Add RBAC configuration for dashboard admin and update TLS secret reference
@@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
# Service Account and RBAC for Dashboard admin access
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: dashboard-admin
|
||||||
|
namespace: kubernetes-dashboard
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: dashboard-admin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: dashboard-admin
|
||||||
|
namespace: kubernetes-dashboard
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cluster-admin
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
|
---
|
||||||
|
# Token for dashboard-admin
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: dashboard-admin-token
|
||||||
|
namespace: kubernetes-dashboard
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/service-account.name: dashboard-admin
|
||||||
|
type: kubernetes.io/service-account-token
|
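Review bot: The `roleRef` of the new ClusterRoleBinding grants `cluster-admin` to the `dashboard-admin` ServiceAccount, and the third document adds a non-expiring `kubernetes.io/service-account-token` Secret for it, so anyone who can read Secrets in `kubernetes-dashboard` holds full cluster control until that Secret is deleted. If the dashboard is used mainly for inspection, bind a narrower role such as `name: view` under `roleRef`, or use namespaced RoleBindings where write access is needed. Consider dropping the Secret and issuing short-lived tokens on demand with `kubectl create token dashboard-admin -n kubernetes-dashboard --duration=1h`. If cluster-admin is really required, record that with a comment such as `# cluster-admin is intentional: <reason>; rotate by deleting and recreating this Secret`.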
@@ -1,23 +1,3 @@
|
|||||||
---
|
|
||||||
# Certificate for the dashboard
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: kubernetes-dashboard-tls
|
|
||||||
namespace: kubernetes-dashboard
|
|
||||||
spec:
|
|
||||||
secretName: kubernetes-dashboard-tls
|
|
||||||
issuerRef:
|
|
||||||
name: letsencrypt-prod
|
|
||||||
kind: ClusterIssuer
|
|
||||||
dnsNames:
|
|
||||||
- "dashboard.internal.${DOMAIN}"
|
|
||||||
duration: 2160h # 90 days
|
|
||||||
renewBefore: 360h # 15 days
|
|
||||||
privateKey:
|
|
||||||
algorithm: RSA
|
|
||||||
size: 2048
|
|
||||||
|
|
||||||
---
|
---
|
||||||
# Internal-only middleware
|
# Internal-only middleware
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
@@ -67,10 +47,11 @@ spec:
|
|||||||
port: 443
|
port: 443
|
||||||
serversTransport: dashboard-transport
|
serversTransport: dashboard-transport
|
||||||
tls:
|
tls:
|
||||||
secretName: kubernetes-dashboard-tls
|
secretName: wildcard-internal-sovereign-cloud-tls
|
||||||
|
|
||||||
---
|
---
|
||||||
# HTTP to HTTPS redirect
|
# HTTP to HTTPS redirect.
|
||||||
|
# FIXME: Is this needed?
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: IngressRoute
|
kind: IngressRoute
|
||||||
metadata:
|
metadata:
|
||||||
@@ -91,7 +72,8 @@ spec:
|
|||||||
serversTransport: dashboard-transport
|
serversTransport: dashboard-transport
|
||||||
|
|
||||||
---
|
---
|
||||||
# ServersTransport for HTTPS backend with skip verify
|
# ServersTransport for HTTPS backend with skip verify.
|
||||||
|
# FIXME: Is this needed?
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: ServersTransport
|
kind: ServersTransport
|
||||||
metadata:
|
metadata:
|
||||||
|
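Review bot: In the `@@ -67,10 +47,11 @@` hunk the route now uses `secretName: wildcard-internal-sovereign-cloud-tls`, but this commit also deletes the Certificate that produced the previous secret, and nothing visible here creates the new one. Traefik looks up an IngressRoute's `tls.secretName` in the IngressRoute's own namespace (presumably `kubernetes-dashboard`; the metadata is outside the hunk), so confirm how the wildcard secret gets there and note it, e.g. `# provisioned by <replication mechanism>; wildcard key is shared across namespaces`. Copying a wildcard private key into more namespaces also widens who can read it. The two added `# FIXME: Is this needed?` comments are better resolved before merge than committed as open questions. For the ServersTransport, whose header says it skips backend verification, pinning the backend CA with `rootCAsSecrets` and `serverName` would be safer than leaving verification disabled, if the transport stays.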