webui
Docker Image and Helm Chart
Describe the solution you'd like
I would like to be able to run flux webui using the same frameworks I use to run flux. That is, using docker and helm charts.
Describe alternatives you've considered
Bundling the releases into a private docker image and creating a helm chart from that.
I agree, my issue got closed: #24
Until there is a better way of using the webui, I created my own docker image: https://github.com/adberger/fluxcd-webui
@adberger One issue I am having is running that image within K8s itself - namely permissions.
One should be able to create a deployment using your image, create a Role with the necessary permissions, then bind that role to a service account attached to the Deployment. This should remove the need for a kubeconfig file.
However, it seems to me that the webui insists on using a kubeconfig file as it is unable to get any resources. kubectl added to that same container is able to do so.
@chriscowley Unfortunately the kubeconfig is still needed even in the cluster itself.
Additionally, I'm asking myself if it's possible to get the RBAC directly from the ServiceAccount token in a Pod instead of loading the kubeconfig file.
I can't say that I am 100% familiar with that use case, but eventually, you may be able to specify some other kubeconfig file to use for cluster authentication.
For now, we have an initContainer which creates a kubeconfig from the ServiceAccount:
```yaml
      # Init container: builds a kubeconfig from the pod's mounted
      # ServiceAccount credentials and writes it to a shared emptyDir.
      initContainers:
        - name: init-myservice
          image: "{{ .Values.image.busybox.repository }}:{{ .Values.image.busybox.tag | default "latest" }}"
          imagePullPolicy: {{ .Values.image.busybox.pullPolicy }}
          command:
            - 'sh'
            - '-c'
            - |
              DOMAIN={{ .Values.kubeconfig.domain | quote }}
              CLUSTER={{ .Values.kubeconfig.cluster | quote }}
              SERVICE_ACCOUNT={{ include "flux-webui.serviceAccountName" . | quote }}
              # The token and CA are read once, at pod start, and copied into the file below.
              SECRET_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
              SECRET_CACERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 | tr -d \\n)
              cat <<EOF > /config/config
              apiVersion: v1
              clusters:
              - cluster:
                  certificate-authority-data: ${SECRET_CACERT}
                  server: https://api.${CLUSTER}.${DOMAIN}
                name: ${CLUSTER}
              contexts:
              - context:
                  cluster: ${CLUSTER}
                  user: ${SERVICE_ACCOUNT}
                name: ${CLUSTER}
              current-context: ${CLUSTER}
              kind: Config
              preferences: {}
              users:
              - name: ${SERVICE_ACCOUNT}
                user:
                  as-user-extra: {}
                  token: ${SECRET_TOKEN}
              EOF
          volumeMounts:
            - name: config
              mountPath: /config
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 9000
              protocol: TCP
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          # The generated kubeconfig (including the token) is mounted as ~/.kube/config.
          volumeMounts:
            - name: config
              mountPath: /root/.kube
      # Shared scratch volume that carries the kubeconfig between the two containers.
      volumes:
        - name: config
          emptyDir: {}
```
This works pretty well.
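
Added example, not part of the thread or of the linked image: a variant of the init script above that writes a kubeconfig referencing the mounted ServiceAccount files (`tokenFile`, `certificate-authority`) instead of copying the token into the emptyDir, and creates the file owner-only. The names `write_sa_kubeconfig`, `SA_DIR` and `OUT_DIR` are made up for this sketch, and it assumes the webui loads its kubeconfig through a client that honours `tokenFile`, as client-go does.

```shell
#!/bin/sh
# Added example: kubeconfig that points at the ServiceAccount mount
# rather than embedding the token. Function and variable names are hypothetical.

write_sa_kubeconfig() {
  sa_dir=$1    # ServiceAccount mount, e.g. /var/run/secrets/kubernetes.io/serviceaccount
  out_dir=$2   # directory shared with the main container, e.g. /config
  server=$3    # API server URL

  # Fail closed if the ServiceAccount mount is missing or empty.
  for f in token ca.crt; do
    [ -s "$sa_dir/$f" ] || { echo "missing or empty: $sa_dir/$f" >&2; return 1; }
  done
  # Refuse a plaintext endpoint: the bearer token would cross the wire unprotected.
  case $server in
    https://*) ;;
    *) echo "server must be an https:// URL" >&2; return 1 ;;
  esac

  # Subshell keeps the restrictive umask local; the file is created mode 0600.
  ( umask 077
    rm -f "$out_dir/config"
    cat > "$out_dir/config" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    certificate-authority: $sa_dir/ca.crt
    server: $server
contexts:
- name: in-cluster
  context:
    cluster: in-cluster
    user: serviceaccount
current-context: in-cluster
users:
- name: serviceaccount
  user:
    tokenFile: $sa_dir/token
EOF
  )
}

# Inside a pod the kubelet sets KUBERNETES_SERVICE_HOST/PORT; do nothing elsewhere.
if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
  write_sa_kubeconfig "${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}" \
    "${OUT_DIR:-/config}" "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
fi
```

Because the main container mounts the same ServiceAccount path, the references resolve there too, and the only secret on the shared volume is a file path.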