k8s-ocp-web-console.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: console
  namespace: auth-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: console
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: console
  namespace: auth-system
---
apiVersion: v1
kind: Secret
metadata:
  name: console
  namespace: auth-system
  annotations:
    kubernetes.io/service-account.name: console
type: kubernetes.io/service-account-token
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: console
  namespace: auth-system
  labels:
    app: console
spec:
  replicas: 1
  selector:
    matchLabels:
      app: console
  template:
    metadata:
      labels:
        app: console
    spec:
      containers:
      - name: console-app
        # OCP K8s version map (https://gist.github.com/jeyaramashok/ebbd25f36338de4422fd584fea841c08)
        # Image (https://quay.io/repository/openshift/origin-console?tab=tags)
        # Till image (origin-console:4.11) Virtualizattion menu is available
        # Create Dex CA (kubectl create cm dex-cert --from-file=ssl/ca.crt -n kube-system)
        image: quay.io/openshift/origin-console:4.10
        env:
        - name: BRIDGE_K8S_MODE
          value: "off-cluster"
        - name: BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT
          value: https://kubernetes.default #master api
        - name: BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS
          value: "true" # no tls enabled
        - name: BRIDGE_PLUGINS
          value: "monitoring-plugin=http://localhost" # Plugins URL (sidecar)
        - name: BRIDGE_V
          value: "7"
        - name: BRIDGE_K8S_MODE_OFF_CLUSTER_THANOS
          value: "http://kubemon-prometheus.monitoring.svc.cluster.local:9090"
        - name: BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER
          value: "http://kubemon-alertmanager.monitoring.svc.cluster.local:9093"
        - name: BRIDGE_K8S_AUTH
          value: oidc
        - name: BRIDGE_USER_AUTH
          value: oidc
        - name: BRIDGE_BASE_ADDRESS
          value: "https://console.apps.k8s.cloudcafe.tech" # Console URL
        - name: BRIDGE_DEX_API_HOST
          value: "https://auth.apps.k8s.cloudcafe.tech"
        - name: BRIDGE_USER_AUTH_OIDC_ISSUER_URL
          value: "https://auth.apps.k8s.cloudcafe.tech/"
        - name: BRIDGE_USER_AUTH_OIDC_CLIENT_ID
          value: oidc-auth-client
        - name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
          value: secret
        - name: BRIDGE_USER_AUTH_OIDC_CA_FILE
          value: "/tmp/tls.crt"
        volumeMounts:
        - mountPath: /tmp/tls.crt
          name: dex-cert
          subPath: tls.crt
      #- name: monitoring-plugin
        #image: docker.io/prasenforu/ocp-mon-plug:1.0.0
      volumes:
      - name: dex-cert
        secret:
          defaultMode: 420
          secretName: dex
---
kind: Service
apiVersion: v1
metadata:
  name: console
  namespace: auth-system
spec:
  selector:
    app: console
  type: NodePort
  ports:
  - name: http
    port: 9000
    targetPort: 9000
    protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: console
  namespace: auth-system
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    #cert-manager.io/cluster-issuer: "private-ca"
    cert-manager.io/cluster-issuer: "selfsigned-issuer"    
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - console.apps.k8s.cloudcafe.tech
    secretName: console-cert
  rules:
  - host: console.apps.k8s.cloudcafe.tech
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: console
            port:
              number: 9000