cryostatio · andrewazores · May 4, 2026 · May 7, 2026 · May 7, 2026 · May 8, 2026
diff --git a/_data/versions.yaml b/_data/versions.yaml
@@ -1,23 +1,24 @@
 cryostat:
-  version: '4.1.0'
-  release-branch: 'cryostat-v4.1'
+  version: '4.2.0'
+  release-branch: 'cryostat-v4.2'
 agent:
-  version: '0.6.0'
+  version: '0.7.0'
 openshift:
-  version: '4.16'
+  version: '4.19'
 kubernetes:
-  version: '1.29'
+  version: '1.32'
 operator-sdk:
-  version: '1.31.0'
+  version: '1.42.0'
 operator-lifecycle-manager:
   version: '0.25.0'
 cert-manager:
-  version: '1.13.6'
+  version: '1.18.6'
 maven-plugins:
   dependency:
     version: '3.9.0'
 documentation:
   - 'latest'
+  - 4.1.0
   - 4.0.0
   - 3.0.0
   - 2.4.0

diff --git a/docs/_subsections/configuring-the-operator.md b/docs/_subsections/configuring-the-operator.md
@@ -50,7 +50,7 @@ spec:
 Multiple templates can be specified in the `eventTemplates` array. Each `configMapName` must refer to the name of a **Config Map** in the same namespace as **Cryostat**. The corresponding `filename` must be a key within that **Config Map** containing the template file.
 
 ### Trusted TLS Certificates
-By default, **Cryostat** uses TLS when connecting to the user's applications over JMX. In order to verify the identity of the applications **Cryostat** connects to, it should be configured to trust the TLS certificates presented by those applications. One way to do that is to specify certificates that **Cryostat** should trust in the `spec.trustedCertSecrets` property.
+By default, **Cryostat** uses TLS when connecting to the user's applications over JMX. In order to verify the identity of the applications **Cryostat** connects to, it should be configured to trust the TLS certificates presented by those applications. Certificates can be provided through the `spec.trustedCertSecrets` property, and each entry may reference either a **Secret** or a **ConfigMap** in the same namespace as the `Cryostat` object.
 ```yaml
 apiVersion: operator.cryostat.io/v1beta2
 kind: Cryostat
@@ -60,8 +60,12 @@ spec:
   trustedCertSecrets:
   - secretName: my-tls-secret
     certificateKey: ca.crt
+  - configMapName: my-service-ca
+    certificateKey: service-ca.crt
 ```
-Multiple TLS secrets may be specified in the `trustedCertSecrets` array. The `secretName` property is mandatory, and must refer to the name of a Secret within the same namespace as the `Cryostat` object. The `certificateKey` must point to the X.509 certificate file to be trusted. If `certificateKey` is omitted, the default key name of `tls.crt` will be used.
+Multiple certificate entries may be specified in the `trustedCertSecrets` array. Each entry must specify exactly one of `secretName` or `configMapName`. The `certificateKey` must point to the X.509 certificate or CA bundle file to be trusted. If `certificateKey` is omitted, the default key name is `tls.crt` for **Secrets** and `service-ca.crt` for **ConfigMaps**.
+
+The `configMapName` option is useful on **OpenShift**, where service serving certificate CA bundles are commonly injected into **ConfigMap** resources. In that case, the injected certificate bundle normally uses the `service-ca.crt` key, so you can omit `certificateKey` when using that default key name.
 
 ### Storage Options
 **Cryostat** uses <code>storage volumes</code> to persist data in its database and object storage. In the interest of persisting these files across redeployments, **Cryostat** uses a **Persistent Volume Claim** by default. Unless overidden, the operator will create a **Persistent Volume Claim** with the default **Storage Class** and **500MiB** of storage capacity.
@@ -302,6 +306,23 @@ spec:
     targetCacheTTL: 10
 ```
 
+### Audit Logging
+
+**Cryostat** can persist audit history in its database. This history enables features that refer back to information about target applications and their Kubernetes lineages after those targets are no longer discoverable.
+
+The `spec.enableAudit` property configures audit logging for the **Cryostat** application. For newly created `Cryostat` objects, the **Cryostat Operator** defaults `spec.enableAudit` to `true`. Existing `Cryostat` objects created before this field was introduced keep their previous behavior until you explicitly set the property.
+
+When audit logging is enabled, the **Cryostat** database grows over time and might require additional storage.
+
+```yaml
+apiVersion: operator.cryostat.io/v1beta2
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  enableAudit: false
+```
+
 ### Application Database
 
 **Cryostat** stores various pieces of information in a database. This can also include target application connection credentials, such as target applications' JMX credentials, which are stored in an encrypted database table. By default, the **Cryostat Operator** will generate both a random database connection key and a random table encryption key and configure **Cryostat** and the database to use these. You may also specify these keys yourself by creating a Secret containing the keys `CONNECTION_KEY` and `ENCRYPTION_KEY`.

diff --git a/guides/_subsections/add-a-trusted-certificate.md b/guides/_subsections/add-a-trusted-certificate.md
@@ -5,7 +5,7 @@ If you have Java Management Extensions **(JMX)** over `SSL` enabled on your cont
     <li>
         {% include howto_step.html
           summary="Navigate to the <i>Security</i> Tab"
-          image-name="4.1.0/navigate-to-security.png"
+          image-name="4.2.0/navigate-to-security.png"
           text="Click the <i>Security</i> tab. This should initially be in an empty state if you have not yet defined any additional trusted certificates."
         %}
     </li>
@@ -26,11 +26,13 @@ certificate(s) within the truststore directory.
 
 ### [Preconfiguring Trusted Certificates within Cryostat](#preconfiguring-trusted-certificates-within-cryostat)
 
-Alternatively if deploying **Cryostat** in a **Kubernetes** environment with the **Cryostat Operator**, TLS Certs can be preconfigured in **Cryostat** when creating the custom resource. To begin, create a **Kubernetes** Secret containing the TLS Cert.
+Alternatively if deploying **Cryostat** in a **Kubernetes** environment with the **Cryostat Operator**, TLS certificates can be preconfigured in **Cryostat** when creating the custom resource. To begin, create a **Kubernetes** Secret or **ConfigMap** containing the TLS certificate or CA bundle.
 
 ```kubectl create secret generic application-cert --from-file=tlsCert.crt```
 
-Now that this Secret has been created, when creating the **Cryostat Custom Resource** we can specify it, either through the **Red Hat Openshift** console under **Trusted TLS Certificates** while creating the **Cryostat Custom Resource**, or through the **Custom Resource** YAML:
+```kubectl create configmap application-ca --from-file=service-ca.crt```
+
+Now that this Secret or ConfigMap has been created, when creating the **Cryostat Custom Resource** we can specify it, either through the **Red Hat OpenShift** console under **Trusted TLS Certificates** while creating the **Cryostat Custom Resource**, or through the **Custom Resource** YAML:
 
 ```yaml
 apiVersion: operator.cryostat.io/v1beta2
@@ -41,6 +43,10 @@ spec:
   trustedCertSecrets:
     - secretName: application-cert
       certificateKey: tlsCert.crt
+    - configMapName: application-ca
+      certificateKey: service-ca.crt
 ```
 
-Once the **Custom Resource** has been created, the TLS Certificate will be pre-loaded into **Cryostat** and be available from startup without any further configuration needed.
+Each `trustedCertSecrets` entry must specify exactly one of `secretName` or `configMapName`. If `certificateKey` is omitted, the default key name is `tls.crt` for Secrets and `service-ca.crt` for ConfigMaps. The ConfigMap default is useful for OpenShift service CA bundles.
+
+Once the **Custom Resource** has been created, the TLS certificate will be pre-loaded into **Cryostat** and be available from startup without any further configuration needed.
diff --git a/guides/_subsections/add-and-edit-recording-metadata-labels.md b/guides/_subsections/add-and-edit-recording-metadata-labels.md
@@ -11,7 +11,7 @@ Users can attach `Metadata` or `Custom Labels` to **JDK** `Flight Recordings` ma
   <li>
     {% include howto_step.html
       summary="Add <code>Metadata Labels</code> to the <i>Create Recording</i> form"
-      image-name="4.1.0/add-and-edit-recording-metadata-labels-1.png"
+      image-name="4.2.0/add-and-edit-recording-metadata-labels-1.png"
       text="
         When creating a custom <code>Flight Recording</code> with <b>Cryostat</b>, expand the form section <i>Show metadata options</i>. Click <i>Add Label</i> and add <i>key-Value</i> <code>Label</code> pairs to the form. Finally, click <i>Create</i> to attach the <code>Labels</code> and create the <code>Recording</code>.
       "
@@ -20,7 +20,7 @@ Users can attach `Metadata` or `Custom Labels` to **JDK** `Flight Recordings` ma
   <li>
     {% include howto_step.html
       summary="View your <code>Labels</code> on the <i>Active Recordings</i> Table"
-      image-name="4.1.0/add-and-edit-recording-metadata-labels-2.png"
+      image-name="4.2.0/add-and-edit-recording-metadata-labels-2.png"
       text="
         The new <code>Recording</code> will appear in the <i>Recordings Tab</i> with your <code>Custom Label</code> as well as default <code>Labels</code> containing information about the selected <code>Recording</code> template.
       "
@@ -34,14 +34,14 @@ Users can attach `Metadata` or `Custom Labels` to **JDK** `Flight Recordings` ma
     {% endcapture %}
     {% include howto_step.html
       summary="Edit an Existing <code>Label</code>"
-      image-name="4.1.0/add-and-edit-recording-metadata-labels-3.png"
+      image-name="4.2.0/add-and-edit-recording-metadata-labels-3.png"
       text=edit-an-existing-label-text
     %}
   </li>
   <li>
     {% include howto_step.html
       summary="View your edited <code>Labels</code>"
-      image-name="4.1.0/add-and-edit-recording-metadata-labels-4.png"
+      image-name="4.2.0/add-and-edit-recording-metadata-labels-4.png"
       text="
         The <code>Recording Labels</code> should be updated in the <i>Active Recordings</i> table.
       "
@@ -50,7 +50,7 @@ Users can attach `Metadata` or `Custom Labels` to **JDK** `Flight Recordings` ma
   <li>
     {% include howto_step.html
       summary="<i>(Optional)</i> Archive your <code>Recording</code> to view <code>Labels</code> copied onto the <code>Archived Recording</code>"
-      image-name="4.1.0/add-and-edit-recording-metadata-labels-5.png"
+      image-name="4.2.0/add-and-edit-recording-metadata-labels-5.png"
       text="
         On the <i>Active Recordings</i> table, click the <i>Checkbox</i> next to the <code>Recording</code>, then click <i>Archive</i> to archive your <code>Recording</code>. Notice that the <code>Archived Recording</code> also copies the <code>Labels</code> from the <code>Active Recording</code>. You can also add <code>Labels</code> to any <code>Recording</code> uploaded to <b>Cryostat’s</b> archives.
       "
@@ -61,16 +61,16 @@ Users can attach `Metadata` or `Custom Labels` to **JDK** `Flight Recordings` ma
     <p>
       Create another <code>Recording</code> on the same target. Then select both <code>Recordings</code> on the <i>Recordings Table</i> and click <i>Edit Labels</i> and start editing. This time, only <code>Labels</code> that are present on both <code>Recordings</code> will be shown in the form. Let's <i>Delete</i> the two common template-related <code>Labels</code>, and <i>Add</i> a new <code>Label</code> to both <code>Recordings</code>. Then finally, click <i>Save</i>.
       <br><br>
-      <a href="{{ site.url }}/images/4.1.0/add-and-edit-recording-metadata-labels-7.png" target="_blank">
-        <img src="{{ site.url }}/images/4.1.0/add-and-edit-recording-metadata-labels-7.png">
+      <a href="{{ site.url }}/images/4.2.0/add-and-edit-recording-metadata-labels-7.png" target="_blank">
+        <img src="{{ site.url }}/images/4.2.0/add-and-edit-recording-metadata-labels-7.png">
       </a>
       <br><br>
       Congratulations, you have successfully bulk-edited <code>Labels</code> across multiple <code>Recordings</code>!
     </p>
     {% endcapture %}
     {% include howto_step.html
       summary="<i>(Optional)</i> Bulk-edit <code>Recording Labels</code> across multiple <code>Recordings</code>"
-      image-name="4.1.0/add-and-edit-recording-metadata-labels-6.png"
+      image-name="4.2.0/add-and-edit-recording-metadata-labels-6.png"
       text=bulk-edit-recording-labels-text
     %}
   </li>

diff --git a/guides/_subsections/analyze-a-thread-dump.md b/guides/_subsections/analyze-a-thread-dump.md
@@ -0,0 +1,46 @@
+## [Analyze a Thread Dump](#analyze-a-thread-dump)
+<ol>
+    <li>
+      <p>
+        The <i>Visualize Thread Dumps</i> page
+        allows you to visualize captured thread dumps from a <code>target</code> <b>JVM</b>, looking for common problems
+        and analyzing for deadlocks. Thread Dumps can be analyzed from the archives or selected from a dropdown.
+      </p>
+    </li>
+    <li>
+    {% include howto_step.html
+      summary="Select a Thread Dump"
+      image-name="4.2.0/analyze-a-thread-dump-1.png"
+      caption="
+        The dropdown menu will be populated with Thread Dumps from the archives for the currently selected target. If there are no <code>Thread Dumps</code> to source data from, capture one   then return back to this view.
+      "
+    %}
+  </li>
+  <li>
+    {% include howto_step.html
+      summary="Request analysis"
+      image-name="4.2.0/analyze-a-thread-dump-2.png"
+      caption="
+        Click the analysis process button in the corner of the drawer panel.
+      "
+    %}
+  </li>
+  <li>
+    {% include howto_step.html
+      summary="View aggregated data"
+      image-name="4.2.0/analyze-a-thread-dump-3.png"
+      caption="
+        Once a thread dump has been selected the view will be populated with the analyzed data. There are pie charts displaying aggregation by thread state, running methods, and lock instances. 
+      "
+    %}
+  </li>
+  <li>
+    {% include howto_step.html
+      summary="View detailed thread information"
+      image-name="4.2.0/analyze-a-thread-dump-4.png"
+      caption="
+        Once a thread dump has been selected the view will be populated with the analyzed data. There is as a table for specific patterns found in the data, and deadlocks detected as well as detailed thread information. The thread information table rows can be expanded to view the stack trace and lock instances held by a thread. 
+      "
+    %}
+  </li>
+</ol>
diff --git a/guides/_subsections/archive-a-recording.md b/guides/_subsections/archive-a-recording.md
@@ -29,7 +29,7 @@ any state (`RUNNING`, `STOPPED`, etc.), and may even be a `snapshot`.
     {% endcapture %}
     {% include howto_step.html
       summary="Select an <i>Active Recording</i>"
-      image-name="4.1.0/archive-a-recording-1.png"
+      image-name="4.2.0/archive-a-recording-1.png"
       caption=select-recording-additional-content
     %}
   </li>
@@ -54,7 +54,7 @@ any state (`RUNNING`, `STOPPED`, etc.), and may even be a `snapshot`.
   <li>
     {% include howto_step.html
       summary="Navigate to the <i>Flight Recorder/Analyze/Archives</i> view"
-      image-name="4.1.0/archive-a-recording-2.png"
+      image-name="4.2.0/archive-a-recording-2.png"
       caption=archives-view-caption
       text=archives-view-text
     %}

diff --git a/guides/_subsections/automated-analysis.md b/guides/_subsections/automated-analysis.md
@@ -19,7 +19,7 @@ Read the section on the [`Automated Analysis Card`](#automated-analysis-card) fo
   <li>
     {% include howto_step.html
       summary="Click the <code>Analyze</code> toolbar button"
-      image-name="4.1.0/automated-analysis-1.png"
+      image-name="4.2.0/automated-analysis-1.png"
       caption="
         The analysis drawer will appear from the side. If Cryostat has already analyzed recording data from
         this target recently then content will appear in the drawer. If there are no <code>Active Recordings</code>
@@ -31,7 +31,7 @@ Read the section on the [`Automated Analysis Card`](#automated-analysis-card) fo
   <li>
     {% include howto_step.html
       summary="Request analysis"
-      image-name="4.1.0/automated-analysis-2.png"
+      image-name="4.2.0/automated-analysis-2.png"
       caption="
         Click the analysis process button in the corner of the drawer panel.
       "
@@ -40,7 +40,7 @@ Read the section on the [`Automated Analysis Card`](#automated-analysis-card) fo
   <li>
     {% include howto_step.html
       summary="View Details and Suggestions for Results"
-      image-name="4.1.0/automated-analysis-3.png"
+      image-name="4.2.0/automated-analysis-3.png"
       caption="
         Click on each result to view specifics on what the result means and possible suggestions to fix
         the potential problem.
@@ -51,7 +51,7 @@ Read the section on the [`Automated Analysis Card`](#automated-analysis-card) fo
     <p>
     {% include howto_step.html
       summary="View analysis of an archived recording"
-      image-name="4.1.0/automated-analysis-4.png"
+      image-name="4.2.0/automated-analysis-4.png"
       caption="
         Automated analysis results for individual <code>Archived Recordings</code> are also available.
       "

diff --git a/guides/_subsections/capture-a-heap-dump.md b/guides/_subsections/capture-a-heap-dump.md
@@ -18,7 +18,7 @@
       {% endcapture %}
       {% include howto_step.html
         summary="Navigate to the <i>Diagnostics/Capture</i> Page"
-        image-name="4.1.0/capture-diagnostics-page.png"
+        image-name="4.2.0/capture-diagnostics-page.png"
         caption="Click on <i>Diagnostics/Capture</i> on the sidebar."
         text=capture-a-heap-dump-text
       %}
@@ -29,7 +29,7 @@
   <li>
     {% include howto_step.html
       summary="Navigate to the <i>Diagnostics/Analyze/Heap Dumps</i> view"
-      image-name="4.1.0/archive-a-heap-dump.png"
+      image-name="4.2.0/archive-a-heap-dump.png"
       caption="
         Once the <code>Heap Dump</code> has been archived, a new entry will appear in the
         <code>target</code> <b>JVM's</b> <i>Heap Dumps</i> table. All <code>Heap Dumps</code> that were

diff --git a/guides/_subsections/capture-a-thread-dump.md b/guides/_subsections/capture-a-thread-dump.md
@@ -18,7 +18,7 @@
       {% endcapture %}
       {% include howto_step.html
         summary="Navigate to the <i>Diagnostics/Capture</i> Page"
-        image-name="4.1.0/capture-diagnostics-page.png"
+        image-name="4.2.0/capture-diagnostics-page.png"
         caption="Click on <i>Diagnostics/Capture</i> on the sidebar."
         text=capture-a-thread-dump-text
       %}
@@ -29,7 +29,7 @@
   <li>
     {% include howto_step.html
       summary="Navigate to the <i>Diagnostics/Analyze/Thread Dumps</i> view"
-      image-name="4.1.0/archive-a-thread-dump.png"
+      image-name="4.2.0/archive-a-thread-dump.png"
       caption="
         Once the <code>Thread Dump</code> has been archived, a new entry will appear in the
         <code>target</code> <b>JVM's</b> <i>Thread Dumps</i> table. All <code>Thread Dumps</code> that were

diff --git a/guides/_subsections/common/card-catalog.md b/guides/_subsections/common/card-catalog.md
@@ -3,7 +3,7 @@
 {% endcapture %}
 {% include howto_step.html
   summary="Open the <i>Card Catalog</i>"
-  image-name="4.1.0/dashboard/card-catalog.png"
+  image-name="4.2.0/dashboard/card-catalog.png"
   caption="Open the <i>Card Catalog</i> by clicking the <i>Catalog icon</i> on the <i>Dashboard</i> toolbar."
   text=card-catalog-include-text
 %}
diff --git a/guides/_subsections/common/click-create.md b/guides/_subsections/common/click-create.md
@@ -1,4 +1,4 @@
 {% include howto_step.html
   summary="Click <i>Create</i>"
-  image-name="4.1.0/click-create.png"
+  image-name="4.2.0/click-create.png"
 %}
diff --git a/guides/_subsections/common/layout-selector.md b/guides/_subsections/common/layout-selector.md
@@ -3,7 +3,7 @@ The <i>Layout Selector</i> contains a list of all available layouts. The current
 {% endcapture %}
 {% include howto_step.html
 summary="Open the <i>Layout Selector Dropdown</i>"
-image-name="4.1.0/dashboard/dashboard-layoutselector.png"
+image-name="4.2.0/dashboard/dashboard-layoutselector.png"
 caption="Click the <i>layout selector dropdown</i> to view the available layouts."
 text=layout-selector-text
 %}
diff --git a/guides/_subsections/common/navigate-to-dashboard.md b/guides/_subsections/common/navigate-to-dashboard.md
@@ -3,7 +3,7 @@
 {% endcapture %}
 {% include howto_step.html
   summary="Navigate to <i>Overview/Dashboard</i>"
-  image-name="4.1.0/navigate-to-dashboard.png"
+  image-name="4.2.0/navigate-to-dashboard.png"
   caption="Add <code>dashboard cards</code>, switch between <code>dashboard layouts</code>, and modify the <code>layout configuration</code> to suit your needs."
   text=navigate-to-dashboard-include-text
 %}