Add Helm Chart

.travis.yml

@@ -52,22 +52,51 @@ before_script:
 jobs:
   include:
     - stage: test
+      name: "Code check & linting"
       before_script:
         - aio/scripts/install-codegen.sh
       script: npm run check
-    - script: npm run test:coverage
+    - name: "Unit tests"
+      script: npm run test:coverage
       after_success:
         - rm -rf $TRAVIS_BUILD_DIR/.tmp
         - bash <(curl -s https://codecov.io/bash)
-    - script: npm run cluster:start && npm run e2e
+    - name: "Helm linting"
+      cache: false
+      install:
+        - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+        - wget https://github.com/garethr/kubeval/releases/download/0.14.0/kubeval-linux-amd64.tar.gz
+        - mkdir kubeval
+        - tar xf kubeval-linux-amd64.tar.gz -C kubeval
+        - export PATH="$PATH:$(pwd)/kubeval"
+      before_script: skip  # We don't need Docker nor Go
+      script:
+        - aio/scripts/helm-lint.sh
+    - name: "e2e tests"
+      script: npm run cluster:start && npm run e2e
+
     - stage: deploy
+      name: "Development release"
       script:
         - docker login -u $DOCKER_USER -p $DOCKER_PASS
         - npm run docker:push:head
+
     - stage: release
+      name: "Release"
       script:
         - docker login -u $DOCKER_RELEASE_USER -p $DOCKER_RELEASE_PASS
         - npm run docker:push
+    # Manual step for now since it requires to add a GitHub Token to Travis which would be a security issue
+    # - name: "Helm repository generation"
+    #   cache: false
+    #   install:
+    #     - curl -L https://git.io/get_helm.sh | bash && helm init --skip-refresh --client-only
+    #     - git remote set-branches origin '*' && git fetch --unshallow
+    #     # GTHUB_WRITE_TOKEN is a travis secret variable that is generated from https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+    #     - git remote set-url origin https://x-access-token:${GITHUB_WRITE_TOKEN}@github.com/${TRAVIS_REPO_SLUG}.git
+    #   before_script: skip  # We don't need Docker nor Go
+    #   script:
+    #     - sh ./aio/scripts/
 
 stages:
   - test

aio/deploy/helm-chart/kubernetes-dashboard/.helmignore

@@ -0,0 +1,41 @@
+# Copyright 2020 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+
+# Various IDEs
+.project
+.idea/
+*.tmproj
+OWNERS
+
+ci/

aio/deploy/helm-chart/kubernetes-dashboard/Chart.yaml

@@ -0,0 +1,30 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: kubernetes-dashboard
+version: 2.0.1
+appVersion: 2.0.1
+description: General-purpose web UI for Kubernetes clusters
+keywords:
+- kubernetes
+- dashboard
+home: https://github.com/kubernetes/dashboard
+sources:
+- https://github.com/kubernetes/dashboard
+maintainers:
+- name: desaintmartin
+  email: cdesaintmartin@wiremind.fr
+icon: https://raw.githubusercontent.com/kubernetes/kubernetes/master/logo/logo.svg
+kubeVersion: ">=1.10.0-0"

aio/deploy/helm-chart/kubernetes-dashboard/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- desaintmartin
+reviewers:
+- desaintmartin

aio/deploy/helm-chart/kubernetes-dashboard/README.md

@@ -0,0 +1,145 @@
+# kubernetes-dashboard
+
+[Kubernetes Dashboard](https://github.com/kubernetes/dashboard) is a general purpose, web-based UI for Kubernetes clusters.
+It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
+
+## TL;DR
+
+```console
+# Add kubernetes-dashboard repository
+helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+# Deploy a Helm Release named "my-release" using the kubernetes-dashboard chart
+helm install kubernetes-dashboard/kubernetes-dashboard --name my-release
+```
+
+## Introduction
+
+This chart bootstraps a [Kubernetes Dashboard](https://github.com/kubernetes/dashboard) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+helm repository add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+helm install kubernetes-dashboard/kubernetes-dashboard --name my-release
+```
+
+The command deploys kubernetes-dashboard on the Kubernetes cluster in the default configuration.
+The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### Upgrade from 1.x.x to 2.x.x
+
+Version 2.0.0 of this chart is the first version hosted in the kubernetes/dashboard.git repository. v1.x.x until 1.10.1 is hosted on https://github.com/helm/charts.
+
+- This version upgrades to kubernetes-dashboard v2.0.0 along with changes in RBAC management: all secrets are explicitely created and ServiceAccount do not have permission to create any secret. On top of that, it completely removes the `clusterAdminRole` parameter, being too dangerous. In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and uninstall/reinstall the chart.
+- It enables by default values for `podAnnotations` and `securityContext`, please disable them if you don't supoprt them
+- It removes `enableSkipLogin` and `enableInsecureLogin` parameters. Please use `extraEnv` instead.
+- It adds a `ProtocolHttp` parameter, allowing you to switch the backend to plain HTTP and replaces the old `enableSkipLogin` for the network part.
+- If `protocolHttp` is not set, it will automatically add to the `Ingress`, if enabled, annotations to support HTTPS backends for nginx-ingress and GKE Ingresses.
+- It updates all the labels to the new [recommended labels](https://github.com/helm/charts/blob/master/REVIEW_GUIDELINES.md#names-and-labels), most of them being immutable.
+- dashboardContainerSecurityContext has been renamed to containerSecurityContext.
+
+In order to upgrade, please update your configuration to remove `clusterAdminRole` parameter and adapt `enableSkipLogin`, `enableInsecureLogin`, `podAnnotations` and `securityContext` parameters, and uninstall/reinstall the chart.
+
+## Access control
+
+It is critical for the Kubernetes cluster to correctly setup access control of Kubernetes Dashboard.
+See this [guide](https://github.com/kubernetes/dashboard/wiki/Access-control) for best practises.
+
+It is highly recommended to use RBAC with minimal privileges needed for Dashboard to run.
+
+## Configuration
+
+The following table lists the configurable parameters of the kubernetes-dashboard chart and their default values.
+
+Parameter                                       | Description                                                                                                                      | Default
+------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------
+`image.repository`                              | Repository for container image                                                                                                   | `kubernetesui/dashboard`
+`image.tag`                                     | Image tag                                                                                                                        | `v2.0.1`
+`image.pullPolicy`                              | Image pull policy                                                                                                                | `IfNotPresent`
+`image.pullSecrets`                             | Image pull secrets                                                                                                               | `[]`
+`replicaCount`                                  | Number of replicas                                                                                                               | `1`
+`annotations`                                   | Annotations for deployment                                                                                                       | `{}`
+`labels`                                        | Labels for deployment                                                                                                            | `{}`
+`extraArgs`                                     | Additional container arguments                                                                                                   | `[]`
+`extraEnv`                                      | Additional container environment variables                                                                                       | `[]`
+`podAnnotations`                                | Annotations to be added to pods                                                                                                  | `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'}`
+`nodeSelector`                                  | node labels for pod assignment                                                                                                   | `{}`
+`tolerations`                                   | List of node taints to tolerate (requires Kubernetes >= 1.6)                                                                     | `[]`
+`affinity`                                      | Affinity for pod assignment                                                                                                      | `[]`
+`priorityClassName`                             | Name of Priority Class to assign pods                                                                                            | `nil`
+`resources`                                     | Pod resource requests & limits                                                                                                   | `limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi}`
+`protocolHttp`                                  | Serve application over HTTP without TLS                                                                                          | `false`
+`service.type`                                  | Service type                                                                                                                     | `ClusterIP`
+`service.externalPort`                          | Dashboard external port                                                                                                          | `443`
+`service.loadBalancerSourceRanges`              | list of IP CIDRs allowed access to load balancer (if supported)                                                                  | `nil`
+`ingress.annotations`                           | Specify ingress class                                                                                                            | `kubernetes.io/ingress.class: nginx`
+`ingress.labels`                                | Add custom labels                                                                                                                | `[]`
+`ingress.enabled`                               | Enable ingress controller resource                                                                                               | `false`
+`ingress.paths`                                 | Paths to match against incoming requests. Both `/` and `/*` are required to work on gce ingress.                                 | `[/]`
+`ingress.hosts`                                 | Dashboard Hostnames                                                                                                              | `nil`
+`ingress.tls`                                   | Ingress TLS configuration                                                                                                        | `[]`
+`metricsScraper.enabled`                        | Wether to enable dashboard-metrics-scraper                                                                                       | `false`
+`metricsScraper.image.repository`               | Repository for metrics-scraper image                                                                                             | `kubernetesui/metrics-scraper`
+`metricsScraper.image.tag`                      | Repository for metrics-scraper image tag                                                                                         | `v1.0.4`
+`metricsScraper.containerSecurityContext`       | SecurityContext for the kubernetes dashboard metrics scraper container                                                           | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}`
+`metrics-server.enabled`                        | Wether to enable metrics-server                                                                                                  | `false`
+`rbac.create`                                   | Create & use RBAC resources                                                                                                      | `true`
+`rbac.clusterRoleMetrics`                       | If set, an additional cluster role / role binding will be created to access metrics.                                             | `true`
+`rbac.clusterReadOnlyRole`                      | If set, an additional cluster role / role binding will be created with read only permissions to all resources listed inside.     | `false`
+`serviceAccount.create`                         | Whether a new service account name that the agent will use should be created.                                                    | `true`
+`serviceAccount.name`                           | Service account to be used. If not set and serviceAccount.create is `true` a name is generated using the fullname template.      |
+`livenessProbe.initialDelaySeconds`             | Number of seconds to wait before sending first probe                                                                             | `30`
+`livenessProbe.timeoutSeconds`                  | Number of seconds to wait for probe response                                                                                     | `30`
+`podDisruptionBudget.enabled`                   | Create a PodDisruptionBudget                                                                                                     | `false`
+`podDisruptionBudget.minAvailable`              | Minimum available instances; ignored if there is no PodDisruptionBudget                                                          |
+`podDisruptionBudget.maxUnavailable`            | Maximum unavailable instances; ignored if there is no PodDisruptionBudget                                                        |
+`securityContext`                               | PodSecurityContext for pod level securityContext                                                                                 | `nil`
+`containerSecurityContext`                      | SecurityContext for the kubernetes dashboard container                                                                           | `{allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001}`
+`networkPolicy.enabled`                         | Whether to create a network policy that allows access to the service                                                             | `false`
+
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+helm install kubernetes-dashboard/kubernetes-dashboard --name my-release \
+  --set=service.externalPort=8080,resources.limits.cpu=200m
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```console
+helm install kubernetes-dashboard/kubernetes-dashboard --name my-release -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml), which is used by default, as reference
+
+## Using the dashboard with 'kubectl proxy'
+
+When running 'kubectl proxy', the address `localhost:8001/ui` automatically expands to:
+
+- `http://localhost:8001/api/v1/namespaces/my-namespace/services/https:kubernetes-dashboard:https/proxy/`
+
+For this to reach the dashboard, the name of the service must be 'kubernetes-dashboard', not any other value as set by Helm.
+You can manually specify this using the value 'fullnameOverride':
+
+```
+fullnameOverride: 'kubernetes-dashboard'
+```

aio/deploy/helm-chart/kubernetes-dashboard/ci/ingress-values.yaml

@@ -0,0 +1,2 @@
+ingress:
+  enabled: true

aio/deploy/helm-chart/kubernetes-dashboard/ci/metrics-scraper-values.yaml

@@ -0,0 +1,8 @@
+rbac:
+  clusterRoleMetrics: true
+
+metricsScraper:
+  enabled: true
+
+metrics-server:
+  enabled: true

aio/deploy/helm-chart/kubernetes-dashboard/ci/network-policy-values.yaml

@@ -0,0 +1,2 @@
+networkPolicy:
+  enabled: true

aio/deploy/helm-chart/kubernetes-dashboard/ci/pdb-values.yaml

@@ -0,0 +1,2 @@
+podDisruptionBudget:
+  enabled: true

aio/deploy/helm-chart/kubernetes-dashboard/ci/rbac-cluster-readonly-role-values.yaml

@@ -0,0 +1,2 @@
+rbac:
+  clusterReadOnlyRole: true

aio/deploy/helm-chart/kubernetes-dashboard/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: metrics-server
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 2.11.1
+digest: sha256:22392d72416a0330f0c537fcc6cd306da7d25ddf511726bdf8a227d6a6ca8be1
+generated: "2020-04-23T20:58:52.074628+02:00"

aio/deploy/helm-chart/kubernetes-dashboard/requirements.yaml

@@ -0,0 +1,5 @@
+dependencies:
+  - name: metrics-server
+    version: 2.11.1
+    repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: metrics-server.enabled