From b91e9bd3c3e0958725290eaf06c5271bb3096ef1 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 13:11:19 -0500 Subject: [PATCH] feat(reports): add auth proxy protecting report generators (#206) --- charts/cryostat/README.md | 42 +++++---- charts/cryostat/templates/_helpers.tpl | 20 +++- .../templates/_openshiftOauthProxy.tpl | 2 +- .../cryostat/templates/_reports_authproxy.tpl | 92 +++++++++++++++++++ .../templates/cryostat_deployment.yaml | 13 ++- .../templates/reports_deployment.yaml | 13 +++ charts/cryostat/templates/reports_secret.yaml | 13 +++ .../cryostat/templates/reports_service.yaml | 4 +- .../tests/cryostat_deployment_test.yaml | 14 ++- .../tests/reports_deployment_test.yaml | 34 +++++++ .../cryostat/tests/reports_secret_test.yaml | 40 ++++++++ .../cryostat/tests/reports_service_test.yaml | 78 ++++++++++++++++ charts/cryostat/values.schema.json | 20 ++++ charts/cryostat/values.yaml | 8 +- 14 files changed, 366 insertions(+), 27 deletions(-) create mode 100644 charts/cryostat/templates/_reports_authproxy.tpl create mode 100644 charts/cryostat/templates/reports_secret.yaml create mode 100644 charts/cryostat/tests/reports_secret_test.yaml create mode 100644 charts/cryostat/tests/reports_service_test.yaml diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 25768c14..62349214 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -87,18 +87,20 @@ helm install cryostat ./charts/cryostat ### Report Generator Deployment -| Name | Description | Value | -| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `reports` | Configuration for the Reports Generator deployment | | -| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | -| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | -| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | -| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | -| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | -| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | -| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | -| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | -| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `reports` | Configuration for the Reports Generator deployment | | +| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | +| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | +| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | +| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | +| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | +| `reports.reportsSecretName` | Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. 
More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `reports.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | +| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | +| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | +| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | +| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Database Container 
@@ -169,14 +171,14 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. 
default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 5a37a96c..518e294c 100644 --- a/charts/cryostat/templates/_helpers.tpl 
+++ b/charts/cryostat/templates/_helpers.tpl @@ -116,6 +116,24 @@ Get or generate a default secret key for object storage. {{- end -}} {{- end -}} +{{/* +Get or generate a default secret password key for report generators. +*/}} +{{- define "cryostat.reportsPassSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-reports-secret" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate. +*/}} +{{- $secret.data.REPORTS_PASS -}} +{{- else -}} +{{/* + Generate new secret +*/}} +{{- (randAlphaNum 32) -}} +{{- end -}} +{{- end -}} + {{/* Get or generate a default secret key for auth proxy cookies. */}} @@ -130,7 +148,7 @@ Get or generate a default secret key for auth proxy cookies. {{/* Generate new secret */}} -{{- (randAlphaNum 32) | b64enc | quote -}} +{{- (randAlphaNum 32) | b64enc -}} {{- end -}} {{- end -}} diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 576d1d9c..a4d703dc 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl @@ -20,7 +20,7 @@ Create OpenShift OAuth Proxy container. - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ - - --cookie-secret="$(COOKIE_SECRET)" + - --cookie-secret=$(COOKIE_SECRET) - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true - --http-address=0.0.0.0:4180 diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl new file mode 100644 index 00000000..41840778 --- /dev/null +++ b/charts/cryostat/templates/_reports_authproxy.tpl 
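Review bot: The existing-secret branch of `cryostat.reportsPassSecretKey` returns `$secret.data.REPORTS_PASS` as `lookup` delivers it, i.e. base64-encoded, while the generate branch returns the raw `randAlphaNum 32` string, and reports_secret.yaml pipes the result through `b64enc` and `htpasswd` either way. On every upgrade against a cluster where the Secret already exists (a path `helm template` and the unit tests never exercise, since `lookup` returns nothing there) REPORTS_PASS becomes the base64 of its previous value and the htpasswd hash is recomputed over that string, so the credential drifts on each upgrade even though the README says it must not change. Decode it in that branch: `{{- $secret.data.REPORTS_PASS | b64dec -}}`. The cookie-secret helper in the next hunk looks consistent (its generate branch already yields base64 and the template appears to consume it as such), so it is not affected.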
@@ -0,0 +1,92 @@ +{{- define "cryostat.reportsAuthProxy" -}} +{{- if (.Values.authentication.openshift).enabled }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }} + image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}" + env: + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + args: + - --pass-access-token=false + - --pass-user-bearer-token=false + - --pass-basic-auth=false + - --htpasswd-file=/etc/oauth2_proxy/basicauth/htpasswd + - --upstream=http://localhost:10001/ + - --cookie-secret=$(COOKIE_SECRET) + - --request-logging=true + - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} + - --proxy-websockets=true + - --http-address=0.0.0.0:4180 + - --https-address=:8443 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --proxy-prefix=/oauth2 + - --bypass-auth-for=^/health$ + imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }} + ports: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.openshiftOauthProxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-proxy-tls + mountPath: /etc/tls/private + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File +{{- else }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: 
+ - name: OAUTH2_PROXY_CLIENT_ID + value: dummy + - name: OAUTH2_PROXY_CLIENT_SECRET + value: none + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: 0.0.0.0:4180 + - name: OAUTH2_PROXY_UPSTREAMS + value: http://localhost:10001/ + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/htpasswd + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health$" + - name: OAUTH2_PROXY_PROXY_WEBSOCKETS + value: "false" + ports: + - containerPort: 4180 + name: http + protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true +{{- end }} +{{- end}} diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index e9a9fd6a..cb0fbcaa 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml 
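Review bot: Both branches forward to `http://localhost:10001/`, but nothing here prevents traffic from reaching the report generator on port 10001 directly: the Service is re-pointed at the proxy in reports_service.yaml, yet the reports container still publishes `containerPort: 10001` and, as far as the chart shows, listens on all interfaces, so any pod that can reach the Pod IP bypasses the htpasswd check. Consider binding the generator to loopback (a `QUARKUS_HTTP_HOST` entry on the reports container, provided its probes do not depend on the pod IP) or shipping a NetworkPolicy that only admits the proxy port. In the OpenShift branch the plaintext `--http-address=0.0.0.0:4180` listener also stays open beside the TLS listener the Service targets; if it is only needed for the `^/health$` bypass, say so in a comment, otherwise narrow it to loopback.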
@@ -63,8 +63,19 @@ spec: - name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT value: no-file {{- if gt (int (.Values.reports).replicas) 0 }} + - name: REPORTS_PASS_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }} + key: REPORTS_PASS + optional: false + # TODO TLS trust + - name: QUARKUS_TLS_TRUST_ALL + value: "true" + - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST + value: "false" - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "http://%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index 81507d0b..05c846dc 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -34,6 +34,7 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: + {{- include "cryostat.reportsAuthProxy" . | nindent 8 }} - name: {{ printf "%s-%s" .Chart.Name "reports" }} securityContext: {{- toYaml (.Values.reports).securityContext | nindent 12 }} @@ -42,6 +43,8 @@ spec: env: - name: QUARKUS_HTTP_PORT value: "{{ .Values.reports.service.httpPort }}" + - name: QUARKUS_LOG_LEVEL + value: {{ .Values.reports.debug.log.level }} ports: - containerPort: {{ .Values.reports.service.httpPort }} protocol: TCP 
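Review bot: `QUARKUS_TLS_TRUST_ALL=true` together with `QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST=false` disables certificate and hostname verification for the Cryostat-to-reports client, so the HTTPS added for the OpenShift case authenticates nobody: whatever answers on `<release>-reports.<ns>.svc:10001` receives the `cryostat:$(REPORTS_PASS_SECRET_KEY)` basic-auth credential embedded in `QUARKUS_REST_CLIENT_REPORTS_URL`. The `# TODO TLS trust` comment acknowledges this; before release, trust the issuer of the `-proxy-tls` serving certificate instead (on OpenShift presumably the service CA bundle — confirm), mount it into the Cryostat container, point the REST client's trust store at it, and drop the two overrides. Putting the password in the URL also means it lands wherever the client logs or reports its base URL; if the reports client supports configuring basic auth separately from the URL, prefer that. The two overrides are emitted on the plain-HTTP path as well, where they serve no purpose; gating them on the same `ternary` condition as the scheme keeps the non-TLS deployment free of misleading settings.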
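Review bot: `value: {{ .Values.reports.debug.log.level }}` in the second reports_deployment.yaml hunk is rendered unquoted, so a level that the YAML 1.1 parser used by Helm and kubectl resolves to a non-string — notably `OFF`, which Quarkus accepts as a level name — becomes a boolean and the Deployment is rejected because `env[].value` must be a string. Quote it, `value: {{ .Values.reports.debug.log.level | quote }}`, matching the quoted `QUARKUS_HTTP_PORT` value just above. The values.schema.json hunk could additionally constrain `reports.debug.log.level` with an `enum` of the accepted names so a typo fails at install time rather than at container start.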
@@ -71,4 +74,14 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + - name: {{ .Release.Name }}-reports-secret + secret: + defaultMode: 0440 + secretName: {{ .Release.Name }}-reports-secret + {{- if (.Values.authentication.openshift).enabled }} + - name: {{ .Release.Name }}-proxy-tls + secret: + secretName: {{ .Release.Name }}-proxy-tls + {{- end }} {{- end -}} diff --git a/charts/cryostat/templates/reports_secret.yaml b/charts/cryostat/templates/reports_secret.yaml new file mode 100644 index 00000000..988de13c --- /dev/null +++ b/charts/cryostat/templates/reports_secret.yaml @@ -0,0 +1,13 @@ +{{- if empty .Values.reports.reportsSecretName -}} +{{- $secretKey := include "cryostat.reportsPassSecretKey" . -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-reports-secret + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +data: + REPORTS_PASS: {{ $secretKey | b64enc }} + htpasswd: {{ htpasswd "cryostat" $secretKey | b64enc }} +{{- end -}} diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index 42358270..5ebb9be3 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml @@ -1,6 +1,5 @@ -{{- $fullName := include "cryostat.fullname" . -}} ---- {{- if gt (int (.Values.reports).replicas) 0 -}} +{{- $fullName := include "cryostat.fullname" . -}} apiVersion: v1 kind: Service metadata: @@ -12,6 +11,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} + targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }} selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} app.kubernetes.io/component: reports diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index d47607e0..0548fc79 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml 
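Review bot: `secretName: {{ .Release.Name }}-reports-secret` in the new `volumes:` block is hard-coded, while cryostat_deployment.yaml reads the password from `default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName` and reports_secret.yaml stops rendering as soon as `reports.reportsSecretName` is set. With a custom name the reports Pod therefore mounts a Secret that does not exist and never leaves ContainerCreating, while the Cryostat side starts with the user's credential. Use the same expression here, `secretName: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }}` (the volume `name` referenced by `_reports_authproxy.tpl` can stay as is). A user-supplied Secret also needs an `htpasswd` key in the form the proxy reads from `/etc/oauth2_proxy/basicauth/htpasswd`, and that requirement belongs in the `reportsSecretName` description in README, values.yaml and the schema, which currently mention only `REPORTS_PASS`.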
+++ b/charts/cryostat/tests/cryostat_deployment_test.yaml @@ -199,7 +199,19 @@ tests: asserts: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value - value: http://RELEASE-NAME-cryostat-reports:10001 + value: http://cryostat:$(REPORTS_PASS_SECRET_KEY)@RELEASE-NAME-cryostat-reports.NAMESPACE.svc:10001 + + - it: should set environment variable if sidecar report generator is enabled in OpenShift with HTTPS + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value + value: https://cryostat:$(REPORTS_PASS_SECRET_KEY)@RELEASE-NAME-cryostat-reports.NAMESPACE.svc:10001 - it: should set oauth2proxy resource overrides set: diff --git a/charts/cryostat/tests/reports_deployment_test.yaml b/charts/cryostat/tests/reports_deployment_test.yaml index b5ca35a1..28ebff67 100644 --- a/charts/cryostat/tests/reports_deployment_test.yaml +++ b/charts/cryostat/tests/reports_deployment_test.yaml @@ -64,6 +64,17 @@ tests: reports: replicas: 1 asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].image + value: "quay.io/oauth2-proxy/oauth2-proxy:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].ports + value: + - containerPort: 4180 + name: http + protocol: TCP - exists: path: spec.template.spec.containers[?(@.name=='cryostat-reports')] - equal: 
@@ -73,6 +84,29 @@ tests: path: spec.template.spec.containers[?(@.name=='cryostat-reports')].env[?(@.name=='QUARKUS_HTTP_PORT')].value value: "10001" + - it: should validate authproxy settings when deployed in OpenShift + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].image + value: "quay.io/cryostat/openshift-oauth-proxy:cryostat-v3.0" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].ports + value: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + - it: should apply Kubernetes specific settings when configured set: reports: diff --git a/charts/cryostat/tests/reports_secret_test.yaml b/charts/cryostat/tests/reports_secret_test.yaml new file mode 100644 index 00000000..f839801d --- /dev/null +++ b/charts/cryostat/tests/reports_secret_test.yaml @@ -0,0 +1,40 @@ +suite: test reports_secret.yaml +templates: + - reports_secret.yaml + +tests: + - it: should create a reports secret if core.reportsSecretName is not set + set: + core.reportsSecretName: "" + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Secret + - equal: + path: metadata.name + value: RELEASE-NAME-reports-secret + - equal: + path: type + value: Opaque + - exists: + path: data.htpasswd + - exists: + path: data.REPORTS_PASS + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev + + - it: should not create a database secret if reports.reportsSecretName is set + set: + reports.reportsSecretName: "custom-reports-secret" + asserts: + - hasDocuments: + count: 0 
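Review bot: The first case in reports_secret_test.yaml sets `core.reportsSecretName: ""`, which is not a key this template reads — the value is `reports.reportsSecretName` — so the test passes only because the chart default is already empty and would not catch a regression of that default. Change it to `reports.reportsSecretName: ""` and fix the second case's description, `it: should not create a reports secret if reports.reportsSecretName is set`, which still says "database secret". These unit tests cannot exercise the `lookup` branch of `cryostat.reportsPassSecretKey`, so an install-then-upgrade check against a live cluster is the only place the secret-preservation guarantee documented in README gets verified.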
diff --git a/charts/cryostat/tests/reports_service_test.yaml b/charts/cryostat/tests/reports_service_test.yaml new file mode 100644 index 00000000..3e27a30b --- /dev/null +++ b/charts/cryostat/tests/reports_service_test.yaml @@ -0,0 +1,78 @@ +suite: test reports_service.yaml +templates: + - reports_service.yaml + +tests: + - it: should do nothing if report generators are not desired + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service targeting the Pod http port + set: + reports: + replicas: 1 + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-reports + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 10001 + - equal: + path: spec.ports[0].targetPort + value: http + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: reports + + - it: should create a Service targeting the Pod https port when deployed in OpenShift + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-reports + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 10001 + - equal: + path: spec.ports[0].targetPort + value: https + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: reports 
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 0521c888..88c3baf7 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -299,6 +299,11 @@ } } }, + "reportsSecretName": { + "type": "string", + "description": "Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable", + "default": "" + }, "securityContext": { "type": "object", "properties": { @@ -324,6 +329,21 @@ } } }, + "debug": { + "type": "object", + "properties": { + "log": { + "type": "object", + "properties": { + "level": { + "type": "string", + "description": "Log level for troubleshooting and debugging", + "default": "INFO" + } + } + } + } + }, "replicas": { "type": "number", "description": "Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own.", diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 4b35637f..79fdd4d1 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -101,6 +101,12 @@ reports: type: ClusterIP ## @param reports.service.httpPort Port number to expose on the Service for the Report Generator Deployment httpPort: 10001 + ## @param reports.reportsSecretName Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable + reportsSecretName: "" + debug: + log: + ## @param reports.debug.log.level Log level for troubleshooting and debugging + level: INFO ## @param reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. replicas: 0 resources: 
@@ -273,7 +279,7 @@ oauth2Proxy: cpu: 25m ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container. memory: 64Mi - ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). + ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). securityContext: ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false