From d3b8047fe235d073aec27fb4102db4198b1d6b02 Mon Sep 17 00:00:00 2001
From: Leandro Beretta
Date: Fri, 27 Sep 2024 15:21:34 -0300
Subject: [PATCH] Removal of secret reader feature (#285)
---
 kiali-operator/templates/clusterrole.yaml | 11 ---------
 kiali-operator/values.yaml | 9 --------
 kiali-server/templates/role-controlplane.yaml | 23 -------------------
 .../templates/rolebinding-controlplane.yaml | 17 --------------
 kiali-server/values.yaml | 5 ----
 5 files changed, 65 deletions(-)
 delete mode 100644 kiali-server/templates/role-controlplane.yaml
 delete mode 100644 kiali-server/templates/rolebinding-controlplane.yaml
diff --git a/kiali-operator/templates/clusterrole.yaml b/kiali-operator/templates/clusterrole.yaml
index fc7931e..3e648e2 100644
--- a/kiali-operator/templates/clusterrole.yaml
+++ b/kiali-operator/templates/clusterrole.yaml
@@ -36,17 +36,6 @@ rules:
 - create
 - list
 - watch
-{{- if gt (len .Values.secretReader) 0 }}
-- apiGroups: [""]
- resourceNames:
- {{- range .Values.secretReader }}
- - {{ . }}
- {{- end }}
- resources:
- - secrets
- verbs:
- - get
-{{- end }}
 - apiGroups: [""]
 resourceNames:
 - kiali-signing-key
diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
index aefc617..c24a73c 100644
--- a/kiali-operator/values.yaml
+++ b/kiali-operator/values.yaml
@@ -44,15 +44,6 @@ watchNamespace: ""
 # Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 clusterRoleCreator: true
-# Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to
-# support Kiali CRs with spec.kiali_feature_flags.certificates_information_indicators.enabled=true.
-# The secrets in this list will be the only ones allowed to be specified in any Kiali CR (in the setting
-# spec.kiali_feature_flags.certificates_information_indicators.secrets).
-# If you set this to an empty list, the operator will not be given permission to read any additional secrets
-# found in the cluster, and thus will only support a value of "false" in the Kiali CR setting
-# spec.kiali_feature_flags.certificates_information_indicators.enabled.
-secretReader: ['cacerts', 'istio-ca-secret']
-
 # Set to true if you want to allow the operator to only be able to install Kiali in view-only-mode.
 # The purpose for this setting is to allow you to restrict the permissions given to the operator itself.
 onlyViewOnlyMode: false
diff --git a/kiali-server/templates/role-controlplane.yaml b/kiali-server/templates/role-controlplane.yaml
deleted file mode 100644
index 07bb535..0000000
--- a/kiali-server/templates/role-controlplane.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "kiali-server.fullname" . }}-controlplane
- namespace: "{{ include "kiali-server.istio_namespace" . }}"
- labels:
- {{- include "kiali-server.labels" . | nindent 4 }}
-rules:
-{{- if .Values.kiali_feature_flags.certificates_information_indicators.enabled }}
-- apiGroups: [""]
- resourceNames:
- {{- range .Values.kiali_feature_flags.certificates_information_indicators.secrets }}
- - {{ . }}
- {{- end }}
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
-{{- end }}
-...
diff --git a/kiali-server/templates/rolebinding-controlplane.yaml b/kiali-server/templates/rolebinding-controlplane.yaml
deleted file mode 100644
index fbaa2c2..0000000
--- a/kiali-server/templates/rolebinding-controlplane.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "kiali-server.fullname" . }}-controlplane
- namespace: "{{ include "kiali-server.istio_namespace" . }}"
- labels:
- {{- include "kiali-server.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "kiali-server.fullname" . }}-controlplane
-subjects:
-- kind: ServiceAccount
- name: {{ include "kiali-server.fullname" . }}
- namespace: "{{ .Release.Namespace }}"
-...
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
index ac308e0..f4561d6 100644
--- a/kiali-server/values.yaml
+++ b/kiali-server/values.yaml
@@ -95,11 +95,6 @@ identity: {}
 #private_key_file:
 kiali_feature_flags:
- certificates_information_indicators:
- enabled: true
- secrets:
- - cacerts
- - istio-ca-secret
 disabled_features: []
 validations:
 ignore: ["KIA1301"]