Kiali: Traces asks OpenShift Login

Created on 29 Aug 2019  路  5Comments  路  Source: kiali/kiali

When opening Traces tab or Distributed Tracing menu item, it asks to accept the certificate.
After certificate acceptance, it asks OpenShift login.
Happens because traces in opened in an IFrame.

Screenshot from 2019-08-29 12-40-24

bug teajupiter

Most helpful comment

This is a known issue.
To proper solve this the integration with jaeger will require a more complex SSO solution so we are considering to propose a Kiali component to visualize the traces in Kiali, and when clicking in the detail it can jump in a different tab/window delegating but removing the iframe integration that is not adding too much value but more complexity in the configuration than expected.

All 5 comments

The yaml file is

kind: ConfigMap
apiVersion: v1
metadata:
  name: kiali
  namespace: istio-system
  selfLink: /api/v1/namespaces/istio-system/configmaps/kiali
  uid: f9821dda-ca48-11e9-b868-fa163e93986d
  resourceVersion: '2988464'
  creationTimestamp: '2019-08-29T10:37:18Z'
  labels:
    app: kiali
    version: 1.0.5
  ownerReferences:
    - apiVersion: kiali.io/v1alpha1
      kind: Kiali
      name: kiali
      uid: f47c7df7-ca48-11e9-b868-fa163e93986d
data:
  config.yaml: |
    api:
      namespaces:
        exclude:
        - istio-operator
        - kube.*
        - openshift.*
        - ibm.*
        - kiali-operator
        label_selector: kiali.io/member-of=istio-system
    auth:
      strategy: openshift
    deployment:
      accessible_namespaces:
      - istio-system
      image_name: quay.io/maistra/kiali-rhel7
      image_pull_policy: Always
      image_pull_secrets: []
      image_version: 1.0.5
      ingress_enabled: true
      namespace: istio-system
      secret_name: kiali
      service_type: NodePort
      verbose_mode: '3'
      version_label: 1.0.5
      view_only_mode: false
    external_services:
      grafana:
        auth:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          insecure_skip_verify: false
          password: 4NFifoigpzw5jC0v5UcXrXY5wMARjIg0aRfZRRQcK224ixIkkOWTvIjb1ll9IB67goACknIbEQqXA39qqfCzQg1aSIGV8Lyj/HgU3bDJX7aVGH5pXcFj5q+hWQ1JiRA6FNCZ1QZYbtZydlqG0VT9iykcEOrjvQ4mpIlPAzrU7QyhzgJF8FAMjQB+O22JbJ/csRkuGQQoB7ISDJ5wXERDWJNGCHJOvhw1MwqYIoDv/nkqD7WUcS5qXcYaRQKTzzJwI08u2FqTQAKxXH1iifiG/YMf6eeyakdRX8OKykgCCpHuToGmrLpwO6LUUxlRMuDwovjaVe14CUzy01DOCuNl
          token: ''
          type: basic
          use_kiali_token: false
          username: internal
        display_link: true
        enabled: true
        in_cluster_url: https://grafana.istio-system.svc:3000
        url: https://grafana-istio-system.apps.ocp4-kqe1.maistra.upshift.redhat.com
      istio:
        istio_identity_domain: svc.cluster.local
        istio_sidecar_annotation: sidecar.istio.io/status
        url_service_version: http://istio-pilot.istio-system:8080/version
      prometheus:
        auth:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          insecure_skip_verify: false
          password: 4NFifoigpzw5jC0v5UcXrXY5wMARjIg0aRfZRRQcK224ixIkkOWTvIjb1ll9IB67goACknIbEQqXA39qqfCzQg1aSIGV8Lyj/HgU3bDJX7aVGH5pXcFj5q+hWQ1JiRA6FNCZ1QZYbtZydlqG0VT9iykcEOrjvQ4mpIlPAzrU7QyhzgJF8FAMjQB+O22JbJ/csRkuGQQoB7ISDJ5wXERDWJNGCHJOvhw1MwqYIoDv/nkqD7WUcS5qXcYaRQKTzzJwI08u2FqTQAKxXH1iifiG/YMf6eeyakdRX8OKykgCCpHuToGmrLpwO6LUUxlRMuDwovjaVe14CUzy01DOCuNl
          token: ''
          type: basic
          use_kiali_token: false
          username: internal
        custom_metrics_url: https://prometheus.istio-system.svc:9090
        url: https://prometheus.istio-system.svc:9090
      tracing:
        auth:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          insecure_skip_verify: false
          password: 4NFifoigpzw5jC0v5UcXrXY5wMARjIg0aRfZRRQcK224ixIkkOWTvIjb1ll9IB67goACknIbEQqXA39qqfCzQg1aSIGV8Lyj/HgU3bDJX7aVGH5pXcFj5q+hWQ1JiRA6FNCZ1QZYbtZydlqG0VT9iykcEOrjvQ4mpIlPAzrU7QyhzgJF8FAMjQB+O22JbJ/csRkuGQQoB7ISDJ5wXERDWJNGCHJOvhw1MwqYIoDv/nkqD7WUcS5qXcYaRQKTzzJwI08u2FqTQAKxXH1iifiG/YMf6eeyakdRX8OKykgCCpHuToGmrLpwO6LUUxlRMuDwovjaVe14CUzy01DOCuNl
          token: ''
          type: basic
          use_kiali_token: false
          username: internal
        enabled: true
        namespace: istio-system
        port: 16686
        service: ''
        url: https://jaeger-istio-system.apps.ocp4-kqe1.maistra.upshift.redhat.com
    identity:
      cert_file: /kiali-cert/tls.crt
      private_key_file: /kiali-cert/tls.key
    installation_tag: Kiali [istio-system]
    istio_labels:
      app_label_name: app
      version_label_name: version
    istio_namespace: istio-system
    kubernetes_config:
      burst: 200
      cache_duration: 300000000
      cache_enabled: false
      qps: 175
    login_token:
      expiration_seconds: 86400
      signing_key: kiali
    server:
      address: ''
      audit_log: true
      cors_allow_all: false
      metrics_enabled: true
      metrics_port: 9090
      port: 20001
      web_root: /

Can you set use_kiali_token to true and check it ?

I've moved from "blocker" to "p1".
It's a serious issue but as it may have a documented workaround I think we can label it as "p1" instead.

This is a known issue.
To proper solve this the integration with jaeger will require a more complex SSO solution so we are considering to propose a Kiali component to visualize the traces in Kiali, and when clicking in the detail it can jump in a different tab/window delegating but removing the iframe integration that is not adding too much value but more complexity in the configuration than expected.

Was this page helpful?
0 / 5 - 0 ratings