diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 1efedb8f..cfdc82ab 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -70,55 +70,56 @@ certificate issuance and rotation. ### Cryostat Container -| Name | Description | Value | -| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | -| `core` | Configuration for the core Cryostat application | | -| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | -| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | -| `core.image.tag` | Tag for the main Cryostat container image | `4.1.0-snapshot` | -| `core.podAnnotations` | Annotations to be applied to the Cryostat Pods | `{}` | -| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | -| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | -| `core.service.annotations` | Annotations to be applied to the Service for Cryostat's HTTP server | `{}` | -| `core.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | -| `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | `false` | -| `core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | -| `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | -| `core.ingress.annotations` | Annotations to apply to the Cryostat application 
Ingress | `{}` | -| `core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | -| `core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | -| `core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `false` | -| `core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls) | `true` | -| `core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` | -| `core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. One of: `Allow`, `Disable`, `Redirect` | `Redirect` | -| `core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` | -| `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | -| `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | -| `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | -| `core.resources.requests.cpu` | CPU resource request for the Cryostat container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `500m` | -| `core.resources.requests.memory` | Memory resource request for the Cryostat container. | `384Mi` | -| `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | -| `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | -| `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | -| `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` | -| `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` | -| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile | `[]` | -| `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. 
| `false` | -| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | -| `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` | -| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | -| `core.config.declarative.fsMode` | default filesystem mode (permissions) for declarative configuration volumes | `440` | -| `core.config.credentials.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are json Stored Credentials, to be mounted to the Cryostat container. | `[]` | -| `core.config.rules.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted to the Cryostat container. | `[]` | -| `core.config.probeTemplates.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted to the Cryostat container. | `[]` | -| `core.config.eventTemplates.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are .jfc (XML) JFR Event Templates, to be mounted to the Cryostat container. | `[]` | -| `core.config.tlsTruststore.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore. 
| `[]` | -| `core.config.extra` | Extra configurations for the main Cryostat container | | -| `core.config.extra.envVars` | Extra environment variables for main Cryostat container container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | -| `core.config.extra.envSources` | Sources for extra variables for main Cryostat container. See: [Define Environment Variables From ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) | `[]` | -| `core.nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | -| `core.tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | -| `core.affinity` | Affinity for the Cryostat Pod. 
See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | +| Name | Description | Value | +| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| `core` | Configuration for the core Cryostat application | | +| `core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` | +| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` | +| `core.image.tag` | Tag for the main Cryostat container image | `4.1.0-snapshot` | +| `core.podAnnotations` | Annotations to be applied to the Cryostat Pods | `{}` | +| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | +| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | +| `core.service.annotations` | Annotations to be applied to the Service for Cryostat's HTTP server | `{}` | +| `core.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | +| `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at 
External Loadbalancer instead of Ingress | `false` | +| `core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | +| `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | +| `core.ingress.annotations` | Annotations to apply to the Cryostat application Ingress | `{}` | +| `core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `false` | +| `core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls) | `true` | +| `core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` | +| `core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. 
One of: `Allow`, `Disable`, `Redirect` | `Redirect` | +| `core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` | +| `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | +| `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | +| `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | +| `core.resources.requests.cpu` | CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `500m` | +| `core.resources.requests.memory` | Memory resource request for the Cryostat container | `384Mi` | +| `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. 
More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | +| `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` | +| `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` | +| `core.discovery.kubernetes.allowAllNamespaces` | When true, this overrides the `core.discovery.kubernetes.namespaces` list and configures the Cryostat application to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the `rbac.create` value is `true`. WARNING: This allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. 
For data security and isolation concerns it is recommended to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each instance as needed | `false` | +| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile | `[]` | +| `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets | `false` | +| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets | `false` | +| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.config.declarative.fsMode` | default filesystem mode (permissions) for declarative configuration volumes | `440` | +| `core.config.credentials.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are json Stored Credentials, to be mounted to the Cryostat container | `[]` | +| `core.config.rules.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted to the Cryostat container | `[]` | +| `core.config.probeTemplates.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted to the Cryostat container | `[]` | +| `core.config.eventTemplates.configMapNames` | List of ConfigMap names. 
Each ConfigMap is expected to contain one or more files, which are .jfc (XML) JFR Event Templates, to be mounted to the Cryostat container | `[]` | +| `core.config.tlsTruststore.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore | `[]` | +| `core.config.extra` | Extra configurations for the main Cryostat container | | +| `core.config.extra.envVars` | Extra environment variables for main Cryostat container container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | +| `core.config.extra.envSources` | Sources for extra variables for main Cryostat container. See: [Define Environment Variables From ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) | `[]` | +| `core.nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | +| `core.tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | +| `core.affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | ### Report Generator Deployment 
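Review bot: the new `core.discovery.kubernetes.allowAllNamespaces` row leaves the `rbac.create=false` path undocumented. It says the ClusterRole and ClusterRoleBinding are created automatically when `rbac.create` is `true`, but not what an operator who manages RBAC out-of-band must create by hand, nor which ServiceAccount the binding has to target, so the minimal cluster-scoped grant cannot be worked out from the README. It also says the setting overrides the `namespaces` list but is silent on whether `installNamespaceDisabled` still has any effect once it is `true`; one sentence on each would close the gap. Since the WARNING already states that every user of the instance can read data from any application in the cluster, it is worth cross-referencing the `authentication.basicAuth.enabled` row further down in this file, whose default `false` is documented as Cryostat performing no authentication at all, so that cluster-wide discovery is only ever enabled behind an authenticating proxy. Two wording nits were carried unchanged into the `+` lines: `core.config.extra.envVars` still reads "main Cryostat container container", and `core.discovery.kubernetes.installNamespaceDisabled` reads "default to discovery targets" where "discovering targets" is meant; both are cheap to fix in the same PR.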
@@ -134,9 +135,9 @@ certificate issuance and rotation. | `reports.service.annotations` | Annotations to be applied to the Service for the Report Generator Deployment | `{}` | | `reports.reportsSecretName` | Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | | `reports.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | -| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | -| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | -| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | +| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own | `0` | +| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment | `500m` | +| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment | `512Mi` | | `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `reports.config.extra` | Extra configurations for the Report Generator container | | | `reports.config.extra.envVars` | Extra environment variables for the Report Generator container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | @@ -158,8 +159,8 @@ certificate issuance and rotation. | `db.service.port` | Port number to expose on the Service | `5432` | | `db.service.annotations` | Annotations to be applied to the Service for the database | `{}` | | `db.resources.requests.cpu` | CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `25m` | -| `db.resources.requests.memory` | Memory resource request for the database container. | `64Mi` | -| `db.pvc.enabled` | Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first. | `false` | +| `db.resources.requests.memory` | Memory resource request for the database container | `64Mi` | +| `db.pvc.enabled` | Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first | `false` | | `db.pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` | | `db.pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` | | `db.pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` | 
@@ -182,14 +183,14 @@ certificate issuance and rotation. | `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | | `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | | `storage.image.tag` | Tag for the storage container image | `latest` | -| `storage.encryption.enabled` | Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security. | `true` | +| `storage.encryption.enabled` | Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security | `true` | | `storage.podAnnotations` | Annotations to be applied to the Storage Pods | `{}` | | `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` | | `storage.service.port` | Port number to expose on the Service | `8333` | | `storage.service.annotations` | Annotations to be applied to the Service for the object storage | `{}` | | `storage.resources.requests.cpu` | CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `50m` | -| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` | -| `storage.pvc.enabled` | Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first. 
| `false` | +| `storage.resources.requests.memory` | Memory resource request for the object storage container | `256Mi` | +| `storage.pvc.enabled` | Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first | `false` | | `storage.pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` | | `storage.pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` | | `storage.pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` | 
@@ -212,7 +213,7 @@ certificate issuance and rotation. | `grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `Always` | | `grafana.image.tag` | Tag for the Grafana container image | `latest` | | `grafana.resources.requests.cpu` | CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `25m` | -| `grafana.resources.requests.memory` | Memory resource request for the Grafana container. | `80Mi` | +| `grafana.resources.requests.memory` | Memory resource request for the Grafana container | `80Mi` | | `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `grafana.config.extra` | Extra configurations for the Grafana container | | | `grafana.config.extra.envVars` | Extra environment variables for for the Grafana container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | 
@@ -229,7 +230,7 @@ certificate issuance and rotation. | `datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `Always` | | `datasource.image.tag` | Tag for the JFR Data Source container image | `latest` | | `datasource.resources.requests.cpu` | CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `200m` | -| `datasource.resources.requests.memory` | Memory resource request for the JFR Data Source container. | `200Mi` | +| `datasource.resources.requests.memory` | Memory resource request for the JFR Data Source container | `200Mi` | | `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `datasource.config.extra` | Extra configurations for the JFR Data Source container | | | `datasource.config.extra.envVars` | Extra environment variables for for the JFR Data Source container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | 
@@ -242,7 +243,7 @@ certificate issuance and rotation. | Name | Description | Value | | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | | `authentication.cookieSecretName` | Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | -| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` | +| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one | `false` | | `authentication.openshift.clusterRole.name` | The name of the ClusterRole to bind for the OpenShift OAuth Proxy | `system:auth-delegator` | | `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. 
When false, Cryostat will not perform any form of authentication | `false` | | `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | 
@@ -250,22 +251,22 @@ certificate issuance and rotation. ### OAuth2 Proxy -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `false` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | -| `oauth2Proxy.config.extra` | Extra configurations for the OAuth2 Proxy container | | -| `oauth2Proxy.config.extra.envVars` | Extra environment variables for the OAuth2 Proxy container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | -| `oauth2Proxy.config.extra.envSources` | Sources for extra variables for the OAuth2 Proxy container. 
See: [Define Environment Variables From ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) | `[]` | -| `oauth2Proxy.config.extra.inPod.main.envVars` | Extra environment variables for the OAuth2 Proxy container **only in the Cryostat main pod** | `[]` | -| `oauth2Proxy.config.extra.inPod.main.envSources` | Sources for extra variables for the OAuth2 Proxy container **only in the Cryostat main pod** | `[]` | -| `oauth2Proxy.config.extra.inPod.reports.envVars` | Extra environment variables for the OAuth2 Proxy container **only in the report generator pods** | `[]` | -| `oauth2Proxy.config.extra.inPod.reports.envSources` | Sources for extra variables for the OAuth2 Proxy container **only in the report generator pods** | `[]` | +| Name | Description | Value | +| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used | `false` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container | `64Mi` | +| `oauth2Proxy.securityContext` | Security 
Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| `oauth2Proxy.config.extra` | Extra configurations for the OAuth2 Proxy container | | +| `oauth2Proxy.config.extra.envVars` | Extra environment variables for the OAuth2 Proxy container. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | +| `oauth2Proxy.config.extra.envSources` | Sources for extra variables for the OAuth2 Proxy container. See: [Define Environment Variables From ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) | `[]` | +| `oauth2Proxy.config.extra.inPod.main.envVars` | Extra environment variables for the OAuth2 Proxy container **only in the Cryostat main pod** | `[]` | +| `oauth2Proxy.config.extra.inPod.main.envSources` | Sources for extra variables for the OAuth2 Proxy container **only in the Cryostat main pod** | `[]` | +| `oauth2Proxy.config.extra.inPod.reports.envVars` | Extra environment variables for the OAuth2 Proxy container **only in the report generator pods** | `[]` | +| `oauth2Proxy.config.extra.inPod.reports.envSources` | Sources for extra variables for the OAuth2 Proxy container **only in the report generator pods** | `[]` | ### OpenShift OAuth Proxy 
@@ -274,16 +275,16 @@ certificate issuance and rotation. | `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | | `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | | `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | -| `openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container. | `25m` | -| `openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container. | `64Mi` | -| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | +| `openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container | `25m` | +| `openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container | `64Mi` | +| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token | `true` | | `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | -| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. 
| `pods` | -| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | -| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | -| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` | -| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for | `pods` | +| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for | `exec` | +| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for | `""` | +| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for | `create` | +| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for | `""` | | `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `openshiftOauthProxy.config.extra` | Extra configurations for the OpenShift OAuth Proxy | | | `openshiftOauthProxy.config.extra.envVars` | Extra environment variables for the OpenShift OAuth Proxy. See: [Define Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | `[]` | 
@@ -306,7 +307,7 @@ certificate issuance and rotation. | `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` | | `podAnnotations` | Annotations to be applied to the various Pods | `{}` | | `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` | -| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` | +| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods | `true` | | `nodeSelector` | default Node Selector for the various Pods. Any Pod which does not have an individual nodeSelector setting will default to this. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | | `tolerations` | default Tolerations for the various Pods. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | | `affinity` | default Affinity for the various Pods. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | 
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 68cc0377..90a39fc0 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -118,16 +118,21 @@ spec: value: http://localhost:3000 - name: GRAFANA_DASHBOARD_EXT_URL value: /grafana/ - {{- if .Values.core.discovery.kubernetes.enabled }} + {{- with .Values.core.discovery.kubernetes }} + {{- if .enabled }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED value: "true" - {{- with .Values.core.discovery.kubernetes }} - - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES - value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS value: {{ include "cryostat.commaSepList" (list .portNumbers 9091 .builtInPortNumbersDisabled) }} + {{- if .allowAllNamespaces }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES + value: '*' + {{- else }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES + value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }} + {{- end }} {{- end }} {{- end }} {{- with (.Values.core.config.extra).envVars }} diff --git a/charts/cryostat/templates/discovery_clusterrole.yaml b/charts/cryostat/templates/discovery_clusterrole.yaml new file mode 100644 index 00000000..963ec668 --- /dev/null +++ b/charts/cryostat/templates/discovery_clusterrole.yaml 
@@ -0,0 +1,52 @@ +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allowAllNamespaces -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cryostat.fullname" . }}-discovery + labels: + {{- include "cryostat.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + - replicationcontrollers + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list +{{- end -}} diff --git a/charts/cryostat/templates/discovery_clusterrolebinding.yaml b/charts/cryostat/templates/discovery_clusterrolebinding.yaml new file mode 100644 index 00000000..f13c7e4b --- /dev/null +++ b/charts/cryostat/templates/discovery_clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allowAllNamespaces -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cryostat.fullname" . }}-discovery + labels: + {{- include "cryostat.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cryostat.fullname" . }}-discovery +subjects: +- kind: ServiceAccount + name: {{ include "cryostat.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/cryostat/templates/role.yaml b/charts/cryostat/templates/role.yaml index d99b2ad4..02ffe1ff 100644 --- a/charts/cryostat/templates/role.yaml +++ b/charts/cryostat/templates/role.yaml 
@@ -50,7 +50,7 @@ rules: {{- end -}} {{- end -}} -{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}} +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled (not .Values.core.discovery.kubernetes.allowAllNamespaces) -}} {{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}} {{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}} {{- $watchNs = list .Release.Namespace -}} diff --git a/charts/cryostat/templates/rolebinding.yaml b/charts/cryostat/templates/rolebinding.yaml index b2404966..bcd71608 100644 --- a/charts/cryostat/templates/rolebinding.yaml +++ b/charts/cryostat/templates/rolebinding.yaml @@ -20,7 +20,7 @@ subjects: {{- end -}} {{- end -}} -{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}} +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled (not .Values.core.discovery.kubernetes.allowAllNamespaces) -}} {{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}} {{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}} {{- $watchNs = list .Release.Namespace -}} diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index aefb3cfb..a468e297 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml 
@@ -1204,3 +1204,120 @@ tests: - secretRef: name: sercret-special-config-for-main optional: false + + - it: should allow Kubernetes discovery disabling + set: + core.discovery.kubernetes.enabled: false + asserts: + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')] + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')] + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')] + - notExists: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')] + + - it: should allow Kubernetes discovery built-in names and number disabling + set: + core.discovery.kubernetes.builtInPortNamesDisabled: true + core.discovery.kubernetes.builtInPortNumbersDisabled: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "" + + - it: should allow Kubernetes discovery namespaces customization + set: + core.discovery.kubernetes.namespaces: ['a', 'b'] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "a,b" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + + - it: should allow Kubernetes discovery port name customization + set: + core.discovery.kubernetes.portNames: ['a', 'b'] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "a,b" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + + - it: should allow Kubernetes discovery port number customization + set: + core.discovery.kubernetes.portNumbers: [1, 2] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "1,2" + + - it: should allow Kubernetes All Namespaces 
mode + set: + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "*" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + + - it: Kubernetes All Namespaces mode should override individual namespace settings + set: + core.discovery.kubernetes.allowAllNamespaces: true + core.discovery.kubernetes.namespaces: ['a', 'b'] + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "*" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" diff --git a/charts/cryostat/tests/discovery_clusterrole_test.yaml b/charts/cryostat/tests/discovery_clusterrole_test.yaml new file mode 100644 index 00000000..7381b078 --- /dev/null +++ b/charts/cryostat/tests/discovery_clusterrole_test.yaml 
@@ -0,0 +1,101 @@ +suite: test discovery_clusterrole.yaml +templates: + - discovery_clusterrole.yaml + +tests: + - it: should do nothing if Kubernetes All Namespaces discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: false + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if Kubernetes discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: false + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if RBAC creation is not enabled + set: + rbac.create: false + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should create ClusterRole + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-discovery + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.1.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + - equal: + path: rules + value: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - list + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - replicationcontrollers + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list 
diff --git a/charts/cryostat/tests/discovery_clusterrolebinding_test.yaml b/charts/cryostat/tests/discovery_clusterrolebinding_test.yaml new file mode 100644 index 00000000..bf93442b --- /dev/null +++ b/charts/cryostat/tests/discovery_clusterrolebinding_test.yaml @@ -0,0 +1,67 @@ +suite: test discovery_clusterrolebinding.yaml +templates: + - discovery_clusterrolebinding.yaml + +tests: + - it: should do nothing if Kubernetes All Namespaces discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: false + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if Kubernetes discovery is not enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: false + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should do nothing if RBAC creation is not enabled + set: + rbac.create: false + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 0 + + - it: should create ClusterRoleBinding + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-discovery + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.1.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + - equal: + path: roleRef + value: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: RELEASE-NAME-cryostat-discovery + - equal: + path: subjects + value: + - kind: ServiceAccount + name: RELEASE-NAME-cryostat + namespace: NAMESPACE 
diff --git a/charts/cryostat/tests/role_test.yaml b/charts/cryostat/tests/role_test.yaml index 746eab0b..68de7c23 100644 --- a/charts/cryostat/tests/role_test.yaml +++ b/charts/cryostat/tests/role_test.yaml @@ -3,6 +3,16 @@ templates: - role.yaml tests: + + - it: should not be created if All Namespaces discovery is enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 0 + - it: should create Roles in target namespace set: rbac.create: true diff --git a/charts/cryostat/tests/rolebinding_test.yaml b/charts/cryostat/tests/rolebinding_test.yaml index 05d36845..c00d24ae 100644 --- a/charts/cryostat/tests/rolebinding_test.yaml +++ b/charts/cryostat/tests/rolebinding_test.yaml @@ -3,6 +3,16 @@ templates: - rolebinding.yaml tests: + + - it: should not be created if All Namespaces discovery is enabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.allowAllNamespaces: true + asserts: + - hasDocuments: + count: 0 + - it: should create a RoleBinding in the default namespace set: rbac.create: true diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index fb9aaca8..05d3a856 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -174,7 +174,7 @@ }, "memory": { "type": "string", - "description": "Memory resource request for the Cryostat container.", + "description": "Memory resource request for the Cryostat container", "default": "384Mi" } } 
@@ -227,6 +227,11 @@ "description": "When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)", "default": false }, + "allowAllNamespaces": { + "type": "boolean", + "description": "When true, this overrides the `core.discovery.kubernetes.namespaces` list and configures the Cryostat application to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the `rbac.create` value is `true`. WARNING: This allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is recommended to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each instance as needed", + "default": false + }, "namespaces": { "type": "array", "description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile", @@ -235,7 +240,7 @@ }, "builtInPortNamesDisabled": { "type": "boolean", - "description": "When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets.", + "description": "When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets", "default": false }, "portNames": { 
@@ -246,7 +251,7 @@ }, "builtInPortNumbersDisabled": { "type": "boolean", - "description": "When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets.", + "description": "When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets", "default": false }, "portNumbers": { @@ -277,7 +282,7 @@ "properties": { "secretNames": { "type": "array", - "description": "List of Secret names. Each Secret is expected to contain one or more files, which are json Stored Credentials, to be mounted to the Cryostat container.", + "description": "List of Secret names. Each Secret is expected to contain one or more files, which are json Stored Credentials, to be mounted to the Cryostat container", "default": [], "items": {} } @@ -288,7 +293,7 @@ "properties": { "configMapNames": { "type": "array", - "description": "List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted to the Cryostat container.", + "description": "List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted to the Cryostat container", "default": [], "items": {} } @@ -299,7 +304,7 @@ "properties": { "configMapNames": { "type": "array", - "description": "List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted to the Cryostat container.", + "description": "List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted to the Cryostat container", "default": [], "items": {} } 
@@ -310,7 +315,7 @@ "properties": { "configMapNames": { "type": "array", - "description": "List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are .jfc (XML) JFR Event Templates, to be mounted to the Cryostat container.", + "description": "List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are .jfc (XML) JFR Event Templates, to be mounted to the Cryostat container", "default": [], "items": {} } @@ -321,7 +326,7 @@ "properties": { "secretNames": { "type": "array", - "description": "List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore.", + "description": "List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore", "default": [], "items": {} } @@ -439,7 +444,7 @@ }, "replicas": { "type": "number", - "description": "Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own.", + "description": "Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own", "default": 0 }, "resources": { 
@@ -450,12 +455,12 @@ "properties": { "cpu": { "type": "string", - "description": "CPU resource request for each Pod in the Report Generator Deployment.", + "description": "CPU resource request for each Pod in the Report Generator Deployment", "default": "500m" }, "memory": { "type": "string", - "description": "Memory resource request for each Pod in the Report Generator Deployment.", + "description": "Memory resource request for each Pod in the Report Generator Deployment", "default": "512Mi" } } @@ -568,7 +573,7 @@ }, "memory": { "type": "string", - "description": "Memory resource request for the database container.", + "description": "Memory resource request for the database container", "default": "64Mi" } } @@ -580,7 +585,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first.", + "description": "Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first", "default": false }, "storage": { 
@@ -688,7 +693,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security.", + "description": "Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security", "default": true } } @@ -721,7 +726,7 @@ }, "memory": { "type": "string", - "description": "Memory resource request for the object storage container.", + "description": "Memory resource request for the object storage container", "default": "256Mi" } } @@ -733,7 +738,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first.", + "description": "Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first", "default": false }, "storage": { @@ -844,7 +849,7 @@ }, "memory": { "type": "string", - "description": "Memory resource request for the Grafana container.", + "description": "Memory resource request for the Grafana container", "default": "80Mi" } } @@ -942,7 +947,7 @@ }, "memory": { "type": "string", - "description": "Memory resource request for the JFR Data Source container.", + "description": "Memory resource request for the JFR Data Source container", "default": "200Mi" } } 
@@ -1035,7 +1040,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", + "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used", "default": false } } @@ -1050,12 +1055,12 @@ "properties": { "cpu": { "type": "string", - "description": "CPU resource request for the OAuth2 Proxy container.", + "description": "CPU resource request for the OAuth2 Proxy container", "default": "25m" }, "memory": { "type": "string", - "description": "Memory resource request for the OAuth2 Proxy container.", + "description": "Memory resource request for the OAuth2 Proxy container", "default": "64Mi" } } @@ -1138,7 +1143,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.", + "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one", "default": false }, "clusterRole": { @@ -1231,12 +1236,12 @@ "properties": { "cpu": { "type": "string", - "description": "CPU resource request for the OpenShift OAuth Proxy container.", + "description": "CPU resource request for the OpenShift OAuth Proxy container", "default": "25m" }, "memory": { "type": "string", - "description": "Memory resource request for the OpenShift OAuth Proxy container.", + "description": "Memory resource request for the OpenShift OAuth Proxy container", "default": "64Mi" } } 
@@ -1248,7 +1253,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.", + "description": "Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token", "default": true }, "group": { 
@@ -1258,32 +1263,32 @@ }, "resource": { "type": "string", - "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.", + "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for", "default": "pods" }, "subresource": { "type": "string", - "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.", + "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for", "default": "exec" }, "name": { "type": "string", - "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.", + "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for", "default": "" }, "namespace": { "type": "string", - "description": "The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.", + "description": "The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for", "default": "{{ .Release.Namespace }}" }, "verb": { "type": "string", - "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.", + "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for", "default": "create" }, "version": { "type": "string", - "description": "The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.", + "description": "The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for", "default": "" } } 
@@ -1420,7 +1425,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods.", + "description": "whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods", "default": true } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index cbd27013..8c9074ec 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -60,7 +60,7 @@ core: requests: ## @param core.resources.requests.cpu CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) cpu: 500m - ## @param core.resources.requests.memory Memory resource request for the Cryostat container. + ## @param core.resources.requests.memory Memory resource request for the Cryostat container memory: 384Mi ## @param core.securityContext [object] Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -79,13 +79,15 @@ core: enabled: true ## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) installNamespaceDisabled: false + ## @param core.discovery.kubernetes.allowAllNamespaces When true, this overrides the `core.discovery.kubernetes.namespaces` list and configures the Cryostat application to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the `rbac.create` value is `true`. WARNING: This allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is recommended to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each instance as needed + allowAllNamespaces: false ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile namespaces: [] - ## @param core.discovery.kubernetes.builtInPortNamesDisabled When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. 
+ ## @param core.discovery.kubernetes.builtInPortNamesDisabled When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets builtInPortNamesDisabled: false ## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable portNames: [] - ## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. + ## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets builtInPortNumbersDisabled: false ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable portNumbers: [] 
@@ -94,19 +96,19 @@ core: ## @param core.config.declarative.fsMode default filesystem mode (permissions) for declarative configuration volumes fsMode: 0440 credentials: - ## @param core.config.credentials.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are json Stored Credentials, to be mounted to the Cryostat container. + ## @param core.config.credentials.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are json Stored Credentials, to be mounted to the Cryostat container secretNames: [] rules: - ## @param core.config.rules.configMapNames [array] List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted to the Cryostat container. + ## @param core.config.rules.configMapNames [array] List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted to the Cryostat container configMapNames: [] probeTemplates: - ## @param core.config.probeTemplates.configMapNames [array] List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted to the Cryostat container. + ## @param core.config.probeTemplates.configMapNames [array] List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted to the Cryostat container configMapNames: [] eventTemplates: - ## @param core.config.eventTemplates.configMapNames [array] List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are .jfc (XML) JFR Event Templates, to be mounted to the Cryostat container. + ## @param core.config.eventTemplates.configMapNames [array] List of ConfigMap names. 
Each ConfigMap is expected to contain one or more files, which are .jfc (XML) JFR Event Templates, to be mounted to the Cryostat container configMapNames: [] tlsTruststore: - ## @param core.config.tlsTruststore.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore. + ## @param core.config.tlsTruststore.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore secretNames: [] ## @extra core.config.extra Extra configurations for the main Cryostat container extra: 
@@ -169,13 +171,13 @@ reports: log: ## @param reports.debug.log.level Log level for troubleshooting and debugging level: INFO - ## @param reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. + ## @param reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own replicas: 0 resources: requests: - ## @param reports.resources.requests.cpu CPU resource request for each Pod in the Report Generator Deployment. + ## @param reports.resources.requests.cpu CPU resource request for each Pod in the Report Generator Deployment cpu: 500m - ## @param reports.resources.requests.memory Memory resource request for each Pod in the Report Generator Deployment. + ## @param reports.resources.requests.memory Memory resource request for each Pod in the Report Generator Deployment memory: 512Mi ## @param reports.securityContext [object] Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -222,10 +224,10 @@ db: requests: ## @param db.resources.requests.cpu CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) cpu: 25m - ## @param db.resources.requests.memory Memory resource request for the database container. + ## @param db.resources.requests.memory Memory resource request for the database container memory: 64Mi pvc: - ## @param db.pvc.enabled Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first. + ## @param db.pvc.enabled Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first enabled: false ## @param db.pvc.annotations [object] Annotations to add to the persistentVolumeClaim annotations: {} @@ -273,7 +275,7 @@ storage: ## @param storage.image.tag Tag for the storage container image tag: "latest" encryption: - ## @param storage.encryption.enabled Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security. + ## @param storage.encryption.enabled Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security enabled: true ## @param storage.podAnnotations [object] Annotations to be applied to the Storage Pods podAnnotations: {} 
@@ -288,10 +290,10 @@ storage: requests: ## @param storage.resources.requests.cpu CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) cpu: 50m - ## @param storage.resources.requests.memory Memory resource request for the object storage container. + ## @param storage.resources.requests.memory Memory resource request for the object storage container memory: 256Mi pvc: - ## @param storage.pvc.enabled Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first. + ## @param storage.pvc.enabled Specify whether to use persistentVolumeClaim (true) or EmptyDir storage (false). This is recommended to be enabled, but the storage size and selector should be chosen carefully first enabled: false ## @param storage.pvc.annotations [object] Annotations to add to the persistentVolumeClaim annotations: {} @@ -340,7 +342,7 @@ grafana: requests: ## @param grafana.resources.requests.cpu CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) cpu: 25m - ## @param grafana.resources.requests.memory Memory resource request for the Grafana container. + ## @param grafana.resources.requests.memory Memory resource request for the Grafana container memory: 80Mi ## @param grafana.securityContext [object] Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -376,7 +378,7 @@ datasource: requests: ## @param datasource.resources.requests.cpu CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) cpu: 200m - ## @param datasource.resources.requests.memory Memory resource request for the JFR Data Source container. + ## @param datasource.resources.requests.memory Memory resource request for the JFR Data Source container memory: 200Mi ## @param datasource.securityContext [object] Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: @@ -404,7 +406,7 @@ authentication: ## @param authentication.cookieSecretName Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable cookieSecretName: "" openshift: - ## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. + ## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one enabled: false clusterRole: ## @param authentication.openshift.clusterRole.name The name of the ClusterRole to bind for the OpenShift OAuth Proxy 
@@ -429,15 +431,15 @@ oauth2Proxy: tag: "latest" tls: selfSigned: - ## @param oauth2Proxy.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. + ## @param oauth2Proxy.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used enabled: false resources: requests: - ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container. + ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container cpu: 25m - ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container. + ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container memory: 64Mi - ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). + ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false 
@@ -476,26 +478,26 @@ openshiftOauthProxy: tag: "cryostat-v3.0" resources: requests: - ## @param openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container. + ## @param openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container cpu: 25m - ## @param openshiftOauthProxy.resources.requests.memory Memory resource request for the OpenShift OAuth Proxy container. + ## @param openshiftOauthProxy.resources.requests.memory Memory resource request for the OpenShift OAuth Proxy container memory: 64Mi accessReview: - ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. + ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token enabled: true ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure group: "" - ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. + ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for resource: "pods" - ## @param openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. 
+ ## @param openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for subresource: "exec" - ## @param openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. + ## @param openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for name: "" - ## @param openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. + ## @param openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for namespace: "{{ .Release.Namespace }}" - ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. + ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for verb: "create" - ## @param openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. + ## @param openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for version: "" ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: 
@@ -558,7 +560,7 @@ podSecurityContext: networkPolicy: ingress: - ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. + ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods enabled: true ## @param nodeSelector [object] default Node Selector for the various Pods. Any Pod which does not have an individual nodeSelector setting will default to this. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)
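Review bot: In the values.schema.json hunk `@@ -1258,32 +1263,32 @@`, the `subresource` and `verb` descriptions are copy-paste errors that this pass carries over unchanged: `subresource` still reads "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for" (identical to `resource`), and `verb` still reads "The OpenShift resource name that ..." (identical to `name`). Since these two `description` lines are already being touched to drop the trailing period, correct them in the same change, e.g. "The OpenShift subresource that the SubjectAccessReview/TokenAccessReview will be performed for" and "The OpenShift verb that the SubjectAccessReview/TokenAccessReview will be performed for"; the access review result depends on both fields, so the docs should say what each one is.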
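Review bot: The values.yaml hunk `@@ -476,26 +478,26 @@` has the same mislabelled `@param` comments as the schema: `openshiftOauthProxy.accessReview.subresource` is described as "The OpenShift resource that ..." and `openshiftOauthProxy.accessReview.verb` as "The OpenShift resource name that ...". Fix the wording here too, otherwise the README regenerated from these `@param` annotations will keep the wrong text for the two fields (`subresource: "exec"`, `verb: "create"`) that determine which permission the proxy checks.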
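Review bot: In the values.yaml hunk `@@ -79,13 +79,15 @@`, the new `core.discovery.kubernetes.allowAllNamespaces` value is the only functional addition in this patch, yet none of the visible values.schema.json hunks adds a matching `allowAllNamespaces` property (they all only strip trailing periods). Confirm the schema and the README parameter table gain the entry, including its `default: false`, so that the warning about cluster-wide discovery and the `rbac.create` ClusterRole/ClusterRoleBinding requirement actually reaches users reading the generated docs, and so that schema validation does not reject the new key.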
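Review bot: Style point in the values.schema.json hunk `@@ -1420,7 +1425,7 @@` and the matching values.yaml hunk `@@ -558,7 +560,7 @@`: the `networkPolicy.ingress.enabled` description starts with a lowercase "whether a NetworkPolicy for restricting ...", while every other description in this patch starts with a capital letter (for example "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used"). Capitalise it in both files while the lines are being edited.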