Bump k8s dashboard chart to v1.8.0

charts/kubernetes-dashboard/v1.8.0/Chart.yaml

+apiVersion: v1
 name: kubernetes-dashboard
-version: 1.2.0
+version: 1.8.0
 appVersion: 1.10.1
 description: General-purpose web UI for Kubernetes clusters
 keywords:
@@ -13,4 +14,4 @@ maintainers:
   email: Kevin.Fox@pnnl.gov
 - name: desaintmartin
   email: cdesaintmartin@wiremind.fr
-icon: https://raw.githubusercontent.com/kubernetes/kubernetes/master/logo/logo.svg
+icon: file://../logo.svg

charts/kubernetes-dashboard/v1.8.0/questions.yml

-rancher_version: v2.0.7
+labels:
+  io.cattle.role: cluster # options are cluster/project
 categories:
-- dashboard
+  - dashboard
+rancher_min_version: v2.0.7
 namespace: kube-system
 questions:
 - variable: defaultImage
@@ -12,7 +14,7 @@ questions:
   group: "Container Images"
   subquestions:
   - variable: image.repository
-    default: "rancher/kubernetes-dashboard-amd64"
+    default: "ranchercharts/kubernetes-dashboard-amd64"
     description: "Docker image repository"
     type: string
     label: Image Repository
@@ -22,7 +24,8 @@ questions:
     type: string
     label: Image Tag
 - variable: enableSkipLogin
-  default: false
+  requred: true
+  default: true
   description: "Enable possibility to skip login"
   type: boolean
   label: "Enable Possibility To Skip Login"
@@ -32,3 +35,11 @@ questions:
   description: "IMPORTANT: Granting admin privileges to Dashboard's Service Account might be a security risk, makeing sure that you know what you are doing before proceeding."
   type: boolean
   label: "Enable Dashboard Cluster Admin Role (NOT RECOMMENDED)"
+  show_subquestion_if: true
+  subquestions:
+  - variable: rbac.clusterReadOnlyRole
+    required: true
+    default: true
+    description: "Same as for clusterAdminRole, it is NOT RECOMMENDED to use this version in production. Instead you should review the role and remove all potentially sensitive parts such as access to persistentvolumes, pods/log etc"
+    type: boolean
+    label: "Set ReadOnly Mode of Cluster Admin Role"

charts/kubernetes-dashboard/v1.8.0/templates/NOTES.txt

@@ -15,7 +15,7 @@ From outside the cluster, the server URL(s) are:
 {{- else if contains "NodePort" .Values.service.type }}
 
 Get the Kubernetes Dashboard URL by running:
-  export NODE_PORT=$(kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "kubernetes-dashboard.fullname" . }})
+  export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "kubernetes-dashboard.fullname" . }})
   export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
 {{- if .Values.enableInsecureLogin }}
   echo http://$NODE_IP:$NODE_PORT/
@@ -26,10 +26,10 @@ Get the Kubernetes Dashboard URL by running:
 {{- else if contains "LoadBalancer" .Values.service.type }}
 
   NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-        Watch the status with: 'kubectl get svc -w {{ template "kubernetes-dashboard.fullname" . }}'
+        Watch the status with: 'kubectl get svc -n {{ .Release.Namespace }} -w {{ template "kubernetes-dashboard.fullname" . }}'
 
 Get the Kubernetes Dashboard URL by running:
-  export SERVICE_IP=$(kubectl get svc {{ template "kubernetes-dashboard.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  export SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ template "kubernetes-dashboard.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 {{- if .Values.enableInsecureLogin }}
   echo http://$SERVICE_IP/
 {{- else }}

charts/kubernetes-dashboard/v1.8.0/templates/clusterrole-readonly.yaml

+{{- if and .Values.rbac.create .Values.rbac.clusterReadOnlyRole (not .Values.rbac.clusterAdminRole) }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ template "kubernetes-dashboard.name" . }}
+    chart: {{ template "kubernetes-dashboard.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: "{{ template "kubernetes-dashboard.fullname" . }}-readonly"
+  namespace: {{ .Release.Namespace }}
+rules:
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - kubernetes-dashboard-key-holder
+      - {{ template "kubernetes-dashboard.fullname" . }}
+    verbs:
+      - get
+      - update
+      - delete
+
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      - kubernetes-dashboard-settings
+    verbs:
+      - get
+      - update
+
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - persistentvolumeclaims
+      - pods
+      - replicationcontrollers
+      - replicationcontrollers/scale
+      - serviceaccounts
+      - services
+      - nodes
+      - persistentvolumeclaims
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - bindings
+      - events
+      - limitranges
+      - namespaces/status
+      - pods/log
+      - pods/status
+      - replicationcontrollers/status
+      - resourcequotas
+      - resourcequotas/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/scale
+      - replicasets
+      - replicasets/scale
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/scale
+      - ingresses
+      - networkpolicies
+      - replicasets
+      - replicasets/scale
+      - replicationcontrollers/scale
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+      - volumeattachments
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+      - clusterroles
+      - roles
+      - rolebindings
+    verbs:
+      - get
+      - list
+      - watch
+{{- end -}}

charts/kubernetes-dashboard/v1.8.0/templates/deployment.yaml

-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "kubernetes-dashboard.fullname" . }}
@@ -22,6 +22,11 @@ spec:
       maxSurge: 0
       maxUnavailable: 1
     type: RollingUpdate
+  selector:
+    matchLabels:
+      app: {{ template "kubernetes-dashboard.name" . }}
+      release: {{ .Release.Name }}
+      kubernetes.io/cluster-service: "true"
   template:
     metadata:
     {{- if .Values.podAnnotations }}
@@ -33,6 +38,10 @@ spec:
         release: {{ .Release.Name }}
         kubernetes.io/cluster-service: "true"
     spec:
+      {{- if .Values.securityContext }}
+      securityContext:
+{{ toYaml .Values.securityContext | indent 8 }}
+      {{- end }}
       serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }}
       containers:
       - name: {{ .Chart.Name }}
@@ -50,6 +59,10 @@ spec:
 {{- if .Values.extraArgs }}
 {{ toYaml .Values.extraArgs | indent 10 }}
 {{- end }}
+{{- if .Values.extraEnv }}
+        env:
+{{ toYaml .Values.extraEnv | indent 10 }}
+{{- end }}
         ports:
 {{- if .Values.enableInsecureLogin }}
         - name: http
@@ -81,6 +94,12 @@ spec:
           timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
+    {{- if .Values.image.pullSecrets }}
+      imagePullSecrets:
+      {{- range .Values.image.pullSecrets }}
+        - name: {{ . }}
+      {{- end }}
+    {{- end }}
     {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
@@ -96,6 +115,6 @@ spec:
 {{ toYaml .Values.tolerations | indent 8 }}
     {{- end }}
     {{- if .Values.affinity }}
-        affinity:
+      affinity:
 {{ toYaml .Values.affinity | indent 8 }}
     {{- end }}

charts/kubernetes-dashboard/v1.8.0/templates/ingress.yaml

@@ -11,6 +11,9 @@ metadata:
     chart: {{ template "kubernetes-dashboard.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+  {{- range $key, $value := .Values.ingress.labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
 {{- if .Values.ingress.annotations }}
   annotations:
 {{ toYaml .Values.ingress.annotations | indent 4 }}

charts/kubernetes-dashboard/v1.8.0/templates/networkpolicy.yaml

+{{- if .Values.networkPolicy -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kubernetes-dashboard.fullname" . }}
+  labels:
+    app: {{ template "kubernetes-dashboard.name" . }}
+    chart: {{ template "kubernetes-dashboard.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "kubernetes-dashboard.name" . }}
+      release: {{ .Release.Name }}
+  ingress:
+  - ports:
+    - port: 9090
+      protocol: TCP
+{{- end -}}

charts/kubernetes-dashboard/v1.8.0/templates/pdb.yaml

+{{- if .Values.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: {{ template "kubernetes-dashboard.name" . }}
+    chart: {{ template "kubernetes-dashboard.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "kubernetes-dashboard.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+
+spec:
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end  }}
+  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end  }}
+  selector:
+    matchLabels:
+      app: {{ template "kubernetes-dashboard.name" . }}
+{{- end -}}
\ No newline at end of file

charts/kubernetes-dashboard/v1.8.0/templates/rolebinding.yaml

 {{- if .Values.rbac.create }}
 
-{{- if .Values.rbac.clusterAdminRole }}
-# Cluster role binding for clusterAdminRole == true
+{{- if or .Values.rbac.clusterAdminRole .Values.rbac.clusterReadOnlyRole }}
+# Cluster role binding for clusterAdminRole == true or clusterReadOnlyRole=true
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@@ -14,13 +14,17 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: {{ if .Values.rbac.clusterAdminRole -}}
+cluster-admin
+{{- else if .Values.rbac.clusterReadOnlyRole -}}
+{{ template "kubernetes-dashboard.fullname" . }}-readonly
+{{- end }}
 subjects:
   - kind: ServiceAccount
     name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 {{- else -}}
-# Role binding for clusterAdminRole == false
+# Role binding for clusterAdminRole == false and clusterReadOnlyRole=false
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:

charts/kubernetes-dashboard/v1.8.0/templates/svc.yaml

@@ -29,6 +29,10 @@ spec:
 {{- if hasKey .Values.service "nodePort" }}
     nodePort: {{ .Values.service.nodePort }}
 {{- end }}
+{{- if .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
   selector:
     app: {{ template "kubernetes-dashboard.name" . }}
     release: {{ .Release.Name }}

charts/kubernetes-dashboard/v1.8.0/values.yaml

@@ -5,9 +5,10 @@
 
 image:
   # repository: k8s.gcr.io/kubernetes-dashboard-amd64
-  repository: rancher/kubernetes-dashboard-amd64
+  repository: ranchercharts/kubernetes-dashboard-amd64
   tag: v1.10.1
   pullPolicy: IfNotPresent
+  pullSecrets: []
 
 replicaCount: 1
 
@@ -16,7 +17,6 @@ annotations: {}
 ## Here labels can be added to the kubernetes dashboard deployment
 ##
 labels: {}
-# kubernetes.io/cluster-service: "true"
 # kubernetes.io/name: "Kubernetes Dashboard"
 
 
@@ -33,6 +33,12 @@ enableInsecureLogin: false
 #   - --enable-insecure-login
 #   - --system-banner="Welcome to Kubernetes"
 
+## Additional container environment variables
+##
+extraEnv: []
+# - name: SOME_VAR
+#   value: 'some value'
+
 # Annotations to be added to kubernetes dashboard pods
 podAnnotations: {}
 
@@ -62,6 +68,10 @@ service:
   ##
   # nameOverride:
 
+  # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
+  # set allowed inbound rules on the security group assigned to the master load balancer
+  # loadBalancerSourceRanges: []
+
   ## Kubernetes Dashboard Service annotations
   ##
   ## For GCE ingress, the following annotation is required:
@@ -90,6 +100,9 @@ ingress:
 
   ## Kubernetes Dashboard Ingress annotations
   ##
+  ## Add custom labels
+  # labels:
+  #   key: value
   # annotations:
   #   kubernetes.io/ingress.class: nginx
   #   kubernetes.io/tls-acme: 'true'
@@ -129,6 +142,20 @@ rbac:
   # ServiceAccount (NOT RECOMMENDED).
   clusterAdminRole: false
 
+  # Start in ReadOnly mode.
+  # Only dashboard-related Secrets and ConfigMaps will still be available for writing.
+  #
+  # Turn OFF clusterAdminRole to use clusterReadOnlyRole.
+  #
+  # The basic idea of the clusterReadOnlyRole comparing to the clusterAdminRole
+  # is not to hide all the secrets and sensitive data but more
+  # to avoid accidental changes in the cluster outside the standard CI/CD.
+  #
+  # Same as for clusterAdminRole, it is NOT RECOMMENDED to use this version in production.
+  # Instead you should review the role and remove all potentially sensitive parts such as
+  # access to persistentvolumes, pods/log etc.
+  clusterReadOnlyRole: false
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -141,3 +168,13 @@ livenessProbe:
   initialDelaySeconds: 30
   # Number of seconds to wait for probe response
   timeoutSeconds: 30
+
+podDisruptionBudget:
+  # https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+  enabled: false
+  minAvailable:
+  maxUnavailable:
+
+securityContext: {}
+
+networkPolicy: false