new api.namespaces settings (#574)

* new api.namespaces settings

part of: kiali/kiali#5516

* molecule tests to test the include/exclude filters
fix bug that new tests uncovered

* include now implicitly has control plane namespace - you don't have to specify it

crd-docs/cr/kiali.io_v1alpha1_kiali.yaml

@@ -24,9 +24,10 @@ spec:
       - "^openshift.*"
       - "^ibm.*"
       - "^kiali-operator"
-      # default: label_selector is undefined
-      label_selector: "kiali.io/member-of=istio-system"
-
+      include: []
+      label_selector_exclude: ""
+      # default: label_selector_include is undefined
+      label_selector_include: "kiali.io/member-of=istio-system"
   auth:
     strategy: ""
     openid:

crd-docs/crd/kiali.io_kialis.yaml

@@ -92,17 +92,27 @@ spec:
                         type: array
                         items:
                           type: string
-                      label_selector:
+                      include:
+                        description: "A list of namespaces to be included in the list of namespaces provided by the Kiali API and Kiali UI (if those namespaces exist). Regex is supported. An undefined or empty list is ignored. This does not affect explicit namespace access."
+                        type: array
+                        items:
+                          type: string
+                      label_selector_exclude:
+                        description: |
+                          A Kubernetes label selector (e.g. `myLabel=myValue`) which is used for filtering out namespaces
+                          when fetching the list of available namespaces. This does not affect explicit namespace access.
+                        type: string
+                      label_selector_include:
                         description: |
                           A Kubernetes label selector (e.g. `myLabel=myValue`) which is used when fetching the list of
                           available namespaces. This does not affect explicit namespace access.
 
                           If `deployment.accessible_namespaces` does not have the special value of `'**'`
                           then the Kiali operator will add a new label to all accessible namespaces - that new
-                          label will be this `label_selector`.
+                          label will be this `label_selector_include` (this label is added regardless if the namespace matches the label_selector_exclude also).
 
-                          Note that if you do not set this `label_selector` setting but `deployment.accessible_namespaces`
-                          does not have the special "all namespaces" entry of `'**'` then this `label_selector` will be set
+                          Note that if you do not set this `label_selector_include` setting but `deployment.accessible_namespaces`
+                          does not have the special "all namespaces" entry of `'**'` then this `label_selector_include` will be set
                           to a default value of `kiali.io/[<deployment.instance_name>.]member-of=<deployment.namespace>`
                           where `[<deployment.instance_name>.]` is the instance name assigned to the Kiali installation
                           if it is not the default 'kiali' (otherwise, this is omitted) and `<deployment.namespace>`

molecule/accessible-namespaces-test/assert-api-namespaces-result.yml

@@ -0,0 +1,46 @@
+# pass in:
+# - namespaces_expected: a list of namespaces expected to be returned (if known)
+# - namespaces_not_expected: a list of namespaces that should not have been returned (if known)
+# - min_namespaces_expected: the minimum number of namespaces that are expected to be returned (if known)
+# - max_namespaces_expected: the maximum number of namespaces that are expected to be returned (if known)
+
+- name: "Call /namespaces API"
+  uri:
+    url: "{{ kiali_base_url }}/api/namespaces"
+    return_content: yes
+    validate_certs: false
+  register: api_results_raw
+
+- name: "Results of /namespaces API"
+  debug:
+    msg: "{{ api_results_raw }}"
+
+- name: Assert that we got no less than the minimum number of namespaces expected
+  assert:
+    that:
+    - api_results_raw.json | length >= min_namespaces_expected
+  when:
+  - min_namespaces_expected is defined
+
+- name: Assert that we got no more than the maximum number of namespaces expected
+  assert:
+    that:
+    - api_results_raw.json | length <= max_namespaces_expected
+  when:
+  - max_namespaces_expected is defined
+
+- name: Assert that we got the namespaces expected
+  assert:
+    that:
+    - api_results_raw.json | selectattr('name', 'equalto', item) | list | length == 1
+  loop: "{{ namespaces_expected }}"
+  when:
+  - namespaces_expected is defined
+
+- name: Assert that we did not get namespaces that were not expected
+  assert:
+    that:
+    - api_results_raw.json | selectattr('name', 'equalto', item) | list | length == 0
+  loop: "{{ namespaces_not_expected }}"
+  when:
+  - namespaces_not_expected is defined

molecule/accessible-namespaces-test/converge.yml

@@ -11,31 +11,99 @@
   - import_tasks: ../asserts/accessible_namespaces_contains.yml
     vars:
       namespace_list: [ '**' ]
-  - name: Make sure label_selector is not set since its default is nil when accessible namespaces is **
+  - name: Make sure label_selector_include is not set since its default is nil when accessible namespaces is **
     assert:
       that:
-      - kiali_configmap.api.namespaces.label_selector is not defined
+      - kiali_configmap.api.namespaces.label_selector_include is not defined
 
-  # change to accessible_namespaces to a fixed list of namespaces
-  - k8s:
-      state: present
-      definition:
-        apiVersion: v1
-        kind: Namespace
-        metadata:
-          name: kialitestns
-          labels:
-            customLabel: test
-  - k8s:
-      state: present
-      api_version: v1
-      kind: Namespace
-      name: kialitestns2
-  - k8s:
-      state: present
-      api_version: v1
-      kind: Namespace
-      name: kialianothertestns
+  - debug: msg="test to make sure the default AN=** behavior works (default include/exclude filters are in effect)"
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 4
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
+      - kialitestns
+      - kialitestns2
+      - kialianothertestns
+      namespaces_not_expected:
+      - kiali-operator
+
+  - debug: msg="test that include filter works when AN=**; also tests exclude filter"
+  - import_tasks: ./set-api-namespaces.yml
+    vars:
+      # include kialitest* and kialianother* but we exclude kialianother* and exclude takes precedence.
+      # Also, trying to exclude the control plane namespace is ignored - the control plane namespace is always returned.
+      # So this will return the two kialitest* namespaces and the control plane namespace.
+      api_namespaces:
+        include: [ "kialitest.*", "kialianother.*" ]
+        exclude: [ "{{ istio.control_plane_namespace }}", "kialianother.*" ]
+        label_selector_include: null
+        label_selector_exclude: null
+
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 3
+      max_namespaces_expected: 3
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
+      - kialitestns
+      - kialitestns2
+
+  - debug: msg="test both exclude filters (both exclude list and label selector) works"
+  - import_tasks: ./set-api-namespaces.yml
+    vars:
+      api_namespaces:
+        include: [ "kialitest.*", "kialianother.*" ]
+        exclude: [ "kialianother.*" ]
+        label_selector_include: null
+        label_selector_exclude: "customLabel=test"
+
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 2
+      max_namespaces_expected: 2
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
+      - kialitestns2
+
+  - debug: msg="test include label selector works when AN=**"
+  - import_tasks: ./set-api-namespaces.yml
+    vars:
+      api_namespaces:
+        include: ["{{ istio.control_plane_namespace }}"]
+        exclude: null
+        label_selector_include: "customLabel=test"
+        label_selector_exclude: null
+
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 2
+      max_namespaces_expected: 2
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
+      - kialitestns
+
+  - debug: msg="reset the api.namespaces so it goes back to all defaults"
+  - import_tasks: ./set-api-namespaces.yml
+    vars:
+      api_namespaces:
+        include: null
+        exclude: null
+        label_selector_include: null
+        label_selector_exclude: null
+
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 4
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
+      - kialitestns
+      - kialitestns2
+      - kialianothertestns
+      namespaces_not_expected:
+      - kiali-operator
+
+  - debug: msg="change to accessible_namespaces to a fixed list of namespaces"
   - import_tasks: ../common/set_accessible_namespaces_to_list.yml
     vars:
       namespace_list: [ "{{ istio.control_plane_namespace }}", 'kialitestns', 'kialianother.*' ]
@@ -46,37 +114,47 @@
   - import_tasks: ../asserts/accessible_namespaces_equals.yml
     vars:
       namespace_list: [ "{{ istio.control_plane_namespace }}", 'kialitestns', 'kialianothertestns' ]
-  - name: "Make sure label_selector is set properly"
+  - name: "Make sure label_selector_include is set properly"
     assert:
       that:
-      - kiali_configmap.api.namespaces.label_selector == "kiali.io/member-of={{ istio.control_plane_namespace }}"
+      - kiali_configmap.api.namespaces.label_selector_include == "kiali.io/member-of={{ istio.control_plane_namespace }}"
 
   - name: Make sure the new label exists, but didn't overwrite any existing labels
     vars:
       # Use query - it is the only way to ensure a list is returned; for some reason, lookup/wantList=true is not working
       namespacesWithCustomLabel: "{{ query('kubernetes.core.k8s', kind='Namespace', label_selector='customLabel=test') }}"
-      namespacesWithKialiLabel: "{{ query('kubernetes.core.k8s', kind='Namespace', label_selector=kiali_configmap.api.namespaces.label_selector) }}"
+      namespacesWithKialiLabel: "{{ query('kubernetes.core.k8s', kind='Namespace', label_selector=kiali_configmap.api.namespaces.label_selector_include) }}"
     assert:
       that:
       - namespacesWithCustomLabel | length == 1
       - namespacesWithCustomLabel[0].metadata.name == "kialitestns"
       - namespacesWithKialiLabel | length == 3
 
-  - k8s:
-      state: absent
-      api_version: v1
-      kind: Namespace
-      name: kialitestns
-  - k8s:
-      state: absent
-      api_version: v1
-      kind: Namespace
-      name: kialitestns2
-  - k8s:
-      state: absent
-      api_version: v1
-      kind: Namespace
-      name: kialianothertestns
+  - debug: msg="test the normal accessible namespaces (without custom include/exclude filters defined)"
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 3
+      max_namespaces_expected: 3
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
+      - kialitestns
+      - kialianothertestns
+
+  - debug: msg="test to show include is ignored when AN is not ** but exclude filters are still applied"
+  - import_tasks: ./set-api-namespaces.yml
+    vars:
+      api_namespaces:
+        include: [ ".*" ]
+        exclude: [ "kialianother.*" ]
+        label_selector_include: null
+        label_selector_exclude: "customLabel=test"
+
+  - import_tasks: ./assert-api-namespaces-result.yml
+    vars:
+      min_namespaces_expected: 1
+      max_namespaces_expected: 1
+      namespaces_expected:
+      - "{{ istio.control_plane_namespace }}"
 
   # change to accessible_namespaces back to **
   - import_tasks: ../common/set_accessible_namespaces_to_all.yml
@@ -87,7 +165,7 @@
   - import_tasks: ../asserts/accessible_namespaces_contains.yml
     vars:
       namespace_list: [ '**' ]
-  - name: Make sure label_selector is not set since its default is nil when accessible namespaces is **
+  - name: Make sure label_selector_include is not set since its default is nil when accessible namespaces is **
     assert:
       that:
-      - kiali_configmap.api.namespaces.label_selector is not defined
+      - kiali_configmap.api.namespaces.label_selector_include is not defined

molecule/accessible-namespaces-test/destroy-accessible-namespaces-test.yml

@@ -0,0 +1,13 @@
+- name: Destroy
+  hosts: localhost
+  connection: local
+  collections:
+  - kubernetes.core
+
+- name: Include the base destroy play to destroy the first kiali install
+  import_playbook: ../default/destroy.yml
+
+- name: Delete the test namespaces
+  import_playbook: ./process-namespaces.yml
+  vars:
+    state: absent

molecule/accessible-namespaces-test/molecule.yml

@@ -13,8 +13,8 @@ provisioner:
     defaults:
       callback_enabled: junit
   playbooks:
-    destroy: ../default/destroy.yml
-    prepare: ../default/prepare.yml
+    destroy: ./destroy-accessible-namespaces-test.yml
+    prepare: ./prepare-accessible-namespaces-test.yml
     cleanup: ../default/cleanup.yml
   inventory:
     group_vars:

molecule/accessible-namespaces-test/prepare-accessible-namespaces-test.yml

@@ -0,0 +1,13 @@
+- name: Prepare
+  hosts: localhost
+  connection: local
+  collections:
+  - kubernetes.core
+
+- name: Create the test namespaces
+  import_playbook: ./process-namespaces.yml
+  vars:
+    state: present
+
+- name: Include the base prepare play to create the first kiali install
+  import_playbook: ../default/prepare.yml

molecule/accessible-namespaces-test/process-namespaces.yml

@@ -0,0 +1,27 @@
+- name: "Process Test Namespaces [state={{ state }}]"
+  hosts: localhost
+  connection: local
+  collections:
+  - kubernetes.core
+
+  tasks:
+  - k8s:
+      state: "{{ state }}"
+      definition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: kialitestns
+          labels:
+            customLabel: test
+  - k8s:
+      state: "{{ state }}"
+      api_version: v1
+      kind: Namespace
+      name: kialitestns2
+  - k8s:
+      state: "{{ state }}"
+      api_version: v1
+      kind: Namespace
+      name: kialianothertestns
+

molecule/accessible-namespaces-test/set-api-namespaces.yml

@@ -0,0 +1,14 @@
+# Wait for the operator to finish any reconciliation currently ongoing
+- import_tasks: ../common/wait_for_kiali_cr_changes.yml
+
+- name: "Set api.namespaces"
+  vars:
+    current_kiali_cr: "{{ kiali_cr_list.resources[0] }}"
+  set_fact:
+    new_kiali_cr: "{{ current_kiali_cr | combine({'spec': {'api': {'namespaces': api_namespaces }}}, recursive=True) }}"
+
+- import_tasks: ../common/set_kiali_cr.yml
+- import_tasks: ../common/wait_for_kiali_cr_changes.yml
+- import_tasks: ../common/wait_for_kiali_running.yml
+- import_tasks: ../common/tasks.yml
+- import_tasks: ../asserts/pod_asserts.yml