be able to specify kiali_route_url in auth.openshift section so OAuth…
…Client can be created in remote cluster
jmazzitelli committed Oct 31, 2024
1 parent 750e409 commit 09b6e73
Showing 5 changed files with 29 additions and 4 deletions.
1 change: 1 addition & 0 deletions crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
Expand Up @@ -38,6 +38,7 @@ spec:
scopes: ["openid", "profile", "email"]
username_claim: "sub"
openshift:
#kiali_route_url:
#token_inactivity_timeout:
#token_max_age:

3 changes: 3 additions & 0 deletions crd-docs/crd/kiali.io_kialis.yaml
Expand Up @@ -148,6 +148,9 @@ spec:
description: "To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/"
type: object
properties:
kiali_route_url:
description: "The URL for the Kiali Route that will be used for the OAuth redirect URI. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `openshift` auth strategy enabled."
type: string
token_inactivity_timeout:
description: "Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting."
type: integer
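Review bot: The new `kiali_route_url` description says when the value is needed but not what form it must take, and the schema leaves it an unconstrained `type: string`. Because this value becomes the OAuth redirect URI, a stray path or trailing slash changes which redirect the OAuth server will accept, so the description should state the expected shape, e.g. append `The value must be the root URL of the Kiali Route in the form scheme://host[:port], with no path or trailing slash.` If the schema tooling permits it, `format: uri` would additionally reject obviously malformed values at admission time. The same description presumably originates in whatever source the `crd-docs` files are generated from; if so, the wording should be fixed there rather than only here.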
1 change: 1 addition & 0 deletions roles/default/kiali-deploy/defaults/main.yml
Expand Up @@ -35,6 +35,7 @@ kiali_defaults:
scopes: ["openid", "profile", "email"]
username_claim: "sub"
openshift:
#kiali_route_url:
#token_inactivity_timeout:
#token_max_age:
strategy: ""
@@ -1,8 +1,25 @@
# All of this is ultimately to obtain the kiali_route_url

# Give some time for the route to come up
- name: Check if kiali_route_url is explicitly configured
set_fact:
kiali_route_url: "{{ kiali_vars.auth.openshift.kiali_route_url }}"
when:
- kiali_vars.auth.openshift.kiali_route_url is defined
- kiali_vars.auth.openshift.kiali_route_url != ""

- name: Fail if creating remote cluster resources with auth strategy of openshift, but the Kiali Route URL is not defined
fail:
msg: "The root URL of the Kiali Server route is not specified via auth.openshift.kiali_route_url; this is required when creating remote cluster resources with auth.strategy of openshift."
when:
- kiali_route_url is not defined
- kiali_vars.deployment.remote_cluster_resources_only|bool == True
- kiali_vars.auth.strategy == 'openshift'

# We need to auto-discover the Kiali Route URL because the OAuthClient and ConsoleLink resources need it.
# Note that we perform this auto-discovery only if we expect a Kiali Route to exist on the local cluster,
# (that is to say, we only perform this auto-discovery if remote_cluster_resources_only is False).

- name: Detect Kiali route on OpenShift
- name: Get the Kiali Route on OpenShift, which may require waiting some time for it to startup
k8s_info:
api_version: route.openshift.io/v1
kind: Route
Expand All @@ -20,29 +37,34 @@
delay: 10
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False

- name: Set Kiali TLS Termination from OpenShift route
set_fact:
kiali_route_tls_termination: "{{ kiali_route_raw['resources'][0]['spec']['tls']['termination'] }}"
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False

- name: Detect HTTP Kiali OpenShift route protocol
set_fact:
kiali_route_protocol: "http"
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False
- kiali_route_tls_termination == ""

- name: Detect HTTPS Kiali OpenShift route protocol
set_fact:
kiali_route_protocol: "https"
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False
- kiali_route_tls_termination != ""

- name: Create URL for Kiali OpenShift route
set_fact:
kiali_route_url: "{{ kiali_route_protocol }}://{{ kiali_route_raw['resources'][0]['status']['ingress'][0]['host'] }}"
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False
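Review bot: An explicitly configured `auth.openshift.kiali_route_url` is only honored when `remote_cluster_resources_only` is true: the `Create URL for Kiali OpenShift route` task at the end of this hunk still runs on every local OpenShift cluster and its `set_fact` silently overwrites the value stored by `Check if kiali_route_url is explicitly configured` in the first hunk. If the explicit value is meant to win everywhere, add `- kiali_route_url is not defined` to the `when` list of that task (and of the detection tasks that feed it); if the overwrite is intended, a comment stating that the setting is ignored on the local cluster would avoid surprises, since the CRD text only says it is "normally" not needed. Separately, the explicit value is used verbatim while the auto-discovered form is `scheme://host` with no path or trailing slash, so a trailing `/` in the CR flows straight into the OAuth redirect URI; normalizing in the first hunk with `kiali_route_url: "{{ kiali_vars.auth.openshift.kiali_route_url | trim | regex_replace('/+$', '') }}"` and guarding the `!= ""` test with `default('', true)` for a present-but-null key keeps both paths producing the same shape. The `k8s_info` task that this hunk's `delay: 10` belongs to starts outside the hunk.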
2 changes: 0 additions & 2 deletions roles/default/kiali-deploy/tasks/openshift/os-main.yml
Expand Up @@ -83,14 +83,12 @@
include_tasks: openshift/os-get-kiali-route-url.yml
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False

- name: Process OpenShift OAuth client
k8s:
definition: "{{ lookup('template', 'templates/openshift/oauth.yaml') }}"
when:
- is_openshift == True
- kiali_vars.deployment.remote_cluster_resources_only|bool == False
- kiali_vars.auth.strategy == "openshift"

- name: Delete all ConsoleLinks for namespaces that are no longer accessible
