Open andrewazores opened 5 months ago
Some more thoughts about the Agent injection/integration.
For point 1, packaging the Agent JAR version that corresponds to the Cryostat version which the Operator will deploy seems relatively simple. As discussed previously, the Operator can put this into some resource like a ConfigMap or Secret and mount it to the application Deployment.
If the Operator is already modifying the Deployment then it is trivial to add environment variables for configuring the Agent, to point it at the correct Cryostat instance, use the Pod IP for the callback URL, etc.
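As an added illustration of the ConfigMap-mount plus environment-variable approach described above (this is example code, not code from the cryostat-operator project), the following Go program mutates a Deployment's pod template so that the Agent JAR is mounted from a ConfigMap and the JVM picks it up through `JAVA_TOOL_OPTIONS`, with the callback URL built from the Pod IP via the Downward API. The volume name, mount path, JAR file name, callback port and the `CRYOSTAT_AGENT_*` variable names are assumptions for the example; the struct types are a hand-written subset of the Kubernetes Deployment schema using its real JSON field names. The function is idempotent (a reconcile loop will call it repeatedly) and appends to any `JAVA_TOOL_OPTIONS` the application already sets rather than overwriting it, which is the conflict the entry-point manipulation approach runs into.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Minimal subset of the Deployment schema with the real Kubernetes JSON field names.
type (
	ObjectFieldSelector struct{ FieldPath string `json:"fieldPath"` }
	EnvVarSource        struct{ FieldRef *ObjectFieldSelector `json:"fieldRef,omitempty"` }
	EnvVar              struct {
		Name      string        `json:"name"`
		Value     string        `json:"value,omitempty"`
		ValueFrom *EnvVarSource `json:"valueFrom,omitempty"`
	}
	VolumeMount struct {
		Name      string `json:"name"`
		MountPath string `json:"mountPath"`
		ReadOnly  bool   `json:"readOnly,omitempty"`
	}
	Container struct {
		Name         string        `json:"name"`
		Env          []EnvVar      `json:"env,omitempty"`
		VolumeMounts []VolumeMount `json:"volumeMounts,omitempty"`
	}
	ConfigMapSource struct{ Name string `json:"name"` }
	Volume          struct {
		Name      string           `json:"name"`
		ConfigMap *ConfigMapSource `json:"configMap,omitempty"`
	}
	PodSpec struct {
		Containers []Container `json:"containers"`
		Volumes    []Volume    `json:"volumes,omitempty"`
	}
	PodTemplate    struct{ Spec PodSpec `json:"spec"` }
	DeploymentSpec struct{ Template PodTemplate `json:"template"` }
	Deployment     struct{ Spec DeploymentSpec `json:"spec"` }
)

// Assumed names for this example; the operator's real values may differ.
const agentVolume, agentMount, agentJar, callbackPort = "cryostat-agent", "/opt/cryostat-agent", "cryostat-agent.jar", "9977"

// EnvValue returns the literal value of variable name in c ("" if absent or not literal).
func EnvValue(c *Container, name string) string {
	if i := slices.IndexFunc(c.Env, func(e EnvVar) bool { return e.Name == name }); i >= 0 {
		return c.Env[i].Value
	}
	return ""
}

// setEnv replaces a variable of the same name or appends a new one.
func setEnv(c *Container, v EnvVar) {
	if i := slices.IndexFunc(c.Env, func(e EnvVar) bool { return e.Name == v.Name }); i >= 0 {
		c.Env[i] = v
		return
	}
	c.Env = append(c.Env, v)
}

// appendJavaToolOption adds flag to JAVA_TOOL_OPTIONS without clobbering the application's own flags or adding it twice.
func appendJavaToolOption(c *Container, flag string) {
	cur := EnvValue(c, "JAVA_TOOL_OPTIONS")
	if slices.Contains(strings.Fields(cur), flag) {
		return
	}
	setEnv(c, EnvVar{Name: "JAVA_TOOL_OPTIONS", Value: strings.TrimSpace(cur + " " + flag)})
}

// InjectAgent mounts the Agent JAR from configMapName into every container and points the Agent at cryostatURL. A second call changes nothing.
func InjectAgent(d *Deployment, configMapName, cryostatURL string) {
	spec := &d.Spec.Template.Spec
	if !slices.ContainsFunc(spec.Volumes, func(v Volume) bool { return v.Name == agentVolume }) {
		spec.Volumes = append(spec.Volumes, Volume{Name: agentVolume, ConfigMap: &ConfigMapSource{Name: configMapName}})
	}
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if !slices.ContainsFunc(c.VolumeMounts, func(m VolumeMount) bool { return m.Name == agentVolume }) {
			c.VolumeMounts = append(c.VolumeMounts, VolumeMount{Name: agentVolume, MountPath: agentMount, ReadOnly: true})
		}
		setEnv(c, EnvVar{Name: "CRYOSTAT_AGENT_BASEURI", Value: cryostatURL})
		// Downward API: the kubelet fills in the Pod IP when the container starts.
		setEnv(c, EnvVar{Name: "CRYOSTAT_AGENT_POD_IP", ValueFrom: &EnvVarSource{FieldRef: &ObjectFieldSelector{FieldPath: "status.podIP"}}})
		// Kubernetes expands $(VAR) from a variable defined earlier in the same env list.
		setEnv(c, EnvVar{Name: "CRYOSTAT_AGENT_CALLBACK", Value: "http://$(CRYOSTAT_AGENT_POD_IP):" + callbackPort})
		appendJavaToolOption(c, "-javaagent:"+agentMount+"/"+agentJar)
	}
}

func main() {
	// Constructed input: one container that already sets a JVM flag of its own.
	d := &Deployment{}
	d.Spec.Template.Spec.Containers = []Container{{Name: "app", Env: []EnvVar{{Name: "JAVA_TOOL_OPTIONS", Value: "-Xmx512m"}}}}
	InjectAgent(d, "cryostat-agent-jar", "https://cryostat.example.svc:8181") // assumed ConfigMap name and URL
	out, _ := json.MarshalIndent(d, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints the mutated Deployment as JSON, which is the shape an operator would hand to a patch or update call. Because `JAVA_TOOL_OPTIONS` is read by the JVM itself, no entry point or base-image detection is needed; the trade-off is that it still requires a Pod restart, since environment variables and mounts are fixed at container creation.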
But how to actually attach the Agent to the application JVM? We have talked about trying to do some detection of the application's framework or base image and manipulating entry points, environment variables, etc. to add the -javaagent switch. This seems error-prone and conflict-prone.
We have also experimented with running an Attach Agent as a sidecar process and connecting to the main container, but this might be tricky to put together in practice and probably runs into a lot of security constraints.
What if we can do the equivalent of a `kubectl exec` on containers from within the Operator controller?
https://github.com/operator-framework/operator-sdk/issues/4302
https://github.com/zalando/postgres-operator/blob/master/pkg%2Fcluster%2Fexec.go#L18-L44
https://github.com/operator-framework/operator-sdk/issues/1561
If the Agent JAR is already available in the application container (via mounted ConfigMap), then there is an easy solution when combined with agent dynamic attach:
https://github.com/cryostatio/cryostat-agent/pull/234
Just exec the Agent process in PID autodetect mode.
If we can do an equivalent to `kubectl cp` to copy the Agent JAR from the Operator into the application container, instead of mounting a ConfigMap, then this can even be done without causing an application restart. Fully dynamic and online.
Describe the feature
There should be some defined annotation prefix (like `io.cryostat/`) and keys like `inject-agent`, `inject-tls-cert`. Users should be able to add these annotations to their applications (on the Deployment or Pod) within any Namespace associated with a Cryostat instance. When the Operator observes that an application has such an annotation, an integration feature should be enabled:

- `-javaagent` JVM flag as well as setting environment variables to point the Agent at the correct Cryostat instance

This way we can automate end-to-end TLS in both directions between Cryostats and their Agent instances, with the user doing as little work as possible to enable this security feature.
Tasks: