Add RBAC configuration for dashboard admin and update TLS secret reference

2025-05-05 09:43:56 -07:00
parent 405a4bc306
commit f80f0e97ca
2 changed files with 37 additions and 23 deletions
--- a/infrastructure_setup/kubernetes-dashboard/dashboard-admin-rbac.yaml
+++ b/infrastructure_setup/kubernetes-dashboard/dashboard-admin-rbac.yaml
@@ -0,0 +1,32 @@
+---
+# Service Account and RBAC for Dashboard admin access
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dashboard-admin
+  namespace: kubernetes-dashboard
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dashboard-admin
+subjects:
+  - kind: ServiceAccount
+    name: dashboard-admin
+    namespace: kubernetes-dashboard
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# Token for dashboard-admin
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dashboard-admin-token
+  namespace: kubernetes-dashboard
+  annotations:
+    kubernetes.io/service-account.name: dashboard-admin
+type: kubernetes.io/service-account-token
--- a/infrastructure_setup/kubernetes-dashboard/dashboard-kube-system.yaml
+++ b/infrastructure_setup/kubernetes-dashboard/dashboard-kube-system.yaml
@@ -1,23 +1,3 @@
---
-# Certificate for the dashboard
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: kubernetes-dashboard-tls
-  namespace: kubernetes-dashboard
-spec:
-  secretName: kubernetes-dashboard-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  dnsNames:
-    - "dashboard.internal.${DOMAIN}"
-  duration: 2160h # 90 days
-  renewBefore: 360h # 15 days
-  privateKey:
-    algorithm: RSA
-    size: 2048
-
 ---
 # Internal-only middleware
 apiVersion: traefik.containo.us/v1alpha1
@@ -67,10 +47,11 @@ spec:
          port: 443
          serversTransport: dashboard-transport
  tls:
-    secretName: kubernetes-dashboard-tls
+    secretName: wildcard-internal-sovereign-cloud-tls

 ---
-# HTTP to HTTPS redirect
+# HTTP to HTTPS redirect.
+# FIXME: Is this needed?
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -91,7 +72,8 @@ spec:
          serversTransport: dashboard-transport

 ---
-# ServersTransport for HTTPS backend with skip verify
+# ServersTransport for HTTPS backend with skip verify.
+# FIXME: Is this needed?
 apiVersion: traefik.containo.us/v1alpha1
 kind: ServersTransport
 metadata: