Upgrade k8s-dashboard and ingress-nginx to latest version (#108) (#110)

Upgrade k8s-dashboard and ingress-nginx to latest version
k8s-dashboard from 6.0.8 to 7.11.1
ingress-nginx from 4.11.0 to 4.12.1

Author: ns-squareops

examples/complete/config/kubernetes-dashboard.yaml

@@ -1,7 +1,5 @@
-## Number of replicas
-replicaCount: 1
-
-affinity:
+app:
+  affinity:
     nodeAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
@@ -11,10 +9,43 @@ affinity:
               values:
               - "true"
 
-resources:
-  requests:
-    cpu: 100m
-    memory: 200Mi
-  limits:
-    cpu: 2
-    memory: 400Mi
+auth:
+  service:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+
+api:
+  service:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+  
+web:
+  service:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+
+
+metricsScraper:
+  service:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi

examples/complete/main.tf

@@ -22,7 +22,7 @@ locals {
 }
 module "eks-addons" {
   source               = "squareops/eks-addons/aws"
-  version              = "4.3.0"
+  version              = "4.3.1"
   name                 = local.name
   tags                 = local.additional_tags
   vpc_id               = local.vpc_id
@@ -137,7 +137,7 @@ module "eks-addons" {
 
   ## INGRESS-NGINX
   ingress_nginx_enabled = false # to enable ingress nginx
-  ingress_nginx_version = "4.11.0"
+  ingress_nginx_version = "4.12.1"
   ingress_nginx_config = {
     values                 = [file("${path.module}/config/ingress-nginx.yaml")]
     enable_service_monitor = false   # enable monitoring in nginx ingress
@@ -166,7 +166,7 @@ module "eks-addons" {
 
   ## KUBERNETES-DASHBOARD
   kubernetes_dashboard_enabled = false
-  kubernetes_dashboard_version = "6.0.8"
+  kubernetes_dashboard_version = "7.11.1"
   kubernetes_dashboard_config = {
     values_yaml                         = file("${path.module}/config/kubernetes-dashboard.yaml")
     k8s_dashboard_ingress_load_balancer = "nlb"                            # Pass either "nlb/alb" to choose load balancer controller as ingress-nginx controller or ALB controller

modules/ingress-nginx/config/ingress_nginx.yaml

@@ -59,6 +59,8 @@ controller:
             values:
             - "true"
   allowSnippetAnnotations: true
+  config:
+    annotations-risk-level: "Critical"
 ## Enabling metrics for prometheus monitoring
 
   metrics:

modules/kubernetes-dashboard/config/values.yaml

@@ -1,46 +1,14 @@
-## Number of replicas
-replicaCount: 1
-
-annotations: {}
-## Here labels can be added to the kubernetes dashboard deployment
-
-securityContext:
-  runAsNonRoot: true
-  seccompProfile:
-    type: RuntimeDefault
-
-## SecurityContext defaults for the kubernetes dashboard container and metrics scraper container
-## To disable set the following configuration to null:
-# containerSecurityContext: null
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: true
-  runAsUser: 1001
-  runAsGroup: 2001
-  capabilities:
-    drop: ["ALL"]
-
-## @param podLabels Extra labels for OAuth2 Proxy pods
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-##
-podLabels: {}
-## @param podAnnotations Annotations for OAuth2 Proxy pods
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-##
-podAnnotations:
-  co.elastic.logs/enabled: "true"
-
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector:
-  kubernetes.io/os: linux
-
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
-
-## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-affinity:
+# General configuration shared across resources
+app:
+  # Mode determines if chart should deploy a full Dashboard with all containers or just the API.
+  # - dashboard - deploys all the containers
+  # - api - deploys just the API
+  mode: 'dashboard'
+  scheduling:
+    nodeSelector:
+      kubernetes.io/os: linux
+  tolerations: []
+  affinity:
     nodeAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
@@ -50,119 +18,89 @@ affinity:
               values:
               - "true"
 
-## Name of Priority Class of pods
-# priorityClassName: ""
-
-## Pod resource requests & limits
-resources:
-  requests:
-    cpu: 100m
-    memory: 200Mi
-  limits:
-    cpu: 2
-    memory: 200Mi
-
-## Serve application over HTTP without TLS
-##
-## Note: If set to true, you may want to add --enable-insecure-login to extraArgs
-protocolHttp: false
-
-service:
-  type: ClusterIP
-  # Dashboard service port
-  externalPort: 443
-  annotations: {}
-
-  ## Here labels can be added to the Kubernetes Dashboard service
-  labels: {}
-
-  ## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters >=1.15.
-  ## Otherwise, the addon manager will presume ownership of the service and try to delete it.
-  clusterServiceLabel:
-    enabled: true
-    key: "kubernetes.io/cluster-service"
-
-ingress:
-  enabled: false
-  annotations: {}
-  ingressClassName: ${ingress_class_name}
-  hostname: ${hostname}
-
-  paths:
-    - /
-  #  - /*
-
-  ## Custom Kubernetes Dashboard Ingress paths. Will override default paths.
-  ##
-  customPaths: []
-
-settings:
-  {}
+auth:
+  role: auth
+  scaling:
+    replicas: 1
+    revisionHistoryLimit: 10
+  service:
+    type: ClusterIP
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+  nodeSelector:
+      kubernetes.io/os: linux
+
+# API deployment configuration
+api:
+  role: api
+  scaling:
+    replicas: 1
+    revisionHistoryLimit: 10
+  service:
+    type: ClusterIP
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+  nodeSelector:
+      kubernetes.io/os: linux
+
+# WEB UI deployment configuration
+web:
+  role: web
+  scaling:
+    replicas: 1
+    revisionHistoryLimit: 10
+  service:
+    type: ClusterIP
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+  nodeSelector:
+      kubernetes.io/os: linux
 
-## Pinned CRDs that will be displayed in dashboard's menu
 metricsScraper:
-  ## Wether to enable dashboard-metrics-scraper
-  enabled: false
-  image:
-    repository: kubernetesui/metrics-scraper
-    tag: v1.0.9
-  resources: {}
-
-metrics-server:
-  enabled: false
-  ## Example for additional args
-  # args:
-  #  - --kubelet-preferred-address-types=InternalIP
-  #  - --kubelet-insecure-tls
-
-rbac:
-  # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created
-  create: true
-
-  # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created
-  # Independent from rbac.create parameter.
-  clusterRoleMetrics: true
-  clusterReadOnlyRole: false
-
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
+  enabled: true
+  role: metrics-scraper
+  scaling:
+    replicas: 1
+    revisionHistoryLimit: 10
+  service:
+    type: ClusterIP
+    resources:
+      requests:
+        cpu: 100m
+        memory: 200Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+  nodeSelector:
+      kubernetes.io/os: linux
 
-livenessProbe:
-  # Number of seconds to wait before sending first probe
-  initialDelaySeconds: 30
-  # Number of seconds to wait for probe response
-  timeoutSeconds: 30
 
-## podDisruptionBudget
-## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
-podDisruptionBudget:
-  enabled: false
-  ## Minimum available instances; ignored if there is no PodDisruptionBudget
-  minAvailable:
-  ## Maximum unavailable instances; ignored if there is no PodDisruptionBudget
-  maxUnavailable:
-
-
-networkPolicy:
-  # Whether to create a network policy that allows/restricts access to the service
-  enabled: false
-
-  # Whether to set network policy to deny all ingress traffic for the kubernetes-dashboard
-  ingressDenyAll: false
-
-podSecurityPolicy:
-  # Specifies whether a pod security policy should be created
+metrics-server:
   enabled: false
-
-serviceMonitor:
-  # Whether or not to create a Prometheus Operator service monitor.
-  enabled: ${enable_service_monitor}
-  ## Here labels can be added to the serviceMonitor
-  labels: {}
-  ## Here annotations can be added to the serviceMonitor
-  annotations: {}
+  args:
+    - --kubelet-preferred-address-types=InternalIP
+    - --kubelet-insecure-tls
+
+## Required Kong sub-chart with DBless configuration to act as a gateway
+## for our all containers.
+kong:
+  enabled: true
+  ## Configuration reference: https://docs.konghq.com/gateway/3.6.x/reference/configuration
+  serviceMonitor:
+    # Whether to create a Prometheus Operator service monitor.
+    enabled: ${enable_service_monitor}

modules/kubernetes-dashboard/main.tf

@@ -51,8 +51,8 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
       "nginx.ingress.kubernetes.io/backend-protocol"      = "HTTPS"
       "nginx.ingress.kubernetes.io/rewrite-target"        = "/$2"
       "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
-        if ($uri = "/dashboard") {
-          rewrite ^(/dashboard)$ $1/ redirect;
+        if ($request_uri = /) {
+          return 301 /dashboard/;
         }
       EOF
     }
@@ -68,7 +68,7 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
 
           backend {
             service {
-              name = "kubernetes-dashboard"
+              name = "kubernetes-dashboard-kong-proxy"
               port {
                 number = 443
               }