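# Kubernetes Dashboard for the "devops" namespace: three Secrets, the
# Deployment and a ClusterIP Service. RBAC objects and the ServiceAccount
# referenced below are not defined in this part of the manifest.

# TLS material for the dashboard. Created empty; the Deployment mounts it at
# /certs and starts the dashboard with --auto-generate-certificates.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-certs
  namespace: devops
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque

---
# CSRF key holder. Created with an empty value.
# NOTE(review): presumably filled in by the dashboard at runtime - confirm.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-csrf
  namespace: devops
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---
# Created empty.
# NOTE(review): presumably holds the dashboard's token-encryption key,
# written at runtime - confirm. Restrict read access to these Secrets via RBAC.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-key-holder
  namespace: devops
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: kubernetes-dashboard
  namespace: devops
  labels:
    k8s-app: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # Pod-level default: run every container under the runtime's default
      # seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          # NOTE(review): referenced by tag only. Pinning by digest
          # (kubernetesui/dashboard@sha256:<digest-placeholder>) guards
          # against a re-pushed tag; also check whether a newer supported
          # release is available.
          image: kubernetesui/dashboard:v2.5.1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=devops
            # Session token lifetime in seconds: 21600 s = 6 h.
            # NOTE(review): much longer than the dashboard's default
            # (15 min); a leaked session stays usable for the whole window.
            # Confirm this is intended.
            - --token-ttl=21600
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            # Root filesystem is read-only; /tmp (emptyDir) and /certs are
            # the only mounts declared here.
            readOnlyRootFilesystem: true
            # Hardening: have the kubelet refuse to start the container as
            # UID 0. Consistent with runAsUser below.
            runAsNonRoot: true
            runAsUser: 1001
            runAsGroup: 2001
            # Hardening: the container listens on 8443 (non-privileged
            # port), so no Linux capabilities are retained.
            capabilities:
              drop:
                - ALL
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      # NOTE(review): the dashboard's own reach into the cluster is whatever
      # this ServiceAccount is bound to. Its Role/ClusterRole bindings are
      # not visible here - verify they follow least privilege and are not
      # cluster-admin.
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---
# In-cluster Service for the dashboard. ClusterIP only: external access goes
# through whatever Ingress or proxy targets this Service on port 8443.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: devops
  labels:
    k8s-app: kubernetes-dashboard
spec:
  type: ClusterIP
  ports:
    - port: 8443
      targetPort: 8443
      protocol: TCP
      name: dashboard
  selector:
    k8s-app: kubernetes-dashboard

---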
# Ingress that publishes the kubernetes-dashboard Service (port 8443) under
# the host dashboard.bhasher.com, with a certificate requested from the
# cert-manager ClusterIssuer named in the annotations.
#
# NOTE(review): no access restriction is declared on this Ingress, so the
# dashboard login page is reachable by anyone who can reach the ingress
# controller on that hostname. Confirm that exposure is intended; common
# mitigations are a source allow-list
# (nginx.ingress.kubernetes.io/whitelist-source-range) or an authenticating
# proxy in front of the dashboard.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: k3s
  namespace: devops
  annotations:
    # NOTE(review): this annotation is the deprecated way to select an
    # ingress class; spec.ingressClassName is the replacement where an
    # IngressClass object named "nginx" exists.
    kubernetes.io/ingress.class: 'nginx'
    cert-manager.io/cluster-issuer: 'bhasherca-k3s-issuer'
    cert-manager.io/common-name: 'dashboard.bhasher.com'
    # The controller talks TLS to the pod instead of plain HTTP.
    # NOTE(review): ingress-nginx does not verify the upstream certificate
    # unless proxy-ssl-verify is configured - confirm whether that matters
    # for this cluster's threat model.
    nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
spec:
  tls:
    - secretName: k3s-tls
      hosts:
        - dashboard.bhasher.com
  rules:
    - host: dashboard.bhasher.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 8443