support operator config for controlling accessible namespaces (kiali#175

)
israel-hdez · Oct 26, 2022 · 14e18a7 · 14e18a7
1 parent 4241da9
commit 14e18a7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
@@ -75,6 +75,10 @@ spec:
           value: {{ .Values.allowAdHocKialiImage | quote }}
         - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
           value: {{ .Values.allowSecurityContextOverride | quote }}
+        - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
+          value: {{ or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.allowAllAccessibleNamespaces) | quote }}
+        - name: ACCESSIBLE_NAMESPACES_LABEL
+          value: {{ .Values.accessibleNamespacesLabel | quote }}
         - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
           value: "100"
         - name: ANSIBLE_DEBUG_LOGS

diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
@@ -39,6 +39,7 @@ watchNamespace: ""
 
 # Set to true if you want the operator to be able to create cluster roles. This is necessary
 # if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'.
+# Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
 # Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
 clusterRoleCreator: true
 
@@ -73,6 +74,23 @@ allowAdHocKialiImage: false
 # container and any attempt to override them will be ignored.
 allowSecurityContextOverride: false
 
+# allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
+# to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**'].
+# If this is false, the user must specify an explicit list of namespaces in the Kiali CR.
+# Setting this to "true" requires clusterRoleCreator to be "true" also.
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+allowAllAccessibleNamespaces: true
+
+# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
+# This value is either an empty string (which disables this feature) or a label name with an optional label value
+# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
+# spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause
+# the operator to abort the Kiali installation.
+# If just a label name (but no label value) is specified, the label value the operator will look for is the value of
+# the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name
+# of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
+accessibleNamespacesLabel: ""
+
 # For what a Kiali CR spec can look like, see:
 # https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
 cr: