From 03dadd219ecc7968a11740936ec0e304dccc2cdb Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 26 Nov 2024 15:01:43 -0500 Subject: [PATCH 1/3] feat(discovery): implement All Namespaces discovery --- charts/cryostat/README.md | 7 +-- .../templates/cryostat_deployment.yaml | 7 +++ .../templates/discovery_clusterrole.yaml | 46 +++++++++++++++++++ .../discovery_clusterrolebinding.yaml | 16 +++++++ charts/cryostat/values.schema.json | 11 +++-- charts/cryostat/values.yaml | 8 ++-- 6 files changed, 86 insertions(+), 9 deletions(-) create mode 100644 charts/cryostat/templates/discovery_clusterrole.yaml create mode 100644 charts/cryostat/templates/discovery_clusterrolebinding.yaml diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 6234921..d378f49 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -79,11 +79,12 @@ helm install cryostat ./charts/cryostat | `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | | `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` | | `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` | -| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile | `[]` | +| `core.discovery.kubernetes.allNamespaces` | When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. | `false` | +| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile. | `[]` | | `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. | `false` | -| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` | | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. 
| `false` | -| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` | ### Report Generator Deployment diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index cb0fbca..958d94e 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -118,9 +118,16 @@ spec: {{- if .Values.core.discovery.kubernetes.enabled }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED value: "true" + {{- if .Values.core.discovery.kubernetes.allNamespaces }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES + value: '*' + {{- else }} {{- with .Values.core.discovery.kubernetes }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }} + {{- end }} + {{- end }} + {{- with .Values.core.discovery.kubernetes }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS diff --git a/charts/cryostat/templates/discovery_clusterrole.yaml b/charts/cryostat/templates/discovery_clusterrole.yaml new file mode 100644 index 0000000..1f3b782 --- /dev/null +++ b/charts/cryostat/templates/discovery_clusterrole.yaml 
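Review bot: In the new `allNamespaces` branch a non-empty `core.discovery.kubernetes.namespaces` list is silently dropped, so an operator who sets both ends up with cluster-wide discovery and no signal that the narrower list was ignored; PATCH 2 pins this as the intended override, but because the setting widens privilege a hard stop is the safer default: `{{- if .Values.core.discovery.kubernetes.namespaces }}{{ fail "core.discovery.kubernetes.namespaces must be empty when allNamespaces is true" }}{{- end }}` placed just inside the branch. The branch also emits `'*'` regardless of `rbac.create`, so with `rbac.create: false` the container is configured for cluster-wide discovery while the chart renders no ClusterRole or binding; if that is meant for bring-your-own RBAC, say so next to the branch, e.g. `# rbac.create=false: the cluster-wide discovery ClusterRole/Binding must be supplied out of band`. The enclosing env list continues outside the hunk.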
@@ -0,0 +1,46 @@ +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allNamespaces -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cryostat.fullname" . }}-discovery + labels: + {{- include "cryostat.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + - replicationcontrollers + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list +{{- end -}} diff --git a/charts/cryostat/templates/discovery_clusterrolebinding.yaml b/charts/cryostat/templates/discovery_clusterrolebinding.yaml new file mode 100644 index 0000000..4734965 --- /dev/null +++ b/charts/cryostat/templates/discovery_clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allNamespaces -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cryostat.fullname" . }}-discovery + labels: + {{- include "cryostat.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cryostat.fullname" . }}-discovery +subjects: +- kind: ServiceAccount + name: {{ include "cryostat.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 88c3baf..ed020b8 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
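Review bot: The new template grants the Cryostat service account cluster-wide read of `endpoints` (get/list/watch), `pods`, `replicationcontrollers`, the `apps` workload kinds and the OpenShift `deploymentconfigs`/`routes` with no narrowing, so a compromise of that service account, or of the Cryostat API it fronts, yields pod specs (including any literal env values) and endpoint addresses from every namespace, yet the file carries no comment stating that this is the deliberate point of the template. A header comment above the guard would make the trade-off explicit to whoever next edits the rules: `# Rendered only for core.discovery.kubernetes.allNamespaces. Grants CLUSTER-WIDE read access for target discovery; keep these rules to the minimum Cryostat needs and in sync with the namespaced Role.` The namespaced Role this presumably mirrors is not in the diff, so the equivalence of the verb sets is inferred here, not verified.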
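Review bot: `metadata.name: {{ include "cryostat.fullname" . }}-discovery` is cluster-scoped, so two releases that share a fullname in different namespaces (the helper presumably derives it from release and chart name, as in the standard Helm scaffold) will contend for a single ClusterRoleBinding and a single ClusterRole; Helm 3 refuses to adopt a resource whose `meta.helm.sh/release-namespace` annotation points at another namespace, so the second install fails, and the same applies to the ClusterRole in the previous hunk. Qualifying the name with the namespace avoids the collision: `name: {{ include "cryostat.fullname" . }}-{{ .Release.Namespace }}-discovery` in both templates and in `roleRef.name`, with the expected names in the PATCH 2 tests updated to match.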
@@ -227,9 +227,14 @@ "description": "When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)", "default": false }, + "allNamespaces": { + "type": "boolean", + "description": "When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true.", + "default": false + }, "namespaces": { "type": "array", - "description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile", + "description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile.", "default": [], "items": {} }, @@ -240,7 +245,7 @@ }, "portNames": { "type": "array", - "description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable", + "description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable.", "default": [], "items": {} }, @@ -251,7 +256,7 @@ }, "portNumbers": { "type": "array", - "description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable", + "description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable.", "default": [], "items": {} } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 79fdd4d..69c86df 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -75,15 +75,17 @@ core: enabled: true ## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) installNamespaceDisabled: false - ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile + ## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. + allNamespaces: false + ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile. namespaces: [] ## @param core.discovery.kubernetes.builtInPortNamesDisabled When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. builtInPortNamesDisabled: false - ## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable + ## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable. portNames: [] ## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. 
builtInPortNumbersDisabled: false - ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable + ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable. portNumbers: [] ## @section Report Generator Deployment From 64d28a31f8d4ca5dca8c7ea2a465c8487fc339ec Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 27 Nov 2024 10:47:55 -0500 Subject: [PATCH 2/3] tests --- .../tests/cryostat_deployment_test.yaml | 116 ++++++++++++++++++ .../tests/discovery_clusterrole_test.yaml | 95 ++++++++++++++ .../discovery_clusterrolebinding_test.yaml | 67 ++++++++++ 3 files changed, 278 insertions(+) create mode 100644 charts/cryostat/tests/discovery_clusterrole_test.yaml create mode 100644 charts/cryostat/tests/discovery_clusterrolebinding_test.yaml diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index 0548fc7..b30c28f 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml 
@@ -514,3 +514,119 @@ tests: path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy value: "IfNotPresent" + - it: should allow Kubernetes discovery disabling + set: + core.discovery.kubernetes.enabled: false + asserts: + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')] + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')] + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')] + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')] + + - it: should allow Kubernetes discovery built-in names and number disabling + set: + core.discovery.kubernetes.builtInPortNamesDisabled: true + core.discovery.kubernetes.builtInPortNumbersDisabled: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "" + + - it: should allow Kubernetes discovery namespaces customization + set: + core.discovery.kubernetes.namespaces: ['a', 'b'] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "a,b" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + + - it: should allow Kubernetes discovery port name customization + set: + core.discovery.kubernetes.portNames: ['a', 'b'] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "a,b" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + + - it: should allow Kubernetes discovery port number customization + set: + core.discovery.kubernetes.portNumbers: [1, 2] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "1,2" + + - it: should allow Kubernetes All Namespaces 
mode + set: + core.discovery.kubernetes.allNamespaces: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "*" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + + - it: Kubernetes All Namespaces mode should override individual namespace settings + set: + core.discovery.kubernetes.allNamespaces: true + core.discovery.kubernetes.namespaces: ['a', 'b'] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "*" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" diff --git a/charts/cryostat/tests/discovery_clusterrole_test.yaml b/charts/cryostat/tests/discovery_clusterrole_test.yaml new file mode 100644 index 0000000..8eb04d4 --- /dev/null +++ b/charts/cryostat/tests/discovery_clusterrole_test.yaml 
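Review bot: The new cases exercise `allNamespaces` only with the default `rbac.create`, so nothing pins the chart's behaviour when `core.discovery.kubernetes.allNamespaces: true` is combined with `rbac.create: false`, the one combination where the pod is configured for cluster-wide discovery while the chart renders no ClusterRole or binding. Add a case that sets both and asserts `CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES` equals `"*"` (or, if the chart is changed to refuse that combination, a `failedTemplate` assertion), so the intended contract is documented in the suite rather than left implicit.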
@@ -0,0 +1,95 @@ +suite: test discovery_clusterrole.yaml +templates: + - discovery_clusterrole.yaml + +tests: + - it: should do nothing if Kubernetes All Namespaces discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allNamespaces: false + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if Kubernetes discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: false + core.discovery.kubernetes.allNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if RBAC creation is not enabled + set: + rbac.create: false + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should create ClusterRole + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allNamespaces: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-discovery + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + - equal: + path: rules + value: + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - replicationcontrollers + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list 
diff --git a/charts/cryostat/tests/discovery_clusterrolebinding_test.yaml b/charts/cryostat/tests/discovery_clusterrolebinding_test.yaml new file mode 100644 index 0000000..81ed2e1 --- /dev/null +++ b/charts/cryostat/tests/discovery_clusterrolebinding_test.yaml @@ -0,0 +1,67 @@ +suite: test discovery_clusterrolebinding.yaml +templates: + - discovery_clusterrolebinding.yaml + +tests: + - it: should do nothing if Kubernetes All Namespaces discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allNamespaces: false + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if Kubernetes discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: false + core.discovery.kubernetes.allNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if RBAC creation is not enabled + set: + rbac.create: false + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should create ClusterRoleBinding + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allNamespaces: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-discovery + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + - equal: + path: roleRef + value: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: RELEASE-NAME-cryostat-discovery + - equal: + path: subjects + value: + - kind: ServiceAccount + name: RELEASE-NAME-cryostat + namespace: NAMESPACE From 26cc9d2d0b4e9d3288cc9b04abcdf4777915c225 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Thu, 28 Nov 2024 11:33:55 -0500 Subject: [PATCH 3/3] warning --- charts/cryostat/README.md | 72 +++++++++++++++--------------- charts/cryostat/values.schema.json | 2 +- charts/cryostat/values.yaml | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index d378f49..c0f8d2f 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -49,42 +49,42 @@ helm install cryostat ./charts/cryostat ### Cryostat Container -| Name | Description | Value | -| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | -| `core` | Configuration for the core Cryostat application | | -| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | -| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | -| `core.image.tag` | Tag for the main Cryostat container image | `4.0.0-snapshot` | -| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | -| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | -| `core.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | -| `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | `false` | -| `core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | -| `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | -| `core.ingress.annotations` | Annotations to apply to the Cryostat application Ingress | `{}` | -| `core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. 
See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | -| `core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | -| `core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `false` | -| `core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls) | `true` | -| `core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` | -| `core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. One of: `Allow`, `Disable`, `Redirect` | `Redirect` | -| `core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` | -| `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | -| `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | -| `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | -| `core.resources.requests.cpu` | CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `500m` | -| `core.resources.requests.memory` | Memory resource request for the Cryostat container. | `384Mi` | -| `core.securityContext` | Security Context for the Cryostat container. 
Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | -| `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | -| `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | -| `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` | -| `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` | -| `core.discovery.kubernetes.allNamespaces` | When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. | `false` | -| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile. | `[]` | -| `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. 
| `false` | -| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` | -| `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` | -| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` | +| Name | Description | Value | +| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | +| `core` | Configuration for the core Cryostat application | | +| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | +| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | +| `core.image.tag` | Tag for the main Cryostat container image | `4.0.0-snapshot` | +| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | +| `core.service.httpPort` | Port number to expose on the Service for Cryostat's 
HTTP server | `8181` | +| `core.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | +| `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | `false` | +| `core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | +| `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | +| `core.ingress.annotations` | Annotations to apply to the Cryostat application Ingress | `{}` | +| `core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `false` | +| `core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls) | `true` | +| `core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` | +| `core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. 
One of: `Allow`, `Disable`, `Redirect` | `Redirect` | +| `core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` | +| `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | +| `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | +| `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | +| `core.resources.requests.cpu` | CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `500m` | +| `core.resources.requests.memory` | Memory resource request for the Cryostat container. | `384Mi` | +| `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. 
More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` |
+| `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | |
+| `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` |
+| `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` |
+| `core.discovery.kubernetes.allNamespaces` | When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed. | `false` |
+| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile. | `[]` |
+| `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. | `false` |
+| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable. 
| `[]` |
+| `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` |
+| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` |
 ### Report Generator Deployment
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index ed020b8..4691e6a 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
@@ -229,7 +229,7 @@
 },
 "allNamespaces": {
 "type": "boolean",
- "description": "When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true.",
+ "description": "When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed.",
 "default": false
 },
 "namespaces": {
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 69c86df..ec9933f 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -75,7 +75,7 @@ core:
 enabled: true
 ## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)
 installNamespaceDisabled: false
- ## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true.
+ ## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed.
 allNamespaces: false
 ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile.
 namespaces: []