feat: upgrade Istio Knative and Kiali (#1736)

Co-authored-by: Ani Argjiri <[email protected]>

Author: srodenhuis

charts/istio-operator/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v1
 name: istio-operator
 # This version is never actually shipped. istio/release-builder will replace it at build-time
 # with the appropriate version
-version: 1.20.5
-appVersion: 1.20.5
+version: 1.0.0
+appVersion: 1.0.0
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio operator
 keywords:

charts/istio-operator/templates/clusterrole.yaml

@@ -35,6 +35,18 @@ rules:
   - '*'
   verbs:
   - '*'
+- apiGroups:
+  - telemetry.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - extensions.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
 # k8s groups
 - apiGroups:
   - admissionregistration.k8s.io

charts/istio-operator/values.yaml

@@ -1,5 +1,6 @@
+
 hub: docker.io/istio
-tag: 1.20.5
+tag: 1.22.1
 
 # ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
 # used to pull operator image. Must be set for any cluster configured with private docker registry.

charts/kiali-operator/Chart.yaml

@@ -1,20 +1,19 @@
 apiVersion: v2
-appVersion: v1.76.0
-description: Kiali is an open source project for service mesh observability, refer
-  to https://www.kiali.io for details.
+name: kiali-operator
+description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
+version: 1.86.1
+appVersion: v1.86.1
 home: https://github.com/kiali/kiali-operator
-icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+maintainers:
+- name: Kiali
+  email: [email protected]
+  url: https://kiali.io
 keywords:
 - istio
 - kiali
 - operator
-maintainers:
-- email: [email protected]
-  name: Kiali
-  url: https://kiali.io
-name: kiali-operator
 sources:
 - https://github.com/kiali/kiali
 - https://github.com/kiali/kiali-operator
 - https://github.com/kiali/helm-charts
-version: 1.76.0
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg

charts/kiali-operator/crds/crds.yaml

@@ -21,4 +21,4 @@ spec:
       openAPIV3Schema:
         type: object
         x-kubernetes-preserve-unknown-fields: true
-...
+---

charts/kiali-operator/templates/clusterrole.yaml

@@ -312,4 +312,4 @@ rules:
   - tokenreviews
   verbs:
   - create
-...
+---

charts/kiali-operator/templates/clusterrolebinding.yaml

@@ -13,4 +13,4 @@ roleRef:
   kind: ClusterRole
   name: {{ include "kiali-operator.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
-...
+---

charts/kiali-operator/templates/deployment.yaml

@@ -49,25 +49,22 @@ spec:
         args:
         - "--zap-log-level=info"
         - "--leader-election-id={{ include "kiali-operator.fullname" . }}"
-{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
-        - "--watches-file=./watches-os.yaml"
-{{- else }}
-        - "--watches-file=./watches-k8s.yaml"
-{{- end }}
+        - "--watches-file=./$(WATCHES_FILE)"
         securityContext:
         {{- if .Values.securityContext }}
         {{- toYaml .Values.securityContext | nindent 10 }}
         {{- else }}
           allowPrivilegeEscalation: false
           privileged: false
           runAsNonRoot: true
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - ALL
         {{- end }}
         volumeMounts:
-        - mountPath: /tmp/ansible-operator/runner
-          name: runner
+        - mountPath: /tmp
+          name: tmp
         env:
         - name: WATCH_NAMESPACE
           value: {{ .Values.watchNamespace | default "\"\""  }}
@@ -109,6 +106,20 @@ spec:
         {{- else }}
           value: "/etc/ansible/ansible.cfg"
         {{- end }}
+        - name: ANSIBLE_LOCAL_TEMP
+          value: "/tmp/ansible/tmp"
+        - name: ANSIBLE_REMOTE_TEMP
+          value: "/tmp/ansible/tmp"
+        - name: WATCHES_FILE
+{{- if .Values.watchesFile }}
+          value: "{{ .Values.watchesFile }}"
+{{- else }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+          value: "watches-os.yaml"
+{{- else }}
+          value: "watches-k8s.yaml"
+{{- end }}
+{{- end }}
         {{- if .Values.env }}
         {{- toYaml .Values.env | nindent 8 }}
         {{- end }}
@@ -120,8 +131,8 @@ spec:
         {{- toYaml .Values.resources | nindent 10 }}
         {{- end }}
       volumes:
-      - name: runner
+      - name: tmp
         emptyDir: {}
       affinity:
       {{- toYaml .Values.affinity | nindent 8 }}
-...
+---

charts/kiali-operator/templates/kiali-cr.yaml

@@ -18,5 +18,5 @@ metadata:
     {{- end }}
 spec:
   {{- toYaml .Values.cr.spec | nindent 2 }}
-...
+---
 {{ end }}

charts/kiali-operator/templates/ossmconsole-crd.yaml

@@ -30,5 +30,5 @@ spec:
       openAPIV3Schema:
         type: object
         x-kubernetes-preserve-unknown-fields: true
-...
+---
 {{- end }}

charts/kiali-operator/templates/serviceaccount.yaml

@@ -12,4 +12,4 @@ imagePullSecrets:
 - name: {{ . }}
 {{- end }}
 {{- end }}
-...
+---

charts/kiali-operator/values.yaml

@@ -2,8 +2,8 @@ nameOverride: ""
 fullnameOverride: ""
 
 image: # see: https://quay.io/repository/kiali/kiali-operator?tab=tags
-  repo: quay.io/kiali/kiali-operator # quay.io/kiali/kiali-operator
-  tag: v1.76.0 # version string like v1.39.0 or a digest hash
+  repo: ${HELM_IMAGE_REPO} # quay.io/kiali/kiali-operator
+  tag: ${HELM_IMAGE_TAG} # version string like v1.39.0 or a digest hash
   digest: "" # use "sha256" if tag is a sha256 hash (do NOT prefix this value with a "@")
   pullPolicy: Always
   pullSecrets: []
@@ -99,6 +99,14 @@ allowAllAccessibleNamespaces: true
 # of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
 accessibleNamespacesLabel: ""
 
+# watchesFile: If specified, this determines what watches file will be used to configure the operator. There are four different
+# files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`.
+# The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name
+# enable the operator to automatically update the Kiali Server with access to new namespaces as those namespaces are created in
+# the cluster. This namespace watching feature provides some advanced capabilities but is never required. It is also not
+# the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`.
+watchesFile: ""
+
 # For what a Kiali CR spec can look like, see:
 # https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
 cr: