-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
provide a way to tell the operator to create only the remote cluster resources #836
provide a way to tell the operator to create only the remote cluster resources #836
Conversation
this really is a draft right now - strictly PoC. It's just some noodling in my head and me trying something. |
Some quick smoke testing shows this is (surprisingly :-) working pretty good; very small amount of code changes, too. I will write some molecule tests to exercise this functionality more completely before marking this PR as "ready for review". |
f0db2d4
to
c54806b
Compare
Test procedures (it is basically the same for both OpenShift and minikube) Quick TestIf you can't run molecule tests for whatever reason, or just want to run a quick test, you can do the following (I'll assume you have an OpenShift or minikube cluster with Istio installed and the dev image of the operator pushed to your cluster via the make target "cluster-push"):
OpenShift
Minikube
|
…ecific resources - we know they aren't there on non-OpenShift clusters
I ran the full suite of molecule tests and things look good. |
For OpenShift, we will still need an And we need a way of passing a redirectURI to the |
OK. Here's the OAuthClient that is created when deploying Kiali Server normally. We'll want to reuse that (just as this PR reuses all the other templates). This looks doable, because the only thing that looks like we need to be able to set (that isn't already configurable in the Kiali CR) is that Interestingly, I think at one point in the past we considered making that configurable in the I think things will work if we add this to the Kiali CR (inside the So we'd now have: spec:
auth:
openshift:
kiali_route_url: http://blahblah That would not be defined by default, thus retaining backward compat and enabling the operator's auto-discovery. But if the user defines that, the operator would skip auto-discovery and use (side note: kiali_route_url is also used in one other place, and is unrelated to auth -- in the ConsoleLink. That's why I did not propose the new config name to be "redirect_uri" and whose value is different than the root route URL - because the console link would also want to use it. Console links are not created in the remote cluster, BTW. |
|
…Client can be created in remote cluster
Because:
I'm torn between the name because if we set it to I'm know that's confusing, but it makes sense to me :) |
You indicate this might be plural (more than one URI) -- is that true? If so, then we might just make this a separate thing (separate from the ConsoleLink). So, would this actually be a valid thing to want to do? spec:
auth:
openshift:
redirect_uri:
- http://first
- http://second |
5a87a9f
to
93870e3
Compare
The current code in this PR as of now passes the new molecule tests and has the new OAuthClient functionality. But need to think more about the name of the new setting and how we want it to be configurable; more changes might be coming |
@nrfox OK, I just realized that OAuthClient is able to be configured with multiple redirectURIs (as of our latest release, we only define one - using the kiali route). If we are going to be able to allow a user to provide custom redirect URI, we might as well support them being able to give us multiple ones. So, I will change this implementation slightly so spec:
auth:
openshift:
redirect_uris:
- http://foo
- http://bar Is that reasonable? |
I changed the code to now be able to set |
d7deddb
to
1317619
Compare
The way that the openshift oauth service is implemented is that when Kiali connects to the remote cluster, it will just choose the first redirect_uri: https://github.com/kiali/kiali/blob/a9f4d727243affd113809bc3d398403ee174f3b4/business/openshift_oauth.go#L142 That being said, I think it makes sense for the field to support multiple values because if you want to set this outside of the multi-cluster use case then you might want multiple values there and it's just a pass through from the Kiali CR to the |
…e cluster resources only
molecule tests all pass on OpenShift:
|
Now I think we'll need to update the |
That is already supported: |
Are you also going to look at the 3 other PRs for this issue, or should we get others to review? PRs are listed here: kiali/kiali#7861 (comment) |
This adds a new deployment flag in Kiali CR:
The default is
false
, which means it all behaves like before. But when set totrue
, only the remote cluster resources are created by the operator (only SA, role/bindings, configmap - no secrets, deployment/pod, ingress/route, or service resources are created; also, no OpenShift specific resources (ConsoleLink, OAuthClient) are created).The ConfigMap, while not needed by the server when accessing the remote cluster, it is needed by the operator for future reconciliation of the CR, hence that is why the ConfigMap is created along with the SA and roles/bindings.
This supports the typical
deployment.discovery_selectors.default
anddeployment.cluster_wide_access
behavior - they determine which roles/bindings are created - if CWA is false the accessible namespaces defined by discovery selectors will get Role / RoleBindings created. If CWA is true, the cluster role/binding pair are created. This is no different than when deploying the server normally (it's all the same code).fixes: kiali/kiali#7861