GitOps Dashboard All tiers
Weave GitOps provides a web UI to help you quickly understand your Application deployments and perform common operations, such as adding a new Application to be deployed to your cluster. The gitops binary contains an HTTP server that can be used to start this browser interface as per the instructions below:
To run the dashboard:
$ gitops ui run
INFO[0000] Opening browser at https://0.0.0.0:9001/
INFO[0000] Serving on 0.0.0.0:9001
Opening in existing browser session.
Your browser should open to the Weave GitOps UI:
What information can I discover about my Applications?​
Applications being managed by Weave GitOps are displayed in a list. Clicking the name of an Application allows you to view more details including:
- It's name, deployment type (Kustomize or Helm), URL for the source repository being synchronized to the cluster and the specific Path within the repository where we are looking for deployment manifests.
- A reconciliation graph detailing the on-cluster components which have been created as a result of the deployment.
- Information from Flux regarding the state of the reconciliation
- A list of the 10 most recent commits to the source git repository helping you to verify which change has been applied to the cluster. This includes a hyperlink back to your git provider for each commit.
TLS configuration​
By default the dashboard will listen on 0.0.0.0:9001 with TLS enabled. A self-signed certificate and key pair are generated when the server starts. As the certificate is self-signed, Chrome and other browser will show a warning you will have to click through to view the dashboard.
| Parameter | Type | Description | Default |
|---|---|---|---|
--no-tls | bool | Disable TLS, access the dashboard on default port via http | false |
--tls-private-key | string | Filename for the TLS certficate, in-memory generated if omitted | |
--tls-cert-file | string | Filename for the TLS key, in-memory generated if omitted | |
--host | string | Host to listen on | 0.0.0.0 |
Dashboard Login​
There are 2 supported methods for logging in to the dashboard:
- Login via an OIDC provider
- Login via a cluster user account
The recommended method is to integrate with an OIDC provider, as this will let you control permissions for existing users and groups that have already been configured to use OIDC. However, it is also possible to use a cluster user account to login, if an OIDC provider is not available to use. Both methods work with standard Kubernetes RBAC.
FEATURE TOGGLE
The following instructions describe a feature that is behind a feature toggle. To enable this feature, set the following OS environment variable:
export WEAVE_GITOPS_AUTH_ENABLED=true
Login via an OIDC provider​
Securing the dashboard using OIDC and Kubernetes RBAC​
You may decide to give your engineering teams access to the dashboard, in order to view and manage their workloads. In this case, you will want to secure access to the dashboard and restrict who can interact with it. Weave GitOps integrates with your OIDC provider and uses standard Kubernetes RBAC to give you fine-grained control of the permissions for the dashboard users.
Background​
OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, this information is used by Weave GitOps to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and also the dashboard.
Configuration​
In order to login via your OIDC provider, you need to create a Kubernetes secret to store the OIDC configuration. This configuration consists of the following parameters:
| Parameter | Description | Default |
|---|---|---|
IssuerURL | The URL of the issuer, typically the discovery URL without a path | |
ClientID | The client ID that has been setup for Weave GitOps in the issuer | |
ClientSecret | The client secret that has been setup for Weave GitOps in the issuer | |
RedirectURL | The redirect URL that has been setup for Weave GitOps in the issuer, typically the dashboard URL followed by /oauth2/callback | |
TokenDuration | The time duration that the ID Token will remain valid, after successful authentication | "1h0m0s" |
Ensure that your OIDC provider has been setup with a client ID/secret and the redirect URL of the dashboard.
Create a secret named oidc-auth in the wego-system namespace with these parameters set:
kubectl create secret generic oidc-auth \
--namespace wego-system \
--from-literal=issuerURL=<oidc-issuer-url> \
--from-literal=clientID=<client-id> \
--from-literal=clientSecret=<client-secret> \
--from-literal=redirectURL=<redirect-url> \
--from-literal=tokenDuration=<token-duration>
Running gitops ui run should now load the dashboard and show the option to login via your OIDC provider.
Once the HTTP server starts, it will redirect unauthenticated users to the provider's login page to authenticate them. Upon successful authentication, the users' identity will be impersonated in any calls made to the Kubernetes API, as part of any action they take in the dashboard. At this point, the dashboard will fail to render correctly unless RBAC has been configured accordingly. Follow the instructions in the RBAC authorization section in order to configure RBAC correctly.
Login via a cluster user account​
Before you login via the cluster user account, you need to generate a bcrypt hash for your chosen password and store it as a secret in Kubernetes. There are several different ways to generate a bcrypt hash, this guide uses an Alpine Docker image to generate one:
Run an Alpine Docker image interactively and supply the password of your choice as an environment variable:
docker run -e CLEAR_PASSWORD="super secret password" -it alpine
Once inside the shell environment of the Alpine image, install the bcrypt library dependencies as well as the bcrypt library itself:
apk add --update musl-dev gcc libffi-dev python3 python3-dev py3-pip
pip install bcrypt
Run the following Python script to generate a hash:
python3 -c 'import bcrypt, os; print(bcrypt.hashpw(os.getenv("CLEAR_PASSWORD").encode(), bcrypt.gensalt()))'
b'$2b$12$nLfl7lKBiYzgAN2aI3ii6exZSZ9KRsj18C7CEWY8kscj9.c6bRXim'
Now create a Kubernetes secret to store your chosen username and the password hash:
kubectl create secret generic admin-password-hash \
--namespace wego-system \
--from-literal=username=admin
--from-literal=password='$2b$12$nLfl7lKBiYzgAN2aI3ii6exZSZ9KRsj18C7CEWY8kscj9.c6bRXim'
You should now be able to login via the cluster user account using your chosen username and password. Follow the instructions in the next section in order to configure RBAC correctly.
RBAC authorization​
Both login methods work with standard Kubernetes RBAC. The following roles represent the minimal set of permissions needed to view applications, commits and profiles from the dashboard:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: apps-reader
namespace: wego-system
rules:
- apiGroups: ["wego.weave.works"]
resources: ["apps"]
verbs: ["get", "list"]
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: ["gitrepositories"]
verbs: ["get"]
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: ["helmrepositories"]
verbs: ["get"]
- apiGroups: ["kustomize.toolkit.fluxcd.io"]
resources: ["kustomizations"]
verbs: ["get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["wego-github-dev-cluster"] # name of secret created by Weave GitOps that contains the deploy key for the git repository
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: profiles-reader
namespace: wego-system
rules:
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: ["helmrepositories"]
verbs: ["get"]
resourceNames: ["weaveworks-charts"]
The following role represents the minimal set of permissions needed to add applications from the dashboard:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: apps-writer
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get"]
resourceNames: ["apps.wego.weave.works"]
The table below contains all the permissions that the dashboard uses:
| Resource | API Group | Action | Description |
|---|---|---|---|
apps | wego.weave.works | list | Required to list all applications |
apps | wego.weave.works | get | Required to retrieve a single application |
gitrepositories | source.toolkit.fluxcd.io | get | Required to retrieve a single application |
kustomizations | kustomize.toolkit.fluxcd.io | get | Required to retrieve a single application |
gitrepositories | source.toolkit.fluxcd.io | update | Required to sync an application |
helmrepositories | source.toolkit.fluxcd.io | update | Required to sync an application |
kustomizations | kustomize.toolkit.fluxcd.io | update | Required to sync an application |
secrets | get | Required to read deploy key secret in order to retrieve the list of commits | |
customresourcedefinitions | apiextensions.k8s.io | get | Required to read custom resources of type apps.wego.weave.works when adding an application |
In order to assign permissions to a user, create a RoleBinding/ClusterRoleBinding. For example, the following role bindings assign all dashboard permissions to the admin user:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-apps
namespace: wego-system
subjects:
- kind: User
name: admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: apps-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-profiles
namespace: wego-system
subjects:
- kind: User
name: admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: profiles-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: write-apps
subjects:
- kind: User
name: admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: apps-writer
apiGroup: rbac.authorization.k8s.io
To test whether permissions have been setup correctly for a specific user/group use the kubectl auth can-i subcommand:
kubectl auth can-i list apps --as "admin" --namespace wego-system
For more information about RBAC authorization visit the Kubernetes reference documentation.
Future development​
The GitOps Dashboard is under active development, watch this space for exciting new features.