@josunect
Contributor

  • Use a CA file path in addition to the inline certificate.
  • Document the standardized pattern for future RH toolsets.

This PR keeps the inline option for back-comp, but I can remove it if it is not required.

How to manually test it:

```bash
echo | openssl s_client -showcerts -connect kiali-istio-system.apps-crc.testing:443 2>/dev/null | openssl x509 > /tmp/kiali.crt
```

Configuration (Using a kiali https route):

```toml
url = "https://kiali-istio-system.apps-crc.testing/"
certificate_authority = "/tmp/kiali.crt"
insecure = false
```

Run the MCP server:

```bash
make build
npx @modelcontextprotocol/inspector@latest $(pwd)/kubernetes-mcp-server
```

@Cali0707
Collaborator

> This PR keeps the inline option for back-comp, but I can remove it if it is not required.

@josunect I think it should be safe for you to remove this - we haven't cut a release with kiali toolset yet, so I don't think we need to maintain backwards compatibility yet (cc @manusa)

@manusa manusa changed the title from "feat(kiali): Standardize Certificate Authority Configuration Method for Kiali mCP" to "feat(kiali): Standardize Certificate Authority Configuration Method" on Nov 26, 2025
@manusa manusa self-requested a review November 26, 2025 16:26
Comment on lines 79 to 93
// Create a config file with absolute path
configFile := filepath.Join(s.tempDir, "config.toml")
// Convert backslashes to forward slashes for TOML compatibility on Windows
caFileForTOML := filepath.ToSlash(s.caFile)
configContent := `
[toolset_configs.kiali]
url = "https://kiali.example/"
certificate_authority = "` + caFileForTOML + `"
`
err := os.WriteFile(configFile, []byte(configContent), 0644)
s.Require().NoError(err, "Failed to write config file")

// Read config - Read() automatically sets the config directory path
cfg, err := config.Read(configFile)
s.Require().NoError(err, "Failed to read config")
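
Review bot: the fixture only covers an absolute CA path (the comment above configFile says "absolute path"), so the config directory that Read() sets is never used to resolve anything. Add a case where certificate_authority is a relative path next to config.toml and assert which file is picked up. Separately, caFileForTOML is concatenated into a double-quoted TOML string, which is why filepath.ToSlash is needed; a single-quoted TOML literal string would take the path verbatim.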
Member

Can't this be replaced with the logic we have in place for other tests e.g.

```go
s.Config = test.Must(config.ReadToml([]byte(`
[toolset_configs.kiali]
url = "https://kiali.example/"
insecure = true
`)))
```

Contributor Author

Updated!

@aljesusg
Contributor

> > This PR keeps the inline option for back-comp, but I can remove it if it is not required.
>
> @josunect I think it should be safe for you to remove this - we haven't cut a release with kiali toolset yet, so I don't think we need to maintain backwards compatibility yet (cc @manusa)

Yes please, the idea is to replace the inline CA by path.

@josunect josunect requested a review from manusa November 27, 2025 10:21
@manusa
Member

manusa commented Nov 27, 2025

@aljesusg @josunect I still see the support for inline PEM certificates.
I'm not sure if this is going to be removed in the scope of this PR or in a follow-up.

@aljesusg
Contributor

> @aljesusg @josunect I still see the support for inline PEM certificates. I'm not sure if this is going to be removed in the scope of this PR or in a follow-up.

The idea is to replace it, so yes, we are going to remove it in this PR.

Contributor

@aljesusg aljesusg left a comment

Looks good, only these 2 minor things. I am going to test it locally.

docs/KIALI.md Outdated
- Invalid URL → ensure `[toolset_configs.kiali].url` is a valid `http(s)://host` URL.
- TLS certificate validation:
- If `[toolset_configs.kiali].url` uses HTTPS and `[toolset_configs.kiali].insecure` is false, you must set `[toolset_configs.kiali].certificate_authority` with the PEM-encoded certificate(s) used by the Kiali server. This field expects inline PEM content, not a file path. You may concatenate multiple PEM blocks to include an intermediate chain.
- If `[toolset_configs.kiali].url` uses HTTPS and `[toolset_configs.kiali].insecure` is false, you must set `[toolset_configs.kiali].certificate_authority` with the path to the CA certificate file. Relative paths are resolved relative to the directory containing the config file. Only file paths are supported; inline PEM content is not allowed.
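
Review bot: the replacement bullet under "TLS certificate validation" drops the sentence "You may concatenate multiple PEM blocks to include an intermediate chain." If the CA file may still contain several PEM blocks, say so here. It would also help to state what happens when the file is missing or contains no certificate, so readers know how the toolset behaves with `insecure` set to false and an unusable CA path.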
Contributor

Suggested change
- If `[toolset_configs.kiali].url` uses HTTPS and `[toolset_configs.kiali].insecure` is false, you must set `[toolset_configs.kiali].certificate_authority` with the path to the CA certificate file. Relative paths are resolved relative to the directory containing the config file. Only file paths are supported; inline PEM content is not allowed.
- If `[toolset_configs.kiali].url` uses HTTPS and `[toolset_configs.kiali].insecure` is false, you must set `[toolset_configs.kiali].certificate_authority` with the path to the CA certificate file. Relative paths are resolved relative to the directory containing the config file.
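
The behaviour the docs line describes (a `certificate_authority` file path, resolved against the config file's directory when relative, used when `insecure = false`) can be sketched as below. This is an added example, not code from this PR or the project; `ResolveCAPath`, `TLSConfigFromCA`, the `-----BEGIN` check and the sample paths are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ResolveCAPath (hypothetical helper) resolves a relative CA path against
// the directory containing the config file and rejects inline PEM content.
func ResolveCAPath(configDir, ca string) (string, error) {
	ca = strings.TrimSpace(ca)
	if ca == "" {
		return "", errors.New("certificate_authority is required when insecure = false")
	}
	if strings.Contains(ca, "-----BEGIN") {
		return "", errors.New("certificate_authority must be a file path, not inline PEM")
	}
	if !filepath.IsAbs(ca) {
		ca = filepath.Join(configDir, ca)
	}
	return filepath.Clean(ca), nil
}

// TLSConfigFromCA (hypothetical helper) trusts only the CAs found in the file.
func TLSConfigFromCA(configDir, ca string) (*tls.Config, error) {
	path, err := ResolveCAPath(configDir, ca)
	if err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read CA file: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		// Fail closed: an unusable CA file must not downgrade to no verification.
		return nil, fmt.Errorf("no PEM certificates found in %s", path)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

func main() {
	_, err := TLSConfigFromCA("/etc/kiali-mcp", "ca/kiali.crt") // constructed paths
	fmt.Println(err)
}
```

`AppendCertsFromPEM` accepts a file with several concatenated PEM blocks, so a bundle that includes an intermediate chain loads through the same path.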

josunect and others added 13 commits November 28, 2025 15:29
Signed-off-by: josunect <[email protected]>
Co-authored-by: Alberto Gutierrez <[email protected]>