cryostatio · andrewazores · Jun 6, 2024 · Jan 23, 2024 · Jan 24, 2024 · Feb 13, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,21 +27,22 @@ on:
 
 env:
   TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.ref_name }}
+  TEST_NAMESPACE: helm-test
 
 jobs:
   lint-chart:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
-          version: v3.11.2
-      - uses: actions/setup-python@v4
+          version: v3.14.4
+      - uses: actions/setup-python@v5
         with:
-          python-version: '3.9'
+          python-version: '3.x'
           check-latest: true
       - name: Set up chart-testing
         uses: helm/[email protected]
@@ -53,23 +54,30 @@ jobs:
     - name: Fail if safe-to-test label NOT applied
       if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'safe-to-test') }}
       run: exit 1
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Set up Helm
-      uses: azure/setup-helm@v3
+      uses: azure/setup-helm@v4
       with:
-        version: v3.11.2
-    - uses: actions/setup-python@v4
+        version: v3.14.4
+    - uses: actions/setup-python@v5
       with:
-        python-version: '3.9'
+        python-version: '3.x'
         check-latest: true
     - uses: helm/[email protected]
     - name: Set up Kind cluster
-      run: kind create cluster -n ci-${{ github.run_id }}
+      uses: helm/kind-action@v1
+      with:
+        cluster_name: ci-${{ github.run_id }}
     - name: Install and test chart
       run: |
-        kubectl create ns helm-test
-        ct install --target-branch ${TARGET_BRANCH} --upgrade --namespace=helm-test --config ct.yaml
-    - name: Clean up Kind cluster
-      run: kind delete cluster -n ci-${{ github.run_id }}
+        # FIXME: Remove when chart-testing fixes the issue https://github.com/helm/chart-testing/issues/525
+
+        HELM_LOCATION="$(which helm)"
+        sudo mv $HELM_LOCATION "$(dirname $HELM_LOCATION)/.helm"
+        cat <(echo '#!/usr/bin/env bash') <(echo 'exec .helm "${@//--reuse-values/--reset-then-reuse-values}"') | sudo tee $HELM_LOCATION
+        sudo chmod +x $HELM_LOCATION
+
+        kubectl create ns $TEST_NAMESPACE
+        ct install --target-branch ${TARGET_BRANCH} --upgrade --namespace=$TEST_NAMESPACE --config ct.yaml --debug
diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml
@@ -8,7 +8,7 @@ version: "0.5.0-dev"
 
 kubeVersion: ">= 1.19.0-0"
 
-appVersion: "2.5.0-dev"
+appVersion: "3.0.0-dev"
 
 home: "https://cryostat.io"
 

diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
diff --git a/charts/cryostat/ci/minimal-deploy-values.yaml b/charts/cryostat/ci/minimal-deploy-values.yaml
diff --git a/charts/cryostat/ci/non-minimal-deploy-values.yaml b/charts/cryostat/ci/non-minimal-deploy-values.yaml
diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt
@@ -1,61 +1,39 @@
 {{- $envVars := list }}
 {{- $portForwards := list }}
 {{- $listNum := 1 }}
-{{- if not (and .Values.core.ingress.enabled .Values.grafana.ingress.enabled) }}
+{{- if not .Values.core.ingress.enabled }}
 {{ $listNum }}. Tell Cryostat how to serve external traffic:
 {{- $listNum = add1 $listNum }}
   ```
 {{- if .Values.core.route.enabled }}
   export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
-{{- $envVars = list "CRYOSTAT_WEB_HOST=$ROUTE_HOST" }}
+{{- $envVars = list ( tpl "STORAGE_EXT_URL={{ ternary \"https\" \"http\" .Values.core.route.tls.enabled }}://$ROUTE_HOST/storage/" . ) }}
+{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL={{ ternary \"https\" \"http\" .Values.core.route.tls.enabled}}://$ROUTE_HOST/grafana/" . ) }}
 {{- else if .Values.core.ingress.enabled }}
 {{- /* Do nothing */}}
 {{- else if contains "NodePort" .Values.core.service.type }}
   export NODE_IP=$(kubectl get nodes -n {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryostat.fullname" . }})
-{{- $envVars = list "CRYOSTAT_WEB_HOST=$NODE_IP" "CRYOSTAT_EXT_WEB_PORT=$NODE_PORT" }}
+{{- $envVars = list "QUARKUS_HTTP_HOST=$NODE_IP" }}
+{{- $envVars = append $envVars ( tpl "STORAGE_EXT_URL=http://$NODE_IP:$NODE_PORT/storage/" . ) }}
+{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL=http://$NODE_IP:$NODE_PORT/grafana/" . ) }}
 {{- else if contains "LoadBalancer" .Values.core.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get -n {{ .Release.Namespace }} -w svc/{{ include "cryostat.fullname" . }} svc/{{ include "cryostat.fullname" . }}-grafana'
+           You can watch the status by running 'kubectl get -n {{ .Release.Namespace }} -w svc/{{ include "cryostat.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-{{- $envVars = list "CRYOSTAT_WEB_HOST=$SERVICE_IP" (printf "CRYOSTAT_EXT_WEB_PORT=%v" .Values.core.service.httpPort) }}
+{{- $envVars = list "QUARKUS_HTTP_HOST=$SERVICE_IP" }}
+{{- $envVars = append $envVars ( tpl "STORAGE_EXT_URL=http://$SERVICE_IP:{{ .Values.core.service.httpPort }}/storage/" . ) }}
+{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL=http://$SERVICE_IP:{{ .Values.core.service.httpPort }}/grafana/" . ) }}
 {{- else if contains "ClusterIP" .Values.core.service.type }}
   export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"  --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-{{- $envVars = list "CRYOSTAT_WEB_HOST=127.0.0.1" "CRYOSTAT_EXT_WEB_PORT=8080" }}
+  export CRYOSTAT_WEB_HOST=localhost
+{{- $envVars = list "QUARKUS_HTTP_HOST=$CRYOSTAT_WEB_HOST" }}
+{{- $envVars = append $envVars ( tpl "STORAGE_EXT_URL=http://$CRYOSTAT_WEB_HOST:8080/storage/" . ) }}
+{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL=http://$CRYOSTAT_WEB_HOST:8080/grafana/" . ) }}
 {{- $portForwards = prepend $portForwards "8080:$CONTAINER_PORT" }}
 {{- end }}
 
-{{- if not .Values.minimal }}
-{{- if .Values.grafana.route.enabled }}
-  export GRAFANA_ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }}-grafana -o jsonpath="{.status.ingress[0].host}")
-{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_URL=http{{ if .Values.grafana.route.tls.enabled }}s{{ end }}://$GRAFANA_ROUTE_HOST" . ) }}
-{{- else if .Values.grafana.ingress.enabled }}
-{{- /* Do nothing */}}
-{{- else if contains "NodePort" .Values.grafana.service.type }}
-{{- if not (contains "NodePort" .Values.core.service.type) }}
-  export NODE_IP=$(kubectl get nodes -n {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-{{- end }}
-  export GRAFANA_NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryostat.fullname" . }}-grafana)
-{{- $envVars = append $envVars "GRAFANA_DASHBOARD_URL=http://$NODE_IP:$GRAFANA_NODE_PORT"}}
-{{- else if contains "LoadBalancer" .Values.grafana.service.type }}
-{{- if not (contains "LoadBalancer" .Values.core.service.type) }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get -n {{ .Release.Namespace }} -w svc/{{ include "cryostat.fullname" . }} svc/{{ include "cryostat.fullname" . }}-grafana'
-{{- end }}
-  export GRAFANA_SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }}-grafana --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-{{- $envVars = append $envVars (printf "GRAFANA_DASHBOARD_URL=http://$GRAFANA_SERVICE_IP:%v" .Values.grafana.service.port) }}
-{{- else if contains "ClusterIP" .Values.grafana.service.type }}
-{{- if not (contains "ClusterIP" .Values.core.service.type) }}
-  export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"  --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}")
-{{- end }}
-  export GRAFANA_CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[1].ports[0].containerPort}")
-{{- $envVars = concat $envVars ( list "GRAFANA_DASHBOARD_URL=http://127.0.0.1:$GRAFANA_CONTAINER_PORT" "GRAFANA_DASHBOARD_EXT_URL=http://127.0.0.1:8081" )}}
-{{- $portForwards = append $portForwards "8081:$GRAFANA_CONTAINER_PORT" }}
-{{- end }}
-{{- end }}
-
-
 {{- if not (empty $envVars) }}
   kubectl -n {{ .Release.Namespace }} set env deploy --containers={{ .Chart.Name }} {{ include "cryostat.fullname" . }} {{ join " " $envVars }}
 {{- end }}
@@ -76,18 +54,18 @@
 {{ $listNum }}. {{ "Visit the " }}{{ .Chart.Name | camelcase }}{{ " application at: " }}
   ```
 {{- if .Values.core.route.enabled }}
-  echo http{{ if $.Values.core.route.tls.enabled }}s{{ end }}://$ROUTE_HOST
+  echo {{ ternary "https" "http" .Values.core.route.tls.enabled }}://$ROUTE_HOST
 {{- else if .Values.core.ingress.enabled -}}
 {{- range $host := .Values.core.ingress.hosts -}}
   {{- range .paths -}}
-  http{{ if $.Values.core.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{ ternary "https" "http" .Values.core.ingress.tls }}://{{ $host.host }}{{ .path }}
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.core.service.type }}
   echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.core.service.type }}
   echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }}
 {{- else if contains "ClusterIP" .Values.core.service.type }}
-  http://127.0.0.1:8080
+  http://localhost:8080
 {{- end }}
   ```
diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl
@@ -62,19 +62,87 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Get or generate a default password for credentials database
+Get or generate a default connection key for credentials database
 */}}
-{{- define "cryostat.databasePassword" -}}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-jmx-credentials-db" .Release.Name)) -}}
+{{- define "cryostat.databaseConnectionKey" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}}
 {{- if $secret -}}
 {{/*
-   Use current password. Do not regenerate
+   Use current key. Do not regenerate
 */}}
-{{- $secret.data.CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD -}}
+{{- $secret.data.CONNECTION_KEY -}}
 {{- else -}}
 {{/*
-    Generate new password
+    Generate new key
 */}}
 {{- (randAlphaNum 32) | b64enc | quote -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Get or generate a default encryption key for credentials database
+*/}}
+{{- define "cryostat.databaseEncryptionKey" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}}
+{{- if $secret -}}
+{{/*
+   Use current key. Do not regenerate
+*/}}
+{{- $secret.data.ENCRYPTION_KEY -}}
+{{- else -}}
+{{/*
+    Generate new key
+*/}}
+{{- (randAlphaNum 32) | b64enc | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get or generate a default secret key for object storage
+*/}}
+{{- define "cryostat.objectStorageSecretKey" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}}
+{{- if $secret -}}
+{{/*
+   Use current secret. Do not regenerate
+*/}}
+{{- $secret.data.SECRET_KEY -}}
+{{- else -}}
+{{/*
+    Generate new secret
+*/}}
+{{- (randAlphaNum 32) | b64enc | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate or retrieve a default value for cookieSecret.
+*/}}
+{{- define "cryostat.cookieSecret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}}
+{{- if $secret -}}
+{{/*
+   Use the current secret. Do not regenerate.
+*/}}
+{{- $secret.data.COOKIE_SECRET | b64dec | quote -}}
+{{- else -}}
+{{/*
+    Generate a new secret.
+*/}}
+{{- $newSecret := randAlphaNum 24 | b64enc -}}
+{{- $newSecret | quote -}}
+{{- end }}
+{{- end }}
+
+{{/*
+    Get sanitized list or defaults (if not disabled) as comma-separated list
+*/}}
+{{- define "cryostat.commaSepList" -}}
+{{- $l := index . 0 -}}
+{{- $default := index . 1 -}}
+{{- $disableDefaults := index . 2 -}}
+{{- if and (not $l) (not $disableDefaults) -}}
+{{- $l = list $default -}}
+{{- end -}}
+{{- join "," (default list $l | compact | uniq)  | quote -}}
+{{- end -}}
diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-alpha-config
+data:
+  alpha_config.yaml: |-
+    server:
+      BindAddress: http://0.0.0.0:4180
+    upstreamConfig:
+      proxyRawPath: true
+      upstreams:
+        - id: cryostat
+          path: /
+          uri: http://localhost:8181
+        - id: grafana
+          path: /grafana/
+          uri: http://localhost:3000
+        - id: storage
+          path: ^/storage/(.*)$
+          rewriteTarget: /$1
+          uri: http://localhost:8333
+          passHostHeader: false
+          proxyWebSockets: false
+    providers:
+      - id: dummy
+        name: Unused - Sign In Below
+        clientId: CLIENT_ID
+        clientSecret: CLIENT_SECRET
+        provider: google
diff --git a/charts/cryostat/templates/clusterrolebinding.yaml b/charts/cryostat/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if and (.Values.rbac.create) (.Values.authentication.openshift.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cryostat.fullname" . }}
+  labels:
+    {{- include "cryostat.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.authentication.openshift.clusterRole.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cryostat.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/cryostat/templates/db_connection_key_secret.yaml b/charts/cryostat/templates/db_connection_key_secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-db-connection-key
+type: Opaque
+data:
+  CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }}
diff --git a/charts/cryostat/templates/db_encryption_key_secret.yaml b/charts/cryostat/templates/db_encryption_key_secret.yaml
@@ -0,0 +1,9 @@
+{{- if empty .Values.core.databaseSecretName -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-db-encryption-key
+type: Opaque
+data:
+  ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }}
+{{- end -}}