From 7500c91b94ea12d7d091f332c684379694dfca01 Mon Sep 17 00:00:00 2001 
From: Elliott Baron Date: Thu, 19 Sep 2024 14:37:11 -0400 Subject: [PATCH] Add chart for Red Hat build of Cryostat 3.0.1 (#1599) --- .../redhat-cryostat/1.0.1/src/.helmignore | 23 + .../redhat-cryostat/1.0.1/src/Chart.yaml | 46 ++ .../redhat/redhat-cryostat/1.0.1/src/LICENSE | 202 +++++ .../redhat-cryostat/1.0.1/src/README.md | 146 ++++ .../1.0.1/src/release-notes.md | 1 + .../1.0.1/src/templates/NOTES.txt | 63 ++ .../1.0.1/src/templates/_helpers.tpl | 147 ++++ .../1.0.1/src/templates/_oauth2Proxy.tpl | 47 ++ .../src/templates/_openshiftOauthProxy.tpl | 55 ++ .../1.0.1/src/templates/alpha_config.yaml | 36 + .../src/templates/clusterrolebinding.yaml | 16 + .../1.0.1/src/templates/cookie_secret.yaml | 7 + .../1.0.1/src/templates/db_secret.yaml | 11 + .../1.0.1/src/templates/deployment.yaml | 283 +++++++ .../1.0.1/src/templates/ingress.yaml | 70 ++ .../1.0.1/src/templates/pvc.yaml | 27 + .../1.0.1/src/templates/role.yaml | 61 ++ .../1.0.1/src/templates/rolebinding.yaml | 31 + .../1.0.1/src/templates/route.yaml | 50 ++ .../1.0.1/src/templates/service.yaml | 25 + .../1.0.1/src/templates/serviceaccount.yaml | 17 + .../src/templates/storage_access_secret.yaml | 7 + .../templates/tests/test-core-connection.yaml | 26 + .../tests/test-grafana-connection.yaml | 17 + .../tests/test-storage-connection.yaml | 17 + .../1.0.1/src/tests/alpha_config_test.yaml | 31 + .../1.0.1/src/tests/cookie_secret_test.yaml | 20 + .../1.0.1/src/values.schema.json | 752 ++++++++++++++++++ .../redhat-cryostat/1.0.1/src/values.yaml | 296 +++++++ 29 files changed, 2530 insertions(+) create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/.helmignore create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/Chart.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/LICENSE create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/README.md create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/release-notes.md create mode 100644 
charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/NOTES.txt create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_helpers.tpl create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_oauth2Proxy.tpl create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_openshiftOauthProxy.tpl create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/alpha_config.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/clusterrolebinding.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/cookie_secret.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/db_secret.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/deployment.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/ingress.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/pvc.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/role.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/rolebinding.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/route.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/service.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/serviceaccount.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/storage_access_secret.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-core-connection.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-grafana-connection.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-storage-connection.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/alpha_config_test.yaml create mode 100644 
charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/cookie_secret_test.yaml create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.schema.json create mode 100644 charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.yaml
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/.helmignore b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/Chart.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/Chart.yaml
new file mode 100644
index 0000000000..cc4e9c3ba5
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/Chart.yaml
@@ -0,0 +1,46 @@
+apiVersion: v2
+name: redhat-cryostat
+description: Securely manage JFR recordings for your containerized Java workloads
+
+type: application
+
+version: "1.0.1"
+
+kubeVersion: ">= 1.25.0-0"
+
+appVersion: "3.0.1.redhat"
+
+home: "https://cryostat.io"
+
+icon: "https://raw.githubusercontent.com/cryostatio/cryostat-helm/main/docs/images/cryostat-icon.svg"
+
+annotations:
+ charts.openshift.io/archs: x86_64, aarch64
+ charts.openshift.io/name: Red Hat build of Cryostat
+ charts.openshift.io/provider: Red Hat
+ charts.openshift.io/supportURL: https://github.com/cryostatio/cryostat-helm
+
+keywords:
+- flightrecorder
+- java
+- jdk
+- jfr
+- jmc
+- missioncontrol
+- monitoring
+- profiling
+- diagnostic
+
+sources:
+- https://github.com/cryostatio/cryostat3
+- https://github.com/cryostatio/cryostat-core
+- https://github.com/cryostatio/cryostat-web
+- https://github.com/cryostatio/jfr-datasource
+- https://github.com/cryostatio/cryostat-grafana-dashboard
+- https://github.com/cryostatio/cryostat-db
+- https://github.com/cryostatio/cryostat-storage
+- https://github.com/cryostatio/openshift-oauth-proxy
+
+maintainers:
+- name: The Cryostat Community
+ url: https://groups.google.com/g/cryostat-development
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/LICENSE b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/LICENSE
new file mode 100644
index 0000000000..57bc88a15a
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/LICENSE
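Review bot: The `icon` value points at the `main` branch of cryostatio/cryostat-helm, so the artwork served for this packaged 1.0.1 chart follows whatever that branch holds at fetch time rather than the release being shipped; pinning it to a tag or commit, e.g. `icon: "https://raw.githubusercontent.com/cryostatio/cryostat-helm/<TAG-OR-COMMIT>/docs/images/cryostat-icon.svg"` (placeholder), keeps the chart metadata reproducible. The same file names "The Cryostat Community" mailing list as the only maintainer contact and the community GitHub repository as `charts.openshift.io/supportURL` while `charts.openshift.io/provider` is Red Hat; if a Red Hat support channel is the intended contact for this build, that may be worth confirming before publishing. The indentation under `annotations:` and `maintainers:` appears collapsed in this view and should be checked to be two spaces in the committed file.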
@@ -0,0 +1,202 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/README.md b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/README.md
new file mode 100644
index 0000000000..d26f2a1ad8
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/README.md
@@ -0,0 +1,146 @@ +# Cryostat Helm Chart +A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and OpenShift + +## Parameters + +### Cryostat Container + +| Name | Description | Value | +| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | +| `core` | Configuration for the core Cryostat application | | +| `core.image.repository` | Repository for the main Cryostat container image | `registry.redhat.io/cryostat-tech-preview/cryostat-rhel8` | +| `core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `IfNotPresent` | +| `core.image.tag` | Tag for the main Cryostat container image | `3.0.1` | +| `core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` | +| `core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` | +| `core.sslProxied` | Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | `false` | +| `core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` | +| `core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` | +| `core.ingress.annotations` | Annotations to apply to the Cryostat application Ingress | `{}` | +| `core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. 
See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) | `[]` | +| `core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `true` | +| `core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls) | `true` | +| `core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` | +| `core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. One of: `Allow`, `Disable`, `Redirect` | `Redirect` | +| `core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` | +| `core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` | +| `core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` | +| `core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | `""` | +| `core.resources` | Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `core.securityContext` | Security Context for the Cryostat container. 
Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| `core.databaseSecretName` | Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | +| `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` | +| `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` | +| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile | `[]` | +| `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. | `false` | +| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. 
| `false` | +| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | + +### Database Container + +| Name | Description | Value | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | +| `db` | Configuration for Cryostat's database | | +| `db.image.repository` | Repository for the database container image | `registry.redhat.io/cryostat-tech-preview/cryostat-db-rhel8` | +| `db.image.pullPolicy` | Image pull policy for the database container image | `IfNotPresent` | +| `db.image.tag` | Tag for the database container image | `3.0.1` | +| `db.resources` | Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + +### Storage Container + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | +| `storage` | Configuration for Cryostat's object storage provider | | +| `storage.image.repository` | Repository for the storage container image | `registry.redhat.io/cryostat-tech-preview/cryostat-storage-rhel8` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `IfNotPresent` | +| `storage.image.tag` | Tag for the storage container image | `3.0.1` | +| `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + +### Grafana Container + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | +| `grafana` | Configuration for the customized Grafana instance for Cryostat | | +| `grafana.image.repository` | Repository for the Grafana container image | `registry.redhat.io/cryostat-tech-preview/cryostat-grafana-dashboard-rhel8` | +| `grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `IfNotPresent` | +| `grafana.image.tag` | Tag for the Grafana container image | `3.0.1` | +| `grafana.service.type` | Type of Service to create for Grafana | `ClusterIP` | +| `grafana.service.port` | Port number to expose on the Service for Grafana's HTTP server | `3000` | +| `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + +### JFR Data Source Container + +| Name | Description | Value | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | +| `datasource` | Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | | +| `datasource.image.repository` | Repository for the JFR Data Source container image | `registry.redhat.io/cryostat-tech-preview/jfr-datasource-rhel8` | +| `datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `IfNotPresent` | +| `datasource.image.tag` | Tag for the JFR Data Source container image | `3.0.1` | +| `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | +| `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + +### Authentication + +| Name | Description | Value | +| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `true` | +| `authentication.openshift.clusterRole.name` | The name of the ClusterRole to bind for the OpenShift OAuth Proxy | `system:auth-delegator` | +| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | +| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | +| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. 
`htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | + +### OAuth2 Proxy + +| Name | Description | Value | +| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `""` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Never` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `""` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. 
See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | + +### OpenShift OAuth Proxy + +| Name | Description | Value | +| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `registry.redhat.io/cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `IfNotPresent` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `3.0.1` | +| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | +| `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. 
| `pods` | +| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | +| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` | +| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + +### Other Parameters + +| Name | Description | Value | +| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` | +| `nameOverride` | Overrides the name of this Chart | `""` | +| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` | +| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` | +| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` | +| `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | +| `tolerations` | Tolerations for the Cryostat Pod. 
See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | +| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | +| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` | +| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` | +| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` | +| `pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` | +| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` | +| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` | + diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/release-notes.md b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/release-notes.md new file mode 100644 index 0000000000..99ccb509ef --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/release-notes.md @@ -0,0 +1 @@ + diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/NOTES.txt b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/NOTES.txt new file mode 100644 index 0000000000..47e22985e3 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/NOTES.txt 
@@ -0,0 +1,63 @@ +{{- $envVars := list }} +{{- $portForwards := list }} +{{- $listNum := 1 }} +{{- if not .Values.core.ingress.enabled }} +{{ $listNum }}. Tell Cryostat how to serve external traffic: +{{- $listNum = add1 $listNum }} + ``` +{{- if .Values.core.route.enabled }} +{{- /* Do nothing */}} + No actions required with this configuration. +{{- else if .Values.core.ingress.enabled }} +{{- /* Do nothing */}} + No actions required with this configuration. +{{- else if contains "NodePort" .Values.core.service.type }} + export NODE_IP=$(oc get nodes -n {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(oc get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryostat.fullname" . }}) +{{- $envVars = list "QUARKUS_HTTP_HOST=$NODE_IP" }} +{{- else if contains "LoadBalancer" .Values.core.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status by running 'oc get -n {{ .Release.Namespace }} -w svc/{{ include "cryostat.fullname" . }}' + export SERVICE_IP=$(oc get svc -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") +{{- $envVars = list "QUARKUS_HTTP_HOST=$SERVICE_IP" }} +{{- else if contains "ClusterIP" .Values.core.service.type }} + export POD_NAME=$(oc get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + export CONTAINER_PORT=$(oc get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") +{{- $portForwards = prepend $portForwards "8080:$CONTAINER_PORT" }} +{{- end }} + +{{- if not (empty $envVars) }} + oc -n {{ .Release.Namespace }} set env deploy --containers={{ .Chart.Name }} {{ include "cryostat.fullname" . }} {{ join " " $envVars }} +{{- end }} + ``` +{{- end }} + +{{- if not (empty $portForwards) }} + +{{ $listNum }}. Forward local ports to the application's pod: + ``` + export POD_NAME=$(oc get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + oc -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.fullname" . }} + oc -n {{ .Release.Namespace }} port-forward $POD_NAME {{ join " " $portForwards }} + ``` + {{- $listNum = add1 $listNum }} +{{- end }} + +{{ $listNum }}. {{ "Visit the " }}{{ .Chart.Name | camelcase }}{{ " application at: " }} + ``` +{{- if .Values.core.route.enabled }} + echo {{ ternary "https" "http" .Values.core.route.tls.enabled }}://$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . 
}} -o jsonpath="{.status.ingress[0].host}") +{{- else if .Values.core.ingress.enabled }} +{{- range $host := .Values.core.ingress.hosts -}} + {{- range .paths }} + {{ ternary "http" "https" (empty $.Values.core.ingress.tls) }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.core.service.type }} + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.core.service.type }} + echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} +{{- else if contains "ClusterIP" .Values.core.service.type }} + http://localhost:8080 +{{- end }} + ``` diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_helpers.tpl b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_helpers.tpl new file mode 100644 index 0000000000..e760fa27a2 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_helpers.tpl 
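Review bot: The `{{- else if .Values.core.ingress.enabled }}` branch in the first step is unreachable, because that whole step is wrapped in `{{- if not .Values.core.ingress.enabled }}`; either drop that branch and its "No actions required" line, or widen the outer guard if the ingress case was meant to be listed here. The NodePort branch reads `{.items[0].status.addresses[0].address}` and `{.spec.ports[0].nodePort}`, which quietly assume the first node address and the first service port are the HTTP endpoint; a comment such as `{{- /* assumes the first node address and the first service port are the HTTP endpoint */}}` would make that explicit. The ClusterIP branch also exports `POD_NAME` once for the env step and again for the port-forward step with the same `oc get pods` invocation, which could be stated once.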
@@ -0,0 +1,147 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cryostat.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cryostat.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cryostat.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels. +*/}} +{{- define "cryostat.labels" -}} +helm.sh/chart: {{ include "cryostat.chart" . }} +{{ include "cryostat.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels. +*/}} +{{- define "cryostat.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cryostat.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use. +*/}} +{{- define "cryostat.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "cryostat.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Get or generate a default connection key for database. 
+*/}} +{{- define "cryostat.databaseConnectionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current key. Do not regenerate. +*/}} +{{- $secret.data.CONNECTION_KEY -}} +{{- else -}} +{{/* + Generate new key. +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default encryption key for database. +*/}} +{{- define "cryostat.databaseEncryptionKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current key. Do not regenerate. +*/}} +{{- $secret.data.ENCRYPTION_KEY -}} +{{- else -}} +{{/* + Generate new key +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default secret key for object storage. +*/}} +{{- define "cryostat.objectStorageSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate. +*/}} +{{- $secret.data.SECRET_KEY -}} +{{- else -}} +{{/* + Generate new secret +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Get or generate a default secret key for auth proxy cookies. +*/}} +{{- define "cryostat.cookieSecret" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate. +*/}} +{{- $secret.data.COOKIE_SECRET -}} +{{- else -}} +{{/* + Generate new secret +*/}} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} + +{{/* + Get sanitized list or defaults (if not disabled) as comma-separated list. +*/}} +{{- define "cryostat.commaSepList" -}} +{{- $l := index . 0 -}} +{{- $default := index . 1 -}} +{{- $disableDefaults := index . 
2 -}} +{{- if and (not $l) (not $disableDefaults) -}} +{{- $l = list $default -}} +{{- end -}} +{{- join "," (default list $l | compact | uniq) | quote -}} +{{- end -}} diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_oauth2Proxy.tpl b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_oauth2Proxy.tpl new file mode 100644 index 0000000000..3e6861253e --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_oauth2Proxy.tpl 
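Review bot: The four `lookup`-based helpers (`cryostat.databaseConnectionKey`, `cryostat.databaseEncryptionKey`, `cryostat.objectStorageSecretKey`, `cryostat.cookieSecret`) fall through to the `randAlphaNum` branch whenever `lookup` returns nothing, and `lookup` also returns nothing under `helm template` and `--dry-run`, so a manifest rendered that way and applied by hand replaces the stored key instead of preserving it. That is worth a line in each helper header, e.g. `Note: lookup returns empty under helm template / --dry-run, so a fresh key is rendered in that case.` The four bodies differ only in the secret-name suffix and the data key; one helper taking those two values as a list argument, in the style of `cryostat.commaSepList`, would remove the duplication. As a point of style, the existing-secret branch emits `$secret.data.X` bare while the generated branch is piped through `quote`; both render as valid scalars, but the asymmetry is easy to trip over when the helpers are edited.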
@@ -0,0 +1,47 @@ +{{/* +Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml +*/}} +{{- define "cryostat.oauth2Proxy" -}} +- name: {{ printf "%s-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + args: + - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-cookie-secret + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + {{- if .Values.authentication.basicAuth.enabled }} + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} + {{- end }} + {{- if not .Values.authentication.basicAuth.enabled }} + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: ".*" + {{- else }} + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health(/liveness)?$" + {{- end }} + ports: + - containerPort: 4180 + protocol: TCP + volumeMounts: + - name: alpha-config + mountPath: /etc/oauth2_proxy/alpha_config + {{- if .Values.authentication.basicAuth.enabled }} + - name: {{ .Release.Name }}-htpasswd + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true + {{- end }} +{{- end}} diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_openshiftOauthProxy.tpl b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_openshiftOauthProxy.tpl new file mode 100644 index 0000000000..6af23010b5 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/_openshiftOauthProxy.tpl 
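Review bot: The env list tests `.Values.authentication.basicAuth.enabled` three times in a row (an `if`, then an `if not`/`else`), which reads as two unrelated switches although they are one decision; folding them into a single `if`/`else` keeps the htpasswd settings and the matching `OAUTH2_PROXY_SKIP_AUTH_ROUTES` value together. The `".*"` value in the disabled case makes the proxy forward every route without authentication, which the README states but the template does not; a template comment at that branch records the intent where the next maintainer will look. The hardcoded `OAUTH2_PROXY_REDIRECT_URL` of `http://localhost:4180/oauth2/callback` presumably only satisfies the dummy provider in alpha_config.yaml; if so, a short comment saying that would prevent someone "fixing" it to an external URL.

```yaml
  env:
    # … unchanged: OAUTH2_PROXY_REDIRECT_URL, OAUTH2_PROXY_COOKIE_SECRET, OAUTH2_PROXY_EMAIL_DOMAINS …
    {{- if .Values.authentication.basicAuth.enabled }}
    - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
      value: write
    - name: OAUTH2_PROXY_HTPASSWD_FILE
      value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
    - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
      value: "^/health(/liveness)?$"
    {{- else }}
    {{- /* basicAuth disabled: every route bypasses the proxy's authentication */}}
    - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
      value: ".*"
    {{- end }}
  # … unchanged: ports, volumeMounts …
```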
@@ -0,0 +1,55 @@ +{{/* +Create OpenShift OAuth Proxy container. +*/}} +{{- define "cryostat.openshiftOauthProxy" -}} +- name: {{ printf "%s-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }} + image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}" + env: + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-cookie-secret + key: COOKIE_SECRET + optional: false + args: + - --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }} + - --pass-access-token=false + - --pass-user-bearer-token=false + - --pass-basic-auth=false + - --upstream=http://localhost:8181/ + - --upstream=http://localhost:3000/grafana/ + - --upstream=http://localhost:8333/storage/ + - --cookie-secret="$(COOKIE_SECRET)" + - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} + - --proxy-websockets=true + - --http-address=0.0.0.0:4180 + - --https-address=:8443 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --proxy-prefix=/oauth2 + {{- if .Values.openshiftOauthProxy.accessReview.enabled }} + - --openshift-sar=[{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}] + - --openshift-delegate-urls={"/":{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . 
}}} + {{- end }} + - --bypass-auth-for=^/health(/liveness)?$ + {{- if .Values.authentication.basicAuth.enabled }} + - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} + {{- end }} + imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }} + ports: + - containerPort: 4180 + protocol: TCP + volumeMounts: + {{- if .Values.authentication.basicAuth.enabled }} + - name: {{ .Release.Name }}-htpasswd + mountPath: /etc/openshift_oauth_proxy/basicauth + readOnly: true + {{- end }} + - name: {{ .Release.Name }}-proxy-tls + mountPath: /etc/tls/private + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File +{{- end}} diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/alpha_config.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/alpha_config.yaml new file mode 100644 index 0000000000..94f1fa0789 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/alpha_config.yaml @@ -0,0 +1,36 @@ +{{/* + Alpha Configuration is not used with OpenShift OAuth Proxy +*/}} +{{- if not (.Values.authentication.openshift).enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-alpha-config + labels: + {{- include "cryostat.labels" . | nindent 4 }} +data: + alpha_config.yaml: |- + server: + BindAddress: http://0.0.0.0:4180 + upstreamConfig: + proxyRawPath: true + upstreams: + - id: cryostat + path: / + uri: http://localhost:8181 + - id: grafana + path: /grafana/ + uri: http://localhost:3000 + - id: storage + path: ^/storage/(.*)$ + rewriteTarget: /$1 + uri: http://localhost:8333 + passHostHeader: false + proxyWebSockets: false + providers: + - id: dummy + name: Unused - Sign In Below + clientId: CLIENT_ID + clientSecret: CLIENT_SECRET + provider: google +{{- end }} 
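Review bot: The argument `- --cookie-secret="$(COOKIE_SECRET)"` is not shell-processed by Kubernetes, so `$(COOKIE_SECRET)` is expanded but the surrounding double quotes are handed to the proxy as literal characters and become part of the secret it signs cookies with; unless the proxy is known to strip them, the line should be `- --cookie-secret=$(COOKIE_SECRET)` so the value matches what is stored in the `-cookie-secret` Secret. Near the end of the container, `resources: {}` is hardcoded while every other container in deployment.yaml reads `.Values.<component>.resources`, and the README table in this patch lists no `openshiftOauthProxy.resources` value; exposing one would keep the proxy consistent with its siblings. A comment on the `--openshift-sar`/`--openshift-delegate-urls` pair noting that both are rendered from the same `accessReview` map minus `enabled` would also help, since the `tpl` + `toJson` construction is not obvious at a glance.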
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/clusterrolebinding.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..4721c7c3b4 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and (.Values.rbac.create) (.Values.authentication.openshift.enabled) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cryostat.fullname" . }} + labels: + {{- include "cryostat.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.authentication.openshift.clusterRole.name }} +subjects: +- kind: ServiceAccount + name: {{ include "cryostat.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/cookie_secret.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/cookie_secret.yaml new file mode 100644 index 0000000000..fe2ade8654 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/cookie_secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cookie-secret +type: Opaque +data: + COOKIE_SECRET: {{ include "cryostat.cookieSecret" . }} diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/db_secret.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/db_secret.yaml new file mode 100644 index 0000000000..26df5339f3 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/db_secret.yaml @@ -0,0 +1,11 @@ +{{- if empty .Values.core.databaseSecretName -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-db +type: Opaque +immutable: true +data: + ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }} + CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }} +{{- end -}} 
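Review bot: The ClusterRoleBinding is cluster-scoped but is named only `{{ include "cryostat.fullname" . }}`, so installing the chart under the same release name in two namespaces produces a name collision on the second install; suffixing the namespace, `name: {{ include "cryostat.fullname" . }}-{{ .Release.Namespace }}`, keeps each release's binding distinct. The bound role defaults to `system:auth-delegator`, which is what lets the proxy submit TokenReview and SubjectAccessReview requests on behalf of callers; a one-line template comment above `roleRef` stating that would explain why a cluster-level binding is required at all.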
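Review bot: cookie_secret.yaml emits no `labels:` block, unlike clusterrolebinding.yaml and the other templates in this patch that include `cryostat.labels`; adding `labels:` followed by `{{- include "cryostat.labels" . | nindent 4 }}` under `metadata` keeps the Secret selectable and attributable with the rest of the release. The same omission applies to db_secret.yaml in this same line. Since the value comes from the `lookup`-based `cryostat.cookieSecret` helper, a short comment such as `{{- /* value is preserved across upgrades by the lookup in cryostat.cookieSecret */}}` would tell readers why the Secret is safe to re-render.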
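Review bot: When `core.databaseSecretName` is set, this Secret is skipped, but deployment.yaml still reads both `CONNECTION_KEY` and `ENCRYPTION_KEY` from whatever Secret that name points to, and nothing in the template says so; a leading comment such as `{{- /* A user-supplied core.databaseSecretName must carry CONNECTION_KEY and ENCRYPTION_KEY; see deployment.yaml */}}` records that contract next to the guard. The `immutable: true` field is a good safeguard here because it makes an accidental re-render with fresh keys (for example from `helm template` output, where `lookup` is empty) fail on apply rather than silently rotate the database keys; that reasoning is worth a one-line comment above the field.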
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/deployment.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/deployment.yaml new file mode 100644 index 0000000000..07f1fecc93 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/deployment.yaml 
@@ -0,0 +1,283 @@ +{{- $fullName := include "cryostat.fullname" . -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cryostat.fullname" . }} + labels: + {{- include "cryostat.labels" . | nindent 4 }} +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + {{- include "cryostat.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cryostat.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "cryostat.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + {{- if (.Values.authentication.openshift).enabled }} + {{- include "cryostat.openshiftOauthProxy" . | nindent 8 }} + {{- else }} + {{- include "cryostat.oauth2Proxy" . | nindent 8 }} + {{- end }} + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.core.securityContext | nindent 12 }} + image: "{{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}" + imagePullPolicy: {{ .Values.core.image.pullPolicy }} + env: + - name: QUARKUS_HTTP_HOST + value: localhost + - name: QUARKUS_HTTP_PORT + value: "8181" + - name: QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING + value: 'true' + - name: QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED + value: 'true' + - name: QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST + value: 'true' + - name: QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX + value: 'true' + - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION + value: drop-and-create + - name: QUARKUS_DATASOURCE_USERNAME + value: cryostat3 + - name: QUARKUS_DATASOURCE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} + key: CONNECTION_KEY + optional: false + - name: QUARKUS_DATASOURCE_JDBC_URL + value: 
jdbc:postgresql://localhost:5432/cryostat3 + - name: STORAGE_BUCKETS_ARCHIVES_NAME + value: archivedrecordings + - name: QUARKUS_S3_ENDPOINT_OVERRIDE + value: http://localhost:8333 + - name: QUARKUS_S3_PATH_STYLE_ACCESS + value: "true" + - name: QUARKUS_S3_AWS_REGION + value: us-east-1 + - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE + value: static + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID + value: cryostat + - name: AWS_ACCESS_KEY_ID + value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID) + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ printf "%s-storage" .Release.Name }} + key: SECRET_KEY + optional: false + - name: AWS_SECRET_ACCESS_KEY + value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY) + - name: GRAFANA_DATASOURCE_URL + value: http://localhost:8800 + - name: GRAFANA_DASHBOARD_URL + value: http://localhost:3000 + - name: GRAFANA_DASHBOARD_EXT_URL + value: /grafana/ + {{- if .Values.core.discovery.kubernetes.enabled }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED + value: "true" + {{- with .Values.core.discovery.kubernetes }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES + value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES + value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS + value: {{ include "cryostat.commaSepList" (list .portNumbers 9091 .builtInPortNumbersDisabled) }} + {{- end }} + {{- end }} + ports: + - containerPort: 8181 + protocol: TCP + livenessProbe: + httpGet: + path: "/health/liveness" + port: 8181 + startupProbe: + httpGet: + path: "/health/liveness" + port: 8181 + failureThreshold: 18 + resources: + {{- toYaml .Values.core.resources | nindent 12 }} + - name: {{ printf "%s-%s" .Chart.Name "db" }} + securityContext: + 
{{- toYaml (.Values.db).securityContext | nindent 12 }} + image: "{{ (.Values.db).image.repository }}:{{ (.Values.db).image.tag }}" + imagePullPolicy: {{ (.Values.db).image.pullPolicy }} + env: + - name: POSTGRESQL_USER + value: cryostat3 + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} + key: CONNECTION_KEY + optional: false + - name: POSTGRESQL_DATABASE + value: cryostat3 + - name: PG_ENCRYPT_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }} + key: ENCRYPTION_KEY + optional: false + ports: + - containerPort: 5432 + protocol: TCP + volumeMounts: + - mountPath: /var/lib/pgsql/data + name: {{ .Chart.Name }} + subPath: postgres + readinessProbe: + exec: + command: + - pg_isready + - -U + - cryostat3 + - -d + - cryostat3 + - name: {{ printf "%s-%s" .Chart.Name "storage" }} + securityContext: + {{- toYaml (.Values.storage).securityContext | nindent 12 }} + image: "{{ (.Values.storage).image.repository }}:{{ (.Values.storage).image.tag }}" + imagePullPolicy: {{ (.Values.storage).image.pullPolicy }} + env: + - name: CRYOSTAT_BUCKETS + value: archivedrecordings,archivedreports,eventtemplates,probes + - name: CRYOSTAT_ACCESS_KEY + value: cryostat + - name: CRYOSTAT_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ printf "%s-storage" .Release.Name }} + key: SECRET_KEY + optional: false + - name: DATA_DIR + value: /data + - name: IP_BIND + value: 0.0.0.0 + ports: + - containerPort: 8333 + protocol: TCP + volumeMounts: + - mountPath: /data + name: {{ .Chart.Name }} + subPath: seaweed + livenessProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 2 + startupProbe: + httpGet: + path: "/status" + port: 8333 + periodSeconds: 10 + failureThreshold: 9 + resources: + {{- toYaml (.Values.storage).resources | nindent 12 }} + - name: {{ printf "%s-%s" .Chart.Name "grafana" }} + 
securityContext: + {{- toYaml .Values.grafana.securityContext | nindent 12 }} + image: "{{ .Values.grafana.image.repository }}:{{ .Values.grafana.image.tag }}" + imagePullPolicy: {{ .Values.grafana.image.pullPolicy }} + env: + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_SERVER_DOMAIN + value: localhost + - name: GF_SERVER_ROOT_URL + value: http://localhost:4180/grafana/ + - name: GF_SERVER_SERVE_FROM_SUB_PATH + value: "true" + - name: JFR_DATASOURCE_URL + value: http://localhost:8800 + ports: + - containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + {{- toYaml .Values.grafana.resources | nindent 12 }} + - name: {{ printf "%s-%s" .Chart.Name "jfr-datasource" }} + securityContext: + {{- toYaml .Values.datasource.securityContext | nindent 12 }} + image: "{{ .Values.datasource.image.repository }}:{{ .Values.datasource.image.tag }}" + imagePullPolicy: {{ .Values.datasource.image.pullPolicy }} + env: + - name: LISTEN_HOST + value: localhost + - name: QUARKUS_HTTP_PORT + value: "8800" + ports: + - containerPort: 8800 + protocol: TCP + livenessProbe: + exec: + command: + - curl + - --fail + - http://localhost:8800 + resources: + {{- toYaml .Values.datasource.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . 
| nindent 8 }} + {{- end }} + volumes: + {{- if ((.Values.pvc).enabled) }} + - name: {{ .Chart.Name }} + persistentVolumeClaim: + claimName: {{ .Release.Name }} + {{- end }} + {{- if not ((.Values.pvc).enabled) }} + - name: {{ .Chart.Name }} + emptyDir: {} + {{- end }} + {{- if not (.Values.authentication.openshift).enabled }} + - name: alpha-config + configMap: + name: {{ .Release.Name }}-alpha-config + {{- end }} + {{- if .Values.authentication.basicAuth.enabled }} + - name: {{ .Release.Name }}-htpasswd + secret: + defaultMode: 0440 + secretName: {{ .Values.authentication.basicAuth.secretName }} + {{- end }} + {{- if (.Values.authentication.openshift).enabled }} + - name: {{ .Release.Name }}-proxy-tls + secret: + secretName: {{ .Release.Name }}-proxy-tls + {{- end }} diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/ingress.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/ingress.yaml new file mode 100644 index 0000000000..4a051f66c3 --- /dev/null +++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/ingress.yaml 
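Review bot: The PVC volume references `claimName: {{ .Release.Name }}`, but pvc.yaml (at the end of this same patch) names the claim `{{ include "cryostat.fullname" . }}`; per `cryostat.fullname` in _helpers.tpl those agree only when the release name already contains the chart name, so any other release name leaves the Pod Pending on a missing claim. The fix is `claimName: {{ include "cryostat.fullname" . }}`, or simply `claimName: {{ $fullName }}`, since `$fullName` is assigned on the first line of this template and otherwise unused. Separately, `QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION` is `drop-and-create`, which recreates the schema on every core container start, so with `pvc.enabled` the postgres volume persists but its tables do not; if that is intended, a comment on that env entry would save the next reader the same investigation. The db container is also the only one without a `resources:` block; I cannot see whether values.yaml defines `db.resources`, but if it does the block is missing here.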
@@ -0,0 +1,70 @@
+{{- define "cryostat.createIngress" }}
+{{- $svcName := index . 0 }}
+{{- $svcPort := index . 1 }}
+{{- $ := index . 2 }}
+{{- with index . 3 }}
+{{- if and .ingress.className (not (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .ingress.annotations "kubernetes.io/ingress.class" .ingress.className}}
+ {{- end }}
+{{- end }}
+---
+{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" $.Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $svcName }}
+ {{- $labels := include "cryostat.labels" $ | nindent 4 }}
+ labels: {{ $labels }}
+ {{- with .ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .ingress.className (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .ingress.className }}
+ {{- end }}
+ {{- if .ingress.tls }}
+ tls:
+ {{- range .ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $svcName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $svcName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- $fullName := include "cryostat.fullname" . -}}
+{{- if .Values.core.ingress.enabled }}
+{{- include "cryostat.createIngress" (list $fullName .Values.core.service.httpPort $ .Values.core)}}
+{{- end }}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/pvc.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/pvc.yaml
new file mode 100644
index 0000000000..9e45362314
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/pvc.yaml
@@ -0,0 +1,27 @@
+{{- if ((.Values.pvc).enabled) }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "cryostat.fullname" . }}
+ {{- $labels := include "cryostat.labels" $ | nindent 4 }}
+ labels: {{ $labels }}
+ {{- with .Values.pvc.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.pvc.accessModes }}
+ accessModes:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.pvc.storage }}
+ {{- if kindIs "string" .Values.pvc.storageClassName }}
+ storageClassName: {{ .Values.pvc.storageClassName | quote }}
+ {{- end }}
+ {{- with .Values.pvc.selector }}
+ selector:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/role.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/role.yaml
new file mode 100644
index 0000000000..98f96c6099
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/role.yaml
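Review bot: `- path: {{ .path }}` and `pathType: {{ .pathType }}` are rendered unquoted while `.host` two lines above is piped through `quote`; a path written with regex characters such as `*` or a trailing `#` fragment would be mis-parsed by YAML, so `- path: {{ .path | quote }}` keeps the two consistent. The `$_ := set .ingress.annotations "kubernetes.io/ingress.class" .ingress.className` at the top of the helper also mutates the caller's values map in place, so any later template that reads `.Values.core.ingress.annotations` sees the injected key; copying the map first (`deepCopy`) or emitting that annotation directly inside the `annotations:` block avoids the side effect. The missing space before `}}` on that `set` line is a style nit.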
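Review bot: The claim is named `{{ include "cryostat.fullname" . }}` here, but the deployment hunk earlier on this page mounts it with `claimName: {{ .Release.Name }}`; unless the fullname helper (not visible here) collapses to the bare release name, setting `pvc.enabled: true` produces a Pod that references a PersistentVolumeClaim that was never created and stays Pending. Use one expression on both sides, e.g. `claimName: {{ include "cryostat.fullname" . }}` in deployment.yaml or `name: {{ .Release.Name }}` here, and add a unit test under `tests/` that renders both templates and compares the two names so the pair cannot drift again.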
@@ -0,0 +1,61 @@
+{{- define "cryostat.createRole" -}}
+{{- $ns := index . 0 -}}
+{{- with index . 1 -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "cryostat.fullname" . }}
+ namespace: {{ $ns }}
+ labels:
+ {{- include "cryostat.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - replicationcontrollers
+ verbs:
+ - get
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ - deployments
+ - daemonsets
+ - statefulsets
+ verbs:
+ - get
+- apiGroups:
+ - apps.openshift.io
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+{{- end -}}
+{{- end -}}
+
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
+{{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}}
+{{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}}
+{{- $watchNs = list .Release.Namespace -}}
+{{- end -}}
+{{- range $ns := $watchNs }}
+{{ include "cryostat.createRole" (list $ns $) }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/rolebinding.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/rolebinding.yaml
new file mode 100644
index 0000000000..b240496674
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/rolebinding.yaml
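Review bot: The namespace-resolution block (`$watchNs := compact (default list ...) | uniq` through the `installNamespaceDisabled` fallback) is duplicated verbatim in rolebinding.yaml on the next hunk; if one copy is edited without the other, the set of Roles and the set of RoleBindings silently diverge and a namespace ends up with a binding to a Role that was never rendered, or a Role nobody is bound to. Moving the computation into a named template in `_helpers.tpl` (Helm named templates return strings, so render the list with `toJson` and have both callers read it back with `fromJsonArray`) keeps the RBAC pair in lockstep. A one-line comment above `rules:` noting that the per-namespace Role is deliberately read-only (`get`/`list`/`watch` only) would also help reviewers of later changes notice when a verb is being widened.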
@@ -0,0 +1,31 @@
+{{- define "cryostat.createRolebinding" -}}
+{{- $ns := index . 0 -}}
+{{- with index . 1 -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "cryostat.fullname" . }}
+ namespace: {{ $ns }}
+ labels:
+ {{- include "cryostat.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "cryostat.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cryostat.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
+
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
+{{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}}
+{{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}}
+{{- $watchNs = list .Release.Namespace -}}
+{{- end -}}
+{{- range $ns := $watchNs }}
+{{ include "cryostat.createRolebinding" (list $ns $) }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/route.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/route.yaml
new file mode 100644
index 0000000000..608269c11d
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/route.yaml
@@ -0,0 +1,50 @@
+{{- define "cryostat.createRoute" }}
+{{- $svcName := index . 0 }}
+{{- $targetPort := index . 1 }}
+{{- $ := index . 2 }}
+{{- with index . 3 }}
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ $svcName }}
+ {{- $labels := include "cryostat.labels" $ | nindent 4 }}
+ labels: {{ $labels }}
+ {{- with .route.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ to:
+ kind: Service
+ name: {{ $svcName }}
+ port:
+ targetPort: {{ $targetPort }}
+{{- if .route.tls.enabled }}
+ tls:
+ termination: {{ .route.tls.termination }}
+ insecureEdgeTerminationPolicy: {{ .route.tls.insecureEdgeTerminationPolicy }}
+ {{- if .route.tls.key }}
+ key: |-
+ {{- .route.tls.key | nindent 6 }}
+ {{- end }}
+ {{- if .route.tls.destinationCACertificate }}
+ destinationCACertificate: |-
+ {{- .route.tls.destinationCACertificate | nindent 6 }}
+ {{- end }}
+ {{- if .route.tls.caCertificate }}
+ caCertificate: |-
+ {{- .route.tls.caCertificate | nindent 6 }}
+ {{- end }}
+ {{- if .route.tls.certificate }}
+ certificate: |-
+ {{- .route.tls.certificate | nindent 6 }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- $fullName := include "cryostat.fullname" . -}}
+{{- if .Values.core.route.enabled }}
+{{- include "cryostat.createRoute" (list $fullName 4180 $ .Values.core)}}
+{{- end }}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/service.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/service.yaml
new file mode 100644
index 0000000000..bfadcf62fb
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/service.yaml
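Review bot: `targetPort` is passed as the literal number in `(list $fullName 4180 $ .Values.core)` while service.yaml on the next hunk names that same port `cryostat-http`; a Route's `spec.port.targetPort` accepts the Service port name, so `(list $fullName "cryostat-http" $ .Values.core)` binds the Route to the Service definition instead of repeating the number in two files. With the defaults `termination: edge` and that target, the router-to-pod hop is plain HTTP on 4180 even though the Service also exposes 8443 with a serving-cert annotation when OpenShift auth is enabled; if that is intended, record it in the `core.route.tls.termination` comment in values.yaml, otherwise `reencrypt` against the HTTPS port would keep the in-cluster hop encrypted. The `{{- .route.tls.key | nindent 6 }}` line renders a private key from values straight into the manifest, so the `core.route.tls.key` comment should state that it is expected to be supplied via `--set-file` or an external secret source rather than a committed values file.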
@@ -0,0 +1,25 @@
+{{- $fullName := include "cryostat.fullname" . -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "cryostat.labels" $ | nindent 4 }}
+ {{- if (.Values.authentication.openshift).enabled }}
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: {{ .Release.Name }}-proxy-tls
+ {{- end }}
+spec:
+ type: {{ .Values.core.service.type }}
+ ports:
+ - port: {{ .Values.core.service.httpPort }}
+ targetPort: 4180
+ protocol: TCP
+ name: cryostat-http
+ - port: 443
+ targetPort: 8443
+ protocol: TCP
+ name: cryostat-https
+ selector:
+ {{- include "cryostat.selectorLabels" $ | nindent 4 }}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/serviceaccount.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e6da50e615
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if (.Values.authentication.openshift).enabled -}}
+{{- $fullName := include "cryostat.fullname" . -}}
+{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) -}}
+{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations -}}
+{{- end -}}
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cryostat.serviceAccountName" . }}
+ labels:
+ {{- include "cryostat.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/storage_access_secret.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/storage_access_secret.yaml
new file mode 100644
index 0000000000..b17a18e37f
--- /dev/null
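Review bot: The `cryostat-https` port (443 → 8443) is rendered unconditionally, but the only thing on this page that appears to serve 8443 is the OpenShift proxy path: the `serving-cert-secret-name` annotation that provisions its certificate is gated on `(.Values.authentication.openshift).enabled`, and the alpha_config unit test pins the generic proxy to `http://0.0.0.0:4180`. When OpenShift auth is off the Service therefore advertises a TLS port that, as far as the visible templates show, nothing listens on; wrapping the second `- port:` entry in the same `{{- if (.Values.authentication.openshift).enabled }}` guard, or a comment explaining why it must stay, would make the exposed surface match the deployment.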
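Review bot: The `oauth-redirectreference.primary` annotation only reaches a ServiceAccount when `serviceAccount.create` is true, because the `merge` writes into `.Values.serviceAccount.annotations` and this manifest is its only consumer; an operator who points `serviceAccount.name` at a pre-existing account with `create: false` gets no redirect reference, and the OAuth redirect back to the Route will likely be rejected. Document that requirement beside `serviceAccount.create` in values.yaml (that block is outside this page), e.g. `## When false and authentication.openshift.enabled is true, the existing ServiceAccount must carry the serviceaccounts.openshift.io/oauth-redirectreference.primary annotation pointing at the Route`. `merge` also keeps a user-supplied key over `$redirectAnnotations`, so a stale redirect annotation in values silently wins; a short comment on the `$_ := merge` line stating that precedence would save the next reader a trip to the Sprig docs.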
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/storage_access_secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-storage
+type: Opaque
+data:
+ SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-core-connection.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-core-connection.yaml
new file mode 100644
index 0000000000..cfb917444c
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-core-connection.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "cryostat.fullname" . }}-test-core-connection"
+ labels:
+ {{- include "cryostat.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: curl
+ image: registry.access.redhat.com/ubi8/ubi:latest
+ command:
+ - '/bin/bash'
+ - '-exc'
+ - >
+ dnf install --disableplugin=subscription-manager -yq jq;
+ curl -sSf --retry 10 --retry-connrefused -o /tmp/out.json http://{{ include "cryostat.fullname" . }}:{{ .Values.core.service.httpPort }}/health;
+ cat /tmp/out.json;
+ {{- if hasSuffix "-dev" .Chart.AppVersion }}
+ jq -e '{{ printf "(.cryostatVersion | test(\"^v%s-snapshot$\"))" (.Chart.AppVersion | trimSuffix "-dev" | squote) }}' /tmp/out.json;
+ {{- else }}
+ jq -e '{{ printf "(.cryostatVersion | test(\"^v%s\"))" (.Chart.AppVersion | squote) }}' /tmp/out.json;
+ {{- end }}
+ jq -e '.datasourceAvailable' /tmp/out.json
+ restartPolicy: Never
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-grafana-connection.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-grafana-connection.yaml
new file mode 100644
index 0000000000..d68c007e92
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-grafana-connection.yaml
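Review bot: This Secret has no `labels:` block, unlike every other rendered object on this page, which includes `cryostat.labels`; adding `labels:` followed by `{{- include "cryostat.labels" . | nindent 4 }}` under `metadata:` keeps label-selector tooling and `helm` resource listing consistent. `SECRET_KEY` is produced by `cryostat.objectStorageSecretKey`, whose definition is not on this page; if that helper generates a fresh random value on each render instead of looking up the existing Secret, every `helm upgrade` rotates the storage credential out from under the running pod. A one-line comment here stating which behaviour the helper has (and a `helm.sh/resource-policy: keep` annotation if rotation is not intended) would settle that for the next maintainer.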
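Review bot: The release branch asserts `test(\"^v%s\")` with no trailing anchor while the `-dev` branch uses `-snapshot$`, so with appVersion 3.0.1 the check also passes for `v3.0.10` or any later suffix; if an exact match is intended, `test(\"^v%s$\")` (or `.cryostatVersion == \"v%s\"`, which also avoids the unescaped dots) closes that gap. The test image `registry.access.redhat.com/ubi8/ubi:latest`, reused by the grafana and storage test pods on the next hunk, is a floating tag, so pin it to a versioned tag or digest for reproducible test runs. The `dnf install … jq` step makes the test depend on package-repository reachability from inside the cluster; mentioning that prerequisite in README/NOTES would save debugging time when the hook fails in an air-gapped environment.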
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "cryostat.fullname" . }}-test-grafana-connection"
+ labels:
+ {{- include "cryostat.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: curl
+ image: registry.access.redhat.com/ubi8/ubi:latest
+ command:
+ - '/bin/bash'
+ - '-exc'
+ - curl -sSf --retry 10 --retry-connrefused http://{{ include "cryostat.fullname" . }}:{{ .Values.core.service.httpPort }}/grafana/api/health
+ restartPolicy: Never
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-storage-connection.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-storage-connection.yaml
new file mode 100644
index 0000000000..d743597526
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/templates/tests/test-storage-connection.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "cryostat.fullname" . }}-test-storage-connection"
+ labels:
+ {{- include "cryostat.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: curl
+ image: registry.access.redhat.com/ubi8/ubi:latest
+ command:
+ - '/bin/bash'
+ - '-exc'
+ - curl -sSf --retry 10 --retry-connrefused http://{{ include "cryostat.fullname" . }}:{{ .Values.core.service.httpPort }}/storage/
+ restartPolicy: Never
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/alpha_config_test.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/alpha_config_test.yaml
new file mode 100644
index 0000000000..22b0deb7c4
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/alpha_config_test.yaml
@@ -0,0 +1,31 @@
+suite: test alpha_config.yaml
+templates:
+ - templates/alpha_config.yaml
+
+tests:
+ - it: should create configmap with correct alpha configurations
+ asserts:
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "server:\\s*BindAddress: http://0.0.0.0:4180"
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "upstreamConfig:\\s*proxyRawPath: true\\s*upstreams:\\s*- id: cryostat\\s*path: /\\s*uri: http://localhost:8181"
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "- id: grafana\\s*path: /grafana/\\s*uri: http://localhost:3000"
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "- id: storage\\s*path: \\^/storage/\\(\\.\\*\\)\\$\\s*rewriteTarget: /\\$1\\s*uri: http://localhost:8333\\s*passHostHeader: false\\s*proxyWebSockets: false"
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google"
+
+ - it: should not create alpha_config when openshift authentication is enabled
+ set:
+ authentication:
+ openshift:
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/cookie_secret_test.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/cookie_secret_test.yaml
new file mode 100644
index 0000000000..de9479951c
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/tests/cookie_secret_test.yaml
@@ -0,0 +1,20 @@
+suite: test cookie_secret.yaml
+templates:
+ - cookie_secret.yaml
+
+tests:
+ - it: should create a Cookie Secret with correct settings
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Secret
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-cookie-secret
+ - equal:
+ path: type
+ value: Opaque
+ - exists:
+ path: data.COOKIE_SECRET
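Review bot: The two suites reference their templates in different forms, `templates/alpha_config.yaml` here versus the bare `cookie_secret.yaml` in the next hunk; helm-unittest accepts both, but one convention across `tests/` keeps a future rename to a single-style edit. The cookie secret test only asserts that `data.COOKIE_SECRET` exists, so a helper that emits an empty value would still pass; a `matchRegex` on `path: data.COOKIE_SECRET` with a pattern requiring at least one base64 character would catch that regression.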
diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.schema.json b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.schema.json
new file mode 100644
index 0000000000..8199d6d5c9
--- /dev/null
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.schema.json
@@ -0,0 +1,752 @@ +{ + "title": "Chart Values", + "type": "object", + "properties": { + "core": { + "type": "object", + "properties": { + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the main Cryostat container image", + "default": "registry.redhat.io/cryostat-tech-preview/cryostat-rhel8" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the main Cryostat container image", + "default": "IfNotPresent" + }, + "tag": { + "type": "string", + "description": "Tag for the main Cryostat container image", + "default": "3.0.1" + } + } + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "Type of Service to create for the Cryostat application", + "default": "ClusterIP" + }, + "httpPort": { + "type": "number", + "description": "Port number to expose on the Service for Cryostat's HTTP server", + "default": 8181 + } + } + }, + "sslProxied": { + "type": "boolean", + "description": "Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress", + "default": false + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to create an Ingress object for the Cryostat service", + "default": false + }, + "className": { + "type": "string", + "description": "Ingress class name for the Cryostat application Ingress", + "default": "" + }, + "hosts": { + "type": "array", + "description": "", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string", + "description": "" + }, + "paths": { + "type": "array", + "description": "", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string", + "description": "" + }, + "pathType": { + "type": "string", + "description": "" + } + } + } + } + } + } + }, + "tls": { + "type": "array", + "description": "TLS configuration for 
the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec)", + "default": [], + "items": {} + } + } + }, + "route": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to create a Route object for the Cryostat service. Available only on OpenShift", + "default": true + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)", + "default": true + }, + "termination": { + "type": "string", + "description": "Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt`", + "default": "edge" + }, + "insecureEdgeTerminationPolicy": { + "type": "string", + "description": "Specify how to handle insecure traffic for the Cryostat application Route. One of: `Allow`, `Disable`, `Redirect`", + "default": "Redirect" + }, + "key": { + "type": "string", + "description": "Custom private key to use when securing the Cryostat application Route", + "default": "" + }, + "certificate": { + "type": "string", + "description": "Custom certificate to use when securing the Cryostat application Route", + "default": "" + }, + "caCertificate": { + "type": "string", + "description": "Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route", + "default": "" + }, + "destinationCACertificate": { + "type": "string", + "description": "Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route", + "default": "" + } + } + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the Cryostat container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + }, + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "databaseSecretName": { + "type": "string", + "description": "Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable", + "default": "" + }, + "discovery": { + "type": "object", + "properties": { + "kubernetes": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables Kubernetes API discovery mechanism", + "default": true + }, + "installNamespaceDisabled": { + "type": "boolean", + "description": "When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. 
`{{ .Release.Namespace }}`)", + "default": false + }, + "namespaces": { + "type": "array", + "description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile", + "default": [], + "items": {} + }, + "builtInPortNamesDisabled": { + "type": "boolean", + "description": "When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets.", + "default": false + }, + "portNames": { + "type": "array", + "description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable", + "default": [], + "items": {} + }, + "builtInPortNumbersDisabled": { + "type": "boolean", + "description": "When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets.", + "default": false + }, + "portNumbers": { + "type": "array", + "description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable", + "default": [], + "items": {} + } + } + } + } + } + } + }, + "db": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the database container image", + "default": "registry.redhat.io/cryostat-tech-preview/cryostat-db-rhel8" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the database container image", + "default": "IfNotPresent" + }, + "tag": { + "type": "string", + "description": "Tag for 
the database container image", + "default": "3.0.1" + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "storage": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the storage container image", + "default": "registry.redhat.io/cryostat-tech-preview/cryostat-storage-rhel8" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the storage container image", + "default": "IfNotPresent" + }, + "tag": { + "type": "string", + "description": "Tag for the storage container image", + "default": "3.0.1" + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the storage container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "grafana": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the Grafana container image", + "default": "registry.redhat.io/cryostat-tech-preview/cryostat-grafana-dashboard-rhel8" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the Grafana container image", + "default": "IfNotPresent" + }, + "tag": { + "type": "string", + "description": "Tag for the Grafana container image", + "default": "3.0.1" + } + } + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "Type of Service to create for Grafana", + "default": "ClusterIP" + }, + "port": { + "type": "number", + "description": "Port number to expose on the Service for Grafana's HTTP server", + "default": 3000 + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the Grafana container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "datasource": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the JFR Data Source container image", + "default": "registry.redhat.io/cryostat-tech-preview/jfr-datasource-rhel8" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the JFR Data Source container image", + "default": "IfNotPresent" + }, + "tag": { + "type": "string", + "description": "Tag for the JFR Data Source container image", + "default": "3.0.1" + } + } + }, + "resources": { + "type": "object", + "description": "Resource requests/limits for the JFR Data Source container. 
See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)", + "default": {} + } + } + }, + "oauth2Proxy": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the OAuth2 Proxy container image", + "default": "" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the OAuth2 Proxy container image", + "default": "Never" + }, + "tag": { + "type": "string", + "description": "Tag for the OAuth2 Proxy container image", + "default": "" + } + } + } + } + }, + "authentication": { + "type": "object", + "properties": { + "openshift": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.", + "default": true + }, + "clusterRole": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "The name of the ClusterRole to bind for the OpenShift OAuth Proxy", + "default": "system:auth-delegator" + } + } + } + } + }, + "basicAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether Cryostat should use basic authentication for users. 
When false, Cryostat will not perform any form of authentication", + "default": false + }, + "secretName": { + "type": "string", + "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**", + "default": "" + }, + "filename": { + "type": "string", + "description": "Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**", + "default": "" + } + } + } + } + }, + "openshiftOauthProxy": { + "type": "object", + "properties": { + "securityContext": { + "type": "object", + "properties": { + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the OpenShift OAuth Proxy container image", + "default": "registry.redhat.io/cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the OpenShift OAuth Proxy container image", + "default": "IfNotPresent" + }, + "tag": { + "type": "string", + "description": "Tag for the OpenShift OAuth Proxy container image", + "default": "3.0.1" + } + } + }, + "accessReview": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. 
If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.", + "default": true + }, + "group": { + "type": "string", + "description": "The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure", + "default": "" + }, + "resource": { + "type": "string", + "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.", + "default": "pods" + }, + "subresource": { + "type": "string", + "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.", + "default": "exec" + }, + "name": { + "type": "string", + "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.", + "default": "" + }, + "namespace": { + "type": "string", + "description": "The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.", + "default": "{{ .Release.Namespace }}" + }, + "verb": { + "type": "string", + "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.", + "default": "create" + }, + "version": { + "type": "string", + "description": "The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.", + "default": "" + } + } + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "", + "default": "RuntimeDefault" + } + } + }, + "runAsNonRoot": { + "type": "boolean", + "description": "", + "default": true + } + } + }, + "imagePullSecrets": { + "type": "array", + "description": "Image pull secrets to be used for the Cryostat deployment", + "default": [], + "items": 
{} + }, + "nameOverride": { + "type": "string", + "description": "Overrides the name of this Chart", + "default": "" + }, + "fullnameOverride": { + "type": "string", + "description": "Overrides the fully qualified application name of `[release name]-[chart name]`", + "default": "" + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean", + "description": "Specifies whether RBAC resources should be created", + "default": true + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean", + "description": "Specifies whether a service account should be created", + "default": true + }, + "name": { + "type": "string", + "description": "The name of the service account to use. If not set and create is true, a name is generated using the fullname template", + "default": "" + } + } + }, + "tolerations": { + "type": "array", + "description": "Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)", + "default": [], + "items": {} + }, + "pvc": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Specify whether to use persistentVolumeClaim or EmptyDir storage", + "default": false + }, + "storage": { + "type": "string", + "description": "Storage size to request for the persistentVolumeClaim", + "default": "500Mi" + }, + "accessModes": { + "type": "array", + "description": "Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)", + "default": [ + "ReadWriteOnce" + ], + "items": { + "type": "string" + } + } + } + } + } +} \ No newline at end of file diff --git a/charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.yaml b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.yaml new file mode 100644 index 0000000000..7ec7178bfa --- /dev/null 
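Review bot: `oauth2Proxy.image` defaults to `"repository": ""`, `"tag": ""` and `"pullPolicy": "Never"`, so a user who sets `authentication.openshift.enabled: false` (the other path the schema describes) presumably ends up with an image reference of `:` that can never be pulled; either give the generic proxy a real default, or make `repository`/`tag` required when OpenShift auth is disabled and say so in their descriptions. Several `description` fields are empty (`core.ingress.hosts` and its `host`/`paths`/`path`/`pathType`, every `securityContext` block, `podSecurityContext`), `subresource` repeats the `resource` text, and `verb` says "resource name" — since this file appears to be generated from the `## @param` comments in values.yaml, fix the wording there so the schema picks it up. The schema sets `additionalProperties: false` at no level, so a misspelled key such as `authentification:` validates and silently leaves the default in force; adding it at the top level and on the main sub-objects turns those typos into install-time errors.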
+++ b/charts/redhat/redhat/redhat-cryostat/1.0.1/src/values.yaml 
@@ -0,0 +1,296 @@
+## @section Cryostat Container
+## @extra core Configuration for the core Cryostat application
+core:
+ image:
+ ## @param core.image.repository Repository for the main Cryostat container image
+ repository: "registry.redhat.io/cryostat-tech-preview/cryostat-rhel8"
+ ## @param core.image.pullPolicy Image pull policy for the main Cryostat container image
+ pullPolicy: IfNotPresent
+ ## @param core.image.tag Tag for the main Cryostat container image
+ tag: "3.0.1"
+ service:
+ ## @param core.service.type Type of Service to create for the Cryostat application
+ type: ClusterIP
+ ## @param core.service.httpPort Port number to expose on the Service for Cryostat's HTTP server
+ httpPort: 8181
+ ## @param core.sslProxied Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress
+ sslProxied: false
+ ingress:
+ ## @param core.ingress.enabled Whether to create an Ingress object for the Cryostat service
+ enabled: false
+ ## @param core.ingress.className Ingress class name for the Cryostat application Ingress
+ className: ""
+ ## @param core.ingress.annotations [object] Annotations to apply to the Cryostat application Ingress
+ annotations: {}
+ ## @param core.ingress.hosts [array] Hosts to create rules for in the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec)
+ hosts:
+ - host: cryostat.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ ## @param core.ingress.tls [array] TLS configuration for the Cryostat application Ingress. See: [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec)
+ tls: []
+ route:
+ ## @param core.route.enabled Whether to create a Route object for the Cryostat service.
Available only on OpenShift
+ enabled: true
+ tls:
+ ## @param core.route.tls.enabled Whether to secure the Cryostat application Route with TLS. See: [TLSConfig](https://docs.openshift.com/container-platform/4.10/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)
+ enabled: true
+ ## @param core.route.tls.termination Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt`
+ termination: edge
+ ## @param core.route.tls.insecureEdgeTerminationPolicy Specify how to handle insecure traffic for the Cryostat application Route. One of: `Allow`, `Disable`, `Redirect`
+ insecureEdgeTerminationPolicy: Redirect
+ ## @param core.route.tls.key Custom private key to use when securing the Cryostat application Route
+ key: ""
+ ## @param core.route.tls.certificate Custom certificate to use when securing the Cryostat application Route
+ certificate: ""
+ ## @param core.route.tls.caCertificate Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route
+ caCertificate: ""
+ ## @param core.route.tls.destinationCACertificate Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route
+ destinationCACertificate: ""
+ ## @param core.resources Resource requests/limits for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ resources: {}
+ ## @param core.securityContext [object] Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted).
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip core.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip core.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+ ## @param core.databaseSecretName Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
+ databaseSecretName: ""
+ ## @extra core.discovery Configuration options to the Cryostat application's target discovery mechanisms
+ discovery:
+ kubernetes:
+ ## @param core.discovery.kubernetes.enabled Enables Kubernetes API discovery mechanism
+ enabled: true
+ ## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)
+ installNamespaceDisabled: false
+ ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile
+ namespaces: []
+ ## @param core.discovery.kubernetes.builtInPortNamesDisabled When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets.
+ builtInPortNamesDisabled: false
+ ## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable
+ portNames: []
+ ## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets.
+ builtInPortNumbersDisabled: false
+ ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
+ portNumbers: []
+
+## @section Database Container
+## @extra db Configuration for Cryostat's database
+db:
+ image:
+ ## @param db.image.repository Repository for the database container image
+ repository: "registry.redhat.io/cryostat-tech-preview/cryostat-db-rhel8"
+ ## @param db.image.pullPolicy Image pull policy for the database container image
+ pullPolicy: IfNotPresent
+ ## @param db.image.tag Tag for the database container image
+ tag: "3.0.1"
+ ## @param db.resources Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ resources: {}
+ ## @param db.securityContext [object] Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted).
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip db.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip db.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
+## @section Storage Container
+## @extra storage Configuration for Cryostat's object storage provider
+storage:
+ image:
+ ## @param storage.image.repository Repository for the storage container image
+ repository: "registry.redhat.io/cryostat-tech-preview/cryostat-storage-rhel8"
+ ## @param storage.image.pullPolicy Image pull policy for the storage container image
+ pullPolicy: IfNotPresent
+ ## @param storage.image.tag Tag for the storage container image
+ tag: "3.0.1"
+ ## @param storage.resources Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ resources: {}
+ ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted).
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip storage.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip storage.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
+## @section Grafana Container
+## @extra grafana Configuration for the customized Grafana instance for Cryostat
+grafana:
+ image:
+ ## @param grafana.image.repository Repository for the Grafana container image
+ repository: "registry.redhat.io/cryostat-tech-preview/cryostat-grafana-dashboard-rhel8"
+ ## @param grafana.image.pullPolicy Image pull policy for the Grafana container image
+ pullPolicy: IfNotPresent
+ ## @param grafana.image.tag Tag for the Grafana container image
+ tag: "3.0.1"
+ service:
+ ## @param grafana.service.type Type of Service to create for Grafana
+ type: ClusterIP
+ ## @param grafana.service.port Port number to expose on the Service for Grafana's HTTP server
+ port: 3000
+ ## @param grafana.resources Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ resources: {}
+ ## @param grafana.securityContext [object] Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted).
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip grafana.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip grafana.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
+## @section JFR Data Source Container
+## @extra datasource Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana
+datasource:
+ image:
+ ## @param datasource.image.repository Repository for the JFR Data Source container image
+ repository: "registry.redhat.io/cryostat-tech-preview/jfr-datasource-rhel8"
+ ## @param datasource.image.pullPolicy Image pull policy for the JFR Data Source container image
+ pullPolicy: IfNotPresent
+ ## @param datasource.image.tag Tag for the JFR Data Source container image
+ tag: "3.0.1"
+ ## @param datasource.resources Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
+ resources: {}
+ ## @param datasource.securityContext [object] Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip datasource.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip datasource.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
+## @section Authentication
+
+authentication:
+ openshift:
+ ## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.
+ enabled: true
+ clusterRole:
+ ## @param authentication.openshift.clusterRole.name The name of the ClusterRole to bind for the OpenShift OAuth Proxy
+ name: system:auth-delegator
+ basicAuth:
+ ## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication
+ enabled: false
+ ## @param authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**
+ secretName: ""
+ ## @param authentication.basicAuth.filename Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**
+ filename: ""
+
+## @section OAuth2 Proxy
+
+oauth2Proxy:
+ image:
+ ## @param oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image
+ repository: ""
+ ## @param oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image
+ pullPolicy: Never
+ ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image
+ tag: ""
+ ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces.
See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission).
+ securityContext:
+ ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip oauth2Proxy.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
+## @section OpenShift OAuth Proxy
+
+openshiftOauthProxy:
+ image:
+ ## @param openshiftOauthProxy.image.repository Repository for the OpenShift OAuth Proxy container image
+ repository: "registry.redhat.io/cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8"
+ ## @param openshiftOauthProxy.image.pullPolicy Image pull policy for the OpenShift OAuth Proxy container image
+ pullPolicy: IfNotPresent
+ ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
+ tag: "3.0.1"
+ accessReview:
+ ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.
+ enabled: true
+ ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
+ group: ""
+ ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.
+ resource: "pods"
+ ## @param openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.
+ subresource: "exec"
+ ## @param openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.
+ name: ""
+ ## @param openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.
+ namespace: "{{ .Release.Namespace }}"
+ ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.
+ verb: "create"
+ ## @param openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.
+ version: ""
+ ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+ securityContext:
+ ## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation
+ allowPrivilegeEscalation: false
+ ## @skip openshiftOauthProxy.securityContext.capabilities
+ capabilities:
+ drop:
+ - ALL
+
+## @section Other Parameters
+
+## @param imagePullSecrets [array] Image pull secrets to be used for the Cryostat deployment
+imagePullSecrets: []
+## @param nameOverride Overrides the name of this Chart
+nameOverride: ""
+## @param fullnameOverride Overrides the fully qualified application name of `[release name]-[chart name]`
+fullnameOverride: ""
+
+rbac:
+ ## @param rbac.create Specifies whether RBAC resources should be created
+ create: true
+
+serviceAccount:
+ ## @param serviceAccount.create Specifies whether a service account should be created
+ create: true
+ ## @param serviceAccount.annotations [object] Annotations to add to the service account
+ annotations: {}
+ ## @param
serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+## @param podAnnotations [object] Annotations to be applied to the Cryostat Pod
+podAnnotations: {}
+
+## @param podSecurityContext [object] Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
+podSecurityContext:
+ ## @skip podSecurityContext.runAsNonRoot
+ runAsNonRoot: true
+ ## @skip podSecurityContext.seccompProfile
+ seccompProfile:
+ type: RuntimeDefault
+
+## @param nodeSelector [object] Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)
+nodeSelector: {}
+
+## @param tolerations [array] Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)
+tolerations: []
+
+## @param affinity [object] Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)
+affinity: {}
+
+pvc:
+ ## @param pvc.enabled Specify whether to use persistentVolumeClaim or EmptyDir storage
+ enabled: false
+ ## @param pvc.annotations [object] Annotations to add to the persistentVolumeClaim
+ annotations: {}
+ ## @param pvc.storage Storage size to request for the persistentVolumeClaim
+ storage: 500Mi
+ ## @param pvc.accessModes Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
+ accessModes:
+ - ReadWriteOnce
+ ## @param pvc.selector [object] Selector for the persistentVolumeClaim.
See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
+ selector: {}
+ ## @param pvc.storageClassName [string, nullable] The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
+ # storageClassName:
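Review bot: The descriptions of `openshiftOauthProxy.accessReview.subresource` and `openshiftOauthProxy.accessReview.verb` are copied from the `resource` and `name` entries above them and never say what the value is; they should read `## @param openshiftOauthProxy.accessReview.subresource The OpenShift subresource that the SubjectAccessReview/TokenAccessReview will be performed for.` and `## @param openshiftOauthProxy.accessReview.verb The verb that the SubjectAccessReview/TokenAccessReview will be performed for.` Because the shipped defaults combine to `create` on `pods/exec` in `{{ .Release.Namespace }}`, a one-line note next to `accessReview.enabled` stating that any principal holding that permission in the install namespace is granted access to Cryostat would make the authorization boundary visible to operators without consulting the oauth-proxy README. Separately, `oauth2Proxy.image.repository` and `tag` default to `""` with `pullPolicy: Never`, so an install with `authentication.openshift.enabled: false` presumably cannot start a proxy until both are overridden, and the `authentication.openshift.enabled` description should say so. `core.route.tls.key` takes raw private-key material inline, and Helm keeps the supplied values in the release record in the cluster; pointing users to `--set-file` or a pre-existing Secret in that description would keep keys out of committed values files.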