Chapter 2. Installing Cryostat

You can install the Red Hat build of Cryostat Operator in a project on Red Hat OpenShift by using Operator Lifecycle Manager (OLM).

With the Red Hat build of Cryostat Operator installed, you can create instances of Cryostat that you can access by using a web console from the Red Hat OpenShift web console.

You can also download the latest Cryostat component images from the Red Hat Ecosystem Catalog.

2.1. Installing Cryostat on Red Hat OpenShift by using a Red Hat build of Cryostat Operator

You can use the Operator Lifecycle Manager (OLM) to install the Red Hat build of Cryostat Operator in a project on your Red Hat OpenShift cluster. You can use the Red Hat build of Cryostat Operator to create single namespace or multi-namespace Cryostat instances. You can control these instances by using a GUI that is accessible from the Red Hat OpenShift web console.

Important

If you need to upgrade your Red Hat build of Cryostat Operator subscription from Cryostat 2.0 to Cryostat 2.4, you must change the update channel from stable-2.0 to stable.

Prerequisites

Created an OpenShift Container Platform 4.11 or later cluster.
Created a Red Hat OpenShift user account with permissions to install Red Hat build of Cryostat Operator in a project.
Installed Operator Lifecycle Manager (OLM) on your cluster.
Installed cert-manager with the cert-manager Operator for Red Hat OpenShift.
- If you are using OpenShift Container Platform 4.11 or later, you can install the cert-manager Operator for Red Hat OpenShift. For more information, see cert-manager Operator for Red Hat OpenShift (OpenShift Container Platform).
Logged in to Red Hat OpenShift by using the Red Hat OpenShift web console.

Procedure

In your browser, navigate to Home > Projects by using the web console.
Select the name of the project in which you want to install the Red Hat build of Cryostat Operator.
Install the Red Hat build of Cryostat Operator:
1. In the navigation menu of your web console, navigate to Operators > OperatorHub.
2. Select the Red Hat build of Cryostat Operator from the list. You can use the search box in the upper part of the screen to find the Red Hat build of Cryostat Operator.
3. To install the Red Hat build of Cryostat Operator in your project, click Install.
  The Red Hat OpenShift web console prompts you to create a Cryostat custom resource (CR).
  Note
  If you are installing a Cryostat instance that is enabled for multiple namespaces, in the Installation mode area, click the All namespaces on the cluster (default) radio button.
  You can create the CR either manually or automatically. If you want to create the CR manually, see step 4. If you want to create the CR automatically, see step 5.
If you want to create the CR manually, complete the following steps:
1. Navigate to Operators > Installed Operators by using the web console and select Red Hat build of Cryostat Operator from the list of installed operators:
  Figure 2.1. Viewing the Red Hat build of Cryostat operator in the list of installed operators
2. Click the Details tab.
3. To create a single-namespace Cryostat instance, go to the Provided APIs section. Then, under Cryostat, click Create instance.
  Note
  If you want to create a Cryostat instance that is enabled for multiple namespaces, in the Provided APIs section, select Cluster Cryostat and click Create instance. The Cluster Cryostat API has configuration options that control the deployment of the Cryostat application and its related components. For more information, see Creating Cryostat on multiple namespaces.
  Figure 2.2. Selecting the Cryostat API that is provided by the Red Hat build of Cryostat Operator
4. Click either the Form view radio button or the YAML view radio button. If you want to enter your information in the YAML configuration file, click YAML view .
5. Specify a name for the instance of Cryostat that you want to create.
6. Optional: In the Labels field, specify a label or annotation for the Operand workload you want to deploy.
  You can also specify additional configuration options for your deployment:
  Figure 2.3. Creating an instance of Cryostat by using a form in the web console
  Alternatively, you can use a YAML template to create your instance and specify additional configuration options instead of using the form:
  Figure 2.4. Creating an instance of Cryostat by using a YAML template in the web console
If you want to create the CR by using the automatic prompt option, follow the prompt’s instructions and then complete the following steps:
1. Click either the Form view radio button or the YAML view radio button. If you want to enter your information in the YAML configuration file, click YAML view.
2. Specify a name for the instance of Cryostat that you want to create.
3. Optional: In the Labels field, specify a label or annotation for the Operand workload you want to deploy.
  You can also specify additional configuration options for your deployment:
  Figure 2.5. Creating an instance of Cryostat by using a form in the web console
  Alternatively, you can use a YAML template to create your instance and specify additional configuration options instead of using the form:
  Figure 2.6. Creating an instance of Cryostat by using a YAML template in the web console
To start the creation process for your Cryostat instance, click Create.
You must wait for all resources of your Cryostat instance to be ready before you can access it.

Verification

In the navigation menu of the web console, click Operators, then click Installed Operators.
From the table of installed operators, select Red Hat build of Cryostat Operator.
Select the Cryostat tab.
Your Cryostat instance opens in the table of instances and lists the following conditions:
- TLSSetupComplete is set to true.
- MainDeploymentAvailable is set to true.
- Optional: If you enabled the reports generator service then ReportsDeploymentAvailable is shown and set to true.
  Figure 2.7. Example of conditions set to True under the Status column for a Cryostat instance on OpenShift
Optional: Select your Cryostat instance from the Cryostat table. Go to the Cryostat Conditions table, where you can see more information for each condition.
Figure 2.8. Example of a Cryostat Conditions table that lists each condition and its criteria

Next Steps

Accessing Cryostat by using the web console

2.1.1. Accessing Cryostat by using the web console

You can access and control Cryostat by using a web console that is accessible from the Red Hat OpenShift web console.

Cryostat integrates with the OAuth server that is built into Red Hat OpenShift. When you attempt to access Cryostat on Red Hat OpenShift, the OAuth server directs you to the Red Hat OpenShift login page, where you can enter your Red Hat OpenShift credentials. After you enter your credentials, the OAuth server directs you to the Cryostat web console.

Note

If you want to access all of Cryostat’s features on the OpenShift Container Platform, you must request Cryostat-specific Role-Based Access Controls (RBAC) permissions for your Red Hat OpenShift user account.

See RBAC permissions.

Prerequisites

Created a Cryostat instance in your project.
Logged in using the Red Hat OpenShift web console.

Procedure

On the Red Hat OpenShift web console, navigate to Installed Operators and select Red Hat build of Cryostat Operator from the list.
Select the Cryostat instance that you want to access:
- For single-namespace Cryostat instances, click the Cryostat tab and select the Cryostat instance from the table.
- For multi-namespace Cryostat instances, click the Cluster Cryostat tab and select the Cluster Cryostat instance from the table.
  Figure 2.9. Example of selecting a single-namespace Cryostat instance under the Cryostat tab
Select the application URL to access the Cryostat login screen:
- For single-namespace Cryostat instances, click the link in the Application URL section to access the Cryostat login screen. The OAuth server redirects you to an OpenShift Container Platform login page, so that you can obtain OAuth access tokens for authenticating to the Cryostat API.
  Figure 2.10. Example of selecting a link under the Application URL section
- For multi-namespace Cryostat instances, access the application URL in one of the following ways:
  - In your Red Hat OpenShift command-line console (CLI), enter the following command, and replace "clustercryostatinstance-name" with the name of your multi-namespace Cryostat instance:
    oc get clustercryostat clustercryostatinstance-name
    The application URL is returned, which you can open directly from the command line or copy to a browser.
  - Click the YAML tab and and go to the status: section. Copy the link that is available under applicationURL to your browser.
Enter your credential details and then click Login. When you log in through the OAuth server for the first time, an Authorize Access page opens on your web browser.
Figure 2.11. Example of an Authorize Access page that opens in a web browser
Review the Requested permissions options and then select the required checkboxes. For optimal Cryostat performance, select both checkboxes.
Choose one of the following options:
- If you want to accept the requested permissions that you selected, click the Allow selected permissions button.
- If you want to reject all requested permission options, click the Deny button.
  Your web browser redirects you to the Cryostat web console, where you can monitor Java applications that are running in a Java Virtual Machine (JVM).

2.1.2. RBAC permissions

You might need to request Cryostat-specific Role-Based Access Controls (RBAC) permissions for your Red Hat OpenShift user account, so that you can access all of Cryostat’s features on the OpenShift Container Platform.

Note

Setting RBAC permissions relates to your Red Hat OpenShift user account. Cryostat reads your Red Hat OpenShift account to determine what functionality a user can access on Cryostat. If you want to set specific permissions for a Cryostat user account, see Accessing Cryostat by using the web console.

If you have limited user permissions, you can only access Cryostat features that Red Hat OpenShift authorizes you to use. If you have read-only permissions, then you can only view JDK flight recordings that were created by other users. You cannot create a new recording or delete an existing recording.

You can create a custom role with Cryostat-specific RBAC permissions and then bind this role to a user’s Red Hat OpenShift account. This use case is useful for when you want to set specific permissions for each user that operates within the same Cryostat namespace.

Consider another use case where you want to provide users read-only access to your JFR recordings. You would create a custom role and specify get for the verbs: string of your role’s pods/exec resource.

Red Hat OpenShift grants permissions to users based on values specified in the apiGroups configuration string in the YAML configuration. Cryostat maps Red Hat OpenShift endpoints to target applications, so that a user that belongs to the role can perform certain tasks on target applications, such as starting a recording on a target application.

The following YAML configuration demonstrates the ClusterRole with all the Cryostat-specific RBAC permissions defined:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: oauth-client
rules:
- apiGroups:
  - operator.cryostat.io
  resources:
  - cryostats
  verbs:
  - create
  - patch
  - delete
  - get
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - services
  verbs:
  - create
  - patch
  - delete
  - get
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - endpoints
  verbs:
  - get
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - get
- apiGroups:
  - apps
  resources:
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - get

Additional resources

Using RBAC to define and apply permissions (Red Hat OpenShift documentation)

2.2. Helm charts

Instead of using the Red Hat build of Cryostat Operator on Red Hat OpenShift to install Cryostat, you can use a Helm chart. The Red Hat build of Cryostat Operator is the preferred way to install Cryostat, but if you require a flexible installation method that requires fewer cluster permissions, you can install Cryostat with a Helm chart.

Helm is a package manager on Red Hat OpenShift that provides the following benefits:

Applies regular application updates by using custom hooks.
Manages the installation of complex applications.
Provides charts that you can host on public or private servers. If sharing charts on a public server, ensure you’re aware of the security risks.
Supports rolling back to previous application versions.

By default, Red Hat OpenShift 4.11 includes the Helm chart package manager.

Before you install Cryostat with a Cryostat Helm chart, consider the following supported functions for the Cryostat Helm chart and the Red Hat build of Cryostat Operator:

Function ↓	Cryostat Helm chart	Red Hat build of Cryostat Operator
Access Cryostat by using Services	✓	✓
Access Cryostat by using Routes	✓	✓
Basic authentication	✓
OpenShift OAuth authentication		✓
End-to-end encryption		✓
Grafana integration	✓	✓
Persistent storage	✓	✓
Sidecar report generator		✓

The previous table shows that the Cryostat Helm chart does not support the same level of functionality as the Red Hat build of Cryostat Operator.

Additional resources

Overview Red Hat build of Cryostat Operator (Using the Red Hat build of Cryostat Operator to configure Cryostat)

2.2.1. Installing Cryostat by using a Helm chart

By default, Red Hat OpenShift 4.11 includes the Helm chart package manager. You can use this package manager to install a Cryostat Helm chart on Red Hat OpenShift. In turn, you can use this Helm chart to install a Cryostat instance on Red Hat OpenShift.

After you install the Cryostat Helm chart, the Helm chart creates the following objects:

Deployment, which contains Cryostat, Grafana, and a data source for Grafana.
Routes that exposes the Cryostat and Grafana services outside a Red Hat OpenShift cluster. This object is enabled by default on Red Hat OpenShift.
Services for Cryostat and Grafana.
Service Account, Role, and Role Binding for Cryostat, so that Cryostat Helm chart can use these objects to discover your applications.

Prerequisites

Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.
Configured appropriate roles and permissions in a project to create applications and other workloads in OpenShift Container Platform.

Procedure

Switch to Developer mode on your Red Hat OpenShift web console.
Click the +Add menu.
From the Developer Catalog panel, click Helm Chart.
Click the Cryostat tile. A window displays on your Red Hat OpenShift web console.
Tip
To quickly find the Cryostat tile, enter Cryostat in the search field.
Click Install Helm Chart.
From the Install Helm Chart window, complete the following actions:
1. In the Release name field, enter a name for your Cryostat Helm chart.
2. From the Chart version drop-down list, ensure a version of Cryostat is selected.
3. Optional: From Form view, click Chart Values, and then configure options for your Cryostat Helm chart.
4. Optional: To access more configuration options, switch to the YAML View and then edit the parameters to meet your needs.
  Figure 2.12. OpenShift Install Helm Chart window
Click Install.
A window with tabs might open in your web console where you can view information for the Cryostat Helm chart. From the Release notes tab, you can view post-installation steps that you must perform. To perform these steps, you must use the oc CLI for your Red Hat OpenShift cluster. By default, Cryostat Helm chart uses Routes for networking. If you have disabled Routes, the instructions might differ depending on the kind of networking that you selected.
Important
If you set core.route.enabled or grafana.route.enabled to false for your Cryostat Helm chart, which disables the Routes resource, port-forwarding oc instructions display in the web console.
Optional: From the topology window, click a pod icon and then go to either the Details tab or the Resources tab to view more information about the pod.
Tip
If you need to quickly find a pod, consider using the filter toolbar, where you can display options, filter by resource, or enter a name of a pod.
When you completed the post-installation steps that are outlined on the Release notes tab, you can use Cryostat with your applications.
Figure 2.13. OpenShift pod topology window

Verification

In the same terminal where you completed the post-installation steps, go to the "Visit the Cryostat application at …" step to view the URL with which you can access the Cryostat application.

Note

The URL to access the Cryostat application URL varies depending on the configuration parameters that you chose.

Additional resources

Helm (The Helm project)
cryostat-helm (GitHub)
Viewing application composition using the Topology view (OpenShift Container Platform)

Revised on 2023-12-12 18:52:21 UTC

Chapter 2. Installing Cryostat

2.1. Installing Cryostat on Red Hat OpenShift by using a Red Hat build of Cryostat Operator

2.1.1. Accessing Cryostat by using the web console

2.1.2. RBAC permissions

2.2. Helm charts

2.2.1. Installing Cryostat by using a Helm chart

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Red Hat legal and privacy links

Red Hat legal and privacy links