support remote_cluster_resources_only=true and support redirect_uris …

…for openshift oauthclient (#295) * support remote_cluster_resources_only=true and support redirect_uris for openshift oauth client refactor the way we determine if it is an OpenShift cluster (for easier testing and maintainence) * use "isOpenShift" value rather than "simulateOpenShift"
kiali · Nov 7, 2024 · 98802c2 · 98802c2
1 parent e73c85b
commit 98802c2
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 17 deletions.
diff --git a/kiali-server/templates/_helpers.tpl b/kiali-server/templates/_helpers.tpl
@@ -16,6 +16,13 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Determine if on OpenShift (when debugging the chart for OpenShift use-cases, set "simulateOpenShift")
+*/}}
+{{- define "kiali-server.isOpenShift" -}}
+{{- .Values.isOpenShift | default (.Capabilities.APIVersions.Has "operator.openshift.io/v1") -}}
+{{- end }}
+
 {{/*
 Identifies the log_level.
 */}}
@@ -65,7 +72,7 @@ Determine the default web root.
     {{- .Values.server.web_root | trimSuffix "/" }}
   {{- end }}
 {{- else }}
-  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+  {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
     {{- "/" }}
   {{- else }}
     {{- "/kiali" }}
@@ -80,7 +87,7 @@ Determine the default identity cert file. There is no default if on k8s; only on
 {{- if hasKey .Values.identity "cert_file" }}
   {{- .Values.identity.cert_file }}
 {{- else }}
-  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+  {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
     {{- "/kiali-cert/tls.crt" }}
   {{- else }}
     {{- "" }}
@@ -95,7 +102,7 @@ Determine the default identity private key file. There is no default if on k8s;
 {{- if hasKey .Values.identity "private_key_file" }}
   {{- .Values.identity.private_key_file }}
 {{- else }}
-  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+  {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
     {{- "/kiali-cert/tls.key" }}
   {{- else }}
     {{- "" }}
@@ -110,7 +117,7 @@ Determine the default deployment.ingress.enabled. Disable it on k8s; enable it o
 {{- if hasKey .Values.deployment.ingress "enabled" }}
   {{- .Values.deployment.ingress.enabled }}
 {{- else }}
-  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+  {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
     {{- true }}
   {{- else }}
     {{- false }}
@@ -134,14 +141,14 @@ Determine the auth strategy to use - default is "token" on Kubernetes and "opens
 */}}
 {{- define "kiali-server.auth.strategy" -}}
 {{- if .Values.auth.strategy }}
-  {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }}
-    {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }}
+  {{- if (and ((and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url))) (not .Values.auth.openshift.redirect_uris)) }}
+    {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." }}
   {{- end }}
   {{- .Values.auth.strategy }}
 {{- else }}
-  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
-    {{- if not .Values.kiali_route_url }}
-      {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }}
+  {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
+    {{- if (and (not .Values.kiali_route_url) (not .Values.auth.openshift.redirect_uris)) }}
+      {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." }}
     {{- end }}
     {{- "openshift" }}
   {{- else }}

diff --git a/kiali-server/templates/cabundle.yaml b/kiali-server/templates/cabundle.yaml
@@ -1,4 +1,5 @@
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -11,3 +12,4 @@ metadata:
     service.beta.openshift.io/inject-cabundle: "true"
 ...
 {{- end }}
+{{- end }}
diff --git a/kiali-server/templates/deployment.yaml b/kiali-server/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -162,7 +163,7 @@ spec:
           name: {{ include "kiali-server.fullname" . }}
       - name: {{ include "kiali-server.fullname" . }}-cert
         secret:
-          {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+          {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
           secretName: {{ include "kiali-server.fullname" . }}-cert-secret
           {{- else }}
           secretName: istio.{{ include "kiali-server.fullname" . }}-service-account
@@ -177,7 +178,7 @@ spec:
       - name: {{ include "kiali-server.fullname" . }}-cabundle
         configMap:
           name: {{ include "kiali-server.fullname" . }}-cabundle
-      {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
+      {{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }}
           optional: true
       {{- end }}
       {{- range .Values.deployment.custom_secrets }}
@@ -226,3 +227,4 @@ spec:
       {{- toYaml .Values.deployment.node_selector | nindent 8 }}
       {{- end }}
 ...
+{{- end }}
diff --git a/kiali-server/templates/hpa.yaml b/kiali-server/templates/hpa.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
 {{- if .Values.deployment.hpa.spec }}
 ---
 apiVersion: {{ .Values.deployment.hpa.api_version }}
@@ -15,3 +16,4 @@ spec:
   {{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
 ...
 {{- end }}
+{{- end }}
diff --git a/kiali-server/templates/ingress.yaml b/kiali-server/templates/ingress.yaml
@@ -1,4 +1,5 @@
-{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }}
 {{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
 ---
 {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
@@ -60,3 +61,4 @@ spec:
 ...
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/kiali-server/templates/oauth.yaml b/kiali-server/templates/oauth.yaml
@@ -1,5 +1,5 @@
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
-{{- if .Values.kiali_route_url }}
+{{- if eq "true" (include "kiali-server.isOpenShift" .) }}
+{{- if (or (.Values.kiali_route_url) (.Values.auth.openshift.redirect_uris)) }}
 ---
 apiVersion: oauth.openshift.io/v1
 kind: OAuthClient
@@ -9,10 +9,16 @@ metadata:
   labels:
     {{- include "kiali-server.labels" . | nindent 4 }}
 redirectURIs:
+{{- if .Values.auth.openshift.redirect_uris }}
+{{- range .Values.auth.openshift.redirect_uris }}
+- {{ . }}
+{{- end }}
+{{- else }}
 - {{ .Values.kiali_route_url }}/api/auth/callback
 {{- if .Values.server.web_port }}
 - {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }}/api/auth/callback
 {{- end }}
+{{- end }}
 grantMethod: auto
 {{- if .Values.auth.openshift.token_inactivity_timeout }}
 accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }}

diff --git a/kiali-server/templates/route.yaml b/kiali-server/templates/route.yaml
@@ -1,4 +1,5 @@
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 {{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
 # As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
 ---
@@ -32,3 +33,4 @@ spec:
 ...
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/kiali-server/templates/service.yaml b/kiali-server/templates/service.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
 ---
 apiVersion: v1
 kind: Service
@@ -7,7 +8,7 @@ metadata:
   labels:
     {{- include "kiali-server.labels" . | nindent 4 }}
   annotations:
-    {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+    {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
     service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
     {{- end }}
     {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
@@ -49,3 +50,4 @@ spec:
   {{- toYaml .Values.deployment.additional_service_yaml | nindent 2  }}
   {{- end }}
 ...
+{{- end }}
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
@@ -69,6 +69,7 @@ deployment:
   pod_annotations: {}
   pod_labels: {}
   priority_class_name: ""
+  remote_cluster_resources_only: false
   # if deployment.hpa is defined, this replicas setting will be ignored
   replicas: 1
   resources: