Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(discovery): implement All Namespaces discovery #213

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 36 additions & 35 deletions charts/cryostat/README.md

Large diffs are not rendered by default.

7 changes: 7 additions & 0 deletions charts/cryostat/templates/cryostat_deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -118,9 +118,16 @@ spec:
{{- if .Values.core.discovery.kubernetes.enabled }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED
value: "true"
{{- if .Values.core.discovery.kubernetes.allNamespaces }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
value: '*'
{{- else }}
{{- with .Values.core.discovery.kubernetes }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }}
{{- end }}
{{- end }}
{{- with .Values.core.discovery.kubernetes }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES
value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS
Comment on lines 120 to 133
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think these configurations can be refactored in a single {{- with .Values.core.discovery.kubernetes }}.

Expand Down
46 changes: 46 additions & 0 deletions charts/cryostat/templates/discovery_clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allNamespaces -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cryostat.fullname" . }}-discovery
labels:
{{- include "cryostat.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- replicationcontrollers
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- deployments
- daemonsets
- statefulsets
verbs:
- get
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- get
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- get
- list
{{- end -}}
16 changes: 16 additions & 0 deletions charts/cryostat/templates/discovery_clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allNamespaces -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cryostat.fullname" . }}-discovery
labels:
{{- include "cryostat.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "cryostat.fullname" . }}-discovery
subjects:
- kind: ServiceAccount
name: {{ include "cryostat.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
116 changes: 116 additions & 0 deletions charts/cryostat/tests/cryostat_deployment_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -514,3 +514,119 @@ tests:
path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy
value: "IfNotPresent"

- it: should allow Kubernetes discovery disabling
set:
core.discovery.kubernetes.enabled: false
asserts:
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')]
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')]
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')]
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')]

- it: should allow Kubernetes discovery built-in names and number disabling
set:
core.discovery.kubernetes.builtInPortNamesDisabled: true
core.discovery.kubernetes.builtInPortNumbersDisabled: true
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
value: "NAMESPACE"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
value: ""
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
value: ""

- it: should allow Kubernetes discovery namespaces customization
set:
core.discovery.kubernetes.namespaces: ['a', 'b']
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
value: "a,b"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
value: "jfr-jmx"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
value: "9091"

- it: should allow Kubernetes discovery port name customization
set:
core.discovery.kubernetes.portNames: ['a', 'b']
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
value: "NAMESPACE"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
value: "a,b"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
value: "9091"

- it: should allow Kubernetes discovery port number customization
set:
core.discovery.kubernetes.portNumbers: [1, 2]
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
value: "NAMESPACE"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
value: "jfr-jmx"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
value: "1,2"

- it: should allow Kubernetes All Namespaces mode
set:
core.discovery.kubernetes.allNamespaces: true
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
value: "*"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
value: "jfr-jmx"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
value: "9091"

- it: Kubernetes All Namespaces mode should override individual namespace settings
set:
core.discovery.kubernetes.allNamespaces: true
core.discovery.kubernetes.namespaces: ['a', 'b']
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
value: "*"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
value: "jfr-jmx"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
value: "9091"
95 changes: 95 additions & 0 deletions charts/cryostat/tests/discovery_clusterrole_test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
suite: test discovery_clusterrole.yaml
templates:
- discovery_clusterrole.yaml

tests:
- it: should do nothing if Kubernetes All Namespaces discovery is not enabled
set:
rbac.create: true
core.discovery.kubernetes.enabled: true
core.discovery.kubernetes.allNamespaces: false
asserts:
- hasDocuments:
count: 0

- it: should do nothing if Kubernetes discovery is not enabled
set:
rbac.create: true
core.discovery.kubernetes.enabled: false
core.discovery.kubernetes.allNamespaces: true
asserts:
- hasDocuments:
count: 0

- it: should do nothing if RBAC creation is not enabled
set:
rbac.create: false
core.discovery.kubernetes.enabled: true
core.discovery.kubernetes.allNamespaces: true
asserts:
- hasDocuments:
count: 0

- it: should create ClusterRole
set:
rbac.create: true
core.discovery.kubernetes.enabled: true
core.discovery.kubernetes.allNamespaces: true
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRole
- equal:
path: metadata.name
value: RELEASE-NAME-cryostat-discovery
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/part-of: cryostat
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cryostat
app.kubernetes.io/version: "4.0.0-dev"
helm.sh/chart: cryostat-2.0.0-dev
- equal:
path: rules
value:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- replicationcontrollers
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- deployments
- daemonsets
- statefulsets
verbs:
- get
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- get
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- get
- list
67 changes: 67 additions & 0 deletions charts/cryostat/tests/discovery_clusterrolebinding_test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
suite: test discovery_clusterrolebinding.yaml
templates:
- discovery_clusterrolebinding.yaml

tests:
- it: should do nothing if Kubernetes All Namespaces discovery is not enabled
set:
rbac.create: true
core.discovery.kubernetes.enabled: true
core.discovery.kubernetes.allNamespaces: false
asserts:
- hasDocuments:
count: 0

- it: should do nothing if Kubernetes discovery is not enabled
set:
rbac.create: true
core.discovery.kubernetes.enabled: false
core.discovery.kubernetes.allNamespaces: true
asserts:
- hasDocuments:
count: 0

- it: should do nothing if RBAC creation is not enabled
set:
rbac.create: false
core.discovery.kubernetes.enabled: true
core.discovery.kubernetes.allNamespaces: true
asserts:
- hasDocuments:
count: 0

- it: should create ClusterRoleBinding
set:
rbac.create: true
core.discovery.kubernetes.enabled: true
core.discovery.kubernetes.allNamespaces: true
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRoleBinding
- equal:
path: metadata.name
value: RELEASE-NAME-cryostat-discovery
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/part-of: cryostat
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cryostat
app.kubernetes.io/version: "4.0.0-dev"
helm.sh/chart: cryostat-2.0.0-dev
- equal:
path: roleRef
value:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: RELEASE-NAME-cryostat-discovery
- equal:
path: subjects
value:
- kind: ServiceAccount
name: RELEASE-NAME-cryostat
namespace: NAMESPACE
11 changes: 8 additions & 3 deletions charts/cryostat/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -227,9 +227,14 @@
"description": "When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)",
"default": false
},
"allNamespaces": {
"type": "boolean",
"description": "When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed.",
"default": false
},
"namespaces": {
"type": "array",
"description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile",
"description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile.",
"default": [],
"items": {}
},
Expand All @@ -240,7 +245,7 @@
},
"portNames": {
"type": "array",
"description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable",
"description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable.",
"default": [],
"items": {}
},
Expand All @@ -251,7 +256,7 @@
},
"portNumbers": {
"type": "array",
"description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable",
"description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable.",
"default": [],
"items": {}
}
Expand Down
Loading