Moves setup files into embedded package.

internal/setup/cluster-services/kubernetes-dashboard/install.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+# Ensure WILD_INSTANCE is set
+if [ -z "${WILD_INSTANCE}" ]; then
+    echo "❌ ERROR: WILD_INSTANCE is not set"
+    exit 1
+fi
+
+# Ensure WILD_CENTRAL_DATA is set
+if [ -z "${WILD_CENTRAL_DATA}" ]; then
+    echo "❌ ERROR: WILD_CENTRAL_DATA is not set"
+    exit 1
+fi
+
+# Ensure KUBECONFIG is set
+if [ -z "${KUBECONFIG}" ]; then
+    echo "❌ ERROR: KUBECONFIG is not set"
+    exit 1
+fi
+
+INSTANCE_DIR="${WILD_CENTRAL_DATA}/instances/${WILD_INSTANCE}"
+CLUSTER_SETUP_DIR="${INSTANCE_DIR}/setup/cluster-services"
+KUBERNETES_DASHBOARD_DIR="${CLUSTER_SETUP_DIR}/kubernetes-dashboard"
+
+echo "🎮 === Setting up Kubernetes Dashboard ==="
+echo ""
+
+# Templates should already be compiled
+echo "📦 Using pre-compiled Dashboard templates..."
+if [ ! -d "${KUBERNETES_DASHBOARD_DIR}/kustomize" ]; then
+    echo "❌ ERROR: Compiled templates not found at ${KUBERNETES_DASHBOARD_DIR}/kustomize"
+    echo "Templates should be compiled before deployment."
+    exit 1
+fi
+
+NAMESPACE="kubernetes-dashboard"
+
+# Apply the official dashboard installation
+echo "🚀 Installing Kubernetes Dashboard core components..."
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
+
+# Wait for cert-manager certificates to be ready
+echo "🔐 Waiting for cert-manager certificates to be ready..."
+kubectl wait --for=condition=Ready certificate wildcard-internal-wild-cloud -n cert-manager --timeout=300s || echo "⚠️  Warning: Internal wildcard certificate not ready yet"
+kubectl wait --for=condition=Ready certificate wildcard-wild-cloud -n cert-manager --timeout=300s || echo "⚠️  Warning: Wildcard certificate not ready yet"
+
+# Copying cert-manager secrets to the dashboard namespace (if available)
+echo "📋 Copying cert-manager secrets to dashboard namespace..."
+if kubectl get secret wildcard-internal-wild-cloud-tls -n cert-manager >/dev/null 2>&1; then
+    kubectl get secret wildcard-internal-wild-cloud-tls -n cert-manager -o yaml | \
+        sed "s/namespace: cert-manager/namespace: ${NAMESPACE}/" | \
+        kubectl apply -f -
+else
+    echo "⚠️  Warning: wildcard-internal-wild-cloud-tls secret not yet available"
+fi
+
+if kubectl get secret wildcard-wild-cloud-tls -n cert-manager >/dev/null 2>&1; then
+    kubectl get secret wildcard-wild-cloud-tls -n cert-manager -o yaml | \
+        sed "s/namespace: cert-manager/namespace: ${NAMESPACE}/" | \
+        kubectl apply -f -
+else
+    echo "⚠️  Warning: wildcard-wild-cloud-tls secret not yet available"
+fi
+
+# Apply dashboard customizations using kustomize
+echo "🔧 Applying dashboard customizations..."
+kubectl apply -k "${KUBERNETES_DASHBOARD_DIR}/kustomize"
+
+# Restart CoreDNS to pick up the changes
+# echo "🔄 Restarting CoreDNS to pick up DNS changes..."
+# kubectl delete pods -n kube-system -l k8s-app=kube-dns
+
+# Wait for dashboard to be ready
+echo "⏳ Waiting for Kubernetes Dashboard to be ready..."
+kubectl rollout status deployment/kubernetes-dashboard -n $NAMESPACE --timeout=60s
+
+echo ""
+echo "✅ Kubernetes Dashboard installed successfully"
+echo ""
+# INTERNAL_DOMAIN should be available in environment (set from config before deployment)
+if [ -n "${INTERNAL_DOMAIN}" ]; then
+    echo "🌐 Access the dashboard at: https://dashboard.${INTERNAL_DOMAIN}"
+else
+    echo "💡 Access the dashboard via the configured internal domain"
+fi
+echo ""
+echo "💡 To get the authentication token:"
+echo "  kubectl create token admin-user -n kubernetes-dashboard"
+echo ""

internal/setup/cluster-services/kubernetes-dashboard/kustomize.template/dashboard-admin-rbac.yaml

@@ -0,0 +1,32 @@
+---
+# Service Account and RBAC for Dashboard admin access
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dashboard-admin
+  namespace: kubernetes-dashboard
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dashboard-admin
+subjects:
+  - kind: ServiceAccount
+    name: dashboard-admin
+    namespace: kubernetes-dashboard
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# Token for dashboard-admin
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dashboard-admin-token
+  namespace: kubernetes-dashboard
+  annotations:
+    kubernetes.io/service-account.name: dashboard-admin
+type: kubernetes.io/service-account-token

internal/setup/cluster-services/kubernetes-dashboard/kustomize.template/dashboard-kube-system.yaml

@@ -0,0 +1,84 @@
+---
+# Internal-only middleware
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: internal-only
+  namespace: kubernetes-dashboard
+spec:
+  ipWhiteList:
+    # Restrict to local private network ranges
+    sourceRange:
+      - 127.0.0.1/32 # localhost
+      - 10.0.0.0/8 # Private network
+      - 172.16.0.0/12 # Private network
+      - 192.168.0.0/16 # Private network
+
+---
+# HTTPS redirect middleware
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: dashboard-redirect-scheme
+  namespace: kubernetes-dashboard
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+
+---
+# IngressRoute for Dashboard
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kubernetes-dashboard-https
+  namespace: kubernetes-dashboard
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`dashboard.{{ .cloud.internalDomain }}`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: kubernetes-dashboard
+      services:
+        - name: kubernetes-dashboard
+          port: 443
+          serversTransport: dashboard-transport
+  tls:
+    secretName: wildcard-internal-wild-cloud-tls
+
+---
+# HTTP to HTTPS redirect.
+# FIXME: Is this needed?
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kubernetes-dashboard-http
+  namespace: kubernetes-dashboard
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`dashboard.{{ .cloud.internalDomain }}`)
+      kind: Rule
+      middlewares:
+        - name: dashboard-redirect-scheme
+          namespace: kubernetes-dashboard
+      services:
+        - name: kubernetes-dashboard
+          port: 443
+          serversTransport: dashboard-transport
+
+---
+# ServersTransport for HTTPS backend with skip verify.
+# FIXME: Is this needed?
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: dashboard-transport
+  namespace: kubernetes-dashboard
+spec:
+  insecureSkipVerify: true
+  serverName: dashboard.{{ .cloud.internalDomain }}

internal/setup/cluster-services/kubernetes-dashboard/kustomize.template/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- dashboard-admin-rbac.yaml
+- dashboard-kube-system.yaml

internal/setup/cluster-services/kubernetes-dashboard/wild-manifest.yaml

@@ -0,0 +1,11 @@
+name: kubernetes-dashboard
+description: Web-based Kubernetes user interface
+namespace: kubernetes-dashboard
+category: infrastructure
+
+dependencies:
+  - traefik
+  - cert-manager
+
+configReferences:
+  - cloud.internalDomain