From 13e864d6b69c9c7ed0efbd37c5848f7521c5b318 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 15 Dec 2023 10:11:25 -0500 Subject: [PATCH 01/31] tmp --- charts/cryostat/Chart.yaml | 2 +- charts/cryostat/templates/db.yaml | 60 +++++++++++ charts/cryostat/templates/deployment.yaml | 119 ++++++---------------- charts/cryostat/templates/s3.yaml | 58 +++++++++++ charts/cryostat/templates/service.yaml | 30 ++++++ charts/cryostat/values.yaml | 2 +- 6 files changed, 182 insertions(+), 89 deletions(-) create mode 100644 charts/cryostat/templates/db.yaml create mode 100644 charts/cryostat/templates/s3.yaml diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml index 7ad00479..4be55185 100644 --- a/charts/cryostat/Chart.yaml +++ b/charts/cryostat/Chart.yaml @@ -8,7 +8,7 @@ version: "0.5.0-dev" kubeVersion: ">= 1.19.0-0" -appVersion: "2.5.0-dev" +appVersion: "3.0.0-dev" home: "https://cryostat.io" diff --git a/charts/cryostat/templates/db.yaml b/charts/cryostat/templates/db.yaml new file mode 100644 index 00000000..348a665e --- /dev/null +++ b/charts/cryostat/templates/db.yaml 
@@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + # name: {{ printf "%s-%s" .Chart.Name "db" }} + name: db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + {{- include "cryostat.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cryostat.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "cryostat.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: quay.io/cryostat/cryostat-db:latest # TODO + imagePullPolicy: Always + env: + - name: POSTGRESQL_USER + value: cryostat3 + - name: POSTGRESQL_PASSWORD + value: cryostat3 + - name: POSTGRESQL_DATABASE + value: cryostat3 + - name: PG_ENCRYPT_KEY + value: REPLACEME + ports: + - containerPort: 5432 + protocol: TCP + resources: + {{- toYaml .Values.core.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 22c041c2..2f1c67e2 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -1,3 +1,5 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- apiVersion: apps/v1 kind: Deployment metadata: 
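Review bot: The Deployment's `selector.matchLabels` and pod labels reuse `cryostat.selectorLabels`, the same label set the main Cryostat Deployment and its Service select on, so as rendered the existing Service will also pick this Postgres pod as an endpoint and the two Deployments will claim each other's pods. A distinct component label on both the selector and the template (for example an added `app.kubernetes.io/component: db`) isolates it; the same applies to the new s3.yaml hunk further down, which additionally omits the pod-level `securityContext` that this file sets. `metadata.name: db` is not release-scoped either — the commented-out `printf "%s-%s" .Chart.Name "db"` line shows the intent — so two releases in one namespace would collide. `POSTGRESQL_PASSWORD` and `PG_ENCRYPT_KEY` as plain `value:` literals land in the rendered manifest and in any `kubectl get deploy -o yaml`; the `valueFrom.secretKeyRef` form that the removed `CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD` entry in deployment.yaml used would keep them out of the spec.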
@@ -34,70 +36,43 @@ spec: image: "{{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}" imagePullPolicy: {{ .Values.core.image.pullPolicy }} env: - - name: CRYOSTAT_WEB_PORT + - name: QUARKUS_HTTP_HOST + value: 0.0.0.0 + - name: QUARKUS_HTTP_PORT value: "8181" - - name: CRYOSTAT_CONFIG_PATH - value: /opt/cryostat.d/conf.d - - name: CRYOSTAT_ARCHIVE_PATH - value: /opt/cryostat.d/recordings.d - - name: CRYOSTAT_TEMPLATE_PATH - value: /opt/cryostat.d/templates.d - - name: CRYOSTAT_CLIENTLIB_PATH - value: /opt/cryostat.d/clientlib.d - - name: CRYOSTAT_PROBE_TEMPLATE_PATH - value: /opt/cryostat.d/probes.d - - name: CRYOSTAT_EXT_WEB_PORT - value: "{{ if (or (and .Values.core.route.enabled .Values.core.route.tls.enabled) (and .Values.core.ingress.enabled .Values.core.ingress.tls) (.Values.core.sslProxied)) }}443{{ else }}80{{ end }}" - - name: CRYOSTAT_WEB_HOST - value: "{{ if .Values.core.ingress.enabled }}{{ with index .Values.core.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" - - name: CRYOSTAT_PLATFORM - value: io.cryostat.platform.internal.KubeApiPlatformStrategy + - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION + value: drop-and-create + - name: QUARKUS_DATASOURCE_USERNAME + value: cryostat3 + - name: QUARKUS_DATASOURCE_PASSWORD + value: cryostat3 + - name: QUARKUS_DATASOURCE_JDBC_URL + value: jdbc:postgresql://db:5432/cryostat3 + value: {{ printf "jdbc:postgresql://%s-%s:5432/cryostat3" $fullName "db" }} + - name: STORAGE_BUCKETS_ARCHIVES_NAME + value: archivedrecordings + - name: QUARKUS_S3_ENDPOINT_OVERRIDE + value: {{ printf "http://%s-%s:4566" $fullName "s3" }} + - name: QUARKUS_S3_PATH_STYLE_ACCESS + value: "true" + - name: QUARKUS_S3_AWS_REGION + value: us-east-1 + - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE + value: static + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID + value: unused + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY + value: unused + - name: AWS_ACCESS_KEY_ID + value: unused + - name: 
AWS_SECRET_ACCESS_KEY + value: unused {{- if not .Values.minimal }} - name: GRAFANA_DATASOURCE_URL value: http://127.0.0.1:8080 - name: GRAFANA_DASHBOARD_URL value: "{{ if .Values.grafana.ingress.enabled }}http{{ if (or (.Values.grafana.ingress.tls) (.Values.grafana.sslProxied)) }}s{{ end }}://{{ with index .Values.grafana.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" {{- end }} - - name: CRYOSTAT_DISABLE_SSL - value: "true" - - name: CRYOSTAT_DISABLE_JMX_AUTH - value: "true" - - name: CRYOSTAT_ALLOW_UNTRUSTED_SSL - value: "true" - - name: CRYOSTAT_ENABLE_JDP_BROADCAST - value: "false" - - name: CRYOSTAT_K8S_NAMESPACES - value: "{{ .Release.Namespace }}" - {{- if (or (and .Values.core.route.enabled .Values.core.route.tls.enabled) (and .Values.core.ingress.enabled .Values.core.ingress.tls) (.Values.core.sslProxied)) }} - - name: CRYOSTAT_SSL_PROXIED - value: "true" - {{- end }} - {{- if ((.Values.pvc).enabled) }} - - name: CRYOSTAT_JDBC_URL - value: jdbc:h2:file:/opt/cryostat.d/conf.d/h2;INIT=create domain if not exists jsonb as varchar - - name: CRYOSTAT_HBM2DDL - value: update - - name: CRYOSTAT_JDBC_DRIVER - value: org.h2.Driver - - name: CRYOSTAT_HIBERNATE_DIALECT - value: org.hibernate.dialect.H2Dialect - - name: CRYOSTAT_JDBC_USERNAME - value: {{ include "cryostat.fullname" . }} - - name: CRYOSTAT_JDBC_PASSWORD - value: {{ include "cryostat.fullname" . }} - {{- end }} - - name: CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ default (printf "%s-jmx-credentials-db" .Release.Name) .Values.core.databaseSecretName }} - key: CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD - optional: false - - name: CRYOSTAT_AUTH_MANAGER - {{- if (.Values.authentication).basicAuth.enabled }} - value: io.cryostat.net.BasicAuthManager - {{- else }} - value: io.cryostat.net.NoopAuthManager - {{- end }} ports: - containerPort: 8181 protocol: TCP 
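Review bot: `QUARKUS_DATASOURCE_PASSWORD` and the four S3 credential variables are set as literal `value:` strings, whereas the removed `CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD` entry read its secret through `valueFrom.secretKeyRef`, so this hunk moves a credential from a Secret into the Deployment spec. Keeping the `secretKeyRef` form (pointing at the chart-generated Secret or `.Values.core.databaseSecretName`) would preserve the previous posture; the later TODO comments acknowledge this but the series as shown does not resolve it. `QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: drop-and-create` is unconditional, so every pod restart drops the schema — if that is meant only for the dev snapshot, a comment or a values switch saying so would help. The removed `CRYOSTAT_AUTH_MANAGER` selection has no counterpart in the new env block; if 3.0 relies on an external proxy for authentication (the later oauth-redirect annotation on the ServiceAccount suggests so), a comment noting where authentication is now enforced would help the next reader.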
@@ -116,28 +91,6 @@ spec: failureThreshold: 18 resources: {{- toYaml .Values.core.resources | nindent 12 }} - volumeMounts: - - mountPath: /opt/cryostat.d/conf.d - name: {{ .Chart.Name }} - subPath: config - - mountPath: /opt/cryostat.d/recordings.d - name: {{ .Chart.Name }} - subPath: flightrecordings - - mountPath: /opt/cryostat.d/templates.d - name: {{ .Chart.Name }} - subPath: templates - - mountPath: /opt/cryostat.d/clientlib.d - name: {{ .Chart.Name }} - subPath: clientlib - - mountPath: /opt/cryostat.d/probes.d - name: {{ .Chart.Name }} - subPath: probes - {{- if (.Values.authentication).basicAuth.enabled }} - - mountPath: /opt/cryostat.d/conf.d/cryostat-users.properties - name: basic-auth-properties - subPath: cryostat-users.properties - readOnly: true - {{- end }} {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: @@ -200,11 +153,3 @@ spec: - name: {{ .Chart.Name }} emptyDir: {} {{- end }} - {{- if (.Values.authentication).basicAuth.enabled }} - - name: basic-auth-properties - secret: - secretName: {{ .Values.authentication.basicAuth.secretName }} - items: - - key: {{ .Values.authentication.basicAuth.filename }} - path: cryostat-users.properties - {{- end }} diff --git a/charts/cryostat/templates/s3.yaml b/charts/cryostat/templates/s3.yaml new file mode 100644 index 00000000..2282e4dc --- /dev/null +++ b/charts/cryostat/templates/s3.yaml 
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + # name: {{ printf "%s-%s" .Chart.Name "db" }} + name: s3 +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + {{- include "cryostat.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cryostat.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "cryostat.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: docker.io/localstack/localstack:latest # TODO + imagePullPolicy: Always + env: + - name: SERVICES + value: s3 + - name: START_WEB + value: "1" + - name: DEFAULT_REGION + value: us-east-1 + - name: PORT_WEB_UI + value: "4577" + ports: + - containerPort: 4566 + protocol: TCP + resources: + {{- toYaml .Values.core.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/cryostat/templates/service.yaml b/charts/cryostat/templates/service.yaml index 8bbc9eb2..97736b39 100644 --- a/charts/cryostat/templates/service.yaml +++ b/charts/cryostat/templates/service.yaml 
@@ -37,3 +37,33 @@ spec: selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} {{- end -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%s" $fullName "db" }} + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 5432 + targetPort: 5432 + protocol: TCP + selector: + {{- include "cryostat.selectorLabels" $ | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%s" $fullName "s3" }} + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 4566 + targetPort: 4566 + protocol: TCP + selector: + {{- include "cryostat.selectorLabels" $ | nindent 4 }} diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index b8c15165..b0cae4ba 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -7,7 +7,7 @@ core: ## @param core.image.pullPolicy Image pull policy for the main Cryostat container image pullPolicy: Always ## @param core.image.tag Tag for the main Cryostat container image - tag: "latest" + tag: "3.0.0-snapshot" service: ## @param core.service.type Type of Service to create for the Cryostat application type: ClusterIP From d56b838ac67fd13ee0b1754f4ec5e7c30ff3b687 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 10:22:35 -0500 Subject: [PATCH 02/31] include oauth redirect annotation on serviceaccount if route enabled --- charts/cryostat/templates/serviceaccount.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/cryostat/templates/serviceaccount.yaml b/charts/cryostat/templates/serviceaccount.yaml index 74ae9986..7354f796 100644 --- a/charts/cryostat/templates/serviceaccount.yaml +++ b/charts/cryostat/templates/serviceaccount.yaml 
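Review bot: Both new Services select on `cryostat.selectorLabels`, the same selector the existing Cryostat Service above uses, so the `-db` Service on 5432 and the `-s3` Service on 4566 will list every Cryostat-labelled pod (including the main pod, where nothing listens on those ports) as endpoints, and the main Service will in turn include the db and s3 pods. Each backend needs its own label on both its Deployment template and its Service selector. The hunk also references `$fullName`, which this patch defines at the top of deployment.yaml but, from what is visible here, not in service.yaml; confirm the variable is in scope after the preceding `{{- end -}}`, otherwise rendering fails with an undefined-variable error.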
@@ -1,3 +1,9 @@ +{{- if .Values.core.route.enabled }} +{{- $fullName := include "cryostat.fullname" . -}} +{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) }} +{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations }} +{{- end }} + {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount From 806f93c257edcc20d693a54ac13c024eb785b7ec Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 10:35:12 -0500 Subject: [PATCH 03/31] enable quarkus proxy handling --- charts/cryostat/templates/deployment.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 2f1c67e2..b8e5d851 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -40,6 +40,14 @@ spec: value: 0.0.0.0 - name: QUARKUS_HTTP_PORT value: "8181" + - name: QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING + value: 'true' + - name: QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED + value: 'true' + - name: QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST + value: 'true' + - name: QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX + value: 'true' - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION value: drop-and-create - name: QUARKUS_DATASOURCE_USERNAME From 768f6713dade2bfc9ec4debb86ec190c4bc057ea Mon Sep 17 00:00:00 2001 
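Review bot: `merge .Values.serviceAccount.annotations $redirectAnnotations` mutates the values map in place and gives existing keys precedence, so a user-supplied `serviceaccounts.openshift.io/oauth-redirectreference.primary` annotation silently wins over the chart's; if the chart's Route reference must hold, `mergeOverwrite` flips that precedence. A short comment above the block explaining that this annotation registers the ServiceAccount as an OAuth client whose only permitted redirect target is the chart's Route would make clear why the embedded name must match the Route exactly. That name is `cryostat.fullname`; route.yaml is outside this patch, so confirm the Route's `metadata.name` renders identically.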
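Review bot: `QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING` and `QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED` make the server trust `X-Forwarded-*`/`Forwarded` headers from whoever connects to port 8181, and the Service in front of it is `ClusterIP` (values.yaml), so any in-cluster client can present a spoofed client address, host or scheme to the application, affecting at least logging, redirect URLs and any host-based decision. The previous template only set `CRYOSTAT_SSL_PROXIED` when a TLS route or ingress was enabled; gating these four entries behind the same `{{- if (or (and .Values.core.route.enabled .Values.core.route.tls.enabled) (and .Values.core.ingress.enabled .Values.core.ingress.tls) (.Values.core.sslProxied)) }}` condition keeps the trust scoped to deployments that actually have a proxy in front. If the Quarkus version in use supports `quarkus.http.proxy.trusted-proxies`, setting it to the route/ingress source range is the tighter fix. Style nit: these use `'true'` while the neighbouring entries use `"true"`.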
From: Andrew Azores Date: Mon, 18 Dec 2023 11:09:50 -0500 Subject: [PATCH 04/31] deploy s3 and db in same deployment/pod --- charts/cryostat/templates/db.yaml | 60 ----------------------- charts/cryostat/templates/deployment.yaml | 35 ++++++++++++- charts/cryostat/templates/s3.yaml | 58 ---------------------- charts/cryostat/templates/service.yaml | 30 ------------ 4 files changed, 33 insertions(+), 150 deletions(-) delete mode 100644 charts/cryostat/templates/db.yaml delete mode 100644 charts/cryostat/templates/s3.yaml diff --git a/charts/cryostat/templates/db.yaml b/charts/cryostat/templates/db.yaml deleted file mode 100644 index 348a665e..00000000 --- a/charts/cryostat/templates/db.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - # name: {{ printf "%s-%s" .Chart.Name "db" }} - name: db -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - {{- include "cryostat.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "cryostat.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "cryostat.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.core.securityContext | nindent 12 }} - image: quay.io/cryostat/cryostat-db:latest # TODO - imagePullPolicy: Always - env: - - name: POSTGRESQL_USER - value: cryostat3 - - name: POSTGRESQL_PASSWORD - value: cryostat3 - - name: POSTGRESQL_DATABASE - value: cryostat3 - - name: PG_ENCRYPT_KEY - value: REPLACEME - ports: - - containerPort: 5432 - protocol: TCP - resources: - {{- toYaml .Values.core.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index b8e5d851..ffe6e83a 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
@@ -56,11 +56,11 @@ spec: value: cryostat3 - name: QUARKUS_DATASOURCE_JDBC_URL value: jdbc:postgresql://db:5432/cryostat3 - value: {{ printf "jdbc:postgresql://%s-%s:5432/cryostat3" $fullName "db" }} + value: "jdbc:postgresql://localhost:5432/cryostat3" - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE - value: {{ printf "http://%s-%s:4566" $fullName "s3" }} + value: "http://localhost:4566" - name: QUARKUS_S3_PATH_STYLE_ACCESS value: "true" - name: QUARKUS_S3_AWS_REGION @@ -99,6 +99,37 @@ spec: failureThreshold: 18 resources: {{- toYaml .Values.core.resources | nindent 12 }} + - name: {{ printf "%s-%s" .Chart.Name "db" }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: quay.io/cryostat/cryostat-db:latest # TODO + imagePullPolicy: Always + env: + - name: POSTGRESQL_USER + value: cryostat3 + - name: POSTGRESQL_PASSWORD + value: cryostat3 + - name: POSTGRESQL_DATABASE + value: cryostat3 + - name: PG_ENCRYPT_KEY + value: REPLACEME + ports: + - containerPort: 5432 + protocol: TCP + - name: {{ printf "%s-%s" .Chart.Name "s3" }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: docker.io/localstack/localstack:latest # TODO + imagePullPolicy: Always + env: + - name: SERVICES + value: s3 + - name: START_WEB + value: "1" + - name: DEFAULT_REGION + value: us-east-1 + - name: PORT_WEB_UI + value: "4577" {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: diff --git a/charts/cryostat/templates/s3.yaml b/charts/cryostat/templates/s3.yaml deleted file mode 100644 index 2282e4dc..00000000 --- a/charts/cryostat/templates/s3.yaml +++ /dev/null 
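Review bot: The Postgres container shares the pod network namespace, so unless the `cryostat-db` image restricts `listen_addresses` (not visible here) it listens on the pod IP rather than only loopback, and any workload that can reach the pod can connect with the literal `cryostat3`/`cryostat3` credentials set a few lines above. Patch 06 later restricts MinIO with `--address localhost:9000`, but nothing equivalent is done for Postgres; a NetworkPolicy limiting ingress to the pod, or a loopback-only listener, would close that, and the `containerPort: 5432` entry could then be dropped since only Cryostat on localhost consumes it. Neither new container carries `resources:` while the core container does, so the pod runs the database and object store without limits.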
@@ -1,58 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - # name: {{ printf "%s-%s" .Chart.Name "db" }} - name: s3 -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - {{- include "cryostat.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "cryostat.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "cryostat.serviceAccountName" . }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.core.securityContext | nindent 12 }} - image: docker.io/localstack/localstack:latest # TODO - imagePullPolicy: Always - env: - - name: SERVICES - value: s3 - - name: START_WEB - value: "1" - - name: DEFAULT_REGION - value: us-east-1 - - name: PORT_WEB_UI - value: "4577" - ports: - - containerPort: 4566 - protocol: TCP - resources: - {{- toYaml .Values.core.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/cryostat/templates/service.yaml b/charts/cryostat/templates/service.yaml index 97736b39..8bbc9eb2 100644 --- a/charts/cryostat/templates/service.yaml +++ b/charts/cryostat/templates/service.yaml 
@@ -37,33 +37,3 @@ spec: selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} {{- end -}} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-%s" $fullName "db" }} - labels: - {{- include "cryostat.labels" $ | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: 5432 - targetPort: 5432 - protocol: TCP - selector: - {{- include "cryostat.selectorLabels" $ | nindent 4 }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-%s" $fullName "s3" }} - labels: - {{- include "cryostat.labels" $ | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: 4566 - targetPort: 4566 - protocol: TCP - selector: - {{- include "cryostat.selectorLabels" $ | nindent 4 }} From 3cdc7781cebce310e738c2b3a210466e46eee262 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 11:20:27 -0500 Subject: [PATCH 05/31] swap localstack for minio --- charts/cryostat/templates/deployment.yaml | 32 ++++++++++++----------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index ffe6e83a..81f40bbc 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -60,7 +60,7 @@ spec: - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE - value: "http://localhost:4566" + value: "http://localhost:9000" - name: QUARKUS_S3_PATH_STYLE_ACCESS value: "true" - name: QUARKUS_S3_AWS_REGION 
@@ -68,13 +68,13 @@ spec: - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE value: static - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID - value: unused + value: minioroot # TODO - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY - value: unused + value: minioroot # TODO - name: AWS_ACCESS_KEY_ID - value: unused + value: minioroot # TODO - name: AWS_SECRET_ACCESS_KEY - value: unused + value: minioroot # TODO {{- if not .Values.minimal }} - name: GRAFANA_DATASOURCE_URL value: http://127.0.0.1:8080 @@ -102,7 +102,7 @@ spec: - name: {{ printf "%s-%s" .Chart.Name "db" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: quay.io/cryostat/cryostat-db:latest # TODO + image: quay.io/cryostat/cryostat-db:latest # TODO pin to a particular version imagePullPolicy: Always env: - name: POSTGRESQL_USER @@ -119,17 +119,19 @@ spec: - name: {{ printf "%s-%s" .Chart.Name "s3" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: docker.io/localstack/localstack:latest # TODO + image: docker.io/minio/minio:latest # TODO pin to a particular version imagePullPolicy: Always + args: + - server + - /data + # TODO add persistent volume env: - - name: SERVICES - value: s3 - - name: START_WEB - value: "1" - - name: DEFAULT_REGION - value: us-east-1 - - name: PORT_WEB_UI - value: "4577" + - name: MINIO_ROOT_USER + value: minioroot # TODO + - name: MINIO_ROOT_PASSWORD + value: minioroot # TODO + - name: MINIO_DEFAULT_BUCKETS + value: archivedrecordings {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: From 139a9b01307f6d9c22da3924d975c1cf485c4469 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 11:54:55 -0500 Subject: [PATCH 06/31] bind minio on localhost only --- charts/cryostat/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) 
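Review bot: `MINIO_DEFAULT_BUCKETS` is, as far as I know, honoured by the Bitnami MinIO image rather than by `docker.io/minio/minio`, so with the image named in the `@@ -119,17` hunk the `archivedrecordings` bucket that `STORAGE_BUCKETS_ARCHIVES_NAME` points at may never be created; confirm against the image, or create the bucket explicitly in an init step. The same literal `minioroot` serves as both access key id and secret key here and in the four Cryostat-side variables in the `@@ -68,13` hunk; if they are kept for now, a comment stating that these are development-only and must be generated before release makes the intent visible to anyone rendering the chart. `/data` is an unmounted container path, so object-store state is lost on every restart, as the TODO already says.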
diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 81f40bbc..b087ce4d 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -124,6 +124,8 @@ spec: args: - server - /data + - --address + - localhost:9000 # TODO add persistent volume env: - name: MINIO_ROOT_USER From 30522189b16d4903cd762ea57a589ee1b3d9689f Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 11:58:29 -0500 Subject: [PATCH 07/31] pin minio version --- charts/cryostat/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index b087ce4d..633eb68e 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -119,8 +119,8 @@ spec: - name: {{ printf "%s-%s" .Chart.Name "s3" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: docker.io/minio/minio:latest # TODO pin to a particular version - imagePullPolicy: Always + image: docker.io/minio/minio:RELEASE.2023-12-14T18-51-57Z # TODO make this configurable + imagePullPolicy: IfNotPresent args: - server - /data From 4b7c58d1b0e391a7833974decdf4981206c5e43d Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:04:52 -0500 Subject: [PATCH 08/31] add readiness probes for s3 and db --- charts/cryostat/templates/deployment.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 633eb68e..ce8e86f9 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
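Review bot: The image is pinned by tag (`RELEASE.2023-12-14T18-51-57Z`), and tags on a public registry are mutable, so the pin does not fix the bytes that run; a digest reference (`docker.io/minio/minio@sha256:<digest-from-registry>`, placeholder) is what makes `imagePullPolicy: IfNotPresent` a safe choice. The same applies to the `cryostat-db:2023-12-19` and `cryostat-storage:2023-12-19` pins introduced in patches 15 and 16 further down, where a date tag is likewise a moving target. The `# TODO make this configurable` could be met by moving repository and tag under `.Values` alongside `core.image`.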
@@ -116,6 +116,14 @@ spec: ports: - containerPort: 5432 protocol: TCP + readinessProbe: + exec: + command: + - pg_isready + - -U + - cryostat3 + - -d + - cryostat3 - name: {{ printf "%s-%s" .Chart.Name "s3" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} @@ -134,6 +142,12 @@ spec: value: minioroot # TODO - name: MINIO_DEFAULT_BUCKETS value: archivedrecordings + readinessProbe: + exec: + command: + - mc + - ready + - local {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: From ef48e78578ef8364b371675e67238a559eb328c4 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:29:04 -0500 Subject: [PATCH 09/31] chomp newlines --- charts/cryostat/templates/serviceaccount.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/charts/cryostat/templates/serviceaccount.yaml b/charts/cryostat/templates/serviceaccount.yaml index 7354f796..30ecba7c 100644 --- a/charts/cryostat/templates/serviceaccount.yaml +++ b/charts/cryostat/templates/serviceaccount.yaml @@ -1,9 +1,8 @@ -{{- if .Values.core.route.enabled }} +{{- if .Values.core.route.enabled -}} {{- $fullName := include "cryostat.fullname" . -}} -{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) }} -{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations }} -{{- end }} - +{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) -}} +{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations -}} +{{- end -}} {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount 
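Review bot: The two readiness probes rely on Kubernetes defaults for timeout, period and failure threshold, and readiness on a sibling container does not sequence container start: Cryostat in the same pod starts before Postgres accepts connections, so with `drop-and-create` its first connection attempts fail and Cryostat's own probe (`failureThreshold: 18` in the surrounding context) is what absorbs that. A comment above the db probe spelling this out, plus explicit `timeoutSeconds` and `periodSeconds` on both probes so the behaviour does not depend on defaults, would help; the same applies to the `mc ready local` probe in the second hunk.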
From 9dc002b54bc3b6e863ae785a55018f4080814f86 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:39:13 -0500 Subject: [PATCH 10/31] set db encryption key --- charts/cryostat/templates/_helpers.tpl | 2 +- charts/cryostat/templates/deployment.yaml | 6 +++++- charts/cryostat/templates/secret.yaml | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 33c7369a..5bd1ecfc 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -65,7 +65,7 @@ Create the name of the service account to use Get or generate a default password for credentials database */}} {{- define "cryostat.databasePassword" -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-jmx-credentials-db" .Release.Name)) -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}} {{- if $secret -}} {{/* Use current password. Do not regenerate diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index ce8e86f9..4c07096d 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -112,7 +112,11 @@ spec: - name: POSTGRESQL_DATABASE value: cryostat3 - name: PG_ENCRYPT_KEY - value: REPLACEME + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db-encryption-key" .Release.Name) .Values.core.databaseSecretName }} + key: ENCRYPTION_KEY + optional: false ports: - containerPort: 5432 protocol: TCP diff --git a/charts/cryostat/templates/secret.yaml b/charts/cryostat/templates/secret.yaml index 5fc98aa9..1f6b4275 100644 --- a/charts/cryostat/templates/secret.yaml +++ b/charts/cryostat/templates/secret.yaml 
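Review bot: `lookup` returns an empty result under `helm template`, `--dry-run` and any client-side render-then-apply workflow, so in those paths the helper falls through to the generate branch (outside this hunk) on every render; for a value that now serves as `PG_ENCRYPT_KEY` rather than a password, an upgrade rendered that way silently rotates the key and leaves previously encrypted rows unreadable. A comment on the define stating that the key must stay stable for the lifetime of the database, and that pre-creating the Secret (or setting `core.databaseSecretName`) is the supported way to guarantee that, would make the risk visible.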
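Review bot: The Secret reference reuses `.Values.core.databaseSecretName`, whose description in values.yaml (outside this diff) presumably still describes a Secret holding `CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD`; the new reference requires a key named `ENCRYPTION_KEY` with `optional: false`, so a user who pre-created the old-style Secret gets a pod stuck in `CreateContainerConfigError` after upgrade. Updating the `## @param core.databaseSecretName` description to name the required key, and mentioning the rename in the chart's upgrade notes, covers that. Using the same `valueFrom.secretKeyRef` pattern for `POSTGRESQL_PASSWORD` in this container would be consistent with this change.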
@@ -2,8 +2,8 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Release.Name }}-jmx-credentials-db + name: {{ .Release.Name }}-db-encryption-key type: Opaque data: - CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD: {{ include "cryostat.databasePassword" . }} + ENCRYPTION_KEY: {{ include "cryostat.databasePassword" . }} {{- end -}} From 7757ac6cc4aa0c930d18b5df15406d57d17eeb5c Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:46:26 -0500 Subject: [PATCH 11/31] typo --- charts/cryostat/templates/deployment.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 4c07096d..a1bb9e47 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -55,8 +55,7 @@ spec: - name: QUARKUS_DATASOURCE_PASSWORD value: cryostat3 - name: QUARKUS_DATASOURCE_JDBC_URL - value: jdbc:postgresql://db:5432/cryostat3 - value: "jdbc:postgresql://localhost:5432/cryostat3" + value: jdbc:postgresql://localhost:5432/cryostat3 - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE From a4f7eb2e748fa44d42eefbe0b6321334bc1092d6 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:47:59 -0500 Subject: [PATCH 12/31] fixup! set db encryption key --- charts/cryostat/templates/_helpers.tpl | 4 ++-- charts/cryostat/templates/secret.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 5bd1ecfc..4a3ef32c 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
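Review bot: Renaming the generated Secret from `-jmx-credentials-db` to `-db-encryption-key` means Helm deletes the old object and creates a new one on upgrade; because `cryostat.databasePassword` now looks up the new name, the previous value is not carried over, which is fine for a fresh 3.0 install but deserves a line in the upgrade notes. A comment above the `data:` key noting that `ENCRYPTION_KEY` is consumed as `PG_ENCRYPT_KEY` by the db container (deployment.yaml) would tie the two files together for the next reader.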
@@ -62,9 +62,9 @@ Create the name of the service account to use {{- end }} {{/* -Get or generate a default password for credentials database +Get or generate a default encryption key for credentials database */}} -{{- define "cryostat.databasePassword" -}} +{{- define "cryostat.databaseEncryptionKey" -}} {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}} {{- if $secret -}} {{/* diff --git a/charts/cryostat/templates/secret.yaml b/charts/cryostat/templates/secret.yaml index 1f6b4275..2d287010 100644 --- a/charts/cryostat/templates/secret.yaml +++ b/charts/cryostat/templates/secret.yaml @@ -5,5 +5,5 @@ metadata: name: {{ .Release.Name }}-db-encryption-key type: Opaque data: - ENCRYPTION_KEY: {{ include "cryostat.databasePassword" . }} + ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }} {{- end -}} From 109cf4707b7161e1b706f266f08ed378a92c5039 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:49:24 -0500 Subject: [PATCH 13/31] add TODOs --- charts/cryostat/templates/deployment.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index a1bb9e47..d91f39a1 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -53,7 +53,7 @@ spec: - name: QUARKUS_DATASOURCE_USERNAME value: cryostat3 - name: QUARKUS_DATASOURCE_PASSWORD - value: cryostat3 + value: cryostat3 # TODO generate this and store in/mount from Secret - name: QUARKUS_DATASOURCE_JDBC_URL value: jdbc:postgresql://localhost:5432/cryostat3 - name: STORAGE_BUCKETS_ARCHIVES_NAME 
@@ -67,13 +67,13 @@ spec: - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE value: static - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID - value: minioroot # TODO + value: minioroot # TODO generate this and store in/mount from Secret - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY - value: minioroot # TODO + value: minioroot # TODO generate this and store in/mount from Secret - name: AWS_ACCESS_KEY_ID - value: minioroot # TODO + value: minioroot # TODO generate this and store in/mount from Secret - name: AWS_SECRET_ACCESS_KEY - value: minioroot # TODO + value: minioroot # TODO generate this and store in/mount from Secret {{- if not .Values.minimal }} - name: GRAFANA_DATASOURCE_URL value: http://127.0.0.1:8080 @@ -107,7 +107,7 @@ spec: - name: POSTGRESQL_USER value: cryostat3 - name: POSTGRESQL_PASSWORD - value: cryostat3 + value: cryostat3 # TODO generate this and store in/mount from Secret - name: POSTGRESQL_DATABASE value: cryostat3 - name: PG_ENCRYPT_KEY From db41d70fc73a6095585ac5e5d39466ea595a78db Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 18 Dec 2023 13:49:32 -0500 Subject: [PATCH 14/31] formatting --- charts/cryostat/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index d91f39a1..f548c2dc 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -59,7 +59,7 @@ spec: - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE - value: "http://localhost:9000" + value: http://localhost:9000 - name: QUARKUS_S3_PATH_STYLE_ACCESS value: "true" - name: QUARKUS_S3_AWS_REGION From ba927f546faa5107c874c520f9c12903a3c4a894 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Tue, 19 Dec 2023 15:53:59 -0500 Subject: [PATCH 15/31] pin database to particular version --- charts/cryostat/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index f548c2dc..6067c9f4 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -101,7 +101,7 @@ spec: - name: {{ printf "%s-%s" .Chart.Name "db" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: quay.io/cryostat/cryostat-db:latest # TODO pin to a particular version + image: quay.io/cryostat/cryostat-db:2023-12-19 imagePullPolicy: Always env: - name: POSTGRESQL_USER From 663436a3057b4629213c9ef7a893ac9998c0ae2b Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 19 Dec 2023 15:54:17 -0500 Subject: [PATCH 16/31] use customized MinIO image --- charts/cryostat/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 6067c9f4..c5af7896 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -130,8 +130,8 @@ spec: - name: {{ printf "%s-%s" .Chart.Name "s3" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: docker.io/minio/minio:RELEASE.2023-12-14T18-51-57Z # TODO make this configurable - imagePullPolicy: IfNotPresent + image: quay.io/cryostat/cryostat-storage:2023-12-19 # TODO make this configurable + imagePullPolicy: Always args: - server - /data From 9dfe36becf183747f9d8dffd824a8b2ba9716193 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Tue, 19 Dec 2023 15:54:35 -0500 Subject: [PATCH 17/31] use /tmp for persistent storage since default /data is owned by root in container --- charts/cryostat/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index c5af7896..5ba5ab42 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -134,7 +134,7 @@ spec: imagePullPolicy: Always args: - server - - /data + - /tmp - --address - localhost:9000 # TODO add persistent volume From 70d2f5dc7b2a01a29089d923d3fb4d5add08d53d Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 19 Dec 2023 16:18:41 -0500 Subject: [PATCH 18/31] use generated secret for object storage access --- charts/cryostat/templates/_helpers.tpl | 18 +++++++++++++ ...ret.yaml => db_encryption_key_secret.yaml} | 0 charts/cryostat/templates/deployment.yaml | 26 ++++++++++++++----- .../templates/storage_access_key_secret.yaml | 9 +++++++ 4 files changed, 46 insertions(+), 7 deletions(-) rename charts/cryostat/templates/{secret.yaml => db_encryption_key_secret.yaml} (100%) create mode 100644 charts/cryostat/templates/storage_access_key_secret.yaml diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 4a3ef32c..d7914aa4 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -78,3 +78,21 @@ Get or generate a default encryption key for credentials database {{- (randAlphaNum 32) | b64enc | quote -}} {{- end -}} {{- end -}} + +{{/* +Get or generate a default secret key for object storage +*/}} +{{- define "cryostat.objectStorageSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate +*/}} +{{- $secret.data.SECRET_KEY -}} +{{- else -}} +{{/* + Generate new secret +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} diff --git a/charts/cryostat/templates/secret.yaml b/charts/cryostat/templates/db_encryption_key_secret.yaml similarity index 100% rename from charts/cryostat/templates/secret.yaml rename to charts/cryostat/templates/db_encryption_key_secret.yaml diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 5ba5ab42..0f7ccc1c 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
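Review bot: `lookup` returns an empty result when the chart is rendered without cluster access (`helm template`, `--dry-run`, GitOps tools that render client-side), so in those flows the `else` branch runs on every render and `randAlphaNum 32` yields a fresh key each time; the same applies to the existing `cryostat.databaseEncryptionKey` define above it. The Deployment consumes this value through `secretKeyRef` env vars, which are resolved only at container start, so a re-applied Secret and the running pod can hold different keys until the next rollout. Worth stating in the define's comment, e.g. `Requires a live cluster lookup; under helm template / dry-run a new key is generated on every render`, so operators know the value is stable only across in-cluster upgrades.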
@@ -67,13 +67,21 @@ spec: - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE value: static - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID - value: minioroot # TODO generate this and store in/mount from Secret - - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY - value: minioroot # TODO generate this and store in/mount from Secret + value: cryostat - name: AWS_ACCESS_KEY_ID - value: minioroot # TODO generate this and store in/mount from Secret + value: cryostat + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ printf "%s-storage-secret-key" .Release.Name }} + key: SECRET_KEY + optional: false - name: AWS_SECRET_ACCESS_KEY - value: minioroot # TODO generate this and store in/mount from Secret + valueFrom: + secretKeyRef: + name: {{ printf "%s-storage-secret-key" .Release.Name }} + key: SECRET_KEY + optional: false {{- if not .Values.minimal }} - name: GRAFANA_DATASOURCE_URL value: http://127.0.0.1:8080 @@ -140,9 +148,13 @@ spec: # TODO add persistent volume env: - name: MINIO_ROOT_USER - value: minioroot # TODO + value: cryostat - name: MINIO_ROOT_PASSWORD - value: minioroot # TODO + valueFrom: + secretKeyRef: + name: {{ printf "%s-storage-secret-key" .Release.Name }} + key: SECRET_KEY + optional: false - name: MINIO_DEFAULT_BUCKETS value: archivedrecordings readinessProbe: diff --git a/charts/cryostat/templates/storage_access_key_secret.yaml b/charts/cryostat/templates/storage_access_key_secret.yaml new file mode 100644 index 00000000..0adf0048 --- /dev/null +++ b/charts/cryostat/templates/storage_access_key_secret.yaml @@ -0,0 +1,9 @@ +{{- if empty .Values.core.databaseSecretName -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-storage-secret-key +type: Opaque +data: + SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }} +{{- end -}} From d05211502efd01d467153139f8380f8eaca28eb2 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Tue, 19 Dec 2023 16:20:02 -0500 Subject: [PATCH 19/31] fixup! use generated secret for object storage access --- charts/cryostat/templates/storage_access_key_secret.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/cryostat/templates/storage_access_key_secret.yaml b/charts/cryostat/templates/storage_access_key_secret.yaml index 0adf0048..e06e723e 100644 --- a/charts/cryostat/templates/storage_access_key_secret.yaml +++ b/charts/cryostat/templates/storage_access_key_secret.yaml @@ -1,4 +1,3 @@ -{{- if empty .Values.core.databaseSecretName -}} apiVersion: v1 kind: Secret metadata: @@ -6,4 +5,3 @@ metadata: type: Opaque data: SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }} -{{- end -}} From 12a290c7f08d49c1815922ec3137f5f6de9fb9d0 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 19 Dec 2023 16:23:50 -0500 Subject: [PATCH 20/31] use generated secret for database connection password --- charts/cryostat/templates/_helpers.tpl | 18 ++++++++++++++++++ .../templates/db_connection_key_secret.yaml | 7 +++++++ charts/cryostat/templates/deployment.yaml | 12 ++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 charts/cryostat/templates/db_connection_key_secret.yaml diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index d7914aa4..716eecd6 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -61,6 +61,24 @@ Create the name of the service account to use {{- end }} {{- end }} +{{/* +Get or generate a default connection key for credentials database +*/}} +{{- define "cryostat.databaseConnectionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current password. Do not regenerate +*/}} +{{- $secret.data.CONNECTION_KEY -}} +{{- else -}} +{{/* + Generate new password +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + {{/* Get or generate a default encryption key for credentials database */}} diff --git a/charts/cryostat/templates/db_connection_key_secret.yaml b/charts/cryostat/templates/db_connection_key_secret.yaml new file mode 100644 index 00000000..2c1c5894 --- /dev/null +++ b/charts/cryostat/templates/db_connection_key_secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-db-connection-key +type: Opaque +data: + CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 0f7ccc1c..5f878894 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -53,7 +53,11 @@ spec: - name: QUARKUS_DATASOURCE_USERNAME value: cryostat3 - name: QUARKUS_DATASOURCE_PASSWORD - value: cryostat3 # TODO generate this and store in/mount from Secret + valueFrom: + secretKeyRef: + name: {{ printf "%s-db-connection-key" .Release.Name }} + key: CONNECTION_KEY + optional: false - name: QUARKUS_DATASOURCE_JDBC_URL value: jdbc:postgresql://localhost:5432/cryostat3 - name: STORAGE_BUCKETS_ARCHIVES_NAME 
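Review bot: This is the third copy of the same get-or-generate block, differing from `cryostat.databaseEncryptionKey` and `cryostat.objectStorageSecretKey` only in the Secret name suffix and the data key; a single define taking those two as a dict argument, e.g. `{{- include "cryostat.getOrGenerateSecretValue" (dict "ctx" . "suffix" "db-connection-key" "key" "CONNECTION_KEY") -}}`, would keep the lookup-or-regenerate logic in one place. The header comment calls the value a "connection key for credentials database", while the deployment hunks in this same patch consume it as `QUARKUS_DATASOURCE_PASSWORD` and `POSTGRESQL_PASSWORD`; naming it the database password in the comment would make the intent clearer.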
@@ -115,7 +119,11 @@ spec: - name: POSTGRESQL_USER value: cryostat3 - name: POSTGRESQL_PASSWORD - value: cryostat3 # TODO generate this and store in/mount from Secret + valueFrom: + secretKeyRef: + name: {{ printf "%s-db-connection-key" .Release.Name }} + key: CONNECTION_KEY + optional: false - name: POSTGRESQL_DATABASE value: cryostat3 - name: PG_ENCRYPT_KEY From 3706818b79cb26d1c0dddc8088879427c317199d Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 5 Jan 2024 09:40:46 -0500 Subject: [PATCH 21/31] rephrase comments --- charts/cryostat/templates/_helpers.tpl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 716eecd6..e97109b9 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -68,12 +68,12 @@ Get or generate a default connection key for credentials database {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}} {{- if $secret -}} {{/* - Use current password. Do not regenerate + Use current key. Do not regenerate */}} {{- $secret.data.CONNECTION_KEY -}} {{- else -}} {{/* - Generate new password + Generate new key */}} {{- (randAlphaNum 32) | b64enc | quote -}} {{- end -}} @@ -86,12 +86,12 @@ Get or generate a default encryption key for credentials database {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}} {{- if $secret -}} {{/* - Use current password. Do not regenerate + Use current key. Do not regenerate */}} {{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}} {{- else -}} {{/* - Generate new password + Generate new key */}} {{- (randAlphaNum 32) | b64enc | quote -}} {{- end -}} From 394e4752c9af8f6b1365c6bc023aeac12c478a8b Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Fri, 5 Jan 2024 09:50:27 -0500 Subject: [PATCH 22/31] update README and schema for 3.0 --- charts/cryostat/README.md | 2 +- charts/cryostat/values.schema.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index a1e9b254..f3d6b5b4 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -10,7 +10,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `core` | Configuration for the core Cryostat application | | | `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | | `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | -| `core.image.tag` | Tag for the main Cryostat container image | `latest` | +| `core.image.tag` | Tag for the main Cryostat container image | `3.0.0-snapshot` | | `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | | `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | | `core.service.jmxPort` | Port number to expose on the Service for remote JMX connections to Cryostat | `9091` | diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 7dfa3baa..562fca28 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -21,7 +21,7 @@ "tag": { "type": "string", "description": "Tag for the main Cryostat container image", - "default": "latest" + "default": "3.0.0-snapshot" } } }, From ee2bccd7901e5701638e627b888c383a93351405 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Fri, 5 Jan 2024 09:51:12 -0500 Subject: [PATCH 23/31] add configuration section for storage container --- charts/cryostat/README.md | 16 ++ charts/cryostat/templates/deployment.yaml | 10 +- charts/cryostat/values.schema.json | 173 ++++++++++++++-------- charts/cryostat/values.yaml | 21 +++ 4 files changed, 158 insertions(+), 62 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index f3d6b5b4..7775132c 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -32,6 +32,19 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `core.databaseSecretName` | Name of the secret to extract password for credentials database. | `""` | + +### Storage Container + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `Configuration` | for Cryostat's object storage provider | | +| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | +| `storage.image.tag` | Tag for the storage container image | `2023-12-19` | +| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + + ### Grafana Container | Name | Description | Value | 
@@ -59,6 +72,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### JFR Data Source Container | Name | Description | Value | @@ -70,6 +84,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Authentication | Name | Description | Value | 
@@ -78,6 +93,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | | `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` | + ### Other Parameters | Name | Description | Value | diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 5f878894..d28ab7bf 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -143,11 +143,11 @@ spec: - cryostat3 - -d - cryostat3 - - name: {{ printf "%s-%s" .Chart.Name "s3" }} + - name: {{ printf "%s-%s" .Chart.Name "storage" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: quay.io/cryostat/cryostat-storage:2023-12-19 # TODO make this configurable - imagePullPolicy: Always + image: "{{ .Values.storage.image.repository }}:{{ .Values.storage.image.tag }}" + imagePullPolicy: {{ .Values.storage.image.pullPolicy }} args: - server - /tmp @@ -171,6 +171,10 @@ spec: - mc - ready - local + resources: + {{- toYaml .Values.storage.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.storage.securityContext | nindent 12 }} {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 562fca28..4052c052 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
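Review bot: The second deployment hunk (`@@ -171,6 +171,10 @@`) adds `securityContext: {{- toYaml .Values.storage.securityContext | nindent 12 }}` to the storage container, but the first hunk's context shows that container already begins with `securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }}`, so the rendered container mapping carries two `securityContext` keys. Duplicate keys are invalid YAML; some parsers reject them and most others silently keep the last, so which settings apply depends on the loader. Keep only one: replace the existing line with `{{- toYaml .Values.storage.securityContext | nindent 12 }}` and drop the added block. The db container still reuses `core.securityContext` in the same way (see patch 28's deployment hunk).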
@@ -188,41 +188,106 @@ } } }, - "grafana": { + "storage": { "type": "object", "properties": { + "securityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + } + } + }, "image": { "type": "object", "properties": { "repository": { "type": "string", - "description": "Repository for the Grafana container image", - "default": "quay.io/cryostat/cryostat-grafana-dashboard" + "description": "Repository for the storage container image", + "default": "quay.io/cryostat/cryostat-storage" }, "pullPolicy": { "type": "string", - "description": "Image pull policy for the Grafana container image", + "description": "Image pull policy for the storage container image", "default": "Always" }, "tag": { "type": "string", - "description": "Tag for the Grafana container image", - "default": "latest" + "description": "Tag for the storage container image", + "default": "2023-12-19" } } }, - "service": { + "resources": { + "type": "object", + "description": "Resource requests/limits for the storage container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "grafana": { + "type": "object", + "properties": { + "securityContext": { "type": "object", "properties": { - "type": { + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { "type": "string", - "description": "Type of Service to create for Grafana", - "default": "ClusterIP" + "description": "Repository for the Grafana container image", + "default": "quay.io/cryostat/cryostat-grafana-dashboard" }, - "port": { - "type": "number", - "description": "Port number to expose on the Service for Grafana's HTTP server", - "default": 3000 + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the Grafana container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the Grafana container image", + "default": "latest" } } }, @@ -277,6 +342,21 @@ } } }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "Type of Service to create for Grafana", + "default": "ClusterIP" + }, + "port": { + "type": "number", + "description": "Port number to expose on the Service for Grafana's HTTP server", + "default": 3000 + } + } + }, "sslProxied": { "type": "boolean", "description": "Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress", 
@@ -332,31 +412,6 @@ } } }, - "securityContext": { - "type": "object", - "properties": { - "capabilities": { - "type": "object", - "properties": { - "drop": { - "type": "array", - "description": "", - "default": [ - "ALL" - ], - "items": { - "type": "string" - } - } - } - }, - "allowPrivilegeEscalation": { - "type": "boolean", - "description": "", - "default": false - } - } - }, "resources": { "type": "object", "description": "Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", @@ -419,6 +474,26 @@ } } }, + "podSecurityContext": { + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "", + "default": "RuntimeDefault" + } + } + }, + "runAsNonRoot": { + "type": "boolean", + "description": "", + "default": true + } + } + }, "authentication": { "type": "object", "properties": { @@ -444,26 +519,6 @@ } } }, - "podSecurityContext": { - "type": "object", - "properties": { - "seccompProfile": { - "type": "object", - "properties": { - "type": { - "type": "string", - "description": "", - "default": "RuntimeDefault" - } - } - }, - "runAsNonRoot": { - "type": "boolean", - "description": "", - "default": true - } - } - }, "minimal": { "type": "boolean", "description": "Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source", diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index b0cae4ba..2661cdad 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -63,6 +63,27 @@ core: ## @param core.databaseSecretName Name of the secret to extract password for credentials database. databaseSecretName: "" +## @section Storage Container +## @extra Configuration for Cryostat's object storage provider +storage: + image: + ## @param storage.image.repository Repository for the storage container image + repository: "quay.io/cryostat/cryostat-storage" + ## @param storage.image.pullPolicy Image pull policy for the storage container image + pullPolicy: Always + ## @param storage.image.tag Tag for the storage container image + tag: "2023-12-19" + ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) + resources: {} + ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + securityContext: + ## @skip grafana.securityContext.allowPrivilegeEscalation + allowPrivilegeEscalation: false + ## @skip grafana.securityContext.capabilities + capabilities: + drop: + - ALL + ## @section Grafana Container ## @extra grafana Configuration for the customized Grafana instance for Cryostat grafana: From 40f3dbfef52d640ca6be1351af79b1441f7a5bef Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 16 Jan 2024 17:32:06 -0500 Subject: [PATCH 24/31] deploy seaweed-based storage container rather than minio --- charts/cryostat/templates/deployment.yaml | 52 +++++++++++++---------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index d28ab7bf..be1f4877 100644 --- a/charts/cryostat/templates/deployment.yaml 
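Review bot: The section header `## @extra Configuration for Cryostat's object storage provider` omits the key name that the Grafana section's `## @extra grafana Configuration ...` carries, and the regenerated README in this patch shows the effect: a row reading `| Configuration | for Cryostat's object storage provider |`, with "Configuration" taken as the parameter name. The two `## @skip grafana.securityContext.*` lines under `storage.securityContext` were copied from the Grafana section and should read `## @skip storage.securityContext.allowPrivilegeEscalation` and `## @skip storage.securityContext.capabilities`. Patch 28's values hunk repeats both problems for the new `db` section, where every `@param` annotation still names `storage.*`; patch 30 ("fix up schema metadata") may address this, but the annotations are better corrected where they are introduced.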
+++ b/charts/cryostat/templates/deployment.yaml @@ -63,7 +63,7 @@ spec: - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE - value: http://localhost:9000 + value: http://localhost:8333 - name: QUARKUS_S3_PATH_STYLE_ACCESS value: "true" - name: QUARKUS_S3_AWS_REGION @@ -88,7 +88,7 @@ spec: optional: false {{- if not .Values.minimal }} - name: GRAFANA_DATASOURCE_URL - value: http://127.0.0.1:8080 + value: http://127.0.0.1:8800 - name: GRAFANA_DASHBOARD_URL value: "{{ if .Values.grafana.ingress.enabled }}http{{ if (or (.Values.grafana.ingress.tls) (.Values.grafana.sslProxied)) }}s{{ end }}://{{ with index .Values.grafana.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" {{- end }} @@ -113,7 +113,7 @@ spec: - name: {{ printf "%s-%s" .Chart.Name "db" }} securityContext: {{- toYaml .Values.core.securityContext | nindent 12 }} - image: quay.io/cryostat/cryostat-db:2023-12-19 + image: quay.io/cryostat/cryostat-db:2024-01-16 imagePullPolicy: Always env: - name: POSTGRESQL_USER 
@@ -148,29 +148,35 @@ spec: {{- toYaml .Values.core.securityContext | nindent 12 }} image: "{{ .Values.storage.image.repository }}:{{ .Values.storage.image.tag }}" imagePullPolicy: {{ .Values.storage.image.pullPolicy }} - args: - - server - - /tmp - - --address - - localhost:9000 - # TODO add persistent volume env: - - name: MINIO_ROOT_USER + - name: CRYOSTAT_ACCESS_KEY value: cryostat - - name: MINIO_ROOT_PASSWORD + - name: CRYOSTAT_SECRET_KEY valueFrom: secretKeyRef: name: {{ printf "%s-storage-secret-key" .Release.Name }} key: SECRET_KEY optional: false - - name: MINIO_DEFAULT_BUCKETS - value: archivedrecordings - readinessProbe: - exec: - command: - - mc - - ready - - local + # TODO add persistent volume + - name: DATA_DIR + value: /tmp + - name: IP_BIND + value: 0.0.0.0 + ports: + - containerPort: 8333 + protocol: TCP + livenessProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 2 + startupProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 9 resources: {{- toYaml .Values.storage.resources | nindent 12 }} securityContext: @@ -183,7 +189,7 @@ spec: imagePullPolicy: {{ .Values.grafana.image.pullPolicy }} env: - name: JFR_DATASOURCE_URL - value: http://127.0.0.1:8080 + value: http://127.0.0.1:8800 - name: GF_AUTH_ANONYMOUS_ENABLED value: "true" ports: @@ -203,15 +209,17 @@ spec: env: - name: LISTEN_HOST value: 127.0.0.1 + - name: QUARKUS_HTTP_PORT + value: "8800" ports: - - containerPort: 8080 + - containerPort: 8800 protocol: TCP livenessProbe: exec: command: - curl - --fail - - http://127.0.0.1:8080 + - http://127.0.0.1:8800 resources: {{- toYaml .Values.datasource.resources | nindent 12 }} {{- end }} From a60128e8dd8066fc62d3895e854d935e69bcebaf Mon Sep 17 00:00:00 2001 
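Review bot: `IP_BIND` is set to `0.0.0.0`, whereas the MinIO arguments being removed bound the server to `localhost:9000`; the only consumer in this pod reaches it at `http://localhost:8333` (first hunk of this patch), so the S3 API, guarded only by the static access key and secret key, now also listens on the pod IP and is reachable from any workload that can route to the pod unless a NetworkPolicy restricts it. The wide bind looks like it was chosen so the new `httpGet` liveness and startup probes can connect, since the kubelet probes the pod IP rather than loopback. If the endpoint is meant to stay pod-local, bind to `127.0.0.1` and use an `exec` probe against loopback, as the datasource container in this patch's last hunk does with `curl --fail http://127.0.0.1:8800`; if external access through the route (`STORAGE_EXT_URL`, patch 26) is intended, a comment next to `IP_BIND` saying so would make the choice explicit.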
From: Andrew Azores Date: Wed, 17 Jan 2024 14:51:04 -0500 Subject: [PATCH 25/31] mount PVC to storage container --- charts/cryostat/templates/deployment.yaml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index be1f4877..cad80de0 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -149,6 +149,8 @@ spec: image: "{{ .Values.storage.image.repository }}:{{ .Values.storage.image.tag }}" imagePullPolicy: {{ .Values.storage.image.pullPolicy }} env: + - name: CRYOSTAT_BUCKETS + value: archivedrecordings,archivedreports - name: CRYOSTAT_ACCESS_KEY value: cryostat - name: CRYOSTAT_SECRET_KEY @@ -157,14 +159,24 @@ spec: name: {{ printf "%s-storage-secret-key" .Release.Name }} key: SECRET_KEY optional: false - # TODO add persistent volume - name: DATA_DIR - value: /tmp + value: /data + # TODO tune these or make them configurable. Ideally the single seaweed volume server should consume the entire PVC + - name: VOLUME_PREALLOCATE + value: "false" + - name: VOLUME_SIZE_LIMIT_MB + value: "500" + - name: VOLUME_MAX + value: "16" - name: IP_BIND value: 0.0.0.0 ports: - containerPort: 8333 protocol: TCP + volumeMounts: + - mountPath: /data + name: {{ .Chart.Name }} + subPath: seaweed livenessProbe: httpGet: path: "/status" From e7b6e280dd0bf3155646c7ee897ef64a2b4c07ea Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Jan 2024 14:51:21 -0500 Subject: [PATCH 26/31] update note for external routing --- charts/cryostat/templates/NOTES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index 67daa503..b3272213 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -7,7 +7,7 @@ ``` {{- if .Values.core.route.enabled }} export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}") -{{- $envVars = list "CRYOSTAT_WEB_HOST=$ROUTE_HOST" }} +{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }} {{- else if .Values.core.ingress.enabled }} {{- /* Do nothing */}} {{- else if contains "NodePort" .Values.core.service.type }} From 2aab248e995353ff65527593168b0f2bbaf5b57e Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Jan 2024 14:54:43 -0500 Subject: [PATCH 27/31] mount pvc to database container --- charts/cryostat/templates/deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index cad80de0..52fd02c9 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -135,6 +135,10 @@ spec: ports: - containerPort: 5432 protocol: TCP + volumeMounts: + - mountPath: /var/lib/pgsql/data + name: {{ .Chart.Name }} + subPath: postgres readinessProbe: exec: command: From 0cc751bf3ea2af92dc5b2d87dc323c51ef19ec45 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Jan 2024 14:55:15 -0500 Subject: [PATCH 28/31] add config section for database container --- charts/cryostat/templates/deployment.yaml | 4 ++-- charts/cryostat/values.yaml | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 52fd02c9..5a3fc0b4 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
@@ -113,8 +113,8 @@ spec:
 - name: {{ printf "%s-%s" .Chart.Name "db" }}
 securityContext:
 {{- toYaml .Values.core.securityContext | nindent 12 }}
- image: quay.io/cryostat/cryostat-db:2024-01-16
- imagePullPolicy: Always
+ image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag }}"
+ imagePullPolicy: {{ .Values.db.image.pullPolicy }}
 env:
 - name: POSTGRESQL_USER
 value: cryostat3
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 2661cdad..d228a3f4 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -63,6 +63,27 @@ core:
 ## @param core.databaseSecretName Name of the secret to extract password for credentials database.
 databaseSecretName: ""
+## @section Database Container
+## @extra Configuration for Cryostat's database
+db:
+ image:
+ ## @param storage.image.repository Repository for the storage container image
+ repository: "quay.io/cryostat/cryostat-db"
+ ## @param storage.image.pullPolicy Image pull policy for the storage container image
+ pullPolicy: Always
+ ## @param storage.image.tag Tag for the storage container image
+ tag: "latest"
+ ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ resources: {}
+ ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip grafana.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip grafana.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
 ## @section Storage Container
 ## @extra Configuration for Cryostat's object storage provider
 storage:
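Review bot: The db container's `securityContext` line, visible as context in the first hunk, still renders `.Values.core.securityContext`, while the values.yaml hunk introduces `db.securityContext` (with `allowPrivilegeEscalation: false` and `drop: [ALL]`) as this container's own setting; as written, a user hardening or relaxing the database via `db.securityContext` gets no effect and the container silently follows whatever `core.securityContext` holds. Change the context line to `{{- toYaml .Values.db.securityContext | nindent 12 }}`; `db.resources` is added the same way and presumably needs a matching `{{- toYaml .Values.db.resources | nindent 12 }}` under the container's `resources:` key, which is outside the hunk. Separately, the new defaults `tag: "latest"` with `pullPolicy: Always` on a database image whose data directory is now persisted on a PVC mean each pod restart may pull a different PostgreSQL release, and a major-version bump would leave the existing data directory unreadable by the new server; pinning the tag (as the removed `cryostat-db:2024-01-16` did) or documenting this on `db.image.tag` is the safer default, and the same applies to `storage.image.tag` in the following `default to latest tag for storage` patch.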
From aa1a7940d99b6ba0a983b51025b101da8c09288d Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 17 Jan 2024 14:55:24 -0500
Subject: [PATCH 29/31] default to latest tag for storage
---
 charts/cryostat/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index d228a3f4..7a72045e 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -93,7 +93,7 @@ storage:
 ## @param storage.image.pullPolicy Image pull policy for the storage container image
 pullPolicy: Always
 ## @param storage.image.tag Tag for the storage container image
- tag: "2023-12-19"
+ tag: "latest"
 ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
 resources: {}
 ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
From 49cb466c5535191b6fce238555b345059f6934db Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Mon, 22 Jan 2024 16:37:59 -0500
Subject: [PATCH 30/31] fix up schema metadata and regenerate readme
---
 charts/cryostat/README.md | 14 +++-
 charts/cryostat/values.schema.json | 127 +++++++++++++++++++++--------
 charts/cryostat/values.yaml | 18 ++-
 3 files changed, 113 insertions(+), 46 deletions(-)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 7775132c..8f876ba8 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -33,6 +33,18 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `core.databaseSecretName` | Name of the secret to extract password for credentials database. | `""` | +### Database Container + +| Name | Description | Value | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `Configuration` | for Cryostat's database | | +| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | +| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | +| `db.image.tag` | Tag for thedatabasestorage container image | `latest` | +| `db.resources` | Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + + ### Storage Container | Name | Description | Value | 
@@ -40,7 +52,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `Configuration` | for Cryostat's object storage provider | | | `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | | `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | -| `storage.image.tag` | Tag for the storage container image | `2023-12-19` | +| `storage.image.tag` | Tag for the storage container image | `latest` | | `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 4052c052..e91382c2 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
@@ -188,17 +188,32 @@ } } }, - "storage": { + "db": { "type": "object", "properties": { - "securityContext": { + "image": { "type": "object", "properties": { - "allowPrivilegeEscalation": { - "type": "boolean", - "description": "", - "default": false + "repository": { + "type": "string", + "description": "Repository for the database container image", + "default": "quay.io/cryostat/cryostat-db" }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the database container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for thedatabasestorage container image", + "default": "latest" + } + } + }, + "securityContext": { + "type": "object", + "properties": { "capabilities": { "type": "object", "properties": { 
@@ -213,47 +228,27 @@ } } } - } - } - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string", - "description": "Repository for the storage container image", - "default": "quay.io/cryostat/cryostat-storage" - }, - "pullPolicy": { - "type": "string", - "description": "Image pull policy for the storage container image", - "default": "Always" }, - "tag": { - "type": "string", - "description": "Tag for the storage container image", - "default": "2023-12-19" + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false } } }, "resources": { "type": "object", - "description": "Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "description": "Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", "default": {} } } }, - "grafana": { + "storage": { "type": "object", "properties": { "securityContext": { "type": "object", "properties": { - "allowPrivilegeEscalation": { - "type": "boolean", - "description": "", - "default": false - }, "capabilities": { "type": "object", "properties": { @@ -268,6 +263,11 @@ } } } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false } } }, 
@@ -276,21 +276,31 @@ "properties": { "repository": { "type": "string", - "description": "Repository for the Grafana container image", - "default": "quay.io/cryostat/cryostat-grafana-dashboard" + "description": "Repository for the storage container image", + "default": "quay.io/cryostat/cryostat-storage" }, "pullPolicy": { "type": "string", - "description": "Image pull policy for the Grafana container image", + "description": "Image pull policy for the storage container image", "default": "Always" }, "tag": { "type": "string", - "description": "Tag for the Grafana container image", + "description": "Tag for the storage container image", "default": "latest" } } }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "grafana": { + "type": "object", + "properties": { "ingress": { "type": "object", "properties": { @@ -342,6 +352,26 @@ } } }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the Grafana container image", + "default": "quay.io/cryostat/cryostat-grafana-dashboard" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the Grafana container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the Grafana container image", + "default": "latest" + } + } + }, "service": { "type": "object", "properties": { 
@@ -362,6 +392,31 @@ "description": "Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress", "default": false }, + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, "route": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 7a72045e..6bf13025 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -67,19 +67,19 @@ core: ## @extra Configuration for Cryostat's database db: image: - ## @param storage.image.repository Repository for the storage container image + ## @param db.image.repository Repository for the database container image repository: "quay.io/cryostat/cryostat-db" - ## @param storage.image.pullPolicy Image pull policy for the storage container image + ## @param db.image.pullPolicy Image pull policy for the database container image pullPolicy: Always - ## @param storage.image.tag Tag for the storage container image + ## @param db.image.tag Tag for thedatabasestorage container image tag: "latest" - ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) + ## @param db.resources Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) resources: {} - ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + ## @param db.securityContext [object] Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: - ## @skip grafana.securityContext.allowPrivilegeEscalation + ## @skip db.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false - ## @skip grafana.securityContext.capabilities + ## @skip db.securityContext.capabilities capabilities: drop: - ALL @@ -98,9 +98,9 @@ storage: resources: {} ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: - ## @skip grafana.securityContext.allowPrivilegeEscalation + ## @skip storage.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false - ## @skip grafana.securityContext.capabilities + ## @skip storage.securityContext.capabilities capabilities: drop: - ALL From 5321b190d5fe61ae8995bd06eddbc6e5d87481f5 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 22 Jan 2024 16:51:44 -0500 Subject: [PATCH 31/31] remove unused env var pair --- charts/cryostat/templates/deployment.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 5a3fc0b4..34a20e6b 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
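Review bot: The renamed annotations for `db.image.tag` and `db.resources` in the first hunk read `Tag for thedatabasestorage container image` and `Resource requests/limits for thedatabasestorage container` — a search-and-replace of "storage" with "database" applied inside the phrase "the storage" — and because README.md and values.schema.json in this same patch are generated from these annotations, the typo is already carried into both. They should read `## @param db.image.tag Tag for the database container image` and `## @param db.resources Resource requests/limits for the database container. See: [ResourceRequirements](...)` (URL unchanged), followed by regenerating the README and schema. The `db:` mapping these lines belong to starts above the first hunk.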
@@ -72,20 +72,12 @@ spec:
 value: static
 - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID
 value: cryostat
- - name: AWS_ACCESS_KEY_ID
- value: cryostat
 - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY
 valueFrom:
 secretKeyRef:
 name: {{ printf "%s-storage-secret-key" .Release.Name }}
 key: SECRET_KEY
 optional: false
- - name: AWS_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: {{ printf "%s-storage-secret-key" .Release.Name }}
- key: SECRET_KEY
- optional: false
 {{- if not .Values.minimal }}
 - name: GRAFANA_DATASOURCE_URL
 value: http://127.0.0.1:8800