diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml index 8d950046..9bce4c03 100644 --- a/charts/cryostat/Chart.yaml +++ b/charts/cryostat/Chart.yaml @@ -8,7 +8,11 @@ version: "0.5.0-dev" kubeVersion: ">= 1.21.0-0" +<<<<<<< HEAD appVersion: "4.0.0-dev" +======= +appVersion: "3.0.0-dev" +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) home: "https://cryostat.io" diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index b80fd320..ed5992e5 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -5,6 +5,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op ### Cryostat Container +<<<<<<< HEAD | Name | Description | Value | | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | | `core` | Configuration for the core Cryostat application | | 
@@ -60,6 +61,59 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `storage.image.tag` | Tag for the storage container image | `latest` | | `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +======= +| Name | Description | Value | +| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| `core` | Configuration for the core Cryostat application | | +| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | +| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | +| `core.image.tag` | Tag for the main Cryostat container image | `3.0.0-snapshot` | +| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | +| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | +| `core.service.jmxPort` | Port number to expose on the Service for remote JMX connections to Cryostat | `9091` | +| `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | `false` | +| 
`core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | +| `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | +| `core.ingress.annotations` | Annotations to apply to the Cryostat application Ingress | `{}` | +| `core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `false` | +| `core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls) | `true` | +| `core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` | +| `core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. 
One of: `Allow`, `Disable`, `Redirect` | `Redirect` | +| `core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` | +| `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | +| `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | +| `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | +| `core.resources` | Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| `core.databaseSecretName` | Name of the secret to extract password for credentials database. 
| `""` | +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) + + +### Database Container + +| Name | Description | Value | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `Configuration` | for Cryostat's database | | +| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | +| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | +| `db.image.tag` | Tag for thedatabasestorage container image | `latest` | +| `db.resources` | Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + + +### Storage Container + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `Configuration` | for Cryostat's object storage provider | | +| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | +| `storage.image.tag` | Tag for the storage container image | `latest` | +| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Grafana Container 
@@ -74,6 +128,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### JFR Data Source Container | Name | Description | Value | @@ -85,6 +140,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Authentication | Name | Description | Value | 
@@ -121,6 +177,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | | `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Other Parameters | Name | Description | Value | diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index d283fd38..b2b3dc07 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt @@ -6,8 +6,13 @@ {{- $listNum = add1 $listNum }} ``` {{- if .Values.core.route.enabled }} +<<<<<<< HEAD {{- /* Do nothing */}} No actions required with this configuration. +======= + export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}") +{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }} +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) {{- else if .Values.core.ingress.enabled }} {{- /* Do nothing */}} No actions required with this configuration. diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 6c0fc5b8..48407457 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -62,10 +62,17 @@ Create the name of the service account to use {{- end }} {{/* +<<<<<<< HEAD Get or generate a default connection key for database */}} {{- define "cryostat.databaseConnectionKey" -}} {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db" .Release.Name)) -}} +======= +Get or generate a default connection key for credentials database +*/}} +{{- define "cryostat.databaseConnectionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}} +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) {{- if $secret -}} {{/* Use current key. Do not regenerate @@ -74,6 +81,45 @@ Get or generate a default connection key for database {{- else -}} {{/* Generate new key +<<<<<<< HEAD +======= +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default encryption key for credentials database +*/}} +{{- define "cryostat.databaseEncryptionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current key. Do not regenerate +*/}} +{{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}} +{{- else -}} +{{/* + Generate new key +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default secret key for object storage +*/}} +{{- define "cryostat.objectStorageSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate +*/}} +{{- $secret.data.SECRET_KEY -}} +{{- else -}} +{{/* + Generate new secret +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) */}} {{- (randAlphaNum 32) | b64enc | quote -}} {{- end -}} 
diff --git a/charts/cryostat/templates/db_connection_key_secret.yaml b/charts/cryostat/templates/db_connection_key_secret.yaml new file mode 100644 index 00000000..2c1c5894 --- /dev/null +++ b/charts/cryostat/templates/db_connection_key_secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-db-connection-key +type: Opaque +data: + CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }} diff --git a/charts/cryostat/templates/db_encryption_key_secret.yaml b/charts/cryostat/templates/db_encryption_key_secret.yaml new file mode 100644 index 00000000..2d287010 --- /dev/null +++ b/charts/cryostat/templates/db_encryption_key_secret.yaml @@ -0,0 +1,9 @@ +{{- if empty .Values.core.databaseSecretName -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-db-encryption-key +type: Opaque +data: + ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }} +{{- end -}} diff --git a/charts/cryostat/templates/serviceaccount.yaml b/charts/cryostat/templates/serviceaccount.yaml index e6da50e6..435947a0 100644 --- a/charts/cryostat/templates/serviceaccount.yaml +++ b/charts/cryostat/templates/serviceaccount.yaml @@ -1,4 +1,8 @@ +<<<<<<< HEAD {{- if (.Values.authentication.openshift).enabled -}} +======= +{{- if .Values.core.route.enabled -}} +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) {{- $fullName := include "cryostat.fullname" . -}} {{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) -}} {{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations -}} diff --git a/charts/cryostat/templates/storage_access_key_secret.yaml b/charts/cryostat/templates/storage_access_key_secret.yaml new file mode 100644 index 00000000..e06e723e --- /dev/null +++ b/charts/cryostat/templates/storage_access_key_secret.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-storage-secret-key +type: Opaque +data: + SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 548914a9..c74d71ce 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -21,7 +21,11 @@ "tag": { "type": "string", "description": "Tag for the main Cryostat container image", +<<<<<<< HEAD "default": "4.0.0-snapshot" +======= + "default": "3.0.0-snapshot" +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) } } }, 
@@ -341,7 +345,89 @@ } } }, - "grafana": { + "db": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the database container image", + "default": "quay.io/cryostat/cryostat-db" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the database container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for thedatabasestorage container image", + "default": "latest" + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, +<<<<<<< HEAD +======= + "resources": { + "type": "object", + "description": "Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "storage": { "type": "object", "properties": { "securityContext": { 
@@ -369,6 +455,87 @@ } } }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the storage container image", + "default": "quay.io/cryostat/cryostat-storage" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the storage container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the storage container image", + "default": "latest" + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "grafana": { + "type": "object", + "properties": { + "ingress": { + "type": "object", + "properties": { + "hosts": { + "type": "array", + "description": "", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string", + "description": "" + }, + "paths": { + "type": "array", + "description": "", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string", + "description": "" + }, + "pathType": { + "type": "string", + "description": "" + } + } + } + } + } + } + }, + "enabled": { + "type": "boolean", + "description": "Whether to create an Ingress object for the Grafana service", + "default": false + }, + "className": { + "type": "string", + "description": "Ingress class name for the Grafana Ingress", + "default": "" + }, + "tls": { + "type": "array", + "description": "TLS configuration for the Grafana Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec)", + "default": [], + "items": {} + } + } + }, "image": { "type": "object", "properties": { 
@@ -404,6 +571,87 @@ } } }, + "sslProxied": { + "type": "boolean", + "description": "Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress", + "default": false + }, + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "route": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to create a Route object for the Grafana service. Available only on OpenShift", + "default": false + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to secure the Grafana Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)", + "default": true + }, + "termination": { + "type": "string", + "description": "Type of TLS termination to use for the Grafana Route. One of: `edge`, `passthrough`, `reencrypt`", + "default": "edge" + }, + "insecureEdgeTerminationPolicy": { + "type": "string", + "description": "Specify how to handle insecure traffic for the Grafana Route. 
One of: `Allow`, `Disable`, `Redirect`", + "default": "Redirect" + }, + "key": { + "type": "string", + "description": "Custom private key to use when securing the Grafana Route", + "default": "" + }, + "certificate": { + "type": "string", + "description": "Custom certificate to use when securing the Grafana Route", + "default": "" + }, + "caCertificate": { + "type": "string", + "description": "Custom CA certificate to use, if needed to complete the certificate chain, when securing the Grafana Route", + "default": "" + }, + "destinationCACertificate": { + "type": "string", + "description": "Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Grafana Route", + "default": "" + } + } + } + } + }, +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) "resources": { "type": "object", "description": "Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", @@ -466,6 +714,7 @@ } } }, +<<<<<<< HEAD "oauth2Proxy": { "type": "object", "properties": { @@ -513,6 +762,25 @@ "default": "latest" } } +======= + "podSecurityContext": { + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "", + "default": "RuntimeDefault" + } + } + }, + "runAsNonRoot": { + "type": "boolean", + "description": "", + "default": true +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) } } }, @@ -656,6 +924,7 @@ } } }, +<<<<<<< HEAD "podSecurityContext": { "type": "object", "properties": { @@ -675,6 +944,12 @@ "default": true } } +======= + "minimal": { + "type": "boolean", + "description": "Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source", + "default": false +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) }, "imagePullSecrets": { "type": "array", 
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 75cb9f6e..512aae7d 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -7,7 +7,11 @@ core: ## @param core.image.pullPolicy Image pull policy for the main Cryostat container image pullPolicy: Always ## @param core.image.tag Tag for the main Cryostat container image +<<<<<<< HEAD tag: "4.0.0-snapshot" +======= + tag: "3.0.0-snapshot" +>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111)) service: ## @param core.service.type Type of Service to create for the Cryostat application type: ClusterIP 
@@ -120,6 +124,48 @@ storage: drop: - ALL +## @section Database Container +## @extra Configuration for Cryostat's database +db: + image: + ## @param db.image.repository Repository for the database container image + repository: "quay.io/cryostat/cryostat-db" + ## @param db.image.pullPolicy Image pull policy for the database container image + pullPolicy: Always + ## @param db.image.tag Tag for thedatabasestorage container image + tag: "latest" + ## @param db.resources Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) + resources: {} + ## @param db.securityContext [object] Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + securityContext: + ## @skip db.securityContext.allowPrivilegeEscalation + allowPrivilegeEscalation: false + ## @skip db.securityContext.capabilities + capabilities: + drop: + - ALL + +## @section Storage Container +## @extra Configuration for Cryostat's object storage provider +storage: + image: + ## @param storage.image.repository Repository for the storage container image + repository: "quay.io/cryostat/cryostat-storage" + ## @param storage.image.pullPolicy Image pull policy for the storage container image + pullPolicy: Always + ## @param storage.image.tag Tag for the storage container image + tag: "latest" + ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) + resources: {} + ## @param storage.securityContext [object] Security Context for the storage container. 
Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + securityContext: + ## @skip storage.securityContext.allowPrivilegeEscalation + allowPrivilegeEscalation: false + ## @skip storage.securityContext.capabilities + capabilities: + drop: + - ALL + ## @section Grafana Container ## @extra grafana Configuration for the customized Grafana instance for Cryostat grafana:
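Review bot: Unresolved merge conflict markers are committed as added lines, first in charts/cryostat/Chart.yaml, where `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> d4bb92a (feat(cryostat): deploy cryostat 3.0 (#111))` surround two `appVersion` entries (`4.0.0-dev` and `3.0.0-dev`). With those lines in place Chart.yaml is not valid YAML. Keep one `appVersion` and delete the markers. The same markers are added in README.md, templates/NOTES.txt, templates/_helpers.tpl, templates/serviceaccount.yaml, values.schema.json and values.yaml, and every one of those regions needs to be resolved by hand before this can merge.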
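Review bot: In the first templates/_helpers.tpl hunk, the two sides of the conflict in `cryostat.databaseConnectionKey` look up different Secrets: HEAD uses `printf "%s-db" .Release.Name`, the incoming side uses `printf "%s-db-connection-key" .Release.Name`. The new db_connection_key_secret.yaml names its Secret `{{ .Release.Name }}-db-connection-key`, so if the HEAD lookup is the one kept, the helper will never find the Secret this chart creates and will take the `randAlphaNum 32` branch on every upgrade, replacing the connection key. Resolve the conflict so that the lookup name and the Secret template's `metadata.name` are the same string.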
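Review bot: In the second templates/_helpers.tpl hunk, `cryostat.databaseEncryptionKey` returns `$secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD` from the existing `<release>-db-encryption-key` Secret, but db_encryption_key_secret.yaml writes the value under `ENCRYPTION_KEY`. On upgrade the lookup succeeds, the key it reads is not there, and the helper has nothing to return, so the stored encryption key is not carried over. Read `$secret.data.ENCRYPTION_KEY`, or rename the data key in the Secret template, so the "Use current key. Do not regenerate" branch actually preserves it. The conflict markers in this hunk also land inside an open `{{/*` comment after "Generate new key", so check the comment and `define`/`end` pairing once they are removed.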
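Review bot: The new Secret templates are inconsistent with each other. storage_access_key_secret.yaml is named for an access key but creates `{{ .Release.Name }}-storage-secret-key` holding `SECRET_KEY`; rename the file or the Secret so a reader can find one from the other. db_encryption_key_secret.yaml is wrapped in `{{- if empty .Values.core.databaseSecretName -}}` while db_connection_key_secret.yaml and the storage Secret are created unconditionally; if that difference is intended, say so in the README entry for `core.databaseSecretName`, which currently only reads "Name of the secret to extract password for credentials database." None of the three sets labels under `metadata`, so if the chart's other templates apply a common label set, add it here too.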
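Review bot: In templates/serviceaccount.yaml the conflict leaves two opening conditions in the file, `{{- if (.Values.authentication.openshift).enabled -}}` from HEAD and `{{- if .Values.core.route.enabled -}}` from the incoming commit, with no second `end` visible in the hunk. Beyond the parse problem, the two are not equivalent: one ties the ServiceAccount and its `serviceaccounts.openshift.io/oauth-redirectreference.primary` annotation to OpenShift authentication being enabled, the other to a Route being enabled. Decide which value should gate the OAuth redirect reference and keep only that line.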
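Review bot: In values.schema.json the added `"db"` object declares `"securityContext"` twice under `"properties"`, once before `"image"` and once after it, and the hunk replaces the existing `"grafana": {` opener with `"db": {`, so the brace structure that follows depends entirely on how the `<<<<<<< HEAD` / `=======` / `>>>>>>> d4bb92a` lines are resolved. As committed the file is not valid JSON. Drop the duplicate `securityContext`, resolve the markers, and run the result through a JSON parser and `helm lint` before pushing. The descriptions "Tag for thedatabasestorage container image" and "Resource requests/limits for thedatabasestorage container" are missing spaces and still mention storage.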
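Review bot: The values.yaml hunk at `@@ -120,6 +124,48 @@ storage:` is inserted after the existing `storage:` block and adds a second top-level `storage:` key along with the new `db:` block, so the file ends up with duplicate `storage` mappings. Keep the `db:` section and drop the repeated storage one. The section comments also need fixing because the README and schema are generated from them: `## @extra Configuration for Cryostat's database` and `## @extra Configuration for Cryostat's object storage provider` omit the parameter name (compare `## @extra grafana Configuration for the customized Grafana instance for Cryostat`), which is why the README tables show a row named `Configuration`, and the `db.image.tag` and `db.resources` comments read "thedatabasestorage". Both new images default to `tag: "latest"` with `pullPolicy: Always`, so a deployed release can change underneath the chart version; consider pinning a versioned tag as `core.image.tag` does.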