Installing Kiali In Anonymous and View-Only Mode Using Istioctl

Was looking for help installing Kiali dashboard with auth strategy anonymous as well as in view-only mode. I’ve installed kiali using istioctl. Was thinking I could pass the following flags during the generation of the manifest like:
--set values.kiali.dashboard.auth.strategy=anonymous --set values.kiali.dashboard.viewOnlyMode=true
but when I run this I get:
bad path=value (values.kiali.dashboard.auth.strategy=anonymous): unknown field “auth” in v1alpha1.KialiDashboardConfig

Even when I just pass the --set values.kiali.dashboard.viewOnlyMode=true, when I log in I’m still able to edit the istio-system configurations.

Does anyone know how to get Kiali in anonymous auth and view-only mode using istioctl?

Interestingly, looks like the view-only mode flag is missing from the istioctl template, but the auth.strategy one is there:

So I can see why the viewonly mode flag doesn’t work, but the auth.strategy should work. You should write up a GitHub issue on at least the view-only mode flag missing from the kiali configmap template. Check the kiali configmap and see if the auth strategy flag is set correctly.

Thanks for the reply. I generated a manifest file using the --set values.kiali.dashboard.viewOnlyMode=true and a second manifest file without the --set values.kiali.dashboard.viewOnlyMode=true. I then did a diff:

< name: istio-kiali-viewer-role-binding-istio-system

> name: kiali
7121c7121
< name: kiali-viewer

> name: kiali
7123,7125c7123,7125
< - kind: ServiceAccount
< name: kiali-service-account
< namespace: istio-system

> - kind: ServiceAccount
> name: kiali-service-account
> namespace: istio-system

So looks like it did add some things associated with view only mode. However when I launch the dashboard I can still edit and delete istio configuration files.
I can’t even generate a manifest file with the --set values.kiali.dashboard.auth.strategy=anonymous as I get the bad path error.

Oh, that’s right. The view-only flag doesn’t need to be in the configmap. That’s really a flag for the Kiali Operator (and in this case, the helm templates).

So the view-only mode is supposed to install Kiali with a role that only gives it read permissions (that’s what the kiali-viewer role is supposed to be - it’s supposed to be different than the kiali role - your diff seems to show it is not different other than the name).

This is the problem of having custom installation for kiali within istioctl and not using the kiali operator. The Kiali Operator handles the view only mode properly. Doesn’t look like the helm istioctl does.

I suggest you do not install kiali via istioctl. Install it via the Kiali Operator. For details on that, see: https://kiali.io/documentation/getting-started/
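An added example, not posted by anyone in this thread: a way to confirm that a view-only install really produced a read-only role, and that the viewer role is not just the full role under another name. It assumes each role has been exported as JSON (for example with `kubectl get clusterrole kiali-viewer -o json`); the function names and the sample rules are constructed for illustration.

```python
import json

READ_ONLY_VERBS = {"get", "list", "watch"}


def write_rules(role):
    """Return (targets, extra_verbs) for each rule granting more than read access."""
    findings = []
    for rule in role.get("rules") or []:
        # "*" is not in READ_ONLY_VERBS, so wildcard verbs are reported too.
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS
        if extra:
            targets = rule.get("resources") or rule.get("nonResourceURLs") or []
            findings.append((sorted(targets), sorted(extra)))
    return findings


def same_permissions(role_a, role_b):
    """True when both roles grant identical rules, ignoring list order."""
    def canon(role):
        return sorted(
            json.dumps({k: sorted(v) for k, v in rule.items()}, sort_keys=True)
            for rule in role.get("rules") or []
        )
    return canon(role_a) == canon(role_b)


# Constructed sample roles (illustrative rules, not copied from any chart).
ISTIO_CFG = {"apiGroups": ["networking.istio.io"],
             "resources": ["destinationrules", "virtualservices"]}
KIALI = {"metadata": {"name": "kiali"}, "rules": [
    {**ISTIO_CFG, "verbs": ["create", "delete", "get", "list", "patch", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]}
# A viewer role that differs from KIALI in name only, as the diff above suggests.
VIEWER_AS_RENDERED = {"metadata": {"name": "kiali-viewer"}, "rules": KIALI["rules"]}
# What a genuinely read-only viewer role looks like.
VIEWER_READ_ONLY = {"metadata": {"name": "kiali-viewer"}, "rules": [
    {**ISTIO_CFG, "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]}

if __name__ == "__main__":
    for role in (KIALI, VIEWER_AS_RENDERED, VIEWER_READ_ONLY):
        print(role["metadata"]["name"], write_rules(role) or "read-only")
    print("viewer identical to kiali:", same_permissions(KIALI, VIEWER_AS_RENDERED))
```

With anonymous auth, every visitor acts with whatever the bound role allows, so a non-empty result for the viewer role means the dashboard is not actually view-only.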

Yea, I looked at using the Kiali Operator earlier today. Based on the documentation, it says to run:
bash <(curl -L https://git.io/getLatestKialiOperator) --operator-install-kiali false
When I try this I get:
Using downloader: wget -q -O -
ERROR: Failed to determine latest Kiali release.
Make sure this URL is accessible and returning valid results:
https://api.github.com/repos/kiali/kiali/releases

Yes, installing Kiali separately gives you more control on your installation.
For example, here is a custom resource file that allows anonymous login:

# See:
# - https://kiali.io/documentation/getting-started
# - https://github.com/kiali/kiali/blob/f1187a590689f8cc1e75007550c7db0a20f2b951/operator/deploy/kiali/kiali_cr.yaml
apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  namespace: kiali-operator
spec:
  auth:
    strategy: anonymous
  deployment:
    image_version: v1.14.0
    accessible_namespaces:
      - '**'
    ingress_enabled: false
    namespace: istio-system
    secret_name: kiali
    service_type: NodePort
    view_only_mode: false
  external_services:
    grafana:
      enabled: false
      url: ''
    tracing:
      enabled: false
      url: ''
  identity:
    cert_file: ''
    private_key_file: ''
  kubernetes_config:
    excluded_workloads:
      - 'CronJob'
      - 'DeploymentConfig'
      - 'Job'
      - 'ReplicationController'

Then, you can install Kiali with:

bash <(curl -s -L https://git.io/getLatestKialiOperator) -an '**' -kcr kiali-cr.yaml

… and watch the installation progress with:

kubectl logs --namespace=kiali-operator --selector=app=kiali-operator \
  --container=operator --follow

Thanks for the response. Any idea why this error occurs when I try and install the operator?
ERROR: Failed to determine latest Kiali release.
Make sure this URL is accessible and returning valid results:
https://api.github.com/repos/kiali/kiali/releases

MacOS? Make sure you have installed the latest wget.

@mithomps knows the details - he ran into this a couple weeks ago. He just used the Mac installer to install the latest wget (or was it curl?) to get it to work.

Do you have ‘wget’ installed? I encountered this issue when wget was not installed.

https://github.com/kiali/kiali/blob/f1187a590689f8cc1e75007550c7db0a20f2b951/operator/deploy/deploy-kiali-operator.sh#L553

I remember removing the error indirection stuff from ‘wget > /dev/null 2>&1’ to see what the actual error I was getting was.

Ah ok. I already had wget version 1.19.4_1 installed. After upgrading to 1.20.3_2, I am no longer getting the ERROR: Failed to determine latest Kiali release. message

If you are on Istio 1.5, you might get an error when running kiali. See: https://github.com/kiali/kiali/issues/2440

Istio 1.5 no longer generates certs, so until Kiali 1.15 is released, try to pass in “-oiv latest -kiv latest” so the deploy script installs the latest Kiali (this is the latest master build). 1.15 should be released this week - definitely by beginning of next week.


We haven’t moved over to 1.5 as of yet. Still trying to get things up and running with 1.4.6

Version 1.14.0 of Kiali is compatible with Istio 1.14 (you can check other releases at https://github.com/kiali/kiali/releases)

To debug the installation script do:

# If this fails, you are missing wget, which is needed by the script anyway
wget https://git.io/getLatestKialiOperator

# This traces the script execution in case something goes wrong
bash -x getLatestKialiOperator -an '**' -kcr kiali-cr.yaml

Wow! Thank you all! Was able to get Kiali installed via the operator. Now trying to set up ingress for it so it can be accessed remotely

Is there a way to check if the kiali operator is already installed? Trying to automate the installation of the operator via Jenkins. I guess I could check for the existence of the kiali-operator namespace and then skip the stage to install the operator, but was wondering if there was some command I can run that will check, like the istioctl verify-install command.

Istio is not integrated with Kiali Operator at all and so istioctl knows nothing about the Kiali Operator.

The way you check if the Kiali Operator is installed is to see if you have the kialis.kiali.io CRD installed in your system:

$ kubectl get crd kialis.kiali.io
NAME              CREATED AT
kialis.kiali.io   2020-03-18T13:13:57Z

Any ideas of how to add node affinity to the kiali operator pod? Tried adding the following to the kiali-cr.yaml file:
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kops.k8s.io/instancegroup
              operator: In
              values:
                - my-job-nodes

Kiali operator doesn’t register with the node I’m trying to assign it to.

All Kiali CR settings are documented here.

You want spec.deployment.affinity.node - see: https://github.com/kiali/kiali/blob/ff1786aaee5e790bce8beb7ded30c77d7cdba686/operator/deploy/kiali/kiali_cr.yaml#L186-L193

Note that that only sets the node affinity for the kiali pod itself. There is no configuration for this for the operator itself.

Note that Kiali CR is configuration for Kiali (not the Kiali Operator). The operator is already deployed by the time you create a Kiali CR.

In operator parlance, the CR controls/configures the operand, not the operator.

Ah ok. Yes, would like the kiali-operator pod to run on a particular node. Here is that section of my kiali-cr.yaml:

 spec:
      auth:
        strategy: anonymous
      deployment:
        image_version: v1.14.0
        accessible_namespaces:
          - '**'
        ingress_enabled: false
        namespace: istio-system
        secret_name: kiali
        service_type: NodePort
        view_only_mode: true
        additional_service_yaml:
          ports:
          - name: web
            nodePort: 32381
            port: 20001
            protocol: TCP
            targetPort: 20001
        affinity:
          node:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: kops.k8s.io/instancegroup
                      operator: In
                      values:
                        - my-job-nodes
        tolerations: