feat(deploy): deploy cryostat 3.0 (#727)

* feat(discovery): options to configure discovery port names and numbers (backport #715) (#725)

* feat(discovery): options to configure discovery port names and numbers (#715)

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>
(cherry picked from commit a552021)

* resolve conflict

---------

Co-authored-by: Thuan Vo <thuan.votann@gmail.com>
Co-authored-by: Andrew Azores <aazores@redhat.com>

* Deploy cryostat 3.0

* Remove extraneous file

* test adjustments

* feat(discovery): options to configure discovery port names and numbers (#715)

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>

* Fix typo in environment variable breaking reconciler test, fix missing SecurityContext

* Fix conflict with cluster cryostat removal

* ci(gh): add comment when /build_test is finished (#745)

* add scorecard test/suite selection (#746)

* test(scorecard): scorecard tests for recording management (#698)

* test(scorecard): scorecard tests for recording management

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>

* fixup(scorecard): fix cr cleanup func

* test(scorecard): registry recording test to suite

* chore(scorecard): reorganize client def

* chore(scorecard): clean up common setup func

* chore(bundle): regenerate bundle with scorecard tag

* chore(bundle): correct image tag in bundle

* fix(bundle): add missing scorecard test config patch

* feat(scorecard): scaffold cryostat API client

* chore(scorecard): clean up API client

* test(scorecard): implement recording scorecard test

* fixup(scorecard): correctly add scorecard test via hack templates

* fix(client): ignore unverified tls certs and base64 oauth token

* chore(bundle): split cryostat tests to separate stage

* fix(scorecard): extend default transport instead of overwriting

* chore(scorecard): refactor client to support multi-part

* fixup(client): fix request verb

* fix(client): fix recording create form format

* fix(scorecard): create stored credentials for target JVM

* fix(scorecard): fix 502 status error

* chore(scorecard): simplify client def

* chore(scorecard): fetch recordings to ensure action is correctly performed

* test(scorecard): test generating report for a recording

* chore(scorecard): clean up

* test(scorecard): list archives in tests

* ci(scorecard): reconfigure ingress for kind

* ci(k8s): correct cluster name

* test(scorecard): use role instead of clusterrole for oauth rules

* test(scorecard): parse health response for additional checks

* chore(scorecard): add missing newline in logs

* chore(scorecard): check status code before parsing body in health check

* test(scorecard): add custom target discovery to recording scorecard test

* add EOF wait and resp headers

* add resp headers

* chore(client): configure all clients to send safe requests

* fix(clients): add missing content-type header

* fix(scorecard): add missing test name in help message

* chore(client): create new http requests when retrying

* chore(bundle): update scorecard image tags

---------

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>
Co-authored-by: Ming Yu Wang <90855268+mwangggg@users.noreply.github.com>
Co-authored-by: Ming Wang <miwan@redhat.com>

* test(scorecard): scorecard test for Cryostat CR configuration changes (#739)

* CR config scorecard

* reformat

* reviews

* add kubectl license

* test(scorecard): scorecard test for report generator  (#753)

* deploy reports sidecar

* report scorecard test

* update

* rebase fix

* query health

* fix(build-ci): fix scorecard image tag returned as null (#760)

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>
Co-authored-by: Elliott Baron <ebaron@redhat.com>

* test(scorecard): add container logs to scorecard results (#758)

* test(scorecard): add container logs to scorecard results

* build(bundle): regenerate bundle with new scorecard tags

* chore(scorecard): refactor to remove duplicate codes

* add permission to publish comment when ci fails (#769)

Co-authored-by: Elliott Baron <ebaron@redhat.com>

* Update NewCoreContainer and associated tests

* build(go): update Golang to 1.21 (#777)

* test(scorecard): logWorkloadEvent for cryostat-recording errors (#759)

* logWorkLoadEvent for cryostat-recording errors

* reviews

* tr.LogChannel

---------

Co-authored-by: Elliott Baron <ebaron@redhat.com>

* test(scorecard): fix rebasing skipped commit (#780)

* Merge pull request #8 from ebaron/scorecard-methods

test(scorecard): use methods for more easily passing data

* update bundle image

* Review fixes

* generate storage key, create expected Secret

* fixup! generate storage key, create expected Secret

* database secret handling corrections

* combine database connection password and encryption key into one secret

* correct storage secret key/access key

* update datasource port number to not conflict with storage

* precreate eventtemplates bucket

* remove storage volume parameter overrides

* use HTTP for Cryostat probe even when TLS is enabled - TLS will be done via auth proxy later

* correct environment variable names for proxy awareness

* Fix remaining merge conflict

* Fix makefile

* config cleanup and test fixup

---------

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Thuan Vo <thuan.votann@gmail.com>
Co-authored-by: Andrew Azores <aazores@redhat.com>
Co-authored-by: Ming Yu Wang <90855268+mwangggg@users.noreply.github.com>
Co-authored-by: Ming Wang <miwan@redhat.com>
Co-authored-by: Elliott Baron <ebaron@redhat.com>

Makefile

@@ -62,7 +62,7 @@ export APP_NAME ?= Cryostat
 # Images used by the operator
 CORE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 CORE_NAME ?= cryostat
-CORE_VERSION ?= latest
+CORE_VERSION ?= 3.0.0-snapshot
 export CORE_IMG ?= $(CORE_NAMESPACE)/$(CORE_NAME):$(CORE_VERSION)
 DATASOURCE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 DATASOURCE_NAME ?= jfr-datasource
@@ -76,6 +76,14 @@ REPORTS_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 REPORTS_NAME ?= cryostat-reports
 REPORTS_VERSION ?= latest
 export REPORTS_IMG ?= $(REPORTS_NAMESPACE)/$(REPORTS_NAME):$(REPORTS_VERSION)
+DATABASE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
+DATABASE_NAME ?= cryostat-db
+DATABASE_VERSION ?= latest
+export DATABASE_IMG ?= $(DATABASE_NAMESPACE)/$(DATABASE_NAME):$(DATABASE_VERSION)
+STORAGE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
+STORAGE_NAME ?= cryostat-storage
+STORAGE_VERSION ?= latest
+export STORAGE_IMG ?= $(STORAGE_NAMESPACE)/$(STORAGE_NAME):$(STORAGE_VERSION)
 
 CERT_MANAGER_VERSION ?= 1.11.5
 CERT_MANAGER_MANIFEST ?= \
@@ -449,8 +457,8 @@ endif
 ##@ Deployment
 
 .PHONY: install
-install: manifests kustomize ## Install CRDs into the cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | $(CLUSTER_CLIENT) apply -f -
+install: uninstall manifests kustomize ## Install CRDs into the cluster specified in ~/.kube/config.
+	$(KUSTOMIZE) build config/crd | $(CLUSTER_CLIENT) create -f -
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the cluster specified in ~/.kube/config.
@@ -466,8 +474,8 @@ print_deploy_config: predeploy ## Print deployment configurations for the contro
 	$(KUSTOMIZE) build $(KUSTOMIZE_DIR)
 
 .PHONY: deploy
-deploy: check_cert_manager manifests kustomize predeploy ## Deploy controller in the configured cluster in ~/.kube/config
-	$(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(CLUSTER_CLIENT) apply -f -
+deploy: check_cert_manager manifests kustomize predeploy undeploy ## Deploy controller in the configured cluster in ~/.kube/config
+	$(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(CLUSTER_CLIENT) create -f -
 ifeq ($(DISABLE_SERVICE_TLS), true)
 	@echo "Disabling TLS for in-cluster communication between Services"
 	@$(CLUSTER_CLIENT) -n $(DEPLOY_NAMESPACE) set env deployment/cryostat-operator-controller-manager DISABLE_SERVICE_TLS=true

api/v1beta1/cryostat_conversion_test.go

@@ -139,8 +139,6 @@ func tableEntries() []TableEntry {
 			(*test.TestResources).NewCryostatWithResources),
 		Entry("low resource limit", (*test.TestResources).NewCryostatWithLowResourceLimitV1Beta1,
 			(*test.TestResources).NewCryostatWithLowResourceLimit),
-		Entry("auth properties", (*test.TestResources).NewCryostatWithAuthPropertiesV1Beta1,
-			(*test.TestResources).NewCryostatWithAuthProperties),
 		Entry("built-in discovery disabled", (*test.TestResources).NewCryostatWithBuiltInDiscoveryDisabledV1Beta1,
 			(*test.TestResources).NewCryostatWithBuiltInDiscoveryDisabled),
 		Entry("discovery port custom config", (*test.TestResources).NewCryostatWithDiscoveryPortConfigV1Beta1,
@@ -149,8 +147,6 @@ func tableEntries() []TableEntry {
 			(*test.TestResources).NewCryostatWithBuiltInPortConfigDisabled),
 		Entry("JMX cache options", (*test.TestResources).NewCryostatWithJmxCacheOptionsSpecV1Beta1,
 			(*test.TestResources).NewCryostatWithJmxCacheOptionsSpec),
-		Entry("subprocess heap", (*test.TestResources).NewCryostatWithReportSubprocessHeapSpecV1Beta1,
-			(*test.TestResources).NewCryostatWithReportSubprocessHeapSpec),
 		Entry("security", (*test.TestResources).NewCryostatWithSecurityOptionsV1Beta1,
 			(*test.TestResources).NewCryostatWithSecurityOptions),
 		Entry("reports security", (*test.TestResources).NewCryostatWithReportSecurityOptionsV1Beta1,

api/v1beta1/cryostat_types.go

@@ -141,6 +141,8 @@ type CryostatStatus struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=status,order=2,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
 	GrafanaSecret string `json:"grafanaSecret,omitempty"`
+	// Name of the Secret containing the cryostat storage connection key
+	StorageSecret string `json:"storageSecret,omitempty"`
 	// Address of the deployed Cryostat web application.
 	// +operator-sdk:csv:customresourcedefinitions:type=status,order=1,xDescriptors={"urn:alm:descriptor:org.w3:link"}
 	ApplicationURL string `json:"applicationUrl"`
@@ -287,6 +289,13 @@ type GrafanaServiceConfig struct {
 	ServiceConfig `json:",inline"`
 }
 
+type StorageServiceConfig struct {
+	// HTTP port number for the cryostat storage service.
+	// Defaults to 8333
+	HTTPPort      *int32 `json:"httpPort,omitempty"`
+	ServiceConfig `json:",inline"`
+}
+
 // ReportsServiceConfig provides customization for the service handling
 // traffic for the cryostat-reports sidecars.
 type ReportsServiceConfig struct {
@@ -309,6 +318,9 @@ type ServiceConfigList struct {
 	// Specification for the service responsible for the cryostat-reports sidecars.
 	// +optional
 	ReportsConfig *ReportsServiceConfig `json:"reportsConfig,omitempty"`
+	// Specification for the service responsible for the cryostat storage container.
+	// +optional
+	StorageConfig *StorageServiceConfig `json:"storageConfig,omitEmpty"`
 }
 
 // NetworkConfiguration provides customization for how to expose a Cryostat
@@ -502,6 +514,14 @@ type SecurityOptions struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	GrafanaSecurityContext *corev1.SecurityContext `json:"grafanaSecurityContext,omitempty"`
+	// Security Context to apply to the storage container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	StorageSecurityContext *corev1.SecurityContext `json:"storageSecurityContext,omitempty"`
+	// Security Context to apply to the storage container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	DatabaseSecurityContext *corev1.SecurityContext `json:"databaseSecurityContext,omitempty"`
 }
 
 // ReportsSecurityOptions contains Security Context customizations for the

api/v1beta2/cryostat_types.go

@@ -512,6 +512,14 @@ type SecurityOptions struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	GrafanaSecurityContext *corev1.SecurityContext `json:"grafanaSecurityContext,omitempty"`
+	// Security Context to apply to the storage container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	StorageSecurityContext *corev1.SecurityContext `json:"storageSecurityContext,omitempty"`
+	// Security Context to apply to the database container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	DatabaseSecurityContext *corev1.SecurityContext `json:"databaseSecurityContext,omitempty"`
 }
 
 // ReportsSecurityOptions contains Security Context customizations for the

bundle.Dockerfile

@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=cryostat-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.31.0
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -69,7 +69,7 @@ metadata:
           }
         }
       }
-    operators.operatorframework.io/builder: operator-sdk-v1.31.0
+    operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: github.com/cryostatio/cryostat-operator
     support: Cryostat Community
@@ -379,12 +379,18 @@ spec:
       - description: Security Context to apply to the JFR Data Source container.
         displayName: Data Source Security Context
         path: securityOptions.dataSourceSecurityContext
+      - description: Security Context to apply to the storage container.
+        displayName: Database Security Context
+        path: securityOptions.databaseSecurityContext
       - description: Security Context to apply to the Grafana container.
         displayName: Grafana Security Context
         path: securityOptions.grafanaSecurityContext
       - description: Security Context to apply to the Cryostat pod.
         displayName: Pod Security Context
         path: securityOptions.podSecurityContext
+      - description: Security Context to apply to the storage container.
+        displayName: Storage Security Context
+        path: securityOptions.storageSecurityContext
       - description: Options to customize the services created for the Cryostat application
           and Grafana dashboard.
         displayName: Service Options
@@ -754,12 +760,18 @@ spec:
       - description: Security Context to apply to the JFR Data Source container.
         displayName: Data Source Security Context
         path: securityOptions.dataSourceSecurityContext
+      - description: Security Context to apply to the storage container.
+        displayName: Database Security Context
+        path: securityOptions.databaseSecurityContext
       - description: Security Context to apply to the Grafana container.
         displayName: Grafana Security Context
         path: securityOptions.grafanaSecurityContext
       - description: Security Context to apply to the Cryostat pod.
         displayName: Pod Security Context
         path: securityOptions.podSecurityContext
+      - description: Security Context to apply to the storage container.
+        displayName: Storage Security Context
+        path: securityOptions.storageSecurityContext
       - description: Options to customize the services created for the Cryostat application
           and Grafana dashboard.
         displayName: Service Options
@@ -1091,7 +1103,7 @@ spec:
                 - /manager
                 env:
                 - name: RELATED_IMAGE_CORE
-                  value: quay.io/cryostat/cryostat:latest
+                  value: quay.io/cryostat/cryostat:3.0.0-snapshot
                 - name: RELATED_IMAGE_DATASOURCE
                   value: quay.io/cryostat/jfr-datasource:latest
                 - name: RELATED_IMAGE_GRAFANA
@@ -1226,7 +1238,7 @@ spec:
   provider:
     name: The Cryostat Community
   relatedImages:
-  - image: quay.io/cryostat/cryostat:latest
+  - image: quay.io/cryostat/cryostat:3.0.0-snapshot
     name: core
   - image: quay.io/cryostat/jfr-datasource:latest
     name: datasource