Chapter 3. Feature enhancements

Cryostat 3.0 includes feature enhancements that build upon the Cryostat 2.4 offerings.

Cryostat container enhancements

In this release, the main Cryostat container (cryostat) has been reimplemented by using Quarkus. In previous releases, the cryostat container was built directly by using Eclipse Vert.x.

This enhancement allows Cryostat to take advantage of the Quarkus framework’s strengths and features, which enables Cryostat to provide higher-performance access to your JDK Flight Recorder data as well as better data integrity and security.

Cryostat API support for creating multi-namespace Cryostat instances

From Cryostat 3.0 onward, the Cryostat API supports the creation of both single-namespace and multi-namespace Cryostat instances. When you install a Cryostat instance by using the Cryostat Operator, the Cryostat API now enables you to specify an optional list of target namespaces. This supersedes the behavior in previous releases where the Cryostat API supported the creation of single-namespace instances only.

Note

In previous releases, you could use the Cluster Cryostat API to create multi-namespace Cryostat instances. Cryostat 3.0 no longer provides a separate Cluster Cryostat API.

RBAC enhancements for accessing Cryostat

Cryostat now applies the same role-based access control (RBAC) permission check to all users for the purpose of permitting or denying access to the product. By default, the required RBAC role in the Cryostat application’s installation namespace is create pods/exec.

Any Red Hat OpenShift user accounts that are assigned the required RBAC role now have full access to the Cryostat web console and all Cryostat features. If a Red Hat OpenShift account does not have the required RBAC role, this user is blocked from accessing Cryostat.

When installing a Cryostat instance by using the Cryostat Operator, you can optionally use the .spec.authorizationOptions.openShiftSSO.accessReview field in the Cryostat custom resource (CR) to customize the required RBAC permissions for accessing Cryostat.

This enhancement supersedes the behavior in previous releases where you could configure different levels of authorization for different user accounts.
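Because a single permission check now grants full access, it is worth auditing which accounts already hold that permission in the installation namespace. The following added example (not part of the Cryostat documentation or code) evaluates constructed Role, ClusterRole and binding objects against the default create pods/exec check. The `verb`, `group` and `resource` arguments stand in for a customized access review, and every object name and the namespace `cryostat-ns` are hypothetical.

```python
# Added example: which subjects pass Cryostat's access check in a namespace.
# Simplified RBAC evaluation: ignores resourceNames and aggregated ClusterRoles.

def rule_allows(rule, verb, group, resource):
    """True if one RBAC PolicyRule grants `verb` on `resource` (e.g. 'pods/exec')."""
    _, _, sub = resource.partition("/")
    wanted = {resource, "*"} | ({"*/" + sub} if sub else set())
    return (bool({verb, "*"} & set(rule.get("verbs", [])))
            and bool({group, "*"} & set(rule.get("apiGroups", [])))
            and bool(wanted & set(rule.get("resources", []))))

def subjects_with_access(objects, namespace, verb="create", group="", resource="pods/exec"):
    """Return sorted 'Kind:name' subjects granted the permission in `namespace`."""
    roles = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            ns = o["metadata"].get("namespace", "") if o["kind"] == "Role" else ""
            roles[(o["kind"], ns, o["metadata"]["name"])] = o.get("rules") or []
    allowed = set()
    for o in objects:
        in_scope = (o["kind"] == "ClusterRoleBinding" or
                    (o["kind"] == "RoleBinding" and o["metadata"].get("namespace") == namespace))
        if not in_scope:
            continue
        ref = o["roleRef"]
        rules = roles.get((ref["kind"], namespace if ref["kind"] == "Role" else "", ref["name"]), [])
        if any(rule_allows(r, verb, group, resource) for r in rules):
            allowed.update(f'{s["kind"]}:{s["name"]}' for s in o.get("subjects") or [])
    return sorted(allowed)

def _obj(kind, name, ns=None, **body):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, **body}

def _bind(kind, name, ns, ref_kind, ref_name, subj_kind, subj_name):
    return _obj(kind, name, ns, roleRef={"kind": ref_kind, "name": ref_name},
                subjects=[{"kind": subj_kind, "name": subj_name}])

# Constructed sample objects (all names hypothetical), shaped like `oc get ... -o json` items.
SAMPLE = [
    _obj("Role", "cryostat-users", "cryostat-ns",
         rules=[{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]),
    _obj("ClusterRole", "admin-like", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "view-like", rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]),
    _bind("RoleBinding", "rb-alice", "cryostat-ns", "Role", "cryostat-users", "User", "alice"),
    _bind("RoleBinding", "rb-bob", "cryostat-ns", "ClusterRole", "view-like", "User", "bob"),
    _bind("RoleBinding", "rb-carol", "other-ns", "ClusterRole", "admin-like", "User", "carol"),
    _bind("ClusterRoleBinding", "crb-admins", None, "ClusterRole", "admin-like", "Group", "platform-admins"),
]

if __name__ == "__main__":
    print("default check (create pods/exec):", subjects_with_access(SAMPLE, "cryostat-ns"))
    print("custom check (get pods):", subjects_with_access(SAMPLE, "cryostat-ns", verb="get", resource="pods"))
```

Wildcard grants bound cluster-wide pass the check in every namespace, so broad administrative roles are the first place to look when the list of permitted accounts is longer than expected.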

Cryostat CR validation enhancements

The Cryostat Operator now performs additional validation checks against Cryostat CR objects before accepting these objects for processing. One noteworthy validation check is that a user who creates a Cryostat CR with a list of target namespaces must have sufficient permissions to create single-namespace Cryostat CRs in these target namespaces.

Cryostat Helm chart configuration enhancements

You can now set the following configuration parameters for the Cryostat Helm chart:

  • authentication.openshift.enabled

    This property enables the deployment of openshift-oauth-proxy and is disabled by default. If this property is disabled, oauth2_proxy is deployed instead.

    Note

    You can configure both openshift-oauth-proxy and oauth2-proxy to enable basic authentication by using the authentication.basicAuth property. However, for users who are deploying Cryostat on Red Hat OpenShift, the openshift-oauth-proxy also supports integration with the Red Hat OpenShift cluster SSO.

  • authentication.basicAuth

    This property configures basic authentication on the auth proxy. If you enable the deployment of openshift-oauth-proxy, this basic authentication is in addition to the Red Hat OpenShift SSO. If you enable the deployment of oauth2_proxy, this basic authentication is the only out-of-the-box supported user authentication mechanism.

  • openshiftOauthProxy.accessReview

    This property configures the SubjectAccessReview for testing client access to Cryostat through Red Hat OpenShift SSO.

For a full list of configuration parameters, see the Cryostat Helm Chart readme file.

Cryostat agent embedded web server

At Cryostat agent startup, the agent starts an embedded web server, which is used to service requests from the Cryostat server. The embedded web server secures itself by using basic authentication.

In previous releases, the basic user name was always user, and the randomly generated password consisted of 24 ASCII characters. In Cryostat 3.0, the default user name is user and the default password length is 24 characters, but the user name and the password length are both configurable. In this release, the randomly generated password is also based on a larger character set compared to previous releases.

Cryostat agent port enhancement

When configuring your applications to use the Cryostat agent, the agent base URI now uses port 4180 by default. This supersedes the behavior in previous releases where the agent base URI used port 8181.

This enhancement is due to the introduction of the reverse proxy architecture in Cryostat 3.0. Port 4180 is the HTTP port of the auth proxy, which passes authorized requests to Cryostat. You must therefore configure the Cryostat agent to send requests to port 4180 rather than directly to port 8181, because the Cryostat HTTP port is now hidden behind the proxy.

© 2024 Red Hat, Inc.