sample app agent fixup, TLS
andrewazores committed Oct 4, 2024
1 parent 2a8caca commit 7b83f39
Showing 3 changed files with 117 additions and 9 deletions.
10 changes: 9 additions & 1 deletion Makefile
Expand Up @@ -388,7 +388,7 @@ SAMPLE_APP_FLAGS += -n $(SAMPLE_APP_NAMESPACE)
endif

.PHONY: sample_app
sample_app: ## Deploy sample app.
sample_app: undeploy_sample_app ## Deploy sample app.
$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app.yaml

.PHONY: undeploy_sample_app
Expand All @@ -408,6 +408,14 @@ sample_app_agent: undeploy_sample_app_agent ## Deploy sample app with Cryostat A
$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent.yaml; \
$(CLUSTER_CLIENT) set env $(SAMPLE_APP_FLAGS) deployment/quarkus-cryostat-agent CRYOSTAT_AGENT_AUTHORIZATION="Bearer $(AUTH_TOKEN)"

.PHONY: undeploy_sample_app_agent_proxy
undeploy_sample_app_agent_proxy: ## Undeploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent-tls-proxy.yaml

.PHONY: sample_app_agent_proxy
sample_app_agent_proxy: undeploy_sample_app_agent_proxy ## Deploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent-tls-proxy.yaml

.PHONY: undeploy_sample_app_agent
undeploy_sample_app_agent: ## Undeploy sample app with Cryostat Agent.
- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent.yaml
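Review bot: The new `sample_app_agent_proxy` target at the end of the second hunk applies config/samples/sample-app-agent-tls-proxy.yaml as-is, yet that manifest (added in this same commit) hardcodes a `secretName` under a `# FIXME` asking the Makefile to determine it at deployment time, so on any cluster where that hashed Secret name differs the pod will sit in ContainerCreating waiting for a volume that never arrives. Until the target resolves the name (for example by patching the manifest before the `apply`), its help text should state the assumption: `sample_app_agent_proxy: undeploy_sample_app_agent_proxy ## Deploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy (the agent TLS Secret named in the sample manifest must already exist in the target namespace).` The target otherwise follows the existing deploy/undeploy pattern, including the `-` prefix on the undeploy recipe, and unlike `sample_app_agent` it sets no CRYOSTAT_AGENT_AUTHORIZATION, which presumably is intentional because the proxy authenticates the agent by client certificate.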
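--- a/config/samples/sample-app-agent-tls-proxy.yaml
+++ b/config/samples/sample-app-agent-tls-proxy.yaml
@@ -0,0 +1,95 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+labels:
+app: quarkus-cryostat-agent-tls-proxy
+name: quarkus-cryostat-agent-tls-proxy
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: quarkus-cryostat-agent-tls-proxy
+template:
+metadata:
+labels:
+app: quarkus-cryostat-agent-tls-proxy
+spec:
+containers:
+- env:
+- name: CRYOSTAT_AGENT_APP_NAME
+value: agent-test
+- name: NAMESPACE
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.namespace
+- name: CRYOSTAT_AGENT_API_WRITES_ENABLED
+value: "true"
+- name: CRYOSTAT_AGENT_BASEURI
+value: https://cryostat-sample-agent.$(NAMESPACE).svc:8282
+- name: POD_IP
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: status.podIP
+- name: CRYOSTAT_AGENT_CALLBACK
+value: http://$(POD_IP):9977
+- name: JAVA_OPTS_APPEND
+value: |-
+-Dquarkus.http.host=0.0.0.0
+-Djava.util.logging.manager=org.jboss.logmanager.LogManager
+-javaagent:/deployments/app/cryostat-agent.jar
+-Dcryostat.agent.webclient.tls.client-auth.cert.path=/var/run/secrets/io.cryostat/cryostat-agent/tls.crt
+-Dcryostat.agent.webclient.tls.client-auth.key.path=/var/run/secrets/io.cryostat/cryostat-agent/tls.key
+-Dcryostat.agent.webclient.tls.truststore.cert[0].path=/var/run/secrets/io.cryostat/cryostat-agent/ca.crt
+-Dcryostat.agent.webclient.tls.truststore.cert[0].type=X.509
+-Dcryostat.agent.webclient.tls.truststore.cert[0].alias=cryostat
+image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
+imagePullPolicy: Always
+name: quarkus-cryostat-agent-tls-proxy
+ports:
+- containerPort: 10010
+protocol: TCP
+- containerPort: 9097
+protocol: TCP
+resources:
+limits:
+cpu: 500m
+memory: 256Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+volumeMounts:
+- mountPath: /var/run/secrets/io.cryostat/cryostat-agent
+name: agent-tls
+restartPolicy: Always
+securityContext:
+runAsNonRoot: true
+volumes:
+- name: agent-tls
+secret:
+# FIXME determine the secretName at deployment time in the Makefile and patch it here
+secretName: cryostat-agent-f46ed1c40de4d61ac533fef337f7705ac39c8690f91a9cdca5185140f0455563
+defaultMode: 420
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app: quarkus-cryostat-agent-tls-proxy
+name: quarkus-cryostat-agent-tls-proxy
+spec:
+selector:
+app: quarkus-cryostat-agent-tls-proxy
+ports:
+- name: agent-http
+port: 9977
+protocol: TCP
+targetPort: 9977
+- name: app-http
+port: 10010
+protocol: TCP
+targetPort: 10010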
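Review bot: `secretName: cryostat-agent-f46ed1c4…` under the `agent-tls` volume is a hashed name valid for one particular Cryostat instance only, and the `# FIXME` above it confirms it is a placeholder; anyone applying this sample elsewhere gets a pod stuck in ContainerCreating waiting for a Secret that does not exist, so until the Makefile patches the value in, a comment naming where the name comes from (the Secret the operator creates for the agent, if that is indeed its origin) would help the next reader. The container `ports` list declares 9097, which nothing in this manifest's JAVA_OPTS_APPEND enables (unlike sample-app-agent.yaml, no jmxremote options are set), while the agent callback port 9977 that the Service targets is not declared at all; aligning the two avoids a misleading manifest. `defaultMode: 420` (0644) leaves tls.key readable by every user inside the container; a tighter mode such as 0440 combined with an `fsGroup`, or 0400 when the runtime UID owns the file, is the usual choice, but confirm the non-root process can still open it. Finally, CRYOSTAT_AGENT_CALLBACK stays `http://$(POD_IP):9977` in a manifest whose purpose is TLS, which presumably is acceptable for the sample but deserves a one-line comment saying so.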
21 changes: 13 additions & 8 deletions config/samples/sample-app-agent.yaml
Expand Up @@ -37,12 +37,17 @@ spec:
value: http://$(POD_IP):9977
- name: CRYOSTAT_AGENT_AUTHORIZATION
value: Bearer abcd1234
- name: CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__PATH
value: /var/run/secrets/myapp/truststore.p12
- name: CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__TYPE
value: X.509
- name: CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__ALIAS
value: cryostat-sample
- name: JAVA_OPTS_APPEND
value: |-
-Dquarkus.http.host=0.0.0.0
-Djava.util.logging.manager=org.jboss.logmanager.LogManager
-Dcom.sun.management.jmxremote.port=9097
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-javaagent:/deployments/app/cryostat-agent.jar
-Dcryostat.agent.webclient.tls.truststore.cert[0].path=/var/run/secrets/myapp/ca.crt
-Dcryostat.agent.webclient.tls.truststore.cert[0].type=X.509
-Dcryostat.agent.webclient.tls.truststore.cert[0].alias=cryostat-sample
image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
imagePullPolicy: Always
name: quarkus-cryostat-agent
Expand All @@ -64,9 +69,9 @@ spec:
drop:
- ALL
volumeMounts:
- mountPath: /var/run/secrets/myapp/truststore.p12
- mountPath: /var/run/secrets/myapp/ca.crt
name: truststore
subPath: truststore.p12
subPath: ca.crt
restartPolicy: Always
securityContext:
runAsNonRoot: true
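Review bot: The JAVA_OPTS_APPEND block added in the first hunk turns on JMX remote on 9097 with `-Dcom.sun.management.jmxremote.ssl=false` and `-Dcom.sun.management.jmxremote.authenticate=false`, i.e. unauthenticated plaintext JMX, without any note that this is a sample-only setting; a YAML comment such as `# JMX remote is left unauthenticated/unencrypted for this sample only` on the line above the options would keep that explicit. Also, with only `jmxremote.port` set the RMI server socket is chosen at random, so reaching JMX through a Service or port-forward generally also needs `-Dcom.sun.management.jmxremote.rmi.port=9097`; it is unclear from the hunk whether that path is exercised. The truststore settings move from `CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__*` env vars to system properties and the mount in the second hunk becomes `subPath: ca.crt`, which requires the `truststore` volume (defined outside both hunks) to carry a `ca.crt` key holding a PEM certificate rather than the old `truststore.p12`; worth confirming the volume source was updated accordingly. The enclosing `spec` starts before both hunks.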
