From db1ca8745d0cd315d440b35e7fc93318026b4109 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 13:20:44 -0600 Subject: [PATCH 01/69] Fix missing icon for Chronicle --- charts/posit-chronicle/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index 3f3d89a7d..7c1706299 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -3,7 +3,7 @@ name: posit-chronicle description: Official Helm chart for Posit Chronicle Server version: 0.3.8 appVersion: 2025.03.0 -icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png +icon: https://posit.co/wp-content/themes/Posit/dist/images/favicon/apple-touch-icon-180x180.png home: https://www.posit.co sources: - https://github.com/rstudio/helm From a6e526a3c17da6c5364badf2ae2e5a5a1f10b5cf Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 13:20:55 -0600 Subject: [PATCH 02/69] Rename maintainer to "Posit Helm Team" --- charts/posit-chronicle/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index 7c1706299..d21d7ee74 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -8,7 +8,7 @@ home: https://www.posit.co sources: - https://github.com/rstudio/helm maintainers: - - name: sol-eng + - name: Posit Helm Team email: docker@posit.co url: https://github.com/rstudio/helm annotations: From aa3250ed173c293053c5cb6110cdbdc8a17dba26 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 13:21:08 -0600 Subject: [PATCH 03/69] Add images to artifacthub.io annotations --- charts/posit-chronicle/Chart.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index d21d7ee74..799f4fb7a 100644 --- a/charts/posit-chronicle/Chart.yaml 
+++ b/charts/posit-chronicle/Chart.yaml @@ -12,6 +12,11 @@ maintainers: email: docker@posit.co url: https://github.com/rstudio/helm annotations: + artifacthub.io/images: | + - name: chronicle + image: ghcr.io/rstudio/chronicle:2025.03.0 + platforms: + - linux/amd64 artifacthub.io/license: MIT artifacthub.io/links: | - name: Chronicle Documentation From 5f10e21f3b4f9088e53c068e5f677381321cf5fa Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 13:21:27 -0600 Subject: [PATCH 04/69] Recommend compatible product charts with artifacthub.io/recommendations annotation --- charts/posit-chronicle/Chart.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index 799f4fb7a..8f7d53c80 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -27,6 +27,9 @@ annotations: url: https://forum.posit.co/c/posit-professional-hosted/5 - name: About Posit Team url: https://posit.co/products/enterprise/team/ + artifacthub.io/recommendations: | + - url: https://artifacthub.io/packages/helm/rstudio/rstudio-connect + - url: https://artifacthub.io/packages/helm/rstudio/rstudio-workbench keywords: - "rstudio" - "posit" From d2bb8c1832abcdca55cbf53f9caf6363fc3e9d94 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 13:21:40 -0600 Subject: [PATCH 05/69] nit: fix missing whitespace --- charts/posit-chronicle/templates/svc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/templates/svc.yaml b/charts/posit-chronicle/templates/svc.yaml index d5c5eb064..77d0be560 100644 --- a/charts/posit-chronicle/templates/svc.yaml +++ b/charts/posit-chronicle/templates/svc.yaml @@ -16,7 +16,7 @@ spec: - port: {{ .Values.service.port }} targetPort: 443 name: https - {{- else}} + {{- else }} - port: {{ .Values.service.port }} targetPort: 5252 name: http From 5b04bc3cb0a0d378490a824d3888c075f640359a Mon Sep 17 00:00:00 2001 
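Review bot: The `image:` entry in the added `artifacthub.io/images` annotation hard-codes `ghcr.io/rstudio/chronicle:2025.03.0`, a second copy of `appVersion: 2025.03.0` that nothing in this hunk keeps in sync. Artifact Hub reads this annotation to decide which images it lists and scans for the package. A tag left behind by the next appVersion bump would make the published security report describe an image the chart no longer deploys. I would add a comment above the annotation key, `# Keep the image tag below in sync with appVersion`, and make the annotation part of whatever step bumps appVersion.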
From: Ian Pittwood Date: Fri, 2 May 2025 13:22:47 -0600 Subject: [PATCH 06/69] Bump minor version --- charts/posit-chronicle/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index 8f7d53c80..bae613d8e 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: posit-chronicle description: Official Helm chart for Posit Chronicle Server -version: 0.3.8 +version: 0.3.9 appVersion: 2025.03.0 icon: https://posit.co/wp-content/themes/Posit/dist/images/favicon/apple-touch-icon-180x180.png home: https://www.posit.co From 3effb8eb7faefda759106c45d6a8165f46bc75bc Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 14:04:26 -0600 Subject: [PATCH 07/69] Add missing NEWS.md blurb for 0.3.8 --- charts/posit-chronicle/NEWS.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index fc0887889..9a4113227 100644 --- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md @@ -1,5 +1,9 @@ # Changelog +## 0.3.8 + +- Update documentation and support links. + ## 0.3.7 - Bump Chronicle to version 2025.03.0 From e02e33eab614fc8f6e5aec7adbaa9bce709755aa Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 2 May 2025 14:59:44 -0600 Subject: [PATCH 08/69] Overhaul of values.yaml to better follow best practices and common patterns --- charts/posit-chronicle/values.yaml | 123 +++++++++++++++++++++-------- 1 file changed, 91 insertions(+), 32 deletions(-) diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 39b496882..96f30b4f1 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml 
@@ -1,9 +1,28 @@ +# -- Override for the name of the chart deployment +nameOverride: "" +# -- Override for the full name of the release +fullnameOverride: "" +# -- Override for the namespace of the chart deployment +namespaceOverride: "" +# -- Common labels to add to all resources +commonLabels: {} +# -- Common annotations to add to all resources +commonAnnotations: {} + image: - repository: "ghcr.io/rstudio/chronicle" - tag: "2025.03.0" - imagePullPolicy: "IfNotPresent" + # -- The image registry + registry: "ghcr.io" + # -- The image repository + repository: "rstudio/chronicle" + # -- Overrides the image tag whose default is the chart appVersion + tag: "" + # -- (Optional) The image digest + sha: "" + # -- The image pull policy + pullPolicy: "IfNotPresent" -serviceaccount: +serviceAccount: + # -- create: false # -- Additional annotations to add to the chronicle-server serviceaccount annotations: { @@ -26,7 +45,9 @@ service: # -- The number of replica pods to maintain for this service replicas: 1 -# -- A map used verbatim as the pod's "nodeSelector" definition +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +# nodeSelector: {} pod: 
@@ -51,33 +72,71 @@ pod: # If config.LocalStorage.Enabled is set to true, # the chart will provision a pvc of size storage.persistentVolumeSize for # the chronicle server stateful-set -storage: - persistentVolumeSize: 1Gi -config: - HTTPS: + +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + # -- Enable persistence using Persistent Volume Claims + enabled: true + # -- Persistent Volume Storage Class + # (Leave empty if using the default storage class) + storageClass: "" + # -- Size of the data volume + size: 1Gi + # -- Persistent Volume Access Modes + accessModes: + - ReadWriteOnce + # -- Name of an existing PVC to use + existingClaim: "" + # -- Selector to match an existing Persistent Volume for the data PVC + selector: {} + +# Configurations for the underlying Chronicle server instance +# ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html +# +server: + https: # If https.enabled=true, ignore any http # values and enable https in the config instead - Enabled: false - Key: "" - Certificate: "" - Metrics: - Enabled: true - Profiling: - Enabled: false - Logging: - ServiceLog: "STDOUT" - ServiceLogLevel: "INFO" - ServiceLogFormat: "TEXT" - LocalStorage: - # By default LocalStorage.Enabled=true, so that installs work with the default values - Enabled: true - Location: "./chronicle-data" - RetentionPeriod: "30d" - S3Storage: - Enabled: false - Bucket: "posit-chronicle" - Prefix: "" - Profile: "" - # An AWS region must be set if S3 Storage is enabled - Region: "us-east-2" + # -- If set to true, Chronicle will use HTTPS instead of HTTP + enabled: false + # -- Path to a PEM encoded TLS certificate file + certificate: "" + # -- Path to a PEM encoded private key file corresponding to the specified certificate + key: "" + metrics: + # -- If set to true, Chronicle will expose a metrics endpoint for Prometheus + enabled: true + profiling: + # -- If set to true, 
Chronicle will expose a pprof profiling server + enabled: false + logging: + # -- Specified the output for log messages, can be one of "STDOUT", "STDERR", or a file path + serviceLog: "STDOUT" + # -- The log level for the service, can be one of "TRACE", "DEBUG", "INFO", "WARN", or "ERROR" + serviceLogLevel: "INFO" + # -- The log format for the service, can be one of "TEXT" or "JSON" + serviceLogFormat: "TEXT" + storage: + # -- Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section + local: + # -- If set to true, Chronicle will use a local path for data storage + enabled: true + # -- The path to the local storage location + path: "./chronicle-data" + # -- The retention period for data before it is purged + retentionPeriod: "30d" + # -- Configuration for S3 data storage with Chronicle + s3: + # -- If set to true, Chronicle will use S3 for data storage + enabled: false + # -- The S3 bucket to use for storage + bucket: "" + # -- (Optional) the prefix to use when writing to the S3 bucket, defaults to the bucket root + prefix: "" + # -- (Optional) the profile to use when writing to the S3 bucket, defaults is to use the `AWS_PROFILE` env var + profile: "" + # -- (Optional) the region to use when writing to the S3 bucket, defaults is to use the `AWS_REGION` env var + region: "" From 052a0bdabc0a030a2d9f394c1401843518ead7e6 Mon Sep 17 00:00:00 2001 
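Review bot: The context comment left above the new `persistence:` block still reads `If config.LocalStorage.Enabled is set to true, the chart will provision a pvc of size storage.persistentVolumeSize`, but this hunk removes both `config.LocalStorage` and `storage.persistentVolumeSize`. Volume provisioning is now described by `persistence.enabled`, while the server's data location is `server.storage.local.enabled` and `path`. These two switches can disagree: local storage on with persistence off would presumably write to ephemeral container storage. I would replace the stale comment with `# If persistence.enabled is true, a PVC of size persistence.size is meant to hold the data at server.storage.local.path` and say what is expected when only one of the two flags is set.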
From: Ian Pittwood
Date: Mon, 5 May 2025 15:03:35 -0600
Subject: [PATCH 09/69] Refactor the Helm chart
- Make most elements defined dynamically with overrides/merges rather than be hardcoded (e.g. resource names, namespaces, etc.)
- Update references for changes to values.yaml
- Change most label/annotation definitions to inline rather than bespoke helper definitions.
- Reimplement persistence as a PVC resource rather than a volumeClaimTemplate. This also adds selection for existing PVCs.
- Change configmap configuration key to be filename of the config file. Certain elements of the config will also be required when sections are enabled/disabled.
---
charts/posit-chronicle/templates/_helpers.tpl | 139 +++++++++++-------
.../posit-chronicle/templates/configmap.yaml | 58 +++++---
charts/posit-chronicle/templates/pvc.yaml | 35 +++++
.../templates/serviceaccount.yaml | 19 ++-
.../templates/stateful-set.yaml | 81 ----------
.../templates/statefulset.yaml | 86 +++++++++++
charts/posit-chronicle/templates/svc.yaml | 20 ++-
charts/posit-chronicle/values.yaml | 28 ++--
8 files changed, 291 insertions(+), 175 deletions(-)
create mode 100644 charts/posit-chronicle/templates/pvc.yaml
delete mode 100644 charts/posit-chronicle/templates/stateful-set.yaml
create mode 100644 charts/posit-chronicle/templates/statefulset.yaml
diff --git a/charts/posit-chronicle/templates/_helpers.tpl b/charts/posit-chronicle/templates/_helpers.tpl
index 2268c0692..1218064a6 100644
--- a/charts/posit-chronicle/templates/_helpers.tpl
+++ b/charts/posit-chronicle/templates/_helpers.tpl
@@ -1,73 +1,112 @@ {{/* vim: set filetype=mustache: */}} {{/* -Generate annotations for various resources +Expand the chart name. */}} - -{{- define "posit-chronicle.pod.annotations" -}} -{{- range $key,$value := $.Values.pod.annotations -}} -{{ $key }}: {{ $value | quote }} -{{ end }} -{{- if .Values.config.Metrics.Enabled }} -prometheus.io/scrape: "true" -{{- if .Values.config.HTTPS.Enabled }} -prometheus.io/port: "443" -{{- else}} -prometheus.io/port: "5252" +{{- define "posit-chronicle.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "posit-chronicle.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} {{- end }} -{{- end -}} -{{- define "posit-chronicle.serviceaccount.annotations" -}} -{{- range $key,$value := $.Values.serviceaccount.annotations -}} -{{ $key }}: {{ $value | quote }} -{{ end }} -{{- end -}} +{{/* +Create chart name and version as used by the chart label. 
+*/}} +{{- define "posit-chronicle.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} -{{- define "posit-chronicle.service.annotations" -}} -{{- range $key,$value := $.Values.service.annotations -}} -{{ $key }}: {{ $value | quote }} -{{ end }} -{{- end -}} +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "posit-chronicle.namespace" -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} {{/* -Generate labels for various resources +Create the Service Account name */}} +{{- define "posit-chronicle.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "posit-chronicle.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "posit-chronicle.pod.labels" -}} -{{- range $key,$value := $.Values.pod.labels -}} -{{ $key }}: {{ $value | quote }} -{{ end }} -{{- end -}} +{{/* +Selector labels +*/}} +{{- define "posit-chronicle.selectorLabels" -}} +app.kubernetes.io/name: {{ include "posit-chronicle.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} -{{- define "posit-chronicle.serviceaccount.labels" -}} -{{- range $key,$value := $.Values.serviceaccount.labels -}} -{{ $key }}: {{ $value | quote }} -{{ end }} -{{- end -}} +{{/* +Common labels +*/}} +{{- define "posit-chronicle.labels" }} +helm.sh/chart: {{ include "posit-chronicle.chart" . }} +{{ include "posit-chronicle.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.image.tag "" | default .Chart.AppVersion | trunc 63 | trimSuffix "-" | quote }} +{{- end }} +{{- with .Values.commonLabels }} +{{ toYaml . 
}} +{{- end }} +{{- end }} -{{- define "posit-chronicle.service.labels" -}} -{{- range $key,$value := $.Values.service.labels -}} +{{/* +Generate annotations for various resources +*/}} +{{- define "posit-chronicle.pod.annotations" }} +{{- $podAnnotations := merge .Values.pod.annotations .Values.commonAnnotations }} +{{- if .Values.server.metrics.enabled }} +{{- $_ := set $podAnnotations "prometheus.io/scrape" "true" }} +{{- if .Values.server.metrics.enabled }} +{{- $_ := set $podAnnotations "prometheus.io/port" "443" }} +{{- else }} +{{- $_ := set $podAnnotations "prometheus.io/port" "5252" }} +{{- end }} +{{- end }} +{{- range $key,$value := $.Values.pod.annotations }} {{ $key }}: {{ $value | quote }} -{{ end }} -{{- end -}} +{{- end }} +{{- end }} {{/* Generate selector labels for various resources */}} - -{{- define "posit-chronicle.pod.selectorLabels" -}} -{{- range $key,$value := $.Values.pod.selectorLabels -}} +{{- define "posit-chronicle.pod.selectorLabels" }} +{{- $podSelectorLabels := merge .Values.pod.selectorLabels (include "posit-chronicle.selectorLabels" .) }} +{{- range $key,$value := $podSelectorLabels }} {{ $key }}: {{ $value | quote }} -{{ end }} -app: chronicle-server -{{- end -}} +{{- end }} +{{- end }} -{{- define "posit-chronicle.service.selectorLabels" -}} -{{- range $key,$value := $.Values.service.selectorLabels -}} +{{- define "posit-chronicle.service.selectorLabels" }} +{{- $svcSelectorLabels := merge .Values.service.selectorLabels (include "posit-chronicle.selectorLabels" .) }} +{{- range $key,$value := $svcSelectorLabels }} {{ $key }}: {{ $value | quote }} -{{ end }} -app: chronicle-server -{{- end -}} - +{{- end }} +{{- end }} diff --git a/charts/posit-chronicle/templates/configmap.yaml b/charts/posit-chronicle/templates/configmap.yaml index 97fed1357..8ec155988 100644 --- a/charts/posit-chronicle/templates/configmap.yaml +++ b/charts/posit-chronicle/templates/configmap.yaml 
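Review bot: In the new `posit-chronicle.pod.annotations` helper the inner test repeats the outer one (`{{- if .Values.server.metrics.enabled }}` appears twice), so `prometheus.io/port` is always set to `"443"` and the `"5252"` branch is unreachable. The helper this replaces keyed the port on HTTPS, so the inner line should read `{{- if .Values.server.https.enabled }}`. With the default `https.enabled: false` the server listens on `:5252` (see the configmap in this commit), so the scrape annotation would point at a port nothing is serving and metrics collection would quietly stop. The loop that emits the result also ranges over `$.Values.pod.annotations` rather than `$podAnnotations`. That seems to work only because `merge` and `set` modify the first map in place, and `range $key, $value := $podAnnotations` would state the intent directly.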
@@ -2,43 +2,57 @@ apiVersion: v1 kind: ConfigMap metadata: - name: chronicle-server-config + name: {{ include "posit-chronicle.fullname" . }} + namespace: {{ include "posit-chronicle.namespace" . }} + labels: + {{ include "posit-chronicle.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} data: - server: | - - # switch between http and https - {{- if .Values.config.HTTPS.Enabled }} + posit-chronicle.gcfg: | + {{- if .Values.server.https.enabled }} [HTTPS] Listen = :443 - Key = {{ .Values.config.HTTPS.Key }} - Certificate = {{ .Values.config.HTTPS.Certificate }} + Certificate = {{ required ".Values.server.https.certificate must be specified when .Values.server.https.enabled is true." .Values.server.https.certificate }} + Key = {{ required ".Values.server.https.key must be specified when .Values.server.https.enabled is true." .Values.server.https.key }} {{- else}} [HTTP] Listen = :5252 {{- end }} [Logging] - ServiceLog = {{ .Values.config.Logging.ServiceLog }} - ServiceLogLevel = {{ .Values.config.Logging.ServiceLogLevel }} - ServiceLogFormat = {{ .Values.config.Logging.ServiceLogFormat }} + ServiceLog = {{ .Values.server.logging.serviceLog }} + ServiceLogLevel = {{ .Values.server.logging.serviceLogLevel }} + ServiceLogFormat = {{ .Values.server.logging.serviceLogFormat }} [Metrics] - Enabled = {{ .Values.config.Metrics.Enabled }} + Enabled = {{ .Values.server.metrics.enabled }} [Profiling] - Enabled = {{ .Values.config.Profiling.Enabled }} - Listen = :3030 + Enabled = {{ .Values.server.profiling.enabled }} + Listen = :{{ .Values.server.profiling.port }} [LocalStorage] - Enabled = {{ .Values.config.LocalStorage.Enabled }} - Location = {{ .Values.config.LocalStorage.Location }} - RetentionPeriod = {{ .Values.config.LocalStorage.RetentionPeriod }} + Enabled = {{ .Values.server.storage.local.enabled }} + Location = {{ .Values.server.storage.local.path }} + RetentionPeriod = {{ 
.Values.server.storage.local.retentionPeriod }} [S3Storage] - Enabled = {{ .Values.config.S3Storage.Enabled }} - Bucket = {{ .Values.config.S3Storage.Bucket }} - Prefix = {{ .Values.config.S3Storage.Prefix }} - Profile = {{ .Values.config.S3Storage.Profile }} - Region = {{ .Values.config.S3Storage.Region }} + Enabled = {{ .Values.server.storage.s3.enabled }} + {{- if eq .Values.server.storage.s3.enabled true }} + Bucket = {{ required "A .Values.server.storage.s3.bucket must be specified when S3 storage is enabled." .Values.server.storage.s3.bucket }} + {{- else if ne .Values.server.storage.s3.bucket "" }} + Bucket = {{ .Values.server.storage.s3.bucket }} + {{- end }} + {{- if ne .Values.server.storage.s3.prefix "" }} + Prefix = {{ .Values.server.storage.s3.prefix }} + {{- end }} + {{- if ne .Values.server.storage.s3.profile "" }} + Profile = {{ .Values.server.storage.s3.profile }} + {{- end }} + {{- if ne .Values.server.storage.s3.region "" }} + Region = {{ .Values.server.storage.s3.region }} + {{- end }} --- - diff --git a/charts/posit-chronicle/templates/pvc.yaml b/charts/posit-chronicle/templates/pvc.yaml new file mode 100644 index 000000000..e3bc4f32b --- /dev/null +++ b/charts/posit-chronicle/templates/pvc.yaml 
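Review bot: The new `required` checks make `server.https.certificate` and `server.https.key` mandatory when HTTPS is enabled, but both are file paths and nothing visible in this commit places those files in the container: the new statefulset.yaml mounts only the `data` and `config` volumes. As written, turning HTTPS on appears to need the private key baked into the image or copied onto the data volume, and neither is a good home for key material. I would add a values entry naming an existing TLS Secret, mount it read-only in the StatefulSet, and document next to `certificate` and `key` that the paths must point inside that mount. The `[HTTPS]` branch here could then keep its `required` messages unchanged.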
@@ -0,0 +1,35 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "posit-chronicle.fullname" . }} + namespace: {{ include "posit-chronicle.namespace" . }} + labels: + {{ include "posit-chronicle.labels" . | nindent 4 }} + {{- with .Values.persistence.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.persistence.annotations .Values.commonAnnotations }} + {{- $annotations := merge .Values.persistence.annotations .Values.commonAnnotations }} + annotations: + {{- with $annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- end }} +spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote | nindent 4 }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- with .Values.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: + {{ toYaml . | nindent 6 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/posit-chronicle/templates/serviceaccount.yaml b/charts/posit-chronicle/templates/serviceaccount.yaml index d7951c4bd..7530652ac 100644 --- a/charts/posit-chronicle/templates/serviceaccount.yaml +++ b/charts/posit-chronicle/templates/serviceaccount.yaml 
@@ -1,10 +1,19 @@ -{{- if .Values.serviceaccount.create -}} +{{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: - name: chronicle-sa + name: {{ include "posit-chronicle.serviceAccountName" . }} + namespace: {{ include "posit-chronicle.namespace" . }} labels: - {{ include "posit-chronicle.serviceaccount.labels" . | nindent 4 }} + {{ include "posit-chronicle.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := merge .Values.serviceAccount.annotations .Values.commonAnnotations }} annotations: - {{ include "posit-chronicle.serviceaccount.annotations" . | nindent 4 }} -{{- end -}} + {{- with $annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/posit-chronicle/templates/stateful-set.yaml b/charts/posit-chronicle/templates/stateful-set.yaml deleted file mode 100644 index 1ee662ddc..000000000 --- a/charts/posit-chronicle/templates/stateful-set.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: chronicle-server - namespace: {{ $.Release.Namespace }} -spec: - serviceName: chronicle-server - replicas: {{ .Values.replicas }} - selector: - matchLabels: - {{- include "posit-chronicle.pod.selectorLabels" . | trim | nindent 6 }} - template: - metadata: - labels: - {{- include "posit-chronicle.pod.labels" . | trim | nindent 8 }} - {{- include "posit-chronicle.pod.selectorLabels" . | trim | nindent 8 }} - annotations: - {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8 }} - spec: - {{- with .Values.pod.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.pod.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.pod.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.serviceaccount.create }} - serviceAccountName: chronicle-sa - {{- end }} - containers: - - name: chronicle-server - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.imagePullPolicy }} - command: - - {{ .Values.pod.command }} - {{- if .Values.pod.args }} - args: - {{- toYaml .Values.pod.args | nindent 8 }} - {{- end }} - ports: - {{- if .Values.config.HTTPS.Enabled }} - - containerPort: 443 - name: https - {{- else}} - - containerPort: 5252 - name: http - {{- end }} - volumeMounts: - {{- if .Values.config.LocalStorage.Enabled }} - - name: data - mountPath: {{ .Values.config.LocalStorage.Location }} - {{- end }} - - name: chronicle-server-config - mountPath: /etc/posit-chronicle/posit-chronicle.gcfg - subPath: server - {{- if .Values.pod.env }} - env: - {{- toYaml .Values.pod.env | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} - volumes: - - name: chronicle-server-config - configMap: - name: chronicle-server-config -{{- if .Values.config.LocalStorage.Enabled }} - volumeClaimTemplates: - - 
metadata: - name: data - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: {{ .Values.storage.persistentVolumeSize }} -{{- end }} ---- diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml new file mode 100644 index 000000000..768859add --- /dev/null +++ b/charts/posit-chronicle/templates/statefulset.yaml 
@@ -0,0 +1,86 @@ +--- +{{- $root := . -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "posit-chronicle.fullname" . }} + namespace: {{ include "posit-chronicle.namespace" . }} + labels: + {{- include "posit-chronicle.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicas }} + serviceName: {{ include "posit-chronicle.fullname" . }} + selector: + matchLabels: + {{- include "posit-chronicle.pod.selectorLabels" . | trim | nindent 6 }} + template: + metadata: + labels: + {{- include "posit-chronicle.labels" . | trim | nindent 8 }} + {{- with .Values.pod.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8 }} + spec: + {{- with .Values.pod.affinity }} + affinity: + {{- tpl (toYaml .) $root | nindent 8 }} + {{- end }} + {{- with .Values.pod.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.pod.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "posit-chronicle.serviceAccountName" . 
}} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - {{ .Values.pod.command }} + {{- if .Values.pod.args }} + args: + {{- toYaml .Values.pod.args | nindent 8 }} + {{- end }} + ports: + {{- if .Values.server.https.enabled }} + - containerPort: 443 + name: https + {{- else}} + - containerPort: 5252 + name: http + {{- end }} + volumeMounts: + {{- if .Values.server.storage.local.enabled }} + - name: data + mountPath: {{ .Values.server.storage.local.path }} + {{- end }} + - name: config + mountPath: /etc/posit-chronicle/posit-chronicle.gcfg + subPath: posit-chronicle.gcfg + {{- if .Values.pod.env }} + env: + {{- toYaml .Values.pod.env | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} + volumes: + {{- if .Values.persistence.enabled }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl (.Values.persistence.existingClaim | default (include "posit-chronicle.fullname" .)) . }} + {{- end }} + - name: config + configMap: + name: {{ include "posit-chronicle.fullname" . }} + items: + - key: posit-chronicle.gcfg + path: "posit-chronicle.gcfg" +--- diff --git a/charts/posit-chronicle/templates/svc.yaml b/charts/posit-chronicle/templates/svc.yaml index 77d0be560..6bb39f154 100644 --- a/charts/posit-chronicle/templates/svc.yaml +++ b/charts/posit-chronicle/templates/svc.yaml 
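Review bot: The container image is rendered as `"{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"`, yet values.yaml now defaults `tag: ""` and documents it as falling back to the chart appVersion, so a default install renders `ghcr.io/rstudio/chronicle:` with an empty tag. `image.sha` is never read by this template either, so an operator who sets a digest gets no pinning of the image that is actually pulled. I would build the reference with the documented fallback, `{{- $ref := printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) }}`, and render `image: "{{ $ref }}{{ with .Values.image.sha }}@{{ . }}{{ end }}"`. That assumes `image.sha` holds the full `sha256:<hex>` digest, which the values comment should state.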
@@ -2,17 +2,25 @@ apiVersion: v1 kind: Service metadata: - name: chronicle-server + name: {{ include "posit-chronicle.fullname" . }} + namespace: {{ include "posit-chronicle.namespace" . }} labels: - {{- include "posit-chronicle.service.labels" . | trim | nindent 4 }} - {{- include "posit-chronicle.service.selectorLabels" . | trim | nindent 4 }} + {{ include "posit-chronicle.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := merge .Values.service.annotations .Values.commonAnnotations }} annotations: - {{- include "posit-chronicle.service.annotations" . | trim | nindent 4 }} + {{- with $annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: - {{- include "posit-chronicle.service.selectorLabels" . | trim | nindent 4 }} + {{ include "posit-chronicle.service.selectorLabels" . | trim | nindent 4 }} ports: - {{- if .Values.config.HTTPS.Enabled }} + {{- if .Values.server.https.enabled }} - port: {{ .Values.service.port }} targetPort: 443 name: https diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 96f30b4f1..70e6c5ebe 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -22,8 +22,9 @@ image: pullPolicy: "IfNotPresent" serviceAccount: - # -- create: false + # -- The name of the service account to use + name: "" # -- Additional annotations to add to the chronicle-server serviceaccount annotations: { # EKS role arn example @@ -45,11 +46,6 @@ service: # -- The number of replica pods to maintain for this service replicas: 1 -## Node labels for pod assignment -## ref: https://kubernetes.io/docs/user-guide/node-selection/ -# -nodeSelector: {} - pod: # -- The command and args to run in the chronicle-server container command: "/chronicle" 
@@ -64,6 +60,8 @@ pod: selectorLabels: {} # -- A map used verbatim as the pod's "affinity" definition affinity: {} + # -- A map used verbatim as the pod's "nodeSelector" definition + nodeSelector: {} # -- An array used verbatim as the pod's "tolerations" definition tolerations: [] # -- The termination grace period seconds allowed for the pod before shutdown @@ -74,15 +72,15 @@ pod: # the chronicle server stateful-set -## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ -## +# Enable persistence using Persistent Volume Claims +# ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +# persistence: # -- Enable persistence using Persistent Volume Claims enabled: true # -- Persistent Volume Storage Class # (Leave empty if using the default storage class) - storageClass: "" + storageClassName: "" # -- Size of the data volume size: 1Gi # -- Persistent Volume Access Modes @@ -91,7 +89,14 @@ persistence: # -- Name of an existing PVC to use existingClaim: "" # -- Selector to match an existing Persistent Volume for the data PVC - selector: {} + selectorLabels: {} + # -- Additional annotations to add to the PVC + annotations: {} + # -- Additional labels to add to the PVC + labels: {} + # -- Finalizers added verbatim to the PVC + finalizers: + - kubernetes.io/pvc-protection # Configurations for the underlying Chronicle server instance # ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html @@ -112,6 +117,7 @@ server: profiling: # -- If set to true, Chronicle will expose a pprof profiling server enabled: false + port: 3030 logging: # -- Specified the output for log messages, can be one of "STDOUT", "STDERR", or a file path serviceLog: "STDOUT" From 396dfeb39ac910c20db58175f7f1de496bcfe947 Mon Sep 17 00:00:00 2001 
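Review bot: `persistence.finalizers` is added with a default of `kubernetes.io/pvc-protection` and described as `Finalizers added verbatim to the PVC`, but the pvc.yaml introduced in this same commit never reads `.Values.persistence.finalizers`, so the setting has no effect. Either render it under `metadata.finalizers` in the PVC template or drop the key. A documented but ignored option about deletion protection can mislead an operator about how the data volume is guarded.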
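Review bot: `port: 3030` under `server.profiling` is the only key added in these hunks without a `# --` description, and it feeds `Listen = :{{ .Values.server.profiling.port }}` in configmap.yaml, which binds the profiling server on every pod interface. Once `profiling.enabled` is switched on, that listener is reachable from anything that can route to the pod IP, and profiling endpoints of this kind typically expose heap and goroutine detail. I would document the key as `# -- Port the pprof profiling server listens on (all interfaces); restrict access with a NetworkPolicy when profiling is enabled`.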
From: Ian Pittwood Date: Tue, 6 May 2025 12:09:44 -0600 Subject: [PATCH 10/69] Revert PVC changes --- charts/posit-chronicle/templates/pvc.yaml | 35 ------------------- .../templates/statefulset.yaml | 28 +++++++++++---- 2 files changed, 22 insertions(+), 41 deletions(-) delete mode 100644 charts/posit-chronicle/templates/pvc.yaml diff --git a/charts/posit-chronicle/templates/pvc.yaml b/charts/posit-chronicle/templates/pvc.yaml deleted file mode 100644 index e3bc4f32b..000000000 --- a/charts/posit-chronicle/templates/pvc.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "posit-chronicle.fullname" . }} - namespace: {{ include "posit-chronicle.namespace" . }} - labels: - {{ include "posit-chronicle.labels" . | nindent 4 }} - {{- with .Values.persistence.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- if or .Values.persistence.annotations .Values.commonAnnotations }} - {{- $annotations := merge .Values.persistence.annotations .Values.commonAnnotations }} - annotations: - {{- with $annotations }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- end }} -spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote | nindent 4 }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- with .Values.persistence.storageClassName }} - storageClassName: {{ . }} - {{- end }} - {{- with .Values.persistence.selectorLabels }} - selector: - matchLabels: - {{ toYaml . | nindent 6 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 768859add..8ff67b91f 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml 
@@ -59,7 +59,7 @@ spec: name: http {{- end }} volumeMounts: - {{- if .Values.server.storage.local.enabled }} + {{- if .Values.persistence.enabled }} - name: data mountPath: {{ .Values.server.storage.local.path }} {{- end }} @@ -72,15 +72,31 @@ spec: {{- end }} terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} volumes: - {{- if .Values.persistence.enabled }} - - name: data - persistentVolumeClaim: - claimName: {{ tpl (.Values.persistence.existingClaim | default (include "posit-chronicle.fullname" .)) . }} - {{- end }} - name: config configMap: name: {{ include "posit-chronicle.fullname" . }} items: - key: posit-chronicle.gcfg path: "posit-chronicle.gcfg" + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: {{ include "posit-chronicle.fullname" . }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote | nindent 4 }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- with .Values.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: + {{ toYaml . | nindent 6 }} + {{- end }} --- From 65cc8eafa526804a51d6db7b0021fbe1677a2a06 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 6 May 2025 12:15:38 -0600 Subject: [PATCH 11/69] Unify selector labels for statefulset and service --- charts/posit-chronicle/templates/_helpers.tpl | 17 ----------------- .../posit-chronicle/templates/statefulset.yaml | 2 +- charts/posit-chronicle/templates/svc.yaml | 2 +- charts/posit-chronicle/values.yaml | 2 -- 4 files changed, 2 insertions(+), 21 deletions(-) diff --git a/charts/posit-chronicle/templates/_helpers.tpl b/charts/posit-chronicle/templates/_helpers.tpl index 1218064a6..76677c26d 100644 --- a/charts/posit-chronicle/templates/_helpers.tpl +++ b/charts/posit-chronicle/templates/_helpers.tpl 
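Review bot: The container still mounts a volume called `data` (previous hunk), but this hunk removes the `data` entry from `volumes:` and names the claim template `{{ include "posit-chronicle.fullname" . }}`, so the mount has nothing to bind to unless the release's fullname happens to be `data`. A StatefulSet matches `volumeMounts[].name` against `volumeClaimTemplates[].metadata.name`, so the claim template should read `name: data`. The deleted pvc.yaml also rendered `persistence.labels` and `persistence.annotations`; the new claim template does not, so those values are silently ignored after this commit and should either be rendered under the template's `metadata:` or dropped from values.yaml.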
@@ -93,20 +93,3 @@ Generate annotations for various resources {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} - -{{/* -Generate selector labels for various resources -*/}} -{{- define "posit-chronicle.pod.selectorLabels" }} -{{- $podSelectorLabels := merge .Values.pod.selectorLabels (include "posit-chronicle.selectorLabels" .) }} -{{- range $key,$value := $podSelectorLabels }} -{{ $key }}: {{ $value | quote }} -{{- end }} -{{- end }} - -{{- define "posit-chronicle.service.selectorLabels" }} -{{- $svcSelectorLabels := merge .Values.service.selectorLabels (include "posit-chronicle.selectorLabels" .) }} -{{- range $key,$value := $svcSelectorLabels }} -{{ $key }}: {{ $value | quote }} -{{- end }} -{{- end }} diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 8ff67b91f..5c9935b6c 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -16,7 +16,7 @@ spec: serviceName: {{ include "posit-chronicle.fullname" . }} selector: matchLabels: - {{- include "posit-chronicle.pod.selectorLabels" . | trim | nindent 6 }} + {{- include "posit-chronicle.selectorLabels" . | trim | nindent 6 }} template: metadata: labels: diff --git a/charts/posit-chronicle/templates/svc.yaml b/charts/posit-chronicle/templates/svc.yaml index 6bb39f154..7d5ab4f55 100644 --- a/charts/posit-chronicle/templates/svc.yaml +++ b/charts/posit-chronicle/templates/svc.yaml @@ -18,7 +18,7 @@ metadata: {{- end }} spec: selector: - {{ include "posit-chronicle.service.selectorLabels" . | trim | nindent 4 }} + {{ include "posit-chronicle.selectorLabels" . | trim | nindent 4 }} ports: {{- if .Values.server.https.enabled }} - port: {{ .Values.service.port }} diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 70e6c5ebe..8929c6ae1 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml 
@@ -56,8 +56,6 @@ pod: annotations: {} # -- Additional labels to add to the chronicle-server pods labels: {} - # -- Additional selector labels to add to the chronicle-server pods - selectorLabels: {} # -- A map used verbatim as the pod's "affinity" definition affinity: {} # -- A map used verbatim as the pod's "nodeSelector" definition From 00f95e0279857e32c3c6db41d397ba2b49394f4b Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 6 May 2025 12:16:07 -0600 Subject: [PATCH 12/69] Expand default PVC to 10Gi based on assumptions of 1mo of storage --- charts/posit-chronicle/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 8929c6ae1..9a93dc13e 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -80,7 +80,7 @@ persistence: # (Leave empty if using the default storage class) storageClassName: "" # -- Size of the data volume - size: 1Gi + size: 10Gi # -- Persistent Volume Access Modes accessModes: - ReadWriteOnce From 528233e3e85d4e56f22d97e0ddb5be8a2ffc9689 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 6 May 2025 12:21:52 -0600 Subject: [PATCH 13/69] Disable metrics by default --- charts/posit-chronicle/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 9a93dc13e..0e4ae09c6 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -111,10 +111,11 @@ server: key: "" metrics: # -- If set to true, Chronicle will expose a metrics endpoint for Prometheus - enabled: true + enabled: false profiling: # -- If set to true, Chronicle will expose a pprof profiling server enabled: false + # -- The port to use for the profiling server port: 3030 logging: # -- Specified the output for log messages, can be one of "STDOUT", "STDERR", or a file path 
From 9fd90c5f8b2773cc897c6fc1670d029bbca7925d Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 6 May 2025 14:38:22 -0600 Subject: [PATCH 14/69] Add values schema --- .../templates/statefulset.yaml | 4 +- charts/posit-chronicle/values.schema.json | 407 ++++++++++++++++++ charts/posit-chronicle/values.yaml | 11 +- 3 files changed, 415 insertions(+), 7 deletions(-) create mode 100644 charts/posit-chronicle/values.schema.json diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 5c9935b6c..59e64d707 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -44,8 +44,10 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.pod.command }} command: - - {{ .Values.pod.command }} + {{- toYaml .Values.pod.command | nindent 8 }} + {{- end }} {{- if .Values.pod.args }} args: {{- toYaml .Values.pod.args | nindent 8 }} diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json new file mode 100644 index 000000000..47c46fb31 --- /dev/null +++ b/charts/posit-chronicle/values.schema.json 
@@ -0,0 +1,407 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "properties": { + "nameOverride": { + "description": "Overrides the name of the chart", + "type": "string" + }, + "fullnameOverride": { + "description": "Overrides the full name of the release", + "type": "string" + }, + "namespaceOverride": { + "description": "Overrides the namespace used for the release", + "type": "string" + }, + "commonLabels": { + "description": "Labels to be added to all resources", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "commonAnnotations": { + "description": "Annotations to be added to all resources", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "image": { + "description": "Container image specification", + "type": "object", + "properties": { + "registry": { + "description": "Container image registry", + "type": "string" + }, + "repository": { + "description": "Container image repository", + "type": "string" + }, + "tag": { + "description": "Container image tag", + "type": "string" + }, + "sha": { + "description": "Container image digest", + "type": "string" + }, + "pullPolicy": { + "description": "Container image pull policy", + "type": "string" + } + }, + "required": [ + "repository", + "registry", + "tag", + "pullPolicy" + ] + }, + "serviceAccount": { + "description": "Service account configuration", + "type": "object", + "properties": { + "create": { + "description": "Boolean flag to create a service account for the chart", + "type": "boolean" + }, + "name": { + "description": "Name of the service account to use, defaults to fullname if blank", + "type": "string" + }, + "annotations": { + "description": "Annotations to add to the service account", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "labels": { + "description": "Labels to add to the service account", + "type": "object", + "additionalProperties": { + "type": "string" + } + } + } + }, + "service": 
{ + "description": "Service configuration", + "type": "object", + "properties": { + "port": { + "description": "Port to expose the service on", + "type": "integer", + "default": 80, + "minimum": 1, + "maximum": 65535 + }, + "annotations": { + "description": "Annotations to add to the service", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "labels": { + "description": "Labels to add to the service", + "type": "object", + "additionalProperties": { + "type": "string" + } + } + } + }, + "replicas": { + "description": "Number of replicas for the deployment", + "type": "integer", + "default": 1, + "minimum": 1 + }, + "pod": { + "description": "Pod configuration", + "type": "object", + "properties": { + "command": { + "description": "Command to run in the container", + "type": "array", + "items": { + "type": "string" + } + }, + "args": { + "description": "Arguments to pass to the command", + "type": "array", + "items": { + "type": "string" + } + }, + "env": { + "description": "Environment variables to set in the container", + "type": "array" + }, + "annotations": { + "description": "Annotations to add to the pod", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "labels": { + "description": "Labels to add to the pod", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "affinity": { + "description": "Affinity rules for the pod", + "type": "object" + }, + "nodeSelector": { + "description": "Node selector for the pod", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tolerations": { + "description": "Tolerations for the pod", + "type": "array", + "items": { + "type": "object" + } + }, + "terminationGracePeriodSeconds": { + "description": "Termination grace period for the pod", + "type": "integer", + "default": 30, + "minimum": 0 + } + } + }, + "persistence": { + "description": "Persistence configuration", + "type": "object", + "properties": { + "enabled": { + 
"description": "Enable persistent storage", + "type": "boolean" + }, + "size": { + "description": "Size of the persistent volume claim", + "type": "string" + }, + "storageClass": { + "description": "Storage class for the persistent volume claim", + "type": "string" + }, + "accessModes": { + "description": "Access modes for the persistent volume claim", + "type": "array", + "items": { + "type": "string" + } + }, + "selectorLabels": { + "description": "Labels to select the persistent volume", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "annotations": { + "description": "Annotations to add to the persistent volume claim", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "labels": { + "description": "Labels to add to the persistent volume claim", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "finalizers": { + "description": "Finalizers to add to the persistent volume claim", + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "extraSecretMounts": { + "description": "Additional secret mounts for the pod", + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "description": "Name of the secret", + "type": "string" + }, + "mountPath": { + "description": "Path to mount the secret at", + "type": "string" + }, + "readOnly": { + "description": "Boolean flag to make the mount read-only", + "type": "boolean", + "default": true + } + }, + "additionalProperties": true, + "required": [ + "name", + "mountPath" + ] + } + }, + "server": { + "description": "Chronicle server configuration", + "type": "object", + "properties": { + "https": { + "description": "Configuration for using HTTPS", + "type": "object", + "properties": { + "enabled": { + "description": "Enable HTTPS", + "type": "boolean" + }, + "certificate": { + "description": "Path to the certificate file", + "type": "string" + }, + "key": { + "description": "Path to the key file", + 
"type": "string" + } + } + }, + "metrics": { + "description": "Configuration for Prometheus metrics", + "type": "object", + "properties": { + "enabled": { + "description": "Enable metrics", + "type": "boolean" + } + } + }, + "profiling": { + "description": "Configuration for profiling server", + "type": "object", + "properties": { + "enabled": { + "description": "Enable profiling", + "type": "boolean" + }, + "port": { + "description": "Port for profiling server", + "type": "integer", + "default": 3030, + "minimum": 1, + "maximum": 65535 + } + } + }, + "logging": { + "description": "Configuration for logging", + "type": "object", + "properties": { + "serviceLog": { + "description": "Logging output destination", + "type": "string" + }, + "serviceLogLevel": { + "description": "Logging level", + "type": "string", + "pattern": "(?i)^(trace|debug|info|warn|error)$" + }, + "format": { + "description": "Logging format", + "type": "string", + "pattern": "(?i)^(json|text)$" + } + } + }, + "storage": { + "description": "Configuration for storage", + "type": "object", + "properties": { + "local": { + "description": "Configuration for local storage", + "type": "object", + "properties": { + "enabled": { + "description": "Enable local storage", + "type": "boolean", + "default": true + }, + "path": { + "description": "Path to the local storage directory", + "type": "string", + "default": "/opt/chronicle-data" + }, + "retentionPeriod": { + "description": "Retention period for local storage", + "type": "string", + "default": "30d" + } + } + }, + "s3": { + "description": "Configuration for S3 storage", + "type": "object", + "properties": { + "enabled": { + "description": "Enable S3 storage", + "type": "boolean", + "default": false + }, + "bucket": { + "description": "S3 bucket name", + "type": "string" + }, + "region": { + "description": "S3 region", + "type": "string" + }, + "accessKeyId": { + "description": "S3 access key ID", + "type": "string" + }, + "secretAccessKey": { + 
"description": "S3 secret access key", + "type": "string" + } + }, + "if": { + "properties": { + "enabled": { + "const": true + } + } + }, + "then": { + "properties": { + "bucket": { + "minLength": 3 + } + } + } + } + } + } + } + } + }, + "title": "Values", + "type": "object" +} diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 0e4ae09c6..9e34ad5bf 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -40,15 +40,13 @@ service: annotations: {} # -- Additional labels to add to the chronicle-server service labels: {} - # -- Additional selector labels to add to the chronicle-server service - selectorLabels: {} # -- The number of replica pods to maintain for this service replicas: 1 pod: # -- The command and args to run in the chronicle-server container - command: "/chronicle" + command: ["/chronicle"] args: ["start", "-c", "/etc/posit-chronicle/posit-chronicle.gcfg"] # -- Optional environment variables env: [] @@ -84,8 +82,6 @@ persistence: # -- Persistent Volume Access Modes accessModes: - ReadWriteOnce - # -- Name of an existing PVC to use - existingClaim: "" # -- Selector to match an existing Persistent Volume for the data PVC selectorLabels: {} # -- Additional annotations to add to the PVC @@ -96,6 +92,9 @@ persistence: finalizers: - kubernetes.io/pvc-protection +# Additional secrets to mount to the Chronicle server pod +extraSecretMounts: [] + # Configurations for the underlying Chronicle server instance # ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html # @@ -130,7 +129,7 @@ server: # -- If set to true, Chronicle will use a local path for data storage enabled: true # -- The path to the local storage location - path: "./chronicle-data" + path: "/opt/chronicle-data" # -- The retention period for data before it is purged retentionPeriod: "30d" # -- Configuration for S3 data storage with Chronicle 
From 24b624ea0ebd9c3b01cc97ef1155f3682e21ed09 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 7 May 2025 14:52:49 -0600 Subject: [PATCH 15/69] Add extraSecretMounts support for statefulset Provides base level of support for mounting things like certs/keys --- .../templates/statefulset.yaml | 28 +++++++++++++++++++ charts/posit-chronicle/values.yaml | 6 ++++ 2 files changed, 34 insertions(+) diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 59e64d707..3602ad354 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -68,6 +68,11 @@ spec: - name: config mountPath: /etc/posit-chronicle/posit-chronicle.gcfg subPath: posit-chronicle.gcfg + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} {{- if .Values.pod.env }} env: {{- toYaml .Values.pod.env | nindent 8 }} @@ -80,6 +85,29 @@ spec: items: - key: posit-chronicle.gcfg path: "posit-chronicle.gcfg" + {{- range .Values.extraSecretMounts }} + {{- if .secretName }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + defaultMode: {{ .defaultMode }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- with .items }} + items: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- else if .projected }} + - name: {{ .name }} + projected: + {{- toYaml .projected | nindent 8 }} + {{- else if .csi }} + - name: {{ .name }} + csi: + {{- toYaml .csi | nindent 8 }} + {{- end }} + {{- end }} volumeClaimTemplates: - apiVersion: v1 kind: PersistentVolumeClaim diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 9e34ad5bf..5d0ffc6b6 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml 
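Review bot: `readOnly: {{ .readOnly }}` should render an empty value when an entry omits `readOnly`, and Kubernetes then treats the mount as read-write; the schema's `"default": true` records the intent, but Helm does not apply schema defaults to values. For mounts intended to carry certificates and keys the template should default to read-only, for example `readOnly: {{ hasKey . "readOnly" | ternary .readOnly true }}`. A plain `default true` is not a substitute because it would also override an explicit `false`.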
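Review bot: The volume loop emits a volume only when an entry has `secretName`, `projected` or `csi`, whereas the mount loop in the previous hunk emits a `volumeMounts` item for every entry and the schema requires only `name` and `mountPath`. An entry with a misspelled `secretName` key therefore yields a mount with no backing volume, and the error appears only when the API server rejects the StatefulSet. A final branch such as `{{- else }}{{ fail (printf "extraSecretMounts entry %q needs secretName, projected or csi" .name) }}` would catch this at render time. `secretName: {{ .secretName | quote }}` would also keep a numeric-looking or boolean-looking secret name from being retyped by the YAML parser.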
@@ -94,6 +94,12 @@ persistence: # Additional secrets to mount to the Chronicle server pod extraSecretMounts: [] +# this option can be used to mount secrets such as an SSL certificate and key into the pod +# - name: "ssl" +# secretName: "chronicle-ssl" +# mountPath: "/etc/ssl" +# readOnly: true +# optional: false # Configurations for the underlying Chronicle server instance # ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html From 9a4505e40f41a23bf5ab8c734a32f134b6ed1f43 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 7 May 2025 14:53:08 -0600 Subject: [PATCH 16/69] Add unittests for configmap rendering --- .../posit-chronicle/templates/configmap.yaml | 10 +- .../posit-chronicle/tests/configmap_test.yaml | 185 ++++++++++++++++++ .../tests_failed/configmap_test.yaml | 58 ++++++ charts/posit-chronicle/values.schema.json | 26 ++- 4 files changed, 274 insertions(+), 5 deletions(-) create mode 100644 charts/posit-chronicle/tests/configmap_test.yaml create mode 100644 charts/posit-chronicle/tests_failed/configmap_test.yaml diff --git a/charts/posit-chronicle/templates/configmap.yaml b/charts/posit-chronicle/templates/configmap.yaml index 8ec155988..dd70d227b 100644 --- a/charts/posit-chronicle/templates/configmap.yaml +++ b/charts/posit-chronicle/templates/configmap.yaml 
@@ -32,20 +32,21 @@ data: [Profiling] Enabled = {{ .Values.server.profiling.enabled }} + {{- if .Values.server.profiling.enabled }} Listen = :{{ .Values.server.profiling.port }} + {{- end }} [LocalStorage] Enabled = {{ .Values.server.storage.local.enabled }} + {{- if .Values.server.storage.local.enabled }} Location = {{ .Values.server.storage.local.path }} RetentionPeriod = {{ .Values.server.storage.local.retentionPeriod }} + {{- end }} [S3Storage] Enabled = {{ .Values.server.storage.s3.enabled }} - {{- if eq .Values.server.storage.s3.enabled true }} + {{- if .Values.server.storage.s3.enabled }} Bucket = {{ required "A .Values.server.storage.s3.bucket must be specified when S3 storage is enabled." .Values.server.storage.s3.bucket }} - {{- else if ne .Values.server.storage.s3.bucket "" }} - Bucket = {{ .Values.server.storage.s3.bucket }} - {{- end }} {{- if ne .Values.server.storage.s3.prefix "" }} Prefix = {{ .Values.server.storage.s3.prefix }} {{- end }} @@ -55,4 +56,5 @@ data: {{- if ne .Values.server.storage.s3.region "" }} Region = {{ .Values.server.storage.s3.region }} {{- end }} + {{- end }} --- diff --git a/charts/posit-chronicle/tests/configmap_test.yaml b/charts/posit-chronicle/tests/configmap_test.yaml new file mode 100644 index 000000000..619f79af0 --- /dev/null +++ b/charts/posit-chronicle/tests/configmap_test.yaml 
@@ -0,0 +1,185 @@ +suite: Configmap tests +templates: + - templates/configmap.yaml +tests: + - it: should use http by default + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[HTTP\] + Listen = :5252 + - it: should properly configure https when enabled + set: + server: + https: + enabled: true + certificate: /etc/ssl/ssl.crt + key: /etc/ssl/ssl.key + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[HTTPS\] + Listen = :443 + Certificate = \/etc\/ssl\/ssl.crt + Key = \/etc\/ssl\/ssl.key + - it: should set a default logging configuration + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[Logging\] + ServiceLog = STDOUT + ServiceLogLevel = INFO + ServiceLogFormat = TEXT + - it: should set values for a custom logging configuration + set: + server: + logging: + serviceLog: STDERR + serviceLogLevel: DEBUG + serviceLogFormat: JSON + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[Logging\] + ServiceLog = STDERR + ServiceLogLevel = DEBUG + ServiceLogFormat = JSON + - it: should disable metrics by default + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[Metrics\] + Enabled = false + - it: should enable metrics when specified + set: + server: + metrics: + enabled: true + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[Metrics\] + Enabled = true + - it: should disable profiling by default + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[Profiling\] + Enabled = false + - it: should enable profiling when specified + set: + server: + profiling: + enabled: true + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[Profiling\] + Enabled = true + Listen = :3030 + - it: should set the profiling listening port when specified + set: + server: + profiling: + enabled: true + port: 3131 + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] 
+ pattern: | + \[Profiling\] + Enabled = true + Listen = :3131 + - it: should enable and configure local storage by default + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[LocalStorage\] + Enabled = true + Location = \/opt\/chronicle-data + RetentionPeriod = 30d + - it: should set values for a custom local storage configuration + set: + server: + storage: + local: + path: /custom/data/path + retentionPeriod: 60d + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[LocalStorage\] + Enabled = true + Location = \/custom\/data\/path + RetentionPeriod = 60d + - it: should disable local storage when specified + set: + server: + storage: + local: + enabled: false + # One of these must be set to true + s3: + enabled: true + bucket: test + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[LocalStorage\] + Enabled = false + - notMatchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + Location = \/opt\/chronicle-data + RetentionPeriod = 30d + - it: should enable and configure S3 storage when specified + set: + server: + storage: + s3: + enabled: true + bucket: test + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[S3Storage\] + Enabled = true + Bucket = test + - notMatchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + Prefix = .* + Profile = .* + Region = .* + - it: should add extra options to S3 when specified + set: + server: + storage: + s3: + enabled: true + bucket: test + prefix: test-prefix + profile: test-profile + region: test-region + asserts: + - matchRegex: + path: data["posit-chronicle.gcfg"] + pattern: | + \[S3Storage\] + Enabled = true + Bucket = test + Prefix = test-prefix + Profile = test-profile + Region = test-region diff --git a/charts/posit-chronicle/tests_failed/configmap_test.yaml b/charts/posit-chronicle/tests_failed/configmap_test.yaml new file mode 100644 index 000000000..31f4b7b3e --- /dev/null 
+++ b/charts/posit-chronicle/tests_failed/configmap_test.yaml @@ -0,0 +1,58 @@ +suite: Configmap tests +templates: + - templates/configmap.yaml +tests: + - it: should fail if https is enabled but no certificate is specified + set: + server: + https: + enabled: true + key: /etc/ssl/ssl.key + asserts: + - failedTemplate: + errorPattern: ".*certificate must be specified.*" + - it: should fail if https is enabled but no key is specified + set: + server: + https: + enabled: true + certificate: /etc/ssl/ssl.crt + asserts: + - failedTemplate: + errorPattern: ".*key must be specified.*" + - it: should fail for invalid log level values + set: + server: + logging: + serviceLogLevel: INVALID + asserts: + - failedTemplate: + errorPattern: ".*serviceLogLevel must match pattern.*" + - it: should fail for invalid log level values + set: + server: + logging: + serviceLogFormat: INVALID + asserts: + - failedTemplate: + errorPattern: ".*serviceLogFormat must match pattern.*" + - it: should fail if both local and S3 storage are disabled + set: + server: + storage: + local: + enabled: false + s3: + enabled: false + asserts: + - failedTemplate: + errorPattern: ".*at least one of local or S3 storage must be enabled.*" + - it: should fail if S3 is enabled but no bucket is specified + set: + server: + storage: + s3: + enabled: true + asserts: + - failedTemplate: + errorPattern: ".*bucket must be specified when S3 storage is enabled.*" diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index 47c46fb31..897f7b8d7 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json @@ -397,7 +397,31 @@ } } } - } + }, + "anyOf": [ + { + "properties": { + "local": { + "properties": { + "enabled": { + "const": true + } + } + } + } + }, + { + "properties": { + "s3": { + "properties": { + "enabled": { + "const": true + } + } + } + } + } + ] } } } From 6d102fb1025b467138f39844ff5726fdc55a9fec Mon Sep 17 00:00:00 2001 
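Review bot: Two cases in this file share the name `should fail for invalid log level values`; the second one sets `serviceLogFormat: INVALID`, so a failure report cannot tell them apart. Rename the second to `- it: should fail for invalid log format values`. The suite name `Configmap tests` is also identical to the one in tests/configmap_test.yaml; something like `suite: Configmap failure tests` would make the two distinguishable in output.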
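Review bot: Both `anyOf` branches pass vacuously when the `enabled` key, or the whole `local` / `s3` object, is absent, because `properties` constrains a key only when it is present. The rule "at least one storage backend enabled" therefore holds only as long as the chart defaults always supply both flags. Adding `"required": ["enabled"]` inside each inner object and `"required": ["local"]` / `"required": ["s3"]` on the respective branch makes the check independent of how values are merged.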
From: Ian Pittwood Date: Wed, 7 May 2025 15:04:26 -0600 Subject: [PATCH 17/69] Add unittests for serviceaccount rendering --- .../tests/serviceaccount_test.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 charts/posit-chronicle/tests/serviceaccount_test.yaml diff --git a/charts/posit-chronicle/tests/serviceaccount_test.yaml b/charts/posit-chronicle/tests/serviceaccount_test.yaml new file mode 100644 index 000000000..d1144045b --- /dev/null +++ b/charts/posit-chronicle/tests/serviceaccount_test.yaml @@ -0,0 +1,24 @@ +suite: Configmap tests +templates: + - templates/serviceaccount.yaml +tests: + - it: should skip creation by default + asserts: + - hasDocuments: + count: 0 + - it: should create a service account when specified + set: + serviceAccount: + create: true + release: + name: test-release + namespace: test-namespace + asserts: + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: test-release-posit-chronicle + - equal: + path: metadata.namespace + value: test-namespace From 49361da7e756df72466acdd96c211622c17af027 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 7 May 2025 15:14:48 -0600 Subject: [PATCH 18/69] Add unittests for service rendering --- .../tests/serviceaccount_test.yaml | 2 +- charts/posit-chronicle/tests/svc_test.yaml | 109 ++++++++++++++++++ 2 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 charts/posit-chronicle/tests/svc_test.yaml diff --git a/charts/posit-chronicle/tests/serviceaccount_test.yaml b/charts/posit-chronicle/tests/serviceaccount_test.yaml index d1144045b..bb1b41eff 100644 --- a/charts/posit-chronicle/tests/serviceaccount_test.yaml +++ b/charts/posit-chronicle/tests/serviceaccount_test.yaml @@ -1,4 +1,4 @@ -suite: Configmap tests +suite: Service account tests templates: - templates/serviceaccount.yaml tests: 
diff --git a/charts/posit-chronicle/tests/svc_test.yaml b/charts/posit-chronicle/tests/svc_test.yaml new file mode 100644 index 000000000..d3b1fe533 --- /dev/null +++ b/charts/posit-chronicle/tests/svc_test.yaml 
@@ -0,0 +1,109 @@ +suite: Service tests +templates: + - templates/svc.yaml +tests: + - it: should create a service targeting http by default + release: + name: test-release + namespace: test-namespace + asserts: + - isKind: + of: Service + - equal: + path: metadata.name + value: test-release-posit-chronicle + - equal: + path: metadata.namespace + value: test-namespace + - isSubset: + path: spec.selector + content: + app.kubernetes.io/name: posit-chronicle + app.kubernetes.io/instance: test-release + - contains: + path: spec.ports + content: + name: http + port: 80 + targetPort: 5252 + - notContains: + path: spec.ports + content: + name: https + port: 80 + targetPort: 443 + - it: should create a service targeting https when enabled + release: + name: test-release + namespace: test-namespace + set: + server: + https: + enabled: true + certificate: test-cert + key: test-key + asserts: + - isKind: + of: Service + - equal: + path: metadata.name + value: test-release-posit-chronicle + - equal: + path: metadata.namespace + value: test-namespace + - isSubset: + path: spec.selector + content: + app.kubernetes.io/name: posit-chronicle + app.kubernetes.io/instance: test-release + - contains: + path: spec.ports + content: + name: https + port: 80 + targetPort: 443 + - notContains: + path: spec.ports + content: + name: http + port: 80 + targetPort: 5252 + - it: should use an alternate port when specified by user + release: + name: test-release + namespace: test-namespace + set: + service: + port: 8787 + asserts: + - isKind: + of: Service + - equal: + path: metadata.name + value: test-release-posit-chronicle + - equal: + path: metadata.namespace + value: test-namespace + - isSubset: + path: spec.selector + content: + app.kubernetes.io/name: posit-chronicle + app.kubernetes.io/instance: test-release + - contains: + path: spec.ports + content: + name: http + port: 8787 + targetPort: 5252 + - notContains: + path: spec.ports + content: + name: http + port: 80 + targetPort: 5252 + - 
notContains: + path: spec.ports + content: + name: https + port: 80 + targetPort: 443 From 43023a8f9163438e87a2c93f1b988d1d0a48c3e9 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 09:04:57 -0600 Subject: [PATCH 19/69] Expand common labels --- charts/posit-chronicle/templates/_helpers.tpl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/posit-chronicle/templates/_helpers.tpl b/charts/posit-chronicle/templates/_helpers.tpl index 76677c26d..b18fb3a7f 100644 --- a/charts/posit-chronicle/templates/_helpers.tpl +++ b/charts/posit-chronicle/templates/_helpers.tpl @@ -67,6 +67,9 @@ Common labels */}} {{- define "posit-chronicle.labels" }} helm.sh/chart: {{ include "posit-chronicle.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +app.kubernetes.io/part-of: {{ .Chart.Name | quote }} +app.kubernetes.io/component: server {{ include "posit-chronicle.selectorLabels" . }} {{- if or .Chart.AppVersion .Values.image.tag }} app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.image.tag "" | default .Chart.AppVersion | trunc 63 | trimSuffix "-" | quote }} From 4022c13fbe5cbbaa1b59b39a63112e1af765710b Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 09:05:09 -0600 Subject: [PATCH 20/69] Add stateful set tests --- .../templates/statefulset.yaml | 40 ++- .../tests/statefulset_test.yaml | 274 ++++++++++++++++++ 2 files changed, 298 insertions(+), 16 deletions(-) create mode 100644 charts/posit-chronicle/tests/statefulset_test.yaml diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 3602ad354..3717d6d13 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -1,5 +1,5 @@ --- -{{- $root := . -}} +{{- $root := . }} apiVersion: apps/v1 kind: StatefulSet metadata: 
@@ -24,8 +24,11 @@ spec: {{- with .Values.pod.labels }} {{- toYaml . | nindent 8 }} {{- end }} + # FIXME: Add common annotations? + {{- with (include "posit-chronicle.pod.annotations" .) }} annotations: - {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- with .Values.pod.affinity }} affinity: @@ -33,24 +36,25 @@ spec: {{- end }} {{- with .Values.pod.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- tpl (toYaml .) $root | nindent 8 }} {{- end }} {{- with .Values.pod.tolerations }} tolerations: - {{- toYaml . | nindent 8 }} + {{- tpl (toYaml .) $root | nindent 6 }} {{- end }} serviceAccountName: {{ include "posit-chronicle.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + # FIXME: Make these required in schema or here? + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.pod.command }} + {{- with .Values.pod.command }} command: - {{- toYaml .Values.pod.command | nindent 8 }} + {{- tpl (toYaml .) $root | nindent 8 }} {{- end }} - {{- if .Values.pod.args }} + {{- with .Values.pod.args }} args: - {{- toYaml .Values.pod.args | nindent 8 }} + {{- tpl (toYaml .) $root | nindent 8 }} {{- end }} ports: {{- if .Values.server.https.enabled }} @@ -73,9 +77,9 @@ spec: mountPath: {{ .mountPath }} readOnly: {{ .readOnly }} {{- end }} - {{- if .Values.pod.env }} + {{- with .Values.pod.env }} env: - {{- toYaml .Values.pod.env | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} volumes: 
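Review bot: Rendering `command`, `args`, `nodeSelector` and `tolerations` through `tpl (toYaml .) $root` changes how existing values are read: any `{{` in a user-supplied string is now evaluated against the full chart context, so a literal brace pair in an argument either fails to render or expands to something else, and a values author can reference anything in `.Values`. `pod.env` in the following hunk (`@@ -73,9 +77,9 @@`) stays plain `toYaml`, so the fields are now inconsistent. I would document this next to each affected value, e.g. `# -- Rendered with tpl; write a literal "{{" as {{ "{{" }}`. statefulset_test.yaml in this commit passes only literal values, so one case with a templated argument such as `"--name={{ .Release.Name }}"` is needed to pin the new behaviour.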
@@ -90,7 +94,9 @@ spec: - name: {{ .name }} secret: secretName: {{ .secretName }} - defaultMode: {{ .defaultMode }} + {{- with .defaultMode }} + defaultMode: {{ . }} + {{- end }} {{- with .optional }} optional: {{ . }} {{- end }} @@ -108,6 +114,7 @@ spec: {{- toYaml .csi | nindent 8 }} {{- end }} {{- end }} + {{- if .Values.persistence.enabled }} volumeClaimTemplates: - apiVersion: v1 kind: PersistentVolumeClaim @@ -115,9 +122,9 @@ spec: name: {{ include "posit-chronicle.fullname" . }} spec: accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote | nindent 4 }} - {{- end }} + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} resources: requests: storage: {{ .Values.persistence.size | quote }} @@ -127,6 +134,7 @@ spec: {{- with .Values.persistence.selectorLabels }} selector: matchLabels: - {{ toYaml . | nindent 6 }} + {{ toYaml . | nindent 10 }} {{- end }} + {{- end }} --- diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml new file mode 100644 index 000000000..043181ee9 --- /dev/null +++ b/charts/posit-chronicle/tests/statefulset_test.yaml 
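Review bot: Omitting `defaultMode` when it is unset means secret volumes from `extraSecretMounts` fall back to the Kubernetes default of 0644, which leaves mounted key material readable by every user in the container. The changelog in this series describes these mounts as a way to bring in certificates, so a tighter fallback is safer wherever the container user can still read the files: `defaultMode: {{ default 288 .defaultMode }}` (288 is octal 0440), or at least a values.yaml comment stating the fallback. The `with` guard also skips an explicit `0`, which is harmless here. The loop these lines sit in starts outside the hunk.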
@@ -0,0 +1,274 @@
+suite: Stateful set tests
+templates:
+ - templates/statefulset.yaml
+# Unittest cannot use templating for chart values so we need this to be set to a fixed value for testing
+chart:
+ version: 9.9.9+test
+ appVersion: 9999.9.9
+release:
+ name: test-release
+ namespace: test-namespace
+tests:
+ - it: should create a statefulset with the correct name and namespace
+ release:
+ name: test-release
+ namespace: test-namespace
+ asserts:
+ - isKind:
+ of: StatefulSet
+ - equal:
+ path: metadata.name
+ value: test-release-posit-chronicle
+ - equal:
+ path: metadata.namespace
+ value: test-namespace
+ - equal:
+ path: spec.serviceName
+ value: test-release-posit-chronicle
+ - equal:
+ path: spec.replicas
+ value: 1
+ - it: should apply common selector labels
+ asserts:
+ - isSubset:
+ path: spec.selector.matchLabels
+ content:
+ app.kubernetes.io/name: posit-chronicle
+ app.kubernetes.io/instance: test-release
+ - it: should apply common pod labels
+ set:
+ commonLabels:
+ another: label
+ asserts:
+ - isSubset:
+ path: spec.template.metadata.labels
+ content:
+ helm.sh/chart: posit-chronicle-9.9.9_test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: posit-chronicle
+ app.kubernetes.io/component: server
+ app.kubernetes.io/name: posit-chronicle
+ app.kubernetes.io/instance: test-release
+ app.kubernetes.io/version: 9999.9.9
+ another: label
+ - it: should set the pod affinity when specified
+ set:
+ pod:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: disktype
+ operator: In
+ values:
+ - ssd
+ asserts:
+ - isSubset:
+ path: spec.template.spec.affinity
+ content:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: disktype
+ operator: In
+ values:
+ - ssd
+ - it: should set the pod nodeSelector when specified
+ set:
+ pod:
+ nodeSelector:
+ disktype: ssd
+ asserts:
+ - isSubset:
+ path:
spec.template.spec.nodeSelector
+ content:
+ disktype: ssd
+ - it: should set the pod tolerations when specified
+ set:
+ pod:
+ tolerations:
+ - key: "key"
+ operator: "Equal"
+ value: "value"
+ effect: "NoSchedule"
+ asserts:
+ - contains:
+ path: spec.template.spec.tolerations
+ content:
+ key: "key"
+ operator: "Equal"
+ value: "value"
+ effect: "NoSchedule"
+ - it: should set the pod serviceAccountName to default when the service account creation is disabled
+ set:
+ serviceAccount:
+ create: false
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: default
+ - it: should set the pod serviceAccountName to the service account if service account creation is enabled
+ set:
+ serviceAccount:
+ create: true
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: test-release-posit-chronicle
+ - it: should generate a default chronicle server container
+ asserts:
+ - contains:
+ path: spec.template.spec.containers
+ content:
+ name: posit-chronicle
+ command:
+ - /chronicle
+ args:
+ - start
+ - -c
+ - /etc/posit-chronicle/posit-chronicle.gcfg
+ image: "ghcr.io/rstudio/chronicle:9999.9.9"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5252
+ name: http
+ volumeMounts:
+ - name: data
+ mountPath: /opt/chronicle-data
+ - name: config
+ mountPath: /etc/posit-chronicle/posit-chronicle.gcfg
+ subPath: posit-chronicle.gcfg
+ - it: should set an overridden image if given
+ set:
+ image:
+ registry: docker.io
+ repository: rstudio/posit-chronicle
+ tag: 2025.03.0
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: "docker.io/rstudio/posit-chronicle:2025.03.0"
+ - it: should set the image pull policy to Always if given
+ set:
+ image:
+ pullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ - it: should set an alternate command and args if given
+ set:
+ pod:
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - echo "Hello world"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].command
+ value: ["/bin/bash"]
+ - equal:
+ path: spec.template.spec.containers[0].args
+ value: ["-c", "echo \"Hello world\""]
+ - it: should open https port on container if enabled
+ set:
+ server:
+ https:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports
+ value:
+ - containerPort: 443
+ name: https
+ - it: should not mount a data volume if persistence is disabled
+ set:
+ persistence:
+ enabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: config
+ mountPath: /etc/posit-chronicle/posit-chronicle.gcfg
+ subPath: posit-chronicle.gcfg
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: data
+ mountPath: /opt/chronicle-data
+ - it: should mount extra secrets to container if specified
+ set:
+ extraSecretMounts:
+ - name: test-ssl-secret
+ secretName: chronicle-ssl
+ mountPath: /etc/ssl
+ readOnly: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test-ssl-secret
+ mountPath: /etc/ssl
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test-ssl-secret
+ secret:
+ secretName: chronicle-ssl
+ - it: should define a volume for the config map
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: config
+ configMap:
+ name: test-release-posit-chronicle
+ items:
+ - key: posit-chronicle.gcfg
+ path: "posit-chronicle.gcfg"
+ - it: should define a volume claim template when persistence is enabled
+ asserts:
+ - contains:
+ path: spec.volumeClaimTemplates
+ content:
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: test-release-posit-chronicle
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ - it: should define no volume claim templates if persistence is disabled
+ set:
+ persistence:
+ enabled: false
+ asserts:
+ - notExists:
+ path:
spec.volumeClaimTemplates + - it: should set a storage class if specified + set: + persistence: + storageClassName: my-storage-class + asserts: + - equal: + path: spec.volumeClaimTemplates[0].spec.storageClassName + value: my-storage-class + - it: should set selector labels if specified + set: + persistence: + selectorLabels: + app: chronicle + asserts: + - equal: + path: spec.volumeClaimTemplates[0].spec.selector.matchLabels + value: + app: chronicle + From a4ba6834693dc503247df5d6f57d11a952aa8cd1 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 11:04:09 -0600 Subject: [PATCH 21/69] Fix logic issue in pod annotations --- charts/posit-chronicle/templates/_helpers.tpl | 6 +++--- charts/posit-chronicle/templates/statefulset.yaml | 5 ++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/charts/posit-chronicle/templates/_helpers.tpl b/charts/posit-chronicle/templates/_helpers.tpl index b18fb3a7f..5a9918095 100644 --- a/charts/posit-chronicle/templates/_helpers.tpl +++ b/charts/posit-chronicle/templates/_helpers.tpl @@ -86,13 +86,13 @@ Generate annotations for various resources {{- $podAnnotations := merge .Values.pod.annotations .Values.commonAnnotations }} {{- if .Values.server.metrics.enabled }} {{- $_ := set $podAnnotations "prometheus.io/scrape" "true" }} -{{- if .Values.server.metrics.enabled }} +{{- if .Values.server.https.enabled }} {{- $_ := set $podAnnotations "prometheus.io/port" "443" }} {{- else }} {{- $_ := set $podAnnotations "prometheus.io/port" "5252" }} {{- end }} {{- end }} -{{- range $key,$value := $.Values.pod.annotations }} -{{ $key }}: {{ $value | quote }} +{{- with $podAnnotations }} +{{- toYaml . }} {{- end }} {{- end }} diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 3717d6d13..ef7917575 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml 
@@ -24,10 +24,9 @@ spec: {{- with .Values.pod.labels }} {{- toYaml . | nindent 8 }} {{- end }} - # FIXME: Add common annotations? - {{- with (include "posit-chronicle.pod.annotations" .) }} + {{- if (include "posit-chronicle.pod.annotations" .) }} annotations: - {{- toYaml . | nindent 8 }} + {{- include "posit-chronicle.pod.annotations" . | nindent 8 }} {{- end }} spec: {{- with .Values.pod.affinity }} From 2bf93a900a9b9975ed2aa59cb0be1d805858898a Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 11:04:32 -0600 Subject: [PATCH 22/69] Set image as required in template and set defaults in schema --- charts/posit-chronicle/templates/statefulset.yaml | 3 +-- charts/posit-chronicle/values.schema.json | 8 +++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index ef7917575..507dfe37c 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -44,8 +44,7 @@ spec: serviceAccountName: {{ include "posit-chronicle.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} - # FIXME: Make these required in schema or here? - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" + image: "{{ required "An image registry must be specified" .Values.image.registry }}/{{ required "An image repository must be specified" .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.pod.command }} command: diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index 897f7b8d7..7bd6f7bff 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json 
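Review bot: The annotations helper is now rendered twice, once for the `if` and once for the output, and per the _helpers.tpl hunk in this same commit it calls `merge` and `set` on the values maps, so it is better evaluated once. `{{- with (include "posit-chronicle.pod.annotations" .) }}` followed by `{{- . | nindent 8 }}` keeps the empty check and reuses the rendered string. That also keeps the condition and the output from drifting apart if the helper call ever changes.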
@@ -33,14 +33,16 @@ "properties": { "registry": { "description": "Container image registry", - "type": "string" + "type": "string", + "default": "ghcr.io" }, "repository": { "description": "Container image repository", - "type": "string" + "type": "string", + "default": "rstudio/chronicle" }, "tag": { - "description": "Container image tag", + "description": "Container image tag (defaults to .Chart.AppVersion)", "type": "string" }, "sha": { From 2e30cf75359851c3fa148378cfc12879c1dc4cb2 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 11:04:52 -0600 Subject: [PATCH 23/69] Test metadata rendering across templates --- .../posit-chronicle/tests/configmap_test.yaml | 6 ++ .../posit-chronicle/tests/metadata_test.yaml | 77 +++++++++++++++++++ .../tests/serviceaccount_test.yaml | 17 ++++ .../tests/statefulset_test.yaml | 50 +++++++++++- charts/posit-chronicle/tests/svc_test.yaml | 36 +++++++++ .../tests_failed/metadata_test.yaml | 19 +++++ 6 files changed, 204 insertions(+), 1 deletion(-) create mode 100644 charts/posit-chronicle/tests/metadata_test.yaml create mode 100644 charts/posit-chronicle/tests_failed/metadata_test.yaml diff --git a/charts/posit-chronicle/tests/configmap_test.yaml b/charts/posit-chronicle/tests/configmap_test.yaml index 619f79af0..d710dc314 100644 --- a/charts/posit-chronicle/tests/configmap_test.yaml +++ b/charts/posit-chronicle/tests/configmap_test.yaml @@ -2,6 +2,12 @@ suite: Configmap tests templates: - templates/configmap.yaml tests: + - it: should always create a config map + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap - it: should use http by default asserts: - matchRegex: diff --git a/charts/posit-chronicle/tests/metadata_test.yaml b/charts/posit-chronicle/tests/metadata_test.yaml new file mode 100644 index 000000000..87ef9cbad --- /dev/null +++ b/charts/posit-chronicle/tests/metadata_test.yaml 
@@ -0,0 +1,77 @@
+suite: Generic metadata tests
+set:
+ serviceAccount:
+ create: true
+# Unittest cannot use templating for chart values so we need this to be set to a fixed value for testing
+chart:
+ version: 9.9.9+test
+ appVersion: 9999.9.9
+release:
+ name: test-release
+ namespace: test-namespace
+tests:
+ - it: should always set the default resource name to the posit-chronicle.fullname
+ asserts:
+ - equal:
+ path: metadata.name
+ value: test-release-posit-chronicle
+ - it: should use an override for the resource name if specified
+ set:
+ fullnameOverride: custom-name
+ asserts:
+ - equal:
+ path: metadata.name
+ value: custom-name
+ - it: should set the default resource namespace to the release namespace
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: test-namespace
+ - it: should use an override for the resource namespace if specified
+ set:
+ namespaceOverride: custom-namespace
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: custom-namespace
+ - it: should set the default resource labels
+ asserts:
+ - isSubset:
+ path: metadata.labels
+ content:
+ helm.sh/chart: posit-chronicle-9.9.9_test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: posit-chronicle
+ app.kubernetes.io/component: server
+ app.kubernetes.io/name: posit-chronicle
+ app.kubernetes.io/instance: test-release
+ app.kubernetes.io/version: 9999.9.9
+ - it: should apply custom labels if specified
+ set:
+ commonLabels:
+ another: label
+ asserts:
+ - isSubset:
+ path: metadata.labels
+ content:
+ helm.sh/chart: posit-chronicle-9.9.9_test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: posit-chronicle
+ app.kubernetes.io/component: server
+ app.kubernetes.io/name: posit-chronicle
+ app.kubernetes.io/instance: test-release
+ app.kubernetes.io/version: 9999.9.9
+ another: label
+ - it: should skip annotations by default
+ asserts:
+ - notExists:
+ path: metadata.annotations
+ - it: should apply custom annotations if specified
+ set:
+
commonAnnotations: + another: annotation + asserts: + - isSubset: + path: metadata.annotations + content: + another: annotation diff --git a/charts/posit-chronicle/tests/serviceaccount_test.yaml b/charts/posit-chronicle/tests/serviceaccount_test.yaml index bb1b41eff..f5036e7e6 100644 --- a/charts/posit-chronicle/tests/serviceaccount_test.yaml +++ b/charts/posit-chronicle/tests/serviceaccount_test.yaml @@ -22,3 +22,20 @@ tests: - equal: path: metadata.namespace value: test-namespace + - it: should set annotations if given with service account annotations favored during merge + set: + serviceAccount: + create: true + annotations: + test-merge: value2 + test-sa: value + commonAnnotations: + test-merge: value1 + test-common: value + asserts: + - isSubset: + path: metadata.annotations + content: + test-merge: value2 + test-common: value + test-sa: value diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml index 043181ee9..0bdd1e60b 100644 --- a/charts/posit-chronicle/tests/statefulset_test.yaml +++ b/charts/posit-chronicle/tests/statefulset_test.yaml 
@@ -51,6 +51,54 @@ tests: app.kubernetes.io/instance: test-release app.kubernetes.io/version: 9999.9.9 another: label + - it: should apply custom pod labels if specified + set: + pod: + labels: + another: label + asserts: + - isSubset: + path: spec.template.metadata.labels + content: + helm.sh/chart: posit-chronicle-9.9.9_test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: posit-chronicle + app.kubernetes.io/component: server + app.kubernetes.io/name: posit-chronicle + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: 9999.9.9 + another: label + - it: should not set pod annotations by default + asserts: + - notExists: + path: spec.template.metadata.annotations + - it: should set the annotations if specified with pod annotations favored during merge + set: + commonAnnotations: + test-merge: value1 + test-common: value + pod: + annotations: + test-merge: value2 + test-pod: value + asserts: + - isSubset: + path: spec.template.metadata.annotations + content: + test-merge: value2 + test-common: value + test-pod: value + - it: should set prometheus pod annotations when metrics are enabled + set: + server: + metrics: + enabled: true + asserts: + - isSubset: + path: spec.template.metadata.annotations + content: + prometheus.io/scrape: "true" + prometheus.io/port: "5252" - it: should set the pod affinity when specified set: pod: @@ -261,7 +309,7 @@ tests: - equal: path: spec.volumeClaimTemplates[0].spec.storageClassName value: my-storage-class - - it: should set selector labels if specified + - it: should set volume claim template selector labels if specified set: persistence: selectorLabels: diff --git a/charts/posit-chronicle/tests/svc_test.yaml b/charts/posit-chronicle/tests/svc_test.yaml index d3b1fe533..4e06a6d85 100644 --- a/charts/posit-chronicle/tests/svc_test.yaml +++ b/charts/posit-chronicle/tests/svc_test.yaml 
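Review bot: The `prometheus.io/port` branch that the previous commit in this series corrected (`.Values.server.https.enabled` in _helpers.tpl) has no regression test; the case added here only covers the HTTP default of "5252". A second case with metrics and HTTPS both enabled should assert `prometheus.io/port: "443"`, so a scraper pointed at the wrong port does not go unnoticed again. The `certificate` and `key` values below mirror the HTTPS case in svc_test.yaml and are test placeholders.

```yaml
  - it: should set the prometheus port to 443 when metrics and https are enabled
    set:
      server:
        metrics:
          enabled: true
        https:
          enabled: true
          certificate: test-cert
          key: test-key
    asserts:
      - isSubset:
          path: spec.template.metadata.annotations
          content:
            prometheus.io/scrape: "true"
            prometheus.io/port: "443"
```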
@@ -2,6 +2,42 @@ suite: Service tests templates: - templates/svc.yaml tests: + - it: should always create a service + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - it: should apply service labels if given + set: + service: + labels: + test: label + asserts: + - isSubset: + path: metadata.labels + content: + test: label + - it: should have no annotations by default + asserts: + - notExists: + path: metadata.annotations + - it: should set annotations if specified with service annotations favored during merge + set: + service: + annotations: + test-merge: value2 + test-svc: value + commonAnnotations: + test-merge: value1 + test-common: value + asserts: + - isSubset: + path: metadata.annotations + content: + test-merge: value2 + test-common: value + test-svc: value - it: should create a service targeting http by default release: name: test-release diff --git a/charts/posit-chronicle/tests_failed/metadata_test.yaml b/charts/posit-chronicle/tests_failed/metadata_test.yaml new file mode 100644 index 000000000..cfe316b2f --- /dev/null +++ b/charts/posit-chronicle/tests_failed/metadata_test.yaml @@ -0,0 +1,19 @@ +suite: Configmap tests +set: + serviceAccount: + create: true +# Unittest cannot use templating for chart values so we need this to be set to a fixed value for testing +chart: + version: 9.9.9+test + appVersion: 9999.9.9 +release: + name: test-release + namespace: test-namespace +tests: + - it: should not render if standard labels are set as common labels + set: + commonLabels: + app.kubernetes.io/part-of: custom-part-of + asserts: + - failedTemplate: + errorPattern: ".*already defined.*" From 7d740edd7fa74e40b5b3b51a62d618981f17a2f4 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 11:05:04 -0600 Subject: [PATCH 24/69] Bump minor version for breaking change --- charts/posit-chronicle/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
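Review bot: `suite: Configmap tests` in tests_failed/metadata_test.yaml looks copied from configmap_test.yaml; the file checks that rendering fails when a standard label is overridden through `commonLabels`, so a name such as `suite: Metadata failure tests` would keep test reports readable. The `errorPattern: ".*already defined.*"` is also loose enough to match unrelated failures. Including the label key in the pattern would pin the intended error, assuming the chart's message names it.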
diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index bae613d8e..26d69551f 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: posit-chronicle description: Official Helm chart for Posit Chronicle Server -version: 0.3.9 +version: 0.4.0 appVersion: 2025.03.0 icon: https://posit.co/wp-content/themes/Posit/dist/images/favicon/apple-touch-icon-180x180.png home: https://www.posit.co From 9b9db4bb21538ca12ede4497ce11c5c719cb736b Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 11:15:47 -0600 Subject: [PATCH 25/69] Update NEWS.md for 0.4.0 --- charts/posit-chronicle/NEWS.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index 9a4113227..ce062b772 100644 --- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md 
@@ -1,5 +1,29 @@ # Changelog +## 0.4.0 + +- Improvements for chart annotations. +- Values changes. + - Replace upper-case values with lower-case to avoid confusion and follow Helm best practices. + - Allow name and namespace overrides in chart values. + - Add common labels and annotations values to apply to all resources. + - Moves default tag source to appVersion, image.tag changed to a blank override. + - Separated an image.registry value from the image.repository value. + - Improve documentation of values.yaml and add a values.schema.json definition for input validation. + - An S3 bucket must now be specified in S3 Storage backend is enabled. +- Changes to chart behavior. + - Resource names are now applied dynamically based on the release name. + - Additional default recommended Kubernetes labels have been applied to all resources. + - Storage configuration is now validated and requires at least one of local or s3 storage be enabled. + - `extraSecretMounts` can now be specified to mount additional secrets, such as certificates, into the pod. + - Storage class can now be overridden on the pod's volume claim template. + - Selector labels definitions between pod and service are now merged into a single definition. Removed the ability to override these values. +- Add unittests for chart templates. +- Various Chart.yaml metadata changes. + - Fix logo URL. + - Add suggestions for compatible product charts. + - Add annotation to include source image used in pod. + ## 0.3.8 - Update documentation and support links. From 30e099cfcce034685752418620333da0e1a8f7b1 Mon Sep 17 00:00:00 2001 
From: Ian Pittwood Date: Fri, 9 May 2025 11:23:56 -0600 Subject: [PATCH 26/69] Add support for extraObjects --- charts/posit-chronicle/NEWS.md | 1 + .../templates/extra-manifests.yaml | 8 ++++++ .../tests/extra-manifests_test.yaml | 28 +++++++++++++++++++ .../posit-chronicle/tests/metadata_test.yaml | 2 ++ .../tests_failed/metadata_test.yaml | 2 ++ charts/posit-chronicle/values.schema.json | 7 +++++ charts/posit-chronicle/values.yaml | 3 ++ 7 files changed, 51 insertions(+) create mode 100644 charts/posit-chronicle/templates/extra-manifests.yaml create mode 100644 charts/posit-chronicle/tests/extra-manifests_test.yaml diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index ce062b772..308688b0e 100644 --- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md @@ -18,6 +18,7 @@ - `extraSecretMounts` can now be specified to mount additional secrets, such as certificates, into the pod. - Storage class can now be overridden on the pod's volume claim template. - Selector labels definitions between pod and service are now merged into a single definition. Removed the ability to override these values. + - Add support for additional custom manifest input via `extraObjects` value. - Add unittests for chart templates. - Various Chart.yaml metadata changes. - Fix logo URL. diff --git a/charts/posit-chronicle/templates/extra-manifests.yaml b/charts/posit-chronicle/templates/extra-manifests.yaml new file mode 100644 index 000000000..aed6ba3cb --- /dev/null +++ b/charts/posit-chronicle/templates/extra-manifests.yaml @@ -0,0 +1,8 @@ +{{ range .Values.extraObjects }} +--- +{{- if typeIs "string" . }} +{{ tpl . $ }} +{{ else }} +{{ tpl (. | toYaml) $ }} +{{- end }} +{{- end }} diff --git a/charts/posit-chronicle/tests/extra-manifests_test.yaml b/charts/posit-chronicle/tests/extra-manifests_test.yaml new file mode 100644 index 000000000..35542cbaa --- /dev/null +++ b/charts/posit-chronicle/tests/extra-manifests_test.yaml 
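Review bot: The `typeIs "string"` branch in extra-manifests.yaml cannot be reached with validated values, because the values.schema.json hunk in this commit restricts `extraObjects` items to `"type": "object"`; either drop the branch or widen the schema to `"type": ["object", "string"]` and add a string case to extra-manifests_test.yaml. Every entry is passed through `tpl` and emitted as a manifest of any kind, so the values.yaml comment should state that entries are templated and that the objects are created with the installing user's permissions. A Secret supplied this way, as in the test, also ends up in the release's stored values, which deserves a line in the same comment.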
@@ -0,0 +1,28 @@ +suite: Extra manifests tests +templates: + - templates/extra-manifests.yaml +tests: + - it: should create extra manifests if specified + set: + extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: test-configmap + data: + test-key: test-value + - apiVersion: v1 + kind: Secret + metadata: + name: test-secret + data: + test-key: dGVzdC12YWx1ZQ== + asserts: + - hasDocuments: + count: 2 + - isKind: + of: ConfigMap + documentIndex: 0 + - isKind: + of: Secret + documentIndex: 1 diff --git a/charts/posit-chronicle/tests/metadata_test.yaml b/charts/posit-chronicle/tests/metadata_test.yaml index 87ef9cbad..1a4032e40 100644 --- a/charts/posit-chronicle/tests/metadata_test.yaml +++ b/charts/posit-chronicle/tests/metadata_test.yaml @@ -1,4 +1,6 @@ suite: Generic metadata tests +excludeTemplates: + - templates/extra-manifests.yaml set: serviceAccount: create: true diff --git a/charts/posit-chronicle/tests_failed/metadata_test.yaml b/charts/posit-chronicle/tests_failed/metadata_test.yaml index cfe316b2f..0a08e6d4c 100644 --- a/charts/posit-chronicle/tests_failed/metadata_test.yaml +++ b/charts/posit-chronicle/tests_failed/metadata_test.yaml @@ -1,4 +1,6 @@ suite: Configmap tests +excludeTemplates: + - templates/extra-manifests.yaml set: serviceAccount: create: true diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index 7bd6f7bff..ab9eb03a5 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json @@ -27,6 +27,13 @@ "type": "string" } }, + "extraObjects": { + "description": "Additional Kubernetes objects to be created", + "type": "array", + "items": { + "type": "object" + } + }, "image": { "description": "Container image specification", "type": "object", diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 5d0ffc6b6..69faa3b14 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml 
@@ -9,6 +9,9 @@ commonLabels: {} # -- Common annotations to add to all resources commonAnnotations: {} +# -- Additional manifests to deploy with the chart +extraObjects: [] + image: # -- The image registry registry: "ghcr.io" From 8060fe1fd66e6e9ee0a33f4404715825af867e21 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 13:30:30 -0600 Subject: [PATCH 27/69] Update maintainer to match organization name --- charts/posit-chronicle/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index 26d69551f..bcec52b77 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -8,7 +8,7 @@ home: https://www.posit.co sources: - https://github.com/rstudio/helm maintainers: - - name: Posit Helm Team + - name: rstudio email: docker@posit.co url: https://github.com/rstudio/helm annotations: From 66fddd39ee99755725e09b9548805e4339094dc8 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 13:39:40 -0600 Subject: [PATCH 28/69] update ignores --- .gitignore | 1 + charts/posit-chronicle/.helmignore | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index b32534288..cc9c4a8d9 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ charts/**/charts/ # helm unittest plugin __snapshot__ +.debug/ bin/** !bin/README.md diff --git a/charts/posit-chronicle/.helmignore b/charts/posit-chronicle/.helmignore index 93f437e0a..eb2b97368 100644 --- a/charts/posit-chronicle/.helmignore +++ b/charts/posit-chronicle/.helmignore @@ -27,3 +27,6 @@ ci/ lint/ tests/ + +# helm unittest debug files +.debug/ From b4dbd7900c9dc43be260f5473183dab3e374fe3d Mon Sep 17 00:00:00 2001 
From: Ian Pittwood Date: Fri, 9 May 2025 14:17:50 -0600 Subject: [PATCH 29/69] Fix statefulset name - Add labels/annotations to statefulset --- charts/posit-chronicle/templates/statefulset.yaml | 9 ++++++++- charts/posit-chronicle/tests/statefulset_test.yaml | 13 +++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index 507dfe37c..d078ac0ee 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -64,7 +64,7 @@ spec: {{- end }} volumeMounts: {{- if .Values.persistence.enabled }} - - name: data + - name: {{ include "posit-chronicle.fullname" . }} mountPath: {{ .Values.server.storage.local.path }} {{- end }} - name: config @@ -118,6 +118,13 @@ spec: kind: PersistentVolumeClaim metadata: name: {{ include "posit-chronicle.fullname" . }} + namespace: {{ include "posit-chronicle.namespace" . }} + labels: + {{- include "posit-chronicle.labels" . | nindent 8 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: accessModes: {{- range .Values.persistence.accessModes }} diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml index 0bdd1e60b..0358440e7 100644 --- a/charts/posit-chronicle/tests/statefulset_test.yaml +++ b/charts/posit-chronicle/tests/statefulset_test.yaml @@ -183,7 +183,7 @@ tests: - containerPort: 5252 name: http volumeMounts: - - name: data + - name: test-release-posit-chronicle mountPath: /opt/chronicle-data - name: config mountPath: /etc/posit-chronicle/posit-chronicle.gcfg @@ -246,7 +246,7 @@ tests: - notContains: path: spec.template.spec.containers[0].volumeMounts content: - name: data + name: test-release-posit-chronicle mountPath: /opt/chronicle-data - it: should mount extra secrets to container if specified set: 
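Review bot: The labels added to the claim template's metadata come from `posit-chronicle.labels`, which includes `helm.sh/chart` and `app.kubernetes.io/version`; both change with every chart or app release. As far as I know a StatefulSet's `volumeClaimTemplates` cannot be modified after creation, so the next `helm upgrade` that bumps either version would be rejected by the API server. Using only the stable labels avoids that: `{{- include "posit-chronicle.selectorLabels" . | nindent 8 }}`. The expectation in statefulset_test.yaml (`@@ -288,6 +288,15 @@`) would need the same trim, and `commonAnnotations` on the template carries the same risk whenever an operator edits them.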
@@ -288,6 +288,15 @@ tests: kind: PersistentVolumeClaim metadata: name: test-release-posit-chronicle + namespace: test-namespace + labels: + app.kubernetes.io/component: server + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: posit-chronicle + app.kubernetes.io/part-of: posit-chronicle + app.kubernetes.io/version: 9999.9.9 + helm.sh/chart: posit-chronicle-9.9.9_test spec: accessModes: - ReadWriteOnce From e7bae5f150dc86ebce3a3195925a73bc463df850 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 13 May 2025 09:10:56 -0600 Subject: [PATCH 30/69] Add support for image SHA digests --- charts/posit-chronicle/templates/statefulset.yaml | 4 ++++ charts/posit-chronicle/tests/statefulset_test.yaml | 8 ++++++++ charts/posit-chronicle/values.schema.json | 3 ++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index d078ac0ee..aa4ce6a35 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -44,7 +44,11 @@ spec: serviceAccountName: {{ include "posit-chronicle.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} + {{- if .Values.image.sha }} + image: "{{ required "An image registry must be specified" .Values.image.registry }}/{{ required "An image repository must be specified" .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}@sha256:{{ .Values.image.sha }}" + {{- else }} image: "{{ required "An image registry must be specified" .Values.image.registry }}/{{ required "An image repository must be specified" .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" + {{- end}} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.pod.command }} command: 
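Review bot: The image reference in the `@@ -44,7 +44,11 @@` hunk is now spelled out twice, once per branch, so the two `required` messages and the tag default have to be kept in sync by hand, and the closing `{{- end}}` lacks the space used elsewhere in this chart. Keeping the existing `image:` line and appending an optional suffix before its closing quote avoids the duplication: `{{- with .Values.image.sha }}@sha256:{{ . }}{{- end }}`. A comment in values.yaml should also state that once `image.sha` is set the digest, not the tag, determines what is pulled, so changing `image.tag` alone no longer changes the running image.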
diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml index 0358440e7..a7cc98c2a 100644 --- a/charts/posit-chronicle/tests/statefulset_test.yaml +++ b/charts/posit-chronicle/tests/statefulset_test.yaml @@ -198,6 +198,14 @@ tests: - equal: path: spec.template.spec.containers[0].image value: "docker.io/rstudio/posit-chronicle:2025.03.0" + - it: should set an image digest sha if provided on the image + set: + image: + sha: 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "ghcr.io/rstudio/chronicle:9999.9.9@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef" - it: should set the image pull policy to Always if given set: image: diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index ab9eb03a5..032da56f4 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json @@ -54,7 +54,8 @@ }, "sha": { "description": "Container image digest", - "type": "string" + "type": "string", + "pattern": "^$|^[a-fA-F0-9]{64}$" }, "pullPolicy": { "description": "Container image pull policy", From 1f58858f834570889fec240258c5c23935abec04 Mon Sep 17 00:00:00 2001 
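Review bot: The `pattern` added for `sha` accepts upper-case hex (`[a-fA-F0-9]`), but sha256 digests in image references are lower-case hex, so an upper-cased value would pass schema validation and then most likely fail only when the runtime parses the image reference. Tightening it to `"pattern": "^$|^[a-f0-9]{64}$"` moves that failure to install time. The description could also say that the value is the bare hex digest without the `sha256:` prefix, because the template adds the prefix itself.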
From: Ian Pittwood Date: Thu, 15 May 2025 09:24:59 -0600 Subject: [PATCH 31/69] Move tests to ci directory --- {charts => ci}/posit-chronicle/tests/configmap_test.yaml | 0 {charts => ci}/posit-chronicle/tests/extra-manifests_test.yaml | 0 {charts => ci}/posit-chronicle/tests/metadata_test.yaml | 0 {charts => ci}/posit-chronicle/tests/serviceaccount_test.yaml | 0 {charts => ci}/posit-chronicle/tests/statefulset_test.yaml | 0 {charts => ci}/posit-chronicle/tests/svc_test.yaml | 0 {charts => ci}/posit-chronicle/tests_failed/configmap_test.yaml | 0 {charts => ci}/posit-chronicle/tests_failed/metadata_test.yaml | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename {charts => ci}/posit-chronicle/tests/configmap_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests/extra-manifests_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests/metadata_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests/serviceaccount_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests/statefulset_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests/svc_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests_failed/configmap_test.yaml (100%) rename {charts => ci}/posit-chronicle/tests_failed/metadata_test.yaml (100%) diff --git a/charts/posit-chronicle/tests/configmap_test.yaml b/ci/posit-chronicle/tests/configmap_test.yaml similarity index 100% rename from charts/posit-chronicle/tests/configmap_test.yaml rename to ci/posit-chronicle/tests/configmap_test.yaml diff --git a/charts/posit-chronicle/tests/extra-manifests_test.yaml b/ci/posit-chronicle/tests/extra-manifests_test.yaml similarity index 100% rename from charts/posit-chronicle/tests/extra-manifests_test.yaml rename to ci/posit-chronicle/tests/extra-manifests_test.yaml 
diff --git a/charts/posit-chronicle/tests/metadata_test.yaml b/ci/posit-chronicle/tests/metadata_test.yaml similarity index 100% rename from charts/posit-chronicle/tests/metadata_test.yaml rename to ci/posit-chronicle/tests/metadata_test.yaml diff --git a/charts/posit-chronicle/tests/serviceaccount_test.yaml b/ci/posit-chronicle/tests/serviceaccount_test.yaml similarity index 100% rename from charts/posit-chronicle/tests/serviceaccount_test.yaml rename to ci/posit-chronicle/tests/serviceaccount_test.yaml diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/ci/posit-chronicle/tests/statefulset_test.yaml similarity index 100% rename from charts/posit-chronicle/tests/statefulset_test.yaml rename to ci/posit-chronicle/tests/statefulset_test.yaml diff --git a/charts/posit-chronicle/tests/svc_test.yaml b/ci/posit-chronicle/tests/svc_test.yaml similarity index 100% rename from charts/posit-chronicle/tests/svc_test.yaml rename to ci/posit-chronicle/tests/svc_test.yaml diff --git a/charts/posit-chronicle/tests_failed/configmap_test.yaml b/ci/posit-chronicle/tests_failed/configmap_test.yaml similarity index 100% rename from charts/posit-chronicle/tests_failed/configmap_test.yaml rename to ci/posit-chronicle/tests_failed/configmap_test.yaml diff --git a/charts/posit-chronicle/tests_failed/metadata_test.yaml b/ci/posit-chronicle/tests_failed/metadata_test.yaml similarity index 100% rename from charts/posit-chronicle/tests_failed/metadata_test.yaml rename to ci/posit-chronicle/tests_failed/metadata_test.yaml From 1d6216ba719d739cc3017f7916a93c8127203c58 Mon Sep 17 00:00:00 2001 
From: Ian Pittwood Date: Thu, 15 May 2025 10:07:44 -0600 Subject: [PATCH 32/69] Revert "Move tests to ci directory" This reverts commit f683f81b88ca6bec5ede4210d0405dae8abf6f9c. --- {ci => charts}/posit-chronicle/tests/configmap_test.yaml | 0 {ci => charts}/posit-chronicle/tests/extra-manifests_test.yaml | 0 {ci => charts}/posit-chronicle/tests/metadata_test.yaml | 0 {ci => charts}/posit-chronicle/tests/serviceaccount_test.yaml | 0 {ci => charts}/posit-chronicle/tests/statefulset_test.yaml | 0 {ci => charts}/posit-chronicle/tests/svc_test.yaml | 0 {ci => charts}/posit-chronicle/tests_failed/configmap_test.yaml | 0 {ci => charts}/posit-chronicle/tests_failed/metadata_test.yaml | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename {ci => charts}/posit-chronicle/tests/configmap_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests/extra-manifests_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests/metadata_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests/serviceaccount_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests/statefulset_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests/svc_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests_failed/configmap_test.yaml (100%) rename {ci => charts}/posit-chronicle/tests_failed/metadata_test.yaml (100%) diff --git a/ci/posit-chronicle/tests/configmap_test.yaml b/charts/posit-chronicle/tests/configmap_test.yaml similarity index 100% rename from ci/posit-chronicle/tests/configmap_test.yaml rename to charts/posit-chronicle/tests/configmap_test.yaml diff --git a/ci/posit-chronicle/tests/extra-manifests_test.yaml b/charts/posit-chronicle/tests/extra-manifests_test.yaml similarity index 100% rename from ci/posit-chronicle/tests/extra-manifests_test.yaml rename to charts/posit-chronicle/tests/extra-manifests_test.yaml 
diff --git a/ci/posit-chronicle/tests/metadata_test.yaml b/charts/posit-chronicle/tests/metadata_test.yaml similarity index 100% rename from ci/posit-chronicle/tests/metadata_test.yaml rename to charts/posit-chronicle/tests/metadata_test.yaml diff --git a/ci/posit-chronicle/tests/serviceaccount_test.yaml b/charts/posit-chronicle/tests/serviceaccount_test.yaml similarity index 100% rename from ci/posit-chronicle/tests/serviceaccount_test.yaml rename to charts/posit-chronicle/tests/serviceaccount_test.yaml diff --git a/ci/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml similarity index 100% rename from ci/posit-chronicle/tests/statefulset_test.yaml rename to charts/posit-chronicle/tests/statefulset_test.yaml diff --git a/ci/posit-chronicle/tests/svc_test.yaml b/charts/posit-chronicle/tests/svc_test.yaml similarity index 100% rename from ci/posit-chronicle/tests/svc_test.yaml rename to charts/posit-chronicle/tests/svc_test.yaml diff --git a/ci/posit-chronicle/tests_failed/configmap_test.yaml b/charts/posit-chronicle/tests_failed/configmap_test.yaml similarity index 100% rename from ci/posit-chronicle/tests_failed/configmap_test.yaml rename to charts/posit-chronicle/tests_failed/configmap_test.yaml diff --git a/ci/posit-chronicle/tests_failed/metadata_test.yaml b/charts/posit-chronicle/tests_failed/metadata_test.yaml similarity index 100% rename from ci/posit-chronicle/tests_failed/metadata_test.yaml rename to charts/posit-chronicle/tests_failed/metadata_test.yaml From 389fb632a986e32ec1e5df215cdcc73062292cf4 Mon Sep 17 00:00:00 2001 
From: Ian Pittwood Date: Thu, 15 May 2025 12:32:54 -0600 Subject: [PATCH 33/69] Revert changes to config value casing and naming --- charts/posit-chronicle/NEWS.md | 1 - charts/posit-chronicle/templates/_helpers.tpl | 4 +- .../posit-chronicle/templates/configmap.yaml | 46 ++--- .../templates/statefulset.yaml | 4 +- charts/posit-chronicle/templates/svc.yaml | 2 +- .../tests/configmap_fail_test.yaml | 46 +++++ .../posit-chronicle/tests/configmap_test.yaml | 88 +++++----- .../tests/statefulset_test.yaml | 18 +- charts/posit-chronicle/tests/svc_test.yaml | 10 +- .../tests_failed/configmap_test.yaml | 58 ------ .../tests_failed/metadata_test.yaml | 21 --- charts/posit-chronicle/values.schema.json | 166 +++++++++--------- charts/posit-chronicle/values.yaml | 75 ++++---- 13 files changed, 244 insertions(+), 295 deletions(-) create mode 100644 charts/posit-chronicle/tests/configmap_fail_test.yaml delete mode 100644 charts/posit-chronicle/tests_failed/configmap_test.yaml delete mode 100644 charts/posit-chronicle/tests_failed/metadata_test.yaml diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index 308688b0e..fb53f491f 100644 --- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md @@ -4,7 +4,6 @@ - Improvements for chart annotations. - Values changes. - - Replace upper-case values with lower-case to avoid confusion and follow Helm best practices. - Allow name and namespace overrides in chart values. - Add common labels and annotations values to apply to all resources. - Moves default tag source to appVersion, image.tag changed to a blank override. diff --git a/charts/posit-chronicle/templates/_helpers.tpl b/charts/posit-chronicle/templates/_helpers.tpl index 5a9918095..c22349901 100644 --- a/charts/posit-chronicle/templates/_helpers.tpl +++ b/charts/posit-chronicle/templates/_helpers.tpl 
@@ -84,9 +84,9 @@ Generate annotations for various resources */}} {{- define "posit-chronicle.pod.annotations" }} {{- $podAnnotations := merge .Values.pod.annotations .Values.commonAnnotations }} -{{- if .Values.server.metrics.enabled }} +{{- if .Values.config.Metrics.Enabled }} {{- $_ := set $podAnnotations "prometheus.io/scrape" "true" }} -{{- if .Values.server.https.enabled }} +{{- if .Values.config.HTTPS.Enabled }} {{- $_ := set $podAnnotations "prometheus.io/port" "443" }} {{- else }} {{- $_ := set $podAnnotations "prometheus.io/port" "5252" }} diff --git a/charts/posit-chronicle/templates/configmap.yaml b/charts/posit-chronicle/templates/configmap.yaml index dd70d227b..ed873e7db 100644 --- a/charts/posit-chronicle/templates/configmap.yaml +++ b/charts/posit-chronicle/templates/configmap.yaml 
@@ -12,49 +12,49 @@ metadata: {{- end }} data: posit-chronicle.gcfg: | - {{- if .Values.server.https.enabled }} + {{- if .Values.config.HTTPS.Enabled }} [HTTPS] Listen = :443 - Certificate = {{ required ".Values.server.https.certificate must be specified when .Values.server.https.enabled is true." .Values.server.https.certificate }} - Key = {{ required ".Values.server.https.key must be specified when .Values.server.https.enabled is true." .Values.server.https.key }} + Certificate = {{ required ".Values.config.HTTPS.Certificate must be specified when .Values.config.HTTPS.Enabled is true." .Values.config.HTTPS.Certificate }} + Key = {{ required ".Values.config.HTTPS.Key must be specified when .Values.config.HTTPS.Enabled is true." .Values.config.HTTPS.Key }} {{- else}} [HTTP] Listen = :5252 {{- end }} [Logging] - ServiceLog = {{ .Values.server.logging.serviceLog }} - ServiceLogLevel = {{ .Values.server.logging.serviceLogLevel }} - ServiceLogFormat = {{ .Values.server.logging.serviceLogFormat }} + ServiceLog = {{ .Values.config.Logging.ServiceLog }} + ServiceLogLevel = {{ .Values.config.Logging.ServiceLogLevel }} + ServiceLogFormat = {{ .Values.config.Logging.ServiceLogFormat }} [Metrics] - Enabled = {{ .Values.server.metrics.enabled }} + Enabled = {{ .Values.config.Metrics.Enabled }} [Profiling] - Enabled = {{ .Values.server.profiling.enabled }} - {{- if .Values.server.profiling.enabled }} - Listen = :{{ .Values.server.profiling.port }} + Enabled = {{ .Values.config.Profiling.Enabled }} + {{- if .Values.config.Profiling.Enabled }} + Listen = :{{ .Values.config.Profiling.Port }} {{- end }} [LocalStorage] - Enabled = {{ .Values.server.storage.local.enabled }} - {{- if .Values.server.storage.local.enabled }} - Location = {{ .Values.server.storage.local.path }} - RetentionPeriod = {{ .Values.server.storage.local.retentionPeriod }} + Enabled = {{ .Values.config.LocalStorage.Enabled }} + {{- if .Values.config.LocalStorage.Enabled }} + Location = {{ 
.Values.config.LocalStorage.Path }} + RetentionPeriod = {{ .Values.config.LocalStorage.RetentionPeriod }} {{- end }} [S3Storage] - Enabled = {{ .Values.server.storage.s3.enabled }} - {{- if .Values.server.storage.s3.enabled }} - Bucket = {{ required "A .Values.server.storage.s3.bucket must be specified when S3 storage is enabled." .Values.server.storage.s3.bucket }} - {{- if ne .Values.server.storage.s3.prefix "" }} - Prefix = {{ .Values.server.storage.s3.prefix }} + Enabled = {{ .Values.config.S3Storage.Enabled }} + {{- if .Values.config.S3Storage.Enabled }} + Bucket = {{ required "A .Values.config.S3Storage.Bucket must be specified when S3 storage is enabled." .Values.config.S3Storage.Bucket }} + {{- if .Values.config.S3Storage.Prefix }} + Prefix = {{ .Values.config.S3Storage.Prefix }} {{- end }} - {{- if ne .Values.server.storage.s3.profile "" }} - Profile = {{ .Values.server.storage.s3.profile }} + {{- if .Values.config.S3Storage.Profile }} + Profile = {{ .Values.config.S3Storage.Profile }} {{- end }} - {{- if ne .Values.server.storage.s3.region "" }} - Region = {{ .Values.server.storage.s3.region }} + {{- if .Values.config.S3Storage.Region }} + Region = {{ .Values.config.S3Storage.Region }} {{- end }} {{- end }} --- diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/statefulset.yaml index aa4ce6a35..34499bb92 100644 --- a/charts/posit-chronicle/templates/statefulset.yaml +++ b/charts/posit-chronicle/templates/statefulset.yaml @@ -59,7 +59,7 @@ spec: {{- tpl (toYaml .) $root | nindent 8 }} {{- end }} ports: - {{- if .Values.server.https.enabled }} + {{- if .Values.config.HTTPS.Enabled }} - containerPort: 443 name: https {{- else}} 
@@ -69,7 +69,7 @@ spec: volumeMounts: {{- if .Values.persistence.enabled }} - name: {{ include "posit-chronicle.fullname" . }} - mountPath: {{ .Values.server.storage.local.path }} + mountPath: {{ .Values.config.LocalStorage.Path }} {{- end }} - name: config mountPath: /etc/posit-chronicle/posit-chronicle.gcfg diff --git a/charts/posit-chronicle/templates/svc.yaml b/charts/posit-chronicle/templates/svc.yaml index 7d5ab4f55..cf6779499 100644 --- a/charts/posit-chronicle/templates/svc.yaml +++ b/charts/posit-chronicle/templates/svc.yaml @@ -20,7 +20,7 @@ spec: selector: {{ include "posit-chronicle.selectorLabels" . | trim | nindent 4 }} ports: - {{- if .Values.server.https.enabled }} + {{- if .Values.config.HTTPS.Enabled }} - port: {{ .Values.service.port }} targetPort: 443 name: https diff --git a/charts/posit-chronicle/tests/configmap_fail_test.yaml b/charts/posit-chronicle/tests/configmap_fail_test.yaml new file mode 100644 index 000000000..dcf6a8b56 --- /dev/null +++ b/charts/posit-chronicle/tests/configmap_fail_test.yaml 
@@ -0,0 +1,46 @@ +suite: Configmap tests +templates: + - templates/configmap.yaml +tests: + - it: should fail if https is enabled but no certificate is specified + set: + config: + HTTPS: + Enabled: true + Key: /etc/ssl/ssl.key + asserts: + - failedTemplate: + errorPattern: ".*Certificate must be specified.*" + - it: should fail if https is enabled but no key is specified + set: + config: + HTTPS: + Enabled: true + Certificate: /etc/ssl/ssl.crt + asserts: + - failedTemplate: + errorPattern: ".*Key must be specified.*" + - it: should fail for invalid log level values + set: + config: + Logging: + ServiceLogLevel: INVALID + asserts: + - failedTemplate: + errorPattern: ".*ServiceLogLevel: Does not match pattern.*" + - it: should fail for invalid log level values + set: + config: + Logging: + ServiceLogFormat: INVALID + asserts: + - failedTemplate: + errorPattern: ".*ServiceLogFormat: Does not match pattern.*" + - it: should fail if S3 is enabled but no bucket is specified + set: + config: + S3Storage: + Enabled: true + asserts: + - failedTemplate: + errorPattern: ".*Bucket must be specified when S3 storage is enabled.*" diff --git a/charts/posit-chronicle/tests/configmap_test.yaml b/charts/posit-chronicle/tests/configmap_test.yaml index d710dc314..c8808f257 100644 --- a/charts/posit-chronicle/tests/configmap_test.yaml +++ b/charts/posit-chronicle/tests/configmap_test.yaml @@ -17,11 +17,11 @@ tests: Listen = :5252 - it: should properly configure https when enabled set: - server: - https: - enabled: true - certificate: /etc/ssl/ssl.crt - key: /etc/ssl/ssl.key + config: + HTTPS: + Enabled: true + Certificate: /etc/ssl/ssl.crt + Key: /etc/ssl/ssl.key asserts: - matchRegex: path: data["posit-chronicle.gcfg"] 
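Review bot: Two cases in the new `configmap_fail_test.yaml` carry the same name, `should fail for invalid log level values`, although the second one sets `ServiceLogFormat`, so a failure report cannot tell them apart. Rename the second to `- it: should fail for invalid log format values`. The case for both local and S3 storage being disabled, present in the deleted `tests_failed/configmap_test.yaml`, has no counterpart here, so that validation is no longer covered by any test.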
@@ -41,11 +41,11 @@ tests: ServiceLogFormat = TEXT - it: should set values for a custom logging configuration set: - server: - logging: - serviceLog: STDERR - serviceLogLevel: DEBUG - serviceLogFormat: JSON + config: + Logging: + ServiceLog: STDERR + ServiceLogLevel: DEBUG + ServiceLogFormat: JSON asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -63,9 +63,9 @@ tests: Enabled = false - it: should enable metrics when specified set: - server: - metrics: - enabled: true + config: + Metrics: + Enabled: true asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -81,9 +81,9 @@ tests: Enabled = false - it: should enable profiling when specified set: - server: - profiling: - enabled: true + config: + Profiling: + Enabled: true asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -93,10 +93,10 @@ tests: Listen = :3030 - it: should set the profiling listening port when specified set: - server: - profiling: - enabled: true - port: 3131 + config: + Profiling: + Enabled: true + Port: 3131 asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -115,11 +115,10 @@ tests: RetentionPeriod = 30d - it: should set values for a custom local storage configuration set: - server: - storage: - local: - path: /custom/data/path - retentionPeriod: 60d + config: + LocalStorage: + Path: /custom/data/path + RetentionPeriod: 60d asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -130,14 +129,13 @@ tests: RetentionPeriod = 60d - it: should disable local storage when specified set: - server: - storage: - local: - enabled: false - # One of these must be set to true - s3: - enabled: true - bucket: test + config: + LocalStorage: + Enabled: false + # One of these must be set to true + S3Storage: + Enabled: true + Bucket: test asserts: - matchRegex: path: data["posit-chronicle.gcfg"] 
@@ -151,11 +149,10 @@ tests: RetentionPeriod = 30d - it: should enable and configure S3 storage when specified set: - server: - storage: - s3: - enabled: true - bucket: test + config: + S3Storage: + Enabled: true + Bucket: test asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -171,14 +168,13 @@ tests: Region = .* - it: should add extra options to S3 when specified set: - server: - storage: - s3: - enabled: true - bucket: test - prefix: test-prefix - profile: test-profile - region: test-region + config: + S3Storage: + Enabled: true + Bucket: test + Prefix: test-prefix + Profile: test-profile + Region: test-region asserts: - matchRegex: path: data["posit-chronicle.gcfg"] diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml index a7cc98c2a..bf420f15e 100644 --- a/charts/posit-chronicle/tests/statefulset_test.yaml +++ b/charts/posit-chronicle/tests/statefulset_test.yaml @@ -90,9 +90,9 @@ tests: test-pod: value - it: should set prometheus pod annotations when metrics are enabled set: - server: - metrics: - enabled: true + config: + Metrics: + Enabled: true asserts: - isSubset: path: spec.template.metadata.annotations @@ -171,12 +171,6 @@ tests: path: spec.template.spec.containers content: name: posit-chronicle - command: - - /chronicle - args: - - start - - -c - - /etc/posit-chronicle/posit-chronicle.gcfg image: "ghcr.io/rstudio/chronicle:9999.9.9" imagePullPolicy: IfNotPresent ports: @@ -231,9 +225,9 @@ tests: value: ["-c", "echo \"Hello world\""] - it: should open https port on container if enabled set: - server: - https: - enabled: true + config: + HTTPS: + Enabled: true asserts: - equal: path: spec.template.spec.containers[0].ports diff --git a/charts/posit-chronicle/tests/svc_test.yaml b/charts/posit-chronicle/tests/svc_test.yaml index 4e06a6d85..87d1966e4 100644 --- a/charts/posit-chronicle/tests/svc_test.yaml +++ b/charts/posit-chronicle/tests/svc_test.yaml 
@@ -73,11 +73,11 @@ tests: name: test-release namespace: test-namespace set: - server: - https: - enabled: true - certificate: test-cert - key: test-key + config: + HTTPS: + Enabled: true + Certificate: test-cert + Key: test-key asserts: - isKind: of: Service diff --git a/charts/posit-chronicle/tests_failed/configmap_test.yaml b/charts/posit-chronicle/tests_failed/configmap_test.yaml deleted file mode 100644 index 31f4b7b3e..000000000 --- a/charts/posit-chronicle/tests_failed/configmap_test.yaml +++ /dev/null @@ -1,58 +0,0 @@ -suite: Configmap tests -templates: - - templates/configmap.yaml -tests: - - it: should fail if https is enabled but no certificate is specified - set: - server: - https: - enabled: true - key: /etc/ssl/ssl.key - asserts: - - failedTemplate: - errorPattern: ".*certificate must be specified.*" - - it: should fail if https is enabled but no key is specified - set: - server: - https: - enabled: true - certificate: /etc/ssl/ssl.crt - asserts: - - failedTemplate: - errorPattern: ".*key must be specified.*" - - it: should fail for invalid log level values - set: - server: - logging: - serviceLogLevel: INVALID - asserts: - - failedTemplate: - errorPattern: ".*serviceLogLevel must match pattern.*" - - it: should fail for invalid log level values - set: - server: - logging: - serviceLogFormat: INVALID - asserts: - - failedTemplate: - errorPattern: ".*serviceLogFormat must match pattern.*" - - it: should fail if both local and S3 storage are disabled - set: - server: - storage: - local: - enabled: false - s3: - enabled: false - asserts: - - failedTemplate: - errorPattern: ".*at least one of local or S3 storage must be enabled.*" - - it: should fail if S3 is enabled but no bucket is specified - set: - server: - storage: - s3: - enabled: true - asserts: - - failedTemplate: - errorPattern: ".*bucket must be specified when S3 storage is enabled.*" 
diff --git a/charts/posit-chronicle/tests_failed/metadata_test.yaml b/charts/posit-chronicle/tests_failed/metadata_test.yaml deleted file mode 100644 index 0a08e6d4c..000000000 --- a/charts/posit-chronicle/tests_failed/metadata_test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -suite: Configmap tests -excludeTemplates: - - templates/extra-manifests.yaml -set: - serviceAccount: - create: true -# Unittest cannot use templating for chart values so we need this to be set to a fixed value for testing -chart: - version: 9.9.9+test - appVersion: 9999.9.9 -release: - name: test-release - namespace: test-namespace -tests: - - it: should not render if standard labels are set as common labels - set: - commonLabels: - app.kubernetes.io/part-of: custom-part-of - asserts: - - failedTemplate: - errorPattern: ".*already defined.*" diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index 032da56f4..303bb5c6c 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json 
@@ -272,47 +272,47 @@ ] } }, - "server": { + "config": { "description": "Chronicle server configuration", "type": "object", "properties": { - "https": { + "HTTPS": { "description": "Configuration for using HTTPS", "type": "object", "properties": { - "enabled": { + "Enabled": { "description": "Enable HTTPS", "type": "boolean" }, - "certificate": { + "Certificate": { "description": "Path to the certificate file", "type": "string" }, - "key": { + "Key": { "description": "Path to the key file", "type": "string" } } }, - "metrics": { + "Metrics": { "description": "Configuration for Prometheus metrics", "type": "object", "properties": { - "enabled": { + "Enabled": { "description": "Enable metrics", "type": "boolean" } } }, - "profiling": { + "Profiling": { "description": "Configuration for profiling server", "type": "object", "properties": { - "enabled": { + "Enabled": { "description": "Enable profiling", "type": "boolean" }, - "port": { + "Port": { "description": "Port for profiling server", "type": "integer", "default": 3030, 
@@ -321,119 +321,113 @@ } } }, - "logging": { + "Logging": { "description": "Configuration for logging", "type": "object", "properties": { - "serviceLog": { + "ServiceLog": { "description": "Logging output destination", "type": "string" }, - "serviceLogLevel": { + "ServiceLogLevel": { "description": "Logging level", "type": "string", "pattern": "(?i)^(trace|debug|info|warn|error)$" }, - "format": { + "ServiceLogFormat": { "description": "Logging format", "type": "string", "pattern": "(?i)^(json|text)$" } } }, - "storage": { + "LocalStorage": { + "description": "Configuration for local storage", + "type": "object", + "properties": { + "enabled": { + "description": "Enable local storage", + "type": "boolean", + "default": true + }, + "path": { + "description": "Path to the local storage directory", + "type": "string", + "default": "/opt/chronicle-data" + }, + "retentionPeriod": { + "description": "Retention period for local storage", + "type": "string", + "default": "30d" + } + } + }, + "S3Storage": { "description": "Configuration for storage", "type": "object", "properties": { - "local": { - "description": "Configuration for local storage", - "type": "object", + "Enabled": { + "description": "Enable S3 storage", + "type": "boolean", + "default": false + }, + "Bucket": { + "description": "S3 bucket name", + "type": "string" + }, + "Prefix": { + "description": "S3 bucket path prefix for storing data", + "type": "string" + }, + "Profile": { + "description": "S3 secret access key", + "type": "string" + }, + "Region": { + "description": "S3 region", + "type": "string" + }, + "if": { "properties": { "enabled": { - "description": "Enable local storage", - "type": "boolean", - "default": true - }, - "path": { - "description": "Path to the local storage directory", - "type": "string", - "default": "/opt/chronicle-data" - }, - "retentionPeriod": { - "description": "Retention period for local storage", - "type": "string", - "default": "30d" + "const": true } } }, - "s3": { - 
"description": "Configuration for S3 storage", - "type": "object", + "then": { "properties": { - "enabled": { - "description": "Enable S3 storage", - "type": "boolean", - "default": false - }, "bucket": { - "description": "S3 bucket name", - "type": "string" - }, - "region": { - "description": "S3 region", - "type": "string" - }, - "accessKeyId": { - "description": "S3 access key ID", - "type": "string" - }, - "secretAccessKey": { - "description": "S3 secret access key", - "type": "string" - } - }, - "if": { - "properties": { - "enabled": { - "const": true - } - } - }, - "then": { - "properties": { - "bucket": { - "minLength": 3 - } + "minLength": 3 } } } - }, - "anyOf": [ - { + } + } + }, + "anyOf": [ + { + "properties": { + "LocalStorage": { "properties": { - "local": { - "properties": { - "enabled": { - "const": true - } - } + "enabled": { + "const": true } } - }, - { + } + } + }, + { + "properties": { + "S3Storage": { "properties": { - "s3": { - "properties": { - "enabled": { - "const": true - } - } + "enabled": { + "const": true } } } - ] + } } - } + ] } }, "title": "Values", diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 69faa3b14..3c19a8dcf 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -48,9 +48,9 @@ service: replicas: 1 pod: - # -- The command and args to run in the chronicle-server container - command: ["/chronicle"] - args: ["start", "-c", "/etc/posit-chronicle/posit-chronicle.gcfg"] + # -- The command and args to run in the chronicle-server container, defaults to the image entrypoint and args + command: [] + args: [] # -- Optional environment variables env: [] # -- Additional annotations to add to the chronicle-server pods 
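Review bot: The storage validation in the `@@ -321,119 +321,113 @@` hunk no longer matches the renamed values: `LocalStorage` declares `enabled`, `path` and `retentionPeriod`, and the `anyOf` branches and the `if`/`then` test `enabled` and `bucket`, while values.yaml and the templates use `Enabled`, `Path`, `RetentionPeriod` and `Bucket`. Because a `properties` constraint on an absent key passes, the `anyOf` appears to accept a configuration with both storage backends disabled, and the `minLength` on the bucket is never applied. As far as the nesting can be read from the hunk, `if` and `then` also sit inside the `properties` object of `S3Storage`, where they would be treated as property names rather than keywords. Use the capitalised names throughout, move `if`/`then` next to `properties`, and add `"required": ["Enabled"]` to each `anyOf` branch; the `Profile` description (`S3 secret access key`) should describe the AWS profile name instead.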
@@ -107,49 +107,48 @@ extraSecretMounts: [] # Configurations for the underlying Chronicle server instance # ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html # -server: - https: +config: + HTTPS: # If https.enabled=true, ignore any http # values and enable https in the config instead # -- If set to true, Chronicle will use HTTPS instead of HTTP - enabled: false + Enabled: false # -- Path to a PEM encoded TLS certificate file - certificate: "" + Certificate: "" # -- Path to a PEM encoded private key file corresponding to the specified certificate - key: "" - metrics: + Key: "" + Metrics: # -- If set to true, Chronicle will expose a metrics endpoint for Prometheus - enabled: false - profiling: + Enabled: false + Profiling: # -- If set to true, Chronicle will expose a pprof profiling server - enabled: false + Enabled: false # -- The port to use for the profiling server - port: 3030 - logging: + Port: 3030 + Logging: # -- Specified the output for log messages, can be one of "STDOUT", "STDERR", or a file path - serviceLog: "STDOUT" + ServiceLog: "STDOUT" # -- The log level for the service, can be one of "TRACE", "DEBUG", "INFO", "WARN", or "ERROR" - serviceLogLevel: "INFO" + ServiceLogLevel: "INFO" # -- The log format for the service, can be one of "TEXT" or "JSON" - serviceLogFormat: "TEXT" - storage: - # -- Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section - local: - # -- If set to true, Chronicle will use a local path for data storage - enabled: true - # -- The path to the local storage location - path: "/opt/chronicle-data" - # -- The retention period for data before it is purged - retentionPeriod: "30d" - # -- Configuration for S3 data storage with Chronicle - s3: - # -- If set to true, Chronicle will use S3 for data storage - enabled: false - # -- The S3 bucket to use for storage - bucket: "" - # -- (Optional) the prefix to use when writing to the S3 bucket, defaults 
to the bucket root - prefix: "" - # -- (Optional) the profile to use when writing to the S3 bucket, defaults is to use the `AWS_PROFILE` env var - profile: "" - # -- (Optional) the region to use when writing to the S3 bucket, defaults is to use the `AWS_REGION` env var - region: "" + ServiceLogFormat: "TEXT" + # -- Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section + LocalStorage: + # -- If set to true, Chronicle will use a local path for data storage. This should be used in conjunction with persistence. + Enabled: true + # -- The path to the local storage location + Path: "/opt/chronicle-data" + # -- The retention period for data before it is purged + RetentionPeriod: "30d" + # -- Configuration for S3 data storage with Chronicle + S3Storage: + # -- If set to true, Chronicle will use S3 for data storage + Enabled: false + # -- The S3 bucket to use for storage + Bucket: "" + # -- (Optional) the prefix to use when writing to the S3 bucket, defaults to the bucket root + Prefix: "" + # -- (Optional) the profile to use when writing to the S3 bucket, defaults is to use the `AWS_PROFILE` env var + Profile: "" + # -- (Optional) the region to use when writing to the S3 bucket, defaults is to use the `AWS_REGION` env var + Region: "" From 9450e400d52a5f1e580f2143b2159dd8c76ebb26 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Thu, 15 May 2025 12:41:44 -0600 Subject: [PATCH 34/69] Revert file rename for diffing, it's unnecessary --- .../templates/{statefulset.yaml => stateful-set.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename charts/posit-chronicle/templates/{statefulset.yaml => stateful-set.yaml} (100%) diff --git a/charts/posit-chronicle/templates/statefulset.yaml b/charts/posit-chronicle/templates/stateful-set.yaml similarity index 100% rename from charts/posit-chronicle/templates/statefulset.yaml rename to charts/posit-chronicle/templates/stateful-set.yaml 
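Review bot: The context comment `# If https.enabled=true, ignore any http` still names the old key after the move from `server.https.*` to `config.HTTPS.*`; it should read `# If config.HTTPS.Enabled=true, ignore any http`. More importantly for upgrades, an existing values file that sets `server.https.enabled: true` would no longer match any key. Unless the schema or templates reject unknown top-level keys (not visible in this hunk), the release would fall back to `Enabled: false` and serve plain HTTP without an error. Consider a template `fail` guard on `.Values.server` or an explicit breaking-change entry in NEWS.md.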
From 86c4f84f06dfb802dde9024e1ba6c59fde492901 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Thu, 15 May 2025 13:21:21 -0600 Subject: [PATCH 35/69] Update README template with changes and additional info --- charts/posit-chronicle/README.md.gotmpl | 110 +++++++++++++++++------- charts/posit-chronicle/values.yaml | 6 +- 2 files changed, 83 insertions(+), 33 deletions(-) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index eedebb761..4240ae509 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl @@ -13,7 +13,8 @@ This chart deploys only the Chronicle server and is meant to be used in tandem with the Workbench and Connect charts. To actually send data to the server, you will need to run the Chronicle agent as a sidecar container on your -Workbench or Connect server pods by setting `pod.sidecar` in their respective `values.yaml` files +Workbench or Connect server pods by adding a native sidecar Chronicle agent +definition to the `initContainers` value in their respective `values.yaml` files. Here is an example of Helm values to run the agent sidecar in **Workbench**, where we set up a shared volume between containers for audit logs: 
@@ -28,46 +29,78 @@ pod: volumeMounts: - name: logs mountPath: "/var/lib/rstudio-server/audit" - sidecar: - - name: chronicle-agent - image: ghcr.io/rstudio/chronicle-agent:2025.03.0 - volumeMounts: +initContainers: + - name: chronicle-agent + image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} + volumeMounts: - name: logs mountPath: "/var/lib/rstudio-server/audit" - env: + env: - name: CHRONICLE_SERVER_ADDRESS - value: "http://chronicle-server.default" + value: "http://." ``` And here is an example of Helm values for Connect, where a **Connect** API key from a Kubernetes Secret is used to unlock more detailed metrics: ```yaml -pod: - sidecar: - - name: chronicle-agent - image: ghcr.io/rstudio/chronicle-agent:2025.03.0 - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://chronicle-server.default" - - name: CONNECT_API_KEY - valueFrom: - secretKeyRef: - name: connect - key: apikey +initContainers: +- name: chronicle-agent + image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://." + - name: CONNECT_API_KEY + valueFrom: + secretKeyRef: + name: connect + key: apikey ``` -Note that it is up to the user to provision this Kubernetes Secret for the -Connect API key. +It is up to the user to provision this Kubernetes Secret for the +Connect API key. The `extraObjects` value in the Connect chart can be used to +create the secret and mount it to the Chronicle agent container. Due to the +nature of the Chronicle agent, the pod may need to be restarted to pick up +changes to the secret after initial deployment. + +## HTTPS Configuration + +Chronicle can be configured to use HTTPS for secure communication. The +`config.HTTPS` section of the configuration allows you to specify the certificate +and key files to use for HTTPS. Both `config.HTTPS.Certificate` and +`config.HTTPS.Key` are expected to be paths to files accessible by Chronicle. 
+The `extraSecretMounts` value can be used to mount the certificate and key files +into the Chronicle pod. Here is an example of how to do this, assuming that +the certificate and key files are stored together in a Kubernetes TLS secret: + +```yaml +extraSecretMounts: + - name: chronicle-https + mountPath: /etc/chronicle/ssl + secretName: chronicle-https + items: + - key: tls.crt + - key: tls.key +config: + HTTPS: + Enabled: true + Certificate: "/etc/chronicle/ssl/tls.crt" + Key: "/etc/chronicle/ssl/tls.key" +``` ## Storage Configuration -Chronicle can be configured to persist data to a local Kubernetes Volume, AWS S3, or both. +Chronicle can be configured to persist data to local storage, AWS S3, or both. -The default configuration uses a local volume, which is suitable if you'd like to -access and analyze the data within your cluster: +The default configuration uses a local volume with persistence enabled, which +is suitable if you'd like to access and analyze the data within your cluster: ```yaml +persistence: + enabled: true + accessModes: + - ReadWriteOnce + size: 10Gi config: LocalStorage: Enabled: true 
@@ -75,12 +108,22 @@ config: RetentionPeriod: "30d" ``` -`retentionPeriod` controls how long usage data are kept. For example, `"120m"` -for 120 minutes, `"36h"` for 36 hours, `14d` for two weeks, or `"0"` for unbounded retention. -(Units smaller than seconds or larger than days are not supported.) +The `persistence` section configures the persistent volume claim in the +cluster while the `config.LocalStorage` section directly applies to Chronicle's +configuration file. The persistent volume will always mount to the path specified +by `config.LocalStorage.Path` to avoid potential misconfiguration and data loss. + +By default, Chronicle requests 10Gi of storage. In most cases, this amount of +storage should be sufficient for thirty days of monitoring data. Organizations +are responsible for managing the size of the persistent volume. + +`retentionPeriod` controls how long usage data is retained. For example, `"120m"` +for 120 minutes, `"36h"` for 36 hours, `14d` for two weeks, or `"0"` for unbounded +retention. Units smaller than seconds or larger than days are not currently +supported. `retentionPeriod` does not apply to other types of data stored by +Chronicle. -You can also persist data to AWS S3 instead of (or in addition to) local -storage: +You can also persist data to AWS S3 in place of or in tandem with local storage: ```yaml config: @@ -90,7 +133,7 @@ config: Region: "us-east-2" ``` -### Using Iam for S3 +### Using IAM roles for S3 access If you are running on EKS, you can use [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) @@ -118,7 +161,6 @@ config: Region: "us-east-2" ``` - ### Needed S3 Policy Permissions The credentials Chronicle uses for S3 storage must have the following permissions enabled: 
@@ -128,6 +170,12 @@ The credentials Chronicle uses for S3 storage must have the following permission - `s3:PutObject` - `s3:DeleteObject` +## Additional Configuration + +Chronicle has a multitude of configuration options not specifically mentioned in this +README. For a complete list of configuration options, please refer to the +[Chronicle documentation](https://docs.posit.co/chronicle/). + {{ template "chart.valuesSection" . }} {{ template "helm-docs.versionFooter" . }} diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 3c19a8dcf..236c46032 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -100,9 +100,11 @@ extraSecretMounts: [] # this option can be used to mount secrets such as an SSL certificate and key into the pod # - name: "ssl" # secretName: "chronicle-ssl" -# mountPath: "/etc/ssl" -# readOnly: true +# mountPath: "/etc/chronicle/ssl" # optional: false +# items: +# - key: "tls.crt" +# - key: "tls.key" # Configurations for the underlying Chronicle server instance # ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html From d63e4508ed202780c48020e8a740c2eeaed71762 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Thu, 15 May 2025 13:25:32 -0600 Subject: [PATCH 36/69] Add README update to NEWS.md --- charts/posit-chronicle/NEWS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index fb53f491f..d557af88f 100644 --- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md @@ -23,6 +23,7 @@ - Fix logo URL. - Add suggestions for compatible product charts. - Add annotation to include source image used in pod. +- Update README.md and other documentation to reflect changes. ## 0.3.8 From b3c9297ef9bb13f35e9da577019f4861188fc7a9 Mon Sep 17 00:00:00 2001 
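Review bot: The example `items` entries in the `extraSecretMounts` comment carry only `key`, but a Kubernetes secret volume item needs both `key` and `path`, so copying this block may fail at apply time unless the chart's template fills in `path` itself (not visible here). The same shape appears in the README.md.gotmpl HTTPS example in this commit. Suggest `#   - key: "tls.crt"` followed by `#     path: "tls.crt"`, and likewise for `tls.key`. The example also drops `readOnly: true`; keeping that line documents that the private-key mount is not meant to be writable.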
From: GitHub Actions Date: Thu, 15 May 2025 19:26:28 +0000 Subject: [PATCH 37/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 159 ++----------------------------- 1 file changed, 8 insertions(+), 151 deletions(-) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index 991e2afbc..bd86686d3 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md @@ -1,6 +1,6 @@ # Posit Chronicle -![Version: 0.3.8](https://img.shields.io/badge/Version-0.3.8-informational?style=flat-square) ![AppVersion: 2025.03.0](https://img.shields.io/badge/AppVersion-2025.03.0-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2025.03.0](https://img.shields.io/badge/AppVersion-2025.03.0-informational?style=flat-square) #### _Official Helm chart for Posit Chronicle Server_ @@ -25,11 +25,11 @@ To ensure a stable production deployment: ## Installing the chart -To install the chart with the release name `my-release` at version 0.3.8: +To install the chart with the release name `my-release` at version 0.4.0: ```{.bash} helm repo add rstudio https://helm.rstudio.com -helm upgrade --install my-release rstudio/posit-chronicle --version=0.3.8 +helm upgrade --install my-release rstudio/posit-chronicle --version=0.4.0 ``` To explore other chart versions, look at: 
@@ -43,7 +43,8 @@ helm search repo rstudio/posit-chronicle -l This chart deploys only the Chronicle server and is meant to be used in tandem with the Workbench and Connect charts. To actually send data to the server, you will need to run the Chronicle agent as a sidecar container on your -Workbench or Connect server pods by setting `pod.sidecar` in their respective `values.yaml` files +Workbench or Connect server pods by adding a native sidecar Chronicle agent +definition to the `initContainers` value in their respective `values.yaml` files. Here is an example of Helm values to run the agent sidecar in **Workbench**, where we set up a shared volume between containers for audit logs: 
@@ -58,150 +59,6 @@ pod: volumeMounts: - name: logs mountPath: "/var/lib/rstudio-server/audit" - sidecar: - - name: chronicle-agent - image: ghcr.io/rstudio/chronicle-agent:2025.03.0 - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://chronicle-server.default" -``` - -And here is an example of Helm values for Connect, where a **Connect** -API key from a Kubernetes Secret is used to unlock more detailed metrics: - -```yaml -pod: - sidecar: - - name: chronicle-agent - image: ghcr.io/rstudio/chronicle-agent:2025.03.0 - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://chronicle-server.default" - - name: CONNECT_API_KEY - valueFrom: - secretKeyRef: - name: connect - key: apikey -``` - -Note that it is up to the user to provision this Kubernetes Secret for the -Connect API key. - -## Storage Configuration - -Chronicle can be configured to persist data to a local Kubernetes Volume, AWS S3, or both. - -The default configuration uses a local volume, which is suitable if you'd like to -access and analyze the data within your cluster: - -```yaml -config: - LocalStorage: - Enabled: true - Location: "/chronicle-data" - RetentionPeriod: "30d" -``` - -`retentionPeriod` controls how long usage data are kept. For example, `"120m"` -for 120 minutes, `"36h"` for 36 hours, `14d` for two weeks, or `"0"` for unbounded retention. -(Units smaller than seconds or larger than days are not supported.) - -You can also persist data to AWS S3 instead of (or in addition to) local -storage: - -```yaml -config: - S3Storage: - Enabled: true - Bucket: "posit-chronicle" - Region: "us-east-2" -``` - -### Using Iam for S3 - -If you are running on EKS, you can use [IAM Roles for Service -Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) -to manage the credentials needed to access S3. 
In this scenario, once you have [created an IAM -role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), -you can use this role as an annotation on the existing Service Account: - -```yaml -serviceaccount: - create: true - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here -``` - -If you are unable to use IAM Roles for Service Accounts, there are any number of -alternatives for injecting AWS credentials into a container. As a fallback, -the S3 storage config allows specifying a profile: - -```yaml -config: - S3Storage: - Enabled: true - Bucket: "posit-chronicle" - Profile: "my-aws-account" - Region: "us-east-2" -``` - -### Needed S3 Policy Permissions - -The credentials Chronicle uses for S3 storage must have the following permissions enabled: - -- `s3:GetObject` -- `s3:ListBucket` -- `s3:PutObject` -- `s3:DeleteObject` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| config.HTTPS.Certificate | string | `""` | | -| config.HTTPS.Enabled | bool | `false` | | -| config.HTTPS.Key | string | `""` | | -| config.LocalStorage.Enabled | bool | `true` | | -| config.LocalStorage.Location | string | `"./chronicle-data"` | | -| config.LocalStorage.RetentionPeriod | string | `"30d"` | | -| config.Logging.ServiceLog | string | `"STDOUT"` | | -| config.Logging.ServiceLogFormat | string | `"TEXT"` | | -| config.Logging.ServiceLogLevel | string | `"INFO"` | | -| config.Metrics.Enabled | bool | `true` | | -| config.Profiling.Enabled | bool | `false` | | -| config.S3Storage.Bucket | string | `"posit-chronicle"` | | -| config.S3Storage.Enabled | bool | `false` | | -| config.S3Storage.Prefix | string | `""` | | -| config.S3Storage.Profile | string | `""` | | -| config.S3Storage.Region | string | `"us-east-2"` | | -| image.imagePullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"ghcr.io/rstudio/chronicle"` | | -| image.tag | 
string | `"2025.03.0"` | | -| nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition | -| pod.affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | -| pod.annotations | object | `{}` | Additional annotations to add to the chronicle-server pods | -| pod.args[0] | string | `"start"` | | -| pod.args[1] | string | `"-c"` | | -| pod.args[2] | string | `"/etc/posit-chronicle/posit-chronicle.gcfg"` | | -| pod.command | string | `"/chronicle"` | The command and args to run in the chronicle-server container | -| pod.env | list | `[]` | Optional environment variables | -| pod.labels | object | `{}` | Additional labels to add to the chronicle-server pods | -| pod.selectorLabels | object | `{}` | Additional selector labels to add to the chronicle-server pods | -| pod.terminationGracePeriodSeconds | int | `30` | The termination grace period seconds allowed for the pod before shutdown | -| pod.tolerations | list | `[]` | An array used verbatim as the pod's "tolerations" definition | -| replicas | int | `1` | The number of replica pods to maintain for this service | -| service.annotations | object | `{}` | Additional annotations to add to the chronicle-server service | -| service.labels | object | `{}` | Additional labels to add to the chronicle-server service | -| service.port | int | `80` | The port to use for the REST service | -| service.selectorLabels | object | `{}` | Additional selector labels to add to the chronicle-server service | -| serviceaccount.annotations | object | `{}` | Additional annotations to add to the chronicle-server serviceaccount | -| serviceaccount.create | bool | `false` | | -| serviceaccount.labels | object | `{}` | Additional labels to add to the chronicle-server serviceaccount | -| storage.persistentVolumeSize | string | `"1Gi"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs 
v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) - +initContainers: + - name: chronicle-agent + image: ghcr.io/rstudio/chronicle-agent: \ No newline at end of file From 2d31ba16d4431085dfcbb57f646ad02c608aff8a Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 10:38:48 -0600 Subject: [PATCH 38/69] Change command to an array of strings --- charts/posit-chronicle/lint/complex-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/lint/complex-values.yaml b/charts/posit-chronicle/lint/complex-values.yaml index 1ce6f22b3..cf2699b88 100644 --- a/charts/posit-chronicle/lint/complex-values.yaml +++ b/charts/posit-chronicle/lint/complex-values.yaml @@ -23,7 +23,7 @@ service: pod: replicas: 4 - command: "/bash" + command: ["/bash"] args: ["echo", "hello world"] # -- Optional environment variables env: From 3b3ff9c9503b32bce0c28200b1ea557f158621e0 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 11:15:07 -0600 Subject: [PATCH 39/69] Remove template prefixes --- charts/posit-chronicle/tests/configmap_fail_test.yaml | 2 +- charts/posit-chronicle/tests/configmap_test.yaml | 2 +- charts/posit-chronicle/tests/extra-manifests_test.yaml | 2 +- charts/posit-chronicle/tests/metadata_test.yaml | 2 +- charts/posit-chronicle/tests/serviceaccount_test.yaml | 2 +- charts/posit-chronicle/tests/statefulset_test.yaml | 2 +- charts/posit-chronicle/tests/svc_test.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/posit-chronicle/tests/configmap_fail_test.yaml b/charts/posit-chronicle/tests/configmap_fail_test.yaml index dcf6a8b56..402dc91f3 100644 --- a/charts/posit-chronicle/tests/configmap_fail_test.yaml +++ b/charts/posit-chronicle/tests/configmap_fail_test.yaml @@ -1,6 +1,6 @@ suite: Configmap tests templates: - - templates/configmap.yaml + - configmap.yaml tests: - it: should fail if https is enabled but no certificate is specified set: 
diff --git a/charts/posit-chronicle/tests/configmap_test.yaml b/charts/posit-chronicle/tests/configmap_test.yaml index c8808f257..6861f8887 100644 --- a/charts/posit-chronicle/tests/configmap_test.yaml +++ b/charts/posit-chronicle/tests/configmap_test.yaml @@ -1,6 +1,6 @@ suite: Configmap tests templates: - - templates/configmap.yaml + - configmap.yaml tests: - it: should always create a config map asserts: diff --git a/charts/posit-chronicle/tests/extra-manifests_test.yaml b/charts/posit-chronicle/tests/extra-manifests_test.yaml index 35542cbaa..8f2438274 100644 --- a/charts/posit-chronicle/tests/extra-manifests_test.yaml +++ b/charts/posit-chronicle/tests/extra-manifests_test.yaml @@ -1,6 +1,6 @@ suite: Extra manifests tests templates: - - templates/extra-manifests.yaml + - extra-manifests.yaml tests: - it: should create extra manifests if specified set: diff --git a/charts/posit-chronicle/tests/metadata_test.yaml b/charts/posit-chronicle/tests/metadata_test.yaml index 1a4032e40..8b5bc267f 100644 --- a/charts/posit-chronicle/tests/metadata_test.yaml +++ b/charts/posit-chronicle/tests/metadata_test.yaml @@ -1,6 +1,6 @@ suite: Generic metadata tests excludeTemplates: - - templates/extra-manifests.yaml + - extra-manifests.yaml set: serviceAccount: create: true diff --git a/charts/posit-chronicle/tests/serviceaccount_test.yaml b/charts/posit-chronicle/tests/serviceaccount_test.yaml index f5036e7e6..d9209fc69 100644 --- a/charts/posit-chronicle/tests/serviceaccount_test.yaml +++ b/charts/posit-chronicle/tests/serviceaccount_test.yaml @@ -1,6 +1,6 @@ suite: Service account tests templates: - - templates/serviceaccount.yaml + - serviceaccount.yaml tests: - it: should skip creation by default asserts: diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml index bf420f15e..cbcd0659b 100644 --- a/charts/posit-chronicle/tests/statefulset_test.yaml +++ b/charts/posit-chronicle/tests/statefulset_test.yaml 
@@ -1,6 +1,6 @@ suite: Stateful set tests templates: - - templates/statefulset.yaml + - stateful-set.yaml # Unittest cannot use templating for chart values so we need this to be set to a fixed value for testing chart: version: 9.9.9+test diff --git a/charts/posit-chronicle/tests/svc_test.yaml b/charts/posit-chronicle/tests/svc_test.yaml index 87d1966e4..ba0007043 100644 --- a/charts/posit-chronicle/tests/svc_test.yaml +++ b/charts/posit-chronicle/tests/svc_test.yaml @@ -1,6 +1,6 @@ suite: Service tests templates: - - templates/svc.yaml + - svc.yaml tests: - it: should always create a service asserts: From 2975be27241d5042120d8a5400ba68b6c0855fcc Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 09:45:32 -0600 Subject: [PATCH 40/69] Fix typo in values.yaml comment --- charts/posit-chronicle/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 236c46032..5fd63ed05 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -128,7 +128,7 @@ config: # -- The port to use for the profiling server Port: 3030 Logging: - # -- Specified the output for log messages, can be one of "STDOUT", "STDERR", or a file path + # -- Specifies the output for log messages, can be one of "STDOUT", "STDERR", or a file path ServiceLog: "STDOUT" # -- The log level for the service, can be one of "TRACE", "DEBUG", "INFO", "WARN", or "ERROR" ServiceLogLevel: "INFO" From eb897fea910cc2cb3f0517c69b2cb033bca0be79 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 09:46:00 -0600 Subject: [PATCH 41/69] Remove config.LocalStorage.RetentionPeriod --- charts/posit-chronicle/NEWS.md | 1 + charts/posit-chronicle/templates/configmap.yaml | 1 - charts/posit-chronicle/tests/configmap_test.yaml | 4 ---- charts/posit-chronicle/values.yaml | 2 -- 4 files changed, 1 insertion(+), 7 deletions(-) 
diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index d557af88f..7738b76e9 100644 --- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md @@ -10,6 +10,7 @@ - Separated an image.registry value from the image.repository value. - Improve documentation of values.yaml and add a values.schema.json definition for input validation. - An S3 bucket must now be specified in S3 Storage backend is enabled. + - Remove deprecated value `config.LocalStorage.RetentionPeriod`. - Changes to chart behavior. - Resource names are now applied dynamically based on the release name. - Additional default recommended Kubernetes labels have been applied to all resources. diff --git a/charts/posit-chronicle/templates/configmap.yaml b/charts/posit-chronicle/templates/configmap.yaml index ed873e7db..1ef04c6fd 100644 --- a/charts/posit-chronicle/templates/configmap.yaml +++ b/charts/posit-chronicle/templates/configmap.yaml @@ -40,7 +40,6 @@ data: Enabled = {{ .Values.config.LocalStorage.Enabled }} {{- if .Values.config.LocalStorage.Enabled }} Location = {{ .Values.config.LocalStorage.Path }} - RetentionPeriod = {{ .Values.config.LocalStorage.RetentionPeriod }} {{- end }} [S3Storage] diff --git a/charts/posit-chronicle/tests/configmap_test.yaml b/charts/posit-chronicle/tests/configmap_test.yaml index 6861f8887..3cdf97413 100644 --- a/charts/posit-chronicle/tests/configmap_test.yaml +++ b/charts/posit-chronicle/tests/configmap_test.yaml @@ -112,13 +112,11 @@ tests: \[LocalStorage\] Enabled = true Location = \/opt\/chronicle-data - RetentionPeriod = 30d - it: should set values for a custom local storage configuration set: config: LocalStorage: Path: /custom/data/path - RetentionPeriod: 60d asserts: - matchRegex: path: data["posit-chronicle.gcfg"] @@ -126,7 +124,6 @@ tests: \[LocalStorage\] Enabled = true Location = \/custom\/data\/path - RetentionPeriod = 60d - it: should disable local storage when specified set: config: 
@@ -146,7 +143,6 @@ tests: path: data["posit-chronicle.gcfg"] pattern: | Location = \/opt\/chronicle-data - RetentionPeriod = 30d - it: should enable and configure S3 storage when specified set: config: diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 5fd63ed05..f99725136 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -140,8 +140,6 @@ config: Enabled: true # -- The path to the local storage location Path: "/opt/chronicle-data" - # -- The retention period for data before it is purged - RetentionPeriod: "30d" # -- Configuration for S3 data storage with Chronicle S3Storage: # -- If set to true, Chronicle will use S3 for data storage From 8a765ed0eb068a79db13e8dfd22a433ad9a6054b Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:35:43 -0600 Subject: [PATCH 42/69] Remove audit logs mounting in example --- charts/posit-chronicle/README.md.gotmpl | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index 4240ae509..60c445e34 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl 
@@ -16,25 +16,12 @@ will need to run the Chronicle agent as a sidecar container on your Workbench or Connect server pods by adding a native sidecar Chronicle agent definition to the `initContainers` value in their respective `values.yaml` files. -Here is an example of Helm values to run the agent sidecar in **Workbench**, -where we set up a shared volume between containers for audit logs: +Here is an example of Helm values to run the agent sidecar in **Workbench**: ```yaml -pod: - # We will need to create a new volume to share audit logs between - # the rstudio (workbench) and chronicle-agent containers - volumes: - - name: logs - emptyDir: {} - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" initContainers: - name: chronicle-agent image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" env: - name: CHRONICLE_SERVER_ADDRESS value: "http://." From a39a0abb7e34a438dcb97133a2d31c8986954612 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:36:07 -0600 Subject: [PATCH 43/69] Add `restartPolicy: Always` to initContainers sidecar examples --- charts/posit-chronicle/README.md.gotmpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index 60c445e34..0f957f8d8 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl @@ -21,6 +21,7 @@ Here is an example of Helm values to run the agent sidecar in **Workbench**: ```yaml initContainers: - name: chronicle-agent + restartPolicy: Always image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} env: - name: CHRONICLE_SERVER_ADDRESS 
@@ -33,6 +34,7 @@ API key from a Kubernetes Secret is used to unlock more detailed metrics: ```yaml initContainers: - name: chronicle-agent + restartPolicy: Always image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} env: - name: CHRONICLE_SERVER_ADDRESS From dd5350d6ef1427ba174151c06b94ca92f5ec0736 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 20 May 2025 16:37:08 +0000 Subject: [PATCH 44/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index bd86686d3..d6be13979 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md @@ -46,19 +46,10 @@ will need to run the Chronicle agent as a sidecar container on your Workbench or Connect server pods by adding a native sidecar Chronicle agent definition to the `initContainers` value in their respective `values.yaml` files. -Here is an example of Helm values to run the agent sidecar in **Workbench**, -where we set up a shared volume between containers for audit logs: +Here is an example of Helm values to run the agent sidecar in **Workbench**: ```yaml -pod: - # We will need to create a new volume to share audit logs between - # the rstudio (workbench) and chronicle-agent containers - volumes: - - name: logs - emptyDir: {} - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" initContainers: - name: chronicle-agent + restartPolicy: Always image: ghcr.io/rstudio/chronicle-agent: \ No newline at end of file From 1fa82757ab4ab33e8da470d140b94bc0cf944bcc Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:48:49 -0600 Subject: [PATCH 45/69] Fix bad env var key name --- charts/posit-chronicle/README.md.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index 0f957f8d8..2129af4bb 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl @@ -39,7 +39,7 @@ initContainers: env: - name: CHRONICLE_SERVER_ADDRESS value: "http://." - - name: CONNECT_API_KEY + - name: CHRONICLE_CONNECT_APIKEY valueFrom: secretKeyRef: name: connect From c1c8b6d0b499d39539698ebb6d2f1f36ce435404 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:09:33 -0600 Subject: [PATCH 46/69] Remove RetentionPeriod from schema --- charts/posit-chronicle/values.schema.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index 303bb5c6c..5bd69d9ad 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json @@ -354,11 +354,6 @@ "description": "Path to the local storage directory", "type": "string", "default": "/opt/chronicle-data" - }, - "retentionPeriod": { - "description": "Retention period for local storage", - "type": "string", - "default": "30d" } } }, From 3317ef00dc36ce221d02a27ce8122dbddcfb50b4 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:09:41 -0600 Subject: [PATCH 47/69] Remove RetentionPeriod from README --- charts/posit-chronicle/README.md.gotmpl | 7 ------- 1 file changed, 7 deletions(-) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index 2129af4bb..300a88827 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl @@ -94,7 +94,6 @@ config: LocalStorage: Enabled: true Location: "/chronicle-data" - RetentionPeriod: "30d" ``` The `persistence` section configures the persistent volume claim in the 
@@ -106,12 +105,6 @@ By default, Chronicle requests 10Gi of storage. In most cases, this amount of storage should be sufficient for thirty days of monitoring data. Organizations are responsible for managing the size of the persistent volume. -`retentionPeriod` controls how long usage data is retained. For example, `"120m"` -for 120 minutes, `"36h"` for 36 hours, `14d` for two weeks, or `"0"` for unbounded -retention. Units smaller than seconds or larger than days are not currently -supported. `retentionPeriod` does not apply to other types of data stored by -Chronicle. - You can also persist data to AWS S3 in place of or in tandem with local storage: ```yaml From 86991a6521330b6c98760c6dd2a7a5649cdaf4dd Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:21:50 -0600 Subject: [PATCH 48/69] Fix bad app version reference in README template --- charts/posit-chronicle/README.md.gotmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index 300a88827..190684436 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl @@ -22,7 +22,7 @@ Here is an example of Helm values to run the agent sidecar in **Workbench**: initContainers: - name: chronicle-agent restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} + image: ghcr.io/rstudio/chronicle-agent:{{ template "chart.appVersion" . }} env: - name: CHRONICLE_SERVER_ADDRESS value: "http://." @@ -35,7 +35,7 @@ API key from a Kubernetes Secret is used to unlock more detailed metrics: initContainers: - name: chronicle-agent restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent:{{ .Chart.AppVersion }} + image: ghcr.io/rstudio/chronicle-agent:{{ template "chart.appVersion" . }} env: - name: CHRONICLE_SERVER_ADDRESS value: "http://." From 872f20a5f1723fdf0faa74f0d07fe5043570609a Mon Sep 17 00:00:00 2001 
From: GitHub Actions Date: Tue, 20 May 2025 17:23:04 +0000 Subject: [PATCH 49/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 200 ++++++++++++++++++++++++++++++- 1 file changed, 199 insertions(+), 1 deletion(-) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index d6be13979..bc080583a 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md 
@@ -52,4 +52,202 @@ Here is an example of Helm values to run the agent sidecar in **Workbench**: initContainers: - name: chronicle-agent restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent: \ No newline at end of file + image: ghcr.io/rstudio/chronicle-agent:2025.03.0 + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://." +``` + +And here is an example of Helm values for Connect, where a **Connect** +API key from a Kubernetes Secret is used to unlock more detailed metrics: + +```yaml +initContainers: +- name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent:2025.03.0 + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://." + - name: CHRONICLE_CONNECT_APIKEY + valueFrom: + secretKeyRef: + name: connect + key: apikey +``` + +It is up to the user to provision this Kubernetes Secret for the +Connect API key. The `extraObjects` value in the Connect chart can be used to +create the secret and mount it to the Chronicle agent container. Due to the +nature of the Chronicle agent, the pod may need to be restarted to pick up +changes to the secret after initial deployment. + +## HTTPS Configuration + +Chronicle can be configured to use HTTPS for secure communication. The +`config.HTTPS` section of the configuration allows you to specify the certificate +and key files to use for HTTPS. Both `config.HTTPS.Certificate` and +`config.HTTPS.Key` are expected to be paths to files accessible by Chronicle. +The `extraSecretMounts` value can be used to mount the certificate and key files +into the Chronicle pod. 
Here is an example of how to do this, assuming that +the certificate and key files are stored together in a Kubernetes TLS secret: + +```yaml +extraSecretMounts: + - name: chronicle-https + mountPath: /etc/chronicle/ssl + secretName: chronicle-https + items: + - key: tls.crt + - key: tls.key +config: + HTTPS: + Enabled: true + Certificate: "/etc/chronicle/ssl/tls.crt" + Key: "/etc/chronicle/ssl/tls.key" +``` + +## Storage Configuration + +Chronicle can be configured to persist data to local storage, AWS S3, or both. + +The default configuration uses a local volume with persistence enabled, which +is suitable if you'd like to access and analyze the data within your cluster: + +```yaml +persistence: + enabled: true + accessModes: + - ReadWriteOnce + size: 10Gi +config: + LocalStorage: + Enabled: true + Location: "/chronicle-data" +``` + +The `persistence` section configures the persistent volume claim in the +cluster while the `config.LocalStorage` section directly applies to Chronicle's +configuration file. The persistent volume will always mount to the path specified +by `config.LocalStorage.Path` to avoid potential misconfiguration and data loss. + +By default, Chronicle requests 10Gi of storage. In most cases, this amount of +storage should be sufficient for thirty days of monitoring data. Organizations +are responsible for managing the size of the persistent volume. + +You can also persist data to AWS S3 in place of or in tandem with local storage: + +```yaml +config: + S3Storage: + Enabled: true + Bucket: "posit-chronicle" + Region: "us-east-2" +``` + +### Using IAM roles for S3 access + +If you are running on EKS, you can use [IAM Roles for Service +Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) +to manage the credentials needed to access S3. 
In this scenario, once you have [created an IAM +role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), +you can use this role as an annotation on the existing Service Account: + +```yaml +serviceaccount: + create: true + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here +``` + +If you are unable to use IAM Roles for Service Accounts, there are any number of +alternatives for injecting AWS credentials into a container. As a fallback, +the S3 storage config allows specifying a profile: + +```yaml +config: + S3Storage: + Enabled: true + Bucket: "posit-chronicle" + Profile: "my-aws-account" + Region: "us-east-2" +``` + +### Needed S3 Policy Permissions + +The credentials Chronicle uses for S3 storage must have the following permissions enabled: + +- `s3:GetObject` +- `s3:ListBucket` +- `s3:PutObject` +- `s3:DeleteObject` + +## Additional Configuration + +Chronicle has a multitude of configuration options not specifically mentioned in this +README. For a complete list of configuration options, please refer to the +[Chronicle documentation](https://docs.posit.co/chronicle/). 
+ +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | Common annotations to add to all resources | +| commonLabels | object | `{}` | Common labels to add to all resources | +| config.HTTPS.Certificate | string | `""` | Path to a PEM encoded TLS certificate file | +| config.HTTPS.Enabled | bool | `false` | If set to true, Chronicle will use HTTPS instead of HTTP | +| config.HTTPS.Key | string | `""` | Path to a PEM encoded private key file corresponding to the specified certificate | +| config.LocalStorage | object | `{"Enabled":true,"Path":"/opt/chronicle-data"}` | Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section | +| config.LocalStorage.Enabled | bool | `true` | If set to true, Chronicle will use a local path for data storage. This should be used in conjunction with persistence. | +| config.LocalStorage.Path | string | `"/opt/chronicle-data"` | The path to the local storage location | +| config.Logging.ServiceLog | string | `"STDOUT"` | Specifies the output for log messages, can be one of "STDOUT", "STDERR", or a file path | +| config.Logging.ServiceLogFormat | string | `"TEXT"` | The log format for the service, can be one of "TEXT" or "JSON" | +| config.Logging.ServiceLogLevel | string | `"INFO"` | The log level for the service, can be one of "TRACE", "DEBUG", "INFO", "WARN", or "ERROR" | +| config.Metrics.Enabled | bool | `false` | If set to true, Chronicle will expose a metrics endpoint for Prometheus | +| config.Profiling.Enabled | bool | `false` | If set to true, Chronicle will expose a pprof profiling server | +| config.Profiling.Port | int | `3030` | The port to use for the profiling server | +| config.S3Storage | object | `{"Bucket":"","Enabled":false,"Prefix":"","Profile":"","Region":""}` | Configuration for S3 data storage with Chronicle | +| config.S3Storage.Bucket | string | `""` | The S3 bucket to use 
for storage | +| config.S3Storage.Enabled | bool | `false` | If set to true, Chronicle will use S3 for data storage | +| config.S3Storage.Prefix | Optional | `""` | the prefix to use when writing to the S3 bucket, defaults to the bucket root | +| config.S3Storage.Profile | Optional | `""` | the profile to use when writing to the S3 bucket, defaults is to use the `AWS_PROFILE` env var | +| config.S3Storage.Region | Optional | `""` | the region to use when writing to the S3 bucket, defaults is to use the `AWS_REGION` env var | +| extraObjects | list | `[]` | Additional manifests to deploy with the chart | +| extraSecretMounts | list | `[]` | | +| fullnameOverride | string | `""` | Override for the full name of the release | +| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| image.registry | string | `"ghcr.io"` | The image registry | +| image.repository | string | `"rstudio/chronicle"` | The image repository | +| image.sha | Optional | `""` | The image digest | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| nameOverride | string | `""` | Override for the name of the chart deployment | +| namespaceOverride | string | `""` | Override for the namespace of the chart deployment | +| persistence.accessModes | list | `["ReadWriteOnce"]` | Persistent Volume Access Modes | +| persistence.annotations | object | `{}` | Additional annotations to add to the PVC | +| persistence.enabled | bool | `true` | Enable persistence using Persistent Volume Claims | +| persistence.finalizers | list | `["kubernetes.io/pvc-protection"]` | Finalizers added verbatim to the PVC | +| persistence.labels | object | `{}` | Additional labels to add to the PVC | +| persistence.selectorLabels | object | `{}` | Selector to match an existing Persistent Volume for the data PVC | +| persistence.size | string | `"10Gi"` | Size of the data volume | +| persistence.storageClassName | string | `""` | Persistent Volume Storage Class 
(Leave empty if using the default storage class) | +| pod.affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | +| pod.annotations | object | `{}` | Additional annotations to add to the chronicle-server pods | +| pod.args | list | `[]` | | +| pod.command | list | `[]` | The command and args to run in the chronicle-server container, defaults to the image entrypoint and args | +| pod.env | list | `[]` | Optional environment variables | +| pod.labels | object | `{}` | Additional labels to add to the chronicle-server pods | +| pod.nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition | +| pod.terminationGracePeriodSeconds | int | `30` | The termination grace period seconds allowed for the pod before shutdown | +| pod.tolerations | list | `[]` | An array used verbatim as the pod's "tolerations" definition | +| replicas | int | `1` | The number of replica pods to maintain for this service | +| service.annotations | object | `{}` | Additional annotations to add to the chronicle-server service | +| service.labels | object | `{}` | Additional labels to add to the chronicle-server service | +| service.port | int | `80` | The port to use for the REST service | +| serviceAccount.annotations | object | `{}` | Additional annotations to add to the chronicle-server serviceaccount | +| serviceAccount.create | bool | `false` | | +| serviceAccount.labels | object | `{}` | Additional labels to add to the chronicle-server serviceaccount | +| serviceAccount.name | string | `""` | The name of the service account to use | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + From 61dd5ce538e34a90b1df9d90d33b9d192b79babd Mon Sep 17 00:00:00 2001 
From: Ian Pittwood Date: Wed, 21 May 2025 11:23:52 -0600 Subject: [PATCH 50/69] Add securityContext support with defaults and overrides for expected usage --- .../templates/stateful-set.yaml | 8 ++++ .../tests/statefulset_test.yaml | 38 +++++++++++++++++++ charts/posit-chronicle/values.yaml | 10 +++++ 3 files changed, 56 insertions(+) diff --git a/charts/posit-chronicle/templates/stateful-set.yaml b/charts/posit-chronicle/templates/stateful-set.yaml index 34499bb92..3fcf1243c 100644 --- a/charts/posit-chronicle/templates/stateful-set.yaml +++ b/charts/posit-chronicle/templates/stateful-set.yaml @@ -58,6 +58,10 @@ spec: args: {{- tpl (toYaml .) $root | nindent 8 }} {{- end }} + {{- with .Values.image.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} ports: {{- if .Values.config.HTTPS.Enabled }} - containerPort: 443 @@ -83,6 +87,10 @@ spec: env: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.pod.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} volumes: - name: config diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml index cbcd0659b..914b6b6f0 100644 --- a/charts/posit-chronicle/tests/statefulset_test.yaml +++ b/charts/posit-chronicle/tests/statefulset_test.yaml @@ -173,6 +173,9 @@ tests: name: posit-chronicle image: "ghcr.io/rstudio/chronicle:9999.9.9" imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true ports: - containerPort: 5252 name: http 
@@ -223,6 +226,20 @@ tests: - equal: path: spec.template.spec.containers[0].args value: ["-c", "echo \"Hello world\""] + - it: should set additional container-level securityContext options if specified + set: + image: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + asserts: + - isSubset: + path: spec.template.spec.containers[0].securityContext + content: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 - it: should open https port on container if enabled set: config: @@ -234,6 +251,27 @@ tests: value: - containerPort: 443 name: https + - it: should set a pod-level securityContext by default that sets permissions for volumes + asserts: + - isSubset: + path: spec.template.spec.securityContext + content: + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + - it: should set additional pod-level securityContext options if specified + set: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + asserts: + - isSubset: + path: spec.template.spec.securityContext + content: + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + runAsUser: 1001 + runAsGroup: 1001 - it: should not mount a data volume if persistence is disabled set: persistence: diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index f99725136..7408ee10d 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -23,6 +23,11 @@ image: sha: "" # -- The image pull policy pullPolicy: "IfNotPresent" + # -- The verbatim securityContext for the Chronicle server container in the pod + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true serviceAccount: create: false 
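Review bot: The new `image.securityContext` default in values.yaml sets only `allowPrivilegeEscalation: false` and `runAsNonRoot: true`, leaving Linux capabilities and the seccomp profile at runtime defaults, so the container still falls short of the Kubernetes "restricted" Pod Security Standard. I would extend the default block with `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`. Before dropping capabilities, confirm the HTTPS path still works, since the stateful-set template exposes container port 443 and the process now runs as non-root. `runAsNonRoot: true` without a `runAsUser` also depends on the image declaring a numeric non-root user, which is not visible in this patch. The pod-level `fsGroup: 1000` in the following values.yaml hunk suggests UID 1000, so either set `runAsUser: 1000` here or document that the image guarantees it.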
@@ -65,6 +70,11 @@ pod: tolerations: [] # -- The termination grace period seconds allowed for the pod before shutdown terminationGracePeriodSeconds: 30 + # -- The verbatim pod-level securityContext + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#podsecuritycontext-v1-core + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" # If config.LocalStorage.Enabled is set to true, # the chart will provision a pvc of size storage.persistentVolumeSize for From 59e00a79a94bc406f953016c9636174838b2e7d6 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 21 May 2025 17:24:52 +0000 Subject: [PATCH 51/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index bc080583a..b861c4c33 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md @@ -218,6 +218,7 @@ README. For a complete list of configuration options, please refer to the | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The image registry | | image.repository | string | `"rstudio/chronicle"` | The image repository | +| image.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true}` | The verbatim securityContext for the Chronicle server container in the pod ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core | | image.sha | Optional | `""` | The image digest | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | nameOverride | string | `""` | Override for the name of the chart deployment | 
@@ -237,6 +238,7 @@ README. For a complete list of configuration options, please refer to the | pod.env | list | `[]` | Optional environment variables | | pod.labels | object | `{}` | Additional labels to add to the chronicle-server pods | | pod.nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition | +| pod.securityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":"OnRootMismatch"}` | The verbatim pod-level securityContext ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#podsecuritycontext-v1-core | | pod.terminationGracePeriodSeconds | int | `30` | The termination grace period seconds allowed for the pod before shutdown | | pod.tolerations | list | `[]` | An array used verbatim as the pod's "tolerations" definition | | replicas | int | `1` | The number of replica pods to maintain for this service | From f249d57d32023885e445e9b620f84620e28003b6 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 21 May 2025 11:32:29 -0600 Subject: [PATCH 52/69] Update schema with securityContext --- charts/posit-chronicle/values.schema.json | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/charts/posit-chronicle/values.schema.json b/charts/posit-chronicle/values.schema.json index 5bd69d9ad..bc7813047 100644 --- a/charts/posit-chronicle/values.schema.json +++ b/charts/posit-chronicle/values.schema.json @@ -60,6 +60,10 @@ "pullPolicy": { "description": "Container image pull policy", "type": "string" + }, + "securityContext": { + "description": "Security context to apply at the container-level", + "type": "object" } }, "required": [ 
@@ -185,10 +189,14 @@ } }, "terminationGracePeriodSeconds": { - "description": "Termination grace period for the pod", - "type": "integer", - "default": 30, - "minimum": 0 + "description": "Termination grace period for the pod", + "type": "integer", + "default": 30, + "minimum": 0 + }, + "securityContext": { + "description": "Security context to apply at the pod-level", + "type": "object" } } }, From 77c5cca5b7f0f2744b067c8010626d1b9c973a14 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Thu, 22 May 2025 13:22:07 -0600 Subject: [PATCH 53/69] Add NOTES.txt with various warnings and doc link --- charts/posit-chronicle/templates/NOTES.txt | 20 +++++++++++++++++++ .../posit-chronicle/tests/metadata_test.yaml | 1 + 2 files changed, 21 insertions(+) create mode 100644 charts/posit-chronicle/templates/NOTES.txt diff --git a/charts/posit-chronicle/templates/NOTES.txt b/charts/posit-chronicle/templates/NOTES.txt new file mode 100644 index 000000000..eeee700ed --- /dev/null +++ b/charts/posit-chronicle/templates/NOTES.txt 
@@ -0,0 +1,20 @@ +{{ include "posit-chronicle.fullname" . }} successfully deployed to namespace {{ .Release.Namespace }} + +Please visit https://docs.posit.co/chronicle/getting-started/installation/on-kubernetes.html#agent-sidecar for +additional information on deploying Chronicle agents to monitor Posit products in your cluster. +{{ if and (not .Values.config.LocalStorage.Enabled) .Values.persistence.enabled }} +WARNING: Persistence is enabled, but Chronicle local storage is not configured. This may lead to data loss if the pod +is restarted or rescheduled. +{{- end }} +{{ if and .Values.config.LocalStorage.Enabled (not .Values.persistence.enabled) }} +WARNING: Local storage is enabled, but persistence is not enabled. This may lead to data loss if the pod is restarted or +rescheduled. +{{- end }} +{{ if and (not .Values.config.LocalStorage.Enabled) (not .Values.config.S3Storage.Enabled) }} +WARNING: No storage backend is configured. Chronicle will not be able to store any data in a persistent or accessible +location. Consider redeploying with `.Values.config.LocalStorage` or `.Values.config.S3Storage` set to true. +{{- end }} +{{ if and .Values.config.LocalStorage.Enabled and .Values.config.S3Storage.Enabled }} +WARNING: Both local and S3 storage are currently enabled. Data will be saved both locally and in S3 which could +result in inflated costs. It is recommended to only enable one storage backend. +{{- end }} diff --git a/charts/posit-chronicle/tests/metadata_test.yaml b/charts/posit-chronicle/tests/metadata_test.yaml index 8b5bc267f..bdb5639b1 100644 --- a/charts/posit-chronicle/tests/metadata_test.yaml +++ b/charts/posit-chronicle/tests/metadata_test.yaml @@ -1,6 +1,7 @@ suite: Generic metadata tests excludeTemplates: - extra-manifests.yaml + - NOTES.txt set: serviceAccount: create: true From 2f1ded917e08b775018986d0172350c810c21d66 Mon Sep 17 00:00:00 2001 
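Review bot: The third warning in the new NOTES.txt tells the user to redeploy with `.Values.config.LocalStorage` or `.Values.config.S3Storage` "set to true", but the `if` lines test the `.Enabled` field of each map. Naming the keys as a user sets them, `config.LocalStorage.Enabled` / `config.S3Storage.Enabled`, keeps someone from replacing a whole map with a boolean. The metadata_test.yaml hunk in the same commit excludes NOTES.txt from the generic suite, and no other test in this patch renders it. A small suite that renders NOTES.txt for each storage and persistence combination would keep the four conditions honest.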
From: "Benjamin R. J. Schwedler" Date: Fri, 23 May 2025 11:59:17 -0500 Subject: [PATCH 54/69] Fix and logic in chronicle NOTES.txt --- charts/posit-chronicle/templates/NOTES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/templates/NOTES.txt b/charts/posit-chronicle/templates/NOTES.txt index eeee700ed..53ec92a8e 100644 --- a/charts/posit-chronicle/templates/NOTES.txt +++ b/charts/posit-chronicle/templates/NOTES.txt @@ -14,7 +14,7 @@ rescheduled. WARNING: No storage backend is configured. Chronicle will not be able to store any data in a persistent or accessible location. Consider redeploying with `.Values.config.LocalStorage` or `.Values.config.S3Storage` set to true. {{- end }} -{{ if and .Values.config.LocalStorage.Enabled and .Values.config.S3Storage.Enabled }} +{{ if and .Values.config.LocalStorage.Enabled .Values.config.S3Storage.Enabled }} WARNING: Both local and S3 storage are currently enabled. Data will be saved both locally and in S3 which could result in inflated costs. It is recommended to only enable one storage backend. {{- end }} From 92f706446509880ae0b23ac983898c9769abb1eb Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Fri, 23 May 2025 12:40:17 -0500 Subject: [PATCH 55/69] Add checksum/config to perform RollingUpdate --- charts/posit-chronicle/templates/stateful-set.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/charts/posit-chronicle/templates/stateful-set.yaml b/charts/posit-chronicle/templates/stateful-set.yaml index 3fcf1243c..1274ee5e1 100644 --- a/charts/posit-chronicle/templates/stateful-set.yaml +++ b/charts/posit-chronicle/templates/stateful-set.yaml 
@@ -7,10 +7,10 @@ metadata: namespace: {{ include "posit-chronicle.namespace" . }} labels: {{- include "posit-chronicle.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} annotations: + {{- with .Values.commonAnnotations }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} spec: replicas: {{ .Values.replicas }} serviceName: {{ include "posit-chronicle.fullname" . }} @@ -24,10 +24,9 @@ spec: {{- with .Values.pod.labels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if (include "posit-chronicle.pod.annotations" .) }} annotations: - {{- include "posit-chronicle.pod.annotations" . | nindent 8 }} - {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8) }} spec: {{- with .Values.pod.affinity }} affinity: From 25842b1400aaf84954f8c1efdc411162dd50b5e9 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 23 May 2025 12:29:56 -0600 Subject: [PATCH 56/69] Add link to Helm documentation --- charts/posit-chronicle/Chart.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index bcec52b77..489f5f0e0 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml @@ -21,6 +21,8 @@ annotations: artifacthub.io/links: | - name: Chronicle Documentation url: https://docs.posit.co/chronicle + - name: Posit Helm Documentation + url: https://docs.posit.co/helm - name: Docker Images url: https://github.com/rstudio/rstudio-docker-products - name: Posit Community From eab5204a3b63ff13c59151b88d8b1c7d77d0a243 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 23 May 2025 12:30:10 -0600 Subject: [PATCH 57/69] Update NEWS.md with note on security context changes --- charts/posit-chronicle/NEWS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/posit-chronicle/NEWS.md b/charts/posit-chronicle/NEWS.md index 7738b76e9..d3ab72ca0 100644 
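Review bot: The pod-annotations line added in the second stateful-set.yaml hunk has an unmatched closing parenthesis, `{{- include "posit-chronicle.pod.annotations" . | trim | nindent 8) }}`, which should make the template fail to parse and stop the chart from rendering. It should read `{{- include "posit-chronicle.pod.annotations" . | trim | nindent 8 }}`. In the first hunk `annotations:` is now emitted even when `commonAnnotations` is empty, so the metadata key renders with a null value; a unit test for that case would confirm the output is what is intended. The `checksum/config` annotation hashes only the rendered configmap.yaml, so presumably a change to a mounted Secret such as the TLS key pair will still not trigger a rollout. That limitation is worth a comment next to the annotation.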
--- a/charts/posit-chronicle/NEWS.md +++ b/charts/posit-chronicle/NEWS.md @@ -19,6 +19,7 @@ - Storage class can now be overridden on the pod's volume claim template. - Selector labels definitions between pod and service are now merged into a single definition. Removed the ability to override these values. - Add support for additional custom manifest input via `extraObjects` value. + - `securityContext` is now specified for both the pod and container. The default values are set to prevent privilege escalation, running as root, and set the `fsGroup` to match Chronicle's service account. - Add unittests for chart templates. - Various Chart.yaml metadata changes. - Fix logo URL. From edc9318ede47a36f9c4082b805fe403c677465a4 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 23 May 2025 12:30:31 -0600 Subject: [PATCH 58/69] Improvements and fixes to README and value documentation --- charts/posit-chronicle/README.md.gotmpl | 81 ++++++++++++++------- charts/posit-chronicle/values.yaml | 95 ++++++++++++------------- 2 files changed, 100 insertions(+), 76 deletions(-) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index 190684436..d171e4e50 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl 
@@ -10,13 +10,12 @@ ## Usage -This chart deploys only the Chronicle server and is meant to be used in tandem -with the Workbench and Connect charts. To actually send data to the server, you -will need to run the Chronicle agent as a sidecar container on your -Workbench or Connect server pods by adding a native sidecar Chronicle agent -definition to the `initContainers` value in their respective `values.yaml` files. +This chart deploys the Chronicle server and is intended to be used in tandem +with the Workbench and Connect charts. For the server to receive data, +the Chronicle agent must be deployed as a sidecar container alongside +Workbench or Connect server pods. -Here is an example of Helm values to run the agent sidecar in **Workbench**: +Below is an example of the values used to run the agent sidecar in **Workbench**. ```yaml initContainers: @@ -28,8 +27,10 @@ initContainers: value: "http://." ``` -And here is an example of Helm values for Connect, where a **Connect** -API key from a Kubernetes Secret is used to unlock more detailed metrics: +The below example shows how to run the Chronicle agent sidecar in **Connect**. The +usage is similar to the Workbench example, but a Connect API key with Administrator +permissions must be configured in order to receive a full complement of metrics. +In the example, ```yaml initContainers: @@ -81,8 +82,11 @@ config: Chronicle can be configured to persist data to local storage, AWS S3, or both. -The default configuration uses a local volume with persistence enabled, which -is suitable if you'd like to access and analyze the data within your cluster: +### Local Storage + +The default configuration will save data to a persistent volume, which +is suitable if you'd like to access and analyze the data within your cluster. +The below values show the default configuration for storage: ```yaml persistence: 
@@ -93,7 +97,7 @@ persistence: config: LocalStorage: Enabled: true - Location: "/chronicle-data" + Location: "/opt/chronicle-data" ``` The `persistence` section configures the persistent volume claim in the 
@@ -102,10 +106,35 @@ configuration file. The persistent volume will always mount to the path specifie by `config.LocalStorage.Path` to avoid potential misconfiguration and data loss. By default, Chronicle requests 10Gi of storage. In most cases, this amount of -storage should be sufficient for thirty days of monitoring data. Organizations -are responsible for managing the size of the persistent volume. +storage should be sufficient for thirty days of monitoring data. +Users are responsible for managing the size of the persistent volume and +negotiating and controlling access to the data from other pods. While attaching +the volume to Workbench is a valid method of accessing the data, keep in mind +that some data captured by Chronicle may be considered sensitive and should be +handled with care. + +#### Alternate Storage Class + +Depending on the environment or cloud hosting Chronicle, many CSI drivers may +be available to use as the persistent volume's storage class. While Chronicle +only natively supports local storage or S3, CSI drivers may be used to provide +support for other storage backends such as Azure Blob Storage, Azure Files, Google +Cloud Storage, or other object storage solutions. The storage class for persistent +volumes can be set with the following value: + +```yaml +persistence: + storageClass: "alternate-storage-class" +``` + +Please report and performance or stability issues with alternate storage configurations +to the [issue tracker](https://github.com/rstudio/helm/issues/new?template=chronicle.md). -You can also persist data to AWS S3 in place of or in tandem with local storage: +### S3 Storage + +Chronicle can also be configured to store data in an S3 bucket. This can be +useful for controlling access to data or taking advantage of S3 features +such as lifecycle management. ```yaml config: 
@@ -115,13 +144,13 @@ config: Region: "us-east-2" ``` -### Using IAM roles for S3 access +#### Using IAM roles for S3 access -If you are running on EKS, you can use [IAM Roles for Service +If Chronicle is running on EKS, [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) -to manage the credentials needed to access S3. In this scenario, once you have [created an IAM -role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), -you can use this role as an annotation on the existing Service Account: +can be utilized to manage the credentials needed to access S3. Once [an IAM role has been +created](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), +the role can be attached as an annotation on Chronicle's Service Account: ```yaml serviceaccount: @@ -130,8 +159,7 @@ serviceaccount: eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here ``` -If you are unable to use IAM Roles for Service Accounts, there are any number of -alternatives for injecting AWS credentials into a container. As a fallback, +There are alternatives for injecting AWS credentials into a container. As a fallback, the S3 storage config allows specifying a profile: ```yaml @@ -143,7 +171,7 @@ config: Region: "us-east-2" ``` -### Needed S3 Policy Permissions +#### Needed S3 Policy Permissions The credentials Chronicle uses for S3 storage must have the following permissions enabled: 
@@ -154,9 +182,12 @@ The credentials Chronicle uses for S3 storage must have the following permission ## Additional Configuration -Chronicle has a multitude of configuration options not specifically mentioned in this -README. For a complete list of configuration options, please refer to the -[Chronicle documentation](https://docs.posit.co/chronicle/). +Chronicle has additional configuration options not specifically mentioned in this +README. For additional information on administrating or using Posit Chronicle, see +the [Chronicle documentation](https://docs.posit.co/chronicle/). + +For details on server configuration options, see the [advanced server configuration +reference page](https://docs.posit.co/chronicle/appendix/library/advanced-server.html). {{ template "chart.valuesSection" . }} diff --git a/charts/posit-chronicle/values.yaml b/charts/posit-chronicle/values.yaml index 7408ee10d..d3a1182c8 100644 --- a/charts/posit-chronicle/values.yaml +++ b/charts/posit-chronicle/values.yaml @@ -1,4 +1,4 @@ -# -- Override for the name of the chart deployment +# -- Override for the name of the release nameOverride: "" # -- Override for the full name of the release fullnameOverride: "" @@ -9,7 +9,7 @@ commonLabels: {} # -- Common annotations to add to all resources commonAnnotations: {} -# -- Additional manifests to deploy with the chart +# -- Additional manifests to deploy with the chart with template value rendering extraObjects: [] image: 
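Review bot: In the `@@ -9,7 +9,7 @@` hunk the reworded `extraObjects` comment, "Additional manifests to deploy with the chart with template value rendering", is hard to parse and undersells what the value does. If entries are passed through the template engine, as the wording suggests (the template itself is not in this diff), a values file can create arbitrary objects with the installer's permissions. I would write `# -- Additional manifests to deploy with the release; each entry is rendered as a template, so review values files from other sources like code`.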
@@ -17,78 +17,73 @@ image: registry: "ghcr.io" # -- The image repository repository: "rstudio/chronicle" - # -- Overrides the image tag whose default is the chart appVersion + # -- The image tag, defaults to the chart app version tag: "" - # -- (Optional) The image digest + # -- The image digest sha: "" # -- The image pull policy pullPolicy: "IfNotPresent" - # -- The verbatim securityContext for the Chronicle server container in the pod - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core + # -- The container-level security context + # ([reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core)) securityContext: allowPrivilegeEscalation: false runAsNonRoot: true serviceAccount: + # -- Creates a service account for Posit Chronicle if true create: false - # -- The name of the service account to use + # -- Override for the service account name, defaults to fullname name: "" - # -- Additional annotations to add to the chronicle-server serviceaccount + # -- Annotations to add to the service account annotations: { # EKS role arn example # eks.amazonaws.com/role-arn: my-aws-iam-role-arn } - # -- Additional labels to add to the chronicle-server serviceaccount + # -- Labels to add to the service account labels: {} service: - # -- The port to use for the REST service + # -- The port to use for the REST API service port: 80 - # -- Additional annotations to add to the chronicle-server service + # -- Annotations to add to the service annotations: {} - # -- Additional labels to add to the chronicle-server service + # -- Labels to add to the service labels: {} -# -- The number of replica pods to maintain for this service +# -- The number of replica pods to maintain replicas: 1 pod: - # -- The command and args to run in the chronicle-server container, defaults to the image entrypoint and args + # -- The command to run in the Chronicle server container, defaults to the image `ENTRYPOINT` 
value command: [] + # -- The arguments to pass to the command, defaults to the image `CMD` values args: [] - # -- Optional environment variables + # -- Additional environment variables to set on the Chronicle server container env: [] - # -- Additional annotations to add to the chronicle-server pods + # -- Additional annotations for pods annotations: {} - # -- Additional labels to add to the chronicle-server pods + # -- Additional labels for pods labels: {} - # -- A map used verbatim as the pod's "affinity" definition + # -- A map used verbatim as the pod "affinity" definition affinity: {} - # -- A map used verbatim as the pod's "nodeSelector" definition + # -- A map used verbatim as the pod "nodeSelector" definition nodeSelector: {} - # -- An array used verbatim as the pod's "tolerations" definition + # -- An array used verbatim as the pod "tolerations" definition tolerations: [] # -- The termination grace period seconds allowed for the pod before shutdown terminationGracePeriodSeconds: 30 - # -- The verbatim pod-level securityContext - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#podsecuritycontext-v1-core + # -- The pod-level security context + # ([reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#podsecuritycontext-v1-core)) securityContext: fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" -# If config.LocalStorage.Enabled is set to true, -# the chart will provision a pvc of size storage.persistentVolumeSize for -# the chronicle server stateful-set - -# Enable persistence using Persistent Volume Claims -# ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ -# +# Configuration for application Persistent Volume Claims persistence: # -- Enable persistence using Persistent Volume Claims enabled: true - # -- Persistent Volume Storage Class - # (Leave empty if using the default storage class) + # -- Persistent Volume Storage Class, defaults to the default Storage Class for the cluster 
storageClassName: "" # -- Size of the data volume size: 10Gi @@ -97,15 +92,15 @@ persistence: - ReadWriteOnce # -- Selector to match an existing Persistent Volume for the data PVC selectorLabels: {} - # -- Additional annotations to add to the PVC + # -- Additional annotations for the PVC annotations: {} - # -- Additional labels to add to the PVC + # -- Additional labels for the PVC labels: {} - # -- Finalizers added verbatim to the PVC + # -- Finalizers for the PVC finalizers: - kubernetes.io/pvc-protection -# Additional secrets to mount to the Chronicle server pod +# -- Additional secrets to mount to the Chronicle server pod extraSecretMounts: [] # this option can be used to mount secrets such as an SSL certificate and key into the pod # - name: "ssl" 
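Review bot: The container `securityContext` redocumented under `image:` in the `@@ -17,78 +17,73 @@` hunk still defaults to only `allowPrivilegeEscalation: false` and `runAsNonRoot: true`, so the container keeps the runtime's default capability set and leaves the seccomp profile to the cluster default. Adding `capabilities.drop` with `ALL` and `seccompProfile.type: RuntimeDefault` would bring the defaults in line with the Kubernetes "restricted" Pod Security Standard. Whether the Chronicle image starts with all capabilities dropped is not visible here, so this needs a test install, in particular with HTTPS enabled if the server binds a low port. Separately, the key documented in this hunk is `persistence.storageClassName`, while the README example added in the same commit sets `persistence.storageClass`, which would presumably be ignored. The `image:` mapping opens above this hunk.

```yaml
  securityContext:
    # … unchanged: allowPrivilegeEscalation, runAsNonRoot …
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
```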
@@ -116,24 +111,22 @@ extraSecretMounts: [] # - key: "tls.crt" # - key: "tls.key" -# Configurations for the underlying Chronicle server instance -# ref: https://docs.posit.co/chronicle/appendix/library/advanced-server.html -# +# Configurations for the underlying Chronicle server instance ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-server.html)) config: HTTPS: # If https.enabled=true, ignore any http # values and enable https in the config instead # -- If set to true, Chronicle will use HTTPS instead of HTTP Enabled: false - # -- Path to a PEM encoded TLS certificate file + # -- Path to a PEM encoded certificate file, required if `HTTPS.Enabled=true` Certificate: "" - # -- Path to a PEM encoded private key file corresponding to the specified certificate + # -- Path to a PEM encoded private key file corresponding to the specified certificate, required if `HTTPS.Enabled=true` Key: "" Metrics: - # -- If set to true, Chronicle will expose a metrics endpoint for Prometheus + # -- Exposes a metrics endpoint for Prometheus if true Enabled: false Profiling: - # -- If set to true, Chronicle will expose a pprof profiling server + # -- Exposes a pprof profiling server if true Enabled: false # -- The port to use for the profiling server Port: 3030 
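Review bot: The new comment on `config.Profiling.Enabled` says only that a pprof server is exposed; it should also say who is expected to reach it. pprof endpoints typically serve heap and goroutine dumps without authentication (to be confirmed for Chronicle), and this diff does not show whether port 3030 is published through the chart's Service. I would extend the comment to `# -- Exposes a pprof profiling server if true; diagnostic output, keep the port reachable only from inside the cluster`. The untouched lead-in `# If https.enabled=true, ignore any http` also still uses the lowercase key, unlike the `HTTPS.Enabled=true` wording added just below it. The `config:` mapping continues past this hunk.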
@@ -144,21 +137,21 @@ config: ServiceLogLevel: "INFO" # -- The log format for the service, can be one of "TEXT" or "JSON" ServiceLogFormat: "TEXT" - # -- Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section + # Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section LocalStorage: - # -- If set to true, Chronicle will use a local path for data storage. This should be used in conjunction with persistence. + # -- Use `config.LocalStorage.Path` for data storage if true, use in conjunction with `persistence.enabled=true` for persistent data storage Enabled: true - # -- The path to the local storage location + # -- The path to use for local storage Path: "/opt/chronicle-data" - # -- Configuration for S3 data storage with Chronicle + # Configuration for S3 data storage with Chronicle S3Storage: - # -- If set to true, Chronicle will use S3 for data storage + # -- Use S3 for data storage if true Enabled: false - # -- The S3 bucket to use for storage + # -- The S3 bucket to use for storage, required if `S3Storage.Enabled=true` Bucket: "" - # -- (Optional) the prefix to use when writing to the S3 bucket, defaults to the bucket root + # -- An optional prefix path to use when writing to the S3 bucket Prefix: "" - # -- (Optional) the profile to use when writing to the S3 bucket, defaults is to use the `AWS_PROFILE` env var + # -- An IAM Profile to use for accessing the S3 bucket, default is to read from the `AWS_PROFILE` env var Profile: "" - # -- (Optional) the region to use when writing to the S3 bucket, defaults is to use the `AWS_REGION` env var + # -- Region of the S3 bucket, default is to read from the `AWS_REGION` env var Region: "" From 4356d61a202ebd41bfa93f80d5aee39bf5616841 Mon Sep 17 00:00:00 2001 
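Review bot: The comment added on `config.LocalStorage.Enabled` names `config.LocalStorage.Path`, and the key below it is `Path`, but the README example touched in this same commit sets `Location: "/opt/chronicle-data"` under `config.LocalStorage`. If the chart reads only `Path` (the template is not shown here), a user who copies the README and changes `Location` would leave the volume mounted at the default path while expecting data elsewhere, so the README example should use `Path`. The reworded `Profile` comment also calls the value "An IAM Profile", while the default it describes, `AWS_PROFILE`, selects a named profile from the AWS shared config. `# -- Named AWS shared-config profile used to access the S3 bucket, defaults to the AWS_PROFILE env var` avoids confusion with IAM instance profiles.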
From: GitHub Actions Date: Fri, 23 May 2025 18:31:31 +0000 Subject: [PATCH 59/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 159 ++++++++++++++++++------------- 1 file changed, 94 insertions(+), 65 deletions(-) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index b861c4c33..1c3e4edf8 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md @@ -40,13 +40,12 @@ helm search repo rstudio/posit-chronicle -l ## Usage -This chart deploys only the Chronicle server and is meant to be used in tandem -with the Workbench and Connect charts. To actually send data to the server, you -will need to run the Chronicle agent as a sidecar container on your -Workbench or Connect server pods by adding a native sidecar Chronicle agent -definition to the `initContainers` value in their respective `values.yaml` files. +This chart deploys the Chronicle server and is intended to be used in tandem +with the Workbench and Connect charts. For the server to receive data, +the Chronicle agent must be deployed as a sidecar container alongside +Workbench or Connect server pods. -Here is an example of Helm values to run the agent sidecar in **Workbench**: +Below is an example of the values used to run the agent sidecar in **Workbench**. ```yaml initContainers: @@ -58,8 +57,10 @@ initContainers: value: "http://." ``` -And here is an example of Helm values for Connect, where a **Connect** -API key from a Kubernetes Secret is used to unlock more detailed metrics: +The below example shows how to run the Chronicle agent sidecar in **Connect**. The +usage is similar to the Workbench example, but a Connect API key with Administrator +permissions must be configured in order to receive a full complement of metrics. +In the example, ```yaml initContainers: 
@@ -111,8 +112,11 @@ config: Chronicle can be configured to persist data to local storage, AWS S3, or both. -The default configuration uses a local volume with persistence enabled, which -is suitable if you'd like to access and analyze the data within your cluster: +### Local Storage + +The default configuration will save data to a persistent volume, which +is suitable if you'd like to access and analyze the data within your cluster. +The below values show the default configuration for storage: ```yaml persistence: @@ -123,7 +127,7 @@ persistence: config: LocalStorage: Enabled: true - Location: "/chronicle-data" + Location: "/opt/chronicle-data" ``` The `persistence` section configures the persistent volume claim in the 
@@ -132,10 +136,35 @@ configuration file. The persistent volume will always mount to the path specifie by `config.LocalStorage.Path` to avoid potential misconfiguration and data loss. By default, Chronicle requests 10Gi of storage. In most cases, this amount of -storage should be sufficient for thirty days of monitoring data. Organizations -are responsible for managing the size of the persistent volume. +storage should be sufficient for thirty days of monitoring data. +Users are responsible for managing the size of the persistent volume and +negotiating and controlling access to the data from other pods. While attaching +the volume to Workbench is a valid method of accessing the data, keep in mind +that some data captured by Chronicle may be considered sensitive and should be +handled with care. + +#### Alternate Storage Class + +Depending on the environment or cloud hosting Chronicle, many CSI drivers may +be available to use as the persistent volume's storage class. While Chronicle +only natively supports local storage or S3, CSI drivers may be used to provide +support for other storage backends such as Azure Blob Storage, Azure Files, Google +Cloud Storage, or other object storage solutions. The storage class for persistent +volumes can be set with the following value: + +```yaml +persistence: + storageClass: "alternate-storage-class" +``` + +Please report and performance or stability issues with alternate storage configurations +to the [issue tracker](https://github.com/rstudio/helm/issues/new?template=chronicle.md). -You can also persist data to AWS S3 in place of or in tandem with local storage: +### S3 Storage + +Chronicle can also be configured to store data in an S3 bucket. This can be +useful for controlling access to data or taking advantage of S3 features +such as lifecycle management. ```yaml config: 
@@ -145,13 +174,13 @@ config: Region: "us-east-2" ``` -### Using IAM roles for S3 access +#### Using IAM roles for S3 access -If you are running on EKS, you can use [IAM Roles for Service +If Chronicle is running on EKS, [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) -to manage the credentials needed to access S3. In this scenario, once you have [created an IAM -role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), -you can use this role as an annotation on the existing Service Account: +can be utilized to manage the credentials needed to access S3. Once [an IAM role has been +created](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), +the role can be attached as an annotation on Chronicle's Service Account: ```yaml serviceaccount: @@ -160,8 +189,7 @@ serviceaccount: eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here ``` -If you are unable to use IAM Roles for Service Accounts, there are any number of -alternatives for injecting AWS credentials into a container. As a fallback, +There are alternatives for injecting AWS credentials into a container. As a fallback, the S3 storage config allows specifying a profile: ```yaml @@ -173,7 +201,7 @@ config: Region: "us-east-2" ``` -### Needed S3 Policy Permissions +#### Needed S3 Policy Permissions The credentials Chronicle uses for S3 storage must have the following permissions enabled: 
@@ -184,9 +212,12 @@ The credentials Chronicle uses for S3 storage must have the following permission ## Additional Configuration -Chronicle has a multitude of configuration options not specifically mentioned in this -README. For a complete list of configuration options, please refer to the -[Chronicle documentation](https://docs.posit.co/chronicle/). +Chronicle has additional configuration options not specifically mentioned in this +README. For additional information on administrating or using Posit Chronicle, see +the [Chronicle documentation](https://docs.posit.co/chronicle/). + +For details on server configuration options, see the [advanced server configuration +reference page](https://docs.posit.co/chronicle/appendix/library/advanced-server.html). ## Values 
@@ -194,61 +225,59 @@ README. For a complete list of configuration options, please refer to the |-----|------|---------|-------------| | commonAnnotations | object | `{}` | Common annotations to add to all resources | | commonLabels | object | `{}` | Common labels to add to all resources | -| config.HTTPS.Certificate | string | `""` | Path to a PEM encoded TLS certificate file | +| config.HTTPS.Certificate | string | `""` | Path to a PEM encoded certificate file, required if `HTTPS.Enabled=true` | | config.HTTPS.Enabled | bool | `false` | If set to true, Chronicle will use HTTPS instead of HTTP | -| config.HTTPS.Key | string | `""` | Path to a PEM encoded private key file corresponding to the specified certificate | -| config.LocalStorage | object | `{"Enabled":true,"Path":"/opt/chronicle-data"}` | Configuration for local data storage with Chronicle, for configuring persistence of this data see the persistence section | -| config.LocalStorage.Enabled | bool | `true` | If set to true, Chronicle will use a local path for data storage. This should be used in conjunction with persistence. 
| -| config.LocalStorage.Path | string | `"/opt/chronicle-data"` | The path to the local storage location | +| config.HTTPS.Key | string | `""` | Path to a PEM encoded private key file corresponding to the specified certificate, required if `HTTPS.Enabled=true` | +| config.LocalStorage.Enabled | bool | `true` | Use `config.LocalStorage.Path` for data storage if true, use in conjunction with `persistence.enabled=true` for persistent data storage | +| config.LocalStorage.Path | string | `"/opt/chronicle-data"` | The path to use for local storage | | config.Logging.ServiceLog | string | `"STDOUT"` | Specifies the output for log messages, can be one of "STDOUT", "STDERR", or a file path | | config.Logging.ServiceLogFormat | string | `"TEXT"` | The log format for the service, can be one of "TEXT" or "JSON" | | config.Logging.ServiceLogLevel | string | `"INFO"` | The log level for the service, can be one of "TRACE", "DEBUG", "INFO", "WARN", or "ERROR" | -| config.Metrics.Enabled | bool | `false` | If set to true, Chronicle will expose a metrics endpoint for Prometheus | -| config.Profiling.Enabled | bool | `false` | If set to true, Chronicle will expose a pprof profiling server | +| config.Metrics.Enabled | bool | `false` | Exposes a metrics endpoint for Prometheus if true | +| config.Profiling.Enabled | bool | `false` | Exposes a pprof profiling server if true | | config.Profiling.Port | int | `3030` | The port to use for the profiling server | -| config.S3Storage | object | `{"Bucket":"","Enabled":false,"Prefix":"","Profile":"","Region":""}` | Configuration for S3 data storage with Chronicle | -| config.S3Storage.Bucket | string | `""` | The S3 bucket to use for storage | -| config.S3Storage.Enabled | bool | `false` | If set to true, Chronicle will use S3 for data storage | -| config.S3Storage.Prefix | Optional | `""` | the prefix to use when writing to the S3 bucket, defaults to the bucket root | -| config.S3Storage.Profile | Optional | `""` | the profile to use when 
writing to the S3 bucket, defaults is to use the `AWS_PROFILE` env var | -| config.S3Storage.Region | Optional | `""` | the region to use when writing to the S3 bucket, defaults is to use the `AWS_REGION` env var | -| extraObjects | list | `[]` | Additional manifests to deploy with the chart | -| extraSecretMounts | list | `[]` | | +| config.S3Storage.Bucket | string | `""` | The S3 bucket to use for storage, required if `S3Storage.Enabled=true` | +| config.S3Storage.Enabled | bool | `false` | Use S3 for data storage if true | +| config.S3Storage.Prefix | string | `""` | An optional prefix path to use when writing to the S3 bucket | +| config.S3Storage.Profile | string | `""` | An IAM Profile to use for accessing the S3 bucket, default is to read from the `AWS_PROFILE` env var | +| config.S3Storage.Region | string | `""` | Region of the S3 bucket, default is to read from the `AWS_REGION` env var | +| extraObjects | list | `[]` | Additional manifests to deploy with the chart with template value rendering | +| extraSecretMounts | list | `[]` | Additional secrets to mount to the Chronicle server pod | | fullnameOverride | string | `""` | Override for the full name of the release | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The image registry | | image.repository | string | `"rstudio/chronicle"` | The image repository | -| image.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true}` | The verbatim securityContext for the Chronicle server container in the pod ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core | -| image.sha | Optional | `""` | The image digest | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | -| nameOverride | string | `""` | Override for the name of the chart deployment | +| image.securityContext | object | 
`{"allowPrivilegeEscalation":false,"runAsNonRoot":true}` | The container-level security context ([reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core)) | +| image.sha | string | `""` | The image digest | +| image.tag | string | `""` | The image tag, defaults to the chart app version | +| nameOverride | string | `""` | Override for the name of the release | | namespaceOverride | string | `""` | Override for the namespace of the chart deployment | | persistence.accessModes | list | `["ReadWriteOnce"]` | Persistent Volume Access Modes | -| persistence.annotations | object | `{}` | Additional annotations to add to the PVC | +| persistence.annotations | object | `{}` | Additional annotations for the PVC | | persistence.enabled | bool | `true` | Enable persistence using Persistent Volume Claims | -| persistence.finalizers | list | `["kubernetes.io/pvc-protection"]` | Finalizers added verbatim to the PVC | -| persistence.labels | object | `{}` | Additional labels to add to the PVC | +| persistence.finalizers | list | `["kubernetes.io/pvc-protection"]` | Finalizers for the PVC | +| persistence.labels | object | `{}` | Additional labels for the PVC | | persistence.selectorLabels | object | `{}` | Selector to match an existing Persistent Volume for the data PVC | | persistence.size | string | `"10Gi"` | Size of the data volume | -| persistence.storageClassName | string | `""` | Persistent Volume Storage Class (Leave empty if using the default storage class) | -| pod.affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | -| pod.annotations | object | `{}` | Additional annotations to add to the chronicle-server pods | -| pod.args | list | `[]` | | -| pod.command | list | `[]` | The command and args to run in the chronicle-server container, defaults to the image entrypoint and args | -| pod.env | list | `[]` | Optional environment variables | -| pod.labels | object | `{}` | Additional labels to add 
to the chronicle-server pods | -| pod.nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition | -| pod.securityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":"OnRootMismatch"}` | The verbatim pod-level securityContext ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#podsecuritycontext-v1-core | +| persistence.storageClassName | string | `""` | Persistent Volume Storage Class, defaults to the default Storage Class for the cluster | +| pod.affinity | object | `{}` | A map used verbatim as the pod "affinity" definition | +| pod.annotations | object | `{}` | Additional annotations for pods | +| pod.args | list | `[]` | The arguments to pass to the command, defaults to the image `CMD` values | +| pod.command | list | `[]` | The command to run in the Chronicle server container, defaults to the image `ENTRYPOINT` value | +| pod.env | list | `[]` | Additional environment variables to set on the Chronicle server container | +| pod.labels | object | `{}` | Additional labels for pods | +| pod.nodeSelector | object | `{}` | A map used verbatim as the pod "nodeSelector" definition | +| pod.securityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":"OnRootMismatch"}` | The pod-level security context ([reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#podsecuritycontext-v1-core)) | | pod.terminationGracePeriodSeconds | int | `30` | The termination grace period seconds allowed for the pod before shutdown | -| pod.tolerations | list | `[]` | An array used verbatim as the pod's "tolerations" definition | -| replicas | int | `1` | The number of replica pods to maintain for this service | -| service.annotations | object | `{}` | Additional annotations to add to the chronicle-server service | -| service.labels | object | `{}` | Additional labels to add to the chronicle-server service | -| service.port | int | `80` | The port to use for the REST service | -| 
serviceAccount.annotations | object | `{}` | Additional annotations to add to the chronicle-server serviceaccount | -| serviceAccount.create | bool | `false` | | -| serviceAccount.labels | object | `{}` | Additional labels to add to the chronicle-server serviceaccount | -| serviceAccount.name | string | `""` | The name of the service account to use | +| pod.tolerations | list | `[]` | An array used verbatim as the pod "tolerations" definition | +| replicas | int | `1` | The number of replica pods to maintain | +| service.annotations | object | `{}` | Annotations to add to the service | +| service.labels | object | `{}` | Labels to add to the service | +| service.port | int | `80` | The port to use for the REST API service | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `false` | Creates a service account for Posit Chronicle if true | +| serviceAccount.labels | object | `{}` | Labels to add to the service account | +| serviceAccount.name | string | `""` | Override for the service account name, defaults to fullname | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) From f4646eebe434728d3cae3cfce4fa60cc5fe72dac Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 27 May 2025 10:33:15 -0600 Subject: [PATCH 60/69] Remove unmatched paren Co-authored-by: Brian Deitte --- charts/posit-chronicle/templates/stateful-set.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/posit-chronicle/templates/stateful-set.yaml b/charts/posit-chronicle/templates/stateful-set.yaml index 1274ee5e1..bdaf768e4 100644 --- a/charts/posit-chronicle/templates/stateful-set.yaml +++ b/charts/posit-chronicle/templates/stateful-set.yaml 
@@ -26,7 +26,7 @@ spec: {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8) }} + {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8 }} spec: {{- with .Values.pod.affinity }} affinity: From c3c328e747a1941f3da6411303590c919d7fc646 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 27 May 2025 14:33:51 -0600 Subject: [PATCH 61/69] Update the Usage section for changes to Workbench and Connect --- charts/posit-chronicle/README.md.gotmpl | 47 ++++++------------------- 1 file changed, 10 insertions(+), 37 deletions(-) diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl index d171e4e50..79554f69a 100644 --- a/charts/posit-chronicle/README.md.gotmpl +++ b/charts/posit-chronicle/README.md.gotmpl 
@@ -15,43 +15,16 @@ with the Workbench and Connect charts. For the server to receive data, the Chronicle agent must be deployed as a sidecar container alongside Workbench or Connect server pods. -Below is an example of the values used to run the agent sidecar in **Workbench**. - -```yaml -initContainers: - - name: chronicle-agent - restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent:{{ template "chart.appVersion" . }} - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://." -``` - -The below example shows how to run the Chronicle agent sidecar in **Connect**. The -usage is similar to the Workbench example, but a Connect API key with Administrator -permissions must be configured in order to receive a full complement of metrics. -In the example, - -```yaml -initContainers: -- name: chronicle-agent - restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent:{{ template "chart.appVersion" . }} - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://." - - name: CHRONICLE_CONNECT_APIKEY - valueFrom: - secretKeyRef: - name: connect - key: apikey -``` - -It is up to the user to provision this Kubernetes Secret for the -Connect API key. The `extraObjects` value in the Connect chart can be used to -create the secret and mount it to the Chronicle agent container. Due to the -nature of the Chronicle agent, the pod may need to be restarted to pick up -changes to the secret after initial deployment. +Both [Workbench](https://docs.posit.co/helm/charts/rstudio-workbench/README.html#chronicle-agent) +(`>=0.9.2`) and [Connect](https://docs.posit.co/helm/charts/rstudio-connect/README.html#chronicle-agent) +(`>=0.7.26`) charts include out of the box support for Chronicle agent sidecars. +The sidecar can be enabled by setting the `chronicleAgent.enabled` value to `true` +in either product's chart. 
+ +For additional information on deploying and configuring Chronicle agents, +see the [Workbench](https://docs.posit.co/helm/charts/rstudio-workbench/README.html#chronicle-agent) +or [Connect](https://docs.posit.co/helm/charts/rstudio-connect/README.html#chronicle-agent) +chart documentation. ## HTTPS Configuration From 405b46b01234661957fece38c30461451ff3e3dd Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 27 May 2025 20:34:46 +0000 Subject: [PATCH 62/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 47 +++++++------------------------- 1 file changed, 10 insertions(+), 37 deletions(-) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index 1c3e4edf8..f04835420 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md 
@@ -45,43 +45,16 @@ with the Workbench and Connect charts. For the server to receive data, the Chronicle agent must be deployed as a sidecar container alongside Workbench or Connect server pods. -Below is an example of the values used to run the agent sidecar in **Workbench**. - -```yaml -initContainers: - - name: chronicle-agent - restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent:2025.03.0 - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://." -``` - -The below example shows how to run the Chronicle agent sidecar in **Connect**. The -usage is similar to the Workbench example, but a Connect API key with Administrator -permissions must be configured in order to receive a full complement of metrics. -In the example, - -```yaml -initContainers: -- name: chronicle-agent - restartPolicy: Always - image: ghcr.io/rstudio/chronicle-agent:2025.03.0 - env: - - name: CHRONICLE_SERVER_ADDRESS - value: "http://." - - name: CHRONICLE_CONNECT_APIKEY - valueFrom: - secretKeyRef: - name: connect - key: apikey -``` - -It is up to the user to provision this Kubernetes Secret for the -Connect API key. The `extraObjects` value in the Connect chart can be used to -create the secret and mount it to the Chronicle agent container. Due to the -nature of the Chronicle agent, the pod may need to be restarted to pick up -changes to the secret after initial deployment. +Both [Workbench](https://docs.posit.co/helm/charts/rstudio-workbench/README.html#chronicle-agent) +(`>=0.9.2`) and [Connect](https://docs.posit.co/helm/charts/rstudio-connect/README.html#chronicle-agent) +(`>=0.7.26`) charts include out of the box support for Chronicle agent sidecars. +The sidecar can be enabled by setting the `chronicleAgent.enabled` value to `true` +in either product's chart. 
+
+For additional information on deploying and configuring Chronicle agents,
+see the [Workbench](https://docs.posit.co/helm/charts/rstudio-workbench/README.html#chronicle-agent)
+or [Connect](https://docs.posit.co/helm/charts/rstudio-connect/README.html#chronicle-agent)
+chart documentation.
 ## HTTPS Configuration
From 226c613b14907e419db34b1d9dd4a331df23cdff Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 27 May 2025 14:37:13 -0600
Subject: [PATCH 63/69] Trigger CI
From f52b32b1fcfad5c4b79adf60081708ca95db5e75 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 27 May 2025 14:54:17 -0600
Subject: [PATCH 64/69] Change checksum calculation to use `.Values.config` since file operations are annoying in helm
---
 charts/posit-chronicle/templates/stateful-set.yaml | 6 +++---
 charts/posit-chronicle/tests/statefulset_test.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/posit-chronicle/templates/stateful-set.yaml b/charts/posit-chronicle/templates/stateful-set.yaml
index bdaf768e4..91ea366e5 100644
--- a/charts/posit-chronicle/templates/stateful-set.yaml
+++ b/charts/posit-chronicle/templates/stateful-set.yaml
@@ -7,10 +7,10 @@ metadata:
 namespace: {{ include "posit-chronicle.namespace" . }}
 labels:
 {{- include "posit-chronicle.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
 annotations:
- {{- with .Values.commonAnnotations }}
 {{- toYaml . | nindent 4 }}
- {{- end }}
+ {{- end }}
 spec:
 replicas: {{ .Values.replicas }}
 serviceName: {{ include "posit-chronicle.fullname" . }}
@@ -25,7 +25,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 annotations:
- checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/config: {{ print .Values.config | sha256sum }}
 {{- include "posit-chronicle.pod.annotations" . | trim | nindent 8 }}
 spec:
 {{- with .Values.pod.affinity }}
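Review bot: In the second hunk (`@@ -25,7 +25,7 @@`) the new `checksum/config` hashes `print .Values.config`, so the pod template now changes only when that one values subtree changes, not when the rendered ConfigMap does. If `configmap.yaml` takes any content from other values or helpers (not visible here), such a change, including a security-relevant one, would be applied to the ConfigMap without restarting the pods that read it. `print` is also Go's default map formatting, which is lossy (a string `"1"` and an integer `1` render the same), so an explicit serialisation with a quoted result is safer: `checksum/config: {{ toYaml .Values.config | sha256sum | quote }}`. A template comment above the line naming the inputs the checksum is meant to cover would make the narrower scope deliberate. The StatefulSet spec continues outside the hunk.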
diff --git a/charts/posit-chronicle/tests/statefulset_test.yaml b/charts/posit-chronicle/tests/statefulset_test.yaml
index 914b6b6f0..3f1110c7e 100644
--- a/charts/posit-chronicle/tests/statefulset_test.yaml
+++ b/charts/posit-chronicle/tests/statefulset_test.yaml
@@ -68,10 +68,10 @@ tests:
 app.kubernetes.io/instance: test-release
 app.kubernetes.io/version: 9999.9.9
 another: label
- - it: should not set pod annotations by default
+ - it: should set checksum annotation by default for pods to ensure changes apply
 asserts:
- - notExists:
- path: spec.template.metadata.annotations
+ - exists:
+ path: spec.template.metadata.annotations.checksum/config
 - it: should set the annotations if specified with pod annotations favored during merge
 set:
 commonAnnotations:
From e59cb10aa1470059c78165e94cae2f9d1011f4c7 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Wed, 28 May 2025 07:42:06 -0600
Subject: [PATCH 65/69] Add callout for storage management user responsibilities
---
 charts/posit-chronicle/README.md.gotmpl | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/charts/posit-chronicle/README.md.gotmpl b/charts/posit-chronicle/README.md.gotmpl
index 79554f69a..3083837f5 100644
--- a/charts/posit-chronicle/README.md.gotmpl
+++ b/charts/posit-chronicle/README.md.gotmpl
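Review bot: The rewritten default-annotations case only asserts that `checksum/config` exists, which still passes if the template hashes a missing or renamed value and so emits the same digest for every configuration. Adding a `matchRegex` on the same path with `pattern: ^[a-f0-9]{64}$` pins the shape, and a further case that sets a known `config` value and uses `equal` against its expected digest would show the annotation follows the config. The `tests:` list starts and continues outside the hunk.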
@@ -80,11 +80,17 @@ by `config.LocalStorage.Path` to avoid potential misconfiguration and data loss. By default, Chronicle requests 10Gi of storage. In most cases, this amount of storage should be sufficient for thirty days of monitoring data. -Users are responsible for managing the size of the persistent volume and -negotiating and controlling access to the data from other pods. While attaching -the volume to Workbench is a valid method of accessing the data, keep in mind -that some data captured by Chronicle may be considered sensitive and should be -handled with care. + +::: {.callout-important} +Users are responsible for managing the size of the persistent volume, retention +of stored data, and controlling access to the data from other pods. Consider +utilizing a dynamic volume provisioner to avoid storage-related service +interruptions. +::: + +While attaching the volume to Workbench is a valid method of accessing the data, +keep in mind that some data captured by Chronicle may be considered sensitive and +should be handled with care. #### Alternate Storage Class From 7b91978d6a039a4e55f80095db1393fb425bbf91 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 28 May 2025 13:43:02 +0000 Subject: [PATCH 66/69] Update helm-docs and README.md --- charts/posit-chronicle/README.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md index f04835420..2c15846b2 100644 --- a/charts/posit-chronicle/README.md +++ b/charts/posit-chronicle/README.md 
@@ -110,11 +110,17 @@ by `config.LocalStorage.Path` to avoid potential misconfiguration and data loss. By default, Chronicle requests 10Gi of storage. In most cases, this amount of storage should be sufficient for thirty days of monitoring data. -Users are responsible for managing the size of the persistent volume and -negotiating and controlling access to the data from other pods. While attaching -the volume to Workbench is a valid method of accessing the data, keep in mind -that some data captured by Chronicle may be considered sensitive and should be -handled with care. + +::: {.callout-important} +Users are responsible for managing the size of the persistent volume, retention +of stored data, and controlling access to the data from other pods. Consider +utilizing a dynamic volume provisioner to avoid storage-related service +interruptions. +::: + +While attaching the volume to Workbench is a valid method of accessing the data, +keep in mind that some data captured by Chronicle may be considered sensitive and +should be handled with care. #### Alternate Storage Class From fdd295799e7471d6bc57eb300dc9a58a251e6c50 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 28 May 2025 07:45:10 -0600 Subject: [PATCH 67/69] Trigger CI From b58d31de7e06c02df98cbd0adda77d364be58dce Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 3 Jun 2025 09:23:39 -0600 Subject: [PATCH 68/69] Bump version --- charts/posit-chronicle/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/posit-chronicle/Chart.yaml b/charts/posit-chronicle/Chart.yaml index 489f5f0e0..301a9ee6e 100644 --- a/charts/posit-chronicle/Chart.yaml +++ b/charts/posit-chronicle/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2
 name: posit-chronicle
 description: Official Helm chart for Posit Chronicle Server
 version: 0.4.0
-appVersion: 2025.03.0
+appVersion: 2025.05.1
 icon: https://posit.co/wp-content/themes/Posit/dist/images/favicon/apple-touch-icon-180x180.png
 home: https://www.posit.co
 sources:
@@ -14,7 +14,7 @@ maintainers:
 annotations:
 artifacthub.io/images: |
 - name: chronicle
- image: ghcr.io/rstudio/chronicle:2025.03.0
+ image: ghcr.io/rstudio/chronicle:2025.05.1
 platforms:
 - linux/amd64
 artifacthub.io/license: MIT
From 5bf5e5254395ffd3f8659f1abde82731fba06a08 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 4 Jun 2025 16:30:29 +0000
Subject: [PATCH 69/69] Update helm-docs and README.md
---
 charts/posit-chronicle/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/posit-chronicle/README.md b/charts/posit-chronicle/README.md
index 2c15846b2..1aa9d3e6c 100644
--- a/charts/posit-chronicle/README.md
+++ b/charts/posit-chronicle/README.md
@@ -1,6 +1,6 @@
 # Posit Chronicle
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2025.03.0](https://img.shields.io/badge/AppVersion-2025.03.0-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2025.05.1](https://img.shields.io/badge/AppVersion-2025.05.1-informational?style=flat-square)
 #### _Official Helm chart for Posit Chronicle Server_