Merge pull request #22 from Ajay-sops/main

added support for k8s dashboard

README.md

@@ -24,6 +24,8 @@ module "eks_addons" {
  private_subnet_ids = [""]
  single_az_sc_config = [{ name = "infra-service-sc", zone = "zone-name" }]
  coredns_hpa_enabled = true
+ kubernetes_dashboard_enabled = true
+ k8s_dashboard_hostname = "dashboard.prod.in"
  kubeclarity_enabled = true
  kubeclarity_hostname = "kubeclarity.prod.in"
  kubecost_enabled = true
@@ -265,15 +267,25 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | [helm_release.falco](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.internal_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kubeclarity](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.kubernetes-dashboard](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.metrics-server-vpa](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.vpa-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_cluster_role.eks_read_only_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.eks_read_only_role_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
+| [kubernetes_cluster_role_binding_v1.admin-user](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource |
+| [kubernetes_ingress_v1.k8s-ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
 | [kubernetes_ingress_v1.kubecost](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
 | [kubernetes_namespace.defectdojo](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.falco](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.internal_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.k8s-dashboard](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kube_clarity](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_secret.kube_clarity](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.kubecost](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret_v1.admin-user](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.dashboard_read_only_sa_token](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_service_account.dashboard_admin_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [kubernetes_service_account.dashboard_read_only_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [random_password.kube_clarity](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.kubecost](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_eks_addon_version.kubecost](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
@@ -316,6 +328,7 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="input_ipv6_enabled"></a> [ipv6\_enabled](#input\_ipv6\_enabled) | whether IPv6 enabled or not | `bool` | `false` | no |
 | <a name="input_istio_config"></a> [istio\_config](#input\_istio\_config) | Configuration to provide settings for Istio | <pre>object({<br> ingress_gateway_enabled = bool<br> ingress_gateway_namespace = optional(string, "istio-ingressgateway")<br> egress_gateway_enabled = bool<br> egress_gateway_namespace = optional(string, "istio-egressgateway")<br> envoy_access_logs_enabled = bool<br> prometheus_monitoring_enabled = bool<br> istio_values_yaml = any<br> })</pre> | <pre>{<br> "egress_gateway_enabled": false,<br> "envoy_access_logs_enabled": true,<br> "ingress_gateway_enabled": true,<br> "istio_values_yaml": "",<br> "prometheus_monitoring_enabled": true<br>}</pre> | no |
 | <a name="input_istio_enabled"></a> [istio\_enabled](#input\_istio\_enabled) | Enable istio for service mesh. | `bool` | `false` | no |
+| <a name="input_k8s_dashboard_hostname"></a> [k8s\_dashboard\_hostname](#input\_k8s\_dashboard\_hostname) | Specify the hostname for the k8s dashboard. | `string` | `""` | no |
 | <a name="input_karpenter_enabled"></a> [karpenter\_enabled](#input\_karpenter\_enabled) | Enable or disable Karpenter, a Kubernetes-native, multi-tenant, and auto-scaling solution for containerized workloads on Kubernetes. | `bool` | `false` | no |
 | <a name="input_karpenter_provisioner_config"></a> [karpenter\_provisioner\_config](#input\_karpenter\_provisioner\_config) | Configuration to provide settings for Karpenter, including which private subnet to use, instance capacity types, and excluded instance types. | `any` | <pre>{<br> "excluded_instance_type": [<br> "nano",<br> "micro",<br> "small"<br> ],<br> "instance_capacity_type": [<br> "spot"<br> ],<br> "instance_hypervisor": [<br> "nitro"<br> ],<br> "private_subnet_name": ""<br>}</pre> | no |
 | <a name="input_karpenter_provisioner_enabled"></a> [karpenter\_provisioner\_enabled](#input\_karpenter\_provisioner\_enabled) | Enable or disable the installation of Karpenter, which is a Kubernetes cluster autoscaler. | `bool` | `false` | no |
@@ -327,6 +340,7 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="input_kubeclarity_namespace"></a> [kubeclarity\_namespace](#input\_kubeclarity\_namespace) | Name of the Kubernetes namespace where the kubeclarity deployment will be deployed. | `string` | `"kubeclarity"` | no |
 | <a name="input_kubecost_enabled"></a> [kubecost\_enabled](#input\_kubecost\_enabled) | Enable or disable the deployment of an Kubecost for Kubernetes. | `bool` | `false` | no |
 | <a name="input_kubecost_hostname"></a> [kubecost\_hostname](#input\_kubecost\_hostname) | Specify the hostname for the kubecsot. | `string` | `""` | no |
+| <a name="input_kubernetes_dashboard_enabled"></a> [kubernetes\_dashboard\_enabled](#input\_kubernetes\_dashboard\_enabled) | Determines whether k8s-dashboard is enabled or not | `bool` | `false` | no |
 | <a name="input_metrics_server_enabled"></a> [metrics\_server\_enabled](#input\_metrics\_server\_enabled) | Enable or disable the metrics server add-on for EKS cluster. | `bool` | `false` | no |
 | <a name="input_metrics_server_helm_version"></a> [metrics\_server\_helm\_version](#input\_metrics\_server\_helm\_version) | Version of the metrics server helm chart | `string` | `"3.11.0"` | no |
 | <a name="input_metrics_server_vpa_config"></a> [metrics\_server\_vpa\_config](#input\_metrics\_server\_vpa\_config) | Configuration to provide settings of vpa over metrics server | `any` | <pre>{<br> "maxCPU": "100m",<br> "maxMemory": "500Mi",<br> "metricsServerDeploymentName": "metrics-server",<br> "minCPU": "25m",<br> "minMemory": "150Mi"<br>}</pre> | no |
@@ -355,6 +369,8 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="output_environment"></a> [environment](#output\_environment) | Environment Name for the EKS cluster |
 | <a name="output_internal_nginx_ingress_controller_dns_hostname"></a> [internal\_nginx\_ingress\_controller\_dns\_hostname](#output\_internal\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller that can be used to access it from within the cluster. |
 | <a name="output_istio_ingressgateway_dns_hostname"></a> [istio\_ingressgateway\_dns\_hostname](#output\_istio\_ingressgateway\_dns\_hostname) | DNS hostname of the Istio Ingress Gateway. |
+| <a name="output_k8s-dashboard-admin-token"></a> [k8s-dashboard-admin-token](#output\_k8s-dashboard-admin-token) | n/a |
+| <a name="output_k8s-dashboard-read-only-token"></a> [k8s-dashboard-read-only-token](#output\_k8s-dashboard-read-only-token) | n/a |
 | <a name="output_kubeclarity"></a> [kubeclarity](#output\_kubeclarity) | Kubeclarity endpoint and credentials |
 | <a name="output_kubecost"></a> [kubecost](#output\_kubecost) | Kubecost endpoint and credentials |
 | <a name="output_nginx_ingress_controller_dns_hostname"></a> [nginx\_ingress\_controller\_dns\_hostname](#output\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller. |

examples/complete/README.md

@@ -49,6 +49,8 @@ No inputs.
 | <a name="output_environment"></a> [environment](#output\_environment) | Environment Name for the EKS cluster |
 | <a name="output_internal_nginx_ingress_controller_dns_hostname"></a> [internal\_nginx\_ingress\_controller\_dns\_hostname](#output\_internal\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller that can be used to access it from within the cluster. |
 | <a name="output_istio_ingressgateway_dns_hostname"></a> [istio\_ingressgateway\_dns\_hostname](#output\_istio\_ingressgateway\_dns\_hostname) | DNS hostname of the Istio Ingress Gateway |
+| <a name="output_k8s-dashboard-admin-token"></a> [k8s-dashboard-admin-token](#output\_k8s-dashboard-admin-token) | k8s-dashboard admin token |
+| <a name="output_k8s-dashboard-read-only-token"></a> [k8s-dashboard-read-only-token](#output\_k8s-dashboard-read-only-token) | k8s-dashboard read only token |
 | <a name="output_kubeclarity"></a> [kubeclarity](#output\_kubeclarity) | Kubeclarity endpoint and credentials |
 | <a name="output_kubecost"></a> [kubecost](#output\_kubecost) | Kubecost endpoint and credentials |
 | <a name="output_nginx_ingress_controller_dns_hostname"></a> [nginx\_ingress\_controller\_dns\_hostname](#output\_nginx\_ingress\_controller\_dns\_hostname) | DNS hostname of the NGINX Ingress Controller. |

examples/complete/main.tf

@@ -21,6 +21,8 @@ module "eks-addons" {
  kms_policy_arn = "arn:aws:iam::xxxxxxxxxxxx:policy/policy_name" ## eks module will create kms_policy_arn
  eks_cluster_name = "cluster_name"
  reloader_enabled = true
+ kubernetes_dashboard_enabled = true
+ k8s_dashboard_hostname = "dashboard.prod.in"
  karpenter_enabled = true
  private_subnet_ids = ["subnet-xxxxxxxxxxxx", "subnet-xxxxxxxxxxxx"]
  single_az_ebs_gp3_storage_class_enabled = true

examples/complete/output.tf

@@ -42,3 +42,13 @@ output "istio_ingressgateway_dns_hostname" {
  value = module.eks-addons.istio_ingressgateway_dns_hostname
  description = "DNS hostname of the Istio Ingress Gateway"
 }
+
+output "k8s-dashboard-admin-token" {
+ description = "k8s-dashboard admin token"
+ value = module.eks-addons.k8s-dashboard-admin-token
+}
+
+output "k8s-dashboard-read-only-token" {
+ description = "k8s-dashboard read only token"
+ value = module.eks-addons.k8s-dashboard-read-only-token
+}

main.tf

@@ -486,3 +486,226 @@ resource "helm_release" "falco" {
  })
  ]
 }
+
+resource "kubernetes_namespace" "k8s-dashboard" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+ metadata {
+ name = "kubernetes-dashboard"
+ }
+}
+
+resource "helm_release" "kubernetes-dashboard" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+ depends_on = [kubernetes_namespace.k8s-dashboard]
+ name = "kubernetes-dashboard"
+ namespace = "kubernetes-dashboard"
+ chart = "kubernetes-dashboard"
+ repository = "https://kubernetes.github.io/dashboard/"
+ timeout = 600
+ version = "6.0.8"
+}
+
+
+resource "kubernetes_ingress_v1" "k8s-ingress" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+ depends_on = [helm_release.kubernetes-dashboard]
+ wait_for_load_balancer = true
+ metadata {
+ name = "k8s-dashboard-ingress"
+ namespace = "kubernetes-dashboard"
+ annotations = {
+ "cert-manager.io/cluster-issuer" : "letsencrypt-prod"
+ "kubernetes.io/ingress.class" : "nginx"
+ "kubernetes.io/tls-acme" : "false"
+ "nginx.ingress.kubernetes.io/backend-protocol" : "HTTPS"
+ "nginx.ingress.kubernetes.io/rewrite-target" : "/$2"
+ "nginx.ingress.kubernetes.io/configuration-snippet" : <<-EOF
+ if ($uri = "/dashboard") {
+ rewrite ^(/dashboard)$ $1/ redirect;
+ }
+ EOF
+ }
+ }
+ spec {
+ rule {
+ host = var.k8s_dashboard_hostname
+ http {
+ path {
+ path = "/dashboard(/|$)(.*)"
+ backend {
+ service {
+ name = "kubernetes-dashboard"
+ port {
+ number = 443
+ }
+ }
+ }
+ }
+ }
+ }
+ tls {
+ secret_name = "tls-k8s-dashboard"
+ hosts = [var.k8s_dashboard_hostname]
+ }
+ }
+}
+
+resource "kubernetes_service_account" "dashboard_admin_sa" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+ depends_on = [helm_release.kubernetes-dashboard]
+ metadata {
+ name = "kubernetes-dashboard-admin-sa"
+ namespace = "kube-system"
+ }
+}
+
+resource "kubernetes_secret_v1" "admin-user" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+ metadata {
+ name = "admin-user-token"
+ namespace = "kube-system"
+ annotations = {
+ "kubernetes.io/service-account.name" = kubernetes_service_account.dashboard_admin_sa[0].metadata[0].name
+ }
+ }
+ type = "kubernetes.io/service-account-token"
+ depends_on = [
+ kubernetes_service_account.dashboard_admin_sa,
+ kubernetes_cluster_role_binding_v1.admin-user
+ ]
+}
+
+resource "kubernetes_cluster_role_binding_v1" "admin-user" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+ metadata {
+ name = "admin-user"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-admin"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = kubernetes_service_account.dashboard_admin_sa[0].metadata[0].name
+ namespace = "kube-system"
+ }
+ depends_on = [
+ kubernetes_service_account.dashboard_admin_sa
+ ]
+}
+
+resource "kubernetes_cluster_role" "eks_read_only_role" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+ metadata {
+ name = "dashboard-viewonly"
+ }
+
+ rule {
+ api_groups = [""]
+ resources = [
+ "configmaps",
+ "endpoints",
+ "persistentvolumeclaims",
+ "pods",
+ "replicationcontrollers",
+ "replicationcontrollers/scale",
+ "serviceaccounts",
+ "services",
+ "nodes",
+ "persistentvolumes",
+ "bindings",
+ "events",
+ "limitranges",
+ "namespaces/status",
+ "pods/log",
+ "pods/status",
+ "replicationcontrollers/status",
+ "resourcequotas",
+ "resourcequotas/status",
+ "namespaces",
+ "apps/daemonsets",
+ "apps/deployments",
+ "apps/deployments/scale",
+ "apps/replicasets",
+ "apps/replicasets/scale",
+ "apps/statefulsets",
+ "autoscaling/horizontalpodautoscalers",
+ "batch/cronjobs",
+ "batch/jobs",
+ "extensions/daemonsets",
+ "extensions/deployments",
+ "extensions/deployments/scale",
+ "extensions/ingresses",
+ "extensions/networkpolicies",
+ "extensions/replicasets",
+ "extensions/replicasets/scale",
+ "extensions/replicationcontrollers/scale",
+ "policy/poddisruptionbudgets",
+ "networking.k8s.io/networkpolicies",
+ "storage.k8s.io/storageclasses",
+ "storage.k8s.io/volumeattachments",
+ "rbac.authorization.k8s.io/clusterrolebindings",
+ "rbac.authorization.k8s.io/clusterroles",
+ "rbac.authorization.k8s.io/roles",
+ "rbac.authorization.k8s.io/rolebindings",
+ ]
+ verbs = ["get", "list", "watch"]
+ }
+}
+
+# Add more rules as needed for read-only access to other Kubernetes resources
+
+resource "kubernetes_service_account" "dashboard_read_only_sa" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+ metadata {
+ name = "dashboard-read-only-sa"
+ namespace = "kube-system"
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "eks_read_only_role_binding" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+ metadata {
+ name = "eks-read-only-role-binding"
+ }
+
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.eks_read_only_role[0].metadata[0].name
+ }
+
+ subject {
+ kind = "ServiceAccount"
+ name = kubernetes_service_account.dashboard_read_only_sa[0].metadata[0].name
+ namespace = "kube-system"
+ }
+
+ depends_on = [
+ kubernetes_cluster_role.eks_read_only_role,
+ kubernetes_service_account.dashboard_read_only_sa
+ ]
+}
+
+resource "kubernetes_secret_v1" "dashboard_read_only_sa_token" {
+ count = var.kubernetes_dashboard_enabled ? 1 : 0
+
+ metadata {
+ name = "dashboard-read-only-sa-token"
+ namespace = "kube-system"
+ annotations = {
+ "kubernetes.io/service-account.name" = kubernetes_service_account.dashboard_read_only_sa[0].metadata[0].name
+ }
+ }
+
+ type = "kubernetes.io/service-account-token"
+
+ depends_on = [
+ kubernetes_service_account.dashboard_read_only_sa,
+ kubernetes_cluster_role_binding.eks_read_only_role_binding
+ ]
+}

modules/karpenter/karpenter.yaml

@@ -1,9 +1,11 @@
 nodeSelector:
  kubernetes.io/os: linux
-clusterName: ${eks_cluster_id}
-clusterEndpoint: ${eks_cluster_endpoint}
-aws:
- defaultInstanceProfile: ${node_iam_instance_profile}
+
+settings:
+ aws:
+ defaultInstanceProfile: ${node_iam_instance_profile}
+ clusterName: ${eks_cluster_id}
+ clusterEndpoint: ${eks_cluster_endpoint}
 
 controller:
  resources:

modules/kubernetes-addons/karpenter/locals.tf

@@ -17,7 +17,7 @@ locals {
  name = local.name
  chart = local.name
  repository = "oci://public.ecr.aws/karpenter"
- version = "v0.18.1"
+ version = "v0.30.0"
  namespace = local.name
  values = [
  <<-EOT

outputs.tf

@@ -55,3 +55,11 @@ output "defectdojo" {
  url = var.defectdojo_hostname
  } : null
 }
+
+output "k8s-dashboard-admin-token" {
+ value = var.kubernetes_dashboard_enabled ? nonsensitive(kubernetes_secret_v1.admin-user[0].data.token) : null
+}
+
+output "k8s-dashboard-read-only-token" {
+ value = var.kubernetes_dashboard_enabled ? nonsensitive(kubernetes_secret_v1.dashboard_read_only_sa_token[0].data.token) : null
+}

variables.tf

@@ -372,3 +372,16 @@ variable "coredns_hpa_enabled" {
  default = false
  type = bool
 }
+
+variable "kubernetes_dashboard_enabled" {
+ description = "Determines whether k8s-dashboard is enabled or not"
+ default = false
+ type = bool
+}
+
+
+variable "k8s_dashboard_hostname" {
+ description = "Specify the hostname for the k8s dashboard. "
+ default = ""
+ type = string
+}