change to redirect_uris

crd-docs/cr/kiali.io_v1alpha1_kiali.yaml

@@ -38,7 +38,7 @@ spec:
       scopes: ["openid", "profile", "email"]
       username_claim: "sub"
     openshift:
-      #kiali_route_url:
+      #redirect_uris:
       #token_inactivity_timeout:
       #token_max_age:
 

crd-docs/crd/kiali.io_kialis.yaml

@@ -148,9 +148,11 @@ spec:
                     description: "To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/"
                     type: object
                     properties:
-                      kiali_route_url:
-                        description: "The URL for the Kiali Route that will be used for the OAuth redirect URI. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `openshift` auth strategy enabled."
-                        type: string
+                      redirect_uris:
+                        description: "The OAuthClient redirect URIs. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `auth.strategy` set to `openshift`."
+                        type: array
+                        items:
+                          type: string
                       token_inactivity_timeout:
                         description: "Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting."
                         type: integer

molecule/remote-cluster-resources-test/converge.yml

@@ -253,7 +253,7 @@
   - debug: msg="Change auth strategy to openshift to confirm OAuthClient is created"
   - include_tasks: ../common/set_kiali_cr.yml
     vars:
-      new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'openshift', 'openshift': {'kiali_route_url': 'http://test-kiali-route' }}}}, recursive=True) }}"
+      new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'openshift', 'openshift': {'redirect_uris': ['http://one-redirect-uri', 'http://two-redirect-uri'] }}}}, recursive=True) }}"
   - include_tasks: ../common/wait_for_kiali_cr_changes.yml
   - include_tasks: ../common/tasks.yml
 
@@ -272,10 +272,19 @@
       - query('k8s', kind='ConsoleLink',                              api_version=apiCoLn, label_selector=querySelector, errors='warn') | length == 0
       - query('k8s', kind='OAuthClient',                              api_version=apiOAut, label_selector=querySelector, errors='warn') | length == 1
 
+  - name: Make sure the OAuthClient has the correct redirectURIs defined
+    vars:
+      oauthclient: "{{ query('k8s', kind='OAuthClient', api_version=apiOAut, label_selector=querySelector)[0] }}"
+    assert:
+      that:
+      - oauthclient.redirectURIs | length == 2
+      - oauthclient.redirectURIs[0] == 'http://one-redirect-uri'
+      - oauthclient.redirectURIs[1] == 'http://two-redirect-uri'
+
   - debug: msg="Change auth strategy back to anonymous to see OAuthClient resource gets removed"
   - include_tasks: ../common/set_kiali_cr.yml
     vars:
-      new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'anonymous', 'openshift': {'kiali_route_url': '' }}}}, recursive=True) }}"
+      new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'anonymous', 'openshift': {'redirect_uris': [] }}}}, recursive=True) }}"
   - include_tasks: ../common/wait_for_kiali_cr_changes.yml
   - include_tasks: ../common/tasks.yml
 

roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml

@@ -1,23 +1,8 @@
 # All of this is ultimately to obtain the kiali_route_url
 
-- name: Check if kiali_route_url is explicitly configured
-  set_fact:
-    kiali_route_url: "{{ kiali_vars.auth.openshift.kiali_route_url }}"
-  when:
-  - kiali_vars.auth.openshift.kiali_route_url is defined
-  - kiali_vars.auth.openshift.kiali_route_url != ""
-
-- name: Fail if creating remote cluster resources with auth strategy of openshift, but the Kiali Route URL is not defined
-  fail:
-    msg: "The root URL of the Kiali Server route is not specified via auth.openshift.kiali_route_url; this is required when creating remote cluster resources with auth.strategy of openshift."
-  when:
-  - kiali_route_url is not defined
-  - kiali_vars.deployment.remote_cluster_resources_only|bool == True
-  - kiali_vars.auth.strategy == 'openshift'
-
-# We need to auto-discover the Kiali Route URL because the OAuthClient and ConsoleLink resources need it.
-# Note that we perform this auto-discovery only if we expect a Kiali Route to exist on the local cluster,
-# (that is to say, we only perform this auto-discovery if remote_cluster_resources_only is False).
+# We need to auto-discover the Kiali Route URL because the OAuthClient (for redirect URIs) and ConsoleLink resources need it.
+# Note that the user can override redirect URIs in auth.openshift.redirect_uris so this route URL will
+# be ignored in the OAuthClient template in that case.
 
 - name: Get the Kiali Route on OpenShift, which may require waiting some time for it to startup
   k8s_info:
@@ -37,34 +22,29 @@
   delay: 10
   when:
   - is_openshift == True
-  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Set Kiali TLS Termination from OpenShift route
   set_fact:
     kiali_route_tls_termination: "{{ kiali_route_raw['resources'][0]['spec']['tls']['termination'] }}"
   when:
   - is_openshift == True
-  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Detect HTTP Kiali OpenShift route protocol
   set_fact:
     kiali_route_protocol: "http"
   when:
   - is_openshift == True
-  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
   - kiali_route_tls_termination == ""
 
 - name: Detect HTTPS Kiali OpenShift route protocol
   set_fact:
     kiali_route_protocol: "https"
   when:
   - is_openshift == True
-  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
   - kiali_route_tls_termination != ""
 
 - name: Create URL for Kiali OpenShift route
   set_fact:
     kiali_route_url: "{{ kiali_route_protocol }}://{{ kiali_route_raw['resources'][0]['status']['ingress'][0]['host'] }}"
   when:
-  - is_openshift == True
-  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
+  - is_openshift == True

roles/default/kiali-deploy/tasks/openshift/os-main.yml

@@ -90,10 +90,30 @@
   - is_openshift == True
   - kiali_vars.auth.strategy != "openshift"
 
+# For now, when creating remote cluster resources only, we are going to assume there is no way for us to determine what the redirect URIs are
+# going to be other than having the user explicitly configure them. So fail immediately if the user did not tell us what redirect URI[s] to use.
+# Note that this only comes into play when auth.strategy is "openshift".
+- name: Fail if creating remote cluster resources with auth strategy of openshift, but the Kiali redirect URIs are not defined
+  fail:
+    msg: "Redirect URIs for the Kiali Server OAuthClient are not specified via auth.openshift.redirect_uris; this is required when creating remote cluster resources with auth.strategy of openshift."
+  when:
+  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
+  - kiali_vars.auth.strategy == 'openshift'
+  - kiali_vars.auth.openshift.redirect_uris | default([]) | length == 0
+
+# We only need to auto-discover the Kiali route if (a) we know it will exist and (b) we know we need it.
+# We know it will exist if we are creating the Kiali Server itself (i.e. remote_cluster_resources_only == False).
+# We know we need it for ConsoleLinks (and those are only created when we are creating the Kiali Server itself).
+# We know we need it for OAuthClient, too. That is also created when we are creating the Kiali Server itself. But it is also
+# created when creating only remote cluster resources - however, in that case, we are going to require the user to tell us
+# what redirect URIs to use (see the above fail task to ensure the user does that).
+# All of this is to say: we only need to auto-discover the route when we are creating the Kiali Server itself (we do not
+# auto-discover the route when we are creating only the remote cluster resources).
 - name: Get the Kiali Route URL
   include_tasks: openshift/os-get-kiali-route-url.yml
   when:
   - is_openshift == True
+  - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Process OpenShift OAuth client
   k8s:

roles/default/kiali-deploy/templates/openshift/oauth.yaml

@@ -4,9 +4,15 @@ metadata:
   name: {{ kiali_vars.deployment.instance_name }}-{{ kiali_vars.deployment.namespace }}
   labels: {{ kiali_resource_metadata_labels }}
 redirectURIs:
-  - {{ kiali_route_url }}/api/auth/callback
+{% if kiali_vars.auth.openshift.redirect_uris | default([]) | length > 0 %}
+{% for uri in kiali_vars.auth.openshift.redirect_uris %}
+- "{{ uri }}"
+{% endfor %}
+{% else %}
+- {{ kiali_route_url }}/api/auth/callback
 {% if kiali_vars.server.web_port | length > 0 %}
-  - {{ kiali_route_url }}:{{ kiali_vars.server.web_port }}/api/auth/callback
+- {{ kiali_route_url }}:{{ kiali_vars.server.web_port }}/api/auth/callback
+{% endif %}
 {% endif %}
 grantMethod: auto
 {% if kiali_vars.auth.openshift.token_inactivity_timeout is defined %}