diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 6234921..2ee22f4 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -84,6 +84,8 @@ helm install cryostat ./charts/cryostat
 | `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
 | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` |
 | `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
+| `core.config.declarative.fsMode` | default filesystem mode (permissions) for declarative configuration volumes | `440` |
+| `core.config.tlsTruststore.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore. | `[]` |
 
 ### Report Generator Deployment
 
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml
index cb0fbca..337729e 100644
--- a/charts/cryostat/templates/cryostat_deployment.yaml
+++ b/charts/cryostat/templates/cryostat_deployment.yaml
@@ -141,6 +141,10 @@ spec:
             failureThreshold: 18
           resources:
 {{- toYaml .Values.core.resources | nindent 12 }}
+          volumeMounts:
+            - name: declarative-trusted-tls-certs
+              mountPath: /truststore
+              readOnly: true
         - name: {{ printf "%s-%s" .Chart.Name "grafana" }}
           securityContext:
 {{- toYaml .Values.grafana.securityContext | nindent 12 }}
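Review bot: The `volumeMounts` entry for `declarative-trusted-tls-certs` is added unconditionally, so the Cryostat container mounts `/truststore` even when `core.config.tlsTruststore.secretNames` is left at its default `[]`; the matching `volumes` hunk in this file (`@@ -216,3 +220,12 @@`) then renders a `projected` volume whose `sources` list is empty. The unit test added in this commit for the default case expects the container to have no `volumeMounts`, which the template as written cannot satisfy. If the mount is meant to be opt-in, wrap both the mount and the volume in `{{- if .Values.core.config.tlsTruststore.secretNames }}` … `{{- end }}`; otherwise the test expectation and the README row should state that an empty truststore mount is always present. The enclosing container spec starts and ends outside the hunk.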
@@ -216,3 +220,12 @@ spec:
           secret:
             secretName: {{ .Release.Name }}-proxy-tls
         {{- end }}
+        - name: declarative-trusted-tls-certs
+          projected:
+            defaultMode: {{ .Values.core.config.declarative.fsMode }}
+            sources:
+            {{- range .Values.core.config.tlsTruststore.secretNames }}
+            - secret:
+                secretName: {{ . }}
+                optional: false
+            {{- end }}
diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml
index 0548fc7..680b53c 100644
--- a/charts/cryostat/tests/cryostat_deployment_test.yaml
+++ b/charts/cryostat/tests/cryostat_deployment_test.yaml
@@ -180,6 +180,8 @@ tests:
           requests:
             cpu: 500m
             memory: 384Mi
+      - notExists:
+          path: spec.template.spec.contains[?(@.name=='cryostat')].volumeMounts
 
   - it: should set log level
     set:
@@ -514,3 +516,29 @@ tests:
         path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy
         value: "IfNotPresent"
 
+  - it: should add volume mounts for declarative TLS truststore
+    set:
+      core.config.tlsTruststore.secretNames: ['a', 'b']
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].volumeMounts
+          value:
+            - name: declarative-trusted-tls-certs
+              mountPath: /truststore
+              readOnly: true
+      - equal:
+          path: spec.template.spec.volumes
+          value:
+            - name: alpha-config
+              configMap:
+                name: RELEASE-NAME-alpha-config
+            - name: declarative-trusted-tls-certs
+              projected:
+                defaultMode: 0440
+                sources:
+                  - secret:
+                      secretName: a
+                      optional: false
+                  - secret:
+                      secretName: b
+                      optional: false
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index 88c3baf..f600e23 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
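Review bot: `defaultMode: {{ .Values.core.config.declarative.fsMode }}` passes the integer from the values file through verbatim, and the documented default is written inconsistently across this commit: `values.yaml` uses the leading-zero literal `0440` (which the new unit test also compares against as `0440`), while the README row and `values.schema.json` document it as `440`. A user who copies `440` from the docs gets decimal 440, i.e. mode 0670, which makes the mounted certificate files group-writable and group-executable instead of read-only. I'd document the value as an octal mode in all three places and constrain it in the schema rather than relying on the leading zero surviving every YAML parser. A short comment next to `optional: false` noting that the pod will not start until every listed Secret exists would also make that choice visibly deliberate. The enclosing `volumes` list starts outside the hunk.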
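Review bot: The added `notExists` path reads `spec.template.spec.contains[...]`, a typo for `containers`, so the selector matches nothing and the assertion passes vacuously instead of proving that the default rendering has no `volumeMounts`. It should be `path: spec.template.spec.containers[?(@.name=='cryostat')].volumeMounts`. With the typo fixed the assertion will most likely fail, because the deployment template in this commit adds the mount unconditionally; that mismatch has to be resolved either in the template or in this expectation. The enclosing test case's `asserts:` list starts outside the hunk.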
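Review bot: The second `equal` assertion pins the entire `spec.template.spec.volumes` list, including the unrelated `alpha-config` entry, so any future volume added to the deployment will break this truststore test. A `contains` assertion on the single `declarative-trusted-tls-certs` element (`- contains:` with `path: spec.template.spec.volumes` and the projected volume as `content:`) would test only what this commit introduces. The test also only covers the non-empty case; a companion case that sets `core.config.declarative.fsMode` explicitly would pin how user-supplied modes are rendered.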
@@ -258,6 +258,32 @@
               }
             }
           }
+        },
+        "config": {
+          "type": "object",
+          "properties": {
+            "declarative": {
+              "type": "object",
+              "properties": {
+                "fsMode": {
+                  "type": "number",
+                  "description": "default filesystem mode (permissions) for declarative configuration volumes",
+                  "default": 440
+                }
+              }
+            },
+            "tlsTruststore": {
+              "type": "object",
+              "properties": {
+                "secretNames": {
+                  "type": "array",
+                  "description": "List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore.",
+                  "default": [],
+                  "items": {}
+                }
+              }
+            }
+          }
         }
       }
     },
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 79fdd4d..34df797 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -85,6 +85,13 @@ core:
       builtInPortNumbersDisabled: false
       ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
       portNumbers: []
+  config:
+    declarative:
+      ## @param core.config.declarative.fsMode default filesystem mode (permissions) for declarative configuration volumes
+      fsMode: 0440
+    tlsTruststore:
+      ## @param core.config.tlsTruststore.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore.
+      secretNames: []
 
 ## @section Report Generator Deployment
 ## @extra reports Configuration for the Reports Generator deployment
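Review bot: `secretNames` is declared with `"items": {}`, so the schema accepts elements of any type even though each one is interpolated straight into `secretName: {{ . }}` in the deployment template; `"items": { "type": "string" }` would reject malformed entries at `helm install` time instead of producing an invalid Pod spec. `fsMode` is typed `"number"`, which admits non-integers that Kubernetes will refuse for `defaultMode`; `"type": "integer"` with `"minimum": 0` and `"maximum": 511` (0777) matches the range the API accepts. The enclosing `properties` object of `core` starts and ends outside the hunk.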
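Review bot: The `@param core.config.declarative.fsMode` comment does not say that the value is an octal file mode, yet the literal `0440` directly below depends on the leading zero being read as octal, and the README row in this commit (whose text matches this comment verbatim, so it appears to be generated from it) renders the default as plain `440`. I'd reword it as `## @param core.config.declarative.fsMode Octal filesystem mode (e.g. 0440, keep the leading zero) applied as defaultMode to declarative configuration volumes` so that the generated docs stop inviting a decimal value. The enclosing `core:` map starts outside the hunk.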