Merge pull request #100 from squareops/release-4.1.0

ns-squareops · web-flow · commit bcbff9fa78aa · 2025-02-28T11:38:47.000+05:30
Release 4.1.0
diff --git a/examples/complete/config/kubernetes-dashboard.yaml b/examples/complete/config/kubernetes-dashboard.yaml
@@ -0,0 +1,22 @@
+## Number of replicas
+replicaCount: 1
+
+affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+            - key: "Addons-Services"
+              operator: In
+              values:
+              - "true"
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 200Mi
+  limits:
+    cpu: 2
+    memory: 400Mi
+
+
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -23,7 +23,7 @@ locals {
 
 module "eks-addons" {
   source               = "squareops/eks-addons/aws"
-  version              = "4.0.2"
+  version              = "4.1.0"
   name                 = local.name
   tags                 = local.additional_tags
   vpc_id               = local.vpc_id
@@ -38,7 +38,7 @@ module "eks-addons" {
   eks_cluster_name     = data.aws_eks_cluster.cluster.name
 
   #VPC-CNI-DRIVER
-  amazon_eks_vpc_cni_enabled = true # enable VPC-CNI
+  amazon_eks_vpc_cni_enabled = false # enable VPC-CNI
   vpc_cni_version            = "v1.19.2-eksbuild.1"
 
   #EBS-CSI-DRIVER
@@ -168,11 +168,13 @@ module "eks-addons" {
   kubernetes_dashboard_enabled = false
   kubernetes_dashboard_version = "6.0.8"
   kubernetes_dashboard_config = {
+    values_yaml                         = file("${path.module}/config/kubernetes-dashboard.yaml")
     k8s_dashboard_ingress_load_balancer = "nlb"                            # Pass either "nlb/alb" to choose load balancer controller as ingress-nginx controller or ALB controller
     private_alb_enabled                 = false                            # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together
     alb_acm_certificate_arn             = ""                               # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL.
     k8s_dashboard_hostname              = "k8s-dashboard.rnd.squareops.in" # Enter Hostname
     ingress_class_name                  = "nginx"                          # For public nlb use "nginx", for private NLB use "private-nginx", For ALB, use "alb"
+    enable_service_monitor              = false                         
   }
 
   ## ArgoCD
@@ -256,4 +258,4 @@ module "eks-addons" {
   falco_enabled = false # to enable falco
   falco_version = "4.0.0"
   slack_webhook = "xoxb-379541400966-iibMHnnoaPzVl"
-}
+}
diff --git a/main.tf b/main.tf
@@ -239,13 +239,17 @@ module "kubernetes-dashboard" {
   source                              = "./modules/kubernetes-dashboard"
   count                               = var.kubernetes_dashboard_enabled ? 1 : 0
   depends_on                          = [module.cert-manager-le-http-issuer, module.ingress-nginx, module.private-ingress-nginx, module.aws-load-balancer-controller]
+  addon_version                       = var.kubernetes_dashboard_version
+  kubernetes_dashboard_config = {
+  values_yaml                         = var.kubernetes_dashboard_config.values_yaml
   k8s_dashboard_hostname              = var.kubernetes_dashboard_config.k8s_dashboard_hostname
   alb_acm_certificate_arn             = var.kubernetes_dashboard_config.alb_acm_certificate_arn
   k8s_dashboard_ingress_load_balancer = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer
   private_alb_enabled                 = var.kubernetes_dashboard_config.private_alb_enabled
   ingress_class_name                  = var.kubernetes_dashboard_config.ingress_class_name
   subnet_ids                          = var.kubernetes_dashboard_config.private_alb_enabled == true ? var.private_subnet_ids : var.public_subnet_ids
-  addon_version                       = var.kubernetes_dashboard_version
+  enable_service_monitor              = var.kubernetes_dashboard_config.enable_service_monitor
+}
 }
 
 ## KEDA
diff --git a/modules/kubernetes-dashboard/config/values.yaml b/modules/kubernetes-dashboard/config/values.yaml
@@ -0,0 +1,169 @@
+## Number of replicas
+replicaCount: 1
+
+annotations: {}
+## Here labels can be added to the kubernetes dashboard deployment
+
+securityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+## SecurityContext defaults for the kubernetes dashboard container and metrics scraper container
+## To disable set the following configuration to null:
+# containerSecurityContext: null
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsUser: 1001
+  runAsGroup: 2001
+  capabilities:
+    drop: ["ALL"]
+
+## @param podLabels Extra labels for OAuth2 Proxy pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Annotations for OAuth2 Proxy pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: 
+  co.elastic.logs/enabled: "true"
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: 
+  kubernetes.io/os: linux
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+            - key: "Addons-Services"
+              operator: In
+              values:
+              - "true"
+
+## Name of Priority Class of pods
+# priorityClassName: ""
+
+## Pod resource requests & limits
+resources:
+  requests:
+    cpu: 100m
+    memory: 200Mi
+  limits:
+    cpu: 2
+    memory: 200Mi
+
+## Serve application over HTTP without TLS
+##
+## Note: If set to true, you may want to add --enable-insecure-login to extraArgs
+protocolHttp: false
+
+service:
+  type: ClusterIP
+  # Dashboard service port
+  externalPort: 443
+  annotations: {}
+
+  ## Here labels can be added to the Kubernetes Dashboard service
+  labels: {}
+
+  ## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters >=1.15.
+  ## Otherwise, the addon manager will presume ownership of the service and try to delete it.
+  clusterServiceLabel:
+    enabled: true
+    key: "kubernetes.io/cluster-service"
+
+ingress:
+  enabled: true
+  annotations: {}
+  ingressClassName: ${ingress_class_name}
+  hostname: ${hostname}
+
+  paths:
+    - /
+  #  - /*
+
+  ## Custom Kubernetes Dashboard Ingress paths. Will override default paths.
+  ##
+  customPaths: []
+
+settings:
+  {}
+ 
+## Pinned CRDs that will be displayed in dashboard's menu
+metricsScraper:
+  ## Wether to enable dashboard-metrics-scraper
+  enabled: false
+  image:
+    repository: kubernetesui/metrics-scraper
+    tag: v1.0.9
+  resources: {}
+  
+metrics-server:
+  enabled: false
+  ## Example for additional args
+  # args:
+  #  - --kubelet-preferred-address-types=InternalIP
+  #  - --kubelet-insecure-tls
+
+rbac:
+  # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created
+  create: true
+
+  # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created
+  # Independent from rbac.create parameter.
+  clusterRoleMetrics: true
+  clusterReadOnlyRole: false
+
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+livenessProbe:
+  # Number of seconds to wait before sending first probe
+  initialDelaySeconds: 30
+  # Number of seconds to wait for probe response
+  timeoutSeconds: 30
+
+## podDisruptionBudget
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+podDisruptionBudget:
+  enabled: false
+  ## Minimum available instances; ignored if there is no PodDisruptionBudget
+  minAvailable:
+  ## Maximum unavailable instances; ignored if there is no PodDisruptionBudget
+  maxUnavailable:
+
+
+networkPolicy:
+  # Whether to create a network policy that allows/restricts access to the service
+  enabled: false
+
+  # Whether to set network policy to deny all ingress traffic for the kubernetes-dashboard
+  ingressDenyAll: false
+
+podSecurityPolicy:
+  # Specifies whether a pod security policy should be created
+  enabled: false
+
+serviceMonitor:
+  # Whether or not to create a Prometheus Operator service monitor.
+  enabled: ${enable_service_monitor}
+  ## Here labels can be added to the serviceMonitor
+  labels: {}
+  ## Here annotations can be added to the serviceMonitor
+  annotations: {}
+
diff --git a/modules/kubernetes-dashboard/main.tf b/modules/kubernetes-dashboard/main.tf
@@ -1,5 +1,5 @@
 locals {
-  alb_scheme = var.private_alb_enabled ? "internal" : "internet-facing"
+  alb_scheme = var.kubernetes_dashboard_config.private_alb_enabled ? "internal" : "internet-facing"
 }
 
 resource "kubernetes_namespace" "k8s-dashboard" {
@@ -16,6 +16,14 @@ resource "helm_release" "kubernetes-dashboard" {
   repository = "https://kubernetes.github.io/dashboard/"
   timeout    = 600
   version    = var.addon_version
+   values = [
+    templatefile("${path.module}/config/values.yaml", {
+      hostname                  = var.kubernetes_dashboard_config.k8s_dashboard_hostname
+      ingress_class_name        = var.kubernetes_dashboard_config.ingress_class_name
+      enable_service_monitor    = var.kubernetes_dashboard_config.enable_service_monitor
+    }),
+    var.kubernetes_dashboard_config.values_yaml
+  ]
 }
 
 resource "kubernetes_ingress_v1" "k8s-ingress" {
@@ -28,17 +36,17 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
       "kubernetes.io/ingress.class"                    = "alb"
       "alb.ingress.kubernetes.io/scheme"               = local.alb_scheme
       "alb.ingress.kubernetes.io/target-type"          = "ip"
-      "alb.ingress.kubernetes.io/certificate-arn"      = var.alb_acm_certificate_arn,
+      "alb.ingress.kubernetes.io/certificate-arn"      = var.kubernetes_dashboard_config.alb_acm_certificate_arn,
       "alb.ingress.kubernetes.io/healthcheck-path"     = "/"
       "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTPS"
       "alb.ingress.kubernetes.io/backend-protocol"     = "HTTPS"
       "alb.ingress.kubernetes.io/listen-ports"         = "[{\"HTTPS\":443}]"
       "alb.ingress.kubernetes.io/ssl-redirect"         = "443"
       "alb.ingress.kubernetes.io/group.name"           = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress"
-      "alb.ingress.kubernetes.io/subnets"              = join(",", var.subnet_ids)
+      "alb.ingress.kubernetes.io/subnets"              = join(",", var.kubernetes_dashboard_config.subnet_ids)
       } : {
       "cert-manager.io/cluster-issuer"                    = "letsencrypt-prod"
-      "kubernetes.io/ingress.class"                       = var.ingress_class_name
+      "kubernetes.io/ingress.class"                       = var.kubernetes_dashboard_config.ingress_class_name
       "kubernetes.io/tls-acme"                            = "false"
       "nginx.ingress.kubernetes.io/backend-protocol"      = "HTTPS"
       "nginx.ingress.kubernetes.io/rewrite-target"        = "/$2"
@@ -50,13 +58,12 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
     }
   }
   spec {
-    ingress_class_name = var.ingress_class_name
+    ingress_class_name = var.kubernetes_dashboard_config.ingress_class_name
     rule {
-      host = var.k8s_dashboard_hostname
+      host = var.kubernetes_dashboard_config.k8s_dashboard_hostname
       http {
         path {
-          path      = var.k8s_dashboard_ingress_load_balancer == "alb" ? "/" : "/dashboard(/|$)(.*)"
-          path_type = var.k8s_dashboard_ingress_load_balancer == "alb" ? "Prefix" : "ImplementationSpecific"
+          path      = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer == "alb" ? "/" : "/dashboard(/|$)(.*)"
           backend {
             service {
               name = "kubernetes-dashboard"
@@ -69,8 +76,8 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
       }
     }
     tls {
-      secret_name = var.k8s_dashboard_ingress_load_balancer == "alb" ? "" : "tls-k8s-dashboard"
-      hosts       = var.k8s_dashboard_ingress_load_balancer == "alb" ? [] : [var.k8s_dashboard_hostname]
+      secret_name = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer == "alb" ? "" : "tls-k8s-dashboard"
+      hosts       = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer == "alb" ? [] : [var.kubernetes_dashboard_config.k8s_dashboard_hostname]
     }
   }
 }
diff --git a/modules/kubernetes-dashboard/variables.tf b/modules/kubernetes-dashboard/variables.tf
@@ -36,6 +36,18 @@ variable "subnet_ids" {
 
 variable "addon_version" {
   description = "Helm Chart version for Kubernetes-dashboard"
-  default     = ""
+  default     = "6.0.8"
   type        = string
 }
+
+variable "kubernetes_dashboard_config" {
+  type = any
+  default = {
+    hostname                     = ""
+    values_yaml                  = ""
+    ingress_class_name           = ""
+    enable_service_monitor       = ""
+    subnet_ids                   = []
+  }
+  description = "Specify the configuration settings for kubernetes-dashboard , including the hostname, and custom YAML values."
+}
diff --git a/variables.tf b/variables.tf
@@ -520,17 +520,21 @@ variable "kubernetes_dashboard_enabled" {
 variable "kubernetes_dashboard_config" {
   description = "Specify all the configuration setup here"
   type = object({
+    k8s_dashboard_hostname              = string
+    values_yaml                         = any
+    enable_service_monitor              = bool
     k8s_dashboard_ingress_load_balancer = string
     alb_acm_certificate_arn             = string
-    k8s_dashboard_hostname              = string
     private_alb_enabled                 = bool
     ingress_class_name                  = string
   })
 
   default = {
+    k8s_dashboard_hostname              = ""
+    values_yaml                         = {}
+    enable_service_monitor              = false
     k8s_dashboard_ingress_load_balancer = ""
     alb_acm_certificate_arn             = ""
-    k8s_dashboard_hostname              = ""
     private_alb_enabled                 = false
     ingress_class_name                  = ""
   }
