introduce discovery_selectors and remove accessible_namespaces
jmazzitelli committed Aug 3, 2024
1 parent ab89595 commit 28f494e
Showing 79 changed files with 1,051 additions and 710 deletions.
50 changes: 34 additions & 16 deletions crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
Expand Up @@ -16,18 +16,6 @@ spec:

version: "default"

api:
namespaces:
exclude:
- "^istio-operator"
- "^kube-.*"
- "^openshift.*"
- "^ibm.*"
- "^kiali-operator"
include: []
label_selector_exclude: ""
# default: label_selector_include is undefined
label_selector_include: "kiali.io/member-of=istio-system"
auth:
strategy: ""
openid:
Expand Down Expand Up @@ -65,8 +53,6 @@ spec:
- name: "envoy"

deployment:
# default: accessible_namespaces is undefined
accessible_namespaces: ["my-mesh.*"]
# default: additional_service_yaml is empty
additional_service_yaml:
externalName: "kiali.example.com"
Expand Down Expand Up @@ -103,8 +89,7 @@ spec:
values:
- S2
topologyKey: topology.kubernetes.io/zone
# default: cluster_wide_access is undefined
cluster_wide_access: false
cluster_wide_access: true
# default: configmap_annotations is empty
configmap_annotations:
strategy.spinnaker.io/versioned: "false"
Expand All @@ -120,6 +105,39 @@ spec:
readOnly: true
volumeAttributes:
secretProviderClass: kiali-secretprovider
# default: discovery_selectors is empty
discovery_selectors:
default:
- matchLabels:
region: north
- matchExpressions:
- key: organization
operator: "In"
values: ["engineering", "accounting"]
- matchLabels:
region: south
matchExpressions:
- key: app
operator: "DoesNotExist"
- key: domain
operator: "NotIn"
values: ["production"]
overrides:
myRemoteCluster:
- matchLabels:
region: world
- matchExpressions:
- key: organization
operator: "NotIn"
values: ["marketing"]
- matchLabels:
region: antarctica
matchExpressions:
- key: app
operator: "DoesNotExist"
- key: domain
operator: "In"
values: ["staging"]
dns:
# default: config is empty
config:
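Review bot: The example line `cluster_wide_access: true` now sits directly above the new `discovery_selectors` sample without the `# default:` comment that every other setting in this file carries (the removed line had one), so a reader cannot tell from the example that leaving the key unset now means cluster-wide RBAC. Because the CRD in this commit makes the unset default `true`, a user who copies the selectors and drops the key gets cluster-wide permissions rather than the namespace-scoped grant the selectors are meant to define under `cluster_wide_access=false`. The example should either show `cluster_wide_access: false` next to the selectors, or restore the comment as `# default: cluster_wide_access is true; set to false so that discovery_selectors limit the namespaces Kiali is granted permissions for`. The `deployment:` mapping these hunks edit begins in an earlier hunk and continues past the section.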
130 changes: 84 additions & 46 deletions crd-docs/crd/kiali.io_kialis.yaml
Expand Up @@ -80,45 +80,6 @@ spec:
with the rest of the configuration and resources the operator will install).
type: string

api:
type: object
properties:
namespaces:
description: "Settings that control what namespaces are returned by Kiali."
type: object
properties:
exclude:
description: "A list of namespaces to be excluded from the list of namespaces provided by the Kiali API and Kiali UI. Regex is supported. This does not affect explicit namespace access."
type: array
items:
type: string
include:
description: "A list of namespaces to be included in the list of namespaces provided by the Kiali API and Kiali UI (if those namespaces exist). Regex is supported. An undefined or empty list is ignored. This does not affect explicit namespace access."
type: array
items:
type: string
label_selector_exclude:
description: |
A Kubernetes label selector (e.g. `myLabel=myValue`) which is used for filtering out namespaces
when fetching the list of available namespaces. This does not affect explicit namespace access.
type: string
label_selector_include:
description: |
A Kubernetes label selector (e.g. `myLabel=myValue`) which is used when fetching the list of
available namespaces. This does not affect explicit namespace access.
If `deployment.accessible_namespaces` does not have the special value of `'**'`
then the Kiali operator will add a new label to all accessible namespaces - that new
label will be this `label_selector_include` (this label is added regardless if the namespace matches the label_selector_exclude also).
Note that if you do not set this `label_selector_include` setting but `deployment.accessible_namespaces`
does not have the special "all namespaces" entry of `'**'` then this `label_selector_include` will be set
to a default value of `kiali.io/[<deployment.instance_name>.]member-of=<deployment.namespace>`
where `[<deployment.instance_name>.]` is the instance name assigned to the Kiali installation
if it is not the default 'kiali' (otherwise, this is omitted) and `<deployment.namespace>`
is the namespace where Kiali is to be installed.
type: string

auth:
type: object
properties:
Expand Down Expand Up @@ -270,11 +231,6 @@ spec:
deployment:
type: object
properties:
accessible_namespaces:
description: "When `cluster_wide_access=false` this must be set to the list of namespaces to which Kiali is to be given permissions. You can provide names using regex expressions matched against all namespaces the operator can see. If left unset it is required that `cluster_wide_access` be `true`, and Kiali will have permissions to all namespaces. The list of namespaces that a user can access is a subset of these namespaces, given that user's RBAC settings."
type: array
items:
type: string
additional_service_yaml:
description: "Additional custom yaml to add to the service definition. This is used mainly to customize the service type. For example, if the `deployment.service_type` is set to 'LoadBalancer' and you want to set the loadBalancerIP, you can do so here with: `additional_service_yaml: { 'loadBalancerIP': '78.11.24.19' }`. Another example would be if the `deployment.service_type` is set to 'ExternalName' you will need to configure the name via: `additional_service_yaml: { 'externalName': 'my.kiali.example.com' }`. A final example would be if external IPs need to be set: `additional_service_yaml: { 'externalIPs': ['80.11.12.10'] }`"
type: object
Expand All @@ -293,7 +249,7 @@ spec:
type: object
x-kubernetes-preserve-unknown-fields: true
cluster_wide_access:
description: "Determines if the Kiali server will be granted cluster-wide permissions to see all namespaces. When true, this provides more efficient caching within the Kiali server. It must be `true` if `deployment.accessible_namespaces` is left unset. To limit the namespaces for which Kiali has permissions, set to `false` and list the desired namespaces in `deployment.accessible_namespaces`. When not set, this value will default to `false` if `deployment.accessible_namespaces` is set to a list of namespaces; otherwise this will be `true`."
description: "Determines if the Kiali server will be granted cluster-wide permissions to see all namespaces. When true, this provides more efficient caching within the Kiali server. It must be `true` if `deployment.discovery_selectors` is left unset and there are no discovery selectors defined within Istio. To limit the namespaces for which Kiali has permissions, set to `false` and define the desired set-based selectors in `deployment.discovery_selectors`. When not set, this value will default to `true`."
type: boolean
configmap_annotations:
description: "Custom annotations to be created on the Kiali ConfigMap."
Expand Down Expand Up @@ -335,6 +291,88 @@ spec:
optional:
description: "Indicates if the secret may or may not exist at the time the Kiali pod starts. This will default to 'false' if not specified. This is ignored if `csi` is specified - CSI secrets must exist when specified."
type: boolean
discovery_selectors:
description: |
When `cluster_wide_access=false` this must be the set-based selectors grouped by cluster name, with the `default` group being
the selectors used for the host cluster where the operator is deployed as well as all other unnamed clusters (that is, those
without overrides). These default selectors select those namespaces to which Kiali is to be given permissions. If left unset,
it is required that `cluster_wide_access` be `true`, and Kiali will have permissions to all namespaces. The list of namespaces
that a user can access is a subset of these namespaces, given that user's RBAC settings. These set-based selectors will have
similar semantics as defined by Istio here ( https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig )
and the syntax of the set-based selectors are documented by Kubernetes here
( https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements )
type: object
properties:
default:
description: "The set-based selectors for the Kiali home cluster and for all other clusters that do not have overrides."
type: array
items:
type: object
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
values:
type: array
items:
type: string
required:
- key
- operator
anyOf:
- required: ["matchLabels"]
- required: ["matchExpressions"]
overrides:
description: "If a remote cluster needs access to different namespaces, create a override section with those selectors, with the name of the overrides section being the same name as the remote cluster."
type: object
additionalProperties:
type: array
items:
type: object
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
values:
type: array
items:
type: string
required:
- key
- operator
anyOf:
- required: ["matchLabels"]
- required: ["matchExpressions"]
dns:
description: |
The Kiali server pod's DNS configuration. Kubernetes supports different DNS policies and configurations.
Expand Down Expand Up @@ -1389,7 +1427,7 @@ spec:
write_timeout:
description: |
The maximum duration, in seconds, before timing out writes of the HTTP response back to the client. Default is 30.
In OpenShift clusters, the route request time out should be also increased as the default is 30 seconds.
This can be done by annotating the specific route with `haproxy.router.openshift.io/timeout`.
See https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html#nw-configuring-route-timeouts_route-configuration for further details.
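Review bot: The rewritten `cluster_wide_access` description (hunk `@@ -293,7 +249,7 @@`) changes the unset default from "false whenever a namespace list is given" to unconditionally `true` but does not say so; a CR that relied on `accessible_namespaces` implying `false` and never set `cluster_wide_access` will, after this upgrade, presumably have the removed field pruned and be granted cluster-wide permissions silently. I would append to that description: `Note: before discovery_selectors existed this defaulted to false whenever accessible_namespaces was set; CRs that relied on that must now set cluster_wide_access to false explicitly to keep namespace-scoped permissions.` The `discovery_selectors` description in the following hunk says unset selectors require `cluster_wide_access` to be `true`, while the `cluster_wide_access` text adds Istio-defined selectors as an alternative; the two descriptions should agree on that fallback. The selector item schema also does not tie `values` to the chosen `operator` (Kubernetes label selectors need a non-empty `values` for `In`/`NotIn` and none for `Exists`/`DoesNotExist`), so that check presumably falls to the operator at reconcile time and deserves a comment above the `operator` enum. The `deployment` properties block these hunks edit starts outside the hunk.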