feat(discovery): allow configurations for discovery service (#474)

* feat(discovery): allow configuring discovery mechanism * feat(secrets): add secret for JMX credential database * test(discovery): update tests * docs(discovery): update config docs * docs(discovery): add doc links * fix(discovery): fix env var definitions * fix(apis): update spec comments * docs(discovery): update docs * chore(discovery): clean up func calls * feat(discovery): set JDBC user/password env vars * feat(discovery): password for credentials database is configurable * fix(secrets): only access needed entry in secret * feat(discovery): database secret is optional * docs(discovery): update docs * fix(resources): update default database credentials * docs(discovery): fix typos * fix(discovery): do not delete default database secret * tests(secrets): fix failed tests * chore(discovery): use boolean literals * build(deps): go mod tidy Co-authored-by: Elliott Baron <ebaron@redhat.com>
cryostatio · Oct 14, 2022 · 57457ba · 57457ba
1 parent 8545a26
commit 57457ba
Show file tree

Hide file tree

Showing 12 changed files with 534 additions and 50 deletions.
diff --git a/api/v1beta1/cryostat_types.go b/api/v1beta1/cryostat_types.go
@@ -102,6 +102,14 @@ type CryostatSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	SchedulingOptions *SchedulingConfiguration `json:"schedulingOptions,omitempty"`
+	// Options to configure the Cryostat application's target discovery mechanisms.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	TargetDiscoveryOptions *TargetDiscoveryOptions `json:"targetDiscoveryOptions,omitempty"`
+	// Options to configure the Cryostat application's JMX credentials database.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	JmxCredentialsDatabaseOptions *JmxCredentialsDatabaseOptions `json:"jmxCredentialsDatabaseOptions,omitempty"`
 }
 
 type ResourceConfigList struct {
@@ -503,3 +511,19 @@ type ReportsSecurityOptions struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	ReportsSecurityContext *corev1.SecurityContext `json:"reportsSecurityContext,omitempty"`
 }
+
+// TargetDiscoveryOptions provides configuration options to the Cryostat application's target discovery mechanisms.
+type TargetDiscoveryOptions struct {
+	// When true, the Cryostat application will disable the built-in discovery mechanisms. Defaults to false
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Disable Built-in Discovery",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
+	BuiltInDiscoveryDisabled bool `json:"builtInDiscoveryDisabled,omitempty"`
+}
+
+// JmxCredentialsDatabaseOptions provides configuration options to the Cryostat application's JMX credentials database.
+type JmxCredentialsDatabaseOptions struct {
+	// Name of the secret containing the password to encrypt JMX credentials database.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
+	DatabaseSecretName *string `json:"databaseSecretName,omitempty"`
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -139,6 +139,16 @@ spec:
         path: jmxCacheOptions.targetCacheTTL
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
+      - description: Options to configure the Cryostat application's JMX credentials
+          database.
+        displayName: Jmx Credentials Database Options
+        path: jmxCredentialsDatabaseOptions
+      - description: Name of the secret containing the password to encrypt JMX credentials
+          database.
+        displayName: Database Secret Name
+        path: jmxCredentialsDatabaseOptions.databaseSecretName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       - description: The maximum number of WebSocket client connections allowed (minimum
           1, default unlimited).
         displayName: Max WebSocket Connections
@@ -380,6 +390,16 @@ spec:
           has created the PVC, changes to this field have no effect.
         displayName: Spec
         path: storageOptions.pvc.spec
+      - description: Options to configure the Cryostat application's target discovery
+          mechanisms.
+        displayName: Target Discovery Options
+        path: targetDiscoveryOptions
+      - description: When true, the Cryostat application will disable the built-in
+          discovery mechanisms. Defaults to false
+        displayName: Disable Built-in Discovery
+        path: targetDiscoveryOptions.builtInDiscoveryDisabled
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: List of TLS certificates to trust when connecting to targets.
         displayName: Trusted TLS Certificates
         path: trustedCertSecrets

diff --git a/bundle/manifests/operator.cryostat.io_cryostats.yaml b/bundle/manifests/operator.cryostat.io_cryostats.yaml
@@ -105,6 +105,15 @@ spec:
                     minimum: 1
                     type: integer
                 type: object
+              jmxCredentialsDatabaseOptions:
+                description: Options to configure the Cryostat application's JMX credentials
+                  database.
+                properties:
+                  databaseSecretName:
+                    description: Name of the secret containing the password to encrypt
+                      JMX credentials database.
+                    type: string
+                type: object
               maxWsConnections:
                 description: The maximum number of WebSocket client connections allowed
                   (minimum 1, default unlimited).
@@ -4372,6 +4381,15 @@ spec:
                         type: object
                     type: object
                 type: object
+              targetDiscoveryOptions:
+                description: Options to configure the Cryostat application's target
+                  discovery mechanisms.
+                properties:
+                  builtInDiscoveryDisabled:
+                    description: When true, the Cryostat application will disable
+                      the built-in discovery mechanisms. Defaults to false
+                    type: boolean
+                type: object
               trustedCertSecrets:
                 description: List of TLS certificates to trust when connecting to
                   targets.

diff --git a/config/crd/bases/operator.cryostat.io_cryostats.yaml b/config/crd/bases/operator.cryostat.io_cryostats.yaml
@@ -106,6 +106,15 @@ spec:
                     minimum: 1
                     type: integer
                 type: object
+              jmxCredentialsDatabaseOptions:
+                description: Options to configure the Cryostat application's JMX credentials
+                  database.
+                properties:
+                  databaseSecretName:
+                    description: Name of the secret containing the password to encrypt
+                      JMX credentials database.
+                    type: string
+                type: object
               maxWsConnections:
                 description: The maximum number of WebSocket client connections allowed
                   (minimum 1, default unlimited).
@@ -4373,6 +4382,15 @@ spec:
                         type: object
                     type: object
                 type: object
+              targetDiscoveryOptions:
+                description: Options to configure the Cryostat application's target
+                  discovery mechanisms.
+                properties:
+                  builtInDiscoveryDisabled:
+                    description: When true, the Cryostat application will disable
+                      the built-in discovery mechanisms. Defaults to false
+                    type: boolean
+                type: object
               trustedCertSecrets:
                 description: List of TLS certificates to trust when connecting to
                   targets.

diff --git a/config/manifests/bases/cryostat-operator.clusterserviceversion.yaml b/config/manifests/bases/cryostat-operator.clusterserviceversion.yaml
@@ -127,6 +127,16 @@ spec:
         path: jmxCacheOptions.targetCacheTTL
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
+      - description: Options to configure the Cryostat application's JMX credentials
+          database.
+        displayName: Jmx Credentials Database Options
+        path: jmxCredentialsDatabaseOptions
+      - description: Name of the secret containing the password to encrypt JMX credentials
+          database.
+        displayName: Database Secret Name
+        path: jmxCredentialsDatabaseOptions.databaseSecretName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       - description: The maximum number of WebSocket client connections allowed (minimum
           1, default unlimited).
         displayName: Max WebSocket Connections
@@ -368,6 +378,16 @@ spec:
           has created the PVC, changes to this field have no effect.
         displayName: Spec
         path: storageOptions.pvc.spec
+      - description: Options to configure the Cryostat application's target discovery
+          mechanisms.
+        displayName: Target Discovery Options
+        path: targetDiscoveryOptions
+      - description: When true, the Cryostat application will disable the built-in
+          discovery mechanisms. Defaults to false
+        displayName: Disable Built-in Discovery
+        path: targetDiscoveryOptions.builtInDiscoveryDisabled
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: List of TLS certificates to trust when connecting to targets.
         displayName: Trusted TLS Certificates
         path: trustedCertSecrets

diff --git a/docs/config.md b/docs/config.md
@@ -269,6 +269,34 @@ spec:
     targetCacheTTL: 10
 ```
 
+### JMX Credentials Database
+
+The Cryostat application must be provided with a password to encrypt saved JMX credentials in database. The user can specify a secret containing the password entry with key `CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD`. The Cryostat application will use this password to encrypt saved JMX credentials in database.
+
+For example:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: credentials-database-secret
+type: Opaque
+stringData:
+  CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD: a-very-good-password
+```
+
+Then, the property `.spec.jmxCredentialsDatabaseOptions.databaseSecretName` must be set to use this secret for password.
+
+```yaml
+apiVersion: operator.cryostat.io/v1beta1
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  jmxCredentialsDatabaseOptions:
+    databaseSecretName: credentials-database-secret
+```
+
+**Note**: If the secret is not provided, a default one is generated for this purpose. However, switching between using provided and generated secret is not allowed to avoid password mismatch that causes the Cryostat application's failure to access the credentials database.
 
 ### Authorization Properties
 
@@ -293,7 +321,7 @@ If custom mapping is specified, a ClusterRole must be defined and should contain
 
 **Note**: Using [`Secret`](https://kubernetes.io/docs/concepts/configuration/secret/) in mapping can fail with access denied under [security protection](https://kubernetes.io/docs/concepts/configuration/secret/#information-security-for-secrets) against escalations. Find more details about this issue [here](https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth).
 
-The property `.spec.authProperties` can then be set to configure Cryostat to use this mapping instead of the default ones.
+The property `spec.authProperties` can then be set to configure Cryostat to use this mapping instead of the default ones.
 ```yaml
 apiVersion: operator.cryostat.io/v1beta1
 kind: Cryostat
@@ -436,3 +464,17 @@ spec:
         value: ok
         effect: NoExecute
 ```
+
+### Target Discovery Options
+
+If you wish to use only Cryostat's [Discovery Plugin API](https://github.com/cryostatio/cryostat/blob/801779d5ddf7fa30f7b230f649220a852b06f27d/docs/DISCOVERY_PLUGINS.md), set the property `spec.targetDiscoveryOptions.builtInDiscoveryDisabled` to `true` to disable Cryostat's built-in discovery mechanisms.
+
+```yaml
+apiVersion: operator.cryostat.io/v1beta1
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  targetDiscoveryOptions:
+    builtInDiscoveryDisabled: true
+```
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.18
 
 require (
 	github.com/go-logr/logr v1.2.0
+	github.com/google/go-cmp v0.5.6
 	github.com/jetstack/cert-manager v1.7.1
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.18.1
@@ -41,7 +42,6 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect

diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go
@@ -741,6 +741,54 @@ func NewCoreContainer(cr *operatorv1beta1.Cryostat, specs *ServiceSpecs, imageTa
 		}
 	}
 
+	disableBuiltInDiscovery := cr.Spec.TargetDiscoveryOptions != nil && cr.Spec.TargetDiscoveryOptions.BuiltInDiscoveryDisabled
+	if disableBuiltInDiscovery {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "CRYOSTAT_DISABLE_BUILTIN_DISCOVERY",
+			Value: "true",
+		})
+	}
+
+	if !useEmptyDir(cr) {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_URL",
+			Value: "jdbc:h2:file:/opt/cryostat.d/conf.d/h2;INIT=create domain if not exists jsonb as varchar",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_HBM2DDL",
+			Value: "update",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_DRIVER",
+			Value: "org.h2.Driver",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_HIBERNATE_DIALECT",
+			Value: "org.hibernate.dialect.H2Dialect",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_USERNAME",
+			Value: cr.Name,
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_PASSWORD",
+			Value: cr.Name,
+		})
+	}
+
+	secretOptional := false
+	secretName := cr.Name + "-jmx-credentials-db"
+	if cr.Spec.JmxCredentialsDatabaseOptions != nil && cr.Spec.JmxCredentialsDatabaseOptions.DatabaseSecretName != nil {
+		secretName = *cr.Spec.JmxCredentialsDatabaseOptions.DatabaseSecretName
+	}
+	envs = append(envs, corev1.EnvVar{
+		Name: "CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD",
+		ValueFrom: &corev1.EnvVarSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: secretName,
+				},
+				Key:      "CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD",
+				Optional: &secretOptional,
+			},
+		},
+	})
+
 	if !cr.Spec.Minimal {
 		grafanaVars := []corev1.EnvVar{
 			{
@@ -1030,9 +1078,7 @@ func getPullPolicy(imageTag string) corev1.PullPolicy {
 
 func newVolumeForCR(cr *operatorv1beta1.Cryostat) []corev1.Volume {
 	var volumeSource corev1.VolumeSource
-	deployEmptyDir := cr.Spec.StorageOptions != nil && cr.Spec.StorageOptions.EmptyDir != nil && cr.Spec.StorageOptions.EmptyDir.Enabled
-
-	if deployEmptyDir {
+	if useEmptyDir(cr) {
 		emptyDir := cr.Spec.StorageOptions.EmptyDir
 
 		sizeLimit, err := resource.ParseQuantity(emptyDir.SizeLimit)
@@ -1073,3 +1119,7 @@ func seccompProfile(openshift bool) *corev1.SeccompProfile {
 		Type: corev1.SeccompProfileTypeRuntimeDefault,
 	}
 }
+
+func useEmptyDir(cr *operatorv1beta1.Cryostat) bool {
+	return cr.Spec.StorageOptions != nil && cr.Spec.StorageOptions.EmptyDir != nil && cr.Spec.StorageOptions.EmptyDir.Enabled
+}