From c82c5ffd74f4a244dacbc658dac73d030195bc95 Mon Sep 17 00:00:00 2001 From: wboughattas Date: Sun, 28 Dec 2025 11:18:16 -0500 Subject: [PATCH] added kubernetes dashboard --- README.md | 24 ++++++++++++++++++------ infra/dashboard/dashboard-admin.yaml | 19 +++++++++++++++++++ infra/dashboard/permanent-token.yaml | 8 ++++++++ infra/dashboard/traefik-config.yaml | 9 +++++++++ 4 files changed, 54 insertions(+), 6 deletions(-) create mode 100644 infra/dashboard/dashboard-admin.yaml create mode 100644 infra/dashboard/permanent-token.yaml create mode 100644 infra/dashboard/traefik-config.yaml diff --git a/README.md b/README.md index ba1b8e4..e222898 100644 --- a/README.md +++ b/README.md @@ -86,12 +86,13 @@ kubectl apply -f apps/ ## Access Points -| Service | URL | Credentials / Notes | -|------------------|------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------| -| **Severed Blog** | [http://blog.localhost:8080](https://www.google.com/search?q=http://blog.localhost:8080) | Public Access | -| **Grafana** | [http://grafana.localhost:8080](https://www.google.com/search?q=http://grafana.localhost:8080) | **User:** `admin` / **Pass:** `severed_secure_password`

*(Anonymous View Access Enabled)* | -| **Prometheus** | *Internal Only* | Accessed via Alloy/Grafana | -| **Loki** | *Internal Only* | Accessed via Alloy/Grafana | +| Service | URL | Credentials / Notes | +|-------------------|------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------| +| **Severed Blog** | [http://blog.localhost:8080](https://www.google.com/search?q=http://blog.localhost:8080) | Public Access | +| **Grafana** | [http://grafana.localhost:8080](https://www.google.com/search?q=http://grafana.localhost:8080) | **User:** `admin` / **Pass:** `severed_secure_password`

*(Anonymous View Access Enabled)* | +| **Prometheus** | *Internal Only* | Accessed via Alloy/Grafana | +| **Loki** | *Internal Only* | Accessed via Alloy/Grafana | +| **K8s Dashboard** | `https://localhost:8443` | **Auth:** Token-based. Access via `kubectl port-forward svc/kubernetes-dashboard-kong-proxy 8443:443 -n kubernetes-dashboard`. | ## Observability Features @@ -120,3 +121,14 @@ This stack uses **Grafana Alloy** to automatically scrape metrics and tail logs * [ ] Add Cert-Manager for TLS (HTTPS). * [ ] Implement ArgoCD for automated GitOps syncing. * [ ] Move to a physical Home Server. + +--- + +### todos/bugfixes + +* **[ ] Automate Dashboard Auth:** Rotate/retrieve the `admin-user` token to avoid manually `create token` every session. +* **[ ] External Secret Management:** Replace generic secrets with HashiCorp Vault to encrypt `grafana-secrets` and dashboard tokens. +* **[ ] Ingress Hardening:** Resolve the `localhost` 401 loop using **Cert-Manager** with self-signed certificates, which allows Kong to see valid HTTPS traffic and accept session cookies natively. +* **[ ] Persistence Layer:** Deploy a **Local Path Provisioner** or **HostPath** storage class for Loki and Prometheus + so that metrics and dashboard configurations survive a `k3d cluster stop`. +* **[ ] Resource Quotas:** Define `resources: requests/limits` for the LGTM stack. diff --git a/infra/dashboard/dashboard-admin.yaml b/infra/dashboard/dashboard-admin.yaml new file mode 100644 index 0000000..14311f1 --- /dev/null +++ b/infra/dashboard/dashboard-admin.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admin-user + namespace: kubernetes-dashboard + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: admin-user +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: admin-user + namespace: kubernetes-dashboard 
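Review bot: The ClusterRoleBinding in infra/dashboard/dashboard-admin.yaml gives the `admin-user` ServiceAccount the `cluster-admin` role, so whoever holds that account's token controls the whole cluster, including every Secret in every namespace. That is far more than a dashboard login needs for browsing. Binding to the built-in read-only role (`name: view`) or using a namespaced RoleBinding keeps a leaked token from becoming a full cluster compromise. If full admin is intended for this local k3d setup, say so in a comment above the binding, e.g. `# local dev only: full cluster-admin, never apply to a shared cluster`.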
diff --git a/infra/dashboard/permanent-token.yaml b/infra/dashboard/permanent-token.yaml
new file mode 100644
index 0000000..9246026
--- /dev/null
+++ b/infra/dashboard/permanent-token.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: admin-user-token
+ namespace: kubernetes-dashboard
+ annotations:
+ kubernetes.io/service-account.name: "admin-user"
+type: kubernetes.io/service-account-token
diff --git a/infra/dashboard/traefik-config.yaml b/infra/dashboard/traefik-config.yaml
new file mode 100644
index 0000000..7139931
--- /dev/null
+++ b/infra/dashboard/traefik-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ additionalArguments:
+ - "--serversTransport.insecureSkipVerify=true"
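Review bot: The `kubernetes.io/service-account-token` Secret in infra/dashboard/permanent-token.yaml mints a token for `admin-user` that never expires, and dashboard-admin.yaml in this same patch binds that account to `cluster-admin`. Such a credential stays valid until the Secret is deleted, so any copy of it (shell history, browser storage, a backup) remains usable indefinitely. Prefer time-bound tokens, for example `kubectl -n kubernetes-dashboard create token admin-user --duration=1h`, and drop this manifest. If it has to stay, pair it with a reduced role and add a comment such as `# long-lived token: delete this Secret to revoke`.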
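Review bot: `--serversTransport.insecureSkipVerify=true` in infra/dashboard/traefik-config.yaml is a global Traefik argument, so it turns off backend certificate verification for every service Traefik proxies, not only the dashboard backend it was presumably added for. Traefik can then no longer detect an impersonated or intercepted HTTPS backend inside the cluster network. Scope the exception to the one service with a Traefik `ServersTransport` resource referenced from that service, ideally trusting the backend's CA rather than skipping verification, and leave the global default untouched. At minimum add a comment in the values block, e.g. `# TEMPORARY: disables backend TLS verification for all services; remove once Cert-Manager is in place`.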