provide a way to tell the operator to create only the remote cluster …
…resources (#836)

* provide a way to tell the operator to create only the remote cluster resources

fixes: kiali/kiali#7861

* support restricting resource creation in ad hoc namespace for remote resources

* always create cm

* do not allow the new setting to be changed

* molecule test

* during uninstall, do not create the signing key if it doesn't already exist

* when testing on non-OpenShift, ignore lookup failures of OpenShift specific resources - we know they aren't there on non-OpenShift clusters

* docs

* be able to specify kiali_route_url in auth.openshift section so OAuthClient can be created in remote cluster

* delete oauthclient if not needed (this looks like a bug we've had for a while)

* oauthclient testing in molecule

* change to redirect_uris

* wrong test - this check should only happen when we ARE creating remote cluster resources only
jmazzitelli authored Nov 7, 2024
1 parent 29455b1 commit fd3fd35
Showing 17 changed files with 547 additions and 36 deletions.
2 changes: 2 additions & 0 deletions crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
Expand Up @@ -38,6 +38,7 @@ spec:
scopes: ["openid", "profile", "email"]
username_claim: "sub"
openshift:
#redirect_uris:
#token_inactivity_timeout:
#token_max_age:

Expand Down Expand Up @@ -218,6 +219,7 @@ spec:
pod_labels:
sidecar.istio.io/inject: "true"
priority_class_name: ""
remote_cluster_resources_only: false
replicas: 1
# default: resources is undefined
resources:
8 changes: 8 additions & 0 deletions crd-docs/crd/kiali.io_kialis.yaml
Expand Up @@ -148,6 +148,11 @@ spec:
description: "To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/"
type: object
properties:
redirect_uris:
description: "The OAuthClient redirect URIs. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `auth.strategy` set to `openshift`."
type: array
items:
type: string
token_inactivity_timeout:
description: "Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting."
type: integer
Expand Down Expand Up @@ -594,6 +599,9 @@ spec:
priority_class_name:
description: "The priorityClassName used to assign the priority of the Kiali pod."
type: string
remote_cluster_resources_only:
description: "When `true`, only those resources necessary for a remote Kiali Server to access this cluster are created (such as the service account and roles/bindings). There will be no Kiali Server deployment/pod created when this is `true`."
type: boolean
replicas:
description: "The replica count for the Kiail deployment. If `deployment.hpa` is specified, this setting is ignored."
type: integer
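Review bot: The `remote_cluster_resources_only` schema entry in the second hunk does not express the immutability the commit message asserts ("do not allow the new setting to be changed"), so a user reading the CRD has no way to know the value is fixed; append to its description `This setting cannot be changed after the Kiali CR is created.` If the operator's supported Kubernetes versions allow CRD validation rules, the same property could carry `x-kubernetes-validations:` / `- rule: "self == oldSelf"` / `message: "remote_cluster_resources_only cannot be changed"` so the API server rejects the change at admission instead of leaving it to the operator. For `redirect_uris` in the first hunk, the description should say that entries must be the exact external Kiali URLs the OAuth server is allowed to send the login response to, since a mistyped or overly broad entry is a security-relevant misconfiguration; `format: uri` on `items` would also reject malformed values at admission. The pre-existing `Kiail` typo in the neighbouring `replicas` description could be fixed in the same file.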
37 changes: 24 additions & 13 deletions molecule/common/tasks.yml
Expand Up @@ -14,6 +14,18 @@
- debug:
msg: "Present Kiali CR: {{ kiali_cr }}"

- name: Get Kiali Configmap
vars:
instance_name: "{{ kiali.instance_name | default('kiali') }}"
set_fact:
kiali_configmap_resource: "{{ lookup('kubernetes.core.k8s', api_version='v1', kind='ConfigMap', namespace=kiali.install_namespace, resource_name=instance_name) }}"

- name: Format Configmap
set_fact:
kiali_configmap: "{{ kiali_configmap_resource.data['config.yaml'] | from_yaml }}"
- debug:
msg: "Present Kiali ConfigMap: {{ kiali_configmap }}"

- name: Get Kiali Operator Pod
k8s_info:
api_version: v1
Expand All @@ -33,18 +45,8 @@
label_selectors:
- "app.kubernetes.io/instance={{ instance_name }}"
register: kiali_pod

- name: Get Kiali Configmap
vars:
instance_name: "{{ kiali.instance_name | default('kiali') }}"
set_fact:
kiali_configmap_resource: "{{ lookup('kubernetes.core.k8s', api_version='v1', kind='ConfigMap', namespace=kiali.install_namespace, resource_name=instance_name) }}"

- name: Format Configmap
set_fact:
kiali_configmap: "{{ kiali_configmap_resource.data['config.yaml'] | from_yaml }}"
- debug:
msg: "Present Kiali ConfigMap: {{ kiali_configmap }}"
when:
- kiali_configmap.deployment.remote_cluster_resources_only == False

- name: Get Kiali Deployment
vars:
Expand All @@ -56,6 +58,8 @@
label_selectors:
- "app.kubernetes.io/instance={{ instance_name }}"
register: kiali_deployment
when:
- kiali_configmap.deployment.remote_cluster_resources_only == False

- name: Get Kiali Service
vars:
Expand All @@ -67,6 +71,8 @@
label_selectors:
- "app.kubernetes.io/instance={{ instance_name }}"
register: kiali_service
when:
- kiali_configmap.deployment.remote_cluster_resources_only == False

- name: Get Kiali Route
vars:
Expand All @@ -80,6 +86,7 @@
register: kiali_route
when:
- is_openshift == True
- kiali_configmap.deployment.remote_cluster_resources_only == False

- name: Get Kiali Ingress
ignore_errors: yes
Expand All @@ -93,7 +100,8 @@
- "app.kubernetes.io/instance={{ instance_name }}"
register: kiali_ingress
when:
- is_openshift != True
- is_openshift == False
- kiali_configmap.deployment.remote_cluster_resources_only == False

- name: Determine the Kiali Route URL on OpenShift
vars:
Expand All @@ -102,6 +110,7 @@
kiali_base_url: "https://{{ kiali_route.resources[0].spec.host }}{{ web_root }}"
when:
- is_openshift == True
- kiali_configmap.deployment.remote_cluster_resources_only == False

# To avoid problems with Ingress/Minikube conflicts, if installing multiple kiali instances set web_root to the instance name
- name: Determine the Kiali Ingress URL on minikube
Expand All @@ -112,9 +121,11 @@
kiali_base_url: "https://{{ lookup('env', 'MOLECULE_MINIKUBE_IP') }}{{ web_root }}"
when:
- is_minikube == True
- kiali_configmap.deployment.remote_cluster_resources_only == False

- name: Determine the Kiali Ingress URL on kind
set_fact:
kiali_base_url: "http://{{ kiali_service.resources[0].status.loadBalancer.ingress[0].ip }}:20001/kiali"
when:
- is_kind == True
- kiali_configmap.deployment.remote_cluster_resources_only == False
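Review bot: The new `when` condition `kiali_configmap.deployment.remote_cluster_resources_only == False`, repeated on every task from `Get Kiali Pod` down to `Determine the Kiali Ingress URL on kind`, raises an undefined-attribute error rather than evaluating to true when the ConfigMap's `deployment` section lacks the key, so the whole molecule run fails against an operator build that predates the setting. Computing it once right after `Format Configmap` keeps the eight conditions consistent and tolerant of a missing key: `- name: Determine whether only remote cluster resources were created` / `set_fact:` / `remote_cluster_resources_only: "{{ kiali_configmap.deployment.remote_cluster_resources_only | default(false) | bool }}"`, with each `when` then reading `- not remote_cluster_resources_only`. Comparing against the literal `False` also differs from the `| bool` truthiness idiom Ansible documents and is flagged by ansible-lint's literal-compare rule; the `is_openshift != True` to `is_openshift == False` rewrite on the ingress task has the same shape and would be better as `- not is_openshift`.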
5 changes: 5 additions & 0 deletions molecule/default/prepare.yml
Expand Up @@ -110,6 +110,9 @@
namespace: "{{ cr_namespace }}"
definition: "{{ kiali_cr_definition }}"

# We normally always want to wait for kiali to be deployed, but for those tests
# where this is not wanted (e.g. when remote_cluster_resources_only==true), then
# import this playbook with the var "wait_for_kiali_pod_after_prepare" set to false.
- name: Asserting that Kiali is Deployed
vars:
instance_name: "{{ kiali.instance_name | default('kiali') }}"
Expand All @@ -127,3 +130,5 @@
- kiali_deployment.resources[0].status.availableReplicas == 1
retries: "{{ wait_retries }}"
delay: 5
when:
- wait_for_kiali_pod_after_prepare | default(true) == True
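Review bot: The added condition `wait_for_kiali_pod_after_prepare | default(true) == True` compares the raw variable against the boolean literal, so a value supplied as the string `"true"` (the form extra vars and environment-driven molecule variables commonly arrive in) fails the comparison and the wait for the Kiali pod is silently skipped; `- wait_for_kiali_pod_after_prepare | default(true) | bool` handles both the boolean and its string forms. The new comment above the task explains the opt-out well; it could also state the default explicitly, e.g. `# Defaults to true when the var is not set.` The task `Asserting that Kiali is Deployed` starts in the first hunk and its `until`/`retries` body continues between the two hunks, outside what is shown here.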
