feat(storage): add toggle for presigned file transfers (#269)

Author: andrewazores

charts/cryostat/README.md

@@ -185,6 +185,8 @@ certificate issuance and rotation.
 | `storage.storageSecretName`                       | Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. If using an external S3 provider requiring authentication then this **must** be provided. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable)                                                                                                           | `""`                                |
 | `storage.provider.url`                            | URL to the S3 object storage provider instance. This can be an in-cluster self-hosted instance with a hostname like s3.storage.local, or it can be an external commercial service. This should include scheme, host, and port. User authenication information should be provided using a *Secret* and *storage.storageSecretName*. If this is not specified then a managed [cryostat-storage](https://github.com/cryostatio/cryostat-storage) instance will be automatically deployed and configured. If an unmanaged S3 instance is specified here then other storage configuration settings (such as at-rest encryption, Pod annotations, Service configurations) do not apply. Production installations of Cryostat should not rely on `cryostat-storage` | `""`                                |
 | `storage.provider.usePathStyleAccess`             | whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers.                                                                                                                                                                                                                                                                                                                                                              | `true`                              |
+| `storage.provider.usePresignedRecordingTransfers` | whether object storage presigned GET URLs should be used for transferring files between Cryostat components (ex. for automated analysis report generation). If this is disabled then Cryostat will act as a "network pipe" between other components and handle streaming file contents. This is *true* by default to reduce network utilization and request latency                                                                                                                                                                                                                                                                                                                                                                                          | `true`                              |
+| `storage.provider.usePresignedDownloads`          | whether object storage presigned GET URLs should be used for downloading files via the user's browser. If this is disabled then Cryostat will act as a "network pipe" between storage and the user's browser and handle streaming file contents. If the object storage URLs are not accessible from the user's network location then this must be disabled, otherwise enabling it will reduce network utilization and request latency. This is *false* by default                                                                                                                                                                                                                                                                                            | `false`                             |
 | `storage.provider.region`                         | S3 object storage provider region. This may be used by the storage provider to geolocate the physical storage in a particular region for regulatory, performance, or cost reasons                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | `""`                                |
 | `storage.provider.authentication.credentialsType` | configuration for how the S3 client will locate credentials for the S3 service. See: [Quarkus S3 client](https://docs.quarkiverse.io/quarkus-amazon-services/dev/amazon-s3.html#)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | `default`                           |
 | `storage.provider.tls.trustAll`                   | enable this to disable TLS certificate verification on the S3 client                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | `false`                             |

charts/cryostat/templates/cryostat_deployment.yaml

@@ -114,6 +114,10 @@ spec:
             value: {{ default (printf "http://%s-storage:8333" $fullName) .Values.storage.provider.url }}
           - name: QUARKUS_S3_PATH_STYLE_ACCESS
             value: "{{ .Values.storage.provider.usePathStyleAccess }}"
+          - name: STORAGE_PRESIGNED_TRANSFERS_ENABLED
+            value: "{{ .Values.storage.provider.usePresignedRecordingTransfers }}"
+          - name: STORAGE_PRESIGNED_DOWNLOADS_ENABLED
+            value: "{{ .Values.storage.provider.usePresignedDownloads }}"
           - name: QUARKUS_S3_AWS_REGION
             # if an external provider URL is supplied then a region must also be supplied.
             # Otherwise we are deploying a managed storage instance and can set a default value

charts/cryostat/tests/cryostat_deployment_test.yaml

@@ -132,6 +132,9 @@ tests:
       - equal:
           path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_PATH_STYLE_ACCESS')].value
           value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_PRESIGNED_TRANSFERS_ENABLED')].value
+          value: "true"
       - equal:
           path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_REGION')].value
           value: "us-east-1"
@@ -200,6 +203,50 @@ tests:
       - notExists:
           path: spec.template.spec.contains[?(@.name=='cryostat')].volumeMounts
 
+  - it: should allow configuration of external object storage provider
+    set:
+      storage:
+        provider:
+          url: 'https://s3.example.com:1234'
+          usePathStyleAccess: true
+          usePresignedRecordingTransfers: false
+          region: 'a-b1'
+          metadata:
+            storageMode: bucket
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_ENDPOINT_OVERRIDE')].value
+          value: "https://s3.example.com:1234"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_PATH_STYLE_ACCESS')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_PRESIGNED_TRANSFERS_ENABLED')].value
+          value: "false"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_PRESIGNED_DOWNLOADS_ENABLED')].value
+          value: "false"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_REGION')].value
+          value: "a-b1"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_METADATA_STORAGE_MODE')].value
+          value: "bucket"
+
+  - it: should allow configuration of presigned downloads separately from presigned transfers
+    set:
+      storage:
+        provider:
+          usePresignedRecordingTransfers: true
+          usePresignedDownloads: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_PRESIGNED_TRANSFERS_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_PRESIGNED_DOWNLOADS_ENABLED')].value
+          value: "false"
+
   - it: should allow overriding S3 bucket names
     set:
       storage:

charts/cryostat/values.schema.json

@@ -676,6 +676,16 @@
                             "description": "whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers.",
                             "default": true
                         },
+                        "usePresignedRecordingTransfers": {
+                            "type": "boolean",
+                            "description": "whether object storage presigned GET URLs should be used for transferring files between Cryostat components (ex. for automated analysis report generation). If this is disabled then Cryostat will act as a \"network pipe\" between other components and handle streaming file contents. This is *true* by default to reduce network utilization and request latency",
+                            "default": true
+                        },
+                        "usePresignedDownloads": {
+                            "type": "boolean",
+                            "description": "whether object storage presigned GET URLs should be used for downloading files via the user's browser. If this is disabled then Cryostat will act as a \"network pipe\" between storage and the user's browser and handle streaming file contents. If the object storage URLs are not accessible from the user's network location then this must be disabled, otherwise enabling it will reduce network utilization and request latency. This is *false* by default",
+                            "default": false
+                        },
                         "region": {
                             "type": "string",
                             "description": "S3 object storage provider region. This may be used by the storage provider to geolocate the physical storage in a particular region for regulatory, performance, or cost reasons",

charts/cryostat/values.yaml

@@ -279,6 +279,10 @@ storage:
     url: ""
     ## @param storage.provider.usePathStyleAccess whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers.
     usePathStyleAccess: true
+    ## @param storage.provider.usePresignedRecordingTransfers whether object storage presigned GET URLs should be used for transferring files between Cryostat components (ex. for automated analysis report generation). If this is disabled then Cryostat will act as a "network pipe" between other components and handle streaming file contents. This is *true* by default to reduce network utilization and request latency
+    usePresignedRecordingTransfers: true
+    ## @param storage.provider.usePresignedDownloads whether object storage presigned GET URLs should be used for downloading files via the user's browser. If this is disabled then Cryostat will act as a "network pipe" between storage and the user's browser and handle streaming file contents. If the object storage URLs are not accessible from the user's network location then this must be disabled, otherwise enabling it will reduce network utilization and request latency. This is *false* by default
+    usePresignedDownloads: false
     ## @param storage.provider.region S3 object storage provider region. This may be used by the storage provider to geolocate the physical storage in a particular region for regulatory, performance, or cost reasons
     region: ''
     authentication: