Skip to content

cryostatio/cryostat-helm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

81 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Cryostat Helm Chart

Version: 2.0.0-dev Type: application AppVersion: 4.0.0-dev

A Helm chart for deploying Cryostat on Kubernetes and OpenShift.

Requirements

Kubernetes: >= 1.25.0-0

Installation

From Helm repository

The chart is available at the following repositories:

To install the chart, add the repository and install, for example:

helm repo add cryostat-charts https://cryostat.io/helm-charts
helm repo update
helm install cryostat cryostat-charts/cryostat

From OCI container registry

The chart is also available as an OCI image on GitHub Container Registry (ghcr.io).

To install the chart, run:

helm install cryostat oci://ghcr.io/cryostatio/cryostat-helm --version $VERSION

From source code

To install the chart from source code, run:

git clone https://github.com/cryostatio/cryostat-helm
cd cryostat-helm
helm install cryostat ./charts/cryostat

Parameters

Cryostat Container

Name Description Value
core Configuration for the core Cryostat application
core.image.repository Repository for the main Cryostat container image quay.io/cryostat/cryostat
core.image.pullPolicy Image pull policy for the main Cryostat container image Always
core.image.tag Tag for the main Cryostat container image 4.0.0-snapshot
core.service.type Type of Service to create for the Cryostat application ClusterIP
core.service.httpPort Port number to expose on the Service for Cryostat's HTTP server 8181
core.debug.log.level Log level for troubleshooting and debugging INFO
core.sslProxied Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress false
core.ingress.enabled Whether to create an Ingress object for the Cryostat service false
core.ingress.className Ingress class name for the Cryostat application Ingress ""
core.ingress.annotations Annotations to apply to the Cryostat application Ingress {}
core.ingress.hosts Hosts to create rules for in the Cryostat application Ingress. See: IngressSpec []
core.ingress.tls TLS configuration for the Cryostat application Ingress. See: IngressSpec []
core.route.enabled Whether to create a Route object for the Cryostat service. Available only on OpenShift false
core.route.tls.enabled Whether to secure the Cryostat application Route with TLS. See: TLSConfig true
core.route.tls.termination Type of TLS termination to use for the Cryostat application Route. One of: edge, passthrough, reencrypt edge
core.route.tls.insecureEdgeTerminationPolicy Specify how to handle insecure traffic for the Cryostat application Route. One of: Allow, Disable, Redirect Redirect
core.route.tls.key Custom private key to use when securing the Cryostat application Route ""
core.route.tls.certificate Custom certificate to use when securing the Cryostat application Route ""
core.route.tls.caCertificate Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route ""
core.route.tls.destinationCACertificate Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route ""
core.resources.requests.cpu CPU resource request for the Cryostat container. See: ResourceRequirements 500m
core.resources.requests.memory Memory resource request for the Cryostat container. 384Mi
core.securityContext Security Context for the Cryostat container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}
core.databaseSecretName Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable ""
core.discovery Configuration options to the Cryostat application's target discovery mechanisms
core.discovery.kubernetes.enabled Enables Kubernetes API discovery mechanism true
core.discovery.kubernetes.installNamespaceDisabled When false and namespaces is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. {{ .Release.Namespace }}) false
core.discovery.kubernetes.namespaces List of namespaces whose workloads the Cryostat application should be permitted to access and profile []
core.discovery.kubernetes.builtInPortNamesDisabled When false and portNames is empty, the Cryostat application will use the default port name jfr-jmx to look for JMX connectable targets. false
core.discovery.kubernetes.portNames List of port names that the Cryostat application should look for in order to consider a target as JMX connectable []
core.discovery.kubernetes.builtInPortNumbersDisabled When false and portNumbers is empty, the Cryostat application will use the default port number 9091 to look for JMX connectable targets. false
core.discovery.kubernetes.portNumbers List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable []

Report Generator Deployment

Name Description Value
reports Configuration for the Reports Generator deployment
reports.image.repository Repository for the Report Generator container image quay.io/cryostat/cryostat-reports
reports.image.pullPolicy Image pull policy for the Report Generator container image Always
reports.image.tag Tag for the Report Generator image 4.0.0-snapshot
reports.service.type Type of Service to create for the Report Generator Deployment ClusterIP
reports.service.httpPort Port number to expose on the Service for the Report Generator Deployment 10001
reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. 0
reports.resources.requests.cpu CPU resource request for each Pod in the Report Generator Deployment. 500m
reports.resources.requests.memory Memory resource request for each Pod in the Report Generator Deployment. 512Mi
reports.securityContext Security Context for the Report Generator containers. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Database Container

Name Description Value
db Configuration for Cryostat's database
db.image.repository Repository for the database container image quay.io/cryostat/cryostat-db
db.image.pullPolicy Image pull policy for the database container image Always
db.image.tag Tag for the database container image latest
db.service.type Type of Service to create for the database ClusterIP
db.service.port Port number to expose on the Service 5432
db.resources.requests.cpu CPU resource request for the database container. See: ResourceRequirements 25m
db.resources.requests.memory Memory resource request for the database container. 64Mi
db.securityContext Security Context for the database container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Storage Container

Name Description Value
storage Configuration for Cryostat's object storage provider
storage.storageSecretName Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable ""
storage.image.repository Repository for the storage container image quay.io/cryostat/cryostat-storage
storage.image.pullPolicy Image pull policy for the storage container image Always
storage.image.tag Tag for the storage container image latest
storage.encryption.enabled Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security. true
storage.service.type Type of Service to create for the object storage ClusterIP
storage.service.port Port number to expose on the Service 8333
storage.resources.requests.cpu CPU resource request for the object storage container. See: ResourceRequirements 50m
storage.resources.requests.memory Memory resource request for the object storage container. 256Mi
storage.securityContext Security Context for the storage container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Grafana Container

Name Description Value
grafana Configuration for the customized Grafana instance for Cryostat
grafana.image.repository Repository for the Grafana container image quay.io/cryostat/cryostat-grafana-dashboard
grafana.image.pullPolicy Image pull policy for the Grafana container image Always
grafana.image.tag Tag for the Grafana container image latest
grafana.service.type Type of Service to create for Grafana ClusterIP
grafana.service.port Port number to expose on the Service for Grafana's HTTP server 3000
grafana.resources.requests.cpu CPU resource request for the Grafana container. See: ResourceRequirements 25m
grafana.resources.requests.memory Memory resource request for the Grafana container. 80Mi
grafana.securityContext Security Context for the Grafana container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

JFR Data Source Container

Name Description Value
datasource Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana
datasource.image.repository Repository for the JFR Data Source container image quay.io/cryostat/jfr-datasource
datasource.image.pullPolicy Image pull policy for the JFR Data Source container image Always
datasource.image.tag Tag for the JFR Data Source container image latest
datasource.resources.requests.cpu CPU resource request for the JFR Data Source container. See: ResourceRequirements 200m
datasource.resources.requests.memory Memory resource request for the JFR Data Source container. 200Mi
datasource.securityContext Security Context for the JFR Data Source container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Authentication

Name Description Value
authentication.cookieSecretName Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable ""
authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. false
authentication.openshift.clusterRole.name The name of the ClusterRole to bind for the OpenShift OAuth Proxy system:auth-delegator
authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication false
authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace (Required if basicAuth is enabled) ""
authentication.basicAuth.filename Key within Secret containing the htpasswd file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the bcrypt hash of the desired password. Such an entry can be generated with ex. htpasswd -nbB username password (Required if basicAuth is enabled) ""

OAuth2 Proxy

Name Description Value
oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image quay.io/oauth2-proxy/oauth2-proxy
oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image Always
oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image latest
oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container. 25m
oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container. 64Mi
oauth2Proxy.securityContext Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext. If the chart is installed in default namespaces (e.g. default), securityContext.runAsUser must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See Understanding and Managing Pod Security Admission. {}

OpenShift OAuth Proxy

Name Description Value
openshiftOauthProxy.image.repository Repository for the OpenShift OAuth Proxy container image quay.io/cryostat/openshift-oauth-proxy
openshiftOauthProxy.image.pullPolicy Image pull policy for the OpenShift OAuth Proxy container image Always
openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image cryostat-v3.0
openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container. 25m
openshiftOauthProxy.resources.requests.memory Memory resource request for the OpenShift OAuth Proxy container. 64Mi
openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. true
openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure ""
openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. pods
openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. exec
openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. ""
openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. {{ .Release.Namespace }}
openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. create
openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. ""
openshiftOauthProxy.securityContext Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Other Parameters

Name Description Value
imagePullSecrets Image pull secrets to be used for the Cryostat deployment []
nameOverride Overrides the name of this Chart ""
fullnameOverride Overrides the fully qualified application name of [release name]-[chart name] ""
rbac.create Specifies whether RBAC resources should be created true
serviceAccount.create Specifies whether a service account should be created true
serviceAccount.annotations Annotations to add to the service account {}
serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template ""
podAnnotations Annotations to be applied to the Cryostat Pod {}
podSecurityContext Security Context for the Cryostat Pod. Defaults to meet "restricted" Pod Security Standard. See: PodSecurityContext {}
nodeSelector Node Selector for the Cryostat Pod. See: NodeSelector {}
tolerations Tolerations for the Cryostat Pod. See: Tolerations []
affinity Affinity for the Cryostat Pod. See: Affinity {}
pvc.enabled Specify whether to use persistentVolumeClaim or EmptyDir storage false
pvc.annotations Annotations to add to the persistentVolumeClaim {}
pvc.storage Storage size to request for the persistentVolumeClaim 500Mi
pvc.accessModes Access mode for the persistentVolumeClaim. See: Access Modes ["ReadWriteOnce"]
pvc.selector Selector for the persistentVolumeClaim. See: Selector {}
pvc.storageClassName The name of the StorageClass for the persistentVolumeClaim. See: Class undefined