Cryostat 2.2.0

Installing Cryostat Operator

Follow the steps below to install the Cryostat Operator via OperatorHub.

Install cert-manager

The Cryostat Operator requires cert-manager to run. If not already installed in your cluster, please install it using your preferred method. Once installed, proceed with the operator installation steps below.

Warning: Although it is possible to disable cert-manager integration, it is NOT recommended to do so unless cert-manager is unavailable AND one of the following applies to you:

  • You have another solution for encrypting traffic
  • You trust everything running in the same cluster where the Cryostat Operator is deployed

Install via OperatorHub

See below for a summary of the installation steps from the Cryostat Operator page on OperatorHub. For more details, visit Installing the Cryostat Operator from OperatorHub.

If Operator Lifecycle Manager (OLM) and OperatorHub are already installed and available on your cluster, skip to Step 3:

  1. Install the Operator Lifecycle Manager:
    $ curl -sL | bash -s v0.21.1
  2. Verify the installation was successful by confirming all pods are READY:
    $ kubectl get pods -n olm
  3. Install Cryostat from OperatorHub:
Cryostat on OperatorHub
Cryostat on OperatorHub

Use the search bar to find the Cryostat (provided by Red Hat) catalog item.

Select the Cryostat Operator and click the Install button
Select the Cryostat Operator and click the Install button

Choose the namespace for Cryostat to be deployed into. This should be the same namespace that contains your JVM applications which you intend to monitor or profile using Cryostat.

Install the Operator
Install the Operator

Click “Install” and wait for the installation to complete.

Create a Cryostat instance
Create a Cryostat instance

Once the installation is complete, click “Create Cryostat” to create a Cryostat Custom Resource instance. This provides configuration information for the Operator to know the specifics of how to deploy your Cryostat instance. Continue to Setup.

Note: Alternative methods for installing the operator are described in Alternate Installation Options (not recommended).


Deploying Cryostat

Create a Cryostat object to deploy and set up Cryostat in the cryostat-operator-system namespace. For full details on how to configure the Cryostat deployment, see Configuring Cryostat.

If running Cryostat on Kubernetes, you will also need to add Ingress configurations to your Cryostat resource. See the Network Options section of Configuring Cryostat for examples.

You can create the resource graphically in the OperatorHub UI after following Install via OperatorHub:

Installed Operators View
Installed Operators View
Cryostat Resources Before
Cryostat Resources Before
Cryostat Resource Creation
Cryostat Resource Creation
Cryostat Resources After
Cryostat Resources After

You can also create the resource manually using a YAML definition like the following:

kind: Cryostat
  name: cryostat-sample
  minimal: false
  enableCertManager: true
  trustedCertSecrets: []
  eventTemplates: []
      labels: {}
      annotations: {}
      spec: {}
    replicas: 0

Then apply the resource:

$ kubectl apply -f cryostat.yaml

Deploy an Application

For demo purposes, let’s go ahead and deploy a sample application to our OpenShift cluster in the same namespace as our Cryostat instance. If you have deployed Cryostat into a namespace where you are already running other applications, feel free to continue to the next step.

$ oc new-app
$ oc patch svc/quarkus-test -p '{"spec":{"$setElementOrder/ports":[{"port":9096},{"port":9999}],"ports":[{"name":"jfr-jmx","port":9096}]}}'

This is a Quarkus container in JVM mode with JMX enabled and pre-configured to listen on port 9096. After deploying the container we patch its service to name the 9096 service port jfr-jmx. Cryostat will detect and use this port to determine that this is a compatible Java application that it should monitor.

Open the Cryostat Web UI

Let’s visit the Cryostat web dashboard UI.

We can get there from the Cryostat resource’s Status field:

Cryostat Resource Status
Cryostat Resource Status

Or, we can open the application link from the Topology view:

Topology View
Topology View

We can also find the URL using oc:

$ oc get cryostat -o jsonpath='{$.items[0].status.applicationUrl}'

Authenticate through Cryostat


When deployed in OpenShift, Cryostat will use the existing internal cluster authentication system to ensure all requests come from users with correct access to the namespace.

OpenShift SSO Login
OpenShift SSO Login
OpenShift Service Account Permissions
OpenShift Service Account Permissions

Once you have authenticated through the cluster’s SSO login you will be redirected back to the Cryostat web application. The redirect URL contains an access token for Cryostat’s service account with the permissions you have granted to it. This access token will eventually expire and you will be required to log back in on the cluster SSO login page.


When deployed in other Kubernetes environments, Cryostat will use a Bearer Token authentication scheme. This will require you to paste in an access token for Cryostat to use when making Kubernetes API requests. You may create and configure a separate Service Account for Cryostat to use for this purpose, or you may simply use an access token from your own user account.

OpenShift SSO Login
OpenShift SSO Login

Next Steps

Now that you have installed and deployed Cryostat and know how to access its web client, continue on to Guides for guides through various common actions and workflows.

Uninstalling Cryostat Operator

In order to ensure that objects created by the operator and recordings created by Cryostat are properly removed, the Cryostat Operator must remain installed when attempting to delete the Cryostat custom resource, or any Recording custom resources.

To completely remove Cryostat and all objects and recordings created by it:

  1. Delete any Recording custom resources.
    • If Cryostat is no longer deployed, you must redeploy it by creating a Cryostat custom resource.
    • If the Cryostat Operator has already been uninstalled, please reinstall it before deleting any Recording custom resources.
  2. Delete the Cryostat custom resource.
    • If the Cryostat Operator has already been uninstalled, please reinstall it before deleting the Cryostat custom resource.
  3. Uninstall the Cryostat Operator.
    • Warning: This command also removes the my-cryostat-operator namespace and all of its contents, including any applications deployed in the namespace.
       $ kubectl delete -f