Details
-
Task
-
Resolution: Done
-
Major
-
None
-
None
-
False
-
False
-
Undefined
Description
I am just documenting this for when we build a new Kiali operator based off of the new branch that we create for the next minor version of OSSM.
Because the Kiali operator is required to be able to install/manage multiple older versions (e.g. Kiali 1.0, Kiali 1.12, along with Kiali 1.24), we must ensure the operator maintains ALL the permissions it needs for all the supported older versions.
Today, I do not believe we have been careful in the master branch to maintain the CSV for the Kiali OSSM metadata. It looks like we have removed some permissions that are most likely still going to be needed when we branch off of master to build the new operator.
You can see the differences by doing this in the Kiali Operator git repo:
git diff v1.24..master -- kiali-ossm/manifests/kiali.clusterserviceversion.yaml
You can see how master copy of the OSSM/Kiali metadata has changed since v1.24 branch (note: the v1.24 branch is currently where we build the latest Kiali Operator - in the future, we are going to branch off master for the next Kiali Operator - probably will be tagged as v1.34 or thereabouts).
Note that the diff shows we have removed some permissions that most likely are going to be needed if we are still to support Kiali 1.0 (I do not know if we need these perms for 1.12 - we'll have to test that):
- apiGroups: - - config.istio.io - networking.istio.io - - authentication.istio.io - - rbac.istio.io - security.istio.io resources: ["*"] ... - - apiGroups: ["authentication.maistra.io"] - resources: - - servicemeshpolicies - verbs: - - create - - delete - - get - - list - - patch - - watch - - apiGroups: ["rbac.maistra.io"] - resources: - - servicemeshrbacconfigs - verbs: - - create - - delete - - get - - list - - patch - - watch
We need to make sure when this OLM CSV metadata can correctly support the older versions of Kiali that OSSM will be supporting. I suspect we'll have to put back those permissions I show above - but, again, testing will be needed to confirm this.