OpenID Connect Kubernetes Dashboard
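# Kubernetes Dashboard fronted by an OpenResty OpenID Connect proxy sidecar.
# The dashboard container binds to 127.0.0.1 only, so the proxy in the same
# pod is the only path to it; the proxy performs the OIDC login (see the
# dashboard-nginx ConfigMap) and forwards the user's id_token as a Bearer
# header on every proxied request.
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in k8s 1.16; apps/v1 needs k8s >= 1.9
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:  # mandatory under apps/v1 and must match the pod template labels below
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        version: v1.5.1
        kubernetes.io/cluster-service: "true"
    spec:
      serviceAccountName: dashboard  # Note that this service account must have access to the api version
      volumes:
        # Both files come from the same ConfigMap but are mounted at different
        # paths inside the proxy container.
        - name: sites
          configMap:
            name: dashboard-nginx
            items:
              - key: proxy.conf
                path: proxy.conf
        - name: lua
          configMap:
            name: dashboard-nginx
            items:
              - key: access.lua
                path: access.lua
      containers:
        - name: dashboard
          image: flixtech/kubernetes-dashboard-amd64:head-auth
          imagePullPolicy: Always
          resources:
            # requests are lower than limits, so this container is in the
            # Burstable QoS class; set request = limit if the Guaranteed class
            # is actually wanted.
            limits:
              cpu: 200m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          args:
            # Loopback only: reachable solely from the proxy sidecar, never
            # from the pod network directly.
            - --bind-address=127.0.0.1
        - name: proxy
          image: flixtech/openresty-oidc-proxy:1.11.2.2-r1
          volumeMounts:
            - name: sites
              mountPath: /usr/local/openresty/nginx/conf/sites
            - name: lua
              mountPath: /usr/local/openresty/nginx/lua
          env:
            # The session-cookie key and the OIDC client secret are read from a
            # Secret object instead of being inlined here, so they do not end up
            # in version control with this manifest. The Secret name and key
            # names below are a placeholder convention chosen for this file;
            # create the object before applying, e.g.
            #   kubectl -n kube-system create secret generic dashboard-oidc \
            #     --from-literal=session-secret=<random string> \
            #     --from-literal=client-secret=<OIDC client secret>
            # If the Secret is missing the pod fails with CreateContainerConfigError
            # rather than starting with a known/empty secret.
            - name: OID_SESSION_SECRET
              valueFrom:
                secretKeyRef:
                  name: dashboard-oidc
                  key: session-secret
            # 'off' disables lua-resty-session's SSL session-id check, which is
            # consistent with the proxy listening on plain port 80; this setup
            # assumes TLS is terminated in front of the pod — confirm, or the
            # session cookie and id_token cross the network in clear.
            - name: OID_SESSION_CHECK_SSI
              value: 'off'
            - name: OID_SESSION_NAME
              value: 'dashboard_session'
            - name: OID_DISCOVERY
              value: 'https://accounts.google.com/.well-known/openid-configuration'
            - name: OID_CLIENT_ID
              value: 'client_id'
            - name: OID_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: dashboard-oidc
                  key: client-secret
            # Must be registered as an allowed redirect URI at the OIDC provider.
            - name: OID_REDIRECT_PATH
              value: '/dashboard_callback'
            # Upstream = the dashboard container on the pod's loopback interface.
            - name: PROXY_HOST
              value: '127.0.0.1'
            - name: PROXY_PORT
              value: '9090'
            - name: PROXY_PROTOCOL
              value: 'http'
          ports:
            - containerPort: 80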
---
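# nginx site config and Lua access hook for the OIDC proxy sidecar.
# Both entries are mounted into the proxy container by the kubernetes-dashboard
# Deployment, which also sets the environment variables read below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dashboard-nginx
  namespace: kube-system
data:
  proxy.conf: |
    server {
      # Plain HTTP; presumed to sit behind a TLS-terminating ingress — confirm.
      listen 80;
      server_name _;
      # Filled in by lua/access.lua once the user is authenticated.
      set $id_token '';
      # lua-resty-session reads its configuration from these nginx variables;
      # os.getenv() here only sees variables exported to nginx via `env`
      # directives in the main config (assumed to be handled by the image).
      set_by_lua $session_secret 'return os.getenv("OID_SESSION_SECRET")';
      set_by_lua $session_check_ssi 'return os.getenv("OID_SESSION_CHECK_SSI")';
      set_by_lua $session_name 'return os.getenv("OID_SESSION_NAME")';
      set_by_lua $proxy_host 'return os.getenv("PROXY_HOST")';
      set_by_lua $proxy_port 'return os.getenv("PROXY_PORT")';
      set_by_lua $proxy_protocol 'return os.getenv("PROXY_PROTOCOL")';
      location / {
        # Runs the OIDC flow; an unauthenticated request is redirected to the
        # provider (or fails) inside the hook and never reaches proxy_pass.
        access_by_lua_file lua/access.lua;
        proxy_set_header Host $http_host;
        # Unconditionally overwritten, so a client-supplied Authorization
        # header is never forwarded to the dashboard.
        proxy_set_header Authorization "Bearer $id_token";
        proxy_pass $proxy_protocol://$proxy_host:$proxy_port;
      }
    }
  access.lua: |
    -- OIDC options come from the container environment (set in the Deployment).
    local opts = {
      redirect_uri_path = os.getenv("OID_REDIRECT_PATH"),
      discovery = os.getenv("OID_DISCOVERY"),
      client_id = os.getenv("OID_CLIENT_ID"),
      client_secret = os.getenv("OID_CLIENT_SECRET"),
      scope = "openid",
      -- tolerated clock skew (seconds) on the id_token's iat claim
      iat_slack = 600,
    }
    local session = require("resty.session").start()
    -- call authenticate for OpenID Connect user authentication
    local res, err = require("resty.openidc").authenticate(opts)
    if err then
      -- Keep the detail server-side; the client only gets a generic page so
      -- provider/configuration errors are not disclosed to the browser.
      ngx.log(ngx.ERR, "OpenID Connect authentication failed: ", err)
      ngx.status = 500
      ngx.header.content_type = 'text/html';
      ngx.say("There was an error while logging in.")
      ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    -- Expose the encoded id_token to nginx for the Authorization header.
    -- NOTE(review): assumes resty.openidc stores it under session.data.enc_id_token
    -- for the installed lua-resty-openidc version — verify.
    ngx.var.id_token = session.data.enc_id_token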
---
# Identity the dashboard pod runs as (referenced by serviceAccountName in the
# Deployment). Any RBAC bindings granting it API access are not part of this
# gist and must be created separately.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system