Commit 1afe71d

mergify[bot] and ebaron authored
fix(storage): re-enable checksum validation by default (#289) (#290)
(cherry picked from commit 3804e40) Co-authored-by: Elliott Baron <ebaron@redhat.com>
1 parent 377fa62 commit 1afe71d

5 files changed: +5 -19 lines changed

charts/cryostat/README.md

Lines changed: 1 addition & 1 deletion
@@ -185,7 +185,7 @@ certificate issuance and rotation.
185185
| `storage.image.tag` | Tag for the storage container image | `cryostat-v4.1` |
186186
| `storage.storageSecretName` | Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. If using an external S3 provider requiring authentication then this **must** be provided. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable) | `""` |
187187
| `storage.provider.url` | URL to the S3 object storage provider instance. This can be an in-cluster self-hosted instance with a hostname like s3.storage.local, or it can be an external commercial service. This should include scheme, host, and port. User authenication information should be provided using a *Secret* and *storage.storageSecretName*. If this is not specified then a managed [cryostat-storage](https://github.com/cryostatio/cryostat-storage) instance will be automatically deployed and configured. If an unmanaged S3 instance is specified here then other storage configuration settings (such as at-rest encryption, Pod annotations, Service configurations) do not apply. Production installations of Cryostat should not rely on `cryostat-storage` | `""` |
188-
| `storage.provider.useChecksumValidation` | whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default when storage.provider.url is configured, but if not configured and cryostat-storage is deployed then this will be taken as *false*. | `true` |
188+
| `storage.provider.useChecksumValidation` | whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default. | `true` |
189189
| `storage.provider.usePathStyleAccess` | whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers. | `true` |
190190
| `storage.provider.usePresignedRecordingTransfers` | whether object storage presigned GET URLs should be used for transferring files between Cryostat components (ex. for automated analysis report generation). If this is disabled then Cryostat will act as a "network pipe" between other components and handle streaming file contents. This is *true* by default to reduce network utilization and request latency | `true` |
191191
| `storage.provider.usePresignedDownloads` | whether object storage presigned GET URLs should be used for downloading files via the user's browser. If this is disabled then Cryostat will act as a "network pipe" between storage and the user's browser and handle streaming file contents. If the object storage URLs are not accessible from the user's network location then this must be disabled, otherwise enabling it will reduce network utilization and request latency. This is *false* by default | `false` |
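
Review bot: in the new `storage.provider.useChecksumValidation` row, the sentence "known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions" is kept while the managed-storage exception is dropped, so the table now documents a default of *true* for the same cryostat-storage deployment it still warns about. Suggest either removing the warning if it no longer applies to the `cryostat-v4.1` storage image, or stating when an operator should set this to `false`.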

charts/cryostat/templates/cryostat_deployment.yaml

Lines changed: 1 addition & 4 deletions
@@ -133,10 +133,7 @@ spec:
133133
# Otherwise we are deploying a managed storage instance and can set a default value
134134
value: {{ ternary .Values.storage.provider.region "us-east-1" (not (empty .Values.storage.provider.url)) }}
135135
- name: QUARKUS_S3_CHECKSUM_VALIDATION
136-
# if an external provider URL is supplied then use the configuration checksum validation value.
137-
# Otherwise we are deploying a managed storage instance and should override this to false, since it is known to cause issues.
138-
# See https://github.com/cryostatio/cryostat/issues/948
139-
value: {{ ternary (quote .Values.storage.provider.useChecksumValidation) (quote "false") (not (empty .Values.storage.provider.url)) }}
136+
value: "{{ .Values.storage.provider.useChecksumValidation }}"
140137
- name: QUARKUS_S3_AWS_CREDENTIALS_TYPE
141138
value: {{ .Values.storage.provider.authentication.credentialsType }}
142139
- name: AWS_ACCESS_KEY_ID
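
Review bot: the replacement `value:` line for `QUARKUS_S3_CHECKSUM_VALIDATION` drops the managed-storage override together with its explanatory comment and the link to cryostat issue 948, so a release with no `storage.provider.url` now renders "true" where it previously rendered "false", and nothing in the template says why that is safe now. Suggest a one-line comment here recording that the override was removed deliberately and that `storage.provider.useChecksumValidation: false` is the opt-out. Minor style point: the removed line used `quote`; `{{ .Values.storage.provider.useChecksumValidation | quote }}` would keep that convention instead of wrapping the action in literal double quotes.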

charts/cryostat/tests/cryostat_deployment_test.yaml

Lines changed: 1 addition & 12 deletions
@@ -129,7 +129,7 @@ tests:
129129
value: "http://RELEASE-NAME-cryostat-storage:8333"
130130
- equal:
131131
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_CHECKSUM_VALIDATION')].value
132-
value: "false"
132+
value: "true"
133133
- notExists:
134134
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_SYNC_CLIENT_TLS_TRUST_MANAGERS_PROVIDER_TYPE')]
135135
- equal:
@@ -254,17 +254,6 @@ tests:
254254
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_CHECKSUM_VALIDATION')].value
255255
value: "false"
256256

257-
- it: should not allow configuration of managed object storage provider with checksum validation
258-
set:
259-
storage:
260-
provider:
261-
# no url configured, so a managed instance will be deployed
262-
useChecksumValidation: true
263-
asserts:
264-
- equal:
265-
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_CHECKSUM_VALIDATION')].value
266-
value: "false"
267-
268257
- it: should allow configuration of presigned downloads separately from presigned transfers
269258
set:
270259
storage:
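
Review bot: the case removed at old lines 257-267 was the only visible test that set `useChecksumValidation` with no `url` configured, and nothing replaces it. Since the value is now passed through unchanged, suggest adding a case that sets `useChecksumValidation: false` without a `url` and asserts that `QUARKUS_S3_CHECKSUM_VALIDATION` equals "false", so the opt-out for managed storage stays covered.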

charts/cryostat/values.schema.json

Lines changed: 1 addition & 1 deletion
@@ -683,7 +683,7 @@
683683
},
684684
"useChecksumValidation": {
685685
"type": "boolean",
686-
"description": "whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default when storage.provider.url is configured, but if not configured and cryostat-storage is deployed then this will be taken as *false*.",
686+
"description": "whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default.",
687687
"default": true
688688
},
689689
"usePathStyleAccess": {

charts/cryostat/values.yaml

Lines changed: 1 addition & 1 deletion
@@ -280,7 +280,7 @@ storage:
280280
provider:
281281
## @param storage.provider.url URL to the S3 object storage provider instance. This can be an in-cluster self-hosted instance with a hostname like s3.storage.local, or it can be an external commercial service. This should include scheme, host, and port. User authenication information should be provided using a *Secret* and *storage.storageSecretName*. If this is not specified then a managed [cryostat-storage](https://github.com/cryostatio/cryostat-storage) instance will be automatically deployed and configured. If an unmanaged S3 instance is specified here then other storage configuration settings (such as at-rest encryption, Pod annotations, Service configurations) do not apply. Production installations of Cryostat should not rely on `cryostat-storage`
282282
url: ""
283-
## @param storage.provider.useChecksumValidation whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default when storage.provider.url is configured, but if not configured and cryostat-storage is deployed then this will be taken as *false*.
283+
## @param storage.provider.useChecksumValidation whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default.
284284
useChecksumValidation: true
285285
## @param storage.provider.usePathStyleAccess whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers.
286286
usePathStyleAccess: true
