. do not create things that need route if ingress is disabled

. abort if ingress is disabled but using openshift auth strategy
kiali · Dec 29, 2024 · ad91fe5 · ad91fe5
1 parent 1acbf39
commit ad91fe5
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 4 deletions.
diff --git a/molecule/common/tasks.yml b/molecule/common/tasks.yml
@@ -111,6 +111,8 @@
   when:
   - is_openshift == True
   - kiali_configmap.deployment.remote_cluster_resources_only == False
+  - kiali_route is defined
+  - kiali_route.resources | length > 0
 
 # To avoid problems with Ingress/Minikube conflicts, if installing multiple kiali instances set web_root to the instance name
 - name: Determine the Kiali Ingress URL on minikube

diff --git a/molecule/os-console-links-test/converge.yml b/molecule/os-console-links-test/converge.yml
@@ -13,6 +13,20 @@
       namespace_list:
       - "{{ istio.control_plane_namespace }}"
 
+  # The ingress is disabled at the start of this test - without this, the Route is not created and thus no ConsoleLinks are created
+  - name: Assert that there is no Route (and no ConsoleLinks) because the ingress was disabled
+    assert:
+      that:
+      - "{{ kiali_route.resources | length == 0 }}"
+      - "{{ query('k8s', kind='ConsoleLink', api_version='console.openshift.io/v1', errors='warn') | length == 0 }}"
+
+  # Turn on ingress which allows the creation of the Route and ConsoleLinks
+  - import_tasks: ../common/set_kiali_cr.yml
+    vars:
+      new_kiali_cr: "{{ kiali_cr | combine({'spec': {'deployment': {'ingress': {'enabled': true }}}}, recursive=True) }}"
+  - import_tasks: ../common/wait_for_kiali_cr_changes.yml
+  - import_tasks: ../common/tasks.yml
+
   # Test that there are no main masthead console links (we used to create these, but no longer)
   - name: Get app links if exist
     k8s_info:

diff --git a/molecule/os-console-links-test/kiali-cr.yaml b/molecule/os-console-links-test/kiali-cr.yaml
@@ -9,7 +9,7 @@ spec:
     strategy: {{ kiali.auth_strategy }}
   deployment:
     ingress:
-      enabled: true
+      enabled: false
     logger:
       log_level: debug
     namespace: {{ kiali.install_namespace }}

diff --git a/molecule/os-console-links-test/molecule.yml b/molecule/os-console-links-test/molecule.yml
@@ -31,7 +31,7 @@ provisioner:
           discovery_selectors:
           - matchLabels:
               kubernetes.io/metadata.name: istio-system
-          auth_strategy: openshift
+          auth_strategy: anonymous
           operator_namespace: "{{ 'kiali-operator' if (lookup('env', 'MOLECULE_OPERATOR_INSTALLER') | default('helm', True) == 'helm') else ('openshift-operators' if (query('kubernetes.core.k8s', kind='Namespace', resource_name='openshift-operators') | length > 0) else 'operators') }}" # if external operator, assume operator is in OLM location
           operator_image_name: "{{ 'image-registry.openshift-image-registry.svc:5000/kiali/kiali-operator' if lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_NAME') == 'dev' else (lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_NAME')|default('quay.io/kiali/kiali-operator', True)) }}"
           operator_version: "{{ lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_VERSION')|default('latest', True) }}"

diff --git a/roles/default/kiali-deploy/tasks/openshift/os-main.yml b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
@@ -109,17 +109,20 @@
 # what redirect URIs to use (see the above fail task to ensure the user does that).
 # All of this is to say: we only need to auto-discover the route when we are creating the Kiali Server itself (we do not
 # auto-discover the route when we are creating only the remote cluster resources).
+# We also don't expect the Route if it was disabled (which also disables other features like OAuthClient -- see https://github.com/kiali/kiali/issues/8023)
 - name: Get the Kiali Route URL
   include_tasks: openshift/os-get-kiali-route-url.yml
   when:
   - is_openshift == True
+  - kiali_vars.deployment.ingress.enabled|bool == True
   - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 
 - name: Process OpenShift OAuth client
   k8s:
     definition: "{{ lookup('template', 'templates/openshift/oauth.yaml') }}"
   when:
   - is_openshift == True
+  - kiali_vars.deployment.ingress.enabled|bool == True
   - kiali_vars.auth.strategy == "openshift"
 
 - name: Delete all ConsoleLinks for namespaces that are no longer accessible
@@ -147,6 +150,8 @@
     namespaces: "{{ discovery_selector_namespaces }}"
   when:
   - is_openshift == True
+  - has_openshift_console is defined
+  - has_openshift_console == True
+  - kiali_route_url is defined
   - kiali_vars.deployment.remote_cluster_resources_only|bool == False
-  - kiali_vars.deployment.cluster_wide_access == False
-  - openshift_version is version('4.3', '>=')
+  - kiali_vars.deployment.cluster_wide_access == False