diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml index 7ad00479..4be55185 100644 --- a/charts/cryostat/Chart.yaml +++ b/charts/cryostat/Chart.yaml @@ -8,7 +8,7 @@ version: "0.5.0-dev" kubeVersion: ">= 1.19.0-0" -appVersion: "2.5.0-dev" +appVersion: "3.0.0-dev" home: "https://cryostat.io" diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index a1e9b254..8f876ba8 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -10,7 +10,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `core` | Configuration for the core Cryostat application | | | `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | | `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | -| `core.image.tag` | Tag for the main Cryostat container image | `latest` | +| `core.image.tag` | Tag for the main Cryostat container image | `3.0.0-snapshot` | | `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | | `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | | `core.service.jmxPort` | Port number to expose on the Service for remote JMX connections to Cryostat | `9091` | 
@@ -32,6 +32,31 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `core.databaseSecretName` | Name of the secret to extract password for credentials database. | `""` | + +### Database Container + +| Name | Description | Value | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `Configuration` | for Cryostat's database | | +| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | +| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | +| `db.image.tag` | Tag for thedatabasestorage container image | `latest` | +| `db.resources` | Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + + +### Storage Container + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `Configuration` | for Cryostat's object storage provider | | +| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | +| `storage.image.tag` | Tag for the storage container image | `latest` | +| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + + ### Grafana Container | Name | Description | Value | 
@@ -59,6 +84,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### JFR Data Source Container | Name | Description | Value | @@ -70,6 +96,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Authentication | Name | Description | Value | 
@@ -78,6 +105,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | | `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` | + ### Other Parameters | Name | Description | Value | diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index 67daa503..b3272213 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt @@ -7,7 +7,7 @@ ``` {{- if .Values.core.route.enabled }} export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}") -{{- $envVars = list "CRYOSTAT_WEB_HOST=$ROUTE_HOST" }} +{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }} {{- else if .Values.core.ingress.enabled }} {{- /* Do nothing */}} {{- else if contains "NodePort" .Values.core.service.type }} diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 33c7369a..e97109b9 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -62,18 +62,54 @@ Create the name of the service account to use {{- end }} {{/* -Get or generate a default password for credentials database +Get or generate a default connection key for credentials database */}} -{{- define "cryostat.databasePassword" -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-jmx-credentials-db" .Release.Name)) -}} +{{- define "cryostat.databaseConnectionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}} {{- if $secret -}} {{/* - Use current password. Do not regenerate + Use current key. Do not regenerate +*/}} +{{- $secret.data.CONNECTION_KEY -}} +{{- else -}} +{{/* + Generate new key +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default encryption key for credentials database +*/}} +{{- define "cryostat.databaseEncryptionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current key. Do not regenerate */}} {{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}} {{- else -}} {{/* - Generate new password + Generate new key +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default secret key for object storage +*/}} +{{- define "cryostat.objectStorageSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate +*/}} +{{- $secret.data.SECRET_KEY -}} +{{- else -}} +{{/* + Generate new secret */}} {{- (randAlphaNum 32) | b64enc | quote -}} {{- end -}} diff --git a/charts/cryostat/templates/db_connection_key_secret.yaml b/charts/cryostat/templates/db_connection_key_secret.yaml new file mode 100644 index 00000000..2c1c5894 --- /dev/null +++ b/charts/cryostat/templates/db_connection_key_secret.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-db-connection-key +type: Opaque +data: + CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }} diff --git a/charts/cryostat/templates/db_encryption_key_secret.yaml b/charts/cryostat/templates/db_encryption_key_secret.yaml new file mode 100644 index 00000000..2d287010 --- /dev/null +++ b/charts/cryostat/templates/db_encryption_key_secret.yaml @@ -0,0 +1,9 @@ +{{- if empty .Values.core.databaseSecretName -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-db-encryption-key +type: Opaque +data: + ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }} +{{- end -}} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 22c041c2..34a20e6b 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -1,3 +1,5 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- apiVersion: apps/v1 kind: Deployment metadata: 
@@ -34,69 +36,53 @@ spec: image: "{{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}" imagePullPolicy: {{ .Values.core.image.pullPolicy }} env: - - name: CRYOSTAT_WEB_PORT + - name: QUARKUS_HTTP_HOST + value: 0.0.0.0 + - name: QUARKUS_HTTP_PORT value: "8181" - - name: CRYOSTAT_CONFIG_PATH - value: /opt/cryostat.d/conf.d - - name: CRYOSTAT_ARCHIVE_PATH - value: /opt/cryostat.d/recordings.d - - name: CRYOSTAT_TEMPLATE_PATH - value: /opt/cryostat.d/templates.d - - name: CRYOSTAT_CLIENTLIB_PATH - value: /opt/cryostat.d/clientlib.d - - name: CRYOSTAT_PROBE_TEMPLATE_PATH - value: /opt/cryostat.d/probes.d - - name: CRYOSTAT_EXT_WEB_PORT - value: "{{ if (or (and .Values.core.route.enabled .Values.core.route.tls.enabled) (and .Values.core.ingress.enabled .Values.core.ingress.tls) (.Values.core.sslProxied)) }}443{{ else }}80{{ end }}" - - name: CRYOSTAT_WEB_HOST - value: "{{ if .Values.core.ingress.enabled }}{{ with index .Values.core.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" - - name: CRYOSTAT_PLATFORM - value: io.cryostat.platform.internal.KubeApiPlatformStrategy - {{- if not .Values.minimal }} - - name: GRAFANA_DATASOURCE_URL - value: http://127.0.0.1:8080 - - name: GRAFANA_DASHBOARD_URL - value: "{{ if .Values.grafana.ingress.enabled }}http{{ if (or (.Values.grafana.ingress.tls) (.Values.grafana.sslProxied)) }}s{{ end }}://{{ with index .Values.grafana.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" - {{- end }} - - name: CRYOSTAT_DISABLE_SSL - value: "true" - - name: CRYOSTAT_DISABLE_JMX_AUTH - value: "true" - - name: CRYOSTAT_ALLOW_UNTRUSTED_SSL - value: "true" - - name: CRYOSTAT_ENABLE_JDP_BROADCAST - value: "false" - - name: CRYOSTAT_K8S_NAMESPACES - value: "{{ .Release.Namespace }}" - {{- if (or (and .Values.core.route.enabled .Values.core.route.tls.enabled) (and .Values.core.ingress.enabled .Values.core.ingress.tls) (.Values.core.sslProxied)) }} - - name: CRYOSTAT_SSL_PROXIED + - name: QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING + value: 
'true' + - name: QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED + value: 'true' + - name: QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST + value: 'true' + - name: QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX + value: 'true' + - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION + value: drop-and-create + - name: QUARKUS_DATASOURCE_USERNAME + value: cryostat3 + - name: QUARKUS_DATASOURCE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ printf "%s-db-connection-key" .Release.Name }} + key: CONNECTION_KEY + optional: false + - name: QUARKUS_DATASOURCE_JDBC_URL + value: jdbc:postgresql://localhost:5432/cryostat3 + - name: STORAGE_BUCKETS_ARCHIVES_NAME + value: archivedrecordings + - name: QUARKUS_S3_ENDPOINT_OVERRIDE + value: http://localhost:8333 + - name: QUARKUS_S3_PATH_STYLE_ACCESS value: "true" - {{- end }} - {{- if ((.Values.pvc).enabled) }} - - name: CRYOSTAT_JDBC_URL - value: jdbc:h2:file:/opt/cryostat.d/conf.d/h2;INIT=create domain if not exists jsonb as varchar - - name: CRYOSTAT_HBM2DDL - value: update - - name: CRYOSTAT_JDBC_DRIVER - value: org.h2.Driver - - name: CRYOSTAT_HIBERNATE_DIALECT - value: org.hibernate.dialect.H2Dialect - - name: CRYOSTAT_JDBC_USERNAME - value: {{ include "cryostat.fullname" . }} - - name: CRYOSTAT_JDBC_PASSWORD - value: {{ include "cryostat.fullname" . 
}} - {{- end }} - - name: CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD + - name: QUARKUS_S3_AWS_REGION + value: us-east-1 + - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE + value: static + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID + value: cryostat + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: {{ default (printf "%s-jmx-credentials-db" .Release.Name) .Values.core.databaseSecretName }} - key: CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD + name: {{ printf "%s-storage-secret-key" .Release.Name }} + key: SECRET_KEY optional: false - - name: CRYOSTAT_AUTH_MANAGER - {{- if (.Values.authentication).basicAuth.enabled }} - value: io.cryostat.net.BasicAuthManager - {{- else }} - value: io.cryostat.net.NoopAuthManager + {{- if not .Values.minimal }} + - name: GRAFANA_DATASOURCE_URL + value: http://127.0.0.1:8800 + - name: GRAFANA_DASHBOARD_URL + value: "{{ if .Values.grafana.ingress.enabled }}http{{ if (or (.Values.grafana.ingress.tls) (.Values.grafana.sslProxied)) }}s{{ end }}://{{ with index .Values.grafana.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" {{- end }} ports: - containerPort: 8181 
@@ -116,28 +102,93 @@ spec: failureThreshold: 18 resources: {{- toYaml .Values.core.resources | nindent 12 }} + - name: {{ printf "%s-%s" .Chart.Name "db" }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag }}" + imagePullPolicy: {{ .Values.db.image.pullPolicy }} + env: + - name: POSTGRESQL_USER + value: cryostat3 + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ printf "%s-db-connection-key" .Release.Name }} + key: CONNECTION_KEY + optional: false + - name: POSTGRESQL_DATABASE + value: cryostat3 + - name: PG_ENCRYPT_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db-encryption-key" .Release.Name) .Values.core.databaseSecretName }} + key: ENCRYPTION_KEY + optional: false + ports: + - containerPort: 5432 + protocol: TCP volumeMounts: - - mountPath: /opt/cryostat.d/conf.d - name: {{ .Chart.Name }} - subPath: config - - mountPath: /opt/cryostat.d/recordings.d + - mountPath: /var/lib/pgsql/data name: {{ .Chart.Name }} - subPath: flightrecordings - - mountPath: /opt/cryostat.d/templates.d - name: {{ .Chart.Name }} - subPath: templates - - mountPath: /opt/cryostat.d/clientlib.d - name: {{ .Chart.Name }} - subPath: clientlib - - mountPath: /opt/cryostat.d/probes.d + subPath: postgres + readinessProbe: + exec: + command: + - pg_isready + - -U + - cryostat3 + - -d + - cryostat3 + - name: {{ printf "%s-%s" .Chart.Name "storage" }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: "{{ .Values.storage.image.repository }}:{{ .Values.storage.image.tag }}" + imagePullPolicy: {{ .Values.storage.image.pullPolicy }} + env: + - name: CRYOSTAT_BUCKETS + value: archivedrecordings,archivedreports + - name: CRYOSTAT_ACCESS_KEY + value: cryostat + - name: CRYOSTAT_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ printf "%s-storage-secret-key" .Release.Name }} + key: SECRET_KEY + optional: false + - name: DATA_DIR + value: 
/data + # TODO tune these or make them configurable. Ideally the single seaweed volume server should consume the entire PVC + - name: VOLUME_PREALLOCATE + value: "false" + - name: VOLUME_SIZE_LIMIT_MB + value: "500" + - name: VOLUME_MAX + value: "16" + - name: IP_BIND + value: 0.0.0.0 + ports: + - containerPort: 8333 + protocol: TCP + volumeMounts: + - mountPath: /data name: {{ .Chart.Name }} - subPath: probes - {{- if (.Values.authentication).basicAuth.enabled }} - - mountPath: /opt/cryostat.d/conf.d/cryostat-users.properties - name: basic-auth-properties - subPath: cryostat-users.properties - readOnly: true - {{- end }} + subPath: seaweed + livenessProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 2 + startupProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 9 + resources: + {{- toYaml .Values.storage.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.storage.securityContext | nindent 12 }} {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: @@ -146,7 +197,7 @@ spec: imagePullPolicy: {{ .Values.grafana.image.pullPolicy }} env: - name: JFR_DATASOURCE_URL - value: http://127.0.0.1:8080 + value: http://127.0.0.1:8800 - name: GF_AUTH_ANONYMOUS_ENABLED value: "true" ports: @@ -166,15 +217,17 @@ spec: env: - name: LISTEN_HOST value: 127.0.0.1 + - name: QUARKUS_HTTP_PORT + value: "8800" ports: - - containerPort: 8080 + - containerPort: 8800 protocol: TCP livenessProbe: exec: command: - curl - --fail - - http://127.0.0.1:8080 + - http://127.0.0.1:8800 resources: {{- toYaml .Values.datasource.resources | nindent 12 }} {{- end }} 
@@ -200,11 +253,3 @@ spec: - name: {{ .Chart.Name }} emptyDir: {} {{- end }} - {{- if (.Values.authentication).basicAuth.enabled }} - - name: basic-auth-properties - secret: - secretName: {{ .Values.authentication.basicAuth.secretName }} - items: - - key: {{ .Values.authentication.basicAuth.filename }} - path: cryostat-users.properties - {{- end }} diff --git a/charts/cryostat/templates/secret.yaml b/charts/cryostat/templates/secret.yaml deleted file mode 100644 index 5fc98aa9..00000000 --- a/charts/cryostat/templates/secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if empty .Values.core.databaseSecretName -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-jmx-credentials-db -type: Opaque -data: - CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD: {{ include "cryostat.databasePassword" . }} -{{- end -}} diff --git a/charts/cryostat/templates/serviceaccount.yaml b/charts/cryostat/templates/serviceaccount.yaml index 74ae9986..30ecba7c 100644 --- a/charts/cryostat/templates/serviceaccount.yaml +++ b/charts/cryostat/templates/serviceaccount.yaml @@ -1,3 +1,8 @@ +{{- if .Values.core.route.enabled -}} +{{- $fullName := include "cryostat.fullname" . -}} +{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) -}} +{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations -}} +{{- end -}} {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount diff --git a/charts/cryostat/templates/storage_access_key_secret.yaml b/charts/cryostat/templates/storage_access_key_secret.yaml new file mode 100644 index 00000000..e06e723e --- /dev/null +++ b/charts/cryostat/templates/storage_access_key_secret.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-storage-secret-key +type: Opaque +data: + SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 7dfa3baa..e91382c2 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -21,7 +21,7 @@ "tag": { "type": "string", "description": "Tag for the main Cryostat container image", - "default": "latest" + "default": "3.0.0-snapshot" } } }, @@ -188,7 +188,7 @@ } } }, - "grafana": { + "db": { "type": "object", "properties": { "image": { 
@@ -196,36 +196,111 @@ "properties": { "repository": { "type": "string", - "description": "Repository for the Grafana container image", - "default": "quay.io/cryostat/cryostat-grafana-dashboard" + "description": "Repository for the database container image", + "default": "quay.io/cryostat/cryostat-db" }, "pullPolicy": { "type": "string", - "description": "Image pull policy for the Grafana container image", + "description": "Image pull policy for the database container image", "default": "Always" }, "tag": { "type": "string", - "description": "Tag for the Grafana container image", + "description": "Tag for thedatabasestorage container image", "default": "latest" } } }, - "service": { + "securityContext": { "type": "object", "properties": { - "type": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for thedatabasestorage container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "storage": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { "type": "string", - "description": "Type of Service to create for Grafana", - "default": "ClusterIP" + "description": "Repository for the storage container image", + "default": "quay.io/cryostat/cryostat-storage" }, - "port": { - "type": "number", - "description": "Port number to expose on the Service for Grafana's HTTP server", - "default": 3000 + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the storage container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the storage container image", + "default": "latest" } } }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "grafana": { + "type": "object", + "properties": { "ingress": { "type": "object", "properties": { 
@@ -277,11 +352,71 @@ } } }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the Grafana container image", + "default": "quay.io/cryostat/cryostat-grafana-dashboard" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the Grafana container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the Grafana container image", + "default": "latest" + } + } + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "Type of Service to create for Grafana", + "default": "ClusterIP" + }, + "port": { + "type": "number", + "description": "Port number to expose on the Service for Grafana's HTTP server", + "default": 3000 + } + } + }, "sslProxied": { "type": "boolean", "description": "Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress", "default": false }, + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, "route": { "type": "object", "properties": { 
@@ -332,31 +467,6 @@ } } }, - "securityContext": { - "type": "object", - "properties": { - "capabilities": { - "type": "object", - "properties": { - "drop": { - "type": "array", - "description": "", - "default": [ - "ALL" - ], - "items": { - "type": "string" - } - } - } - }, - "allowPrivilegeEscalation": { - "type": "boolean", - "description": "", - "default": false - } - } - }, "resources": { "type": "object", "description": "Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", @@ -419,6 +529,26 @@ } } }, + "podSecurityContext": { + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "", + "default": "RuntimeDefault" + } + } + }, + "runAsNonRoot": { + "type": "boolean", + "description": "", + "default": true + } + } + }, "authentication": { "type": "object", "properties": { @@ -444,26 +574,6 @@ } } }, - "podSecurityContext": { - "type": "object", - "properties": { - "seccompProfile": { - "type": "object", - "properties": { - "type": { - "type": "string", - "description": "", - "default": "RuntimeDefault" - } - } - }, - "runAsNonRoot": { - "type": "boolean", - "description": "", - "default": true - } - } - }, "minimal": { "type": "boolean", "description": "Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source", diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index b8c15165..6bf13025 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -7,7 +7,7 @@ core: ## @param core.image.pullPolicy Image pull policy for the main Cryostat container image pullPolicy: Always ## @param core.image.tag Tag for the main Cryostat container image - tag: "latest" + tag: "3.0.0-snapshot" service: ## @param core.service.type Type of Service to create for the Cryostat application type: ClusterIP 
@@ -63,6 +63,48 @@ core: ## @param core.databaseSecretName Name of the secret to extract password for credentials database. databaseSecretName: "" +## @section Database Container +## @extra Configuration for Cryostat's database +db: + image: + ## @param db.image.repository Repository for the database container image + repository: "quay.io/cryostat/cryostat-db" + ## @param db.image.pullPolicy Image pull policy for the database container image + pullPolicy: Always + ## @param db.image.tag Tag for thedatabasestorage container image + tag: "latest" + ## @param db.resources Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) + resources: {} + ## @param db.securityContext [object] Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + securityContext: + ## @skip db.securityContext.allowPrivilegeEscalation + allowPrivilegeEscalation: false + ## @skip db.securityContext.capabilities + capabilities: + drop: + - ALL + +## @section Storage Container +## @extra Configuration for Cryostat's object storage provider +storage: + image: + ## @param storage.image.repository Repository for the storage container image + repository: "quay.io/cryostat/cryostat-storage" + ## @param storage.image.pullPolicy Image pull policy for the storage container image + pullPolicy: Always + ## @param storage.image.tag Tag for the storage container image + tag: "latest" + ## @param storage.resources Resource requests/limits for the storage container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) + resources: {} + ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + securityContext: + ## @skip storage.securityContext.allowPrivilegeEscalation + allowPrivilegeEscalation: false + ## @skip storage.securityContext.capabilities + capabilities: + drop: + - ALL + ## @section Grafana Container ## @extra grafana Configuration for the customized Grafana instance for Cryostat grafana:
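Review bot: In the `_helpers.tpl` hunk, `cryostat.databaseEncryptionKey` looks up the `<release>-db-encryption-key` Secret but then reads `{{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}}`, while `db_encryption_key_secret.yaml` stores the value under `ENCRYPTION_KEY`. On `helm upgrade` the lookup succeeds, the "Use current key. Do not regenerate" branch renders an empty value (or fails under `--strict`), and the Secret is rewritten without the key that the database used to encrypt stored credentials, which makes that data undecryptable. It should read `{{- $secret.data.ENCRYPTION_KEY -}}`. The three helpers are otherwise identical copies differing only in Secret name and key; a single helper taking those two as arguments would have prevented this copy-paste slip and keeps the next one out.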
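Review bot: The storage container in the `@@ -116,28 +102,93 @@` deployment hunk declares `securityContext` twice: once at the top with `{{- toYaml .Values.core.securityContext | nindent 12 }}` and again at the end with `{{- toYaml .Values.storage.securityContext | nindent 12 }}`. Duplicate mapping keys produce YAML that the API server's strict decoding rejects, and a lenient parser silently keeps one of the two. Keep only the `.Values.storage.securityContext` block. The db container has the same mix-up in one direction: it applies `.Values.core.securityContext` although `db.securityContext` is added in values.yaml and values.schema.json, and it has no `resources:` stanza although `db.resources` is documented; wire `.Values.db.securityContext` and `.Values.db.resources` in. Separately, the storage container sets `IP_BIND: 0.0.0.0` and publishes `containerPort: 8333`, while its only client is the core container over `http://localhost:8333`; if the image allows it, bind to `127.0.0.1` so the object store is not reachable from other pods (the same applies to Postgres on 5432 if the image can be told to bind locally).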
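Review bot: In the `@@ -34,69 +36,53 @@` deployment hunk, `QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING`, `QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED`, `QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST` and `QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX` are all set to `'true'` unconditionally, so the server trusts `Forwarded` / `X-Forwarded-*` headers from whatever connects to it. That is correct behind a Route or Ingress, but the chart also supports exposing the Service directly (`core.service.type` of `NodePort`/`LoadBalancer`, see the `contains "NodePort"` branch in NOTES.txt), and there a client can supply those headers itself and steer the host, scheme and prefix Cryostat uses for redirects and generated URLs. The removed `CRYOSTAT_SSL_PROXIED` was gated on `route.enabled`/`ingress.enabled`/`sslProxied`; gate these four with the same condition. Second point in the same hunk: `QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: drop-and-create` drops and recreates the schema on every Cryostat container start, so stored credentials and any other persisted state are wiped on each pod restart even though the db container mounts a persistent `postgres` subPath. If that is deliberate for the 3.0.0 snapshot, say so in a comment; otherwise `update` (what the removed `CRYOSTAT_HBM2DDL` used) or a values-driven setting is the safer default.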
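Review bot: The `@@ -200,11 +253,3 @@` deployment hunk removes the `basic-auth-properties` volume, the earlier containers hunk removes its mount, and the env hunk removes the `CRYOSTAT_AUTH_MANAGER` switch, yet `authentication.basicAuth.enabled`, `secretName` and `filename` remain in the README table and the `authentication` object is still present in values.schema.json. A user who sets `basicAuth.enabled: true` now gets a deployment with no authentication and no error. Either remove those parameters in this PR or add a guard such as `{{- if .Values.authentication.basicAuth.enabled }}{{ fail "basicAuth is not supported by this chart version" }}{{ end }}` until the 3.0 authentication path is wired up, and state in the README what protects the deployment when `core.route.enabled` is false (the OAuth redirect annotation added to the ServiceAccount only applies on OpenShift with a Route).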
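Review bot: The `db_encryption_key_secret.yaml` hunk changes the contract of `core.databaseSecretName` without documenting it: the user-supplied Secret is now read through `PG_ENCRYPT_KEY` with `key: ENCRYPTION_KEY`, whereas before it had to carry `CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD`, and the README/values description still says "Name of the secret to extract password for credentials database". Update that description to name the required key (`ENCRYPTION_KEY`) and what it protects, and add an upgrade note that the old `<release>-jmx-credentials-db` Secret is removed by Helm on upgrade since `secret.yaml` is deleted.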
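Review bot: In the values.yaml `@@ -63,6 +63,48 @@` hunk, `## @extra Configuration for Cryostat's database` and `## @extra Configuration for Cryostat's object storage provider` omit the parameter-name token, so the README generator emits the bogus rows `| `Configuration` | for Cryostat's database | |` and `| `Configuration` | for Cryostat's object storage provider | |` seen in the README hunk; the existing `## @extra grafana Configuration for the customized Grafana instance for Cryostat` shows the expected form, so use `## @extra db ...` and `## @extra storage ...`. In the same hunk the `db.image.tag` and `db.resources` descriptions read "thedatabasestorage", which is propagated into README.md and values.schema.json; they should say "the database container image" and "the database container".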
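Review bot: The `@@ -1,3 +1,5 @@` deployment hunk introduces `{{- $fullName := include "cryostat.fullname" . -}}` but `$fullName` is not referenced in any of this file's hunks, and the later containers still call `include "cryostat.fullname" .` inline where needed; drop the variable unless an unchanged part of the template uses it. The leading `---` is harmless but inconsistent with the other templates in this diff, which start directly with `apiVersion`.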