Chapter 4. Unsupported and deprecated features
Cryostat 3.0 removes some features because of their high maintenance costs, low community interest, and better alternative solutions.
Target TLS certificate upload
The Security view of the Cryostat web console no longer offers a way to upload SSL/TLS certificates directly into the Cryostat server truststore. The Security view now only displays a list of certificates that have already been loaded.
From Cryostat 3.0 onward, new certificates must be added to the storage volume that Cryostat reads at startup. You can configure any new certificates by using the existing TrustedCertSecrets property in the Cryostat CR.
JMX target credentials passed through API requests
The X-JMX-Authorization header is no longer supported. This means that Cryostat no longer accepts API requests from target applications to allow Cryostat to authenticate itself and store credentials in memory for the duration of a JMX connection to an application.
From Cryostat 3.0 onward, JMX credentials for target applications are always stored in an encrypted database that is stored on a persistent volume claim (PVC) on Red Hat OpenShift. The Settings view of the Cryostat web console also no longer offers an advanced configuration for selecting which authentication mechanism to use.
Cryostat self-discovery
When you install Cryostat by using the Cryostat Operator or a Helm chart, Cryostat no longer discovers itself as a target application by default. In previous releases, Cryostat exposed a JMX port on a Kubernetes service and the Cryostat Operator generated credentials and assigned a TLS certificate to help secure this port.
From Cryostat 3.0 onward, the JMX port exposed by Cryostat is disabled and the corresponding Service port is removed, which means that Cryostat can no longer discover itself as a connectable target. This also means that Cryostat no longer appears in the target selection list or in the Topology view of the Cryostat web console.
If you want to connect Cryostat to itself to check performance, you can create a Custom Target with the URL value localhost:0. This value instructs the JVM to open a local JMX connection to itself, without exposing a port to the network, which means that additional authentication and TLS encryption is unnecessary.
Cryostat Operator installation for a single namespace
Support is no longer provided for installing the Cryostat Operator in a single namespace or subset of cluster namespaces.
From Cryostat 3.0 onward, the Cryostat Operator can only be installed on a cluster-wide basis. Cluster-wide installation is the preferred mode for the Operator Lifecycle Manager and per-namespace installations are a deprecated feature.
Cluster Cryostat API
The Cluster Cryostat API is no longer supported. In this release, when installing a Cryostat instance by using the Cryostat Operator, you can no longer select a Cluster Cryostat option in the the Provided APIs section of the Details tab.
From Cryostat 3.0 onward, you can use the Cryostat API to create both single-namespace and multi-namespace Cryostat instances. When you install a Cryostat instance by using the Cryostat Operator, the Cryostat API now enables you to specify an optional list of target namespaces.
