A Helm chart for deploying Cryostat on Kubernetes and OpenShift
Name | Description | Value |
---|---|---|
core |
Configuration for the core Cryostat application | |
core.image.repository |
Repository for the main Cryostat container image | quay.io/cryostat/cryostat |
core.image.pullPolicy |
Image pull policy for the main Cryostat container image | Always |
core.image.tag |
Tag for the main Cryostat container image | 4.0.0-snapshot |
core.service.type |
Type of Service to create for the Cryostat application | ClusterIP |
core.service.httpPort |
Port number to expose on the Service for Cryostat's HTTP server | 8181 |
core.sslProxied |
Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | false |
core.ingress.enabled |
Whether to create an Ingress object for the Cryostat service | false |
core.ingress.className |
Ingress class name for the Cryostat application Ingress | "" |
core.ingress.annotations |
Annotations to apply to the Cryostat application Ingress | {} |
core.ingress.hosts |
Hosts to create rules for in the Cryostat application Ingress. See: IngressSpec | [] |
core.ingress.tls |
TLS configuration for the Cryostat application Ingress. See: IngressSpec | [] |
core.route.enabled |
Whether to create a Route object for the Cryostat service. Available only on OpenShift | false |
core.route.tls.enabled |
Whether to secure the Cryostat application Route with TLS. See: TLSConfig | true |
core.route.tls.termination |
Type of TLS termination to use for the Cryostat application Route. One of: edge , passthrough , reencrypt |
edge |
core.route.tls.insecureEdgeTerminationPolicy |
Specify how to handle insecure traffic for the Cryostat application Route. One of: Allow , Disable , Redirect |
Redirect |
core.route.tls.key |
Custom private key to use when securing the Cryostat application Route | "" |
core.route.tls.certificate |
Custom certificate to use when securing the Cryostat application Route | "" |
core.route.tls.caCertificate |
Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | "" |
core.route.tls.destinationCACertificate |
Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | "" |
core.resources |
Resource requests/limits for the Cryostat container. See: ResourceRequirements | {} |
core.securityContext |
Security Context for the Cryostat container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
core.databaseSecretName |
Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | "" |
core.discovery |
Configuration options to the Cryostat application's target discovery mechanisms | |
core.discovery.kubernetes.enabled |
Enables Kubernetes API discovery mechanism | true |
core.discovery.kubernetes.installNamespaceDisabled |
When false and namespaces is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. {{ .Release.Namespace }} ) |
false |
core.discovery.kubernetes.namespaces |
List of namespaces whose workloads the Cryostat application should be permitted to access and profile | [] |
core.discovery.kubernetes.builtInPortNamesDisabled |
When false and portNames is empty, the Cryostat application will use the default port name jfr-jmx to look for JMX connectable targets. |
false |
core.discovery.kubernetes.portNames |
List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | [] |
core.discovery.kubernetes.builtInPortNumbersDisabled |
When false and portNumbers is empty, the Cryostat application will use the default port number 9091 to look for JMX connectable targets. |
false |
core.discovery.kubernetes.portNumbers |
List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | [] |
Name | Description | Value |
---|---|---|
db |
Configuration for Cryostat's database | |
db.image.repository |
Repository for the database container image | quay.io/cryostat/cryostat-db |
db.image.pullPolicy |
Image pull policy for the database container image | Always |
db.image.tag |
Tag for the database container image | latest |
db.resources |
Resource requests/limits for the database container. See: ResourceRequirements | {} |
db.securityContext |
Security Context for the database container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
Name | Description | Value |
---|---|---|
storage |
Configuration for Cryostat's object storage provider | |
storage.image.repository |
Repository for the storage container image | quay.io/cryostat/cryostat-storage |
storage.image.pullPolicy |
Image pull policy for the storage container image | Always |
storage.image.tag |
Tag for the storage container image | latest |
storage.resources |
Resource requests/limits for the storage container. See: ResourceRequirements | {} |
storage.securityContext |
Security Context for the storage container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
Name | Description | Value |
---|---|---|
grafana |
Configuration for the customized Grafana instance for Cryostat | |
grafana.image.repository |
Repository for the Grafana container image | quay.io/cryostat/cryostat-grafana-dashboard |
grafana.image.pullPolicy |
Image pull policy for the Grafana container image | Always |
grafana.image.tag |
Tag for the Grafana container image | latest |
grafana.service.type |
Type of Service to create for Grafana | ClusterIP |
grafana.service.port |
Port number to expose on the Service for Grafana's HTTP server | 3000 |
grafana.resources |
Resource requests/limits for the Grafana container. See: ResourceRequirements | {} |
grafana.securityContext |
Security Context for the Grafana container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
Name | Description | Value |
---|---|---|
datasource |
Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | |
datasource.image.repository |
Repository for the JFR Data Source container image | quay.io/cryostat/jfr-datasource |
datasource.image.pullPolicy |
Image pull policy for the JFR Data Source container image | Always |
datasource.image.tag |
Tag for the JFR Data Source container image | latest |
datasource.resources |
Resource requests/limits for the JFR Data Source container. See: ResourceRequirements | {} |
datasource.securityContext |
Security Context for the JFR Data Source container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
Name | Description | Value |
---|---|---|
authentication.openshift.enabled |
Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | false |
authentication.openshift.clusterRole.name |
The name of the ClusterRole to bind for the OpenShift OAuth Proxy | system:auth-delegator |
authentication.basicAuth.enabled |
Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | false |
authentication.basicAuth.secretName |
Name of the Secret that contains the credentials within Cryostat's namespace (Required if basicAuth is enabled) | "" |
authentication.basicAuth.filename |
Key within Secret containing the htpasswd file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the bcrypt hash of the desired password. Such an entry can be generated with ex. htpasswd -nbB username password (Required if basicAuth is enabled) |
"" |
Name | Description | Value |
---|---|---|
oauth2Proxy.image.repository |
Repository for the OAuth2 Proxy container image | quay.io/oauth2-proxy/oauth2-proxy |
oauth2Proxy.image.pullPolicy |
Image pull policy for the OAuth2 Proxy container image | Always |
oauth2Proxy.image.tag |
Tag for the OAuth2 Proxy container image | latest |
oauth2Proxy.securityContext |
Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext. If the chart is installed in default namespaces (e.g. default), securityContext.runAsUser must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See Understanding and Managing Pod Security Admission. |
{} |
Name | Description | Value |
---|---|---|
openshiftOauthProxy.image.repository |
Repository for the OpenShift OAuth Proxy container image | quay.io/cryostat/openshift-oauth-proxy |
openshiftOauthProxy.image.pullPolicy |
Image pull policy for the OpenShift OAuth Proxy container image | Always |
openshiftOauthProxy.image.tag |
Tag for the OpenShift OAuth Proxy container image | cryostat-v3.0 |
openshiftOauthProxy.accessReview.enabled |
Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | true |
openshiftOauthProxy.accessReview.group |
The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | "" |
openshiftOauthProxy.accessReview.resource |
The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | pods |
openshiftOauthProxy.accessReview.subresource |
The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | exec |
openshiftOauthProxy.accessReview.name |
The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | "" |
openshiftOauthProxy.accessReview.namespace |
The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | {{ .Release.Namespace }} |
openshiftOauthProxy.accessReview.verb |
The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | create |
openshiftOauthProxy.accessReview.version |
The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | "" |
openshiftOauthProxy.securityContext |
Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
Name | Description | Value |
---|---|---|
imagePullSecrets |
Image pull secrets to be used for the Cryostat deployment | [] |
nameOverride |
Overrides the name of this Chart | "" |
fullnameOverride |
Overrides the fully qualified application name of [release name]-[chart name] |
"" |
rbac.create |
Specifies whether RBAC resources should be created | true |
serviceAccount.create |
Specifies whether a service account should be created | true |
serviceAccount.annotations |
Annotations to add to the service account | {} |
serviceAccount.name |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
podAnnotations |
Annotations to be applied to the Cryostat Pod | {} |
podSecurityContext |
Security Context for the Cryostat Pod. Defaults to meet "restricted" Pod Security Standard. See: PodSecurityContext | {} |
nodeSelector |
Node Selector for the Cryostat Pod. See: NodeSelector | {} |
tolerations |
Tolerations for the Cryostat Pod. See: Tolerations | [] |
affinity |
Affinity for the Cryostat Pod. See: Affinity | {} |
pvc.enabled |
Specify whether to use persistentVolumeClaim or EmptyDir storage | false |
pvc.annotations |
Annotations to add to the persistentVolumeClaim | {} |
pvc.storage |
Storage size to request for the persistentVolumeClaim | 500Mi |
pvc.accessModes |
Access mode for the persistentVolumeClaim. See: Access Modes | ["ReadWriteOnce"] |
pvc.selector |
Selector for the persistentVolumeClaim. See: Selector | {} |
pvc.storageClassName |
The name of the StorageClass for the persistentVolumeClaim. See: Class | undefined |