Merged
2 changes: 1 addition & 1 deletion charts/cryostat/README.md
Expand Up @@ -185,7 +185,7 @@ certificate issuance and rotation.
| `storage.image.tag` | Tag for the storage container image | `latest` |
| `storage.storageSecretName` | Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. If using an external S3 provider requiring authentication then this **must** be provided. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable) | `""` |
| `storage.provider.url` | URL to the S3 object storage provider instance. This can be an in-cluster self-hosted instance with a hostname like s3.storage.local, or it can be an external commercial service. This should include scheme, host, and port. User authenication information should be provided using a *Secret* and *storage.storageSecretName*. If this is not specified then a managed [cryostat-storage](https://github.com/cryostatio/cryostat-storage) instance will be automatically deployed and configured. If an unmanaged S3 instance is specified here then other storage configuration settings (such as at-rest encryption, Pod annotations, Service configurations) do not apply. Production installations of Cryostat should not rely on `cryostat-storage` | `""` |
| `storage.provider.useChecksumValidation` | whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default when storage.provider.url is configured, but if not configured and cryostat-storage is deployed then this will be taken as *false*. | `true` |
| `storage.provider.useChecksumValidation` | whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default. | `true` |
| `storage.provider.usePathStyleAccess` | whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers. | `true` |
| `storage.provider.usePresignedRecordingTransfers` | whether object storage presigned GET URLs should be used for transferring files between Cryostat components (ex. for automated analysis report generation). If this is disabled then Cryostat will act as a "network pipe" between other components and handle streaming file contents. This is *true* by default to reduce network utilization and request latency | `true` |
| `storage.provider.usePresignedDownloads` | whether object storage presigned GET URLs should be used for downloading files via the user's browser. If this is disabled then Cryostat will act as a "network pipe" between storage and the user's browser and handle streaming file contents. If the object storage URLs are not accessible from the user's network location then this must be disabled, otherwise enabling it will reduce network utilization and request latency. This is *false* by default | `false` |
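Review bot: The new `storage.provider.useChecksumValidation` row keeps the caveat "known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions" but now ends with only "This is *true* by default", so a reader who leaves `storage.provider.url` empty and gets the managed cryostat-storage instance has no guidance on whether the default is safe for them. Either drop the caveat if the incompatibility no longer applies, or add a sentence saying when managed-storage users should set the value to `false`.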
5 changes: 1 addition & 4 deletions charts/cryostat/templates/cryostat_deployment.yaml
Expand Up @@ -133,10 +133,7 @@ spec:
# Otherwise we are deploying a managed storage instance and can set a default value
value: {{ ternary .Values.storage.provider.region "us-east-1" (not (empty .Values.storage.provider.url)) }}
- name: QUARKUS_S3_CHECKSUM_VALIDATION
# if an external provider URL is supplied then use the configuration checksum validation value.
# Otherwise we are deploying a managed storage instance and should override this to false, since it is known to cause issues.
# See https://github.com/cryostatio/cryostat/issues/948
value: {{ ternary (quote .Values.storage.provider.useChecksumValidation) (quote "false") (not (empty .Values.storage.provider.url)) }}
value: "{{ .Values.storage.provider.useChecksumValidation }}"
- name: QUARKUS_S3_AWS_CREDENTIALS_TYPE
value: {{ .Values.storage.provider.authentication.credentialsType }}
- name: AWS_ACCESS_KEY_ID
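Review bot: Dropping the ternary on the `QUARKUS_S3_CHECKSUM_VALIDATION` value also drops the comment that pointed at https://github.com/cryostatio/cryostat/issues/948, so the template no longer records why the managed-storage override to "false" is unnecessary. Installs with no `storage.provider.url` and unchanged values will move from "false" to "true" on upgrade; a one-line comment or changelog entry stating that would make the change visible to operators. As a style point, the removed line used `quote`, and `{{ .Values.storage.provider.useChecksumValidation | quote }}` would keep that convention instead of wrapping the action in literal double quotes.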
13 changes: 1 addition & 12 deletions charts/cryostat/tests/cryostat_deployment_test.yaml
Expand Up @@ -129,7 +129,7 @@ tests:
value: "http://RELEASE-NAME-cryostat-storage:8333"
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_CHECKSUM_VALIDATION')].value
value: "false"
value: "true"
- notExists:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_SYNC_CLIENT_TLS_TRUST_MANAGERS_PROVIDER_TYPE')]
- equal:
Expand Down Expand Up @@ -254,17 +254,6 @@ tests:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_CHECKSUM_VALIDATION')].value
value: "false"

- it: should not allow configuration of managed object storage provider with checksum validation
set:
storage:
provider:
# no url configured, so a managed instance will be deployed
useChecksumValidation: true
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_CHECKSUM_VALIDATION')].value
value: "false"

- it: should allow configuration of presigned downloads separately from presigned transfers
set:
storage:
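Review bot: The test "should not allow configuration of managed object storage provider with checksum validation" is deleted rather than inverted, which may leave the managed-storage opt-out untested. With the override gone, the case worth pinning is no `url` plus `useChecksumValidation: false` rendering "false", since that is the setting a user hitting the SeaweedFS issue would rely on. The preceding test does assert "false", but its `set` block is outside this hunk, so please confirm it covers the no-url case or keep this test with the value and assertion flipped.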
2 changes: 1 addition & 1 deletion charts/cryostat/values.schema.json
Expand Up @@ -683,7 +683,7 @@
},
"useChecksumValidation": {
"type": "boolean",
"description": "whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default when storage.provider.url is configured, but if not configured and cryostat-storage is deployed then this will be taken as *false*.",
"description": "whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default.",
"default": true
},
"usePathStyleAccess": {
2 changes: 1 addition & 1 deletion charts/cryostat/values.yaml
Expand Up @@ -280,7 +280,7 @@ storage:
provider:
## @param storage.provider.url URL to the S3 object storage provider instance. This can be an in-cluster self-hosted instance with a hostname like s3.storage.local, or it can be an external commercial service. This should include scheme, host, and port. User authenication information should be provided using a *Secret* and *storage.storageSecretName*. If this is not specified then a managed [cryostat-storage](https://github.com/cryostatio/cryostat-storage) instance will be automatically deployed and configured. If an unmanaged S3 instance is specified here then other storage configuration settings (such as at-rest encryption, Pod annotations, Service configurations) do not apply. Production installations of Cryostat should not rely on `cryostat-storage`
url: ""
## @param storage.provider.useChecksumValidation whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default when storage.provider.url is configured, but if not configured and cryostat-storage is deployed then this will be taken as *false*.
## @param storage.provider.useChecksumValidation whether PUT object request checksum validations are used. These should normally be enabled, but are known to cause issues with SeaweedFS/cryostat-storage and later S3 SDK versions. This is *true* by default.
useChecksumValidation: true
## @param storage.provider.usePathStyleAccess whether path-style accesses are used for ex. object buckets. If path style access is not used then DNS subdomain resolution will be used. This is *true* by default for broader compatibility for low-footprint storage container installations, but subdomain resolution generally offers better performance if it is available and may be required for use with commercial storage providers.
usePathStyleAccess: true