From 03dadd219ecc7968a11740936ec0e304dccc2cdb Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 26 Nov 2024 15:01:43 -0500 Subject: [PATCH] feat(discovery): implement All Namespaces discovery --- charts/cryostat/README.md | 7 +-- .../templates/cryostat_deployment.yaml | 7 +++ .../templates/discovery_clusterrole.yaml | 46 +++++++++++++++++++ .../discovery_clusterrolebinding.yaml | 16 +++++++ charts/cryostat/values.schema.json | 11 +++-- charts/cryostat/values.yaml | 8 ++-- 6 files changed, 86 insertions(+), 9 deletions(-) create mode 100644 charts/cryostat/templates/discovery_clusterrole.yaml create mode 100644 charts/cryostat/templates/discovery_clusterrolebinding.yaml diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 6234921..d378f49 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -79,11 +79,12 @@ helm install cryostat ./charts/cryostat | `core.discovery` | Configuration options to the Cryostat application's target discovery mechanisms | | | `core.discovery.kubernetes.enabled` | Enables Kubernetes API discovery mechanism | `true` | | `core.discovery.kubernetes.installNamespaceDisabled` | When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` | -| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile | `[]` | +| `core.discovery.kubernetes.allNamespaces` | When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. | `false` | +| `core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile. | `[]` | | `core.discovery.kubernetes.builtInPortNamesDisabled` | When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. | `false` | -| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` | | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` | -| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` | +| `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable. | `[]` | ### Report Generator Deployment diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index cb0fbca..958d94e 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -118,9 +118,16 @@ spec: {{- if .Values.core.discovery.kubernetes.enabled }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED value: "true" + {{- if .Values.core.discovery.kubernetes.allNamespaces }} + - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES + value: '*' + {{- else }} {{- with .Values.core.discovery.kubernetes }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }} + {{- end }} + {{- end }} + {{- with .Values.core.discovery.kubernetes }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }} - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS diff --git a/charts/cryostat/templates/discovery_clusterrole.yaml b/charts/cryostat/templates/discovery_clusterrole.yaml new file mode 100644 index 0000000..1f3b782 --- /dev/null +++ b/charts/cryostat/templates/discovery_clusterrole.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allNamespaces -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cryostat.fullname" . }}-discovery + labels: + {{- include "cryostat.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + - replicationcontrollers + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list +{{- end -}} diff --git a/charts/cryostat/templates/discovery_clusterrolebinding.yaml b/charts/cryostat/templates/discovery_clusterrolebinding.yaml new file mode 100644 index 0000000..4734965 --- /dev/null +++ b/charts/cryostat/templates/discovery_clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allNamespaces -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cryostat.fullname" . }}-discovery + labels: + {{- include "cryostat.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cryostat.fullname" . }}-discovery +subjects: +- kind: ServiceAccount + name: {{ include "cryostat.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 88c3baf..ed020b8 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -227,9 +227,14 @@ "description": "When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)", "default": false }, + "allNamespaces": { + "type": "boolean", + "description": "When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true.", + "default": false + }, "namespaces": { "type": "array", - "description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile", + "description": "List of namespaces whose workloads the Cryostat application should be permitted to access and profile.", "default": [], "items": {} }, @@ -240,7 +245,7 @@ }, "portNames": { "type": "array", - "description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable", + "description": "List of port names that the Cryostat application should look for in order to consider a target as JMX connectable.", "default": [], "items": {} }, @@ -251,7 +256,7 @@ }, "portNumbers": { "type": "array", - "description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable", + "description": "List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable.", "default": [], "items": {} } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 79fdd4d..69c86df 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -75,15 +75,17 @@ core: enabled: true ## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`) installNamespaceDisabled: false - ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile + ## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. + allNamespaces: false + ## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile. namespaces: [] ## @param core.discovery.kubernetes.builtInPortNamesDisabled When false and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets. builtInPortNamesDisabled: false - ## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable + ## @param core.discovery.kubernetes.portNames [array] List of port names that the Cryostat application should look for in order to consider a target as JMX connectable. portNames: [] ## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. builtInPortNumbersDisabled: false - ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable + ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable. portNumbers: [] ## @section Report Generator Deployment