diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 7e273ce7..154b2d1c 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -71,7 +71,8 @@ helm install cryostat ./charts/cryostat | `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | | `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | | `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | -| `core.resources` | Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `core.resources.requests.cpu` | CPU resource request for the Cryostat container. | `500m` | +| `core.resources.requests.memory` | Memory resource request for the Cryostat container. | `384Mi` | | `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | | `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | 
@@ -83,51 +84,64 @@ helm install cryostat ./charts/cryostat | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` | | `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | + ### Database Container -| Name | Description | Value | -| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `db` | Configuration for Cryostat's database | | -| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | -| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | -| `db.image.tag` | Tag for the database container image | `latest` | -| `db.resources` | Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `db` | Configuration for Cryostat's database | | +| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | +| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | +| `db.image.tag` | Tag for the database container image | `latest` | +| `db.service.type` | Type of Service to create for the database | `ClusterIP` | +| `db.service.port` | Port number to expose on the Service | `5432` | +| `db.resources.requests.cpu` | CPU resource request for the database container. | `25m` | +| `db.resources.requests.memory` | Memory resource request for the database container. | `64Mi` | +| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Storage Container -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `storage` | Configuration for Cryostat's object storage provider | | -| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | -| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | -| `storage.image.tag` | Tag for the storage container image | `latest` | -| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `storage` | Configuration for Cryostat's object storage provider | | +| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | +| `storage.image.tag` | Tag for the storage container image | `latest` | +| `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` | +| `storage.service.port` | Port number to expose on the Service | `8333` | +| `storage.resources.requests.cpu` | CPU resource request for the object storage container. | `50m` | +| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Grafana Container -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- | -| `grafana` | Configuration for the customized Grafana instance for Cryostat | | -| `grafana.image.repository` | Repository for the Grafana container image | `quay.io/cryostat/cryostat-grafana-dashboard` | -| `grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `Always` | -| `grafana.image.tag` | Tag for the Grafana container image | `latest` | -| `grafana.service.type` | Type of Service to create for Grafana | `ClusterIP` | -| `grafana.service.port` | Port number to expose on the Service for Grafana's HTTP server | `3000` | -| `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- | +| `grafana` | Configuration for the customized Grafana instance for Cryostat | | +| `grafana.image.repository` | Repository for the Grafana container image | `quay.io/cryostat/cryostat-grafana-dashboard` | +| `grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `Always` | +| `grafana.image.tag` | Tag for the Grafana container image | `latest` | +| `grafana.service.type` | Type of Service to create for Grafana | `ClusterIP` | +| `grafana.service.port` | Port number to expose on the Service for Grafana's HTTP server | `3000` | +| `grafana.resources.requests.cpu` | CPU resource request for the Grafana container. | `25m` | +| `grafana.resources.requests.memory` | Memory resource request for the Grafana container. | `80Mi` | +| `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### JFR Data Source Container -| Name | Description | Value | -| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | -| `datasource` | Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | | -| `datasource.image.repository` | Repository for the JFR Data Source container image | `quay.io/cryostat/jfr-datasource` | -| `datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `Always` | -| `datasource.image.tag` | Tag for the JFR Data Source container image | `latest` | -| `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `datasource` | Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | | +| `datasource.image.repository` | Repository for the JFR Data Source container image | `quay.io/cryostat/jfr-datasource` | +| `datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `Always` | +| `datasource.image.tag` | Tag for the JFR Data Source container image | `latest` | +| `datasource.resources.requests.cpu` | CPU resource request for the JFR Data Source container. | `200m` | +| `datasource.resources.requests.memory` | Memory resource request for the JFR Data Source container. | `200Mi` | +| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Authentication 
@@ -139,31 +153,38 @@ helm install cryostat ./charts/cryostat | `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | | `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | + ### OAuth2 Proxy -| Name | Description | Value | -| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. 
Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 
Proxy container image | `latest` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). 
| `{}` | + ### OpenShift OAuth Proxy -| Name | Description | Value | -| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | -| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | -| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | -| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | -| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | -| `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | -| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `pods` | -| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | -| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. 
| `""` | -| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` | -| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | -| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | +| `openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container. | `25m` | +| `openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container. 
| `64Mi` | +| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | +| `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `pods` | +| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | +| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` | +| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Other Parameters 
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 548914a9..15162add 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -148,8 +148,23 @@ }, "resources": { "type": "object", - "description": "Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", - "default": {} + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the Cryostat container.", + "default": "500m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the Cryostat container.", + "default": "384Mi" + } + } + } + } }, "securityContext": { "type": "object", @@ -234,6 +249,26 @@ "db": { "type": "object", "properties": { + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the database container image", + "default": "quay.io/cryostat/cryostat-db" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the database container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the database container image", + "default": "latest" + } + } + }, "securityContext": { "type": "object", "properties": { 
@@ -259,30 +294,40 @@ } } }, - "image": { + "service": { "type": "object", "properties": { - "repository": { - "type": "string", - "description": "Repository for the database container image", - "default": "quay.io/cryostat/cryostat-db" - }, - "pullPolicy": { + "type": { "type": "string", - "description": "Image pull policy for the database container image", - "default": "Always" + "description": "Type of Service to create for the database", + "default": "ClusterIP" }, - "tag": { - "type": "string", - "description": "Tag for the database container image", - "default": "latest" + "port": { + "type": "number", + "description": "Port number to expose on the Service", + "default": 5432 } } }, "resources": { "type": "object", - "description": "Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", - "default": {} + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the database container.", + "default": "25m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the database container.", + "default": "64Mi" + } + } + } + } } } }, 
@@ -334,10 +379,40 @@ } } }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "Type of Service to create for the object storage", + "default": "ClusterIP" + }, + "port": { + "type": "number", + "description": "Port number to expose on the Service", + "default": 8333 + } + } + }, "resources": { "type": "object", - "description": "Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", - "default": {} + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the object storage container.", + "default": "50m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the object storage container.", + "default": "256Mi" + } + } + } + } } } }, @@ -406,8 +481,23 @@ }, "resources": { "type": "object", - "description": "Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", - "default": {} + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the Grafana container.", + "default": "25m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the Grafana container.", + "default": "80Mi" + } + } + } + } } } }, 
@@ -461,8 +551,23 @@ }, "resources": { "type": "object", - "description": "Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", - "default": {} + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the JFR Data Source container.", + "default": "200m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the JFR Data Source container.", + "default": "200Mi" + } + } + } + } } } }, @@ -513,6 +618,26 @@ "default": "latest" } } + }, + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the OAuth2 Proxy container.", + "default": "25m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the OAuth2 Proxy container.", + "default": "64Mi" + } + } + } + } } } }, @@ -609,6 +734,26 @@ } } }, + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "description": "CPU resource request for the OpenShift OAuth Proxy container.", + "default": "25m" + }, + "memory": { + "type": "string", + "description": "Memory resource request for the OpenShift OAuth Proxy container.", + "default": "64Mi" + } + } + } + } + }, "accessReview": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 59f1c086..585cfb0d 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -48,10 +48,11 @@ core: caCertificate: "" ## @param core.route.tls.destinationCACertificate Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route destinationCACertificate: "" - ## @param core.resources Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) resources: requests: + ## @param core.resources.requests.cpu CPU resource request for the Cryostat container. cpu: 500m + ## @param core.resources.requests.memory Memory resource request for the Cryostat container. memory: 384Mi ## @param core.securityContext [object] Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: @@ -96,10 +97,11 @@ db: type: ClusterIP ## @param db.service.port Port number to expose on the Service port: 5432 - ## @param db.resources Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) resources: requests: + ## @param db.resources.requests.cpu CPU resource request for the database container. cpu: 25m + ## @param db.resources.requests.memory Memory resource request for the database container. memory: 64Mi ## @param db.securityContext [object] Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -125,10 +127,11 @@ storage: type: ClusterIP ## @param storage.service.port Port number to expose on the Service port: 8333 - ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) resources: requests: + ## @param storage.resources.requests.cpu CPU resource request for the object storage container. cpu: 50m + ## @param storage.resources.requests.memory Memory resource request for the object storage container. memory: 256Mi ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: @@ -154,10 +157,11 @@ grafana: type: ClusterIP ## @param grafana.service.port Port number to expose on the Service for Grafana's HTTP server port: 3000 - ## @param grafana.resources Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) resources: requests: + ## @param grafana.resources.requests.cpu CPU resource request for the Grafana container. cpu: 25m + ## @param grafana.resources.requests.memory Memory resource request for the Grafana container. memory: 80Mi ## @param grafana.securityContext [object] Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -178,10 +182,11 @@ datasource: pullPolicy: Always ## @param datasource.image.tag Tag for the JFR Data Source container image tag: "latest" - ## @param datasource.resources Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) resources: requests: + ## @param datasource.resources.requests.cpu CPU resource request for the JFR Data Source container. cpu: 200m + ## @param datasource.resources.requests.memory Memory resource request for the JFR Data Source container. memory: 200Mi ## @param datasource.securityContext [object] Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -221,7 +226,9 @@ oauth2Proxy: tag: "latest" resources: requests: + ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container. cpu: 25m + ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container. memory: 64Mi ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). securityContext: @@ -244,7 +251,9 @@ openshiftOauthProxy: tag: "cryostat-v3.0" resources: requests: + ## @param openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container. cpu: 25m + ## @param openshiftOauthProxy.resources.requests.memory Memory resource request for the OpenShift OAuth Proxy container. memory: 64Mi accessReview: ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.
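Review bot: In the values.schema.json hunks (`@@ -461,8 +551,23 @@`, `@@ -513,6 +618,26 @@`, `@@ -609,6 +734,26 @@`), `cpu` and `memory` are declared as `"type": "string"` only, so a values override with an unquoted numeric quantity such as `cpu: 1` reaches schema validation as a number and is rejected, even though it is a valid Kubernetes quantity. Consider accepting both forms, for example `"type": ["string", "number"]`, or state in each description that the value must be quoted.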
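Review bot: The values.yaml hunks for `core`, `db`, `storage`, `grafana` and `datasource` delete the `## @param <component>.resources` line, which was the only place that mentioned limits and linked to ResourceRequirements; the datasource schema hunk drops the same description. After this change only `requests.cpu` and `requests.memory` are documented, and none of the visible defaults set `limits`, so a reader has no indication that limits can be configured and each container remains bounded only by node capacity. Keep the ResourceRequirements link in one of the new descriptions, or add a sentence saying `resources.limits` is accepted and unset by default.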
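Review bot: In the `storage` hunk (`@@ -125,10 +127,11 @@`), the two new `@param` descriptions say "object storage container", while the removed `storage.resources` line and the unchanged `storage.securityContext` line directly below both say "storage container". Pick one name for this component so the generated README table reads consistently.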