be able to add containers to Kiali pod

fixes: kiali/kiali#5028
kiali · Oct 3, 2022 · a658bbe · a658bbe
1 parent 071020f
commit a658bbe
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 0 deletions.
diff --git a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
@@ -57,6 +57,7 @@ spec:
 
   deployment:
     accessible_namespaces: ["^((?!(istio-operator|kube-.*|openshift.*|ibm.*|kiali-operator)).)*$"]
+    additional_pod_containers_yaml: {}
     # default: additional_service_yaml is empty
     additional_service_yaml:
       externalName: "kiali.example.com"

diff --git a/crd-docs/crd/kiali.io_kialis.yaml b/crd-docs/crd/kiali.io_kialis.yaml
@@ -217,6 +217,10 @@ spec:
                     type: array
                     items:
                       type: string
+                  additional_pod_containers_yaml:
+                    description: "Additional containers to add to the list of pod containers. Use this to add sidecar(s) to the Kiali pod. Use with care since sidecars may cause the Kiali container itself to operate incorrectly. It is up to the user who added the additional containers to ensure it works properly inside the Kiali pod; Kiali makes no guarantee additional containers will work. You can utilize container environment variables to pass data to the containers via mounted custom secrets (see spec.deployment.custom_secrets)."
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                   additional_service_yaml:
                     description: "Additional custom yaml to add to the service definition. This is used mainly to customize the service type. For example, if the `deployment.service_type` is set to 'LoadBalancer' and you want to set the loadBalancerIP, you can do so here with: `additional_service_yaml: { 'loadBalancerIP': '78.11.24.19' }`. Another example would be if the `deployment.service_type` is set to 'ExternalName' you will need to configure the name via: `additional_service_yaml: { 'externalName': 'my.kiali.example.com' }`. A final example would be if external IPs need to be set: `additional_service_yaml: { 'externalIPs': ['80.11.12.10'] }`"
                     type: object

diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
@@ -264,6 +264,8 @@ spec:
                   value: "false"
                 - name: ALLOW_AD_HOC_KIALI_IMAGE
                   value: "false"
+                - name: ALLOW_AD_HOC_CONTAINERS
+                  value: "false"
                 - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
                   value: "false"
                 - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT

diff --git a/roles/default/kiali-deploy/defaults/main.yml b/roles/default/kiali-deploy/defaults/main.yml
@@ -52,6 +52,7 @@ kiali_defaults:
 
   deployment:
     accessible_namespaces: ["^((?!(istio-operator|kube-.*|openshift.*|ibm.*|kiali-operator)).)*$"]
+    additional_pod_containers_yaml: {}
     #additional_service_yaml:
     affinity:
       node: {}

diff --git a/roles/default/kiali-deploy/tasks/main.yml b/roles/default/kiali-deploy/tasks/main.yml
@@ -143,6 +143,13 @@
   # restrict to 40 chars, not 63, because instance_name is a prefix and we need to prepend additional chars for some resource names (like "-service-account")
   - kiali_vars.deployment.instance_name is not regex('^(?![0-9]+$)(?!-)[a-z0-9-]{,40}(?<!-)$')
 
+- name: Only allow ad-hoc containers when appropriate
+  fail:
+    msg: "The operator is forbidden from installing additional containers into the Kiali pod."
+  when:
+  - kiali_vars.deployment.additional_pod_containers_yaml|length > 0
+  - lookup('env', 'ALLOW_AD_HOC_CONTAINERS') | default('false', True) != "true"
+
 - set_fact:
     status_environment: "{{ status_environment | default({}) | combine({item.0: item.1}) }}"
   loop: "{{ data[0] | zip(data[1]) | list }}"

diff --git a/roles/default/kiali-deploy/tasks/snake_camel_case.yaml b/roles/default/kiali-deploy/tasks/snake_camel_case.yaml
@@ -176,3 +176,12 @@
   when:
   - kiali_vars.deployment.security_context is defined
   - kiali_vars.deployment.security_context | length > 0
+
+- name: Replace snake_case with camelCase in deployment.additional_pod_containers_yaml
+  set_fact:
+    kiali_vars: |
+      {% set a=kiali_vars['deployment'].pop('additional_pod_containers_yaml') %}
+      {{ kiali_vars | combine({'deployment': {'additional_pod_containers_yaml': current_cr.spec.deployment.additional_pod_containers_yaml }}, recursive=True) }}
+  when:
+  - kiali_vars.deployment.additional_pod_containers_yaml is defined
+  - kiali_vars.deployment.additional_pod_containers_yaml | length > 0
diff --git a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
@@ -125,6 +125,9 @@ spec:
           {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }}
 {% else %}
         resources: null
+{% endif %}
+{% if kiali_vars.deployment.additional_pod_containers_yaml|length > 0 %}
+      {{ kiali_vars.deployment.additional_pod_containers_yaml | to_nice_yaml(indent=0) | trim | indent(6) }}
 {% endif %}
       volumes:
       - name: kiali-configuration

diff --git a/roles/default/kiali-deploy/templates/openshift/deployment.yaml b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
@@ -129,6 +129,9 @@ spec:
           {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }}
 {% else %}
         resources: null
+{% endif %}
+{% if kiali_vars.deployment.additional_pod_containers_yaml|length > 0 %}
+      {{ kiali_vars.deployment.additional_pod_containers_yaml | to_nice_yaml(indent=0) | trim | indent(6) }}
 {% endif %}
       volumes:
       - name: kiali-configuration