Merge pull request #815 from cryostatio/cryostat3

feat(cryostat3): deploy Cryostat 3.0

.github/workflows/test-ci-reusable.yml

@@ -48,7 +48,7 @@ jobs:
         ref: ${{ inputs.ref }}
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.21.*'
+        go-version: '1.22.*'
     - name: Run controller tests
       run: make test-envtest
     - name: Set latest commit status as ${{ job.status }}
@@ -142,7 +142,7 @@ jobs:
         ip_address=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ci-${{ github.run_id }}-control-plane)
         echo "$ip_address testing.cryostat" | sudo tee -a /etc/hosts
     - name: Install Operator Lifecycle Manager
-      run: curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.24.0/install.sh | bash -s v0.24.0
+      run: curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.28.0/install.sh | bash -s v0.28.0
     - name: Install Cert Manager
       run: make cert_manager
     - uses: redhat-actions/podman-login@v1

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM docker.io/library/golang:1.21 as builder
+FROM docker.io/library/golang:1.22 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -15,6 +15,7 @@ RUN go mod download
 COPY internal/main.go internal/main.go
 COPY api/ api/
 COPY internal/controllers/ internal/controllers/
+COPY internal/webhooks/ internal/webhooks/
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

Makefile

@@ -8,7 +8,7 @@ OS = $(shell go env GOOS)
 ARCH = $(shell go env GOARCH)
 
 # Current Operator version
-export OPERATOR_VERSION ?= 2.5.0-dev
+export OPERATOR_VERSION ?= 3.0.0-dev
 IMAGE_VERSION ?= $(OPERATOR_VERSION)
 BUNDLE_VERSION ?= $(IMAGE_VERSION)
 DEFAULT_NAMESPACE ?= quay.io/cryostat
@@ -46,7 +46,6 @@ USE_IMAGE_DIGESTS ?= false
 ifeq ($(USE_IMAGE_DIGESTS), true)
 	BUNDLE_GEN_FLAGS += --use-image-digests
 endif
-BUNDLE_INSTALL_MODE ?= AllNamespaces
 
 IMAGE_BUILDER ?= podman
 # Image URL to use all building/pushing image targets
@@ -63,8 +62,16 @@ export APP_NAME ?= Cryostat
 # Images used by the operator
 CORE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 CORE_NAME ?= cryostat
-CORE_VERSION ?= latest
+CORE_VERSION ?= 3.0.0-snapshot
 export CORE_IMG ?= $(CORE_NAMESPACE)/$(CORE_NAME):$(CORE_VERSION)
+OAUTH2_PROXY_NAMESPACE ?= quay.io/oauth2-proxy
+OAUTH2_PROXY_NAME ?= oauth2-proxy
+OAUTH2_PROXY_VERSION ?= latest
+export OAUTH2_PROXY_IMG ?= $(OAUTH2_PROXY_NAMESPACE)/$(OAUTH2_PROXY_NAME):$(OAUTH2_PROXY_VERSION)
+OPENSHIFT_OAUTH_PROXY_NAMESPACE ?= quay.io/openshift
+OPENSHIFT_OAUTH_PROXY_NAME ?= origin-oauth-proxy
+OPENSHIFT_OAUTH_PROXY_VERSION ?= latest
+export OPENSHIFT_OAUTH_PROXY_IMG ?= $(OPENSHIFT_OAUTH_PROXY_NAMESPACE)/$(OPENSHIFT_OAUTH_PROXY_NAME):$(OPENSHIFT_OAUTH_PROXY_VERSION)
 DATASOURCE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 DATASOURCE_NAME ?= jfr-datasource
 DATASOURCE_VERSION ?= latest
@@ -77,13 +84,21 @@ REPORTS_NAMESPACE ?= $(DEFAULT_NAMESPACE)
 REPORTS_NAME ?= cryostat-reports
 REPORTS_VERSION ?= latest
 export REPORTS_IMG ?= $(REPORTS_NAMESPACE)/$(REPORTS_NAME):$(REPORTS_VERSION)
+DATABASE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
+DATABASE_NAME ?= cryostat-db
+DATABASE_VERSION ?= latest
+export DATABASE_IMG ?= $(DATABASE_NAMESPACE)/$(DATABASE_NAME):$(DATABASE_VERSION)
+STORAGE_NAMESPACE ?= $(DEFAULT_NAMESPACE)
+STORAGE_NAME ?= cryostat-storage
+STORAGE_VERSION ?= latest
+export STORAGE_IMG ?= $(STORAGE_NAMESPACE)/$(STORAGE_NAME):$(STORAGE_VERSION)
 
 CERT_MANAGER_VERSION ?= 1.11.5
 CERT_MANAGER_MANIFEST ?= \
 	https://github.com/cert-manager/cert-manager/releases/download/v$(CERT_MANAGER_VERSION)/cert-manager.yaml
 
 KUSTOMIZE_VERSION ?= 3.8.7
-CONTROLLER_TOOLS_VERSION ?= 0.11.1
+CONTROLLER_TOOLS_VERSION ?= 0.14.0
 GOLICENSE_VERSION ?= 1.29.0
 OPM_VERSION ?= 1.23.0
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
@@ -93,7 +108,7 @@ ENVTEST_K8S_VERSION ?= 1.26
 # See: https://github.com/operator-framework/operator-sdk/pull/4762
 #
 # Suffix is the timestamp of the image build, compute with: date -u '+%Y%m%d%H%M%S'
-CUSTOM_SCORECARD_VERSION ?= 2.5.0-$(shell date -u '+%Y%m%d%H%M%S')
+CUSTOM_SCORECARD_VERSION ?= 3.0.0-$(shell date -u '+%Y%m%d%H%M%S')
 export CUSTOM_SCORECARD_IMG ?= $(IMAGE_TAG_BASE)-scorecard:$(CUSTOM_SCORECARD_VERSION)
 
 DEPLOY_NAMESPACE ?= cryostat-operator-system
@@ -143,6 +158,9 @@ ifneq ($(SCORECARD_TEST_SUITE),)
 SCORECARD_TEST_SELECTOR := --selector=suite=$(SCORECARD_TEST_SUITE)
 endif
 
+# Specify whether to run scorecard tests only (without setup)
+SCORECARD_TEST_ONLY ?= false
+
 ##@ General
 
 .PHONY: all
@@ -172,6 +190,21 @@ ifneq ($(SKIP_TESTS), true)
 	$(OPERATOR_SDK) scorecard -n $(SCORECARD_NAMESPACE) -s cryostat-scorecard -w 20m $(BUNDLE_IMG) --pod-security=restricted $(SCORECARD_TEST_SELECTOR)
 endif
 
+.PHONY: test-scorecard-local
+test-scorecard-local: check_cert_manager kustomize operator-sdk ## Run scorecard test locally without rebuilding bundle.
+ifneq ($(SKIP_TESTS), true)
+ifeq ($(SCORECARD_TEST_SELECTION),)
+	@echo "No test selected. Use SCORECARD_TEST_SELECTION to specify tests. For example: SCORECARD_TEST_SELECTION=cryostat-recording make test-scorecard-local"
+else ifeq ($(SCORECARD_TEST_ONLY), true)
+	@$(call scorecard-local)
+else
+	@$(call scorecard-setup)
+	$(call scorecard-cleanup) ; \
+	trap cleanup EXIT ; \
+	$(call scorecard-local)
+endif
+endif
+
 .PHONY: clean-scorecard
 clean-scorecard: operator-sdk ## Clean up scorecard resources.
 	- $(call scorecard-cleanup); cleanup
@@ -207,6 +240,13 @@ function cleanup { \
 }
 endef
 
+define scorecard-local
+for test in $${SCORECARD_TEST_SELECTION//,/ }; do \
+	echo "Running scorecard test \"$${test}\""; \
+	SCORECARD_NAMESPACE=$(SCORECARD_NAMESPACE) BUNDLE_DIR=./bundle go run internal/images/custom-scorecard-tests/main.go $${test} | sed 's/\\n/\n/g'; \
+done
+endef
+
 ##@ Build
 
 .PHONY: manager
@@ -450,8 +490,8 @@ endif
 ##@ Deployment
 
 .PHONY: install
-install: manifests kustomize ## Install CRDs into the cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | $(CLUSTER_CLIENT) apply -f -
+install: uninstall manifests kustomize ## Install CRDs into the cluster specified in ~/.kube/config.
+	$(KUSTOMIZE) build config/crd | $(CLUSTER_CLIENT) create -f -
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the cluster specified in ~/.kube/config.
@@ -467,8 +507,8 @@ print_deploy_config: predeploy ## Print deployment configurations for the contro
 	$(KUSTOMIZE) build $(KUSTOMIZE_DIR)
 
 .PHONY: deploy
-deploy: check_cert_manager manifests kustomize predeploy ## Deploy controller in the configured cluster in ~/.kube/config
-	$(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(CLUSTER_CLIENT) apply -f -
+deploy: check_cert_manager manifests kustomize predeploy undeploy ## Deploy controller in the configured cluster in ~/.kube/config
+	$(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(CLUSTER_CLIENT) create -f -
 ifeq ($(DISABLE_SERVICE_TLS), true)
 	@echo "Disabling TLS for in-cluster communication between Services"
 	@$(CLUSTER_CLIENT) -n $(DEPLOY_NAMESPACE) set env deployment/cryostat-operator-controller-manager DISABLE_SERVICE_TLS=true
@@ -477,12 +517,11 @@ endif
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the configured cluster in ~/.kube/config.
 	- $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_cryostat.yaml
-	- $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_clustercryostat.yaml
 	- $(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f -
 
 .PHONY: deploy_bundle
 deploy_bundle: check_cert_manager undeploy_bundle ## Deploy the controller in the bundle format with OLM.
-	$(OPERATOR_SDK) run bundle --install-mode $(BUNDLE_INSTALL_MODE) $(BUNDLE_IMG)
+	$(OPERATOR_SDK) run bundle --install-mode AllNamespaces $(BUNDLE_IMG)
 ifeq ($(DISABLE_SERVICE_TLS), true)
 	@echo "Disabling TLS for in-cluster communication between Services"
 	@current_ns=`$(CLUSTER_CLIENT) config view --minify -o 'jsonpath={.contexts[0].context.namespace}'` && \
@@ -504,19 +543,8 @@ undeploy_bundle: operator-sdk ## Undeploy the controller in the bundle format wi
 
 .PHONY: create_cryostat_cr
 create_cryostat_cr: destroy_cryostat_cr ## Create a namespaced Cryostat instance.
-	$(CLUSTER_CLIENT) create -f config/samples/operator_v1beta1_cryostat.yaml
-
-.PHONY: create_clustercryostat_cr
-create_clustercryostat_cr: destroy_clustercryostat_cr ## Create a cluster-wide Cryostat instance.
-	target_ns_json=$$(jq -nc '$$ARGS.positional' --args -- $(TARGET_NAMESPACES)) && \
-	$(CLUSTER_CLIENT) patch -f config/samples/operator_v1beta1_clustercryostat.yaml --local=true --type=merge \
-	-p "{\"spec\": {\"installNamespace\": \"$(DEPLOY_NAMESPACE)\", \"targetNamespaces\": $$target_ns_json}}" -o yaml | \
-	$(CLUSTER_CLIENT) apply -f -
+	$(CLUSTER_CLIENT) create -f config/samples/operator_v1beta2_cryostat.yaml
 
 .PHONY: destroy_cryostat_cr
 destroy_cryostat_cr: ## Delete a namespaced Cryostat instance.
 	- $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_cryostat.yaml
-
-.PHONY: destroy_clustercryostat_cr
-destroy_clustercryostat_cr: ## Delete a cluster-wide Cryostat instance.
-	- $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_clustercryostat.yaml

PROJECT

@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: cryostat.io
 layout:
 - go.kubebuilder.io/v3
@@ -10,19 +14,23 @@ resources:
 - api:
     crdVersion: v1
     namespaced: true
-  controller: true
   domain: cryostat.io
   group: operator
   kind: Cryostat
   path: github.com/cryostatio/cryostat-operator/api/v1beta1
   version: v1beta1
 - api:
     crdVersion: v1
-    namespaced: false
+    namespaced: true
   controller: true
   domain: cryostat.io
   group: operator
-  kind: ClusterCryostat
-  path: github.com/cryostatio/cryostat-operator/api/v1beta1
-  version: v1beta1
+  kind: Cryostat
+  path: github.com/cryostatio/cryostat-operator/api/v1beta2
+  version: v1beta2
+  webhooks:
+    conversion: true
+    defaulting: true
+    validation: true
+    webhookVersion: v1
 version: "3"

README.md

@@ -26,33 +26,29 @@ the JFR datasource for Grafana.
 for the Grafana dashboard.
 
 # Using
+
+## Requirements
+
+- `kubernetes` v1.21+ with [`Operator Lifecycle Manager`](https://olm.operatorframework.io/)
+- [`cert-manager`](https://github.com/cert-manager/cert-manager) v1.11.5+ (Recommended)
+
+## Instructions
+
 Once deployed, the `cryostat` instance can be accessed via web browser
 at the URL provided by:
 ```
 kubectl get cryostat -o jsonpath='{$.items[0].status.applicationUrl}'
 ```
-The Grafana credentials can be obtained with:
-```shell
-CRYOSTAT_NAME=$(kubectl get cryostat -o jsonpath='{$.items[0].metadata.name}')
-# Username
-kubectl get secret ${CRYOSTAT_NAME}-grafana-basic -o jsonpath='{$.data.GF_SECURITY_ADMIN_USER}' | base64 -d
-# Password
-kubectl get secret ${CRYOSTAT_NAME}-grafana-basic -o jsonpath='{$.data.GF_SECURITY_ADMIN_PASSWORD}' | base64 -d
-```
-The JMX authentication credentials for Cryostat itself can be obtained with:
-```shell
-CRYOSTAT_NAME=$(kubectl get cryostat -o jsonpath='{$.items[0].metadata.name}')
-# Username
-kubectl get secret ${CRYOSTAT_NAME}-jmx-auth -o jsonpath='{$.data.CRYOSTAT_RJMX_USER}' | base64 -d
-# Password
-kubectl get secret ${CRYOSTAT_NAME}-jmx-auth -o jsonpath='{$.data.CRYOSTAT_RJMX_PASS}' | base64 -d
-```
+
+To use Cryostat to monitor or profile Cryostat itself - since it is also an available JVM target -
+you may use the Cryostat web UI to define a Custom Target with the connection URL `localhost:0`.
+This is a special value which tells Cryostat's JVM that it should connect to itself directly, without
+the need to expose a JMX port over the network.
 
 # Building
 ## Requirements
-- `go` v1.21
+- `go` v1.21+
 - [`operator-sdk`](https://github.com/operator-framework/operator-sdk) v1.31.0
-- [`cert-manager`](https://github.com/cert-manager/cert-manager) v1.11.5+ (Recommended)
 - `podman` or `docker`
 - [`jq`](https://stedolan.github.io/jq/) v1.6+
 - `ginkgo` (Optional)