diff --git a/config/metrics.tf b/config/metrics.tf
index 8c5d5d7..a2327f8 100644
--- a/config/metrics.tf
+++ b/config/metrics.tf
@@ -15,6 +15,152 @@ resource "helm_release" "metrics_server" {
 wait = true
 }
 
-output "metrics_server_metadata" {
- value = var.enable_metrics ? helm_release.metrics_server[0].metadata : null
+resource "kubernetes_namespace" "kubernetes_dashboard" {
+ count = var.enable_metrics ? 1 : 0
+
+ metadata {
+ name = "kubernetes-dashboard"
+ }
+}
+
+resource "helm_release" "kubernetes_dashboard" {
+ count = var.enable_metrics ? 1 : 0
+
+ name = "kubernetes-dashboard"
+ repository = "https://kubernetes.github.io/dashboard/"
+ chart = "kubernetes-dashboard"
+ namespace = kubernetes_namespace.kubernetes_dashboard[0].metadata[0].name
+ version = var.kubernetes_dashboard_version
+
+ depends_on = [kubernetes_namespace.kubernetes_dashboard]
+
+}
+
+resource "kubernetes_service_account_v1" "dashboard_user" {
+ count = var.enable_metrics ? 1 : 0
+
+ metadata {
+ name = "dashboard-user"
+ namespace = helm_release.kubernetes_dashboard[0].name
+ }
+
+ depends_on = [
+ helm_release.kubernetes_dashboard
+ ]
+}
+
+resource "kubernetes_secret_v1" "dashboard_user" {
+ count = var.enable_metrics ? 1 : 0
+
+ metadata {
+ name = "dashboard-user-token"
+ namespace = kubernetes_namespace.kubernetes_dashboard[0].metadata[0].name
+ annotations = {
+ "kubernetes.io/service-account.name" = kubernetes_service_account_v1.dashboard_user[0].metadata[0].name
+ }
+ }
+ type = "kubernetes.io/service-account-token"
+ wait_for_service_account_token = true
+
+ depends_on = [
+ helm_release.kubernetes_dashboard
+ ]
+}
+
+resource "kubernetes_cluster_role_v1" "read_only" {
+ count = var.enable_metrics ? 1 : 0
+
+ metadata {
+ name = "read-only-cluster-role"
+ }
+
+ rule {
+ api_groups = [""]
+ resources = [
+ "bindings", "configmaps", "deployments", "endpoints", "events", "ingressclasses",
+ "limitranges", "namespaces", "namespaces/status", "nodes", "persistentvolumeclaims", "persistentvolumes",
+ "pods", "pods/log", "pods/status", "replicasets", "replicationcontrollers", "replicationcontrollers",
+ "replicationcontrollers/scale", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status",
+ "secrets", "serviceaccounts", "services", "services",
+ ]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["apps"]
+ resources = ["daemonsets", "deployments", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["autoscaling"]
+ resources = ["horizontalpodautoscalers"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["batch"]
+ resources = ["cronjobs", "jobs"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["extensions"]
+ resources = [
+ "daemonsets", "deployments", "deployments/scale", "ingresses", "networkpolicies",
+ "replicasets", "replicasets/scale", "replicationcontrollers/scale",
+ ]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["networking.k8s.io"]
+ resources = ["ingresses", "ingressclasses", "networkpolicies"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["policy"]
+ resources = ["poddisruptionbudgets"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["rbac.authorization.k8s.io"]
+ resources = ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["storage.k8s.io"]
+ resources = ["storageclasses", "volumeattachments"]
+ verbs = ["get", "list", "watch"]
+ }
+}
+
+resource "kubernetes_cluster_role_binding_v1" "dashboard_user" {
+ count = var.enable_metrics ? 1 : 0
+
+ metadata {
+ name = "dashboard-user"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role_v1.read_only[0].metadata[0].name
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = kubernetes_service_account_v1.dashboard_user[0].metadata[0].name
+ namespace = kubernetes_namespace.kubernetes_dashboard[0].metadata[0].name
+ }
+ depends_on = [
+ helm_release.kubernetes_dashboard,
+ kubernetes_service_account_v1.dashboard_user
+ ]
+}
+
+output "radar_base_k8s_dashboard_user_token" {
+ value = var.enable_metrics ? kubernetes_secret_v1.dashboard_user[0].data.token : null
+ sensitive = true
 }
diff --git a/config/s3.tf b/config/s3.tf
index 1d78622..8f7852c 100644
--- a/config/s3.tf
+++ b/config/s3.tf
@@ -101,7 +101,8 @@ output "radar_base_s3_velero_bucket_name" {
 }
 
 output "radar_base_s3_access_key" {
- value = var.enable_s3 ? aws_iam_access_key.s3_access[0].id : null
+ value = var.enable_s3 ? aws_iam_access_key.s3_access[0].id : null
+ sensitive = true
 }
 
 output "radar_base_s3_secret_key" {
diff --git a/config/terraform.tfvars b/config/terraform.tfvars
index 1953e27..c895eaa 100644
--- a/config/terraform.tfvars
+++ b/config/terraform.tfvars
@@ -1,6 +1,6 @@
 AWS_REGION = "eu-west-2"
 environment = "dev"
-domain_name = {} # Pair of top level domain and hosted zone ID for deployed applications
+domain_name = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
 with_dmz_pods = false
 enable_metrics = false
 enable_karpenter = false
diff --git a/config/variables.tf b/config/variables.tf
index 8823705..707066c 100644
--- a/config/variables.tf
+++ b/config/variables.tf
@@ -75,6 +75,11 @@ variable "metrics_server_version" {
 default = "3.12.1"
 }
 
+variable "kubernetes_dashboard_version" {
+ type = string
+ default = "7.3.2"
+}
+
 variable "kafka_version" {
 type = string
 default = "3.2.0"
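Review bot: The `read_only` ClusterRole's core-group rule grants `get`/`list`/`watch` on `"secrets"` cluster-wide, so the `dashboard-user` token is effectively a reader of every service-account token and application credential in the cluster, not a read-only viewer; drop `"secrets"` from that resources list (a dashboard view role is normally built without it) and, if pod logs are not needed for the dashboard's purpose, consider `"pods/log"` as well. The same rule also lists `"replicationcontrollers"` and `"services"` twice and names `"deployments"`, `"replicasets"` and `"ingressclasses"` under `api_groups = [""]`, where they do not exist; those entries are harmless but should be removed to keep the role reviewable. In `kubernetes_service_account_v1.dashboard_user` the namespace is taken from `helm_release.kubernetes_dashboard[0].name`, which only works because the release name happens to equal the namespace name; use `namespace = kubernetes_namespace.kubernetes_dashboard[0].metadata[0].name` as the other resources do. The `kubernetes.io/service-account-token` secret is a long-lived, non-expiring credential, and `sensitive = true` on the output only redacts CLI output, so the token still sits in plaintext in Terraform state; a comment noting that state must be encrypted and access-controlled, or a move to short-lived tokens issued on demand, would be appropriate. The `depends_on` entries on resources that already reference the namespace or release by attribute are redundant and can be dropped.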
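Review bot: Marking `radar_base_s3_access_key` as `sensitive = true` redacts it from plan and apply output but does not change what is stored in state, where the access key id remains in plaintext alongside whatever else the module outputs. The `radar_base_s3_secret_key` output that follows is outside the hunk, so I cannot confirm here that it carries the same flag; a comment such as `# redacted from CLI output only; protect the state backend` on this output would make the limitation explicit.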
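Review bot: `kubernetes_dashboard_version` is added without a `description`, so `terraform-docs` and readers of the module have no indication of what the pinned value refers to; add `description = "Version of the kubernetes-dashboard Helm chart to install"` to the variable block. It may also be worth a comment that the dashboard is gated by `enable_metrics` rather than a flag of its own, as that coupling is only visible in metrics.tf.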