support remote_cluster_resources_only=true and support redirect_uris for openshift oauthclient

[jmazzitelli]

this refactor the way we determine if it is an OpenShift cluster (for easier testing and maintenance)

part of kiali/kiali#7861

To test quickly run this 4-part command:

echo -e "\nK8s full install:\n" && helm template -n istio-system --set deployment.ingress.enabled=true --set isOpenShift=false kiali-server _output/charts/kiali-server-*.tgz | grep "^kind:" && echo -e "\nOpenShift full install\n" && helm template -n istio-system --set deployment.ingress.enabled=true --set auth.openshift.redirect_uris[0]=foo --set isOpenShift=true kiali-server _output/charts/kiali-server-*.tgz | grep "^kind:" && echo -e "\nK8s remote only install:\n" && helm template -n istio-system --set deployment.ingress.enabled=true --set deployment.remote_cluster_resources_only=true --set isOpenShift=false kiali-server _output/charts/kiali-server-*.tgz | grep "^kind:" && echo -e "\nOpenShift remote only install\n" && helm template -n istio-system --set deployment.remote_cluster_resources_only=true --set deployment.ingress.enabled=true --set auth.openshift.redirect_uris[0]=foo --set isOpenShift=true kiali-server _output/charts/kiali-server-*.tgz | grep "^kind:"

and see that only some resources are created when remote_cluster_resources_only is true:

K8s full install:

kind: ServiceAccount
kind: ConfigMap
kind: ClusterRole
kind: ClusterRoleBinding
kind: Service
kind: Deployment
kind: Ingress

OpenShift full install

kind: ServiceAccount
kind: ConfigMap
kind: ConfigMap
kind: ClusterRole
kind: ClusterRoleBinding
kind: Service
kind: Deployment
kind: OAuthClient
kind: Route

K8s remote only install:

kind: ServiceAccount
kind: ConfigMap
kind: ClusterRole
kind: ClusterRoleBinding

OpenShift remote only install

kind: ServiceAccount
kind: ConfigMap
kind: ClusterRole
kind: ClusterRoleBinding
kind: OAuthClient

Notice things like the ingress/route, service, and deployment are not installed when we just want the remote cluster resources created.

[jmazzitelli]

another test is to see the OAuthClient is not created in any case when auth.strategy is not openshift:

full install:

$ helm template -n istio-system --set auth.strategy=anonymous --set isOpenShift=true kiali-server _output/charts/kiali-server-*.tgz | grep "^kind:"
kind: ServiceAccount
kind: ConfigMap
kind: ConfigMap
kind: ClusterRole
kind: ClusterRoleBinding
kind: Service
kind: Deployment
kind: Route

remote cluster resources only:

$ helm template -n istio-system --set auth.strategy=anonymous --set deployment.remote_cluster_resources_only=true --set isOpenShift=true kiali-server _output/charts/kiali-server-*.tgz | grep "^kind:"
kind: ServiceAccount
kind: ConfigMap
kind: ClusterRole
kind: ClusterRoleBinding

[nrfox]

Instead of having another simulateOpenShift variable, we could just make isOpenShift (or maybe something like platform: openshift?) a variable and we only do the .Capabilities.APIVersions.Has "operator.openshift.io/v1" check if it's not defined?

[jmazzitelli]

See latest commit.

There really isn't any other option for "platform" .. it's either OpenShift or it's not. So I just made it look for "isOpenShift" and only do the .Capabilities check if its not defined.

I updated the test procedures in earlier comments to now use --set isOpenShift=true"and --set isOpenShift=false... you can omit the --set isOpenShift=false since this will work without having to tell "helm template" that (because the .Capabilities will always return false anyway with "helm template").