no need for the list secrets perm - need to mount manually to file sy…

…stem (kiali#189)

part of: kiali/kiali#5738

kiali-server/templates/_helpers.tpl

@@ -170,4 +170,27 @@ Determine the root namespace - default is where Kiali is installed.
 {{- else }}
   {{- .Release.Namespace }}
 {{- end }}
+{{- end }}
+
+{{/*
+Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed.
+Returns a JSON dict whose keys are the cluster names and values are the cluster secret data.
+*/}}
+{{- define "kiali-server.remote-cluster-secrets" -}}
+{{- $theDict := dict }}
+{{- if .Values.kiali_feature_flags.clustering.autodetect_secrets.enabled }}
+  {{- $secretLabelToLookFor := (regexSplit "=" .Values.kiali_feature_flags.clustering.autodetect_secrets.label 2) }}
+  {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }}
+  {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }}
+  {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }}
+    {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }}
+      {{- $clusterName := $secret.metadata.name }}
+      {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "networking.istio.io/cluster")) }}
+        {{- $clusterName = get $secret.metadata.annotations "networking.istio.io/cluster" }}
+      {{- end }}
+      {{- $theDict = set $theDict $clusterName $secret.metadata.name }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $theDict | toJson }}
 {{- end }}

kiali-server/templates/deployment.yaml

@@ -127,6 +127,14 @@ spec:
         - name: {{ .name }}
           mountPath: "{{ .mount }}"
         {{- end }}
+        {{- range $key, $_ := (include "kiali-server.remote-cluster-secrets" .) | fromJson }}
+        - name: {{ $key }}
+          mountPath: "/kiali-remote-cluster-secrets/{{ $key }}"
+        {{- end }}
+        {{- range .Values.kiali_feature_flags.clustering.clusters }}
+        - name: {{ .name }}
+          mountPath: "/kiali-remote-cluster-secrets/{{ .name }}"
+        {{- end }}
         {{- if .Values.deployment.resources }}
         resources:
         {{- toYaml .Values.deployment.resources | nindent 10 }}
@@ -161,6 +169,16 @@ spec:
           secretName: {{ .name }}
           optional: {{ .optional | default false }}
       {{- end }}
+      {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }}
+      - name: {{ $key }}
+        secret:
+          secretName: {{ $val }}
+      {{- end }}
+      {{- range .Values.kiali_feature_flags.clustering.clusters }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secret_name }}
+      {{- end }}
       {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }}
       affinity:
         {{- if .Values.deployment.affinity.node }}

kiali-server/templates/role-controlplane.yaml

@@ -7,13 +7,6 @@ metadata:
   labels:
     {{- include "kiali-server.labels" . | nindent 4 }}
 rules:
-{{- if .Values.kiali_feature_flags.clustering.enabled }}
-- apiGroups: [""]
-  resources:
-  - secrets
-  verbs:
-  - list
-{{- end }}
 {{- if .Values.kiali_feature_flags.certificates_information_indicators.enabled }}
 - apiGroups: [""]
   resourceNames:

kiali-server/values.yaml

@@ -94,7 +94,10 @@ kiali_feature_flags:
     - cacerts
     - istio-ca-secret
   clustering:
-    enabled: true
+    autodetect_secrets:
+      enabled: true
+      label: "istio/multiCluster=true"
+    clusters: []
   disabled_features: []
   validations:
     ignore: ["KIA1201"]