From 98802c2a341ff9ccb91ae9264656576bff0352cc Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Thu, 7 Nov 2024 14:53:42 -0500
Subject: [PATCH] support remote_cluster_resources_only=true and support redirect_uris for openshift oauthclient (#295)

* support remote_cluster_resources_only=true and support redirect_uris for openshift oauth client refactor the way we determine if it is an OpenShift cluster (for easier testing and maintainence)
* use "isOpenShift" value rather than "simulateOpenShift"
---
 kiali-server/templates/_helpers.tpl | 25 ++++++++++++++++---------
 kiali-server/templates/cabundle.yaml | 4 +++-
 kiali-server/templates/deployment.yaml | 6 ++++--
 kiali-server/templates/hpa.yaml | 2 ++
 kiali-server/templates/ingress.yaml | 4 +++-
 kiali-server/templates/oauth.yaml | 10 ++++++++--
 kiali-server/templates/route.yaml | 4 +++-
 kiali-server/templates/service.yaml | 4 +++-
 kiali-server/values.yaml | 1 +
 9 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/kiali-server/templates/_helpers.tpl b/kiali-server/templates/_helpers.tpl
index 79986e5..8aa926d 100644
--- a/kiali-server/templates/_helpers.tpl
+++ b/kiali-server/templates/_helpers.tpl
@@ -16,6 +16,13 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Determine if on OpenShift (when debugging the chart for OpenShift use-cases, set "simulateOpenShift")
+*/}}
+{{- define "kiali-server.isOpenShift" -}}
+{{- .Values.isOpenShift | default (.Capabilities.APIVersions.Has "operator.openshift.io/v1") -}}
+{{- end }}
+
 {{/*
 Identifies the log_level.
 */}}
@@ -65,7 +72,7 @@ Determine the default web root.
 {{- .Values.server.web_root | trimSuffix "/" }}
 {{- end }}
 {{- else }}
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 {{- "/" }}
 {{- else }}
 {{- "/kiali" }}
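Review bot: The new `kiali-server.isOpenShift` helper can only force the answer to true: Sprig's `default` treats a false `.Values.isOpenShift` as empty and falls through to the capability check, so `--set isOpenShift=false` on a cluster that serves `operator.openshift.io/v1` still renders every OpenShift branch, which defeats the "easier testing" goal named in the commit message. Testing whether the key is present rather than whether it is truthy gives the override both directions, at the cost that `isOpenShift` must stay undeclared in values.yaml (as it is in this patch, whose only values.yaml addition is `remote_cluster_resources_only`). The comment above the define still tells the reader to set "simulateOpenShift" although the value read is `isOpenShift`; `Determine if on OpenShift; set "isOpenShift" to true or false to override auto-detection` would match the code.
```helm
{{- define "kiali-server.isOpenShift" -}}
{{- if hasKey .Values "isOpenShift" }}
{{- .Values.isOpenShift }}
{{- else }}
{{- .Capabilities.APIVersions.Has "operator.openshift.io/v1" }}
{{- end }}
{{- end }}
```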
@@ -80,7 +87,7 @@ Determine the default identity cert file. There is no default if on k8s; only on
 {{- if hasKey .Values.identity "cert_file" }}
 {{- .Values.identity.cert_file }}
 {{- else }}
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 {{- "/kiali-cert/tls.crt" }}
 {{- else }}
 {{- "" }}
@@ -95,7 +102,7 @@ Determine the default identity private key file. There is no default if on k8s;
 {{- if hasKey .Values.identity "private_key_file" }}
 {{- .Values.identity.private_key_file }}
 {{- else }}
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 {{- "/kiali-cert/tls.key" }}
 {{- else }}
 {{- "" }}
@@ -110,7 +117,7 @@ Determine the default deployment.ingress.enabled. Disable it on k8s; enable it o
 {{- if hasKey .Values.deployment.ingress "enabled" }}
 {{- .Values.deployment.ingress.enabled }}
 {{- else }}
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 {{- true }}
 {{- else }}
 {{- false }}
@@ -134,14 +141,14 @@ Determine the auth strategy to use - default is "token" on Kubernetes and "opens
 */}}
 {{- define "kiali-server.auth.strategy" -}}
 {{- if .Values.auth.strategy }}
- {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }}
- {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }}
+ {{- if (and ((and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url))) (not .Values.auth.openshift.redirect_uris)) }}
+ {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." }}
 {{- end }}
 {{- .Values.auth.strategy }}
 {{- else }}
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
- {{- if not .Values.kiali_route_url }}
- {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
+ {{- if (and (not .Values.kiali_route_url) (not .Values.auth.openshift.redirect_uris)) }}
+ {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." }}
 {{- end }}
 {{- "openshift" }}
 {{- else }}
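Review bot: The first rewritten condition wraps the existing `and` in a redundant extra pair of parentheses, `(and ((and (eq ...) (not ...))) (not ...))`, which reads as if an operand were missing and is easy to mis-edit later; `and` is variadic in Go templates, so `{{- if and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url) (not .Values.auth.openshift.redirect_uris) }}` expresses the same check in the flat form the second branch already uses. The identical three-option `fail` message is now pasted twice inside this define; assigning it once to a variable at the top of the define, or moving it into a small named template, keeps the two branches from drifting the next time an option is added. The `kiali-server.auth.strategy` define continues past the end of the hunk.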
diff --git a/kiali-server/templates/cabundle.yaml b/kiali-server/templates/cabundle.yaml
index 7e87ed0..e0bc1f2 100644
--- a/kiali-server/templates/cabundle.yaml
+++ b/kiali-server/templates/cabundle.yaml
@@ -1,4 +1,5 @@
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -11,3 +12,4 @@ metadata:
 service.beta.openshift.io/inject-cabundle: "true"
 ...
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kiali-server/templates/deployment.yaml b/kiali-server/templates/deployment.yaml
index c4bd243..2c39233 100644
--- a/kiali-server/templates/deployment.yaml
+++ b/kiali-server/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -162,7 +163,7 @@ spec:
 name: {{ include "kiali-server.fullname" . }}
 - name: {{ include "kiali-server.fullname" . }}-cert
 secret:
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 secretName: {{ include "kiali-server.fullname" . }}-cert-secret
 {{- else }}
 secretName: istio.{{ include "kiali-server.fullname" . }}-service-account
@@ -177,7 +178,7 @@ spec:
 - name: {{ include "kiali-server.fullname" . }}-cabundle
 configMap:
 name: {{ include "kiali-server.fullname" . }}-cabundle
- {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
+ {{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }}
 optional: true
 {{- end }}
 {{- range .Values.deployment.custom_secrets }}
@@ -226,3 +227,4 @@ spec:
 {{- toYaml .Values.deployment.node_selector | nindent 8 }}
 {{- end }}
 ...
+{{- end }}
\ No newline at end of file
diff --git a/kiali-server/templates/hpa.yaml b/kiali-server/templates/hpa.yaml
index 60e5a01..d04cb0c 100644
--- a/kiali-server/templates/hpa.yaml
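Review bot: The closing `+{{- end }}` added to cabundle.yaml and deployment.yaml here (and to hpa.yaml, ingress.yaml, route.yaml and service.yaml in the following hunks) is written without a trailing newline, as the `\ No newline at end of file` markers show, while the context line before it still ended the old file with one; ending each template with a newline keeps future diffs of the last line clean. The same bare `{{- if not .Values.deployment.remote_cluster_resources_only }}` gate is also copied verbatim into all six templates with nothing saying why; a one-line comment above each, `{{/* not needed on a remote cluster that only hosts the access resources */}}`, or a single named helper wrapping the check, would carry the intent with the guard.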
+++ b/kiali-server/templates/hpa.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
 {{- if .Values.deployment.hpa.spec }}
 ---
 apiVersion: {{ .Values.deployment.hpa.api_version }}
@@ -15,3 +16,4 @@ spec:
 {{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
 ...
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kiali-server/templates/ingress.yaml b/kiali-server/templates/ingress.yaml
index 2a937dc..911b63c 100644
--- a/kiali-server/templates/ingress.yaml
+++ b/kiali-server/templates/ingress.yaml
@@ -1,4 +1,5 @@
-{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }}
 {{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
 ---
 {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
@@ -60,3 +61,4 @@ spec:
 ...
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kiali-server/templates/oauth.yaml b/kiali-server/templates/oauth.yaml
index 850c95e..223b8cd 100644
--- a/kiali-server/templates/oauth.yaml
+++ b/kiali-server/templates/oauth.yaml
@@ -1,5 +1,5 @@
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
-{{- if .Values.kiali_route_url }}
+{{- if eq "true" (include "kiali-server.isOpenShift" .) }}
+{{- if (or (.Values.kiali_route_url) (.Values.auth.openshift.redirect_uris)) }}
 ---
 apiVersion: oauth.openshift.io/v1
 kind: OAuthClient
@@ -9,10 +9,16 @@ metadata:
 labels:
 {{- include "kiali-server.labels" . | nindent 4 }}
 redirectURIs:
+{{- if .Values.auth.openshift.redirect_uris }}
+{{- range .Values.auth.openshift.redirect_uris }}
+- {{ . }}
+{{- end }}
+{{- else }}
 - {{ .Values.kiali_route_url }}/api/auth/callback
 {{- if .Values.server.web_port }}
 - {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }}/api/auth/callback
 {{- end }}
+{{- end }}
 grantMethod: auto
 {{- if .Values.auth.openshift.token_inactivity_timeout }}
 accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }}
diff --git a/kiali-server/templates/route.yaml b/kiali-server/templates/route.yaml
index eb10b01..77b2906 100644
--- a/kiali-server/templates/route.yaml
+++ b/kiali-server/templates/route.yaml
@@ -1,4 +1,5 @@
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 {{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
 # As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
 ---
@@ -32,3 +33,4 @@ spec:
 ...
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kiali-server/templates/service.yaml b/kiali-server/templates/service.yaml
index af87982..89b6860 100644
--- a/kiali-server/templates/service.yaml
+++ b/kiali-server/templates/service.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
 ---
 apiVersion: v1
 kind: Service
@@ -7,7 +8,7 @@ metadata:
 labels:
 {{- include "kiali-server.labels" . | nindent 4 }}
 annotations:
- {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ {{- if eq "true" (include "kiali-server.isOpenShift" .) }}
 service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
 {{- end }}
 {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
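Review bot: The new `- {{ . }}` entries emit each operator-supplied redirect URI unquoted, so a value containing a YAML-significant sequence (a space followed by `#`, `: `, a leading `*` or `&`) either breaks the rendered OAuthClient or changes its meaning; `- {{ . | quote }}` renders every entry as a plain string, the way the chart should pass any free-form value into a manifest. Because the OpenShift OAuth server validates the callback a login request asks for against this `redirectURIs` list, a silently altered or dropped entry is a security-relevant rendering error rather than a cosmetic one, and `auth.openshift.redirect_uris` has no values.yaml entry in this patch saying that only the exact Kiali `/api/auth/callback` URLs belong here. A short comment above the range, `{{/* explicit callbacks replace the ones derived from kiali_route_url */}}`, would also make the if/else visible to someone reading only the rendered branch.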
@@ -49,3 +50,4 @@ spec:
 {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }}
 {{- end }}
 ...
+{{- end }}
\ No newline at end of file
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
index c6cfd1c..29185ba 100644
--- a/kiali-server/values.yaml
+++ b/kiali-server/values.yaml
@@ -69,6 +69,7 @@ deployment:
 pod_annotations: {}
 pod_labels: {}
 priority_class_name: ""
+ remote_cluster_resources_only: false
 # if deployment.hpa is defined, this replicas setting will be ignored
 replicas: 1
 resources:
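Review bot: `remote_cluster_resources_only: false` is added to values.yaml without a comment, although the neighbouring `# if deployment.hpa is defined, this replicas setting will be ignored` shows the file documents its switches, and a reader cannot tell from the name which resources it suppresses. A comment such as `# when true, create only what a remote cluster needs; the Deployment, Service, HPA, Ingress/Route and CA-bundle ConfigMap are skipped` states exactly what the templates in this patch gate on it. It is also the only value declared here even though the templates now read `isOpenShift` and `auth.openshift.redirect_uris`; describing both in comments here (or in the chart README) — that `isOpenShift` overrides cluster auto-detection and that `redirect_uris` replaces the callback derived from `kiali_route_url` — would tell operators they exist.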