[Major] Code Freeze PR

.github/workflows/terraform-release.yaml

@@ -1,25 +1,20 @@
-name: Terraform CI/CD
+name: Terraform Module Release
 on:
   workflow_dispatch:
   pull_request:
     types: [closed]
     branches:
       - main
 jobs:
-  terraform-ci-cd:
-    runs-on: 229685449397
+  terraform-release:
+    runs-on: "229685449397"
     permissions:
       contents: write
 
     steps:
       - name: Checkout code
         uses: CSVD/gh-actions-checkout@v4
 
-      - name: Setup Terraform
-        uses: CSVD/gh-actions-setup-terraform@v3
-        with:
-          terraform_version: "1.9.1"
-
       - name: Setup GITHUB Credentials
         id: github_credentials
         uses: CSVD/gh-auth@main
@@ -28,28 +23,6 @@ jobs:
           github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
           github_app_id: ${{ vars.GH_APP_ID }}
 
-
-      - name: Debug Authentication
-        run: |
-          # Print the GitHub server URL
-          echo "GitHub Server URL: ${{ github.server_url }}"
-
-          # Extract the host from the URL
-          HOST="${{ github.server_url }}"
-          HOST="${HOST#*//}"
-          HOST="${HOST%%/*}"
-          echo "GitHub Host: $HOST"
-
-          # Check if token exists
-          if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then
-            echo "Token generated successfully"
-            # Test the token with a simple GitHub API call (without exposing the token)
-            STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user")
-            echo "API Test Status Code: $STATUS"
-          else
-            echo "No token was generated!"
-          fi
-
       - name: Setup GitHub CLI
         run: |
           # Force manual authentication since setup-git might not work with GitHub Enterprise
@@ -60,14 +33,8 @@ jobs:
           # Test GitHub CLI auth status
           gh auth status || echo "GitHub CLI authentication failed"
 
-      - name: AWS Auth
-        id: aws_auth
-        uses: CSVD/aws-auth@main
-        with:
-          ecs: true
-
-      - name: Run Terraform Module Release Action
-        uses: CSVD/terraform-module-release@main
+      - name: Run Release Action
+        uses: CSVD/releaser@main
         with:
           github-token: ${{ steps.github_credentials.outputs.github_token }}
           working-directory: '.'

.github/workflows/terraform-validate.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: Setup Terraform
         uses: CSVD/gh-actions-setup-terraform@v2
         with:
-          terraform_version: '1.7.3'
+          terraform_version: '1.10.5'
 
       - name: Validate Terraform Configuration
         id: validate

README.md

@@ -1,49 +1,66 @@
 # tfmod-kiali
 
+Kiali is a web console for the Istio Service Mesh. It is analogous to how the Kubernetes Dashboard is a web console for Kubernetes, ie. it is a web interface for viewing configurations and operations of the system. Additionally, the same as the Kubernetes Dashboard, we deploy Kiali in a read-only manner, given mesh objects should only be configured through code and pipelines, not modification through web or command line. Kiali provides a useful tool for reviewing configurations and topology, observing mesh health and performance, and tracing along with its associated details. Additional details about Kiali can be reviewed at the [Kiali website](https://kiali.io/).
+
+This module deploys and configures Kiali via its operator and integrates it with Istio and the other telemetry oriented tools of the cluster.
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.94.1 |
+| <a name="provider_aws.eecr"></a> [aws.eecr](#provider\_aws.eecr) | 5.94.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.3 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_images"></a> [images](#module\_images) | git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
-| <a name="module_ingress_resources"></a> [ingress\_resources](#module\_ingress\_resources) | git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio-service-ingress.git | main |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | <a name="input_cluster_domain"></a> [cluster\_domain](#input\_cluster\_domain) | The domain name used to reference ingresses for the cluster | `string` | n/a | yes |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster into which the tools are deployed. | `string` | n/a | yes |
+| <a name="input_eecr_info"></a> [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information | <pre>object({<br/>    account_id = string<br/>    alias      = string<br/>    profile    = string<br/>    region     = string<br/>  })</pre> | <pre>{<br/>  "account_id": "269222635945",<br/>  "alias": "lab-gov-shared-nonprod",<br/>  "profile": "269222635945-lab-gov-shared-nonprod",<br/>  "region": "us-gov-east-1"<br/>}</pre> | no |
 | <a name="input_grafana_internal_url"></a> [grafana\_internal\_url](#input\_grafana\_internal\_url) | The url within the cluster to use to access grafana. | `string` | n/a | yes |
-| <a name="input_grafana_public_url"></a> [grafana\_public\_url](#input\_grafana\_public\_url) | The URL incoming traffic from outisde the cluster uses to access grafana. | `string` | n/a | yes |
 | <a name="input_grafana_secret_name"></a> [grafana\_secret\_name](#input\_grafana\_secret\_name) | The secret in the <grafana\_namespace> holding the grafana admin password. | `string` | n/a | yes |
+| <a name="input_grafana_service_name"></a> [grafana\_service\_name](#input\_grafana\_service\_name) | The name of the service used for grafana. | `string` | `"grafana"` | no |
 | <a name="input_istio_namespace"></a> [istio\_namespace](#input\_istio\_namespace) | The namespace where istio has been deployed. | `string` | `"istio-system"` | no |
 | <a name="input_kiali_application_version"></a> [kiali\_application\_version](#input\_kiali\_application\_version) | The version of kiali to install | `string` | `"v1.73.0"` | no |
 | <a name="input_kiali_operator_version"></a> [kiali\_operator\_version](#input\_kiali\_operator\_version) | The version of kiali to install | `string` | `"1.73.0"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"namespace"` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no |
 | <a name="input_prometheus_internal_url"></a> [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | region name | `string` | `"us-gov-east-1"` | no |
 | <a name="input_service_name"></a> [service\_name](#input\_service\_name) | The name of the service for Kiali. | `string` | `"kiali"` | no |
+| <a name="input_tempo_datasource_id"></a> [tempo\_datasource\_id](#input\_tempo\_datasource\_id) | The UID of the created Tempo datasource | `string` | n/a | yes |
+| <a name="input_tempo_internal_url"></a> [tempo\_internal\_url](#input\_tempo\_internal\_url) | The url within the cluster to use to query tempo tracing. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -52,5 +69,5 @@
 | <a name="output_internal_endpoint"></a> [internal\_endpoint](#output\_internal\_endpoint) | The internal endpoint to use to access kiali |
 | <a name="output_module_name"></a> [module\_name](#output\_module\_name) | The name of this module. |
 | <a name="output_module_version"></a> [module\_version](#output\_module\_version) | The version of this module. |
-| <a name="output_public_endpoint"></a> [public\_endpoint](#output\_public\_endpoint) | The endpoint at which keycloak can be reached from outside the cluster. |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | The namespace in which kiali gets installed in. |
 <!-- END_TF_DOCS -->

copy_images.tf

@@ -1,6 +1,7 @@
 locals {
   kiali_operator_key = format("%v#%v", "istio-tools/kiali-operator", var.kiali_application_version)
   kiali_server_key   = format("%v#%v", "istio-tools/kiali", var.kiali_application_version)
+  ent_ecr_source     = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
 
   image_config = [
     ## Images for Kiali
@@ -9,7 +10,7 @@ locals {
       dest_path       = null
       name            = "istio-tools/kiali-operator"
       source_image    = "kiali/kiali-operator"
-      source_registry = "quay.io"
+      source_registry = format("%v/%v", local.ent_ecr_source, "quay")
       source_tag      = var.kiali_application_version
       tag             = var.kiali_application_version
     },
@@ -18,7 +19,7 @@ locals {
       dest_path       = null
       name            = "istio-tools/kiali"
       source_image    = "kiali/kiali"
-      source_registry = "quay.io"
+      source_registry = format("%v/%v", local.ent_ecr_source, "quay")
       source_tag      = var.kiali_application_version
       tag             = var.kiali_application_version
     },
@@ -33,7 +34,29 @@ module "images" {
   image_config     = local.image_config
   tags             = {}
 
-  enable_lifecycle_policy = true
-  lifecycle_policy_all    = true
-  force_delete            = true
+  enable_lifecycle_policy     = true
+  lifecycle_policy_all        = true
+  force_delete                = true
+  lifecycle_policy_keep_count = 5
+
+  source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+  source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+  destination_username = data.aws_ecr_authorization_token.token.user_name
+  destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "token" {
+  registry_id = var.account_id
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+  provider    = aws.eecr
+  registry_id = var.eecr_info.account_id
+}
+
+provider "aws" {
+  alias   = "eecr"
+  profile = var.eecr_info.profile
+  region  = var.eecr_info.region
 }

kiali-operator/Chart.yaml

@@ -1,20 +1,19 @@
 apiVersion: v2
-appVersion: v2.7.1
-description: Kiali is an open source project for service mesh observability, refer
-  to https://www.kiali.io for details.
+name: kiali-operator
+description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
+version: 0.0.0
+appVersion: 0.0.0
 home: https://github.com/kiali/kiali-operator
-icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+maintainers:
+- name: Kiali
+  email: kiali-users@googlegroups.com
+  url: https://kiali.io
 keywords:
 - istio
 - kiali
 - operator
-maintainers:
-- email: kiali-users@googlegroups.com
-  name: Kiali
-  url: https://kiali.io
-name: kiali-operator
 sources:
 - https://github.com/kiali/kiali
 - https://github.com/kiali/kiali-operator
 - https://github.com/kiali/helm-charts
-version: 2.7.1
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg

kiali-operator/templates/_helpers.tpl

@@ -36,7 +36,6 @@ Common labels
 */}}
 {{- define "kiali-operator.labels" -}}
 helm.sh/chart: {{ include "kiali-operator.chart" . }}
-app: {{ include "kiali-operator.name" . }}
 {{ include "kiali-operator.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 version: {{ .Chart.AppVersion | quote }}

kiali-server/Chart.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v2
+name: kiali
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

kiali-server/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kiali.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kiali.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kiali.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kiali.labels" -}}
+helm.sh/chart: {{ include "kiali.chart" . }}
+{{ include "kiali.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kiali.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kiali.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kiali.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kiali.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

kiali-server/templates/kiali.yaml

@@ -0,0 +1,38 @@
+apiVersion: kiali.io/v1alpha1
+kind: Kiali
+metadata:
+  name: {{ include "kiali.fullname" . }}
+  labels:
+    {{- include "kiali.labels" . | nindent 4 }}
+spec:
+  istio_namespace: {{ .Values.istioNamespace }}
+  auth:
+    strategy: {{ .Values.auth.strategy }}
+  deployment:
+    cluster_wide_access: true
+    view_only_mode: {{ .Values.deployment.view_only_mode }}
+  external_services:
+    prometheus:
+      enabled: true
+      auth:
+        insecure_skip_verify: true
+      url: {{ .Values.prometheus.url }}
+    grafana:
+      enabled: true
+      auth:
+        insecure_skip_verify: true
+      # auth:
+      #   type: basic
+      #   username: "admin"
+      #   password: secret:{{ .Values.grafana.secretName }}:{{ .Values.grafana.passwordKey }}
+      external_url: {{ .Values.grafana.externalUrl }}
+      internal_url: {{ .Values.grafana.internalUrl }}
+    tracing:
+      enabled: true
+      internal_url: {{ .Values.tracing.internalUrl }}
+      use_grpc: false
+      provider: "tempo"
+      tempo_config:
+        org_id: "1"
+        datasource_uid: {{ .Values.tracing.tempo_config.datasource_uid }}
+        url_format: "grafana"