From 5bda8443d8a41b8f259aae607e88054edce92992 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 25 Oct 2024 12:48:55 -0400 Subject: [PATCH] feat(deployments): separate db, storage, and reports deployments (#192) Signed-off-by: Andrew Azores 
Signed-off-by: Thuan Vo Co-authored-by: Thuan Vo --- .github/workflows/chart-test.yml | 10 +- charts/cryostat/README.md | 156 ++++++---- charts/cryostat/templates/NOTES.txt | 9 +- charts/cryostat/templates/_helpers.tpl | 12 +- charts/cryostat/templates/_oauth2Proxy.tpl | 5 +- .../templates/_openshiftOauthProxy.tpl | 10 +- charts/cryostat/templates/alpha_config.yaml | 6 - charts/cryostat/templates/cookie_secret.yaml | 4 + ...ployment.yaml => cryostat_deployment.yaml} | 106 +------ .../{service.yaml => cryostat_service.yaml} | 2 + charts/cryostat/templates/db_deployment.yaml | 96 ++++++ .../templates/{pvc.yaml => db_pvc.yaml} | 2 +- charts/cryostat/templates/db_secret.yaml | 2 + charts/cryostat/templates/db_service.yaml | 16 + .../templates/reports_deployment.yaml | 74 +++++ .../cryostat/templates/reports_service.yaml | 18 ++ .../templates/storage_access_secret.yaml | 7 - .../templates/storage_deployment.yaml | 110 +++++++ charts/cryostat/templates/storage_pvc.yaml | 27 ++ charts/cryostat/templates/storage_secret.yaml | 11 + .../cryostat/templates/storage_service.yaml | 16 + .../templates/tests/test-core-connection.yaml | 3 +- .../tests/test-grafana-connection.yaml | 1 + .../tests/test-storage-connection.yaml | 17 - charts/cryostat/tests/alpha_config_test.yaml | 3 - charts/cryostat/tests/cookie_secret_test.yaml | 15 + ...est.yaml => cryostat_deployment_test.yaml} | 285 +++++++++-------- ...e_test.yaml => cryostat_service_test.yaml} | 9 +- charts/cryostat/tests/db_deployment_test.yaml | 194 ++++++++++++ .../tests/{pvc_test.yaml => db_pvc_test.yaml} | 6 +- charts/cryostat/tests/db_secret_test.yaml | 8 + charts/cryostat/tests/db_service_test.yaml | 59 ++++ charts/cryostat/tests/notes_test.yaml | 11 +- .../tests/reports_deployment_test.yaml | 122 ++++++++ .../tests/storage_access_secret_test.yaml | 20 -- .../tests/storage_deployment_test.yaml | 222 ++++++++++++++ charts/cryostat/tests/storage_pvc_test.yaml | 56 ++++ .../cryostat/tests/storage_secret_test.yaml | 35 +++ 
.../cryostat/tests/storage_service_test.yaml | 60 ++++ charts/cryostat/values.schema.json | 290 +++++++++++++++++- charts/cryostat/values.yaml | 105 ++++++- 41 files changed, 1823 insertions(+), 397 deletions(-) rename charts/cryostat/templates/{deployment.yaml => cryostat_deployment.yaml} (68%) rename charts/cryostat/templates/{service.yaml => cryostat_service.yaml} (89%) create mode 100644 charts/cryostat/templates/db_deployment.yaml rename charts/cryostat/templates/{pvc.yaml => db_pvc.yaml} (93%) create mode 100644 charts/cryostat/templates/db_service.yaml create mode 100644 charts/cryostat/templates/reports_deployment.yaml create mode 100644 charts/cryostat/templates/reports_service.yaml delete mode 100644 charts/cryostat/templates/storage_access_secret.yaml create mode 100644 charts/cryostat/templates/storage_deployment.yaml create mode 100644 charts/cryostat/templates/storage_pvc.yaml create mode 100644 charts/cryostat/templates/storage_secret.yaml create mode 100644 charts/cryostat/templates/storage_service.yaml delete mode 100644 charts/cryostat/templates/tests/test-storage-connection.yaml rename charts/cryostat/tests/{deployment_test.yaml => cryostat_deployment_test.yaml} (72%) rename charts/cryostat/tests/{service_test.yaml => cryostat_service_test.yaml} (94%) create mode 100644 charts/cryostat/tests/db_deployment_test.yaml rename charts/cryostat/tests/{pvc_test.yaml => db_pvc_test.yaml} (94%) create mode 100644 charts/cryostat/tests/db_service_test.yaml create mode 100644 charts/cryostat/tests/reports_deployment_test.yaml delete mode 100644 charts/cryostat/tests/storage_access_secret_test.yaml create mode 100644 charts/cryostat/tests/storage_deployment_test.yaml create mode 100644 charts/cryostat/tests/storage_pvc_test.yaml create mode 100644 charts/cryostat/tests/storage_secret_test.yaml create mode 100644 charts/cryostat/tests/storage_service_test.yaml 
diff --git a/.github/workflows/chart-test.yml b/.github/workflows/chart-test.yml index 977e8211..730559ea 100644 --- a/.github/workflows/chart-test.yml +++ b/.github/workflows/chart-test.yml @@ -24,6 +24,8 @@ on: - v[0-9]+ - v[0-9]+.[0-9]+ - cryostat-v[0-9]+.[0-9]+ + # TODO: Remove before merging https://github.com/cryostatio/cryostat-helm/pull/192 + - separate-db-storage jobs: helm-test: @@ -31,6 +33,12 @@ jobs: env: TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.ref_name }} TEST_NAMESPACE: helm-test + strategy: + matrix: + # Supported strategies + upgrade-strategy: + - reset-values + - reset-then-reuse-values steps: - name: Fail if safe-to-test label NOT applied if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'safe-to-test') }} @@ -57,7 +65,7 @@ jobs: HELM_LOCATION="$(which helm)" sudo mv $HELM_LOCATION "$(dirname $HELM_LOCATION)/.helm" - cat <(echo '#!/usr/bin/env bash') <(echo 'exec .helm "${@//--reuse-values/--reset-then-reuse-values}"') | sudo tee $HELM_LOCATION + cat <(echo '#!/usr/bin/env bash') <(echo 'exec .helm "${@//--reuse-values/--${{ matrix.upgrade-strategy }}}"') | sudo tee $HELM_LOCATION sudo chmod +x $HELM_LOCATION bash ct.bash --upgrade diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 7e273ce7..25768c14 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
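Review bot: The `separate-db-storage` branch pattern added under `on:` is marked `# TODO: Remove before merging https://github.com/cryostatio/cryostat-helm/pull/192`, yet this commit is that PR's merge (`#192` in the subject), so the temporary trigger has landed on the main branch. Presumably a push trigger, it runs the full `helm-test` job on every push to that branch without the `safe-to-test` label gate, which the visible `if:` applies only to `pull_request` events; drop the two lines `# TODO: Remove before merging …` and `- separate-db-storage` in a follow-up. The `${{ matrix.upgrade-strategy }}` interpolation into the generated helm wrapper script is acceptable only while the matrix values remain hard-coded literals (`reset-values`, `reset-then-reuse-values`); if that list is ever sourced from a workflow input or event payload it becomes a shell-injection vector, so a comment such as `# matrix values are literals; never populate from untrusted inputs (expanded into a shell script below)` would be worth adding. The `on:` block starts outside the hunk, so other temporary triggers cannot be ruled out from here.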
@@ -57,6 +57,7 @@ helm install cryostat ./charts/cryostat | `core.image.tag` | Tag for the main Cryostat container image | `4.0.0-snapshot` | | `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | | `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | +| `core.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | | `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | `false` | | `core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | | `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | 
@@ -71,7 +72,8 @@ helm install cryostat ./charts/cryostat | `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | | `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | | `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | -| `core.resources` | Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `core.resources.requests.cpu` | CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `500m` | +| `core.resources.requests.memory` | Memory resource request for the Cryostat container. | `384Mi` | | `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. 
More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | | `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | 
@@ -83,87 +85,117 @@ helm install cryostat ./charts/cryostat | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` | | `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +### Report Generator Deployment + +| Name | Description | Value | +| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `reports` | Configuration for the Reports Generator deployment | | +| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | +| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | +| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | +| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | +| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | +| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | +| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | +| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. 
| `512Mi` | +| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Database Container -| Name | Description | Value | -| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `db` | Configuration for Cryostat's database | | -| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | -| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | -| `db.image.tag` | Tag for the database container image | `latest` | -| `db.resources` | Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `db` | Configuration for Cryostat's database | | +| `db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` | +| `db.image.pullPolicy` | Image pull policy for the database container image | `Always` | +| `db.image.tag` | Tag for the database container image | `latest` | +| `db.service.type` | Type of Service to create for the database | `ClusterIP` | +| `db.service.port` | Port number to expose on the Service | `5432` | +| `db.resources.requests.cpu` | CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `25m` | +| `db.resources.requests.memory` | Memory resource request for the database container. | `64Mi` | +| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Storage Container -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `storage` | Configuration for Cryostat's object storage provider | | -| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | -| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | -| `storage.image.tag` | Tag for the storage container image | `latest` | -| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `storage` | Configuration for Cryostat's object storage provider | | +| `storage.storageSecretName` | Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | +| `storage.image.tag` | Tag for the storage container image | `latest` | +| `storage.encryption.enabled` | Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. 
The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security. | `true` | +| `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` | +| `storage.service.port` | Port number to expose on the Service | `8333` | +| `storage.resources.requests.cpu` | CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `50m` | +| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Grafana Container -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- | -| `grafana` | Configuration for the customized Grafana instance for Cryostat | | -| `grafana.image.repository` | Repository for the Grafana container image | `quay.io/cryostat/cryostat-grafana-dashboard` | -| `grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `Always` | -| `grafana.image.tag` | Tag for the Grafana container image | `latest` | -| `grafana.service.type` | Type of Service to create for Grafana | `ClusterIP` | -| `grafana.service.port` | Port number to expose on the Service for Grafana's HTTP server | `3000` | 
-| `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- | +| `grafana` | Configuration for the customized Grafana instance for Cryostat | | +| `grafana.image.repository` | Repository for the Grafana container image | `quay.io/cryostat/cryostat-grafana-dashboard` | +| `grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `Always` | +| `grafana.image.tag` | Tag for the Grafana container image | `latest` | +| `grafana.service.type` | Type of Service to create for Grafana | `ClusterIP` | +| `grafana.service.port` | Port number to expose on the Service for Grafana's HTTP server | `3000` | +| `grafana.resources.requests.cpu` | CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `25m` | +| `grafana.resources.requests.memory` | Memory resource request for the Grafana container. | `80Mi` | +| `grafana.securityContext` | Security Context for the Grafana container. 
Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### JFR Data Source Container -| Name | Description | Value | -| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | -| `datasource` | Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | | -| `datasource.image.repository` | Repository for the JFR Data Source container image | `quay.io/cryostat/jfr-datasource` | -| `datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `Always` | -| `datasource.image.tag` | Tag for the JFR Data Source container image | `latest` | -| `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | -| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `datasource` | Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | | +| `datasource.image.repository` | Repository for the JFR Data Source container image | `quay.io/cryostat/jfr-datasource` | +| `datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `Always` | +| `datasource.image.tag` | Tag for the JFR Data Source container image | `latest` | +| `datasource.resources.requests.cpu` | CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `200m` | +| `datasource.resources.requests.memory` | Memory resource request for the JFR Data Source container. | `200Mi` | +| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Authentication -| Name | Description | Value | -| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` | -| `authentication.openshift.clusterRole.name` | The name of the ClusterRole to bind for the OpenShift OAuth Proxy | `system:auth-delegator` | -| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | -| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | -| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. 
`htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | +| Name | Description | Value | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `authentication.cookieSecretName` | Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` | +| `authentication.openshift.clusterRole.name` | The name of the ClusterRole to bind for the OpenShift OAuth Proxy | `system:auth-delegator` | +| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | +| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | +| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. 
The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | ### OAuth2 Proxy -| Name | Description | Value | -| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. 
default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. 
| `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | ### OpenShift OAuth Proxy -| Name | Description | Value | -| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | -| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | -| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | -| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | -| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. 
| `true` | -| `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | -| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `pods` | -| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | -| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | -| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` | -| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | -| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | +| `openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container. | `25m` | +| `openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container. | `64Mi` | +| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | +| `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. 
| `pods` | +| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | +| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` | +| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Other Parameters diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index ac845880..496297c0 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt @@ -27,7 +27,7 @@ {{- end }} {{- if not (empty $envVars) }} - kubectl -n {{ .Release.Namespace }} set env deploy --containers={{ .Chart.Name }} {{ include "cryostat.fullname" . }} {{ join " " $envVars }} + kubectl -n {{ .Release.Namespace }} set env deploy --containers={{ .Chart.Name }} {{ include "cryostat.deploymentName" . }} {{ join " " $envVars }} {{- end }} ``` {{- end }} 
@@ -36,11 +36,10 @@ {{ $listNum }}. Forward local port to the application's pod: ``` - kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.fullname" . }} + kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} - export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME "8080:$CONTAINER_PORT" + export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:http ``` {{- $listNum = add1 $listNum }} {{- end }} diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index e760fa27..c68af86a 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -101,12 +101,12 @@ Get or generate a default encryption key for database. Get or generate a default secret key for object storage. */}} {{- define "cryostat.objectStorageSecretKey" -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret" .Release.Name)) -}} {{- if $secret -}} {{/* Use current secret. Do not regenerate. */}} -{{- $secret.data.SECRET_KEY -}} +{{- $secret.data.STORAGE_ACCESS_KEY -}} {{- else -}} {{/* Generate new secret @@ -145,3 +145,11 @@ Get or generate a default secret key for auth proxy cookies. {{- end -}} {{- join "," (default list $l | compact | uniq) | quote -}} {{- end -}} + +{{/* +Get the name for managed deployments. +*/}} +{{- define "cryostat.deploymentName" -}} +{{- $version := semver .Chart.AppVersion -}} +{{- printf "%s-v%d" (include "cryostat.fullname" .) $version.Major -}} +{{- end -}} diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index 3e686125..f7ebea42 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl @@ -15,7 +15,7 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: - name: {{ .Release.Name }}-cookie-secret + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} key: COOKIE_SECRET optional: false - name: OAUTH2_PROXY_EMAIL_DOMAINS @@ -35,7 +35,10 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml {{- end }} ports: - containerPort: 4180 + name: http protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} volumeMounts: - name: alpha-config mountPath: /etc/oauth2_proxy/alpha_config 
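Review bot: The new `cryostat.deploymentName` helper in the second `_helpers.tpl` hunk is documented only as "Get the name for managed deployments.", which does not tell a maintainer why the major component of `.Chart.AppVersion` is appended; the visible effect is that every Deployment in this commit is now named `<fullname>-v<major>` (the unit tests expect `RELEASE-NAME-cryostat-v4`) while the Services keep `cryostat.fullname` and select pods by label, presumably so that a major upgrade creates a fresh Deployment rather than rolling the existing one. Suggest expanding the comment to: `Get the name for managed deployments. The chart's major app version is appended (e.g. <fullname>-v4) so a major-version upgrade creates a new Deployment instead of updating the old one; Services keep cryostat.fullname and match pods by labels, so they are unaffected. Rendering fails if .Chart.AppVersion is not a valid semver string.` The last sentence matters because `semver` is strict and the chart's own version carries a `-dev` suffix that happens to be valid.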
diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 6af23010..576d1d9c 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl @@ -10,7 +10,7 @@ Create OpenShift OAuth Proxy container. - name: COOKIE_SECRET valueFrom: secretKeyRef: - name: {{ .Release.Name }}-cookie-secret + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} key: COOKIE_SECRET optional: false args: @@ -20,7 +20,6 @@ Create OpenShift OAuth Proxy container. - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ - - --upstream=http://localhost:8333/storage/ - --cookie-secret="$(COOKIE_SECRET)" - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true @@ -40,7 +39,13 @@ Create OpenShift OAuth Proxy container. imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }} ports: - containerPort: 4180 + name: http protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.openshiftOauthProxy.resources | nindent 4 }} volumeMounts: {{- if .Values.authentication.basicAuth.enabled }} - name: {{ .Release.Name }}-htpasswd @@ -49,7 +54,6 @@ Create OpenShift OAuth Proxy container. {{- end }} - name: {{ .Release.Name }}-proxy-tls mountPath: /etc/tls/private - resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File {{- end}} diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 94f1fa07..f2aeaedd 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml 
@@ -21,12 +21,6 @@ data: - id: grafana path: /grafana/ uri: http://localhost:3000 - - id: storage - path: ^/storage/(.*)$ - rewriteTarget: /$1 - uri: http://localhost:8333 - passHostHeader: false - proxyWebSockets: false providers: - id: dummy name: Unused - Sign In Below diff --git a/charts/cryostat/templates/cookie_secret.yaml b/charts/cryostat/templates/cookie_secret.yaml index fe2ade86..76b44fc0 100644 --- a/charts/cryostat/templates/cookie_secret.yaml +++ b/charts/cryostat/templates/cookie_secret.yaml @@ -1,7 +1,11 @@ +{{- if empty .Values.authentication.cookieSecretName -}} apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-cookie-secret + labels: + {{- include "cryostat.labels" $ | nindent 4 }} type: Opaque data: COOKIE_SECRET: {{ include "cryostat.cookieSecret" . }} +{{- end -}} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml similarity index 68% rename from charts/cryostat/templates/deployment.yaml rename to charts/cryostat/templates/cryostat_deployment.yaml index 8963094d..e9a9fd6a 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -3,9 +3,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "cryostat.fullname" . }} + name: {{ include "cryostat.deploymentName" . }} labels: {{- include "cryostat.labels" . | nindent 4 }} + app.kubernetes.io/component: cryostat spec: replicas: 1 strategy: @@ -13,6 +14,7 @@ spec: selector: matchLabels: {{- include "cryostat.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: cryostat template: metadata: {{- with .Values.podAnnotations }} @@ -21,6 +23,7 @@ spec: {{- end }} labels: {{- include "cryostat.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: cryostat spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: 
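Review bot: The new `{{- if empty .Values.authentication.cookieSecretName -}}` guard in `cookie_secret.yaml` carries no comment saying what a user-managed Secret must contain; both proxy templates in this commit read key `COOKIE_SECRET` from whatever name `authentication.cookieSecretName` resolves to, with `optional: false`, so a Secret lacking that key is only detected when the pod fails to start. Suggest a template comment above the guard: `{{/* Skipped when authentication.cookieSecretName names a user-managed Secret; that Secret must carry a COOKIE_SECRET key, which the auth proxy container reads with optional: false. */}}`. A secondary inconsistency is that this chart-managed Secret is not `immutable: true` while `db_secret.yaml` in the same commit is; if `cryostat.cookieSecret` follows the same lookup-or-generate pattern as `cryostat.objectStorageSecretKey`, rotation is already prevented and this may be intentional, but a one-line comment either way would settle it.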
@@ -43,6 +46,8 @@ spec: env: - name: QUARKUS_HTTP_HOST value: localhost + - name: QUARKUS_LOG_LEVEL + value: {{ .Values.core.debug.log.level }} - name: QUARKUS_HTTP_PORT value: "8181" - name: QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING @@ -57,6 +62,10 @@ spec: value: none - name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT value: no-file + {{- if gt (int (.Values.reports).replicas) 0 }} + - name: QUARKUS_REST_CLIENT_REPORTS_URL + value: {{ printf "http://%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat - name: QUARKUS_DATASOURCE_PASSWORD @@ -66,11 +75,11 @@ spec: key: CONNECTION_KEY optional: false - name: QUARKUS_DATASOURCE_JDBC_URL - value: jdbc:postgresql://localhost:5432/cryostat + value: jdbc:postgresql://{{ $fullName }}-db:5432/cryostat - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE - value: http://localhost:8333 + value: http://{{ $fullName }}-storage:8333 - name: QUARKUS_S3_PATH_STYLE_ACCESS value: "true" - name: QUARKUS_S3_AWS_REGION @@ -84,8 +93,8 @@ spec: - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: {{ printf "%s-storage" .Release.Name }} - key: SECRET_KEY + name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }} + key: STORAGE_ACCESS_KEY optional: false - name: AWS_SECRET_ACCESS_KEY value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY) 
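Review bot: The added `QUARKUS_LOG_LEVEL` entry renders its value unquoted, `value: {{ .Values.core.debug.log.level }}`, whereas the neighbouring `QUARKUS_HTTP_PORT` is written as a quoted string; env values must be strings, so any value YAML would type differently (for example a bare number supplied on the command line) breaks rendering. Suggest `value: {{ .Values.core.debug.log.level | quote }}` for consistency with the surrounding entries; the unit test in this commit asserts `"INFO"` and is unaffected.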
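Review bot: The datasource, object-storage and reports endpoints now leave the pod with no network restriction added alongside them: in the `@@ -57,6 +62,10` hunk `QUARKUS_REST_CLIENT_REPORTS_URL` is an `http://` URL to the reports Service, and in the `@@ -66,11 +75,11` hunk the JDBC URL moves from `localhost:5432` to `{{ $fullName }}-db:5432` and the S3 endpoint from `localhost:8333` to `http://{{ $fullName }}-storage:8333`. The database password, the static S3 secret key read in the `@@ -84,8 +93,8` hunk and the recording data sent for report generation were previously confined to loopback inside one pod and are now sent in plaintext to Services that, as `db_service.yaml` and `reports_service.yaml` show, any pod permitted to reach the namespace can connect to (and whose `type` is user-selectable). The diffstat lists no NetworkPolicy, so either add one that limits ingress to the `db`, `storage` and `reports` pods to pods carrying the `app.kubernetes.io/component: cryostat` label this commit introduces, or document in the README that the operator is expected to provide that restriction and that a non-ClusterIP `*.service.type` exposes these backends beyond the cluster.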
@@ -121,84 +130,6 @@ spec: failureThreshold: 18 resources: {{- toYaml .Values.core.resources | nindent 12 }} - - name: {{ printf "%s-%s" .Chart.Name "db" }} - securityContext: - {{- toYaml (.Values.db).securityContext | nindent 12 }} - image: "{{ (.Values.db).image.repository }}:{{ (.Values.db).image.tag }}" - imagePullPolicy: {{ (.Values.db).image.pullPolicy }} - env: - - name: POSTGRESQL_USER - value: cryostat - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} - key: CONNECTION_KEY - optional: false - - name: POSTGRESQL_DATABASE - value: cryostat - - name: PG_ENCRYPT_KEY - valueFrom: - secretKeyRef: - name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} - key: ENCRYPTION_KEY - optional: false - ports: - - containerPort: 5432 - protocol: TCP - volumeMounts: - - mountPath: /var/lib/pgsql/data - name: {{ .Chart.Name }} - subPath: postgres - readinessProbe: - exec: - command: - - pg_isready - - -U - - cryostat - - -d - - cryostat - - name: {{ printf "%s-%s" .Chart.Name "storage" }} - securityContext: - {{- toYaml (.Values.storage).securityContext | nindent 12 }} - image: "{{ (.Values.storage).image.repository }}:{{ (.Values.storage).image.tag }}" - imagePullPolicy: {{ (.Values.storage).image.pullPolicy }} - env: - - name: CRYOSTAT_BUCKETS - value: archivedrecordings,archivedreports,eventtemplates,probes - - name: CRYOSTAT_ACCESS_KEY - value: cryostat - - name: CRYOSTAT_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ printf "%s-storage" .Release.Name }} - key: SECRET_KEY - optional: false - - name: DATA_DIR - value: /data - - name: IP_BIND - value: 0.0.0.0 - ports: - - containerPort: 8333 - protocol: TCP - volumeMounts: - - mountPath: /data - name: {{ .Chart.Name }} - subPath: seaweed - livenessProbe: - httpGet: - path: "/status" - port: 8333 - periodSeconds: 10 - failureThreshold: 2 - startupProbe: - httpGet: - path: "/status" - port: 8333 - 
periodSeconds: 10 - failureThreshold: 9 - resources: - {{- toYaml (.Values.storage).resources | nindent 12 }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: {{- toYaml .Values.grafana.securityContext | nindent 12 }} @@ -258,15 +189,6 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if ((.Values.pvc).enabled) }} - - name: {{ .Chart.Name }} - persistentVolumeClaim: - claimName: {{ .Release.Name }} - {{- end }} - {{- if not ((.Values.pvc).enabled) }} - - name: {{ .Chart.Name }} - emptyDir: {} - {{- end }} {{- if not (.Values.authentication.openshift).enabled }} - name: alpha-config configMap: diff --git a/charts/cryostat/templates/service.yaml b/charts/cryostat/templates/cryostat_service.yaml similarity index 89% rename from charts/cryostat/templates/service.yaml rename to charts/cryostat/templates/cryostat_service.yaml index d491ca65..74aea0fd 100644 --- a/charts/cryostat/templates/service.yaml +++ b/charts/cryostat/templates/cryostat_service.yaml @@ -6,6 +6,7 @@ metadata: name: {{ $fullName }} labels: {{- include "cryostat.labels" $ | nindent 4 }} + app.kubernetes.io/component: cryostat {{- if (.Values.authentication.openshift).enabled }} annotations: service.alpha.openshift.io/serving-cert-secret-name: {{ .Release.Name }}-proxy-tls @@ -25,3 +26,4 @@ spec: {{- end }} selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} + app.kubernetes.io/component: cryostat diff --git a/charts/cryostat/templates/db_deployment.yaml b/charts/cryostat/templates/db_deployment.yaml new file mode 100644 index 00000000..c6c753fd --- /dev/null +++ b/charts/cryostat/templates/db_deployment.yaml 
@@ -0,0 +1,96 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cryostat.deploymentName" . }}-db + labels: + {{- include "cryostat.labels" . | nindent 4 }} + app.kubernetes.io/component: db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + {{- include "cryostat.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: db + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cryostat.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: db + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "cryostat.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ printf "%s-%s" .Chart.Name "db" }} + securityContext: + {{- toYaml (.Values.db).securityContext | nindent 12 }} + image: "{{ (.Values.db).image.repository }}:{{ (.Values.db).image.tag }}" + imagePullPolicy: {{ (.Values.db).image.pullPolicy }} + env: + - name: POSTGRESQL_USER + value: cryostat + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} + key: CONNECTION_KEY + optional: false + - name: POSTGRESQL_DATABASE + value: cryostat + - name: PG_ENCRYPT_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} + key: ENCRYPTION_KEY + optional: false + ports: + - containerPort: 5432 + protocol: TCP + volumeMounts: + - mountPath: /var/lib/pgsql/data + name: {{ .Chart.Name }}-db + subPath: postgres + readinessProbe: + exec: + command: + - pg_isready + - -U + - cryostat + - -d + - cryostat + resources: + {{- toYaml (.Values.db).resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: 
+ {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if ((.Values.pvc).enabled) }} + - name: {{ .Chart.Name }}-db + persistentVolumeClaim: + claimName: {{ .Release.Name }}-db + {{- end }} + {{- if not ((.Values.pvc).enabled) }} + - name: {{ .Chart.Name }}-db + emptyDir: {} + {{- end }} diff --git a/charts/cryostat/templates/pvc.yaml b/charts/cryostat/templates/db_pvc.yaml similarity index 93% rename from charts/cryostat/templates/pvc.yaml rename to charts/cryostat/templates/db_pvc.yaml index 84667be1..3e7cb12e 100644 --- a/charts/cryostat/templates/pvc.yaml +++ b/charts/cryostat/templates/db_pvc.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: {{ include "cryostat.fullname" . }} + name: {{ include "cryostat.fullname" . }}-db {{- $labels := include "cryostat.labels" $ | nindent 4 }} labels: {{ $labels }} {{- with .Values.pvc.annotations }} diff --git a/charts/cryostat/templates/db_secret.yaml b/charts/cryostat/templates/db_secret.yaml index 26df5339..79863837 100644 --- a/charts/cryostat/templates/db_secret.yaml +++ b/charts/cryostat/templates/db_secret.yaml @@ -3,6 +3,8 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-db + labels: + {{- include "cryostat.labels" $ | nindent 4 }} type: Opaque immutable: true data: diff --git a/charts/cryostat/templates/db_service.yaml b/charts/cryostat/templates/db_service.yaml new file mode 100644 index 00000000..402e189f --- /dev/null +++ b/charts/cryostat/templates/db_service.yaml 
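Review bot: The PVC reference at the end of the `db_deployment.yaml` hunk, `claimName: {{ .Release.Name }}-db`, does not match the claim this same commit renames in `db_pvc.yaml` to `{{ include "cryostat.fullname" . }}-db`. The two agree only when `cryostat.fullname` collapses to the release name; with the unit-test release the Deployment itself renders as `RELEASE-NAME-cryostat-v4`, so the claim would be `RELEASE-NAME-cryostat-db` while the pod asks for `RELEASE-NAME-db` and stays Pending. The mismatch is carried over from the removed `deployment.yaml`, but since this file is new it is the place to fix it: `$fullName` is assigned on the first line and otherwise unused, so `claimName: {{ $fullName }}-db` resolves both. The same unused `$fullName` assignment appears in `reports_deployment.yaml` and `storage_deployment.yaml`.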
@@ -0,0 +1,16 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ $fullName }}-db + labels: + {{- include "cryostat.labels" $ | nindent 4 }} + app.kubernetes.io/component: db +spec: + type: {{ .Values.db.service.type }} + ports: + - port: {{ .Values.db.service.port }} + selector: + {{- include "cryostat.selectorLabels" $ | nindent 4 }} + app.kubernetes.io/component: db diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml new file mode 100644 index 00000000..81507d0b --- /dev/null +++ b/charts/cryostat/templates/reports_deployment.yaml 
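Review bot: The Service in `db_service.yaml` publishes `port: {{ .Values.db.service.port }}` with no `targetPort`, while the container in `db_deployment.yaml` listens on a fixed `5432` and the JDBC URL in `cryostat_deployment.yaml` also hardcodes `:5432`, so `db.service.port` works only at its presumed default and any other setting silently breaks connectivity in both directions. Either pin the backend side with `- port: {{ .Values.db.service.port }}` / `targetPort: 5432` and build the JDBC URL from the same value, or drop the value and hardcode 5432 here as well. The `type: {{ .Values.db.service.type }}` line also deserves a README sentence that anything other than ClusterIP exposes the PostgreSQL endpoint beyond the cluster.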
@@ -0,0 +1,74 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- +{{- if gt (int (.Values.reports).replicas) 0 -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cryostat.deploymentName" . }}-reports + labels: + {{- include "cryostat.labels" . | nindent 4 }} + app.kubernetes.io/component: reports +spec: + replicas: {{ (.Values.reports).replicas }} + strategy: + type: RollingUpdate + selector: + matchLabels: + {{- include "cryostat.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: reports + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cryostat.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: reports + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "cryostat.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ printf "%s-%s" .Chart.Name "reports" }} + securityContext: + {{- toYaml (.Values.reports).securityContext | nindent 12 }} + image: "{{ (.Values.reports).image.repository }}:{{ (.Values.reports).image.tag }}" + imagePullPolicy: {{ (.Values.reports).image.pullPolicy }} + env: + - name: QUARKUS_HTTP_PORT + value: "{{ .Values.reports.service.httpPort }}" + ports: + - containerPort: {{ .Values.reports.service.httpPort }} + protocol: TCP + startupProbe: + httpGet: + path: "/health" + port: {{ .Values.reports.service.httpPort }} + periodSeconds: 10 + failureThreshold: 9 + livenessProbe: + httpGet: + path: "/health" + port: {{ .Values.reports.service.httpPort }} + periodSeconds: 10 + failureThreshold: 2 + resources: + {{- toYaml (.Values.reports).resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end -}} diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml new file mode 100644 index 00000000..42358270 --- /dev/null +++ b/charts/cryostat/templates/reports_service.yaml @@ -0,0 +1,18 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- +{{- if gt (int (.Values.reports).replicas) 0 -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ $fullName }}-reports + labels: + {{- include "cryostat.labels" $ | nindent 4 }} + app.kubernetes.io/component: reports +spec: + type: {{ .Values.reports.service.type }} + ports: + - port: {{ .Values.reports.service.httpPort }} + selector: + {{- include "cryostat.selectorLabels" $ | nindent 4 }} + app.kubernetes.io/component: reports +{{- end -}} diff --git a/charts/cryostat/templates/storage_access_secret.yaml b/charts/cryostat/templates/storage_access_secret.yaml deleted file mode 100644 index b17a18e3..00000000 --- a/charts/cryostat/templates/storage_access_secret.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-storage -type: Opaque -data: - SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }} diff --git a/charts/cryostat/templates/storage_deployment.yaml b/charts/cryostat/templates/storage_deployment.yaml new file mode 100644 index 00000000..30316337 --- /dev/null +++ b/charts/cryostat/templates/storage_deployment.yaml 
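Review bot: The reports container defines a `startupProbe` and a `livenessProbe` on `/health` but no `readinessProbe`, unlike the storage deployment in this commit which has all three; once a replica has passed startup it stays in the `reports_service.yaml` endpoints until the liveness probe's `failureThreshold: 2` at `periodSeconds: 10` restarts it, and with `replicas` greater than one a `RollingUpdate` cannot hold traffic back from a pod whose `/health` has not yet succeeded on its own. Suggest adding a readiness probe on the same path next to the liveness probe so unhealthy or not-yet-healthy replicas are removed from the Service before the liveness restart fires.
```yaml
          # … unchanged: startupProbe and livenessProbe on /health …
          readinessProbe:
            httpGet:
              path: "/health"
              port: {{ .Values.reports.service.httpPort }}
            periodSeconds: 10
            failureThreshold: 2
```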
@@ -0,0 +1,110 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cryostat.deploymentName" . }}-storage + labels: + {{- include "cryostat.labels" . | nindent 4 }} + app.kubernetes.io/component: storage +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + {{- include "cryostat.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: storage + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cryostat.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: storage + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "cryostat.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ printf "%s-%s" .Chart.Name "storage" }} + securityContext: + {{- toYaml (.Values.storage).securityContext | nindent 12 }} + image: "{{ (.Values.storage).image.repository }}:{{ (.Values.storage).image.tag }}" + imagePullPolicy: {{ (.Values.storage).image.pullPolicy }} + env: + - name: CRYOSTAT_BUCKETS + value: archivedrecordings,archivedreports,eventtemplates,probes + - name: CRYOSTAT_ACCESS_KEY + value: cryostat + - name: CRYOSTAT_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }} + key: STORAGE_ACCESS_KEY + optional: false + - name: DATA_DIR + value: /data + - name: IP_BIND + value: 0.0.0.0 + - name: REST_ENCRYPTION_ENABLE + value: "{{ .Values.storage.encryption.enabled | ternary 1 0 }}" + ports: + - containerPort: 8333 + protocol: TCP + volumeMounts: + - mountPath: /data + name: {{ .Chart.Name }}-storage + subPath: seaweed + startupProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 9 + livenessProbe: 
+ httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 2 + readinessProbe: + exec: + command: + - sh + - -c + - echo s3.bucket.list | weed shell | [[ "$( dnf install --disableplugin=subscription-manager -yq jq; - curl -sSf --retry 10 --retry-connrefused -o /tmp/out.json http://{{ include "cryostat.fullname" . }}:{{ .Values.core.service.httpPort }}/health; + curl -sSf --retry 10 --retry-connrefused http://{{ include "cryostat.fullname" . }}:{{ .Values.core.service.httpPort }}/health | tee /tmp/out.json; cat /tmp/out.json; {{- if hasSuffix "-dev" .Chart.AppVersion }} jq -e '{{ printf "(.cryostatVersion | test(\"^v%s-snapshot$\"))" (.Chart.AppVersion | trimSuffix "-dev" | squote) }}' /tmp/out.json; diff --git a/charts/cryostat/templates/tests/test-grafana-connection.yaml b/charts/cryostat/templates/tests/test-grafana-connection.yaml index d68c007e..9b68ad6b 100644 --- a/charts/cryostat/templates/tests/test-grafana-connection.yaml +++ b/charts/cryostat/templates/tests/test-grafana-connection.yaml @@ -4,6 +4,7 @@ metadata: name: "{{ include "cryostat.fullname" . }}-test-grafana-connection" labels: {{- include "cryostat.labels" . | nindent 4 }} + app.kubernetes.io/component: test-grafana-connection annotations: "helm.sh/hook": test spec: diff --git a/charts/cryostat/templates/tests/test-storage-connection.yaml b/charts/cryostat/templates/tests/test-storage-connection.yaml deleted file mode 100644 index d7435975..00000000 --- a/charts/cryostat/templates/tests/test-storage-connection.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "cryostat.fullname" . }}-test-storage-connection" - labels: - {{- include "cryostat.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: curl - image: registry.access.redhat.com/ubi8/ubi:latest - command: - - '/bin/bash' - - '-exc' - - curl -sSf --retry 10 --retry-connrefused http://{{ include "cryostat.fullname" . }}:{{ .Values.core.service.httpPort }}/storage/ - restartPolicy: Never diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml index 22b0deb7..7b5e6f1f 100644 --- a/charts/cryostat/tests/alpha_config_test.yaml +++ b/charts/cryostat/tests/alpha_config_test.yaml @@ -14,9 +14,6 @@ tests: - matchRegex: path: data['alpha_config.yaml'] pattern: "- id: grafana\\s*path: /grafana/\\s*uri: http://localhost:3000" - - matchRegex: - path: data['alpha_config.yaml'] - pattern: "- id: storage\\s*path: \\^/storage/\\(\\.\\*\\)\\$\\s*rewriteTarget: /\\$1\\s*uri: http://localhost:8333\\s*passHostHeader: false\\s*proxyWebSockets: false" - matchRegex: path: data['alpha_config.yaml'] pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google" diff --git a/charts/cryostat/tests/cookie_secret_test.yaml b/charts/cryostat/tests/cookie_secret_test.yaml index de947995..8047df4e 100644 --- a/charts/cryostat/tests/cookie_secret_test.yaml +++ b/charts/cryostat/tests/cookie_secret_test.yaml 
@@ -18,3 +18,18 @@ tests: value: Opaque - exists: path: data.COOKIE_SECRET + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev + + - it: should not create a cookie secret if authentication.cookieSecretName is set + set: + authentication.cookieSecretName: "custom-cookie-secret" + asserts: + - hasDocuments: + count: 0 diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml similarity index 72% rename from charts/cryostat/tests/deployment_test.yaml rename to charts/cryostat/tests/cryostat_deployment_test.yaml index 77f98736..64396061 100644 --- a/charts/cryostat/tests/deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml @@ -1,6 +1,6 @@ -suite: test deployment.yaml +suite: test cryostat_deployment.yaml templates: - - deployment.yaml + - cryostat_deployment.yaml tests: - it: should verify general deployment settings @@ -10,7 +10,7 @@ tests: value: Deployment - equal: path: metadata.name - value: RELEASE-NAME-cryostat + value: RELEASE-NAME-cryostat-v4 - equal: path: spec.replicas value: 1 @@ -22,11 +22,13 @@ tests: value: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: cryostat + app.kubernetes.io/component: cryostat - equal: path: spec.template.metadata.labels value: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: cryostat + app.kubernetes.io/component: cryostat - equal: path: spec.template.spec.serviceAccountName value: RELEASE-NAME-cryostat @@ -44,6 +46,7 @@ tests: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/version: "4.0.0-dev" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: cryostat - it: should validate all container settings including environment variables and security contexts asserts: 
@@ -58,6 +61,9 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PORT')].value value: "8181" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_LOG_LEVEL')].value + value: "INFO" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_HOST')].value value: "localhost" @@ -90,13 +96,13 @@ tests: optional: false - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_JDBC_URL')].value - value: "jdbc:postgresql://localhost:5432/cryostat" + value: "jdbc:postgresql://RELEASE-NAME-cryostat-db:5432/cryostat" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_ARCHIVES_NAME')].value value: "archivedrecordings" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_ENDPOINT_OVERRIDE')].value - value: "http://localhost:8333" + value: "http://RELEASE-NAME-cryostat-storage:8333" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_PATH_STYLE_ACCESS')].value value: "true" @@ -115,12 +121,14 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef value: - key: "SECRET_KEY" - name: "RELEASE-NAME-storage" + key: "STORAGE_ACCESS_KEY" + name: "RELEASE-NAME-storage-secret" optional: false - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].value value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY) + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='GRAFANA_DATASOURCE_URL')].value value: "http://localhost:8800" 
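Review bot: The `QUARKUS_DATASOURCE_JDBC_URL` and `QUARKUS_S3_ENDPOINT_OVERRIDE` assertions now pin `jdbc:postgresql://RELEASE-NAME-cryostat-db:5432/cryostat` and `http://RELEASE-NAME-cryostat-storage:8333`, so the database password and the S3 secret key that were previously exchanged over loopback inside one pod now cross the cluster network without TLS. If the chart offers no TLS option for these two links, that trust assumption (and the expectation of a NetworkPolicy restricting the db and storage Services to the cryostat pods) belongs in the README; if it does, a test should enable it and assert an `sslmode`/`https` form here. The port `5432` is also hard-coded in this assertion while db_service_test exercises a `db.service.port` override; a case that sets `db.service.port` and asserts the JDBC URL follows it would catch the two templates drifting apart. Lastly, the secretKeyRef key `STORAGE_ACCESS_KEY` feeds `QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY`, i.e. it holds the secret access key rather than the access key ID; a comment on that line, `# STORAGE_ACCESS_KEY holds the S3 secret access key, not the key ID`, prevents the obvious misreading.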
@@ -163,144 +171,140 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.failureThreshold value: 18 - - exists: + - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].resources + value: + requests: + cpu: 500m + memory: 384Mi - - it: should validate cryostat-db settings + - it: should set log level + set: + core: + debug: + log: + level: TRACE asserts: - - exists: - path: spec.template.spec.containers[?(@.name=='cryostat-db')] - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.allowPrivilegeEscalation - value: false - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.capabilities.drop - value: - - ALL - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].image - value: "quay.io/cryostat/cryostat-db:latest" - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy - value: "Always" + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_LOG_LEVEL')].value + value: TRACE + + - it: should set environment variable if sidecar report generator is enabled + set: + reports: + replicas: 1 + asserts: - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_USER')].value - value: "cryostat" + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value + value: http://RELEASE-NAME-cryostat-reports:10001 + + - it: should set oauth2proxy resource overrides + set: + oauth2Proxy: + resources: + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + asserts: - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_PASSWORD')].valueFrom.secretKeyRef + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].resources value: - name: "RELEASE-NAME-db" - key: "CONNECTION_KEY" - optional: false - - equal: - 
path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_DATABASE')].value - value: "cryostat" + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + + - it: should set openshiftOauthProxy resource overrides + set: + authentication: + openshift: + enabled: true + openshiftOauthProxy: + resources: + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + asserts: - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='PG_ENCRYPT_KEY')].valueFrom.secretKeyRef + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].resources value: - name: "RELEASE-NAME-db" - key: "ENCRYPTION_KEY" - optional: false - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].ports[0].containerPort - value: 5432 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].ports[0].protocol - value: "TCP" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].mountPath - value: "/var/lib/pgsql/data" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].name - value: "cryostat" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].subPath - value: "postgres" + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + + - it: should set cryostat resource overrides + set: + core: + resources: + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + asserts: - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].readinessProbe.exec.command + path: spec.template.spec.containers[?(@.name=='cryostat')].resources value: - - pg_isready - - -U - - cryostat - - -d - - cryostat + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi - - it: should validate cryostat-storage settings + - it: should set grafana resource overrides + set: + grafana: + resources: + limits: + 
cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi asserts: - - exists: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')] - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].securityContext.allowPrivilegeEscalation - value: false - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].securityContext.capabilities.drop + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].resources value: - - ALL - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].image - value: "quay.io/cryostat/cryostat-storage:latest" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy - value: "Always" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_BUCKETS')].value - value: "archivedrecordings,archivedreports,eventtemplates,probes" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_ACCESS_KEY')].value - value: "cryostat" + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + + - it: should set jfr-datasource resource overrides + set: + datasource: + resources: + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + asserts: - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].resources value: - name: "RELEASE-NAME-storage" - key: "SECRET_KEY" - optional: false - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value - value: "/data" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='IP_BIND')].value - value: 0.0.0.0 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].containerPort - 
value: 8333 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].protocol - value: "TCP" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].mountPath - value: "/data" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].name - value: "cryostat" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].subPath - value: "seaweed" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.httpGet.path - value: "/status" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.httpGet.port - value: 8333 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.periodSeconds - value: 10 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.failureThreshold - value: 2 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.httpGet.path - value: "/status" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.httpGet.port - value: 8333 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.periodSeconds - value: 10 - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.failureThreshold - value: 9 - - exists: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].resources + limits: + cpu: 4000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi - it: should validate cryostat-grafana settings asserts: 
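Review bot: Every resource-override fixture in this hunk sets `requests.memory: 2Gi` above `limits.memory: 1Gi` (with `requests.cpu: 4000m` equal to the limit), which the API server rejects at admission because requests may not exceed limits; helm-unittest only renders templates, so the suite passes, but the fixture documents a configuration that cannot be deployed. Using for example `requests: {cpu: 1000m, memory: 512Mi}` alongside the existing limits keeps the override distinguishable from the defaults and valid. The same inverted values appear in the `should set resource overrides` cases of db_deployment_test and storage_deployment_test in this commit.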
@@ -346,8 +350,12 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].livenessProbe.httpGet.port value: 3000 - - exists: + - equal: path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].resources + value: + requests: + cpu: 25m + memory: 80Mi - it: should validate cryostat-jfr-datasource settings asserts: @@ -384,8 +392,12 @@ tests: - curl - --fail - http://localhost:8800 - - exists: + - equal: path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].resources + value: + requests: + cpu: 200m + memory: 200Mi - it: should validate volumes and volume mounts asserts: @@ -458,15 +470,9 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].imagePullPolicy value: Always - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy - value: Always - equal: path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].imagePullPolicy value: "Always" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy - value: "Always" - equal: path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy value: "Always" @@ -476,7 +482,6 @@ tests: core.image.tag: "4.1.0" core.image.pullPolicy: "IfNotPresent" oauth2Proxy.image.pullPolicy: "IfNotPresent" - storage.image.pullPolicy: "IfNotPresent" grafana.image.pullPolicy: "IfNotPresent" db.image.pullPolicy: "IfNotPresent" datasource.image.pullPolicy: "IfNotPresent" 
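Review bot: `db.image.pullPolicy: "IfNotPresent"` is still in the `set:` block of the release-version pull-policy case, but the `@@ -487,15 +492,9` hunk removes the only assertion that consumed it, since the cryostat-db container no longer lives in this Deployment; it is now a dead value and should go the same way as the removed `storage.image.pullPolicy` line. db_deployment_test carries its own `db.image.pullPolicy` case, so nothing is lost by dropping it here.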
@@ -487,15 +492,9 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].imagePullPolicy value: "IfNotPresent" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy - value: "IfNotPresent" - equal: path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].imagePullPolicy value: "IfNotPresent" - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy - value: "IfNotPresent" - equal: path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy value: "IfNotPresent" diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/cryostat_service_test.yaml similarity index 94% rename from charts/cryostat/tests/service_test.yaml rename to charts/cryostat/tests/cryostat_service_test.yaml index 5fa3dd0e..1cc53127 100644 --- a/charts/cryostat/tests/service_test.yaml +++ b/charts/cryostat/tests/cryostat_service_test.yaml @@ -1,6 +1,6 @@ -suite: test service.yaml +suite: test cryostat_service.yaml templates: - - service.yaml + - cryostat_service.yaml tests: - it: should create a Service with the correct settings @@ -40,6 +40,7 @@ tests: app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: cryostat - it: should create a Service with the correct settings when OpenShift authentication is enabled set: @@ -85,6 +86,7 @@ tests: value: app.kubernetes.io/name: cryostat app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: cryostat - equal: path: metadata.labels value: @@ -93,6 +95,7 @@ tests: app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: cryostat - equal: path: metadata.annotations value: @@ -116,5 +119,3 @@ tests: asserts: - notExists: path: metadata.annotations.`service.alpha.openshift.io/serving-cert-secret-name` - - 
diff --git a/charts/cryostat/tests/db_deployment_test.yaml b/charts/cryostat/tests/db_deployment_test.yaml new file mode 100644 index 00000000..092b33b5 --- /dev/null +++ b/charts/cryostat/tests/db_deployment_test.yaml 
@@ -0,0 +1,194 @@ +suite: test db_deployment.yaml +templates: + - db_deployment.yaml + +tests: + - it: should verify general deployment settings + asserts: + - equal: + path: kind + value: Deployment + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-v4-db + - equal: + path: spec.replicas + value: 1 + - equal: + path: spec.strategy.type + value: Recreate + - equal: + path: spec.selector.matchLabels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: db + - equal: + path: spec.template.metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: db + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-cryostat + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.seccompProfile.type + value: RuntimeDefault + - equal: + path: metadata.labels + value: + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/name: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/version: "4.0.0-dev" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: db + + - it: should validate cryostat-db settings + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-db')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.capabilities.drop + value: + - ALL + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].image + value: "quay.io/cryostat/cryostat-db:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_USER')].value + value: 
"cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_PASSWORD')].valueFrom.secretKeyRef + value: + name: "RELEASE-NAME-db" + key: "CONNECTION_KEY" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_DATABASE')].value + value: "cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='PG_ENCRYPT_KEY')].valueFrom.secretKeyRef + value: + name: "RELEASE-NAME-db" + key: "ENCRYPTION_KEY" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].ports[0].containerPort + value: 5432 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].ports[0].protocol + value: "TCP" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].mountPath + value: "/var/lib/pgsql/data" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].name + value: "cryostat-db" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].subPath + value: "postgres" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].readinessProbe.exec.command + value: + - pg_isready + - -U + - cryostat + - -d + - cryostat + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].resources + value: + requests: + cpu: 25m + memory: 64Mi + + - it: should set resource overrides + set: + db: + resources: + limits: + cpu: 2000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].resources + value: + limits: + cpu: 2000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + + - it: should validate volumes and volume mounts + asserts: + - exists: + path: spec.template.spec.volumes[?(@.name=='cryostat-db')] + - exists: + path: 
spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[?(@.mountPath=='/var/lib/pgsql/data')] + + - it: should set image pull secrets if specified + set: + imagePullSecrets: + - name: myregistrykey + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: "myregistrykey" + + - it: should apply Kubernetes specific settings when configured + set: + nodeSelector: + disktype: ssd + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + values: + - ssd + tolerations: + - key: "key" + operator: "Equal" + value: "value" + effect: "NoSchedule" + asserts: + - exists: + path: spec.template.spec.nodeSelector + - exists: + path: spec.template.spec.affinity + - exists: + path: spec.template.spec.tolerations + + - it: should verify image pull policies for development snapshots + set: + core.image.tag: "4.0.0-snapshot" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy + value: "Always" + + - it: should verify image pull policies for release versions + set: + db.image.pullPolicy: "IfNotPresent" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy + value: "IfNotPresent" + diff --git a/charts/cryostat/tests/pvc_test.yaml b/charts/cryostat/tests/db_pvc_test.yaml similarity index 94% rename from charts/cryostat/tests/pvc_test.yaml rename to charts/cryostat/tests/db_pvc_test.yaml index 6484d50b..b88b4e41 100644 --- a/charts/cryostat/tests/pvc_test.yaml +++ b/charts/cryostat/tests/db_pvc_test.yaml @@ -1,6 +1,6 @@ -suite: test pvc.yaml +suite: test db_pvc.yaml templates: - - pvc.yaml + - db_pvc.yaml tests: - it: should create a PersistentVolumeClaim with correct settings 
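Review bot: db_deployment_test has no case for the `core.databaseSecretName` override, although db_secret_test in this commit asserts that no Secret is rendered when it is set; a case that sets it and asserts the `POSTGRESQL_PASSWORD` and `PG_ENCRYPT_KEY` secretKeyRef names switch from `RELEASE-NAME-db` to the custom name would prove the two templates agree, and without it a user who supplies their own Secret could end up with a pod referencing one that does not exist. The storage counterpart, `storage.storageSecretName`, has the same gap in storage_deployment_test. The container hardening assertions (drop ALL, no privilege escalation, runAsNonRoot, RuntimeDefault seccomp) are good; if db_deployment.yaml also sets `readOnlyRootFilesystem`, asserting it here would keep it from regressing silently.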
@@ -24,7 +24,7 @@ tests: value: PersistentVolumeClaim - equal: path: metadata.name - value: "RELEASE-NAME-cryostat" + value: "RELEASE-NAME-cryostat-db" - equal: path: metadata.labels value: diff --git a/charts/cryostat/tests/db_secret_test.yaml b/charts/cryostat/tests/db_secret_test.yaml index 3f3fbab9..1405ce76 100644 --- a/charts/cryostat/tests/db_secret_test.yaml +++ b/charts/cryostat/tests/db_secret_test.yaml @@ -22,6 +22,14 @@ tests: path: data.ENCRYPTION_KEY - exists: path: data.CONNECTION_KEY + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev - it: should not create a database secret if core.databaseSecretName is set set: diff --git a/charts/cryostat/tests/db_service_test.yaml b/charts/cryostat/tests/db_service_test.yaml new file mode 100644 index 00000000..69c162e2 --- /dev/null +++ b/charts/cryostat/tests/db_service_test.yaml 
@@ -0,0 +1,59 @@
+suite: test db_service.yaml
+templates:
+ - db_service.yaml
+
+tests:
+ - it: should create a Service with the correct default settings
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-cryostat-db
+ - equal:
+ path: spec.type
+ value: ClusterIP
+ - equal:
+ path: spec.ports[0].port
+ value: 5432
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-2.0.0-dev
+ app.kubernetes.io/component: db
+
+ - it: should create a Service with the correct settings overrides
+ set:
+ db.service.type: NodeIP
+ db.service.port: 8080
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-cryostat-db
+ - equal:
+ path: spec.type
+ value: NodeIP
+ - equal:
+ path: spec.ports[0].port
+ value: 8080
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-2.0.0-dev
+ app.kubernetes.io/component: db
diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml
index f60265dd..19c0c358 100644
--- a/charts/cryostat/tests/notes_test.yaml
+++ b/charts/cryostat/tests/notes_test.yaml
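Review bot: Neither case asserts `spec.selector`, yet every workload in this chart now shares `app.kubernetes.io/name: cryostat` and `app.kubernetes.io/instance: RELEASE-NAME`, so a db_service.yaml selector that omitted `app.kubernetes.io/component: db` would send port 5432 traffic to whichever cryostat, storage or reports pod happened to match; cryostat_service_test in this commit asserts the component label in its selector, and the same `equal` on `spec.selector` belongs here. The override case also sets `db.service.type: NodeIP`, which is not a Kubernetes Service type (the valid values are ClusterIP, NodePort, LoadBalancer and ExternalName); `NodePort` is presumably what was meant. Since the test legitimises exposing PostgreSQL through a non-ClusterIP type, a comment or README note that the db and storage Services are intended for in-cluster use only would be appropriate.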
@@ -77,7 +77,7 @@ tests: ``` export NODE_IP=$(kubectl get nodes -n NAMESPACE -o jsonpath="{.items[0].status.addresses[0].address}") export NODE_PORT=$(kubectl get -n NAMESPACE -o jsonpath="{.spec.ports[0].nodePort}" services RELEASE-NAME-cryostat) - kubectl -n NAMESPACE set env deploy --containers=cryostat RELEASE-NAME-cryostat QUARKUS_HTTP_HOST=$NODE_IP + kubectl -n NAMESPACE set env deploy --containers=cryostat RELEASE-NAME-cryostat-v4 QUARKUS_HTTP_HOST=$NODE_IP ``` 2. Visit the application at: @@ -99,7 +99,7 @@ tests: NOTE: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status by running 'kubectl get -n NAMESPACE -w svc/RELEASE-NAME-cryostat' export SERVICE_IP=$(kubectl get svc -n NAMESPACE RELEASE-NAME-cryostat --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}") - kubectl -n NAMESPACE set env deploy --containers=cryostat RELEASE-NAME-cryostat QUARKUS_HTTP_HOST=$SERVICE_IP + kubectl -n NAMESPACE set env deploy --containers=cryostat RELEASE-NAME-cryostat-v4 QUARKUS_HTTP_HOST=$SERVICE_IP ``` 2. Visit the application at: 
@@ -119,11 +119,10 @@ tests: 2. Forward local port to the application's pod: ``` - kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat + kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 - export POD_NAME=$(kubectl get pods -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod -n NAMESPACE $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - kubectl -n NAMESPACE port-forward $POD_NAME "8080:$CONTAINER_PORT" + export POD_NAME=$(kubectl get pods -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n NAMESPACE port-forward $POD_NAME 8080:http ``` 3. Visit the application at: diff --git a/charts/cryostat/tests/reports_deployment_test.yaml b/charts/cryostat/tests/reports_deployment_test.yaml new file mode 100644 index 00000000..d504264c --- /dev/null +++ b/charts/cryostat/tests/reports_deployment_test.yaml 
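Review bot: The rewritten port-forward line targets the named container port `http` (`kubectl -n NAMESPACE port-forward $POD_NAME 8080:http`) instead of reading the port number from the pod, but no test in this commit asserts that the cryostat container's port is actually named `http`; an `equal` on `spec.template.spec.containers[?(@.name=='cryostat')].ports[0].name` with value `http` in cryostat_deployment_test would tie the NOTES text to the template. Adding `app.kubernetes.io/component=cryostat` to the pod selector is the right fix now that four workloads share the name and instance labels.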
@@ -0,0 +1,122 @@ +suite: test reports_deployment.yaml +templates: + - reports_deployment.yaml + +tests: + - it: should verify general deployment settings when disabled + asserts: + - hasDocuments: + count: 0 + + - it: should verify general deployment settings when enabled + set: + reports: + replicas: 2 + asserts: + - equal: + path: kind + value: Deployment + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-v4-reports + - equal: + path: spec.replicas + value: 2 + - equal: + path: spec.strategy.type + value: RollingUpdate + - equal: + path: spec.selector.matchLabels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: reports + - equal: + path: spec.template.metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: reports + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-cryostat + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.seccompProfile.type + value: RuntimeDefault + - equal: + path: metadata.labels + value: + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/name: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/version: "4.0.0-dev" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: reports + + - it: should validate all container settings including environment variables and security contexts + set: + reports: + replicas: 1 + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports')].image + value: "quay.io/cryostat/cryostat-reports:4.0.0-snapshot" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports')].env[?(@.name=='QUARKUS_HTTP_PORT')].value + value: "10001" + + - it: should apply Kubernetes specific settings when 
configured + set: + reports: + replicas: 1 + nodeSelector: + disktype: ssd + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + values: + - ssd + tolerations: + - key: "key" + operator: "Equal" + value: "value" + effect: "NoSchedule" + asserts: + - exists: + path: spec.template.spec.nodeSelector + - exists: + path: spec.template.spec.affinity + - exists: + path: spec.template.spec.tolerations + + - it: should verify image pull policies for development snapshots + set: + reports: + replicas: 1 + image: + tag: "4.0.0-snapshot" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports')].imagePullPolicy + value: Always + + - it: should verify image pull policies for release versions + set: + reports: + replicas: 1 + image: + tag: "4.1.0" + pullPolicy: "IfNotPresent" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports')].imagePullPolicy + value: "IfNotPresent" diff --git a/charts/cryostat/tests/storage_access_secret_test.yaml b/charts/cryostat/tests/storage_access_secret_test.yaml deleted file mode 100644 index f5e0ab7b..00000000 --- a/charts/cryostat/tests/storage_access_secret_test.yaml +++ /dev/null @@ -1,20 +0,0 @@ -suite: test storage_access_secret.yaml -templates: - - storage_access_secret.yaml - -tests: - - it: should create a Storage Access Secret with correct settings - asserts: - - hasDocuments: - count: 1 - - equal: - path: kind - value: Secret - - equal: - path: metadata.name - value: RELEASE-NAME-storage - - equal: - path: type - value: Opaque - - exists: - path: data.SECRET_KEY diff --git a/charts/cryostat/tests/storage_deployment_test.yaml b/charts/cryostat/tests/storage_deployment_test.yaml new file mode 100644 index 00000000..b3c1d8db --- /dev/null +++ b/charts/cryostat/tests/storage_deployment_test.yaml 
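Review bot: The reports container case only asserts the image and `QUARKUS_HTTP_PORT`, while the db and storage suites in this commit also assert `securityContext.allowPrivilegeEscalation: false`, `securityContext.capabilities.drop: [ALL]` and the default `resources`; if reports_deployment.yaml sets the same hardening it should be asserted here so it cannot regress unnoticed, and if it does not, that is the more important finding. The pod-level `runAsNonRoot` and `seccompProfile` assertions are present, so only the container level is missing. The image asserted without any `set:` is `cryostat-reports:4.0.0-snapshot`, whereas db and storage default to `latest`; a short comment explaining that difference would help the next maintainer.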
@@ -0,0 +1,222 @@ +suite: test storage_deployment.yaml +templates: + - storage_deployment.yaml + +tests: + - it: should verify general deployment settings + asserts: + - equal: + path: kind + value: Deployment + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-v4-storage + - equal: + path: spec.replicas + value: 1 + - equal: + path: spec.strategy.type + value: Recreate + - equal: + path: spec.selector.matchLabels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: storage + - equal: + path: spec.template.metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: storage + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-cryostat + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.seccompProfile.type + value: RuntimeDefault + - equal: + path: metadata.labels + value: + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/name: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/version: "4.0.0-dev" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: storage + + - it: should validate cryostat-storage settings + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].securityContext.capabilities.drop + value: + - ALL + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].image + value: "quay.io/cryostat/cryostat-storage:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: "Always" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_BUCKETS')].value + value: "archivedrecordings,archivedreports,eventtemplates,probes" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_ACCESS_KEY')].value + value: "cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef + value: + name: "RELEASE-NAME-storage-secret" + key: "STORAGE_ACCESS_KEY" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value + value: "/data" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='IP_BIND')].value + value: 0.0.0.0 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='REST_ENCRYPTION_ENABLE')].value + value: "1" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].containerPort + value: 8333 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].protocol + value: "TCP" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].mountPath + value: "/data" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].name + value: "cryostat-storage" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].subPath + value: "seaweed" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.httpGet.path + value: "/status" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.httpGet.port + value: 8333 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.periodSeconds + value: 10 + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.failureThreshold + value: 2 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.httpGet.path + value: "/status" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.httpGet.port + value: 8333 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.failureThreshold + value: 9 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].resources + value: + requests: + cpu: 50m + memory: 256Mi + + - it: should allow disabling at-rest encryption + set: + storage: + encryption: + enabled: false + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='REST_ENCRYPTION_ENABLE')].value + value: "0" + + - it: should set resource overrides + set: + storage: + resources: + limits: + cpu: 2000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].resources + value: + limits: + cpu: 2000m + memory: 1Gi + requests: + cpu: 4000m + memory: 2Gi + + - it: should validate volumes and volume mounts + asserts: + - exists: + path: spec.template.spec.volumes[?(@.name=='cryostat-storage')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[?(@.mountPath=='/data')] + + - it: should set image pull secrets if specified + set: + imagePullSecrets: + - name: myregistrykey + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: "myregistrykey" + + - it: should apply Kubernetes specific settings when configured + set: + nodeSelector: + disktype: ssd + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - 
matchExpressions: + - key: disktype + operator: In + values: + - ssd + tolerations: + - key: "key" + operator: "Equal" + value: "value" + effect: "NoSchedule" + asserts: + - exists: + path: spec.template.spec.nodeSelector + - exists: + path: spec.template.spec.affinity + - exists: + path: spec.template.spec.tolerations + + - it: should verify image pull policies for development snapshots + set: + core.image.tag: "4.0.0-snapshot" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: Always + + - it: should verify image pull policies for release versions + set: + storage.image.pullPolicy: "IfNotPresent" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: "IfNotPresent" diff --git a/charts/cryostat/tests/storage_pvc_test.yaml b/charts/cryostat/tests/storage_pvc_test.yaml new file mode 100644 index 00000000..7af53d86 --- /dev/null +++ b/charts/cryostat/tests/storage_pvc_test.yaml 
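Review bot: The `CRYOSTAT_SECRET_KEY` assertion reads key `STORAGE_ACCESS_KEY` from `RELEASE-NAME-storage-secret` while `CRYOSTAT_ACCESS_KEY` is the literal `cryostat`, so the Secret's data key is named after the public half of the credential pair but holds the secret half; a comment on that assertion, `# STORAGE_ACCESS_KEY holds the S3 secret access key; the access key ID is the fixed value above`, avoids the misreading, and the same pairing is asserted in cryostat_deployment_test. With storage now in its own pod, `IP_BIND: 0.0.0.0` is what makes the Service reachable, and the `REST_ENCRYPTION_ENABLE` default of `"1"` with an explicit opt-out case is a good addition.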
@@ -0,0 +1,56 @@
+suite: test storage_pvc.yaml
+templates:
+ - storage_pvc.yaml
+
+tests:
+ - it: should create a PersistentVolumeClaim with correct settings
+ set:
+ pvc:
+ enabled: true
+ storage: "10Gi"
+ accessModes:
+ - "ReadWriteOnce"
+ storageClassName: "standard"
+ annotations:
+ "volume.beta.kubernetes.io/storage-class": "standard"
+ selector:
+ matchLabels:
+ app: cryostat
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: PersistentVolumeClaim
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-cryostat-storage"
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-2.0.0-dev
+ - equal:
+ path: spec.accessModes
+ value:
+ - "ReadWriteOnce"
+ - equal:
+ path: spec.resources.requests.storage
+ value: "10Gi"
+ - equal:
+ path: spec.storageClassName
+ value: "standard"
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: "cryostat"
+
+ - it: should not create a PersistentVolumeClaim when PVC is disabled
+ set:
+ pvc:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/storage_secret_test.yaml b/charts/cryostat/tests/storage_secret_test.yaml
new file mode 100644
index 00000000..e18e9908
--- /dev/null
+++ b/charts/cryostat/tests/storage_secret_test.yaml
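Review bot: The first test sets `pvc.annotations` and `pvc.selector` but only asserts on the selector, so a template regression that drops annotations from the PersistentVolumeClaim would still pass; add `- equal:` / `path: metadata.annotations["volume.beta.kubernetes.io/storage-class"]` / `value: "standard"` next to the storageClassName assertion. The disabled case correctly expects zero documents, but there is no case with no `set:` at all, so whether the chart ships a PVC by default is not pinned by this suite and cannot be read from the hunk. Since this suite drives `storage_pvc.yaml` through top-level `pvc.*` values, a one-line suite comment saying that the storage PVC is configured under `pvc` rather than `storage.pvc` would save the next reader a lookup.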
@@ -0,0 +1,35 @@
+suite: test storage_secret.yaml
+templates:
+ - storage_secret.yaml
+
+tests:
+ - it: should create a Storage Access Secret with correct settings
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Secret
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-storage-secret
+ - equal:
+ path: type
+ value: Opaque
+ - exists:
+ path: data.STORAGE_ACCESS_KEY
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: 4.0.0-dev
+ helm.sh/chart: cryostat-2.0.0-dev
+
+ - it: should not create a storage secret if storage.storageSecretName is set
+ set:
+ storage.storageSecretName: "custom-storage-secret"
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/storage_service_test.yaml b/charts/cryostat/tests/storage_service_test.yaml
new file mode 100644
index 00000000..ec0c9fe8
--- /dev/null
+++ b/charts/cryostat/tests/storage_service_test.yaml
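Review bot: `exists` on `data.STORAGE_ACCESS_KEY` passes even when the template renders an empty string, so a broken key generation would not fail this suite; use `- isNotEmpty:` / `path: data.STORAGE_ACCESS_KEY` instead, optionally paired with a `matchRegex` for the base64 shape the template is expected to emit. The values documentation added in this commit says the key must not change across upgrades; a template test cannot observe that, so a short comment in the suite header saying that upgrade stability of the generated key is out of scope here (and where, if anywhere, it is checked) would stop readers from assuming this suite covers it. The `storage.storageSecretName` override case correctly expects zero documents.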
@@ -0,0 +1,60 @@
+suite: test storage_service.yaml
+templates:
+ - storage_service.yaml
+
+tests:
+ - it: should create a Service with the correct default settings
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-cryostat-storage
+ - equal:
+ path: spec.type
+ value: ClusterIP
+ - equal:
+ path: spec.ports[0].port
+ value: 8333
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-2.0.0-dev
+ app.kubernetes.io/component: storage
+
+ - it: should create a Service with the correct settings overrides
+ set:
+ storage.service.type: NodeIP
+ storage.service.port: 8080
+ authentication.openshift.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-cryostat-storage
+ - equal:
+ path: spec.type
+ value: NodeIP
+ - equal:
+ path: spec.ports[0].port
+ value: 8080
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-2.0.0-dev
+ app.kubernetes.io/component: storage
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index 548914a9..0521c888 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
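Review bot: `NodeIP` in the override test is not a Kubernetes Service type (the API accepts `ClusterIP`, `NodePort`, `LoadBalancer` and `ExternalName`); the template passes the string through, so the test still succeeds, but the fixture misleads readers and would start failing if the template ever validated the value. Change it to `storage.service.type: NodePort` and assert `value: NodePort`. The `authentication.openshift.enabled: false` override does not influence anything asserted here; if `storage_service.yaml` does not read it, drop it so the test states only what it depends on.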
@@ -40,6 +40,21 @@
 }
 }
 },
+ "debug": {
+ "type": "object",
+ "properties": {
+ "log": {
+ "type": "object",
+ "properties": {
+ "level": {
+ "type": "string",
+ "description": "Log level for troubleshooting and debugging",
+ "default": "INFO"
+ }
+ }
+ }
+ },
 "sslProxied": {
 "type": "boolean",
 "description": "Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress",
@@ -148,8 +163,23 @@
 },
 "resources": {
 "type": "object",
- "description": "Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
- "default": {}
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
+ "default": "500m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the Cryostat container.",
+ "default": "384Mi"
+ }
+ }
+ }
+ }
 },
 "securityContext": {
 "type": "object",
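Review bot: The rewritten `resources` schema for the Cryostat container documents only `requests.cpu` and `requests.memory` and drops the object-level description, while the storage deployment test in this same commit sets `resources.limits`; `limits` is now neither described nor listed, so the generated README loses the ResourceRequirements pointer for it (whether `limits` is still accepted depends on an `additionalProperties` setting this hunk does not show). Keep a one-line description on the object, e.g. `"description": "Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",`, and add a `limits` property with the same `cpu`/`memory` shape. The same applies to the `resources` blocks for db, storage, grafana, datasource, oauth2Proxy and openshiftOauthProxy in the later hunks of this file. `debug.log.level` accepts any string; if the container only honours a fixed set of levels, an `enum` here would reject typos at install time instead of silently at runtime.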
@@ -231,6 +261,96 @@
 }
 }
 },
+ "reports": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string",
+ "description": "Repository for the Report Generator container image",
+ "default": "quay.io/cryostat/cryostat-reports"
+ },
+ "pullPolicy": {
+ "type": "string",
+ "description": "Image pull policy for the Report Generator container image",
+ "default": "Always"
+ },
+ "tag": {
+ "type": "string",
+ "description": "Tag for the Report Generator image",
+ "default": "4.0.0-snapshot"
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "Type of Service to create for the Report Generator Deployment",
+ "default": "ClusterIP"
+ },
+ "httpPort": {
+ "type": "number",
+ "description": "Port number to expose on the Service for the Report Generator Deployment",
+ "default": 10001
+ }
+ }
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "capabilities": {
+ "type": "object",
+ "properties": {
+ "drop": {
+ "type": "array",
+ "description": "",
+ "default": [
+ "ALL"
+ ],
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "allowPrivilegeEscalation": {
+ "type": "boolean",
+ "description": "",
+ "default": false
+ }
+ }
+ },
+ "replicas": {
+ "type": "number",
+ "description": "Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own.",
+ "default": 0
+ },
+ "resources": {
+ "type": "object",
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for each Pod in the Report Generator Deployment.",
+ "default": "500m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for each Pod in the Report Generator Deployment.",
+ "default": "512Mi"
+ }
+ }
+ }
+ }
+ }
+ },
 "db": {
 "type": "object",
 "properties": {
@@ -279,10 +399,40 @@
 }
 }
 },
+ "service": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "Type of Service to create for the database",
+ "default": "ClusterIP"
+ },
+ "port": {
+ "type": "number",
+ "description": "Port number to expose on the Service",
+ "default": 5432
+ }
+ }
+ },
 "resources": {
 "type": "object",
- "description": "Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
- "default": {}
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
+ "default": "25m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the database container.",
+ "default": "64Mi"
+ }
+ }
+ }
+ }
 }
 }
 },
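Review bot: `reports.replicas`, `reports.service.httpPort` and the new `db.service.port` are declared `"type": "number"`, which lets a value such as 1.5 pass schema validation only to be rejected by the Kubernetes API at install time; `"type": "integer"` is the accurate JSON Schema type for all three, and `storage.service.port` in the next hunk has the same issue. If the pre-existing port entries elsewhere in this schema already use `number`, change them in the same commit so the schema stays consistent. The `reports.securityContext` entries for `capabilities.drop` and `allowPrivilegeEscalation` carry empty `"description": ""` strings that render as blank rows in the generated README; give each a one-sentence description (for example `"description": "Linux capabilities dropped from the Report Generator container; ALL by default."`) or, since values.yaml marks the same keys `@skip`, omit the empty strings.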
@@ -314,6 +464,11 @@
 }
 }
 },
+ "storageSecretName": {
+ "type": "string",
+ "description": "Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable",
+ "default": ""
+ },
 "image": {
 "type": "object",
 "properties": {
@@ -334,10 +489,50 @@
 }
 }
 },
+ "encryption": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security.",
+ "default": true
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "Type of Service to create for the object storage",
+ "default": "ClusterIP"
+ },
+ "port": {
+ "type": "number",
+ "description": "Port number to expose on the Service",
+ "default": 8333
+ }
+ }
+ },
 "resources": {
 "type": "object",
- "description": "Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
- "default": {}
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
+ "default": "50m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the object storage container.",
+ "default": "256Mi"
+ }
+ }
+ }
+ }
 }
 }
 },
@@ -406,8 +601,23 @@
 },
 "resources": {
 "type": "object",
- "description": "Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
- "default": {}
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
+ "default": "25m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the Grafana container.",
+ "default": "80Mi"
+ }
+ }
+ }
+ }
 }
 }
 },
@@ -461,8 +671,23 @@
 },
 "resources": {
 "type": "object",
- "description": "Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
- "default": {}
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
+ "default": "200m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the JFR Data Source container.",
+ "default": "200Mi"
+ }
+ }
+ }
+ }
 }
 }
 },
@@ -513,12 +738,37 @@
 "default": "latest"
 }
 }
+ },
+ "resources": {
+ "type": "object",
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the OAuth2 Proxy container.",
+ "default": "25m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the OAuth2 Proxy container.",
+ "default": "64Mi"
+ }
+ }
+ }
+ }
 }
 }
 },
 "authentication": {
 "type": "object",
 "properties": {
+ "cookieSecretName": {
+ "type": "string",
+ "description": "Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable",
+ "default": ""
+ },
 "openshift": {
 "type": "object",
 "properties": {
@@ -609,6 +859,26 @@
 }
 }
 },
+ "resources": {
+ "type": "object",
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string",
+ "description": "CPU resource request for the OpenShift OAuth Proxy container.",
+ "default": "25m"
+ },
+ "memory": {
+ "type": "string",
+ "description": "Memory resource request for the OpenShift OAuth Proxy container.",
+ "default": "64Mi"
+ }
+ }
+ }
+ }
+ },
 "accessReview": {
 "type": "object",
 "properties": {
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 75cb9f6e..4b35637f 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -13,6 +13,10 @@ core:
 type: ClusterIP
 ## @param core.service.httpPort Port number to expose on the Service for Cryostat's HTTP server
 httpPort: 8181
+ debug:
+ log:
+ ## @param core.debug.log.level Log level for troubleshooting and debugging
+ level: INFO
 ## @param core.sslProxied Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress
 sslProxied: false
 ingress:
@@ -48,8 +52,12 @@ core:
 caCertificate: ""
 ## @param core.route.tls.destinationCACertificate Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route
 destinationCACertificate: ""
- ## @param core.resources Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
- resources: {}
+ resources:
+ requests:
+ ## @param core.resources.requests.cpu CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ cpu: 500m
+ ## @param core.resources.requests.memory Memory resource request for the Cryostat container.
+ memory: 384Mi
 ## @param core.securityContext [object] Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
 ## @skip core.securityContext.allowPrivilegeEscalation
@@ -78,6 +86,38 @@ core:
 ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
 portNumbers: []
 
+## @section Report Generator Deployment
+## @extra reports Configuration for the Reports Generator deployment
+reports:
+ image:
+ ## @param reports.image.repository Repository for the Report Generator container image
+ repository: "quay.io/cryostat/cryostat-reports"
+ ## @param reports.image.pullPolicy Image pull policy for the Report Generator container image
+ pullPolicy: Always
+ ## @param reports.image.tag Tag for the Report Generator image
+ tag: "4.0.0-snapshot"
+ service:
+ ## @param reports.service.type Type of Service to create for the Report Generator Deployment
+ type: ClusterIP
+ ## @param reports.service.httpPort Port number to expose on the Service for the Report Generator Deployment
+ httpPort: 10001
+ ## @param reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own.
+ replicas: 0
+ resources:
+ requests:
+ ## @param reports.resources.requests.cpu CPU resource request for each Pod in the Report Generator Deployment.
+ cpu: 500m
+ ## @param reports.resources.requests.memory Memory resource request for each Pod in the Report Generator Deployment.
+ memory: 512Mi
+ ## @param reports.securityContext [object] Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip reports.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip reports.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
 ## @section Database Container
 ## @extra db Configuration for Cryostat's database
 db:
@@ -88,8 +128,17 @@ db:
 pullPolicy: Always
 ## @param db.image.tag Tag for the database container image
 tag: "latest"
- ## @param db.resources Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
- resources: {}
+ service:
+ ## @param db.service.type Type of Service to create for the database
+ type: ClusterIP
+ ## @param db.service.port Port number to expose on the Service
+ port: 5432
+ resources:
+ requests:
+ ## @param db.resources.requests.cpu CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ cpu: 25m
+ ## @param db.resources.requests.memory Memory resource request for the database container.
+ memory: 64Mi
 ## @param db.securityContext [object] Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
 ## @skip db.securityContext.allowPrivilegeEscalation
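Review bot: The `reports.securityContext` comment states the defaults meet the "restricted" Pod Security Standard, but the container-level block only sets `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; restricted additionally requires `runAsNonRoot: true` and a `seccompProfile.type` of `RuntimeDefault` or `Localhost`, and this hunk does not show where those come from. If `reports_deployment.yaml` sets them at the pod level the claim holds and a short note saying so would help; otherwise add `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` here or soften the comment to what the block actually provides. The same wording appears on the pre-existing core/db/storage blocks, so the answer should be checked once for all of them.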
@@ -102,6 +151,8 @@ db:
 ## @section Storage Container
 ## @extra storage Configuration for Cryostat's object storage provider
 storage:
+ ## @param storage.storageSecretName Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
+ storageSecretName: ""
 image:
 ## @param storage.image.repository Repository for the storage container image
 repository: "quay.io/cryostat/cryostat-storage"
@@ -109,8 +160,20 @@ storage:
 pullPolicy: Always
 ## @param storage.image.tag Tag for the storage container image
 tag: "latest"
- ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
- resources: {}
+ encryption:
+ ## @param storage.encryption.enabled Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security.
+ enabled: true
+ service:
+ ## @param storage.service.type Type of Service to create for the object storage
+ type: ClusterIP
+ ## @param storage.service.port Port number to expose on the Service
+ port: 8333
+ resources:
+ requests:
+ ## @param storage.resources.requests.cpu CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ cpu: 50m
+ ## @param storage.resources.requests.memory Memory resource request for the object storage container.
+ memory: 256Mi
 ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
 ## @skip storage.securityContext.allowPrivilegeEscalation
@@ -135,8 +198,12 @@ grafana:
 type: ClusterIP
 ## @param grafana.service.port Port number to expose on the Service for Grafana's HTTP server
 port: 3000
- ## @param grafana.resources Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
- resources: {}
+ resources:
+ requests:
+ ## @param grafana.resources.requests.cpu CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ cpu: 25m
+ ## @param grafana.resources.requests.memory Memory resource request for the Grafana container.
+ memory: 80Mi
 ## @param grafana.securityContext [object] Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
 ## @skip grafana.securityContext.allowPrivilegeEscalation
@@ -156,8 +223,12 @@ datasource:
 pullPolicy: Always
 ## @param datasource.image.tag Tag for the JFR Data Source container image
 tag: "latest"
- ## @param datasource.resources Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
- resources: {}
+ resources:
+ requests:
+ ## @param datasource.resources.requests.cpu CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ cpu: 200m
+ ## @param datasource.resources.requests.memory Memory resource request for the JFR Data Source container.
+ memory: 200Mi
 ## @param datasource.securityContext [object] Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
 ## @skip datasource.securityContext.allowPrivilegeEscalation
@@ -170,6 +241,8 @@ datasource:
 
 ## @section Authentication
 authentication:
+ ## @param authentication.cookieSecretName Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
+ cookieSecretName: ""
 openshift:
 ## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.
 enabled: false
@@ -194,6 +267,12 @@ oauth2Proxy:
 pullPolicy: Always
 ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image
 tag: "latest"
+ resources:
+ requests:
+ ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container.
+ cpu: 25m
+ ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container.
+ memory: 64Mi
 ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission).
 securityContext:
 ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation
@@ -213,6 +292,12 @@ openshiftOauthProxy:
 pullPolicy: Always
 ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
 tag: "cryostat-v3.0"
+ resources:
+ requests:
+ ## @param openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container.
+ cpu: 25m
+ ## @param openshiftOauthProxy.resources.requests.memory Memory resource request for the OpenShift OAuth Proxy container.
+ memory: 64Mi
 accessReview:
 ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.
 enabled: true