feat(cryostat3): deploy Cryostat 3.0 #124
…fig (#118)

* added auth2-proxy and put storage behind auth2-proxy
* added auth2-proxy
* removed command:alpha
* re-implement
* removed args on auth2_proxy on deployment.yaml
* resolved issues
* resolved issues 2
* provide right name for url:env variable
* right port
* resolved issues
* resolved file access issue
* resolved issues and added UPSTREAM_CONFIG
* added alpha file
* added alpha config; put storage and grafana behind auth2proxy
* unformat chart.yaml on save
* added alpha_config as a yaml file
* bind to port 4180
* hack: run storage as non-root user
* Revert "hack: run storage as non-root user" This reverts commit b23d24f.
* hack: get authproxy running with basic auth in front of cryostat
* resolved issues
* remove hardcoded user:pass auth, configure for switchable/optional user-supplied htpasswd
* documentation + readme
* update STORAGE_EXT_URL to include storage container subpath
* bind cryostat on localhost

---------

Co-authored-by: Andrew Azores <[email protected]>
…xisting route and service (#122)

* feat(grafana): remove minimal config option, route to Grafana using existing route and service
* move authproxy to first container, update postinstall notes for 3.0 deployment behind proxy TODO presigned downloads from S3 provider currently fail signature verification
* fixup! move authproxy to first container, update postinstall notes for 3.0 deployment behind proxy
* fixup! move authproxy to first container, update postinstall notes for 3.0 deployment behind proxy
* typo
* regenerate readme and schema
* fix typo, regenerate readme
* update test, split into two separate tests for different services
* remove separate Grafana service since traffic goes through proxy, adjust test
* pass -x to bash to print command execution progress
* trim -dev suffix if present
* tolerate optional -snapshot prefix in server response
* add test for storage container
* replace inline if-else with ternary
* test chart X.Y.Z-dev deploys Cryostat X.Y.Z-snapshot, or else X.Y.Z without -dev or -snapshot on either
* remove reference to deleted service
* tmp: add env var configs for LoadBalancer case
* add env var configs for NodePort case
Looks relevant to the test failure:
But strangely I don't see this failure locally using
Ah, I think it has to do with how the CI uses
#138 maybe?
* feat(discovery): configurations for KubeAPI discovery
* feat(values): add default values for namespace and port configs
* feat(rbac): update rbac resources to support multinamespaces
* fix(rbac): fix newline trimmed causing invalid rolebinding set
* chore(rbac): rename templates
* chore(rbac): rbac should only be generated when necessary
* fix(deploy): pre-process config lists
* chore(deploy): rename env var
* feat(discovery): use flags to disable default discovery options
* fix(rbac): copy roles instead of clusterrole
* fix(rbac): should generate roles & rolebinding for install namespace if not disabled
* fix(rbac): handle null case
* chore(template): fix typos
* feat(openshift): add configuration for proxy SubjectAccessReview
* remove commented flag, wrap SAR as array
* pipe full access object through toJson filter, then interpret as a template
* access object becomes list
* add clusterrole(binding) and enable auth master delegation - enables proxy to handle requests presenting 'Authorization: Bearer' headers
* make tokenreview configurable, fix doc comments
* fixup docs, regenerate readme and schema
* use system:auth-delegator clusterrole
* document tokenreview usage
* add more configuration parameters for customization
* secure /api, /grafana, storage separately rather than under / catchall
* do not require auth on /health
* simplify config for skipping auth on /health
* safer health check auth bypass regex
* rename accessReview -> subjectAccessReview, tokenReview -> tokenAccessReview
* fixup! rename accessReview -> subjectAccessReview, tokenReview -> tokenAccessReview
* add JMC Agent probes bucket to precreate list
* fixup! safer health check auth bypass regex
* unify subjectaccessreview/tokenaccessreview config
* accessreview can be disabled
Includes: