feat(cryostat): deploy cryostat 3.0 #111

Merged
merged 31 commits into from
Jan 23, 2024
13e864d
tmp
andrewazores Dec 15, 2023
d56b838
include oauth redirect annotation on serviceaccount if route enabled
andrewazores Dec 18, 2023
806f93c
enable quarkus proxy handling
andrewazores Dec 18, 2023
768f671
deploy s3 and db in same deployment/pod
andrewazores Dec 18, 2023
3cdc778
swap localstack for minio
andrewazores Dec 18, 2023
139a9b0
bind minio on localhost only
andrewazores Dec 18, 2023
3052218
pin minio version
andrewazores Dec 18, 2023
4b7c58d
add readiness probes for s3 and db
andrewazores Dec 18, 2023
ef48e78
chomp newlines
andrewazores Dec 18, 2023
9dc002b
set db encryption key
andrewazores Dec 18, 2023
7757ac6
typo
andrewazores Dec 18, 2023
a4f7eb2
fixup! set db encryption key
andrewazores Dec 18, 2023
109cf47
add TODOs
andrewazores Dec 18, 2023
db41d70
formatting
andrewazores Dec 18, 2023
ba927f5
pin database to particular version
andrewazores Dec 19, 2023
663436a
use customized MinIO image
andrewazores Dec 19, 2023
9dfe36b
use /tmp for persistent storage since default /data is owned by root …
andrewazores Dec 19, 2023
70d2f5d
use generated secret for object storage access
andrewazores Dec 19, 2023
d052115
fixup! use generated secret for object storage access
andrewazores Dec 19, 2023
12a290c
use generated secret for database connection password
andrewazores Dec 19, 2023
3706818
rephrase comments
andrewazores Jan 5, 2024
394e475
update README and schema for 3.0
andrewazores Jan 5, 2024
ee2bccd
add configuration section for storage container
andrewazores Jan 5, 2024
40f3dbf
deploy seaweed-based storage container rather than minio
andrewazores Jan 16, 2024
a60128e
mount PVC to storage container
andrewazores Jan 17, 2024
e7b6e28
update note for external routing
andrewazores Jan 17, 2024
2aab248
mount pvc to database container
andrewazores Jan 17, 2024
0cc751b
add config section for database container
andrewazores Jan 17, 2024
aa1a794
default to latest tag for storage
andrewazores Jan 17, 2024
49cb466
fix up schema metadata and regenerate readme
andrewazores Jan 22, 2024
5321b19
remove unused env var pair
andrewazores Jan 22, 2024
2 changes: 1 addition & 1 deletion charts/cryostat/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ version: "0.5.0-dev"

kubeVersion: ">= 1.19.0-0"

appVersion: "2.5.0-dev"
appVersion: "3.0.0-dev"

home: "https://cryostat.io"

30 changes: 29 additions & 1 deletion charts/cryostat/README.md
Expand Up @@ -10,7 +10,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `core` | Configuration for the core Cryostat application | |
| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` |
| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` |
| `core.image.tag` | Tag for the main Cryostat container image | `latest` |
| `core.image.tag` | Tag for the main Cryostat container image | `3.0.0-snapshot` |
| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` |
| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` |
| `core.service.jmxPort` | Port number to expose on the Service for remote JMX connections to Cryostat | `9091` |
Expand All @@ -32,6 +32,31 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |
| `core.databaseSecretName` | Name of the secret to extract password for credentials database. | `""` |


### Database Container

| Name | Description | Value |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `Configuration` | for Cryostat's database | |
| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` |
| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` |
| `db.image.tag` | Tag for thedatabasestorage container image | `latest` |
| `db.resources` | Resource requests/limits for thedatabasestorage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Storage Container

| Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `Configuration` | for Cryostat's object storage provider | |
| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` |
| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` |
| `storage.image.tag` | Tag for the storage container image | `latest` |
| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Grafana Container

| Name | Description | Value |
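Review bot: The new Database Container and Storage Container tables default `db.image.tag` and `storage.image.tag` to `latest` with pull policy `Always`, while `core.image.tag` in this same file moves from `latest` to `3.0.0-snapshot`. A mutable tag on the database and object-storage images means a pod restart can pull a different image than the one tested with this chart, so I'd pin both to a versioned tag or a digest. Two generated-doc glitches in the same tables: the first row of each reads `Configuration` with the description "for Cryostat's database" / "for Cryostat's object storage provider", where the `core` table puts the section name in the first column, and the `db.image.tag` and `db.resources` descriptions read "thedatabasestorage", which looks like leftover edit text in the schema metadata.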
Expand Down Expand Up @@ -59,6 +84,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### JFR Data Source Container

| Name | Description | Value |
Expand All @@ -70,6 +96,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` |
| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Authentication

| Name | Description | Value |
Expand All @@ -78,6 +105,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` |
| `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` |


### Other Parameters

| Name | Description | Value |
2 changes: 1 addition & 1 deletion charts/cryostat/templates/NOTES.txt
Expand Up @@ -7,7 +7,7 @@
```
{{- if .Values.core.route.enabled }}
export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
{{- $envVars = list "CRYOSTAT_WEB_HOST=$ROUTE_HOST" }}
{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }}
{{- else if .Values.core.ingress.enabled }}
{{- /* Do nothing */}}
{{- else if contains "NodePort" .Values.core.service.type }}
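Review bot: `STORAGE_EXT_URL` is assigned `$ROUTE_HOST`, which the line above fills from `.status.ingress[0].host`, so a variable named as a URL receives a bare hostname with no scheme. If whatever consumes `STORAGE_EXT_URL` parses it as a URL, this should carry the scheme the route is served on (for example `https://$ROUTE_HOST`); if a hostname is what it expects, a short template comment saying so would help. Also worth confirming nothing still needs `CRYOSTAT_WEB_HOST`, since this line replaces it rather than adding to it.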
46 changes: 41 additions & 5 deletions charts/cryostat/templates/_helpers.tpl
Expand Up @@ -62,18 +62,54 @@ Create the name of the service account to use
{{- end }}

{{/*
Get or generate a default password for credentials database
Get or generate a default connection key for credentials database
*/}}
{{- define "cryostat.databasePassword" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-jmx-credentials-db" .Release.Name)) -}}
{{- define "cryostat.databaseConnectionKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current password. Do not regenerate
Use current key. Do not regenerate
*/}}
{{- $secret.data.CONNECTION_KEY -}}
{{- else -}}
{{/*
Generate new key
*/}}
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
{{- end -}}

{{/*
Get or generate a default encryption key for credentials database
*/}}
{{- define "cryostat.databaseEncryptionKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current key. Do not regenerate
*/}}
{{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}}
{{- else -}}
{{/*
Generate new password
Generate new key
*/}}
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
{{- end -}}

{{/*
Get or generate a default secret key for object storage
*/}}
{{- define "cryostat.objectStorageSecretKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current secret. Do not regenerate
*/}}
{{- $secret.data.SECRET_KEY -}}
{{- else -}}
{{/*
Generate new secret
*/}}
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
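Review bot: In `cryostat.databaseEncryptionKey` the reuse branch still reads `$secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD`, but the Secret it looks up (`<release>-db-encryption-key`) is written by db_encryption_key_secret.yaml with the data key `ENCRYPTION_KEY`. On the first upgrade the lookup will find the Secret, the old key name will not be present in it, and the existing encryption key will not be carried over, so anything the database encrypted with the previous key would no longer decrypt. Change that line to `{{- $secret.data.ENCRYPTION_KEY -}}`, matching how the other two helpers read `CONNECTION_KEY` and `SECRET_KEY`. Separately, the three helpers are identical apart from the Secret name suffix and the data key, so a single parameterised helper would keep them from drifting apart like this.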
7 changes: 7 additions & 0 deletions charts/cryostat/templates/db_connection_key_secret.yaml
@@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db-connection-key
type: Opaque
data:
CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }}
9 changes: 9 additions & 0 deletions charts/cryostat/templates/db_encryption_key_secret.yaml
@@ -0,0 +1,9 @@
{{- if empty .Values.core.databaseSecretName -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db-encryption-key
type: Opaque
data:
ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }}
{{- end -}}
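Review bot: This Secret is skipped when `core.databaseSecretName` is set, yet the generated Secret now stores its value under `ENCRYPTION_KEY` while the README row for `core.databaseSecretName` still only says "Name of the secret to extract password for credentials database". Please document which data key a user-supplied Secret must contain, so installs that already provide their own Secret know whether it has to be renamed or re-keyed for 3.0.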