Kubeapps

Kubeapps is a dashboard for Helm. You can use Kubeapps to deploy and manage your confidential applications. While we expect that most confidential applications will be deployed via the helm CLI, a dashboard is a convenient way to inspect the running confidential applications as well as the native ones. Moreover, the dashboard informs you when updates of the applications are available to be installed.

Prerequisites

A Kubernetes cluster is available and the helm setup has already been performed.

Deploy and Manage

We provide a catalog with sconeapps, i.e., curated, confidential applications that can be installed with the help of helm or via point and click using Kubeapps.

Kubeapps provides you with a view of available sconeapps, like this:

[Image: SCONE Workflow]

You can select an application that you want to start and deploy it as described below.

Deploy a sconeapp

When deploying an application, you can customize its configuration values. For example, for LAS, SCONE's local attestation service, you can configure the parameters of the Helm chart that is used to install this application:

[Image: SCONE Workflow]

Inspecting Applications

Kubeapps is a dashboard that can show you all running applications. You can select an application for inspection.

[Image: SCONE Workflow]

Inspecting LAS

A view of the LAS application that we started above will look as follows:

[Image: SCONE Workflow]

Software Updates

Kubeapps shows that software updates are available in the dashboard view as well as for the individual applications:

[Image: SCONE Software Update]

Note that before you press Upgrade, you need to ensure that your policy permits this upgrade, i.e., your policy must be set up to permit software updates. If software updates are not permitted, the services will not be given access to their secrets, and one would need to downgrade the services again.

Deploying Kubeapps

sconeapps is a private Helm repository. Hence, we need to grant you access and you need a GitHub token to access the sconeapps repo.

Define an environment variable that contains this token:

export GH_TOKEN=...

Use the token to give Kubeapps access to the sconeapps repository:

if [ -z "$GH_TOKEN" ] ; then
  echo "You need to set your GitHub token: https://github.com/settings/tokens/new"
else
  # The generated file embeds the token in clear text in the repository URL.
  cat > kubeapps_values.yml <<EOF
  apprepository:
    initialRepos:
      - name: sconeapps
        url: https://${GH_TOKEN}@raw.githubusercontent.com/scontain/sconeapps/master/
      - name: bitnami
        url: https://charts.bitnami.com/bitnami
EOF
fi

You can now start Kubeapps with the help of helm as follows:

kubectl create namespace kubeapps || echo "Does namespace 'kubeapps' already exist?"
helm install -f kubeapps_values.yml kubeapps --namespace kubeapps bitnami/kubeapps --set useHelm3=true

Port Forwarding

To display the dashboard in your browser, you need to forward the Kubeapps port to your local machine. Say you want to present it on localhost:8090; then you can forward the Kubeapps port as follows:

kubectl port-forward -n kubeapps services/kubeapps 8090:80

The Kubeapps dashboard can now be viewed at:

http://localhost:8090/

Access Control

For production mode, you should define role-based access control (RBAC). For testing, you might want to create a simple service account, which the following commands bind to the cluster-admin role:

kubectl create serviceaccount kubeapps-operator
kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator

To log into the Kubeapps dashboard, you need to determine the API Token:

APITOKEN=$(kubectl get -n default secret $(kubectl get -n default serviceaccount kubeapps-operator -o jsonpath='{.secrets[].name}') -o go-template='{{.data.token | base64decode}}' && echo)
echo "$APITOKEN"
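
For the production case mentioned under Access Control, one way to scope the dashboard login account to a single namespace instead of cluster-admin is sketched below. This is an added example, not part of the original page or of the SCONE or Kubeapps projects; the namespace `sconeapps` and the function name `render_scoped_operator` are assumptions.

```shell
#!/bin/sh
# Added example, not from the SCONE or Kubeapps documentation.
# Assumed names: namespace "sconeapps", service account "kubeapps-operator".

# Print a manifest for a login account that can manage applications in ONE
# namespace. "edit" is a built-in Kubernetes ClusterRole; referencing it from
# a RoleBinding (instead of a ClusterRoleBinding) limits it to that namespace.
render_scoped_operator() {
  ns="$1"; sa="$2"
  # Conservative name check: lowercase letters, digits and '-', with no
  # leading or trailing '-', so nothing unexpected is spliced into the YAML.
  for v in "$ns" "$sa"; do
    case "$v" in
      ""|-*|*-|*[!a-z0-9-]*) echo "invalid name: '$v'" >&2; return 1 ;;
    esac
  done
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-edit
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
EOF
}

# Against a cluster where the namespace already exists (not run here):
#   render_scoped_operator sconeapps kubeapps-operator | kubectl apply -f -
# Verify the scope by impersonating the account; the first query should be
# allowed and the second denied:
#   kubectl auth can-i create deployments -n sconeapps \
#     --as=system:serviceaccount:sconeapps:kubeapps-operator
#   kubectl auth can-i create deployments -n kube-system \
#     --as=system:serviceaccount:sconeapps:kubeapps-operator
```

To log in with this account, read its token with the command shown above, using the account's namespace in place of `default`.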