move authproxy to first container, update postinstall notes for 3.0 d…

…eployment behind proxy TODO presigned downloads from S3 provider currently fail signature verification
cryostatio · Feb 13, 2024 · f1631b4 · f1631b4
1 parent 8d3e836
commit f1631b4
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 61 deletions.
diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt
@@ -8,49 +8,29 @@
 {{- if .Values.core.route.enabled }}
   export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
 {{- $envVars = list ( tpl "STORAGE_EXT_URL=http{{ if .Values.core.route.tls.enabled }}s{{ end  }}://$ROUTE_HOST/storage" . ) }}
+{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL=http{{ if .Values.core.route.tls.enabled }}s{{ end }}://$ROUTE_HOST/grafana/" . ) }}
 {{- else if .Values.core.ingress.enabled }}
 {{- /* Do nothing */}}
 {{- else if contains "NodePort" .Values.core.service.type }}
   export NODE_IP=$(kubectl get nodes -n {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryostat.fullname" . }})
-{{- $envVars = list "CRYOSTAT_WEB_HOST=$NODE_IP" "CRYOSTAT_EXT_WEB_PORT=$NODE_PORT" }}
+{{- $envVars = list "QUARKUS_HTTP_HOST=$NODE_IP" }}
 {{- else if contains "LoadBalancer" .Values.core.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get -n {{ .Release.Namespace }} -w svc/{{ include "cryostat.fullname" . }} svc/{{ include "cryostat.fullname" . }}-grafana'
   export SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-{{- $envVars = list "CRYOSTAT_WEB_HOST=$SERVICE_IP" (printf "CRYOSTAT_EXT_WEB_PORT=%v" .Values.core.service.httpPort) }}
+{{- $envVars = list "QUARKUS_HTTP_HOST=$SERVICE_IP" }}
 {{- else if contains "ClusterIP" .Values.core.service.type }}
   export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"  --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-{{- $envVars = list "CRYOSTAT_WEB_HOST=127.0.0.1" "CRYOSTAT_EXT_WEB_PORT=8080" }}
+  export CRYOSTAT_WEB_HOST=localhost
+{{- $envVars = list "QUARKUS_HTTP_HOST=$CRYOSTAT_WEB_HOST" }}
+{{- $envVars = append $envVars ( tpl "QUARKUS_HTTP_HOST=$CRYOSTAT_WEB_HOST" . ) }}
+{{- $envVars = append $envVars ( tpl "STORAGE_EXT_URL=http://$CRYOSTAT_WEB_HOST:8080/storage" . ) }}
+{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL=http://$CRYOSTAT_WEB_HOST:8080/grafana/" . ) }}
 {{- $portForwards = prepend $portForwards "8080:$CONTAINER_PORT" }}
 {{- end }}
 
-{{- if not .Values.minimal }}
-{{- if .Values.core.route.enabled }}
-{{- $envVars = append $envVars ( tpl "GRAFANA_DASHBOARD_EXT_URL=http{{ if .Values.core.route.tls.enabled }}s{{ end }}://$ROUTE_HOST/grafana/" . ) }}
-{{- else if .Values.core.ingress.enabled }}
-{{- if not (contains "NodePort" .Values.core.service.type) }}
-  export NODE_IP=$(kubectl get nodes -n {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-{{- end }}
-  export GRAFANA_NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryostat.fullname" . }}-grafana)
-{{- $envVars = append $envVars "GRAFANA_DASHBOARD_URL=http://$NODE_IP:$GRAFANA_NODE_PORT"}}
-{{- if not (contains "LoadBalancer" .Values.core.service.type) }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get -n {{ .Release.Namespace }} -w svc/{{ include "cryostat.fullname" . }} svc/{{ include "cryostat.fullname" . }}-grafana'
-{{- end }}
-  export GRAFANA_SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }}-grafana --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-{{- $envVars = append $envVars (printf "GRAFANA_DASHBOARD_URL=http://$GRAFANA_SERVICE_IP:%v" .Values.core.service.port) }}
-{{- if not (contains "ClusterIP" .Values.core.service.type) }}
-  export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"  --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}")
-{{- end }}
-  export GRAFANA_CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[1].ports[0].containerPort}")
-{{- $envVars = concat $envVars ( list "GRAFANA_DASHBOARD_URL=http://127.0.0.1:$GRAFANA_CONTAINER_PORT" "GRAFANA_DASHBOARD_EXT_URL=http://127.0.0.1:8081" )}}
-{{- $portForwards = append $portForwards "8081:$GRAFANA_CONTAINER_PORT" }}
-{{- end }}
-{{- end }}
-
-
 {{- if not (empty $envVars) }}
   kubectl -n {{ .Release.Namespace }} set env deploy --containers={{ .Chart.Name }} {{ include "cryostat.fullname" . }} {{ join " " $envVars }}
 {{- end }}
@@ -83,6 +63,6 @@
 {{- else if contains "LoadBalancer" .Values.core.service.type }}
   echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }}
 {{- else if contains "ClusterIP" .Values.core.service.type }}
-  http://127.0.0.1:8080
+  http://localhost:8080
 {{- end }}
   ```
diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml
@@ -30,6 +30,41 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        - name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
+          securityContext:
+            {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
+          image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
+          args:
+            - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
+          imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
+          env:
+            - name: OAUTH2_PROXY_REDIRECT_URL
+              value: "http://localhost:4180/oauth2/callback"
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              value: {{ include "cryostat.cookieSecret" . }}
+            - name: OAUTH2_PROXY_EMAIL_DOMAINS
+              value: "*"
+            {{- if .Values.authentication.basicAuth.enabled }}
+            - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
+              value: write
+            - name: OAUTH2_PROXY_HTPASSWD_FILE
+              value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
+            {{- end }}
+            {{- if not .Values.authentication.basicAuth.enabled }}
+            - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
+              value: ".*"
+            {{- end }}
+          ports:
+            - containerPort: 4180
+              protocol: TCP
+          volumeMounts:
+            - name: alpha-config
+              mountPath: /etc/oauth2_proxy/alpha_config
+            {{- if .Values.authentication.basicAuth.enabled }}
+            - name: {{ .Release.Name }}-htpasswd
+              mountPath: /etc/oauth2_proxy/basicauth
+              readOnly: true
+            {{- end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.core.securityContext | nindent 12 }}
@@ -191,38 +226,6 @@ spec:
             {{- toYaml .Values.storage.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.storage.securityContext | nindent 12 }}
-        - name: {{ printf "%s-%s" .Chart.Name "oauth2proxy" }}
-          securityContext:
-            {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
-          image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
-          args:
-            - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
-          imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
-          env:
-            - name: OAUTH2_PROXY_REDIRECT_URL
-              value: "http://localhost:4180/oauth2/callback"
-            - name: OAUTH2_PROXY_COOKIE_SECRET
-              value: {{ include "cryostat.cookieSecret" . }}
-            - name: OAUTH2_PROXY_EMAIL_DOMAINS
-              value: "*"
-            {{- if .Values.authentication.basicAuth.enabled }}
-            - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
-              value: write
-            - name: OAUTH2_PROXY_HTPASSWD_FILE
-              value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
-            {{- end }}
-            {{- if not .Values.authentication.basicAuth.enabled }}
-            - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
-              value: ".*"
-            {{- end }}
-          volumeMounts:
-            - name: alpha-config
-              mountPath: /etc/oauth2_proxy/alpha_config
-            {{- if .Values.authentication.basicAuth.enabled }}
-            - name: {{ .Release.Name }}-htpasswd
-              mountPath: /etc/oauth2_proxy/basicauth
-              readOnly: true
-            {{- end }}
         - name: {{ printf "%s-%s" .Chart.Name "grafana" }}
           securityContext:
             {{- toYaml .Values.grafana.securityContext | nindent 12 }}