Cryostat has been at the forefront of providing advanced monitoring and management tools for Java applications on Red Hat OpenShift. With the release of Red Hat build of Cryostat 3.0, a range of new features and enhancements is now available, designed to streamline operations, enhance security, and improve overall functionality. Here’s an in-depth look at what’s new and how these updates can benefit users.
Cryostat database (DB)
One of the most significant additions in Cryostat 3.0 is the introduction of the Cryostat database (DB) container image (cryostat-db). This container, which is deployed automatically when you install Cryostat via the Cryostat Operator or a Helm chart, provides a customized Postgres database. Centralizing data storage in a robust Postgres database enhances data integrity and management efficiency, significantly improving how encrypted JMX credentials, automated rules, and discovery plug-ins are handled.
Cryostat storage
Cryostat 3.0 also introduces the Cryostat Storage container (cryostat-storage), offering a customized SeaweedFS storage solution that acts as an S3-compatible provider. This enhancement allows archived Flight Recordings and custom Event Templates to be stored more efficiently without direct file-system access, leading to better scalability and flexibility in managing stored data.
Reverse proxy
The inclusion of a reverse proxy in Cryostat 3.0 significantly enhances security and access control. This proxy handles all API requests and user sessions, integrating seamlessly with Red Hat OpenShift's role-based access control (RBAC) and single sign-on (SSO) systems. By routing all traffic through the proxy, Cryostat ensures secure and managed access to its services, providing a consistent and secure user experience for both the Cryostat web console and Grafana dashboard.
Operator enhancements
Support is no longer provided for installing the Cryostat Operator in a single namespace or subset of cluster namespaces.
From Cryostat 3.0 onward, the Cryostat Operator can only be installed on a cluster-wide basis. Cluster-wide installation is the preferred mode for the Operator Lifecycle Manager and per-namespace installations are a deprecated feature.
Cryostat 3.0 allows users to specify a custom host name for the Cryostat route via the .spec.networkOptions.coreConfig.externalHost property in the Cryostat custom resource (CR). This flexibility enables users to assign meaningful and easily identifiable host names to their Cryostat instances, improving accessibility and management. Hostnames can be specified during the creation of the Cryostat CR, making setup straightforward. See Figure 1.
Dynamic attachment
With the new dynamic attachment feature, the Cryostat agent can attach to a running Java Virtual Machine (JVM) without requiring an application restart. This zero-downtime approach is ideal for ad hoc profiling and troubleshooting, where the agent does not need to be attached continuously. The ability to dynamically attach to the JVM without requiring downtime enhances flexibility and operational efficiency.
Furthermore, users can now launch the Cryostat agent as a standalone Java process to attach it dynamically to a running JVM. Launching the agent with simple command-line instructions improves ease of use and deployment flexibility. The support for additional late-binding configuration options allows for tailored setups to meet specific needs, simplifying operations and enhancing usability.
Cryostat and Quarkus
Cryostat 3.0 brings several container enhancements, such as reimplementing the main Cryostat container with Quarkus for better performance and security, and supporting multi-namespace instances via the Cryostat API. The switch to Quarkus leverages its strengths for higher performance and data security, while multi-namespace support simplifies managing Cryostat across different namespaces, enhancing flexibility and control.
Role-based access control
The new release includes role-based access control (RBAC) enhancements for user access and additional validation checks for Cryostat CR objects, ensuring that users have the necessary permissions. By applying consistent RBAC permission checks, Cryostat ensures that only authorized users can access its features, improving overall security. Robust validation prevents configuration errors by ensuring users have the right permissions to create Cryostat CRs.
Helm support
Cryostat 3.0 also allows users to set specific configuration parameters for the Cryostat Helm chart, enhancing deployment and management flexibility. Customizable deployments enable users to tailor their Cryostat setup to specific needs, whether enabling or disabling certain authentication methods or configuring access reviews. The support for both Red Hat OpenShift Single Sign-On (SSO) and basic authentication provides multiple layers of security.
Deprecations
Cryostat 3.0 has deprecated certain features to streamline operations and focus on more effective solutions. The removal of the Cluster Cryostat API and support for single-namespace Operator installations reduces maintenance overhead and enhances the overall efficiency of the tool.
Cryostat 3.0 is a significant step forward, bringing numerous enhancements that improve performance, security, and flexibility. Whether you are managing data storage, handling JVM profiling, or configuring deployment settings, Cryostat 3.0 offers robust solutions that cater to a wide range of needs. Upgrade to Cryostat 3.0 to experience these powerful new features and streamline your Java application monitoring and management.
How to use Cryostat for your Java workloads
You can install the Red Hat build of Cryostat using our OpenShift operator, available in Red Hat OpenShift's Operator Hub.
For non-production usage, you can also try our Helm chart, included as part of OpenShift’s Helm chart repository.