
feat(cryostat3): deploy Cryostat 3.0 #124

Merged
merged 16 commits into from
Jun 6, 2024

andrewazores and others added 3 commits January 25, 2024 08:59
…fig (#118)

* added auth2-proxy and put storage behind auth2-proxy

* added auth2-proxy

* removed command:alpha

* re-implement

* removed args on auth2_proxy on deployment.yaml

* resolved issues

* resolved issues 2

* provide right name for url:env variable

* right port

* resolved issues

* resolved file access issue

* resolved issues and added UPSTREAM_CONFIG

* added alpha file

* added alpha config; put storage and grafana behind auth2proxy

* unformat chart.yaml on save

* added alpha_config as a yaml file

* bind to port 4180

* hack: run storage as non-root user

* Revert "hack: run storage as non-root user"

This reverts commit b23d24f.

* hack: get authproxy running with basic auth in front of cryostat

* resolved issues

* remove hardcoded user:pass auth, configure for switchable/optional user-supplied htpasswd

* documentation + readme

* update STORAGE_EXT_URL to include storage container subpath

* bind cryostat on localhost

---------

Co-authored-by: Andrew Azores <[email protected]>
@andrewazores added labels Mar 8, 2024: feat (New feature or request), breaking change (This change (potentially) breaks API compatibility and requires corresponding changes elsewhere)
@mergify mergify bot added the safe-to-test label Mar 8, 2024
…xisting route and service (#122)

* feat(grafana): remove minimal config option, route to Grafana using existing route and service

* move authproxy to first container, update postinstall notes for 3.0 deployment behind proxy

TODO presigned downloads from S3 provider currently fail signature
verification

* fixup! move authproxy to first container, update postinstall notes for 3.0 deployment behind proxy

* fixup! move authproxy to first container, update postinstall notes for 3.0 deployment behind proxy

* typo

* regenerate readme and schema

* fix typo, regenerate readme

* update test, split into two separate tests for different services

* remove separate Grafana service since traffic goes through proxy, adjust test

* pass -x to bash to print command execution progress

* trim -dev suffix if present

* tolerate optional -snapshot prefix in server response

* add test for storage container

* replace inline if-else with ternary

* test chart X.Y.Z-dev deploys Cryostat X.Y.Z-snapshot, or else X.Y.Z without -dev or -snapshot on either

* remove reference to deleted service

* tmp: add env var configs for LoadBalancer case

* add env var configs for NodePort case
@andrewazores
Member Author

Looks relevant to the test failure:

Error: UPGRADE FAILED: template: cryostat/templates/serviceaccount.yaml:1:14: executing "cryostat/templates/serviceaccount.yaml" at <.Values.authentication.openshift.enabled>: nil pointer evaluating interface {}.enabled

But strangely I don't see this failure locally using kind.

@andrewazores
Member Author

Ah, I think it has to do with how the CI uses ct - is it trying to run tests from main against the implementation from this PR?

@tthvo
Member

tthvo commented May 13, 2024

> Looks relevant to the test failure:
>
> Error: UPGRADE FAILED: template: cryostat/templates/serviceaccount.yaml:1:14: executing "cryostat/templates/serviceaccount.yaml" at <.Values.authentication.openshift.enabled>: nil pointer evaluating interface {}.enabled
>
> But strangely I don't see this failure locally using kind.

> Ah, I think it has to do with how the CI uses ct - is it trying to run tests from main against the implementation from this PR?

#138 maybe?

tthvo and others added 7 commits May 15, 2024 20:22
* feat(discovery): configurations for KubeAPI discovery

* feat(values): add default values for namespace and port configs

* feat(rbac): update rbac resources to support multinamespaces

* fix(rbac): fix newline trimmed causing invalid rolebinding set

* chore(rbac): rename templates

* chore(rbac): rbac should only be generated when necessary

* fix(deploy): pre-process config lists

* chore(deploy): rename env var

* feat(discovery): use flags to disable default discovery options

* fix(rbac): copy roles instead of clusterrole

* fix(rbac): should generate roles & rolebinding for install namespace if not disabled

* fix(rbac): handle null case

* chore(template): fix typos
* feat(openshift): add configuration for proxy SubjectAccessReview

* remove commented flag, wrap SAR as array

* pipe full access object through toJson filter, then interpret as a template

* access object becomes list

* add clusterrole(binding) and enable auth master delegation - enables proxy to handle requests presenting 'Authorization: Bearer' headers

* make tokenreview configurable, fix doc comments

* fixup docs, regenerate readme and schema

* use system:auth-delegator clusterrole

* document tokenreview usage

* add more configuration parameters for customization

* secure /api, /grafana, storage separately rather than under / catchall

* do not require auth on /health

* simplify config for skipping auth on /health

* safer health check auth bypass regex

* rename accessReview -> subjectAccessReview, tokenReview -> tokenAccessReview

* fixup! rename accessReview -> subjectAccessReview, tokenReview -> tokenAccessReview

* add JMC Agent probes bucket to precreate list

* fixup! safer health check auth bypass regex

* unify subjectaccessreview/tokenaccessreview config

* accessreview can be disabled
@andrewazores andrewazores marked this pull request as ready for review June 6, 2024 17:40
@andrewazores andrewazores merged commit 60a39a2 into main Jun 6, 2024
4 checks passed
@andrewazores andrewazores deleted the cryostat3 branch June 6, 2024 17:40