diff --git a/charts/rstudio-connect/Chart.lock b/charts/rstudio-connect/Chart.lock index 9b57df621..ae4373dd3 100644 --- a/charts/rstudio-connect/Chart.lock +++ b/charts/rstudio-connect/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.31 -digest: sha256:2a0e98b8fa01730bf2db3816a7310462c921b9fa2f1f3c74f85fedede82e1593 -generated: "2024-11-01T10:19:53.608088-04:00" + version: 0.1.34 +digest: sha256:66324c3ca436a3743e6f7c3dd8e159d21fca4fd5072d4d8c2583bfafd8499d70 +generated: "2025-05-20T10:37:20.963885313-06:00" diff --git a/charts/rstudio-connect/Chart.yaml b/charts/rstudio-connect/Chart.yaml index ca9059745..80fe157d8 100644 --- a/charts/rstudio-connect/Chart.yaml +++ b/charts/rstudio-connect/Chart.yaml @@ -1,6 +1,6 @@ name: rstudio-connect description: Official Helm chart for Posit Connect -version: 0.7.25 +version: 0.7.26 apiVersion: v2 appVersion: 2025.04.0 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.31 + version: 0.1.34 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | diff --git a/charts/rstudio-connect/NEWS.md b/charts/rstudio-connect/NEWS.md index a0d929907..6cf6c8b56 100644 --- a/charts/rstudio-connect/NEWS.md +++ b/charts/rstudio-connect/NEWS.md @@ -1,5 +1,11 @@ # Changelog +## 0.7.26 + +- Bump `rstudio-library` chart version to `0.1.34`. +- Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default + and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. + ## 0.7.25 - Bump Connect version to 2025.04.0 diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index eac7095bb..a4e56be0b 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md 
@@ -1,6 +1,6 @@ # Posit Connect -![Version: 0.7.25](https://img.shields.io/badge/Version-0.7.25-informational?style=flat-square) ![AppVersion: 2025.04.0](https://img.shields.io/badge/AppVersion-2025.04.0-informational?style=flat-square) +![Version: 0.7.26](https://img.shields.io/badge/Version-0.7.26-informational?style=flat-square) ![AppVersion: 2025.04.0](https://img.shields.io/badge/AppVersion-2025.04.0-informational?style=flat-square) #### _Official Helm chart for Posit Connect_ @@ -30,11 +30,11 @@ To ensure reproducibility in your environment and insulate yourself from future ## Installing the chart -To install the chart with the release name `my-release` at version 0.7.25: +To install the chart with the release name `my-release` at version 0.7.26: ```{.bash} helm repo add rstudio https://helm.rstudio.com -helm upgrade --install my-release rstudio/rstudio-connect --version=0.7.25 +helm upgrade --install my-release rstudio/rstudio-connect --version=0.7.26 ``` To explore other chart versions, look at: 
@@ -124,6 +124,66 @@ Alternatively, database passwords may be set during `helm install` with the foll `--set config.Postgres.Password=""` +## Chronicle Agent + +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: +```yaml +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" + - name: CHRONICLE_CONNECT_APIKEY + valueFrom: + secretKeyRef: + name: connect + key: apikey +``` + +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + +### Chronicle Connect API Key + +In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing +a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example +of how to set the API key using a secret: +```yaml +chronicleAgent: + enabled: true + connectApiKey: + valueFrom: + secretKeyRef: + name: + key: +``` + +Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the +Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave +the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a +secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` +can be set and the release can be upgraded to include the new value. + ## General principles - In most places, we opt to pass Helm values over configmaps. We translate these into the valid `.gcfg` file format 
@@ -148,6 +208,22 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | The pod's run arguments. By default, it uses the container's default | +| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) | +| chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | +| chronicleAgent.connectApiKey | object | `{"value":"","valueFrom":{}}` | An Administrator permissions API key generated in Connect for the Chronicle agent to use, API keys can only be created after Connect has been deployed so this value may need to be filled in later if performing an initial deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) | +| chronicleAgent.connectApiKey.value | string | `""` | Connect API key as a raw string to set as the `CHRONICLE_CONNECT_APIKEY` environment variable (not recommended) | +| chronicleAgent.connectApiKey.valueFrom | object | `{}` | Connect API key as a `valueFrom` reference (ex. 
a Kubernetes Secret reference) to set as the `CHRONICLE_CONNECT_APIKEY` environment variable (recommended) | +| chronicleAgent.enabled | bool | `false` | Creates a Chronicle agent sidecar container in the pod if true | +| chronicleAgent.env | list | `[]` | Additional environment variables to set on the Chronicle agent container `env` | +| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle agent image | +| chronicleAgent.image.registry | string | `"ghcr.io"` | The Chronicle agent image registry | +| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The Chronicle agent image repository | +| chronicleAgent.image.sha | string | `""` | The Chronicle agent image digest | +| chronicleAgent.image.tag | string | `""` | The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | The container-level security context for the Chronicle agent container | +| chronicleAgent.serverAddress | string | `""` | Address for the Chronicle server including the protocol (ex. "http://address"), defaults to auto-discovered Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.serverNamespace | string | `""` | Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.volumeMounts | list | `[]` | Verbatim volumeMounts to attach to the Chronicle agent container | | command | list | `[]` | The pod's run command. 
By default, it uses the container's default | | config | object | [Posit Connect Configuration Reference](https://docs.posit.co/connect/admin/appendix/off-host/helm-reference/) | A nested map of maps that generates the rstudio-connect.gcfg file | | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) | diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 0e4d96e4d..bccb64a3c 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -64,6 +64,66 @@ Alternatively, database passwords may be set during `helm install` with the foll `--set config.Postgres.Password=""` +## Chronicle Agent + +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: +```yaml +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" + - name: CHRONICLE_CONNECT_APIKEY + valueFrom: + secretKeyRef: + name: connect + key: apikey +``` + +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + +### Chronicle Connect API Key + +In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing +a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example +of how to set the API key using a secret: +```yaml +chronicleAgent: + enabled: true + connectApiKey: + valueFrom: + secretKeyRef: + name: + key: +``` + +Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the +Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave +the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a +secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` +can be set and the release can be upgraded to include the new value. + ## General principles - In most places, we opt to pass Helm values over configmaps. We translate these into the valid `.gcfg` file format diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index e5b9a6252..1e88a39cc 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml 
@@ -90,9 +90,46 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.initContainers }} + {{- if or .Values.initContainers .Values.chronicleAgent.enabled }} initContainers: -{{ toYaml .Values.initContainers | indent 8 }} + {{- if .Values.chronicleAgent.enabled }} + - name: chronicle-agent + {{- if .Values.chronicleAgent.image.sha }} + image: {{ printf "%s@sha256:%s" (include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim) .Values.chronicleAgent.image.sha }} + {{- else }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + {{- end }} + imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} + restartPolicy: Always + {{- with .Values.chronicleAgent.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.chronicleAgent.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + env: + - name: CHRONICLE_SERVER_ADDRESS + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + - name: CHRONICLE_CONNECT_APIKEY + {{- if .Values.chronicleAgent.connectApiKey.valueFrom }} + valueFrom: +{{ toYaml .Values.chronicleAgent.connectApiKey.valueFrom | indent 14 }} + {{- else }} + value: {{ .Values.chronicleAgent.connectApiKey.value | quote }} + {{- end }} + {{- with .Values.chronicleAgent.agentEnvironment }} + - name: CHRONICLE_AGENT_ENVIRONMENT + value: {{ . | quote }} + {{- end }} + {{- with .Values.chronicleAgent.env }} + {{ toYaml . | indent 10 }} + {{- end }} + {{- end }} + {{- with .Values.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} containers: - name: connect diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index 69ec160ca..963ea0eae 100644 
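Review bot: The indent widths in the new `chronicle-agent` block disagree with the same block in `charts/rstudio-workbench/templates/deployment.yaml`. Here `securityContext` is rendered with `nindent 10`, the `valueFrom` body with `indent 14` and the extra `env` with `indent 10`; the Workbench hunk uses 12, 16 and 12, while both charts place `.Values.initContainers` at `nindent 8`. Leading whitespace is not recoverable in this view, so which chart is off is an inference, but if the container keys sit at column 10 then `nindent 10` puts `privileged` and `runAsNonRoot` beside `securityContext:` rather than under it, and the default hardening is not applied as intended. The `chronicleAgent.env` line also appears to be indented and is not left-trimmed, so its first rendered line would be indented further than the rest; `{{- toYaml . | nindent 12 }}` would match the other `with` blocks, with the width checked against the `- name:` entries above it. Rendering both charts with `helm template`, with `chronicleAgent.enabled=true` and a non-empty `chronicleAgent.env`, and passing the output through a schema validator would settle it.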
--- a/charts/rstudio-connect/values.yaml
+++ b/charts/rstudio-connect/values.yaml
@@ -261,6 +261,51 @@ ingress: # hosts: # - chart-example.local +# Settings for the Chronicle Agent sidecar container +chronicleAgent: + # -- Creates a Chronicle agent sidecar container in the pod if true + enabled: false + # -- Additional environment variables to set on the Chronicle agent container `env` + env: [] + # -- Verbatim volumeMounts to attach to the Chronicle agent container + volumeMounts: [] + # -- The container-level security context for the Chronicle agent container + securityContext: + privileged: false + runAsNonRoot: true + image: + # -- The Chronicle agent image registry + registry: ghcr.io + # -- The Chronicle agent image repository + repository: rstudio/chronicle-agent + # -- The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if + # `chronicleAgent.autoDiscovery=false` + tag: "" + # -- The Chronicle agent image digest + sha: "" + # -- The pull policy for the Chronicle agent image + imagePullPolicy: IfNotPresent + # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster + autoDiscovery: true + # -- Address for the Chronicle server including the protocol (ex. 
"http://address"), defaults to auto-discovered + # Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` + serverAddress: "" + # -- Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if + # `chronicleAgent.autoDiscovery=false` + serverNamespace: "" + # -- An Administrator permissions API key generated in Connect for the Chronicle agent to use, API keys can only be + # created after Connect has been deployed so this value may need to be filled in later if performing an initial + # deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) + connectApiKey: + # -- Connect API key as a raw string to set as the `CHRONICLE_CONNECT_APIKEY` environment variable (not recommended) + value: "" + # -- Connect API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the + # `CHRONICLE_CONNECT_APIKEY` environment variable (recommended) + valueFrom: {} + # -- An environment tag to apply to all metrics reported by this agent + # ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) + agentEnvironment: "" + launcher: # -- Whether to enable the launcher enabled: false diff --git a/charts/rstudio-workbench/Chart.lock b/charts/rstudio-workbench/Chart.lock index 5d8d42070..1c6c3d7ca 100644 --- a/charts/rstudio-workbench/Chart.lock +++ b/charts/rstudio-workbench/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.31 -digest: sha256:2a0e98b8fa01730bf2db3816a7310462c921b9fa2f1f3c74f85fedede82e1593 -generated: "2024-11-01T10:20:55.670732-04:00" + version: 0.1.34 +digest: sha256:66324c3ca436a3743e6f7c3dd8e159d21fca4fd5072d4d8c2583bfafd8499d70 +generated: "2025-05-20T10:37:32.909079863-06:00" diff --git a/charts/rstudio-workbench/Chart.yaml b/charts/rstudio-workbench/Chart.yaml index 3f0c0dad3..ffe6c087a 100644 
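Review bot: The default `securityContext` for the agent sets only `privileged: false` and `runAsNonRoot: true`, which leaves privilege escalation and the runtime's default capability set available to a container that holds an Administrator API key. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` to the default would tighten that, assuming the agent needs no extra capabilities; whether the image also tolerates `readOnlyRootFilesystem: true` cannot be told from this diff and would need a test. The `sha` comment could also say that the value is the bare hex digest, since the deployment template prepends `sha256:` itself. The same defaults appear in the `chronicleAgent` block added to `charts/rstudio-workbench/values.yaml`.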
--- a/charts/rstudio-workbench/Chart.yaml +++ b/charts/rstudio-workbench/Chart.yaml @@ -1,6 +1,6 @@ name: rstudio-workbench description: Official Helm chart for Posit Workbench -version: 0.9.1 +version: 0.9.2 apiVersion: v2 appVersion: 2025.05.0 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.31 + version: 0.1.34 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md index e62257464..6d3df2316 100644 --- a/charts/rstudio-workbench/NEWS.md +++ b/charts/rstudio-workbench/NEWS.md @@ -1,5 +1,11 @@ # Changelog +## 0.9.2 + +- Bump `rstudio-library` chart version to `0.1.34`. +- Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default + and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. + ## 0.9.1 - Bump Workbench version to 2025.05.0 diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 0659cadb0..3171d5baa 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -1,6 +1,6 @@ # Posit Workbench -![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![AppVersion: 2025.05.0](https://img.shields.io/badge/AppVersion-2025.05.0-informational?style=flat-square) +![Version: 0.9.2](https://img.shields.io/badge/Version-0.9.2-informational?style=flat-square) ![AppVersion: 2025.05.0](https://img.shields.io/badge/AppVersion-2025.05.0-informational?style=flat-square) #### _Official Helm chart for Posit Workbench_ 
@@ -24,11 +24,11 @@ To ensure a stable production deployment: ## Installing the chart -To install the chart with the release name `my-release` at version 0.9.1: +To install the chart with the release name `my-release` at version 0.9.2: ```{.bash} helm repo add rstudio https://helm.rstudio.com -helm upgrade --install my-release rstudio/rstudio-workbench --version=0.9.1 +helm upgrade --install my-release rstudio/rstudio-workbench --version=0.9.2 ``` To explore other chart versions, look at: @@ -413,6 +413,62 @@ launcher: effect: "NoSchedule" ``` +## Chronicle Agent + +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: +```yaml +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" +``` + +For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + +### Chronicle Workbench API Key + +> [!WARNING] +> The Workbench API is currently in preview. See +> [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more +> information. + +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must +provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: +```yaml +chronicleAgent: + enabled: true + workbenchApiKey: + valueFrom: + secretKeyRef: + name: + key: +``` + +For additional information on enabling the API and generating API keys, see +[the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html). + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. 
@@ -433,6 +489,22 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | args is the pod container's run arguments. | +| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) | +| chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | +| chronicleAgent.enabled | bool | `false` | Creates a Chronicle agent sidecar container in the pod if true | +| chronicleAgent.env | list | `[]` | Additional environment variables to set on the Chronicle agent container `env` | +| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle agent image | +| chronicleAgent.image.registry | string | `"ghcr.io"` | The Chronicle agent image registry | +| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The Chronicle agent image repository | +| chronicleAgent.image.sha | string | `""` | The Chronicle agent image digest | +| chronicleAgent.image.tag | string | `""` | The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | The container-level security context for the Chronicle agent container | +| chronicleAgent.serverAddress | string | `""` | Address for the Chronicle server including the protocol (ex. 
"http://address"), defaults to auto-discovered Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.serverNamespace | string | `""` | Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.volumeMounts | list | `[]` | Verbatim volumeMounts to attach to the Chronicle agent container | +| chronicleAgent.workbenchApiKey | object | `{"value":"","valueFrom":{}}` | A read-only administrator permissions API key generated for Workbench for the Chronicle agent to use, API keys can only be created after Workbench has been deployed so this value may need to be filled in later if performing an initial deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) | +| chronicleAgent.workbenchApiKey.value | string | `""` | Workbench API key as a raw string to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable (not recommended) | +| chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | Workbench API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable (recommended) | | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | | config.defaultMode.jobJsonOverrides | int | 0644 | default mode for jobJsonOverrides config | | config.defaultMode.pam | int | 0644 | default mode for pam scripts | diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index a0d57fc3d..10793eca0 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl 
@@ -358,6 +358,62 @@ launcher: effect: "NoSchedule" ``` +## Chronicle Agent + +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: +```yaml +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" +``` + +For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + +### Chronicle Workbench API Key + +> [!WARNING] +> The Workbench API is currently in preview. See +> [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more +> information. + +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must +provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: +```yaml +chronicleAgent: + enabled: true + workbenchApiKey: + valueFrom: + secretKeyRef: + name: + key: +``` + +For additional information on enabling the API and generating API keys, see +[the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html). + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index f8337506e..e799f473d 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml 
@@ -97,9 +97,46 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} - {{- if .Values.initContainers }} + {{- if or .Values.initContainers .Values.chronicleAgent.enabled }} initContainers: - {{- toYaml .Values.initContainers | nindent 8 }} + {{- if .Values.chronicleAgent.enabled }} + - name: chronicle-agent + {{- if .Values.chronicleAgent.image.sha }} + image: {{ printf "%s@sha256:%s" (include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim) .Values.chronicleAgent.image.sha }} + {{- else }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + {{- end }} + imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} + restartPolicy: Always + {{- with .Values.chronicleAgent.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.chronicleAgent.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: CHRONICLE_SERVER_ADDRESS + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + - name: CHRONICLE_WORKBENCH_APIKEY + {{- if .Values.chronicleAgent.workbenchApiKey.valueFrom }} + valueFrom: +{{ toYaml .Values.chronicleAgent.workbenchApiKey.valueFrom | indent 16 }} + {{- else }} + value: {{ .Values.chronicleAgent.workbenchApiKey.value | quote }} + {{- end }} + {{- with .Values.chronicleAgent.agentEnvironment }} + - name: CHRONICLE_AGENT_ENVIRONMENT + value: {{ . | quote }} + {{- end }} + {{- with .Values.chronicleAgent.env }} + {{ toYaml . | indent 12 }} + {{- end }} + {{- end }} + {{- with .Values.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- /* this is where most important definition of containers takes place 
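Review bot: The `CHRONICLE_WORKBENCH_APIKEY` entry is always emitted, and its `else` branch writes `chronicleAgent.workbenchApiKey.value` straight into the pod spec, where the key is readable by anyone who can read the Deployment or its pods and is also kept in the Helm release record. When neither `valueFrom` nor `value` is set the container still receives the variable as `value: ""`, although the README describes the Workbench key as optional; how the agent treats an empty key is not visible here. Wrapping the entry in `{{- if or .Values.chronicleAgent.workbenchApiKey.valueFrom .Values.chronicleAgent.workbenchApiKey.value }}` and `{{- end }}` would omit it when unset, and a template comment on the `else` branch such as `{{- /* raw value is stored in the Deployment manifest; prefer valueFrom */ -}}` would make the trade-off visible to maintainers. The same pattern is in the `CHRONICLE_CONNECT_APIKEY` entry of `charts/rstudio-connect/templates/deployment.yaml`, where the key is documented as an Administrator key.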
diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml
index 6f54d35e3..353925177 100644
--- a/charts/rstudio-workbench/values.yaml
+++ b/charts/rstudio-workbench/values.yaml
@@ -63,6 +63,52 @@ strategy: maxSurge: "100%" maxUnavailable: 0 +# Settings for the Chronicle Agent sidecar container +chronicleAgent: + # -- Creates a Chronicle agent sidecar container in the pod if true + enabled: false + # -- Additional environment variables to set on the Chronicle agent container `env` + env: [] + # -- Verbatim volumeMounts to attach to the Chronicle agent container + volumeMounts: [] + # -- The container-level security context for the Chronicle agent container + securityContext: + privileged: false + runAsNonRoot: true + image: + # -- The Chronicle agent image registry + registry: ghcr.io + # -- The Chronicle agent image repository + repository: rstudio/chronicle-agent + # -- The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if + # `chronicleAgent.autoDiscovery=false` + tag: "" + # -- The Chronicle agent image digest + sha: "" + # -- The pull policy for the Chronicle agent image + imagePullPolicy: IfNotPresent + # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster + autoDiscovery: true + # -- Address for the Chronicle server including the protocol (ex. 
"http://address"), defaults to auto-discovered + # Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` + serverAddress: "" + # -- Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if + # `chronicleAgent.autoDiscovery=false` + serverNamespace: "" + # -- A read-only administrator permissions API key generated for Workbench for the Chronicle agent to use, API keys + # can only be created after Workbench has been deployed so this value may need to be filled in later if performing + # an initial deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) + workbenchApiKey: + # -- Workbench API key as a raw string to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable + # (not recommended) + value: "" + # -- Workbench API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the + # `CHRONICLE_WORKBENCH_APIKEY` environment variable (recommended) + valueFrom: {} + # -- An environment tag to apply to all metrics reported by this agent + # ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) + agentEnvironment: "" + launcher: # -- determines whether the launcher should be started in the container enabled: true
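Review bot: The `workbenchApiKey` comment links to the Connect API-key page (`https://docs.posit.co/connect/user/api-keys/#api-keys-creating`), which does not cover creating a Workbench key. The README section added in this commit already points to `https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html`; using that link here would keep the generated values table consistent with it. The comment could also state that the key is optional and that the deployment template sets the variable to an empty string when neither `value` nor `valueFrom` is given.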