feat: allow overriding ingress tls secret name #8761

Merged: 2 commits, Mar 7, 2024

@floreks (Member) commented Mar 7, 2024

No description provided.

@k8s-ci-robot added the `cncf-cla: yes` label (indicates the PR's author has signed the CNCF CLA) Mar 7, 2024

@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floreks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added the labels `approved` (indicates a PR has been approved by an approver from all required OWNERS files) and `size/XS` (denotes a PR that changes 0-9 lines, ignoring generated files) Mar 7, 2024
@floreks changed the title from "Release/7.1.0" to "feat: allow overriding ingress tls secret name" Mar 7, 2024
@floreks self-assigned this Mar 7, 2024
@floreks added the labels `kind/feature` (categorizes issue or PR as related to a new feature) and `lgtm` ("Looks good to me", indicates that a PR is ready to be merged) Mar 7, 2024
@floreks merged commit f46f99c into master Mar 7, 2024
17 of 23 checks passed
sp3nx0r referenced this pull request in sp3nx0r/homelab Mar 23, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kubernetes-dashboard](https://togithub.com/kubernetes/dashboard) | major | `6.0.8` -> `7.1.2` |

---

### Release Notes

<details>
<summary>kubernetes/dashboard (kubernetes-dashboard)</summary>

### [`v7.1.2`](https://togithub.com/kubernetes/dashboard/compare/kubernetes-dashboard-7.1.1...kubernetes-dashboard-7.1.2)

[Compare Source](https://togithub.com/kubernetes/dashboard/compare/kubernetes-dashboard-7.1.1...kubernetes-dashboard-7.1.2)

### [`v7.1.1`](https://togithub.com/kubernetes/dashboard/releases/tag/kubernetes-dashboard-7.1.1)

[Compare Source](https://togithub.com/kubernetes/dashboard/compare/kubernetes-dashboard-7.1.0...kubernetes-dashboard-7.1.1)

##### What's changed

- fix: skip login screen when auth header is present by [@floreks](https://togithub.com/floreks) in [https://github.com/kubernetes/dashboard/pull/8762](https://togithub.com/kubernetes/dashboard/pull/8762)

**Full Changelog**:
kubernetes/dashboard@auth/v1.1.1...kubernetes-dashboard-7.1.1

##### Auth

- add `/api/v1/me` endpoint with the username and information on whether the user was correctly authenticated

##### Web

-   update auth header handling
-   update user info panel with username from `/me` endpoint
-   update login to skip login view when auth header is present

##### Helm Chart

-   update gateway configuration to support `/me` endpoint routing

##### Installation

```sh
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
```

##### Compatibility

| Kubernetes version | 1.27 | 1.28 | 1.29 |
|--------------------|-----|-----|-----|
| Compatibility            | ?   |   ?   |   ✓    |

-   `✓` Fully supported version range.
- `?` Due to breaking changes between Kubernetes API versions, some
features might not work correctly in the Dashboard.

##### Images

    docker.io/kubernetesui/dashboard-api:1.2.0
    docker.io/kubernetesui/dashboard-auth:1.1.1
    docker.io/kubernetesui/dashboard-metrics-scraper:1.1.1
    docker.io/kubernetesui/dashboard-web:1.2.2

### [`v7.1.0`](https://togithub.com/kubernetes/dashboard/releases/tag/kubernetes-dashboard-7.1.0)

[Compare Source](https://togithub.com/kubernetes/dashboard/compare/kubernetes-dashboard-7.0.1...kubernetes-dashboard-7.1.0)

##### What's changed

**Full Changelog**:
kubernetes/dashboard@kubernetes-dashboard-7.0.1...kubernetes-dashboard-7.1.0

##### Helm chart

- feat: allow overriding ingress tls secret name by [@floreks](https://togithub.com/floreks) in [https://github.com/kubernetes/dashboard/pull/8761](https://togithub.com/kubernetes/dashboard/pull/8761)

##### Installation

```sh
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
```

##### Compatibility

| Kubernetes version | 1.27 | 1.28 | 1.29 |
|--------------------|-----|-----|-----|
| Compatibility            | ?   |   ?   |   ✓    |

-   `✓` Fully supported version range.
- `?` Due to breaking changes between Kubernetes API versions, some
features might not work correctly in the Dashboard.

##### Images

    docker.io/kubernetesui/dashboard-api:1.2.0
    docker.io/kubernetesui/dashboard-auth:1.1.0
    docker.io/kubernetesui/dashboard-metrics-scraper:1.1.1
    docker.io/kubernetesui/dashboard-web:1.2.1

### [`v7.0.1`](https://togithub.com/kubernetes/dashboard/releases/tag/kubernetes-dashboard-7.0.1)

[Compare Source](https://togithub.com/kubernetes/dashboard/compare/kubernetes-dashboard-7.0.0...kubernetes-dashboard-7.0.1)

##### What's changed

**Full Changelog**:
kubernetes/dashboard@web/v1.2.1...kubernetes-dashboard-7.0.1

##### Web container

- fix(web): fix locale-config default value by [@floreks](https://togithub.com/floreks) in [https://github.com/kubernetes/dashboard/pull/8754](https://togithub.com/kubernetes/dashboard/pull/8754)

##### Helm chart

- feat(chart): update helm chart and bump to 7.0.1 by [@floreks](https://togithub.com/floreks) in [https://github.com/kubernetes/dashboard/pull/8757](https://togithub.com/kubernetes/dashboard/pull/8757)

##### Installation

```sh
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
```

##### Compatibility

| Kubernetes version | 1.27 | 1.28 | 1.29 |
|--------------------|-----|-----|-----|
| Compatibility            | ?   |   ?   |   ✓    |

-   `✓` Fully supported version range.
- `?` Due to breaking changes between Kubernetes API versions, some
features might not work correctly in the Dashboard.

##### Images

    docker.io/kubernetesui/dashboard-api:1.2.0
    docker.io/kubernetesui/dashboard-auth:1.1.0
    docker.io/kubernetesui/dashboard-metrics-scraper:1.1.1
    docker.io/kubernetesui/dashboard-web:1.2.1

### [`v7.0.0`](https://togithub.com/kubernetes/dashboard/releases/tag/kubernetes-dashboard-7.0.0)

<h2 id="breaking-change">Breaking change</h2>
This release introduces a couple of important changes to how Kubernetes
Dashboard generally works. It requires clean installation.

##### API container
It is now fully stateless, meaning it does not rely on Kubernetes
resources to run. It will always require an authorization token to be
present to authorize the request. It is no longer possible for the API
container to use its own SA privileges to skip authorization. All
arguments that were frontend specific have either been removed or moved
to the [Web container](#web-container).

- The JWE encrypted token has been removed completely and we now rely
fully on standard JWT tokens. This change has significantly simplified
the auth flow.
-   The Web container now manages Settings ConfigMap
- The plugin system has been removed as it was outdated and not working
anymore. Currently, there is no plan to reintroduce it as it would
require too much effort to maintain.
- Added `csrf-key` argument - Base64 encoded random 256 bytes key. Can
be loaded from `CSRF_KEY` environment variable.

##### Auth container

Authentication logic is now handled by the new dashboard auth container.
Currently, it only exposes `/login` endpoint. We will also add support
for OIDC with OAuth flow and `/me` endpoint in the future.

- Added `csrf-key` argument - Base64 encoded random 256 bytes key. Can
be loaded from `CSRF_KEY` environment variable.

<h3 id="web-container">Web container</h3>

-   Settings save now uses user permissions instead of Dashboard.
-   Removed restore settings ConfigMap logic
-   Increased default resource autorefresh time interval to 10 seconds
- Added a small script to `index.html` to dynamically generate `<base href=...>` tag.

##### Go backend

- The backend now handles frontend settings and uses ConfigMap to store
them.
- Settings backend has been updated to handle merge with default options
properly in case ConfigMap does not contain all available options.
-   Replaced `restful-go` with `gin` as main web framework

##### Angular frontend

Since the API now requires the user to always provide `Authorization: Bearer <token>`, there is no way to skip login and act as a Dashboard.

- Removed support for authentication options other than `token` on the
login screen
-   Removed support for `skip` login option
-   Slightly updated login view
- Fixed an issue with zero state not being correctly displayed on some
pages

##### Kong gateway

Since the number of our containers is growing as we split parts of the
logic, we have decided to use a gateway that will connect all of them
and ensure the Dashboard is working properly. There were a couple of
reasons to choose Kong:

-   Open Source with proper license
-   Support for DBless configuration
-   Easily configurable
-   Popular
-   Single container gateway when running in DBless mode

It will now be a required dependency that we use to expose the
Dashboard. Users can then reconfigure it or use another proxy in front
of it. It will simply act as a single point when accessing the
Kubernetes Dashboard.

##### Metrics scraper

- Changed `sqlite` Go dependency to use a driver implementation that does not require `CGO_ENABLED=1` during the build. It is a pure Go implementation.

##### Helm chart

This is a complete overhaul of the helm chart. It includes:

- Added DBless, single-container kong deployment as a default gateway
for the Kubernetes Dashboard. This is a required dependency.
- Settings ConfigMap name/namespace is now configurable via values.yaml
→ web.settings.configMap entry.
- Scaling configuration has been split to allow configuring replicas per
every container separately.
- Metrics scraper service name is no longer hardcoded in the API
container. Its name is now generated similarly to other
deployments/services.
- CSRF key is now generated by Helm and imported as an env var into the containers. This allowed us to drop generation logic and direct dependency on this secret from code.
-   Image pull secrets are now properly respected by all deployments.
- RBACs for every deployment have been separated to make sure that every container gets as few permissions as possible.
-   Ingress configuration has been updated to be more flexible:
    - Dashboard can now be served more easily on a subpath simply by enabling `app.ingress.enabled=true` and `app.ingress.path=/dashboard`. It would serve Dashboard on https://localhost/dashboard by default.
    - Default annotations can now be disabled via `app.ingress.useDefaultAnnotations=false`
    - `ingressClassName` can now be skipped from spec and it should fall back to using default ingress class (if configured). It is controlled by `app.ingress.useDefaultIngressClass`.
- Helm chart now supports API only mode meaning that you can deploy only an API container. This can be achieved by below configuration:
    -   `app.mode=api`
    -   `kong.enabled=false`
    - Optionally you can also disable metrics with `api.containers.args={--metrics-provider=none}`
- `cert-manager`, `nginx` and `metrics-server` are now disabled by
default. Only `kong` dependency is required.
- `clusterReadOnlyRole` has been removed since it is no longer possible
to use Dashboard permissions to access the cluster. User access is
required at all times.

##### Installation

```sh
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
```

##### Compatibility

| Kubernetes version | 1.27 | 1.28 | 1.29 |
|--------------------|-----|-----|-----|
| Compatibility            | ?   |   ?   |   ✓    |

-   `✓` Fully supported version range.
- `?` Due to breaking changes between Kubernetes API versions, some
features might not work correctly in the Dashboard.

##### Images

    docker.io/kubernetesui/dashboard-api:1.2.0
    docker.io/kubernetesui/dashboard-auth:1.1.0
    docker.io/kubernetesui/dashboard-metrics-scraper:1.1.1
    docker.io/kubernetesui/dashboard-web:1.2.0

##### What's Changed

-   Mostly things described in [Breaking change](#breaking-change)
-   Dependency updates

**Full Changelog**:
kubernetes/dashboard@v3.0.0-alpha0...kubernetes-dashboard-7.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on saturday" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/sp3nx0r/homelab).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>