feat(cryostat): deploy cryostat 3.0 (#111)
andrewazores authored Jan 23, 2024
1 parent ed50629 commit 5be6759
Showing 12 changed files with 445 additions and 165 deletions.
2 changes: 1 addition & 1 deletion charts/cryostat/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ version: "0.5.0-dev"

kubeVersion: ">= 1.19.0-0"

appVersion: "2.5.0-dev"
appVersion: "3.0.0-dev"

home: "https://cryostat.io"

30 changes: 29 additions & 1 deletion charts/cryostat/README.md
Expand Up @@ -10,7 +10,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `core` | Configuration for the core Cryostat application | |
| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` |
| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` |
| `core.image.tag` | Tag for the main Cryostat container image | `latest` |
| `core.image.tag` | Tag for the main Cryostat container image | `3.0.0-snapshot` |
| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` |
| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` |
| `core.service.jmxPort` | Port number to expose on the Service for remote JMX connections to Cryostat | `9091` |
Expand All @@ -32,6 +32,31 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |
| `core.databaseSecretName` | Name of the secret to extract password for credentials database. | `""` |


### Database Container

| Name | Description | Value |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `Configuration` | for Cryostat's database | |
| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` |
| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` |
| `db.image.tag` | Tag for thedatabasestorage container image | `latest` |
| `db.resources` | Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Storage Container

| Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `Configuration` | for Cryostat's object storage provider | |
| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` |
| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` |
| `storage.image.tag` | Tag for the storage container image | `latest` |
| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Grafana Container

| Name | Description | Value |
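Review bot: `db.image.tag` and `storage.image.tag` are documented with a default of `latest` and a pull policy of `Always`, while `core.image.tag` in the same README moves to `3.0.0-snapshot`, so a fresh install can pair a 3.0 core with whatever database and storage images were pushed most recently. Consider defaulting both to a versioned tag that tracks the core image, or to a digest. Two documentation slips in the new tables as well: the first row of each reads `Configuration` with the description starting at "for", where the `core` table uses the parameter name as the row name (so `db` and `storage` here), and the `db.image.tag` and `db.resources` descriptions contain the run-together text "thedatabasestorage".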
Expand Down Expand Up @@ -59,6 +84,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### JFR Data Source Container

| Name | Description | Value |
Expand All @@ -70,6 +96,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Authentication

| Name | Description | Value |
Expand All @@ -78,6 +105,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` |
| `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` |


### Other Parameters

| Name | Description | Value |
2 changes: 1 addition & 1 deletion charts/cryostat/templates/NOTES.txt
Expand Up @@ -7,7 +7,7 @@
```
{{- if .Values.core.route.enabled }}
export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
{{- $envVars = list "CRYOSTAT_WEB_HOST=$ROUTE_HOST" }}
{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }}
{{- else if .Values.core.ingress.enabled }}
{{- /* Do nothing */}}
{{- else if contains "NodePort" .Values.core.service.type }}
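Review bot: `STORAGE_EXT_URL=$ROUTE_HOST` in the route branch assigns a bare hostname to a variable whose name says URL, since `ROUTE_HOST` is filled from `.status.ingress[0].host` and carries no scheme. If the consumer parses this value as a URL, include the scheme here (for example `https://$ROUTE_HOST` for a TLS route), and check that the other branches of this `if` set the same variable so the printed instructions stay consistent across service types.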
46 changes: 41 additions & 5 deletions charts/cryostat/templates/_helpers.tpl
Expand Up @@ -62,18 +62,54 @@ Create the name of the service account to use
{{- end }}

{{/*
Get or generate a default password for credentials database
Get or generate a default connection key for credentials database
*/}}
{{- define "cryostat.databasePassword" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-jmx-credentials-db" .Release.Name)) -}}
{{- define "cryostat.databaseConnectionKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current password. Do not regenerate
Use current key. Do not regenerate
*/}}
{{- $secret.data.CONNECTION_KEY -}}
{{- else -}}
{{/*
Generate new key
*/}}
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
{{- end -}}

{{/*
Get or generate a default encryption key for credentials database
*/}}
{{- define "cryostat.databaseEncryptionKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current key. Do not regenerate
*/}}
{{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}}
{{- else -}}
{{/*
Generate new password
Generate new key
*/}}
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
{{- end -}}

{{/*
Get or generate a default secret key for object storage
*/}}
{{- define "cryostat.objectStorageSecretKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current secret. Do not regenerate
*/}}
{{- $secret.data.SECRET_KEY -}}
{{- else -}}
{{/*
Generate new secret
*/}}
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
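Review bot: `cryostat.databaseEncryptionKey` looks up the Secret `%s-db-encryption-key` but, as rendered here, still returns `$secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD`, whereas db_encryption_key_secret.yaml in this commit stores the value under `ENCRYPTION_KEY`. On the first upgrade after install the lookup succeeds, the old field name is absent, and the helper yields an empty value instead of the existing key, which would likely leave previously encrypted credentials unreadable; read `$secret.data.ENCRYPTION_KEY` to match the template. Separately, the lookup of `%s-jmx-credentials-db` is removed with no fallback, so a release upgraded from the previous chart gets a fresh key rather than its existing password; if in-place upgrades are meant to work, fall back to the old Secret when the new one is missing.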
7 changes: 7 additions & 0 deletions charts/cryostat/templates/db_connection_key_secret.yaml
@@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db-connection-key
type: Opaque
data:
CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }}
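Review bot: `CONNECTION_KEY` is filled from a helper that depends on `lookup`, which returns an empty result under `helm template` and client-side `--dry-run`, so any pipeline that renders manifests that way emits a new random key on every run, and that key may no longer match a database initialised with the earlier one. Unlike the encryption-key Secret, this template has no values override for supplying an existing Secret; consider adding one, or document that the chart has to be applied with `helm install` or `helm upgrade` against a live cluster.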
9 changes: 9 additions & 0 deletions charts/cryostat/templates/db_encryption_key_secret.yaml
@@ -0,0 +1,9 @@
{{- if empty .Values.core.databaseSecretName -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db-encryption-key
type: Opaque
data:
ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }}
{{- end -}}
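Review bot: when `core.databaseSecretName` is set this template is skipped, but nothing on the page tells the user which data key their own Secret must carry; the chart-managed Secret uses `ENCRYPTION_KEY`, while the README row for `core.databaseSecretName` still reads "Name of the secret to extract password for credentials database". Update that description to name the required key, so a user-supplied Secret created for the earlier chart is not accepted while silently lacking it.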