Kiali CR Reference
Example CR
(all values shown here are the defaults unless otherwise noted)
apiVersion: kiali.io/v1alpha1
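kind: Kiali
metadata:
  name: kiali
  annotations:
    ansible.sdk.operatorframework.io/verbosity: "1"
spec:
  additional_display_details:
    - title: "API Documentation"
      annotation: "kiali.io/api-spec"
      icon_annotation: "kiali.io/api-type"
  installation_tag: ""
  istio_namespace: ""
  version: "default"
  auth:
    # default: strategy is empty, which resolves to "openshift" on OpenShift
    # and to "token" on other Kubernetes environments
    strategy: ""
    openid:
      # default: additional_request_params is empty
      additional_request_params:
        openIdReqParam: "openIdReqParamValue"
      # default: allowed_domains is an empty list
      allowed_domains: ["allowed.domain"]
      api_proxy: ""
      api_proxy_ca_data: ""
      api_token: "id_token"
      authentication_timeout: 300
      authorization_endpoint: ""
      client_id: ""
      disable_rbac: false
      http_proxy: ""
      https_proxy: ""
      insecure_skip_verify_tls: false
      issuer_uri: ""
      scopes: ["openid", "profile", "email"]
      username_claim: "sub"
    openshift:
      # redirect_uris:
      # token_inactivity_timeout:
      # token_max_age:
  clustering:
    autodetect_secrets:
      enabled: true
      label: "kiali.io/multiCluster=true"
    clusters: []
    kiali_urls: []
  # default: custom_dashboards is an empty list
  custom_dashboards:
    - name: "envoy"
  deployment:
    # default: additional_service_yaml is empty
    additional_service_yaml:
      externalName: "kiali.example.com"
    affinity:
      # default: node is empty
      node:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: kubernetes.io/e2e-az-name
                  operator: In
                  values:
                    - e2e-az1
                    - e2e-az2
      # default: pod is empty
      pod:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: security
                  operator: In
                  values:
                    - S1
            topologyKey: topology.kubernetes.io/zone
      # default: pod_anti is empty
      pod_anti:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: security
                    operator: In
                    values:
                      - S2
              topologyKey: topology.kubernetes.io/zone
    # must stay true while discovery_selectors.default is unset; to limit the
    # namespaces Kiali is granted access to, set false and define discovery_selectors.default
    cluster_wide_access: true
    # default: configmap_annotations is empty
    configmap_annotations:
      strategy.spinnaker.io/versioned: "false"
    # default: custom_envs is an empty list
    custom_envs:
      - name: "HTTP_PROXY"
        value: "http://my.proxy.com:1234"
      - name: "NO_PROXY"
        value: "hostname.example.com"
    # default: custom_secrets is an empty list
    # (secret names and mount paths must not collide with those the operator creates or uses itself)
    custom_secrets:
      - name: "a-custom-secret"
        mount: "/a-custom-secret-path"
        optional: true
      - name: "a-csi-secret"
        mount: "/a-csi-secret-path"
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: kiali-secretprovider
    # default: discovery_selectors is empty
    discovery_selectors:
      default:
        - matchLabels:
            region: north
        - matchExpressions:
            - key: organization
              operator: "In"
              values: ["engineering", "accounting"]
        - matchLabels:
            region: south
          matchExpressions:
            - key: app
              operator: "DoesNotExist"
            - key: domain
              operator: "NotIn"
              values: ["production"]
      overrides:
        myRemoteCluster:
          - matchLabels:
              region: world
          - matchExpressions:
              - key: organization
                operator: "NotIn"
                values: ["marketing"]
          - matchLabels:
              region: antarctica
            matchExpressions:
              - key: app
                operator: "DoesNotExist"
              - key: domain
                operator: "In"
                values: ["staging"]
    dns:
      # default: config is empty
      config:
        options:
          - name: ndots
            value: "1"
      # default: policy is empty
      policy: "ClusterFirst"
    hpa:
      api_version: ""
      # default: spec is empty (no HPA is created); do not set scaleTargetRef, the operator populates it
      spec:
        maxReplicas: 2
        minReplicas: 1
        metrics:
          - type: Resource
            resource:
              name: cpu
              target:
                type: Utilization
                averageUtilization: 50
    # default: host_aliases is an empty list
    host_aliases:
      - ip: "192.168.1.100"
        hostnames:
          - "foo.local"
          - "bar.local"
    image_digest: ""
    image_name: ""
    # overridden to "Always" when image_version is "latest"
    image_pull_policy: "IfNotPresent"
    # default: image_pull_secrets is an empty list
    image_pull_secrets: ["image.pull.secret"]
    image_version: ""
    ingress:
      # default: additional_labels is empty
      additional_labels:
        ingressAdditionalLabel: "ingressAdditionalLabelValue"
      class_name: "nginx"
      # default: enabled is undefined (false on Kubernetes, true on OpenShift)
      enabled: false
      # default: override_yaml is undefined
      override_yaml:
        metadata:
          annotations:
            nginx.ingress.kubernetes.io/secure-backends: "true"
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        spec:
          rules:
            - http:
                paths:
                  - path: "/kiali"
                    pathType: Prefix
                    backend:
                      service:
                        name: "kiali"
                        port:
                          number: 20001
    # cannot be changed after the Kiali CR is created
    instance_name: "kiali"
    logger:
      log_level: "info"
      log_format: "text"
      sampler_rate: "1"
      time_field_format: "2006-01-02T15:04:05Z07:00"
    namespace: "istio-system"
    # default: node_selector is empty
    node_selector:
      nodeSelector: "nodeSelectorValue"
    # default: pod_annotations is empty
    pod_annotations:
      podAnnotation: "podAnnotationValue"
    # default: pod_labels is empty
    pod_labels:
      sidecar.istio.io/inject: "true"
    priority_class_name: ""
    probes:
      liveness:
        initial_delay_seconds: 5
        period_seconds: 30
      readiness:
        initial_delay_seconds: 5
        period_seconds: 30
      startup:
        failure_threshold: 6
        initial_delay_seconds: 30
        period_seconds: 10
    remote_cluster_resources_only: false
    replicas: 1
    # default: resources is undefined
    resources:
      requests:
        cpu: "10m"
        memory: "64Mi"
      limits:
        memory: "1Gi"
    secret_name: "kiali"
    security_context: {}
    # default: service_annotations is empty
    service_annotations:
      svcAnnotation: "svcAnnotationValue"
    # default: service_type is undefined
    service_type: "NodePort"
    # default: tolerations is an empty list
    tolerations:
      - key: "example-key"
        operator: "Exists"
        effect: "NoSchedule"
    version_label: ""
    view_only_mode: false
  # default: extensions is an empty list
  extensions:
    - enabled: true
      name: "skupper"
  external_services:
    custom_dashboards:
      discovery_auto_threshold: 10
      discovery_enabled: "auto"
      enabled: true
      is_core: false
      namespace_label: "namespace"
      prometheus:
        auth:
          ca_file: ""
          insecure_skip_verify: false
          password: ""
          token: ""
          type: "none"
          use_kiali_token: false
          username: ""
        cache_duration: 10
        cache_enabled: true
        cache_expiration: 300
        # default: custom_headers is empty
        custom_headers:
          customHeader1: "customHeader1Value"
        health_check_url: ""
        is_core: true
        # default: query_scope is empty
        query_scope:
          mesh_id: "mesh-1"
          cluster: "cluster-east"
        thanos_proxy:
          enabled: false
          retention_period: "7d"
          scrape_interval: "30s"
        url: ""
    grafana:
      auth:
        ca_file: ""
        insecure_skip_verify: false
        password: ""
        token: ""
        type: "none"
        use_kiali_token: false
        username: ""
      dashboards:
        - name: "Istio Service Dashboard"
          variables:
            namespace: "var-namespace"
            service: "var-service"
        - name: "Istio Workload Dashboard"
          variables:
            namespace: "var-namespace"
            workload: "var-workload"
        - name: "Istio Mesh Dashboard"
        - name: "Istio Control Plane Dashboard"
        - name: "Istio Performance Dashboard"
        - name: "Istio Wasm Extension Dashboard"
      enabled: true
      external_url: ""
      health_check_url: ""
      # default: internal_url is undefined
      internal_url: ""
      is_core: false
    istio:
      component_status:
        enabled: true
      config_map_name: "istio"
      egress_gateway_namespace: ""
      envoy_admin_local_port: 15000
      gateway_api_classes: []
      ingress_gateway_namespace: ""
      istio_api_enabled: true
      # default: istio_canary_revision is undefined
      istio_canary_revision:
        current: "1-9-9"
        upgrade: "1-10-2"
      istio_identity_domain: "svc.cluster.local"
      istio_injection_annotation: "sidecar.istio.io/inject"
      istio_sidecar_annotation: "sidecar.istio.io/status"
      istio_sidecar_injector_config_map_name: "istio-sidecar-injector"
      istiod_deployment_name: "istiod"
      istiod_pod_monitoring_port: 15014
      root_namespace: ""
      url_service_version: ""
    prometheus:
      auth:
        ca_file: ""
        insecure_skip_verify: false
        password: ""
        token: ""
        type: "none"
        use_kiali_token: false
        username: ""
      cache_duration: 10
      cache_enabled: true
      cache_expiration: 300
      # default: custom_headers is empty
      custom_headers:
        customHeader1: "customHeader1Value"
      health_check_url: ""
      is_core: true
      # default: query_scope is empty
      query_scope:
        mesh_id: "mesh-1"
        cluster: "cluster-east"
      thanos_proxy:
        enabled: false
        retention_period: "7d"
        scrape_interval: "30s"
      url: ""
    tracing:
      auth:
        ca_file: ""
        insecure_skip_verify: false
        password: ""
        token: ""
        type: "none"
        use_kiali_token: false
        username: ""
      # default: custom_headers is empty
      custom_headers:
        customHeader1: "customHeader1Value"
      enabled: false
      external_url: ""
      grpc_port: 9095
      health_check_url: ""
      internal_url: ""
      is_core: false
      namespace_selector: true
      provider: "jaeger"
      # default: query_scope is empty
      query_scope:
        mesh_id: "mesh-1"
        cluster: "cluster-east"
      query_timeout: 5
      tempo_config:
        datasource_uid: ""
        org_id: ""
        url_format: ""
      use_grpc: true
      whitelist_istio_system: ["jaeger-query", "istio-ingressgateway"]
  health_config:
    # default: rate is an empty list
    rate:
      - namespace: ".*"
        kind: ".*"
        name: ".*"
        tolerance:
          - protocol: "http"
            direction: ".*"
            code: "[1234]00"
            degraded: 5
            failure: 10
  identity:
    # default: cert_file is undefined
    cert_file: ""
    # default: private_key_file is undefined
    private_key_file: ""
  istio_labels:
    app_label_name: "app"
    egress_gateway_label: "istio=egressgateway"
    ingress_gateway_label: "istio=ingressgateway"
    injection_label_name: "istio-injection"
    injection_label_rev: "istio.io/rev"
    version_label_name: "version"
  kiali_feature_flags:
    disabled_features: []
    istio_annotation_action: true
    istio_injection_action: true
    istio_upgrade_action: false
    ui_defaults:
      graph:
        find_options:
          - description: "Find: slow edges (> 1s)"
            expression: "rt > 1000"
          - description: "Find: unhealthy nodes"
            expression: "! healthy"
          - description: "Find: unknown nodes"
            expression: "name = unknown"
        hide_options:
          - description: "Hide: healthy nodes"
            expression: "healthy"
          - description: "Hide: unknown nodes"
            expression: "name = unknown"
        traffic:
          grpc: "requests"
          http: "requests"
          tcp: "sent"
      i18n:
        language: "en"
        show_selector: false
      list:
        include_health: true
        include_istio_resources: true
        include_validations: true
        show_include_toggles: false
      metrics_per_refresh: "1m"
      # default: metrics_inbound is undefined
      metrics_inbound:
        aggregations:
          - display_name: "Istio Network"
            label: "topology_istio_io_network"
          - display_name: "Istio Revision"
            label: "istio_io_rev"
      # default: metrics_outbound is undefined
      metrics_outbound:
        aggregations:
          - display_name: "Istio Network"
            label: "topology_istio_io_network"
          - display_name: "Istio Revision"
            label: "istio_io_rev"
      # default: namespaces is an empty list
      namespaces: ["istio-system"]
      refresh_interval: "1m"
    validations:
      ignore: ["KIA1301"]
      skip_wildcard_gateway_hosts: false
  kubernetes_config:
    burst: 200
    cache_duration: 300
    cache_token_namespace_duration: 10
    excluded_workloads:
      - "CronJob"
      - "DeploymentConfig"
      - "Job"
      - "ReplicationController"
    qps: 175
  login_token:
    expiration_seconds: 86400
    # default: signing_key is empty; the operator then generates the key in a secret
    # named "kiali-signing-key", shared by all Kiali instances in the same deployment namespace
    signing_key: ""
  server:
    address: ""
    audit_log: true
    cors_allow_all: false
    gzip_enabled: true
    # default: node_port is undefined
    node_port: 32475
    observability:
      metrics:
        enabled: true
        port: 9090
      tracing:
        collector_type: "jaeger"
        collector_url: "http://jaeger-collector.istio-system:14268/api/traces"
        enabled: false
        otel:
          ca_name: ""
          protocol: "http"
          skip_verify: false
          tls_enabled: false
    port: 20001
    profiler:
      enabled: false
    web_fqdn: ""
    web_history_mode: ""
    web_port: ""
    web_root: ""
    web_schema: ""
    write_timeout: 30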
Validating your Kiali CR
A Kiali tool is available to allow you to check your own Kiali CR to ensure it is valid. Simply download the validation script and run it, passing in the location of the Kiali CRD you wish to validate with (e.g. the latest version is found here) and the location of your Kiali CR. You must be connected to/logged into a cluster for this validation tool to work.
For example, to validate a Kiali CR named `kiali` in the namespace `istio-system` using the latest version of the Kiali CRD, run the following:
bash <(curl -sL https://raw.githubusercontent.com/kiali/kiali-operator/master/crd-docs/bin/validate-kiali-cr.sh) \
  -crd https://raw.githubusercontent.com/kiali/kiali-operator/master/crd-docs/crd/kiali.io_kialis.yaml \
  --kiali-cr-name kiali \
  -n istio-system
If you wish to test your Kiali CR with an older version of Kiali, replace `master` in the above `-crd` option with the version you wish to test. For example, to test your Kiali CR with Kiali version v1.53.0, pass in the option `-crd https://raw.githubusercontent.com/kiali/kiali-operator/v1.53.0/crd-docs/crd/kiali.io_kialis.yaml` in the above command.
For additional help in using this validation tool, pass it the `--help` option.
Properties
.spec
This is the CRD for the resources called Kiali CRs. The Kiali Operator will watch for resources of this type and when it detects a Kiali CR has been added, deleted, or modified, it will install, uninstall, and update the associated Kiali Server installation. The settings here will configure the Kiali Server as well as the Kiali Operator. All of these settings will be stored in the Kiali ConfigMap. Do not modify the ConfigMap; it will be managed by the Kiali Operator. Only modify the Kiali CR when you want to change a configuration setting.
.spec.additional_display_details
A list of additional details that Kiali will look for in annotations. When found on any workload or service, Kiali will display the additional details in the respective workload or service details page. This is typically used to inject some CI metadata or documentation links into Kiali views. For example, by default, Kiali will recognize these annotations on a service or workload (e.g. a Deployment, StatefulSet, etc.):
annotations:
  kiali.io/api-spec: http://list/to/my/api/doc
  kiali.io/api-type: rest
Note that if you change this setting for your own custom annotations, keep in mind that it would override the current default. So you would have to add the default setting as shown in the example CR if you want to preserve the default links.
.spec.additional_display_details[*]
.spec.additional_display_details[*].annotation
The name of the annotation whose value is a URL to additional documentation useful to the user.
.spec.additional_display_details[*].icon_annotation
The name of the annotation whose value is used to determine what icon to display. The annotation name itself can be anything, but note that the value of that annotation must be one of: `rest`, `grpc`, or `graphql` - any other value is ignored.
.spec.additional_display_details[*].title
The title of the link that Kiali will display. The link will go to the URL specified in the value of the configured `annotation`.
.spec.auth
.spec.auth.openid
To learn more about these settings and how to configure the OpenId authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openid/
.spec.auth.openid.additional_request_params
.spec.auth.openid.allowed_domains
.spec.auth.openid.allowed_domains[*]
.spec.auth.openid.api_proxy
.spec.auth.openid.api_proxy_ca_data
.spec.auth.openid.api_token
.spec.auth.openid.authentication_timeout
.spec.auth.openid.authorization_endpoint
.spec.auth.openid.client_id
.spec.auth.openid.disable_rbac
.spec.auth.openid.http_proxy
.spec.auth.openid.https_proxy
.spec.auth.openid.insecure_skip_verify_tls
.spec.auth.openid.issuer_uri
.spec.auth.openid.scopes
.spec.auth.openid.scopes[*]
.spec.auth.openid.username_claim
.spec.auth.openshift
To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/
.spec.auth.openshift.redirect_uris
The OAuthClient redirect URIs. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `auth.strategy` set to `openshift`.
.spec.auth.openshift.redirect_uris[*]
.spec.auth.openshift.token_inactivity_timeout
Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting.
.spec.auth.openshift.token_max_age
A time duration in seconds that overrides the default OpenShift access token max age. If 0 then there will be no expiration of tokens.
.spec.auth.strategy
Determines what authentication strategy to use when users log into Kiali.
Options are `anonymous`, `token`, `openshift`, `openid`, or `header`.
- Choose `anonymous` to allow full access to Kiali without requiring any credentials.
- Choose `token` to allow access to Kiali using service account tokens, which controls access based on RBAC roles assigned to the service account.
- Choose `openshift` to use the OpenShift OAuth login which controls access based on the individual’s RBAC roles in OpenShift. Not valid for non-OpenShift environments.
- Choose `openid` to enable OpenID Connect-based authentication. Your cluster is required to be configured to accept the tokens issued by your IdP. There are additional required configurations for this strategy. See below for the additional OpenID configuration section.
- Choose `header` when Kiali is running behind a reverse proxy that will inject an Authorization header and potentially impersonation headers.
When empty, this value will default to `openshift` on OpenShift and `token` on other Kubernetes environments.
.spec.clustering
Multi-cluster related features.
.spec.clustering.autodetect_secrets
Settings to allow cluster secrets to be auto-detected. Secrets must exist in the Kiali deployment namespace.
.spec.clustering.autodetect_secrets.enabled
If true then remote cluster secrets will be autodetected during the installation of the Kiali Server Deployment. Any remote cluster secrets found in the Kiali deployment namespace will be mounted to the Kiali Server’s file system. If false, you can still manually specify the remote cluster secret information in the ‘clusters’ setting if you wish to utilize multicluster features.
.spec.clustering.autodetect_secrets.label
The name and value of a label that exists on all remote cluster secrets. Default is ‘kiali.io/multiCluster=true’.
.spec.clustering.clusters
A list of clusters that the Kiali Server can access. You need to specify the remote clusters here if ‘autodetect_secrets.enabled’ is false.
.spec.clustering.clusters[*]
.spec.clustering.clusters[*].name
The name of the cluster.
.spec.clustering.clusters[*].secret_name
The name of the secret that contains the credentials necessary to connect to the remote cluster. This secret must exist in the Kiali deployment namespace. If a secret name is not provided then it’s assumed that the cluster is inaccessible.
.spec.clustering.kiali_urls
A map between cluster name, instance name and namespace to a Kiali URL. Will be used when showing the Mesh page’s Kiali URLs. The Kiali service’s ‘kiali.io/external-url’ annotation will be overridden when this property is set.
.spec.clustering.kiali_urls[*]
.spec.clustering.kiali_urls[*].cluster_name
The name of the cluster.
.spec.clustering.kiali_urls[*].instance_name
The instance name of this Kiali installation. This should be the value used in `deployment.instance_name` for the Kiali resource name.
.spec.clustering.kiali_urls[*].namespace
The namespace into which Kiali is installed.
.spec.clustering.kiali_urls[*].url
The URL of Kiali in the cluster.
.spec.custom_dashboards
A list of user-defined custom monitoring dashboards that you can use to generate metrics charts for your applications. The server has some built-in dashboards; if you define a custom dashboard here with the same name as a built-in dashboard, your custom dashboard takes precedence and will overwrite the built-in dashboard. You can disable one or more of the built-in dashboards by simply defining an empty dashboard.
An example of an additional user-defined dashboard,
- name: myapp
  title: My App Metrics
  items:
    - chart:
        name: "Thread Count"
        spans: 4
        metricName: "thread-count"
        dataType: "raw"
An example of disabling a built-in dashboard (in this case, disabling the Envoy dashboard),
- name: envoy
To learn more about custom monitoring dashboards, see the documentation at https://kiali.io/docs/configuration/custom-dashboard/
.spec.custom_dashboards[*]
.spec.deployment
.spec.deployment.additional_service_yaml
Additional custom yaml to add to the service definition. This is used mainly to customize the service type. For example, if the `deployment.service_type` is set to ‘LoadBalancer’ and you want to set the loadBalancerIP, you can do so here with: `additional_service_yaml: { 'loadBalancerIP': '78.11.24.19' }`. Another example would be if the `deployment.service_type` is set to ‘ExternalName’ you will need to configure the name via: `additional_service_yaml: { 'externalName': 'my.kiali.example.com' }`. A final example would be if external IPs need to be set: `additional_service_yaml: { 'externalIPs': ['80.11.12.10'] }`
.spec.deployment.affinity
Affinity definitions that are to be used to define the nodes where the Kiali pod should be constrained. See the Kubernetes documentation on Assigning Pods to Nodes for the proper syntax for these three different affinity types.
.spec.deployment.affinity.node
.spec.deployment.affinity.pod
.spec.deployment.affinity.pod_anti
.spec.deployment.cluster_wide_access
Determines if the Kiali server will be granted cluster-wide permissions to see all namespaces. When true, this provides more efficient caching within the Kiali server. It must be `true` if `deployment.discovery_selectors.default` is left unset. To limit the namespaces for which Kiali has permissions, set to `false` and define the desired selectors in `deployment.discovery_selectors.default`. When not set, this value will default to `true`.
.spec.deployment.configmap_annotations
Custom annotations to be created on the Kiali ConfigMap.
.spec.deployment.custom_envs
Defines additional environment variables to be set in the Kiali server pod. This is typically used for (but not limited to) setting proxy environment variables such as HTTP_PROXY, HTTPS_PROXY, and/or NO_PROXY.
.spec.deployment.custom_envs[*]
.spec.deployment.custom_envs[*].name
The name of the custom environment variable.
.spec.deployment.custom_envs[*].value
The value of the custom environment variable.
.spec.deployment.custom_secrets
Defines additional secrets that are to be mounted in the Kiali pod. These are useful to contain certs that are used by Kiali to securely connect to third party systems (for example, see `external_services.tracing.auth.ca_file`). These secrets must be created by an external mechanism. Kiali will not generate these secrets; it is assumed these secrets are externally managed. You can define 0, 1, or more secrets. An example configuration is,
custom_secrets:
  - name: mysecret
    mount: /mysecret-path
  - name: my-other-secret
    mount: /my-other-secret-location
    optional: true
.spec.deployment.custom_secrets[*]
.spec.deployment.custom_secrets[*].csi
Defines CSI-specific settings that allows a secret from an external CSI secret store to be injected in the pod via a volume mount. For details, see https://secrets-store-csi-driver.sigs.k8s.io/
.spec.deployment.custom_secrets[*].mount
The file path location where the secret content will be mounted. The custom secret cannot be mounted on a path that the operator will use to mount its secrets. Make sure you set your custom secret mount path to a unique, unused path. Paths such as `/kiali-configuration`, `/kiali-cert`, `/kiali-cabundle`, and `/kiali-secret` should not be used as mount paths for custom secrets because the operator may want to use one of those paths.
.spec.deployment.custom_secrets[*].name
The name of the secret that is to be mounted to the Kiali pod’s file system. The name of the custom secret must not be the same name as one created by the operator. Names such as `kiali`, `kiali-cert-secret`, and `kiali-cabundle` should not be used as a custom secret name because the operator may want to create one with one of those names.
.spec.deployment.custom_secrets[*].optional
Indicates if the secret may or may not exist at the time the Kiali pod starts. This will default to ‘false’ if not specified. This is ignored if `csi` is specified - CSI secrets must exist when specified.
.spec.deployment.discovery_selectors
Discovery selectors used to determine which namespaces are accessible to Kiali and which namespaces are visible to Kiali users. You can define discovery selectors to match namespaces on the local cluster as well as remote clusters. The list of namespaces that a user can access is a subset of these namespaces, given that user’s RBAC permissions. These selectors will have similar semantics as defined by Istio ( https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig ) and the syntax of the equality-based and set-based label selectors are documented by Kubernetes here ( https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements )
.spec.deployment.discovery_selectors.default
These are label selectors for the Kiali local cluster and for all remote clusters that do not have overrides. Namespaces that match these selectors are visible to Kiali users. When `cluster_wide_access=false` these `default` selectors are used to restrict which namespaces Kiali will have access to. If there are no default discovery selectors, then `cluster_wide_access` should be `true`, in which case Kiali will have permissions to access all namespaces.
.spec.deployment.discovery_selectors.default[*]
.spec.deployment.discovery_selectors.default[*].matchExpressions
.spec.deployment.discovery_selectors.default[*].matchExpressions[*]
.spec.deployment.discovery_selectors.default[*].matchExpressions[*].key
.spec.deployment.discovery_selectors.default[*].matchExpressions[*].operator
.spec.deployment.discovery_selectors.default[*].matchExpressions[*].values
.spec.deployment.discovery_selectors.default[*].matchExpressions[*].values[*]
.spec.deployment.discovery_selectors.default[*].matchLabels
.spec.deployment.discovery_selectors.overrides
If a remote cluster has different namespaces than the local cluster, these overrides provide a way for you to match those remote namespaces. Kiali will make these remote namespaces visible to users. The name of the overrides section is the name of the remote cluster. Note that the `default` selectors are ignored when matching namespaces on a remote cluster if that remote cluster has overrides defined.
.spec.deployment.dns
The Kiali server pod’s DNS configuration. Kubernetes supports different DNS policies and configurations. For further details, consult the Kubernetes documentation - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
.spec.deployment.dns.config
DNS configuration that is applied to the DNS policy. See the Kubernetes documentation for the different configuration settings that are supported.
.spec.deployment.dns.policy
DNS policy. See the Kubernetes documentation for the different policies that are supported.
.spec.deployment.host_aliases
This is content for the Kubernetes ‘hostAliases’ setting for the Kiali server. This allows you to modify the Kiali server pod ‘/etc/hosts’ file. A typical way to configure this setting is,
host_aliases:
  - ip: 192.168.1.100
    hostnames:
      - "foo.local"
      - "bar.local"
For details on the content of this setting, see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/#adding-additional-entries-with-hostaliases
.spec.deployment.host_aliases[*]
.spec.deployment.host_aliases[*].hostnames
.spec.deployment.host_aliases[*].hostnames[*]
.spec.deployment.host_aliases[*].ip
.spec.deployment.hpa
Determines what (if any) HorizontalPodAutoscaler should be created to autoscale the Kiali pod. A typical way to configure HPA for Kiali is,
hpa:
  api_version: "autoscaling/v2"
  spec:
    maxReplicas: 2
    minReplicas: 1
    metrics:
      - type: Resource
        resource:
          name: cpu
          target:
            type: Utilization
            averageUtilization: 50
.spec.deployment.hpa.api_version
A specific HPA API version that can be specified in case there is some HPA feature you want to use that is only supported in that specific version. If value is an empty string, an attempt will be made to determine a valid version.
.spec.deployment.hpa.spec
The `spec` specified here will be placed in the created HPA resource’s ‘spec’ section. If `spec` is left empty, no HPA resource will be created. Note that you must not specify the ‘scaleTargetRef’ section in `spec`; the Kiali Operator will populate that for you.
.spec.deployment.image_digest
If `deployment.image_version` is a digest hash, this value indicates what type of digest it is. A typical value would be ‘sha256’. Note: do NOT prefix this value with a ‘@’.
.spec.deployment.image_name
Determines which Kiali image to download and install. If you set this to a specific name (i.e. you do not leave it as the default empty string), you must make sure that image is supported by the operator. If empty, the operator will use a known supported image name based on which `version` was defined. Note that, as a security measure, a cluster admin may have configured the Kiali operator to ignore this setting. A cluster admin may do this to ensure the Kiali operator only installs a single, specific Kiali version, thus this setting may have no effect depending on how the operator itself was configured.
.spec.deployment.image_pull_policy
The Kubernetes pull policy for the Kiali deployment. This is overridden to be ‘Always’ if `deployment.image_version` is set to ‘latest’.
.spec.deployment.image_pull_secrets
The names of the secrets to be used when container images are to be pulled.
.spec.deployment.image_pull_secrets[*]
.spec.deployment.image_version
Determines which version of Kiali to install.
Choose ‘lastrelease’ to use the last Kiali release.
Choose ‘latest’ to use the latest image (which may or may not be a released version of Kiali).
Choose ‘operator_version’ to use the image whose version is the same as the operator version.
Otherwise, you can set this to any valid Kiali version (such as ‘v1.0’) or any valid Kiali digest hash (if you set this to a digest hash, you must indicate the digest in `deployment.image_digest`).
Note that if this is set to ‘latest’ then the `deployment.image_pull_policy` will be set to ‘Always’.
If you set this to a specific version (i.e. you do not leave it as the default empty string), you must make sure that image is supported by the operator.
If empty, the operator will use a known supported image version based on which ‘version’ was defined. Note that, as a security measure, a cluster admin may have configured the Kiali operator to ignore this setting. A cluster admin may do this to ensure the Kiali operator only installs a single, specific Kiali version, thus this setting may have no effect depending on how the operator itself was configured.
.spec.deployment.ingress
Configures if/how the Kiali endpoint should be exposed externally.
.spec.deployment.ingress.additional_labels
Additional labels to add to the Ingress (or Route if on OpenShift). These are added to the labels that are created by default; these do not override the default labels.
.spec.deployment.ingress.class_name
If `class_name` is a non-empty string, it will be used as the ‘spec.ingressClassName’ in the created Kubernetes Ingress resource. This setting is ignored if on OpenShift. This is also ignored if `override_yaml.spec` is defined (i.e. you must define the ‘ingressClassName’ directly in your override yaml).
.spec.deployment.ingress.enabled
Determines if the Kiali endpoint should be exposed externally. If ‘true’, an Ingress will be created if on Kubernetes or a Route if on OpenShift. If left undefined, this will be ‘false’ on Kubernetes and ‘true’ on OpenShift.
.spec.deployment.ingress.override_yaml
Because an Ingress into a cluster can vary wildly in its desired configuration, this setting provides a way to override complete portions of the Ingress resource configuration (Ingress on Kubernetes and Route on OpenShift). It is up to the user to ensure this override YAML configuration is valid and supports the cluster environment since the operator will blindly copy this custom configuration into the resource it creates.
This setting is not used if deployment.ingress.enabled
is set to ‘false’.
Note that only ‘metadata.annotations’ and ‘spec’ are valid and only they will be used to override those same sections in the created resource. You can define either one or both. Note that override_yaml.metadata.labels is not allowed - you cannot override the labels; to add labels to the default set of labels, use the deployment.ingress.additional_labels setting.
Example,
override_yaml:
  metadata:
    annotations:
      nginx.ingress.kubernetes.io/secure-backends: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  spec:
    rules:
      - http:
          paths:
            - path: /kiali
              pathType: Prefix
              backend:
                service:
                  name: "kiali"
                  port:
                    number: 20001
.spec.deployment.ingress.override_yaml.metadata
.spec.deployment.ingress.override_yaml.metadata.annotations
.spec.deployment.ingress.override_yaml.spec
.spec.deployment.instance_name
The instance name of this Kiali installation. This instance name will be the prefix prepended to the names of all Kiali resources created by the operator and will be used to label those resources as belonging to this Kiali installation instance. You cannot change this instance name after a Kiali CR is created. If you attempt to change it, the operator will abort with an error. If you want to change it, you must first delete the original Kiali CR and create a new one. Note that this does not affect the name of the auto-generated signing key secret. If you do not supply a signing key, the operator will create one for you in a secret, but that secret will always be named ‘kiali-signing-key’ and shared across all Kiali instances in the same deployment namespace. If you want a different signing key secret, you are free to create your own and tell the operator about it via login_token.signing_key
. See the docs on that setting for more details. Note also that if you are setting this value, you may also want to change the installation_tag
setting, but this is not required.
.spec.deployment.logger
Configures the logger that emits messages to the Kiali server pod logs.
.spec.deployment.logger.log_format
Indicates if the logs should be written with one log message per line or using a JSON format. Must be one of: text
or json
.
.spec.deployment.logger.log_level
The lowest priority of messages to log. Must be one of: trace
, debug
, info
, warn
, error
, or fatal
.
.spec.deployment.logger.sampler_rate
With this setting every sampler_rate-th message will be logged. By default, every message is logged. As an example, setting this to '2'
means every other message will be logged. The value of this setting is a string but must be parsable as an integer.
.spec.deployment.logger.time_field_format
The log message timestamp format. This supports a golang time format (see https://golang.org/pkg/time/)
.spec.deployment.namespace
The namespace into which Kiali is to be installed. If this is empty or not defined, the default will be the namespace where the Kiali CR is located.
.spec.deployment.node_selector
A set of node labels that dictate onto which node the Kiali pod will be deployed.
.spec.deployment.pod_annotations
Custom annotations to be created on the Kiali pod.
.spec.deployment.pod_labels
Custom labels to be created on the Kiali pod. An example use for this setting is to inject an Istio sidecar such as,
sidecar.istio.io/inject: "true"
.spec.deployment.priority_class_name
The priorityClassName used to assign the priority of the Kiali pod.
.spec.deployment.probes
Configures the liveness, readiness, and startup probes of the Kiali pod.
.spec.deployment.probes.liveness
Configures the liveness probe of the Kiali pod.
.spec.deployment.probes.liveness.initial_delay_seconds
.spec.deployment.probes.liveness.period_seconds
.spec.deployment.probes.readiness
Configures the readiness probe of the Kiali pod.
.spec.deployment.probes.readiness.initial_delay_seconds
.spec.deployment.probes.readiness.period_seconds
.spec.deployment.probes.startup
Configures the startup probe of the Kiali pod.
.spec.deployment.probes.startup.failure_threshold
.spec.deployment.probes.startup.initial_delay_seconds
.spec.deployment.probes.startup.period_seconds
.spec.deployment.remote_cluster_resources_only
When true
, only those resources necessary for a remote Kiali Server to access this cluster are created (such as the service account and roles/bindings). There will be no Kiali Server deployment/pod created when this is true
.
.spec.deployment.replicas
The replica count for the Kiali deployment. If deployment.hpa is specified, this setting is ignored.
.spec.deployment.resources
Defines compute resources that are to be given to the Kiali pod’s container. The value is a dict as defined by Kubernetes. See the Kubernetes documentation (https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container).
If you set this to an empty dict ({}
) then no resources will be defined in the Deployment.
If you do not set this at all, the default is,
requests:
  cpu: "10m"
  memory: "64Mi"
limits:
  memory: "1Gi"
.spec.deployment.secret_name
The name of a secret used by the Kiali. This secret is optionally used when configuring the OpenID authentication strategy. Consult the OpenID docs for more information at https://kiali.io/docs/configuration/authentication/openid/
.spec.deployment.security_context
Custom security context to be placed on the server container. The entire security context on the container will be the value of this setting if the operator is configured to allow it. Note that, as a security measure, a cluster admin may have configured the Kiali operator to not allow portions of this override setting - in this case you can specify additional security context settings but you cannot replace existing, default ones.
.spec.deployment.service_annotations
Custom annotations to be created on the Kiali Service resource.
.spec.deployment.service_type
The Kiali service type. Kubernetes determines what values are valid. Common values are ‘NodePort’, ‘ClusterIP’, and ‘LoadBalancer’.
.spec.deployment.tolerations
A list of tolerations which declare which node taints Kiali can tolerate. See the Kubernetes documentation on Taints and Tolerations for more details.
.spec.deployment.tolerations[*]
.spec.deployment.version_label
Kiali resources will be assigned a ‘version’ label when they are deployed. This setting determines what value those ‘version’ labels will have. When empty, its default will be determined as follows,
- If deployment.image_version is ‘latest’, version_label will be fixed to ‘master’.
- If deployment.image_version is ‘lastrelease’, version_label will be fixed to the last Kiali release version string.
- If deployment.image_version is anything else, version_label will be that value, too.
.spec.deployment.view_only_mode
When true, Kiali will be in ‘view only’ mode, allowing the user to view and retrieve management and monitoring data for the service mesh, but not allow the user to modify the service mesh.
.spec.extensions
Defines third-party extensions whose metrics can be integrated into the Kiali traffic graph.
.spec.extensions[*]
.spec.extensions[*].enabled
Determines if the Kiali traffic graph should incorporate the extension’s metrics.
.spec.extensions[*].name
The name that is used to identify the metric time series for the extension.
.spec.external_services
These external service configuration settings define how to connect to the external services like Prometheus, Grafana, and Jaeger.
Regarding sensitive values in the external_services ‘auth’ sections:
Some external services configured below support an ‘auth’ sub-section in order to tell Kiali how it should authenticate with the external services. Credentials used to authenticate Kiali to those external services can be defined in the auth.password and auth.token values within the auth sub-section. Because these are sensitive values, you may not want to declare the actual credentials here in the Kiali CR. In this case, you may store the actual password or token string in a Kubernetes secret. If you do, you need to set auth.password or auth.token to a value in the format secret:<secretName>:<secretKey>, where <secretName> is the name of the secret object that Kiali can access, and <secretKey> is the name of the key within the named secret that contains the actual password or token string. For example, if Grafana requires a password, you can store that password in a secret named ‘myGrafanaCredentials’ in a key named ‘myGrafanaPw’. In this case, you would set external_services.grafana.auth.password to secret:myGrafanaCredentials:myGrafanaPw.
.spec.external_services.custom_dashboards
Settings for enabling and discovering custom dashboards.
.spec.external_services.custom_dashboards.discovery_auto_threshold
Threshold of the number of pods, for a given Application or Workload, above which dashboards discovery will be skipped. This setting only takes effect when discovery_enabled
is set to ‘auto’.
.spec.external_services.custom_dashboards.discovery_enabled
Enable, disable or set ‘auto’ mode to the dashboards discovery process. If set to ‘true’, Kiali will always try to discover dashboards based on metrics. Note that this can generate performance penalties while discovering dashboards for workloads having many pods (thus many metrics). When set to ‘auto’, Kiali will skip dashboards discovery for workloads with more than a configured threshold of pods (see discovery_auto_threshold
). When discovery is disabled or auto/skipped, it is still possible to tie workloads with dashboards through annotations on pods (refer to the doc https://kiali.io/docs/configuration/custom-dashboard/#pod-annotations). Value must be one of: true
, false
, auto
.
.spec.external_services.custom_dashboards.enabled
Enable or disable custom dashboards, including the dashboards discovery process.
.spec.external_services.custom_dashboards.is_core
Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
.spec.external_services.custom_dashboards.namespace_label
The Prometheus label name used for identifying namespaces in metrics for custom dashboards. The default is namespace
but you may want to use kubernetes_namespace
depending on your Prometheus configuration.
.spec.external_services.custom_dashboards.prometheus
The Prometheus configuration defined here refers to the Prometheus instance that is dedicated to fetching metrics for custom dashboards. This means you can obtain these metrics for the custom dashboards from a Prometheus instance that is different from the one that Istio uses. If this section is omitted, the same Prometheus that is used to obtain the Istio metrics will also be used for retrieving custom dashboard metrics.
.spec.external_services.custom_dashboards.prometheus.auth
Settings used to authenticate with the Prometheus instance.
.spec.external_services.custom_dashboards.prometheus.auth.ca_file
The certificate authority file to use when accessing Prometheus using https. An empty string means no extra certificate authority file is used.
.spec.external_services.custom_dashboards.prometheus.auth.insecure_skip_verify
Set true to skip verifying certificate validity when Kiali contacts Prometheus over https. Kiali will then accept any certificate presented by the server, so TLS no longer authenticates the Prometheus endpoint.
.spec.external_services.custom_dashboards.prometheus.auth.password
Password to be used when making requests to Prometheus, for basic authentication. May refer to a secret.
.spec.external_services.custom_dashboards.prometheus.auth.token
Token / API key to access Prometheus, for token-based authentication. May refer to a secret.
.spec.external_services.custom_dashboards.prometheus.auth.type
The type of authentication to use when contacting the server. Use bearer
to send the token to the Prometheus server. Use basic
to connect with username and password credentials. Use none
to not use any authentication (this is the default).
.spec.external_services.custom_dashboards.prometheus.auth.use_kiali_token
When true and if auth.type
is bearer
, Kiali Service Account token will be used for the API calls to Prometheus (in this case, auth.token
config is ignored).
.spec.external_services.custom_dashboards.prometheus.auth.username
Username to be used when making requests to Prometheus with basic
authentication. May refer to a secret.
.spec.external_services.custom_dashboards.prometheus.cache_duration
Prometheus caching duration expressed in seconds.
.spec.external_services.custom_dashboards.prometheus.cache_enabled
Enable/disable Prometheus caching used for Health services.
.spec.external_services.custom_dashboards.prometheus.cache_expiration
Prometheus caching expiration expressed in seconds.
.spec.external_services.custom_dashboards.prometheus.custom_headers
A set of name/value settings that will be passed as headers when requests are sent to Prometheus.
.spec.external_services.custom_dashboards.prometheus.health_check_url
Used in the Components health feature. This is the url which Kiali will ping to determine whether the component is reachable or not. It defaults to url
when not provided.
.spec.external_services.custom_dashboards.prometheus.is_core
Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
.spec.external_services.custom_dashboards.prometheus.query_scope
A set of labelName/labelValue settings applied to every Prometheus query. Used to narrow unified metrics to only those scoped to the Kiali instance.
.spec.external_services.custom_dashboards.prometheus.thanos_proxy
Define this section if Prometheus is to be queried through a Thanos proxy. Kiali will still use the url
setting to query for Prometheus metrics so make sure that is set appropriately.
.spec.external_services.custom_dashboards.prometheus.thanos_proxy.enabled
Set to true when a Thanos proxy is in front of Prometheus.
.spec.external_services.custom_dashboards.prometheus.thanos_proxy.retention_period
Thanos Retention period value expressed as a string.
.spec.external_services.custom_dashboards.prometheus.thanos_proxy.scrape_interval
Thanos Scrape interval value expressed as a string.
.spec.external_services.custom_dashboards.prometheus.url
The URL used to query the Prometheus Server. This URL must be accessible from the Kiali pod. If empty, the default will assume Prometheus is in the Istio control plane namespace; e.g. http://prometheus.<istio_namespace>:9090
.
.spec.external_services.grafana
Configuration used to access the Grafana dashboards.
.spec.external_services.grafana.auth
Settings used to authenticate with the Grafana instance.
.spec.external_services.grafana.auth.ca_file
The certificate authority file to use when accessing Grafana using https. An empty string means no extra certificate authority file is used.
.spec.external_services.grafana.auth.insecure_skip_verify
Set true to skip verifying certificate validity when Kiali contacts Grafana over https. Kiali will then accept any certificate presented by the server, so TLS no longer authenticates the Grafana endpoint.
.spec.external_services.grafana.auth.password
Password to be used when making requests to Grafana, for basic authentication. May refer to a secret.
.spec.external_services.grafana.auth.token
Token / API key to access Grafana, for token-based authentication. May refer to a secret.
.spec.external_services.grafana.auth.type
The type of authentication to use when contacting the server. Use bearer
to send the token to the Grafana server. Use basic
to connect with username and password credentials. Use none
to not use any authentication (this is the default).
.spec.external_services.grafana.auth.use_kiali_token
When true and if auth.type
is bearer
, Kiali Service Account token will be used for the API calls to Grafana (in this case, auth.token
config is ignored).
.spec.external_services.grafana.auth.username
Username to be used when making requests to Grafana with basic
authentication. May refer to a secret.
.spec.external_services.grafana.dashboards
A list of Grafana dashboards that Kiali can link to.
.spec.external_services.grafana.dashboards[*]
.spec.external_services.grafana.dashboards[*].name
The name of the Grafana dashboard.
.spec.external_services.grafana.dashboards[*].variables
.spec.external_services.grafana.dashboards[*].variables.app
The name of a variable that holds the app name, if used in that dashboard (else it must be omitted).
.spec.external_services.grafana.dashboards[*].variables.namespace
The name of a variable that holds the namespace, if used in that dashboard (else it must be omitted).
.spec.external_services.grafana.dashboards[*].variables.service
The name of a variable that holds the service name, if used in that dashboard (else it must be omitted).
.spec.external_services.grafana.dashboards[*].variables.workload
The name of a variable that holds the workload name, if used in that dashboard (else it must be omitted).
.spec.external_services.grafana.enabled
When true, Grafana support will be enabled in Kiali.
.spec.external_services.grafana.external_url
The URL that the Kiali UI uses when displaying Grafana links to the user. This URL must be accessible to clients external to the cluster (e.g. a browser) in order for the integration to work properly. If empty, an attempt to auto-discover it is made. This URL can contain query parameters if needed, such as ‘?orgId=1’.
.spec.external_services.grafana.health_check_url
Used in the Components health feature. This is the URL which Kiali will ping to determine whether the component is reachable or not. It defaults to internal_url
when not provided.
.spec.external_services.grafana.internal_url
The URL used by Kiali to perform requests and queries to Grafana. An example would be http://grafana.istio-system:3000
. This URL can contain query parameters if needed, such as ‘?orgId=1’. If not defined, it will default to http://grafana.<istio_namespace>:3000
.
.spec.external_services.grafana.is_core
Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
.spec.external_services.istio
Istio configuration that Kiali needs to know about in order to observe the mesh.
.spec.external_services.istio.component_status
Istio components whose status will be monitored by Kiali.
.spec.external_services.istio.component_status.components
A specific Istio component whose status will be monitored by Kiali.
.spec.external_services.istio.component_status.components[*]
.spec.external_services.istio.component_status.components[*].app_label
Istio component pod app label.
.spec.external_services.istio.component_status.components[*].is_core
Whether the component is to be considered a core component for your deployment.
.spec.external_services.istio.component_status.components[*].is_proxy
Whether the component is a native Envoy proxy.
.spec.external_services.istio.component_status.components[*].namespace
The namespace where the component is installed. It defaults to the Istio control plane namespace (e.g. istio_namespace
) setting. Note that the Istio documentation suggests you install the ingress and egress to different namespaces, so you most likely will want to explicitly set this namespace value for the ingress and egress components.
.spec.external_services.istio.component_status.enabled
Determines if Istio component statuses will be displayed in the Kiali masthead indicator.
.spec.external_services.istio.config_map_name
The name of the istio control plane config map.
.spec.external_services.istio.egress_gateway_namespace
The namespace where Istio EgressGateway component is read for a status check. When left empty, then istio_namespace
value is used.
.spec.external_services.istio.envoy_admin_local_port
The port which Kiali will open to fetch Envoy config data.
.spec.external_services.istio.gateway_api_classes
A list declaring all the Gateways used in Istio. If left empty or undefined, the default is a single list item whose name is Istio
and class_name is istio
.
.spec.external_services.istio.gateway_api_classes[*]
.spec.external_services.istio.gateway_api_classes[*].class_name
The name of the GatewayClass.
.spec.external_services.istio.gateway_api_classes[*].name
The name of the Gateway API implementation.
.spec.external_services.istio.ingress_gateway_namespace
The namespace where Istio IngressGateway component is read for a status check. When left empty, then istio_namespace
value is used.
.spec.external_services.istio.istio_api_enabled
Indicates if Kiali has access to istiod. Defaults to true.
.spec.external_services.istio.istio_canary_revision
These values are used in Canary upgrade/downgrade functionality when istio_upgrade_action
is true.
.spec.external_services.istio.istio_canary_revision.current
The currently installed Istio revision.
.spec.external_services.istio.istio_canary_revision.upgrade
The installed Istio canary revision to upgrade to.
.spec.external_services.istio.istio_identity_domain
The annotation used by Istio to identify domains.
.spec.external_services.istio.istio_injection_annotation
The name of the field that annotates a workload to indicate a sidecar should be automatically injected by Istio. This is the name of a Kubernetes annotation. Note that some Istio implementations also support labels by the same name. In other words, if a workload has a Kubernetes label with this name, that may also trigger automatic sidecar injection.
.spec.external_services.istio.istio_sidecar_annotation
The pod annotation used by Istio to identify the sidecar.
.spec.external_services.istio.istio_sidecar_injector_config_map_name
The name of the istio-sidecar-injector config map.
.spec.external_services.istio.istiod_deployment_name
The name of the istiod deployment.
.spec.external_services.istio.istiod_pod_monitoring_port
The monitoring port of the IstioD pod (not the Service).
.spec.external_services.istio.root_namespace
The namespace to treat as the administrative root namespace for Istio configuration.
.spec.external_services.istio.url_service_version
The Istio service used to determine the Istio version. If empty, assumes the URL for the well-known Istio version endpoint.
.spec.external_services.prometheus
The Prometheus configuration defined here refers to the Prometheus instance that is used by Istio to store its telemetry.
.spec.external_services.prometheus.auth
Settings used to authenticate with the Prometheus instance.
.spec.external_services.prometheus.auth.ca_file
The certificate authority file to use when accessing Prometheus using https. An empty string means no extra certificate authority file is used.
.spec.external_services.prometheus.auth.insecure_skip_verify
Set true to skip verifying certificate validity when Kiali contacts Prometheus over https. Kiali will then accept any certificate presented by the server, so TLS no longer authenticates the Prometheus endpoint.
.spec.external_services.prometheus.auth.password
Password to be used when making requests to Prometheus, for basic authentication. May refer to a secret.
.spec.external_services.prometheus.auth.token
Token / API key to access Prometheus, for token-based authentication. May refer to a secret.
.spec.external_services.prometheus.auth.type
The type of authentication to use when contacting the server. Use bearer
to send the token to the Prometheus server. Use basic
to connect with username and password credentials. Use none
to not use any authentication (this is the default).
.spec.external_services.prometheus.auth.use_kiali_token
When true and if auth.type
is bearer
, Kiali Service Account token will be used for the API calls to Prometheus (in this case, auth.token
config is ignored).
.spec.external_services.prometheus.auth.username
Username to be used when making requests to Prometheus with basic
authentication. May refer to a secret.
.spec.external_services.prometheus.cache_duration
Prometheus caching duration expressed in seconds.
.spec.external_services.prometheus.cache_enabled
Enable/disable Prometheus caching used for Health services.
.spec.external_services.prometheus.cache_expiration
Prometheus caching expiration expressed in seconds.
.spec.external_services.prometheus.custom_headers
A set of name/value settings that will be passed as headers when requests are sent to Prometheus.
.spec.external_services.prometheus.health_check_url
Used in the Components health feature. This is the url which Kiali will ping to determine whether the component is reachable or not. It defaults to url
when not provided.
.spec.external_services.prometheus.is_core
Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
.spec.external_services.prometheus.query_scope
A set of labelName/labelValue settings applied to every Prometheus query. Used to narrow unified metrics to only those scoped to the Kiali instance.
.spec.external_services.prometheus.thanos_proxy
Define this section if Prometheus is to be queried through a Thanos proxy. Kiali will still use the url
setting to query for Prometheus metrics so make sure that is set appropriately.
.spec.external_services.prometheus.thanos_proxy.enabled
Set to true when a Thanos proxy is in front of Prometheus.
.spec.external_services.prometheus.thanos_proxy.retention_period
Thanos Retention period value expressed as a string.
.spec.external_services.prometheus.thanos_proxy.scrape_interval
Thanos Scrape interval value expressed as a string.
.spec.external_services.prometheus.url
The URL used to query the Prometheus Server. This URL must be accessible from the Kiali pod. If empty, the default will assume Prometheus is in the Istio control plane namespace; e.g. http://prometheus.<istio_namespace>:9090
.
.spec.external_services.tracing
Configuration used to access the Tracing (Jaeger or Tempo) dashboards.
.spec.external_services.tracing.auth
Settings used to authenticate with the Tracing server instance.
.spec.external_services.tracing.auth.ca_file
The certificate authority file to use when accessing the Tracing server using https. An empty string means no extra certificate authority file is used.
.spec.external_services.tracing.auth.insecure_skip_verify
Set true to skip verifying certificate validity when Kiali contacts the Tracing server over https. Kiali will then accept any certificate presented by the server, so TLS no longer authenticates the Tracing endpoint.
.spec.external_services.tracing.auth.password
Password to be used when making requests to the Tracing server, for basic authentication. May refer to a secret.
.spec.external_services.tracing.auth.token
Token / API key to access the Tracing server, for token-based authentication. May refer to a secret.
.spec.external_services.tracing.auth.type
The type of authentication to use when contacting the server. Use bearer
to send the token to the Tracing server. Use basic
to connect with username and password credentials. Use none
to not use any authentication (this is the default).
.spec.external_services.tracing.auth.use_kiali_token
When true and if auth.type
is bearer
, Kiali Service Account token will be used for the API calls to the Tracing server (in this case, auth.token
config is ignored).
.spec.external_services.tracing.auth.username
Username to be used when making requests to the Tracing server with basic
authentication. May refer to a secret.
.spec.external_services.tracing.custom_headers
A set of name/value settings that will be passed as headers when requests are sent to the Tracing backend.
.spec.external_services.tracing.enabled
When true, connections to the Tracing server are enabled. internal_url
and/or external_url
need to be provided.
.spec.external_services.tracing.external_url
The URL that the Kiali UI uses when displaying Tracing UI links to the user. This URL must be accessible to clients external to the cluster (e.g. a browser) in order to generate valid links. If the tracing service is deployed with a QUERY_BASE_PATH set, include that base path in this URL, e.g. https://<hostname>/<QUERY_BASE_PATH>.
.spec.external_services.tracing.grpc_port
Set the port number used when use_grpc is true and provider is tempo. The default is 9095.
.spec.external_services.tracing.health_check_url
Used in the Components health feature. This is the url which Kiali will ping to determine whether the component is reachable or not. It defaults to url
when not provided.
.spec.external_services.tracing.internal_url
The URL used by Kiali to perform requests and queries to the tracing backend which enables further integration between Kiali and the tracing server. When not provided, Kiali will only show external links using the external_url
setting. Note: Jaeger v1.20+ has separate ports for gRPC (16685) and HTTP (16686) requests. Make sure you use the appropriate port according to the use_grpc
value. Example: http://tracing.istio-system:16685
.spec.external_services.tracing.is_core
Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
.spec.external_services.tracing.namespace_selector
Kiali uses this boolean to find traces with a namespace selector: service.namespace.
.spec.external_services.tracing.provider
The trace provider to get the traces from. Value must be one of: jaeger
or tempo
.
.spec.external_services.tracing.query_scope
A set of tagKey/tagValue settings applied to every Jaeger query. Used to narrow unified traces to only those scoped to the Kiali instance.
.spec.external_services.tracing.query_timeout
The amount of time in seconds Kiali will wait for a response from ‘jaeger-query’ service when fetching traces.
.spec.external_services.tracing.tempo_config
Settings used to configure the access url to the Tempo Datasource in Grafana.
.spec.external_services.tracing.tempo_config.datasource_uid
The unique identifier (uid) of the Tempo datasource in Grafana.
.spec.external_services.tracing.tempo_config.org_id
The ID of the organization that the dashboard is in. Defaults to 1 (the first and default organization).
.spec.external_services.tracing.tempo_config.url_format
The URL format for the external url. Can be ‘jaeger’ or ‘grafana’. Defaults to ‘grafana’. The ‘grafana’ format requires a Grafana URL to be set in the Grafana settings.
.spec.external_services.tracing.use_grpc
Set to true in order to enable gRPC connections between Kiali and Jaeger, which will speed up the queries. In some setups you might not be able to use gRPC (e.g. if Jaeger is behind some reverse proxy that doesn’t support it). If not specified, this will default to ‘true’.
.spec.external_services.tracing.whitelist_istio_system
Kiali will get the traces of these services found in the Istio control plane namespace.
.spec.external_services.tracing.whitelist_istio_system[*]
A name of a service found in the Istio control plane namespace whose traces will be retrieved by Kiali.
.spec.health_config
This section defines what it means for nodes to be healthy. For more details, see https://kiali.io/docs/configuration/health/
.spec.health_config.rate
.spec.health_config.rate[*]
.spec.health_config.rate[*].kind
The type of resource that this configuration applies to. This is a regular expression.
.spec.health_config.rate[*].name
The name of a resource that this configuration applies to. This is a regular expression.
.spec.health_config.rate[*].namespace
The name of the namespace that this configuration applies to. This is a regular expression.
.spec.health_config.rate[*].tolerance
A list of tolerances for this configuration.
.spec.health_config.rate[*].tolerance[*]
.spec.health_config.rate[*].tolerance[*].code
The status code that applies for this tolerance. This is a regular expression.
.spec.health_config.rate[*].tolerance[*].degraded
Health will be considered degraded when the telemetry reaches this value (specified as an integer representing a percentage).
.spec.health_config.rate[*].tolerance[*].direction
The direction that applies for this tolerance (e.g. inbound or outbound). This is a regular expression.
.spec.health_config.rate[*].tolerance[*].failure
A failure status will be shown when the telemetry reaches this value (specified as an integer representing a percentage).
.spec.health_config.rate[*].tolerance[*].protocol
The protocol that applies for this tolerance (e.g. grpc or http). This is a regular expression.
.spec.identity
Settings that define the Kiali server identity.
.spec.identity.cert_file
Certificate file used to identify the Kiali server. If set, you must go over https to access Kiali. The Kiali operator will set this if it deploys Kiali behind https. When left undefined, the operator will attempt to generate a cluster-specific cert file that provides https by default (today, this auto-generation of a cluster-specific cert is only supported on OpenShift). When set to an empty string, https will be disabled.
.spec.identity.private_key_file
Private key file used to identify the Kiali server. If set, you must go over https to access Kiali. When left undefined, the Kiali operator will attempt to generate a cluster-specific private key file that provides https by default (today, this auto-generation of a cluster-specific private key is only supported on OpenShift). When set to an empty string, https will be disabled.
.spec.installation_tag
Tag used to identify a particular instance/installation of the Kiali server. This is merely a human-readable string that will be used within Kiali to help a user identify the Kiali being used (e.g. in the Kiali UI title bar). See deployment.instance_name for the setting used to customize the names of the Kiali resources that are created.
.spec.istio_labels
Defines specific labels used by Istio that Kiali needs to know about.
.spec.istio_labels.app_label_name
The name of the label used to define what application a workload belongs to. This is typically something like app or app.kubernetes.io/name.
.spec.istio_labels.egress_gateway_label
The selector label for the Egress Gateway workload. This is typically istio=egressgateway.
.spec.istio_labels.ingress_gateway_label
The selector label for the Ingress Gateway workload. This is typically istio=ingressgateway.
.spec.istio_labels.injection_label_name
The name of the label used to instruct Istio to automatically inject sidecar proxies when applications are deployed.
.spec.istio_labels.injection_label_rev
The label used to identify the Istio revision.
.spec.istio_labels.version_label_name
The name of the label used to define what version of the application a workload belongs to. This is typically something like version or app.kubernetes.io/version.
.spec.istio_namespace
The namespace where Istio is installed. If left empty, it is assumed to be the same namespace as where Kiali is installed (i.e. deployment.namespace).
.spec.kiali_feature_flags
Kiali features that can be enabled or disabled.
.spec.kiali_feature_flags.disabled_features
There may be some features that admins do not want to be accessible to users (even in ‘view only’ mode). In this case, this setting allows you to disable one or more of those features entirely.
.spec.kiali_feature_flags.disabled_features[*]
.spec.kiali_feature_flags.istio_annotation_action
Flag to enable/disable an Action to edit annotations.
.spec.kiali_feature_flags.istio_injection_action
Flag to enable/disable an Action to label a namespace for automatic Istio Sidecar injection.
.spec.kiali_feature_flags.istio_upgrade_action
Flag to activate the Kiali functionality of upgrading namespaces to point to an installed Istio Canary revision. The related Canary upgrade and current revisions of Istio should be defined in the istio_canary_revision section.
.spec.kiali_feature_flags.ui_defaults
Default settings for the UI. These defaults apply to all users.
.spec.kiali_feature_flags.ui_defaults.graph
Default settings for the Graph UI.
.spec.kiali_feature_flags.ui_defaults.graph.find_options
A list of commonly used and useful find expressions that will be provided to the user out-of-box.
.spec.kiali_feature_flags.ui_defaults.graph.find_options[*]
.spec.kiali_feature_flags.ui_defaults.graph.find_options[*].auto_select
If true this option will be selected and take effect automatically. Note that only one option in the list can have this value be set to true.
.spec.kiali_feature_flags.ui_defaults.graph.find_options[*].description
Human-readable text to let the user know what the expression does.
.spec.kiali_feature_flags.ui_defaults.graph.find_options[*].expression
The find expression.
.spec.kiali_feature_flags.ui_defaults.graph.hide_options
A list of commonly used and useful hide expressions that will be provided to the user out-of-box.
.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*]
.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*].auto_select
If true this option will be selected and take effect automatically. Note that only one option in the list can have this value be set to true.
.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*].description
Human-readable text to let the user know what the expression does.
.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*].expression
The hide expression.
.spec.kiali_feature_flags.ui_defaults.graph.traffic
These settings determine which rates are used to determine graph traffic.
.spec.kiali_feature_flags.ui_defaults.graph.traffic.grpc
gRPC traffic is measured in requests or sent/received/total messages. Value must be one of: none, requests, sent, received, or total.
.spec.kiali_feature_flags.ui_defaults.graph.traffic.http
HTTP traffic is measured in requests. Value must be one of: none or requests.
.spec.kiali_feature_flags.ui_defaults.graph.traffic.tcp
TCP traffic is measured in sent/received/total bytes. Only request traffic supplies response codes. Value must be one of: none, sent, received, or total.
.spec.kiali_feature_flags.ui_defaults.i18n
Default settings for the i18n values.
.spec.kiali_feature_flags.ui_defaults.i18n.language
Default language used in Kiali application.
.spec.kiali_feature_flags.ui_defaults.i18n.show_selector
If true, the Kiali masthead displays a language selector icon. Default is false.
.spec.kiali_feature_flags.ui_defaults.list
Default settings for the List views (Apps, Workloads, etc).
.spec.kiali_feature_flags.ui_defaults.list.include_health
Include Health column (by default) for applicable list views. Setting to false can improve performance.
.spec.kiali_feature_flags.ui_defaults.list.include_istio_resources
Include Istio resources (by default) in Details column for applicable list views. Setting to false can improve performance.
.spec.kiali_feature_flags.ui_defaults.list.include_validations
Include Configuration validation column (by default) for applicable list views. Setting to false can improve performance.
.spec.kiali_feature_flags.ui_defaults.list.show_include_toggles
If true, list pages display checkbox toggles for the include options; otherwise the configured settings are applied but cannot be changed by the user. Default is false.
.spec.kiali_feature_flags.ui_defaults.metrics_inbound
Additional label aggregation for inbound metric pages in detail pages. You will see these configurations in the ‘Metric Settings’ drop-down. An example,
metrics_inbound:
aggregations:
- display_name: Istio Network
label: topology_istio_io_network
- display_name: Istio Revision
label: istio_io_rev
.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations
.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations[*]
.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations[*].display_name
.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations[*].label
.spec.kiali_feature_flags.ui_defaults.metrics_outbound
Additional label aggregation for outbound metric pages in detail pages. You will see these configurations in the ‘Metric Settings’ drop-down. An example,
metrics_outbound:
aggregations:
- display_name: Istio Network
label: topology_istio_io_network
- display_name: Istio Revision
label: istio_io_rev
.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations
.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations[*]
.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations[*].display_name
.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations[*].label
.spec.kiali_feature_flags.ui_defaults.metrics_per_refresh
Duration of metrics to fetch on each refresh. Value must be one of: 1m, 2m, 5m, 10m, 30m, 1h, 3h, 6h, 12h, 1d, 7d, or 30d.
.spec.kiali_feature_flags.ui_defaults.namespaces
Default selections for the namespace selection dropdown. Non-existent or inaccessible namespaces will be ignored. Omit or set to an empty array for no default namespaces.
.spec.kiali_feature_flags.ui_defaults.namespaces[*]
.spec.kiali_feature_flags.ui_defaults.refresh_interval
The automatic refresh interval for pages offering automatic refresh. Value must be one of: pause, 10s, 15s, 30s, 1m, 5m, or 15m.
.spec.kiali_feature_flags.validations
Features specific to the validations subsystem.
.spec.kiali_feature_flags.validations.ignore
A list of one or more validation codes whose errors are to be ignored.
.spec.kiali_feature_flags.validations.ignore[*]
A validation code (e.g. KIA0101) for a specific validation error that is to be ignored.
.spec.kiali_feature_flags.validations.skip_wildcard_gateway_hosts
The KIA0301 validation checks for duplicate host and port combinations across all Istio Gateways. This also includes Gateways with ‘*’ in their hosts. However, Istio considers a Gateway with a wildcard in its hosts to be last in order, after the Gateways with FQDN hosts. This option skips Gateways with wildcard hosts from the KIA0301 validation while still checking Gateways with FQDN hosts.
.spec.kubernetes_config
Configuration of Kiali’s access of the Kubernetes API.
.spec.kubernetes_config.burst
The Burst value of the Kubernetes client.
.spec.kubernetes_config.cache_duration
The ratio interval (expressed in seconds) used for the cache to perform a full refresh. Only used when cache_enabled is true.
.spec.kubernetes_config.cache_token_namespace_duration
This Kiali cache is a list of namespaces per user. This is typically a short-lived cache compared with the duration of the namespace cache defined by the cache_duration setting. This is specified in seconds.
.spec.kubernetes_config.cluster_name
The name of the cluster Kiali is deployed in. This is only used in multi-cluster environments. If not set, Kiali will try to auto-detect the cluster name from the Istiod deployment or use the default ‘Kubernetes’.
.spec.kubernetes_config.excluded_workloads
List of controllers that won’t be used for Workload calculation. Kiali queries Deployment, ReplicaSet, ReplicationController, DeploymentConfig, StatefulSet, Job and CronJob controllers. Deployment and ReplicaSet will always be queried, but ReplicationController, DeploymentConfig, StatefulSet, Job and CronJob can be skipped from Kiali workload queries if they are present in this list.
.spec.kubernetes_config.excluded_workloads[*]
.spec.kubernetes_config.qps
The QPS value of the Kubernetes client.
.spec.login_token
.spec.login_token.expiration_seconds
A user’s login token expiration specified in seconds. This is applicable to token and header auth strategies only.
.spec.login_token.signing_key
The signing key used to generate tokens for user authentication. Because this is potentially sensitive, you have the option to store this value in a secret. If you store this signing key value in a secret, you must indicate which key in which secret by setting this value to a string in the form secret:<secretName>:<secretKey>. If left as an empty string, a secret with a random signing key will be generated for you. The signing key must be 16, 24 or 32 bytes long.
.spec.server
Configuration that controls some core components within the Kiali Server.
.spec.server.address
Where the Kiali server is bound. The console and API server are accessible on this host.
.spec.server.audit_log
When true, allows additional audit logging on write operations.
.spec.server.cors_allow_all
When true, allows the web console to send requests to domains other than the one the console came from. Typically used for development environments only.
.spec.server.gzip_enabled
When true, Kiali serves http requests with gzip enabled (if the browser supports it) when the requests are over 1400 bytes.
.spec.server.node_port
If deployment.service_type is ‘NodePort’ and this value is set, then this is the node port that the Kiali service will listen on.
.spec.server.observability
Settings to enable observability into the Kiali server itself.
.spec.server.observability.metrics
Settings that control how Kiali itself emits its own metrics.
.spec.server.observability.metrics.enabled
When true, the metrics endpoint will be available for Prometheus to scrape.
.spec.server.observability.metrics.port
The port that the server will bind to in order to receive metric requests. This is the port Prometheus will need to scrape when collecting metrics from Kiali.
.spec.server.observability.tracing
Settings that control how the Kiali server itself emits its own tracing data.
.spec.server.observability.tracing.collector_type
The collector type to use. Value must be one of: jaeger or otel.
.spec.server.observability.tracing.collector_url
The URL used to determine where the Kiali server tracing data will be stored.
.spec.server.observability.tracing.enabled
When true, the Kiali server itself will produce its own tracing data.
.spec.server.observability.tracing.otel
Specific properties used when the collector type is otel.
.spec.server.observability.tracing.otel.ca_name
The name of the CA cert; this is used when tls_enabled is true and skip_verify is false.
.spec.server.observability.tracing.otel.protocol
Protocol. Supported values are: http, https or grpc.
.spec.server.observability.tracing.otel.skip_verify
If true, TLS certificate verification will not be performed. This is an insecure option and is recommended only for testing.
.spec.server.observability.tracing.otel.tls_enabled
Enable TLS for the collector. This must be specified when protocol is https or grpc. When you set this to true, you must also set a ca_name or set skip_verify to true.
.spec.server.port
The port that the server will bind to in order to receive console and API requests.
.spec.server.profiler
Controls the internal profiler used to debug the internals of Kiali.
.spec.server.profiler.enabled
When ‘true’, the profiler will be enabled and accessible at /debug/pprof/ on the Kiali endpoint.
.spec.server.web_fqdn
Defines the public domain where Kiali is being served. This is the ‘domain’ part of the URL (usually it’s a fully-qualified domain name). For example, kiali.example.org. When empty, Kiali will try to guess this value from HTTP headers. On non-OpenShift clusters, you must populate this value if you want to enable cross-linking between Kiali instances in a multi-cluster setup.
.spec.server.web_history_mode
Defines the history mode of the Kiali UI. Value must be one of: browser or hash.
.spec.server.web_port
Defines the ingress port where the connections come from. This is usually necessary when the application responds through a proxy/ingress, and it does not forward the correct headers (when this happens, Kiali cannot guess the port). When empty, Kiali will try to guess this value from HTTP headers.
.spec.server.web_root
Defines the context root path for the Kiali console and API endpoints and readiness probes. When providing a context root path that is not /, do not add a trailing slash (i.e. use /kiali, not /kiali/). When empty, this will default to / on OpenShift and /kiali on other Kubernetes environments.
.spec.server.web_schema
Defines the public HTTP schema used to serve Kiali. Value must be one of: http or https. When empty, Kiali will try to guess this value from HTTP headers. On non-OpenShift clusters, you must populate this value if you want to enable cross-linking between Kiali instances in a multi-cluster setup.
.spec.server.write_timeout
The maximum duration, in seconds, before timing out writes of the HTTP response back to the client. Default is 30. In OpenShift clusters, the route request timeout should also be increased, as its default is 30 seconds. This can be done by annotating the specific route with haproxy.router.openshift.io/timeout. See https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html#nw-configuring-route-timeouts_route-configuration for further details.
.spec.version
The version of the Ansible role that will be executed in order to install Kiali. This also indirectly determines the version of Kiali that will be installed. You normally will want to use default, since this is the only officially supported value today. If not specified, the value of default is assumed, which means the most recent Ansible role is used; thus the most recent release of Kiali will be installed. Refer to this file to see what the valid values are for this version field (as defined in the master branch): https://github.com/kiali/kiali-operator/blob/master/playbooks/kiali-default-supported-images.yml
This version setting affects the defaults of the deployment.image_name and deployment.image_version settings. See the documentation for those settings below for additional details. In short, this version setting will dictate which version of the Kiali image will be deployed by default. However, if you explicitly set deployment.image_name and/or deployment.image_version to reference your own custom image, that will override the default Kiali image to be installed; therefore, you are responsible for ensuring those settings are compatible with the Ansible role that will be executed in order to install Kiali (i.e. your custom Kiali image must be compatible with the rest of the configuration and resources the operator will install).
.status
The processing status of this CR as reported by the Kiali operator.