News

• 1: Release Notes
• 2: Security Bulletins
• 2.1: KIALI-SECURITY-003 - Installation into ad-hoc namespaces
• 2.2: KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy
• 2.3: KIALI-SECURITY-001 - Authentication bypass using forged credentials

1 - Release Notes

For additional information check our sprint demo videos and blogs.

1.83.0

Sprint Release: Apr 12, 2024

Features:

• n/a

Fixes:

• Namespace selector order is random
• The Istio config list page does not update when switching from a forbidden namespace to an accessible one
• token & OpenShift authentication not working
• automaxprocs removed from kiali
• Graph for Ambient ns is not generated correctly when the traffic is not generated throw a Gateway
• (e2e) Tests should check status code before attempting to unmarshal into json
• (molecule) flake in molecule test “os-console-links-test”

1.82.0

Sprint Release: Mar 22, 2024

Features:

• Multicluster - External controlplane support
• Multicluster - Token per cluster
• Tracing - Include a health_check_url for tracing external service
• Tracing - Update Tempo resource usage
• Auth - Enhancing Kiali OIDC process by supporting CSI secrets

Fixes:

• Kiali tracing URLs don’t work with Grafana 10+
• Warning in workload ‘istio-ingressgateway’ in non control-plane namespace
• Distributed Tracing menu item active when there is no public URL defined
• Graph - crash in DeadNode appender in multi mesh-setup

1.81.0

Sprint Release: Mar 01, 2024

Features:

• Kiali Server Helm Chart Support Custom NodePort

Fixes:

• envoy access log entry doc links are broken
• Istio config href is broken
• TLS information is not available
• AlertUtils Kiali messages are not shown in OSSMC
• Kiali operator does not preserve camel case on additional ingress labels
• The duration label is confusing in the Overview control plane charts
• Fix help text for graph Security Display option.
• (graph) ServiceEntry ExportTo is not handled correctly

1.80.0

Sprint Release: Feb 09, 2024

Features:

• Make support of “ExportTo” feature of Istio config configurable
• Use client-go’s service account token client refresh
• Kiali v1.73.x compatible with Istio 1.20 and GW API v1
• Upgrade Patternfly to version 5.2
• Add pprof endpoints for debugging perf issues

Fixes:

• Multicluster - delete traffic routing on “remote” cluster 404
• Switching namespaces does not work on Istio Config page
• Error fetching Istio deployment status of the remote control plane in the Primary remote deployment
• Validations: Missing KIA0005 in objects details page when wrongly exported
• PFT Graph not handling graph background clicks
• Close button on the Certificates information does not do anything

1.79.0

Sprint Release: Jan 19, 2024

Features:

• Tempo - Initial Support Complete
• Multicluster - provide links to external Kialis without requiring istio secrets
• Multicluster - Add documentation for configuring Kiali with primary-primary
• K8s GW API - Support of TCP/TLS/GRPC Routes
• K8s GW API - Support of ReferenceGrant
• Use the Prometheus /-/healthy endpoint for the default value for health_check_url
• Ambient - Workload graph reports the istio-waypoint proxies as “Out of Mesh”
• re-enable ARM builds
• Remove graph “Compress-On-Hide” Display option

Fixes:

• Bug after v1.72.0 release with oAuth2 strategy when DisableRBAC is true
• Potential runtime error in kube_cache.GetK8sGateways
• Prometheus retention config not resolved correctly when using defaults in prom
• Incorrect spacing and icon sizing in Graph Summary Panel
• Istio config bug
• kiali operator cannot determine kiali version when installing ossmc
• Tracing client must use the Kiali SA Token (Not the user token)
• Double istio rev in configmap name
• debug info shows incorrect log level
• Fix rank options in the graph
• Update axios HTTP client library
• Kiali render hostnames as individual service instead of serviceentry as whole
• Scrollbar in Workloads Logs view
• UI Error after deleting Istio Config
• Extra padding in long namespace names
• Graph: Link to App which does not exist

1.78.0

Sprint Release: Dec 08, 2023

Features:

• Update Patternfly library to version 5.1
• Add labels and annotations in wizards
• Multicluster - When istiod is unavailable portforwarding requests scale with namespaces
• Multicluster - Create an istio registry per primary
• Tempo Integration - Use select for query in Tempo 2.2
• Apply new eslint rules only to edited files
• (Kiali-operator Helm Chart) Mount /tmp instead of /tmp/ansible-operator/runner as emptyDir to enable read-only root filesystem
• Workload logs - improve appearance of checkboxes
• Set Secure Attribute on Session Cookie

Fixes:

• Info icon in yaml editor’s overview panel is not aligned properly
• patternfly graph not showing node decorators
• Kiali UI not showing API Docs
• (Multicluster) Not all reviews workloads are visible in Kiali
• Integration tests - Kiali 1.73 is not compatible with Istio 1.20
• Istio 1.20 incompatibility
• Jaeger traces: Filter by percentile no returning any trace
• tracing UI - hover over trace dots “flickers” the heat map
• Health icon in Application summary panel graph looks weird
• panic when observability section does not configure the tracing endpoint correctly
• Show kiali own traces
• Disalignment in API Documentation info for Workloads and Services
• Link to trace does not always open trace details

Deprecations:

• Kiali is deprecating use of the Jaeger exporter for Kiali’s own traces. Kiali will move to supporting only the OTel exporter.

1.77.0

Sprint Release: Nov 17, 2023

Features:

• Tempo - Wrong Distributed Tracing link for nav menu
• Tempo - Span query returning emptly results
• PF5 - Upgrade to patternfly 5
• PF5 - Move table deprecated component
• OSSMC - add version fields to operator CSV metadata for display in OS Console UI

Fixes:

• helm-charts smoke test GH action fails to start
• Traces are duplicated across both clusters
• getNamespaceMetrics includes cluster in query params
• (operator) only process one OSSMConsole CR
• ossmc package.json did not get updated version during last build
• empty tree entry in kiali.io installation menu and goes to incorrect place
• Repeatedly refreshing causes the UI to crash
• Extra space between left nav and top nav
• Multicluster - Missing cluster param in Show traces
• Trace link in Graph - Trace is not loaded when clicked
• (run-kiali) Error fetching availability of the tracing service
• Error deploying istio 1.20 with hack script in OpenShift

1.76.0

Sprint Release: Oct 27, 2023

Features:

• Update go version 1.20.10
• Tempo - Update the main external link to distributed tracing
• Tempo - Update documentation
• Tempo - Update Trace data on hover
• Add cluster_name support for run-kiali.sh hack script
• Istio warning/error status for situations where eastwestgateway is not healthy.
• istio hack script: cluster name should not be set to empty string
• OSSMC - build and release ossmc plugin at end of sprint
• OSSMC - Add scrollbar environment variable
• PF5 - Move deprecated component Dropdown

Fixes:

• Kiali Crashing in sidecar validation (without a sidecar)
• (CI) Test flake - workload logs
• Unable to reach API Server ‘istio APIs and resources are not present in cluster (Kubernetes)’
• Multi mesh setup results in an error when fetching workloads
• Double istio rev in configmap name
• Selecting a trace in the Graph does not mark the edges when using Tempo
• Service of a remote app/workload is not reported in the detail view
• Tempo - Incomplete span data
• Invalid AuthorizationPolicy generated from Overview page
• Envoy is duplicated across both clusters
• Traffic tab in Apps details is duplicated for both clusters
• (ci) need to fix CI script for running molecule tests on openshift
• Gateway badge is not being applied to gateways in the graph
• Inbound Metrics tab for the Service detail is duplicated for services in different clusters
• setup-kind-ci.sh script fails if it is not executed from root folder

1.75.0

Sprint Release: Oct 06, 2023

Features:

• GW API Multiple implementations
• Support K8s native sidecars
• PF5 Move deprecated Select
• Tempo tempo reading traces
• Tempo Rename to Tracing instead of Jaeger when applicable
• Tempo Update hack script to support OpenShift
• Focus selector support in PF graph
• Include Ambient annotations as configuration settings
• FAQ on how to get Kiali and Istio versions

Fixes:

• Remote cluster istio-system namespace card show data from primary control plane
• “Cannot load the graph: json: cannot unmarshal object into Go value of type ()*kubernetes.RegistryEndpoint”
• Multicluster - Traffic routings created via Graph page are always located in the local cluster
• Breadcrumb click on Istio Type filter - Filter type is reset
• Grafana, Ingress, Egress pods not running in Openshift after installing istio via istioctl
• K8sGateway Validations - Inconsistency in lists
• Little disalignments in Kiali UI
• Wrong cluster when double tapping on a service/application in node graph
• molecule tests are broken due to upstream galaxy changes
• Annotation wizard behaviour is not correct when user add/deletes some annotations

1.74.0

Sprint Release: Sep 15, 2023

Features:

• Added support of multiple Gateway API classes
• Ensure Tempo works using jaeger-query
• Update Releasing doc
• Adjust PFT graph-tour
• document minimum helm version
• Make Kiali compatible with OSSMC
• Minimal upgrade to PF5

Fixes:

• Duplicate test ID related to Overview page in Multicluster mode
• PFGraph throws console error when hovering an application label
• Graph not showing traffic from portals to travels in west cluster
• IstioType in istioconfigList is propagated to other views
• kiali pod stay in Error status after node shutdown
• Graph side-panel has multi-cluster issues
• (make) work around opm render bug when building for OLM
• Double tap on a node redirects to wrong cluster
• UI issues in Graph replay for OSSMC
• Sorting by cluster does not work in the list view located in the Overview page

1.73.0

Sprint Release: Aug 25, 2023

Features:

• Tutorial for Multicluster
• Support for dark mode
• Ambient for Istio 1.19, experimental support
• Fixed help icon in Envoy tab
• Update Releasing doc
• OSSMC: update user guide/install guide for 0.4.0

Fixes:

• Incorrect save commit may be triggered while editing yaml
• Data race when accessing IsGatewayAPI
• Kiali Istio Config page – KIA0104 validation (failed)
• Traffic tab - ‘View metrics’ link broken
• Wrong cluster badge shown in the page for reviews app detail when accessing it from a graph
• Multicluster - Namespace Validations in Graph
• operator installed via OLM cannot set kiali server pod securityContext.readOnlyRootFilesystem to false
• Kiali fails on OCP cluster

1.72.0

Sprint Release: Aug 04, 2023

Features:

• Remove option to disable kube caching
• Multi-cluster view for Istio config wizards
• Multi-cluster - hack scripts work with kind
• K8s Gateway API - improve graph support
• create Istio configs for services in Ambient Namespace

Fixes:

• Multi-cluster Some pages are broken when meshID is not set
• Unwanted “fit” on refresh
• Helm Chart 1.66.1 is missing
• Multicluster - unbound variable in kiali-deploy
• App health - Inconsistency in Overview page
• Kiali pod fails to start because of “failed to list *v1beta1.Gateway: gateways.gateway.networking.k8s.io is forbidden”
• openshift auth logout not behaving
• Traces tab - 500 errors
• Service Traffic Wizard - Autogenerated Gateways shown
• (hack) run-kiali.sh not working with OpenShift
• Slider CSS affects Openshift console look and feel (OSSMC plugin)
• Add global typestyle to OSSMC top HTML element
• Convert all custom static CSS to typestyle

1.71.0

Sprint Release: Jul 14, 2023

Features:

• Multicluster - Config validation from remote cluster
• Add documentation for ‘Kiali Internal Metrics’ dashboard
• Operator - speed up the setting up of configuration
• Align Patternfly version with Openshift 4.13
• Auto-enable find/hide filters via Kiali CR
• Add edit actions in contextual menu for remote clusters
• Get rid of the experimental warning in the Mesh section

Fixes:

• Graph IdleNodes option is broken
• Grafana link is not available in Kiali
• Cluster and ClusterName params in the same API url
• kiali_feature_flags.clustering.autodetect_secrets.label default is incorrect
• Incorrect ServiceAccount used for Multi-cluster when using OpenID without RBAC

1.70.0

Sprint Release: Jun 23, 2023

Features:

• Update Kiali to build with Go 1.20
• Use ExecPlugin for remote cluster secret
• Multicluster - add kiali.io docs
• Blog post for Multicluster
• Video demo for multi cluster
• Multicluster - Edit Istio Configs in remote clusters
• show more control plane info in OverView page
• Verify Kiali using Istio 1.18 Ambient alpha
• Upgrade Typescript version

Fixes:

• Using LISTENER_FILTER within an EnvoyFilter leads to a cache error
• K8Gateway object not visible in the Istio Config List.
• Wrong IstioObject field types
• Create ServiceEntry - Required Ports - Empty Accepted
• Service details of ServiceEntry fails
• kiali.io Architecture is outdated - direct istio dependency

1.69.0

Sprint Release: Jun 02, 2023

Features:

• Multicluster - details Views
• Multicluster - Remove warning “Not all remote clusters have reachable Kiali instances”
• Multicluster - Overview page istio status
• Multicluster - Add contextual menu in the nodes for the remote cluster
• Multicluster - Add cluster column in traffic details tab
• Graph - Improve graph node labels - remove parentheses
• Operator - Add new server configuration for ClusterName

Fixes:

• UI - Styling in the Overview page in the UI for cards with long namespace names pushes out kebab menu into adjacent card
• Multicluster Workload list - Wrong details column content
• edge colors get “stuck” as yellow / red after service health recovers
• Workload List gets Validations from backend but do not use them
• Multicluster Graph page - Validations error in logs
• Typo in accessibleNamespaces field of server config get API
• Multicluster support Namespace Validations
• Failed to update kiali-server helm chart value view_only_mode in standalone Kiali installation
• Multicluster - Propagate Cluster param in graph nodes
• need to document the auth.openshift settings
• support openshift route over non-standard port
• Graph - hiding an entire namespace or cluster keeps the namespace/boxes
• After navigating to the Service graph, all other graphs are displayed with injectServiceNodes=false
• Multicluster - Add sort by Cluster column
• Multi-cluster graph - error when user lacks access to remote cluster

1.68.0

Sprint Release: May 12, 2023

Features:

• Kiali initial Istio Ambient support
• Multi-cluster List Views
• Multi-cluster view for overview page
• Multi-cluster list view - Istio Config
• Multi-cluster Update the namespace health service
• Multi-cluster Services details view
• Multi-cluster Workloads details view
• Multi-cluster Istio config details view
• Multi-cluster Health calculation for workload/app/svc
• Multi-cluster Applications details view
• Operator Remove ansible loops for better performance
• Update log level getting istio-cni-config configmap
• Cluster badges in details pages should be only visible in Multi cluster
• Cypress test coverage for #5718
• Cypress Add validation references to K8S Gateways validations

Fixes:

• Multi-cluster - Istio Configs duplicated
• Client generating 503 metric requests for some node graphs
• no_istiod_test integration test is not working in ocp
• Operator Support ingress override_yaml to set OpenShift Route spec.host
• Crash in graph appender due to excluded namespace
• Improve Grafana integration documentation
• Cache tries to list cluster scoped resource but it is namespace scoped
• hardcoded label name

1.67.0

Sprint Release: Apr 21, 2023

Features:

• Support for Istio’s discoverySelectors
• Updated documentatation for Namespace Management (discovery selectors, cluster-wide-access, accessible namespaces_ and namespace watching
• (operator) use “include_tasks:”, not the deprecated “include:”
• Multi-cluster - way to create roles/SA in remote clusters
• Multi-cluster - Home cluster name should match Istio cluster name
• Multi-cluster - Combine duplicated namespaces in dropdown selector
• Multi-cluster - list view - Services
• Multi-cluster - list view - Applications

Fixes:

• List page toggles to help with performance issues with the Kiali UI
• Missing horizontal scrollbar when seeing logs
• validation error (KIA0202) for auto generated destination rule
• Perf regression when fetching workloads
• validation error (KIA0401) when AutoMtls is enabled in istio MeshConfig
• CRD does not validate correctly
• Error fetching app health when a namespace only exist in the remote clusters

Notes:

• There have been changes to Namespace Management. The changes are backward compatible but it is recommended to understand the changes regarding Discovery Selector support, cluster-wide access, and accessible-namespaces. For more see here.

Deprecations:

• The following settings are deprecated and may be removed in a future release:
  • api.namespaces.exclude
  • api.namespaces.include
  • api.namespaces.label_selector_exclude
  • api.namespaces.label_selector_include

It is recommended to instead use Istio Discovery Selectors to limit the namespaces in the mesh.

1.66.1

Sprint Release: Mar 31, 2023

Features:

• make - run-operator should enable the profiler
• No install-crd reference on README
• Multicluster - list view - Workloads
• Multicluster - Services view
• Multicluster - Hack script for setup a primary-remote scenario
• Multicluster - Update each business layer to read from each configured backend kube cluster
• Multicluster - Kiali supports reading from/writing to multiple clusters
• Multicluster - Update the namespace cache which caches the user token per namespace
• Multicluster - distributed errors demo for testing
• Multicluster - Modify the Kube Cache to allow whether to cache Istio types
• core-ui - Need the configuration and endpoints
• core-ui - Remove IstioConfigList elements and pull them from library

Fixes:

• Error fetching Istiod resource thresholds on Web UI
• make - Error to create operator pull secret
• Missing scraping parameters in kiali-operator helm chart
• ansible option we use in operator code is being renamed
• CORS issue with library API
• fix flaky test failure

Notes:

• To avoid a known performance degradation, update to v1.66.1 (or later) from v1.66.0.

Deprecations:

• Given that the Kiali cache is now mandatory and that there have been several changes to the cache implementation, the .spec.kubernetes_config.cache_* settings have all deprecated and will be removed from the CRD. It is recommended to remove these settings from your CR, if defined.

1.65.0

Sprint Release: Mar 10, 2023

Features:

• K8sGateway Object Validation - Add References
• Improve KIA0301 (more than one gateway warning) to treat a single * as not a warning
• document how to upgrade Go in the Kiali builds
• Error page could be more than just a text message
• log the version of go that was used to build the server

Fixes:

• remove monitoringdashboard CRD (when supporting kiali >= 1.25)
• bad printf - missing param
• Istio 1.17.0 image is not available in gcr.io
• Istio Config doesn’t show correct yaml for Sidecar OutboundTrafficPolicy.Mode
• Application crash when accessing service from K8s Gateway
• envoy listeners tab - match column shows does not show correct dest port when destination_port is specified
• navigating from envoy listeners tab to a named route incorrectly highlights the clusters tab
• Don’t let the graph generation panic on bad telemetry

1.64.0

Sprint Release: Feb 17, 2023

Features:

• Mesh wide settings should take the MeshConfig defaults
• Don’t use the anonymous account to fetch cluster version (OpenShift authentication)
• Editable Istio config annotations for workloads and services
• Configure Kiali timeouts while fetching traces from jaeger
• Build Kiali with a newer minor version of Golang
• K8s GW API Support - v1alpha2 is deprecated
• document for contributors in operator and helm chart repos
• Consistent way to resolve Kiali version from Istio version
• reponse type id_token check in Open ID authentication is no longer needed
• Pod labels for Kiali Operator Helm Chart

Fixes:

• (Cypress) Improve test coverage for Istio Config Wizards
• Format frontend code with prettier standards
• remove implicit flow from documentation
• Remove @webcomponents/custom-elements from package.json since Firefox ESR supports it natively
• remove compat matrix/version checking
• Rework RBAC documentation
• Form to add port should start empty
• No istiod: Disable validations also in the Overview page
• Investigate possible flaky test in Cypress suite
• Graphs loading very slowly
• Remove “Labels” in Create K8s Gateway Wizard
• Prettier pre-commit hook is not working correctly
• Wrong engine node version in package.json
• Internal server error when creating a Gateway with a duplicate name in the Istio Config Wizard
• Read-only YAML editor in Istio Config even with write privileges
• Duplicate IDs for the text inputs + high port value breaks the UI (Istio Config wizard page)

1.63.2

Sprint Release: Feb 02, 2023

Features:

• Validations for Gateway API objects
• Kiali without Istio API using istio_api_enabled=false
• Gateway API Objects - Include in wizards
• upgrade operator base image to 4.12
• References for k8s httpRoute
• References for K8s Gateways
• Add dates in chart tooltips
• (CI) Gateway API in CI
• (CI) Gateway API Integration tests.
• (cypress) Gateway API in Cypress tests.
• Multicluster - Hack script to setup local multicluster with OIDC
• Multicluster - cluster configuration

Fixes:

• Kiali view-only mode allows changing proxy log-level
• Workload auto-injection of proxy should ensure label and annotation settings don’t conflict
• Upgrade error on role switch for view-only
• hide “enable injection” menu option in Overview page when in OSSM
• KIA0106 false positive with wildcard
• IRC link on kiali.io is not working
• Service with K8s Gateway - Inconsistency between views

Notes:

• Helm 3.10 is now required to run the Helm Charts.
• To avoid a known performance degradation, update to v1.63.2 (or later) from earlier revisions of v1.63.

Deprecations:

• The deprecated support for OpenID’s implicit flow has now been removed. If necessary, you must switch to using the more secure authorization code flow.

1.62.1

Sprint Release: Feb 02, 2023

Features:

• Test the new native stats runtime by setting TELEMETRY_USE_NATIVE_STATS to “true” in istiod
• Kiali CR definition to allow the use of appProtocol in the service configuration
• Show Kiali configuration in the application

Fixes:

• Kiali may prevent istiod from becoming ready on initial startup of istiod pod
• Kiali errors out loading workload graph in ‘default’ namespace

Notes:

• To avoid a known performance degradation, update to v1.62.1 (or later) from v1.62.0.

Deprecations:

• The experimental support for multicluster deployment models is now deprecated and may be removed in a future release. New multicluster features are currently being developed within the Kiali community as a replacement.

1.61.0

Sprint Release: Dec 16

Features:

• Kiali SA should use view-only role unless using anonymous strategy
• openshift auth timeout customizations

Fixes:

• Kiali distroless version breaks external https calls
• Redirect Loop on OpenID Connect Failures
• Update GH pipelines removing deprecated warnings

1.60.0

Sprint Release: Nov 25

Features:

• Add Kiali validations on Istio Detail pages
• Bump go version to 1.18
• Indicate the status of a canary upgrade in the control plane card
• Kiali traffic wizard
• Control Plane Card - Min TLS Improvement
• document how to specify digest images in the Kiali CR and helm chart

Fixes:

• (CI) Test Flake - TestCreateSessionNoChunks
• Min TLS Version - React Warning
• (kiali.io) Aditional CI issues
• Kiali heatmap tooltips are too compute-heavy

Deprecations:

• Support for OpenID’s implicit flow is deprecated and will be removed soon. Please, switch to using the authorization code flow which is more secure.

Known Issues:

With the move to a distroless container in v1.59, root CA certificates went missing. This affects the Kiali integration with OpenID. The problem will be fixed in the next release (v1.61). The workaround is to use one of the “-distro” image tags found on the Quay.io repo by specifying it in the deployment.image_version setting of the Kiali CR or server helm chart value. If using the operator, in order to be able to set the deployment.image_version within the Kiali CR, you must enable the allowAdHocKialiImage setting when installing the operator.

1.59.0

Sprint Release: Nov 4, 2022

Features:

• Validate that Kiali installs as an add-on for Ambient
• Migrate the control plane related information from the masthead to the control plane card
• switch the published images to be distroless
• Add TLS min version to the Control Plane card in the Overview Page
• Helm charts installation doesn’t work on Apple M1
• mount secret data from files, not environment variables
• Filter “istio” GatewayClassName Gateway API gateways

Fixes:

• Config Create Wizard - Preview shows old state
• (Cypress) Fix kiali login test on openshift
• Kiali dashboard freezes when checking traces information

1.58.0

Sprint Release: Oct 14, 2022

Features:

• openid strategy should not show login page: where are kiali’s autologin options?
• Add Kiali validation on Istio Config list
• Can we exclude the some accessible namespaces in kiali CR with some labelSelector?
• Add Argocd Rollout as workload type to Kiali.
• Badging gateway api gateways correctly on the graph

Fixes:

• “KIA0203 This subset’s labels are not found in any matching host” For Argo Rollout canary scenario
• Links to ServiceMesh tabs should propagate interval and refresh parameters
• Duration in Overview tab from details pages not refreshing
• (CI) Test flake - Kiali Graph page - Find/Hide
• Control Plane Card icon overlapping
• (CI) Test flake - Service Details Traces - Spans
• Jaeger - namespace_selector not working for services in istio-system
• (Cypress) login using default authentication method does not work

1.57.0

Sprint Release: Sep 23

Features:

• Optimize the Kiali Cache design under cluster rights presence
• Reorganize the Overview page to better show data plane vs control plane status
• Plugin time interval+refresh controls on detail pages
• Initial Release of OSSMC
• Relax “missing label” wording in tooltips
• missing version and commit info in log output
• make container securityContext configurable
• Move Kiali<->Istio version checks to the “About” dialog
• Added K8s Gateway API objects to Istio Config list page
• Enable github pipeline to run integration tests with token auth enabled

Fixes:

• Revisit “round timeseries on client-side with significant decimals”
• (CI) Test flake - Service details page
• (hack) setup kind in ci finalising with error
• (CI) Test flake - workload details
• (CI) Test Flake - TestConcurrentClientExpiration
• (CI) Test flake - The degraded status of a service is reported in the list of service
• (CI) Test flake - Sidebar toggle
• Upgrade operator base image to 4.11
• Change istioctl install hack script to default to single cluster settings

Upgrade Notes:

The improved control plane card on the Overview page makes use of previously unused metrics. If these metrics have been removed from your environment you will need to add them back for the feature to work. As a result,

If these metrics have been removed from your environment you will need to add them back for the feature to work. As a result, we have updated our recommended Prometheus metric thinning configuration. See kiali.io for the updated configuration. The metrics used are not typically very heavy and adding them back should likely not be an issue.

See this FAQ entry for a list of all metrics required by Kiali.

1.56.0

Sprint Release: Sep 2

Features:

• Support single cluster traces view when using Jaeger with multi-cluster storage backend
• add capabilities-drop explicitly to deployment
• Support Telemetry and WasmPlugin Istio objects
• Plugin service actions on details pages

Fixes:

• k8s api token not auto refreshing (aws eks warning)

1.55.0

Sprint Release: August 12, 2022

Features:

• (scalability) How to thin metrics to those required only by Kiali
• Launch Kiali wizard scenarios from graph nodes
• Milliseconds precision for sorting log entries in the Logs tab
• Istio Workload Config Validation Optimization
• Customizable links in Kiosk mode
• Relax host validations on presence of ALLOW_ANY vs REGISTRY_ONLY

Fixes:

• Overlay trace onclick event doesn’t work in the metrics charts
• Terminated in Another Window color doesn’t look like the PF warning title color
• Adjust the “View in Grafana” link in metrics tab
• Sidecar with no workloadSelector in two separate namespaces are marked as conflicting…
• trace details heatmap vertical labels are truncated
• Adjust the “View in Tracing” links to the same row
• Skip workloads when summarizing config validations in Overview page and in Graph
• logs tab page has wrong container when navigating from trace tab
• More than one Gateway, but cannot find duplicate

1.54.0

Sprint Release: July 22, 2022

Features:

• Update istio.io/client-go to Istio 1.14
• Revisit DestinationRule no labels warning
• Outdated Kiali validations
• Review validations documentation on Kiali.io
• Combine destination/source reporters in metric tab
• Adjust mouse pointer on areas that user can navigate/jump to
• remove perms no longer needed
• (helm) be able to specify custom annotations on the Kiali CR

Fixes:

• Misaligned dropdown when invalid operand is typed
• (helm) when operator helm chart optionally creates CR, it puts the annotation in the wrong spot

1.53.0

Sprint Release: July 1st, 2022

Features:

• Add cypress UI tests around the Service Details page
• Add outboundTrafficPolicy value to overview istio-system card
• Create a UI suite test on cypress
• UI tests around the Workloads Details page.
• Add Kiali validations on the Istio Config Details sidepanel
• Not found messages may have a better message in the body page
• Reproducible performance testing environment
• Envoy tab: add tooltips with the Envoy terminology
• Update the information about mTLS data in details pages
• Document ability to set default Kiali CR image_name in operator from helm charts
• Release pipeline for the plugin
• Remove invalid durations based on prometheus scrape interval
• fix doc link 404

Fixes:

• 404 external link in kiali.io
• Failing to Display Larger Number of Log Lines
• Fix UI Actions regressions
• (CI) Test Flake - Cypress sidecar injection
• (e2e) Flaky test fix TestAuthPolicyPrincipalsError
• Keep Envoy tab after refresh
• DR details open fails in some cases

1.52.0

Sprint Release: June 10th, 2022

Features:

• Update beta interfaces for CronJob workloads
• Adjust font style in charts options
• “This subset’s labels are not found in any matching host” - DestinationRule and ServiceEntry
• Upgrade the Patternfly framework
• Review conditional rendering in the kiosk mode
• Add more mechanisms to provide OpenShift tokens to Kiali
• Improve the upstream pipelines
• UI tests around the Graph page Find/Hide
• Kiali and Istio validation messages should be placed together

Fixes:

• Update font color on green/red labels for trace details
• Toolbar icons misaligned
• Adjust Istio/Kiali version warnings
• (e2e) TestAuthPolicyPrincipalsError test flaking
• Envoy filter broken
• (cypress) Sidecar injection tests sometimes fail
• Fix find/hide toolbar alignment issues
• Fix “info” icons in the yaml config editor
• Multiple condition values under builder are displayed without comma to separate multiple values
• operator aborts if cluster does not support default HPA version
• Validations missing for few keys of authorization policy conditions

1.51.0

Sprint Release: May 20th, 2022

Features:

• add cypress tests for graph replay
• Migrate e2e test suite to Golang
• (cypress) UI tests around the Graph page Toolbars (otherwise not covered)
• validation: authorization policy validation, principals not found
• Make the Istio Config details poll explicit
• Add cypress UI tests around the Workload List page
• operator release pipeline needs to update createdAt field in CSVs
• add creation of olm metadata to the new github release workflow
• Investigate update of Patternfly to be compatible with OS Console
• Investigate testing demos scripts on upstream + OpenShift platform
• Schedule release pipelines
• Update to use new HPA v2

Fixes:

1.50.0

Sprint Release: April 29th, 2022

Features:

• Add cypress UI tests around the Graph page Display menu
• Add cypress UI tests around the Services List page
• Improve Kiali server release pipeline using Github Actions
• Improve Kiali operator release pipeline using Github Actions
• Improve Helm charts release pipeline using Github Actions
• Improve Kiali site release pipeline using Github Actions

Fixes:

• Remove Snyk and consolidate on GitHub Dependabot
• Update operator’s Ansible base image
• Quite some logging
• Clean expired clients
• Minor Demo and Tutorial enhancements
• Fix to Destination Rule validation (.svc)
• Fix to Virtual Service YAML display

1.49.0

Sprint Release: April 8th, 2022

Features:

• Auth: Phase out usage of JWTs
• Kiali UI and Kiali Server can point to a single commit
• Add cypress UI tests around the Overview page
• Update Prometheus client lib
• Transfer frontend repo into kiali repo
• Hack script to create a Kind cluster in CI
• Feature flag to disable log browser
• Support Gateways workloads in user namespaces
• add the ability to add annotations to configmap.yaml

Fixes:

• ui crash with no gateways
• UI messages at INFO level look just like ERROR level messages
• fatal error: concurrent map writes

1.48.0

Sprint Release: March 18th, 2022

Features:

• Research a new Graph layout to support large topologies
• Improve the side panel in the Istio Config editor
• Reduce the number of requests to fetch health data on list pages
• Improve the representation of edges and connections in large topologies
• Add help messages for DestinationRules
• Add help messages for RequestAuthentications
• Add help messages for Gateways
• Add help messages for AuthorizationPolicies
• Add help messages for WorkloadGroups
• Add help messages for WorkloadEntries
• Add help messages for Sidecars
• Add help messages for ServiceEntries
• Add help messages for EnvoyFilters
• Reduce the number of requests to fetch health data on detail pages
• Research workload/service label filters on Graph
• Add help messages for VirtualServices
• Ensure all validations has object references
• Base side panel redesign for Istio config objects
• Improve crossnamespace Istio Gateways query in ServiceDetailsPage
• Envoy metrics look broken
• Develop a mock backend server for local UI work in scalability scenarios
• feat(multitenancy): support additional metric label for prometheus

Fixes:

• Sidecar Validations - Workloads should be from local namespace
• Gateway details warning - Missing validation reference
• Kiali graph is not working with disabled Istio’s /debug endpoints
• Mismatched Node Graph Type breaks UI in Application
• Misconfigured istiod_deployment_name causes a panic
• Namespace with External Registry Service only - UI Error Loading services
• Service List - Missing Configuration status
• “Could not fetch services list” Error
• KIA0003 for multiple Request Authentication
• Duration dropdown showing invalid durations
• Kiali shows KIA0701 for istio-system debug ports - but should not
• Istio Config List - Configuration icon load inconsistency
• cannot use a custom secret for Kiali identity
• Improve protection against graph numbers that are actually string variables
• Fix time selection issue in replay custom startTime picker

1.47.0

Sprint Release: February 25th, 2022

Features:

• Allow dynamic markers on editor according to Istio config object
• Introduce “preview” mode in Istio Config actions
• Add Istio Config Preview under wizard actions under istio config page
• Refactor Kiali Validations to better use the Istio registry information
• Refactor Kiali Validations according to Istio Registry usage model for listing Configs and Services
• Add Istio Config Preview under wizard actions under service details page
• Add graph generator for creating mock graph data

Fixes:

• (operator) CSV should define skipRange
• namespace excludes default regexes should only filter out namespaces that “starts-with” the patterns.
• Fix “xxx is not found as xxx” issue

1.46.0

Sprint Release: February 4th, 2022

Features:

• Add prerequisites in quick-start kiali.io to try kiali
• Create and sync namespace caches on startup
• publish the auto-generated docs for the kiali cr
• Instrument Kiali server with Jaeger
• Deprecate Iter8 extension in favor of a new model
• Validations: Support exportTo field

Fixes:

• Gateway Validation References - Contains self reference
• invalid link in kiali.io doc page istio.md
• Graph hide can hang browser when zoomed out enough to hide labels
• auth is broken according to molecule tests
• Trend lines feature broken in master

1.45.0

Sprint Release: January 14th, 2022

Features:

• Hide graph labels that are too small to read
• Add preview mode in overview page
• Graph: Correctly badge service nodes with the VS/Route icon
• (graph) Enable namespace and cluster boxing by default
• tests should use latest minikube and dex to keep up to date
• Support exportTo validation in ServicesEntries
• (operator) update operator to base image 1.10.1 (4.9)

Fixes:

• Jaeger http legacy protocol has problems in master
• Adjust font style in trace details comparison map
• fast click Idle Nodes (or other graph display options) can break UI
• Missing “KIA1106 More than one Virtual Service for same host” for cross-namespace cases
• Minigraph navigation broken
• “KIA1102 VirtualService is pointing to a non-existent gateway” shown only once.
• Wrong KIA1106 “More than one Virtual Service for same host”
• Number of regex.Compile() calls in multi_match_checker scales quadratically with hosts checked
• “Could not fetch services list” Error in Service view when selecting some namespaces
• Molecule “api-test” failure in graph generation on ossm 2.1
• Validations and TLS Endpoints Very Slow
• Reconciliation may fail when removing a namespace from a cluster immediately after removing it from spec.deployment.accessible_namespaces
• k8s service appProtocol is no reflected in config checks

1.44.0

Sprint Release: December 3rd, 2021

Features:

• Correct graph edge for Pod to Pod communication using destination_workload
• Make istiod ports configurable in kiali
• Support rootNamespace: administrative namespace for istio config
• Support rootNamespace in Peer Authentication validations
• Support rootNamespace in Sidecar validations
• access ingress_enabled for now to support older CRs
• Include an explanation about the lack of health information for TCP services (like a database)
• (operator) implement best practice guidelines to support multi-tenant installations
• Upgrade kubernetes/client-go version and update beta interfaces for workloads

Fixes:

• KIA1105: Virtual service routes may not point to any subset
• Possible memory leak in /api/istio/status endpoint
• Documentation doesn’t show how to configure Kiali

1.43.0

Sprint Release: November 12nd, 2021

Features:

• Allow Kiali Graphs to show EgressGateway traffic to ServiceEntry
• (Feature Request) Support mounting existing secret into Kiali Pod
• Calculate graph importance score
• Validations - Ensure ServiceEntry has WorkloadEntry addresses
• Support getting the root namespace from Istio configuration
• ingress created by Kiali CR does not include ingress class - need new deployment.ingress setting

Please note this introduces a backward-incompatible change. Users with the prior ingress settings defined in their Kiali CR will need to make an update. Other users are not affected. The previous ingress settings were:

deployment:
  ingress_enabled: <true|false>
  override_ingress_yaml:
    ...the override yaml here...

This has been changed to the following:

deployment:
  ingress:
    enabled: <true|false>
    override_yaml:
      ...the override yaml here...

• Update kiali.io docs to Kiali 1.36+
• Google OIDC allowed domains
• Include ServiceAccount info across console
• Add information about Istio overhead

Fixes:

• Workload Entry graph nodes display only “latest” version
• Kiali Documentation link from Master Head seems broken
• Crash in onCopy button in Envoy tab editors
• “More than one Gateway for the same host port combination” even with different ports
• Workload pod proxy logs shows details for Envoy app logging

1.42.0

Sprint Release: October 22nd, 2021

Features:

• Migrate to Docsy for kiali.io theme
• Add strong type mapping in Istio Kiali model
• Show mirroring info or badge on the graph
• Add a “Trendlines” option in the metrics tab
• Show gateway in istio config
• Add Sidecars on “Create Traffic Policies” namespace action
• Ability to pass custom headers to httputil.Post
• Add hostAliases field to kiali deployment manifests
• Kiali Istio dashboards incompatible with thanos-query

Fixes:

• URL parameters not persisted in inbound/outbound metric tabs
• Include Mesh Gateway in Create Traffic Routing - causes failure
• Potential Memory Leak in UI AuthenticationController
• More Sidecars on Configuration
• “missing span root” in graph side panel

1.41.0

Sprint Release: October 1st, 2021

Features:

• Add help for Graph shortcuts
• Add custom label aggregation in metrics tab
• Kiali Operator - Add ability to specify image SHA in Kiali CRs
• Improve discovery matcher process for Custom Dashboards
• Add SRE style metrics in the Overview namespace chart
• Be able to set the logging level for istio and envoy logs from Kiali UI
• Custom HTTP headers when connecting to Prometheus
• Display Envoy tab for workloads running Istio Proxy without Sidecar

Fixes:

• Workload page displays an error when accessing VirtualMachineInstance resource
• WorkloadEntry workload graph nodes have broken link
• Mesh internal ServiceEntry should be grouped in app box with workloads
• Error loading Graph - Namespace (kube-state-metrics) is excluded for Kiali
• Workloads flap between OK and Not Ready w/ Argo Rollout CR
• Unable to edit IstioConfig
• Kiali loading icon seems broken
• seg fault in IsMaistra status (found in Kiali v1.40.0)
• ansible option we use in operator code is being renamed

1.40.0

Sprint Release: September 10th, 2021

Features:

• Support exportTo validation in VirtualServices
• Add graph Factory Reset button
• Add help tooltip in the metrics tab
• Add info/tooltip on virtual service that doesn’t have a gateways section
• Support the new istio injection label
• Add indication if certificates are managed by Citadel or external tool
• Distinguish between VM based workloads and pod based workloads on the graph
• Identify and label WorkloadEntry graph nodes
• ci-kind-molecule-tests.sh should support installing OLM and testing with OLM-installed operator
• Docs and scripts regarding secrets and service accounts might need to be updated

Fixes:

• (validations) Don’t show KIA0203 when there are no VS referencing the DR subset
• Kiali Operator: Pods attempt to use auth secret when external service disabled
• Not able to build Molecule image
• Metrics charts can be too thin
• Some graph settings do not have query parms - can’t bookmark pages
• Workload’s page Actions dropdown is clickable in view_only_mode
• CRUD Permissions on events
• Kiali Login error when Prometheus fails to start

1.39.0

Sprint Release: August 20th, 2021

Features:

• generate metrics for validators
• (molecule) run molecule tests using a KinD cluster
• Remote cluster functionality should be configurable
• Update Kiali UI to latest Node.js LTS version
• Add a Molecule test to verify Grafana integration
• (operator) perform true “can_i” check to confirm the operator has correct permissions

Fixes:

• grafana-test fails - cannot look up grafana url successfully
• route created by operator doesn’t seem right
• Jaeger traces & spans fetching error

1.38

1.38.1

Mid-Sprint Release: August 6th, 2021

Fixes:

• Issues with clustering discovery
• Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali)
• Jaeger traces & spans fetching error
• helm-charts and istio addons doesn’t have default grafana in_cluster_url defined

1.38.0

Sprint Release: July 30th, 2021

Features:

• New badge/visualization for hostnames in Graph
• Enhanced logs viewing and correlation
• bump operator to newer minor-release of base image
• Add validation for “exportTo” fields of VirtualService, ServiceEntry
• Feature Request: Disable certain validations
• Display traffic scenario badges when present
• gRPC Streaming traffic
• Consider using tcp_received telemetry for graph generation
• community OLM metadata moving to new repos
• trivial case change to disconnected annotation value in operator metadata
• document the new dashboard annotations
• clean up upstream istio kiali addon install doc
• Display custom dashboards with more than two rows of graphs inside the card
• test custom dashboard overrides
• Use annotations to personalize CustomDashboards

Fixes:

• Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali)
• Issues with clustering discovery
• (operator) Playbook “create additional kiali labels…” fails due to unquoted string in label
• grafana links missing
• ERR GetAppTraces, Jaeger GRPC client error: rpc error: code = Unavailable desc = connection closed
• molecule tests need to wait for CRD to be established
• Add missing warning on VirtualService “exportTo” field
• Exposing workloads with ServiceEntries makes Kiali show non-existing Services
• Cannot fetch proxy status on Istio master (1.11)

1.37.0

Sprint Release: July 9th, 2021

Features:

• Support for custom istio injection labels and values
• Metrics page: select all/none filter
• Add Gateway/VirtualService hostnames in Service details
• Add gateway validation to VirtualServices
• Services list should show when a VirtualService/DestinationRule is applied
• Unify style attribute for config validation icons
• (multi-cluster) Enhance support for mesh deployment models
• Add help icon in Wizards
• Support for custom CA certificates in OpenID authentication

Fixes:

• The namespaces that begins with kube are hidden but those should be OK
• Repeated queries on CustomMetrics
• kiali Cannot load the graph “invalid character ’d’ looking for beginning of value”
• Duplicated application container on Workload Logs tab
• Metrics Settings are kept but not applied when switching metrics tabs
• (perf) pr #3975 introduced perf regression for /api/namespaces/bookinfo/services/details/graph endpoint
• Tooltip span not available

1.36.0

Sprint Release: June 18th, 2021

Features:

• Connect Listeners and Routes in the Envoy Config modal
• remove istio_component_namespaces config
• Research Metrics tab main layout
• Display throughput on the graph edges
• Move Envoy Details to Workload Details
• Pod table should reflect any container crash
• Consolidate Dashboards CRDs into main Kiali config, also handled via Kiali Operator
• convert community OLM metadata to new bundle format
• Add to graph indicator for Kiali scenarios
• move the support for old versions to CRD v1 when appropriate
• Internal metrics revisit

Fixes:

• Difference between App and Workload healths - causing inconsistency in Overview
• Wrong Health info at Service level
• Trace graph tooltip truncates long hostnames
• Circuit Breaker Badge is missing in the Graph
• clean up hack/istio/bookinfo* resources
• Health popover disappearing
• (helm)(operator) do not use deprecated Ingress kind - update to latest apiVersion
• Graph replay health is not correct
• Molecule tests broken for podman 3
• Possible false positive reported as violating KIA0202
• horizontal scroll problem on graph side panel trace tab detail

2 - Security Bulletins

Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:

For Kiali-specific vulnerabilities there will be releases made as needed. At release time a security bulletin will be release as well. For prior bulletins see below:

2.1 - KIALI-SECURITY-003 - Installation into ad-hoc namespaces

Description

• Disclosure date: May 11, 2021
• Affected Releases: prior to 1.33.0
• Impact Score: 6.6 - AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

A vulnerability was found in the Kiali Operator allowing installation of a specified image into any namespace.

Kiali users are exposed to this vulnerability if all the following conditions are met:

• Kiali operator is used for installation.
• Kiali CR was edited to install an image into an unapproved namespace.

This vulnerability is filed as CVE-2021-3495

Mitigation

If you can update:

• Update to Kiali Operator v1.33.0 or later.

If you can not update:

• Ensure only trusted individuals can create or edit a Kiali CRs (resources of kind “kiali”).

2.2 - KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy

Description

• Disclosure date: March 5, 2021
• Affected Releases: 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.30.0
• Impact Score: 7.0 - AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:X/RC:C

A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.

Kiali users are exposed to this vulnerability if all the following conditions are met:

• Kiali is setup with the openid authentication strategy.
• As a result of configurations in both Kiali and your OpenID server, Kiali uses the implicit flow of the OpenID specification to negotiate authentication.
• Kiali is setup with RBAC turned off.

This vulnerability is filed as CVE-2021-20278

Mitigation

If you can update:

• Update to Kiali v1.31.0 or later.
• If you need an earlier version, only Kiali 1.26.3 and 1.29.2 are fixed.

If you are locked with an older version of Kiali, you have three options:

• Configure Kiali to use the authorization code flow of the OpenID specification; or
• Configure Kiali to use the implicit flow of the OpenID specification and enable RBAC; or
• Configure Kiali to use any of the other available authentication mechanisms.

2.3 - KIALI-SECURITY-001 - Authentication bypass using forged credentials

Description

• Disclosure date: March 25, 2020
• Affected Releases: 0.4.0 to 1.15.0
• Impact Score: 9.4 - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. Currently, Kiali has four authentication mechanisms: login, token, openshift and ldap. All are vulnerable.

The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.

Additionally, it was found that Kiali credentials were not being validated properly. Depending on the authentication mechanism configured in Kiali, this could facilitate unauthorized access into Kiali with forged and/or invalid credentials.

These vulnerabilities are filed as CVE-2020-1762 and CVE-2020-1764

Detection

Use the following bash script to check if you are vulnerable:

KIALI_VERSION=$(kubectl get pods -n istio-system -l app=kiali -o yaml | sed -n 's/^.*image: .*:v\(.*\)$/\1/p' | sort -u)
kubectl get deploy kiali -n istio-system -o yaml | grep -q LOGIN_TOKEN_SIGNING_KEY
TEST_KEY_ENV=$?
kubectl get cm kiali -n istio-system -o yaml | grep signing_key | grep -vq kiali
TEST_KEY_CFG=$?
VERSION_ENTRIES=(${KIALI_VERSION//./ })
echo "Your Kiali version found: ${KIALI_VERSION}"
[ ${VERSION_ENTRIES[0]} -lt "1" ] || ([ ${VERSION_ENTRIES[0]} -eq "1" ] && (\
  [ ${VERSION_ENTRIES[1]} -lt "15" ] || ([ ${VERSION_ENTRIES[1]} -eq "15" ] && ( \
  [ ${VERSION_ENTRIES[2]} -le "0" ])))) && echo "Your Kiali version is vulnerable"
[ $TEST_KEY_ENV -eq 1 ] && [ $TEST_KEY_CFG -eq 1 ] && echo "Your Kiali configuration looks vulnerable"

The script output will be similar to this:

Your Kiali version found: 1.14.0
Your Kiali version is vulnerable
Your Kiali configuration looks vulnerable

Mitigation

• Update to Kiali 1.15.1 or later.

Alternatively, if you cannot update to version 1.15.1, mitigation is possible by setting a secure signing key when deploying Kiali. If you installed via Kiali operator, you could use the following bash script:

SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
kubectl get kiali -n $(kubectl get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\n    login_token:\n      signing_key: $SIGN_KEY/" | kubectl apply -f -

If you installed via Istio helm charts or istioctl command, you could use the following bash script:

KIALI_INSTALL_NAMESPACE=istio-system
SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
kubectl get cm kiali -n $KIALI_INSTALL_NAMESPACE -o yaml | sed "s/server:/login_token:\\n      signing_key: $SIGN_KEY\\n    server:/" | kubectl apply -f -
kubectl delete pod -l app=kiali -n $KIALI_INSTALL_NAMESPACE