diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml index e10caaea..26e0c750 100644 --- a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml +++ b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml @@ -315,9 +315,9 @@ spec: - name: WATCHES_FILE value: "watches-os.yaml" - name: RELATED_IMAGE_kiali_default - value: "${KIALI_1_89}" - - name: RELATED_IMAGE_kiali_v1_89 - value: "${KIALI_1_89}" + value: "${KIALI_2_1}" + - name: RELATED_IMAGE_kiali_v2_1 + value: "${KIALI_2_1}" - name: RELATED_IMAGE_kiali_v1_73 value: "${KIALI_1_73}" - name: RELATED_IMAGE_kiali_v1_65 @@ -325,9 +325,9 @@ spec: - name: RELATED_IMAGE_kiali_v1_57 value: "${KIALI_1_57}" - name: RELATED_IMAGE_ossmconsole_default - value: "${OSSMCONSOLE_1_89}" - - name: RELATED_IMAGE_ossmconsole_v1_89 - value: "${OSSMCONSOLE_1_89}" + value: "${OSSMCONSOLE_2_1}" + - name: RELATED_IMAGE_ossmconsole_v2_1 + value: "${OSSMCONSOLE_2_1}" - name: RELATED_IMAGE_ossmconsole_v1_73 value: "${OSSMCONSOLE_1_73}" ports: diff --git a/playbooks/kiali-default-supported-images.yml b/playbooks/kiali-default-supported-images.yml index bedbf2fd..0d593ea7 100644 --- a/playbooks/kiali-default-supported-images.yml +++ b/playbooks/kiali-default-supported-images.yml @@ -2,4 +2,4 @@ default: {"image_name": "quay.io/kiali/kiali", "image_version": "operator_versio v1.57: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.57"} v1.65: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.65"} v1.73: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.73"} -v1.89: {"image_name": "quay.io/kiali/kiali", "image_version": "v1.89"} +v2.1: {"image_name": "quay.io/kiali/kiali", "image_version": "v2.1"} diff --git a/playbooks/ossmconsole-default-supported-images.yml b/playbooks/ossmconsole-default-supported-images.yml index 7e829404..46da7014 100644 --- a/playbooks/ossmconsole-default-supported-images.yml 
+++ b/playbooks/ossmconsole-default-supported-images.yml @@ -1,3 +1,3 @@ default: {"imageName": "quay.io/kiali/ossmconsole", "imageVersion": "operator_version"} -v1.89: {"imageName": "quay.io/kiali/ossmconsole", "imageVersion": "v1.89"} +v2.1: {"imageName": "quay.io/kiali/ossmconsole", "imageVersion": "v2.1"} v1.73: {"imageName": "quay.io/kiali/ossmconsole", "imageVersion": "v1.73"} diff --git a/roles/v1.89/kiali-deploy/filter_plugins/only_accessible_namespaces.py b/roles/v1.89/kiali-deploy/filter_plugins/only_accessible_namespaces.py deleted file mode 100644 index bd171810..00000000 --- a/roles/v1.89/kiali-deploy/filter_plugins/only_accessible_namespaces.py +++ /dev/null @@ -1,34 +0,0 @@ -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - -ANSIBLE_METADATA = { - 'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'community' -} - -import re - -# Given a list of all known namespaces (value) and a list of accessible namespace regular expressions, -# filter out all non-accessible namespaces (i.e. return a list of only the namespaces that match an accessible namespace regex). -def only_accessible_namespaces(value, accessible_namespaces=[]): - - # cache the regex patterns for speed - accessible_namespace_regex_patterns = [] - for accessible_namespace_regex in accessible_namespaces: - accessible_namespace_regex_patterns.append(re.compile('^' + accessible_namespace_regex + '$')) - - all_accessible_namespaces = [] - for namespace in value: - for p in accessible_namespace_regex_patterns: - if re.match(p, namespace): - all_accessible_namespaces.append(namespace) - break - return all_accessible_namespaces - -# ---- Ansible filters ---- -class FilterModule(object): - def filters(self): - return { - 'only_accessible_namespaces': only_accessible_namespaces - } 
diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/role-controlplane.yaml b/roles/v1.89/kiali-deploy/templates/kubernetes/role-controlplane.yaml deleted file mode 100644 index 4716e17e..00000000 --- a/roles/v1.89/kiali-deploy/templates/kubernetes/role-controlplane.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -rules: -{% if kiali_vars.kiali_feature_flags.certificates_information_indicators.enabled|bool == True %} -- apiGroups: [""] - resourceNames: -{% for s in kiali_vars.kiali_feature_flags.certificates_information_indicators.secrets %} - - {{ s }} -{% endfor %} - resources: - - secrets - verbs: - - get - - list - - watch -{% endif %} \ No newline at end of file diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml b/roles/v1.89/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml deleted file mode 100644 index 583ad214..00000000 --- a/roles/v1.89/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ kiali_vars.deployment.instance_name }}-controlplane -subjects: -- kind: ServiceAccount - name: {{ kiali_vars.deployment.instance_name }}-service-account - namespace: "{{ kiali_vars.deployment.namespace }}" diff --git a/roles/v1.89/kiali-deploy/templates/openshift/role-controlplane.yaml b/roles/v1.89/kiali-deploy/templates/openshift/role-controlplane.yaml deleted file mode 100644 index 4716e17e..00000000 
--- a/roles/v1.89/kiali-deploy/templates/openshift/role-controlplane.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -rules: -{% if kiali_vars.kiali_feature_flags.certificates_information_indicators.enabled|bool == True %} -- apiGroups: [""] - resourceNames: -{% for s in kiali_vars.kiali_feature_flags.certificates_information_indicators.secrets %} - - {{ s }} -{% endfor %} - resources: - - secrets - verbs: - - get - - list - - watch -{% endif %} \ No newline at end of file diff --git a/roles/v1.89/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml b/roles/v1.89/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml deleted file mode 100644 index 583ad214..00000000 --- a/roles/v1.89/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ kiali_vars.deployment.instance_name }}-controlplane -subjects: -- kind: ServiceAccount - name: {{ kiali_vars.deployment.instance_name }}-service-account - namespace: "{{ kiali_vars.deployment.namespace }}" diff --git a/roles/v1.89/kiali-deploy/defaults/main.yml b/roles/v2.1/kiali-deploy/defaults/main.yml similarity index 94% rename from roles/v1.89/kiali-deploy/defaults/main.yml rename to roles/v2.1/kiali-deploy/defaults/main.yml index 183fca2c..72e2d9c9 100644 --- a/roles/v1.89/kiali-deploy/defaults/main.yml +++ b/roles/v2.1/kiali-deploy/defaults/main.yml 
@@ -17,18 +17,6 @@ kiali_defaults: annotation: "kiali.io/api-spec" icon_annotation: "kiali.io/api-type" - api: - namespaces: - exclude: - - "^istio-operator" - - "^kube-.*" - - "^openshift.*" - - "^ibm.*" - - "^kiali-operator" - include: [] - label_selector_exclude: "" - #label_selector_include: - auth: openid: additional_request_params: {} @@ -61,15 +49,16 @@ kiali_defaults: custom_dashboards: [] deployment: - accessible_namespaces: ["**"] #additional_service_yaml: affinity: node: {} pod: {} pod_anti: {} - #cluster_wide_access: + cluster_wide_access: true configmap_annotations: {} + custom_envs: [] custom_secrets: [] + discovery_selectors: {} dns: config: {} policy: "" @@ -108,6 +97,8 @@ kiali_defaults: version_label: "" view_only_mode: false + extensions: [] + external_services: custom_dashboards: discovery_auto_threshold: 10 @@ -159,10 +150,10 @@ kiali_defaults: - name: "Istio Performance Dashboard" - name: "Istio Wasm Extension Dashboard" enabled: true + external_url: "" health_check_url: "" - #in_cluster_url + #internal_url is_core: false - url: "" istio: component_status: enabled: true @@ -212,9 +203,10 @@ kiali_defaults: username: "" custom_headers: {} enabled: false + external_url: "" grpc_port: 9095 health_check_url: "" - in_cluster_url: "" + internal_url: "" is_core: false namespace_selector: true provider: "jaeger" @@ -223,7 +215,7 @@ kiali_defaults: tempo_config: datasource_uid: "" org_id: "" - url: "" + url_format: "" use_grpc: true whitelist_istio_system: ["jaeger-query", "istio-ingressgateway"] @@ -243,11 +235,6 @@ kiali_defaults: version_label_name: "version" kiali_feature_flags: - certificates_information_indicators: - enabled: true - secrets: - - cacerts - - istio-ca-secret disabled_features: [] istio_annotation_action: true istio_injection_action: true diff --git a/roles/v2.1/kiali-deploy/filter_plugins/parse_selectors.py b/roles/v2.1/kiali-deploy/filter_plugins/parse_selectors.py new file mode 100644 index 00000000..ee44f1cd --- /dev/null 
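Review bot: `cluster_wide_access: true` becomes a hard default here while the tasks/main.yml hunk at `@@ -319,11 +310,6 @@` deletes the derivation `'**' in kv.deployment.accessible_namespaces` and the `@@ -424` / `@@ -504` hunks delete every remaining use of the old key. Nothing in this diff rejects or migrates a Kiali CR that still carries `deployment.accessible_namespaces: [a, b]` without an explicit `cluster_wide_access`, so on upgrade such a CR would silently move from per-namespace Roles to a ClusterRole over every namespace. Unless the CRD schema or a validation task outside this diff handles that, a guard such as `- fail: msg: "deployment.accessible_namespaces is no longer supported; use deployment.discovery_selectors and deployment.cluster_wide_access"` with `when: kiali_vars.deployment.accessible_namespaces is defined` in tasks/main.yml would turn a silent widening of access into an explicit error.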
+++ b/roles/v2.1/kiali-deploy/filter_plugins/parse_selectors.py 
@@ -0,0 +1,110 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from ansible.errors import AnsibleFilterError + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +# Given a list of label selectors in the standard k8s format, convert to the format that the k8s ansible collection wants. +# For example, given this input: +# - matchLabels: +# foo: bar +# - matchLabels: +# color: blue +# matchExpressions: +# - key: region +# operator: In +# values: +# - east +# - west +# an array will be returned with two items. +# The first is a list with one item that is "foo=bar". +# The second is a list with two items. The first item being "color=blue" and the second item being "region in (east, west)" +# +# See: +# * https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors +# * https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_info_module.html#parameter-label_selectors +def parse_selectors(value): + # these are the selectors that should be OR'ed together - this is the final result returned back from this function + selectorOr = [] + selectorOrIndex = 0 + + # for each item in the selectors list, there can be one matchLabels and one matchExpressions (both can be there, or just one of them). 
+ for selectors in value: + selectorOr.append([]) + + # process the matchLabels (or matchLabels) - each results in "labelName=labelValue" strings + matchLabelsString = "matchLabels" + if matchLabelsString in selectors: + if (selectors[matchLabelsString] is None) or (len(selectors[matchLabelsString]) == 0): + raise AnsibleFilterError("Selector matchLabels is empty") + for k, v in selectors[matchLabelsString].items(): + expr = k + "=" + v + selectorOr[selectorOrIndex].append(expr) + + # process the matchExpressions - each results in something like "labelName notin (labelValue, labelValue2)" + matchExpressionsString = "matchExpressions" + if matchExpressionsString in selectors: + for me in selectors[matchExpressionsString]: + if "key" not in me: + raise AnsibleFilterError("Selector matchExpression is missing 'key'") + key = me["key"] + + if "operator" not in me: + raise AnsibleFilterError("Selector matchExpression is missing 'operator'") + operator = me["operator"].lower() + + if (operator == "in" or operator == "notin") and ("values" not in me or me["values"] is None or (len(me["values"]) == 0)): + raise AnsibleFilterError("Selector matchExpression is missing a non-empty 'values'") + values = me["values"] if "values" in me else [] + valuesStr = "(" + for i, v in enumerate(values): + if i > 0: + valuesStr += "," + valuesStr += v + valuesStr += ")" + + if operator == "in": + selectorOr[selectorOrIndex].append(key + " in " + valuesStr) + elif operator == "notin": + selectorOr[selectorOrIndex].append(key + " notin " + valuesStr) + elif operator == "exists": + selectorOr[selectorOrIndex].append(key) + elif operator == "doesnotexist": + selectorOr[selectorOrIndex].append("!" 
+ key) + else: + raise AnsibleFilterError("Selector matchExpression has invalid operator: " + operator) + + selectorOrIndex = selectorOrIndex + 1 + + return selectorOr + +# ---- Ansible filters ---- +class FilterModule(object): + def filters(self): + return { + 'parse_selectors': parse_selectors + } + +# TEST +# first = { +# "matchLabels": { "sport": "football", "region": "west" }, +# "matchExpressions": [{ "key": "region", "operator": "In", "values": ["east" ]}, { "key": "sport", "operator": "Exists"}] +# } +# second = { +# "matchLabels": { "region": "east", "sport": "golf" }, +# } +# third = { +# "matchExpressions": [{ "key": "sport", "operator": "In", "values": ["baseball", "football" ]},{ "key": "region", "operator": "NotIn", "values": ["east" ]}] +# } +# fourth = { +# "matchExpressions": [{ "key": "sport", "operator": "NotIn", "values": ["baseball", "football" ]},{ "key": "region", "operator": "Exists"},{ "key": "foo", "operator": "DoesNotExist"}] +# } +# print ("\n=====The following should be successful:\n") +# print (parse_selectors([first, second, third, fourth])) +# print ("\n=====The following should result in an error:\n") +# print (parse_selectors([{"matchExpressions": [{ "key": "sport", "operator": "XIn"}]}])) diff --git a/roles/v1.89/kiali-deploy/filter_plugins/stripnone.py b/roles/v2.1/kiali-deploy/filter_plugins/stripnone.py similarity index 100% rename from roles/v1.89/kiali-deploy/filter_plugins/stripnone.py rename to roles/v2.1/kiali-deploy/filter_plugins/stripnone.py diff --git a/roles/v1.89/kiali-deploy/meta/main.yml b/roles/v2.1/kiali-deploy/meta/main.yml similarity index 100% rename from roles/v1.89/kiali-deploy/meta/main.yml rename to roles/v2.1/kiali-deploy/meta/main.yml 
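Review bot: Label keys and values are concatenated into selector strings with no validation, and a non-string value (a CR entry like `foo: true` or `count: 1` arrives as bool/int) makes `expr = k + "=" + v` and `valuesStr += v` raise TypeError rather than AnsibleFilterError; the commit also removes the `label_selector_include` regex check from tasks/main.yml without re-adding anything equivalent in this new filter. Because the strings built here feed the `query(k8s_plugin, kind='Namespace', label_selector=...)` call that decides where Roles get created, a key or value containing `,` would be parsed by the API as an extra requirement, and other stray characters would fail far from the CR with an unhelpful error. A small token check at the three concatenation sites, sketched below, covers both cases and lets `valuesStr` become a `",".join(...)`. Doc nit: the header comment promises `region in (east, west)` but the code emits `region in (east,west)`; both are accepted by the API, but the comment should match what is produced.
```python
# Approximation of the Kubernetes label syntax (same approach as the label_selector_include
# check that used to live in tasks/main.yml): anything outside this set would change the
# meaning of the "k=v" / "k in (a,b)" strings this filter builds, or be rejected by the API.
_LABEL_TOKEN_CHARS = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")


def _checked_label_token(token, what):
    # A key may carry an optional "prefix/" part and must not be empty; a value may be empty.
    if not isinstance(token, str) or (what == "key" and not token):
        raise AnsibleFilterError("Selector %s is not a valid string: %r" % (what, token))
    allowed = (_LABEL_TOKEN_CHARS | {"/"}) if what == "key" else _LABEL_TOKEN_CHARS
    if not set(token) <= allowed:
        raise AnsibleFilterError("Selector %s contains invalid characters: %r" % (what, token))
    return token


def parse_selectors(value):
    # … unchanged: selectorOr setup and matchLabels presence/emptiness check …
            for k, v in selectors[matchLabelsString].items():
                expr = _checked_label_token(k, "key") + "=" + _checked_label_token(v, "value")
                selectorOr[selectorOrIndex].append(expr)
    # … unchanged: matchExpressions 'key' / 'operator' presence checks …
                key = _checked_label_token(me["key"], "key")
    # … unchanged: non-empty 'values' check for in/notin …
                values = me["values"] if "values" in me else []
                valuesStr = "(" + ",".join(_checked_label_token(v, "value") for v in values) + ")"
    # … unchanged: operator dispatch and return …
```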
diff --git a/roles/v1.89/kiali-deploy/tasks/clusterroles-to-remove.yml b/roles/v2.1/kiali-deploy/tasks/clusterroles-to-remove.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/clusterroles-to-remove.yml rename to roles/v2.1/kiali-deploy/tasks/clusterroles-to-remove.yml diff --git a/roles/v2.1/kiali-deploy/tasks/get-discovery-selector-namespaces.yml b/roles/v2.1/kiali-deploy/tasks/get-discovery-selector-namespaces.yml new file mode 100644 index 00000000..8db6e7b3 --- /dev/null +++ b/roles/v2.1/kiali-deploy/tasks/get-discovery-selector-namespaces.yml 
@@ -0,0 +1,65 @@ +# These tasks are not performed if cluster_wide_access is true - this is because the operator will +# grant Kiali permission to see all namespaces via ClusterRole, so the operator does not need to +# process discovery selectors. +# +# These tasks are performed if cluster wide access is false - this is because the operator will +# need to create Roles in all the namespaces found by the discovery selectors so Kiali can be +# granted permission to see those namespaces (but only those namespaces). +# +# These tasks will use discovery selectors found in the Kiali configuration setting +# spec.deployment.discovery_selectors["default"]. These discovery selectors will be used to discover +# namespaces that Kiali should be given access to. +# +# When these tasks finish, "discovery_selector_namespaces" will be a list of namespaces discovered by the selectors. +# +# NOTE: Regardless of what discovery selectors are defined, the Kiali Operator should always give the server +# access to the Kiali Server deployment namespace and the Istio control plane namespace. But that is +# not done here - these tasks simply scan all namespaces and match them to selectors. The operator +# will add those two namespaces later if appropriate. +# +# NOTE: These tasks specifically ignore Istio's own discovery selectors found in Istio meshConfig. + +- name: Get Kiali discovery selectors if they are defined + set_fact: + discovery_selectors: "{{ kiali_vars.deployment.discovery_selectors.default }}" + when: + - kiali_vars.deployment.cluster_wide_access == False + - kiali_vars.deployment.discovery_selectors.default is defined + +- name: If cluster wide access is disabled and no discovery selectors are found, warn the user that this is probably not what they want + debug: + msg: "Cluster wide access is disabled, but no discovery selectors were specified. You likely will want to define discovery selectors in the Kiali CR." 
+ when: + - kiali_vars.deployment.cluster_wide_access == False + - kiali_vars.discovery_selectors.default is not defined + - discovery_selectors is not defined + +- name: Find namespaces selected by the discovery selectors + set_fact: + discovery_selector_namespaces_raw: "{{ (discovery_selector_namespaces_raw|default([]) + query(k8s_plugin, kind='Namespace', label_selector=(item|join(',')))) | unique }}" + loop: "{{ discovery_selectors | parse_selectors }}" + when: + - kiali_vars.deployment.cluster_wide_access == False + - discovery_selectors is defined + +- name: Get just the names of the discovered namespaces + set_fact: + discovery_selector_namespaces: "{{ discovery_selector_namespaces|default([]) + [item.metadata.name] }}" + loop: "{{ discovery_selector_namespaces_raw|default([]) }}" + when: + - kiali_vars.deployment.cluster_wide_access == False + - discovery_selector_namespaces_raw is defined + +- name: Garbage collect discovered namespaces to free up space + set_fact: + discovery_selector_namespaces_raw: [] + when: + - kiali_vars.deployment.cluster_wide_access == False + - discovery_selector_namespaces_raw is defined + +- name: If no namespaces were discovered, make sure discovery_selector_namespaces is set to an empty list + set_fact: + discovery_selector_namespaces: [] + when: + - kiali_vars.deployment.cluster_wide_access == False + - discovery_selector_namespaces is not defined \ No newline at end of file diff --git a/roles/v1.89/kiali-deploy/tasks/kubernetes/k8s-main.yml b/roles/v2.1/kiali-deploy/tasks/kubernetes/k8s-main.yml similarity index 89% rename from roles/v1.89/kiali-deploy/tasks/kubernetes/k8s-main.yml rename to roles/v2.1/kiali-deploy/tasks/kubernetes/k8s-main.yml index a707d71e..a6b27375 100644 --- a/roles/v1.89/kiali-deploy/tasks/kubernetes/k8s-main.yml +++ b/roles/v2.1/kiali-deploy/tasks/kubernetes/k8s-main.yml 
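Review bot: The warning task's second condition reads `kiali_vars.discovery_selectors.default is not defined`, but the setting lives at `kiali_vars.deployment.discovery_selectors.default` (the path the first task in this file uses), so that test is always true and the warning is effectively gated only by `discovery_selectors is not defined`; it should be `- kiali_vars.deployment.discovery_selectors.default is not defined`, or the redundant condition dropped. Separately, the "Find namespaces" task accumulates whole Namespace objects in `discovery_selector_namespaces_raw` and runs `unique` over them on every loop iteration; projecting the names inside the loop (`query(...) | map(attribute='metadata.name')`) would let the "Get just the names" and "Garbage collect" tasks go away and keep far less data in facts.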
@@ -23,9 +23,7 @@ - "templates/kubernetes/serviceaccount.yaml" - "templates/kubernetes/configmap.yaml" - "templates/kubernetes/{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}.yaml" - - "templates/kubernetes/role-controlplane.yaml" - "templates/kubernetes/rolebinding.yaml" - - "templates/kubernetes/rolebinding-controlplane.yaml" - "templates/kubernetes/deployment.yaml" - "templates/kubernetes/service.yaml" - "{{ 'templates/kubernetes/hpa.yaml' if kiali_vars.deployment.hpa.spec | length > 0 else '' }}" @@ -51,9 +49,9 @@ - is_k8s == True - kiali_vars.deployment.cluster_wide_access == False -- name: Create additional Kiali roles/bindings on all accessible namespaces on Kubernetes +- name: Create additional Kiali roles/bindings on all namespaces that are accessible on Kubernetes vars: - role_namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" + role_namespaces: "{{ discovery_selector_namespaces }}" k8s: template: - "templates/kubernetes/{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}.yaml" diff --git a/roles/v1.89/kiali-deploy/tasks/main.yml b/roles/v2.1/kiali-deploy/tasks/main.yml similarity index 74% rename from roles/v1.89/kiali-deploy/tasks/main.yml rename to roles/v2.1/kiali-deploy/tasks/main.yml index 61e803fc..f2ad964c 100644 --- a/roles/v1.89/kiali-deploy/tasks/main.yml +++ b/roles/v2.1/kiali-deploy/tasks/main.yml @@ -11,7 +11,7 @@ status_vars: specVersion: "{{ kiali_vars.version }}" deployment: - accessibleNamespaces: null + discoverySelectorNamespaces: null - name: Get api group information from the cluster set_fact: 
@@ -91,15 +91,6 @@ - kiali_vars.deployment.ingress_enabled is defined - kiali_vars.deployment.ingress is not defined or kiali_vars.deployment.ingress.enabled is not defined -- name: api.namespaces.label_selector is deprecated but if api.namespaces.label_selector_include is not set then use the old setting - set_fact: - kiali_vars: | - {% set ls=kiali_vars['api']['namespaces'].pop('label_selector') %} - {{ kiali_vars | combine({'api': {'namespaces': {'label_selector_include': ls|bool }}}, recursive=True) }} - when: - - kiali_vars.api.namespaces.label_selector is defined - - kiali_vars.api.namespaces.label_selector_include is not defined - # convert snake case to camelCase where appropriate - include_tasks: snake_camel_case.yaml 
@@ -224,19 +215,19 @@ {% set kv = kv | combine({'external_services': {'istio': {'root_namespace': kv.istio_namespace}}}, recursive=True) %} {% endif %} - {# Set default Grafana in_cluster_url #} - {% if kv.external_services.grafana.in_cluster_url is not defined %} - {% set kv = kv | combine({'external_services': {'grafana': {'in_cluster_url': 'http://grafana.' + kv.istio_namespace + ':3000'}}}, recursive=True) %} + {# Set default Grafana internal_url #} + {% if kv.external_services.grafana.internal_url is not defined %} + {% set kv = kv | combine({'external_services': {'grafana': {'internal_url': 'http://grafana.' + kv.istio_namespace + ':3000'}}}, recursive=True) %} {% endif %} - {# Set default Tracing in_cluster_url for grpc consumption #} - {% if kv.external_services.tracing.in_cluster_url == "" and (kv.external_services.tracing.use_grpc is not defined or kv.external_services.tracing.use_grpc|bool == True) %} - {% set kv = kv | combine({'external_services': {'tracing': {'in_cluster_url': 'http://tracing.' + kv.istio_namespace + ':16685/jaeger'}}}, recursive=True) %} + {# Set default Tracing internal_url for grpc consumption #} + {% if kv.external_services.tracing.internal_url == "" and (kv.external_services.tracing.use_grpc is not defined or kv.external_services.tracing.use_grpc|bool == True) %} + {% set kv = kv | combine({'external_services': {'tracing': {'internal_url': 'http://tracing.' + kv.istio_namespace + ':16685/jaeger'}}}, recursive=True) %} {% endif %} - {# Set default Tracing in_cluster_url for http consumption #} - {% if kv.external_services.tracing.in_cluster_url == "" and kv.external_services.tracing.use_grpc is defined and kv.external_services.tracing.use_grpc|bool == False %} - {% set kv = kv | combine({'external_services': {'tracing': {'in_cluster_url': 'http://tracing.' 
+ kv.istio_namespace + '/jaeger'}}}, recursive=True) %} + {# Set default Tracing internal_url for http consumption #} + {% if kv.external_services.tracing.internal_url == "" and kv.external_services.tracing.use_grpc is defined and kv.external_services.tracing.use_grpc|bool == False %} + {% set kv = kv | combine({'external_services': {'tracing': {'internal_url': 'http://tracing.' + kv.istio_namespace + '/jaeger'}}}, recursive=True) %} {% endif %} {# Set default Prometheus URL #} @@ -319,11 +310,6 @@ {% set kv = kv | combine({'external_services': {'tracing': {'auth': {'ca_file': '/kiali-cabundle/service-ca.crt'}}}}, recursive=True) %} {% endif %} - {# The default cluster_wide_access setting is determined by deployment.accessible_namespaces #} - {% if kv.deployment.cluster_wide_access is not defined %} - {% set kv = kv | combine({'deployment': {'cluster_wide_access': ('**' in kv.deployment.accessible_namespaces)}}, recursive=True) %} - {% endif %} - {# Set the yaml to the new kv dict #} {{ kv | to_nice_yaml }} set_fact: 
@@ -424,28 +410,11 @@ app.kubernetes.io/instance: "{{ kiali_vars.deployment.instance_name }}" app.kubernetes.io/part-of: kiali -# Determine the accessible namespaces. The user may have specified names using regex expressions. -# We need to get a list of all namespaces and match them to the regex expressions. -# Note that we replace kiali_vars.deployment.accessible_namespaces with the full list of actual namespace names -# with regex expressions removed because when the CR changes, we need to know what namespaces were granted roles in -# case we need to revoke those roles (to do this, we need to know the exact names of the namespaces). -# This must be done before the next step which is figuring out what namespaces are no longer accessible and revoking their roles. -# If the user did not specify Kiali's own namespace in accessible_namespaces, it will be added to the list automatically. -# NOTE: there is a special value of accessible_namespaces - two asterisks ("**") means Kiali is to be given access to all -# namespaces via a single cluster role (as opposed to individual roles in each accessible namespace). - -# Note that we look at deployment.cluster_wide_access to see if ClusterRoles are to be created or not. -# If deployment.cluster_wide_access is False then we create individual Roles per namespace. - -# if accessible_namespaces is "**", we must have cluster-wide-access, it is an error otherwise. -- name: Make sure cluster_wide_access does not erroneously restrict access when all namespaces are to be accessible. - fail: - msg: "deployment.cluster_wide_access must be enabled (i.e. 'true') when all namespaces are to be accessible (e.g. deployment.accessible_namespaces is undefined or has '**'). Aborting." 
- when: - - '"**" in kiali_vars.deployment.accessible_namespaces' - - kiali_vars.deployment.cluster_wide_access == False - -# At this point, deployment.cluster_wide_access should now be the source of truth when determining if ClusterRoles or Roles are to be managed. +# Determine the namespaces Kiali is to be given access. +# If the user did not specify Kiali's own namespace in the discovery selectors, it will be added to the list automatically. +# NOTE: if deployment.cluster_wide_access is true, that means Kiali is to be given access to all namespaces via ClusterRoles +# (as opposed to individual roles in each accessible namespace). If deployment.cluster_wide_access is False then we +# create individual Roles per namespace. - name: Determine the Role and RoleBinding kinds that the operator will create and that the role templates will use set_fact: @@ -485,7 +454,7 @@ - kiali_vars.deployment.cluster_wide_access == True - fail: - msg: "The operator cannot support deployment.accessible_namespaces being unset (or have '**') or cluster_wide_access set to 'true' because it does not have permissions to create ClusterRoles" + msg: "The operator cannot support deployment.cluster_wide_access set to 'true' because it does not have permissions to create ClusterRoles" when: - kiali_vars.deployment.cluster_wide_access == True - can_i_create_clusterroles is defined @@ -495,7 +464,7 @@ - can_i_create_clusterroles.result.status.allowed == False - fail: - msg: "The operator cannot support deployment.accessible_namespaces being unset (or have '**') or cluster_wide_access set to 'true' because it does not have permissions to create ClusterRoleBindings" + msg: "The operator cannot support deployment.cluster_wide_access set to 'true' because it does not have permissions to create ClusterRoleBindings" when: - kiali_vars.deployment.cluster_wide_access == True - can_i_create_clusterrolebindings is defined 
@@ -504,74 +473,42 @@ - can_i_create_clusterrolebindings.result.status.allowed is defined - can_i_create_clusterrolebindings.result.status.allowed == False -- name: Find all namespaces (this is limited to what the operator has permission to see) - set_fact: - all_namespaces: "{{ lookup(k8s_plugin, api_version='v1', kind='Namespace') | default({}) | json_query('[].metadata.name') }}" +- include_tasks: get-discovery-selector-namespaces.yml -- name: Determine all accessible namespaces, expanding regex expressions to matched namespaces +- name: Make sure the Kiali deployment namespace and the Istio control plane namespace are accessible set_fact: - all_accessible_namespaces: "{{ (all_namespaces | only_accessible_namespaces(accessible_namespaces=kiali_vars.deployment.accessible_namespaces) + [ kiali_vars.deployment.namespace, kiali_vars.istio_namespace, kiali_vars.external_services.istio.root_namespace ]) | unique | sort }}" - when: - - '"**" not in kiali_vars.deployment.accessible_namespaces' + discovery_selector_namespaces: "{{ ((discovery_selector_namespaces | default([])) + [ kiali_vars.deployment.namespace, kiali_vars.istio_namespace, kiali_vars.external_services.istio.root_namespace ]) | unique | sort }}" -- name: If accessible namespaces list has the special all-namespaces indicator, remove all other namespaces from the list - set_fact: - all_accessible_namespaces: ["**"] - when: - - '"**" in kiali_vars.deployment.accessible_namespaces' - -- name: Set deployment.accessible_namespaces to a list of full namespace names - set_fact: - kiali_vars: "{{ kiali_vars | combine({'deployment': {'accessible_namespaces': all_accessible_namespaces }}, recursive=True) }}" - -- name: Listing of all accessible namespaces (includes regex matches) +- name: Listing of all namespaces that are accessible to Kiali debug: - msg: "{{ kiali_vars.deployment.accessible_namespaces }}" + msg: "Cluster-wide Access=[{{ kiali_vars.deployment.cluster_wide_access }}], Discovered Namespaces={{ 
discovery_selector_namespaces }}" -# do some security checks - abort if the operator is forbidden from allowing certain accessible_namespace values - name: Abort if all namespace access is not allowed fail: - msg: "The operator is forbidden from installing Kiali with deployment.accessible_namespaces unset (or have '**') or deployment.cluster_wide_access set to 'true'" + msg: "The operator is forbidden from installing Kiali with deployment.cluster_wide_access set to 'true'" when: - kiali_vars.deployment.cluster_wide_access == True - lookup('env', 'ALLOW_ALL_ACCESSIBLE_NAMESPACES') | default('false', True) != "true" -- name: Get labeled accessible namespaces - vars: - label: "{{ lookup('env', 'ACCESSIBLE_NAMESPACES_LABEL') | default('', True) }}" - label_selector: "{{ label + ('' if label is regex('^.+=.+$') else ('=' + kiali_vars.istio_namespace)) }}" +# We want to convert discovery selectors so they use only matchExpressions values on namespace names so the server can find the exact +# namespaces we found since these namespaces are the only ones that the Kiali Server will be granted permission to see. +# Note that we only do this if cluster_wide_access is False, because that is when the operator will create the Roles for each namespace. +# If the server will have cluster wide access, all namespaces can be accessed via the main ClusterRole, so it is OK if the server +# discovers different namespaces using the original selectors. +- name: Convert the discovery selectors to all matchExpressions values so they match the namespace names. 
set_fact: - only_allowed_labeled_namespaces: "{{ query(k8s_plugin, kind='Namespace', api_version='v1', label_selector=label_selector) | json_query('[*].metadata.name') }}" + discovery_selectors_match_expressions: "{{ (discovery_selectors_match_expressions|default([])) + [{'matchExpressions': [{'key': 'kubernetes.io/metadata.name', 'operator': 'In', 'values': discovery_selector_namespaces }] }] }}" when: - kiali_vars.deployment.cluster_wide_access == False - - label != "" - -- name: Abort if accessible namespaces contains namespaces not labeled - vars: - ns_diff: "{{ kiali_vars.deployment.accessible_namespaces | difference(only_allowed_labeled_namespaces) }}" - fail: - msg: "Operator is forbidden to allow Kiali CR to specify one or more accessible namespaces that were not labeled: {{ ('Number of rejected namespaces=' + (ns_diff | length | string)) if (ns_diff | length > 10) else (ns_diff) }}" +- set_fact: + kiali_vars: "{{ kiali_vars | combine({'deployment': {'discovery_selectors': {'default': discovery_selectors_match_expressions}}}, recursive=True) }}" when: - - kiali_vars.deployment.cluster_wide_access == False - - only_allowed_labeled_namespaces is defined - - ns_diff | length > 0 + - discovery_selectors_match_expressions is defined -# Note that we add the instance name to the member-of key name only if the instance name is not the default 'kiali'. -# This is for backward compatibility, and for simplicity when deploying under normal default conditions. 
-- name: When accessible namespaces are specified and we are not to give cluster wide access, ensure label_selector_include is set +- name: Define the namespace labels that will be used when needed set_fact: - kiali_vars: "{{ kiali_vars | combine({'api': {'namespaces': {'label_selector_include': ('kiali.io/' + ((kiali_vars.deployment.instance_name + '.') if kiali_vars.deployment.instance_name != 'kiali' else '') + 'member-of=' + kiali_vars.deployment.namespace)}}}, recursive=True) }}" - when: - - kiali_vars.deployment.cluster_wide_access == False - - kiali_vars.api.namespaces.label_selector_include is not defined - -- name: Make sure label_selector_include is in the valid format name=value - fail: - msg: "The api.namespaces.label_selector_include is not valid [{{ kiali_vars.api.namespaces.label_selector_include }}] - it must be in the form of 'name=value' following Kubernetes syntax rules for label names and values." - when: - - kiali_vars.api.namespaces.label_selector_include is defined - # this regex is not 100% accurate, but we want to at least catch obvious errors - - kiali_vars.api.namespaces.label_selector_include is not regex('^[a-zA-Z0-9/_.-]+=[a-zA-Z0-9_.-]+$') + kiali_instance_label_name: "kiali.io/{{ kiali_vars.deployment.instance_name }}.home" + kiali_instance_label_value: "{{ kiali_vars.deployment.namespace }}" # If the signing key is not empty string, and is not of the special value secret:name:key, # do some validation on it's length @@ -626,8 +563,6 @@ # This allows multiple Kiali instances deployed in the same namespace to share the secret. This secret won't be removed # as long as our label exists on the secret resource. - name: Add label to kiali-signing-key secret to make it known this Kiali instance will be using it - vars: - the_label: "{{ 'kiali.io/' + ((kiali_vars.deployment.instance_name + '.') if kiali_vars.deployment.instance_name != 'kiali' else '') + 'member-of' }}" k8s: state: present definition: | 
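Review bot: The hunk deletes the `ACCESSIBLE_NAMESPACES_LABEL` enforcement ("Get labeled accessible namespaces" and "Abort if accessible namespaces contains namespaces not labeled") without applying an equivalent check to the new `discovery_selector_namespaces` list, so when `cluster_wide_access` is false the operator will now create Roles in any namespace a discovery selector matches, regardless of that environment-level allow-list; the `ALLOW_ALL_ACCESSIBLE_NAMESPACES` check just above is kept, which suggests the restricted-operator mode is still meant to be supported. If dropping the labeled-namespace guard is intentional it should be stated in the commit message, since downstream packaging that sets that variable would otherwise lose the restriction silently. Otherwise re-applying the removed tasks against `discovery_selector_namespaces`, as sketched below, restores it with only a variable rename.
```yaml
# … unchanged: "Abort if all namespace access is not allowed" task …

- name: Get labeled accessible namespaces
  vars:
    label: "{{ lookup('env', 'ACCESSIBLE_NAMESPACES_LABEL') | default('', True) }}"
    label_selector: "{{ label + ('' if label is regex('^.+=.+$') else ('=' + kiali_vars.istio_namespace)) }}"
  set_fact:
    only_allowed_labeled_namespaces: "{{ query(k8s_plugin, kind='Namespace', api_version='v1', label_selector=label_selector) | json_query('[*].metadata.name') }}"
  when:
  - kiali_vars.deployment.cluster_wide_access == False
  - label != ""

- name: Abort if discovered namespaces contain namespaces not labeled
  vars:
    ns_diff: "{{ discovery_selector_namespaces | difference(only_allowed_labeled_namespaces) }}"
  fail:
    msg: "Operator is forbidden to grant Kiali access to one or more discovered namespaces that were not labeled: {{ ('Number of rejected namespaces=' + (ns_diff | length | string)) if (ns_diff | length > 10) else (ns_diff) }}"
  when:
  - kiali_vars.deployment.cluster_wide_access == False
  - only_allowed_labeled_namespaces is defined
  - ns_diff | length > 0

# … unchanged: conversion of discovery selectors to matchExpressions …
```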
@@ -637,7 +572,7 @@ namespace: "{{ kiali_vars.deployment.namespace }}" name: kiali-signing-key labels: - {{ the_label }}: {{ kiali_vars.deployment.namespace }} + {{ kiali_instance_label_name }}: {{ kiali_instance_label_value }} when: - kiali_vars.login_token.signing_key == "" @@ -656,6 +591,11 @@ {# Initialize #} {% set d = {} %} + {# Prepare the secret volume for prometheus username #} + {% if kiali_vars.external_services.prometheus.auth.username | regex_search('secret:.+:.+') %} + {% set d = d | combine({'prometheus-username': {'secret_name': kiali_vars.external_services.prometheus.auth.username | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.username | regex_replace('secret:.+:(.+)', '\\1') }}) %} + {% endif %} + {# Prepare the secret volume for prometheus password #} {% if kiali_vars.external_services.prometheus.auth.password | regex_search('secret:.+:.+') %} {% set d = d | combine({'prometheus-password': {'secret_name': kiali_vars.external_services.prometheus.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) %} 
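Review bot: The new `prometheus-username` branch reuses the unanchored, greedy `secret:.+:.+` test, so a username that merely contains `secret:x:y` somewhere is treated as a Secret reference, and a Secret name containing a colon is split at the wrong colon by `secret:(.+):.+`. Because `auth.username` is free-form text rather than a lookup key, such a mismatch silently projects the wrong Secret into the Kiali pod or fails the deploy with an unhelpful error. Anchoring the pattern and forbidding colons in the name, e.g. `regex_search('^secret:[^:]+:.+$')` with `regex_replace('^secret:([^:]+):.+$', '\\1')`, keeps the documented `secret:name:key` contract while rejecting those values; the password/token branches this copies have the same inherited weakness. The Jinja block that builds `d` continues past this hunk.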
@@ -666,6 +606,11 @@ {% set d = d | combine({'prometheus-token': {'secret_name': kiali_vars.external_services.prometheus.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.prometheus.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) %} {% endif %} + {# Prepare the secret volume for tracing username #} + {% if kiali_vars.external_services.tracing.enabled|bool == True and kiali_vars.external_services.tracing.auth.username | regex_search('secret:.+:.+') %} + {% set d = d | combine({'tracing-username': {'secret_name': kiali_vars.external_services.tracing.auth.username | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.username | regex_replace('secret:.+:(.+)', '\\1') }}) %} + {% endif %} + {# Prepare the secret volume for tracing password #} {% if kiali_vars.external_services.tracing.enabled|bool == True and kiali_vars.external_services.tracing.auth.password | regex_search('secret:.+:.+') %} {% set d = d | combine({'tracing-password': {'secret_name': kiali_vars.external_services.tracing.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) %} 
@@ -676,6 +621,11 @@ {% set d = d | combine({'tracing-token': {'secret_name': kiali_vars.external_services.tracing.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.tracing.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) %} {% endif %} + {# Prepare the secret volume for grafana username #} + {% if kiali_vars.external_services.grafana.enabled|bool == True and kiali_vars.external_services.grafana.auth.username | regex_search('secret:.+:.+') %} + {% set d = d | combine({'grafana-username': {'secret_name': kiali_vars.external_services.grafana.auth.username | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.grafana.auth.username | regex_replace('secret:.+:(.+)', '\\1') }}) %} + {% endif %} + {# Prepare the secret volume for grafana password #} {% if kiali_vars.external_services.grafana.enabled|bool == True and kiali_vars.external_services.grafana.auth.password | regex_search('secret:.+:.+') %} {% set d = d | combine({'grafana-password': {'secret_name': kiali_vars.external_services.grafana.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.grafana.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) %} 
@@ -691,6 +641,21 @@ {% set d = d | combine({'login-token-signing-key': {'secret_name': kiali_vars.login_token.signing_key | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.login_token.signing_key | regex_replace('secret:.+:(.+)', '\\1') }}) %} {% endif %} + {# Prepare the secret volume for customdashboards prometheus username #} + {% if kiali_vars.external_services.custom_dashboards.prometheus.auth.username | regex_search('secret:.+:.+') %} + {% set d = d | combine({'customdashboards-prometheus-username': {'secret_name': kiali_vars.external_services.custom_dashboards.prometheus.auth.username | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.custom_dashboards.prometheus.auth.username | regex_replace('secret:.+:(.+)', '\\1') }}) %} + {% endif %} + + {# Prepare the secret volume for customdashboards prometheus password #} + {% if kiali_vars.external_services.custom_dashboards.prometheus.auth.password | regex_search('secret:.+:.+') %} + {% set d = d | combine({'customdashboards-prometheus-password': {'secret_name': kiali_vars.external_services.custom_dashboards.prometheus.auth.password | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.custom_dashboards.prometheus.auth.password | regex_replace('secret:.+:(.+)', '\\1') }}) %} + {% endif %} + + {# Prepare the secret volume for customdashboards prometheus token #} + {% if kiali_vars.external_services.custom_dashboards.prometheus.auth.token | regex_search('secret:.+:.+') %} + {% set d = d | combine({'customdashboards-prometheus-token': {'secret_name': kiali_vars.external_services.custom_dashboards.prometheus.auth.token | regex_replace('secret:(.+):.+', '\\1'), 'secret_key': kiali_vars.external_services.custom_dashboards.prometheus.auth.token | regex_replace('secret:.+:(.+)', '\\1') }}) %} + {% endif %} + {# Set the yaml to the new dict #} {{ d | to_nice_yaml }} set_fact: 
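Review bot: The three new custom_dashboards branches mount a credential Secret whenever the value matches `secret:…`, with no check that the custom-dashboards Prometheus is in use, whereas the tracing and grafana branches above are gated on `…enabled|bool == True`. If `external_services.custom_dashboards` carries an `enabled` flag (not visible in this hunk), gating on it, e.g. `{% if kiali_vars.external_services.custom_dashboards.enabled|bool == True and kiali_vars.external_services.custom_dashboards.prometheus.auth.username | regex_search('secret:.+:.+') %}`, avoids exposing a Secret to the pod for a feature that is switched off. If there is no such flag, a comment stating these are intentionally unconditional, like the main prometheus branches, would stop the question from recurring. The Jinja block that builds `d` continues past this hunk.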
@@ -716,18 +681,14 @@ when: - kiali_vars.clustering.clusters | length > 0 -# The following few tasks read the current Kiali configmap (if one exists) in order to figure out what -# namespaces are no longer accessible. Those namespaces will have their Kiali roles removed. -# They will also have the Kiali labels removed. +# The following few tasks read the current Kiali configmap (if one exists) in order to find out how Kiali is currently configured. - name: Find current configmap, if it exists set_fact: current_configmap: "{{ lookup(k8s_plugin, resource_name=kiali_vars.deployment.instance_name, namespace=kiali_vars.deployment.namespace, api_version='v1', kind='ConfigMap') }}" -- name: Find some current configuration settings +- name: Find some current configuration settings, if they exist set_fact: - current_accessible_namespaces: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.accessible_namespaces') }}" - current_label_selector_include: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector_include') }}" current_view_only_mode: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.view_only_mode') }}" current_image_name: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.image_name') }}" current_image_version: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.image_version') }}" 
@@ -739,55 +700,28 @@ - current_configmap.data is defined - current_configmap.data['config.yaml'] is defined -# Because we need to remove the labels that were created before (this only happens when cluster wide access was not given), -# we must not allow the user to change the label_selector_include. So if cluster wide access is not given but the -# label_selector_include is being changed, we need to abort since we won't know what the old labels were. If -# cluster wide access is currently True then we know we didn't create labels before so we can allow label_selector_include to change. -# -# Now that there is an independent cluster_wide_access setting introduced, we have to remember it did not exist in older Kiali versions. -# If current_cluster_wide_access is defined, that does not mean it was set - in older versions that setting never existed. -# If current_cluster_wide_access == "", that means the value was not set in the ConfigMap - so consider that as "undefined" or "not set". -# Therefore, current_cluster_wide_access|bool != True is only significant if current_cluster_wide_access != "". -# Cluster wide access was given to the current installation if -# (current_cluster_wide_access == "" AND current_accessible_namespaces == '**') [to take into account older versions] -# OR (current_cluster_wide_access != "" AND current_cluster_wide_access|bool == True) [for versions when this new setting was added]. - -# If current_cluster_wide_access is defined but "", this means it is an old install and we know cluster_wide_access is true only when AN=**. -# This task ensures if current_cluster_wide_access is defined its value is always correctly set to either True or False. 
-- name: Determine current cluster wide access in backward compatible way +- name: Examine namespace labels in order to determine the namespaces that Kiali currently has access to + vars: + label: "{{ kiali_instance_label_name }}={{ kiali_instance_label_value }}" set_fact: - current_cluster_wide_access: "{{ '**' in current_accessible_namespace }}" - when: - - current_accessible_namespace is defined - - current_cluster_wide_access == "" - -- name: Do not allow user to change label_selector_include - fail: - msg: "The api.namespaces.label_selector_include cannot be changed to a different value. It was [{{ current_label_selector_include }}] but is now configured to be [{{ kiali_vars.api.namespaces.label_selector_include }}]. In order to install Kiali with a different label selector than what was used before, please uninstall Kiali first." - when: - - current_accessible_namespaces is defined - - current_cluster_wide_access is defined - - current_cluster_wide_access|bool == False - - current_label_selector_include is defined - - current_label_selector_include != "" - - kiali_vars.api.namespaces.label_selector_include is defined - - current_label_selector_include != kiali_vars.api.namespaces.label_selector_include + namespaces_currently_accessible: "{{ query(k8s_plugin, kind='Namespace', label_selector=label) | default({}) | json_query('[].metadata.name') }}" - name: Determine if we are moving to cluster-wide-access in which case we need to pretend to make all namespaces inaccessible so the Roles are removed set_fact: - no_longer_accessible_namespaces: "{{ current_accessible_namespaces }}" + namespaces_no_longer_accessible: "{{ namespaces_currently_accessible }}" when: - - current_accessible_namespaces is defined + - namespaces_currently_accessible is defined - current_cluster_wide_access is defined - current_cluster_wide_access|bool == False - kiali_vars.deployment.cluster_wide_access == True - name: Determine the namespaces that were previously accessible but are now 
inaccessible set_fact: - no_longer_accessible_namespaces: "{{ current_accessible_namespaces | difference(kiali_vars.deployment.accessible_namespaces) }}" + namespaces_no_longer_accessible: "{{ namespaces_currently_accessible | difference(discovery_selector_namespaces) }}" when: - - no_longer_accessible_namespaces is not defined - - current_accessible_namespaces is defined + - namespaces_no_longer_accessible is not defined + - namespaces_currently_accessible is defined + - discovery_selector_namespaces is defined - current_cluster_wide_access is defined - current_cluster_wide_access|bool == False - kiali_vars.deployment.cluster_wide_access == False @@ -799,9 +733,9 @@ - name: Delete all additional Kiali roles from namespaces that Kiali no longer has access to include_tasks: remove-roles.yml vars: - role_namespaces: "{{ no_longer_accessible_namespaces }}" + role_namespaces: "{{ namespaces_no_longer_accessible }}" when: - - no_longer_accessible_namespaces is defined + - namespaces_no_longer_accessible is defined - name: Delete Kiali cluster roles if no longer given special access to all namespaces include_tasks: remove-clusterroles.yml @@ -822,7 +756,7 @@ - name: Delete all Kiali roles from namespaces if view_only_mode or auth.strategy is changing since role bindings are immutable include_tasks: remove-roles.yml vars: - role_namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" + role_namespaces: "{{ discovery_selector_namespaces }}" when: - current_cluster_wide_access is defined - current_cluster_wide_access|bool == False 
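Review bot: `namespaces_currently_accessible` is now derived from the `kiali.io/<instance>.home=<ns>` Namespace label rather than the operator-owned ConfigMap, so the Role cleanup driven by `namespaces_no_longer_accessible` depends on a label that anyone with update rights on a Namespace can strip, and on upgrade from a 1.89 install (which wrote the `member-of` label removed earlier in this file) the label does not exist yet, so the first reconcile computes an empty list and Roles in namespaces no longer selected are left in place unless something outside this hunk handles it. The effect is privilege retention rather than a crash: the Kiali service account keeps a Role/RoleBinding in a namespace the discovery selectors no longer cover. Consider also listing the operator-labelled Roles/RoleBindings themselves as a second source (the operator owns those, unlike the Namespace), or at minimum a comment such as `# NOTE: namespaces that lost the home label, or that 1.x labelled with member-of, are not cleaned up here`. The `| default({})` after `query(...)` is also dead, since `query` returns a list and never yields undefined, and a dict default would only confuse the following `json_query` if it ever applied.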
@@ -846,34 +780,26 @@ status_progress_message: "Processing namespace labels" - name: Remove Kiali label from namespaces that Kiali no longer has access to - vars: - # everything to the left of the = is the name of the label we want to remove - the_namespace_label_name: "{{ current_label_selector_include | regex_replace('^(.*)=.*$', '\\1') }}" # if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it, hence we use state=patched k8s: state: patched definition: | - {% for namespace in no_longer_accessible_namespaces %} + {% for namespace in namespaces_no_longer_accessible %} --- apiVersion: v1 kind: Namespace metadata: name: "{{ namespace }}" labels: - {{ the_namespace_label_name }}: null + {{ kiali_instance_label_name }}: null ... {% endfor %} when: - - no_longer_accessible_namespaces is defined - - current_label_selector_include is defined - - current_label_selector_include != "" + - namespaces_no_longer_accessible is defined -- name: Create additional Kiali label on all accessible namespaces +- name: Create additional Kiali labels on all accessible namespaces vars: - namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" - # everything to the left of the = is the label name; to the right is the label value - the_namespace_label_name: "{{ kiali_vars.api.namespaces.label_selector_include | regex_replace('^(.*)=.*$', '\\1') }}" - the_namespace_label_value: "{{ kiali_vars.api.namespaces.label_selector_include | regex_replace('^.*=(.*)$', '\\1') }}" + namespaces: "{{ discovery_selector_namespaces }}" k8s: state: patched definition: | @@ -884,7 +810,7 @@ metadata: name: "{{ namespace }}" labels: - {{ the_namespace_label_name }}: "{{ the_namespace_label_value }}" + {{ kiali_instance_label_name }}: "{{ kiali_instance_label_value }}" ... {% endfor %} when: 
@@ -960,13 +886,19 @@ - processed_resources_dict[keyname].changed == True - processed_resources_dict[keyname].method == "update" -# Can't just populate with the list of namespaces - see https://github.com/operator-framework/operator-sdk-ansible-util/issues/12 -# So instead - if the list of namespaces is manageable, store them in a comma-separate list. -# Otherwise, we'll just log the count. The purpose of this accessibleNamespaces status field is +# If the list of namespaces is manageable, store them in a comma-separate list. +# Otherwise, we'll just log the count. The purpose of this discoverySelectorNamespaces status field is # just to inform the user how many namespaces the operator processed. +# Note that we only populate the discoverySelectorNamespaces if we are NOT in cluster wide access mode. +# This is because we really only care about what namespaces the operator discovered when +# not in cluster wide access mode as these are the namespaces where the Roles are created (they are +# the namespaces Kiali is granted permission to see). - include_tasks: update-status-progress.yml vars: + noDsn: + discoverySelectorNamespaces: null + listDsn: + discoverySelectorNamespaces: "{{ ('Number of namespaces (including control plane namespace): ' + (discovery_selector_namespaces | length | string)) if (discovery_selector_namespaces | length > 20) else (discovery_selector_namespaces | join(',')) }}" status_progress_message: "Finished all resource creation" status_vars: - deployment: - accessibleNamespaces: "{{ ('Number of accessible namespaces (including control plane namespace): ' + (kiali_vars.deployment.accessible_namespaces | length | string)) if (kiali_vars.deployment.accessible_namespaces | length > 20) else (kiali_vars.deployment.accessible_namespaces | join(',')) }}" + deployment: "{{ listDsn if (kiali_vars.deployment.cluster_wide_access == False and discovery_selector_namespaces is defined) else noDsn }}" 
diff --git a/roles/v1.89/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml b/roles/v2.1/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml rename to roles/v2.1/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml diff --git a/roles/v1.89/kiali-deploy/tasks/openshift/os-main.yml b/roles/v2.1/kiali-deploy/tasks/openshift/os-main.yml similarity index 89% rename from roles/v1.89/kiali-deploy/tasks/openshift/os-main.yml rename to roles/v2.1/kiali-deploy/tasks/openshift/os-main.yml index be7066c3..605a975c 100644 --- a/roles/v1.89/kiali-deploy/tasks/openshift/os-main.yml +++ b/roles/v2.1/kiali-deploy/tasks/openshift/os-main.yml @@ -34,9 +34,7 @@ - "templates/openshift/configmap.yaml" - "templates/openshift/cabundle.yaml" - "templates/openshift/{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}.yaml" - - "templates/openshift/role-controlplane.yaml" - "templates/openshift/rolebinding.yaml" - - "templates/openshift/rolebinding-controlplane.yaml" - "{{ 'templates/openshift/clusterrole-oauth.yaml' if kiali_vars.auth.strategy == 'openshift' else '' }}" - "{{ 'templates/openshift/clusterrolebinding-oauth.yaml' if kiali_vars.auth.strategy == 'openshift' else '' }}" - "templates/openshift/deployment.yaml" 
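Review bot: Dropping `role-controlplane.yaml` and `rolebinding-controlplane.yaml` from the template list means the control-plane namespace only receives a Kiali Role if it is present in `discovery_selector_namespaces`, which feeds the per-namespace loop in the next hunk; the status message in the tasks file says that list includes the control plane namespace, but nothing in this file asserts it. If the inclusion is unconditional, a comment here such as `# the control plane namespace is always included in discovery_selector_namespaces, so no dedicated controlplane role/binding is needed` records why the dedicated templates went away. If it is conditional, a `fail` when `kiali_vars.istio_namespace` is missing from the list is safer than silently losing control-plane read access. The `k8s: template:` list this hunk edits starts outside the hunk.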
@@ -64,9 +62,9 @@ - is_openshift == True - kiali_vars.deployment.cluster_wide_access == False -- name: Create additional Kiali roles/bindings on all accessible namespaces on OpenShift +- name: Create additional Kiali roles/bindings on all namespaces that are accessible on OpenShift vars: - role_namespaces: "{{ kiali_vars.deployment.accessible_namespaces }}" + role_namespaces: "{{ discovery_selector_namespaces }}" k8s: template: - "templates/openshift/{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}.yaml" @@ -97,7 +95,7 @@ k8s: state: absent definition: | - {% for namespace in no_longer_accessible_namespaces %} + {% for namespace in namespaces_no_longer_accessible %} --- apiVersion: console.openshift.io/v1 kind: ConsoleLink @@ -109,14 +107,14 @@ - is_openshift == True - has_openshift_console is defined - has_openshift_console == True - - no_longer_accessible_namespaces is defined + - namespaces_no_longer_accessible is defined - name: Process OpenShift Console Links k8s: definition: "{{ lookup('template', 'templates/openshift/console-links.yaml') }}" vars: - namespaces: "{{ all_accessible_namespaces }}" + namespaces: "{{ discovery_selector_namespaces }}" when: - is_openshift == True - - '"**" not in all_accessible_namespaces' + - kiali_vars.deployment.cluster_wide_access == False - openshift_version is version('4.3', '>=') diff --git a/roles/v1.89/kiali-deploy/tasks/process-resource.yml b/roles/v2.1/kiali-deploy/tasks/process-resource.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/process-resource.yml rename to roles/v2.1/kiali-deploy/tasks/process-resource.yml diff --git a/roles/v1.89/kiali-deploy/tasks/remove-clusterroles.yml b/roles/v2.1/kiali-deploy/tasks/remove-clusterroles.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/remove-clusterroles.yml rename to roles/v2.1/kiali-deploy/tasks/remove-clusterroles.yml 
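Review bot: In the `Process OpenShift Console Links` task the guard `'"**" not in all_accessible_namespaces'` becomes `kiali_vars.deployment.cluster_wide_access == False`, but the task now templates over `discovery_selector_namespaces`, which the tasks file elsewhere only consumes under an explicit `discovery_selector_namespaces is defined` condition. If cluster-wide access is off and no selector produced a list, this task fails on an undefined variable instead of being skipped; adding `- discovery_selector_namespaces is defined` to the `when` keeps it consistent with the other consumers. The same consideration applies to the `role_namespaces` var in the first hunk on this line, whose `when` is outside the hunk.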
diff --git a/roles/v1.89/kiali-deploy/tasks/remove-roles.yml b/roles/v2.1/kiali-deploy/tasks/remove-roles.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/remove-roles.yml rename to roles/v2.1/kiali-deploy/tasks/remove-roles.yml diff --git a/roles/v1.89/kiali-deploy/tasks/snake_camel_case.yaml b/roles/v2.1/kiali-deploy/tasks/snake_camel_case.yaml similarity index 96% rename from roles/v1.89/kiali-deploy/tasks/snake_camel_case.yaml rename to roles/v2.1/kiali-deploy/tasks/snake_camel_case.yaml index 3a05b626..a6e54859 100644 --- a/roles/v1.89/kiali-deploy/tasks/snake_camel_case.yaml +++ b/roles/v2.1/kiali-deploy/tasks/snake_camel_case.yaml @@ -143,4 +143,10 @@ {% set kiali_vars=kiali_vars | combine({'external_services': {'tracing': {'custom_headers': current_cr.spec.external_services.tracing.custom_headers }}}, recursive=True) %} {% endif %} {# #} + {# deployment.discovery_selectors #} + {% if kiali_vars.deployment.discovery_selectors is defined and kiali_vars.deployment.discovery_selectors | length > 0 %} + {% set _=kiali_vars['deployment'].pop('discovery_selectors') %} + {% set kiali_vars=kiali_vars | combine({'deployment': {'discovery_selectors': current_cr.spec.deployment.discovery_selectors}}, recursive=True) %} + {% endif %} + {# #} {{ kiali_vars }} diff --git a/roles/v1.89/kiali-deploy/tasks/update-status-progress.yml b/roles/v2.1/kiali-deploy/tasks/update-status-progress.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/update-status-progress.yml rename to roles/v2.1/kiali-deploy/tasks/update-status-progress.yml diff --git a/roles/v1.89/kiali-deploy/tasks/update-status.yml b/roles/v2.1/kiali-deploy/tasks/update-status.yml similarity index 100% rename from roles/v1.89/kiali-deploy/tasks/update-status.yml rename to roles/v2.1/kiali-deploy/tasks/update-status.yml 
diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/configmap.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/configmap.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/kubernetes/configmap.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/configmap.yaml diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/deployment.yaml similarity index 98% rename from roles/v1.89/kiali-deploy/templates/kubernetes/deployment.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/deployment.yaml index 3bfcffb5..86387709 100644 --- a/roles/v1.89/kiali-deploy/templates/kubernetes/deployment.yaml +++ b/roles/v2.1/kiali-deploy/templates/kubernetes/deployment.yaml @@ -113,6 +113,10 @@ spec: value: "{{ kiali_vars.deployment.logger.sampler_rate }}" - name: LOG_TIME_FIELD_FORMAT value: "{{ kiali_vars.deployment.logger.time_field_format }}" +{% for env in kiali_vars.deployment.custom_envs %} + - name: "{{ env.name }}" + value: "{{ env.value }}" +{% endfor %} volumeMounts: - name: kiali-configuration mountPath: "/kiali-configuration" diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/hpa.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/hpa.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/kubernetes/hpa.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/hpa.yaml diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/ingress.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/ingress.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/kubernetes/ingress.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/ingress.yaml 
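Review bot: `value: "{{ env.value }}"` drops an unescaped, CR-supplied string into a double-quoted YAML scalar of the Deployment template, so a value containing `"` or `\` breaks the rendered manifest and a value with an embedded newline can inject further container-spec keys the operator did not intend to expose, and it is the operator, not the CR author, that holds the elevated rights here. Rendering both fields through a YAML-safe filter, `- name: {{ env.name | to_json }}` and `value: {{ env.value | to_json }}`, keeps any input a single plain string. Whether `custom_envs` has a list default so the loop does not fail on an unset field, and whether names colliding with the operator-set `LOG_*` variables are rejected, is not visible here and deserves a comment. The container `env:` list starts before this hunk.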
diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/role-viewer.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/role-viewer.yaml similarity index 90% rename from roles/v1.89/kiali-deploy/templates/kubernetes/role-viewer.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/role-viewer.yaml index 5a623b2a..d560c6ff 100644 --- a/roles/v1.89/kiali-deploy/templates/kubernetes/role-viewer.yaml +++ b/roles/v2.1/kiali-deploy/templates/kubernetes/role-viewer.yaml @@ -68,4 +68,11 @@ rules: - tokenreviews verbs: - create +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch {% endfor %} diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/role.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/role.yaml similarity index 90% rename from roles/v1.89/kiali-deploy/templates/kubernetes/role.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/role.yaml index c74d3e4f..eba6f6fb 100644 --- a/roles/v1.89/kiali-deploy/templates/kubernetes/role.yaml +++ b/roles/v2.1/kiali-deploy/templates/kubernetes/role.yaml @@ -74,4 +74,11 @@ rules: - tokenreviews verbs: - create +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch {% endfor %} diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/rolebinding.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/rolebinding.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/kubernetes/rolebinding.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/rolebinding.yaml diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/service.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/service.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/kubernetes/service.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/service.yaml 
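Review bot: `mutatingwebhookconfigurations` is a cluster-scoped resource, and `role.yaml` / `role-viewer.yaml` are rendered once per namespace inside the `{% for %}` these hunks close, so if the emitted kind is `Role` (the kind line is outside the hunk) the new rule grants nothing: RBAC evaluates cluster-scoped requests with an empty namespace, which a Role never matches, and Kiali will still be denied when it reads webhook configurations in non-cluster-wide mode. If that read is required, it belongs in the ClusterRole used by cluster-wide installs, and the non-cluster-wide path needs either a narrow dedicated ClusterRole/ClusterRoleBinding or a documented fallback in Kiali. If the denial is tolerated on purpose, a comment such as `# cluster-scoped resource: has no effect in a namespaced Role, see ClusterRole for cluster-wide installs` prevents the next reader from assuming it works.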
diff --git a/roles/v1.89/kiali-deploy/templates/kubernetes/serviceaccount.yaml b/roles/v2.1/kiali-deploy/templates/kubernetes/serviceaccount.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/kubernetes/serviceaccount.yaml rename to roles/v2.1/kiali-deploy/templates/kubernetes/serviceaccount.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/cabundle.yaml b/roles/v2.1/kiali-deploy/templates/openshift/cabundle.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/cabundle.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/cabundle.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/clusterrole-oauth.yaml b/roles/v2.1/kiali-deploy/templates/openshift/clusterrole-oauth.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/clusterrole-oauth.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/clusterrole-oauth.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/clusterrolebinding-oauth.yaml b/roles/v2.1/kiali-deploy/templates/openshift/clusterrolebinding-oauth.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/clusterrolebinding-oauth.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/clusterrolebinding-oauth.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/configmap.yaml b/roles/v2.1/kiali-deploy/templates/openshift/configmap.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/configmap.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/configmap.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/console-links.yaml b/roles/v2.1/kiali-deploy/templates/openshift/console-links.yaml similarity index 73% rename from roles/v1.89/kiali-deploy/templates/openshift/console-links.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/console-links.yaml index a51178c1..c0723f77 100644 
--- a/roles/v1.89/kiali-deploy/templates/openshift/console-links.yaml +++ b/roles/v2.1/kiali-deploy/templates/openshift/console-links.yaml @@ -4,7 +4,7 @@ apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: name: {{ kiali_vars.deployment.instance_name }}-namespace-{{ namespace }} - labels: {{ kiali_resource_metadata_labels | combine({'kiali.io/home': ((kiali_vars.deployment.instance_name + '.') if kiali_vars.deployment.instance_name != 'kiali' else '') + kiali_vars.deployment.namespace }) }} + labels: {{ kiali_resource_metadata_labels | combine({ kiali_instance_label_name: kiali_instance_label_value }) }} spec: href: {{ kiali_route_url }}{{ '/' if kiali_vars.server.web_root == '/' else (kiali_vars.server.web_root + '/') }}console/graph/namespaces?namespaces={{ namespace }} location: NamespaceDashboard diff --git a/roles/v1.89/kiali-deploy/templates/openshift/deployment.yaml b/roles/v2.1/kiali-deploy/templates/openshift/deployment.yaml similarity index 98% rename from roles/v1.89/kiali-deploy/templates/openshift/deployment.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/deployment.yaml index 7d5a4f3b..de40c8ce 100644 --- a/roles/v1.89/kiali-deploy/templates/openshift/deployment.yaml +++ b/roles/v2.1/kiali-deploy/templates/openshift/deployment.yaml @@ -113,6 +113,10 @@ spec: value: "{{ kiali_vars.deployment.logger.sampler_rate }}" - name: LOG_TIME_FIELD_FORMAT value: "{{ kiali_vars.deployment.logger.time_field_format }}" +{% for env in kiali_vars.deployment.custom_envs %} + - name: "{{ env.name }}" + value: "{{ env.value }}" +{% endfor %} volumeMounts: - name: kiali-configuration mountPath: "/kiali-configuration" diff --git a/roles/v1.89/kiali-deploy/templates/openshift/hpa.yaml b/roles/v2.1/kiali-deploy/templates/openshift/hpa.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/hpa.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/hpa.yaml 
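Review bot: The OpenShift deployment template carries the same unescaped `value: "{{ env.value }}"` as its Kubernetes sibling, so a CR-supplied value containing a quote, backslash or newline breaks or extends the rendered container spec. Use `- name: {{ env.name | to_json }}` and `value: {{ env.value | to_json }}` so the output is always a single YAML string, and keep the two templates identical since they are maintained in parallel. The console-links hunk earlier on this line only switches to the shared label variables and needs no change.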
diff --git a/roles/v1.89/kiali-deploy/templates/openshift/oauth.yaml b/roles/v2.1/kiali-deploy/templates/openshift/oauth.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/oauth.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/oauth.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/role-viewer.yaml b/roles/v2.1/kiali-deploy/templates/openshift/role-viewer.yaml similarity index 91% rename from roles/v1.89/kiali-deploy/templates/openshift/role-viewer.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/role-viewer.yaml index 6324400d..af7e8c5e 100644 --- a/roles/v1.89/kiali-deploy/templates/openshift/role-viewer.yaml +++ b/roles/v2.1/kiali-deploy/templates/openshift/role-viewer.yaml @@ -85,4 +85,11 @@ rules: - tokenreviews verbs: - create +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch {% endfor %} diff --git a/roles/v1.89/kiali-deploy/templates/openshift/role.yaml b/roles/v2.1/kiali-deploy/templates/openshift/role.yaml similarity index 92% rename from roles/v1.89/kiali-deploy/templates/openshift/role.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/role.yaml index 788ab151..fb1ea676 100644 --- a/roles/v1.89/kiali-deploy/templates/openshift/role.yaml +++ b/roles/v2.1/kiali-deploy/templates/openshift/role.yaml @@ -92,4 +92,11 @@ rules: - tokenreviews verbs: - create +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch {% endfor %} diff --git a/roles/v1.89/kiali-deploy/templates/openshift/rolebinding.yaml b/roles/v2.1/kiali-deploy/templates/openshift/rolebinding.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/rolebinding.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/rolebinding.yaml 
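Review bot: As with the Kubernetes role templates, the new `mutatingwebhookconfigurations` rule is added to templates rendered per namespace inside a `{% for %}`, and if they emit `Role` objects (the kind line is outside the hunk) a rule for a cluster-scoped resource is inert, so the permission Kiali apparently needs is not actually granted in non-cluster-wide OpenShift installs. Either move the rule to the ClusterRole path that cluster-wide installs use and add a narrow ClusterRole/ClusterRoleBinding for the non-cluster-wide case, or mark it with `# cluster-scoped resource: no effect in a namespaced Role` so the gap is visible during the next RBAC review.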
diff --git a/roles/v1.89/kiali-deploy/templates/openshift/route.yaml b/roles/v2.1/kiali-deploy/templates/openshift/route.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/route.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/route.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/service.yaml b/roles/v2.1/kiali-deploy/templates/openshift/service.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/service.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/service.yaml diff --git a/roles/v1.89/kiali-deploy/templates/openshift/serviceaccount.yaml b/roles/v2.1/kiali-deploy/templates/openshift/serviceaccount.yaml similarity index 100% rename from roles/v1.89/kiali-deploy/templates/openshift/serviceaccount.yaml rename to roles/v2.1/kiali-deploy/templates/openshift/serviceaccount.yaml diff --git a/roles/v1.89/kiali-deploy/vars/main.yml b/roles/v2.1/kiali-deploy/vars/main.yml similarity index 96% rename from roles/v1.89/kiali-deploy/vars/main.yml rename to roles/v2.1/kiali-deploy/vars/main.yml index 0d079d92..55358361 100644 --- a/roles/v1.89/kiali-deploy/vars/main.yml +++ b/roles/v2.1/kiali-deploy/vars/main.yml @@ -24,13 +24,6 @@ kiali_vars: {{ kiali_defaults.additional_display_details }} {%- endif -%} - api: | - {%- if api is defined and api is iterable -%} - {{ kiali_defaults.api | combine((api | stripnone), recursive=True) }} - {%- else -%} - {{ kiali_defaults.api }} - {%- endif -%} - auth: | {%- if auth is defined and auth is iterable -%} {{ kiali_defaults.auth | combine((auth | stripnone), recursive=True) }} 
@@ -59,6 +52,13 @@ kiali_vars: {{ kiali_defaults.deployment }} {%- endif -%} + extensions: | + {%- if extensions is defined and extensions is iterable -%} + {{ extensions }} + {%- else -%} + {{ kiali_defaults.extensions }} + {%- endif -%} + external_services: | {%- if external_services is defined and external_services is iterable -%} {{ kiali_defaults.external_services | combine((external_services | stripnone), recursive=True) }} diff --git a/roles/v1.89/kiali-remove/defaults/main.yml b/roles/v2.1/kiali-remove/defaults/main.yml similarity index 88% rename from roles/v1.89/kiali-remove/defaults/main.yml rename to roles/v2.1/kiali-remove/defaults/main.yml index 312dd9f6..e3698ca4 100644 --- a/roles/v1.89/kiali-remove/defaults/main.yml +++ b/roles/v2.1/kiali-remove/defaults/main.yml @@ -2,7 +2,6 @@ kiali_defaults_remove: istio_namespace: "" deployment: - accessible_namespaces: [] hpa: api_version: "" instance_name: "kiali" diff --git a/roles/v1.89/kiali-remove/filter_plugins/stripnone.py b/roles/v2.1/kiali-remove/filter_plugins/stripnone.py similarity index 100% rename from roles/v1.89/kiali-remove/filter_plugins/stripnone.py rename to roles/v2.1/kiali-remove/filter_plugins/stripnone.py diff --git a/roles/v1.89/kiali-remove/meta/main.yml b/roles/v2.1/kiali-remove/meta/main.yml similarity index 100% rename from roles/v1.89/kiali-remove/meta/main.yml rename to roles/v2.1/kiali-remove/meta/main.yml diff --git a/roles/v1.89/kiali-remove/tasks/clusterroles-to-remove.yml b/roles/v2.1/kiali-remove/tasks/clusterroles-to-remove.yml similarity index 100% rename from roles/v1.89/kiali-remove/tasks/clusterroles-to-remove.yml rename to roles/v2.1/kiali-remove/tasks/clusterroles-to-remove.yml diff --git a/roles/v1.89/kiali-remove/tasks/main.yml b/roles/v2.1/kiali-remove/tasks/main.yml similarity index 70% rename from roles/v1.89/kiali-remove/tasks/main.yml rename to roles/v2.1/kiali-remove/tasks/main.yml index b25bf9c4..d589ade4 100644 --- a/roles/v1.89/kiali-remove/tasks/main.yml 
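Review bot: The added `extensions` block hands the user value through unchanged (`{{ extensions }}`), while every sibling block visible in this file, such as `auth` and `external_services`, merges it into the defaults with `kiali_defaults.X | combine((X | stripnone), recursive=True)`. If that is deliberate — presumably because `extensions` is a list, which `combine` cannot merge — a one-line comment would stop the next maintainer from "fixing" it; if it is not, user-supplied null entries are no longer stripped and defaults are never applied. Suggested comment above `extensions: |`: `# extensions is a list, not a mapping, so a user value replaces the default instead of being combined with it`. The enclosing `kiali_vars:` mapping starts outside this hunk.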
+++ b/roles/v2.1/kiali-remove/tasks/main.yml 
@@ -87,36 +87,24 @@ when: - kiali_vars_remove.istio_namespace == "" -- name: Find all namespaces (this is limited to what the operator has permission to see) - ignore_errors: yes +- name: Define the expected label for the namespaces and signing key secret set_fact: - all_namespaces: "{{ lookup(k8s_plugin, api_version='v1', kind='Namespace') | default({}) | json_query('[].metadata.name') }}" - -# When the Operator installed Kiali, the configmap has accessible_namespaces set. -# There are no regexes in the configmap; they are all full namespace names. -# NOTE: there is a special value of accessible_namespaces of two asterisks ("**") -# which indicates Kiali is given access to all namespaces via a single cluster role -# not individual roles in each accessible namespace. + kiali_instance_label_name: "{{ 'kiali.io/' + kiali_vars_remove.deployment.instance_name + '.home' }}" + kiali_instance_label_value: "{{ kiali_vars_remove.deployment.namespace }}" -- name: Find current configmap, if it exists +- name: Get namespaces that have Kiali roles in them ignore_errors: yes set_fact: - current_configmap: "{{ lookup(k8s_plugin, resource_name=kiali_vars_remove.deployment.instance_name, namespace=kiali_vars_remove.deployment.namespace, api_version='v1', kind='ConfigMap') }}" -- name: Find currently accessible namespaces - ignore_errors: yes - set_fact: - current_accessible_namespaces: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('deployment.accessible_namespaces') }}" + namespaces_with_kiali_roles: "{{ query(k8s_plugin, label_selector=(kiali_instance_label_name + '=' + kiali_instance_label_value), kind='Namespace', errors='ignore') | default ([]) | map(attribute='metadata.name') | list }}" when: - - current_configmap is defined - - current_configmap.data is defined - - current_configmap.data['config.yaml'] is defined + - kiali_vars_remove.deployment.cluster_wide_access == False -- name: Delete all additional Kiali roles in current accessible namespaces +- 
name: Delete Kiali roles ignore_errors: yes k8s: state: absent definition: | - {% for namespace in current_accessible_namespaces %} + {% for namespace in namespaces_with_kiali_roles %} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -140,42 +128,27 @@ ... {% endfor %} when: - - current_accessible_namespaces is defined - - '"**" not in current_accessible_namespaces' - -- name: Find currently configured label selector - ignore_errors: yes - set_fact: - current_label_selector_include: "{{ current_configmap.data['config.yaml'] | from_yaml | json_query('api.namespaces.label_selector_include') }}" - when: - - current_configmap is defined - - current_configmap.data is defined - - current_configmap.data['config.yaml'] is defined + - namespaces_with_kiali_roles is defined + - namespaces_with_kiali_roles | length > 0 -- name: Remove Kiali label from namespaces found in current accessible namespaces +- name: Remote Kiali label from namespaces that are currently accessible ignore_errors: yes - vars: - # everything to the left of the = is the name of the label we want to remove - the_namespace_label_name: "{{ current_label_selector_include | regex_replace('^(.*)=.*$', '\\1') }}" - # if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it, hence we use state=patched k8s: state: patched definition: | - {% for namespace in current_accessible_namespaces %} + {% for namespace in namespaces_with_kiali_roles %} --- apiVersion: v1 kind: Namespace metadata: name: "{{ namespace }}" labels: - {{ the_namespace_label_name }}: null + {{ kiali_instance_label_name }}: null ... {% endfor %} when: - - current_accessible_namespaces is defined - - '"**" not in current_accessible_namespaces' - - current_label_selector_include is defined - - current_label_selector_include != "" + - namespaces_with_kiali_roles is defined + - namespaces_with_kiali_roles | length > 0 - name: Delete Kiali cluster roles ignore_errors: yes 
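Review bot: The new "Get namespaces that have Kiali roles in them" task gates on `kiali_vars_remove.deployment.cluster_wide_access == False`, a literal comparison that treats a string value such as "false" (as can arrive from a CR or extra-vars) as cluster-wide and skips the per-namespace cleanup; `- not (kiali_vars_remove.deployment.cluster_wide_access | bool)` is the robust form. The defaults hunk in this commit for kiali-remove/defaults/main.yml only drops `accessible_namespaces` and adds nothing, so unless `cluster_wide_access` already exists under `kiali_defaults_remove.deployment` the condition fails on an undefined attribute, `ignore_errors: yes` swallows it, `namespaces_with_kiali_roles` stays undefined, and every later task guarded by `is defined` silently does nothing — leaving the per-namespace Roles and RoleBindings behind. Worth confirming that default exists. The task list continues outside this hunk.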
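Review bot: The renamed task reads `Remote Kiali label from namespaces that are currently accessible` — "Remote" should be "Remove", and "currently accessible" no longer describes what the task does now that the list comes from the instance label; suggest `- name: Remove Kiali label from namespaces labeled for this Kiali instance`. Deleting the `vars:` block also removed the comment explaining `state: patched` ("if a namespace happened to have been deleted, we do not want to (nor can we) resurrect it"), yet `state: patched` remains and the reason is not obvious, so keep that why-comment directly above the `k8s:` key.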
@@ -199,8 +172,6 @@ - name: Unlabel the signing key secret if it exists to indicate this Kiali instance no longer uses it ignore_errors: yes - vars: - doomed_label: "{{ 'kiali.io/' + ((kiali_vars_remove.deployment.instance_name + '.') if kiali_vars_remove.deployment.instance_name != 'kiali' else '') + 'member-of' }}" k8s: state: present definition: | @@ -210,7 +181,7 @@ name: "kiali-signing-key" namespace: "{{ kiali_vars_remove.deployment.namespace }}" labels: - {{ doomed_label }}: null + {{ kiali_instance_label_name }}: null - name: Delete the signing key secret if no other Kiali installation is using it ignore_errors: yes @@ -225,7 +196,7 @@ name: kiali-signing-key namespace: "{{ kiali_vars_remove.deployment.namespace }}" when: - - (signing_key_secret_labels is not defined) or (signing_key_secret_labels | length == 0) or (signing_key_secret_labels | dict2items | selectattr('key', 'match', 'kiali.io/.*member-of') | list | length == 0) + - (signing_key_secret_labels is not defined) or (signing_key_secret_labels | length == 0) or (signing_key_secret_labels | dict2items | selectattr('key', 'match', 'kiali.io/.*\.home') | list | length == 0) - name: Delete OpenShift-specific Kiali resources ignore_errors: yes @@ -244,7 +215,7 @@ - name: Determine if OpenShift Console is installed and enabled ignore_errors: yes vars: - console_res: "{{ query(k8s_plugin, resource_name='cluster', api_version='operator.openshift.io/v1', kind='Console', errors='ignore') }}" + console_res: "{{ query(k8s_plugin, resource_name='cluster', api_version='operator.openshift.io/v1', kind='Console', errors='ignore') }}" set_fact: has_openshift_console: "{{ console_res | length > 0 and console_res[0].spec.managementState != 'Removed' }}" when: 
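Review bot: The signing-key guard in the `@@ -225` hunk now counts only labels matching `kiali.io/.*\.home`, whereas the removed `doomed_label` shows the previous release labelled the secret with a `kiali.io/...member-of` key; a `kiali-signing-key` secret still labelled the old way by another Kiali instance in the same namespace would be seen as unused and deleted, invalidating that instance's sessions. I cannot tell from this diff whether mixed-version instances can share a namespace; if they can, match both keys, e.g. `selectattr('key', 'match', 'kiali.io/.*(member-of|\.home)')`, or ensure the upgrade path relabels the secret first. Minor: the dot in `kiali.io` is unescaped in the pattern.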
@@ -255,7 +226,7 @@ k8s: state: absent definition: | - {% for cl in query(k8s_plugin, kind='ConsoleLink', label_selector='kiali.io/home=' + ((kiali_vars_remove.deployment.instance_name + '.') if kiali_vars_remove.deployment.instance_name != 'kiali' else '') + kiali_vars_remove.deployment.namespace) %} + {% for cl in query(k8s_plugin, kind='ConsoleLink', label_selector=(kiali_instance_label_name + '=' + kiali_instance_label_value)) %} --- apiVersion: "{{ cl.apiVersion }}" kind: "{{ cl.kind }}" diff --git a/roles/v1.89/kiali-remove/tasks/os-resources-to-remove.yml b/roles/v2.1/kiali-remove/tasks/os-resources-to-remove.yml similarity index 100% rename from roles/v1.89/kiali-remove/tasks/os-resources-to-remove.yml rename to roles/v2.1/kiali-remove/tasks/os-resources-to-remove.yml diff --git a/roles/v1.89/kiali-remove/tasks/resources-to-remove.yml b/roles/v2.1/kiali-remove/tasks/resources-to-remove.yml similarity index 84% rename from roles/v1.89/kiali-remove/tasks/resources-to-remove.yml rename to roles/v2.1/kiali-remove/tasks/resources-to-remove.yml index 16a8cb96..f9ea3e64 100644 --- a/roles/v1.89/kiali-remove/tasks/resources-to-remove.yml +++ b/roles/v2.1/kiali-remove/tasks/resources-to-remove.yml @@ -65,14 +65,3 @@ metadata: namespace: "{{ kiali_vars_remove.deployment.namespace }}" name: {{ kiali_vars_remove.deployment.instance_name }} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - namespace: "{{ kiali_vars_remove.istio_namespace }}" - name: {{ kiali_vars_remove.deployment.instance_name }}-controlplane ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: "{{ kiali_vars_remove.istio_namespace }}" - name: {{ kiali_vars_remove.deployment.instance_name }}-controlplane diff --git a/roles/v1.89/kiali-remove/vars/main.yml b/roles/v2.1/kiali-remove/vars/main.yml similarity index 100% rename from roles/v1.89/kiali-remove/vars/main.yml rename to roles/v2.1/kiali-remove/vars/main.yml 
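Review bot: The ConsoleLink lookup now selects on `kiali_instance_label_name + '=' + kiali_instance_label_value`, i.e. `kiali.io/<instance>.home=<namespace>`, replacing the former `kiali.io/home=<instance>.<namespace>`; ConsoleLinks created under the old label will not be matched and would be left behind unless the deploy side relabels them on upgrade — the ConsoleLink template is not in this diff, so confirm. A comment above the `{% for cl in query(...) %}` line stating the contract, e.g. `{# ConsoleLinks are labelled <label_name>=<namespace> by the deploy role; keep both sides in sync #}`, would make the dependency between deploy and remove explicit.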
diff --git a/roles/v1.89/ossmconsole-deploy/defaults/main.yml b/roles/v2.1/ossmconsole-deploy/defaults/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/defaults/main.yml
rename to roles/v2.1/ossmconsole-deploy/defaults/main.yml
diff --git a/roles/v1.89/ossmconsole-deploy/filter_plugins/stripnone.py b/roles/v2.1/ossmconsole-deploy/filter_plugins/stripnone.py
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/filter_plugins/stripnone.py
rename to roles/v2.1/ossmconsole-deploy/filter_plugins/stripnone.py
diff --git a/roles/v1.89/ossmconsole-deploy/meta/main.yml b/roles/v2.1/ossmconsole-deploy/meta/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/meta/main.yml
rename to roles/v2.1/ossmconsole-deploy/meta/main.yml
diff --git a/roles/v1.89/ossmconsole-deploy/tasks/main.yml b/roles/v2.1/ossmconsole-deploy/tasks/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/tasks/main.yml
rename to roles/v2.1/ossmconsole-deploy/tasks/main.yml
diff --git a/roles/v1.89/ossmconsole-deploy/tasks/openshift/os-main.yml b/roles/v2.1/ossmconsole-deploy/tasks/openshift/os-main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/tasks/openshift/os-main.yml
rename to roles/v2.1/ossmconsole-deploy/tasks/openshift/os-main.yml
diff --git a/roles/v1.89/ossmconsole-deploy/tasks/process-resource.yml b/roles/v2.1/ossmconsole-deploy/tasks/process-resource.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/tasks/process-resource.yml
rename to roles/v2.1/ossmconsole-deploy/tasks/process-resource.yml
diff --git a/roles/v1.89/ossmconsole-deploy/tasks/update-status-progress.yml b/roles/v2.1/ossmconsole-deploy/tasks/update-status-progress.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/tasks/update-status-progress.yml
rename to roles/v2.1/ossmconsole-deploy/tasks/update-status-progress.yml
diff --git a/roles/v1.89/ossmconsole-deploy/tasks/update-status.yml b/roles/v2.1/ossmconsole-deploy/tasks/update-status.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/tasks/update-status.yml
rename to roles/v2.1/ossmconsole-deploy/tasks/update-status.yml
diff --git a/roles/v1.89/ossmconsole-deploy/templates/openshift/configmap-nginx.yaml b/roles/v2.1/ossmconsole-deploy/templates/openshift/configmap-nginx.yaml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/templates/openshift/configmap-nginx.yaml
rename to roles/v2.1/ossmconsole-deploy/templates/openshift/configmap-nginx.yaml
diff --git a/roles/v1.89/ossmconsole-deploy/templates/openshift/configmap-plugin.yaml b/roles/v2.1/ossmconsole-deploy/templates/openshift/configmap-plugin.yaml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/templates/openshift/configmap-plugin.yaml
rename to roles/v2.1/ossmconsole-deploy/templates/openshift/configmap-plugin.yaml
diff --git a/roles/v1.89/ossmconsole-deploy/templates/openshift/consoleplugin.yaml b/roles/v2.1/ossmconsole-deploy/templates/openshift/consoleplugin.yaml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/templates/openshift/consoleplugin.yaml
rename to roles/v2.1/ossmconsole-deploy/templates/openshift/consoleplugin.yaml
diff --git a/roles/v1.89/ossmconsole-deploy/templates/openshift/deployment.yaml b/roles/v2.1/ossmconsole-deploy/templates/openshift/deployment.yaml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/templates/openshift/deployment.yaml
rename to roles/v2.1/ossmconsole-deploy/templates/openshift/deployment.yaml
diff --git a/roles/v1.89/ossmconsole-deploy/templates/openshift/service.yaml b/roles/v2.1/ossmconsole-deploy/templates/openshift/service.yaml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/templates/openshift/service.yaml
rename to roles/v2.1/ossmconsole-deploy/templates/openshift/service.yaml
diff --git a/roles/v1.89/ossmconsole-deploy/vars/main.yml b/roles/v2.1/ossmconsole-deploy/vars/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-deploy/vars/main.yml
rename to roles/v2.1/ossmconsole-deploy/vars/main.yml
diff --git a/roles/v1.89/ossmconsole-remove/defaults/main.yml b/roles/v2.1/ossmconsole-remove/defaults/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-remove/defaults/main.yml
rename to roles/v2.1/ossmconsole-remove/defaults/main.yml
diff --git a/roles/v1.89/ossmconsole-remove/filter_plugins/stripnone.py b/roles/v2.1/ossmconsole-remove/filter_plugins/stripnone.py
similarity index 100%
rename from roles/v1.89/ossmconsole-remove/filter_plugins/stripnone.py
rename to roles/v2.1/ossmconsole-remove/filter_plugins/stripnone.py
diff --git a/roles/v1.89/ossmconsole-remove/meta/main.yml b/roles/v2.1/ossmconsole-remove/meta/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-remove/meta/main.yml
rename to roles/v2.1/ossmconsole-remove/meta/main.yml
diff --git a/roles/v1.89/ossmconsole-remove/tasks/main.yml b/roles/v2.1/ossmconsole-remove/tasks/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-remove/tasks/main.yml
rename to roles/v2.1/ossmconsole-remove/tasks/main.yml
diff --git a/roles/v1.89/ossmconsole-remove/tasks/resources-to-remove.yml b/roles/v2.1/ossmconsole-remove/tasks/resources-to-remove.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-remove/tasks/resources-to-remove.yml
rename to roles/v2.1/ossmconsole-remove/tasks/resources-to-remove.yml
diff --git a/roles/v1.89/ossmconsole-remove/vars/main.yml b/roles/v2.1/ossmconsole-remove/vars/main.yml
similarity index 100%
rename from roles/v1.89/ossmconsole-remove/vars/main.yml
rename to roles/v2.1/ossmconsole-remove/vars/main.yml