be able to add containers to Kiali pod

jmazzitelli · jmazzitelli · commit a658bbe0f7d5 · 2022-10-03T11:09:33.000-04:00
fixes: kiali/kiali#5028
diff --git a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
@@ -57,6 +57,7 @@ spec:
 
   deployment:
     accessible_namespaces: ["^((?!(istio-operator|kube-.*|openshift.*|ibm.*|kiali-operator)).)*$"]
+    additional_pod_containers_yaml: {}
     # default: additional_service_yaml is empty
     additional_service_yaml:
       externalName: "kiali.example.com"
diff --git a/crd-docs/crd/kiali.io_kialis.yaml b/crd-docs/crd/kiali.io_kialis.yaml
@@ -217,6 +217,10 @@ spec:
                     type: array
                     items:
                       type: string
+                  additional_pod_containers_yaml:
+                    description: "Additional containers to add to the list of pod containers. Use this to add sidecar(s) to the Kiali pod. Use with care since sidecars may cause the Kiali container itself to operate incorrectly. It is up to the user who added the additional containers to ensure it works properly inside the Kiali pod; Kiali makes no guarantee additional containers will work. You can utilize container environment variables to pass data to the containers via mounted custom secrets (see spec.deployment.custom_secrets)."
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                   additional_service_yaml:
                     description: "Additional custom yaml to add to the service definition. This is used mainly to customize the service type. For example, if the `deployment.service_type` is set to 'LoadBalancer' and you want to set the loadBalancerIP, you can do so here with: `additional_service_yaml: { 'loadBalancerIP': '78.11.24.19' }`. Another example would be if the `deployment.service_type` is set to 'ExternalName' you will need to configure the name via: `additional_service_yaml: { 'externalName': 'my.kiali.example.com' }`. A final example would be if external IPs need to be set: `additional_service_yaml: { 'externalIPs': ['80.11.12.10'] }`"
                     type: object
diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
@@ -264,6 +264,8 @@ spec:
                   value: "false"
                 - name: ALLOW_AD_HOC_KIALI_IMAGE
                   value: "false"
+                - name: ALLOW_AD_HOC_CONTAINERS
+                  value: "false"
                 - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
                   value: "false"
                 - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
diff --git a/roles/default/kiali-deploy/defaults/main.yml b/roles/default/kiali-deploy/defaults/main.yml
@@ -52,6 +52,7 @@ kiali_defaults:
 
   deployment:
     accessible_namespaces: ["^((?!(istio-operator|kube-.*|openshift.*|ibm.*|kiali-operator)).)*$"]
+    additional_pod_containers_yaml: {}
     #additional_service_yaml:
     affinity:
       node: {}
diff --git a/roles/default/kiali-deploy/tasks/main.yml b/roles/default/kiali-deploy/tasks/main.yml
@@ -143,6 +143,13 @@
   # restrict to 40 chars, not 63, because instance_name is a prefix and we need to prepend additional chars for some resource names (like "-service-account")
   - kiali_vars.deployment.instance_name is not regex('^(?![0-9]+$)(?!-)[a-z0-9-]{,40}(?<!-)$')
 
+- name: Only allow ad-hoc containers when appropriate
+  fail:
+    msg: "The operator is forbidden from installing additional containers into the Kiali pod."
+  when:
+  - kiali_vars.deployment.additional_pod_containers_yaml|length > 0
+  - lookup('env', 'ALLOW_AD_HOC_CONTAINERS') | default('false', True) != "true"
+
 - set_fact:
     status_environment: "{{ status_environment | default({}) | combine({item.0: item.1}) }}"
   loop: "{{ data[0] | zip(data[1]) | list }}"
diff --git a/roles/default/kiali-deploy/tasks/snake_camel_case.yaml b/roles/default/kiali-deploy/tasks/snake_camel_case.yaml
@@ -176,3 +176,12 @@
   when:
   - kiali_vars.deployment.security_context is defined
   - kiali_vars.deployment.security_context | length > 0
+
+- name: Replace snake_case with camelCase in deployment.additional_pod_containers_yaml
+  set_fact:
+    kiali_vars: |
+      {% set a=kiali_vars['deployment'].pop('additional_pod_containers_yaml') %}
+      {{ kiali_vars | combine({'deployment': {'additional_pod_containers_yaml': current_cr.spec.deployment.additional_pod_containers_yaml }}, recursive=True) }}
+  when:
+  - kiali_vars.deployment.additional_pod_containers_yaml is defined
+  - kiali_vars.deployment.additional_pod_containers_yaml | length > 0
diff --git a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
@@ -125,6 +125,9 @@ spec:
           {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }}
 {% else %}
         resources: null
+{% endif %}
+{% if kiali_vars.deployment.additional_pod_containers_yaml|length > 0 %}
+      {{ kiali_vars.deployment.additional_pod_containers_yaml | to_nice_yaml(indent=0) | trim | indent(6) }}
 {% endif %}
       volumes:
       - name: kiali-configuration
diff --git a/roles/default/kiali-deploy/templates/openshift/deployment.yaml b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
@@ -129,6 +129,9 @@ spec:
           {{ kiali_vars.deployment.resources | to_nice_yaml(indent=0) | trim | indent(10) }}
 {% else %}
         resources: null
+{% endif %}
+{% if kiali_vars.deployment.additional_pod_containers_yaml|length > 0 %}
+      {{ kiali_vars.deployment.additional_pod_containers_yaml | to_nice_yaml(indent=0) | trim | indent(6) }}
 {% endif %}
       volumes:
       - name: kiali-configuration
