feat: add k8s dashboard (using helm chart) (#68)

* feat: add k8s dashboard (using helm chart)

* chore: tf format

Author: lorenzocorallo

main.tf

@@ -86,6 +86,17 @@ module "monitoring" {
   grafana_admin_password = data.azurerm_key_vault_secret.grafana_admin_password.value
 }
 
+module "kubernetes-dashboard" {
+  depends_on = [
+    module.aks
+  ]
+
+  source = "./modules/kubernetes-dashboard/"
+
+  // variables
+  namespace = "kubernetes-dashboard"
+}
+
 module "keyvault" {
   source = "./modules/keyvault/"
 

modules/kubernetes-dashboard/dashboard.tf

@@ -0,0 +1,68 @@
+resource "kubernetes_namespace" "namespace" {
+  metadata {
+    name = var.namespace
+  }
+}
+
+resource "helm_release" "kubernetes-dashboard" {
+  name       = "kubernetes-dashboard"
+  repository = "https://kubernetes.github.io/dashboard/"
+  chart      = "kubernetes-dashboard"
+  version    = "7.14.0"
+  namespace  = var.namespace
+
+  cleanup_on_fail  = true
+  create_namespace = false
+
+  values = [
+    templatefile("${path.module}/values/dashboard.yaml.tftpl", {})
+  ]
+
+  depends_on = [
+    kubernetes_namespace.namespace,
+  ]
+}
+
+# RBAC Explanation:
+# 
+# With default authentication, users authenticate by providing their own Kubernetes tokens
+# (ServiceAccount tokens, user tokens, etc.). The dashboard acts as a proxy - when a user
+# makes a request through the dashboard UI, the dashboard forwards that request to the
+# Kubernetes API server using the user's token. The dashboard containers themselves don't
+# need special permissions because they're just proxying requests.
+#
+# Login to the UI is done using Cloudflare Tunnel + Cloudflare Access.
+# We create a authorization token linked to this service account that expires in 104 years
+# starting from today (31/10/2025). 
+# If you are still there when this expires, you can generate a new one by running the 
+# following command in the terminal (with kubectl configured):
+#   kubectl create token admin-user -n kubernetes-dashboard
+# Then change it in the header value "Authorization" found in
+# the Cloudflare Rules section in our Cloudflare account.
+resource "kubernetes_service_account" "admin_user" {
+  metadata {
+    name      = "admin-user"
+    namespace = var.namespace
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "admin_user" {
+  metadata {
+    name = "admin-user-binding"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "admin-user"
+    namespace = var.namespace
+  }
+
+  depends_on = [
+    helm_release.kubernetes-dashboard
+  ]
+}
+

modules/kubernetes-dashboard/outputs.tf

@@ -0,0 +1,4 @@
+output "namespace" {
+  description = "Namespace where Kubernetes Dashboard is deployed"
+  value       = var.namespace
+}

modules/kubernetes-dashboard/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.21.1"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.17.0"
+    }
+  }
+}
+

modules/kubernetes-dashboard/values/dashboard.yaml.tftpl

@@ -0,0 +1,47 @@
+# General app configuration
+app:
+  # Disable ingress since we're using Cloudflare tunnels
+  ingress:
+    enabled: false
+
+# Kong gateway configuration - this is the main service entry point
+# Kong acts as the gateway/router for all dashboard components (auth, api, web)
+kong:
+  enabled: true
+  proxy:
+    type: ClusterIP
+    # Enable HTTP mode since Cloudflare tunnel handles TLS termination
+    # The dashboard will be accessible via HTTP internally, Cloudflare encrypts externally
+    http:
+      enabled: true
+
+# Metrics scraper - reduce CPU request to avoid scheduling issues on small clusters
+metricsScraper:
+  containers:
+    resources:
+      requests:
+        cpu: 10m  # Reduced from default 100m to avoid scheduling issues
+        memory: 100Mi  # Reduced from default 200Mi
+      limits:
+        cpu: 250m  # Keep limit high to allow burst if needed
+        memory: 400Mi
+
+api:
+  containers:
+    resources:
+      requests:
+        cpu: 50m  # Reduced from default 100m
+        memory: 150Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi
+
+web:
+  containers:
+    resources:
+      requests:
+        cpu: 50m  # Reduced from default 100m
+        memory: 150Mi
+      limits:
+        cpu: 250m
+        memory: 400Mi