" {
+  count                  = var.kubernetes_dashboard_enabled ? 1 : 0
+  depends_on             = [helm_release.kubernetes-dashboard]
+  wait_for_load_balancer = true
+  metadata {
+    name      = "k8s-dashboard-ingress"
+    namespace = "kubernetes-dashboard"
+    annotations = {
+      "cert-manager.io/cluster-issuer" : "letsencrypt-prod"
+      "kubernetes.io/ingress.class" : "nginx"
+      "kubernetes.io/tls-acme" : "false"
+      "nginx.ingress.kubernetes.io/backend-protocol" : "HTTPS"
+      "nginx.ingress.kubernetes.io/rewrite-target" : "/$2"
+      "nginx.ingress.kubernetes.io/configuration-snippet" : <<-EOF
+        if ($uri = "/dashboard") {
+          rewrite ^(/dashboard)$ $1/ redirect;
+        }
+      EOF
+    }
+  }
+  spec {
+    rule {
+      host = var.k8s_dashboard_hostname
+      http {
+        path {
+          path = "/dashboard(/|$)(.*)"
+          backend {
+            service {
+              name = "kubernetes-dashboard"
+              port {
+                number = 443
+              }
+            }
+          }
+        }
+      }
+    }
+    tls {
+      secret_name = "tls-k8s-dashboard"
+      hosts       = [var.k8s_dashboard_hostname]
+    }
+  }
+}
+
+resource "kubernetes_service_account" "dashboard_admin_sa" {
+  count      = var.kubernetes_dashboard_enabled ? 1 : 0
+  depends_on = [helm_release.kubernetes-dashboard]
+  metadata {
+    name      = "kubernetes-dashboard-admin-sa"
+    namespace = "kube-system"
+  }
+}
+
+resource "kubernetes_secret_v1" "admin-user" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+  metadata {
+    name      = "admin-user-token"
+    namespace = "kube-system"
+    annotations = {
+      "kubernetes.io/service-account.name" = kubernetes_service_account.dashboard_admin_sa[0].metadata[0].name
+    }
+  }
+  type = "kubernetes.io/service-account-token"
+  depends_on = [
+    kubernetes_service_account.dashboard_admin_sa,
+    kubernetes_cluster_role_binding_v1.admin-user
+  ]
+}
+
+resource "kubernetes_cluster_role_binding_v1" "admin-user" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+  metadata {
+    name = "admin-user"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.dashboard_admin_sa[0].metadata[0].name
+    namespace = "kube-system"
+  }
+  depends_on = [
+    kubernetes_service_account.dashboard_admin_sa
+  ]
+}
+
+resource "kubernetes_cluster_role" "eks_read_only_role" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+  metadata {
+    name = "dashboard-viewonly"
+  }
+
+  rule {
+    api_groups = [""]
+    resources = [
+      "configmaps",
+      "endpoints",
+      "persistentvolumeclaims",
+      "pods",
+      "replicationcontrollers",
+      "replicationcontrollers/scale",
+      "serviceaccounts",
+      "services",
+      "nodes",
+      "persistentvolumes",
+      "bindings",
+      "events",
+      "limitranges",
+      "namespaces/status",
+      "pods/log",
+      "pods/status",
+      "replicationcontrollers/status",
+      "resourcequotas",
+      "resourcequotas/status",
+      "namespaces",
+      "apps/daemonsets",
+      "apps/deployments",
+      "apps/deployments/scale",
+      "apps/replicasets",
+      "apps/replicasets/scale",
+      "apps/statefulsets",
+      "autoscaling/horizontalpodautoscalers",
+      "batch/cronjobs",
+      "batch/jobs",
+      "extensions/daemonsets",
+      "extensions/deployments",
+      "extensions/deployments/scale",
+      "extensions/ingresses",
+      "extensions/networkpolicies",
+      "extensions/replicasets",
+      "extensions/replicasets/scale",
+      "extensions/replicationcontrollers/scale",
+      "policy/poddisruptionbudgets",
+      "networking.k8s.io/networkpolicies",
+      "storage.k8s.io/storageclasses",
+      "storage.k8s.io/volumeattachments",
+      "rbac.authorization.k8s.io/clusterrolebindings",
+      "rbac.authorization.k8s.io/clusterroles",
+      "rbac.authorization.k8s.io/roles",
+      "rbac.authorization.k8s.io/rolebindings",
+    ]
+    verbs = ["get", "list", "watch"]
+  }
+}
+
+# Add more rules as needed for read-only access to other Kubernetes resources
+
+resource "kubernetes_service_account" "dashboard_read_only_sa" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+  metadata {
+    name      = "dashboard-read-only-sa"
+    namespace = "kube-system"
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "eks_read_only_role_binding" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+  metadata {
+    name = "eks-read-only-role-binding"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.eks_read_only_role[0].metadata[0].name
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.dashboard_read_only_sa[0].metadata[0].name
+    namespace = "kube-system"
+  }
+
+  depends_on = [
+    kubernetes_cluster_role.eks_read_only_role,
+    kubernetes_service_account.dashboard_read_only_sa
+  ]
+}
+
+resource "kubernetes_secret_v1" "dashboard_read_only_sa_token" {
+  count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+  metadata {
+    name      = "dashboard-read-only-sa-token"
+    namespace = "kube-system"
+    annotations = {
+      "kubernetes.io/service-account.name" = kubernetes_service_account.dashboard_read_only_sa[0].metadata[0].name
+    }
+  }
+
+  type = "kubernetes.io/service-account-token"
+
+  depends_on = [
+    kubernetes_service_account.dashboard_read_only_sa,
+    kubernetes_cluster_role_binding.eks_read_only_role_binding
+  ]
+}
diff --git a/modules/karpenter/karpenter.yaml b/modules/karpenter/karpenter.yaml
@@ -1,9 +1,11 @@
 nodeSelector:
   kubernetes.io/os: linux
-clusterName: ${eks_cluster_id}
-clusterEndpoint: ${eks_cluster_endpoint}
-aws:
-  defaultInstanceProfile: ${node_iam_instance_profile}
+
+settings:
+      aws:
+        defaultInstanceProfile: ${node_iam_instance_profile}
+        clusterName: ${eks_cluster_id}
+        clusterEndpoint: ${eks_cluster_endpoint}
 
 controller:
   resources:
diff --git a/modules/kubernetes-addons/karpenter/locals.tf b/modules/kubernetes-addons/karpenter/locals.tf
@@ -17,7 +17,7 @@ locals {
       name       = local.name
       chart      = local.name
       repository = "oci://public.ecr.aws/karpenter"
-      version    = "v0.18.1"
+      version    = "v0.30.0"
       namespace  = local.name
       values = [
         <<-EOT
diff --git a/outputs.tf b/outputs.tf
@@ -55,3 +55,11 @@ output "defectdojo" {
     url      = var.defectdojo_hostname
   } : null
 }
+
+output "k8s-dashboard-admin-token" {
+  value = var.kubernetes_dashboard_enabled ? nonsensitive(kubernetes_secret_v1.admin-user[0].data.token) : null
+}
+
+output "k8s-dashboard-read-only-token" {
+  value = var.kubernetes_dashboard_enabled ? nonsensitive(kubernetes_secret_v1.dashboard_read_only_sa_token[0].data.token) : null
+}
diff --git a/variables.tf b/variables.tf
@@ -372,3 +372,16 @@ variable "coredns_hpa_enabled" {
   default     = false
   type        = bool
 }
+
+variable "kubernetes_dashboard_enabled" {
+  description = "Determines whether k8s-dashboard is enabled or not"
+  default     = false
+  type        = bool
+}
+
+
+variable "k8s_dashboard_hostname" {
+  description = "Specify the hostname for the k8s dashboard. "
+  default     = ""
+  type        = string
+}
