diff --git a/DEVELOPING.adoc b/DEVELOPING.adoc index 6d18da7a..0d5c479d 100644 --- a/DEVELOPING.adoc +++ b/DEVELOPING.adoc @@ -199,10 +199,7 @@ NOTE: If you have never run the Molecule tests before, the Molecule container im - [ ] Update the golden copy of the link:./manifests/kiali-upstream[kiali-upstream CSV metadata] (_* **see link:#maintain-backward-compatibility[note] above**_) - [ ] Update the golden copy of the link:./manifests/kiali-community[kiali-community CSV metadata] (_* **see link:#maintain-backward-compatibility[note] above**_) - [ ] Update the golden copy of the link:./manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml[kiali-ossm CSV metadata] (_* **see link:#maintain-backward-compatibility[note] above**_) -- [ ] Update the link:./roles/default/kiali-deploy/templates/kubernetes/role-controlplane.yaml[Operator Kubernetes role-controlplane.yaml] -- [ ] Update the link:./roles/default/kiali-deploy/templates/openshift/role-controlplane.yaml[Operator OpenShift role-controlplane.yaml] - [ ] Update the link:https://github.com/kiali/helm-charts/tree/master/kiali-operator/templates/clusterrole.yaml[Operator Helm Chart clusterrole.yaml] -- [ ] Update the link:https://github.com/kiali/helm-charts/tree/master/kiali-server/templates/role-controlplane.yaml[Server Helm Chart role-controlplane.yaml] ### Are You Altering a Kiali Server Configuration Setting? diff --git a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml index ce686eb9..b7c88baa 100644 --- a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml +++ b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml @@ -407,11 +407,6 @@ spec: version_label_name: "version" kiali_feature_flags: - certificates_information_indicators: - enabled: true - secrets: - - "cacerts" - - "istio-ca-secret" disabled_features: [] istio_annotation_action: true istio_injection_action: true diff --git a/crd-docs/crd/kiali.io_kialis.yaml b/crd-docs/crd/kiali.io_kialis.yaml index 73c36948..b03dc1a1 100644 --- a/crd-docs/crd/kiali.io_kialis.yaml +++ b/crd-docs/crd/kiali.io_kialis.yaml @@ -1141,16 +1141,6 @@ spec: description: "Kiali features that can be enabled or disabled." type: object properties: - certificates_information_indicators: - description: "Flag to enable/disable displaying certificates information and which secrets to grant read permissions." - type: object - properties: - enabled: - type: boolean - secrets: - type: array - items: - type: string disabled_features: description: "There may be some features that admins do not want to be accessible to users (even in 'view only' mode). In this case, this setting allows you to disable one or more of those features entirely." type: array diff --git a/molecule/read-certs-secrets-test/converge.yml b/molecule/read-certs-secrets-test/converge.yml deleted file mode 100644 index 8b894c9f..00000000 --- a/molecule/read-certs-secrets-test/converge.yml +++ /dev/null @@ -1,48 +0,0 @@ -- name: Tests - hosts: localhost - connection: local - collections: - - kubernetes.core - vars: - custom_resource: "{{ lookup('template', cr_file_path) | from_yaml }}" - tasks: - - import_tasks: ../common/tasks.yml - - import_tasks: ../asserts/pod_asserts.yml - - import_tasks: ../common/wait_for_kiali_running.yml - - - name: Get control plane role - vars: - instance_name: "{{ kiali.instance_name | default('kiali') }}" - k8s_info: - api_version: rbac.authorization.k8s.io/v1 - kind: Role - name: "{{ instance_name }}-controlplane" - namespace: "{{ istio.control_plane_namespace }}" - register: controlplane_role - - - name: Gather the rules that contains resource names - set_fact: - rules: "{{ controlplane_role.resources[0].rules | selectattr('resourceNames','defined') }}" - - - name: Get the needed role for reading certificates - vars: - istio_secret: "istio-ca-secret" - user_secret: "cacerts" - set_fact: - cert_role: "{{ item }}" - with_items: "{{ rules }}" - when: - - istio_secret in item.resourceNames and user_secret in item.resourceNames - - - name: Check that the role has the right verbs - vars: - get_verb: "get" - list_verb: "list" - watch_verb: "watch" - assert: - that: - - cert_role is defined - - cert_role.verbs | length == 3 - - get_verb in cert_role.verbs - - list_verb in cert_role.verbs - - watch_verb in cert_role.verbs diff --git a/molecule/read-certs-secrets-test/kiali-cr.yaml b/molecule/read-certs-secrets-test/kiali-cr.yaml deleted file mode 100644 index 9138352c..00000000 --- a/molecule/read-certs-secrets-test/kiali-cr.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: kiali.io/v1alpha1 -kind: Kiali -metadata: - name: kiali -spec: - version: {{ kiali.spec_version }} - istio_namespace: {{ istio.control_plane_namespace }} - auth: - strategy: {{ kiali.auth_strategy }} - deployment: - ingress: - enabled: true - logger: - log_level: debug - namespace: {{ kiali.install_namespace }} - image_name: "{{ kiali.image_name }}" - image_pull_policy: {{ kiali.image_pull_policy }} - image_version: "{{ kiali.image_version }}" - cluster_wide_access: {{ kiali.cluster_wide_access|bool }} - service_type: {{ 'LoadBalancer' if is_kind else 'NodePort' }} diff --git a/molecule/read-certs-secrets-test/molecule.yml b/molecule/read-certs-secrets-test/molecule.yml deleted file mode 100644 index fc7bcb11..00000000 --- a/molecule/read-certs-secrets-test/molecule.yml +++ /dev/null @@ -1,46 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: $DORP -platforms: -- name: default - groups: - - k8s -provisioner: - name: ansible - config_options: - defaults: - callbacks_enabled: junit - playbooks: - destroy: ../default/destroy.yml - prepare: ../default/prepare.yml - cleanup: ../default/cleanup.yml - inventory: - group_vars: - all: - cr_file_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/read-certs-secrets-test/kiali-cr.yaml" - cr_namespace: "{{ 'kiali-operator' if (lookup('env', 'MOLECULE_OPERATOR_INSTALLER') | default('helm', True) == 'helm') else 'istio-system' }}" # if external operator, assume CR must go in control plane namespace - wait_retries: "{{ lookup('env', 'MOLECULE_WAIT_RETRIES') | default('360', True) }}" - istio: - control_plane_namespace: istio-system - kiali: - spec_version: "{{ lookup('env', 'MOLECULE_KIALI_CR_SPEC_VERSION') | default('default', True) }}" - install_namespace: istio-system - cluster_wide_access: true - auth_strategy: anonymous - operator_namespace: "{{ 'kiali-operator' if (lookup('env', 'MOLECULE_OPERATOR_INSTALLER') | default('helm', True) == 'helm') else ('openshift-operators' if (query('kubernetes.core.k8s', kind='Namespace', resource_name='openshift-operators') | length > 0) else 'operators') }}" # if external operator, assume operator is in OLM location - operator_image_name: "{{ 'image-registry.openshift-image-registry.svc:5000/kiali/kiali-operator' if lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_NAME') == 'dev' else (lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_NAME')|default('quay.io/kiali/kiali-operator', True)) }}" - operator_version: "{{ lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_VERSION')|default('latest', True) }}" - operator_watch_namespace: kiali-operator - operator_cluster_role_creator: "true" - image_name: "{{ 'image-registry.openshift-image-registry.svc:5000/kiali/kiali' if lookup('env', 'MOLECULE_KIALI_IMAGE_NAME') == 'dev' else ('quay.io/kiali/kiali' if ansible_env.MOLECULE_KIALI_IMAGE_NAME is not defined else lookup('env', 'MOLECULE_KIALI_IMAGE_NAME')) }}" - image_version: "{{ 'latest' if ansible_env.MOLECULE_KIALI_IMAGE_VERSION is not defined else lookup('env', 'MOLECULE_KIALI_IMAGE_VERSION') }}" - image_pull_policy: "{{ lookup('env', 'MOLECULE_KIALI_IMAGE_PULL_POLICY')|default('Always', True) }}" - operator_image_pull_policy: "{{ lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_PULL_POLICY')|default('Always', True) }}" -scenario: - name: read-certs-secrets-test - test_sequence: - - prepare - - converge - - destroy diff --git a/roles/default/kiali-deploy/tasks/kubernetes/k8s-main.yml b/roles/default/kiali-deploy/tasks/kubernetes/k8s-main.yml index d553d634..a6b27375 100644 --- a/roles/default/kiali-deploy/tasks/kubernetes/k8s-main.yml +++ b/roles/default/kiali-deploy/tasks/kubernetes/k8s-main.yml @@ -23,9 +23,7 @@ - "templates/kubernetes/serviceaccount.yaml" - "templates/kubernetes/configmap.yaml" - "templates/kubernetes/{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}.yaml" - - "templates/kubernetes/role-controlplane.yaml" - "templates/kubernetes/rolebinding.yaml" - - "templates/kubernetes/rolebinding-controlplane.yaml" - "templates/kubernetes/deployment.yaml" - "templates/kubernetes/service.yaml" - "{{ 'templates/kubernetes/hpa.yaml' if kiali_vars.deployment.hpa.spec | length > 0 else '' }}" diff --git a/roles/default/kiali-deploy/tasks/openshift/os-main.yml b/roles/default/kiali-deploy/tasks/openshift/os-main.yml index c62fd223..605a975c 100644 --- a/roles/default/kiali-deploy/tasks/openshift/os-main.yml +++ b/roles/default/kiali-deploy/tasks/openshift/os-main.yml @@ -34,9 +34,7 @@ - "templates/openshift/configmap.yaml" - "templates/openshift/cabundle.yaml" - "templates/openshift/{{ 'role-viewer' if ((kiali_vars.deployment.view_only_mode|bool == True) or (kiali_vars.auth.strategy != 'anonymous')) else 'role' }}.yaml" - - "templates/openshift/role-controlplane.yaml" - "templates/openshift/rolebinding.yaml" - - "templates/openshift/rolebinding-controlplane.yaml" - "{{ 'templates/openshift/clusterrole-oauth.yaml' if kiali_vars.auth.strategy == 'openshift' else '' }}" - "{{ 'templates/openshift/clusterrolebinding-oauth.yaml' if kiali_vars.auth.strategy == 'openshift' else '' }}" - "templates/openshift/deployment.yaml" diff --git a/roles/default/kiali-deploy/templates/kubernetes/role-controlplane.yaml b/roles/default/kiali-deploy/templates/kubernetes/role-controlplane.yaml deleted file mode 100644 index 4716e17e..00000000 --- a/roles/default/kiali-deploy/templates/kubernetes/role-controlplane.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -rules: -{% if kiali_vars.kiali_feature_flags.certificates_information_indicators.enabled|bool == True %} -- apiGroups: [""] - resourceNames: -{% for s in kiali_vars.kiali_feature_flags.certificates_information_indicators.secrets %} - - {{ s }} -{% endfor %} - resources: - - secrets - verbs: - - get - - list - - watch -{% endif %} \ No newline at end of file diff --git a/roles/default/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml b/roles/default/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml deleted file mode 100644 index 583ad214..00000000 --- a/roles/default/kiali-deploy/templates/kubernetes/rolebinding-controlplane.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ kiali_vars.deployment.instance_name }}-controlplane -subjects: -- kind: ServiceAccount - name: {{ kiali_vars.deployment.instance_name }}-service-account - namespace: "{{ kiali_vars.deployment.namespace }}" diff --git a/roles/default/kiali-deploy/templates/openshift/role-controlplane.yaml b/roles/default/kiali-deploy/templates/openshift/role-controlplane.yaml deleted file mode 100644 index 4716e17e..00000000 --- a/roles/default/kiali-deploy/templates/openshift/role-controlplane.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -rules: -{% if kiali_vars.kiali_feature_flags.certificates_information_indicators.enabled|bool == True %} -- apiGroups: [""] - resourceNames: -{% for s in kiali_vars.kiali_feature_flags.certificates_information_indicators.secrets %} - - {{ s }} -{% endfor %} - resources: - - secrets - verbs: - - get - - list - - watch -{% endif %} \ No newline at end of file diff --git a/roles/default/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml b/roles/default/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml deleted file mode 100644 index 583ad214..00000000 --- a/roles/default/kiali-deploy/templates/openshift/rolebinding-controlplane.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ kiali_vars.deployment.instance_name }}-controlplane - namespace: "{{ kiali_vars.istio_namespace }}" - labels: {{ kiali_resource_metadata_labels }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ kiali_vars.deployment.instance_name }}-controlplane -subjects: -- kind: ServiceAccount - name: {{ kiali_vars.deployment.instance_name }}-service-account - namespace: "{{ kiali_vars.deployment.namespace }}" diff --git a/roles/default/kiali-remove/tasks/resources-to-remove.yml b/roles/default/kiali-remove/tasks/resources-to-remove.yml index 16a8cb96..f9ea3e64 100644 --- a/roles/default/kiali-remove/tasks/resources-to-remove.yml +++ b/roles/default/kiali-remove/tasks/resources-to-remove.yml @@ -65,14 +65,3 @@ metadata: namespace: "{{ kiali_vars_remove.deployment.namespace }}" name: {{ kiali_vars_remove.deployment.instance_name }} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - namespace: "{{ kiali_vars_remove.istio_namespace }}" - name: {{ kiali_vars_remove.deployment.instance_name }}-controlplane ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: "{{ kiali_vars_remove.istio_namespace }}" - name: {{ kiali_vars_remove.deployment.instance_name }}-controlplane