feat(discovery): allow configurations for discovery service

api/v1beta1/cryostat_types.go

@@ -102,6 +102,14 @@ type CryostatSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	SchedulingOptions *SchedulingConfiguration `json:"schedulingOptions,omitempty"`
+	// Options to configure the Cryostat application's target discovery mechanisms.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	TargetDiscoveryOptions *TargetDiscoveryOptions `json:"targetDiscoveryOptions,omitempty"`
+	// Options to configure the Cryostat application's JMX credentials database.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	JmxCredentialsDatabaseOptions *JmxCredentialsDatabaseOptions `json:"jmxCredentialsDatabaseOptions,omitempty"`
 }
 
 type ResourceConfigList struct {
@@ -503,3 +511,19 @@ type ReportsSecurityOptions struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	ReportsSecurityContext *corev1.SecurityContext `json:"reportsSecurityContext,omitempty"`
 }
+
+// TargetDiscoveryOptions provides configuration options to the Cryostat application's target discovery mechanisms.
+type TargetDiscoveryOptions struct {
+	// When true, the Cryostat application will disable the built-in discovery mechanisms. Defaults to false
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Disable Built-in Discovery",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
+	BuiltInDiscoveryDisabled bool `json:"builtInDiscoveryDisabled,omitempty"`
+}
+
+// JmxCredentialsDatabaseOptions provides configuration options to the Cryostat application's JMX credentials database.
+type JmxCredentialsDatabaseOptions struct {
+	// Name of the secret containing the password to encrypt JMX credentials database.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
+	DatabaseSecretName *string `json:"databaseSecretName,omitempty"`
+}

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -139,6 +139,16 @@ spec:
         path: jmxCacheOptions.targetCacheTTL
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
+      - description: Options to configure the Cryostat application's JMX credentials
+          database.
+        displayName: Jmx Credentials Database Options
+        path: jmxCredentialsDatabaseOptions
+      - description: Name of the secret containing the password to encrypt JMX credentials
+          database.
+        displayName: Database Secret Name
+        path: jmxCredentialsDatabaseOptions.databaseSecretName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       - description: The maximum number of WebSocket client connections allowed (minimum
           1, default unlimited).
         displayName: Max WebSocket Connections
@@ -380,6 +390,16 @@ spec:
           has created the PVC, changes to this field have no effect.
         displayName: Spec
         path: storageOptions.pvc.spec
+      - description: Options to configure the Cryostat application's target discovery
+          mechanisms.
+        displayName: Target Discovery Options
+        path: targetDiscoveryOptions
+      - description: When true, the Cryostat application will disable the built-in
+          discovery mechanisms. Defaults to false
+        displayName: Disable Built-in Discovery
+        path: targetDiscoveryOptions.builtInDiscoveryDisabled
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: List of TLS certificates to trust when connecting to targets.
         displayName: Trusted TLS Certificates
         path: trustedCertSecrets

bundle/manifests/operator.cryostat.io_cryostats.yaml

@@ -105,6 +105,15 @@ spec:
                     minimum: 1
                     type: integer
                 type: object
+              jmxCredentialsDatabaseOptions:
+                description: Options to configure the Cryostat application's JMX credentials
+                  database.
+                properties:
+                  databaseSecretName:
+                    description: Name of the secret containing the password to encrypt
+                      JMX credentials database.
+                    type: string
+                type: object
               maxWsConnections:
                 description: The maximum number of WebSocket client connections allowed
                   (minimum 1, default unlimited).
@@ -4372,6 +4381,15 @@ spec:
                         type: object
                     type: object
                 type: object
+              targetDiscoveryOptions:
+                description: Options to configure the Cryostat application's target
+                  discovery mechanisms.
+                properties:
+                  builtInDiscoveryDisabled:
+                    description: When true, the Cryostat application will disable
+                      the built-in discovery mechanisms. Defaults to false
+                    type: boolean
+                type: object
               trustedCertSecrets:
                 description: List of TLS certificates to trust when connecting to
                   targets.

config/crd/bases/operator.cryostat.io_cryostats.yaml

@@ -106,6 +106,15 @@ spec:
                     minimum: 1
                     type: integer
                 type: object
+              jmxCredentialsDatabaseOptions:
+                description: Options to configure the Cryostat application's JMX credentials
+                  database.
+                properties:
+                  databaseSecretName:
+                    description: Name of the secret containing the password to encrypt
+                      JMX credentials database.
+                    type: string
+                type: object
               maxWsConnections:
                 description: The maximum number of WebSocket client connections allowed
                   (minimum 1, default unlimited).
@@ -4373,6 +4382,15 @@ spec:
                         type: object
                     type: object
                 type: object
+              targetDiscoveryOptions:
+                description: Options to configure the Cryostat application's target
+                  discovery mechanisms.
+                properties:
+                  builtInDiscoveryDisabled:
+                    description: When true, the Cryostat application will disable
+                      the built-in discovery mechanisms. Defaults to false
+                    type: boolean
+                type: object
               trustedCertSecrets:
                 description: List of TLS certificates to trust when connecting to
                   targets.

config/manifests/bases/cryostat-operator.clusterserviceversion.yaml

@@ -127,6 +127,16 @@ spec:
         path: jmxCacheOptions.targetCacheTTL
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
+      - description: Options to configure the Cryostat application's JMX credentials
+          database.
+        displayName: Jmx Credentials Database Options
+        path: jmxCredentialsDatabaseOptions
+      - description: Name of the secret containing the password to encrypt JMX credentials
+          database.
+        displayName: Database Secret Name
+        path: jmxCredentialsDatabaseOptions.databaseSecretName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       - description: The maximum number of WebSocket client connections allowed (minimum
           1, default unlimited).
         displayName: Max WebSocket Connections
@@ -368,6 +378,16 @@ spec:
           has created the PVC, changes to this field have no effect.
         displayName: Spec
         path: storageOptions.pvc.spec
+      - description: Options to configure the Cryostat application's target discovery
+          mechanisms.
+        displayName: Target Discovery Options
+        path: targetDiscoveryOptions
+      - description: When true, the Cryostat application will disable the built-in
+          discovery mechanisms. Defaults to false
+        displayName: Disable Built-in Discovery
+        path: targetDiscoveryOptions.builtInDiscoveryDisabled
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: List of TLS certificates to trust when connecting to targets.
         displayName: Trusted TLS Certificates
         path: trustedCertSecrets

docs/config.md

@@ -269,6 +269,34 @@ spec:
     targetCacheTTL: 10
 ```
 
+### JMX Credentials Database
+
+The Cryostat application must be provided with a password to encrypt saved JMX credentials in database. The user can specify a secret containing the password entry with key `CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD`. The Cryostat application will use this password to encrypt saved JMX credentials in database.
+
+For example:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: credentials-database-secret
+type: Opaque
+stringData:
+  CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD: a-very-good-password
+```
+
+Then, the property `.spec.jmxCredentialsDatabaseOptions.databaseSecretName` must be set to use this secret for password.
+
+```yaml
+apiVersion: operator.cryostat.io/v1beta1
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  jmxCredentialsDatabaseOptions:
+    databaseSecretName: credentials-database-secret
+```
+
+**Note**: If the secret is not provided, a default one is generated for this purpose. However, switching between using provided and generated secret is not allowed to avoid password mismatch that causes the Cryostat application's failure to access the credentials database.
 
 ### Authorization Properties
 
@@ -293,7 +321,7 @@ If custom mapping is specified, a ClusterRole must be defined and should contain
 
 **Note**: Using [`Secret`](https://kubernetes.io/docs/concepts/configuration/secret/) in mapping can fail with access denied under [security protection](https://kubernetes.io/docs/concepts/configuration/secret/#information-security-for-secrets) against escalations. Find more details about this issue [here](https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth).
 
-The property `.spec.authProperties` can then be set to configure Cryostat to use this mapping instead of the default ones.
+The property `spec.authProperties` can then be set to configure Cryostat to use this mapping instead of the default ones.
 ```yaml
 apiVersion: operator.cryostat.io/v1beta1
 kind: Cryostat
@@ -436,3 +464,17 @@ spec:
         value: ok
         effect: NoExecute
 ```
+
+### Target Discovery Options
+
+If you wish to use only Cryostat's [Discovery Plugin API](https://github.com/cryostatio/cryostat/blob/801779d5ddf7fa30f7b230f649220a852b06f27d/docs/DISCOVERY_PLUGINS.md), set the property `spec.targetDiscoveryOptions.builtInDiscoveryDisabled` to `true` to disable Cryostat's built-in discovery mechanisms.
+
+```yaml
+apiVersion: operator.cryostat.io/v1beta1
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  targetDiscoveryOptions:
+    builtInDiscoveryDisabled: true
+```

internal/controllers/common/resource_definitions/resource_definitions.go

@@ -741,6 +741,54 @@ func NewCoreContainer(cr *operatorv1beta1.Cryostat, specs *ServiceSpecs, imageTa
 		}
 	}
 
+	disableBuiltInDiscovery := cr.Spec.TargetDiscoveryOptions != nil && cr.Spec.TargetDiscoveryOptions.BuiltInDiscoveryDisabled
+	if disableBuiltInDiscovery {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "CRYOSTAT_DISABLE_BUILTIN_DISCOVERY",
+			Value: fmt.Sprintf("%v", strconv.FormatBool(true)),
+		})
+	}
+
+	if !useEmptyDir(cr) {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_URL",
+			Value: "jdbc:h2:file:/opt/cryostat.d/conf.d/h2;INIT=create domain if not exists jsonb as varchar",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_HBM2DDL",
+			Value: "update",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_DRIVER",
+			Value: "org.h2.Driver",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_HIBERNATE_DIALECT",
+			Value: "org.hibernate.dialect.H2Dialect",
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_USERNAME",
+			Value: cr.Name,
+		}, corev1.EnvVar{
+			Name:  "CRYOSTAT_JDBC_PASSWORD",
+			Value: cr.Name,
+		})
+	}
+
+	secretOptional := false
+	secretName := cr.Name + "-jmx-credentials-db"
+	if cr.Spec.JmxCredentialsDatabaseOptions != nil && cr.Spec.JmxCredentialsDatabaseOptions.DatabaseSecretName != nil {
+		secretName = *cr.Spec.JmxCredentialsDatabaseOptions.DatabaseSecretName
+	}
+	envs = append(envs, corev1.EnvVar{
+		Name: "CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD",
+		ValueFrom: &corev1.EnvVarSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: secretName,
+				},
+				Key:      "CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD",
+				Optional: &secretOptional,
+			},
+		},
+	})
+
 	if !cr.Spec.Minimal {
 		grafanaVars := []corev1.EnvVar{
 			{
@@ -1030,9 +1078,7 @@ func getPullPolicy(imageTag string) corev1.PullPolicy {
 
 func newVolumeForCR(cr *operatorv1beta1.Cryostat) []corev1.Volume {
 	var volumeSource corev1.VolumeSource
-	deployEmptyDir := cr.Spec.StorageOptions != nil && cr.Spec.StorageOptions.EmptyDir != nil && cr.Spec.StorageOptions.EmptyDir.Enabled
-
-	if deployEmptyDir {
+	if useEmptyDir(cr) {
 		emptyDir := cr.Spec.StorageOptions.EmptyDir
 
 		sizeLimit, err := resource.ParseQuantity(emptyDir.SizeLimit)
@@ -1073,3 +1119,7 @@ func seccompProfile(openshift bool) *corev1.SeccompProfile {
 		Type: corev1.SeccompProfileTypeRuntimeDefault,
 	}
 }
+
+func useEmptyDir(cr *operatorv1beta1.Cryostat) bool {
+	return cr.Spec.StorageOptions != nil && cr.Spec.StorageOptions.EmptyDir != nil && cr.Spec.StorageOptions.EmptyDir.Enabled
+}