Rechercher
SupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 1. Red Hat build of Cryostat Operator

download PDF

You can use the Red Hat build of Cryostat Operator to manage and configure your Cryostat instance. The Red Hat build of Cryostat Operator is available on the OpenShift Container Platform (OCP).

1.1. Overview of the Red Hat build of Cryostat Operator

After you create or update a Cryostat application on the OpenShift Container Platform, the Red Hat build of Cryostat Operator creates and manages the Cryostat application.

Operator level 2 seamless upgrades

From Cryostat 2.2, the Operator Capability Level for the Red Hat build of Cryostat Operator is set to Level 2 Seamless Upgrades on the Operator Lifecycle Manager framework. After you upgrade your Red Hat build of Cryostat Operator, the Red Hat build of Cryostat Operator automatically upgrades Cryostat and its related components. The automatic upgrade operation does not remove any JFR recordings, templates, rules, and other stored components, from your Cryostat instance.

Note

The automatic upgrade operation occurs only for minor releases or patch update releases of Cryostat. For major releases, you might need to re-install the Red Hat build of Cryostat Operator.

Persistent volume claims

You can create persistent volume claims (PVCs) on Red Hat OpenShift with the Red Hat build of Cryostat Operator so that your Cryostat application can store archived recordings on a cloud storage disk.

Operator configuration settings

Additionally, you can make the following changes to the default configuration settings for the Red Hat build of Cryostat Operator:

  • Configure the PVC that was created by the Red Hat build of Cryostat Operator, so that your Cryostat application can store archived recordings on a cloud storage disk.
  • Configure your Cryostat application to trust TLS certificates from specific applications.
  • Deploy Cryostat as a minimal deployment, so that the operator requires less resources to deploy a Cryostat application.
  • Disable cert-manager, so that the operator does not need to generate self-signed certificates for Cryostat components.
  • Install custom event template files, which are located in ConfigMaps, to your Cryostat instance, so you can use the templates to create recordings when Cryostat starts.

From Cryostat 2.2, the following configuration options for the Red Hat build of Cryostat Operator are included:

  • Resource requirements, which you can use to specify resource requests or limits for the core, datasource, or grafana containers.
  • Service customization, so that you can control the services that the Red Hat build of Cryostat Operator creates.
  • Sidecar report options, which the Red Hat build of Cryostat Operator can use to provision one or more report generators for your Cryostat application.

Single-namespace or multi-namespace Cryostat instances

The Red Hat build of Cryostat Operator provides both a Cryostat API and a Cluster Cryostat API. You can use the Cryostat API to create Cryostat instances that work in a single namespace. You can use the Cluster Cryostat API to create Cryostat instances that work across multiple namespaces. You can control these Cryostat instances by using a GUI that is accessible from the Red Hat OpenShift web console.

Users who can access the multi-namespace Cryostat instance have access to all target applications in any namespace that is visible to that Cryostat instance. Therefore, when you deploy a multi-namespace Cryostat instance, you must consider which namespaces to select for monitoring, which namespace to install Cryostat into, and which users can have access rights.

Prerequisites for configuring the Red Hat build of Cryostat Operator

Before you configure the Red Hat build of Cryostat Operator, ensure that the following prerequisites are met:

  • Installed the Red Hat build of Cryostat Operator in a project on Red Hat OpenShift.
  • Created a Cryostat instance by using the Red Hat build of Cryostat Operator.

Additional resources

1.2. Excluding supportive containers

You can choose to exclude supportive applications from getting deployed with your Cryostat application. Supportive applications are the supportive containers that are listed with your Cryostat pod. When you exclude supportive containers, fewer system resources are required to deploy your Cryostat application.

By default, Cryostat sets the minimal property in your project’s Red Hat build of Cryostat Operator YAML configuration file to false. With this configuration, the Red Hat build of Cryostat Operator deploys your Cryostat application with all the standard supportive applications, such as jfr-datasource and the Grafana dashboard, which are contained in the same pod as your Cryostat application. These supportive applications can interact with your Cryostat data and provide you with additional capabilities for interacting with this data.

The Red Hat build of Cryostat Operator defaults to the following configurations:

  • Deploys a pre-configured Grafana application.
  • Deploys a jfr-datasource application for converting JDK Flight Recorder (JFR) data to JSON, which is a readable format for Grafana.
  • Includes a Dashboard JSON file that is pre-configured in Grafana when you deploy Cryostat.

You can set the minimal property to true, so that the Red Hat build of Cryostat Operator automatically restarts your Cryostat instance as a minimal deployment. This means that the operator deploys only those applications that are listed in your Cryostat container and ignores any standard supportive applications, such as jfr-datasource and the Grafana dashboard, that are contained in the same pod as your Cryostat application.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.

Procedure

  1. On your Red Hat OpenShift web console, click Operators > Installed Operators.
  2. From the list of available operators, select Red Hat build of Cryostat.
  3. Click the Details tab.

  4. In the Provided APIs section, the Cryostat and Cluster Cryostat custom resources (CRs) are available. Select one of the following options:

    • To create a single-namespace Cryostat instance, select Cryostat, then click Create instance.
    • To create a multi-namespace instance of Cryostat, select Cluster Cryostat, then click Create instance.

  5. To configure the minimal property, choose one of the following options:

    1. Click the Form view radio button.

      1. Set the Minimal Deployment switch to true. You must also enter a value in the Name field.

        Figure 1.1. Toggling the Minimal Deployment switch to true

        Toggling the *Minimal Deployment* switch to `true`

      2. Click Create. Depending on the type of instance you created, the instance opens under one of the following tabs:

        • If you created a single-namespace Cryostat instance, the instance is available under the Cryostat tab on the Operator details page.
        • If you created a Cluster Cryostat instance, the instance is available under the Cluster Cryostat tab on the Operator details page.

    2. Click the YAML view radio button.

      1. Change the value for the minimal property to true in the spec: key set.

        Example of configuring the minimal property

        --
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  minimal: true
--

      2. Click Save.

Verification

  1. From the Red Hat OpenShift web console, select the project where you created your Cryostat instance or the project you chose as the Install Namespace of your Cluster Cryostat instance.
  2. Navigate to Workloads Deployments.
  3. From the list of deployments, select the deployment that matches the name of your Cryostat or Cluster Cryostat instance. A Deployment details page opens on your web console.
  4. Navigate to the Containers section. A single listed container indicates that the Red Hat build of Cryostat Operator has deployed your Cryostat application as a minimal deployment.

Additional resources

1.3. Disabling cert-manager

You can disable cert-manager functionality by configuring the enableCertManager property of the Red Hat build of Cryostat Operator.

By default, Red Hat build of Cryostat Operator’s enableCertManager property is set to true. This means that the Red Hat build of Cryostat Operator uses the cert-manager CA issuer to generate self-signed certificates for your Cryostat components. The Red Hat build of Cryostat Operator uses these certificates to enable HTTPS communication among Cryostat components operating in a cluster.

You can set the enableCertManager property to false, so that the Red Hat build of Cryostat Operator does not need to generate self-signed certificates for Cryostat components.

Important

If you set the enableCertManager property to false, you could introduce potential security implications from unencrypted internal traffic to the cluster that contains your running Cryostat application.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.

Procedure

  1. Navigate to Operators > Installed Operators on your OpenShift web console.
  2. From the list of available operators, select Red Hat build of Cryostat.
  3. Click the Details tab.

  4. In the Provided APIs section, the Cryostat and Cluster Cryostat custom resources (CRs) are available. Select one of the following options:

    • To create a single-namespace Cryostat instance, select Cryostat, then click Create instance.
    • To create a multi-namespace instance of Cryostat, select Cluster Cryostat, then click Create instance.

  5. To configure the enableCertManager property, choose one of the following options:

    1. Click the Form view radio button.

      1. Set the Enable cert-manager Integration switch to false, and then enter a value in the Name field.

        Figure 1.2. Toggling the Enable cert-manager Integration switch to false

        Toggling the `Enable cert-manager Integration` switch to `false`

      2. Click Create. Depending on the type of instance you created, the instance opens under one of the following tabs:

        • If you created a single-namespace Cryostat instance, the instance is available under the Cryostat tab on the Operator details page.
        • If you created a Cluster Cryostat instance, the instance is available under the Cluster Cryostat tab on the Operator details page.

    2. Click the YAML view radio button.

      1. In the spec: key set of the YAML file, change the enableCertManager property to false.

        Example of configuring the spec: key set in a YAML file

        --
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  enableCertManager: false
--

      2. Click the Save button.

        The Red Hat build of Cryostat Operator automatically restarts your Cryostat application, enabling the application to run with the updated enableCertManager property configuration.

Verification

  1. Select your Cryostat or Cluster Cryostat instance:

    • If you created a Cryostat instance, select your Cryostat instance from the Cryostat tab on the Operator details page.
    • If you created a Cluster Cryostat instance, select your Cluster Cryostat instance from the Cluster Cryostat tab on the Operator details page.
  2. Navigate to the Cryostat Conditions table.

  3. Verify that the TLSSetupComplete condition is set to true and that the Reason column for this condition is set to CertManagerDisabled. This indicates that you have set the enableCertManager property to false.

    Figure 1.3. Example showing the TLSSetupComplete condition set to true

    Example showing the `TLSSetupComplete` condition set to `true`

Additional resources

1.4. Customizing event templates

In Cryostat 2, you can configure the eventTemplates property of the Red Hat build of Cryostat Operator YAML configuration file to include multiple custom templates. An event template outlines the event recording criteria for your JDK Flight Recording (JFR). You can configure a JFR through its associated event template.

By default, Red Hat build of Cryostat Operator includes some pre-configured event templates. These pre-configured event templates might not meet your needs, so you can use Red Hat build of Cryostat Operator to generate custom event templates for your Cryostat instance and store these templates in ConfigMaps for easier retrieval. You can generate a custom event template in the following ways:

  • Use the Red Hat OpenShift web console to upload an event template into a custom resource.
  • Edit the YAML file for your Cryostat custom resource on the Red Hat OpenShift web console.

After you store a custom event template in a ConfigMap, you can deploy a new Cryostat instance with this custom event template. You can then use your custom event template with JFR to monitor your Java application to meet your needs.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.
  • Logged in to your Cryostat web console.

Procedure

  1. To download a default event template, navigate to your Cryostat web console and from the Events menu, click Downloads.

    Note

    Event templates are in XML format and have a file name extension of .jfc.

  2. Optional: If you want a custom event template, edit the downloaded default event template by using a text editor or XML editor to configure the template to meet your needs.
  3. Log in to your Red Hat OpenShift web console by entering the oc login command in your CLI.

  4. Create a ConfigMap resource from the event template by entering the following command in your CLI. You must issue the command in the path where you want to deploy your Cryostat application. You can use this resource to store an event template file that is inside the cluster where you run your Cryostat instance.

    Example of creating a ConfigMap resource by using the CLI

    $ oc create configmap <template_name> --from-file=<path_to_custom_event_template>

  5. On your Red Hat OpenShift web console, click Operators > Installed Operators.
  6. From the list of available operators, select Red Hat build of Cryostat.

  7. Under the Details tab on the Operator details page, create a Cryostat or Cluster Cryostat instance.

    1. In the Provided APIs section, the Cryostat and Cluster Cryostat custom resources (CRs) are available. Select one of the following options:

      • To create a single-namespace Cryostat instance, select Cryostat, then click Create instance.
      • To create a multi-namespace instance of Cryostat, select Cluster Cryostat, then click Create instance.

  8. Choose one of the following options to upload an event template in XML format into a resource:

    1. Click the Form view radio button.

      1. Navigate to the Event Templates section of the Cryostat or Cluster Cryostat instance.
      2. From the Event Templates menu, click Add Event Template. An Event Templates section opens on your Red Hat OpenShift console.

      3. From the Config Map Name drop-down list, select the ConfigMap resource that contains your event template.

        Figure 1.4. Event Templates option for a Cryostat instance

        Event Templates option for a Cryostat instance
      4. In the Filename field, enter the name of the .jfc file that is contained within your ConfigMap.
      5. To generate a Cryostat or a Cluster Cryostat instance with your custom event template, click Create.

    2. Click the YAML view radio button.

      1. Specify any custom event templates for the eventTemplates property. This property points the Red Hat build of Cryostat Operator to your ConfigMap, so that the Red Hat build of Cryostat Operator can read the event template.

        Example of specifying custom event templates for the eventTemplates property

        --
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  eventTemplates:
  - configMapName: custom-template1
    filename: my-template1.jfc
  - configMapName: custom-template2
    filename: my-template2.jfc
--

        Important

        You must select the name of a ConfigMap, which is associated with your Cryostat or Cluster Cryostat instance, from the configMapName drop-down list. Additionally, you must specify a key associated with the ConfigMap in the filename field.

        The Red Hat build of Cryostat Operator can now provide the custom event template as an XML file to your Cryostat application. Your custom event template opens alongside default event templates in your Cryostat web console.

Verification

  1. On the Cryostat web console, click Events from the menu. If an Authentication Required window opens on your web console, enter your credentials and click Save.

  2. Under the Event Templates tab, check if your custom event template shows in the list of available event templates.

    Figure 1.5. Example of a listed custom event template under the Event Templates tab

    Example of a listed custom event template under the Event Templates tab

Additional resources

1.5. Configuring TLS certificates

You can specify the Red Hat build of Cryostat Operator to configure Cryostat to trust TLS certificates from specific applications.

Cryostat attempts to open a JMX connection to a target JVM that uses a TLS certificate. For a successful JMX connection, the Cryostat must pass all its authentication checks on the target JVM certificate.

You can specify multiple TLS secrets in the trustedCertSecrets array of the Red Hat build of Cryostat Operator YAML configuration file. You must specify the secret located in the same namespace as your Cryostat application in the secretName property of the array. The certificateKey property defaults to tls.crt, but you can change the value to an X.509 certificate file name.

Important

Configuring a TLS certificate is required only for applications that have enabled TLS for remote JMX connections by using the com.sun.management.jmxremote.registry.ssl=true attribute.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the OpenShift web console.
  • Logged in to your Cryostat web console.

Procedure

  1. On your Red Hat OpenShift web console, click Operators > Installed Operators.
  2. From the list of available operators, select Red Hat build of Cryostat.
  3. On the Operator details page, click the Details tab.

  4. In the Provided APIs section, the Cryostat and Cluster Cryostat custom resources (CRs) are available. Select one of the following options:

    1. To create a single-namespace Cryostat instance, select Cryostat, then click Create instance.
    2. To create a multi-namespace instance of Cryostat, select Cluster Cryostat, then click Create instance.

  5. To configure a TLS certificate, choose one of the following options:

    1. Click the Form view radio button.

      1. In the Name field, specify a name for the instance of Cryostat that you want to create.

      2. Expand the Trusted TLS Certificates option, then click Add Trusted TLS Certificate. A list of options displays on your Red Hat OpenShift web console.

        Figure 1.6. The Trusted TLS Certificates option

        The *Trusted TLS Certificates* option

      3. Select a TLS secret from the Secret Name list. The Certificate Key field is optional.

        Note

        You can remove a TLS certificate by clicking Remove Trusted TLS Certificate.

      4. Click Create. Depending on the type of instance you created, the instance opens under one of the following tabs:

        • If you created a single-namespace Cryostat instance, the instance is available under the Cryostat tab on the Operator details page.
        • If you created a Cluster Cryostat instance, the instance is available under the Cluster Cryostat tab on the Operator details page.

    2. Click the YAML view radio button.

      1. Specify your secret, which is located in the same namespace as your Cryostat application, in the secretName property of the trustedCertSecrets array.

        Example of specifying a secret in the trustedCertSecrets array

        --
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  trustedCertSecrets:
  - secretName: my-tls-secret
--

      2. Optional: Change the certificateKey property value to the application’s X.509 certificate file name. If you do not change the value, the certificateKey property defaults to tls.crt.

        Example of changing the certificateKey property’s value

        --
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  trustedCertSecrets:
  - secretName: my-tls-secret
    certificateKey: ca.crt
--

      3. Click Save.

        The Red Hat build of Cryostat Operator automatically restarts your Cryostat instance with the configured security settings.

Verification

  1. Determine that all your application pods exist in the same OpenShift cluster namespace as your Cryostat pod by issuing the following command in your CLI: 

    $ oc get pods
  2. Log in to the web console of your Cryostat instance.
  3. On the Dashboard menu for your Cryostat instance, select a target JVM from the Target list.

  4. In the navigation menu on the Cryostat web console, select Recordings. On the Authentication Required dialog window, enter your secret’s credentials and then select Save to provide your credentials to the target JVM.

    Note

    If the selected target has password authentication enabled for JMX connections, you must provide the JMX credentials for the target JVM when prompted for a connection.

    Cryostat connects to your application through the authenticated JMX connection. You can now use the Recordings and Events functions to monitor your application’s JFR data.

Additional resources

1.6. Changing storage volume options

You can use the Red Hat build of Cryostat Operator to configure storage volumes for your Cryostat or Cluster Cryostat instance. Cryostat supports persistent volume claim (PVC) and emptyDir storage volume types.

By default, Red Hat build of Cryostat Operator creates a PVC for your Cryostat or Cluster Cryostat instance that uses the default StorageClass resource with 500 mebibytes (MiB) of allocated storage.

You can create a custom PVC for your Cryostat application on OpenShift Container Platform by choosing one of the following options:

  • Navigating to Storage Options > PVC > Spec in the Form view window, and then customizing your PVC by completing the relevant fields.
  • Navigating to the YAML view window, and then editing the storageOptions array in the spec: key set to meet your needs.
Note

You can learn more about creating a custom PVC by navigating to Changing storage volume options in the Using the Red Hat build of Cryostat Operator to configure Cryostat guide.

You can configure the emptyDir storage volume for your Cryostat application on OpenShift Container Platform by choosing one of the following options:

  • Enabling the Empty Dir setting in Storage Options on the Form view window.
  • Setting the spec.storageOptions.emptyDir.enabled to true in the YAML view window.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.

Procedure

  1. On your Red Hat OpenShift web console, click Operators > Installed Operators.

  2. From the list of available operators, select Red Hat build of Cryostat.

    1. Click the Details tab.

  3. In the Provided APIs section, the Cryostat and Cluster Cryostat custom resources (CRs) are available. Select one of the following options:

    • To create a single-namespace Cryostat instance, select Cryostat, then click Create instance.
    • To create a multi-namespace instance of Cryostat, select Cluster Cryostat, then click Create instance.

  4. To change storage settings for your Cryostat application, choose one of the following options:

    1. Click the Form view radio button.

      1. Navigate to the Storage Options section, and enter a value in the Name field.
      2. Expand Storage Options and click Empty Dir. An expanded selection of options opens on your Red Hat OpenShift web console.

      3. Set the Enabled switch to true.

        Figure 1.7. Example showing the Empty Dir switch set to true

        Example showing the *Empty Dir* switch set to `true`

      4. Click Create. Depending on the type of instance you created, the instance opens under one of the following tabs:

        • If you created a single-namespace Cryostat instance, the instance is available under the Cryostat tab on the Operator details page.
        • If you created a Cluster Cryostat instance, the instance is available under the Cluster Cryostat tab on the Operator details page.

    2. Click the YAML view radio button.

      1. In the spec: key set of the YAML file, add the storageOptions definition and set the emptyDir property to true.

        Example showing the emptyDir property set as true

        --
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  storageOptions:
    emptyDir:
      enabled: true
      medium: "Memory"
      sizeLimit: 1Gi
--

      2. Optional: Set values for the medium and sizeLimit properties.
      3. Click the Save button. The Red Hat build of Cryostat Operator creates an EmptyDir volume for storage instead of creating a PVC for your Cryostat instance.

1.7. Scheduling options for Cryostat

From the Red Hat OpenShift web console, you can use the Red Hat build of Cryostat Operator to define policies for scheduling a Cryostat application and its generated reports to nodes.

You can define Node Selector, Affinities, and Tolerations definitions in the YAML configuration file for a Cryostat or Cluster Cryostat custom resource (CR) on Red Hat OpenShift. You must define these definitions under the spec.SchedulingOptions property for the Cryostat application and the spec.ReportOptions.SchedulingOptions property for the report generator sidecar. By specifying the SchedulingOptions property, the Cryostat application and its report generator sidecar pods will be scheduled on nodes that meet the scheduling criteria.

a targeted node application can receive sidecar reports updates from a Cryostat instance.

Example that shows the YAML configuration for a Cryostat CR that defines schedule options

kind: Cryostat
apiVersion: operator.cryostat.io/v1beta1
metadata:
  name: cryostat
spec:
  schedulingOptions:
    nodeSelector:
      node: good
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: node
              operator: In
              values:
              - good
              - better
      podAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              pod: good
          topologyKey: topology.kubernetes.io/zone
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              pod: bad
          topologyKey: topology.kubernetes.io/zone
    tolerations:
    - key: node
      operator: Equal
      value: ok
      effect: NoExecute
  reportOptions:
    replicas: 1
    schedulingOptions:
      nodeSelector:
        node: good
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node
                operator: In
                values:
                - good
                - better
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                pod: good
            topologyKey: topology.kubernetes.io/zone
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                pod: bad
            topologyKey: topology.kubernetes.io/zone
      tolerations:
      - key: node
        operator: Equal
        value: ok
        effect: NoExecute

Alternatively, you can open your Red Hat OpenShift web console, create a Cryostat instance, and then define Affinities and Tolerations definitions in the SchedulingOptions and reportOptions.SchedulingOptions options for that Cryostat instance.

Figure 1.8. The Report Options and Scheduling Options panels on the OpenShift web console

The *Report Options* and *Scheduling Options* panels on the Red Hat OpenShift web console
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.