diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 828052673f57fc56be42a7f54bbdf28b71553160..414943842851e5121a0889f46ff87df5aa7e7d50 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -42,6 +42,8 @@ netchecker_server_memory_requests: 64M
 dashboard_enabled: true
 dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64
 dashboard_image_tag: v1.8.0
+dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64
+dashboard_init_image_tag: v1.0.1
 
 # Limits for dashboard
 dashboard_cpu_limit: 100m
@@ -53,6 +55,13 @@ dashboard_memory_requests: 64M
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
 
+# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
+# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
+dashboard_use_custom_certs: false
+dashboard_certs_secret_name: kubernetes-dashboard-certs
+dashboard_tls_key_file: dashboard.key
+dashboard_tls_cert_file: dashboard.crt
+
 rbac_resources:
   - sa
   - clusterrole
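Review bot: The comment above `dashboard_use_custom_certs` does not say that `dashboard_tls_key_file` and `dashboard_tls_cert_file` are file names inside the secret, nor which setting of the flag actually uses them. In the `args:` hunk of dashboard.yml.j2 they are only read when the flag is false, which an operator cannot infer from this wording. I would split it into `# true: dashboard_certs_secret_name is a pre-created secret; false: certs come from the initContainer` above the flag and `# File names of the TLS private key and certificate under /certs` above the two file variables. `dashboard_certs_secret_name` is not referenced in any hunk visible here, so its use in the volume definition should be confirmed.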
diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
index 90eee47ba3fce5a11eb60270656073d3d76a1dfc..cf222011c8d5e52a4e5bf300f94c8294f3607127 100644
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -91,6 +91,34 @@ subjects:
   name: kubernetes-dashboard
   namespace: {{ system_namespace }}
 
+---
+# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
+# Allows users to reach login page and other proxied dashboard URLs
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-dashboard-anonymous
+rules:
+- apiGroups: [""]
+  resources: ["services/proxy"]
+  resourceNames: ["https:kubernetes-dashboard:"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard-anonymous
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-dashboard-anonymous
+subjects:
+- kind: User
+  name: system:anonymous
+
 ---
 # ------------------- Dashboard Deployment ------------------- #
 
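Review bot: The `kubernetes-dashboard-anonymous` ClusterRole and its binding give `system:anonymous` every verb, including `create`, `update`, `patch` and `delete`, on the dashboard's `services/proxy`, and both documents are rendered unconditionally. Because this is a ClusterRole bound by a ClusterRoleBinding, the `resourceNames` match covers a service of that name in any namespace, not only `{{ system_namespace }}`. I would gate both documents behind an opt-in default (for example a new `dashboard_anonymous_proxy_enabled: false`), move the `services/proxy` rule into a `kind: Role` / `kind: RoleBinding` with `namespace: {{ system_namespace }}`, and trim `verbs` to what the login flow actually needs. The `/api/v1/namespaces/...` entry under `nonResourceURLs` is a resource path, so that rule most likely never matches it and can be dropped, leaving only `/ui` and `/ui/*` in a cluster-scoped rule.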
@@ -112,6 +140,14 @@ spec:
       labels:
         k8s-app: kubernetes-dashboard
     spec:
+{% if not dashboard_use_custom_certs %}
+      initContainers:
+      - name: kubernetes-dashboard-init
+        image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
+        volumeMounts:
+        - name: kubernetes-dashboard-certs
+          mountPath: /certs
+{% endif %}
       containers:
       - name: kubernetes-dashboard
         image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
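Review bot: The `kubernetes-dashboard-init` container, which per the defaults comment provisions the TLS certs, is pulled by a mutable tag and is added with no `resources` or `securityContext`. Since this image produces the private key the dashboard serves with, pinning it by digest is worth the extra variable, e.g. `image: "{{ dashboard_init_image_repo }}@{{ dashboard_init_image_digest }}"` with a new `dashboard_init_image_digest` default. The `kubernetes-dashboard-certs` volume it mounts is defined outside this hunk, so I could not confirm that it is writable by the init container.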
@@ -127,7 +163,14 @@ spec:
         - containerPort: 8443
           protocol: TCP
         args:
+{% if not dashboard_use_custom_certs %}
+          - --tls-key-file=/certs/{{ dashboard_tls_key_file }}
+          - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }}
+          - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
+{% else %}
           - --auto-generate-certificates
+{% endif %}
+{% endif %}
           # Uncomment the following line to manually specify Kubernetes API server Host
           # If not specified, Dashboard will attempt to auto discover the API server and connect
           # to it. Uncomment only if the default does not work.
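Review bot: The second `{% endif %}` added after `--auto-generate-certificates` has no matching `{% if %}` in this hunk, because the inline `if` on the `--authentication-mode` line closes itself. Unless an enclosing block opens outside the hunk, the template will fail to render, so that line should be removed. The branches also look inverted relative to the defaults comment: when `dashboard_use_custom_certs` is true the pod gets `--auto-generate-certificates`, and the `--tls-key-file` / `--tls-cert-file` arguments naming the custom files are never passed. `--authentication-mode` is likewise set only in the false branch, so enabling custom certs silently falls back to the binary's default authentication mode; I would move that argument above the `{% if not dashboard_use_custom_certs %}` line.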