From ad91fe5c06ab7e5cde58498cf8c41f51e672b5e7 Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Fri, 27 Dec 2024 04:29:42 -0500
Subject: [PATCH] . do not create things that need route if ingress is disabled . abort if ingress is disabled but using openshift auth strategy
---
 molecule/common/tasks.yml | 2 ++
 molecule/os-console-links-test/converge.yml | 14 ++++++++++++++
 molecule/os-console-links-test/kiali-cr.yaml | 2 +-
 molecule/os-console-links-test/molecule.yml | 2 +-
 .../kiali-deploy/tasks/openshift/os-main.yml | 9 +++++++--
 5 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/molecule/common/tasks.yml b/molecule/common/tasks.yml
index 4ed51f4f..6aec5b52 100644
--- a/molecule/common/tasks.yml
+++ b/molecule/common/tasks.yml
@@ -111,6 +111,8 @@ when: - is_openshift == True - kiali_configmap.deployment.remote_cluster_resources_only == False + - kiali_route is defined + - kiali_route.resources | length > 0 # To avoid problems with Ingress/Minikube conflicts, if installing multiple kiali instances set web_root to the instance name - name: Determine the Kiali Ingress URL on minikube
diff --git a/molecule/os-console-links-test/converge.yml b/molecule/os-console-links-test/converge.yml
index 4a528e54..4db6378b 100644
--- a/molecule/os-console-links-test/converge.yml
+++ b/molecule/os-console-links-test/converge.yml
@@ -13,6 +13,20 @@ namespace_list: - "{{ istio.control_plane_namespace }}" + # The ingress is disabled at the start of this test - without this, the Route is not created and thus no ConsoleLinks are created + - name: Assert that there is no Route (and no ConsoleLinks) because the ingress was disabled + assert: + that: + - "{{ kiali_route.resources | length == 0 }}" + - "{{ query('k8s', kind='ConsoleLink', api_version='console.openshift.io/v1', errors='warn') | length == 0 }}" + + # Turn on ingress which allows the creation of the Route and ConsoleLinks + - import_tasks: ../common/set_kiali_cr.yml + vars: + new_kiali_cr: "{{ kiali_cr | combine({'spec': {'deployment': {'ingress': {'enabled': true }}}}, recursive=True) }}" + - import_tasks: ../common/wait_for_kiali_cr_changes.yml + - import_tasks: ../common/tasks.yml + # Test that there are no main masthead console links (we used to create these, but no longer) - name: Get app links if exist k8s_info:
diff --git a/molecule/os-console-links-test/kiali-cr.yaml b/molecule/os-console-links-test/kiali-cr.yaml
index 2ed97d1b..d2f41c22 100644
--- a/molecule/os-console-links-test/kiali-cr.yaml
+++ b/molecule/os-console-links-test/kiali-cr.yaml
@@ -9,7 +9,7 @@ spec: strategy: {{ kiali.auth_strategy }} deployment: ingress: - enabled: true + enabled: false logger: log_level: debug namespace: {{ kiali.install_namespace }}
diff --git a/molecule/os-console-links-test/molecule.yml b/molecule/os-console-links-test/molecule.yml
index 9a0cb552..087a2f92 100644
--- a/molecule/os-console-links-test/molecule.yml
+++ b/molecule/os-console-links-test/molecule.yml
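Review bot: The new `assert` in the converge.yml hunk can pass without proving anything, because the ConsoleLink lookup is called with `errors='warn'`; if the API query fails, Ansible only prints a warning and the lookup yields an empty list, so `| length == 0` holds even though nothing was checked. Both `that:` entries are also wrapped in `"{{ ... }}"`, which Ansible flags for conditionals because the rendered string is evaluated a second time. I would write them as bare expressions and let a lookup failure fail the task: `- kiali_route.resources | length == 0` and `- query('k8s', kind='ConsoleLink', api_version='console.openshift.io/v1') | length == 0`. The ConsoleLink query is cluster-wide, so any link not owned by Kiali would also trip the assertion; that may be fine on a dedicated test cluster but is worth confirming.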
@@ -31,7 +31,7 @@ provisioner: discovery_selectors: - matchLabels: kubernetes.io/metadata.name: istio-system - auth_strategy: openshift + auth_strategy: anonymous operator_namespace: "{{ 'kiali-operator' if (lookup('env', 'MOLECULE_OPERATOR_INSTALLER') | default('helm', True) == 'helm') else ('openshift-operators' if (query('kubernetes.core.k8s', kind='Namespace', resource_name='openshift-operators') | length > 0) else 'operators') }}" # if external operator, assume operator is in OLM location operator_image_name: "{{ 'image-registry.openshift-image-registry.svc:5000/kiali/kiali-operator' if lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_NAME') == 'dev' else (lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_NAME')|default('quay.io/kiali/kiali-operator', True)) }}" operator_version: "{{ lookup('env', 'MOLECULE_KIALI_OPERATOR_IMAGE_VERSION')|default('latest', True) }}"
diff --git a/roles/default/kiali-deploy/tasks/openshift/os-main.yml b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
index a64d8e0e..54f1d7ed 100644
--- a/roles/default/kiali-deploy/tasks/openshift/os-main.yml
+++ b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
@@ -109,10 +109,12 @@ # what redirect URIs to use (see the above fail task to ensure the user does that). # All of this is to say: we only need to auto-discover the route when we are creating the Kiali Server itself (we do not # auto-discover the route when we are creating only the remote cluster resources). +# We also don't expect the Route if it was disabled (which also disables other features like OAuthClient -- see https://github.com/kiali/kiali/issues/8023) - name: Get the Kiali Route URL include_tasks: openshift/os-get-kiali-route-url.yml when: - is_openshift == True + - kiali_vars.deployment.ingress.enabled|bool == True - kiali_vars.deployment.remote_cluster_resources_only|bool == False - name: Process OpenShift OAuth client
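Review bot: The switch to `auth_strategy: anonymous` in molecule.yml carries no comment explaining it, and it changes what this scenario covers: converge.yml later re-enables ingress so the Route is created, but the strategy stays anonymous, so the OAuthClient branch in os-main.yml (`kiali_vars.auth.strategy == "openshift"`) is never reached here. I would add a comment above the key such as `# anonymous because ingress starts disabled in this scenario, which the openshift strategy does not support`. Whether another molecule scenario still exercises openshift auth together with the Route and OAuthClient is not visible from this patch and should be confirmed.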
@@ -120,6 +122,7 @@ definition: "{{ lookup('template', 'templates/openshift/oauth.yaml') }}" when: - is_openshift == True + - kiali_vars.deployment.ingress.enabled|bool == True - kiali_vars.auth.strategy == "openshift" - name: Delete all ConsoleLinks for namespaces that are no longer accessible
@@ -147,6 +150,8 @@ namespaces: "{{ discovery_selector_namespaces }}" when: - is_openshift == True + - has_openshift_console is defined + - has_openshift_console == True + - kiali_route_url is defined - kiali_vars.deployment.remote_cluster_resources_only|bool == False - - kiali_vars.deployment.cluster_wide_access == False - - openshift_version is version('4.3', '>=') + - kiali_vars.deployment.cluster_wide_access == False \ No newline at end of file
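Review bot: In the "Process OpenShift OAuth client" task the added `kiali_vars.deployment.ingress.enabled|bool == True` condition turns the OAuthClient step into a silent skip when `auth.strategy` is `openshift` and ingress is off; the commit message promises an abort for that combination, but no hunk in this patch adds a fail task. Without one, the operator would apparently go on to deploy a server configured for OpenShift login with no OAuthClient behind it, and the user only finds out when login fails. A guard placed before the route lookup would surface the misconfiguration at reconcile time; a sketch follows, with the message wording open. The new condition also applies when `remote_cluster_resources_only` is true, where the surrounding comment says the user supplies the redirect URIs and no Route is discovered, so confirm that skipping (or aborting) there is intended. The task begins above the hunk.

```yaml
- name: Abort if the openshift auth strategy is requested while ingress is disabled
  fail:
    msg: "auth.strategy 'openshift' requires deployment.ingress.enabled to be true so that a Route exists for the OAuthClient redirect URIs."
  when:
    - is_openshift == True
    - kiali_vars.auth.strategy == "openshift"
    - kiali_vars.deployment.ingress.enabled|bool == False

# … unchanged: "Get the Kiali Route URL" and "Process OpenShift OAuth client" tasks …
```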
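Review bot: The last hunk of os-main.yml drops the `openshift_version is version('4.3', '>=')` gate from this ConsoleLinks task without any mention in the commit message, leaving `has_openshift_console` as the only platform check; where that fact is set is outside the hunk, and because of `is defined` a missing fact becomes a silent skip rather than an error. A short comment above the `when:` would record the intent, e.g. `# ConsoleLinks require the OpenShift Console and a Route URL, which is not discovered when ingress is disabled`. The file also now ends without a trailing newline (the `\ No newline at end of file` marker), which is why the unchanged `cluster_wide_access` line shows as removed and re-added; restoring the newline keeps the diff minimal. The task begins above the hunk.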