linode · svcAPLBot · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
@@ -171,7 +171,7 @@ appsInfo:
     integration: The SSO login page for APL is served by Keycloak. Keycloak is used as an identity broker or provider for all APL integrated applications. By default Keycloak is configured as an Identity Broker. Keycloak is part of the core of APL and is always enabled.
   kiali:
     title: Kiali Operator
-    appVersion: 2.10.0
+    appVersion: 2.17.0
     repo: https://github.com/kiali/kiali
     maintainers: Kiali
     relatedLinks:

@@ -51,7 +51,7 @@ dependencies:
     version: 7.1.3
     repository: https://codecentric.github.io/helm-charts
   - name: kiali-operator
-    version: 2.10.0
+    version: 2.17.0
     repository: https://kiali.org/helm-charts
   - name: knative-operator
     version: v1.18.1

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v2.10.0
+appVersion: v2.17.0
 description: Kiali is an open source project for service mesh observability, refer
   to https://www.kiali.io for details.
 home: https://github.com/kiali/kiali-operator
@@ -17,4 +17,4 @@ sources:
 - https://github.com/kiali/kiali
 - https://github.com/kiali/kiali-operator
 - https://github.com/kiali/helm-charts
-version: 2.10.0
+version: 2.17.0
@@ -1,6 +1,17 @@
 Welcome to Kiali! For more details on Kiali, see: https://kiali.io
 
+{{- if .Values.skipResources }}
+The Kiali Operator [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}].
+===============
+!!! WARNING !!!
+===============
+You have configured the "skipResources" setting. This helm chart will not create or manage those resources.
+It is your responsibility to manually create those resources yourself. Until you create those
+resources with their correct configurations, the operator WILL NOT work.
+{{- else }}
 The Kiali Operator [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+{{- end }}
+===============
 
 {{- if .Values.cr.create }}
   {{- if or (and (not .Values.watchNamespace) (not .Values.cr.namespace)) (and (.Values.watchNamespace) (eq .Values.watchNamespace .Release.Namespace)) (and (.Values.cr.namespace) (eq .Values.cr.namespace .Release.Namespace)) }}

@@ -56,3 +56,18 @@ app.kubernetes.io/name: {{ include "kiali-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Returns true if the given resource kind is in .Values.skipResources
+This aborts if .Values.skipResources has invalid values.
+*/}}
+{{- define "kiali-operator.isSkippedResource" -}}
+  {{- $validSkipResources := dict "clusterrole" true "clusterrolebinding" true "sa" true }}
+  {{- $ctx := .ctx }}
+  {{- $name := .name }}
+  {{- range $i, $item := $ctx.Values.skipResources }}
+    {{- if not (hasKey $validSkipResources $item) }}
+      {{- fail (printf "Aborting due to an invalid entry [%q] in skipResources: %q. Valid list item values are: %q" $item $ctx.Values.skipResources (keys $validSkipResources)) }}
+    {{- end }}
+  {{- end }}
+  {{- has $name $ctx.Values.skipResources }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if eq "false" (include "kiali-operator.isSkippedResource" (dict "ctx" . "name" "clusterrole")) -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -135,6 +136,7 @@ rules:
 - apiGroups: ["extensions", "networking.k8s.io"]
   resources:
   - ingresses
+  - networkpolicies
   verbs:
   - create
   - delete
@@ -275,6 +277,7 @@ rules:
   - extensions.istio.io
   - telemetry.istio.io
   - gateway.networking.k8s.io
+  - inference.networking.k8s.io
   resources: ["*"]
   verbs:
   - get
@@ -295,11 +298,6 @@ rules:
   {{- if eq .Values.onlyViewOnlyMode false }}
   - patch
   {{- end }}
-- apiGroups: ["project.openshift.io"]
-  resources:
-  - projects
-  verbs:
-  - get
 - apiGroups: ["route.openshift.io"]
   resources:
   - routes
@@ -318,3 +316,4 @@ rules:
   - list
   - watch
 ...
+{{- end -}}
@@ -1,3 +1,4 @@
+{{- if eq "false" (include "kiali-operator.isSkippedResource" (dict "ctx" . "name" "clusterrolebinding")) -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -14,3 +15,4 @@ roleRef:
   name: {{ include "kiali-operator.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
 ...
+{{- end -}}
@@ -12,6 +12,9 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: ossmconsoles.kiali.io
+  labels:
+    app: kiali-operator
+    app.kubernetes.io/name: kiali-operator
 spec:
   group: kiali.io
   names:
@@ -29,6 +32,86 @@ spec:
     schema:
       openAPIV3Schema:
         type: object
-        x-kubernetes-preserve-unknown-fields: true
+        properties:
+          status:
+            description: "The processing status of this CR as reported by the OpenShift Service Mesh Console Operator."
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          spec:
+            description: "This is the CRD for the resources called OSSMConsole CRs. The OpenShift Service Mesh Console Operator will watch for resources of this type and when it detects an OSSMConsole CR has been added, deleted, or modified, it will install, uninstall, and update the associated OSSM Console installation."
+            type: object
+            properties:
+              version:
+                description: |
+                  The version of the Ansible role that will be executed in order to install OSSM Console.
+                  This also indirectly determines the version of OSSM Console that will be installed.
+                  You normally will want to use `default` since this is the only officially supported value today.
+
+                  If not specified, the value of `default` is assumed which means the most recent Ansible role is used;
+                  thus the most recent release of OSSM Console will be installed.
+
+                  Refer to this file to see what the valid values are for this `version` field (as defined in the master branch),
+                  https://github.com/kiali/kiali-operator/blob/master/playbooks/ossmconsole-default-supported-images.yml
+
+                  This `version` setting affects the defaults of the `deployment.imageName` and
+                  `deployment.imageVersion` settings. See the documentation for those settings below for
+                  additional details. In short, this `version` setting will dictate which version of the
+                  OSSM Console image will be deployed by default. However, if you explicitly set `deployment.imageName`
+                  and/or `deployment.imageVersion` to reference your own custom image, that will override the
+                  default OSSM Console image to be installed; therefore, you are responsible for ensuring those settings
+                  are compatible with the Ansible role that will be executed in order to install OSSM Console (i.e. your
+                  custom OSSM Console image must be compatible with the rest of the configuration and resources the
+                  operator will install).
+                type: string
+              deployment:
+                type: object
+                properties:
+                  imageDigest:
+                    description: "If `deployment.imageVersion` is a digest hash, this value indicates what type of digest it is. A typical value would be 'sha256'. Note: do NOT prefix this value with a '@'."
+                    type: string
+                  imageName:
+                    description: "Determines which OSSM Console image to download and install. If you set this to a specific name (i.e. you do not leave it as the default empty string), you must make sure that image is supported by the operator. If empty, the operator will use a known supported image name based on which `version` was defined. Note that, as a security measure, a cluster admin may have configured the operator to ignore this setting. A cluster admin may do this to ensure the operator only installs a single, specific OSSM Console version, thus this setting may have no effect depending on how the operator itself was configured."
+                    type: string
+                  imagePullPolicy:
+                    description: "The Kubernetes pull policy for the OSSM Console deployment. This is overridden to be 'Always' if `deployment.imageVersion` is set to 'latest'."
+                    type: string
+                    default: "IfNotPresent"
+                  imagePullSecrets:
+                    description: "The names of the secrets to be used when container images are to be pulled."
+                    type: array
+                    items:
+                      type: string
+                  imageVersion:
+                    description: |
+                      Determines which version of OSSM Console to install.
+                      Choose 'lastrelease' to use the last OSSM Console release.
+                      Choose 'latest' to use the latest image (which may or may not be a released version of the OSSM Console).
+                      Choose 'operator_version' to use the image whose version is the same as the operator version.
+                      Otherwise, you can set this to any valid OSSM Console version (such as 'v1.0') or any valid OSSM Console
+                      digest hash (if you set this to a digest hash, you must indicate the digest in `deployment.imageDigest`).
+                      Note that if this is set to 'latest' then the `deployment.imagePullPolicy` will be set to 'Always'.
+                      If you set this to a specific version (i.e. you do not leave it as the default empty string),
+                      you must make sure that image is supported by the operator.
+                      If empty, the operator will use a known supported image version based on which 'version' was defined.
+                      Note that, as a security measure, a cluster admin may have configured the operator to
+                      ignore this setting. A cluster admin may do this to ensure the operator only installs
+                      a single, specific OSSM Console version, thus this setting may have no effect depending on how the
+                      operator itself was configured.
+                    type: string
+                  namespace:
+                    description: "The namespace into which OSSM Console is to be installed. If this is empty or not defined, the default will be the namespace where the OSSMConsole CR is located. Currently the only namespace supported is the namespace where the OSSMConsole CR is located."
+                    type: string
+              kiali:
+                type: object
+                properties:
+                  serviceName:
+                    description: "The internal Kiali service that the OpenShift Console will use to proxy API calls. If empty, an attempt will be made to auto-discover it from the Kiali OpenShift Route."
+                    type: string
+                  serviceNamespace:
+                    description: "The namespace where the Kiali service is deployed. If empty, an attempt will be made to auto-discover it from the Kiali OpenShift Route. It will assume that the OpenShift Route and the Kiali service are deployed in the same namespace."
+                    type: string
+                  servicePort:
+                    description: "The internal port used by the Kiali service for the API. If empty, an attempt will be made to auto-discover it from the Kiali OpenShift Route."
+                    type: integer
 ...
 {{- end }}
@@ -1,3 +1,4 @@
+{{- if eq "false" (include "kiali-operator.isSkippedResource" (dict "ctx" . "name" "sa")) -}}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -13,3 +14,4 @@ imagePullSecrets:
 {{- end }}
 {{- end }}
 ...
+{{- end -}}
@@ -3,7 +3,7 @@ fullnameOverride: ""
 
 image: # see: https://quay.io/repository/kiali/kiali-operator?tab=tags
   repo: quay.io/kiali/kiali-operator # quay.io/kiali/kiali-operator
-  tag: v2.10.0 # version string like v1.39.0 or a digest hash
+  tag: v2.17.0 # version string like v1.39.0 or a digest hash
   digest: "" # use "sha256" if tag is a sha256 hash (do NOT prefix this value with a "@")
   pullPolicy: Always
   pullSecrets: []
@@ -24,6 +24,19 @@ replicaCount: 1
 priorityClassName: ""
 securityContext: {}
 
+# This helm chart will create Kubernetes resources such as cluster roles, cluster role bindings, and service accounts.
+# For very rare use-cases, users may want to manage some of these resources manually, outside
+# of this helm chart. In cases like this, you can inform this helm chart to skip the creation of
+# those resources that you want to manage yourself.
+# For example, if you want to manage cluster roles and cluster role bindings yourself, but you still want this helm
+# chart to create service accounts, set the value of "skipResources" to an array
+# value of ["clusterrole", "clusterrolebinding"].
+# If you use this feature, you must be aware that you then bear the responsibility of
+# creating these resources yourself manually; if you do not then the installation
+# will be broken. Therefore, only use this feature if you know what you are doing.
+# Valid list item values are: "clusterrole", "clusterrolebinding", "sa"
+skipResources: []
+
 # metrics.enabled: set to true if you want Prometheus to collect metrics from the operator
 metrics:
   enabled: true