A Helm chart for deploying Cryostat on Kubernetes and OpenShift.
Kubernetes: >= 1.25.0-0
The chart is available at the following repositories:
To install the chart, add the repository and install, for example:
helm repo add cryostat-charts https://cryostat.io/helm-charts
helm repo update
helm install cryostat cryostat-charts/cryostatThe chart is also available as an OCI image on GitHub Container Registry (ghcr.io).
To install the chart, run:
helm install cryostat oci://ghcr.io/cryostatio/cryostat-helm --version $VERSIONTo install the chart from source code, run:
git clone https://github.com/cryostatio/cryostat-helm
cd cryostat-helm
helm install cryostat ./charts/cryostat| Name | Description | Value |
|---|---|---|
core |
Configuration for the core Cryostat application | |
core.image.repository |
Repository for the main Cryostat container image | quay.io/cryostat/cryostat |
core.image.pullPolicy |
Image pull policy for the main Cryostat container image | Always |
core.image.tag |
Tag for the main Cryostat container image | 4.0.0-snapshot |
core.service.type |
Type of Service to create for the Cryostat application | ClusterIP |
core.service.httpPort |
Port number to expose on the Service for Cryostat's HTTP server | 8181 |
core.debug.log.level |
Log level for troubleshooting and debugging | INFO |
core.sslProxied |
Enables SSL Proxied Environment Variables, useful when you are offloading SSL/TLS at External Loadbalancer instead of Ingress | false |
core.ingress.enabled |
Whether to create an Ingress object for the Cryostat service | false |
core.ingress.className |
Ingress class name for the Cryostat application Ingress | "" |
core.ingress.annotations |
Annotations to apply to the Cryostat application Ingress | {} |
core.ingress.hosts |
Hosts to create rules for in the Cryostat application Ingress. See: IngressSpec | [] |
core.ingress.tls |
TLS configuration for the Cryostat application Ingress. See: IngressSpec | [] |
core.route.enabled |
Whether to create a Route object for the Cryostat service. Available only on OpenShift | false |
core.route.tls.enabled |
Whether to secure the Cryostat application Route with TLS. See: TLSConfig | true |
core.route.tls.termination |
Type of TLS termination to use for the Cryostat application Route. One of: edge, passthrough, reencrypt |
edge |
core.route.tls.insecureEdgeTerminationPolicy |
Specify how to handle insecure traffic for the Cryostat application Route. One of: Allow, Disable, Redirect |
Redirect |
core.route.tls.key |
Custom private key to use when securing the Cryostat application Route | "" |
core.route.tls.certificate |
Custom certificate to use when securing the Cryostat application Route | "" |
core.route.tls.caCertificate |
Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | "" |
core.route.tls.destinationCACertificate |
Provides the contents of the CA certificate of the final destination when using reencrypt termination for the Cryostat application Route | "" |
core.resources.requests.cpu |
CPU resource request for the Cryostat container. See: ResourceRequirements | 500m |
core.resources.requests.memory |
Memory resource request for the Cryostat container. | 384Mi |
core.securityContext |
Security Context for the Cryostat container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
core.databaseSecretName |
Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | "" |
core.discovery |
Configuration options to the Cryostat application's target discovery mechanisms | |
core.discovery.kubernetes.enabled |
Enables Kubernetes API discovery mechanism | true |
core.discovery.kubernetes.installNamespaceDisabled |
When false and namespaces is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. {{ .Release.Namespace }}) |
false |
core.discovery.kubernetes.namespaces |
List of namespaces whose workloads the Cryostat application should be permitted to access and profile | [] |
core.discovery.kubernetes.builtInPortNamesDisabled |
When false and portNames is empty, the Cryostat application will use the default port name jfr-jmx to look for JMX connectable targets. |
false |
core.discovery.kubernetes.portNames |
List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | [] |
core.discovery.kubernetes.builtInPortNumbersDisabled |
When false and portNumbers is empty, the Cryostat application will use the default port number 9091 to look for JMX connectable targets. |
false |
core.discovery.kubernetes.portNumbers |
List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | [] |
| Name | Description | Value |
|---|---|---|
reports |
Configuration for the Reports Generator deployment | |
reports.image.repository |
Repository for the Report Generator container image | quay.io/cryostat/cryostat-reports |
reports.image.pullPolicy |
Image pull policy for the Report Generator container image | Always |
reports.image.tag |
Tag for the Report Generator image | 4.0.0-snapshot |
reports.service.type |
Type of Service to create for the Report Generator Deployment | ClusterIP |
reports.service.httpPort |
Port number to expose on the Service for the Report Generator Deployment | 10001 |
reports.replicas |
Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | 0 |
reports.resources.requests.cpu |
CPU resource request for each Pod in the Report Generator Deployment. | 500m |
reports.resources.requests.memory |
Memory resource request for each Pod in the Report Generator Deployment. | 512Mi |
reports.securityContext |
Security Context for the Report Generator containers. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
| Name | Description | Value |
|---|---|---|
db |
Configuration for Cryostat's database | |
db.image.repository |
Repository for the database container image | quay.io/cryostat/cryostat-db |
db.image.pullPolicy |
Image pull policy for the database container image | Always |
db.image.tag |
Tag for the database container image | latest |
db.service.type |
Type of Service to create for the database | ClusterIP |
db.service.port |
Port number to expose on the Service | 5432 |
db.resources.requests.cpu |
CPU resource request for the database container. See: ResourceRequirements | 25m |
db.resources.requests.memory |
Memory resource request for the database container. | 64Mi |
db.securityContext |
Security Context for the database container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
| Name | Description | Value |
|---|---|---|
storage |
Configuration for Cryostat's object storage provider | |
storage.storageSecretName |
Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | "" |
storage.image.repository |
Repository for the storage container image | quay.io/cryostat/cryostat-storage |
storage.image.pullPolicy |
Image pull policy for the storage container image | Always |
storage.image.tag |
Tag for the storage container image | latest |
storage.encryption.enabled |
Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security. | true |
storage.service.type |
Type of Service to create for the object storage | ClusterIP |
storage.service.port |
Port number to expose on the Service | 8333 |
storage.resources.requests.cpu |
CPU resource request for the object storage container. See: ResourceRequirements | 50m |
storage.resources.requests.memory |
Memory resource request for the object storage container. | 256Mi |
storage.securityContext |
Security Context for the storage container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
| Name | Description | Value |
|---|---|---|
grafana |
Configuration for the customized Grafana instance for Cryostat | |
grafana.image.repository |
Repository for the Grafana container image | quay.io/cryostat/cryostat-grafana-dashboard |
grafana.image.pullPolicy |
Image pull policy for the Grafana container image | Always |
grafana.image.tag |
Tag for the Grafana container image | latest |
grafana.service.type |
Type of Service to create for Grafana | ClusterIP |
grafana.service.port |
Port number to expose on the Service for Grafana's HTTP server | 3000 |
grafana.resources.requests.cpu |
CPU resource request for the Grafana container. See: ResourceRequirements | 25m |
grafana.resources.requests.memory |
Memory resource request for the Grafana container. | 80Mi |
grafana.securityContext |
Security Context for the Grafana container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
| Name | Description | Value |
|---|---|---|
datasource |
Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | |
datasource.image.repository |
Repository for the JFR Data Source container image | quay.io/cryostat/jfr-datasource |
datasource.image.pullPolicy |
Image pull policy for the JFR Data Source container image | Always |
datasource.image.tag |
Tag for the JFR Data Source container image | latest |
datasource.resources.requests.cpu |
CPU resource request for the JFR Data Source container. See: ResourceRequirements | 200m |
datasource.resources.requests.memory |
Memory resource request for the JFR Data Source container. | 200Mi |
datasource.securityContext |
Security Context for the JFR Data Source container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
| Name | Description | Value |
|---|---|---|
authentication.cookieSecretName |
Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | "" |
authentication.openshift.enabled |
Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | false |
authentication.openshift.clusterRole.name |
The name of the ClusterRole to bind for the OpenShift OAuth Proxy | system:auth-delegator |
authentication.basicAuth.enabled |
Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | false |
authentication.basicAuth.secretName |
Name of the Secret that contains the credentials within Cryostat's namespace (Required if basicAuth is enabled) | "" |
authentication.basicAuth.filename |
Key within Secret containing the htpasswd file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the bcrypt hash of the desired password. Such an entry can be generated with ex. htpasswd -nbB username password (Required if basicAuth is enabled) |
"" |
| Name | Description | Value |
|---|---|---|
oauth2Proxy.image.repository |
Repository for the OAuth2 Proxy container image | quay.io/oauth2-proxy/oauth2-proxy |
oauth2Proxy.image.pullPolicy |
Image pull policy for the OAuth2 Proxy container image | Always |
oauth2Proxy.image.tag |
Tag for the OAuth2 Proxy container image | latest |
oauth2Proxy.resources.requests.cpu |
CPU resource request for the OAuth2 Proxy container. | 25m |
oauth2Proxy.resources.requests.memory |
Memory resource request for the OAuth2 Proxy container. | 64Mi |
oauth2Proxy.securityContext |
Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext. If the chart is installed in default namespaces (e.g. default), securityContext.runAsUser must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See Understanding and Managing Pod Security Admission. |
{} |
| Name | Description | Value |
|---|---|---|
openshiftOauthProxy.image.repository |
Repository for the OpenShift OAuth Proxy container image | quay.io/cryostat/openshift-oauth-proxy |
openshiftOauthProxy.image.pullPolicy |
Image pull policy for the OpenShift OAuth Proxy container image | Always |
openshiftOauthProxy.image.tag |
Tag for the OpenShift OAuth Proxy container image | cryostat-v3.0 |
openshiftOauthProxy.resources.requests.cpu |
CPU resource request for the OpenShift OAuth Proxy container. | 25m |
openshiftOauthProxy.resources.requests.memory |
Memory resource request for the OpenShift OAuth Proxy container. | 64Mi |
openshiftOauthProxy.accessReview.enabled |
Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | true |
openshiftOauthProxy.accessReview.group |
The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | "" |
openshiftOauthProxy.accessReview.resource |
The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | pods |
openshiftOauthProxy.accessReview.subresource |
The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | exec |
openshiftOauthProxy.accessReview.name |
The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | "" |
openshiftOauthProxy.accessReview.namespace |
The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. | {{ .Release.Namespace }} |
openshiftOauthProxy.accessReview.verb |
The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | create |
openshiftOauthProxy.accessReview.version |
The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | "" |
openshiftOauthProxy.securityContext |
Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" Pod Security Standard. See: SecurityContext | {} |
| Name | Description | Value |
|---|---|---|
imagePullSecrets |
Image pull secrets to be used for the Cryostat deployment | [] |
nameOverride |
Overrides the name of this Chart | "" |
fullnameOverride |
Overrides the fully qualified application name of [release name]-[chart name] |
"" |
rbac.create |
Specifies whether RBAC resources should be created | true |
serviceAccount.create |
Specifies whether a service account should be created | true |
serviceAccount.annotations |
Annotations to add to the service account | {} |
serviceAccount.name |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
podAnnotations |
Annotations to be applied to the Cryostat Pod | {} |
podSecurityContext |
Security Context for the Cryostat Pod. Defaults to meet "restricted" Pod Security Standard. See: PodSecurityContext | {} |
nodeSelector |
Node Selector for the Cryostat Pod. See: NodeSelector | {} |
tolerations |
Tolerations for the Cryostat Pod. See: Tolerations | [] |
affinity |
Affinity for the Cryostat Pod. See: Affinity | {} |
pvc.enabled |
Specify whether to use persistentVolumeClaim or EmptyDir storage | false |
pvc.annotations |
Annotations to add to the persistentVolumeClaim | {} |
pvc.storage |
Storage size to request for the persistentVolumeClaim | 500Mi |
pvc.accessModes |
Access mode for the persistentVolumeClaim. See: Access Modes | ["ReadWriteOnce"] |
pvc.selector |
Selector for the persistentVolumeClaim. See: Selector | {} |
pvc.storageClassName |
The name of the StorageClass for the persistentVolumeClaim. See: Class | undefined |