Chapter 3. Feature enhancements
Cryostat 3.0 includes feature enhancements that build upon the Cryostat 2.4 offerings.
Cryostat container enhancements
In this release, the main Cryostat container (cryostat) has been reimplemented by using Quarkus. In previous releases, the cryostat container was built directly by using Eclipse Vert.x.
This enhancement allows Cryostat to take advantage of the Quarkus framework's strengths and features, which enables Cryostat to provide higher-performance access to your JDK Flight Recorder data as well as better data integrity and security.
Cryostat API support for creating multi-namespace Cryostat instances
From Cryostat 3.0 onward, the Cryostat API supports the creation of both single-namespace and multi-namespace Cryostat instances. When you install a Cryostat instance by using the Cryostat Operator, the Cryostat API now enables you to specify an optional list of target namespaces. This supersedes the behavior in previous releases where the Cryostat API supported the creation of single-namespace instances only.
In previous releases, you could use the Cluster Cryostat API to create multi-namespace Cryostat instances. Cryostat 3.0 no longer provides a separate Cluster Cryostat API.
RBAC enhancements for accessing Cryostat
Cryostat now applies the same role-based access control (RBAC) permission check to every user to permit or deny access to the product. By default, the required permission is the create verb on the pods/exec subresource in the Cryostat application's installation namespace.
Any Red Hat OpenShift user account that holds the required RBAC permission now has full access to the Cryostat web console and all Cryostat features. An account that does not hold the required permission is denied access to Cryostat entirely.
When installing a Cryostat instance by using the Cryostat Operator, you can optionally use the .spec.authorizationOptions.openShiftSSO.accessReview field in the Cryostat custom resource (CR) to customize the required RBAC permissions for accessing Cryostat.
This enhancement supersedes the behavior in previous releases where you could configure different levels of authorization for different user accounts.
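The following manifests are an added example and are not taken from the Cryostat documentation or the Cryostat Operator project. They show the two sides of the access model described in this section and in the multi-namespace section above: a Role and RoleBinding that grant one OpenShift user the default permission Cryostat checks (create on pods/exec in the installation namespace, assumed here to be named cryostat), and a Cryostat custom resource that lists target namespaces and overrides the checked permission. The apiVersion, the spec.targetNamespaces field and the SubjectAccessReview-style keys under accessReview (namespace, group, resource, subresource, verb) are assumptions about the operator's API; confirm them with oc explain against the installed CRD before applying.

```yaml
# Added example (not Cryostat's own manifests). Installation namespace, user name
# and target namespaces are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cryostat-access
  namespace: cryostat            # Cryostat installation namespace (assumed name)
rules:
  - apiGroups: [""]
    resources: ["pods/exec"]      # default permission checked by Cryostat 3.0
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cryostat-access-alice
  namespace: cryostat
subjects:
  - kind: User
    name: alice                   # OpenShift user being granted Cryostat access (placeholder)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cryostat-access
  apiGroup: rbac.authorization.k8s.io
---
# Cryostat CR: a multi-namespace instance whose access check is customized.
# apiVersion, targetNamespaces and the accessReview keys are assumptions about
# the operator API; verify with: oc explain cryostat.spec.authorizationOptions
apiVersion: operator.cryostat.io/v1beta2
kind: Cryostat
metadata:
  name: cryostat-sample
  namespace: cryostat
spec:
  targetNamespaces:               # the CR author must be allowed to create Cryostat CRs in each of these
    - team-a
    - team-b
  authorizationOptions:
    openShiftSSO:
      accessReview:               # replaces the default "create pods/exec" check:
        namespace: cryostat       # here, only users who may create Cryostat CRs
        group: operator.cryostat.io
        resource: cryostats
        verb: create
```

Before handing the console to a user, check the gate from their point of view with oc auth can-i create pods --subresource=exec -n cryostat --as alice (or the verb, group and resource you configured in accessReview). Note that the default check couples Cryostat access to the ability to exec into pods in the installation namespace: anyone who already holds that permission gets the console, and granting the console means granting exec. Overriding accessReview is the way to decouple the two.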
Cryostat CR validation enhancements
The Cryostat Operator now performs additional validation checks against Cryostat CR objects before accepting these objects for processing. One noteworthy validation check is that a user who creates a Cryostat CR with a list of target namespaces must have sufficient permissions to create single-namespace Cryostat CRs in these target namespaces.
Cryostat Helm chart configuration enhancements
You can now set the following configuration parameters for the Cryostat Helm chart:
authentication.openshift.enabled
    This property enables the deployment of openshift-oauth-proxy and is disabled by default. If this property is disabled, oauth2-proxy is deployed instead.
    Note: You can configure both openshift-oauth-proxy and oauth2-proxy to enable basic authentication by using the authentication.basicAuth property. However, for users who are deploying Cryostat on Red Hat OpenShift, openshift-oauth-proxy also supports integration with the Red Hat OpenShift cluster SSO.
authentication.basicAuth
    This property configures basic authentication on the auth proxy. If you enable the deployment of openshift-oauth-proxy, this basic authentication is in addition to the Red Hat OpenShift SSO. If you enable the deployment of oauth2-proxy, this basic authentication is the only out-of-the-box supported user authentication mechanism.
openshiftOauthProxy.accessReview
    This property configures the SubjectAccessReview for testing client access to Cryostat through Red Hat OpenShift SSO.
For a full list of configuration parameters, see the Cryostat Helm Chart readme file.
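The two values files below are an added example, not content from the chart's own values.yaml, and they contrast the two auth-proxy modes this section describes. The top-level keys (authentication.openshift.enabled, authentication.basicAuth, openshiftOauthProxy.accessReview) are the ones named above; the nested keys enabled and secretName under basicAuth, and the SubjectAccessReview-style keys under accessReview, are assumptions to be checked against the chart readme. The two variants are shown as two YAML documents for comparison; a real deployment uses one of them.

```yaml
# Added example (not the chart's values.yaml). Variant A: Red Hat OpenShift.
# openshift-oauth-proxy authenticates users against the cluster SSO and then
# runs a SubjectAccessReview with the attributes below before forwarding.
authentication:
  openshift:
    enabled: true
  basicAuth:
    enabled: false             # assumed key; SSO suffices, basic auth would only be an extra mechanism
openshiftOauthProxy:
  accessReview:                # assumed SubjectAccessReview keys
    namespace: cryostat        # chart release namespace (placeholder)
    group: ""
    resource: pods
    subresource: exec
    verb: create
---
# Variant B: a cluster without OpenShift SSO. oauth2-proxy is deployed instead
# and basic authentication is the only out-of-the-box user authentication the
# chart supports in this mode, so it is enabled here rather than left off.
authentication:
  openshift:
    enabled: false             # default; selects oauth2-proxy
  basicAuth:
    enabled: true              # assumed key
    secretName: cryostat-basic-auth   # assumed key: Secret carrying the htpasswd-style credentials
```

In variant B, treat the credentials Secret as the only thing standing between the network and your JFR data: create it with a strong per-user password and restrict who can read Secrets in the release namespace. In variant A, remember that accessReview is the whole authorization decision, so keep it on a permission that is genuinely limited to the people who should see recordings.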
Cryostat agent embedded web server
At Cryostat agent startup, the agent starts an embedded web server, which is used to service requests from the Cryostat server. The embedded web server secures itself by using basic authentication.
In previous releases, the basic authentication user name was always user, and the randomly generated password consisted of 24 ASCII characters. In Cryostat 3.0, the default user name is still user and the default password length is still 24 characters, but both the user name and the password length are configurable. The randomly generated password is also drawn from a larger character set than in previous releases, which increases its entropy for the same length.
Cryostat agent port enhancement
When you configure your applications to use the Cryostat agent, the agent base URI now uses port 4180 by default. In previous releases, the agent base URI used port 8181.
This change results from the reverse proxy architecture introduced in Cryostat 3.0. Port 4180 is the HTTP port of the auth proxy, which authenticates requests and passes the authorized ones to Cryostat. You must therefore configure the Cryostat agent to send requests to port 4180 rather than directly to port 8181, because the Cryostat HTTP port is now hidden behind the proxy and is not the entry point any more.
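The Deployment fragment below is an added example, not from the Cryostat documentation or project, showing how an application container attaches the agent and points it at the auth proxy on port 4180. The agent jar path, the Service host name cryostat-sample.cryostat.svc, and the cryostat.agent.baseuri, cryostat.agent.callback and cryostat.agent.app.name property names are assumptions (the agent is configured through cryostat.agent.* system properties, but confirm the exact names and the agent's default listen port in the agent README). The Secret holding the agent's credentials for Cryostat is a placeholder as well.

```yaml
# Added example (not Cryostat's own manifests). Shows the agent wiring for the
# 3.0 proxy architecture; names marked placeholder/assumed are not from the docs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
  namespace: team-a              # one of the Cryostat instance's target namespaces (placeholder)
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sample-app
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      containers:
        - name: app
          image: registry.example.com/team-a/sample-app:1.0   # placeholder
          env:
            - name: JAVA_TOOL_OPTIONS
              # baseuri: the auth proxy on 4180. The 2.x value
              # http://cryostat-sample.cryostat.svc:8181 would now target the
              # hidden server port and must not be used.
              # callback: where Cryostat reaches this agent's embedded web
              # server (9977 assumed as the agent's default listen port).
              value: >-
                -javaagent:/deployments/cryostat-agent.jar
                -Dcryostat.agent.baseuri=http://cryostat-sample.cryostat.svc:4180
                -Dcryostat.agent.callback=http://sample-app.team-a.svc:9977
                -Dcryostat.agent.app.name=sample-app
          envFrom:
            - secretRef:
                name: sample-app-cryostat-agent   # placeholder Secret with the agent's credentials for the proxy
          ports:
            - name: app
              containerPort: 8080
            - name: cryostat-agent
              containerPort: 9977   # assumed agent default; protected by the agent's basic auth
```

Two checks are worth making after rollout: the agent's startup log should show a successful registration against the :4180 base URI, and a direct request from another pod to the Cryostat server's port 8181 should not be an accepted path for clients, since everything is expected to go through the proxy. If a NetworkPolicy is in use, allow traffic from Cryostat to the agent's port and from the agent to 4180 only.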