Merged
65 changes: 38 additions & 27 deletions charts/cryostat/README.md

Large diffs are not rendered by default.

38 changes: 27 additions & 11 deletions charts/cryostat/templates/cryostat_deployment.yaml
@@ -91,27 +91,43 @@ spec:
- name: QUARKUS_DATASOURCE_JDBC_URL
value: jdbc:postgresql://{{ $fullName }}-db:5432/cryostat
- name: STORAGE_BUCKETS_ARCHIVES_NAME
value: archivedrecordings
value: {{ .Values.storage.buckets.names.archivedRecordings }}
- name: STORAGE_BUCKETS_EVENT_TEMPLATES_NAME
value: {{ .Values.storage.buckets.names.eventTemplates }}
- name: STORAGE_BUCKETS_PROBE_TEMPLATES_NAME
value: {{ .Values.storage.buckets.names.jmcAgentProbeTemplates }}
- name: STORAGE_BUCKETS_METADATA_NAME
value: {{ .Values.storage.buckets.names.metadata }}
- name: CRYOSTAT_SERVICES_REPORTS_STORAGE_CACHE_NAME
value: {{ .Values.storage.buckets.names.archivedReports }}
- name: STORAGE_METADATA_STORAGE_MODE
value: {{ .Values.storage.provider.metadata.storageMode }}
{{- if (.Values.storage.provider.tls).trustAll }}
- name: QUARKUS_S3_SYNC_CLIENT_TLS_TRUST_MANAGERS_PROVIDER_TYPE
value: trust-all
{{- end }}
- name: QUARKUS_S3_ENDPOINT_OVERRIDE
value: http://{{ $fullName }}-storage:8333
value: {{ default (printf "http://%s-storage:8333" $fullName) .Values.storage.provider.url }}
- name: QUARKUS_S3_PATH_STYLE_ACCESS
value: "true"
value: "{{ .Values.storage.provider.usePathStyleAccess }}"
- name: QUARKUS_S3_AWS_REGION
value: us-east-1
# if an external provider URL is supplied then a region must also be supplied.
# Otherwise we are deploying a managed storage instance and can set a default value
value: {{ ternary .Values.storage.provider.region "us-east-1" (not (empty .Values.storage.provider.url)) }}
- name: QUARKUS_S3_AWS_CREDENTIALS_TYPE
value: static
- name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID
value: cryostat
value: {{ .Values.storage.provider.authentication.credentialsType }}
- name: AWS_ACCESS_KEY_ID
value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID)
- name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY
key: STORAGE_ACCESS_KEY_ID
optional: false
- name: AWS_SECRET_ACCESS_KEY
value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY)
valueFrom:
secretKeyRef:
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY
optional: false
- name: GRAFANA_DATASOURCE_URL
value: http://localhost:8800
- name: GRAFANA_DASHBOARD_URL
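Review bot: The `storage.provider.tls.trustAll` branch sets `QUARKUS_S3_SYNC_CLIENT_TLS_TRUST_MANAGERS_PROVIDER_TYPE` to `trust-all` with no comment on its effect: the S3 client then accepts any server certificate, so once `storage.provider.url` points outside the cluster, requests signed with the credentials injected further down, and the recording data they carry, go to an endpoint whose identity is never verified. I would add a comment inside the `if`, in the style this change already uses for the region, for example `# trust-all disables S3 server certificate validation; use only against test endpoints`, and state the same next to the value in the README (its diff is not rendered on this page). Separately, the `QUARKUS_S3_AWS_REGION` line renders an empty value when a URL is set without `storage.provider.region`; since the new comment says a region must then be supplied, an `if`/`else` whose URL branch is `value: {{ required "storage.provider.region must be set when storage.provider.url is set" .Values.storage.provider.region | quote }}` would fail at render time instead. The enclosing env list starts and ends outside the hunk.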
2 changes: 2 additions & 0 deletions charts/cryostat/templates/networkpolicy_ingress.yaml
@@ -62,6 +62,7 @@ spec:
ports:
- protocol: TCP
port: 5432
{{- if (empty (.Values.storage.provider).url) }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
@@ -92,3 +93,4 @@ spec:
- protocol: TCP
port: 8333
{{- end }}
{{- end }}
10 changes: 8 additions & 2 deletions charts/cryostat/templates/storage_deployment.yaml
@@ -1,5 +1,6 @@
{{- $fullName := include "cryostat.fullname" . -}}
---
{{- if (empty (.Values.storage.provider).url) }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -42,9 +43,13 @@ spec:
imagePullPolicy: {{ (.Values.storage).image.pullPolicy }}
env:
- name: CRYOSTAT_BUCKETS
value: archivedrecordings,archivedreports,eventtemplates,probes
value: {{ join "," (.Values.storage.buckets.names | values | uniq | sortAlpha) }}
- name: CRYOSTAT_ACCESS_KEY
value: cryostat
valueFrom:
secretKeyRef:
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY_ID
optional: false
- name: CRYOSTAT_SECRET_KEY
valueFrom:
secretKeyRef:
@@ -117,3 +122,4 @@ spec:
- name: {{ .Chart.Name }}-storage
emptyDir: {}
{{- end }}
{{- end }}
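Review bot: `CRYOSTAT_ACCESS_KEY` now reads `STORAGE_ACCESS_KEY_ID` through a `secretKeyRef` with `optional: false`, while the Secret name still falls back from `storage.storageSecretName`, so a user-supplied Secret created for an earlier chart version that holds only `STORAGE_ACCESS_KEY` will presumably leave the container unable to start after an upgrade. The same reference is added for `AWS_ACCESS_KEY_ID` in cryostat_deployment.yaml. I would document the contract where the name is resolved, e.g. `# a Secret named by storage.storageSecretName must define both STORAGE_ACCESS_KEY_ID and STORAGE_ACCESS_KEY`, and repeat it in the upgrade notes if the README change (not rendered on this page) does not already cover it. The env list continues outside the hunk.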
2 changes: 1 addition & 1 deletion charts/cryostat/templates/storage_pvc.yaml
@@ -1,4 +1,4 @@
{{- if ((.Values.storage.pvc).enabled) }}
{{- if and (empty (.Values.storage.provider).url) ((.Values.storage.pvc).enabled) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
1 change: 1 addition & 0 deletions charts/cryostat/templates/storage_secret.yaml
@@ -7,5 +7,6 @@ metadata:
{{- include "cryostat.labels" $ | nindent 4 }}
type: Opaque
data:
STORAGE_ACCESS_KEY_ID: {{ b64enc "cryostat" }}
STORAGE_ACCESS_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
{{- end -}}
2 changes: 2 additions & 0 deletions charts/cryostat/templates/storage_service.yaml
@@ -1,5 +1,6 @@
{{- $fullName := include "cryostat.fullname" . -}}
---
{{- if (empty (.Values.storage.provider).url) }}
apiVersion: v1
kind: Service
metadata:
@@ -18,3 +19,4 @@ spec:
selector:
{{- include "cryostat.selectorLabels" $ | nindent 4 }}
app.kubernetes.io/component: storage
{{- end }}
79 changes: 67 additions & 12 deletions charts/cryostat/tests/cryostat_deployment_test.yaml
@@ -103,33 +103,44 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_ARCHIVES_NAME')].value
value: "archivedrecordings"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_EVENT_TEMPLATES_NAME')].value
value: "eventtemplates"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_PROBE_TEMPLATES_NAME')].value
value: "probes"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_METADATA_NAME')].value
value: "metadata"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_METADATA_STORAGE_MODE')].value
value: "tagging"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_SERVICES_REPORTS_STORAGE_CACHE_NAME')].value
value: "archivedreports"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_ENDPOINT_OVERRIDE')].value
value: "http://RELEASE-NAME-cryostat-storage:8333"
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_SYNC_CLIENT_TLS_TRUST_MANAGERS_PROVIDER_TYPE')]
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_PATH_STYLE_ACCESS')].value
value: "true"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_REGION')].value
value: "us-east-1"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_TYPE')].value
value: "static"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID')].value
value: "cryostat"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_ACCESS_KEY_ID')].value
value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID)
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_ACCESS_KEY_ID')].valueFrom.secretKeyRef
value:
key: "STORAGE_ACCESS_KEY_ID"
name: "RELEASE-NAME-storage-secret"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef
value:
key: "STORAGE_ACCESS_KEY"
name: "RELEASE-NAME-storage-secret"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].value
value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY)
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value
- equal:
@@ -183,6 +194,50 @@ tests:
- notExists:
path: spec.template.spec.contains[?(@.name=='cryostat')].volumeMounts

- it: should allow overriding S3 bucket names
set:
storage:
provider:
metadata:
storageMode: bucket
buckets:
names:
archivedRecordings: a
archivedReports: b
eventTemplates: c
jmcAgentProbeTemplates: d
metadata: e
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_METADATA_STORAGE_MODE')].value
value: "bucket"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_ARCHIVES_NAME')].value
value: "a"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_SERVICES_REPORTS_STORAGE_CACHE_NAME')].value
value: "b"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_EVENT_TEMPLATES_NAME')].value
value: "c"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_PROBE_TEMPLATES_NAME')].value
value: "d"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_METADATA_NAME')].value
value: "e"

- it: should allow disabling S3 TLS validation
set:
storage:
provider:
tls:
trustAll: true
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_SYNC_CLIENT_TLS_TRUST_MANAGERS_PROVIDER_TYPE')].value
value: trust-all

- it: should set log level
set:
core:
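Review bot: No test case in this section sets `storage.provider.url`, so the new `default` and `ternary` expressions behind `QUARKUS_S3_ENDPOINT_OVERRIDE` and `QUARKUS_S3_AWS_REGION`, the `usePathStyleAccess` value and the configurable credentials type are only checked at their defaults. A case along the lines below would pin the external-provider path; the host and region in it are constructed sample values. As far as this page shows, storage_deployment_test.yaml has the same gap for the new `if (empty ...url)` guard, where a `hasDocuments` assertion with `count: 0` would do. The untouched `notExists` assertion just above the new cases uses `spec.template.spec.contains[...]`, which looks like a misspelling of `containers` and so cannot fail.

```yaml
  - it: should use an external S3 provider when a URL is supplied
    set:
      storage:
        provider:
          url: https://s3.example.com
          region: eu-west-1
    asserts:
      - equal:
          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_ENDPOINT_OVERRIDE')].value
          value: "https://s3.example.com"
      - equal:
          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_REGION')].value
          value: "eu-west-1"
```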
30 changes: 24 additions & 6 deletions charts/cryostat/tests/storage_deployment_test.yaml
@@ -69,16 +69,19 @@ tests:
value: "Always"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_BUCKETS')].value
value: "archivedrecordings,archivedreports,eventtemplates,probes"
value: "archivedrecordings,archivedreports,eventtemplates,metadata,probes"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_ACCESS_KEY')].value
value: "cryostat"
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_ACCESS_KEY')].valueFrom.secretKeyRef
value:
name: "RELEASE-NAME-storage-secret"
key: "STORAGE_ACCESS_KEY_ID"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef
value:
name: "RELEASE-NAME-storage-secret"
key: "STORAGE_ACCESS_KEY"
optional: false
name: "RELEASE-NAME-storage-secret"
key: "STORAGE_ACCESS_KEY"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value
value: "/data"
@@ -134,6 +137,21 @@ tests:
cpu: 50m
memory: 256Mi

- it: should precreate buckets based on supplied bucket names
set:
storage:
buckets:
names:
metadata: a
archivedRecordings: b
archivedReports: c
eventTemplates: d
jmcAgentProbeTemplates: e
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_BUCKETS')].value
value: "a,b,c,d,e"

- it: should allow disabling at-rest encryption
set:
storage:
2 changes: 2 additions & 0 deletions charts/cryostat/tests/storage_secret_test.yaml
@@ -18,6 +18,8 @@ tests:
value: Opaque
- exists:
path: data.STORAGE_ACCESS_KEY
- exists:
path: data.STORAGE_ACCESS_KEY_ID
- equal:
path: metadata.labels
value: