From 42f238794114d1acc24a4367475ffb97b729addb Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Tue, 23 Jul 2024 14:32:30 -0400
Subject: [PATCH] Removing accessible namespaces as part of the new discovery selector support.
part of: kiali/kiali#7546
part of KEP: https://github.com/kiali/kiali/blob/master/design/KEPS/namespace-discovery/proposal.md
---
 README.adoc | 2 +-
 kiali-operator/templates/clusterrole.yaml | 2 +-
 kiali-operator/templates/deployment.yaml | 4 +---
 kiali-operator/values.yaml | 26 ++++++-----------------
 kiali-server/templates/NOTES.txt | 15 +++++++++++++
 kiali-server/templates/_helpers.tpl | 10 ++-------
 kiali-server/templates/configmap.yaml | 2 +-
 kiali-server/values.yaml | 14 +++---------
 8 files changed, 31 insertions(+), 44 deletions(-)
diff --git a/README.adoc b/README.adoc
index 7584d81..fd4346b 100644
--- a/README.adoc
+++ b/README.adoc
@@ -65,7 +65,7 @@ helm uninstall -n kiali-operator kiali-operator
 ==== Overriding values
-You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "deployment.accessible_namespaces={bookinfo,demo2}"`. You can set individual list items using square brackets: `--set deployment.accessible_namespaces[0]=bookinfo`.
+You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "kubernetes_config.excluded_workloads={CronJob,Job}"`. You can set individual list items using square brackets: `--set kubernetes_config.excluded_workloads[0]=CronJob`.
 If you locally built and pushed your Kiali server and Kiali operator images to your cluster, you can have the helm chart installations pull those images by the following settings:
diff --git a/kiali-operator/templates/clusterrole.yaml b/kiali-operator/templates/clusterrole.yaml
index 961b56b..23bfb28 100644
--- a/kiali-operator/templates/clusterrole.yaml
+++ b/kiali-operator/templates/clusterrole.yaml
@@ -113,7 +113,7 @@ rules:
 - list
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources:
- {{- if or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.clusterRoleCreator) }}
+ {{- if or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.clusterRoleCreator) }}
 - clusterrolebindings
 - clusterroles
 {{- end }}
diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
index ced80b4..a46074e 100644
--- a/kiali-operator/templates/deployment.yaml
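Review bot: The new condition tests `.Values.cr.spec.deployment.cluster_wide_access` for Go-template truthiness, so a quoted value (`cluster_wide_access: "false"` in a values file, or a `--set-string` override) is a non-empty string and still grants the operator write access to `clusterroles` and `clusterrolebindings`; the removed `has "**"` form did not have that failure mode because it inspected list membership. The same expression is used for `ALLOW_ALL_ACCESSIBLE_NAMESPACES` in the kiali-operator/templates/deployment.yaml hunk, so both fall open in the same way. A stricter test is `{{- if or (and .Values.cr.create (eq (toString .Values.cr.spec.deployment.cluster_wide_access) "true")) .Values.clusterRoleCreator }}`. Since `clusterRoleCreator` defaults to `true` in the kiali-operator/values.yaml hunk, the CR-derived branch only takes effect once that default is overridden, which is worth stating in the values.yaml comment.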
+++ b/kiali-operator/templates/deployment.yaml
@@ -87,9 +87,7 @@ spec:
 - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
 value: {{ .Values.allowSecurityContextOverride | quote }}
 - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
- value: {{ or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.allowAllAccessibleNamespaces) | quote }}
- - name: ACCESSIBLE_NAMESPACES_LABEL
- value: {{ .Values.accessibleNamespacesLabel | quote }}
+ value: {{ or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.allowAllAccessibleNamespaces) | quote }}
 - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
 value: "100"
 - name: ANSIBLE_DEBUG_LOGS
diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
index 0ece40f..aefc617 100644
--- a/kiali-operator/values.yaml
+++ b/kiali-operator/values.yaml
@@ -39,9 +39,9 @@ debug:
 watchNamespace: ""
 # Set to true if you want the operator to be able to create cluster roles. This is necessary
-# if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'.
+# if you want to support Kiali CRs with spec.deployment.cluster_wide_access=true.
 # Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
-# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 clusterRoleCreator: true
 # Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to
@@ -83,22 +83,12 @@ allowAdHocOSSMConsoleImage: false
 allowSecurityContextOverride: false
 # allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
-# to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**'].
-# If this is false, the user must specify an explicit list of namespaces in the Kiali CR.
+# to access all namespaces in the cluster via spec.deployment.cluster_wide_access=true.
+# If this is false, the user must specify an explicit set of namespaces in the Kiali CR via spec.deployment.discovery_selectors.
 # Setting this to "true" requires clusterRoleCreator to be "true" also.
-# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 allowAllAccessibleNamespaces: true
-# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
-# This value is either an empty string (which disables this feature) or a label name with an optional label value
-# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
-# spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause
-# the operator to abort the Kiali installation.
-# If just a label name (but no label value) is specified, the label value the operator will look for is the value of
-# the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name
-# of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
-accessibleNamespacesLabel: ""
-
 # watchesFile: If specified, this determines what watches file will be used to configure the operator. There are four different
 # files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`.
 # The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name
@@ -107,8 +97,7 @@ accessibleNamespacesLabel: ""
 # the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`.
 watchesFile: ""
-# For what a Kiali CR spec can look like, see:
-# https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
+# For what a Kiali CR spec can look like, see: https://kiali.io/docs/configuration/kialis.kiali.io/
 cr:
 create: false
 name: kiali
@@ -122,5 +111,4 @@ cr:
 spec:
 deployment:
- accessible_namespaces:
- - '**'
+ cluster_wide_access: true
\ No newline at end of file
diff --git a/kiali-server/templates/NOTES.txt b/kiali-server/templates/NOTES.txt
index 7510194..fac4e8d 100644
--- a/kiali-server/templates/NOTES.txt
+++ b/kiali-server/templates/NOTES.txt
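Review bot: The replacement line `cluster_wide_access: true` at the end of kiali-operator/values.yaml is committed without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next append to the file show up as a modification of this line. Add the final newline. It would also help to say in the comment on this example CR that `cluster_wide_access: true` is what makes the clusterrole.yaml and deployment.yaml templates grant cluster-scoped RBAC when `cr.create` is `true`, so a reader editing the example knows the two settings are coupled.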
@@ -2,4 +2,19 @@ Welcome to Kiali! For more details on Kiali, see: https://kiali.io
 The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+{{- if not .Values.deployment.cluster_wide_access }}
+===============
+!!! WARNING !!!
+===============
+This Kiali Server Helm Chart does NOT support "deployment.cluster_wide_access" set to "false"!
+
+This feature, as well as others, is only available when using the Kiali Operator to install the Kiali Server. It is for this reason this Kiali Server Helm Chart, while provided for convenience, is not the recommended installation mechanism for installing the Kiali Server.
+{{- end }}
+
+When installing with "deployment.cluster_wide_access=false" using this Kiali Server Helm Chart, it is your responsibility to manually create the proper Roles and RoleBindings for the Kiali Server to have the correct permissions to access the service mesh namespaces.
+
 (Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
diff --git a/kiali-server/templates/_helpers.tpl b/kiali-server/templates/_helpers.tpl
index 8382678..1ef7281 100644
--- a/kiali-server/templates/_helpers.tpl
+++ b/kiali-server/templates/_helpers.tpl
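Review bot: The paragraph beginning `When installing with "deployment.cluster_wide_access=false"` sits after the `{{- end }}` that closes the `not .Values.deployment.cluster_wide_access` block, so it is printed on every install, including the default `true` case where no manual Roles and RoleBindings are needed, and an install with `false` receives two messages that contradict each other (the first says the setting is not supported, the second explains how to make it work). Move that paragraph inside the `{{- if not ... }}` block and align the wording, for example `This chart creates no namespace-scoped Roles or RoleBindings for this mode; you must create them yourself for every mesh namespace.` Because no RBAC template of the server chart is touched by this commit, I cannot tell from here whether `false` narrows the service account's permissions or only what the server tries to watch; the notes should say which, since the difference matters for anyone relying on it as a boundary.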
@@ -3,16 +3,10 @@
 {{/*
 Create a default fully qualified instance name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride.
-For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali,
-use fullnameOverride, otherwise use deployment.instance_name.
+To simulate the way the operator works, use deployment.instance_name.
 */}}
 {{- define "kiali-server.fullname" -}}
-{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }}
- {{- .Values.fullnameOverride | trunc 63 }}
-{{- else }}
- {{- .Values.deployment.instance_name | trunc 63 }}
-{{- end }}
+{{- .Values.deployment.instance_name | trunc 63 }}
 {{- end }}
 {{/*
diff --git a/kiali-server/templates/configmap.yaml b/kiali-server/templates/configmap.yaml
index f7b6829..f97d6da 100644
--- a/kiali-server/templates/configmap.yaml
+++ b/kiali-server/templates/configmap.yaml
@@ -13,7 +13,7 @@ metadata:
 data:
 config.yaml: |
 {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
-{{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
+{{- $cm := omit .Values "kiali_route_url" }}
 {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
 {{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
 {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
index a3d0bdd..ac308e0 100644
--- a/kiali-server/values.yaml
+++ b/kiali-server/values.yaml
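Review bot: Dropping the `fullnameOverride` fallback from `kiali-server.fullname` silently changes behaviour for any user whose values file still sets it: the name now always comes from `deployment.instance_name`, so an upgrade renames the release's resources with no error, and because the configmap.yaml hunk also stops omitting `nameOverride` and `fullnameOverride` from `$cm`, those stale keys appear to be copied into the server's `config.yaml` instead of being dropped. A guard at the top of the define makes the removal explicit and fails the render early: `{{- if hasKey .Values "fullnameOverride" }}{{- fail "fullnameOverride is no longer supported; set deployment.instance_name instead" }}{{- end }}`. The same guard, or an `omit` that still names the two keys, would keep unknown keys out of the ConfigMap until the old values files are cleaned up.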
@@ -1,10 +1,3 @@
-# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
-# This is only supported for backward compatibility and will be removed in a future version.
-# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
-# then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
-# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
-fullnameOverride: "kiali"
-
 # This is required for "openshift" auth strategy.
 # You have to know ahead of time what your Route URL will be because
 # right now the helm chart can't figure this out at runtime (it would
@@ -37,15 +30,14 @@ clustering:
 clusters: []
 deployment:
- # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
- # For more control over what the Kial Service Account can see, use the Kiali Operator
- accessible_namespaces:
- - "**"
 additional_service_yaml: {}
 affinity:
 node: {}
 pod: {}
 pod_anti: {}
+ # The Kiali server helm chart only supports cluster-wide access; setting cluster_wide_access to false is not supported.
+ # For more control over what the Kial Service Account can see, use the Kiali Operator.
+ cluster_wide_access: true
 configmap_annotations: {}
 custom_secrets: []
 dns:
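Review bot: The added comment carries the typo `Kial` (`For more control over what the Kial Service Account can see`) and drops the removed comment's statement that the setting only limits what Kiali attempts to see while the service account keeps permission to see everything, which is the security-relevant fact for this chart; since no RBAC template of the server chart is in the diffstat, that statement presumably still holds. Suggested wording for the two comment lines: `# The Kiali server helm chart only supports cluster-wide access; setting cluster_wide_access to false is not supported.` and `# This only limits what Kiali attempts to see; the chart's RBAC still grants the Kiali Service Account cluster-wide access. For finer-grained RBAC, install with the Kiali Operator.` The `cluster_wide_access: true` value itself is a real boolean, which is correct for a key the templates test with `not`.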