cryostatio
diff --git a/‎charts/cryostat/README.md‎
Lines changed: 87 additions & 86 deletions b/‎charts/cryostat/README.md‎
Lines changed: 87 additions & 86 deletions
diff --git a/‎charts/cryostat/templates/cryostat_deployment.yaml‎
Lines changed: 9 additions & 4 deletions b/‎charts/cryostat/templates/cryostat_deployment.yaml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎charts/cryostat/templates/discovery_clusterrole.yaml‎
Lines changed: 52 additions & 0 deletions b/‎charts/cryostat/templates/discovery_clusterrole.yaml‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎charts/cryostat/templates/discovery_clusterrolebinding.yaml‎
Lines changed: 16 additions & 0 deletions b/‎charts/cryostat/templates/discovery_clusterrolebinding.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎charts/cryostat/templates/role.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/cryostat/templates/role.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/cryostat/templates/rolebinding.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/cryostat/templates/rolebinding.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/cryostat/tests/cryostat_deployment_test.yaml‎
Lines changed: 117 additions & 0 deletions b/‎charts/cryostat/tests/cryostat_deployment_test.yaml‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎charts/cryostat/tests/discovery_clusterrole_test.yaml‎
Lines changed: 101 additions & 0 deletions b/‎charts/cryostat/tests/discovery_clusterrole_test.yaml‎
Lines changed: 101 additions & 0 deletions
@@ -118,16 +118,21 @@ spec:
             value: http://localhost:3000
           - name: GRAFANA_DASHBOARD_EXT_URL
             value: /grafana/
-          {{- if .Values.core.discovery.kubernetes.enabled }}
+          {{- with .Values.core.discovery.kubernetes }}
+          {{- if .enabled }}
           - name: CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED
             value: "true"
-          {{- with .Values.core.discovery.kubernetes }}
-          - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
-            value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }}
           - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES
             value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }}
           - name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS
             value: {{ include "cryostat.commaSepList" (list .portNumbers 9091 .builtInPortNumbersDisabled) }}
+          {{- if .allowAllNamespaces }}
+          - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
+            value: '*'
+          {{- else }}
+          - name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
+            value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }}
+          {{- end }}
           {{- end }}
           {{- end }}
           {{- with (.Values.core.config.extra).envVars }}
 
@@ -0,0 +1,52 @@
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allowAllNamespaces -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cryostat.fullname" . }}-discovery
+  labels:
+    {{- include "cryostat.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - list
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - replicationcontrollers
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  - deployments
+  - daemonsets
+  - statefulsets
+  verbs:
+  - get
+- apiGroups:
+  - apps.openshift.io
+  resources:
+  - deploymentconfigs
+  verbs:
+  - get
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+{{- end -}}
@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled .Values.core.discovery.kubernetes.allowAllNamespaces -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cryostat.fullname" . }}-discovery
+  labels:
+    {{- include "cryostat.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cryostat.fullname" . }}-discovery
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cryostat.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
@@ -50,7 +50,7 @@ rules:
 {{- end -}}
 {{- end -}}
 
-{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled (not .Values.core.discovery.kubernetes.allowAllNamespaces) -}}
 {{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}}
 {{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}}
 {{- $watchNs = list .Release.Namespace -}}
 
@@ -20,7 +20,7 @@ subjects:
 {{- end -}}
 {{- end -}}
 
-{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled (not .Values.core.discovery.kubernetes.allowAllNamespaces) -}}
 {{- $watchNs := compact (default list .Values.core.discovery.kubernetes.namespaces) | uniq -}}
 {{- if and (not $watchNs) (not .Values.core.discovery.kubernetes.installNamespaceDisabled) -}}
 {{- $watchNs = list .Release.Namespace -}}
 
@@ -1204,3 +1204,120 @@ tests:
           - secretRef:
               name: sercret-special-config-for-main
               optional: false
+
+  - it: should allow Kubernetes discovery disabling
+    set:
+      core.discovery.kubernetes.enabled: false
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')]
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')]
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')]
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')]
+
+  - it: should allow Kubernetes discovery built-in names and number disabling
+    set:
+      core.discovery.kubernetes.builtInPortNamesDisabled: true
+      core.discovery.kubernetes.builtInPortNumbersDisabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
+          value: "NAMESPACE"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
+          value: ""
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
+          value: ""
+
+  - it: should allow Kubernetes discovery namespaces customization
+    set:
+      core.discovery.kubernetes.namespaces: ['a', 'b']
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
+          value: "a,b"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
+          value: "jfr-jmx"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
+          value: "9091"
+
+  - it: should allow Kubernetes discovery port name customization
+    set:
+      core.discovery.kubernetes.portNames: ['a', 'b']
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
+          value: "NAMESPACE"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
+          value: "a,b"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
+          value: "9091"
+
+  - it: should allow Kubernetes discovery port number customization
+    set:
+      core.discovery.kubernetes.portNumbers: [1, 2]
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
+          value: "NAMESPACE"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
+          value: "jfr-jmx"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
+          value: "1,2"
+
+  - it: should allow Kubernetes All Namespaces mode
+    set:
+      core.discovery.kubernetes.allowAllNamespaces: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
+          value: "*"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
+          value: "jfr-jmx"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
+          value: "9091"
+
+  - it: Kubernetes All Namespaces mode should override individual namespace settings
+    set:
+      core.discovery.kubernetes.allowAllNamespaces: true
+      core.discovery.kubernetes.namespaces: ['a', 'b']
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value
+          value: "true"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value
+          value: "*"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value
+          value: "jfr-jmx"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value
+          value: "9091"
@@ -0,0 +1,101 @@
+suite: test discovery_clusterrole.yaml
+templates:
+  - discovery_clusterrole.yaml
+
+tests:
+  - it: should do nothing if Kubernetes All Namespaces discovery is not enabled
+    set:
+      rbac.create: true
+      core.discovery.kubernetes.enabled: true
+      core.discovery.kubernetes.allowAllNamespaces: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should do nothing if Kubernetes discovery is not enabled
+    set:
+      rbac.create: true
+      core.discovery.kubernetes.enabled: false
+      core.discovery.kubernetes.allowAllNamespaces: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should do nothing if RBAC creation is not enabled
+    set:
+      rbac.create: false
+      core.discovery.kubernetes.enabled: true
+      core.discovery.kubernetes.allowAllNamespaces: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create ClusterRole
+    set:
+      rbac.create: true
+      core.discovery.kubernetes.enabled: true
+      core.discovery.kubernetes.allowAllNamespaces: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: kind
+          value: ClusterRole
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-cryostat-discovery
+      - equal:
+          path: metadata.labels
+          value:
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/part-of: cryostat
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: cryostat
+            app.kubernetes.io/version: "4.1.0-dev"
+            helm.sh/chart: cryostat-2.0.0-dev
+      - equal:
+          path: rules
+          value:
+            - apiGroups:
+              - ""
+              resources:
+              - namespaces
+              verbs:
+              - list
+            - apiGroups:
+              - discovery.k8s.io
+              resources:
+              - endpointslices
+              verbs:
+              - get
+              - list
+              - watch
+            - apiGroups:
+              - ""
+              resources:
+              - pods
+              - replicationcontrollers
+              verbs:
+              - get
+            - apiGroups:
+              - apps
+              resources:
+              - replicasets
+              - deployments
+              - daemonsets
+              - statefulsets
+              verbs:
+              - get
+            - apiGroups:
+              - apps.openshift.io
+              resources:
+              - deploymentconfigs
+              verbs:
+              - get
+            - apiGroups:
+              - route.openshift.io
+              resources:
+              - routes
+              verbs:
+              - get
+              - list