feat(agent): add nginx proxy for agent communication (#957)

* feat(agent): add nginx proxy for agent communication * Add/fix test cases * Allow proxy to work without TLS * Add exact match location blocks to avoid 301 * V4 API paths * fix scorecard tests for v4 API changes --------- Co-authored-by: Andrew Azores <aazores@redhat.com>
cryostatio · Oct 4, 2024 · af55876 · af55876
1 parent 1bdfc3e
commit af55876
Show file tree

Hide file tree

Showing 28 changed files with 1,749 additions and 163 deletions.
diff --git a/Makefile b/Makefile
@@ -93,6 +93,10 @@ STORAGE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 STORAGE_NAME ?= cryostat-storage
 STORAGE_VERSION ?= latest
 export STORAGE_IMG ?= $(STORAGE_NAMESPACE)/$(STORAGE_NAME):$(STORAGE_VERSION)
+AGENT_PROXY_NAMESPACE ?= registry.access.redhat.com/ubi8
+AGENT_PROXY_NAME ?= nginx-124
+AGENT_PROXY_VERSION ?= latest
+export AGENT_PROXY_IMG = $(AGENT_PROXY_NAMESPACE)/$(AGENT_PROXY_NAME):$(AGENT_PROXY_VERSION)
 
 CERT_MANAGER_VERSION ?= 1.11.5
 CERT_MANAGER_MANIFEST ?= \

diff --git a/api/v1beta1/cryostat_conversion_test.go b/api/v1beta1/cryostat_conversion_test.go
@@ -80,17 +80,32 @@ func tableEntriesTo() []TableEntry {
 	return append(tableEntries(),
 		Entry("WS connections", (*test.TestResources).NewCryostatWithWsConnectionsSpecV1Beta1,
 			(*test.TestResources).NewCryostat),
-		Entry("command config", (*test.TestResources).NewCryostatWithCommandConfigV1Beta1,
+		Entry("command ingress", (*test.TestResources).NewCryostatWithCommandConfigV1Beta1,
+			(*test.TestResources).NewCryostatWithIngress),
+		Entry("grafana ingress", (*test.TestResources).NewCryostatWithGrafanaConfigV1Beta1,
 			(*test.TestResources).NewCryostatWithIngress),
 		Entry("minimal mode", (*test.TestResources).NewCryostatWithMinimalModeV1Beta1,
 			(*test.TestResources).NewCryostat),
 		Entry("core JMX port", (*test.TestResources).NewCryostatWithCoreSvcJMXPortV1Beta1,
 			(*test.TestResources).NewCryostatWithCoreSvc),
+		Entry("resources", (*test.TestResources).NewCryostatWithResourcesV1Beta1,
+			(*test.TestResources).NewCryostatWithResourcesToV1Beta2),
+		Entry("low resource limit", (*test.TestResources).NewCryostatWithLowResourceLimitV1Beta1,
+			(*test.TestResources).NewCryostatWithLowResourceLimitToV1Beta2),
+		Entry("security", (*test.TestResources).NewCryostatWithSecurityOptionsV1Beta1,
+			(*test.TestResources).NewCryostatWithSecurityOptionsToV1Beta2),
 	)
 }
 
 func tableEntriesFrom() []TableEntry {
-	return tableEntries()
+	return append(tableEntries(),
+		Entry("resources", (*test.TestResources).NewCryostatWithResourcesV1Beta1,
+			(*test.TestResources).NewCryostatWithResources),
+		Entry("low resource limit", (*test.TestResources).NewCryostatWithLowResourceLimitV1Beta1,
+			(*test.TestResources).NewCryostatWithLowResourceLimit),
+		Entry("security", (*test.TestResources).NewCryostatWithSecurityOptionsV1Beta1,
+			(*test.TestResources).NewCryostatWithSecurityOptions),
+	)
 }
 
 func tableEntries() []TableEntry {
@@ -133,10 +148,6 @@ func tableEntries() []TableEntry {
 			(*test.TestResources).NewCryostatCertManagerDisabled),
 		Entry("cert-manager undefined", (*test.TestResources).NewCryostatCertManagerUndefinedV1Beta1,
 			(*test.TestResources).NewCryostatCertManagerUndefined),
-		Entry("resources", (*test.TestResources).NewCryostatWithResourcesV1Beta1,
-			(*test.TestResources).NewCryostatWithResources),
-		Entry("low resource limit", (*test.TestResources).NewCryostatWithLowResourceLimitV1Beta1,
-			(*test.TestResources).NewCryostatWithLowResourceLimit),
 		Entry("built-in discovery disabled", (*test.TestResources).NewCryostatWithBuiltInDiscoveryDisabledV1Beta1,
 			(*test.TestResources).NewCryostatWithBuiltInDiscoveryDisabled),
 		Entry("discovery port custom config", (*test.TestResources).NewCryostatWithDiscoveryPortConfigV1Beta1,
@@ -145,8 +156,6 @@ func tableEntries() []TableEntry {
 			(*test.TestResources).NewCryostatWithBuiltInPortConfigDisabled),
 		Entry("JMX cache options", (*test.TestResources).NewCryostatWithJmxCacheOptionsSpecV1Beta1,
 			(*test.TestResources).NewCryostatWithJmxCacheOptionsSpec),
-		Entry("security", (*test.TestResources).NewCryostatWithSecurityOptionsV1Beta1,
-			(*test.TestResources).NewCryostatWithSecurityOptions),
 		Entry("reports security", (*test.TestResources).NewCryostatWithReportSecurityOptionsV1Beta1,
 			(*test.TestResources).NewCryostatWithReportSecurityOptions),
 		Entry("database secret", (*test.TestResources).NewCryostatWithDatabaseSecretProvidedV1Beta1,

diff --git a/api/v1beta2/cryostat_types.go b/api/v1beta2/cryostat_types.go
@@ -143,6 +143,10 @@ type ResourceConfigList struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:resourceRequirements"}
 	ObjectStorageResources corev1.ResourceRequirements `json:"objectStorageResources,omitempty"`
+	// Resource requirements for the agent proxy container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:resourceRequirements"}
+	AgentProxyResources corev1.ResourceRequirements `json:"agentProxyResources,omitempty"`
 }
 
 // CryostatStatus defines the observed state of Cryostat.
@@ -306,6 +310,16 @@ type ReportsServiceConfig struct {
 	ServiceConfig `json:",inline"`
 }
 
+// AgentServiceConfig provides customization for the service handling
+// traffic from Cryostat agents to the Cryostat application.
+type AgentServiceConfig struct {
+	// HTTP port number for the Cryostat agent API service.
+	// Defaults to 8282.
+	// +optional
+	HTTPPort      *int32 `json:"httpPort,omitempty"`
+	ServiceConfig `json:",inline"`
+}
+
 // ServiceConfigList holds the service configuration for each
 // service created by the operator.
 type ServiceConfigList struct {
@@ -315,6 +329,9 @@ type ServiceConfigList struct {
 	// Specification for the service responsible for the cryostat-reports sidecars.
 	// +optional
 	ReportsConfig *ReportsServiceConfig `json:"reportsConfig,omitempty"`
+	// Specification for the service responsible for agents to communicate with Cryostat.
+	// +optional
+	AgentConfig *AgentServiceConfig `json:"agentConfig,omitempty"`
 }
 
 // NetworkConfiguration provides customization for how to expose a Cryostat
@@ -567,6 +584,10 @@ type SecurityOptions struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	DatabaseSecurityContext *corev1.SecurityContext `json:"databaseSecurityContext,omitempty"`
+	// Security Context to apply to the agent proxy container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	AgentProxySecurityContext *corev1.SecurityContext `json:"agentProxySecurityContext,omitempty"`
 }
 
 // ReportsSecurityOptions contains Security Context customizations for the

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -30,7 +30,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
-    createdAt: "2024-09-11T17:33:08Z"
+    createdAt: "2024-10-04T18:55:09Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {
@@ -230,6 +230,11 @@ spec:
           - description: Resource requirements for the Cryostat deployment.
             displayName: Resources
             path: resources
+          - description: Resource requirements for the agent proxy container.
+            displayName: Agent Proxy Resources
+            path: resources.agentProxyResources
+            x-descriptors:
+              - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
           - description: Resource requirements for the auth proxy.
             displayName: Auth Proxy Resources
             path: resources.authProxyResources
@@ -294,6 +299,9 @@ spec:
             path: securityOptions
             x-descriptors:
               - urn:alm:descriptor:com.tectonic.ui:advanced
+          - description: Security Context to apply to the agent proxy container.
+            displayName: Agent Proxy Security Context
+            path: securityOptions.agentProxySecurityContext
           - description: Security Context to apply to the auth proxy container.
             displayName: Auth Proxy Security Context
             path: securityOptions.authProxySecurityContext
@@ -1010,6 +1018,8 @@ spec:
                         value: quay.io/cryostat/cryostat-storage:latest
                       - name: RELATED_IMAGE_DATABASE
                         value: quay.io/cryostat/cryostat-db:latest
+                      - name: RELATED_IMAGE_AGENT_PROXY
+                        value: registry.access.redhat.com/ubi8/nginx-124:latest
                       - name: WATCH_NAMESPACE
                         valueFrom:
                           fieldRef:
@@ -1179,6 +1189,8 @@ spec:
       name: storage
     - image: quay.io/cryostat/cryostat-db:latest
       name: database
+    - image: registry.access.redhat.com/ubi8/nginx-124:latest
+      name: agent-proxy
   version: 4.0.0-dev
   webhookdefinitions:
     - admissionReviewVersions: