When opening the Traces tab or the Distributed Tracing menu item, it asks to accept the certificate.
After certificate acceptance, it asks for the OpenShift login.
This happens because traces are opened in an IFrame.

The YAML file is:

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: kiali
  namespace: istio-system
  selfLink: /api/v1/namespaces/istio-system/configmaps/kiali
  uid: f9821dda-ca48-11e9-b868-fa163e93986d
  resourceVersion: '2988464'
  creationTimestamp: '2019-08-29T10:37:18Z'
  labels:
    app: kiali
    version: 1.0.5
  ownerReferences:
    - apiVersion: kiali.io/v1alpha1
      kind: Kiali
      name: kiali
      uid: f47c7df7-ca48-11e9-b868-fa163e93986d
data:
  config.yaml: |
    api:
      namespaces:
        exclude:
          - istio-operator
          - kube.*
          - openshift.*
          - ibm.*
          - kiali-operator
        label_selector: kiali.io/member-of=istio-system
    auth:
      strategy: openshift
    deployment:
      accessible_namespaces:
        - istio-system
      image_name: quay.io/maistra/kiali-rhel7
      image_pull_policy: Always
      image_pull_secrets: []
      image_version: 1.0.5
      ingress_enabled: true
      namespace: istio-system
      secret_name: kiali
      service_type: NodePort
      verbose_mode: '3'
      version_label: 1.0.5
      view_only_mode: false
    external_services:
      grafana:
        auth:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          insecure_skip_verify: false
          password: 4NFifoigpzw5jC0v5UcXrXY5wMARjIg0aRfZRRQcK224ixIkkOWTvIjb1ll9IB67goACknIbEQqXA39qqfCzQg1aSIGV8Lyj/HgU3bDJX7aVGH5pXcFj5q+hWQ1JiRA6FNCZ1QZYbtZydlqG0VT9iykcEOrjvQ4mpIlPAzrU7QyhzgJF8FAMjQB+O22JbJ/csRkuGQQoB7ISDJ5wXERDWJNGCHJOvhw1MwqYIoDv/nkqD7WUcS5qXcYaRQKTzzJwI08u2FqTQAKxXH1iifiG/YMf6eeyakdRX8OKykgCCpHuToGmrLpwO6LUUxlRMuDwovjaVe14CUzy01DOCuNl
          token: ''
          type: basic
          use_kiali_token: false
          username: internal
        display_link: true
        enabled: true
        in_cluster_url: https://grafana.istio-system.svc:3000
        url: https://grafana-istio-system.apps.ocp4-kqe1.maistra.upshift.redhat.com
      istio:
        istio_identity_domain: svc.cluster.local
        istio_sidecar_annotation: sidecar.istio.io/status
        url_service_version: http://istio-pilot.istio-system:8080/version
      prometheus:
        auth:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          insecure_skip_verify: false
          password: 4NFifoigpzw5jC0v5UcXrXY5wMARjIg0aRfZRRQcK224ixIkkOWTvIjb1ll9IB67goACknIbEQqXA39qqfCzQg1aSIGV8Lyj/HgU3bDJX7aVGH5pXcFj5q+hWQ1JiRA6FNCZ1QZYbtZydlqG0VT9iykcEOrjvQ4mpIlPAzrU7QyhzgJF8FAMjQB+O22JbJ/csRkuGQQoB7ISDJ5wXERDWJNGCHJOvhw1MwqYIoDv/nkqD7WUcS5qXcYaRQKTzzJwI08u2FqTQAKxXH1iifiG/YMf6eeyakdRX8OKykgCCpHuToGmrLpwO6LUUxlRMuDwovjaVe14CUzy01DOCuNl
          token: ''
          type: basic
          use_kiali_token: false
          username: internal
        custom_metrics_url: https://prometheus.istio-system.svc:9090
        url: https://prometheus.istio-system.svc:9090
      tracing:
        auth:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          insecure_skip_verify: false
          password: 4NFifoigpzw5jC0v5UcXrXY5wMARjIg0aRfZRRQcK224ixIkkOWTvIjb1ll9IB67goACknIbEQqXA39qqfCzQg1aSIGV8Lyj/HgU3bDJX7aVGH5pXcFj5q+hWQ1JiRA6FNCZ1QZYbtZydlqG0VT9iykcEOrjvQ4mpIlPAzrU7QyhzgJF8FAMjQB+O22JbJ/csRkuGQQoB7ISDJ5wXERDWJNGCHJOvhw1MwqYIoDv/nkqD7WUcS5qXcYaRQKTzzJwI08u2FqTQAKxXH1iifiG/YMf6eeyakdRX8OKykgCCpHuToGmrLpwO6LUUxlRMuDwovjaVe14CUzy01DOCuNl
          token: ''
          type: basic
          use_kiali_token: false
          username: internal
        enabled: true
        namespace: istio-system
        port: 16686
        service: ''
        url: https://jaeger-istio-system.apps.ocp4-kqe1.maistra.upshift.redhat.com
    identity:
      cert_file: /kiali-cert/tls.crt
      private_key_file: /kiali-cert/tls.key
    installation_tag: Kiali [istio-system]
    istio_labels:
      app_label_name: app
      version_label_name: version
    istio_namespace: istio-system
    kubernetes_config:
      burst: 200
      cache_duration: 300000000
      cache_enabled: false
      qps: 175
    login_token:
      expiration_seconds: 86400
      signing_key: kiali
    server:
      address: ''
      audit_log: true
      cors_allow_all: false
      metrics_enabled: true
      metrics_port: 9090
      port: 20001
      web_root: /
```

Can you set use_kiali_token to true and check it?
I've moved from "blocker" to "p1".
It's a serious issue but as it may have a documented workaround I think we can label it as "p1" instead.
Checking these changes https://github.com/Maistra/istio-operator/commit/9a4bdc8aaa3739f6522ad6f89513812ddeca97c7#diff-44c0797c92539240b8d53d3c8c4a5aeb
Jira opened in Maistra https://issues.jboss.org/browse/MAISTRA-873
This is a known issue.
To properly solve this, the integration with Jaeger will require a more complex SSO solution, so we are considering proposing a Kiali component to visualize the traces in Kiali; when clicking on the detail, it can jump to a different tab/window, delegating but removing the iframe integration, which is not adding much value but is adding more complexity in the configuration than expected.