Chapter 3. Feature enhancements
Cryostat 3.0 includes feature enhancements that build upon the Cryostat 2.4 offerings.
Cryostat container enhancements
In this release, the main Cryostat container (cryostat) has been reimplemented by using Quarkus. In previous releases, the cryostat container was built directly by using Eclipse Vert.x.
This enhancement allows Cryostat to take advantage of the Quarkus framework’s strengths and features, which enables Cryostat to provide higher performance access to your JDK Flight Recorder data as well as better data integrity and security.
Cryostat API support for creating multi-namespace Cryostat instances
From Cryostat 3.0 onward, the Cryostat API supports the creation of both single-namespace and multi-namespace Cryostat instances. When you install a Cryostat instance by using the Cryostat Operator, the Cryostat API now enables you to specify an optional list of target namespaces. This supersedes the behavior in previous releases where the Cryostat API supported the creation of single-namespace instances only.
In previous releases, you could use the Cluster Cryostat API to create multi-namespace Cryostat instances. Cryostat 3.0 no longer provides a separate Cluster Cryostat API.
RBAC enhancements for accessing Cryostat
Cryostat now applies the same role-based access control (RBAC) permission check to all users for the purpose of permitting or denying access to the product. By default, the required RBAC role in the Cryostat application’s installation namespace is create pods/exec.
Any Red Hat OpenShift user accounts that are assigned the required RBAC role now have full access to the Cryostat web console and all Cryostat features. If a Red Hat OpenShift account does not have the required RBAC role, this user is blocked from accessing Cryostat.
When installing a Cryostat instance by using the Cryostat Operator, you can optionally use the .spec.authorizationOptions.openShiftSSO.accessReview field in the Cryostat custom resource (CR) to customize the required RBAC permissions for accessing Cryostat.
This enhancement supersedes the behavior in previous releases where you could configure different levels of authorization for different user accounts.
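The default create pods/exec check described above maps to standard Kubernetes RBAC objects as follows. This is an added example, not taken from the Cryostat documentation; the namespace cryostat-ns, the group cryostat-operators and the user alice are assumed names.

```yaml
# Added example. Assumed names: namespace "cryostat-ns",
# group "cryostat-operators", user "alice".
---
# Role granting exactly the permission Cryostat checks by default:
# verb "create" on the "exec" subresource of pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cryostat-access
  namespace: cryostat-ns
rules:
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
# Bind the Role to one dedicated group rather than to individual users.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cryostat-access
  namespace: cryostat-ns
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: cryostat-operators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cryostat-access
---
# SubjectAccessReview that asks the API server the same question for one
# user; the answer is returned in status.allowed.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: alice
  groups: ["cryostat-operators"]
  resourceAttributes:
    namespace: cryostat-ns
    verb: create
    group: ""
    resource: pods
    subresource: exec
```

Creating the SubjectAccessReview with oc create -f <file> -o yaml prints the review with status.allowed filled in. Because create pods/exec also allows its holder to run commands in any pod in that namespace, the group bound here should contain only the accounts that need Cryostat access.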
Cryostat CR validation enhancements
The Cryostat Operator now performs additional validation checks against Cryostat CR objects before accepting these objects for processing. One noteworthy validation check is that a user who creates a Cryostat CR with a list of target namespaces must have sufficient permissions to create single-namespace Cryostat CRs in these target namespaces.
Cryostat Helm chart configuration enhancements
You can now set the following configuration parameters for the Cryostat Helm chart:
authentication.openshift.enabled
This property enables the deployment of openshift-oauth-proxy and is disabled by default. If this property is disabled, oauth2_proxy is deployed instead.
Note: You can configure both openshift-oauth-proxy and oauth2-proxy to enable basic authentication by using the authentication.basicAuth property. However, for users who are deploying Cryostat on Red Hat OpenShift, the openshift-oauth-proxy also supports integration with the Red Hat OpenShift cluster SSO.
authentication.basicAuth
This property configures basic authentication on the auth proxy. If you enable the deployment of openshift-oauth-proxy, this basic authentication is in addition to the Red Hat OpenShift SSO. If you enable the deployment of oauth2_proxy, this basic authentication is the only out-of-the-box supported user authentication mechanism.
openshiftOauthProxy.accessReview
This property configures the SubjectAccessReview for testing client access to Cryostat through Red Hat OpenShift SSO.
For a full list of configuration parameters, see the Cryostat Helm Chart readme file.
Cryostat agent embedded web server
At Cryostat agent startup, the agent starts an embedded web server, which is used to service requests from the Cryostat server. The embedded web server secures itself by using basic authentication.
In previous releases, the basic user name was always user, and the randomly generated password consisted of 24 ASCII characters. In Cryostat 3.0, the default user name is user and the default password length is 24 characters, but the user name and the password length are both configurable. In this release, the randomly generated password is also based on a larger character set compared to previous releases.
Cryostat agent port enhancement
When configuring your applications to use the Cryostat agent, the agent base URI now uses port 4180 by default. This supersedes the behavior in previous releases where the agent base URI used port 8181.
This enhancement is due to the introduction of the reverse proxy architecture in Cryostat 3.0. Port 4180 is the HTTP port of the auth proxy, which passes authorized requests to Cryostat. You must therefore configure the Cryostat agent to send requests to port 4180 rather than directly to port 8181, because the Cryostat HTTP port is now hidden behind the proxy.