Removing accessible namespaces as part of the new discovery selector …

…support.

part of: kiali/kiali#7546
part of KEP: https://github.com/kiali/kiali/blob/master/design/KEPS/namespace-discovery/proposal.md

README.adoc

@@ -65,7 +65,7 @@ helm uninstall -n kiali-operator kiali-operator
 
 ==== Overriding values
 
-You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "deployment.accessible_namespaces={bookinfo,demo2}"`. You can set individual list items using square brackets: `--set deployment.accessible_namespaces[0]=bookinfo`.
+You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "kubernetes_config.excluded_workloads={CronJob,Job}"`. You can set individual list items using square brackets: `--set kubernetes_config.excluded_workloads[0]=CronJob`.
 
 If you locally built and pushed your Kiali server and Kiali operator images to your cluster, you can have the helm chart installations pull those images by the following settings:
 

kiali-operator/templates/clusterrole.yaml

@@ -113,7 +113,7 @@ rules:
   - list
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources:
-  {{- if or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.clusterRoleCreator) }}
+  {{- if or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.clusterRoleCreator) }}
   - clusterrolebindings
   - clusterroles
   {{- end }}

kiali-operator/templates/deployment.yaml

@@ -87,9 +87,7 @@ spec:
         - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
           value: {{ .Values.allowSecurityContextOverride | quote }}
         - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
-          value: {{ or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.allowAllAccessibleNamespaces) | quote }}
-        - name: ACCESSIBLE_NAMESPACES_LABEL
-          value: {{ .Values.accessibleNamespacesLabel | quote }}
+          value: {{ or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.allowAllAccessibleNamespaces) | quote }}
         - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
           value: "100"
         - name: ANSIBLE_DEBUG_LOGS

kiali-operator/values.yaml

@@ -39,9 +39,9 @@ debug:
 watchNamespace: ""
 
 # Set to true if you want the operator to be able to create cluster roles. This is necessary
-# if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'.
+# if you want to support Kiali CRs with spec.deployment.cluster_wide_access=true.
 # Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
-# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 clusterRoleCreator: true
 
 # Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to
@@ -83,22 +83,12 @@ allowAdHocOSSMConsoleImage: false
 allowSecurityContextOverride: false
 
 # allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
-# to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**'].
-# If this is false, the user must specify an explicit list of namespaces in the Kiali CR.
+# to access all namespaces in the cluster via spec.deployment.cluster_wide_access=true.
+# If this is false, the user must specify an explicit set of namespaces in the Kiali CR via spec.deployment.discovery_selectors.
 # Setting this to "true" requires clusterRoleCreator to be "true" also.
-# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 allowAllAccessibleNamespaces: true
 
-# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
-# This value is either an empty string (which disables this feature) or a label name with an optional label value
-# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
-# spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause
-# the operator to abort the Kiali installation.
-# If just a label name (but no label value) is specified, the label value the operator will look for is the value of
-# the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name
-# of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
-accessibleNamespacesLabel: ""
-
 # watchesFile: If specified, this determines what watches file will be used to configure the operator. There are four different
 # files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`.
 # The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name
@@ -107,8 +97,7 @@ accessibleNamespacesLabel: ""
 # the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`.
 watchesFile: ""
 
-# For what a Kiali CR spec can look like, see:
-# https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
+# For what a Kiali CR spec can look like, see: https://kiali.io/docs/configuration/kialis.kiali.io/
 cr:
   create: false
   name: kiali
@@ -122,5 +111,4 @@ cr:
 
   spec:
     deployment:
-      accessible_namespaces:
-      - '**'
+      cluster_wide_access: true

kiali-server/templates/NOTES.txt

@@ -2,4 +2,19 @@ Welcome to Kiali! For more details on Kiali, see: https://kiali.io
 
 The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
 
+{{- if not .Values.deployment.cluster_wide_access }}
+===============
+!!! WARNING !!!
+===============
+This Kiali Server Helm Chart does NOT support "deployment.cluster_wide_access" set to "false"!
+
+This feature, as well as others, is only available when using the Kiali Operator to install
+the Kiali Server. It is for this reason this Kiali Server Helm Chart, while provided for
+convenience, is not the recommended installation mechanism for installing the Kiali Server.
+{{- end }}
+
+When installing with "deployment.cluster_wide_access=false" using this Kiali Server Helm Chart,
+it is your responsibility to manually create the proper Roles and RoleBindings for the Kiali Server
+to have the correct permissions to access the service mesh namespaces.
+
 (Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])

kiali-server/templates/_helpers.tpl

@@ -3,16 +3,10 @@
 {{/*
 Create a default fully qualified instance name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride.
-For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali,
-use fullnameOverride, otherwise use deployment.instance_name.
+To simulate the way the operator works, use deployment.instance_name.
 */}}
 {{- define "kiali-server.fullname" -}}
-{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }}
-  {{- .Values.fullnameOverride | trunc 63 }}
-{{- else }}
-  {{- .Values.deployment.instance_name | trunc 63 }}
-{{- end }}
+{{- .Values.deployment.instance_name | trunc 63 }}
 {{- end }}
 
 {{/*

kiali-server/templates/configmap.yaml

@@ -13,7 +13,7 @@ metadata:
 data:
   config.yaml: |
     {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
-    {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
+    {{- $cm := omit .Values "kiali_route_url" }}
     {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
     {{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
     {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}

kiali-server/values.yaml

@@ -1,10 +1,3 @@
-# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
-# This is only supported for backward compatibility and will be removed in a future version.
-# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
-# then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
-# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
-fullnameOverride: "kiali"
-
 # This is required for "openshift" auth strategy.
 # You have to know ahead of time what your Route URL will be because
 # right now the helm chart can't figure this out at runtime (it would
@@ -37,15 +30,14 @@ clustering:
   clusters: []
 
 deployment:
-  # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
-  # For more control over what the Kial Service Account can see, use the Kiali Operator
-  accessible_namespaces:
-  - "**"
   additional_service_yaml: {}
   affinity:
     node: {}
     pod: {}
     pod_anti: {}
+  # The Kiali server helm chart only supports cluster-wide access; setting cluster_wide_access to false is not supported.
+  # For more control over what the Kial Service Account can see, use the Kiali Operator.
+  cluster_wide_access: true
   configmap_annotations: {}
   custom_secrets: []
   dns: