diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml index 3f985504..4e5b2cc6 100644 --- a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml +++ b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml @@ -239,13 +239,13 @@ spec: - name: ANSIBLE_CONFIG value: "/etc/ansible/ansible.cfg" - name: RELATED_IMAGE_kiali_default - value: "${KIALI_1_57}" + value: "${KIALI_1_65}" + - name: RELATED_IMAGE_kiali_v1_65 + value: "${KIALI_1_65}" - name: RELATED_IMAGE_kiali_v1_57 value: "${KIALI_1_57}" - name: RELATED_IMAGE_kiali_v1_48 value: "${KIALI_1_48}" - - name: RELATED_IMAGE_kiali_v1_36 - value: "${KIALI_1_36}" ports: - name: http-metrics containerPort: 8080 diff --git a/playbooks/default-supported-images.yml b/playbooks/default-supported-images.yml index 94486bfd..0c666b21 100644 --- a/playbooks/default-supported-images.yml +++ b/playbooks/default-supported-images.yml @@ -1,4 +1,4 @@ default: {"image_name": "quay.io/kiali/kiali", "image_version": "operator_version"} -v1.36: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.36"} v1.48: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.48"} v1.57: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.57"} +v1.65: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.65"} diff --git a/roles/v1.36/kiali-deploy/templates/openshift/oauth.yaml b/roles/v1.36/kiali-deploy/templates/openshift/oauth.yaml deleted file mode 100644 index 1188605c..00000000 --- a/roles/v1.36/kiali-deploy/templates/openshift/oauth.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: oauth.openshift.io/v1 -kind: OAuthClient -metadata: - name: {{ kiali_vars.deployment.instance_name }}-{{ kiali_vars.deployment.namespace }} - labels: {{ kiali_resource_metadata_labels }} -redirectURIs: - - {{ kiali_route_url }} -grantMethod: auto -allowAnyScope: true 
diff --git a/roles/v1.36/kiali-deploy/defaults/main.yml b/roles/v1.65/kiali-deploy/defaults/main.yml similarity index 72% rename from roles/v1.36/kiali-deploy/defaults/main.yml rename to roles/v1.65/kiali-deploy/defaults/main.yml index d43a741c..dc7a3c65 100644 --- a/roles/v1.36/kiali-deploy/defaults/main.yml +++ b/roles/v1.65/kiali-deploy/defaults/main.yml @@ -1,4 +1,4 @@ -# Defaults for all user-facing Kiali settings. These are documented in kiali_cr.yaml. +# Defaults for all user-facing Kiali settings. # # Note that these are under the main dictionary group "kiali_defaults". # The actual vars used by the role are found in the vars/ directory. @@ -20,16 +20,19 @@ kiali_defaults: api: namespaces: exclude: - - "istio-operator" - - "kube-.*" - - "openshift.*" - - "ibm.*" - - "kiali-operator" - #label_selector: + - "^istio-operator" + - "^kube-.*" + - "^openshift.*" + - "^ibm.*" + - "^kiali-operator" + include: [] + label_selector_exclude: "" + #label_selector_include: auth: openid: additional_request_params: {} + allowed_domains: [] api_proxy: "" api_proxy_ca_data: "" api_token: "id_token" @@ -44,7 +47,10 @@ kiali_defaults: scopes: ["openid", "profile", "email"] username_claim: "sub" openshift: + auth_timeout: 10 client_id_prefix: "kiali" + #token_inactivity_timeout: + #token_max_age: strategy: "" custom_dashboards: [] @@ -56,16 +62,22 @@ kiali_defaults: node: {} pod: {} pod_anti: {} + configmap_annotations: {} + custom_secrets: [] + host_aliases: [] hpa: - api_version: "autoscaling/v2beta2" + api_version: "" spec: {} + image_digest: "" image_name: "" image_pull_policy: "IfNotPresent" image_pull_secrets: [] image_version: "" ingress: additional_labels: {} - ingress_enabled: true + class_name: "nginx" + #enabled: + #override_yaml: instance_name: "kiali" logger: log_format: "text" 
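Review bot: The new `api.namespaces.exclude` patterns are anchored only at the start, so `^istio-operator` and `^kiali-operator` also match any namespace whose name merely begins with those strings (for example a constructed `istio-operator-tools`), and the trailing `.*` on `^kube-.*`, `^openshift.*` and `^ibm.*` adds nothing without a closing `$`. If the two operator entries are meant to be exact names, `- "^istio-operator$"` and `- "^kiali-operator$"` say so; if prefix matching is intended, a comment above the list such as `# regexes matched against namespace names; an open tail matches any suffix` makes that explicit. This assumes the consumer treats the entries as regular expressions, which the added `^` anchors suggest but the hunk itself does not show.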
@@ -74,23 +86,19 @@ kiali_defaults: time_field_format: "2006-01-02T15:04:05Z07:00" namespace: "" node_selector: {} - #override_ingress_yaml: pod_annotations: {} pod_labels: {} priority_class_name: "" replicas: 1 #resources: secret_name: "kiali" + security_context: {} service_annotations: {} #service_type: "NodePort" tolerations: [] version_label: "" view_only_mode: false - extensions: - iter_8: - enabled: false - external_services: custom_dashboards: discovery_auto_threshold: 10 @@ -107,7 +115,17 @@ kiali_defaults: type: "none" use_kiali_token: false username: "" + cache_duration: 7 + cache_enabled: true + cache_expiration: 300 + custom_headers: {} health_check_url: "" + is_core: true + query_scope: {} + thanos_proxy: + enabled: false + retention_period: "7d" + scrape_interval: "30s" url: "" grafana: auth: @@ -133,7 +151,7 @@ kiali_defaults: - name: "Istio Wasm Extension Dashboard" enabled: true health_check_url: "" - in_cluster_url: "" + #in_cluster_url is_core: false url: "" istio: @@ -154,11 +172,18 @@ kiali_defaults: enabled: true config_map_name: "istio" envoy_admin_local_port: 15000 + gateway_api_class_name: "" + istio_api_enabled: true + #istio_canary_revision: + #current: prod + #upgrade: canary istio_identity_domain: "svc.cluster.local" istio_injection_annotation: "sidecar.istio.io/inject" istio_sidecar_annotation: "sidecar.istio.io/status" istio_sidecar_injector_config_map_name: "istio-sidecar-injector" istiod_deployment_name: "istiod" + istiod_pod_monitoring_port: 15014 + root_namespace: "" url_service_version: "" prometheus: auth: @@ -172,8 +197,14 @@ kiali_defaults: cache_duration: 7 cache_enabled: true cache_expiration: 300 + custom_headers: {} health_check_url: "" is_core: true + query_scope: {} + thanos_proxy: + enabled: false + retention_period: "7d" + scrape_interval: "30s" url: "" tracing: auth: 
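Review bot: The disabled grafana key is written `#in_cluster_url` without the trailing colon that this file's other disabled keys carry (`#token_max_age:`, `#override_yaml:`, `#label_selector_include:`), so it reads as a stray comment rather than a documented-but-unset setting; write it as `#in_cluster_url:`. Because the operator now fills this value only when the key is undefined (the tasks/main.yml hunk changes that check from `== ""` to `is not defined`), a one-line comment here would save readers a trip through the tasks: `# leave unset; the operator derives http://grafana.<istio_namespace>:3000 at runtime`.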
@@ -185,12 +216,13 @@ kiali_defaults: use_kiali_token: false username: "" enabled: true - health_check_url: "" in_cluster_url: "" is_core: false namespace_selector: true + query_scope: {} + query_timeout: 5 url: "" - #use_grpc: + use_grpc: true whitelist_istio_system: ["jaeger-query", "istio-ingressgateway"] health_config: @@ -203,10 +235,24 @@ kiali_defaults: istio_labels: app_label_name: "app" injection_label_name: "istio-injection" + injection_label_rev: "istio.io/rev" version_label_name: "version" kiali_feature_flags: + certificates_information_indicators: + enabled: true + secrets: + - cacerts + - istio-ca-secret + clustering: + autodetect_secrets: + enabled: true + label: "kiali.io/multiCluster=true" + clusters: [] + disabled_features: [] + istio_annotation_action: true istio_injection_action: true + istio_upgrade_action: false ui_defaults: graph: find_options: @@ -216,19 +262,37 @@ kiali_defaults: expression: "! healthy" - description: "Find: unknown nodes" expression: "name = unknown" + - description: "Find: nodes with the 2 top rankings" + expression: "rank <= 2" hide_options: - description: "Hide: healthy nodes" expression: "healthy" - description: "Hide: unknown nodes" expression: "name = unknown" + - description: "Hide: nodes ranked lower than the 2 top rankings" + expression: "rank > 2" + settings: + font_label: 13 + min_font_badge: 7 + min_font_label: 10 + traffic: + grpc: "requests" + http: "requests" + tcp: "sent" + metrics_inbound: + aggregations: [] + metrics_outbound: + aggregations: [] metrics_per_refresh: "1m" namespaces: [] - refresh_interval: "15s" + refresh_interval: "60s" + validations: + ignore: ["KIA1201"] + skip_wildcard_gateway_hosts: false kubernetes_config: burst: 200 cache_duration: 300 - cache_enabled: true cache_istio_types: - "AuthorizationPolicy" - "DestinationRule" 
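Review bot: `certificates_information_indicators` and `clustering.autodetect_secrets` both arrive with `enabled: true`, and between them they name specific Secrets (`cacerts`, `istio-ca-secret`) and a label (`kiali.io/multiCluster=true`) that presumably cause Kiali to read those Secrets in a default installation, yet the hunk gives no hint of that. A comment above each block, e.g. `# on by default; Kiali reads the listed Secrets - set enabled: false to opt out`, lets an administrator make the choice deliberately. Whether the role's RBAC templates grant the corresponding Secret access is outside this hunk, so keep the comment to what the flag controls rather than to RBAC.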
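Review bot: `validations.ignore: ["KIA1201"]` suppresses a validation code by default with no explanation of what it covers or why it is off out of the box, and a bare code is opaque to whoever edits this file next. Add a comment naming the check, e.g. `# KIA1201 (<validation name>) is ignored by default because <reason>`, with the placeholders filled from the validation documentation. The same hunk also moves `refresh_interval` from `"15s"` to `"60s"`; a brief why-comment there would stop the next reader treating it as accidental.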
@@ -261,8 +325,13 @@ kiali_defaults: audit_log: true cors_allow_all: false gzip_enabled: true - metrics_enabled: true - metrics_port: 9090 + observability: + metrics: + enabled: true + port: 9090 + tracing: + collector_url: http://jaeger-collector.istio-system:14268/api/traces + enabled: false port: 20001 web_fqdn: "" web_history_mode: "" diff --git a/roles/v1.36/kiali-deploy/filter_plugins/only_accessible_namespaces.py b/roles/v1.65/kiali-deploy/filter_plugins/only_accessible_namespaces.py similarity index 100% rename from roles/v1.36/kiali-deploy/filter_plugins/only_accessible_namespaces.py rename to roles/v1.65/kiali-deploy/filter_plugins/only_accessible_namespaces.py diff --git a/roles/v1.36/kiali-deploy/filter_plugins/stripnone.py b/roles/v1.65/kiali-deploy/filter_plugins/stripnone.py similarity index 100% rename from roles/v1.36/kiali-deploy/filter_plugins/stripnone.py rename to roles/v1.65/kiali-deploy/filter_plugins/stripnone.py diff --git a/roles/v1.36/kiali-deploy/meta/main.yml b/roles/v1.65/kiali-deploy/meta/main.yml similarity index 100% rename from roles/v1.36/kiali-deploy/meta/main.yml rename to roles/v1.65/kiali-deploy/meta/main.yml diff --git a/roles/v1.36/kiali-deploy/tasks/kubernetes/k8s-main.yml b/roles/v1.65/kiali-deploy/tasks/kubernetes/k8s-main.yml similarity index 86% rename from roles/v1.36/kiali-deploy/tasks/kubernetes/k8s-main.yml rename to roles/v1.65/kiali-deploy/tasks/kubernetes/k8s-main.yml index f0759f64..c5bb3d41 100644 --- a/roles/v1.36/kiali-deploy/tasks/kubernetes/k8s-main.yml +++ b/roles/v1.65/kiali-deploy/tasks/kubernetes/k8s-main.yml @@ -12,7 +12,7 @@ loop: - serviceaccount - configmap - - "{{ 'role-viewer' if kiali_vars.deployment.view_only_mode|bool == True else 'role' }}" + - "{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}" - role-controlplane - rolebinding - rolebinding-controlplane 
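Review bot: `collector_url: http://jaeger-collector.istio-system:14268/api/traces` is the only unquoted string value in this defaults file and it hard-codes the `istio-system` namespace, whereas the other service URLs in the file (grafana, tracing, istiod) are left empty and derived from `istio_namespace` in tasks/main.yml. At minimum quote it for consistency, `collector_url: "http://jaeger-collector.istio-system:14268/api/traces"`; better, default it to `""` and derive the namespace at runtime like its siblings, so a non-default Istio namespace does not leave Kiali's own traces pointed at a host that does not exist. With `enabled: false` beside it the impact today is limited to the documented default, which is why a comment on the assumption is the least that is needed.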
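Review bot: The role-selection expression `'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role'` is now spelled out twice in this file (here and in the `@@ -71,7 +71,7 @@` hunk below), and both copies decide which RBAC Role Kiali is granted, so they must never drift. Compute it once before the loop, e.g. `- set_fact:` / `kiali_role_template: "{{ 'role-viewer' if (kiali_vars.deployment.view_only_mode|bool or kiali_vars.auth.strategy != 'anonymous') else 'role' }}"`, and reference `kiali_role_template` in both places. A short comment stating why a non-anonymous strategy implies the viewer Role would also help, since that reasoning is not visible in this file.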
@@ -47,7 +47,7 @@ loop_var: process_resource_item when: - is_k8s == True - - kiali_vars.deployment.ingress_enabled|bool == True + - kiali_vars.deployment.ingress.enabled|bool == True - name: Delete Ingress on Kubernetes if disabled k8s: @@ -58,7 +58,7 @@ name: "{{ kiali_vars.deployment.instance_name }}" when: - is_k8s == True - - kiali_vars.deployment.ingress_enabled|bool == False + - kiali_vars.deployment.ingress.enabled|bool == False - include_tasks: update-status-progress.yml vars: @@ -71,7 +71,7 @@ vars: role_namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" k8s: - definition: "{{ lookup('template', 'templates/kubernetes/' + ('role-viewer' if kiali_vars.deployment.view_only_mode|bool == True else 'role') + '.yaml') }}" + definition: "{{ lookup('template', 'templates/kubernetes/' + ('role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role') + '.yaml') }}" when: - is_k8s == True - '"**" not in kiali_vars.deployment.accessible_namespaces' diff --git a/roles/v1.36/kiali-deploy/tasks/main.yml b/roles/v1.65/kiali-deploy/tasks/main.yml similarity index 67% rename from roles/v1.36/kiali-deploy/tasks/main.yml rename to roles/v1.65/kiali-deploy/tasks/main.yml index f8c0e584..7ba66fef 100644 --- a/roles/v1.36/kiali-deploy/tasks/main.yml +++ b/roles/v1.65/kiali-deploy/tasks/main.yml @@ -13,13 +13,17 @@ deployment: accessibleNamespaces: null -- name: Get information about the cluster +- name: Get api group information from the cluster set_fact: api_groups: "{{ lookup(k8s_plugin, cluster_info='api_groups') }}" when: - is_openshift == False - is_k8s == False +- name: Get api version information from the cluster + k8s_cluster_info: + register: api_status + - name: Determine the cluster type set_fact: is_openshift: "{{ True if 'route.openshift.io' in api_groups else False }}" 
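Review bot: The new `Get api version information from the cluster` task runs unconditionally between the two cluster-type tasks, and nothing nearby says why; the only consumer visible in this diff is the HPA `api_version` selection much later, which indexes `api_status.apis`. A comment such as `# api_status.apis is consulted later to choose the HPA api_version (autoscaling/v2 vs v2beta2)` makes that dependency explicit and explains why the task must not be skipped. The module call is written as a bare `k8s_cluster_info:` (a YAML null); that is accepted for a no-argument module, but `k8s_cluster_info: {}` reads as deliberate rather than as a forgotten value.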
@@ -79,121 +83,29 @@ - debug: msg: "OPERATOR VERSION: [{{ operator_version }}]" -# Because we are passing through some yaml directly to Kubernetes resources, we have to retain the camelCase keys. -# All CR parameters are converted to snake_case, but the original yaml is found in the special _kiali_io_kiali param. -# We need to copy that original yaml into our vars where appropriate to keep the camelCase. - -- name: Replace snake_case with camelCase in deployment.affinity.node - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment']['affinity'].pop('node') %} - {{ kiali_vars | combine({'deployment': {'affinity': {'node': current_cr.spec.deployment.affinity.node }}}, recursive=True) }} - when: - - kiali_vars.deployment.affinity is defined - - kiali_vars.deployment.affinity.node is defined - - kiali_vars.deployment.affinity.node | length > 0 - -- name: Replace snake_case with camelCase in deployment.affinity.pod - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment']['affinity'].pop('pod') %} - {{ kiali_vars | combine({'deployment': {'affinity': {'pod': current_cr.spec.deployment.affinity.pod }}}, recursive=True) }} - when: - - kiali_vars.deployment.affinity is defined - - kiali_vars.deployment.affinity.pod is defined - - kiali_vars.deployment.affinity.pod | length > 0 - -- name: Replace snake_case with camelCase in deployment.affinity.pod_anti - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment']['affinity'].pop('pod_anti') %} - {{ kiali_vars | combine({'deployment': {'affinity': {'pod_anti': current_cr.spec.deployment.affinity.pod_anti }}}, recursive=True) }} - when: - - kiali_vars.deployment.affinity is defined - - kiali_vars.deployment.affinity.pod_anti is defined - - kiali_vars.deployment.affinity.pod_anti | length > 0 - -- name: Replace snake_case with camelCase in deployment.tolerations - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment'].pop('tolerations') %} - {{ kiali_vars | combine({'deployment': {'tolerations': 
current_cr.spec.deployment.tolerations }}, recursive=True) }} - when: - - kiali_vars.deployment.tolerations is defined - - kiali_vars.deployment.tolerations | length > 0 - -- name: Replace snake_case with camelCase in deployment.additional_service_yaml - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment'].pop('additional_service_yaml') %} - {{ kiali_vars | combine({'deployment': {'additional_service_yaml': current_cr.spec.deployment.additional_service_yaml }}, recursive=True) }} - when: - - kiali_vars.deployment.additional_service_yaml is defined - - kiali_vars.deployment.additional_service_yaml | length > 0 - -- name: Replace snake_case with camelCase in deployment.resources - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment'].pop('resources') %} - {{ kiali_vars | combine({'deployment': {'resources': current_cr.spec.deployment.resources }}, recursive=True) }} - when: - - kiali_vars.deployment.resources is defined - - kiali_vars.deployment.resources | length > 0 - -- name: Replace snake_case with camelCase in deployment.override_ingress_yaml - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment'].pop('override_ingress_yaml') %} - {{ kiali_vars | combine({'deployment': {'override_ingress_yaml': current_cr.spec.deployment.override_ingress_yaml }}, recursive=True) }} - when: - - kiali_vars.deployment.override_ingress_yaml is defined - - kiali_vars.deployment.override_ingress_yaml | length > 0 - -- name: Replace snake_case with camelCase in deployment.pod_annotations - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment'].pop('pod_annotations') %} - {{ kiali_vars | combine({'deployment': {'pod_annotations': current_cr.spec.deployment.pod_annotations }}, recursive=True) }} - when: - - kiali_vars.deployment.pod_annotations is defined - - kiali_vars.deployment.pod_annotations | length > 0 - -- name: Replace snake_case with camelCase in deployment.pod_labels - set_fact: - kiali_vars: | - {% set 
a=kiali_vars['deployment'].pop('pod_labels') %} - {{ kiali_vars | combine({'deployment': {'pod_labels': current_cr.spec.deployment.pod_labels }}, recursive=True) }} - when: - - kiali_vars.deployment.pod_labels is defined - - kiali_vars.deployment.pod_labels | length > 0 +# To remain backward compatible with some settings that have changed in later releases, +# let's take some deprecated settings and set the current settings appropriately. -- name: Replace snake_case with camelCase in deployment.service_annotations +- name: deployment.ingress_enabled is deprecated but if deployment.ingress.enabled is not set then use the old setting set_fact: kiali_vars: | - {% set a=kiali_vars['deployment'].pop('service_annotations') %} - {{ kiali_vars | combine({'deployment': {'service_annotations': current_cr.spec.deployment.service_annotations }}, recursive=True) }} + {% set ie=kiali_vars['deployment'].pop('ingress_enabled') %} + {{ kiali_vars | combine({'deployment': {'ingress': {'enabled': ie|bool }}}, recursive=True) }} when: - - kiali_vars.deployment.service_annotations is defined - - kiali_vars.deployment.service_annotations | length > 0 + - kiali_vars.deployment.ingress_enabled is defined + - kiali_vars.deployment.ingress is not defined or kiali_vars.deployment.ingress.enabled is not defined -- name: Replace snake_case with camelCase in deployment.hpa.spec +- name: api.namespaces.label_selector is deprecated but if api.namespaces.label_selector_include is not set then use the old setting set_fact: kiali_vars: | - {% set a=kiali_vars['deployment']['hpa'].pop('spec') %} - {{ kiali_vars | combine({'deployment': {'hpa': {'spec': current_cr.spec.deployment.hpa.spec }}}, recursive=True) }} + {% set ls=kiali_vars['api']['namespaces'].pop('label_selector') %} + {{ kiali_vars | combine({'api': {'namespaces': {'label_selector_include': ls|bool }}}, recursive=True) }} when: - - kiali_vars.deployment.hpa is defined - - kiali_vars.deployment.hpa.spec is defined - - 
kiali_vars.deployment.hpa.spec | length > 0 + - kiali_vars.api.namespaces.label_selector is defined + - kiali_vars.api.namespaces.label_selector_include is not defined -- name: Replace snake_case with camelCase in deployment.node_selector - set_fact: - kiali_vars: | - {% set a=kiali_vars['deployment'].pop('node_selector') %} - {{ kiali_vars | combine({'deployment': {'node_selector': current_cr.spec.deployment.node_selector }}, recursive=True) }} - when: - - kiali_vars.deployment.node_selector is defined - - kiali_vars.deployment.node_selector | length > 0 +# convert snake case to camelCase where appropriate +- include_tasks: snake_camel_case.yaml - name: Print some debug information vars: @@ -203,7 +115,6 @@ {{ kiali_vars | to_nice_yaml }} debug: msg: "{{ msg.split('\n') }}" - tags: test - name: Set default deployment namespace to the same namespace where the CR lives set_fact: @@ -277,11 +188,17 @@ when: - kiali_vars.istio_namespace == "" +- name: Set default root namespace + set_fact: + kiali_vars: "{{ kiali_vars | combine({'external_services': {'istio': {'root_namespace': kiali_vars.istio_namespace}}}, recursive=True) }}" + when: + - kiali_vars.external_services.istio.root_namespace == "" + - name: Set default Grafana in_cluster_url set_fact: kiali_vars: "{{ kiali_vars | combine({'external_services': {'grafana': {'in_cluster_url': 'http://grafana.' + kiali_vars.istio_namespace + ':3000'}}}, recursive=True) }}" when: - kiali_vars.external_services.grafana.in_cluster_url == "" + kiali_vars.external_services.grafana.in_cluster_url is not defined - name: Set default Tracing in_cluster_url for Maistra set_fact: 
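Review bot: The `api.namespaces.label_selector` compatibility task carries the deprecated value over through `ls|bool`, but a label selector is a `name=value` string (later in this file `label_selector_include` is built as `'kiali.io/' + ... + 'member-of=' + namespace` and checked against a `name=value` regex), so `|bool` collapses any real selector to `False`, after which the format check fails or the include filter is silently lost. The filter was evidently copied from the `ingress_enabled` task just above, where it is correct; the line should read `{{ kiali_vars | combine({'api': {'namespaces': {'label_selector_include': ls }}}, recursive=True) }}`. The rest of the hunk replaces the inline snake_case-to-camelCase tasks with `- include_tasks: snake_camel_case.yaml`, which is not part of this diff, so whether it still covers every removed key (for instance `override_ingress_yaml`) cannot be confirmed here.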
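Review bot: The grafana `in_cluster_url` default now fires only when the key `is not defined`, so a CR that still carries the previous default form `in_cluster_url: ""` (the value this role's defaults shipped before this change) no longer receives the derived `http://grafana.<istio_namespace>:3000` and is left with an empty URL. The `deployment.ingress.enabled` default added further down in this same file handles both forms; mirror it here with `- kiali_vars.external_services.grafana.in_cluster_url is not defined or kiali_vars.external_services.grafana.in_cluster_url == ""`. If an explicit empty string is intended to mean "no in-cluster URL", a comment saying so is needed instead, because the old behaviour was the opposite.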
@@ -289,15 +206,26 @@ when: kiali_vars.external_services.tracing.in_cluster_url == "" and is_maistra -- name: Set default Tracing in_cluster_url +- name: Set default Tracing in_cluster_url for grpc consumption + set_fact: + kiali_vars: "{{ kiali_vars | combine({'external_services': {'tracing': {'in_cluster_url': 'http://tracing.' + kiali_vars.istio_namespace + ':16685/jaeger'}}}, recursive=True) }}" + when: + - is_maistra == False + - kiali_vars.external_services.tracing.in_cluster_url == "" + - kiali_vars.external_services.tracing.use_grpc is not defined or kiali_vars.external_services.tracing.use_grpc|bool == True + +- name: Set default Tracing in_cluster_url for http consumption set_fact: kiali_vars: "{{ kiali_vars | combine({'external_services': {'tracing': {'in_cluster_url': 'http://tracing.' + kiali_vars.istio_namespace + '/jaeger'}}}, recursive=True) }}" when: - kiali_vars.external_services.tracing.in_cluster_url == "" and is_maistra == False + - is_maistra == False + - kiali_vars.external_services.tracing.in_cluster_url == "" + - kiali_vars.external_services.tracing.use_grpc is defined + - kiali_vars.external_services.tracing.use_grpc|bool == False - name: Set default Istio service that provides version info (istiod service that was introduced in Istio 1.6) set_fact: - kiali_vars: "{{ kiali_vars | combine({'external_services': {'istio': {'url_service_version': 'http://istiod.' + kiali_vars.istio_namespace + ':15014/version'}}}, recursive=True) }}" + kiali_vars: "{{ kiali_vars | combine({'external_services': {'istio': {'url_service_version': 'http://' + kiali_vars.external_services.istio.istiod_deployment_name + '.' + kiali_vars.istio_namespace + ':15014/version'}}}, recursive=True) }}" when: - kiali_vars.external_services.istio.url_service_version == "" 
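Review bot: The rewritten `url_service_version` default takes the istiod host from `istiod_deployment_name` but still hard-codes `:15014`, while this same commit introduces `external_services.istio.istiod_pod_monitoring_port: 15014` in defaults/main.yml; if the version endpoint is served on that monitoring port, as the identical default suggests, build the URL from it: `... + kiali_vars.istio_namespace + ':' + (kiali_vars.external_services.istio.istiod_pod_monitoring_port | string) + '/version'`. Otherwise a user who overrides the port default ends up with two settings that disagree. The two new tracing `in_cluster_url` tasks likewise hard-code `:16685`; a comment naming the port (the task name says it is for gRPC consumption) or a default key for it would keep them in step. Whether the version endpoint really shares the monitoring port is not visible in this diff and should be confirmed before changing the URL.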
@@ -309,6 +237,12 @@ # Determine some more defaults. +- name: Set default HPA api_version + set_fact: + kiali_vars: "{{ kiali_vars | combine({'deployment': {'hpa': {'api_version': 'autoscaling/v2' if (api_status.apis['autoscaling/v2'] is defined) else 'autoscaling/v2beta2' }}}, recursive=True) }}" + when: + - kiali_vars.deployment.hpa.api_version == "" + - name: Provide some default resource limits vars: res: @@ -322,6 +256,12 @@ when: - kiali_vars.deployment.resources is not defined +- name: Set default deployment.ingress.enabled based on cluster type (disable on k8s; enable on OpenShift) + set_fact: + kiali_vars: "{{ kiali_vars | combine({'deployment': {'ingress': {'enabled': true if is_openshift else false }}}, recursive=True) }}" + when: + - kiali_vars.deployment.ingress.enabled is not defined or kiali_vars.deployment.ingress.enabled == "" + - name: Set default tracing use_grpc setting set_fact: kiali_vars: "{{ kiali_vars | combine({'external_services': {'tracing': { 'use_grpc': False if is_maistra else True }}}, recursive=True) }}" @@ -356,12 +296,12 @@ - kiali_vars.server.web_history_mode != 'browser' - kiali_vars.server.web_history_mode != 'hash' -- name: Set default identity cert_file based on cluster type +- name: Set default identity cert_file based on cluster type (non-OpenShift clusters do not get a default identity) set_fact: kiali_vars: "{{ kiali_vars | combine({'identity': {'cert_file': '/kiali-cert/tls.crt' if is_openshift else ''}}, recursive=True) }}" when: - kiali_vars.identity.cert_file is not defined -- name: Set default identity private_key_file based on cluster type +- name: Set default identity private_key_file based on cluster type (non-OpenShift clusters do not get a default identity) set_fact: kiali_vars: "{{ kiali_vars | combine({'identity': {'private_key_file': '/kiali-cert/tls.key' if is_openshift else ''}}, recursive=True) }}" when: 
@@ -369,9 +309,9 @@ - name: Only allow ad-hoc kiali image when appropriate fail: - msg: "The operator is forbidden from accepting a Kiali CR that defines an ad hoc Kiali image [{{ kiali_vars.deployment.image_name }}:{{ kiali_vars.deployment.image_version }}]. Remove spec.deployment.image_name and spec.deployment.image_version from the Kiali CR." + msg: "The operator is forbidden from accepting a Kiali CR that defines an ad hoc Kiali image [{{ kiali_vars.deployment.image_name }}{{ '@' + kiali_vars.deployment.image_digest if kiali_vars.deployment.image_digest != '' else '' }}:{{ kiali_vars.deployment.image_version }}]. Remove spec.deployment.image_name, spec.deployment.image_version, and spec.deployment.image_digest from the Kiali CR." when: - - kiali_vars.deployment.image_name != "" or kiali_vars.deployment.image_version != "" + - kiali_vars.deployment.image_name != "" or kiali_vars.deployment.image_version != "" or kiali_vars.deployment.image_digest != "" - lookup('env', 'ALLOW_AD_HOC_KIALI_IMAGE') | default('false', True) != "true" - name: Default the image name to a known supported image. @@ -462,10 +402,10 @@ # requires OAuth Client which requires a Route. So ingress must be enabled if strategy is openshift. - name: Ensure Ingress is Enabled if Auth Strategy is openshift fail: - msg: "The auth.strategy is 'openshift' which requires a Route, but deployment.ingress_enabled is false. Aborting." + msg: "The auth.strategy is 'openshift' which requires a Route, but deployment.ingress.enabled is false. Aborting." when: - kiali_vars.auth.strategy == "openshift" - - kiali_vars.deployment.ingress_enabled|bool == False + - kiali_vars.deployment.ingress.enabled|bool == False - name: Confirm the cluster can access github.com when it needs to determine the last release of Kiali uri: 
@@ -535,13 +475,65 @@ role_kind: "{{ 'ClusterRole' if '**' in kiali_vars.deployment.accessible_namespaces else 'Role' }}" role_binding_kind: "{{ 'ClusterRoleBinding' if '**' in kiali_vars.deployment.accessible_namespaces else 'RoleBinding' }}" +- name: Determine if the operator can support accessible_namespaces=** - can_i create clusterroles + register: can_i_create_clusterroles + ignore_errors: yes + k8s: + state: present + definition: + apiVersion: authorization.k8s.io/v1 + kind: SelfSubjectAccessReview + spec: + resourceAttributes: + group: rbac.authorization.k8s.io + resource: clusterroles + verb: create + when: + - '"**" in kiali_vars.deployment.accessible_namespaces' + +- name: Determine if the operator can support accessible_namespaces=** - can_i create clusterrolebindings + register: can_i_create_clusterrolebindings + ignore_errors: yes + k8s: + state: present + definition: + apiVersion: authorization.k8s.io/v1 + kind: SelfSubjectAccessReview + spec: + resourceAttributes: + group: rbac.authorization.k8s.io + resource: clusterrolebindings + verb: create + when: + - '"**" in kiali_vars.deployment.accessible_namespaces' + +- fail: + msg: "The operator cannot support deployment.accessible_namespaces set to ['**'] because it does not have permissions to create clusterroles" + when: + - '"**" in kiali_vars.deployment.accessible_namespaces' + - can_i_create_clusterroles is defined + - can_i_create_clusterroles.result is defined + - can_i_create_clusterroles.result.status is defined + - can_i_create_clusterroles.result.status.allowed is defined + - can_i_create_clusterroles.result.status.allowed == False + +- fail: + msg: "The operator cannot support deployment.accessible_namespaces set to ['**'] because it does not have permissions to create clusterrolebindings" + when: + - '"**" in kiali_vars.deployment.accessible_namespaces' + - can_i_create_clusterrolebindings is defined + - can_i_create_clusterrolebindings.result is defined + - 
can_i_create_clusterrolebindings.result.status is defined + - can_i_create_clusterrolebindings.result.status.allowed is defined + - can_i_create_clusterrolebindings.result.status.allowed == False + - name: Find all namespaces (this is limited to what the operator has permission to see) set_fact: all_namespaces: "{{ lookup(k8s_plugin, api_version='v1', kind='Namespace') | default({}) | json_query('[].metadata.name') }}" - name: Determine all accessible namespaces, expanding regex expressions to matched namespaces set_fact: - all_accessible_namespaces: "{{ (all_namespaces | only_accessible_namespaces(accessible_namespaces=kiali_vars.deployment.accessible_namespaces) + [ kiali_vars.deployment.namespace, kiali_vars.istio_namespace ]) | unique | sort }}" + all_accessible_namespaces: "{{ (all_namespaces | only_accessible_namespaces(accessible_namespaces=kiali_vars.deployment.accessible_namespaces) + [ kiali_vars.deployment.namespace, kiali_vars.istio_namespace, kiali_vars.external_services.istio.root_namespace ]) | unique | sort }}" when: - '"**" not in kiali_vars.deployment.accessible_namespaces' 
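Review bot: The two SelfSubjectAccessReview probes run with `ignore_errors: yes`, and the matching `fail` tasks require `result.status.allowed` to be defined and `False`, so any error in the probe itself (API unreachable, review rejected) leaves `result` undefined and the play proceeds as though the permission were granted. That is fail-open for a permission check; the later ClusterRole creation will presumably still be refused, but with a far less actionable message, so consider a `fail` (or at least a `debug` warning) gated on `can_i_create_clusterroles is failed`. Two style points in the same block: write the booleans canonically (`ignore_errors: true`, and `- not can_i_create_clusterroles.result.status.allowed` rather than `== False`), and the two probes differ only in `resource`, so a `loop` over `[clusterroles, clusterrolebindings]` would halve the block.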
@@ -559,22 +551,63 @@ debug: msg: "{{ kiali_vars.deployment.accessible_namespaces }}" +# do some security checks - abort if the operator is forbidden from allowing certain accessible_namespace values +- name: Abort if all namespace access is not allowed + fail: + msg: "The operator is forbidden from installing Kiali with deployment.accessible_namespaces set to ['**']" + when: + - '"**" in kiali_vars.deployment.accessible_namespaces' + - lookup('env', 'ALLOW_ALL_ACCESSIBLE_NAMESPACES') | default('false', True) != "true" + +- name: Get labeled accessible namespaces + vars: + label: "{{ lookup('env', 'ACCESSIBLE_NAMESPACES_LABEL') | default('', True) }}" + label_selector: "{{ label + ('' if label is regex('^.+=.+$') else ('=' + kiali_vars.istio_namespace)) }}" + set_fact: + only_allowed_labeled_namespaces: "{{ query(k8s_plugin, kind='Namespace', api_version='v1', label_selector=label_selector) | json_query('[*].metadata.name') }}" + when: + - '"**" not in kiali_vars.deployment.accessible_namespaces' + - label != "" + +- name: Abort if accessible namespaces contains namespaces not labeled + vars: + ns_diff: "{{ kiali_vars.deployment.accessible_namespaces | difference(only_allowed_labeled_namespaces) }}" + fail: + msg: "Operator is forbidden to allow Kiali CR to specify one or more accessible namespaces that were not labeled: {{ ('Number of rejected namespaces=' + (ns_diff | length | string)) if (ns_diff | length > 10) else (ns_diff) }}" + when: + - '"**" not in kiali_vars.deployment.accessible_namespaces' + - only_allowed_labeled_namespaces is defined + - ns_diff | length > 0 + # Note that we add the instance name to the member-of key name only if the instance name is not the default 'kiali'. # This is for backward compatibility, and for simplicity when deploying under normal default conditions. 
-- name: When accessible namespaces are specified, ensure label selector is set +- name: When accessible namespaces are specified, ensure label_selector_include is set set_fact: - kiali_vars: "{{ kiali_vars | combine({'api': {'namespaces': {'label_selector': ('kiali.io/' + ((kiali_vars.deployment.instance_name + '.') if kiali_vars.deployment.instance_name != 'kiali' else '') + 'member-of=' + kiali_vars.deployment.namespace)}}}, recursive=True) }}" + kiali_vars: "{{ kiali_vars | combine({'api': {'namespaces': {'label_selector_include': ('kiali.io/' + ((kiali_vars.deployment.instance_name + '.') if kiali_vars.deployment.instance_name != 'kiali' else '') + 'member-of=' + kiali_vars.deployment.namespace)}}}, recursive=True) }}" when: - '"**" not in kiali_vars.deployment.accessible_namespaces' - - kiali_vars.api.namespaces.label_selector is not defined + - kiali_vars.api.namespaces.label_selector_include is not defined -- name: Make sure label selector is in the valid format name=value +- name: Make sure label_selector_include is in the valid format name=value fail: - msg: "The api.namespaces.label_selector is not valid [{{ kiali_vars.api.namespaces.label_selector }}] - it must be in the form of 'name=value' following Kubernetes syntax rules for label names and values." + msg: "The api.namespaces.label_selector_include is not valid [{{ kiali_vars.api.namespaces.label_selector_include }}] - it must be in the form of 'name=value' following Kubernetes syntax rules for label names and values." 
when: - - kiali_vars.api.namespaces.label_selector is defined + - kiali_vars.api.namespaces.label_selector_include is defined # this regex is not 100% accurate, but we want to at least catch obvious errors - - kiali_vars.api.namespaces.label_selector is not regex('^[a-zA-Z0-9/_.-]+=[a-zA-Z0-9_.-]+$') + - kiali_vars.api.namespaces.label_selector_include is not regex('^[a-zA-Z0-9/_.-]+=[a-zA-Z0-9_.-]+$') + +# If the signing key is not empty string, and is not of the special value secret:name:key, +# do some validation on it's length +- name: Validate signing key, if it is set in the CR + fail: + msg: "Signing key must be 16, 24 or 32 byte length" + when: + - kiali_vars.auth.strategy != 'anonymous' + - kiali_vars.login_token.signing_key != "" + - not(kiali_vars.login_token.signing_key | regex_search('secret:.+:.+')) + - kiali_vars.login_token.signing_key | length != 16 + - kiali_vars.login_token.signing_key | length != 24 + - kiali_vars.login_token.signing_key | length != 32 # If the signing key is empty string, we need to ensure a signing key secret exists. If one does not exist, we need to generate one. # Note that to avoid granting to the operator the very powerful permission to CRUD all secrets in all namespaces, we always generate 
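Review bot: The new signing-key validation reports `Signing key must be 16, 24 or 32 byte length`, but `| length` counts characters of the string, not bytes, so a key containing multi-byte UTF-8 characters can pass this check while having a byte length the consumer rejects (16, 24 and 32 bytes are the AES key sizes, which is presumably what the server expects). Add a companion `fail` that rejects non-ASCII keys, e.g. `when: kiali_vars.login_token.signing_key | regex_search('[^\x00-\x7f]')`, or state in the message and a comment that the key must be ASCII so that characters equal bytes. In the comment above the task, `it's length` should be `its length`. The labeled-namespace check earlier in the hunk diffs the raw `accessible_namespaces` entries rather than the regex-expanded `all_accessible_namespaces`, so a regex entry is always rejected even when every namespace it matches is labeled; that is fail-closed and therefore safe, but if it is intentional a comment should say so.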
@@ -637,53 +670,78 @@ when: - kiali_vars.login_token.signing_key == "" -# Prepare any additional environment variables that need to be defined in the deployment +# Some credentials in the config can be overridden by secrets that are to be mounted on the file system. +# Prepare these overrides that need to be defined as volumes in the deployment. - set_fact: - kiali_deployment_environment_variables: {} + kiali_deployment_secret_volumes: {} -- name: Prepare environment variable for prometheus password +- name: Prepare the secret volume for prometheus password set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'PROMETHEUS_PASSWORD': {'secret_name': kiali_vars.external_services.prometheus.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'prometheus-password': {'secret_name': kiali_vars.external_services.prometheus.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: - kiali_vars.external_services.prometheus.auth.password | regex_search('secret:.+:.+') -- name: Prepare environment variable for prometheus token +- name: Prepare the secret volume for prometheus token set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'PROMETHEUS_TOKEN': {'secret_name': kiali_vars.external_services.prometheus.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'prometheus-token': {'secret_name': kiali_vars.external_services.prometheus.auth.token | 
regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: - kiali_vars.external_services.prometheus.auth.token | regex_search('secret:.+:.+') -- name: Prepare environment variable for tracing password +- name: Prepare the secret volume for tracing password set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'TRACING_PASSWORD': {'secret_name': kiali_vars.external_services.tracing.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'tracing-password': {'secret_name': kiali_vars.external_services.tracing.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: + - kiali_vars.external_services.tracing.enabled|bool == True - kiali_vars.external_services.tracing.auth.password | regex_search('secret:.+:.+') -- name: Prepare environment variable for tracing token +- name: Prepare the secret volume for tracing token set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'TRACING_TOKEN': {'secret_name': kiali_vars.external_services.tracing.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'tracing-token': {'secret_name': kiali_vars.external_services.tracing.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: + - 
kiali_vars.external_services.tracing.enabled|bool == True - kiali_vars.external_services.tracing.auth.token | regex_search('secret:.+:.+') -- name: Prepare environment variable for grafana password +- name: Prepare the secret volume for grafana password set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'GRAFANA_PASSWORD': {'secret_name': kiali_vars.external_services.grafana.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.grafana.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'grafana-password': {'secret_name': kiali_vars.external_services.grafana.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.grafana.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: + - kiali_vars.external_services.grafana.enabled|bool == True - kiali_vars.external_services.grafana.auth.password | regex_search('secret:.+:.+') -- name: Prepare environment variable for grafana token +- name: Prepare the secret volume for grafana token set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'GRAFANA_TOKEN': {'secret_name': kiali_vars.external_services.grafana.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.grafana.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'grafana-token': {'secret_name': kiali_vars.external_services.grafana.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.grafana.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: + - kiali_vars.external_services.grafana.enabled|bool == True - kiali_vars.external_services.grafana.auth.token | regex_search('secret:.+:.+') -- 
name: Prepare environment variable for login token signing key +- name: Prepare the secret volume for login token signing key set_fact: - kiali_deployment_environment_variables: "{{ kiali_deployment_environment_variables | combine({'LOGIN_TOKEN_SIGNING_KEY': {'secret_name': kiali_vars.login_token.signing_key | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.login_token.signing_key | regex_replace('secret:.+:(.+)', '\\1') }}) }}" + kiali_deployment_secret_volumes: "{{ kiali_deployment_secret_volumes | combine({'login-token-signing-key': {'secret_name': kiali_vars.login_token.signing_key | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.login_token.signing_key | regex_replace('secret:.+:(.+)', '\\1') }}) }}" when: - kiali_vars.login_token.signing_key | regex_search('secret:.+:.+') +# Prepare to mount remote cluster secrets. These must exist in the Kiali deployment namespace because that is required in order to mount them to the pod. +- set_fact: + kiali_deployment_remote_cluster_secret_volumes: {} + +- name: Autodetect remote cluster secrets within the Kiali deployment namespace + vars: + all_remote_cluster_secrets: "{{ query(k8s_plugin, namespace=kiali_vars.deployment.namespace, api_version='v1', kind='Secret', label_selector=kiali_vars.kiali_feature_flags.clustering.autodetect_secrets.label) }}" + loop: "{{ all_remote_cluster_secrets }}" + set_fact: + kiali_deployment_remote_cluster_secret_volumes: "{{ kiali_deployment_remote_cluster_secret_volumes | combine({ item.metadata.annotations['kiali.io/cluster']|default(item.metadata.name): {'secret_name': item.metadata.name }}) }}" + when: + - kiali_vars.kiali_feature_flags.clustering.autodetect_secrets.enabled + +- name: Prepare the manually declared remote clusters + loop: "{{ kiali_vars.kiali_feature_flags.clustering.clusters }}" + set_fact: + kiali_deployment_remote_cluster_secret_volumes: "{{ kiali_deployment_remote_cluster_secret_volumes | combine({ item.name: {'secret_name': 
item.secret_name }}) }}" + when: + - kiali_vars.kiali_feature_flags.clustering.clusters | length > 0 + # The following few tasks read the current Kiali configmap (if one exists) in order to figure out what # namespaces are no longer accessible. Those namespaces will have their Kiali roles removed. # They will also have the Kiali labels removed. 
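Review bot: `Autodetect remote cluster secrets within the Kiali deployment namespace` keys the volume map by the `kiali.io/cluster` annotation, and `combine` lets a later secret carrying the same cluster name silently replace an earlier one; the next task then combines the manually declared `clustering.clusters` onto the same dict with the same last-wins effect, so a duplicated cluster name ends up as a single mount with no indication of which secret won. The annotation value is also used verbatim as a pod volume name, which the API server requires to be a DNS-1123 label, so a bad value surfaces only as a rejected Deployment later on. A short `fail` task after these two tasks, checking that the number of autodetected secrets plus declared clusters equals `kiali_deployment_remote_cluster_secret_volumes | length` and that every key `is regex('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`, would report both problems at reconcile time. The `when` on `Prepare the manually declared remote clusters` is redundant with looping over an empty list and can be dropped.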
@@ -695,29 +753,30 @@ - name: Find some current configuration settings set_fact: current_accessible_namespaces: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.accessible_namespaces') }}" - current_label_selector: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector') }}" + current_label_selector_include: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector_include') }}" current_view_only_mode: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.view_only_mode') }}" current_image_name: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.image_name') }}" current_image_version: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.image_version') }}" current_instance_name: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.instance_name') }}" + current_auth_strategy: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('auth.strategy') }}" when: - current_configmap is defined - current_configmap.data is defined - current_configmap.data['config.yaml'] is defined # Because we need to remove the labels that were created before, we must not allow the user to change -# the label_selector. So if the current accessible_namespaces is not ** but the label_select is being changed, +# the label_selector_include. So if the current accessible_namespaces is not ** but the label_selector_include is being changed, # we need to abort since we won't know what the old labels were. If current accessible_namespaces is ** then -# we know we didn't create labels before so we can allow label_selector to change. -- name: Do not allow user to change label selector +# we know we didn't create labels before so we can allow label_selector_include to change. 
+- name: Do not allow user to change label_selector_include fail: - msg: "The api.namespaces.label_selector cannot be changed to a different value. It was [{{ current_label_selector }}] but is now configured to be [{{ kiali_vars.api.namespaces.label_selector }}]. In order to install Kiali with a different label selector than what was used before, please uninstall Kiali first." + msg: "The api.namespaces.label_selector_include cannot be changed to a different value. It was [{{ current_label_selector_include }}] but is now configured to be [{{ kiali_vars.api.namespaces.label_selector_include }}]. In order to install Kiali with a different label selector than what was used before, please uninstall Kiali first." when: - current_accessible_namespaces is defined - '"**" not in current_accessible_namespaces' - - current_label_selector is defined - - kiali_vars.api.namespaces.label_selector is defined - - current_label_selector != kiali_vars.api.namespaces.label_selector + - current_label_selector_include is defined + - kiali_vars.api.namespaces.label_selector_include is defined + - current_label_selector_include != kiali_vars.api.namespaces.label_selector_include - name: Determine the namespaces that were previously accessible but are now inaccessible set_fact: 
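Review bot: `current_label_selector_include` in `Find some current configuration settings` reads only the new key, so a configmap written by an earlier Kiali whose config.yaml still carries `api.namespaces.label_selector` yields an empty value that is nonetheless `defined`; if nothing migrates that key before this point (outside this hunk), `Do not allow user to change label_selector_include` would compare the empty value with the freshly derived selector and abort the upgrade of every non-`**` install, and the later label-removal task would have no label name to strip. A fallback to the legacy key keeps the guard meaningful across the rename, e.g. `current_label_selector_include: "{{ (current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector_include')) or (current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector')) }}"`. Whether `json_query` on the missing path produces `null` or an empty string here, the `!=` comparison in the fail task is true either way, so the fallback is needed in both cases.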
@@ -744,21 +803,32 @@ - '"**" in current_accessible_namespaces' - '"**" not in kiali_vars.deployment.accessible_namespaces' -- name: Delete all Kiali roles from namespaces if view_only_mode is changing since role bindings are immutable +# Role Bindings are always "view-only" unless auth.strategy is anonymous and view_only_mode is false. +# If the view_only_mode or auth.strategy changes, we'll delete the roles to make sure we create the correct ones. +# We need to see if the currently installed role binding is view-only - this is used to not break upgrades. See: https://github.com/kiali/kiali/issues/5695 +- name: Determine if the currently installed role binding in the deployment namespace is view-only + vars: + current_rolebinding: "{{ query(k8s_plugin, resource_name=kiali_vars.deployment.instance_name, namespace=kiali_vars.deployment.namespace, api_version='rbac.authorization.k8s.io/v1', kind=role_binding_kind, errors='ignore') }}" + set_fact: + current_rolebinding_view_only: "{{ (current_rolebinding | length == 1) and (current_rolebinding[0].roleRef.name is regex('^.*-viewer$')) }}" + +- name: Delete all Kiali roles from namespaces if view_only_mode or auth.strategy is changing since role bindings are immutable include_tasks: remove-roles.yml vars: role_namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" when: - current_view_only_mode is defined - - current_view_only_mode|bool != kiali_vars.deployment.view_only_mode|bool + - current_auth_strategy is defined + - (current_view_only_mode|bool != kiali_vars.deployment.view_only_mode|bool) or (current_auth_strategy != kiali_vars.auth.strategy) or (current_rolebinding_view_only|bool == False and kiali_vars.auth.strategy != 'anonymous') - current_accessible_namespaces is defined - '"**" not in current_accessible_namespaces' -- name: Delete Kiali cluster roles if view_only_mode is changing since role bindings are immutable +- name: Delete Kiali cluster roles if view_only_mode or auth.strategy is changing 
since role bindings are immutable include_tasks: remove-clusterroles.yml when: - current_view_only_mode is defined - - current_view_only_mode|bool != kiali_vars.deployment.view_only_mode|bool + - current_auth_strategy is defined + - (current_view_only_mode|bool != kiali_vars.deployment.view_only_mode|bool) or (current_auth_strategy != kiali_vars.auth.strategy) or (current_rolebinding_view_only|bool == False and kiali_vars.auth.strategy != 'anonymous') - current_accessible_namespaces is defined - '"**" in current_accessible_namespaces' @@ -769,13 +839,12 @@ - name: Remove Kiali label from namespaces that Kiali no longer has access to vars: # everything to the left of the = is the name of the label we want to remove - the_namespace_label_name: "{{ current_label_selector | regex_replace('^(.*)=.*$', '\\1') }}" - # if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it, hence we check for its existence + the_namespace_label_name: "{{ current_label_selector_include | regex_replace('^(.*)=.*$', '\\1') }}" + # if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it, hence we use state=patched k8s: - state: present + state: patched definition: | {% for namespace in no_longer_accessible_namespaces %} - {% if namespace in all_namespaces %} --- apiVersion: v1 kind: Namespace 
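Review bot: `current_rolebinding_view_only` in `Determine if the currently installed role binding in the deployment namespace is view-only` is false both when the existing binding is not view-only and when the lookup returns nothing (binding absent, or an error swallowed by `errors='ignore'`), and the new clause `(current_rolebinding_view_only|bool == False and kiali_vars.auth.strategy != 'anonymous')` treats both the same, so a transient lookup failure on an existing non-anonymous install would remove every Kiali role on that reconcile. Keeping the two cases apart preserves the upgrade fix for the linked issue without the churn: set `current_rolebinding_found: "{{ current_rolebinding | length == 1 }}"` next to the existing fact and add `current_rolebinding_found|bool` to that clause. The same clause is repeated in the cluster-role task in this hunk, so both `when` lists need the extra condition; whether the lookup can fail silently here depends on the operator's own RBAC, which is outside this diff.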
@@ -784,20 +853,19 @@ labels: {{ the_namespace_label_name }}: null ... - {% endif %} {% endfor %} when: - no_longer_accessible_namespaces is defined - - current_label_selector is defined + - current_label_selector_include is defined - name: Create additional Kiali label on all accessible namespaces vars: namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" # everything to the left of the = is the label name; to the right is the label value - the_namespace_label_name: "{{ kiali_vars.api.namespaces.label_selector | regex_replace('^(.*)=.*$', '\\1') }}" - the_namespace_label_value: "{{ kiali_vars.api.namespaces.label_selector | regex_replace('^.*=(.*)$', '\\1') }}" + the_namespace_label_name: "{{ kiali_vars.api.namespaces.label_selector_include | regex_replace('^(.*)=.*$', '\\1') }}" + the_namespace_label_value: "{{ kiali_vars.api.namespaces.label_selector_include | regex_replace('^.*=(.*)$', '\\1') }}" k8s: - state: present + state: patched definition: | {% for namespace in namespaces %} --- @@ -806,7 +874,7 @@ metadata: name: "{{ namespace }}" labels: - {{ the_namespace_label_name }}: {{ the_namespace_label_value }} + {{ the_namespace_label_name }}: "{{ the_namespace_label_value }}" ... {% endfor %} when: diff --git a/roles/v1.36/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml b/roles/v1.65/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml similarity index 100% rename from roles/v1.36/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml rename to roles/v1.65/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml diff --git a/roles/v1.36/kiali-deploy/tasks/openshift/os-main.yml b/roles/v1.65/kiali-deploy/tasks/openshift/os-main.yml similarity index 91% rename from roles/v1.36/kiali-deploy/tasks/openshift/os-main.yml rename to roles/v1.65/kiali-deploy/tasks/openshift/os-main.yml index 934bfc6f..37e1560b 100644 --- a/roles/v1.36/kiali-deploy/tasks/openshift/os-main.yml +++ b/roles/v1.65/kiali-deploy/tasks/openshift/os-main.yml 
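Review bot: `state: patched` in `Create additional Kiali label on all accessible namespaces` changes what happens for a namespace listed in `accessible_namespaces` that does not exist yet: the removed `state: present` would have created it, whereas `patched` leaves it absent (or reports an error, depending on the kubernetes.core version in use), so Kiali will not see that namespace until a reconcile after it appears. That is the better behaviour for an operator that should not be creating namespaces on a user's behalf, but it is a visible change that the comment above the task should state, e.g. `# state=patched: only namespaces that already exist are labelled; the operator no longer creates them`. The same applies to the removal task in the previous hunk, which now relies on `patched` instead of the dropped `all_namespaces` membership check.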
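Review bot: The label key on the changed line is still rendered unquoted, `{{ the_namespace_label_name }}: "{{ the_namespace_label_value }}"`, while only the value was quoted; the name half of `label_selector_include` is validated earlier with `^[a-zA-Z0-9/_.-]+=`, which still admits tokens such as `on`, `yes` or `true` that the YAML loader in the k8s module turns into a boolean key before the manifest reaches the API server, so the label would be written under the wrong name. Quoting both halves, `"{{ the_namespace_label_name }}": "{{ the_namespace_label_value }}"`, closes that gap. The `{{ the_namespace_label_name }}: null` line at the top of the previous hunk (`@@ -784`) has the same issue and should become `"{{ the_namespace_label_name }}": null`.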
@@ -13,7 +13,7 @@
 - serviceaccount
 - configmap
 - cabundle
- - "{{ 'role-viewer' if kiali_vars.deployment.view_only_mode|bool == True else 'role' }}"
+ - "{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}"
 - role-controlplane
 - rolebinding
 - rolebinding-controlplane
@@ -48,7 +48,7 @@
 loop_var: process_resource_item
 when:
 - is_openshift == True
- - kiali_vars.deployment.ingress_enabled|bool == True
+ - kiali_vars.deployment.ingress.enabled|bool == True
 - name: Delete Route on OpenShift if disabled
 k8s:
@@ -59,7 +59,7 @@
 name: "{{ kiali_vars.deployment.instance_name }}"
 when:
 - is_openshift == True
- - kiali_vars.deployment.ingress_enabled|bool == False
+ - kiali_vars.deployment.ingress.enabled|bool == False
 - include_tasks: update-status-progress.yml
 vars:
@@ -72,7 +72,7 @@
 vars:
 role_namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}"
 k8s:
- definition: "{{ lookup('template', 'templates/openshift/' + ('role-viewer' if kiali_vars.deployment.view_only_mode|bool == True else 'role') + '.yaml') }}"
+ definition: "{{ lookup('template', 'templates/openshift/' + ('role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role') + '.yaml') }}"
 when:
 - is_openshift == True
 - '"**" not in kiali_vars.deployment.accessible_namespaces'
diff --git a/roles/v1.36/kiali-deploy/tasks/process-resource.yml b/roles/v1.65/kiali-deploy/tasks/process-resource.yml
similarity index 100%
rename from roles/v1.36/kiali-deploy/tasks/process-resource.yml
rename to roles/v1.65/kiali-deploy/tasks/process-resource.yml
diff --git a/roles/v1.36/kiali-deploy/tasks/remove-clusterroles.yml b/roles/v1.65/kiali-deploy/tasks/remove-clusterroles.yml
similarity index 100%
rename from roles/v1.36/kiali-deploy/tasks/remove-clusterroles.yml
rename to roles/v1.65/kiali-deploy/tasks/remove-clusterroles.yml
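Review bot: The expression choosing `role-viewer` over `role`, `'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role'`, is now spelled out twice in this file (here and in the `@@ -72` hunk), and the same rule drives the role-cleanup conditions in kiali-deploy.yml, so a later change to the policy has to be repeated in several places and a missed one silently grants or withholds RBAC. Computing it once as a fact before these tasks, e.g. `kiali_role_template: "{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}"`, and referencing `{{ kiali_role_template }}` in both places keeps one source of truth for which role Kiali is bound to. A comment stating the rule in words, `# Kiali gets the viewer role unless auth.strategy is anonymous and view_only_mode is false`, would help readers who only open this file.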
diff --git a/roles/v1.36/kiali-deploy/tasks/remove-roles.yml b/roles/v1.65/kiali-deploy/tasks/remove-roles.yml
similarity index 100%
rename from roles/v1.36/kiali-deploy/tasks/remove-roles.yml
rename to roles/v1.65/kiali-deploy/tasks/remove-roles.yml
diff --git a/roles/v1.65/kiali-deploy/tasks/snake_camel_case.yaml b/roles/v1.65/kiali-deploy/tasks/snake_camel_case.yaml
new file mode 100644
index 00000000..b7e78604
--- /dev/null
+++ b/roles/v1.65/kiali-deploy/tasks/snake_camel_case.yaml
@@ -0,0 +1,178 @@ +# Because we are passing through some yaml directly to Kubernetes resources, we have to retain the camelCase keys. +# All CR parameters are converted to snake_case, but the original yaml is found in the special _kiali_io_kiali param. +# We need to copy that original yaml into our vars where appropriate to keep the camelCase. + +- name: Replace snake_case with camelCase in deployment.affinity.node + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment']['affinity'].pop('node') %} + {{ kiali_vars | combine({'deployment': {'affinity': {'node': current_cr.spec.deployment.affinity.node }}}, recursive=True) }} + when: + - kiali_vars.deployment.affinity is defined + - kiali_vars.deployment.affinity.node is defined + - kiali_vars.deployment.affinity.node | length > 0 + +- name: Replace snake_case with camelCase in deployment.affinity.pod + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment']['affinity'].pop('pod') %} + {{ kiali_vars | combine({'deployment': {'affinity': {'pod': current_cr.spec.deployment.affinity.pod }}}, recursive=True) }} + when: + - kiali_vars.deployment.affinity is defined + - kiali_vars.deployment.affinity.pod is defined + - kiali_vars.deployment.affinity.pod | length > 0 + +- name: Replace snake_case with camelCase in deployment.affinity.pod_anti + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment']['affinity'].pop('pod_anti') %} + {{ kiali_vars | combine({'deployment': {'affinity': {'pod_anti': current_cr.spec.deployment.affinity.pod_anti }}}, recursive=True) }} + when: + - kiali_vars.deployment.affinity is defined + - kiali_vars.deployment.affinity.pod_anti is defined + - kiali_vars.deployment.affinity.pod_anti | length > 0 + +- name: Replace snake_case with camelCase in deployment.tolerations + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('tolerations') %} + {{ kiali_vars | combine({'deployment': {'tolerations': current_cr.spec.deployment.tolerations }}, recursive=True) }} + when: + 
- kiali_vars.deployment.tolerations is defined + - kiali_vars.deployment.tolerations | length > 0 + +- name: Replace snake_case with camelCase in deployment.additional_service_yaml + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('additional_service_yaml') %} + {{ kiali_vars | combine({'deployment': {'additional_service_yaml': current_cr.spec.deployment.additional_service_yaml }}, recursive=True) }} + when: + - kiali_vars.deployment.additional_service_yaml is defined + - kiali_vars.deployment.additional_service_yaml | length > 0 + +- name: Replace snake_case with camelCase in deployment.resources + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('resources') %} + {{ kiali_vars | combine({'deployment': {'resources': current_cr.spec.deployment.resources }}, recursive=True) }} + when: + - kiali_vars.deployment.resources is defined + - kiali_vars.deployment.resources | length > 0 + +- name: Replace snake_case with camelCase in deployment.ingress.override_yaml + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment']['ingress'].pop('override_yaml') %} + {{ kiali_vars | combine({'deployment': {'ingress': {'override_yaml': current_cr.spec.deployment.ingress.override_yaml }}}, recursive=True) }} + when: + - kiali_vars.deployment.ingress.override_yaml is defined + - kiali_vars.deployment.ingress.override_yaml | length > 0 + +- name: Replace snake_case with camelCase in deployment.pod_annotations + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('pod_annotations') %} + {{ kiali_vars | combine({'deployment': {'pod_annotations': current_cr.spec.deployment.pod_annotations }}, recursive=True) }} + when: + - kiali_vars.deployment.pod_annotations is defined + - kiali_vars.deployment.pod_annotations | length > 0 + +- name: Replace snake_case with camelCase in deployment.pod_labels + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('pod_labels') %} + {{ kiali_vars | combine({'deployment': {'pod_labels': 
current_cr.spec.deployment.pod_labels }}, recursive=True) }} + when: + - kiali_vars.deployment.pod_labels is defined + - kiali_vars.deployment.pod_labels | length > 0 + +- name: Replace snake_case with camelCase in deployment.service_annotations + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('service_annotations') %} + {{ kiali_vars | combine({'deployment': {'service_annotations': current_cr.spec.deployment.service_annotations }}, recursive=True) }} + when: + - kiali_vars.deployment.service_annotations is defined + - kiali_vars.deployment.service_annotations | length > 0 + +- name: Replace snake_case with camelCase in deployment.hpa.spec + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment']['hpa'].pop('spec') %} + {{ kiali_vars | combine({'deployment': {'hpa': {'spec': current_cr.spec.deployment.hpa.spec }}}, recursive=True) }} + when: + - kiali_vars.deployment.hpa is defined + - kiali_vars.deployment.hpa.spec is defined + - kiali_vars.deployment.hpa.spec | length > 0 + +- name: Replace snake_case with camelCase in deployment.node_selector + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('node_selector') %} + {{ kiali_vars | combine({'deployment': {'node_selector': current_cr.spec.deployment.node_selector }}, recursive=True) }} + when: + - kiali_vars.deployment.node_selector is defined + - kiali_vars.deployment.node_selector | length > 0 + +- name: Replace snake_case with camelCase in external_services.custom_dashboards.prometheus.custom_headers + set_fact: + kiali_vars: | + {% set a=kiali_vars['external_services']['custom_dashboards']['prometheus'].pop('custom_headers') %} + {{ kiali_vars | combine({'external_services': {'custom_dashboards': {'prometheus': {'custom_headers': current_cr.spec.external_services.custom_dashboards.prometheus.custom_headers }}}}, recursive=True) }} + when: + - kiali_vars.external_services.custom_dashboards.prometheus.custom_headers is defined + - 
kiali_vars.external_services.custom_dashboards.prometheus.custom_headers | length > 0 + +- name: Replace snake_case with camelCase in external_services.custom_dashboards.prometheus.query_scope + set_fact: + kiali_vars: | + {% set a=kiali_vars['external_services']['custom_dashboards']['prometheus'].pop('query_scope') %} + {{ kiali_vars | combine({'external_services': {'custom_dashboards': {'prometheus': {'query_scope': current_cr.spec.external_services.custom_dashboards.prometheus.query_scope }}}}, recursive=True) }} + when: + - kiali_vars.external_services.custom_dashboards.prometheus.query_scope is defined + - kiali_vars.external_services.custom_dashboards.prometheus.query_scope | length > 0 + +- name: Replace snake_case with camelCase in external_services.prometheus.custom_headers + set_fact: + kiali_vars: | + {% set a=kiali_vars['external_services']['prometheus'].pop('custom_headers') %} + {{ kiali_vars | combine({'external_services': {'prometheus': {'custom_headers': current_cr.spec.external_services.prometheus.custom_headers }}}, recursive=True) }} + when: + - kiali_vars.external_services.prometheus.custom_headers is defined + - kiali_vars.external_services.prometheus.custom_headers | length > 0 + +- name: Replace snake_case with camelCase in external_services.prometheus.query_scope + set_fact: + kiali_vars: | + {% set a=kiali_vars['external_services']['prometheus'].pop('query_scope') %} + {{ kiali_vars | combine({'external_services': {'prometheus': {'query_scope': current_cr.spec.external_services.prometheus.query_scope }}}, recursive=True) }} + when: + - kiali_vars.external_services.prometheus.query_scope is defined + - kiali_vars.external_services.prometheus.query_scope | length > 0 + +- name: Replace snake_case with camelCase in deployment.configmap_annotations + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('configmap_annotations') %} + {{ kiali_vars | combine({'deployment': {'configmap_annotations': 
current_cr.spec.deployment.configmap_annotations }}, recursive=True) }} + when: + - kiali_vars.deployment.configmap_annotations is defined + - kiali_vars.deployment.configmap_annotations | length > 0 + +- name: Replace snake_case with camelCase in external_services.tracing.query_scope + set_fact: + kiali_vars: | + {% set a=kiali_vars['external_services']['tracing'].pop('query_scope') %} + {{ kiali_vars | combine({'external_services': {'tracing': {'query_scope': current_cr.spec.external_services.tracing.query_scope }}}, recursive=True) }} + when: + - kiali_vars.external_services.tracing.query_scope is defined + - kiali_vars.external_services.tracing.query_scope | length > 0 + +- name: Replace snake_case with camelCase in deployment.security_context + set_fact: + kiali_vars: | + {% set a=kiali_vars['deployment'].pop('security_context') %} + {{ kiali_vars | combine({'deployment': {'security_context': current_cr.spec.deployment.security_context}}, recursive=True) }} + when: + - kiali_vars.deployment.security_context is defined + - kiali_vars.deployment.security_context | length > 0 diff --git a/roles/v1.36/kiali-deploy/tasks/update-status-progress.yml b/roles/v1.65/kiali-deploy/tasks/update-status-progress.yml similarity index 100% rename from roles/v1.36/kiali-deploy/tasks/update-status-progress.yml rename to roles/v1.65/kiali-deploy/tasks/update-status-progress.yml diff --git a/roles/v1.36/kiali-deploy/tasks/update-status.yml b/roles/v1.65/kiali-deploy/tasks/update-status.yml similarity index 100% rename from roles/v1.36/kiali-deploy/tasks/update-status.yml rename to roles/v1.65/kiali-deploy/tasks/update-status.yml diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/configmap.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/configmap.yaml similarity index 52% rename from roles/v1.36/kiali-deploy/templates/kubernetes/configmap.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/configmap.yaml index 43f8ae0e..933f4ca2 100644 
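Review bot: The nine tasks that pop a single top-level `deployment.*` key (`tolerations`, `additional_service_yaml`, `resources`, `pod_annotations`, `pod_labels`, `service_annotations`, `node_selector`, `configmap_annotations`, `security_context`) differ only in the key name, so every new pass-through setting means copying a six-line block and editing the name in three places. A single looped `set_fact` over the key names carries the same `.pop()`-then-`combine` semantics, and the file already depends on `set_fact` accumulating across loop iterations (the remote-cluster tasks in kiali-deploy.yml use that pattern); the nested cases can stay as written. The header comment could also explain the `{% set a=... %}` idiom, which presumably exists so that `combine(recursive=True)` replaces the value instead of deep-merging the snake_case and camelCase spellings, e.g. `# pop() removes the snake_case copy first; otherwise the recursive combine would keep both spellings of nested keys`.

```yaml
- name: Replace snake_case with camelCase in top-level deployment settings
  set_fact:
    kiali_vars: |
      {% set a=kiali_vars['deployment'].pop(item) %}
      {{ kiali_vars | combine({'deployment': {item: current_cr.spec.deployment[item] }}, recursive=True) }}
  loop:
    - tolerations
    - additional_service_yaml
    - resources
    - pod_annotations
    - pod_labels
    - service_annotations
    - node_selector
    - configmap_annotations
    - security_context
  when:
    - kiali_vars.deployment[item] is defined
    - kiali_vars.deployment[item] | length > 0
# … unchanged: the nested affinity.*, ingress.override_yaml, hpa.spec and external_services.* tasks …
```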
--- a/roles/v1.36/kiali-deploy/templates/kubernetes/configmap.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/configmap.yaml @@ -4,6 +4,10 @@ metadata: name: {{ kiali_vars.deployment.instance_name }} namespace: {{ kiali_vars.deployment.namespace }} labels: {{ kiali_resource_metadata_labels }} +{% if kiali_vars.deployment.configmap_annotations is defined and kiali_vars.deployment.configmap_annotations|length > 0 %} + annotations: + {{ kiali_vars.deployment.configmap_annotations | to_nice_yaml(indent=0) | trim | indent(4) }} +{% endif %} data: config.yaml: | {{ kiali_vars | to_nice_yaml(indent=0) | trim | indent(4) }} diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/deployment.yaml similarity index 67% rename from roles/v1.36/kiali-deploy/templates/kubernetes/deployment.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/deployment.yaml index f8c06bc1..f63b88f3 100644 --- a/roles/v1.36/kiali-deploy/templates/kubernetes/deployment.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/deployment.yaml @@ -20,9 +20,9 @@ spec: name: {{ kiali_vars.deployment.instance_name }} labels: {{ kiali_resource_metadata_labels | combine(kiali_vars.deployment.pod_labels) }} annotations: -{% if kiali_vars.server.metrics_enabled|bool == True %} +{% if kiali_vars.server.observability.metrics.enabled|bool == True %} prometheus.io/scrape: "true" - prometheus.io/port: "{{ kiali_vars.server.metrics_port }}" + prometheus.io/port: "{{ kiali_vars.server.observability.metrics.port }}" {% else %} prometheus.io/scrape: "false" prometheus.io/port: null 
@@ -42,9 +42,13 @@ spec: {% for n in kiali_vars.deployment.image_pull_secrets %} - name: {{ n }} {% endfor %} +{% endif %} +{% if kiali_vars.deployment.host_aliases|length > 0 %} + hostAliases: + {{ kiali_vars.deployment.host_aliases | to_nice_yaml(indent=0) | trim | indent(8) }} {% endif %} containers: - - image: {{ kiali_vars.deployment.image_name }}:{{ kiali_vars.deployment.image_version }} + - image: {{ kiali_vars.deployment.image_name }}{{ '@' + kiali_vars.deployment.image_digest if kiali_vars.deployment.image_digest != '' else '' }}:{{ kiali_vars.deployment.image_version }} imagePullPolicy: {{ kiali_vars.deployment.image_pull_policy }} name: kiali command: @@ -52,16 +56,24 @@ spec: - "-config" - "/kiali-configuration/config.yaml" securityContext: +{% if kiali_vars.deployment.security_context|length > 0 %} + {{ kiali_vars.deployment.security_context | to_nice_yaml(indent=0) | trim | indent(10) }} +{% endif %} +{% if kiali_vars.deployment.security_context|length == 0 or lookup('env', 'ALLOW_SECURITY_CONTEXT_OVERRIDE') != "true" %} allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + capabilities: + drop: + - ALL +{% endif %} ports: - name: api-port containerPort: {{ kiali_vars.server.port }} -{% if kiali_vars.server.metrics_enabled|bool == True %} +{% if kiali_vars.server.observability.metrics.enabled|bool == True %} - name: http-metrics - containerPort: {{ kiali_vars.server.metrics_port }} + containerPort: {{ kiali_vars.server.observability.metrics.port }} {% endif %} readinessProbe: httpGet: 
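Review bot: The changed `- image:` line renders as `<image_name>@<image_digest>:<image_version>` whenever a digest is set, but the reference grammar the kubelet applies is `name[:tag][@digest]` with the tag before the digest, and `sha256:<hex>:<version>` is not a valid digest, so the pod would fail to pull. Unless `image_version` is cleared elsewhere when `image_digest` is non-empty (outside this hunk, and even then a trailing `:` would remain), the template should emit one or the other: `- image: {{ kiali_vars.deployment.image_name }}{{ ('@' + kiali_vars.deployment.image_digest) if kiali_vars.deployment.image_digest != '' else (':' + kiali_vars.deployment.image_version) }}`. Pinning by digest is the right direction for supply-chain integrity, so a comment on `image_digest` in defaults/main.yml stating the expected form (`sha256:<hex>`) and that it takes precedence over `image_version` would help users adopt it.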
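Review bot: The `securityContext:` block on the new side renders the user-supplied `deployment.security_context` and then, unless `ALLOW_SECURITY_CONTEXT_OVERRIDE` is `"true"`, appends the hardened keys after it, so a CR that sets e.g. `privileged: true` or `runAsNonRoot: false` produces a mapping with duplicate keys whose outcome depends on the YAML loader keeping the last occurrence. PyYAML does that today, so the hardened values win, but it is an accident of the parser rather than an expressed rule, and the CR author gets no signal that their value was discarded. Building the effective dict with `combine` makes the precedence explicit and keeps the rendered manifest valid YAML; gating the override on an environment variable of the operator pod rather than on the CR is the right trust boundary and is kept. Note that `combine` replaces a user-supplied `capabilities` map wholesale, exactly as the duplicate-key rendering does now, so the comment should say that `capabilities.add` is ignored unless the override is allowed.

```yaml
        securityContext:
{% set sc_hardened = {'allowPrivilegeEscalation': false, 'privileged': false, 'readOnlyRootFilesystem': true, 'runAsNonRoot': true, 'capabilities': {'drop': ['ALL']}} %}
{% if kiali_vars.deployment.security_context|length > 0 and lookup('env', 'ALLOW_SECURITY_CONTEXT_OVERRIDE') == "true" %}
{% set sc_effective = kiali_vars.deployment.security_context %}
{% else %}
{# hardened keys win over any user-supplied value (capabilities is replaced as a whole); other user keys are kept #}
{% set sc_effective = kiali_vars.deployment.security_context | combine(sc_hardened) %}
{% endif %}
          {{ sc_effective | to_nice_yaml(indent=0) | trim | indent(10) }}
# … unchanged: ports, probes …
```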
@@ -90,20 +102,27 @@ spec: value: "{{ kiali_vars.deployment.logger.sampler_rate }}" - name: LOG_TIME_FIELD_FORMAT value: "{{ kiali_vars.deployment.logger.time_field_format }}" -{% for env in kiali_deployment_environment_variables %} - - name: {{ env }} - valueFrom: - secretKeyRef: - name: {{ kiali_deployment_environment_variables[env].secret_name }} - key: {{ kiali_deployment_environment_variables[env].secret_key }} -{% endfor %} volumeMounts: - name: kiali-configuration mountPath: "/kiali-configuration" - - name: kiali-cert - mountPath: "/kiali-cert" - name: kiali-secret mountPath: "/kiali-secret" + - name: kiali-cabundle + mountPath: "/kiali-cabundle" +{% for sec in kiali_deployment_secret_volumes %} + - name: {{ sec }} + mountPath: "/kiali-override-secrets/{{ sec }}" + readOnly: true +{% endfor %} +{% for secret in kiali_vars.deployment.custom_secrets %} + - name: {{ secret.name }} + mountPath: "{{ secret.mount }}" +{% endfor %} +{% for sec in kiali_deployment_remote_cluster_secret_volumes %} + - name: {{ sec }} + mountPath: "/kiali-remote-cluster-secrets/{{ kiali_deployment_remote_cluster_secret_volumes[sec].secret_name }}" + readOnly: true +{% endfor %} {% if kiali_vars.deployment.resources|length > 0 %} resources: {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }} 
@@ -114,16 +133,36 @@ spec: - name: kiali-configuration configMap: name: {{ kiali_vars.deployment.instance_name }} - - name: kiali-cert - secret: - secretName: "istio.{{ kiali_vars.deployment.instance_name }}-service-account" -{% if kiali_vars.identity.cert_file == "" %} - optional: true -{% endif %} - name: kiali-secret secret: secretName: {{ kiali_vars.deployment.secret_name }} optional: true + - name: kiali-cabundle + configMap: + name: {{ kiali_vars.deployment.instance_name }}-cabundle + optional: true +{% for sec in kiali_deployment_secret_volumes %} + - name: {{ sec }} + secret: + secretName: {{ kiali_deployment_secret_volumes[sec].secret_name }} + items: + - key: {{ kiali_deployment_secret_volumes[sec].secret_key }} + path: value.txt + optional: false +{% endfor %} +{% for secret in kiali_vars.deployment.custom_secrets %} + - name: {{ secret.name }} + secret: + secretName: {{ secret.name }} +{% if secret.optional is defined %} + optional: {{ secret.optional }} +{% endif %} +{% endfor %} +{% for sec in kiali_deployment_remote_cluster_secret_volumes %} + - name: {{ sec }} + secret: + secretName: {{ kiali_deployment_remote_cluster_secret_volumes[sec].secret_name }} +{% endfor %} {% if kiali_vars.deployment.affinity.node|length > 0 or kiali_vars.deployment.affinity.pod|length > 0 or kiali_vars.deployment.affinity.pod_anti|length > 0 %} affinity: {% if kiali_vars.deployment.affinity.node|length > 0 %} diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/hpa.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/hpa.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/kubernetes/hpa.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/hpa.yaml 
diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/ingress.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/ingress.yaml similarity index 73% rename from roles/v1.36/kiali-deploy/templates/kubernetes/ingress.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/ingress.yaml index 51458419..c8ddafed 100644 --- a/roles/v1.36/kiali-deploy/templates/kubernetes/ingress.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/ingress.yaml @@ -4,8 +4,8 @@ metadata: name: {{ kiali_vars.deployment.instance_name }} namespace: {{ kiali_vars.deployment.namespace }} labels: {{ kiali_vars.deployment.ingress.additional_labels | combine(kiali_resource_metadata_labels) }} -{% if kiali_vars.deployment.override_ingress_yaml is defined and kiali_vars.deployment.override_ingress_yaml.metadata is defined and kiali_vars.deployment.override_ingress_yaml.metadata.annotations is defined %} - {{ kiali_vars.deployment.override_ingress_yaml.metadata | to_nice_yaml(indent=0) | trim | indent(2) }} +{% if kiali_vars.deployment.ingress.override_yaml is defined and kiali_vars.deployment.ingress.override_yaml.metadata is defined and kiali_vars.deployment.ingress.override_yaml.metadata.annotations is defined %} + {{ kiali_vars.deployment.ingress.override_yaml.metadata | to_nice_yaml(indent=0) | trim | indent(2) }} {% else %} annotations: # For ingress-nginx versions older than 0.20.0 
@@ -15,9 +15,12 @@ metadata: nginx.ingress.kubernetes.io/backend-protocol: "{{ 'HTTP' if kiali_vars.identity.cert_file == "" else 'HTTPS' }}" {% endif %} spec: -{% if kiali_vars.deployment.override_ingress_yaml is defined and kiali_vars.deployment.override_ingress_yaml.spec is defined %} - {{ kiali_vars.deployment.override_ingress_yaml.spec | to_nice_yaml(indent=0) | trim | indent(2) }} +{% if kiali_vars.deployment.ingress.override_yaml is defined and kiali_vars.deployment.ingress.override_yaml.spec is defined %} + {{ kiali_vars.deployment.ingress.override_yaml.spec | to_nice_yaml(indent=0) | trim | indent(2) }} {% else %} +{% if kiali_vars.deployment.ingress.class_name != "" %} + ingressClassName: {{ kiali_vars.deployment.ingress.class_name }} +{% endif %} rules: - http: paths: diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/role-controlplane.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/role-controlplane.yaml similarity index 52% rename from roles/v1.36/kiali-deploy/templates/kubernetes/role-controlplane.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/role-controlplane.yaml index 8f206bf0..fe51fead 100644 --- a/roles/v1.36/kiali-deploy/templates/kubernetes/role-controlplane.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/role-controlplane.yaml @@ -5,8 +5,16 @@ metadata: namespace: {{ kiali_vars.istio_namespace }} labels: {{ kiali_resource_metadata_labels }} rules: +{% if kiali_vars.kiali_feature_flags.certificates_information_indicators.enabled|bool == True %} - apiGroups: [""] + resourceNames: +{% for s in kiali_vars.kiali_feature_flags.certificates_information_indicators.secrets %} + - {{ s }} +{% endfor %} resources: - secrets verbs: + - get - list + - watch +{% endif %} \ No newline at end of file 
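Review bot: The `resourceNames` restriction added to the secrets rule in role-controlplane.yaml narrows `get` but not `list` and `watch` in the way the rule suggests: RBAC only authorizes a list/watch under `resourceNames` when the request carries a `metadata.name` field selector for one of those names, so an unqualified list of secrets in the control-plane namespace is denied rather than filtered. If Kiali reads each configured secret by name, the added `get` is what does the work and `list`/`watch` could be dropped; if it does list, the client must send the field selector for this rule to be effective. A comment stating which access pattern the rule is written for would make that reviewable, e.g. `{# Kiali reads these secrets by name; list/watch under resourceNames need a metadata.name field selector #}`. The same rule is in the openshift/role-controlplane.yaml hunk, and both files still end without a trailing newline.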
diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/role-viewer.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/role-viewer.yaml similarity index 86% rename from roles/v1.36/kiali-deploy/templates/kubernetes/role-viewer.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/role-viewer.yaml index 5d723f93..a2423ced 100644 --- a/roles/v1.36/kiali-deploy/templates/kubernetes/role-viewer.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/role-viewer.yaml @@ -11,8 +11,9 @@ rules: resources: - configmaps - endpoints +{% if 'logs-tab' not in kiali_vars.kiali_feature_flags.disabled_features %} - pods/log - - pods/proxy +{% endif %} verbs: - get - list @@ -54,18 +55,14 @@ rules: - apiGroups: - networking.istio.io - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io resources: ["*"] verbs: - get - list - watch -- apiGroups: ["iter8.tools"] - resources: - - experiments - verbs: - - get - - list - - watch - apiGroups: ["authentication.k8s.io"] resources: - tokenreviews diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/role.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/role.yaml similarity index 86% rename from roles/v1.36/kiali-deploy/templates/kubernetes/role.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/role.yaml index 90c68712..7afdc53c 100644 --- a/roles/v1.36/kiali-deploy/templates/kubernetes/role.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/role.yaml @@ -11,8 +11,9 @@ rules: resources: - configmaps - endpoints +{% if 'logs-tab' not in kiali_vars.kiali_feature_flags.disabled_features %} - pods/log - - pods/proxy +{% endif %} verbs: - get - list @@ -57,6 +58,9 @@ rules: - apiGroups: - networking.istio.io - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io resources: ["*"] verbs: - get 
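Review bot: In the role.yaml hunk at @@ -57,6 +58,9 @@ the new `extensions.istio.io`, `telemetry.istio.io` and `gateway.networking.k8s.io` groups inherit `resources: ["*"]`, and this rule's verbs appear to continue with `create`, `delete` and `patch` in the next hunk's context, so the non-viewer role can now write every kind in those groups — including `ReferenceGrant`, which governs cross-namespace references in the Gateway API. If Kiali manages a known set of kinds, listing them (or keeping the three new groups at `get`/`list`/`watch` in a separate rule) keeps the grant proportionate to what the UI actually edits. The same wildcard is added in the role-viewer.yaml hunk here and in the openshift role.yaml and role-viewer.yaml hunks.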
@@ -65,16 +69,6 @@ rules: - create - delete - patch -- apiGroups: ["iter8.tools"] - resources: - - experiments - verbs: - - get - - list - - watch - - create - - delete - - patch - apiGroups: ["authentication.k8s.io"] resources: - tokenreviews diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/rolebinding.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/rolebinding.yaml similarity index 79% rename from roles/v1.36/kiali-deploy/templates/kubernetes/rolebinding.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/rolebinding.yaml index d450ed83..22e1e860 100644 --- a/roles/v1.36/kiali-deploy/templates/kubernetes/rolebinding.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/rolebinding.yaml @@ -9,7 +9,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ role_kind }} - name: {{ (kiali_vars.deployment.instance_name + '-viewer') if kiali_vars.deployment.view_only_mode|bool == True else kiali_vars.deployment.instance_name }} + name: {{ (kiali_vars.deployment.instance_name + '-viewer') if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else kiali_vars.deployment.instance_name }} subjects: - kind: ServiceAccount name: {{ kiali_vars.deployment.instance_name }}-service-account diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/service.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/service.yaml similarity index 79% rename from roles/v1.36/kiali-deploy/templates/kubernetes/service.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/service.yaml index 08c4872e..80e19cf0 100644 
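Review bot: The roleRef expression in rolebinding.yaml now binds the viewer role whenever `auth.strategy` is not `anonymous`, regardless of `view_only_mode`, and nothing in the template says why; since this line decides what the service account may do, the rationale belongs next to it. A comment such as `{# Non-anonymous strategies bind only the viewer role to the service account; the full role is bound solely for anonymous mode that is not view-only #}` would make the rule reviewable, and it should state the reason (presumably that requests are authorized with the end user's own credentials in those modes — confirm). The identical expression appears in the openshift/rolebinding.yaml hunk.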
--- a/roles/v1.36/kiali-deploy/templates/kubernetes/service.yaml +++ b/roles/v1.65/kiali-deploy/templates/kubernetes/service.yaml @@ -18,11 +18,17 @@ spec: ports: - name: {{ 'http' if kiali_vars.identity.cert_file == "" else 'tcp' }} protocol: TCP +{% if k8s_version is defined and k8s_version is version('1.20', '>=') %} + appProtocol: {{ 'http' if kiali_vars.identity.cert_file == "" else 'https' }} +{% endif %} port: {{ kiali_vars.server.port }} -{% if kiali_vars.server.metrics_enabled|bool == True %} +{% if kiali_vars.server.observability.metrics.enabled|bool == True %} - name: http-metrics protocol: TCP - port: {{ kiali_vars.server.metrics_port }} +{% if k8s_version is defined and k8s_version is version('1.20', '>=') %} + appProtocol: http +{% endif %} + port: {{ kiali_vars.server.observability.metrics.port }} {% endif %} selector: {% if query(k8s_plugin, kind='Service', resource_name=kiali_vars.deployment.instance_name, namespace=kiali_vars.deployment.namespace) | length > 0 %} diff --git a/roles/v1.36/kiali-deploy/templates/kubernetes/serviceaccount.yaml b/roles/v1.65/kiali-deploy/templates/kubernetes/serviceaccount.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/kubernetes/serviceaccount.yaml rename to roles/v1.65/kiali-deploy/templates/kubernetes/serviceaccount.yaml diff --git a/roles/v1.36/kiali-deploy/templates/openshift/cabundle.yaml b/roles/v1.65/kiali-deploy/templates/openshift/cabundle.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/openshift/cabundle.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/cabundle.yaml diff --git a/roles/v1.36/kiali-deploy/templates/openshift/configmap.yaml b/roles/v1.65/kiali-deploy/templates/openshift/configmap.yaml similarity index 52% rename from roles/v1.36/kiali-deploy/templates/openshift/configmap.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/configmap.yaml index 43f8ae0e..933f4ca2 100644 
--- a/roles/v1.36/kiali-deploy/templates/openshift/configmap.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/configmap.yaml @@ -4,6 +4,10 @@ metadata: name: {{ kiali_vars.deployment.instance_name }} namespace: {{ kiali_vars.deployment.namespace }} labels: {{ kiali_resource_metadata_labels }} +{% if kiali_vars.deployment.configmap_annotations is defined and kiali_vars.deployment.configmap_annotations|length > 0 %} + annotations: + {{ kiali_vars.deployment.configmap_annotations | to_nice_yaml(indent=0) | trim | indent(4) }} +{% endif %} data: config.yaml: | {{ kiali_vars | to_nice_yaml(indent=0) | trim | indent(4) }} diff --git a/roles/v1.36/kiali-deploy/templates/openshift/console-links.yaml b/roles/v1.65/kiali-deploy/templates/openshift/console-links.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/openshift/console-links.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/console-links.yaml diff --git a/roles/v1.36/kiali-deploy/templates/openshift/deployment.yaml b/roles/v1.65/kiali-deploy/templates/openshift/deployment.yaml similarity index 69% rename from roles/v1.36/kiali-deploy/templates/openshift/deployment.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/deployment.yaml index 5a7e276e..909ab6a9 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/deployment.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/deployment.yaml @@ -15,9 +15,9 @@ spec: name: {{ kiali_vars.deployment.instance_name }} labels: {{ kiali_resource_metadata_labels | combine(kiali_vars.deployment.pod_labels) }} annotations: -{% if kiali_vars.server.metrics_enabled|bool == True %} +{% if kiali_vars.server.observability.metrics.enabled|bool == True %} prometheus.io/scrape: "true" - prometheus.io/port: "{{ kiali_vars.server.metrics_port }}" + prometheus.io/port: "{{ kiali_vars.server.observability.metrics.port }}" {% else %} prometheus.io/scrape: "false" prometheus.io/port: null 
@@ -42,9 +42,13 @@ spec: {% for n in kiali_vars.deployment.image_pull_secrets %} - name: {{ n }} {% endfor %} +{% endif %} +{% if kiali_vars.deployment.host_aliases|length > 0 %} + hostAliases: + {{ kiali_vars.deployment.host_aliases | to_nice_yaml(indent=0) | trim | indent(8) }} {% endif %} containers: - - image: {{ kiali_vars.deployment.image_name }}:{{ kiali_vars.deployment.image_version }} + - image: {{ kiali_vars.deployment.image_name }}{{ '@' + kiali_vars.deployment.image_digest if kiali_vars.deployment.image_digest != '' else '' }}:{{ kiali_vars.deployment.image_version }} imagePullPolicy: {{ kiali_vars.deployment.image_pull_policy }} name: kiali command: @@ -52,16 +56,24 @@ spec: - "-config" - "/kiali-configuration/config.yaml" securityContext: +{% if kiali_vars.deployment.security_context|length > 0 %} + {{ kiali_vars.deployment.security_context | to_nice_yaml(indent=0) | trim | indent(10) }} +{% endif %} +{% if kiali_vars.deployment.security_context|length == 0 or lookup('env', 'ALLOW_SECURITY_CONTEXT_OVERRIDE') != "true" %} allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + capabilities: + drop: + - ALL +{% endif %} ports: - name: api-port containerPort: {{ kiali_vars.server.port }} -{% if kiali_vars.server.metrics_enabled|bool == True %} +{% if kiali_vars.server.observability.metrics.enabled|bool == True %} - name: http-metrics - containerPort: {{ kiali_vars.server.metrics_port }} + containerPort: {{ kiali_vars.server.observability.metrics.port }} {% endif %} readinessProbe: httpGet: 
@@ -90,22 +102,31 @@ spec: value: "{{ kiali_vars.deployment.logger.sampler_rate }}" - name: LOG_TIME_FIELD_FORMAT value: "{{ kiali_vars.deployment.logger.time_field_format }}" -{% for env in kiali_deployment_environment_variables %} - - name: {{ env }} - valueFrom: - secretKeyRef: - name: {{ kiali_deployment_environment_variables[env].secret_name }} - key: {{ kiali_deployment_environment_variables[env].secret_key }} -{% endfor %} volumeMounts: - name: kiali-configuration mountPath: "/kiali-configuration" +{% if kiali_vars.identity.cert_file == "/kiali-cert/tls.crt" %} - name: kiali-cert mountPath: "/kiali-cert" +{% endif %} - name: kiali-secret mountPath: "/kiali-secret" - name: kiali-cabundle mountPath: "/kiali-cabundle" +{% for sec in kiali_deployment_secret_volumes %} + - name: {{ sec }} + mountPath: "/kiali-override-secrets/{{ sec }}" + readOnly: true +{% endfor %} +{% for secret in kiali_vars.deployment.custom_secrets %} + - name: {{ secret.name }} + mountPath: "{{ secret.mount }}" +{% endfor %} +{% for sec in kiali_deployment_remote_cluster_secret_volumes %} + - name: {{ sec }} + mountPath: "/kiali-remote-cluster-secrets/{{ kiali_deployment_remote_cluster_secret_volumes[sec].secret_name }}" + readOnly: true +{% endfor %} {% if kiali_vars.deployment.resources|length > 0 %} resources: {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }} @@ -116,11 +137,10 @@ spec: - name: kiali-configuration configMap: name: {{ kiali_vars.deployment.instance_name }} +{% if kiali_vars.identity.cert_file == "/kiali-cert/tls.crt" %} - name: kiali-cert secret: secretName: {{ kiali_vars.deployment.instance_name }}-cert-secret -{% if kiali_vars.identity.cert_file == "" %} - optional: true {% endif %} - name: kiali-secret secret: 
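Review bot: In the volumeMounts hunk, the `custom_secrets` mounts are the only secret mounts emitted without `readOnly: true`, and `mountPath` is taken verbatim from `secret.mount`, so a user-supplied path can shadow `/kiali-configuration`, `/kiali-secret` or the `/kiali-override-secrets/...` and `/kiali-remote-cluster-secrets/...` paths rendered around it. Adding `readOnly: true` keeps these mounts consistent with the override and remote-cluster loops, and a `{# custom secret mount paths must not collide with the operator-managed mounts #}` comment (or a check in the role's tasks) documents the collision risk. The same loop is in the kubernetes/deployment.yaml hunk at @@ -90,20 +102,27 @@.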
@@ -129,6 +149,28 @@ spec: - name: kiali-cabundle configMap: name: {{ kiali_vars.deployment.instance_name }}-cabundle +{% for sec in kiali_deployment_secret_volumes %} + - name: {{ sec }} + secret: + secretName: {{ kiali_deployment_secret_volumes[sec].secret_name }} + items: + - key: {{ kiali_deployment_secret_volumes[sec].secret_key }} + path: value.txt + optional: false +{% endfor %} +{% for secret in kiali_vars.deployment.custom_secrets %} + - name: {{ secret.name }} + secret: + secretName: {{ secret.name }} +{% if secret.optional is defined %} + optional: {{ secret.optional }} +{% endif %} +{% endfor %} +{% for sec in kiali_deployment_remote_cluster_secret_volumes %} + - name: {{ sec }} + secret: + secretName: {{ kiali_deployment_remote_cluster_secret_volumes[sec].secret_name }} +{% endfor %} {% if kiali_vars.deployment.affinity.node|length > 0 or kiali_vars.deployment.affinity.pod|length > 0 or kiali_vars.deployment.affinity.pod_anti|length > 0 %} affinity: {% if kiali_vars.deployment.affinity.node|length > 0 %} diff --git a/roles/v1.36/kiali-deploy/templates/openshift/hpa.yaml b/roles/v1.65/kiali-deploy/templates/openshift/hpa.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/openshift/hpa.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/hpa.yaml diff --git a/roles/v1.65/kiali-deploy/templates/openshift/oauth.yaml b/roles/v1.65/kiali-deploy/templates/openshift/oauth.yaml new file mode 100644 index 00000000..6f548ffb --- /dev/null +++ b/roles/v1.65/kiali-deploy/templates/openshift/oauth.yaml 
@@ -0,0 +1,14 @@ +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ kiali_vars.deployment.instance_name }}-{{ kiali_vars.deployment.namespace }} + labels: {{ kiali_resource_metadata_labels }} +redirectURIs: + - {{ kiali_route_url }} +grantMethod: auto +{% if kiali_vars.auth.openshift.token_inactivity_timeout is defined %} +accessTokenInactivityTimeoutSeconds: {{ kiali_vars.auth.openshift.token_inactivity_timeout }} +{% endif %} +{% if kiali_vars.auth.openshift.token_max_age is defined %} +accessTokenMaxAgeSeconds: {{ kiali_vars.auth.openshift.token_max_age }} +{% endif %} diff --git a/roles/v1.36/kiali-deploy/templates/openshift/role-controlplane.yaml b/roles/v1.65/kiali-deploy/templates/openshift/role-controlplane.yaml similarity index 52% rename from roles/v1.36/kiali-deploy/templates/openshift/role-controlplane.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/role-controlplane.yaml index 8f206bf0..fe51fead 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/role-controlplane.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/role-controlplane.yaml @@ -5,8 +5,16 @@ metadata: namespace: {{ kiali_vars.istio_namespace }} labels: {{ kiali_resource_metadata_labels }} rules: +{% if kiali_vars.kiali_feature_flags.certificates_information_indicators.enabled|bool == True %} - apiGroups: [""] + resourceNames: +{% for s in kiali_vars.kiali_feature_flags.certificates_information_indicators.secrets %} + - {{ s }} +{% endfor %} resources: - secrets verbs: + - get - list + - watch +{% endif %} \ No newline at end of file diff --git a/roles/v1.36/kiali-deploy/templates/openshift/role-viewer.yaml b/roles/v1.65/kiali-deploy/templates/openshift/role-viewer.yaml similarity index 88% rename from roles/v1.36/kiali-deploy/templates/openshift/role-viewer.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/role-viewer.yaml index 425e444d..a4923386 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/role-viewer.yaml 
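Review bot: `accessTokenInactivityTimeoutSeconds` and `accessTokenMaxAgeSeconds` are rendered straight from `token_inactivity_timeout` and `token_max_age` with no range check; OpenShift rejects an inactivity timeout that is non-zero but below 300 seconds, so a small value in the CR surfaces only as an apply failure of the OAuthClient. Validating the value in the role's tasks, or at least a comment such as `{# OpenShift requires 0 or >= 300 for the inactivity timeout; 0 means tokens for this client never time out #}`, would make the constraint visible. These fields also override the cluster-wide token settings for this client only, which is worth stating next to them.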
+++ b/roles/v1.65/kiali-deploy/templates/openshift/role-viewer.yaml @@ -11,8 +11,9 @@ rules: resources: - configmaps - endpoints +{% if 'logs-tab' not in kiali_vars.kiali_feature_flags.disabled_features %} - pods/log - - pods/proxy +{% endif %} verbs: - get - list @@ -54,6 +55,9 @@ rules: - apiGroups: - networking.istio.io - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io resources: ["*"] verbs: - get @@ -76,13 +80,6 @@ rules: - routes verbs: - get -- apiGroups: ["iter8.tools"] - resources: - - experiments - verbs: - - get - - list - - watch - apiGroups: ["authentication.k8s.io"] resources: - tokenreviews diff --git a/roles/v1.36/kiali-deploy/templates/openshift/role.yaml b/roles/v1.65/kiali-deploy/templates/openshift/role.yaml similarity index 89% rename from roles/v1.36/kiali-deploy/templates/openshift/role.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/role.yaml index c5d25750..e6314ed4 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/role.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/role.yaml @@ -11,8 +11,9 @@ rules: resources: - configmaps - endpoints +{% if 'logs-tab' not in kiali_vars.kiali_feature_flags.disabled_features %} - pods/log - - pods/proxy +{% endif %} verbs: - get - list @@ -57,6 +58,9 @@ rules: - apiGroups: - networking.istio.io - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io resources: ["*"] verbs: - get @@ -83,16 +87,6 @@ rules: - routes verbs: - get -- apiGroups: ["iter8.tools"] - resources: - - experiments - verbs: - - get - - list - - watch - - create - - delete - - patch - apiGroups: ["authentication.k8s.io"] resources: - tokenreviews 
diff --git a/roles/v1.36/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml b/roles/v1.65/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml diff --git a/roles/v1.36/kiali-deploy/templates/openshift/rolebinding.yaml b/roles/v1.65/kiali-deploy/templates/openshift/rolebinding.yaml similarity index 79% rename from roles/v1.36/kiali-deploy/templates/openshift/rolebinding.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/rolebinding.yaml index d450ed83..22e1e860 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/rolebinding.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/rolebinding.yaml @@ -9,7 +9,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ role_kind }} - name: {{ (kiali_vars.deployment.instance_name + '-viewer') if kiali_vars.deployment.view_only_mode|bool == True else kiali_vars.deployment.instance_name }} + name: {{ (kiali_vars.deployment.instance_name + '-viewer') if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else kiali_vars.deployment.instance_name }} subjects: - kind: ServiceAccount name: {{ kiali_vars.deployment.instance_name }}-service-account diff --git a/roles/v1.36/kiali-deploy/templates/openshift/route.yaml b/roles/v1.65/kiali-deploy/templates/openshift/route.yaml similarity index 57% rename from roles/v1.36/kiali-deploy/templates/openshift/route.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/route.yaml index 9f069098..c10b0ad5 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/route.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/route.yaml 
@@ -4,12 +4,12 @@ metadata: name: {{ kiali_vars.deployment.instance_name }} namespace: {{ kiali_vars.deployment.namespace }} labels: {{ kiali_vars.deployment.ingress.additional_labels | combine(kiali_resource_metadata_labels) }} -{% if kiali_vars.deployment.override_ingress_yaml is defined and kiali_vars.deployment.override_ingress_yaml.metadata is defined and kiali_vars.deployment.override_ingress_yaml.metadata.annotations is defined %} - {{ kiali_vars.deployment.override_ingress_yaml.metadata | to_nice_yaml(indent=0) | trim | indent(2) }} +{% if kiali_vars.deployment.ingress.override_yaml is defined and kiali_vars.deployment.ingress.override_yaml.metadata is defined and kiali_vars.deployment.ingress.override_yaml.metadata.annotations is defined %} + {{ kiali_vars.deployment.ingress.override_yaml.metadata | to_nice_yaml(indent=0) | trim | indent(2) }} {% endif %} spec: -{% if kiali_vars.deployment.override_ingress_yaml is defined and kiali_vars.deployment.override_ingress_yaml.spec is defined %} - {{ kiali_vars.deployment.override_ingress_yaml.spec | to_nice_yaml(indent=0) | trim | indent(2) }} +{% if kiali_vars.deployment.ingress.override_yaml is defined and kiali_vars.deployment.ingress.override_yaml.spec is defined %} + {{ kiali_vars.deployment.ingress.override_yaml.spec | to_nice_yaml(indent=0) | trim | indent(2) }} {% else %} tls: termination: reencrypt diff --git a/roles/v1.36/kiali-deploy/templates/openshift/service.yaml b/roles/v1.65/kiali-deploy/templates/openshift/service.yaml similarity index 76% rename from roles/v1.36/kiali-deploy/templates/openshift/service.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/service.yaml index 0d14b14f..cef7a730 100644 --- a/roles/v1.36/kiali-deploy/templates/openshift/service.yaml +++ b/roles/v1.65/kiali-deploy/templates/openshift/service.yaml 
@@ -16,11 +16,17 @@ spec: ports: - name: {{ 'http' if kiali_vars.identity.cert_file == "" else 'tcp' }} protocol: TCP +{% if k8s_version is defined and k8s_version is version('1.20', '>=') %} + appProtocol: {{ 'http' if kiali_vars.identity.cert_file == "" else 'https' }} +{% endif %} port: {{ kiali_vars.server.port }} -{% if kiali_vars.server.metrics_enabled|bool == True %} +{% if kiali_vars.server.observability.metrics.enabled|bool == True %} - name: http-metrics protocol: TCP - port: {{ kiali_vars.server.metrics_port }} +{% if k8s_version is defined and k8s_version is version('1.20', '>=') %} + appProtocol: http +{% endif %} + port: {{ kiali_vars.server.observability.metrics.port }} {% endif %} selector: {% if query(k8s_plugin, kind='Service', resource_name=kiali_vars.deployment.instance_name, namespace=kiali_vars.deployment.namespace) | length > 0 %} diff --git a/roles/v1.36/kiali-deploy/templates/openshift/serviceaccount.yaml b/roles/v1.65/kiali-deploy/templates/openshift/serviceaccount.yaml similarity index 100% rename from roles/v1.36/kiali-deploy/templates/openshift/serviceaccount.yaml rename to roles/v1.65/kiali-deploy/templates/openshift/serviceaccount.yaml diff --git a/roles/v1.36/kiali-deploy/vars/main.yml b/roles/v1.65/kiali-deploy/vars/main.yml similarity index 94% rename from roles/v1.36/kiali-deploy/vars/main.yml rename to roles/v1.65/kiali-deploy/vars/main.yml index 593c6124..0931404f 100644 --- a/roles/v1.36/kiali-deploy/vars/main.yml +++ b/roles/v1.65/kiali-deploy/vars/main.yml 
@@ -52,13 +52,6 @@ kiali_vars: {{ kiali_defaults.deployment }} {%- endif -%} - extensions: | - {%- if extensions is defined and extensions is iterable -%} - {{ kiali_defaults.extensions | combine((extensions | stripnone), recursive=True) }} - {%- else -%} - {{ kiali_defaults.extensions }} - {%- endif -%} - external_services: | {%- if external_services is defined and external_services is iterable -%} {{ kiali_defaults.external_services | combine((external_services | stripnone), recursive=True) }} diff --git a/roles/v1.36/kiali-remove/defaults/main.yml b/roles/v1.65/kiali-remove/defaults/main.yml similarity index 85% rename from roles/v1.36/kiali-remove/defaults/main.yml rename to roles/v1.65/kiali-remove/defaults/main.yml index f947b6e5..afcbe7a2 100644 --- a/roles/v1.36/kiali-remove/defaults/main.yml +++ b/roles/v1.65/kiali-remove/defaults/main.yml @@ -4,7 +4,7 @@ kiali_defaults: deployment: accessible_namespaces: [] hpa: - api_version: "autoscaling/v2beta2" + api_version: "" instance_name: "kiali" # Will be auto-detected, but for debugging purposes you can force one of these to true diff --git a/roles/v1.36/kiali-remove/filter_plugins/stripnone.py b/roles/v1.65/kiali-remove/filter_plugins/stripnone.py similarity index 100% rename from roles/v1.36/kiali-remove/filter_plugins/stripnone.py rename to roles/v1.65/kiali-remove/filter_plugins/stripnone.py diff --git a/roles/v1.36/kiali-remove/meta/main.yml b/roles/v1.65/kiali-remove/meta/main.yml similarity index 100% rename from roles/v1.36/kiali-remove/meta/main.yml rename to roles/v1.65/kiali-remove/meta/main.yml diff --git a/roles/v1.36/kiali-remove/tasks/main.yml b/roles/v1.65/kiali-remove/tasks/main.yml similarity index 93% rename from roles/v1.36/kiali-remove/tasks/main.yml rename to roles/v1.65/kiali-remove/tasks/main.yml index a0e67433..586e0f42 100644 --- a/roles/v1.36/kiali-remove/tasks/main.yml +++ b/roles/v1.65/kiali-remove/tasks/main.yml 
@@ -14,7 +14,7 @@ set_fact: current_cr: "{{ _kiali_io_kiali }}" -- name: Get information about the cluster +- name: Get api group information from the cluster ignore_errors: yes set_fact: api_groups: "{{ lookup(k8s_plugin, cluster_info='api_groups') }}" @@ -22,6 +22,11 @@ - is_openshift == False - is_k8s == False +- name: Get api version information from the cluster + ignore_errors: yes + k8s_cluster_info: + register: api_status + - name: Determine the cluster type ignore_errors: yes set_fact: @@ -46,6 +51,13 @@ debug: msg: "{{ msg.split('\n') }}" +- name: Set default HPA api_version + ignore_errors: yes + set_fact: + kiali_vars: "{{ kiali_vars | combine({'deployment': {'hpa': {'api_version': 'autoscaling/v2' if (api_status.apis['autoscaling/v2'] is defined) else 'autoscaling/v2beta2' }}}, recursive=True) }}" + when: + - kiali_vars.deployment.hpa.api_version == "" + # There is an edge case where a user installed Kiali with one instance name, then changed the instance name in the CR. # This is not allowed. When this happens, the operator will abort with an error message telling the user to uninstall Kiali. # The user will do this by deleting the Kiali CR, at which time this ansible role is executed. @@ -134,7 +146,7 @@ - name: Find currently configured label selector ignore_errors: yes set_fact: - current_label_selector: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector') }}" + current_label_selector_include: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector_include') }}" when: - current_configmap is defined - current_configmap.data is defined 
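Review bot: In the `Set default HPA api_version` task, if the preceding `k8s_cluster_info` call failed (its error is ignored), `api_status.apis` is undefined and indexing it raises before the `is defined` test runs, so this task also errors, is also ignored, and `kiali_vars.deployment.hpa.api_version` stays `""` instead of falling back to `autoscaling/v2beta2` as the expression intends. Guard the lookup: `'autoscaling/v2' if (api_status.apis is defined and api_status.apis['autoscaling/v2'] is defined) else 'autoscaling/v2beta2'`. With two consecutive `ignore_errors: yes` tasks the failure is invisible in the run output, so a `debug` of the chosen api_version, or dropping `ignore_errors` on the set_fact once it is guarded, would make it observable.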
@@ -144,13 +156,12 @@ ignore_errors: yes vars: # everything to the left of the = is the name of the label we want to remove - the_namespace_label_name: "{{ current_label_selector | regex_replace('^(.*)=.*$', '\\1') }}" - # if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it, hence we check for its existence + the_namespace_label_name: "{{ current_label_selector_include | regex_replace('^(.*)=.*$', '\\1') }}" + # if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it, hence we use state=patched k8s: - state: present + state: patched definition: | {% for namespace in current_accessible_namespaces %} - {% if namespace in all_namespaces %} --- apiVersion: v1 kind: Namespace @@ -159,12 +170,11 @@ labels: {{ the_namespace_label_name }}: null ... - {% endif %} {% endfor %} when: - current_accessible_namespaces is defined - '"**" not in current_accessible_namespaces' - - current_label_selector is defined + - current_label_selector_include is defined - name: Delete Kiali cluster roles ignore_errors: yes diff --git a/roles/v1.36/kiali-remove/tasks/remove-clusterroles.yml b/roles/v1.65/kiali-remove/tasks/remove-clusterroles.yml similarity index 100% rename from roles/v1.36/kiali-remove/tasks/remove-clusterroles.yml rename to roles/v1.65/kiali-remove/tasks/remove-clusterroles.yml diff --git a/roles/v1.36/kiali-remove/vars/main.yml b/roles/v1.65/kiali-remove/vars/main.yml similarity index 100% rename from roles/v1.36/kiali-remove/vars/main.yml rename to roles/v1.65/kiali-remove/vars/main.yml