kiali · jmazzitelli · May 2, 2022
diff --git a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
@@ -62,6 +62,7 @@ spec:
   deployment:
     # default: accessible_namespaces is undefined
     accessible_namespaces: [ "my-mesh.*" ]
+    additional_pod_containers_yaml: {}
     # default: additional_service_yaml is empty
     additional_service_yaml:
       externalName: "kiali.example.com"

diff --git a/crd-docs/crd/kiali.io_kialis.yaml b/crd-docs/crd/kiali.io_kialis.yaml
@@ -236,6 +236,10 @@ spec:
                     type: array
                     items:
                       type: string
+                  additional_pod_containers_yaml:
+                    description: "Additional containers to add to the list of pod containers. Use this to add sidecar(s) to the Kiali pod. Use with care since sidecars may cause the Kiali container itself to operate incorrectly. It is up to the user who added the additional containers to ensure it works properly inside the Kiali pod; Kiali makes no guarantee additional containers will work. You can utilize container environment variables to pass data to the containers via mounted custom secrets (see spec.deployment.custom_secrets)."
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                   additional_service_yaml:
                     description: "Additional custom yaml to add to the service definition. This is used mainly to customize the service type. For example, if the `deployment.service_type` is set to 'LoadBalancer' and you want to set the loadBalancerIP, you can do so here with: `additional_service_yaml: { 'loadBalancerIP': '78.11.24.19' }`. Another example would be if the `deployment.service_type` is set to 'ExternalName' you will need to configure the name via: `additional_service_yaml: { 'externalName': 'my.kiali.example.com' }`. A final example would be if external IPs need to be set: `additional_service_yaml: { 'externalIPs': ['80.11.12.10'] }`"
                     type: object

diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
@@ -290,6 +290,8 @@ spec:
                   value: "false"
                 - name: ALLOW_AD_HOC_OSSMCONSOLE_IMAGE
                   value: "false"
+                - name: ALLOW_AD_HOC_CONTAINERS
+                  value: "false"
                 - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
                   value: "false"
                 - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES

diff --git a/roles/default/kiali-deploy/defaults/main.yml b/roles/default/kiali-deploy/defaults/main.yml
@@ -57,6 +57,7 @@ kiali_defaults:
 
   deployment:
     accessible_namespaces: ["**"]
+    additional_pod_containers_yaml: {}
     #additional_service_yaml:
     affinity:
       node: {}

diff --git a/roles/default/kiali-deploy/tasks/main.yml b/roles/default/kiali-deploy/tasks/main.yml
@@ -152,6 +152,13 @@
   # restrict to 40 chars, not 63, because instance_name is a prefix and we need to prepend additional chars for some resource names (like "-service-account")
   - kiali_vars.deployment.instance_name is not regex('^(?![0-9]+$)(?!-)[a-z0-9-]{,40}(?<!-)$')
 
+- name: Only allow ad-hoc containers when appropriate
+  fail:
+    msg: "The operator is forbidden from installing additional containers into the Kiali pod."
+  when:
+  - kiali_vars.deployment.additional_pod_containers_yaml|length > 0
+  - lookup('env', 'ALLOW_AD_HOC_CONTAINERS') | default('false', True) != "true"
+
 - name: "Determine environment to store in status"
   set_fact:
     status_environment: "{{ status_environment | default({}) | combine({item.0: item.1}) }}"

diff --git a/roles/default/kiali-deploy/tasks/snake_camel_case.yaml b/roles/default/kiali-deploy/tasks/snake_camel_case.yaml
@@ -125,4 +125,9 @@
       {%   set kiali_vars=kiali_vars | combine({'deployment': {'security_context': current_cr.spec.deployment.security_context}}, recursive=True) %}
       {% endif %}
       {# #}
+      {# deployment.additional_pod_containers_yaml #}
+      {% if kiali_vars.deployment.additional_pod_containers_yaml is defined and kiali_vars.deployment.additional_pod_containers_yaml | length > 0 %}
+      {%   set _=kiali_vars['deployment'].pop('additional_pod_containers_yaml') %}
+      {%   set kiali_vars=kiali_vars | combine({'deployment': {'additional_pod_containers_yaml': current_cr.spec.deployment.additional_pod_containers_yaml }}, recursive=True) %}
+      {% endif %}
       {{ kiali_vars }}
diff --git a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
@@ -128,6 +128,9 @@ spec:
           {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }}
 {% else %}
         resources: null
+{% endif %}
+{% if kiali_vars.deployment.additional_pod_containers_yaml|length > 0 %}
+      {{ kiali_vars.deployment.additional_pod_containers_yaml | to_nice_yaml(indent=0) | trim | indent(6) }}
 {% endif %}
       volumes:
       - name: kiali-configuration

diff --git a/roles/default/kiali-deploy/templates/openshift/deployment.yaml b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
@@ -132,6 +132,9 @@ spec:
           {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }}
 {% else %}
         resources: null
+{% endif %}
+{% if kiali_vars.deployment.additional_pod_containers_yaml|length > 0 %}
+      {{ kiali_vars.deployment.additional_pod_containers_yaml | to_nice_yaml(indent=0) | trim | indent(6) }}
 {% endif %}
       volumes:
       - name: kiali-configuration