Chapter 2. New features

Cryostat 2.0 introduces new features that enhance your use of the Cryostat product.

API permissions for the Cryostat application

The Cryostat Operator creates a service account and then configures the Cryostat application to use the service account. The Cryostat Operator checks the service account to ensure its permissions remain in sync with those expected by the authorization check.

In Cryostat 1, the Cryostat Operator applied its own service account’s permissions to a Cryostat application. This provided excessive permissions to the Cryostat application.

Automated rules

In Cryostat 2.0, you can use automated rules to enable JFR to continuously monitor a running target application. You do not need to restart or redeploy the application.

You could continue to enable always-on continuous monitoring for an application by setting JVM flags, but this method requires an application restart.

Cryostat 2.0 includes continuous monitoring event templates that you can use to create automated rules and templates. By using continuous monitoring event templates, you can reduce the downtime needed to configure JFR to continuously monitor an application.

You must specify of the following automated rule definitions for an automated rule:

  • One-shot rule definition: You can now create a simple configuration of one-shot automated rules for your JFR configuration. The eventSpecifier property contains the simple string value archive.
  • matchExpression definition: Mandatory component of an automated rule that defines the JVM targets that must receive the rule. Cryostat uses this definition to apply rules to any JVM targets that match the regular expressions defined in the matchExpression string expression. Valid string expressions include separator, operator, and simple expressions.

    • You can apply OpenShift labels or annotations as criteria for a matchExpression definition.

After you upload an automated rule to Cryostat in JSON format, Cryostat validates the definition file.

You can immediately activate a rule definition for any previously defined matching targets. You do not need to re-add or restart targets after you create a rule definition.

You can delete a rule definition by adding the clean=true HTTP query parameter to your DELETE requests for rule definitions. This parameter directs Cryostat to delete only active recordings. Archived recordings do not get targeted for deletion.
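
The following client-side pre-check for a rule definition file is an added example, not code from Cryostat or its documentation. It tests the mandatory matchExpression, recognizes the one-shot archive specifier, and builds the DELETE URL with clean=true. The /api/v2/rules path, the name field, the expression syntax, and the host name are assumptions, and the sample rule is constructed.

```python
import json
from urllib.parse import quote

RULES_PATH = "/api/v2/rules"  # assumed endpoint path, not stated on this page

# Constructed sample rule; "name" and the expression syntax are assumptions.
SAMPLE_RULE = json.dumps({
    "name": "archive-orders",
    "matchExpression": "target.labels['app'] == 'orders'",
    "eventSpecifier": "archive",
})


def lint_rule(raw):
    """Return a list of problems in a JSON rule definition; empty means OK."""
    try:
        rule = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(rule, dict):
        return ["rule definition must be a JSON object"]
    problems = []
    expr = rule.get("matchExpression")
    if not isinstance(expr, str) or not expr.strip():
        problems.append("matchExpression is mandatory")
    elif expr.strip().lower() in ("true", "false"):
        # A constant cannot select targets by label or annotation.
        problems.append("matchExpression is a constant, not a target filter")
    spec = rule.get("eventSpecifier")
    if not isinstance(spec, str) or not spec.strip():
        # Assumption: every rule carries an eventSpecifier string.
        problems.append("eventSpecifier must be a non-empty string")
    return problems


def is_one_shot(raw):
    """True when the rule's eventSpecifier is the simple string 'archive'."""
    return json.loads(raw).get("eventSpecifier") == "archive"


def delete_rule_url(base, name, clean=True):
    """Build the DELETE URL; clean=true targets active recordings only."""
    url = f"{base.rstrip('/')}{RULES_PATH}/{quote(name, safe='')}"
    return f"{url}?clean=true" if clean else url


if __name__ == "__main__":
    print(lint_rule(SAMPLE_RULE), is_one_shot(SAMPLE_RULE))
    print(delete_rule_url("https://cryostat.example.com", "archive-orders"))
```

Cryostat still validates the definition on upload; running a check like this in review or CI catches a missing or constant matchExpression before the rule reaches a cluster.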

cert-manager API

You can now use the Enable cert-manager integration toggle button on the Create Cryostat page of your Cryostat Operator to enable or disable end-to-end encryption by using cert-manager for your Cryostat application.

Figure 2.1. The Enable cert-manager integration toggle button

Additionally, the Cryostat Operator now automatically checks that the cert-manager API exists before it deploys Cryostat. This ensures that the Cryostat Operator securely deploys Cryostat. Depending on your needs, you can explicitly set the Cryostat Operator cert-manager API check to disabled.

If Cryostat Operator detects a Cryostat instance that requires cert-manager, but you did not install cert-manager, then you’ll receive a warning event for the Cryostat instance on the Events page of the OpenShift web console.

Deployment scenario tree view

After you deploy your application on OpenShift or any supported Kubernetes distribution, you can display your Cryostat’s information in a JSON-formatted tree view. You can view the following components on the tree view:

  • Pods
  • Replicas
  • Containers
  • Endpoints

Endpoint resource watch

The OpenShiftPlatformClient automatically enables the endpoint resource watch to set an asynchronous target discovery for your target JVMs.

Event search with TargetEventGetHandler

You can use the TargetEventGetHandler to list or search for event types produced by your target JVM.

HTTP API behavior change

Prior to Cryostat 2.0, HTTP request handlers might override the default isAsync method setting of true when determining whether to install a handler for the Vertx server.

Each HTTP handler contains code that defines an HTTP API endpoint for Cryostat. The isAsync method defines whether an HTTP handler gets handled by either a separate worker thread or a main webserver thread.

New environment variables

Cryostat 2.0 includes the following two new environment variables:

  • CRYOSTAT_TARGET_CACHE_MAX_CONNECTIONS, which the OpenShift Operator sets to a value that specifies the maximum number of open JMX connections.
  • CRYOSTAT_TARGET_CACHE_TTL, which the OpenShift Operator sets to a value that specifies the number of seconds that a JMX connection is cached before it closes from inactivity.

The OpenShift Operator automatically determines values for these environment variables, so you cannot modify the values specified by the OpenShift Operator for these environment variables.

New handlers

Cryostat 2.0 introduces the following V2 handlers:

  • AbstractV2RequestHandler that behaves similarly to AbstractAuthenticatedRequestHandler, but maintains the overall response format among V2 handlers.
  • TargetRecordingOptionsListGetHandler that checks recording options supported by your target JVM. Use this handler before you create a recording, so you do not attempt to use recording options not supported by the target JVM.
  • TargetSnapshotPostHandler that encodes a target response in JSON format for a customized snapshot recording. This V2 snapshot handler also includes the name of the recording, the URL for the downloadable recording file, the URL for the automated analysis report, and much more.

A V1 handler can perform snapshot operations similar to a V2 handler, but a V1 handler’s HTTP response renders only in plain string format and only contains the name of the snapshot recording.

New event template available on Cryostat

You can now select the cryostat.jfc event template from the list of available Target JVM templates on the Cryostat web console.

By selecting the cryostat.jfc event template, you automatically enable the following Cryostat settings:

  • HTTP request information, such as status code, duration, and so on.
  • WebSocket message information, such as duration, message type, and so on.
  • JMX connection status, such as opened, closed, or failed.

Pre-configured Grafana dashboard image

Cryostat 2.0 includes a pre-configured Grafana dashboard image for viewing your application’s metrics. You can also create your own Grafana dashboard image to meet your needs.

Cryostat 1 provided a Grafana image that offered basic customization by the OpenShift Operator during deployment of a Cryostat container.

Response status code message

Response status code messages for a ClientUrlGetHandler error message now display in the front of the error message. This is the default setting. The custom exception message remains in the response body of the error message.

Support for client-defined connection protocols

Cryostat 2 now adds a mountpoint for a clientlib directory, to which you can add additional JAR files to be loaded into the Cryostat classpath. This supports client-defined connection protocols as alternatives to JMX RMI.