From 24299555ca43d984d675709cdb2ffea183099ba2 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 12:34:34 -0600 Subject: [PATCH 01/50] Trigger CI From 1f8e918695fc6e9fb7ee2aa33687d442e1022d6d Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 08:49:45 -0600 Subject: [PATCH 02/50] Trigger CI From 3e1f620d92d58c96f2883a777c84aa21ca30955e Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 14:11:37 -0600 Subject: [PATCH 03/50] Start adding values for Chronicle agent config --- charts/rstudio-connect/values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index 69ec160ca..a3b980ac3 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -261,6 +261,14 @@ ingress: # hosts: # - chart-example.local +chronicleAgent: + enabled: false + image: + registry: ghcr.io + repository: rstudio/chronicle-agent + tag: "" + imagePullPolicy: IfNotPresent + launcher: # -- Whether to enable the launcher enabled: false From 1c014d3d802d14936f72806d2509a198e0f9013e Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 15:21:31 -0600 Subject: [PATCH 04/50] Add some helper functions for chronicle-agent autodiscovery --- .../templates/_chronicle-agent.tpl | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 charts/rstudio-connect/templates/_chronicle-agent.tpl diff --git a/charts/rstudio-connect/templates/_chronicle-agent.tpl b/charts/rstudio-connect/templates/_chronicle-agent.tpl new file mode 100644 index 000000000..535c806ed --- /dev/null +++ b/charts/rstudio-connect/templates/_chronicle-agent.tpl @@ -0,0 +1,31 @@ +{{- define "chronicle-agent.image" }} +{{- if .Values.chronicleAgent.enabled }} +{{- $registry := required "registry must be specified for the chronicle-agent config.".Values.chronicleAgent.image.registry }} +{{- $repository := required "repository must be specified for the chronicle-agent config.".Values.chronicleAgent.image.repository }} +{{- $version := "default" }} +{{- if not .Values.chronicleAgent.image.tag }} +{{- range $index, $service := (lookup "v1" "Service" .Release.Namespace "").items }} +{{- $name := get $service.metadata.labels "app.kubernetes.io/name" }} +{{- $component := get $service.metadata.labels "app.kubernetes.io/component" }} +{{- if and (contains "posit-chronicle" $name) (eq $component "server") }} +{{- $version = get $service.metadata.labels "app.kubernetes.io/version" }} +{{- end }} +{{- end }} +{{- else }} +{{- $version = .Values.chronicleAgent.image.tag }} +{{- end }} +{{ $registry }}/{{ $repository }}:{{ $version }} +{{- end }} +{{- end }} + +{{- define "chronicle-agent.serverAddress" }} +{{- if .Values.chronicleAgent.enabled }} +{{- range $index, $service := (lookup "v1" "Service" .Release.Namespace "").items }} +{{- $name := get $service.metadata.labels "app.kubernetes.io/name "}} +{{- $component := get $service.metadata.labels "app.kubernetes.io/component "}} +{{- if and (contains "posit-chronicle" $name) (eq $component "server") }} +{{ $name }}.{{ $service.metadata.namespace }}.svc.cluster.local +{{- end }} +{{- end }} +{{- end }} +{{- end }} From 35bb9a4169e236ef738ad10e83b0ce3f1682ffcc Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 9 May 2025 15:33:29 -0600 Subject: [PATCH 05/50] Add a definition for Chronicle Agent as a sidecar container --- .../rstudio-connect/templates/deployment.yaml | 17 ++++++++++++++++- charts/rstudio-connect/values.yaml | 13 +++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index e5b9a6252..4b7593128 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -90,8 +90,23 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.initContainers }} + {{- if or .Values.initContainers .Values.chronicleAgent.enabled }} initContainers: + {{- if .Values.chronicleAgent.enabled }} + - name: chronicle-agent + image: "{{ .Values.chronicleAgent.image.registry }}{{ .Values.chronicleAgent.image.repository }}:{{ .Values.chronicleAgent.image.tag }}" + imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} + restartPolicy: Always + env: + - name: CHRONICLE_SERVER_ADDRESS + value: {{ include "chronicle-agent.serverAddress" . | quote }} + {{- if .Values.chronicleAgent.connectApiKey.secretKeyRef }} + - name: CONNECT_API_KEY + valueFrom: + secretKeyRef: + {{ toYaml .Values.chronicleAgent.connectApiKey.secretKeyRef | indent 16 }} + {{- end }} + {{- end }} {{ toYaml .Values.initContainers | indent 8 }} {{- end }} containers: diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index a3b980ac3..84ee323f9 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -261,13 +261,26 @@ ingress: # hosts: # - chart-example.local +# -- Settings for the Chronicle Agent sidecar container chronicleAgent: + # -- Whether to enable the Chronicle Agent sidecar container enabled: false + # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster + autoDiscovery: true image: + # -- The registry to use for the Chronicle Agent image registry: ghcr.io + # -- The repository to use for the Chronicle Agent image repository: rstudio/chronicle-agent + # -- A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. tag: "" + # -- The pull policy for the Chronicle Agent image imagePullPolicy: IfNotPresent + # -- The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the current namespace. + serverAddress: "" + # -- An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. + connectApiKey: + secretKeyRef: {} launcher: # -- Whether to enable the launcher From 690ac37e5ba80d7eb7b5bf6babb1c0bfe439857c Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 13 May 2025 13:04:51 -0600 Subject: [PATCH 06/50] Update service target URL for Chronicle agent --- charts/rstudio-connect/templates/_chronicle-agent.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-connect/templates/_chronicle-agent.tpl b/charts/rstudio-connect/templates/_chronicle-agent.tpl index 535c806ed..563615d7e 100644 --- a/charts/rstudio-connect/templates/_chronicle-agent.tpl +++ b/charts/rstudio-connect/templates/_chronicle-agent.tpl @@ -24,7 +24,7 @@ {{- $name := get $service.metadata.labels "app.kubernetes.io/name "}} {{- $component := get $service.metadata.labels "app.kubernetes.io/component "}} {{- if and (contains "posit-chronicle" $name) (eq $component "server") }} -{{ $name }}.{{ $service.metadata.namespace }}.svc.cluster.local +{{ $name }}.{{ $service.metadata.namespace }} {{- end }} {{- end }} {{- end }} From 7473b8824dedc3554d0c9f374c52ddd4940c7a29 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 13 May 2025 13:41:31 -0600 Subject: [PATCH 07/50] Fix image reference in Chronicle Agent sidecar --- charts/rstudio-connect/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index 4b7593128..28a9ce186 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -94,7 +94,7 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent - image: "{{ .Values.chronicleAgent.image.registry }}{{ .Values.chronicleAgent.image.repository }}:{{ .Values.chronicleAgent.image.tag }}" + image: {{ include "chronicle-agent.image" . | quote }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always env: From 8fbac5ce4622f1f5b23d51d62b3ce41204e911dd Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 14 May 2025 15:45:23 -0600 Subject: [PATCH 08/50] Bump Connect release notes and chart version --- charts/rstudio-connect/Chart.yaml | 2 +- charts/rstudio-connect/NEWS.md | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/rstudio-connect/Chart.yaml b/charts/rstudio-connect/Chart.yaml index ca9059745..c9b00dffe 100644 --- a/charts/rstudio-connect/Chart.yaml +++ b/charts/rstudio-connect/Chart.yaml @@ -1,6 +1,6 @@ name: rstudio-connect description: Official Helm chart for Posit Connect -version: 0.7.25 +version: 0.7.26 apiVersion: v2 appVersion: 2025.04.0 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png diff --git a/charts/rstudio-connect/NEWS.md b/charts/rstudio-connect/NEWS.md index a0d929907..320a756dc 100644 --- a/charts/rstudio-connect/NEWS.md +++ b/charts/rstudio-connect/NEWS.md @@ -1,5 +1,10 @@ # Changelog +## 0.7.26 + +- Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default + and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. + ## 0.7.25 - Bump Connect version to 2025.04.0 From 5d48463156a23d7585107dd8982a5a249ff8cd46 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 14 May 2025 15:45:52 -0600 Subject: [PATCH 09/50] Add logic to use serverAddress value when present --- charts/rstudio-connect/templates/_chronicle-agent.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/rstudio-connect/templates/_chronicle-agent.tpl b/charts/rstudio-connect/templates/_chronicle-agent.tpl index 563615d7e..ad5161f6a 100644 --- a/charts/rstudio-connect/templates/_chronicle-agent.tpl +++ b/charts/rstudio-connect/templates/_chronicle-agent.tpl @@ -20,6 +20,9 @@ {{- define "chronicle-agent.serverAddress" }} {{- if .Values.chronicleAgent.enabled }} +{{- if .Values.chronicleAgent.serverAddress }} +{{ .Values.chronicleAgent.serverAddress }} +{{- else }} {{- range $index, $service := (lookup "v1" "Service" .Release.Namespace "").items }} {{- $name := get $service.metadata.labels "app.kubernetes.io/name "}} {{- $component := get $service.metadata.labels "app.kubernetes.io/component "}} @@ -29,3 +32,4 @@ {{- end }} {{- end }} {{- end }} +{{- end }} From 7d876b9171652d76e0fde7b0c336906a322a9c93 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Thu, 15 May 2025 14:24:21 -0600 Subject: [PATCH 10/50] Update products to include sidecar configuration utilizing rstudio-library helpers - Add initContainers chronicle agent definition to Workbench. - Update initContainers to include chronicle agent definition. - Add support for env and volumeMounts in definition. - Bump rstudio-library versions to 0.1.32. - Update READMEs with info on Chronicle agent. - Update NEWS notes. - Add serverNamespace value. --- charts/rstudio-connect/Chart.lock | 6 +-- charts/rstudio-connect/Chart.yaml | 4 +- charts/rstudio-connect/NEWS.md | 1 + charts/rstudio-connect/README.md.gotmpl | 39 +++++++++++++++++++ .../templates/_chronicle-agent.tpl | 35 ----------------- .../rstudio-connect/templates/deployment.yaml | 15 +++++-- charts/rstudio-connect/values.yaml | 8 +++- charts/rstudio-workbench/Chart.lock | 6 +-- charts/rstudio-workbench/Chart.yaml | 4 +- charts/rstudio-workbench/NEWS.md | 6 +++ charts/rstudio-workbench/README.md.gotmpl | 39 +++++++++++++++++++ .../templates/deployment.yaml | 22 ++++++++++- charts/rstudio-workbench/values.yaml | 24 ++++++++++++ 13 files changed, 158 insertions(+), 51 deletions(-) delete mode 100644 charts/rstudio-connect/templates/_chronicle-agent.tpl diff --git a/charts/rstudio-connect/Chart.lock b/charts/rstudio-connect/Chart.lock index 9b57df621..d6ae3c0c8 100644 --- a/charts/rstudio-connect/Chart.lock +++ b/charts/rstudio-connect/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.31 -digest: sha256:2a0e98b8fa01730bf2db3816a7310462c921b9fa2f1f3c74f85fedede82e1593 -generated: "2024-11-01T10:19:53.608088-04:00" + version: 0.1.32 +digest: sha256:20df0ba6597d22499e27ca767a691fc32a96b24a6fd8c31c7826da7c5e5ffde1 +generated: "2025-05-15T13:40:46.018874118-06:00" diff --git a/charts/rstudio-connect/Chart.yaml b/charts/rstudio-connect/Chart.yaml index c9b00dffe..b7b444df0 100644 --- a/charts/rstudio-connect/Chart.yaml +++ b/charts/rstudio-connect/Chart.yaml @@ -1,6 +1,6 @@ name: rstudio-connect description: Official Helm chart for Posit Connect -version: 0.7.26 +version: 0.7.27 apiVersion: v2 appVersion: 2025.04.0 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.31 + version: 0.1.32 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | diff --git a/charts/rstudio-connect/NEWS.md b/charts/rstudio-connect/NEWS.md index 320a756dc..e4bcd6428 100644 --- a/charts/rstudio-connect/NEWS.md +++ b/charts/rstudio-connect/NEWS.md @@ -2,6 +2,7 @@ ## 0.7.26 +- Bump `rstudio-library` chart version to `0.1.32`. - Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 0e4d96e4d..2ea392ac4 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -64,6 +64,45 @@ Alternatively, database passwords may be set during `helm install` with the foll `--set config.Postgres.Password=""` +## Chronicle Agent + +This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing +a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example +of how to set the API key using a secret: +```yaml +chronicleAgent: + enabled: true + connectApiKey: + secretKeyRef: + name: + key: +``` + +Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the +Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave +the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a +secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` +can be set and the chart can be upgraded to include the new value. + +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ## General principles - In most places, we opt to pass Helm values over configmaps. We translate these into the valid `.gcfg` file format diff --git a/charts/rstudio-connect/templates/_chronicle-agent.tpl b/charts/rstudio-connect/templates/_chronicle-agent.tpl deleted file mode 100644 index ad5161f6a..000000000 --- a/charts/rstudio-connect/templates/_chronicle-agent.tpl +++ /dev/null @@ -1,35 +0,0 @@ -{{- define "chronicle-agent.image" }} -{{- if .Values.chronicleAgent.enabled }} -{{- $registry := required "registry must be specified for the chronicle-agent config.".Values.chronicleAgent.image.registry }} -{{- $repository := required "repository must be specified for the chronicle-agent config.".Values.chronicleAgent.image.repository }} -{{- $version := "default" }} -{{- if not .Values.chronicleAgent.image.tag }} -{{- range $index, $service := (lookup "v1" "Service" .Release.Namespace "").items }} -{{- $name := get $service.metadata.labels "app.kubernetes.io/name" }} -{{- $component := get $service.metadata.labels "app.kubernetes.io/component" }} -{{- if and (contains "posit-chronicle" $name) (eq $component "server") }} -{{- $version = get $service.metadata.labels "app.kubernetes.io/version" }} -{{- end }} -{{- end }} -{{- else }} -{{- $version = .Values.chronicleAgent.image.tag }} -{{- end }} -{{ $registry }}/{{ $repository }}:{{ $version }} -{{- end }} -{{- end }} - -{{- define "chronicle-agent.serverAddress" }} -{{- if .Values.chronicleAgent.enabled }} -{{- if .Values.chronicleAgent.serverAddress }} -{{ .Values.chronicleAgent.serverAddress }} -{{- else }} -{{- range $index, $service := (lookup "v1" "Service" .Release.Namespace "").items }} -{{- $name := get $service.metadata.labels "app.kubernetes.io/name "}} -{{- $component := get $service.metadata.labels "app.kubernetes.io/component "}} -{{- if and (contains "posit-chronicle" $name) (eq $component "server") }} -{{ $name }}.{{ $service.metadata.namespace }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index 28a9ce186..c531d73a1 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -94,20 +94,29 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent - image: {{ include "chronicle-agent.image" . | quote }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always + {{- with .Values.chronicleAgent.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS - value: {{ include "chronicle-agent.serverAddress" . | quote }} + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} {{- if .Values.chronicleAgent.connectApiKey.secretKeyRef }} - name: CONNECT_API_KEY valueFrom: secretKeyRef: {{ toYaml .Values.chronicleAgent.connectApiKey.secretKeyRef | indent 16 }} {{- end }} + {{- with .Values.chronicleAgent.env }} + {{ toYaml . | indent 10 }} + {{- end }} + {{- end }} + {{- with .Values.initContainers }} + {{- toYaml . | nindent 8 }} {{- end }} -{{ toYaml .Values.initContainers | indent 8 }} {{- end }} containers: - name: connect diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index 84ee323f9..daf8aea3a 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -265,6 +265,10 @@ ingress: chronicleAgent: # -- Whether to enable the Chronicle Agent sidecar container enabled: false + # -- An array of maps that is injected as-is into the "env:" component of the container spec + env: [] + # -- An array of maps that is injected as-is into the "volumeMounts" component of the container spec + volumeMounts: [] # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster autoDiscovery: true image: @@ -276,8 +280,10 @@ chronicleAgent: tag: "" # -- The pull policy for the Chronicle Agent image imagePullPolicy: IfNotPresent - # -- The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the current namespace. + # -- The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. serverAddress: "" + # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. + serverNamespace: "" # -- An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. connectApiKey: secretKeyRef: {} diff --git a/charts/rstudio-workbench/Chart.lock b/charts/rstudio-workbench/Chart.lock index 5d8d42070..f3c02497d 100644 --- a/charts/rstudio-workbench/Chart.lock +++ b/charts/rstudio-workbench/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.31 -digest: sha256:2a0e98b8fa01730bf2db3816a7310462c921b9fa2f1f3c74f85fedede82e1593 -generated: "2024-11-01T10:20:55.670732-04:00" + version: 0.1.32 +digest: sha256:20df0ba6597d22499e27ca767a691fc32a96b24a6fd8c31c7826da7c5e5ffde1 +generated: "2025-05-15T13:54:13.406048402-06:00" diff --git a/charts/rstudio-workbench/Chart.yaml b/charts/rstudio-workbench/Chart.yaml index 3f0c0dad3..09db26b02 100644 --- a/charts/rstudio-workbench/Chart.yaml +++ b/charts/rstudio-workbench/Chart.yaml @@ -1,6 +1,6 @@ name: rstudio-workbench description: Official Helm chart for Posit Workbench -version: 0.9.1 +version: 0.9.2 apiVersion: v2 appVersion: 2025.05.0 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.31 + version: 0.1.32 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md index e62257464..4e1c1b6e9 100644 --- a/charts/rstudio-workbench/NEWS.md +++ b/charts/rstudio-workbench/NEWS.md @@ -1,5 +1,11 @@ # Changelog +## 0.9.2 + +- Bump `rstudio-library` chart version to `0.1.32`. +- Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default + and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. + ## 0.9.1 - Bump Workbench version to 2025.05.0 diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index a0d57fc3d..214a367f9 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl @@ -358,6 +358,45 @@ launcher: effect: "NoSchedule" ``` +## Chronicle Agent + +This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +If desired, audit logging can be mounted into the Chronicle agent container by setting the following values: +```yaml +pod: + # We will need to create a new volume to share audit logs between + # the rstudio (workbench) and chronicle-agent containers + volumes: + - name: logs + emptyDir: {} + volumeMounts: + - name: logs + mountPath: "/var/lib/rstudio-server/audit" +chronicleAgent: + enabled: true + volumeMounts: + - name: logs + mountPath: "/var/lib/rstudio-server/audit" +``` + +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index f8337506e..45a3364b5 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -97,9 +97,27 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} terminationGracePeriodSeconds: {{ .Values.pod.terminationGracePeriodSeconds }} - {{- if .Values.initContainers }} + {{- if or .Values.initContainers .Values.chronicleAgent.enabled }} initContainers: - {{- toYaml .Values.initContainers | nindent 8 }} + {{- if .Values.chronicleAgent.enabled }} + - name: chronicle-agent + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} + imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} + restartPolicy: Always + {{- with .Values.chronicleAgent.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} + env: + - name: CHRONICLE_SERVER_ADDRESS + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} + {{- with .Values.chronicleAgent.env }} + {{ toYaml . | indent 10 }} + {{- end }} + {{- end }} + {{- with .Values.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- /* this is where most important definition of containers takes place diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 6f54d35e3..e222fffa8 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -63,6 +63,30 @@ strategy: maxSurge: "100%" maxUnavailable: 0 +# -- Settings for the Chronicle Agent sidecar container +chronicleAgent: + # -- Whether to enable the Chronicle Agent sidecar container + enabled: false + # -- An array of maps that is injected as-is into the "env:" component of the container spec + env: [] + # -- An array of maps that is injected as-is into the "volumeMounts" component of the container spec + volumeMounts: [] + # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster + autoDiscovery: true + image: + # -- The registry to use for the Chronicle Agent image + registry: ghcr.io + # -- The repository to use for the Chronicle Agent image + repository: rstudio/chronicle-agent + # -- A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. + tag: "" + # -- The pull policy for the Chronicle Agent image + imagePullPolicy: IfNotPresent + # -- The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. + serverAddress: "" + # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. + serverNamespace: "" + launcher: # -- determines whether the launcher should be started in the container enabled: true From 2bc147574d758e67223354b11fa88408594b4923 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 15 May 2025 20:27:21 +0000 Subject: [PATCH 11/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 57 ++++++++++++++++++++++++++++-- charts/rstudio-workbench/README.md | 56 +++++++++++++++++++++++++++-- 2 files changed, 107 insertions(+), 6 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index eac7095bb..877515ff4 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -1,6 +1,6 @@ # Posit Connect -![Version: 0.7.25](https://img.shields.io/badge/Version-0.7.25-informational?style=flat-square) ![AppVersion: 2025.04.0](https://img.shields.io/badge/AppVersion-2025.04.0-informational?style=flat-square) +![Version: 0.7.27](https://img.shields.io/badge/Version-0.7.27-informational?style=flat-square) ![AppVersion: 2025.04.0](https://img.shields.io/badge/AppVersion-2025.04.0-informational?style=flat-square) #### _Official Helm chart for Posit Connect_ @@ -30,11 +30,11 @@ To ensure reproducibility in your environment and insulate yourself from future ## Installing the chart -To install the chart with the release name `my-release` at version 0.7.25: +To install the chart with the release name `my-release` at version 0.7.27: ```{.bash} helm repo add rstudio https://helm.rstudio.com -helm upgrade --install my-release rstudio/rstudio-connect --version=0.7.25 +helm upgrade --install my-release rstudio/rstudio-connect --version=0.7.27 ``` To explore other chart versions, look at: @@ -124,6 +124,45 @@ Alternatively, database passwords may be set during `helm install` with the foll `--set config.Postgres.Password=""` +## Chronicle Agent + +This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing +a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example +of how to set the API key using a secret: +```yaml +chronicleAgent: + enabled: true + connectApiKey: + secretKeyRef: + name: + key: +``` + +Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the +Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave +the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a +secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` +can be set and the chart can be upgraded to include the new value. + +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ## General principles - In most places, we opt to pass Helm values over configmaps. We translate these into the valid `.gcfg` file format @@ -148,6 +187,18 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | The pod's run arguments. By default, it uses the container's default | +| chronicleAgent | object | `{"autoDiscovery":true,"connectApiKey":{"secretKeyRef":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | +| chronicleAgent.connectApiKey | object | `{"secretKeyRef":{}}` | An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. | +| chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | +| chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | +| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle Agent image | +| chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | +| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | +| chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | +| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | +| chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | +| chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | | command | list | `[]` | The pod's run command. By default, it uses the container's default | | config | object | [Posit Connect Configuration Reference](https://docs.posit.co/connect/admin/appendix/off-host/helm-reference/) | A nested map of maps that generates the rstudio-connect.gcfg file | | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) | diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 0659cadb0..e156d98de 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -1,6 +1,6 @@ # Posit Workbench -![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![AppVersion: 2025.05.0](https://img.shields.io/badge/AppVersion-2025.05.0-informational?style=flat-square) +![Version: 0.9.2](https://img.shields.io/badge/Version-0.9.2-informational?style=flat-square) ![AppVersion: 2025.05.0](https://img.shields.io/badge/AppVersion-2025.05.0-informational?style=flat-square) #### _Official Helm chart for Posit Workbench_ @@ -24,11 +24,11 @@ To ensure a stable production deployment: ## Installing the chart -To install the chart with the release name `my-release` at version 0.9.1: +To install the chart with the release name `my-release` at version 0.9.2: ```{.bash} helm repo add rstudio https://helm.rstudio.com -helm upgrade --install my-release rstudio/rstudio-workbench --version=0.9.1 +helm upgrade --install my-release rstudio/rstudio-workbench --version=0.9.2 ``` To explore other chart versions, look at: @@ -413,6 +413,45 @@ launcher: effect: "NoSchedule" ``` +## Chronicle Agent + +This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. + +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: +```yaml +chronicleAgent: + enabled: true + serverAddress: + image: + tag: +``` + +If desired, audit logging can be mounted into the Chronicle agent container by setting the following values: +```yaml +pod: + # We will need to create a new volume to share audit logs between + # the rstudio (workbench) and chronicle-agent containers + volumes: + - name: logs + emptyDir: {} + volumeMounts: + - name: logs + mountPath: "/var/lib/rstudio-server/audit" +chronicleAgent: + enabled: true + volumeMounts: + - name: logs + mountPath: "/var/lib/rstudio-server/audit" +``` + +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. @@ -433,6 +472,17 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | args is the pod container's run arguments. | +| chronicleAgent | object | `{"autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | +| chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | +| chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | +| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle Agent image | +| chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | +| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | +| chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | +| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | +| chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | +| chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | | config.defaultMode.jobJsonOverrides | int | 0644 | default mode for jobJsonOverrides config | | config.defaultMode.pam | int | 0644 | default mode for pam scripts | From a15dfc70ddffc2f3dca01a3ebcbd60302f9afb04 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 11:52:43 -0600 Subject: [PATCH 12/50] Pass `.Release` to helper function for namespace search --- charts/rstudio-connect/templates/deployment.yaml | 4 ++-- charts/rstudio-workbench/templates/deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index c531d73a1..5abf86bb7 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -94,7 +94,7 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent - image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always {{- with .Values.chronicleAgent.volumeMounts }} @@ -103,7 +103,7 @@ spec: {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS - value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} {{- if .Values.chronicleAgent.connectApiKey.secretKeyRef }} - name: CONNECT_API_KEY valueFrom: diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index 45a3364b5..914ceb8f0 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -101,7 +101,7 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent - image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always {{- with .Values.chronicleAgent.volumeMounts }} @@ -110,7 +110,7 @@ spec: {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS - value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent) | quote }} + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} {{- with .Values.chronicleAgent.env }} {{ toYaml . | indent 10 }} {{- end }} From 30f18b0c499f51e554e397014245992f8fa0c412 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 13:16:35 -0600 Subject: [PATCH 13/50] Bump `rstudio-library` to 0.1.33 --- charts/rstudio-connect/Chart.lock | 6 +++--- charts/rstudio-connect/Chart.yaml | 2 +- charts/rstudio-workbench/Chart.lock | 6 +++--- charts/rstudio-workbench/Chart.yaml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/rstudio-connect/Chart.lock b/charts/rstudio-connect/Chart.lock index d6ae3c0c8..49d4717ec 100644 --- a/charts/rstudio-connect/Chart.lock +++ b/charts/rstudio-connect/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.32 -digest: sha256:20df0ba6597d22499e27ca767a691fc32a96b24a6fd8c31c7826da7c5e5ffde1 -generated: "2025-05-15T13:40:46.018874118-06:00" + version: 0.1.33 +digest: sha256:f893128f505388873b61617b0c8083dd5b24ac8ff4d21933040caaf129085b6b +generated: "2025-05-19T13:16:02.855932585-06:00" diff --git a/charts/rstudio-connect/Chart.yaml b/charts/rstudio-connect/Chart.yaml index b7b444df0..f4fc7f8ac 100644 --- a/charts/rstudio-connect/Chart.yaml +++ b/charts/rstudio-connect/Chart.yaml @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.32 + version: 0.1.33 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | diff --git a/charts/rstudio-workbench/Chart.lock b/charts/rstudio-workbench/Chart.lock index f3c02497d..63cab3674 100644 --- a/charts/rstudio-workbench/Chart.lock +++ b/charts/rstudio-workbench/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.32 -digest: sha256:20df0ba6597d22499e27ca767a691fc32a96b24a6fd8c31c7826da7c5e5ffde1 -generated: "2025-05-15T13:54:13.406048402-06:00" + version: 0.1.33 +digest: sha256:f893128f505388873b61617b0c8083dd5b24ac8ff4d21933040caaf129085b6b +generated: "2025-05-19T13:16:14.256953965-06:00" diff --git a/charts/rstudio-workbench/Chart.yaml b/charts/rstudio-workbench/Chart.yaml index 09db26b02..473036ec3 100644 --- a/charts/rstudio-workbench/Chart.yaml +++ b/charts/rstudio-workbench/Chart.yaml @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.32 + version: 0.1.33 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | From 2e47eb50604562e7cdd6df55404367cab464623e Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 14:18:46 -0600 Subject: [PATCH 14/50] Change secretKeyRef to valueFrom to be more widely accepting of inputs Add not recommended input of value --- charts/rstudio-connect/templates/deployment.yaml | 8 +++++--- charts/rstudio-connect/values.yaml | 5 ++++- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index 5abf86bb7..757224444 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -106,10 +106,12 @@ spec: value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} {{- if .Values.chronicleAgent.connectApiKey.secretKeyRef }} - name: CONNECT_API_KEY + {{- if .Values.chronicleAgent.connectApiKey.valueFrom }} valueFrom: - secretKeyRef: - {{ toYaml .Values.chronicleAgent.connectApiKey.secretKeyRef | indent 16 }} - {{- end }} +{{ toYaml .Values.chronicleAgent.connectApiKey.valueFrom | indent 14 }} + {{- else }} + value: {{ .Values.chronicleAgent.connectApiKey.value | quote }} + {{- end }} {{- with .Values.chronicleAgent.env }} {{ toYaml . | indent 10 }} {{- end }} diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index daf8aea3a..d6a0afaf9 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -286,7 +286,10 @@ chronicleAgent: serverNamespace: "" # -- An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. connectApiKey: - secretKeyRef: {} + # -- The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. + value: "" + # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. + valueFrom: {} launcher: # -- Whether to enable the launcher From 00d78301b1d5c6895de3d7ae362d47a5e3377b92 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Mon, 19 May 2025 14:19:03 -0600 Subject: [PATCH 15/50] Trim return values from helper functions --- charts/rstudio-connect/templates/deployment.yaml | 5 ++--- charts/rstudio-workbench/templates/deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index 757224444..d866726e0 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -94,7 +94,7 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent - image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always {{- with .Values.chronicleAgent.volumeMounts }} @@ -103,8 +103,7 @@ spec: {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS - value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} - {{- if .Values.chronicleAgent.connectApiKey.secretKeyRef }} + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} - name: CONNECT_API_KEY {{- if .Values.chronicleAgent.connectApiKey.valueFrom }} valueFrom: diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index 914ceb8f0..541750400 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -101,7 +101,7 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent - image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} + image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always {{- with .Values.chronicleAgent.volumeMounts }} @@ -110,7 +110,7 @@ spec: {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS - value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | quote }} + value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} {{- with .Values.chronicleAgent.env }} {{ toYaml . | indent 10 }} {{- end }} From c064f700f2faa078961083eae87545f532699efe Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 19 May 2025 20:19:59 +0000 Subject: [PATCH 16/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 877515ff4..7c9819d2f 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -187,9 +187,11 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | The pod's run arguments. By default, it uses the container's default | -| chronicleAgent | object | `{"autoDiscovery":true,"connectApiKey":{"secretKeyRef":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent | object | `{"autoDiscovery":true,"connectApiKey":{"value":"","valueFrom":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | -| chronicleAgent.connectApiKey | object | `{"secretKeyRef":{}}` | An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. | +| chronicleAgent.connectApiKey | object | `{"value":"","valueFrom":{}}` | An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. | +| chronicleAgent.connectApiKey.value | string | `""` | The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | +| chronicleAgent.connectApiKey.valueFrom | object | `{}` | The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. | | chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | | chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | | chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle Agent image | From b3a86f822f43f2b0de787a2a1f01c0916e4fc716 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 08:15:06 -0600 Subject: [PATCH 17/50] fix connect API key env var name --- charts/rstudio-connect/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index d866726e0..a72da1bf7 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -104,7 +104,7 @@ spec: env: - name: CHRONICLE_SERVER_ADDRESS value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} - - name: CONNECT_API_KEY + - name: CHRONICLE_CONNECT_APIKEY {{- if .Values.chronicleAgent.connectApiKey.valueFrom }} valueFrom: {{ toYaml .Values.chronicleAgent.connectApiKey.valueFrom | indent 14 }} From de492e7682e109dbc56a0d6750196c17bf479909 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:37:53 -0600 Subject: [PATCH 18/50] Update `rstudio-library` to 0.1.34 --- charts/rstudio-connect/Chart.lock | 6 +++--- charts/rstudio-connect/Chart.yaml | 2 +- charts/rstudio-workbench/Chart.lock | 6 +++--- charts/rstudio-workbench/Chart.yaml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/rstudio-connect/Chart.lock b/charts/rstudio-connect/Chart.lock index 49d4717ec..ae4373dd3 100644 --- a/charts/rstudio-connect/Chart.lock +++ b/charts/rstudio-connect/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.33 -digest: sha256:f893128f505388873b61617b0c8083dd5b24ac8ff4d21933040caaf129085b6b -generated: "2025-05-19T13:16:02.855932585-06:00" + version: 0.1.34 +digest: sha256:66324c3ca436a3743e6f7c3dd8e159d21fca4fd5072d4d8c2583bfafd8499d70 +generated: "2025-05-20T10:37:20.963885313-06:00" diff --git a/charts/rstudio-connect/Chart.yaml b/charts/rstudio-connect/Chart.yaml index f4fc7f8ac..6135bbc17 100644 --- a/charts/rstudio-connect/Chart.yaml +++ b/charts/rstudio-connect/Chart.yaml @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.33 + version: 0.1.34 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | diff --git a/charts/rstudio-workbench/Chart.lock b/charts/rstudio-workbench/Chart.lock index 63cab3674..1c6c3d7ca 100644 --- a/charts/rstudio-workbench/Chart.lock +++ b/charts/rstudio-workbench/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: rstudio-library repository: https://helm.rstudio.com - version: 0.1.33 -digest: sha256:f893128f505388873b61617b0c8083dd5b24ac8ff4d21933040caaf129085b6b -generated: "2025-05-19T13:16:14.256953965-06:00" + version: 0.1.34 +digest: sha256:66324c3ca436a3743e6f7c3dd8e159d21fca4fd5072d4d8c2583bfafd8499d70 +generated: "2025-05-20T10:37:32.909079863-06:00" diff --git a/charts/rstudio-workbench/Chart.yaml b/charts/rstudio-workbench/Chart.yaml index 473036ec3..ffe6c087a 100644 --- a/charts/rstudio-workbench/Chart.yaml +++ b/charts/rstudio-workbench/Chart.yaml @@ -13,7 +13,7 @@ maintainers: url: https://github.com/sol-eng dependencies: - name: rstudio-library - version: 0.1.33 + version: 0.1.34 repository: https://helm.rstudio.com annotations: artifacthub.io/images: | From f24a8e06eb57762d771111e3ee256cb67ffd0c4e Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:47:42 -0600 Subject: [PATCH 19/50] Update documentation --- charts/rstudio-connect/README.md.gotmpl | 27 ++++++++++++++++++++--- charts/rstudio-connect/values.yaml | 2 +- charts/rstudio-workbench/README.md.gotmpl | 27 +++++++++-------------- charts/rstudio-workbench/values.yaml | 2 +- 4 files changed, 37 insertions(+), 21 deletions(-) diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 2ea392ac4..900b65471 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -83,6 +83,26 @@ chronicleAgent: tag: ``` +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: +```yaml +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" + - name: CHRONICLE_CONNECT_APIKEY + valueFrom: + secretKeyRef: + name: connect + key: apikey +``` + +### Chronicle Connect API Key + In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example of how to set the API key using a secret: @@ -90,9 +110,10 @@ of how to set the API key using a secret: chronicleAgent: enabled: true connectApiKey: - secretKeyRef: - name: - key: + valueFrom: + secretKeyRef: + name: + key: ``` Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index d6a0afaf9..c9f54b8b0 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -280,7 +280,7 @@ chronicleAgent: tag: "" # -- The pull policy for the Chronicle Agent image imagePullPolicy: IfNotPresent - # -- The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. + # -- The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. serverAddress: "" # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. serverNamespace: "" diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index 214a367f9..2818f6c8f 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl @@ -377,25 +377,20 @@ chronicleAgent: tag: ``` -If desired, audit logging can be mounted into the Chronicle agent container by setting the following values: +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: ```yaml -pod: - # We will need to create a new volume to share audit logs between - # the rstudio (workbench) and chronicle-agent containers - volumes: - - name: logs - emptyDir: {} - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" -chronicleAgent: - enabled: true - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" ``` -For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). +For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). ## Sealed secrets diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index e222fffa8..3c866affa 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -82,7 +82,7 @@ chronicleAgent: tag: "" # -- The pull policy for the Chronicle Agent image imagePullPolicy: IfNotPresent - # -- The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. + # -- The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. serverAddress: "" # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. serverNamespace: "" From 61b1db60eec7addd9716f8404876398ae19c5d3c Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 20 May 2025 16:48:42 +0000 Subject: [PATCH 20/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 29 +++++++++++++++++++++++++---- charts/rstudio-workbench/README.md | 29 ++++++++++++----------------- 2 files changed, 37 insertions(+), 21 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 7c9819d2f..eec40e493 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -143,6 +143,26 @@ chronicleAgent: tag: ``` +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: +```yaml +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" + - name: CHRONICLE_CONNECT_APIKEY + valueFrom: + secretKeyRef: + name: connect + key: apikey +``` + +### Chronicle Connect API Key + In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example of how to set the API key using a secret: @@ -150,9 +170,10 @@ of how to set the API key using a secret: chronicleAgent: enabled: true connectApiKey: - secretKeyRef: - name: - key: + valueFrom: + secretKeyRef: + name: + key: ``` Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the @@ -198,7 +219,7 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c | chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | | chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | | chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | -| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | +| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | | chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | | chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | | command | list | `[]` | The pod's run command. By default, it uses the container's default | diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index e156d98de..181c7751f 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -432,25 +432,20 @@ chronicleAgent: tag: ``` -If desired, audit logging can be mounted into the Chronicle agent container by setting the following values: +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +(recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar +container using `initContainers`: ```yaml -pod: - # We will need to create a new volume to share audit logs between - # the rstudio (workbench) and chronicle-agent containers - volumes: - - name: logs - emptyDir: {} - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" -chronicleAgent: - enabled: true - volumeMounts: - - name: logs - mountPath: "/var/lib/rstudio-server/audit" +initContainers: + - name: chronicle-agent + restartPolicy: Always + image: ghcr.io/rstudio/chronicle-agent: + env: + - name: CHRONICLE_SERVER_ADDRESS + value: "http://
" ``` -For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). +For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). ## Sealed secrets @@ -480,7 +475,7 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables | chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | | chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | | chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | -| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | +| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | | chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | | chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | From 7216f2415739a63052d8c37bc160871914d366b0 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:49:21 -0600 Subject: [PATCH 21/50] Trigger CI From 63568f13c9da60c1e45fc81a7bc9e5a42c6365e2 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:59:17 -0600 Subject: [PATCH 22/50] Allow Workbench API key override in chronicleAgent values --- charts/rstudio-workbench/templates/deployment.yaml | 9 ++++++++- charts/rstudio-workbench/values.yaml | 5 +++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index 541750400..c5b537452 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -111,8 +111,15 @@ spec: env: - name: CHRONICLE_SERVER_ADDRESS value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + - name: CHRONICLE_WORKBENCH_APIKEY + {{- if .Values.chronicleAgent.workbenchApiKey.valueFrom }} + valueFrom: +{{ toYaml .Values.chronicleAgent.workbenchApiKey.valueFrom | indent 16 }} + {{- else }} + value: {{ .Values.chronicleAgent.workbenchApiKey.value | quote }} + {{- end }} {{- with .Values.chronicleAgent.env }} - {{ toYaml . | indent 10 }} + {{ toYaml . | indent 12 }} {{- end }} {{- end }} {{- with .Values.initContainers }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 3c866affa..e54d5f302 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -86,6 +86,11 @@ chronicleAgent: serverAddress: "" # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. serverNamespace: "" + workbenchApiKey: + # -- The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. + value: "" + # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. + valueFrom: {} launcher: # -- determines whether the launcher should be started in the container From 6400297dd94a310986ef03f7b8a949b01394bde7 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 20 May 2025 17:00:19 +0000 Subject: [PATCH 23/50] Update helm-docs and README.md --- charts/rstudio-workbench/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 181c7751f..498c205e2 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -467,7 +467,7 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | args is the pod container's run arguments. | -| chronicleAgent | object | `{"autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent | object | `{"autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[],"workbenchApiKey":{"value":"","valueFrom":{}}}` | Settings for the Chronicle Agent sidecar container | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | | chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | | chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | @@ -478,6 +478,8 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables | chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | | chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | | chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | +| chronicleAgent.workbenchApiKey.value | string | `""` | The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | +| chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. | | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | | config.defaultMode.jobJsonOverrides | int | 0644 | default mode for jobJsonOverrides config | | config.defaultMode.pam | int | 0644 | default mode for pam scripts | From be82731cdadeed8d37ff30a1e660e41cedf3e9b9 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:04:55 -0600 Subject: [PATCH 24/50] Fix workbenchApiKey docs --- charts/rstudio-connect/README.md.gotmpl | 4 ++-- charts/rstudio-workbench/README.md.gotmpl | 14 ++++++++++++++ charts/rstudio-workbench/values.yaml | 5 +++-- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 900b65471..5beee9c0a 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -101,6 +101,8 @@ initContainers: key: apikey ``` +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ### Chronicle Connect API Key In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing @@ -122,8 +124,6 @@ the API key unset for the Chronicle agent, deploy the chart, create an administr secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` can be set and the chart can be upgraded to include the new value. -For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). - ## General principles - In most places, we opt to pass Helm values over configmaps. We translate these into the valid `.gcfg` file format diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index 2818f6c8f..69f187684 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl @@ -392,6 +392,20 @@ initContainers: For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). +### Chronicle Workbench API Key + +In most cases where the Chronicle agent is deployed as a sidecar to Workbench, the agent can provision its own API key. +However, if desired the API key can be set manually by setting the following values: +```yaml +chronicleAgent: + enabled: true + workbenchApiKey: + valueFrom: + secretKeyRef: + name: + key: +``` + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index e54d5f302..eb143b4a1 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -86,10 +86,11 @@ chronicleAgent: serverAddress: "" # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. serverNamespace: "" + # OPTIONAL -- Workbench API Key overrides. The Chronicle Agent is capable of acquiring an API key from Workbench at the time of deployment in most cases. workbenchApiKey: - # -- The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. + # -- The verbatim value for the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. value: "" - # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. + # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. valueFrom: {} launcher: From ee0f5d745b4ffa59e2c9c9996f802c298ce45a2e Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 20 May 2025 17:06:11 +0000 Subject: [PATCH 25/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 4 ++-- charts/rstudio-workbench/README.md | 18 ++++++++++++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index eec40e493..54740a6d9 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -161,6 +161,8 @@ initContainers: key: apikey ``` +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ### Chronicle Connect API Key In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing @@ -182,8 +184,6 @@ the API key unset for the Chronicle agent, deploy the chart, create an administr secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` can be set and the chart can be upgraded to include the new value. -For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). - ## General principles - In most places, we opt to pass Helm values over configmaps. We translate these into the valid `.gcfg` file format diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 498c205e2..d919be60b 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -447,6 +447,20 @@ initContainers: For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). +### Chronicle Workbench API Key + +In most cases where the Chronicle agent is deployed as a sidecar to Workbench, the agent can provision its own API key. +However, if desired the API key can be set manually by setting the following values: +```yaml +chronicleAgent: + enabled: true + workbenchApiKey: + valueFrom: + secretKeyRef: + name: + key: +``` + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. @@ -478,8 +492,8 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables | chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | | chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | | chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | -| chronicleAgent.workbenchApiKey.value | string | `""` | The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | -| chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. | +| chronicleAgent.workbenchApiKey.value | string | `""` | The verbatim value for the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | +| chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | The verbatim input for valueFrom to use to retrieve the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. | | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | | config.defaultMode.jobJsonOverrides | int | 0644 | default mode for jobJsonOverrides config | | config.defaultMode.pam | int | 0644 | default mode for pam scripts | From 6839f8024e6a4c7f4eb628bb76196883d3a58a8c Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:06:40 -0600 Subject: [PATCH 26/50] Trigger CI From b131c9d592065bea2b17fbe23be891deec6af701 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:45:58 -0600 Subject: [PATCH 27/50] Fix Workbench API key docs --- charts/rstudio-workbench/README.md.gotmpl | 12 ++++++++++-- charts/rstudio-workbench/values.yaml | 1 - 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index 69f187684..a425e7706 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl @@ -394,8 +394,13 @@ For more information on Posit Chronicle, see the [Chronicle documentation](https ### Chronicle Workbench API Key -In most cases where the Chronicle agent is deployed as a sidecar to Workbench, the agent can provision its own API key. -However, if desired the API key can be set manually by setting the following values: +> [!WARNING] +> The Workbench API is currently in preview. See +> [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more +> information. + +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must +provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: ```yaml chronicleAgent: enabled: true @@ -406,6 +411,9 @@ chronicleAgent: key: ``` +For additional information on enabling the API and generating API keys, see +[the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html). + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index eb143b4a1..48058f50a 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -86,7 +86,6 @@ chronicleAgent: serverAddress: "" # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. serverNamespace: "" - # OPTIONAL -- Workbench API Key overrides. The Chronicle Agent is capable of acquiring an API key from Workbench at the time of deployment in most cases. workbenchApiKey: # -- The verbatim value for the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. value: "" From 751f74e199f3ca63cc0e7bf95de6af5931a92b68 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 20 May 2025 17:46:58 +0000 Subject: [PATCH 28/50] Update helm-docs and README.md --- charts/rstudio-workbench/README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index d919be60b..5f398249a 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -449,8 +449,13 @@ For more information on Posit Chronicle, see the [Chronicle documentation](https ### Chronicle Workbench API Key -In most cases where the Chronicle agent is deployed as a sidecar to Workbench, the agent can provision its own API key. -However, if desired the API key can be set manually by setting the following values: +> [!WARNING] +> The Workbench API is currently in preview. See +> [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more +> information. + +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must +provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: ```yaml chronicleAgent: enabled: true @@ -461,6 +466,9 @@ chronicleAgent: key: ``` +For additional information on enabling the API and generating API keys, see +[the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html). + ## Sealed secrets This chart supports the use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) to allow for storing secrets in SCM and to ensure secrets are never leaked via Helm. The target cluster must include a `SealedSecret` controller as the controller is responsible for converting a `SealedSecret` to a `Secret`. From 4956a154df7977b8c98ac8e14a3a7dc1766b7bcc Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Tue, 20 May 2025 14:50:23 -0500 Subject: [PATCH 29/50] Update workbench/connect NEWS --- charts/rstudio-connect/NEWS.md | 2 +- charts/rstudio-workbench/NEWS.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/NEWS.md b/charts/rstudio-connect/NEWS.md index e4bcd6428..6cf6c8b56 100644 --- a/charts/rstudio-connect/NEWS.md +++ b/charts/rstudio-connect/NEWS.md @@ -2,7 +2,7 @@ ## 0.7.26 -- Bump `rstudio-library` chart version to `0.1.32`. +- Bump `rstudio-library` chart version to `0.1.34`. - Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md index 4e1c1b6e9..6d3df2316 100644 --- a/charts/rstudio-workbench/NEWS.md +++ b/charts/rstudio-workbench/NEWS.md @@ -2,7 +2,7 @@ ## 0.9.2 -- Bump `rstudio-library` chart version to `0.1.32`. +- Bump `rstudio-library` chart version to `0.1.34`. - Adds a shortcut resource deployment for Chronicle Agent via `chronicleAgent.enabled`. The value is disabled by default and does not affect existing deployments that use `sidecar` or `initContainer` to deploy the Chronicle Agent. From 63eb74230227a509919c8f07f16f9d4afa75233f Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Wed, 21 May 2025 09:07:57 -0500 Subject: [PATCH 30/50] Fix chart version for connect --- charts/rstudio-connect/Chart.yaml | 2 +- charts/rstudio-connect/README.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-connect/Chart.yaml b/charts/rstudio-connect/Chart.yaml index 6135bbc17..80fe157d8 100644 --- a/charts/rstudio-connect/Chart.yaml +++ b/charts/rstudio-connect/Chart.yaml @@ -1,6 +1,6 @@ name: rstudio-connect description: Official Helm chart for Posit Connect -version: 0.7.27 +version: 0.7.26 apiVersion: v2 appVersion: 2025.04.0 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 54740a6d9..0f7672456 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -1,6 +1,6 @@ # Posit Connect -![Version: 0.7.27](https://img.shields.io/badge/Version-0.7.27-informational?style=flat-square) ![AppVersion: 2025.04.0](https://img.shields.io/badge/AppVersion-2025.04.0-informational?style=flat-square) +![Version: 0.7.26](https://img.shields.io/badge/Version-0.7.26-informational?style=flat-square) ![AppVersion: 2025.04.0](https://img.shields.io/badge/AppVersion-2025.04.0-informational?style=flat-square) #### _Official Helm chart for Posit Connect_ @@ -30,11 +30,11 @@ To ensure reproducibility in your environment and insulate yourself from future ## Installing the chart -To install the chart with the release name `my-release` at version 0.7.27: +To install the chart with the release name `my-release` at version 0.7.26: ```{.bash} helm repo add rstudio https://helm.rstudio.com -helm upgrade --install my-release rstudio/rstudio-connect --version=0.7.27 +helm upgrade --install my-release rstudio/rstudio-connect --version=0.7.26 ``` To explore other chart versions, look at: From 28f7400c239e3277f148e6371cfc419e68995f9e Mon Sep 17 00:00:00 2001 From: "Benjamin R. J. Schwedler" Date: Wed, 21 May 2025 09:37:32 -0500 Subject: [PATCH 31/50] Change `chart` to `release` when refering to existing install --- charts/rstudio-connect/README.md | 2 +- charts/rstudio-connect/README.md.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 0f7672456..db287a6c7 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -182,7 +182,7 @@ Due to the way Connect manages its API keys, it is currently not possible to pro Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` -can be set and the chart can be upgraded to include the new value. +can be set and the release can be upgraded to include the new value. ## General principles diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 5beee9c0a..05da50daf 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -122,7 +122,7 @@ Due to the way Connect manages its API keys, it is currently not possible to pro Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` -can be set and the chart can be upgraded to include the new value. +can be set and the release can be upgraded to include the new value. ## General principles From 2a3bf0be1d0bdaff0038efc40f85ff4aa47bf0d4 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 10:49:21 -0600 Subject: [PATCH 32/50] Trigger CI From 2ba2c0443d0dd81bd37103f1364ce8200b262eaf Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 20 May 2025 11:06:40 -0600 Subject: [PATCH 33/50] Trigger CI From 2e24e89f9e416e4af89e7acc88e810af1c8f7ec6 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 21 May 2025 11:30:54 -0600 Subject: [PATCH 34/50] Add securityContext for Chronicle agent container with expectation of non-root and unprivileged execution --- charts/rstudio-connect/templates/deployment.yaml | 4 ++++ charts/rstudio-connect/values.yaml | 4 ++++ charts/rstudio-workbench/templates/deployment.yaml | 4 ++++ charts/rstudio-workbench/values.yaml | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index a72da1bf7..a5ea0b0af 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -101,6 +101,10 @@ spec: volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.chronicleAgent.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index c9f54b8b0..c413dcac3 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -269,6 +269,10 @@ chronicleAgent: env: [] # -- An array of maps that is injected as-is into the "volumeMounts" component of the container spec volumeMounts: [] + # -- A verbatim securityContext to apply to the Chronicle Agent container + securityContext: + privileged: false + runAsNonRoot: true # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster autoDiscovery: true image: diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index c5b537452..d7634b8b4 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -108,6 +108,10 @@ spec: volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.chronicleAgent.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} env: - name: CHRONICLE_SERVER_ADDRESS value: {{ include "rstudio-library.chronicle-agent.serverAddress" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 48058f50a..37dee569c 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -71,6 +71,10 @@ chronicleAgent: env: [] # -- An array of maps that is injected as-is into the "volumeMounts" component of the container spec volumeMounts: [] + # -- A verbatim securityContext to apply to the Chronicle Agent container + securityContext: + privileged: false + runAsNonRoot: true # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster autoDiscovery: true image: From 34cef1ab5d1847ae9b616de147257eff6289c759 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 21 May 2025 17:31:54 +0000 Subject: [PATCH 35/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 3 ++- charts/rstudio-workbench/README.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index db287a6c7..8dd958a74 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -208,7 +208,7 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | The pod's run arguments. By default, it uses the container's default | -| chronicleAgent | object | `{"autoDiscovery":true,"connectApiKey":{"value":"","valueFrom":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent | object | `{"autoDiscovery":true,"connectApiKey":{"value":"","valueFrom":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | | chronicleAgent.connectApiKey | object | `{"value":"","valueFrom":{}}` | An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. | | chronicleAgent.connectApiKey.value | string | `""` | The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | @@ -219,6 +219,7 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c | chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | | chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | | chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | +| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | A verbatim securityContext to apply to the Chronicle Agent container | | chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | | chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | | chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 5f398249a..626d86e45 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -489,7 +489,7 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | args is the pod container's run arguments. | -| chronicleAgent | object | `{"autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"serverAddress":"","serverNamespace":"","volumeMounts":[],"workbenchApiKey":{"value":"","valueFrom":{}}}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent | object | `{"autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[],"workbenchApiKey":{"value":"","valueFrom":{}}}` | Settings for the Chronicle Agent sidecar container | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | | chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | | chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | @@ -497,6 +497,7 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables | chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | | chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | | chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | +| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | A verbatim securityContext to apply to the Chronicle Agent container | | chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | | chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | | chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | From 9717d343fd3736409d84fae31af342f33b722241 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 21 May 2025 11:55:10 -0600 Subject: [PATCH 36/50] Trigger CI From a147d408707c373cea9faaa51159e2d352e9fecb Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 21 May 2025 14:45:03 -0600 Subject: [PATCH 37/50] Add `chronicleAgent.agentEnvironment` value and set `CHRONICLE_AGENT_ENVIRONMENT` if it is defined --- charts/rstudio-connect/templates/deployment.yaml | 4 ++++ charts/rstudio-connect/values.yaml | 6 ++++-- charts/rstudio-workbench/templates/deployment.yaml | 4 ++++ charts/rstudio-workbench/values.yaml | 2 ++ 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index a5ea0b0af..f791ea172 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -115,6 +115,10 @@ spec: {{- else }} value: {{ .Values.chronicleAgent.connectApiKey.value | quote }} {{- end }} + {{- with .Values.chronicleAgent.agentEnvironment }} + - name: CHRONICLE_AGENT_ENVIRONMENT + value: {{ . | quote }} + {{- end }} {{- with .Values.chronicleAgent.env }} {{ toYaml . | indent 10 }} {{- end }} diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index c413dcac3..854ad7b72 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -273,8 +273,6 @@ chronicleAgent: securityContext: privileged: false runAsNonRoot: true - # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster - autoDiscovery: true image: # -- The registry to use for the Chronicle Agent image registry: ghcr.io @@ -284,6 +282,8 @@ chronicleAgent: tag: "" # -- The pull policy for the Chronicle Agent image imagePullPolicy: IfNotPresent + # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster + autoDiscovery: true # -- The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. serverAddress: "" # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. @@ -294,6 +294,8 @@ chronicleAgent: value: "" # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. valueFrom: {} + # -- An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. + agentEnvironment: "" launcher: # -- Whether to enable the launcher diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index d7634b8b4..a6b23bff3 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -122,6 +122,10 @@ spec: {{- else }} value: {{ .Values.chronicleAgent.workbenchApiKey.value | quote }} {{- end }} + {{- with .Values.chronicleAgent.agentEnvironment }} + - name: CHRONICLE_AGENT_ENVIRONMENT + value: {{ . | quote }} + {{- end }} {{- with .Values.chronicleAgent.env }} {{ toYaml . | indent 12 }} {{- end }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 37dee569c..9acbc1330 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -95,6 +95,8 @@ chronicleAgent: value: "" # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. valueFrom: {} + # -- An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. + agentEnvironment: "" launcher: # -- determines whether the launcher should be started in the container From 6c8c3d9f517ccb322c9f087cb3a2e9d6f2488b87 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 21 May 2025 20:46:03 +0000 Subject: [PATCH 38/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 3 ++- charts/rstudio-workbench/README.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 8dd958a74..61cae7e90 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -208,7 +208,8 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | The pod's run arguments. By default, it uses the container's default | -| chronicleAgent | object | `{"autoDiscovery":true,"connectApiKey":{"value":"","valueFrom":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent | object | `{"agentEnvironment":"","autoDiscovery":true,"connectApiKey":{"value":"","valueFrom":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | | chronicleAgent.connectApiKey | object | `{"value":"","valueFrom":{}}` | An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. | | chronicleAgent.connectApiKey.value | string | `""` | The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 626d86e45..97af976af 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -489,7 +489,8 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | args is the pod container's run arguments. | -| chronicleAgent | object | `{"autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[],"workbenchApiKey":{"value":"","valueFrom":{}}}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent | object | `{"agentEnvironment":"","autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[],"workbenchApiKey":{"value":"","valueFrom":{}}}` | Settings for the Chronicle Agent sidecar container | +| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | | chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | | chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | From f58360228a5f35abc0bc96c87f938bbd0ed1db0d Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 21 May 2025 14:47:33 -0600 Subject: [PATCH 39/50] Trigger CI From 6a69baadce2494afa502b09247f681318413c75d Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 23 May 2025 13:22:09 -0600 Subject: [PATCH 40/50] Improvements and fixes to values and documentation --- .../rstudio-connect/templates/deployment.yaml | 4 ++ charts/rstudio-connect/values.yaml | 39 ++++++++++------- .../templates/deployment.yaml | 4 ++ charts/rstudio-workbench/values.yaml | 43 ++++++++++++------- 4 files changed, 59 insertions(+), 31 deletions(-) diff --git a/charts/rstudio-connect/templates/deployment.yaml b/charts/rstudio-connect/templates/deployment.yaml index f791ea172..1e88a39cc 100644 --- a/charts/rstudio-connect/templates/deployment.yaml +++ b/charts/rstudio-connect/templates/deployment.yaml @@ -94,7 +94,11 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent + {{- if .Values.chronicleAgent.image.sha }} + image: {{ printf "%s@sha256:%s" (include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim) .Values.chronicleAgent.image.sha }} + {{- else }} image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + {{- end }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always {{- with .Values.chronicleAgent.volumeMounts }} diff --git a/charts/rstudio-connect/values.yaml b/charts/rstudio-connect/values.yaml index 854ad7b72..963ea0eae 100644 --- a/charts/rstudio-connect/values.yaml +++ b/charts/rstudio-connect/values.yaml @@ -261,40 +261,49 @@ ingress: # hosts: # - chart-example.local -# -- Settings for the Chronicle Agent sidecar container +# Settings for the Chronicle Agent sidecar container chronicleAgent: - # -- Whether to enable the Chronicle Agent sidecar container + # -- Creates a Chronicle agent sidecar container in the pod if true enabled: false - # -- An array of maps that is injected as-is into the "env:" component of the container spec + # -- Additional environment variables to set on the Chronicle agent container `env` env: [] - # -- An array of maps that is injected as-is into the "volumeMounts" component of the container spec + # -- Verbatim volumeMounts to attach to the Chronicle agent container volumeMounts: [] - # -- A verbatim securityContext to apply to the Chronicle Agent container + # -- The container-level security context for the Chronicle agent container securityContext: privileged: false runAsNonRoot: true image: - # -- The registry to use for the Chronicle Agent image + # -- The Chronicle agent image registry registry: ghcr.io - # -- The repository to use for the Chronicle Agent image + # -- The Chronicle agent image repository repository: rstudio/chronicle-agent - # -- A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. + # -- The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if + # `chronicleAgent.autoDiscovery=false` tag: "" - # -- The pull policy for the Chronicle Agent image + # -- The Chronicle agent image digest + sha: "" + # -- The pull policy for the Chronicle agent image imagePullPolicy: IfNotPresent # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster autoDiscovery: true - # -- The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. + # -- Address for the Chronicle server including the protocol (ex. "http://address"), defaults to auto-discovered + # Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` serverAddress: "" - # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. + # -- Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if + # `chronicleAgent.autoDiscovery=false` serverNamespace: "" - # -- An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. + # -- An Administrator permissions API key generated in Connect for the Chronicle agent to use, API keys can only be + # created after Connect has been deployed so this value may need to be filled in later if performing an initial + # deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) connectApiKey: - # -- The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. + # -- Connect API key as a raw string to set as the `CHRONICLE_CONNECT_APIKEY` environment variable (not recommended) value: "" - # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. + # -- Connect API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the + # `CHRONICLE_CONNECT_APIKEY` environment variable (recommended) valueFrom: {} - # -- An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. + # -- An environment tag to apply to all metrics reported by this agent + # ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) agentEnvironment: "" launcher: diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index a6b23bff3..e799f473d 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -101,7 +101,11 @@ spec: initContainers: {{- if .Values.chronicleAgent.enabled }} - name: chronicle-agent + {{- if .Values.chronicleAgent.image.sha }} + image: {{ printf "%s@sha256:%s" (include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim) .Values.chronicleAgent.image.sha }} + {{- else }} image: {{ include "rstudio-library.chronicle-agent.image" (dict "chronicleAgent" .Values.chronicleAgent "Release" .Release) | trim | quote }} + {{- end }} imagePullPolicy: {{ .Values.chronicleAgent.image.imagePullPolicy }} restartPolicy: Always {{- with .Values.chronicleAgent.volumeMounts }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 9acbc1330..353925177 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -63,39 +63,50 @@ strategy: maxSurge: "100%" maxUnavailable: 0 -# -- Settings for the Chronicle Agent sidecar container +# Settings for the Chronicle Agent sidecar container chronicleAgent: - # -- Whether to enable the Chronicle Agent sidecar container + # -- Creates a Chronicle agent sidecar container in the pod if true enabled: false - # -- An array of maps that is injected as-is into the "env:" component of the container spec + # -- Additional environment variables to set on the Chronicle agent container `env` env: [] - # -- An array of maps that is injected as-is into the "volumeMounts" component of the container spec + # -- Verbatim volumeMounts to attach to the Chronicle agent container volumeMounts: [] - # -- A verbatim securityContext to apply to the Chronicle Agent container + # -- The container-level security context for the Chronicle agent container securityContext: privileged: false runAsNonRoot: true - # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster - autoDiscovery: true image: - # -- The registry to use for the Chronicle Agent image + # -- The Chronicle agent image registry registry: ghcr.io - # -- The repository to use for the Chronicle Agent image + # -- The Chronicle agent image repository repository: rstudio/chronicle-agent - # -- A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. + # -- The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if + # `chronicleAgent.autoDiscovery=false` tag: "" - # -- The pull policy for the Chronicle Agent image + # -- The Chronicle agent image digest + sha: "" + # -- The pull policy for the Chronicle agent image imagePullPolicy: IfNotPresent - # -- The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. + # -- If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster + autoDiscovery: true + # -- Address for the Chronicle server including the protocol (ex. "http://address"), defaults to auto-discovered + # Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` serverAddress: "" - # -- The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. + # -- Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if + # `chronicleAgent.autoDiscovery=false` serverNamespace: "" + # -- A read-only administrator permissions API key generated for Workbench for the Chronicle agent to use, API keys + # can only be created after Workbench has been deployed so this value may need to be filled in later if performing + # an initial deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) workbenchApiKey: - # -- The verbatim value for the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. + # -- Workbench API key as a raw string to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable + # (not recommended) value: "" - # -- The verbatim input for valueFrom to use to retrieve the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. + # -- Workbench API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the + # `CHRONICLE_WORKBENCH_APIKEY` environment variable (recommended) valueFrom: {} - # -- An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. + # -- An environment tag to apply to all metrics reported by this agent + # ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) agentEnvironment: "" launcher: From a26fdc484387423a3b866ae8f1b3fa90887522b4 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 23 May 2025 19:23:02 +0000 Subject: [PATCH 41/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 30 +++++++++++++++--------------- charts/rstudio-workbench/README.md | 29 +++++++++++++++-------------- 2 files changed, 30 insertions(+), 29 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 61cae7e90..91ec53716 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -208,22 +208,22 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | The pod's run arguments. By default, it uses the container's default | -| chronicleAgent | object | `{"agentEnvironment":"","autoDiscovery":true,"connectApiKey":{"value":"","valueFrom":{}},"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[]}` | Settings for the Chronicle Agent sidecar container | -| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. | +| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | -| chronicleAgent.connectApiKey | object | `{"value":"","valueFrom":{}}` | An API key generated in Connect that can be used for the Chronicle Agent to authenticate with the Connect server for metrics. This generally must be set after the initial deployment of the Connect pod. | -| chronicleAgent.connectApiKey.value | string | `""` | The verbatim value for the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | -| chronicleAgent.connectApiKey.valueFrom | object | `{}` | The verbatim input for valueFrom to use to retrieve the API Key used in the CONNECT_API_KEY environment variable passed to the Chronicle Agent. | -| chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | -| chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | -| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle Agent image | -| chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | -| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | -| chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | -| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | A verbatim securityContext to apply to the Chronicle Agent container | -| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | -| chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | -| chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | +| chronicleAgent.connectApiKey | object | `{"value":"","valueFrom":{}}` | An Administrator permissions API key generated in Connect for the Chronicle agent to use, API keys can only be created after Connect has been deployed so this value may need to be filled in later if performing an initial deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) | +| chronicleAgent.connectApiKey.value | string | `""` | Connect API key as a raw string to set as the `CHRONICLE_CONNECT_APIKEY` environment variable (not recommended) | +| chronicleAgent.connectApiKey.valueFrom | object | `{}` | Connect API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the `CHRONICLE_CONNECT_APIKEY` environment variable (recommended) | +| chronicleAgent.enabled | bool | `false` | Creates a Chronicle agent sidecar container in the pod if true | +| chronicleAgent.env | list | `[]` | Additional environment variables to set on the Chronicle agent container `env` | +| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle agent image | +| chronicleAgent.image.registry | string | `"ghcr.io"` | The Chronicle agent image registry | +| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The Chronicle agent image repository | +| chronicleAgent.image.sha | string | `""` | The Chronicle agent image digest | +| chronicleAgent.image.tag | string | `""` | The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | The container-level security context for the Chronicle agent container | +| chronicleAgent.serverAddress | string | `""` | Address for the Chronicle server including the protocol (ex. "http://address"), defaults to auto-discovered Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.serverNamespace | string | `""` | Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.volumeMounts | list | `[]` | Verbatim volumeMounts to attach to the Chronicle agent container | | command | list | `[]` | The pod's run command. By default, it uses the container's default | | config | object | [Posit Connect Configuration Reference](https://docs.posit.co/connect/admin/appendix/off-host/helm-reference/) | A nested map of maps that generates the rstudio-connect.gcfg file | | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) | diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 97af976af..babcc3ceb 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -489,21 +489,22 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables |-----|------|---------|-------------| | affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | | args | list | `[]` | args is the pod container's run arguments. | -| chronicleAgent | object | `{"agentEnvironment":"","autoDiscovery":true,"enabled":false,"env":[],"image":{"imagePullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"rstudio/chronicle-agent","tag":""},"securityContext":{"privileged":false,"runAsNonRoot":true},"serverAddress":"","serverNamespace":"","volumeMounts":[],"workbenchApiKey":{"value":"","valueFrom":{}}}` | Settings for the Chronicle Agent sidecar container | -| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent. This can be used to identify the source of the metrics in Chronicle in cases where multiple distinct servers or clusters may be present. | +| chronicleAgent.agentEnvironment | string | `""` | An environment tag to apply to all metrics reported by this agent ([reference](https://docs.posit.co/chronicle/appendix/library/advanced-agent.html#environment)) | | chronicleAgent.autoDiscovery | bool | `true` | If true, the chart will attempt to lookup the Chronicle Server address and version in the cluster | -| chronicleAgent.enabled | bool | `false` | Whether to enable the Chronicle Agent sidecar container | -| chronicleAgent.env | list | `[]` | An array of maps that is injected as-is into the "env:" component of the container spec | -| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle Agent image | -| chronicleAgent.image.registry | string | `"ghcr.io"` | The registry to use for the Chronicle Agent image | -| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The repository to use for the Chronicle Agent image | -| chronicleAgent.image.tag | string | `""` | A tag to use for the Chronicle Agent image. If not set, the chart will attempt to look up the version of the deployed Chronicle server in the current namespace. | -| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | A verbatim securityContext to apply to the Chronicle Agent container | -| chronicleAgent.serverAddress | string | `""` | The address for the Chronicle server including the protocol (ex. "http://address"). If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace or the serverNamespace if provided. | -| chronicleAgent.serverNamespace | string | `""` | The namespace for the Chronicle server. If not set, the chart will attempt to look up the address of the Chronicle Server in the release namespace. | -| chronicleAgent.volumeMounts | list | `[]` | An array of maps that is injected as-is into the "volumeMounts" component of the container spec | -| chronicleAgent.workbenchApiKey.value | string | `""` | The verbatim value for the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. It is recommended to reference a secret with valueFrom instead of this. | -| chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | The verbatim input for valueFrom to use to retrieve the API Key used in the CHRONICLE_WORKBENCH_APIKEY environment variable passed to the Chronicle Agent. | +| chronicleAgent.enabled | bool | `false` | Creates a Chronicle agent sidecar container in the pod if true | +| chronicleAgent.env | list | `[]` | Additional environment variables to set on the Chronicle agent container `env` | +| chronicleAgent.image.imagePullPolicy | string | `"IfNotPresent"` | The pull policy for the Chronicle agent image | +| chronicleAgent.image.registry | string | `"ghcr.io"` | The Chronicle agent image registry | +| chronicleAgent.image.repository | string | `"rstudio/chronicle-agent"` | The Chronicle agent image repository | +| chronicleAgent.image.sha | string | `""` | The Chronicle agent image digest | +| chronicleAgent.image.tag | string | `""` | The Chronicle agent image tag, defaults to using the auto-discovered Chronicle server version or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.securityContext | object | `{"privileged":false,"runAsNonRoot":true}` | The container-level security context for the Chronicle agent container | +| chronicleAgent.serverAddress | string | `""` | Address for the Chronicle server including the protocol (ex. "http://address"), defaults to auto-discovered Chronicle server in the given namespace or is required if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.serverNamespace | string | `""` | Namespace to search for the Chronicle server when `chronicleAgent.autoDiscovery=true`, has no effect if `chronicleAgent.autoDiscovery=false` | +| chronicleAgent.volumeMounts | list | `[]` | Verbatim volumeMounts to attach to the Chronicle agent container | +| chronicleAgent.workbenchApiKey | object | `{"value":"","valueFrom":{}}` | A read-only administrator permissions API key generated for Workbench for the Chronicle agent to use, API keys can only be created after Workbench has been deployed so this value may need to be filled in later if performing an initial deployment ([reference](https://docs.posit.co/connect/user/api-keys/#api-keys-creating)) | +| chronicleAgent.workbenchApiKey.value | string | `""` | Workbench API key as a raw string to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable (not recommended) | +| chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | Workbench API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable (recommended) | | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | | config.defaultMode.jobJsonOverrides | int | 0644 | default mode for jobJsonOverrides config | | config.defaultMode.pam | int | 0644 | default mode for pam scripts | From 164b838bbe46dd2e2c69189f7467afefaca6516e Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 23 May 2025 14:25:15 -0600 Subject: [PATCH 42/50] Improvements and fixes to the README agent sections --- charts/rstudio-connect/README.md | 35 +++++++++++++++--------------- charts/rstudio-workbench/README.md | 29 +++++++++++++++---------- 2 files changed, 36 insertions(+), 28 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 91ec53716..e0ec5b823 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -126,15 +126,18 @@ Alternatively, database passwords may be set during `helm install` with the foll ## Chronicle Agent -This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled -by setting `chronicleAgent.enabled=true`. +This section details how to deploy and configure a Chronicle agent instance alongside Workbench. For more information on +Posit Chronicle in general, see the [Posit Chronicle documentation](https://docs.posit.co/chronicle/). -By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the -Chronicle agent's server value to the server's service name and will use an agent version to match the server version. -This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. +This chart supports use of a sidecar Chronicle agent to capture and report metrics to a Chronicle server. The agent can +be enabled by setting `chronicleAgent.enabled=true`. -To set the server address and/or version manually, set the following values: +By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The +lookup namespace can be changed by providing `chronicleAgent.serverNamespace`. If a server is found, the +Chronicle agent's `chronicleAgent.serverAddress` value is set to the server's internal service address and the +`chronicleAgent.image.tag` is set to the server's version. This auto-discovery behavior can be disabled by setting +`chronicleAgent.autoDiscovery=false` or by manually providing the `chronicleAgent.serverAddress` and +`chronicleAgent.image.tag` values. Below is an example where these values are set manually: ```yaml chronicleAgent: enabled: true @@ -161,13 +164,10 @@ initContainers: key: apikey ``` -For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). - ### Chronicle Connect API Key -In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing -a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example -of how to set the API key using a secret: +In order to get full metrics reporting with Connect, the Chronicle agent must be provided an API key with Administrator +permissions. Below is an example of how to provide the API key to the Chronicle Agent using a Kubernetes Secret: ```yaml chronicleAgent: enabled: true @@ -178,11 +178,12 @@ chronicleAgent: key: ``` -Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the -Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave -the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a -secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` -can be set and the release can be upgraded to include the new value. +Connect API keys must be generated using an administrator account in the Connect UI after initial deployment. +`chronicleAgent.connectApiKey` can be updated after the initial installation of the chart with corresponding values +or references to a generated API key. + +For additional information on generating API keys, see the +[Posit Connect API documentation](https://docs.posit.co/connect/user/api-keys/#api-keys-creating). ## General principles diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index babcc3ceb..32e43869f 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -415,15 +415,19 @@ launcher: ## Chronicle Agent -This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled -by setting `chronicleAgent.enabled=true`. +This section details how to deploy and configure a Chronicle agent instance alongside Workbench. For more information on +Posit Chronicle in general, see the [Posit Chronicle documentation](https://docs.posit.co/chronicle/). + +This chart supports use of a sidecar Chronicle agent to capture and report metrics to a Chronicle server. The agent can +be enabled by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the -Chronicle agent's server value to the server's service name and will use an agent version to match the server version. -This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. +lookup namespace can be changed by providing `chronicleAgent.serverNamespace`. If a server is found, the +Chronicle agent's `chronicleAgent.serverAddress` value is set to the server's internal service address and the +`chronicleAgent.image.tag` is set to the server's version. This auto-discovery behavior can be disabled by setting +`chronicleAgent.autoDiscovery=false` or by manually providing the `chronicleAgent.serverAddress` and +`chronicleAgent.image.tag` values. Below is an example where these values are set manually: -To set the server address and/or version manually, set the following values: ```yaml chronicleAgent: enabled: true @@ -432,7 +436,7 @@ chronicleAgent: tag: ``` -If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` +If preferred, the Chronicle agent can be directly defined as a sidecar container using either the `initContainers` (recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar container using `initContainers`: ```yaml @@ -445,8 +449,6 @@ initContainers: value: "http://
" ``` -For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). - ### Chronicle Workbench API Key > [!WARNING] @@ -454,8 +456,9 @@ For more information on Posit Chronicle, see the [Chronicle documentation](https > [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more > information. -The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must -provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: +The Chronicle agent can be configured to scrape the Workbench API for additional data. To enable this behavior, a +Workbench API key must be provided to the Chronicle agent with at least read-only administrator privileges. +Below is an example of providing a Workbench API key to the Chronicle agent via a Kubernetes secret: ```yaml chronicleAgent: enabled: true @@ -466,6 +469,10 @@ chronicleAgent: key: ``` +Workbench API keys must be generated using the Workbench CLI with the Workbench API enabled after initial deployment. +`chronicleAgent.workbenchApiKey` can be updated after the initial installation of the chart with corresponding values +or references to a generated API key. + For additional information on enabling the API and generating API keys, see [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html). From 339ccb350ea5316469b622fed6f6dcf0d5fd14c3 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 23 May 2025 20:26:18 +0000 Subject: [PATCH 43/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 35 +++++++++++++++--------------- charts/rstudio-workbench/README.md | 29 ++++++++++--------------- 2 files changed, 28 insertions(+), 36 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index e0ec5b823..91ec53716 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -126,18 +126,15 @@ Alternatively, database passwords may be set during `helm install` with the foll ## Chronicle Agent -This section details how to deploy and configure a Chronicle agent instance alongside Workbench. For more information on -Posit Chronicle in general, see the [Posit Chronicle documentation](https://docs.posit.co/chronicle/). - -This chart supports use of a sidecar Chronicle agent to capture and report metrics to a Chronicle server. The agent can -be enabled by setting `chronicleAgent.enabled=true`. +This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -lookup namespace can be changed by providing `chronicleAgent.serverNamespace`. If a server is found, the -Chronicle agent's `chronicleAgent.serverAddress` value is set to the server's internal service address and the -`chronicleAgent.image.tag` is set to the server's version. This auto-discovery behavior can be disabled by setting -`chronicleAgent.autoDiscovery=false` or by manually providing the `chronicleAgent.serverAddress` and -`chronicleAgent.image.tag` values. Below is an example where these values are set manually: +searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. + +To set the server address and/or version manually, set the following values: ```yaml chronicleAgent: enabled: true @@ -164,10 +161,13 @@ initContainers: key: apikey ``` +For more information on Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ### Chronicle Connect API Key -In order to get full metrics reporting with Connect, the Chronicle agent must be provided an API key with Administrator -permissions. Below is an example of how to provide the API key to the Chronicle Agent using a Kubernetes Secret: +In order to communicate with Connect, the Chronicle agent must be passed an API key. This can either be done by passing +a Kubernetes secret (recommended) or by setting the key directly as an environment variable. Below is an example +of how to set the API key using a secret: ```yaml chronicleAgent: enabled: true @@ -178,12 +178,11 @@ chronicleAgent: key: ``` -Connect API keys must be generated using an administrator account in the Connect UI after initial deployment. -`chronicleAgent.connectApiKey` can be updated after the initial installation of the chart with corresponding values -or references to a generated API key. - -For additional information on generating API keys, see the -[Posit Connect API documentation](https://docs.posit.co/connect/user/api-keys/#api-keys-creating). +Due to the way Connect manages its API keys, it is currently not possible to provision an API key automatically for the +Chronicle agent at the time of deployment. To workaround this issue in a fresh deployment, you can initially leave +the API key unset for the Chronicle agent, deploy the chart, create an administrator API key, and then provision a +secret with the API key. Once the secret is created, the value of `chronicleAgent.connectApiKey.secretKeyRef` +can be set and the release can be upgraded to include the new value. ## General principles diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 32e43869f..babcc3ceb 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -415,19 +415,15 @@ launcher: ## Chronicle Agent -This section details how to deploy and configure a Chronicle agent instance alongside Workbench. For more information on -Posit Chronicle in general, see the [Posit Chronicle documentation](https://docs.posit.co/chronicle/). - -This chart supports use of a sidecar Chronicle agent to capture and report metrics to a Chronicle server. The agent can -be enabled by setting `chronicleAgent.enabled=true`. +This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -lookup namespace can be changed by providing `chronicleAgent.serverNamespace`. If a server is found, the -Chronicle agent's `chronicleAgent.serverAddress` value is set to the server's internal service address and the -`chronicleAgent.image.tag` is set to the server's version. This auto-discovery behavior can be disabled by setting -`chronicleAgent.autoDiscovery=false` or by manually providing the `chronicleAgent.serverAddress` and -`chronicleAgent.image.tag` values. Below is an example where these values are set manually: +searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +Chronicle agent's server value to the server's service name and will use an agent version to match the server version. +This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. +To set the server address and/or version manually, set the following values: ```yaml chronicleAgent: enabled: true @@ -436,7 +432,7 @@ chronicleAgent: tag: ``` -If preferred, the Chronicle agent can be directly defined as a sidecar container using either the `initContainers` +If preferred, the Chronicle agent can be directly defined as a sidecar container using either `initContainers` (recommended) or `sidecar` values. Below is an example of directly defining the Chronicle agent as a native sidecar container using `initContainers`: ```yaml @@ -449,6 +445,8 @@ initContainers: value: "http://
" ``` +For more information on Posit Chronicle, see the [Chronicle documentation](https://docs.posit.co/chronicle/). + ### Chronicle Workbench API Key > [!WARNING] @@ -456,9 +454,8 @@ initContainers: > [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more > information. -The Chronicle agent can be configured to scrape the Workbench API for additional data. To enable this behavior, a -Workbench API key must be provided to the Chronicle agent with at least read-only administrator privileges. -Below is an example of providing a Workbench API key to the Chronicle agent via a Kubernetes secret: +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must +provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: ```yaml chronicleAgent: enabled: true @@ -469,10 +466,6 @@ chronicleAgent: key: ``` -Workbench API keys must be generated using the Workbench CLI with the Workbench API enabled after initial deployment. -`chronicleAgent.workbenchApiKey` can be updated after the initial installation of the chart with corresponding values -or references to a generated API key. - For additional information on enabling the API and generating API keys, see [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html). From d48fb35be4a3ba8dc8ef7f526c9b4f4407d28266 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Fri, 23 May 2025 14:34:49 -0600 Subject: [PATCH 44/50] Trigger CI From ec6857a491625c600fdc65c1d99c4ad48d6d776f Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 27 May 2025 09:24:03 -0600 Subject: [PATCH 45/50] Reword Workbench API key section --- charts/rstudio-workbench/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index babcc3ceb..bbb1b4765 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -454,8 +454,8 @@ For more information on Posit Chronicle, see the [Chronicle documentation](https > [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more > information. -The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must -provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, a Workbench API key +must be provided to the Chronicle Agent. This can be done by setting `chronicleAgent.workbenchApiKey`: ```yaml chronicleAgent: enabled: true From b83b1607977dbe5cd35436df6242fb93687c0e94 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 27 May 2025 15:27:03 +0000 Subject: [PATCH 46/50] Update helm-docs and README.md --- charts/rstudio-workbench/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index bbb1b4765..babcc3ceb 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -454,8 +454,8 @@ For more information on Posit Chronicle, see the [Chronicle documentation](https > [the Workbench documentation](https://docs.posit.co/ide/server-pro/admin/workbench_api/workbench_api.html) for more > information. -The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, a Workbench API key -must be provided to the Chronicle Agent. This can be done by setting `chronicleAgent.workbenchApiKey`: +The Chronicle agent can be configured to scrape the Workbench API for additional data. To do this, you must +provide the Chronicle agent with a Workbench API key. This can be done by setting `chronicleAgent.workbenchApiKey`: ```yaml chronicleAgent: enabled: true From 3a17d31982bd542b7f9abe573f28c93b7c0a3f34 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 27 May 2025 09:46:44 -0600 Subject: [PATCH 47/50] Add product docs link Co-authored-by: Benjamin R. J. Schwedler --- charts/rstudio-connect/README.md.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 05da50daf..3936dff20 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -66,7 +66,7 @@ Alternatively, database passwords may be set during `helm install` with the foll ## Chronicle Agent -This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The From 11923d29d9667741d117b44f4461a5864e5368c1 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 27 May 2025 09:47:03 -0600 Subject: [PATCH 48/50] Add product docs link Co-authored-by: Benjamin R. J. Schwedler --- charts/rstudio-workbench/README.md.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index a425e7706..128e4f7dd 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl @@ -360,7 +360,7 @@ launcher: ## Chronicle Agent -This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The From 4b193512f71aa6f9239800c02fd47f6aa290bd3f Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 27 May 2025 15:47:59 +0000 Subject: [PATCH 49/50] Update helm-docs and README.md --- charts/rstudio-connect/README.md | 2 +- charts/rstudio-workbench/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 91ec53716..179451133 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -126,7 +126,7 @@ Alternatively, database passwords may be set during `helm install` with the foll ## Chronicle Agent -This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index babcc3ceb..460f5c5a8 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -415,7 +415,7 @@ launcher: ## Chronicle Agent -This chart supports use of a sidecar Chronicle agent to report data to a Chronicle server. The agent can be enabled +This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chronicle/) to report data to a Chronicle server. The agent can be enabled by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The From d6f1a7b6db05dc618733d8e007e14fb0db6fd722 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Tue, 27 May 2025 10:19:13 -0600 Subject: [PATCH 50/50] By, by, by --- charts/rstudio-connect/README.md | 2 +- charts/rstudio-connect/README.md.gotmpl | 2 +- charts/rstudio-workbench/README.md | 2 +- charts/rstudio-workbench/README.md.gotmpl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-connect/README.md b/charts/rstudio-connect/README.md index 179451133..a4e56be0b 100644 --- a/charts/rstudio-connect/README.md +++ b/charts/rstudio-connect/README.md @@ -130,7 +130,7 @@ This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chr by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the Chronicle agent's server value to the server's service name and will use an agent version to match the server version. This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. diff --git a/charts/rstudio-connect/README.md.gotmpl b/charts/rstudio-connect/README.md.gotmpl index 3936dff20..bccb64a3c 100644 --- a/charts/rstudio-connect/README.md.gotmpl +++ b/charts/rstudio-connect/README.md.gotmpl @@ -70,7 +70,7 @@ This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chr by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the Chronicle agent's server value to the server's service name and will use an agent version to match the server version. This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 460f5c5a8..3171d5baa 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -419,7 +419,7 @@ This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chr by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the Chronicle agent's server value to the server's service name and will use an agent version to match the server version. This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`. diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index 128e4f7dd..10793eca0 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl @@ -364,7 +364,7 @@ This chart supports use of a sidecar [Chronicle agent](https://docs.posit.co/chr by setting `chronicleAgent.enabled=true`. By default, the chart will attempt to lookup an existing Chronicle server deployed in the release namespace. The -searched namespace can be changed setting `chronicleAgent.serverNamespace`. If a server exists, it will set the +searched namespace can be changed setting by `chronicleAgent.serverNamespace`. If a server exists, it will set the Chronicle agent's server value to the server's service name and will use an agent version to match the server version. This auto-discovery behavior can be disabled by setting `chronicleAgent.autoDiscovery=false`.