From 09b6e73cf21e7cbba414db6271e1e6b0779e9d4c Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Thu, 31 Oct 2024 15:42:33 -0400
Subject: [PATCH] be able to specify kiali_route_url in auth.openshift section so OAuthClient can be created in remote cluster

---
 crd-docs/cr/kiali.io_v1alpha1_kiali.yaml | 1 +
 crd-docs/crd/kiali.io_kialis.yaml | 3 +++
 roles/default/kiali-deploy/defaults/main.yml | 1 +
 .../openshift/os-get-kiali-route-url.yml | 26 +++++++++++++++++--
 .../kiali-deploy/tasks/openshift/os-main.yml | 2 --
 5 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
index 6866a6b1..be8a06f2 100644
--- a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
+++ b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
@@ -38,6 +38,7 @@ spec:
 scopes: ["openid", "profile", "email"]
 username_claim: "sub"
 openshift:
+ #kiali_route_url:
 #token_inactivity_timeout:
 #token_max_age:
diff --git a/crd-docs/crd/kiali.io_kialis.yaml b/crd-docs/crd/kiali.io_kialis.yaml
index 155fdaea..485b8576 100644
--- a/crd-docs/crd/kiali.io_kialis.yaml
+++ b/crd-docs/crd/kiali.io_kialis.yaml
@@ -148,6 +148,9 @@ spec:
 description: "To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/"
 type: object
 properties:
+ kiali_route_url:
+ description: "The URL for the Kiali Route that will be used for the OAuth redirect URI. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `openshift` auth strategy enabled."
+ type: string
 token_inactivity_timeout:
 description: "Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting."
 type: integer
diff --git a/roles/default/kiali-deploy/defaults/main.yml b/roles/default/kiali-deploy/defaults/main.yml
index eec1705d..f0a66677 100644
--- a/roles/default/kiali-deploy/defaults/main.yml
+++ b/roles/default/kiali-deploy/defaults/main.yml
@@ -35,6 +35,7 @@ kiali_defaults:
 scopes: ["openid", "profile", "email"]
 username_claim: "sub"
 openshift:
+ #kiali_route_url:
 #token_inactivity_timeout:
 #token_max_age:
 strategy: ""
diff --git a/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml b/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml
index 4610f0d3..fa838f79 100644
--- a/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml
+++ b/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml
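Review bot: The new `kiali_route_url` property in the CRD hunk is constrained only by `type: string`, although its own description says the value becomes the OAuth redirect URI, so a value with no scheme or with a trailing path is accepted at admission time and only surfaces later as a failed OAuth login. Consider adding `pattern: "^https?://"` under the property and extending the description to state the expected shape — scheme and host only, the same `protocol://host` form that the auto-discovery in os-get-kiali-route-url.yml builds. Rejecting a malformed redirect URI in the schema is cheaper than diagnosing it on the OAuthClient afterwards.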
@@ -1,8 +1,25 @@
 # All of this is ultimately to obtain the kiali_route_url
-# Give some time for the route to come up
+- name: Check if kiali_route_url is explicitly configured
+ set_fact:
+ kiali_route_url: "{{ kiali_vars.auth.openshift.kiali_route_url }}"
+ when:
+ - kiali_vars.auth.openshift.kiali_route_url is defined
+ - kiali_vars.auth.openshift.kiali_route_url != ""
+
+- name: Fail if creating remote cluster resources with auth strategy of openshift, but the Kiali Route URL is not defined
+ fail:
+ msg: "The root URL of the Kiali Server route is not specified via auth.openshift.kiali_route_url; this is required when creating remote cluster resources with auth.strategy of openshift."
+ when:
+ - kiali_route_url is not defined
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == True
+ - kiali_vars.auth.strategy == 'openshift'
+
+# We need to auto-discover the Kiali Route URL because the OAuthClient and ConsoleLink resources need it.
+# Note that we perform this auto-discovery only if we expect a Kiali Route to exist on the local cluster,
+# (that is to say, we only perform this auto-discovery if remote_cluster_resources_only is False).
-- name: Detect Kiali route on OpenShift
+- name: Get the Kiali Route on OpenShift, which may require waiting some time for it to startup
 k8s_info:
 api_version: route.openshift.io/v1
 kind: Route
@@ -20,18 +37,21 @@
 delay: 10
 when:
 - is_openshift == True
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Set Kiali TLS Termination from OpenShift route
 set_fact:
 kiali_route_tls_termination: "{{ kiali_route_raw['resources'][0]['spec']['tls']['termination'] }}"
 when:
 - is_openshift == True
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Detect HTTP Kiali OpenShift route protocol
 set_fact:
 kiali_route_protocol: "http"
 when:
 - is_openshift == True
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - kiali_route_tls_termination == ""
 
 - name: Detect HTTPS Kiali OpenShift route protocol
@@ -39,6 +59,7 @@
 kiali_route_protocol: "https"
 when:
 - is_openshift == True
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - kiali_route_tls_termination != ""
 
 - name: Create URL for Kiali OpenShift route
@@ -46,3 +67,4 @@
 kiali_route_url: "{{ kiali_route_protocol }}://{{ kiali_route_raw['resources'][0]['status']['ingress'][0]['host'] }}"
 when:
 - is_openshift == True
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
diff --git a/roles/default/kiali-deploy/tasks/openshift/os-main.yml b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
index cddce08b..4c5c0fd8 100644
--- a/roles/default/kiali-deploy/tasks/openshift/os-main.yml
+++ b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
@@ -83,14 +83,12 @@
 include_tasks: openshift/os-get-kiali-route-url.yml
 when:
 - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Process OpenShift OAuth client
 k8s:
 definition: "{{ lookup('template', 'templates/openshift/oauth.yaml') }}"
 when:
 - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - kiali_vars.auth.strategy == "openshift"
 
 - name: Delete all ConsoleLinks for namespaces that are no longer accessible
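Review bot: The guard added to the route-discovery tasks in hunk `@@ -20,18 +37,21 @@` (and likewise in `@@ -39,6 +59,7 @@` and `@@ -46,3 +67,4 @@`) checks only `remote_cluster_resources_only`, so on a local cluster an explicitly configured `auth.openshift.kiali_route_url` — copied into `kiali_route_url` by the first task of this file — is later overwritten by the `Create URL for Kiali OpenShift route` task, and the explicit setting is silently ignored. If the explicit value is meant to be honored on local clusters too, as the CRD's "you normally do not have to set this" wording suggests, add `- kiali_route_url is not defined` next to the new condition in each of the five gated tasks so discovery runs only when nothing was configured; if auto-discovery is intended to always win locally, say so in the CRD description instead. The `k8s_info` task that the first of these conditions belongs to starts in the earlier hunk, outside this one.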
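Review bot: With the `remote_cluster_resources_only` condition removed from `Process OpenShift OAuth client` in hunk `@@ -83,14 +83,12 @@`, `templates/openshift/oauth.yaml` is now rendered on remote clusters, where `kiali_route_raw`, `kiali_route_tls_termination` and `kiali_route_protocol` are never set, because every task that defines them in os-get-kiali-route-url.yml is now gated on `remote_cluster_resources_only|bool == False`. If that template references any of those facts rather than only `kiali_route_url`, the lookup fails with an undefined-variable error on a remote cluster; the template is not part of this patch, so this is worth confirming before merging. A short comment on the task, such as `# On remote clusters only kiali_route_url (from auth.openshift.kiali_route_url) is available to this template`, would record the contract for the next change to the template.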