search

cryostatio / cryostat-helm

Helm Chart for Cryostat
Other
4 stars 9 forks source link

readme

Cryostat Helm Chart

A Helm chart for deploying Cryostat on Kubernetes and OpenShift

Parameters

Cryostat Container

Name Description Value
core Configuration for the core Cryostat application
core.image.repository Repository for the main Cryostat container image quay.io/cryostat/cryostat
core.image.pullPolicy Image pull policy for the main Cryostat container image Always
core.image.tag Tag for the main Cryostat container image 4.0.0-snapshot
core.service.type Type of Service to create for the Cryostat application ClusterIP
core.service.httpPort Port number to expose on the Service for Cryostat's HTTP server 8181
core.sslProxied Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress false
core.ingress.enabled Whether to create an Ingress object for the Cryostat service false
core.ingress.className Ingress class name for the Cryostat application Ingress ""
core.ingress.annotations Annotations to apply to the Cryostat application Ingress {}
core.ingress.hosts Hosts to create rules for in the Cryostat application Ingress. See: IngressSpec []
core.ingress.tls TLS configuration for the Cryostat application Ingress. See: IngressSpec []
core.route.enabled Whether to create a Route object for the Cryostat service. Available only on OpenShift false
core.route.tls.enabled Whether to secure the Cryostat application Route with TLS. See: TLSConfig true
core.route.tls.termination Type of TLS termination to use for the Cryostat application Route. One of: edge, passthrough, reencrypt edge
core.route.tls.insecureEdgeTerminationPolicy Specify how to handle insecure traffic for the Cryostat application Route. One of: Allow, Disable, Redirect Redirect
core.route.tls.key Custom private key to use when securing the Cryostat application Route ""
core.route.tls.certificate Custom certificate to use when securing the Cryostat application Route ""
core.route.tls.caCertificate Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route ""
core.route.tls.destinationCACertificate Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route ""
core.resources Resource requests/limits for the Cryostat container. See: ResourceRequirements {}
core.securityContext Security Context for the Cryostat container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}
core.databaseSecretName Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable ""
core.discovery Configuration options to the Cryostat application's target discovery mechanisms
core.discovery.kubernetes.enabled Enables Kubernetes API discovery mechanism true
core.discovery.kubernetes.installNamespaceDisabled When false and namespaces is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. {{ .Release.Namespace }}) false
core.discovery.kubernetes.namespaces List of namespaces whose workloads the Cryostat application should be permitted to access and profile []
core.discovery.kubernetes.builtInPortNamesDisabled When false and portNames is empty, the Cryostat application will use the default port name jfr-jmx to look for JMX connectable targets. false
core.discovery.kubernetes.portNames List of port names that the Cryostat application should look for in order to consider a target as JMX connectable []
core.discovery.kubernetes.builtInPortNumbersDisabled When false and portNumbers is empty, the Cryostat application will use the default port number 9091 to look for JMX connectable targets. false
core.discovery.kubernetes.portNumbers List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable []

Database Container

Name Description Value
db Configuration for Cryostat's database
db.image.repository Repository for the database container image quay.io/cryostat/cryostat-db
db.image.pullPolicy Image pull policy for the database container image Always
db.image.tag Tag for the database container image latest
db.resources Resource requests/limits for the database container. See: ResourceRequirements {}
db.securityContext Security Context for the database container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Storage Container

Name Description Value
storage Configuration for Cryostat's object storage provider
storage.image.repository Repository for the storage container image quay.io/cryostat/cryostat-storage
storage.image.pullPolicy Image pull policy for the storage container image Always
storage.image.tag Tag for the storage container image latest
storage.resources Resource requests/limits for the storage container. See: ResourceRequirements {}
storage.securityContext Security Context for the storage container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Grafana Container

Name Description Value
grafana Configuration for the customized Grafana instance for Cryostat
grafana.image.repository Repository for the Grafana container image quay.io/cryostat/cryostat-grafana-dashboard
grafana.image.pullPolicy Image pull policy for the Grafana container image Always
grafana.image.tag Tag for the Grafana container image latest
grafana.service.type Type of Service to create for Grafana ClusterIP
grafana.service.port Port number to expose on the Service for Grafana's HTTP server 3000
grafana.resources Resource requests/limits for the Grafana container. See: ResourceRequirements {}
grafana.securityContext Security Context for the Grafana container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

JFR Data Source Container

Name Description Value
datasource Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana
datasource.image.repository Repository for the JFR Data Source container image quay.io/cryostat/jfr-datasource
datasource.image.pullPolicy Image pull policy for the JFR Data Source container image Always
datasource.image.tag Tag for the JFR Data Source container image latest
datasource.resources Resource requests/limits for the JFR Data Source container. See: ResourceRequirements {}
datasource.securityContext Security Context for the JFR Data Source container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Authentication

Name Description Value
authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. false
authentication.openshift.clusterRole.name The name of the ClusterRole to bind for the OpenShift OAuth Proxy system:auth-delegator
authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication false
authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace (Required if basicAuth is enabled) ""
authentication.basicAuth.filename Key within Secret containing the htpasswd file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the bcrypt hash of the desired password. Such an entry can be generated with ex. htpasswd -nbB username password (Required if basicAuth is enabled) ""

OAuth2 Proxy

Name Description Value
oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image quay.io/oauth2-proxy/oauth2-proxy
oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image Always
oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image latest
oauth2Proxy.securityContext Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext. If the chart is installed in default namespaces (e.g. default), securityContext.runAsUser must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See Understanding and Managing Pod Security Admission. {}

OpenShift OAuth Proxy

Name Description Value
openshiftOauthProxy.image.repository Repository for the OpenShift OAuth Proxy container image quay.io/cryostat/openshift-oauth-proxy
openshiftOauthProxy.image.pullPolicy Image pull policy for the OpenShift OAuth Proxy container image Always
openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image cryostat-v3.0
openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. true
openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure ""
openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. pods
openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. exec
openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. ""
openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. {{ .Release.Namespace }}
openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. create
openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. ""
openshiftOauthProxy.securityContext Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext {}

Other Parameters

Name Description Value
imagePullSecrets Image pull secrets to be used for the Cryostat deployment []
nameOverride Overrides the name of this Chart ""
fullnameOverride Overrides the fully qualified application name of [release name]-[chart name] ""
rbac.create Specifies whether RBAC resources should be created true
serviceAccount.create Specifies whether a service account should be created true
serviceAccount.annotations Annotations to add to the service account {}
serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template ""
podAnnotations Annotations to be applied to the Cryostat Pod {}
podSecurityContext Security Context for the Cryostat Pod. Defaults to meet "restricted" Pod Security Standard. See: PodSecurityContext {}
nodeSelector Node Selector for the Cryostat Pod. See: NodeSelector {}
tolerations Tolerations for the Cryostat Pod. See: Tolerations []
affinity Affinity for the Cryostat Pod. See: Affinity {}
pvc.enabled Specify whether to use persistentVolumeClaim or EmptyDir storage false
pvc.annotations Annotations to add to the persistentVolumeClaim {}
pvc.storage Storage size to request for the persistentVolumeClaim 500Mi
pvc.accessModes Access mode for the persistentVolumeClaim. See: Access Modes ["ReadWriteOnce"]
pvc.selector Selector for the persistentVolumeClaim. See: Selector {}
pvc.storageClassName The name of the StorageClass for the persistentVolumeClaim. See: Class undefined