v0.10.0-beta.7

Pre-release

@github-actions github-actions released this 19 Jun 15:50
· 12 commits to main since this release
f7cd9cd

Highlights. Adds the AWS Systems Manager Parameter Store secret_store
backend, completes the de-arq rename to Elevarq Signals, and closes a
credential-redaction gap found during beta testing.

Breaking — first-party importers must update import paths. The Go
module path changed github.com/elevarq/arq-signals ->
github.com/elevarq/signals, and the repository was renamed
Elevarq/Arq-Signals -> Elevarq/Signals (old URLs redirect). The
deprecated arqctl / arq-signals binary aliases were removed — use
signals / signalsctl.

Security. pg_stat_statements query text is now redacted of structured
credential literals (role/user PASSWORD, libpq conninfo password=)
before persistence and export (#188).
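
One way to write a filter of this kind, added here as an example and not the project's implementation: it masks the two literal forms named above in query text before storage. `RedactQuery` and both regular expressions are assumptions of this example, and escaped quotes inside a quoted conninfo value are out of scope.

```go
package main

import (
	"fmt"
	"regexp"
)

var (
	// PASSWORD '<literal>' in CREATE/ALTER ROLE|USER; '' is an escaped quote.
	rolePassword = regexp.MustCompile(`(?i)\b(PASSWORD\s+)'(?:[^']|'')*'`)
	// libpq keyword/value pair inside a SQL string: password=value or
	// password=''quoted value''. "password = $1" also matches; that
	// over-redaction is accepted so the filter fails closed.
	conninfoPassword = regexp.MustCompile(`(?i)\b(password\s*=\s*)(?:''[^']*''|[^\s']+)`)
)

// RedactQuery (hypothetical name) masks both literal forms before the query
// text is persisted or exported.
func RedactQuery(q string) string {
	q = rolePassword.ReplaceAllString(q, "${1}'***'")
	return conninfoPassword.ReplaceAllString(q, "${1}***")
}

func main() {
	// Constructed sample statements, not captured from a real system.
	for _, q := range []string{
		"ALTER ROLE app WITH PASSWORD 'it''s-secret' VALID UNTIL '2030-01-01'",
		"CREATE SUBSCRIPTION s CONNECTION 'host=db user=repl password=hunter2 dbname=app' PUBLICATION p",
		"CREATE SUBSCRIPTION s CONNECTION 'host=db password=''a b'' user=x' PUBLICATION p",
	} {
		fmt.Println(RedactQuery(q))
	}
}
```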

Upgrade notes. No config changes required beyond the import-path /
binary-name renames above. The committed Chart.yaml version is stamped
from the release tag at package time, so it may lag the tag.

Added

  • secret_store: AWS Systems Manager Parameter Store backend (#157).
    A target's database password may now live in Parameter Store, referenced
    by ARN (arn:aws:ssm:<region>:<acct>:parameter/<name>). The parameter is
    fetched with GetParameter and WithDecryption=true, so a SecureString
    is returned decrypted and a plain String passes through. The region is
    taken authoritatively from the ARN, and the ssm vs secretsmanager ARN
    service segment selects the backend. Requires ssm:GetParameter (plus
    kms:Decrypt on the CMK for a SecureString). All other secret_store
    behaviour (verify-full floor, no inline password, never-log, per-target
    cache, secret_json_key) is unchanged.
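
The ARN handling described in this entry, as an added example rather than the project's own code: the service segment selects the backend, the region comes only from the ARN, and anything else is rejected. `SecretRef` and `ParseSecretARN` are hypothetical names, and the sample ARNs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SecretRef and ParseSecretARN are hypothetical names for this example.
type SecretRef struct {
	Backend string // "ssm" or "secretsmanager", from the ARN service segment
	Region  string // from the ARN, never from ambient AWS_REGION or a profile
	ARN     string // passed unchanged to the backend's fetch call
}

func ParseSecretARN(arn string) (SecretRef, error) {
	// arn:<partition>:<service>:<region>:<account>:<resource>; the resource
	// may itself contain ':' (Secrets Manager), so split into at most 6 parts.
	p := strings.SplitN(arn, ":", 6)
	if len(p) != 6 || p[0] != "arn" {
		return SecretRef{}, fmt.Errorf("not an ARN")
	}
	service, region, account, resource := p[2], p[3], p[4], p[5]
	if region == "" || account == "" {
		return SecretRef{}, fmt.Errorf("ARN must carry region and account")
	}
	// One accepted resource prefix per backend; an unknown service or a
	// wrong resource type is rejected rather than guessed at.
	want := map[string]string{"ssm": "parameter/", "secretsmanager": "secret:"}
	prefix, ok := want[service]
	if !ok {
		return SecretRef{}, fmt.Errorf("unsupported ARN service %q", service)
	}
	if !strings.HasPrefix(resource, prefix) || len(resource) == len(prefix) {
		return SecretRef{}, fmt.Errorf("%s ARN resource must start with %q", service, prefix)
	}
	return SecretRef{Backend: service, Region: region, ARN: arn}, nil
}

func main() {
	// Constructed ARNs; the account ID and names are placeholders.
	for _, a := range []string{
		"arn:aws:ssm:eu-west-1:123456789012:parameter/prod/db/password",
		"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
		"arn:aws:s3:::bucket/key",
	} {
		ref, err := ParseSecretARN(a)
		fmt.Println(ref.Backend, ref.Region, err)
	}
}
```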

Changed

  • Completed the de-arq rename (#171, closes #62). With the GitHub
    repository renamed to Elevarq/Signals, the last structural Arq names
    are gone: the Go module path is now github.com/elevarq/signals
    (first-party consumers must update imports), the spec tree moved
    features/arq-signals/ -> features/signals/, requirement IDs are
    SIGNALS-* (was ARQ-SIGNALS-*), and residual Elevarq/Arq-Signals
    repo URLs / issue links now point at Elevarq/Signals. The deprecated
    arqctl / arq-signals binary aliases were already removed (#168).
    References to the sibling Arq analyzer repo are unchanged — that is
    a separate product.

  • BREAKING — removed the residual arq branding from every user-facing
    interface (#137). Beta intentionally froze these names (see the
    beta.4 note below); with adoption beginning, this is the last window to
    rename them without a compatibility shim. There are no aliases for the
    old names — update configs, environments, and provisioning before
    upgrading. Renames:

    • Environment variables: the ARQ_SIGNALS_* prefix becomes
      SIGNALS_* (e.g. ARQ_SIGNALS_API_TOKEN -> SIGNALS_API_TOKEN,
      ARQ_SIGNALS_CONFIG -> SIGNALS_CONFIG). The two non-prefixed vars
      follow: ARQ_ENV -> SIGNALS_ENV, ARQ_ALLOW_INSECURE_PG_TLS ->
      SIGNALS_ALLOW_INSECURE_PG_TLS.
    • Default config directory: /etc/arq/ -> /etc/signals/ (default
      search path /etc/signals/signals.yaml; control-plane token default
      /etc/signals/control-plane.token).
    • Default SQLite store path: /data/arq-signals.db -> /data/signals.db.
    • PostgreSQL application_name: every collector connection now
      identifies as signals (was arq-signals); the pg_stat_activity /
      pg_stat_statements self-filter matches the new value.
    • Snapshot export schema: schema_version is now signals-snapshot.v1
      (was arq-snapshot.v1); the export metadata key arq_signals_version
      becomes signals_version. Downstream consumers of the export
      (Elevarq Analyzer/Insight) must accept the new identifier; see #137
      for the cross-repo follow-up.
    • Control-plane config: signals.mode: arq_managed -> managed;
      keys arq_control_plane_token_file / arq_control_plane_token_env ->
      control_plane_token_file / control_plane_token_env.
    • Audit-log reason value: scheduled_arq_cycle -> scheduled_cycle.
    • Documented DB monitoring role: examples now use a single signals
      role (was the inconsistent arq_signals / arq_monitor); read-only
      example role arq_signals_ro -> signals_ro.
    • Deploy/example names: Docker volume arq-data -> signals-data;
      example Kubernetes secret names arq-pg-password / arq-db-credentials
      / arq-api-token -> signals-*.

    Unchanged (tracked separately): the Go module path
    github.com/elevarq/arq-signals and the repository URL stay until the
    repository rename (#62); internal ARQ-SIGNALS-* requirement IDs are an
    internal traceability scheme. Prometheus metric names are renamed in
    the companion change below (#139).

  • BREAKING — renamed the Prometheus metric prefix arq_signal_* ->
    signals_* (#139). Completes the de-arq rename for the /metrics
    endpoint surface. There are no aliases — update dashboards, recording
    rules, and alert rules before upgrading. All 14 series rename, e.g.
    arq_signal_collection_cycles_total -> signals_collection_cycles_total,
    arq_signal_circuit_state -> signals_circuit_state,
    arq_signal_export_requests_total -> signals_export_requests_total.
    Label names, label-value enums, and metric semantics are unchanged.

  • Renamed the residual arq developer-facing identifiers left out of
    #137 (#150). These are internal/cosmetic names with no operator-facing
    surface, so #137 correctly scoped them out; this completes the de-arq
    rename. No behaviour change, no aliases needed (none are read by CI or
    by operators):

    • Live/integration test env vars: ARQ_TEST_* -> SIGNALS_TEST_*
      and ARQ_DOCTOR_TEST_* -> SIGNALS_DOCTOR_TEST_* (e.g.
      ARQ_TEST_PG_DSN -> SIGNALS_TEST_PG_DSN,
      ARQ_TEST_TSDB_DSN -> SIGNALS_TEST_TSDB_DSN). Set only by developers
      running the build-tag-gated live tests manually. The naming spec
      acceptance docs and features/arq-signals/traceability.md were updated
      in lockstep.
    • Transient SAVEPOINT name: the per-query savepoint is now
      signals_q_%d (was arq_q_%d); observable in pg_stat_activity /
      server logs during a collection cycle.
    • Guided-connect temp file prefix: .arqctl-connect-*.yaml ->
      .signalsctl-connect-*.yaml.
    • Sample DB usernames in test fixtures and example DSNs use the
      brand-neutral monitor (was arq).
    • Stale test names carrying the old brand were renamed
      (TestR083ArqManagedRequiresToken,
      TestR083ControlPlaneTokenSetsArqActor,
      TestHelm_ConfigMapIsMountedAtEtcArq).

    These last Arq-prefixed identifiers (the module path, the features/
    spec tree, and the requirement-ID prefix) were completed once the
    repository was renamed — see the #171 entry above.

Removed

  • Deprecated binary aliases arqctl and arq-signals (#168). The old
    Arq-branded names introduced as a transitional courtesy in #62 are gone:
    the daemon and CLI no longer respond to (or warn under) those names, and
    the container image / make build no longer create the symlinks. Use
    signals and signalsctl. Brought forward from the originally planned
    post-launch removal ahead of the repository rename (#62).

Fixed

  • Corrected the documented signalsctl doctor config path that pointed
    at a non-existent /etc/signals-signals/ directory (#153). The Helm
    chart mounts the ConfigMap at /etc/signals and the daemon's default
    config is /etc/signals/signals.yaml, but
    docs/install/kubernetes-production.md told operators to run
    signalsctl doctor --config /etc/signals-signals/signals.yaml, which
    fails on copy-paste — the path does not exist in the pod. The
    specifications/doctor.md example output had the same doubled directory
    (plus the wrong filename config.yaml). Both now reference
    /etc/signals/signals.yaml. The signals-signals resource names in
    the same doc are correct (Helm renders {release}-signals and the docs
    install with release name signals) and are unchanged. Documentation
    only.

  • Example DB monitoring roles renamed to the single signals role
    (#141). #137's claim that the examples use a single signals role
    was incomplete — the role-creation SQL and the snapshot fixture were
    missed, leaving the bundled Docker quickstart and TimescaleDB demo
    broken (their Compose files target user signals, but init.sql /
    roles.sql created arq_monitor, so the collector could never
    authenticate). Renamed arq_signals / arq_monitor -> signals in
    examples/init.sql, examples/local-safe-role/signals.yaml.example,
    and examples/snapshot-example/snapshots.ndjson, and
    arq_monitor / arq_monitor_owner -> signals /
    signals_monitor_owner in the TimescaleDB demo
    (examples/timescaledb-demo/roles.sql, seed.sql) to match the
    names already wired in those demos' Compose files. Example-only
    change; no product behaviour is affected.

  • Cleared remaining hyphenated arq-signals references from the
    examples (#143). Follow-up to #137/#127. Renamed the example SQLite
    store paths ./arq-signals.db / ./arq-signals-test.db ->
    ./signals.db / ./signals-test.db
    (examples/local-safe-role/signals.yaml.example,
    examples/local-superuser-override/signals.yaml.example) and the
    residual prose use of "arq-signals" as the product name ->
    "Elevarq Signals" in example comments and headers
    (examples/README.md, examples/docker-compose.yml,
    examples/docker-compose.prod.yml, examples/signals.yaml,
    examples/init.sql, examples/timescaledb-demo/docker-compose.yml).
    Service identifiers were already named signals; this is prose and
    example-path only, with no product behaviour impact.

  • Cleared residual arq names from the deploy/ IaC templates
    (#145). #137 renamed the config directory, store path, and Docker
    volume and its changelog already claimed /etc/arq/ -> /etc/signals/,
    /data/arq-signals.db -> /data/signals.db, and arq-data ->
    signals-data, but the cloud provisioning templates under deploy/
    were outside its scope and still carried the old names, leaving the
    docs ahead of reality. The Azure Bicep cloud-init now writes config to
    /etc/signals/, stores the database at /data/signals.db, and mounts
    the signals-data volume (deploy/azure/bicep/main.bicep). The
    deployment-environment input variable arq_env / ArqEnv / arqEnv
    is renamed to env / Env across the AWS CloudFormation template,
    the AWS/Azure/GCP Terraform modules, and the Azure Bicep template
    (deploy/aws/cloudformation/signals-rds-iam.yaml,
    deploy/{aws,azure,gcp}/terraform/, deploy/azure/bicep/main.bicep).
    Provisioning-template only; the generated collector config and runtime
    behaviour are unchanged. Operators who set arq_env / ArqEnv in
    their tfvars or stack parameters must rename it to env / Env.

  • Updated the documented control_plane_token_env example value
    ARQ_CONTROL_PLANE_TOKEN -> SIGNALS_CONTROL_PLANE_TOKEN (#146).
    This is the operator-chosen env-var name shown in the commented config
    examples — Signals never hard-codes or reads ARQ_CONTROL_PLANE_TOKEN;
    it reads whatever name the operator sets in control_plane_token_env,
    so this is a documentation example only, not a behaviour change and
    not a breaking change (the config key and the SIGNALS_CONTROL_PLANE_TOKEN_ENV
    override were already de-arq'd in #137). Updated in README.md,
    docs/authentication.md, and features/arq-signals/specification.md,
    plus the cosmetic internal variable arqControlPlaneTokenFn ->
    signalsControlPlaneTokenFn in cmd/signals/main.go.

  • Corrected docs/examples that still described the pre-#137 arq
    behaviour (#149). #137 changed the shipped code but left several
    docs and one example describing the old names, so they actively
    misled operators. The collector identifies as
    application_name = signals (constant collector.AppName, used by
    the pg_stat_statements_v1 self-filter), but docs/faq.md,
    docs/postgres-role.md, and docs/collectors.md still said
    arq-signals — an operator building their own self-filter from those
    docs would have matched the wrong value. The
    examples/local-superuser-override/signals.yaml.example comment told
    operators to set ARQ_SIGNALS_ALLOW_UNSAFE_ROLE, but the daemon reads
    SIGNALS_ALLOW_UNSAFE_ROLE (internal/config/config.go), so the
    override silently did nothing. Also corrected the stale identity/store
    paths /var/lib/arq-signals and /var/lib/arq -> /var/lib/signals
    in specifications/doctor.md and
    docs/observability/operational-readiness.md. Documentation/example
    only; the code already behaved correctly.


Supply chain

  • Images (same manifest digest in both registries):
    • GHCR: ghcr.io/elevarq/signals:0.10.0-beta.7
    • Docker Hub: elevarq/signals:0.10.0-beta.7 (when configured)
  • Digest: sha256:850cb43c3762637f1dd86bf7ebf0e4357732a77fe507a32da0c95c5e54f6c639
  • Architectures: linux/amd64, linux/arm64
  • Cosign-signed in both registries (keyless, GitHub OIDC)
  • SBOM attached as OCI attestation and as sbom.spdx.json release asset
  • SLSA build provenance attestation (mode=max)

Quick signature verification (GHCR):

cosign verify ghcr.io/elevarq/signals:0.10.0-beta.7 \
  --certificate-identity-regexp='github.com/Elevarq/(Signals|signals)/.github/workflows/release.yml@' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

Same command works against elevarq/signals:0.10.0-beta.7 — the certificate identity is bound to the workflow, not the registry.

Full verification checklist (manifest, SBOM, provenance, Trivy):
docs/release-verification.md