Kiali CR Reference

Reference page for the Kiali CR. The Kiali Operator will watch for resources of this type and install Kiali according to those resources' configurations.

Example CR

(all values shown here are the defaults unless otherwise noted)
apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  annotations:
    ansible.sdk.operatorframework.io/verbosity: "1"
spec:
  additional_display_details:
  - title: "API Documentation"
    annotation: "kiali.io/api-spec"
    icon_annotation: "kiali.io/api-type"

  installation_tag: ""

  istio_namespace: ""

  version: "default"

  api:
    namespaces:
      exclude:
      - "^istio-operator"
      - "^kube-.*"
      - "^openshift.*"
      - "^ibm.*"
      - "^kiali-operator"
      include: []
      label_selector_exclude: ""
      # default: label_selector_include is undefined
      label_selector_include: "kiali.io/member-of=istio-system"
  auth:
    strategy: ""
    openid:
      # default: additional_request_params is empty
      additional_request_params:
        openIdReqParam: "openIdReqParamValue"
      # default: allowed_domains is an empty list
      allowed_domains: ["allowed.domain"]
      api_proxy: ""
      api_proxy_ca_data: ""
      api_token: "id_token"
      authentication_timeout: 300
      authorization_endpoint: ""
      client_id: ""
      disable_rbac: false
      http_proxy: ""
      https_proxy: ""
      insecure_skip_verify_tls: false
      issuer_uri: ""
      scopes: ["openid", "profile", "email"]
      username_claim: "sub"
    openshift:
      auth_timeout: 10
      client_id_prefix: "kiali"
      #token_inactivity_timeout:
      #token_max_age:

  # default: custom_dashboards is an empty list
  custom_dashboards:
  - name: "envoy"

  deployment:
    accessible_namespaces: ["^((?!(istio-operator|kube-.*|openshift.*|ibm.*|kiali-operator)).)*$"]
    # default: additional_service_yaml is empty
    additional_service_yaml:
      externalName: "kiali.example.com"
    affinity:
      # default: node is empty
      node:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: kubernetes.io/e2e-az-name
              operator: In
              values:
              - e2e-az1
              - e2e-az2
      # default: pod is empty
      pod:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
            - key: security
              operator: In
              values:
              - S1
          topologyKey: topology.kubernetes.io/zone
      # default: pod_anti is empty
      pod_anti:
        preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: security
                operator: In
                values:
                - S2
            topologyKey: topology.kubernetes.io/zone
    # default: configmap_annotations is empty
    configmap_annotations:
      strategy.spinnaker.io/versioned: "false"
    # default: custom_secrets is an empty list
    custom_secrets:
    - name: "a-custom-secret"
      mount: "/a-custom-secret-path"
      optional: true
    hpa:
      api_version: ""
      # default: spec is empty
      spec:
        maxReplicas: 2
        minReplicas: 1
        metrics:
        - type: Resource
          resource:
            name: cpu
            target:
              type: Utilization
              averageUtilization: 50
    # default: host_aliases is an empty list
    host_aliases:
    - ip: "192.168.1.100"
      hostnames:
      - "foo.local"
      - "bar.local"
    image_digest: ""
    image_name: ""
    image_pull_policy: "IfNotPresent"
    # default: image_pull_secrets is an empty list
    image_pull_secrets: ["image.pull.secret"]
    image_version: ""
    ingress:
      # default: additional_labels is empty
      additional_labels:
        ingressAdditionalLabel: "ingressAdditionalLabelValue"
      class_name: "nginx"
      # default: enabled is undefined
      enabled: false
      # default: override_yaml is undefined
      override_yaml:
        metadata:
          annotations:
            nginx.ingress.kubernetes.io/secure-backends: "true"
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        spec:
          rules:
          - http:
              paths:
              - path: "/kiali"
                pathType: Prefix
                backend:
                  service:
                    name: "kiali"
                    port:
                      number: 20001
    instance_name: "kiali"
    logger:
      log_level: "info"
      log_format: "text"
      sampler_rate: "1"
      time_field_format: "2006-01-02T15:04:05Z07:00"
    namespace: "istio-system"
    # default: node_selector is empty
    node_selector:
      nodeSelector: "nodeSelectorValue"
    # default: pod_annotations is empty
    pod_annotations:
      podAnnotation: "podAnnotationValue"
    # default: pod_labels is empty
    pod_labels:
      sidecar.istio.io/inject: "true"
    priority_class_name: ""
    replicas: 1
    # default: resources is undefined
    resources:
      requests:
        cpu: "10m"
        memory: "64Mi"
      limits:
        memory: "1Gi"
    secret_name: "kiali"
    security_context: {}
    # default: service_annotations is empty
    service_annotations:
      svcAnnotation: "svcAnnotationValue"
    # default: service_type is undefined
    service_type: "NodePort"
    # default: tolerations is an empty list
    tolerations:
    - key: "example-key"
      operator: "Exists"
      effect: "NoSchedule"
    verbose_mode: "3"
    version_label: ""
    view_only_mode: false

  external_services:
    custom_dashboards:
      discovery_auto_threshold: 10
      discovery_enabled: "auto"
      enabled: true
      is_core: false
      namespace_label: "namespace"
      prometheus:
        auth:
          ca_file: ""
          insecure_skip_verify: false
          password: ""
          token: ""
          type: "none"
          use_kiali_token: false
          username: ""
        cache_duration: 10
        cache_enabled: true
        cache_expiration: 300
        # default: custom_headers is empty
        custom_headers:
          customHeader1: "customHeader1Value"
        health_check_url: ""
        is_core: true
        # default: query_scope is empty
        query_scope:
          mesh_id: "mesh-1"
          cluster: "cluster-east"
        thanos_proxy:
          enabled: false
          retention_period: "7d"
          scrape_interval: "30s"
        url: ""
    grafana:
      auth:
        ca_file: ""
        insecure_skip_verify: false
        password: ""
        token: ""
        type: "none"
        use_kiali_token: false
        username: ""
      dashboards:
      - name: "Istio Service Dashboard"
        variables:
          namespace: "var-namespace"
          service: "var-service"
      - name: "Istio Workload Dashboard"
        variables:
          namespace: "var-namespace"
          workload: "var-workload"
      - name: "Istio Mesh Dashboard"
      - name: "Istio Control Plane Dashboard"
      - name: "Istio Performance Dashboard"
      - name: "Istio Wasm Extension Dashboard"
      enabled: true
      health_check_url: ""
      # default: in_cluster_url is undefined
      in_cluster_url: ""
      is_core: false
      url: ""
    istio:
      component_status:
        components:
        - app_label: "istiod"
          is_core: true
          is_proxy: false
        - app_label: "istio-ingressgateway"
          is_core: true
          is_proxy: true
          # default: namespace is undefined
          namespace: istio-system
        - app_label: "istio-egressgateway"
          is_core: false
          is_proxy: true
          # default: namespace is undefined
          namespace: istio-system
        enabled: true
      config_map_name: "istio"
      envoy_admin_local_port: 15000
      gateway_api_class_name: ""
      # default: istio_canary_revision is undefined
      istio_canary_revision:
        current: "1-9-9"
        upgrade: "1-10-2"
      istio_identity_domain: "svc.cluster.local"
      istio_injection_annotation: "sidecar.istio.io/inject"
      istio_sidecar_annotation: "sidecar.istio.io/status"
      istio_sidecar_injector_config_map_name: "istio-sidecar-injector"
      istiod_deployment_name: "istiod"
      istiod_pod_monitoring_port: 15014
      root_namespace: ""
      url_service_version: ""
    prometheus:
      auth:
        ca_file: ""
        insecure_skip_verify: false
        password: ""
        token: ""
        type: "none"
        use_kiali_token: false
        username: ""
      cache_duration: 10
      cache_enabled: true
      cache_expiration: 300
      # default: custom_headers is empty
      custom_headers:
        customHeader1: "customHeader1Value"
      health_check_url: ""
      is_core: true
      # default: query_scope is empty
      query_scope:
        mesh_id: "mesh-1"
        cluster: "cluster-east"
      thanos_proxy:
        enabled: false
        retention_period: "7d"
        scrape_interval: "30s"
      url: ""
    tracing:
      auth:
        ca_file: ""
        insecure_skip_verify: false
        password: ""
        token: ""
        type: "none"
        use_kiali_token: false
        username: ""
      enabled: true
      in_cluster_url: ""
      is_core: false
      namespace_selector: true
      # default: query_scope is empty
      query_scope:
        mesh_id: "mesh-1"
        cluster: "cluster-east"
      url: ""
      use_grpc: true
      whitelist_istio_system: ["jaeger-query", "istio-ingressgateway"]

  health_config:
    # default: rate is an empty list
    rate:
    - namespace: ".*"
      kind: ".*"
      name: ".*"
      tolerance:
      - protocol: "http"
        direction: ".*"
        code: "[1234]00"
        degraded: 5
        failure: 10

  identity:
    # default: cert_file is undefined
    cert_file: ""
    # default: private_key_file is undefined
    private_key_file: ""

  istio_labels:
    app_label_name: "app"
    injection_label_name: "istio-injection"
    injection_label_rev:  "istio.io/rev"
    version_label_name: "version"

  kiali_feature_flags:
    certificates_information_indicators:
      enabled: true
      secrets:
      - "cacerts"
      - "istio-ca-secret"
    clustering:
      enabled: true
    disabled_features: []
    istio_injection_action: true
    istio_upgrade_action: false
    ui_defaults:
      graph:
        find_options:
        - description: "Find: slow edges (> 1s)"
          expression: "rt > 1000"
        - description: "Find: unhealthy nodes"
          expression:  "! healthy"
        - description: "Find: unknown nodes"
          expression:  "name = unknown"
        hide_options:
        - description: "Hide: healthy nodes"
          expression: "healthy"
        - description: "Hide: unknown nodes"
          expression:  "name = unknown"
        traffic:
          grpc: "requests"
          http: "requests"
          tcp:  "sent"
      metrics_per_refresh: "1m"
      # default: metrics_inbound is undefined
      metrics_inbound:
        aggregations:
        - display_name: "Istio Network"
          label: "topology_istio_io_network"
        - display_name: "Istio Revision"
          label: "istio_io_rev"
      # default: metrics_outbound is undefined
      metrics_outbound:
        aggregations:
        - display_name: "Istio Network"
          label: "topology_istio_io_network"
        - display_name: "Istio Revision"
          label: "istio_io_rev"
      # default: namespaces is an empty list
      namespaces: ["istio-system"]
      refresh_interval: "60s"
    validations:
      ignore: ["KIA1201"]

  kubernetes_config:
    burst: 200
    cache_duration: 300
    cache_enabled: true
    cache_istio_types:
    - "AuthorizationPolicy"
    - "DestinationRule"
    - "EnvoyFilter"
    - "Gateway"
    - "PeerAuthentication"
    - "RequestAuthentication"
    - "ServiceEntry"
    - "Sidecar"
    - "VirtualService"
    - "WorkloadEntry"
    - "WorkloadGroup"
    cache_namespaces:
    - ".*"
    cache_token_namespace_duration: 10
    excluded_workloads:
    - "CronJob"
    - "DeploymentConfig"
    - "Job"
    - "ReplicationController"
    qps: 175

  login_token:
    expiration_seconds: 86400
    signing_key: ""

  server:
    address: ""
    audit_log: true
    cors_allow_all: false
    gzip_enabled: true
    observability:
      metrics:
        enabled: true
        port: 9090
      tracing:
        collector_url: "http://jaeger-collector.istio-system:14268/api/traces"
        enabled: false
    port: 20001
    web_fqdn: ""
    web_history_mode: ""
    web_port: ""
    web_root: ""
    web_schema: ""

Validating your Kiali CR

A Kiali tool is available to allow you to check your own Kiali CR to ensure it is valid. Simply download the validation script and run it, passing in the location of the Kiali CRD you wish to validate with (e.g. the latest version is found here) and the location of your Kiali CR. You must be connected to/logged into a cluster for this validation tool to work.

For example, to validate a Kiali CR named kiali in the namespace istio-system using the latest version of the Kiali CRD, run the following:

bash <(curl -sL https://raw.githubusercontent.com/kiali/kiali-operator/master/crd-docs/bin/validate-kiali-cr.sh) \
  -crd https://raw.githubusercontent.com/kiali/kiali-operator/master/crd-docs/crd/kiali.io_kialis.yaml \
  --kiali-cr-name kiali \
  -n istio-system

If you wish to test your Kiali CR with an older version of Kiali, replace master in the above -crd option with the version you wish to test. For example, to test your Kiali CR with Kiali version v1.53.0, pass in the option -crd https://raw.githubusercontent.com/kiali/kiali-operator/v1.53.0/crd-docs/crd/kiali.io_kialis.yaml in the above command.

For additional help in using this validation tool, pass it the --help option.

Properties


.spec

(object)

This is the CRD for the resources called Kiali CRs. The Kiali Operator will watch for resources of this type and when it detects a Kiali CR has been added, deleted, or modified, it will install, uninstall, and update the associated Kiali Server installation. The settings here will configure the Kiali Server as well as the Kiali Operator. All of these settings will be stored in the Kiali ConfigMap. Do not modify the ConfigMap; it will be managed by the Kiali Operator. Only modify the Kiali CR when you want to change a configuration setting.


.spec.additional_display_details

(array)

A list of additional details that Kiali will look for in annotations. When found on any workload or service, Kiali will display the additional details in the respective workload or service details page. This is typically used to inject some CI metadata or documentation links into Kiali views. For example, by default, Kiali will recognize these annotations on a service or workload (e.g. a Deployment, StatefulSet, etc.):

annotations:
  kiali.io/api-spec: http://list/to/my/api/doc
  kiali.io/api-type: rest

Note that if you change this setting for your own custom annotations, keep in mind that it would override the current default. So you would have to add the default setting as shown in the example CR if you want to preserve the default links.


.spec.additional_display_details[*]

(object)

.spec.additional_display_details[*].annotation

(string) *Required*

The name of the annotation whose value is a URL to additional documentation useful to the user.


.spec.additional_display_details[*].icon_annotation

(string)

The name of the annotation whose value is used to determine what icon to display. The annotation name itself can be anything, but note that the value of that annotation must be one of: rest, grpc, and graphql - any other value is ignored.


.spec.additional_display_details[*].title

(string) *Required*

The title of the link that Kiali will display. The link will go to the URL specified in the value of the configured annotation.


.spec.api

(object)

.spec.api.namespaces

(object)

Settings that control what namespaces are returned by Kiali.


.spec.api.namespaces.exclude

(array)

A list of namespaces to be excluded from the list of namespaces provided by the Kiali API and Kiali UI. Regex is supported. This does not affect explicit namespace access.


.spec.api.namespaces.exclude[*]

(string)

.spec.api.namespaces.include

(array)

A list of namespaces to be included in the list of namespaces provided by the Kiali API and Kiali UI (if those namespaces exist). Regex is supported. An undefined or empty list is ignored. This does not affect explicit namespace access.


.spec.api.namespaces.include[*]

(string)

.spec.api.namespaces.label_selector_exclude

(string)

A Kubernetes label selector (e.g. myLabel=myValue) which is used for filtering out namespaces when fetching the list of available namespaces. This does not affect explicit namespace access.


.spec.api.namespaces.label_selector_include

(string)

A Kubernetes label selector (e.g. myLabel=myValue) which is used when fetching the list of available namespaces. This does not affect explicit namespace access.

If deployment.accessible_namespaces does not have the special value of '**' then the Kiali operator will add a new label to all accessible namespaces - that new label will be this label_selector_include (this label is added regardless if the namespace matches the label_selector_exclude also).

Note that if you do not set this label_selector_include setting but deployment.accessible_namespaces does not have the special “all namespaces” entry of '**' then this label_selector_include will be set to a default value of kiali.io/[<deployment.instance_name>.]member-of=<deployment.namespace> where [<deployment.instance_name>.] is the instance name assigned to the Kiali installation if it is not the default ‘kiali’ (otherwise, this is omitted) and <deployment.namespace> is the namespace where Kiali is to be installed.


.spec.auth

(object)

.spec.auth.openid

(object)

To learn more about these settings and how to configure the OpenId authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openid/


.spec.auth.openid.additional_request_params

(object)

.spec.auth.openid.allowed_domains

(array)

.spec.auth.openid.allowed_domains[*]

(string)

.spec.auth.openid.api_proxy

(string)

.spec.auth.openid.api_proxy_ca_data

(string)

.spec.auth.openid.api_token

(string)

.spec.auth.openid.authentication_timeout

(integer)

.spec.auth.openid.authorization_endpoint

(string)

.spec.auth.openid.client_id

(string)

.spec.auth.openid.disable_rbac

(boolean)

.spec.auth.openid.http_proxy

(string)

.spec.auth.openid.https_proxy

(string)

.spec.auth.openid.insecure_skip_verify_tls

(boolean)

.spec.auth.openid.issuer_uri

(string)

.spec.auth.openid.scopes

(array)

.spec.auth.openid.scopes[*]

(string)

.spec.auth.openid.username_claim

(string)

.spec.auth.openshift

(object)

To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/


.spec.auth.openshift.auth_timeout

(integer)

The amount of time in seconds Kiali will wait for a response from the OpenShift API server when requesting authentication results.


.spec.auth.openshift.client_id_prefix

(string)

The Route resource name and OAuthClient resource name will have this value as its prefix. This value normally should never change. The installer will ensure this value is set correctly.


.spec.auth.openshift.token_inactivity_timeout

(integer)

Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting.


.spec.auth.openshift.token_max_age

(integer)

A time duration in seconds that overrides the default OpenShift access token max age. If 0 then there will be no expiration of tokens.


.spec.auth.strategy

(string)

Determines what authentication strategy to use when users log into Kiali. Options are anonymous, token, openshift, openid, or header.

  • Choose anonymous to allow full access to Kiali without requiring any credentials.
  • Choose token to allow access to Kiali using service account tokens, which controls access based on RBAC roles assigned to the service account.
  • Choose openshift to use the OpenShift OAuth login which controls access based on the individual’s RBAC roles in OpenShift. Not valid for non-OpenShift environments.
  • Choose openid to enable OpenID Connect-based authentication. Your cluster is required to be configured to accept the tokens issued by your IdP. There are additional required configurations for this strategy. See below for the additional OpenID configuration section.
  • Choose header when Kiali is running behind a reverse proxy that will inject an Authorization header and potentially impersonation headers.

When empty, this value will default to openshift on OpenShift and token on other Kubernetes environments.


.spec.custom_dashboards

(array)

A list of user-defined custom monitoring dashboards that you can use to generate metrics charts for your applications. The server has some built-in dashboards; if you define a custom dashboard here with the same name as a built-in dashboard, your custom dashboard takes precedence and will overwrite the built-in dashboard. You can disable one or more of the built-in dashboards by simply defining an empty dashboard.

An example of an additional user-defined dashboard,

- name: myapp
  title: My App Metrics
  items:
  - chart:
      name: "Thread Count"
      spans: 4
      metricName: "thread-count"
      dataType: "raw"

An example of disabling a built-in dashboard (in this case, disabling the Envoy dashboard),

- name: envoy

To learn more about custom monitoring dashboards, see the documentation at https://kiali.io/docs/configuration/custom-dashboard/


.spec.custom_dashboards[*]

(object)

.spec.deployment

(object)

.spec.deployment.accessible_namespaces

(array)

A list of namespaces Kiali is to be given access to. These namespaces have service mesh components that are to be observed by Kiali. You can provide names using regex expressions matched against all namespaces the operator can see. The default makes all namespaces accessible except for some internal namespaces that typically should be ignored. NOTE! If this has an entry with the special value of '**' (two asterisks), that will denote you want Kiali to be given access to all namespaces via a single cluster role (if using this special value of '**', you are required to have already granted the operator permissions to create cluster roles and cluster role bindings).


.spec.deployment.accessible_namespaces[*]

(string)

.spec.deployment.additional_service_yaml

(object)

Additional custom yaml to add to the service definition. This is used mainly to customize the service type. For example, if the deployment.service_type is set to ‘LoadBalancer’ and you want to set the loadBalancerIP, you can do so here with: additional_service_yaml: { 'loadBalancerIP': '78.11.24.19' }. Another example would be if the deployment.service_type is set to ‘ExternalName’ you will need to configure the name via: additional_service_yaml: { 'externalName': 'my.kiali.example.com' }. A final example would be if external IPs need to be set: additional_service_yaml: { 'externalIPs': ['80.11.12.10'] }


.spec.deployment.affinity

(object)

Affinity definitions that are to be used to define the nodes where the Kiali pod should be constrained. See the Kubernetes documentation on Assigning Pods to Nodes for the proper syntax for these three different affinity types.


.spec.deployment.affinity.node

(object)

.spec.deployment.affinity.pod

(object)

.spec.deployment.affinity.pod_anti

(object)

.spec.deployment.configmap_annotations

(object)

Custom annotations to be created on the Kiali ConfigMap.


.spec.deployment.custom_secrets

(array)

Defines additional secrets that are to be mounted in the Kiali pod.

These are useful to contain certs that are used by Kiali to securely connect to third party systems (for example, see external_services.tracing.auth.ca_file).

These secrets must be created by an external mechanism. Kiali will not generate these secrets; it is assumed these secrets are externally managed. You can define 0, 1, or more secrets. An example configuration is,

custom_secrets:
- name: mysecret
  mount: /mysecret-path
- name: my-other-secret
  mount: /my-other-secret-location
  optional: true

.spec.deployment.custom_secrets[*]

(object)

.spec.deployment.custom_secrets[*].mount

(string) *Required*

The file path location where the secret content will be mounted. The custom secret cannot be mounted on a path that the operator will use to mount its secrets. Make sure you set your custom secret mount path to a unique, unused path. Paths such as /kiali-configuration, /kiali-cert, /kiali-cabundle, and /kiali-secret should not be used as mount paths for custom secrets because the operator may want to use one of those paths.


.spec.deployment.custom_secrets[*].name

(string) *Required*

The name of the secret that is to be mounted to the Kiali pod’s file system. The name of the custom secret must not be the same name as one created by the operator. Names such as kiali, kiali-cert-secret, and kiali-cabundle should not be used as a custom secret name because the operator may want to create one with one of those names.


.spec.deployment.custom_secrets[*].optional

(boolean)

Indicates if the secret may or may not exist at the time the Kiali pod starts. This will default to ‘false’ if not specified.


.spec.deployment.host_aliases

(array)

This is content for the Kubernetes ‘hostAliases’ setting for the Kiali server. This allows you to modify the Kiali server pod ‘/etc/hosts’ file. A typical way to configure this setting is,

host_aliases:
- ip: 192.168.1.100
  hostnames:
  - "foo.local"
  - "bar.local"

For details on the content of this setting, see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/#adding-additional-entries-with-hostaliases


.spec.deployment.host_aliases[*]

(object)

.spec.deployment.host_aliases[*].hostnames

(array)

.spec.deployment.host_aliases[*].hostnames[*]

(string)

.spec.deployment.host_aliases[*].ip

(string)

.spec.deployment.hpa

(object)

Determines what (if any) HorizontalPodAutoscaler should be created to autoscale the Kiali pod. A typical way to configure HPA for Kiali is,

hpa:
  api_version: "autoscaling/v2"
  spec:
    maxReplicas: 2
    minReplicas: 1
    metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 50

.spec.deployment.hpa.api_version

(string)

A specific HPA API version that can be specified in case there is some HPA feature you want to use that is only supported in that specific version. If value is an empty string, an attempt will be made to determine a valid version.


.spec.deployment.hpa.spec

(object)

The spec specified here will be placed in the created HPA resource’s ‘spec’ section. If spec is left empty, no HPA resource will be created. Note that you must not specify the ‘scaleTargetRef’ section in spec; the Kiali Operator will populate that for you.


.spec.deployment.image_digest

(string)

If deployment.image_version is a digest hash, this value indicates what type of digest it is. A typical value would be ‘sha256’. Note: do NOT prefix this value with a ‘@’.


.spec.deployment.image_name

(string)

Determines which Kiali image to download and install. If you set this to a specific name (i.e. you do not leave it as the default empty string), you must make sure that image is supported by the operator. If empty, the operator will use a known supported image name based on which version was defined. Note that, as a security measure, a cluster admin may have configured the Kiali operator to ignore this setting. A cluster admin may do this to ensure the Kiali operator only installs a single, specific Kiali version, thus this setting may have no effect depending on how the operator itself was configured.


.spec.deployment.image_pull_policy

(string)

The Kubernetes pull policy for the Kiali deployment. This is overridden to be ‘Always’ if deployment.image_version is set to ‘latest’.


.spec.deployment.image_pull_secrets

(array)

The names of the secrets to be used when container images are to be pulled.


.spec.deployment.image_pull_secrets[*]

(string)

.spec.deployment.image_version

(string)

Determines which version of Kiali to install. Choose ‘lastrelease’ to use the last Kiali release. Choose ‘latest’ to use the latest image (which may or may not be a released version of Kiali). Choose ‘operator_version’ to use the image whose version is the same as the operator version. Otherwise, you can set this to any valid Kiali version (such as ‘v1.0’) or any valid Kiali digest hash (if you set this to a digest hash, you must indicate the digest in deployment.image_digest).

Note that if this is set to ‘latest’ then the deployment.image_pull_policy will be set to ‘Always’.

If you set this to a specific version (i.e. you do not leave it as the default empty string), you must make sure that image is supported by the operator.

If empty, the operator will use a known supported image version based on which ‘version’ was defined. Note that, as a security measure, a cluster admin may have configured the Kiali operator to ignore this setting. A cluster admin may do this to ensure the Kiali operator only installs a single, specific Kiali version, thus this setting may have no effect depending on how the operator itself was configured.


.spec.deployment.ingress

(object)

Configures if/how the Kiali endpoint should be exposed externally.


.spec.deployment.ingress.additional_labels

(object)

Additional labels to add to the Ingress (or Route if on OpenShift). These are added to the labels that are created by default; these do not override the default labels.


.spec.deployment.ingress.class_name

(string)

If class_name is a non-empty string, it will be used as the ‘spec.ingressClassName’ in the created Kubernetes Ingress resource. This setting is ignored if on OpenShift. This is also ignored if override_yaml.spec is defined (i.e. you must define the ‘ingressClassName’ directly in your override yaml).


.spec.deployment.ingress.enabled

(boolean)

Determines if the Kiali endpoint should be exposed externally. If ‘true’, an Ingress will be created if on Kubernetes or a Route if on OpenShift. If left undefined, this will be ‘false’ on Kubernetes and ‘true’ on OpenShift.


.spec.deployment.ingress.override_yaml

(object)

Because an Ingress into a cluster can vary wildly in its desired configuration, this setting provides a way to override complete portions of the Ingress resource configuration (Ingress on Kubernetes and Route on OpenShift). It is up to the user to ensure this override YAML configuration is valid and supports the cluster environment since the operator will blindly copy this custom configuration into the resource it creates.

This setting is not used if deployment.ingress.enabled is set to ‘false’. Note that only ‘metadata.annotations’ and ‘spec’ is valid and only they will be used to override those same sections in the created resource. You can define either one or both.

Note that override_yaml.metadata.labels is not allowed - you cannot override the labels; to add labels to the default set of labels, use the deployment.ingress.additional_labels setting. Example,

override_yaml:
  metadata:
    annotations:
      nginx.ingress.kubernetes.io/secure-backends: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  spec:
    rules:
    - http:
        paths:
        - path: /kiali
          pathType: Prefix
          backend:
            service
              name: "kiali"
              port:
                number: 20001

.spec.deployment.ingress.override_yaml.metadata

(object)

.spec.deployment.ingress.override_yaml.metadata.annotations

(object)

.spec.deployment.ingress.override_yaml.spec

(object)

.spec.deployment.instance_name

(string)

The instance name of this Kiali installation. This instance name will be the prefix prepended to the names of all Kiali resources created by the operator and will be used to label those resources as belonging to this Kiali installation instance. You cannot change this instance name after a Kiali CR is created. If you attempt to change it, the operator will abort with an error. If you want to change it, you must first delete the original Kiali CR and create a new one. Note that this does not affect the name of the auto-generated signing key secret. If you do not supply a signing key, the operator will create one for you in a secret, but that secret will always be named ‘kiali-signing-key’ and shared across all Kiali instances in the same deployment namespace. If you want a different signing key secret, you are free to create your own and tell the operator about it via login_token.signing_key. See the docs on that setting for more details. Note also that if you are setting this value, you may also want to change the installation_tag setting, but this is not required.


.spec.deployment.logger

(object)

Configures the logger that emits messages to the Kiali server pod logs.


.spec.deployment.logger.log_format

(string)

Indicates if the logs should be written with one log message per line or using a JSON format. Must be one of: text or json.


.spec.deployment.logger.log_level

(string)

The lowest priority of messages to log. Must be one of: trace, debug, info, warn, error, or fatal.


.spec.deployment.logger.sampler_rate

(string)

With this setting every sampler_rate-th message will be logged. By default, every message is logged. As an example, setting this to '2' means every other message will be logged. The value of this setting is a string but must be parsable as an integer.


.spec.deployment.logger.time_field_format

(string)

The log message timestamp format. This supports a golang time format (see https://golang.org/pkg/time/)


.spec.deployment.namespace

(string)

The namespace into which Kiali is to be installed. If this is empty or not defined, the default will be the namespace where the Kiali CR is located.


.spec.deployment.node_selector

(object)

A set of node labels that dictate onto which node the Kiali pod will be deployed.


.spec.deployment.pod_annotations

(object)

Custom annotations to be created on the Kiali pod.


.spec.deployment.pod_labels

(object)

Custom labels to be created on the Kiali pod. An example use for this setting is to inject an Istio sidecar such as,

sidecar.istio.io/inject: "true"

.spec.deployment.priority_class_name

(string)

The priorityClassName used to assign the priority of the Kiali pod.


.spec.deployment.replicas

(integer)

The replica count for the Kiail deployment.


.spec.deployment.resources

(object)

Defines compute resources that are to be given to the Kiali pod’s container. The value is a dict as defined by Kubernetes. See the Kubernetes documentation (https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container). If you set this to an empty dict ({}) then no resources will be defined in the Deployment. If you do not set this at all, the default is,

requests:
  cpu: "10m"
  memory: "64Mi"
limits:
  memory: "1Gi"

.spec.deployment.secret_name

(string)

The name of a secret used by the Kiali. This secret is optionally used when configuring the OpenID authentication strategy. Consult the OpenID docs for more information at https://kiali.io/docs/configuration/authentication/openid/


.spec.deployment.security_context

(object)

Custom security context to be placed on the server container. The entire security context on the container will be the value of this setting if the operator is configured to allow it. Note that, as a security measure, a cluster admin may have configured the Kiali operator to not allow portions of this override setting - in this case you can specify additional security context settings but you cannot replace existing, default ones.


.spec.deployment.service_annotations

(object)

Custom annotations to be created on the Kiali Service resource.


.spec.deployment.service_type

(string)

The Kiali service type. Kubernetes determines what values are valid. Common values are ‘NodePort’, ‘ClusterIP’, and ‘LoadBalancer’.


.spec.deployment.tolerations

(array)

A list of tolerations which declare which node taints Kiali can tolerate. See the Kubernetes documentation on Taints and Tolerations for more details.


.spec.deployment.tolerations[*]

(object)

.spec.deployment.verbose_mode

(string)

DEPRECATED! Determines which priority levels of log messages Kiali will output. Use deployment.logger settings instead.


.spec.deployment.version_label

(string)

Kiali resources will be assigned a ‘version’ label when they are deployed. This setting determines what value those ‘version’ labels will have. When empty, its default will be determined as follows,

  • If deployment.image_version is ‘latest’, version_label will be fixed to ‘master’.
  • If deployment.image_version is ‘lastrelease’, version_label will be fixed to the last Kiali release version string.
  • If deployment.image_version is anything else, version_label will be that value, too.

.spec.deployment.view_only_mode

(boolean)

When true, Kiali will be in ‘view only’ mode, allowing the user to view and retrieve management and monitoring data for the service mesh, but not allow the user to modify the service mesh.


.spec.external_services

(object)

These external service configuration settings define how to connect to the external services like Prometheus, Grafana, and Jaeger.

Regarding sensitive values in the external_services ‘auth’ sections: Some external services configured below support an ‘auth’ sub-section in order to tell Kiali how it should authenticate with the external services. Credentials used to authenticate Kiali to those external services can be defined in the auth.password and auth.token values within the auth sub-section. Because these are sensitive values, you may not want to declare the actual credentials here in the Kiali CR. In this case, you may store the actual password or token string in a Kubernetes secret. If you do, you need to set the auth.password or auth.token to a value in the format secret:<secretName>:<secretKey> where <secretName> is the name of the secret object that Kiali can access, and <secretKey> is the name of the key within the named secret that contains the actual password or token string. For example, if Grafana requires a password, you can store that password in a secret named ‘myGrafanaCredentials’ in a key named ‘myGrafanaPw’. In this case, you would set external_services.grafana.auth.password to secret:myGrafanaCredentials:myGrafanaPw.


.spec.external_services.custom_dashboards

(object)

Settings for enabling and discovering custom dashboards.


.spec.external_services.custom_dashboards.discovery_auto_threshold

(integer)

Threshold of the number of pods, for a given Application or Workload, above which dashboards discovery will be skipped. This setting only takes effect when discovery_enabled is set to ‘auto’.


.spec.external_services.custom_dashboards.discovery_enabled

(string)

Enable, disable or set ‘auto’ mode to the dashboards discovery process. If set to ‘true’, Kiali will always try to discover dashboards based on metrics. Note that this can generate performance penalties while discovering dashboards for workloads having many pods (thus many metrics). When set to ‘auto’, Kiali will skip dashboards discovery for workloads with more than a configured threshold of pods (see discovery_auto_threshold). When discovery is disabled or auto/skipped, it is still possible to tie workloads with dashboards through annotations on pods (refer to the doc https://kiali.io/docs/configuration/custom-dashboard/#pod-annotations). Value must be one of: true, false, auto.


.spec.external_services.custom_dashboards.enabled

(boolean)

Enable or disable custom dashboards, including the dashboards discovery process.


.spec.external_services.custom_dashboards.is_core

(boolean)

Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.


.spec.external_services.custom_dashboards.namespace_label

(string)

The Prometheus label name used for identifying namespaces in metrics for custom dashboards. The default is namespace but you may want to use kubernetes_namespace depending on your Prometheus configuration.


.spec.external_services.custom_dashboards.prometheus

(object)

The Prometheus configuration defined here refers to the Prometheus instance that is dedicated to fetching metrics for custom dashboards. This means you can obtain these metrics for the custom dashboards from a Prometheus instance that is different from the one that Istio uses. If this section is omitted, the same Prometheus that is used to obtain the Istio metrics will also be used for retrieving custom dashboard metrics.


.spec.external_services.custom_dashboards.prometheus.auth

(object)

Settings used to authenticate with the Prometheus instance.


.spec.external_services.custom_dashboards.prometheus.auth.ca_file

(string)

The certificate authority file to use when accessing Prometheus using https. An empty string means no extra certificate authority file is used.


.spec.external_services.custom_dashboards.prometheus.auth.insecure_skip_verify

(boolean)

Set true to skip verifying certificate validity when Kiali contacts Prometheus over https.


.spec.external_services.custom_dashboards.prometheus.auth.password

(string)

Password to be used when making requests to Prometheus, for basic authentication. May refer to a secret.


.spec.external_services.custom_dashboards.prometheus.auth.token

(string)

Token / API key to access Prometheus, for token-based authentication. May refer to a secret.


.spec.external_services.custom_dashboards.prometheus.auth.type

(string)

The type of authentication to use when contacting the server. Use bearer to send the token to the Prometheus server. Use basic to connect with username and password credentials. Use none to not use any authentication (this is the default).


.spec.external_services.custom_dashboards.prometheus.auth.use_kiali_token

(boolean)

When true and if auth.type is bearer, Kiali Service Account token will be used for the API calls to Prometheus (in this case, auth.token config is ignored).


.spec.external_services.custom_dashboards.prometheus.auth.username

(string)

Username to be used when making requests to Prometheus with basic authentication.


.spec.external_services.custom_dashboards.prometheus.cache_duration

(integer)

Prometheus caching duration expressed in seconds.


.spec.external_services.custom_dashboards.prometheus.cache_enabled

(boolean)

Enable/disable Prometheus caching used for Health services.


.spec.external_services.custom_dashboards.prometheus.cache_expiration

(integer)

Prometheus caching expiration expressed in seconds.


.spec.external_services.custom_dashboards.prometheus.custom_headers

(object)

A set of name/value settings that will be passed as headers when requests are sent to Prometheus.


.spec.external_services.custom_dashboards.prometheus.health_check_url

(string)

Used in the Components health feature. This is the url which Kiali will ping to determine whether the component is reachable or not. It defaults to url when not provided.


.spec.external_services.custom_dashboards.prometheus.is_core

(boolean)

Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.


.spec.external_services.custom_dashboards.prometheus.query_scope

(object)

A set of labelName/labelValue settings applied to every Prometheus query. Used to narrow unified metrics to only those scoped to the Kiali instance.


.spec.external_services.custom_dashboards.prometheus.thanos_proxy

(object)

Define this section if Prometheus is to be queried through a Thanos proxy. Kiali will still use the url setting to query for Prometheus metrics so make sure that is set appropriately.


.spec.external_services.custom_dashboards.prometheus.thanos_proxy.enabled

(boolean)

Set to true when a Thanos proxy is in front of Prometheus.


.spec.external_services.custom_dashboards.prometheus.thanos_proxy.retention_period

(string)

Thanos Retention period value expresed as a string.


.spec.external_services.custom_dashboards.prometheus.thanos_proxy.scrape_interval

(string)

Thanos Scrape interval value expresed as a string.


.spec.external_services.custom_dashboards.prometheus.url

(string)

The URL used to query the Prometheus Server. This URL must be accessible from the Kiali pod. If empty, the default will assume Prometheus is in the Istio control plane namespace; e.g. http://prometheus.<istio_namespace>:9090.


.spec.external_services.grafana

(object)

Configuration used to access the Grafana dashboards.


.spec.external_services.grafana.auth

(object)

Settings used to authenticate with the Grafana instance.


.spec.external_services.grafana.auth.ca_file

(string)

The certificate authority file to use when accessing Grafana using https. An empty string means no extra certificate authority file is used.


.spec.external_services.grafana.auth.insecure_skip_verify

(boolean)

Set true to skip verifying certificate validity when Kiali contacts Grafana over https.


.spec.external_services.grafana.auth.password

(string)

Password to be used when making requests to Grafana, for basic authentication. May refer to a secret.


.spec.external_services.grafana.auth.token

(string)

Token / API key to access Grafana, for token-based authentication. May refer to a secret.


.spec.external_services.grafana.auth.type

(string)

The type of authentication to use when contacting the server. Use bearer to send the token to the Grafana server. Use basic to connect with username and password credentials. Use none to not use any authentication (this is the default).


.spec.external_services.grafana.auth.use_kiali_token

(boolean)

When true and if auth.type is bearer, Kiali Service Account token will be used for the API calls to Grafana (in this case, auth.token config is ignored).


.spec.external_services.grafana.auth.username

(string)

Username to be used when making requests to Grafana with basic authentication.


.spec.external_services.grafana.dashboards

(array)

A list of Grafana dashboards that Kiali can link to.


.spec.external_services.grafana.dashboards[*]

(object)

.spec.external_services.grafana.dashboards[*].name

(string)

The name of the Grafana dashboard.


.spec.external_services.grafana.dashboards[*].variables

(object)

.spec.external_services.grafana.dashboards[*].variables.app

(string)

The name of a variable that holds the app name, if used in that dashboard (else it must be omitted).


.spec.external_services.grafana.dashboards[*].variables.namespace

(string)

The name of a variable that holds the namespace, if used in that dashboard (else it must be omitted).


.spec.external_services.grafana.dashboards[*].variables.service

(string)

The name of a variable that holds the service name, if used in that dashboard (else it must be omitted).


.spec.external_services.grafana.dashboards[*].variables.workload

(string)

The name of a variable that holds the workload name, if used in that dashboard (else it must be omitted).


.spec.external_services.grafana.enabled

(boolean)

When true, Grafana support will be enabled in Kiali.


.spec.external_services.grafana.health_check_url

(string)

Used in the Components health feature. This is the URL which Kiali will ping to determine whether the component is reachable or not. It defaults to in_cluster_url when not provided.


.spec.external_services.grafana.in_cluster_url

(string)

The URL used for in-cluster access. An example would be http://grafana.istio-system:3000. This URL can contain query parameters if needed, such as ‘?orgId=1’. If not defined, it will default to http://grafana.<istio_namespace>:3000.


.spec.external_services.grafana.is_core

(boolean)

Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.


.spec.external_services.grafana.url

(string)

The URL that Kiali uses when integrating with Grafana. This URL must be accessible to clients external to the cluster in order for the integration to work properly. If empty, an attempt to auto-discover it is made. This URL can contain query parameters if needed, such as ‘?orgId=1’.


.spec.external_services.istio

(object)

Istio configuration that Kiali needs to know about in order to observe the mesh.


.spec.external_services.istio.component_status

(object)

Istio components whose status will be monitored by Kiali.


.spec.external_services.istio.component_status.components

(array)

A specific Istio component whose status will be monitored by Kiali.


.spec.external_services.istio.component_status.components[*]

(object)

.spec.external_services.istio.component_status.components[*].app_label

(string)

Istio component pod app label.


.spec.external_services.istio.component_status.components[*].is_core

(boolean)

Whether the component is to be considered a core component for your deployment.


.spec.external_services.istio.component_status.components[*].is_proxy

(boolean)

Whether the component is a native Envoy proxy.


.spec.external_services.istio.component_status.components[*].namespace

(string)

The namespace where the component is installed. It defaults to the Istio control plane namespace (e.g. istio_namespace) setting. Note that the Istio documentation suggests you install the ingress and egress to different namespaces, so you most likely will want to explicitly set this namespace value for the ingress and egress components.


.spec.external_services.istio.component_status.enabled

(boolean)

Determines if Istio component statuses will be displayed in the Kiali masthead indicator.


.spec.external_services.istio.config_map_name

(string)

The name of the istio control plane config map.


.spec.external_services.istio.envoy_admin_local_port

(integer)

The port which kiali will open to fetch envoy config data information.


.spec.external_services.istio.gateway_api_class_name

(string)

The K8s Gateway API GatewayClass’s Name used in Istio. If empty, the default value ‘istio’ is used.


.spec.external_services.istio.istio_canary_revision

(object)

These values are used in Canary upgrade/downgrade functionality when istio_upgrade_action is true.


.spec.external_services.istio.istio_canary_revision.current

(string)

The currently installed Istio revision.


.spec.external_services.istio.istio_canary_revision.upgrade

(string)

The installed Istio canary revision to upgrade to.


.spec.external_services.istio.istio_identity_domain

(string)

The annotation used by Istio to identify domains.


.spec.external_services.istio.istio_injection_annotation

(string)

The name of the field that annotates a workload to indicate a sidecar should be automatically injected by Istio. This is the name of a Kubernetes annotation. Note that some Istio implementations also support labels by the same name. In other words, if a workload has a Kubernetes label with this name, that may also trigger automatic sidecar injection.


.spec.external_services.istio.istio_sidecar_annotation

(string)

The pod annotation used by Istio to identify the sidecar.


.spec.external_services.istio.istio_sidecar_injector_config_map_name

(string)

The name of the istio-sidecar-injector config map.


.spec.external_services.istio.istiod_deployment_name

(string)

The name of the istiod deployment.


.spec.external_services.istio.istiod_pod_monitoring_port

(integer)

The monitoring port of the IstioD pod (not the Service).


.spec.external_services.istio.root_namespace

(string)

The namespace to treat as the administrative root namespace for Istio configuration.


.spec.external_services.istio.url_service_version

(string)

The Istio service used to determine the Istio version. If empty, assumes the URL for the well-known Istio version endpoint.


.spec.external_services.prometheus

(object)

The Prometheus configuration defined here refers to the Prometheus instance that is used by Istio to store its telemetry.


.spec.external_services.prometheus.auth

(object)

Settings used to authenticate with the Prometheus instance.


.spec.external_services.prometheus.auth.ca_file

(string)

The certificate authority file to use when accessing Prometheus using https. An empty string means no extra certificate authority file is used.


.spec.external_services.prometheus.auth.insecure_skip_verify

(boolean)

Set true to skip verifying certificate validity when Kiali contacts Prometheus over https.


.spec.external_services.prometheus.auth.password

(string)

Password to be used when making requests to Prometheus, for basic authentication. May refer to a secret.


.spec.external_services.prometheus.auth.token

(string)

Token / API key to access Prometheus, for token-based authentication. May refer to a secret.


.spec.external_services.prometheus.auth.type

(string)

The type of authentication to use when contacting the server. Use bearer to send the token to the Prometheus server. Use basic to connect with username and password credentials. Use none to not use any authentication (this is the default).


.spec.external_services.prometheus.auth.use_kiali_token

(boolean)

When true and if auth.type is bearer, Kiali Service Account token will be used for the API calls to Prometheus (in this case, auth.token config is ignored).


.spec.external_services.prometheus.auth.username

(string)

Username to be used when making requests to Prometheus with basic authentication.


.spec.external_services.prometheus.cache_duration

(integer)

Prometheus caching duration expressed in seconds.


.spec.external_services.prometheus.cache_enabled

(boolean)

Enable/disable Prometheus caching used for Health services.


.spec.external_services.prometheus.cache_expiration

(integer)

Prometheus caching expiration expressed in seconds.


.spec.external_services.prometheus.custom_headers

(object)

A set of name/value settings that will be passed as headers when requests are sent to Prometheus.


.spec.external_services.prometheus.health_check_url

(string)

Used in the Components health feature. This is the url which Kiali will ping to determine whether the component is reachable or not. It defaults to url when not provided.


.spec.external_services.prometheus.is_core

(boolean)

Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.


.spec.external_services.prometheus.query_scope

(object)

A set of labelName/labelValue settings applied to every Prometheus query. Used to narrow unified metrics to only those scoped to the Kiali instance.


.spec.external_services.prometheus.thanos_proxy

(object)

Define this section if Prometheus is to be queried through a Thanos proxy. Kiali will still use the url setting to query for Prometheus metrics so make sure that is set appropriately.


.spec.external_services.prometheus.thanos_proxy.enabled

(boolean)

Set to true when a Thanos proxy is in front of Prometheus.


.spec.external_services.prometheus.thanos_proxy.retention_period

(string)

Thanos Retention period value expresed as a string.


.spec.external_services.prometheus.thanos_proxy.scrape_interval

(string)

Thanos Scrape interval value expresed as a string.


.spec.external_services.prometheus.url

(string)

The URL used to query the Prometheus Server. This URL must be accessible from the Kiali pod. If empty, the default will assume Prometheus is in the Istio control plane namespace; e.g. http://prometheus.<istio_namespace>:9090.


.spec.external_services.tracing

(object)

Configuration used to access the Tracing (Jaeger) dashboards.


.spec.external_services.tracing.auth

(object)

Settings used to authenticate with the Tracing server instance.


.spec.external_services.tracing.auth.ca_file

(string)

The certificate authority file to use when accessing the Tracing server using https. An empty string means no extra certificate authority file is used.


.spec.external_services.tracing.auth.insecure_skip_verify

(boolean)

Set true to skip verifying certificate validity when Kiali contacts the Tracing server over https.


.spec.external_services.tracing.auth.password

(string)

Password to be used when making requests to the Tracing server, for basic authentication. May refer to a secret.


.spec.external_services.tracing.auth.token

(string)

Token / API key to access the Tracing server, for token-based authentication. May refer to a secret.


.spec.external_services.tracing.auth.type

(string)

The type of authentication to use when contacting the server. Use bearer to send the token to the Tracing server. Use basic to connect with username and password credentials. Use none to not use any authentication (this is the default).


.spec.external_services.tracing.auth.use_kiali_token

(boolean)

When true and if auth.type is bearer, Kiali Service Account token will be used for the API calls to the Tracing server (in this case, auth.token config is ignored).


.spec.external_services.tracing.auth.username

(string)

Username to be used when making requests to the Tracing server with basic authentication.


.spec.external_services.tracing.enabled

(boolean)

When true, connections to the Tracing server are enabled. in_cluster_url and/or url need to be provided.


.spec.external_services.tracing.in_cluster_url

(string)

Set URL for in-cluster access, which enables further integration between Kiali and Jaeger. When not provided, Kiali will only show external links using the url setting. Note: Jaeger v1.20+ has separated ports for GRPC(16685) and HTTP(16686) requests. Make sure you use the appropriate port according to the use_grpc value. Example: http://tracing.istio-system:16685


.spec.external_services.tracing.is_core

(boolean)

Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.


.spec.external_services.tracing.namespace_selector

(boolean)

Kiali use this boolean to find traces with a namespace selector : service.namespace.


.spec.external_services.tracing.query_scope

(object)

A set of tagKey/tagValue settings applied to every Jaeger query. Used to narrow unified traces to only those scoped to the Kiali instance.


.spec.external_services.tracing.url

(string)

The external URL that will be used to generate links to Jaeger. It must be accessible to clients external to the cluster (e.g: a browser) in order to generate valid links. If the tracing service is deployed with a QUERY_BASE_PATH set, set this URL like https:///. For example, https://tracing-service:8080/jaeger


.spec.external_services.tracing.use_grpc

(boolean)

Set to true in order to enable GRPC connections between Kiali and Jaeger which will speed up the queries. In some setups you might not be able to use GRPC (e.g. if Jaeger is behind some reverse proxy that doesn’t support it). If not specified, this will defalt to ‘false’ if deployed within a Maistra/OSSM+OpenShift environment, ‘true’ otherwise.


.spec.external_services.tracing.whitelist_istio_system

(array)

Kiali will get the traces of these services found in the Istio control plane namespace.


.spec.external_services.tracing.whitelist_istio_system[*]

(string)

A name of a service found in the Istio control plane namespace whose traces will be retrieved by Kiali.


.spec.health_config

(object)

This section defines what it means for nodes to be healthy. For more details, see https://kiali.io/docs/configuration/health/


.spec.health_config.rate

(array)

.spec.health_config.rate[*]

(object)

.spec.health_config.rate[*].kind

(string)

The type of resource that this configuration applies to. This is a regular expression.


.spec.health_config.rate[*].name

(string)

The name of a resource that this configuration applies to. This is a regular expression.


.spec.health_config.rate[*].namespace

(string)

The name of the namespace that this configuration applies to. This is a regular expression.


.spec.health_config.rate[*].tolerance

(array)

A list of tolerances for this configuration.


.spec.health_config.rate[*].tolerance[*]

(object)

.spec.health_config.rate[*].tolerance[*].code

(string)

The status code that applies for this tolerance. This is a regular expression.


.spec.health_config.rate[*].tolerance[*].degraded

(integer)

Health will be considered degraded when the telemetry reaches this value (specified as an integer representing a percentage).


.spec.health_config.rate[*].tolerance[*].direction

(string)

The direction that applies for this tolerance (e.g. inbound or outbound). This is a regular expression.


.spec.health_config.rate[*].tolerance[*].failure

(integer)

A failure status will be shown when the telemetry reaches this value (specified as an integer representing a percentage).


.spec.health_config.rate[*].tolerance[*].protocol

(string)

The protocol that applies for this tolerance (e.g. grpc or http). This is a regular expression.


.spec.identity

(object)

Settings that define the Kiali server identity.


.spec.identity.cert_file

(string)

Certificate file used to identify the Kiali server. If set, you must go over https to access Kiali. The Kiali operator will set this if it deploys Kiali behind https. When left undefined, the operator will attempt to generate a cluster-specific cert file that provides https by default (today, this auto-generation of a cluster-specific cert is only supported on OpenShift). When set to an empty string, https will be disabled.


.spec.identity.private_key_file

(string)

Private key file used to identify the Kiali server. If set, you must go over https to access Kiali. When left undefined, the Kiali operator will attempt to generate a cluster-specific private key file that provides https by default (today, this auto-generation of a cluster-specific private key is only supported on OpenShift). When set to an empty string, https will be disabled.


.spec.installation_tag

(string)

Tag used to identify a particular instance/installation of the Kiali server. This is merely a human-readable string that will be used within Kiali to help a user identify the Kiali being used (e.g. in the Kiali UI title bar). See deployment.instance_name for the setting used to customize Kiali resource names that are created.


.spec.istio_labels

(object)

Defines specific labels used by Istio that Kiali needs to know about.


.spec.istio_labels.app_label_name

(string)

The name of the label used to define what application a workload belongs to. This is typically something like app or app.kubernetes.io/name.


.spec.istio_labels.injection_label_name

(string)

The name of the label used to instruct Istio to automatically inject sidecar proxies when applications are deployed.


.spec.istio_labels.injection_label_rev

(string)

The label used to identify the Istio revision.


.spec.istio_labels.version_label_name

(string)

The name of the label used to define what version of the application a workload belongs to. This is typically something like version or app.kubernetes.io/version.


.spec.istio_namespace

(string)

The namespace where Istio is installed. If left empty, it is assumed to be the same namespace as where Kiali is installed (i.e. deployment.namespace).


.spec.kiali_feature_flags

(object)

Kiali features that can be enabled or disabled.


.spec.kiali_feature_flags.certificates_information_indicators

(object)

Flag to enable/disable displaying certificates information and which secrets to grant read permissions.


.spec.kiali_feature_flags.certificates_information_indicators.enabled

(boolean)

.spec.kiali_feature_flags.certificates_information_indicators.secrets

(array)

.spec.kiali_feature_flags.certificates_information_indicators.secrets[*]

(string)

.spec.kiali_feature_flags.clustering

(object)

Clustering and federation related features.


.spec.kiali_feature_flags.clustering.enabled

(boolean)

Flag to enable/disable clustering and federation related features.


.spec.kiali_feature_flags.disabled_features

(array)

There may be some features that admins do not want to be accessible to users (even in ‘view only’ mode). In this case, this setting allows you to disable one or more of those features entirely.


.spec.kiali_feature_flags.disabled_features[*]

(string)

.spec.kiali_feature_flags.istio_injection_action

(boolean)

Flag to enable/disable an Action to label a namespace for automatic Istio Sidecar injection.


.spec.kiali_feature_flags.istio_upgrade_action

(boolean)

Flag to activate the Kiali functionality of upgrading namespaces to point to an installed Istio Canary revision. Related Canary upgrade and current revisions of Istio should be defined in istio_canary_revision section.


.spec.kiali_feature_flags.ui_defaults

(object)

Default settings for the UI. These defaults apply to all users.


.spec.kiali_feature_flags.ui_defaults.graph

(object)

Default settings for the Graph UI.


.spec.kiali_feature_flags.ui_defaults.graph.find_options

(array)

A list of commonly used and useful find expressions that will be provided to the user out-of-box.


.spec.kiali_feature_flags.ui_defaults.graph.find_options[*]

(object)

.spec.kiali_feature_flags.ui_defaults.graph.find_options[*].description

(string)

Human-readable text to let the user know what the expression does.


.spec.kiali_feature_flags.ui_defaults.graph.find_options[*].expression

(string)

The find expression.


.spec.kiali_feature_flags.ui_defaults.graph.hide_options

(array)

A list of commonly used and useful hide expressions that will be provided to the user out-of-box.


.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*]

(object)

.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*].description

(string)

Human-readable text to let the user know what the expression does.


.spec.kiali_feature_flags.ui_defaults.graph.hide_options[*].expression

(string)

The hide expression.


.spec.kiali_feature_flags.ui_defaults.graph.traffic

(object)

These settings determine which rates are used to determine graph traffic.


.spec.kiali_feature_flags.ui_defaults.graph.traffic.grpc

(string)

gRPC traffic is measured in requests or sent/received/total messages. Value must be one of: none, requests, sent, received, or total.


.spec.kiali_feature_flags.ui_defaults.graph.traffic.http

(string)

HTTP traffic is measured in requests. Value must be one of: none or requests.


.spec.kiali_feature_flags.ui_defaults.graph.traffic.tcp

(string)

TCP traffic is measured in sent/received/total bytes. Only request traffic supplies response codes. Value must be one of: none, sent, received, or total.


.spec.kiali_feature_flags.ui_defaults.metrics_inbound

(object)

Additional label aggregation for inbound metric pages in detail pages. You will see these configurations in the ‘Metric Settings’ drop-down. An example,

metrics_inbound:
  aggregations:
  - display_name: Istio Network
    label: topology_istio_io_network
  - display_name: Istio Revision
    label: istio_io_rev

.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations

(array)

.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations[*]

(object)

.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations[*].display_name

(string)

.spec.kiali_feature_flags.ui_defaults.metrics_inbound.aggregations[*].label

(string)

.spec.kiali_feature_flags.ui_defaults.metrics_outbound

(object)

Additional label aggregation for outbound metric pages in detail pages. You will see these configurations in the ‘Metric Settings’ drop-down. An example,

metrics_outbound:
  aggregations:
  - display_name: Istio Network
    label: topology_istio_io_network
  - display_name: Istio Revision
    label: istio_io_rev

.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations

(array)

.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations[*]

(object)

.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations[*].display_name

(string)

.spec.kiali_feature_flags.ui_defaults.metrics_outbound.aggregations[*].label

(string)

.spec.kiali_feature_flags.ui_defaults.metrics_per_refresh

(string)

Duration of metrics to fetch on each refresh. Value must be one of: 1m, 2m, 5m, 10m, 30m, 1h, 3h, 6h, 12h, 1d, 7d, or 30d


.spec.kiali_feature_flags.ui_defaults.namespaces

(array)

Default selections for the namespace selection dropdown. Non-existent or inaccessible namespaces will be ignored. Omit or set to an empty array for no default namespaces.


.spec.kiali_feature_flags.ui_defaults.namespaces[*]

(string)

.spec.kiali_feature_flags.ui_defaults.refresh_interval

(string)

The automatic refresh interval for pages offering automatic refresh. Value must be one of: pause, 10s, 15s, 30s, 1m, 5m or 15m


.spec.kiali_feature_flags.validations

(object)

Features specific to the validations subsystem.


.spec.kiali_feature_flags.validations.ignore

(array)

A list of one or more validation codes whose errors are to be ignored.


.spec.kiali_feature_flags.validations.ignore[*]

(string)

A validation code (e.g. KIA0101) for a specific validation error that is to be ignored.


.spec.kubernetes_config

(object)

Configuration of Kiali’s access of the Kubernetes API.


.spec.kubernetes_config.burst

(integer)

The Burst value of the Kubernetes client.


.spec.kubernetes_config.cache_duration

(integer)

The ratio interval (expressed in seconds) used for the cache to perform a full refresh. Only used when cache_enabled is true.


.spec.kubernetes_config.cache_enabled

(boolean)

Flag to use a Kubernetes cache for watching changes and updating pods and controllers data asynchronously.


.spec.kubernetes_config.cache_istio_types

(array)

Kiali can cache VirtualService, DestinationRule, Gateway and ServiceEntry Istio resources if they are present on this list of Istio types. Other Istio types are not yet supported.


.spec.kubernetes_config.cache_istio_types[*]

(string)

.spec.kubernetes_config.cache_namespaces

(array)

List of namespaces or regex defining namespaces to include in a cache.


.spec.kubernetes_config.cache_namespaces[*]

(string)

.spec.kubernetes_config.cache_token_namespace_duration

(integer)

This Kiali cache is a list of namespaces per user. This is typically a short-lived cache compared with the duration of the namespace cache defined by the cache_duration setting. This is specified in seconds.


.spec.kubernetes_config.excluded_workloads

(array)

List of controllers that won’t be used for Workload calculation. Kiali queries Deployment, ReplicaSet, ReplicationController, DeploymentConfig, StatefulSet, Job and CronJob controllers. Deployment and ReplicaSet will be always queried, but ReplicationController, DeploymentConfig, StatefulSet, Job and CronJobs can be skipped from Kiali workloads queries if they are present in this list.


.spec.kubernetes_config.excluded_workloads[*]

(string)

.spec.kubernetes_config.qps

(integer)

The QPS value of the Kubernetes client.


.spec.login_token

(object)

.spec.login_token.expiration_seconds

(integer)

A user’s login token expiration specified in seconds. This is applicable to token and header auth strategies only.


.spec.login_token.signing_key

(string)

The signing key used to generate tokens for user authentication. Because this is potentially sensitive, you have the option to store this value in a secret. If you store this signing key value in a secret, you must indicate what key in what secret by setting this value to a string in the form of secret:<secretName>:<secretKey>. If left as an empty string, a secret with a random signing key will be generated for you. The signing key must be 16, 24 or 32 byte long.


.spec.server

(object)

Configuration that controls some core components within the Kiali Server.


.spec.server.address

(string)

Where the Kiali server is bound. The console and API server are accessible on this host.


.spec.server.audit_log

(boolean)

When true, allows additional audit logging on write operations.


.spec.server.cors_allow_all

(boolean)

When true, allows the web console to send requests to other domains other than where the console came from. Typically used for development environments only.


.spec.server.gzip_enabled

(boolean)

When true, Kiali serves http requests with gzip enabled (if the browser supports it) when the requests are over 1400 bytes.


.spec.server.observability

(object)

Settings to enable observability into the Kiali server itself.


.spec.server.observability.metrics

(object)

Settings that control how Kiali itself emits its own metrics.


.spec.server.observability.metrics.enabled

(boolean)

When true, the metrics endpoint will be available for Prometheus to scrape.


.spec.server.observability.metrics.port

(integer)

The port that the server will bind to in order to receive metric requests. This is the port Prometheus will need to scrape when collecting metrics from Kiali.


.spec.server.observability.tracing

(object)

Settings that control how the Kiali server itself emits its own tracing data.


.spec.server.observability.tracing.collector_url

(string)

The URL used to determine where the Kiali server tracing data will be stored.


.spec.server.observability.tracing.enabled

(boolean)

When true, the Kiali server itself will product its own tracing data.


.spec.server.port

(integer)

The port that the server will bind to in order to receive console and API requests.


.spec.server.web_fqdn

(string)

Defines the public domain where Kiali is being served. This is the ‘domain’ part of the URL (usually it’s a fully-qualified domain name). For example, kiali.example.org. When empty, Kiali will try to guess this value from HTTP headers. On non-OpenShift clusters, you must populate this value if you want to enable cross-linking between Kiali instances in a multi-cluster setup.


.spec.server.web_history_mode

(string)

Define the history mode of kiali UI. Value must be one of: browser or hash.


.spec.server.web_port

(string)

Defines the ingress port where the connections come from. This is usually necessary when the application responds through a proxy/ingress, and it does not forward the correct headers (when this happens, Kiali cannot guess the port). When empty, Kiali will try to guess this value from HTTP headers.


.spec.server.web_root

(string)

Defines the context root path for the Kiali console and API endpoints and readiness probes. When providing a context root path that is not /, do not add a trailing slash (i.e. use /kiali not /kiali/). When empty, this will default to / on OpenShift and /kiali on other Kubernetes environments.


.spec.server.web_schema

(string)

Defines the public HTTP schema used to serve Kiali. Value must be one of: http or https. When empty, Kiali will try to guess this value from HTTP headers. On non-OpenShift clusters, you must populate this value if you want to enable cross-linking between Kiali instances in a multi-cluster setup.


.spec.version

(string)

The version of the Ansible playbook to execute in order to install that version of Kiali. It is rare you will want to set this - if you are thinking of setting this, know what you are doing first. The only supported value today is default.

If not specified, a default version of Kiali will be installed which will be the most recent release of Kiali. Refer to this file to see where these values are defined in the master branch, https://github.com/kiali/kiali-operator/tree/master/playbooks/default-supported-images.yml

This version setting affects the defaults of the deployment.image_name and deployment.image_version settings. See the comments for those settings below for additional details. But in short, this version setting will dictate which version of the Kiali image will be deployed by default. Note that if you explicitly set deployment.image_name and/or deployment.image_version you are responsible for ensuring those settings are compatible with this setting (i.e. the Kiali image must be compatible with the rest of the configuration and resources the operator will install).


.status

(object)

The processing status of this CR as reported by the Kiali operator.

Last modified December 19, 2022 : Auto-generated CRD schema documentation (80e4d747)