diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
new file mode 100644
index 0000000..90910bc
--- /dev/null
+++ b/.github/workflows/terraform-release.yaml
@@ -0,0 +1,73 @@
+name: Terraform CI/CD
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [closed]
+ branches:
+ - main
+jobs:
+ terraform-ci-cd:
+ runs-on: 229685449397
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout code
+ uses: CSVD/gh-actions-checkout@v4
+
+ - name: Setup Terraform
+ uses: CSVD/gh-actions-setup-terraform@v3
+ with:
+ terraform_version: "1.9.1"
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
+ with:
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_app_id: ${{ vars.GH_APP_ID }}
+
+
+ - name: Debug Authentication
+ run: |
+ # Print the GitHub server URL
+ echo "GitHub Server URL: ${{ github.server_url }}"
+
+ # Extract the host from the URL
+ HOST="${{ github.server_url }}"
+ HOST="${HOST#*//}"
+ HOST="${HOST%%/*}"
+ echo "GitHub Host: $HOST"
+
+ # Check if token exists
+ if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then
+ echo "Token generated successfully"
+ # Test the token with a simple GitHub API call (without exposing the token)
+ STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user")
+ echo "API Test Status Code: $STATUS"
+ else
+ echo "No token was generated!"
+ fi
+
+ - name: Setup GitHub CLI
+ run: |
+ # Force manual authentication since setup-git might not work with GitHub Enterprise
+ echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+ gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+ rm /tmp/token.txt
+
+ # Test GitHub CLI auth status
+ gh auth status || echo "GitHub CLI authentication failed"
+
+ - name: AWS Auth
+ id: aws_auth
+ uses: CSVD/aws-auth@main
+ with:
+ ecs: true
+
+ - name: Run Terraform Module Release Action
+ uses: CSVD/terraform-module-release@main
+ with:
+ github-token: ${{ steps.github_credentials.outputs.github_token }}
+ working-directory: '.'
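Review bot: The GitHub App token is expanded straight into the shell script text in both the Debug Authentication step (the `curl` command line) and the Setup GitHub CLI step, which then writes it to `/tmp/token.txt` on a self-hosted runner; because `run` steps stop on the first failing command, a failed `gh auth login` leaves that file behind since `rm` never executes. Pass the token through `env:` and feed `gh` from stdin so it never appears in the generated script or on disk. Separately, `pull_request: types: [closed]` also fires for PRs closed without merging, so the job needs a guard such as `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true` before anything with `contents: write` runs. `CSVD/gh-auth@main`, `CSVD/aws-auth@main` and `CSVD/terraform-module-release@main` are mutable branch refs that handle the App private key and AWS credentials; pin them to a commit SHA.
```yaml
      - name: Setup GitHub CLI
        env:
          GH_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
        run: |
          # Token comes from the environment, never from the script text or a file on disk
          gh auth login --with-token --hostname "github.e.it.census.gov" <<< "$GH_TOKEN"
          gh auth status || echo "GitHub CLI authentication failed"
```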
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
new file mode 100644
index 0000000..04b96db
--- /dev/null
+++ b/.github/workflows/terraform-validate.yaml
@@ -0,0 +1,40 @@
+name: Terraform CI/CD
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [closed]
+ branches:
+ - main
+jobs:
+ terraform-ci-cd:
+ runs-on: 229685449397
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout code
+ uses: CSVD/gh-actions-checkout@v4
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
+ with:
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_app_id: ${{ vars.GH_APP_ID }}
+
+ - name: Setup GitHub CLI
+ run: |
+ # Force manual authentication since setup-git might not work with GitHub Enterprise
+ echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+ gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+ rm /tmp/token.txt
+
+ # Test GitHub CLI auth status
+ gh auth status || echo "GitHub CLI authentication failed"
+
+ - name: Run Release Action
+ uses: CSVD/releaser@main
+ with:
+ github-token: ${{ steps.github_credentials.outputs.github_token }}
+ working-directory: '.'
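Review bot: This workflow has the same `name: Terraform CI/CD` and the same `pull_request: types: [closed]` trigger on `main` as the release workflow added alongside it, so every closed PR runs both `CSVD/releaser@main` and the module-release action, while nothing here validates anything despite the filename — the `terraform fmt -check`, `terraform validate` and tflint steps from the deleted terragrunt-cicd.yml have no replacement. Either restore those checks here on `pull_request` (opened/synchronize) under `contents: read`, or rename the file and drop the duplicate release trigger. Whichever way it goes, guard the release step with `if: github.event.pull_request.merged == true` so a PR closed without merging does not cut a release. The token is also echoed into `/tmp/token.txt` from the expanded expression on a self-hosted runner; pass it via `env:` and `gh auth login --with-token --hostname "github.e.it.census.gov" <<< "$GH_TOKEN"` instead, and pin `CSVD/gh-auth@main` and `CSVD/releaser@main` to commit SHAs.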
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml
deleted file mode 100644
index a78523e..0000000
--- a/.github/workflows/terragrunt-cicd.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-name: 'Terraform Module CI'
-
-on:
- push:
- branches:
- - main
- paths:
- - '**/*.hcl'
- - '**/*.tf'
- pull_request:
- branches:
- - main
- paths:
- - '**/*.hcl'
- - '**/*.tf'
-
-permissions:
- contents: read
- pull-requests: write
-
-jobs:
- validate:
- name: 'Validate Module'
- runs-on: self-hosted
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_version: 1.5.0
-
- - name: Terraform Init
- run: |
- terraform init -backend=false
-
- - name: Terraform Format
- run: |
- terraform fmt -check
-
- - name: Terraform Validate
- run: |
- terraform validate
-
- - name: Run tflint
- uses: terraform-linters/setup-tflint@v3
- if: github.event_name == 'pull_request'
-
- - name: Lint Terraform
- if: github.event_name == 'pull_request'
- run: |
- tflint --format compact
-
- release:
- name: 'Create Release'
- needs: validate
- if: github.ref == 'refs/heads/main' && github.event_name == 'push'
- runs-on: self-hosted
- permissions:
- contents: write
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
- token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Setup Python
- uses: actions/setup-python@v4
- with:
- python-version: '3.9'
-
- - name: Install Commitizen
- run: |
- pip install commitizen
-
- - name: Configure Git
- run: |
- git config --local user.email "action@github.com"
- git config --local user.name "GitHub Action"
-
- - name: Bump Version and Generate Changelog
- id: cz
- run: |
- cz bump --yes
- echo "new_version=$(cz version --project)" >> $GITHUB_OUTPUT
- echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT
-
- - name: Create Release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: v${{ steps.cz.outputs.new_version }}
- release_name: Release v${{ steps.cz.outputs.new_version }}
- draft: false
- prerelease: false
- body: ${{ steps.cz.outputs.changelog }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a4f80c1..0b83d4d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,7 +37,7 @@ repos:
# Terraform Hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.96.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ rev: v1.98.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_fmt
args:
@@ -94,6 +94,6 @@ repos:
# - --hook-config=--parallelism-ci-cpu-cores=2
- repo: https://github.com/ljnsn/cz-conventional-gitmoji
- rev: v0.6.1
+ rev: v0.7.0
hooks:
- id: conventional-gitmoji
diff --git a/README.md b/README.md
index 271170e..6dce16e 100644
--- a/README.md
+++ b/README.md
@@ -19,19 +19,20 @@
| Name | Source | Version |
|------|--------|---------|
-| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
-| [ingress\_resources](#module\_ingress\_resources) | git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git | main |
+| [images](#module\_images) | git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
## Resources
| Name | Type |
|------|------|
+| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
| [cluster\_domain](#input\_cluster\_domain) | The domain name used to reference ingresses for the cluster | `string` | n/a | yes |
| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which the tools are deployed. | `string` | n/a | yes |
| [grafana\_internal\_url](#input\_grafana\_internal\_url) | The url within the cluster to use to access grafana. | `string` | n/a | yes |
@@ -43,7 +44,10 @@
| [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"namespace"` | no |
| [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no |
| [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes |
+| [region](#input\_region) | region name | `string` | `"us-gov-east-1"` | no |
| [service\_name](#input\_service\_name) | The name of the service for Kiali. | `string` | `"kiali"` | no |
+| [tempo\_datasource\_id](#input\_tempo\_datasource\_id) | The UID of the created Tempo datasource | `string` | n/a | yes |
+| [tempo\_internal\_url](#input\_tempo\_internal\_url) | The url within the cluster to use to query tempo tracing. | `string` | n/a | yes |
## Outputs
@@ -52,5 +56,5 @@
| [internal\_endpoint](#output\_internal\_endpoint) | The internal endpoint to use to access kiali |
| [module\_name](#output\_module\_name) | The name of this module. |
| [module\_version](#output\_module\_version) | The version of this module. |
-| [public\_endpoint](#output\_public\_endpoint) | The endpoint at which keycloak can be reached from outside the cluster. |
+| [namespace](#output\_namespace) | The namespace in which kiali gets installed in. |
diff --git a/copy_images.tf b/copy_images.tf
index acf2a39..82edd1e 100644
--- a/copy_images.tf
+++ b/copy_images.tf
@@ -1,6 +1,7 @@
locals {
kiali_operator_key = format("%v#%v", "istio-tools/kiali-operator", var.kiali_application_version)
kiali_server_key = format("%v#%v", "istio-tools/kiali", var.kiali_application_version)
+ # ent_ecr_source = format("%v.%v.%v.%v", var.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
image_config = [
## Images for Kiali
@@ -26,14 +27,29 @@ locals {
}
module "images" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/?ref=tf-upgrade"
+ source = "git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/?ref=tf-upgrade"
profile = var.profile
application_name = var.cluster_name
image_config = local.image_config
tags = {}
- enable_lifecycle_policy = true
- lifecycle_policy_all = true
- force_delete = true
+ enable_lifecycle_policy = true
+ lifecycle_policy_all = true
+ force_delete = true
+ lifecycle_policy_keep_count = 5
+
+ # source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+ # source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+ # destination_username = data.aws_ecr_authorization_token.token.user_name
+ # destination_password = data.aws_ecr_authorization_token.token.password
}
+
+# data "aws_ecr_authorization_token" "ecr_token" {
+# registry_id = var.account_id
+# }
+
+# data "aws_ecr_authorization_token" "token" {
+# registry_id = var.account_id
+# }
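Review bot: `?ref=tf-upgrade` on the `images` module source is a branch, not a tag or commit, so a `terraform init -upgrade` can silently pull different module code into a run that sets `force_delete = true` and applies an ECR lifecycle policy; pin it, e.g. `source = "git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/?ref=<tag-or-commit>"`. The commented-out `source_*`/`destination_*` inputs and the two `aws_ecr_authorization_token` data sources should either be removed or carry a comment explaining why they are parked; if they are ever re-enabled, note that `aws_ecr_authorization_token` stores the registry password in Terraform state, so the state backend then has to be handled as a secret. The README in this same change documents `account_id` defaulting to `""`, which presumably would not be a valid `registry_id` if those blocks are uncommented — worth confirming before they are revived.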
diff --git a/kiali-operator/Chart.yaml b/kiali-operator/Chart.yaml
new file mode 100644
index 0000000..b447748
--- /dev/null
+++ b/kiali-operator/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v2.7.1
+description: Kiali is an open source project for service mesh observability, refer
+ to https://www.kiali.io for details.
+home: https://github.com/kiali/kiali-operator
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- operator
+maintainers:
+- email: kiali-users@googlegroups.com
+ name: Kiali
+ url: https://kiali.io
+name: kiali-operator
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 2.7.1
diff --git a/kiali-operator/crds/crds.yaml b/kiali-operator/crds/crds.yaml
new file mode 100644
index 0000000..8e98412
--- /dev/null
+++ b/kiali-operator/crds/crds.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: kialis.kiali.io
+spec:
+ group: kiali.io
+ names:
+ kind: Kiali
+ listKind: KialiList
+ plural: kialis
+ singular: kiali
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+...
diff --git a/kiali-operator/templates/NOTES.txt b/kiali-operator/templates/NOTES.txt
new file mode 100644
index 0000000..4f22052
--- /dev/null
+++ b/kiali-operator/templates/NOTES.txt
@@ -0,0 +1,30 @@
+Welcome to Kiali! For more details on Kiali, see: https://kiali.io
+
+The Kiali Operator [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+
+{{- if .Values.cr.create }}
+ {{- if or (and (not .Values.watchNamespace) (not .Values.cr.namespace)) (and (.Values.watchNamespace) (eq .Values.watchNamespace .Release.Namespace)) (and (.Values.cr.namespace) (eq .Values.cr.namespace .Release.Namespace)) }}
+You have elected to install a Kiali CR in the same namespace as the operator [{{ .Release.Namespace }}]. You should be able to access Kiali soon.
+
+================================
+PLEASE READ THIS WARNING NOTICE:
+Because the Kiali CR lives in the same namespace as the operator, DO NOT uninstall the operator or delete the operator namespace without first removing the Kiali CR. If you do not follow this advice then the Kiali Operator deletion will hang indefinitely until you remove the finalizer from the Kiali CR, and then you may find your Kubernetes environment still has Kiali Server remnants left behind.
+================================
+ {{- else if .Values.watchNamespace }}
+You have elected to install a Kiali CR in the operator watch namespace [{{ .Values.watchNamespace }}]. You should be able to access Kiali soon.
+ {{- else if .Values.cr.namespace }}
+You have elected to install a Kiali CR in the namespace [{{ .Values.cr.namespace }}]. You should be able to access Kiali soon.
+ {{- else }}
+You have elected to install a Kiali CR. You should be able to access Kiali soon.
+ {{- end }}
+{{- else }}
+ {{- if (not .Values.watchNamespace) }}
+You have elected not to install a Kiali CR. You must first install a Kiali CR before you can access Kiali. The operator is watching all namespaces, so you can create the Kiali CR anywhere.
+ {{- else }}
+You have elected not to install a Kiali CR. You must first install a Kiali CR in the operator watch namespace [{{ .Values.watchNamespace }}] before you can access Kiali.
+ {{- end }}
+{{- end }}
+
+If you ever want to uninstall the Kiali Operator, remember to delete the Kiali CR first before uninstalling the operator to give the operator a chance to uninstall and remove all the Kiali Server resources.
+
+(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
diff --git a/kiali-server/templates/_helpers.tpl b/kiali-operator/templates/_helpers.tpl
similarity index 93%
rename from kiali-server/templates/_helpers.tpl
rename to kiali-operator/templates/_helpers.tpl
index 25040c8..ae2a13b 100644
--- a/kiali-server/templates/_helpers.tpl
+++ b/kiali-operator/templates/_helpers.tpl
@@ -1,4 +1,4 @@
----
+{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
@@ -38,9 +38,10 @@ Common labels
helm.sh/chart: {{ include "kiali.chart" . }}
{{ include "kiali.selectorLabels" . }}
{{- if .Chart.AppVersion }}
+version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: "kiali-operator"
{{- end }}
{{/*
diff --git a/kiali-operator/templates/clusterrole.yaml b/kiali-operator/templates/clusterrole.yaml
new file mode 100644
index 0000000..3e648e2
--- /dev/null
+++ b/kiali-operator/templates/clusterrole.yaml
@@ -0,0 +1,311 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kiali-operator.fullname" . }}
+ labels:
+ {{- include "kiali-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - pods
+ - serviceaccounts
+ - services
+ - services/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - patch
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - create
+ - list
+ - watch
+- apiGroups: [""]
+ resourceNames:
+ - kiali-signing-key
+ resources:
+ - secrets
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["apps"]
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["monitoring.coreos.com"]
+ resources:
+ - servicemonitors
+ verbs:
+ - create
+ - get
+- apiGroups: ["apps"]
+ resourceNames:
+ - kiali-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+- apiGroups: ["kiali.io"]
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["authorization.k8s.io"]
+ resources:
+ - selfsubjectaccessreviews
+ verbs:
+ - list
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ {{- if or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.clusterRoleCreator) }}
+ - clusterrolebindings
+ - clusterroles
+ {{- end }}
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["apiextensions.k8s.io"]
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["extensions", "networking.k8s.io"]
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ - routes/custom-host
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["oauth.openshift.io"]
+ resources:
+ - oauthclients
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["config.openshift.io"]
+ resources:
+ - clusteroperators
+ verbs:
+ - list
+ - watch
+- apiGroups: ["config.openshift.io"]
+ resourceNames:
+ - kube-apiserver
+ resources:
+ - clusteroperators
+ verbs:
+ - get
+- apiGroups: ["console.openshift.io"]
+ resources:
+ - consolelinks
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+# The permissions below are for OSSMC operator capabilities
+- apiGroups: ["console.openshift.io"]
+ resources:
+ - consoleplugins
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups: ["operator.openshift.io"]
+ resources:
+ - consoles
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
+# The permissions below are for Kiali itself; operator needs these so it can escalate when creating Kiali's roles
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if eq .Values.onlyViewOnlyMode false }}
+ - patch
+ {{- end }}
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if eq .Values.onlyViewOnlyMode false }}
+ - patch
+ {{- end }}
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if eq .Values.onlyViewOnlyMode false }}
+ - patch
+ {{- end }}
+- apiGroups:
+ - config.istio.io
+ - networking.istio.io
+ - authentication.istio.io
+ - rbac.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if eq .Values.onlyViewOnlyMode false }}
+ - create
+ - delete
+ - patch
+ {{- end }}
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if eq .Values.onlyViewOnlyMode false }}
+ - patch
+ {{- end }}
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+...
diff --git a/kiali-operator/templates/clusterrolebinding.yaml b/kiali-operator/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..747939b
--- /dev/null
+++ b/kiali-operator/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "kiali-operator.fullname" . }}
+ labels:
+ {{- include "kiali-operator.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-operator.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+roleRef:
+ kind: ClusterRole
+ name: {{ include "kiali-operator.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+...
diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
new file mode 100644
index 0000000..bd99ece
--- /dev/null
+++ b/kiali-operator/templates/deployment.yaml
@@ -0,0 +1,156 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "kiali-operator.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ {{- include "kiali-operator.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "kiali-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ name: {{ include "kiali-operator.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ # required for the operator SDK metric service selector
+ name: {{ include "kiali-operator.fullname" . }}
+ {{- include "kiali-operator.labels" . | nindent 8 }}
+ {{- if .Values.podLabels }}
+ {{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+ annotations:
+ prometheus.io/scrape: {{ .Values.metrics.enabled | quote }}
+ prometheus.io/path: /metrics
+ prometheus.io/port: "8080"
+ {{- if .Values.podAnnotations }}
+ {{- toYaml .Values.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "kiali-operator.fullname" . }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations:
+ {{- toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: operator
+ image: "{{ .Values.image.repo }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ end }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ args:
+ - "--zap-log-level=info"
+ - "--leader-election-id={{ include "kiali-operator.fullname" . }}"
+ - "--watches-file=./$(WATCHES_FILE)"
+ - "--health-probe-bind-address=:6789"
+ - "--metrics-bind-address=:8080"
+ terminationMessagePolicy: FallbackToLogsOnError
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 6789
+ periodSeconds: 30
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 6789
+ periodSeconds: 30
+ startupProbe:
+ httpGet:
+ path: /healthz
+ port: 6789
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ failureThreshold: 6
+ securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- else }}
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ env:
+ - name: WATCH_NAMESPACE
+ value: {{ .Values.watchNamespace | default "\"\"" }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ALLOW_AD_HOC_KIALI_NAMESPACE
+ value: {{ .Values.allowAdHocKialiNamespace | quote }}
+ - name: ALLOW_AD_HOC_KIALI_IMAGE
+ value: {{ .Values.allowAdHocKialiImage | quote }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ - name: ALLOW_AD_HOC_OSSMCONSOLE_IMAGE
+ value: {{ .Values.allowAdHocOSSMConsoleImage | quote }}
+{{- end }}
+ - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
+ value: {{ .Values.allowSecurityContextOverride | quote }}
+ - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
+ value: {{ or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.allowAllAccessibleNamespaces) | quote }}
+ - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
+ value: "100"
+ - name: ANSIBLE_DEBUG_LOGS
+ value: {{ .Values.debug.enabled | quote }}
+ - name: ANSIBLE_VERBOSITY_KIALI_KIALI_IO
+ value: {{ .Values.debug.verbosity | quote }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ - name: ANSIBLE_VERBOSITY_OSSMCONSOLE_KIALI_IO
+ value: {{ .Values.debug.verbosity | quote }}
+{{- end }}
+ - name: ANSIBLE_CONFIG
+ {{- if .Values.debug.enableProfiler }}
+ value: "/opt/ansible/ansible-profiler.cfg"
+ {{- else }}
+ value: "/etc/ansible/ansible.cfg"
+ {{- end }}
+ - name: ANSIBLE_LOCAL_TEMP
+ value: "/tmp/ansible/tmp"
+ - name: ANSIBLE_REMOTE_TEMP
+ value: "/tmp/ansible/tmp"
+ - name: WATCHES_FILE
+{{- if .Values.watchesFile }}
+ value: "{{ .Values.watchesFile }}"
+{{- else }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ value: "watches-os.yaml"
+{{- else }}
+ value: "watches-k8s.yaml"
+{{- end }}
+{{- end }}
+ {{- if .Values.env }}
+ {{- toYaml .Values.env | nindent 8 }}
+ {{- end }}
+ ports:
+ - name: http-metrics
+ containerPort: 8080
+ {{- if .Values.resources }}
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ affinity:
+ {{- toYaml .Values.affinity | nindent 8 }}
+...
diff --git a/kiali-operator/templates/kiali-cr.yaml b/kiali-operator/templates/kiali-cr.yaml
new file mode 100644
index 0000000..ef77353
--- /dev/null
+++ b/kiali-operator/templates/kiali-cr.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.cr.create }}
+---
+apiVersion: kiali.io/v1alpha1
+kind: Kiali
+metadata:
+ {{- if .Values.watchNamespace }}
+ namespace: "{{ .Values.watchNamespace }}"
+ {{- else if .Values.cr.namespace }}
+ namespace: "{{ .Values.cr.namespace }}"
+ {{- end }}
+ name: {{ .Values.cr.name }}
+ labels:
+ {{- include "kiali-operator.labels" . | nindent 4 }}
+ annotations:
+ ansible.sdk.operatorframework.io/verbosity: {{ .Values.debug.verbosity | quote }}
+ {{- if .Values.cr.annotations }}
+ {{- toYaml .Values.cr.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- toYaml .Values.cr.spec | nindent 2 }}
+...
+{{ end }}
diff --git a/kiali-operator/templates/ossmconsole-crd.yaml b/kiali-operator/templates/ossmconsole-crd.yaml
new file mode 100644
index 0000000..85a4a07
--- /dev/null
+++ b/kiali-operator/templates/ossmconsole-crd.yaml
@@ -0,0 +1,34 @@
+# The operator will watch resources of this kind and install OSSMC when one is found.
+# This CRD needs to be templated because we do not want it installed on non-OpenShift clusters.
+# However, the crds/ directory is not templated by Helm. See the Helm documentation on this here:
+# https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you
+# Therefore, this CRD declaration is in templates/. The operator helm chart does not create resources
+# of this kind, so this should be OK. Just realize if you uninstall the operator, this CRD will also
+# be uninstalled (and thus any existing OSSMC CR will also be purged).
+
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ossmconsoles.kiali.io
+spec:
+ group: kiali.io
+ names:
+ kind: OSSMConsole
+ listKind: OSSMConsoleList
+ plural: ossmconsoles
+ singular: ossmconsole
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+...
+{{- end }}
diff --git a/kiali-operator/templates/serviceaccount.yaml b/kiali-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..64e8238
--- /dev/null
+++ b/kiali-operator/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "kiali-operator.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ {{- include "kiali-operator.labels" . | nindent 4 }}
+{{- if .Values.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+...
diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
new file mode 100644
index 0000000..386b69a
--- /dev/null
+++ b/kiali-operator/values.yaml
@@ -0,0 +1,105 @@
+nameOverride: ""
+fullnameOverride: ""
+
+image: # see: https://quay.io/repository/kiali/kiali-operator?tab=tags
+ repo: quay.io/kiali/kiali-operator # quay.io/kiali/kiali-operator
+ tag: v2.7.1 # version string like v1.39.0 or a digest hash
+ digest: "" # use "sha256" if tag is a sha256 hash (do NOT prefix this value with a "@")
+ pullPolicy: Always
+ pullSecrets: []
+
+# Deployment options for the operator pod.
+nodeSelector: {}
+podAnnotations: {}
+podLabels: {}
+env: []
+tolerations: []
+resources:
+ requests:
+ cpu: "10m"
+ memory: "64Mi"
+affinity: {}
+replicaCount: 1
+priorityClassName: ""
+securityContext: {}
+
+# metrics.enabled: set to true if you want Prometheus to collect metrics from the operator
+metrics:
+ enabled: true
+
+# debug.enabled: when true the full ansible logs are dumped after each reconciliation run
+# debug.verbosity: defines the amount of details the operator will log (higher numbers are more noisy)
+# debug.enableProfiler: when true (regardless of debug.enabled), timings for the most expensive tasks will be logged after each reconciliation loop
+debug:
+ enabled: true
+ verbosity: "1"
+ enableProfiler: false
+
+# Defines where the operator will look for Kial CR resources. "" means "all namespaces".
+watchNamespace: ""
+
+# Set to true if you want the operator to be able to create cluster roles. This is necessary
+# if you want to support Kiali CRs with spec.deployment.cluster_wide_access=true.
+# Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
+clusterRoleCreator: true
+
+# Set to true if you want to allow the operator to only be able to install Kiali in view-only-mode.
+# The purpose for this setting is to allow you to restrict the permissions given to the operator itself.
+onlyViewOnlyMode: false
+
+# allowAdHocKialiNamespace tells the operator to allow a user to be able to install a Kiali CR in one namespace but
+# be able to install Kiali in another namespace. In other words, it will allow the Kiali CR spec.deployment.namespace
+# to be something other than the namespace where the CR is installed. You may want to disable this if you are
+# running in a multi-tenant scenario in which you only want a user to be able to install Kiali in the same namespace
+# where the user has permissions to install a Kiali CR.
+allowAdHocKialiNamespace: true
+
+# allowAdHocKialiImage tells the operator to allow a user to be able to install a custom Kiali image as opposed
+# to the image the operator will install by default. In other words, it will allow the
+# Kiali CR spec.deployment.image_name and spec.deployment.image_version to be configured by the user.
+# You may want to disable this if you do not want users to install their own Kiali images.
+allowAdHocKialiImage: false
+
+# allowAdHocOSSMConsoleImage tells the operator to allow a user to be able to install a custom OSSMC image as opposed
+# to the image the operator will install by default. In other words, it will allow the
+# OSSMConsole CR spec.deployment.imageName and spec.deployment.imageVersion to be configured by the user.
+# You may want to disable this if you do not want users to install their own OSSMC images.
+# This is only applicable when running on OpenShift.
+allowAdHocOSSMConsoleImage: false
+
+# allowSecurityContextOverride tells the operator to allow a user to be able to fully override the Kiali
+# container securityContext. If this is false, certain securityContext settings must exist on the Kiali
+# container and any attempt to override them will be ignored.
+allowSecurityContextOverride: false
+
+# allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
+# to access all namespaces in the cluster via spec.deployment.cluster_wide_access=true.
+# If this is false, the user must specify an explicit set of namespaces in the Kiali CR via spec.deployment.discovery_selectors.
+# Setting this to "true" requires clusterRoleCreator to be "true" also.
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
+allowAllAccessibleNamespaces: true
+
+# watchesFile: If specified, this determines what watches file will be used to configure the operator. There are four different
+# files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`.
+# The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name
+# enable the operator to automatically update the Kiali Server with access to new namespaces as those namespaces are created in
+# the cluster. This namespace watching feature provides some advanced capabilities but is never required. It is also not
+# the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`.
+watchesFile: ""
+
+# For what a Kiali CR spec can look like, see: https://kiali.io/docs/configuration/kialis.kiali.io/
+cr:
+ create: false
+ name: kiali
+ # If you elect to create a Kiali CR (--set cr.create=true)
+ # and the operator is watching all namespaces (--set watchNamespace="")
+ # then this is the namespace where the CR will be created (the default will be the operator namespace).
+ namespace: ""
+
+ # Annotations to place in the Kiali CR metadata.
+ annotations: {}
+
+ spec:
+ deployment:
+ cluster_wide_access: true
diff --git a/kiali-server/.helmignore b/kiali-server/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/kiali-server/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/kiali-server/templates/NOTES.txt b/kiali-server/templates/NOTES.txt
deleted file mode 100644
index c3b3453..0000000
--- a/kiali-server/templates/NOTES.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-1. Get the application URL by running these commands:
-
diff --git a/kiali-server/templates/kiali.yaml b/kiali-server/templates/kiali.yaml
index 5ecebd8..c408a51 100644
--- a/kiali-server/templates/kiali.yaml
+++ b/kiali-server/templates/kiali.yaml
@@ -19,7 +19,7 @@ spec:
url: {{ .Values.prometheus.url }}
grafana:
enabled: true
- auth:
+ auth:
insecure_skip_verify: true
# auth:
# type: basic
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
index f37e21b..dc3c460 100644
--- a/kiali-server/values.yaml
+++ b/kiali-server/values.yaml
@@ -19,17 +19,17 @@ grafana:
auth:
type: basic
username: "admin"
- secretName:
- passwordKey:
- externalUrl:
- internalUrl:
+ secretName:
+ passwordKey:
+ externalUrl:
+ internalUrl:
tracing:
enabled: true
- internalUrl:
+ internalUrl:
use_grpc: false
provider: "tempo"
tempo_config:
org_id: "1"
- datasource_uid:
+ datasource_uid:
url_format: "grafana"
diff --git a/main.tf b/main.tf
index cbcfed3..985e176 100644
--- a/main.tf
+++ b/main.tf
@@ -5,7 +5,7 @@ locals {
}
resource "helm_release" "kiali_operator" {
-
+
chart = "kiali-operator"
version = var.kiali_operator_version
name = "kiali-operator"
@@ -75,9 +75,9 @@ resource "helm_release" "kiali" {
helm_release.kiali_operator,
]
- chart = "./kiali-server"
- name = "kiali"
- namespace = var.namespace
+ chart = "./kiali-server"
+ name = "kiali"
+ namespace = var.namespace
set {
name = "auth.strategy"
diff --git a/variables.tf b/variables.tf
index 2168d18..be9f8b0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -77,3 +77,17 @@ variable "service_name" {
type = string
default = "kiali"
}
+
+# tflint-ignore: terraform_unused_declarations
+variable "account_id" {
+ description = "aws account number"
+ type = string
+ default = ""
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "region" {
+ description = "region name"
+ type = string
+ default = "us-gov-east-1"
+}
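Review bot: The new `account_id` variable accepts any string, including the empty default, so a mistyped or truncated account ID passes `terraform validate` and only surfaces wherever the value is eventually consumed; a `validation` block on the variable would reject it at plan time. The `tflint-ignore: terraform_unused_declarations` comments indicate both variables are currently unread in this module, so the check mainly protects future callers, but it is cheap and self-documenting. The descriptions are also bare lowercase fragments; `description = "AWS account ID (12 digits) of the target account; empty means unset."` and `description = "AWS region to deploy into."` would match the style of the existing `service_name` variable better. Both variable blocks are complete within the hunk.

```hcl
variable "account_id" {
  description = "AWS account ID (12 digits) of the target account; empty means unset."
  type        = string
  default     = ""

  validation {
    condition     = var.account_id == "" || can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be empty or a 12-digit AWS account ID."
  }
}
```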