feat(discovery): configurations for KubeAPI discovery (#128)
* feat(discovery): configurations for KubeAPI discovery

* feat(values): add default values for namespace and port configs

* feat(rbac): update rbac resources to support multinamespaces

* fix(rbac): fix newline trimmed causing invalid rolebinding set

* chore(rbac): rename templates

* chore(rbac): rbac should only be generated when necessary

* fix(deploy): pre-process config lists

* chore(deploy): rename env var

* feat(discovery): use flags to disable default discovery options

* fix(rbac): copy roles instead of clusterrole

* fix(rbac): should generate roles & rolebinding for install namespace if not disabled

* fix(rbac): handle null case

* chore(template): fix typos
tthvo authored May 29, 2024
1 parent 67527e8 commit 835025a
Showing 7 changed files with 184 additions and 49 deletions.
58 changes: 33 additions & 25 deletions charts/cryostat/README.md

Large diffs are not rendered by default.

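--- a/charts/cryostat/templates/_helpers.tpl
+++ b/charts/cryostat/templates/_helpers.tpl
@@ -133,3 +133,16 @@ Generate or retrieve a default value for cookieSecret.
 {{- $newSecret | quote -}}
 {{- end }}
 {{- end }}
+
+{{/*
+Get sanitized list or defaults (if not disabled) as comma-separated list
+*/}}
+{{- define "cryostat.commaSepList" -}}
+{{- $l := index . 0 -}}
+{{- $default := index . 1 -}}
+{{- $disableDefaults := index . 2 -}}
+{{- if and (not $l) (not $disableDefaults) -}}
+{{- $l = list $default -}}
+{{- end -}}
+{{- join "," (default list $l | compact | uniq) | quote -}}
+{{- end -}}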
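Review bot: In `cryostat.commaSepList` the emptiness test `not $l` runs before `compact`, so a list holding only empty entries (for example `namespaces: [""]`) skips the default and renders `""`, whereas role.yaml and rolebinding.yaml compact the same value first and then fall back to the release namespace. The container would then receive an empty `CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES` while a Role and RoleBinding are still created for the install namespace. Sanitize before testing so both paths agree, `{{- $l := compact (default list (index . 0)) | uniq -}}`, and reduce the last line to `{{- join "," $l | quote -}}`. The doc comment should also state the expected argument order (list, default value, disable flag), since callers pass a positional list.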
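--- a/charts/cryostat/templates/deployment.yaml
+++ b/charts/cryostat/templates/deployment.yaml
@@ -91,6 +91,18 @@ spec:
 value: http://localhost:8800
 - name: GRAFANA_DASHBOARD_URL
 value: http://localhost:3000
+{{- if .Values.core.discovery.kubernetes.enabled }}
+- name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED
+value: "true"
+{{- with .Values.core.discovery.kubernetes }}
+- name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
+value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }}
+- name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES
+value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }}
+- name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS
+value: {{ include "cryostat.commaSepList" (list .portNumbers 9091 .builtInPortNumbersDisabled) }}
+{{- end }}
+{{- end }}
 ports:
 - containerPort: 8181
 protocol: TCP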
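Review bot: `CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED` is emitted only when the value is true, so `core.discovery.kubernetes.enabled: false` leaves the variable unset instead of setting it to "false". If the application's built-in default is enabled (not visible in this diff), discovery would stay on while role.yaml and rolebinding.yaml skip the RBAC objects, and the chart setting would not act as an off switch. Consider always rendering the variable, `value: {{ .Values.core.discovery.kubernetes.enabled | quote }}`, and keeping only the three list variables inside the `if`. The container spec starts and continues outside this hunk.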
26 changes: 24 additions & 2 deletions charts/cryostat/templates/role.yaml
@@ -1,8 +1,12 @@
{{- if .Values.rbac.create -}}
{{- define "createRole" -}}
{{- $ns := index . 0 -}}
{{- with index . 1 -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "cryostat.fullname" . }}
namespace: {{ $ns }}
labels:
{{- include "cryostat.labels" . | nindent 4 }}
rules:
Expand Down Expand Up @@ -36,4 +40,22 @@ rules:
- deploymentconfigs
verbs:
- get
{{- end }}
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- get
- list
{{- end -}}
{{- end -}}

{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
{{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}}
{{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}}
{{- $watchNs = list .Release.Namespace -}}
{{- end -}}
{{- range $ns := $watchNs }}
{{ include "createRole" (list $ns $) }}
{{- end -}}
{{- end -}}
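Review bot: `namespace: {{ $ns }}` in the first hunk renders a user-supplied value unquoted, so a namespace whose name is all digits or reads as a boolean is typed by the YAML parser as a number or bool and the Role will not be accepted as written. Quote it, `namespace: {{ $ns | quote }}`; the same line in rolebinding.yaml's `createRolebinding` needs the same change. Separately, `createRole` is defined without the chart prefix that `cryostat.commaSepList` uses, and named templates are global, so `cryostat.createRole` would avoid collisions with subcharts. The rules list between the two hunks is not shown, so this note does not cover it.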
19 changes: 17 additions & 2 deletions charts/cryostat/templates/rolebinding.yaml
@@ -1,8 +1,12 @@
{{- if .Values.rbac.create -}}
{{- define "createRolebinding" -}}
{{- $ns := index . 0 -}}
{{- with index . 1 -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cryostat.fullname" . }}
namespace: {{ $ns }}
labels:
{{- include "cryostat.labels" . | nindent 4 }}
roleRef:
Expand All @@ -13,4 +17,15 @@ subjects:
- kind: ServiceAccount
name: {{ include "cryostat.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end -}}
{{- end -}}

{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
{{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}}
{{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}}
{{- $watchNs = list .Release.Namespace -}}
{{- end -}}
{{- range $ns := $watchNs }}
{{ include "createRolebinding" (list $ns $) }}
{{- end -}}
{{- end -}}
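Review bot: The `$watchNs` block at the end of this file is a copy of the one in role.yaml, and `cryostat.commaSepList` resolves the same namespace set a third time with a different order of checks. These three must agree for the service account to hold permissions in exactly the namespaces the application is told to watch, so a single helper in _helpers.tpl that returns the resolved namespace list would keep the RBAC scope and `CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES` from drifting apart. At minimum add a comment above the block, such as `{{/* Keep in sync with role.yaml and cryostat.commaSepList */}}`.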
88 changes: 68 additions & 20 deletions charts/cryostat/values.schema.json
Expand Up @@ -180,32 +180,60 @@
"type": "string",
"description": "Name of the secret to extract password for credentials database.",
"default": ""
},
"discovery": {
"type": "object",
"properties": {
"kubernetes": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Enables Kubernetes API discovery mechanism",
"default": true
},
"installNamespaceDisabled": {
"type": "boolean",
"description": "When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)",
"default": false
},
"namespaces": {
"type": "array",
"description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile",
"default": [],
"items": {}
},
"builtInPortNamesDisabled": {
"type": "boolean",
"description": "When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets.",
"default": false
},
"portNames": {
"type": "array",
"description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable",
"default": [],
"items": {}
},
"builtInPortNumbersDisabled": {
"type": "boolean",
"description": "When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets.",
"default": false
},
"portNumbers": {
"type": "array",
"description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable",
"default": [],
"items": {}
}
}
}
}
}
}
},
"db": {
"type": "object",
"properties": {
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"description": "Repository for the database container image",
"default": "quay.io/cryostat/cryostat-db"
},
"pullPolicy": {
"type": "string",
"description": "Image pull policy for the database container image",
"default": "Always"
},
"tag": {
"type": "string",
"description": "Tag for the database container image",
"default": "latest"
}
}
},
"securityContext": {
"type": "object",
"properties": {
Expand All @@ -231,6 +259,26 @@
}
}
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"description": "Repository for the database container image",
"default": "quay.io/cryostat/cryostat-db"
},
"pullPolicy": {
"type": "string",
"description": "Image pull policy for the database container image",
"default": "Always"
},
"tag": {
"type": "string",
"description": "Tag for the database container image",
"default": "latest"
}
}
},
"resources": {
"type": "object",
"description": "Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
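Review bot: `namespaces`, `portNames` and `portNumbers` are declared with `"items": {}`, which accepts entries of any type, although the templates join them with commas into environment variables and use each `namespaces` entry as the target namespace of a Role and RoleBinding. Constrain them in the schema so a malformed entry fails at install time: `"items": {"type": "string", "minLength": 1}` for the two name lists and `"items": {"type": "integer", "minimum": 1, "maximum": 65535}` for `portNumbers`. A `pattern` restricting `namespaces` entries to DNS-label characters would additionally reject values containing commas or whitespace. The second hunk appears only to move the `db.image` block and needs no change.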
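--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -60,6 +60,23 @@ core:
 - ALL
 ## @param core.databaseSecretName Name of the secret to extract password for credentials database.
 databaseSecretName: ""
+## @extra core.discovery Configuration options to the Cryostat application's target discovery mechanisms
+discovery:
+kubernetes:
+## @param core.discovery.kubernetes.enabled Enables Kubernetes API discovery mechanism
+enabled: true
+## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)
+installNamespaceDisabled: false
+## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile
+namespaces: []
+## @param core.discovery.kubernetes.builtInPortNamesDisabled When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets.
+builtInPortNamesDisabled: false
+## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable
+portNames: []
+## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets.
+builtInPortNumbersDisabled: false
+## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
+portNumbers: []
 
 ## @section Database Container
 ## @extra db Configuration for Cryostat's database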
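Review bot: The comment for `core.discovery.kubernetes.namespaces` describes a permission but does not say how it is granted: role.yaml and rolebinding.yaml create a Role and a RoleBinding for the Cryostat service account in every listed namespace. Stating that in the `@param` text, for example by appending `A Role and RoleBinding for Cryostat's service account are created in each listed namespace when rbac.create is true`, lets operators see the RBAC footprint before adding entries. It would also help to note that with the defaults shown here (`enabled: true`, `namespaces: []`, `installNamespaceDisabled: false`) discovery is active in the install namespace.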
