diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 25768c1..6234921 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -87,18 +87,20 @@ helm install cryostat ./charts/cryostat ### Report Generator Deployment -| Name | Description | Value | -| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `reports` | Configuration for the Reports Generator deployment | | -| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | -| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | -| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | -| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | -| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | -| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | -| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | -| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | -| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `reports` | Configuration for the Reports Generator deployment | | +| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | +| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | +| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | +| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | +| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | +| `reports.reportsSecretName` | Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. 
More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `reports.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | +| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | +| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | +| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | +| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Database Container 
@@ -169,14 +171,14 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. 
default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 5a37a96..518e294 100644 --- a/charts/cryostat/templates/_helpers.tpl 
+++ b/charts/cryostat/templates/_helpers.tpl @@ -116,6 +116,24 @@ Get or generate a default secret key for object storage. {{- end -}} {{- end -}} +{{/* +Get or generate a default secret password key for report generators. +*/}} +{{- define "cryostat.reportsPassSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-reports-secret" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate. +*/}} +{{- $secret.data.REPORTS_PASS -}} +{{- else -}} +{{/* + Generate new secret +*/}} +{{- (randAlphaNum 32) -}} +{{- end -}} +{{- end -}} + {{/* Get or generate a default secret key for auth proxy cookies. */}} @@ -130,7 +148,7 @@ Get or generate a default secret key for auth proxy cookies. {{/* Generate new secret */}} -{{- (randAlphaNum 32) | b64enc | quote -}} +{{- (randAlphaNum 32) | b64enc -}} {{- end -}} {{- end -}} diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 576d1d9..a4d703d 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl @@ -20,7 +20,7 @@ Create OpenShift OAuth Proxy container. - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ - - --cookie-secret="$(COOKIE_SECRET)" + - --cookie-secret=$(COOKIE_SECRET) - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true - --http-address=0.0.0.0:4180 diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl new file mode 100644 index 0000000..4184077 --- /dev/null +++ b/charts/cryostat/templates/_reports_authproxy.tpl 
@@ -0,0 +1,92 @@ +{{- define "cryostat.reportsAuthProxy" -}} +{{- if (.Values.authentication.openshift).enabled }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }} + image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}" + env: + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + args: + - --pass-access-token=false + - --pass-user-bearer-token=false + - --pass-basic-auth=false + - --htpasswd-file=/etc/oauth2_proxy/basicauth/htpasswd + - --upstream=http://localhost:10001/ + - --cookie-secret=$(COOKIE_SECRET) + - --request-logging=true + - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} + - --proxy-websockets=true + - --http-address=0.0.0.0:4180 + - --https-address=:8443 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --proxy-prefix=/oauth2 + - --bypass-auth-for=^/health$ + imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }} + ports: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.openshiftOauthProxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-proxy-tls + mountPath: /etc/tls/private + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File +{{- else }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: 
+ - name: OAUTH2_PROXY_CLIENT_ID + value: dummy + - name: OAUTH2_PROXY_CLIENT_SECRET + value: none + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: 0.0.0.0:4180 + - name: OAUTH2_PROXY_UPSTREAMS + value: http://localhost:10001/ + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/htpasswd + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health$" + - name: OAUTH2_PROXY_PROXY_WEBSOCKETS + value: "false" + ports: + - containerPort: 4180 + name: http + protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true +{{- end }} +{{- end}} diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index e9a9fd6..cb0fbca 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml 
@@ -63,8 +63,19 @@ spec: - name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT value: no-file {{- if gt (int (.Values.reports).replicas) 0 }} + - name: REPORTS_PASS_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }} + key: REPORTS_PASS + optional: false + # TODO TLS trust + - name: QUARKUS_TLS_TRUST_ALL + value: "true" + - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST + value: "false" - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "http://%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index 81507d0..05c846d 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -34,6 +34,7 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: + {{- include "cryostat.reportsAuthProxy" . | nindent 8 }} - name: {{ printf "%s-%s" .Chart.Name "reports" }} securityContext: {{- toYaml (.Values.reports).securityContext | nindent 12 }} @@ -42,6 +43,8 @@ spec: env: - name: QUARKUS_HTTP_PORT value: "{{ .Values.reports.service.httpPort }}" + - name: QUARKUS_LOG_LEVEL + value: {{ .Values.reports.debug.log.level }} ports: - containerPort: {{ .Values.reports.service.httpPort }} protocol: TCP 
@@ -71,4 +74,14 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + - name: {{ .Release.Name }}-reports-secret + secret: + defaultMode: 0440 + secretName: {{ .Release.Name }}-reports-secret + {{- if (.Values.authentication.openshift).enabled }} + - name: {{ .Release.Name }}-proxy-tls + secret: + secretName: {{ .Release.Name }}-proxy-tls + {{- end }} {{- end -}} diff --git a/charts/cryostat/templates/reports_secret.yaml b/charts/cryostat/templates/reports_secret.yaml new file mode 100644 index 0000000..988de13 --- /dev/null +++ b/charts/cryostat/templates/reports_secret.yaml @@ -0,0 +1,13 @@ +{{- if empty .Values.reports.reportsSecretName -}} +{{- $secretKey := include "cryostat.reportsPassSecretKey" . -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-reports-secret + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +data: + REPORTS_PASS: {{ $secretKey | b64enc }} + htpasswd: {{ htpasswd "cryostat" $secretKey | b64enc }} +{{- end -}} diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index 4235827..5ebb9be 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml @@ -1,6 +1,5 @@ -{{- $fullName := include "cryostat.fullname" . -}} ---- {{- if gt (int (.Values.reports).replicas) 0 -}} +{{- $fullName := include "cryostat.fullname" . -}} apiVersion: v1 kind: Service metadata: @@ -12,6 +11,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} + targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }} selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} app.kubernetes.io/component: reports diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index d47607e..0548fc7 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml 
+++ b/charts/cryostat/tests/cryostat_deployment_test.yaml @@ -199,7 +199,19 @@ tests: asserts: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value - value: http://RELEASE-NAME-cryostat-reports:10001 + value: http://cryostat:$(REPORTS_PASS_SECRET_KEY)@RELEASE-NAME-cryostat-reports.NAMESPACE.svc:10001 + + - it: should set environment variable if sidecar report generator is enabled in OpenShift with HTTPS + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value + value: https://cryostat:$(REPORTS_PASS_SECRET_KEY)@RELEASE-NAME-cryostat-reports.NAMESPACE.svc:10001 - it: should set oauth2proxy resource overrides set: diff --git a/charts/cryostat/tests/reports_deployment_test.yaml b/charts/cryostat/tests/reports_deployment_test.yaml index b5ca35a..28ebff6 100644 --- a/charts/cryostat/tests/reports_deployment_test.yaml +++ b/charts/cryostat/tests/reports_deployment_test.yaml @@ -64,6 +64,17 @@ tests: reports: replicas: 1 asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].image + value: "quay.io/oauth2-proxy/oauth2-proxy:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].ports + value: + - containerPort: 4180 + name: http + protocol: TCP - exists: path: spec.template.spec.containers[?(@.name=='cryostat-reports')] - equal: 
@@ -73,6 +84,29 @@ tests: path: spec.template.spec.containers[?(@.name=='cryostat-reports')].env[?(@.name=='QUARKUS_HTTP_PORT')].value value: "10001" + - it: should validate authproxy settings when deployed in OpenShift + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].image + value: "quay.io/cryostat/openshift-oauth-proxy:cryostat-v3.0" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].ports + value: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + - it: should apply Kubernetes specific settings when configured set: reports: diff --git a/charts/cryostat/tests/reports_secret_test.yaml b/charts/cryostat/tests/reports_secret_test.yaml new file mode 100644 index 0000000..f839801 --- /dev/null +++ b/charts/cryostat/tests/reports_secret_test.yaml @@ -0,0 +1,40 @@ +suite: test reports_secret.yaml +templates: + - reports_secret.yaml + +tests: + - it: should create a reports secret if core.reportsSecretName is not set + set: + core.reportsSecretName: "" + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Secret + - equal: + path: metadata.name + value: RELEASE-NAME-reports-secret + - equal: + path: type + value: Opaque + - exists: + path: data.htpasswd + - exists: + path: data.REPORTS_PASS + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev + + - it: should not create a database secret if reports.reportsSecretName is set + set: + reports.reportsSecretName: "custom-reports-secret" + asserts: + - hasDocuments: + count: 0 
diff --git a/charts/cryostat/tests/reports_service_test.yaml b/charts/cryostat/tests/reports_service_test.yaml new file mode 100644 index 0000000..3e27a30 --- /dev/null +++ b/charts/cryostat/tests/reports_service_test.yaml @@ -0,0 +1,78 @@ +suite: test reports_service.yaml +templates: + - reports_service.yaml + +tests: + - it: should do nothing if report generators are not desired + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service targeting the Pod http port + set: + reports: + replicas: 1 + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-reports + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 10001 + - equal: + path: spec.ports[0].targetPort + value: http + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: reports + + - it: should create a Service targeting the Pod https port when deployed in OpenShift + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-reports + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 10001 + - equal: + path: spec.ports[0].targetPort + value: https + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: reports 
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 0521c88..88c3baf 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -299,6 +299,11 @@ } } }, + "reportsSecretName": { + "type": "string", + "description": "Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable", + "default": "" + }, "securityContext": { "type": "object", "properties": { @@ -324,6 +329,21 @@ } } }, + "debug": { + "type": "object", + "properties": { + "log": { + "type": "object", + "properties": { + "level": { + "type": "string", + "description": "Log level for troubleshooting and debugging", + "default": "INFO" + } + } + } + } + }, "replicas": { "type": "number", "description": "Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own.", diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 4b35637..79fdd4d 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -101,6 +101,12 @@ reports: type: ClusterIP ## @param reports.service.httpPort Port number to expose on the Service for the Report Generator Deployment httpPort: 10001 + ## @param reports.reportsSecretName Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable + reportsSecretName: "" + debug: + log: + ## @param reports.debug.log.level Log level for troubleshooting and debugging + level: INFO ## @param reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. replicas: 0 resources: 
@@ -273,7 +279,7 @@ oauth2Proxy: cpu: 25m ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container. memory: 64Mi - ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). + ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). securityContext: ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false
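Review bot: The `reports.reportsSecretName` description in the README hunk (`@@ -87,18 +87,20 @@`) understates what a user-supplied secret must contain. The new `reports_deployment.yaml` mounts that secret at `/etc/oauth2_proxy/basicauth` and both proxy branches read `htpasswd` from it, so a custom secret needs an `htpasswd` key holding a hash for user `cryostat` that matches `REPORTS_PASS`, not only the `REPORTS_PASS` key the text mentions. Say so here and in the matching `values.yaml` and `values.schema.json` descriptions, and change "must contain a REPORTS_PASS secret" to "must contain a REPORTS_PASS key", since it is a key inside the Secret.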
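Review bot: The second README hunk (`@@ -169,14 +171,14 @@`) and the `values.yaml` hunk at `@@ -273,7 +279,7 @@` silently drop the caveat that `oauth2Proxy.securityContext.runAsUser` must be set in OpenShift default namespaces when the proxy image has no numeric non-root user. Nothing else in the diff changes the image or the security context, so the reason for removing the warning is not visible; if the proxy image now declares a numeric user, state that in the PR description, and keep a shortened form of the caveat for users who override `oauth2Proxy.image.repository`.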
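Review bot: `cryostat.reportsPassSecretKey` in the `_helpers.tpl` hunk (`@@ -116,6 +116,24 @@`) returns different encodings from its two branches. `lookup` yields the Secret's `data` map, whose values are base64, so on an existing release the helper returns the encoded string, while the generate branch returns the raw `randAlphaNum 32`. `reports_secret.yaml` then does `REPORTS_PASS: {{ $secretKey | b64enc }}` and `htpasswd "cryostat" $secretKey`, so the first `helm upgrade` double-encodes the password and hashes the encoded form, changing both values, which is exactly what the README says must not happen. Pipe the lookup branch through `b64dec`, i.e. `{{- $secret.data.REPORTS_PASS | b64dec -}}`, so the helper always returns the plaintext password; the cookie-secret helper just below keeps both of its branches on the encoded form, which is why it pipes the generated value through `b64enc`.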
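Review bot: Removing `| quote` from the cookie-secret generate branch (`_helpers.tpl`, `@@ -130,7 +148,7 @@`) changes the rendered value for every template that includes that helper, and none of its consumers is in this diff. Add a unit test, in the style of the new `reports_secret_test.yaml`, that asserts the rendered `COOKIE_SECRET` is plain base64 with no embedded quote characters, so the two branches are verified to agree.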
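Review bot: The `_openshiftOauthProxy.tpl` change (`@@ -20,7 +20,7 @@`) is correct and worth a sentence in the commit message: container `args` are not passed through a shell, so `--cookie-secret="$(COOKIE_SECRET)"` handed the proxy a value wrapped in literal double quotes after Kubernetes expanded the variable reference. The new `_reports_authproxy.tpl` already uses the unquoted `--cookie-secret=$(COOKIE_SECRET)` form, so the two templates are now consistent.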
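Review bot: In `_reports_authproxy.tpl` (`@@ -0,0 +1,92 @@`) the non-OpenShift branch listens only on plaintext `0.0.0.0:4180` (no `--https-address`, no `--tls-cert`/`--tls-key`), so outside OpenShift the `cryostat:$(REPORTS_PASS_SECRET_KEY)` basic-auth credential crosses the cluster network unencrypted on every report request. Document that in the `reportsSecretName` description and consider a values option for a user-provided TLS secret so the `https` targetPort path is not OpenShift-only. Three smaller points in the same hunk: the `-proxy-tls` mount lacks `readOnly: true` while the `-reports-secret` mount has it; the OpenShift branch sets `--proxy-websockets=true` but the other branch sets `OAUTH2_PROXY_PROXY_WEBSOCKETS` to `"false"`, and the reports upstream is the same in both, so pick one; and `OAUTH2_PROXY_CLIENT_ID=dummy` / `OAUTH2_PROXY_CLIENT_SECRET=none` / `OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback` deserve a template comment explaining that they are placeholders while htpasswd authentication is the only method in use, otherwise a reader will take them for a misconfiguration.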
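Review bot: `QUARKUS_TLS_TRUST_ALL=true` and `QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST=false` in `cryostat_deployment.yaml` (`@@ -63,8 +63,19 @@`) disable certificate and hostname verification for the Cryostat to reports client, so the `https` scheme picked by the `ternary` does not authenticate the proxy, and the `cryostat:$(REPORTS_PASS_SECRET_KEY)` credential embedded in `QUARKUS_REST_CLIENT_REPORTS_URL` is sent to whatever answers on that Service name. The OpenShift path already has a serving certificate in the `-proxy-tls` secret, so the Cryostat container can trust the service CA bundle instead of trusting everything. The two variables are also emitted unconditionally, including when the ternary yields `http`, so every install ships the weakened setting; at least gate them on `(.Values.authentication.openshift).enabled`, and replace the `# TODO TLS trust` comment with a tracked issue before merging. Separately, a URL with userinfo tends to surface in client logs and exception messages, so check how the REST client logs its base URL before relying on the env-var indirection to keep the password out of `kubectl describe` output.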
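Review bot: The `volumes` hunk in `reports_deployment.yaml` (`@@ -71,4 +74,14 @@`) hardcodes `secretName: {{ .Release.Name }}-reports-secret`, but `reports_secret.yaml` only renders that Secret when `reports.reportsSecretName` is empty, and `cryostat_deployment.yaml` resolves the name with `default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName`. With a custom `reportsSecretName` the reports Pod therefore references a Secret that does not exist and never leaves ContainerCreating. Use the same `default (...)` expression for `secretName`, and add a `reports_deployment_test.yaml` case that sets `reports.reportsSecretName: custom-reports-secret` and asserts on the mounted `secretName`, since the new `reports_secret_test.yaml` only checks that the chart-managed Secret is not rendered in that case.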
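Review bot: `value: {{ .Values.reports.debug.log.level }}` in the `reports_deployment.yaml` env hunk (`@@ -42,6 +43,8 @@`) is emitted unquoted, unlike `QUARKUS_HTTP_PORT` two lines above; pipe it through `quote` so a value that YAML would not read as a string still renders as a valid env entry. The matching `values.schema.json` hunk (`@@ -324,6 +329,21 @@`) leaves `level` as a free-form string, so an `enum` of the accepted log levels would reject typos at install time instead of at container start.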
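Review bot: `reports_secret.yaml` (`@@ -0,0 +1,13 @@`) does not set `immutable: true` even though the README text added in this same diff recommends marking the Secret immutable. Adding it is consistent with `cryostat.reportsPassSecretKey`, which never changes the value on upgrade, and it blocks the accidental edits the README warns about; note in the description that rotating the credential then requires deleting the Secret before the next upgrade. The literal user name `cryostat` also appears both here in `htpasswd "cryostat" $secretKey` and in the `QUARKUS_REST_CLIENT_REPORTS_URL` template; a single variable or helper for it would keep the two from drifting apart.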
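Review bot: The first case in `reports_secret_test.yaml` (`@@ -0,0 +1,40 @@`) sets `core.reportsSecretName: ""`, which is not the key the template reads; the test passes only because `reports.reportsSecretName` already defaults to `""`. Change it to `reports.reportsSecretName: ""` so the assertion exercises the real condition, and fix the second case's description, which says "should not create a database secret" for a reports secret test.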