Skip to content

Helm Chart Assessments

Ivan P edited this page Jun 5, 2026 · 3 revisions

Structured assessment of each service's Helm chart, identifying the exact changes needed to support OTel (traces + metrics), Pyroscope, and Faro configuration injection.


Effort Tiers

Tier Description Typical effort per phase
Standard Single deployment, backend only — values.yaml additions + one template file ~20–30 min
Multi-component Multiple deployments or Faro required — multiple template files, Faro proxy code ~45–90 min
Library Chart is a shared library consumed by other services; instrumentation may need to target consuming service charts Varies

Shared Values Schema

All charts implement this schema. Default values shown — all signals disabled by default, opt-in per environment.

otel:
  enabled: false
  serviceName: ""
  endpoint: "http://alloy:4317"    # gRPC; use :4318 for HTTP-only services
  tracesExporter: "otlp"           # OTEL_TRACES_EXPORTER
  metricsExporter: "otlp"          # OTEL_METRICS_EXPORTER
  # Python services only:
  pythonLogCorrelation: "true"     # injects trace_id into stdout logs; not OTLP log export

pyroscope:
  enabled: false
  serverAddress: "http://alloy:12347"

faro:                              # frontend services only
  enabled: false
  collectorUrl: ""
  proxy:
    enabled: false
    path: "/faro"
    upstreamUrl: ""

Note on logs: OTEL_LOGS_EXPORTER is intentionally not in this schema. Logs flow via pod stdout → Alloy scraping → Loki. pythonLogCorrelation / Node.js logging instrumentation injects trace_id into those existing log records — no separate log export pipeline needed.


Shared Template Pattern

Backend deployment (templates/deployment.yaml or equivalent)

{{- if .Values.otel.enabled }}
- name: OTEL_SERVICE_NAME
  value: {{ .Values.otel.serviceName | quote }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_TRACES_EXPORTER
  value: {{ .Values.otel.tracesExporter | quote }}
- name: OTEL_METRICS_EXPORTER
  value: {{ .Values.otel.metricsExporter | quote }}
{{- end }}
{{- if .Values.pyroscope.enabled }}
- name: PYROSCOPE_SERVER_ADDRESS
  value: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}

Python services — additional env var

- name: OTEL_PYTHON_LOG_CORRELATION
  value: {{ .Values.otel.pythonLogCorrelation | quote }}

Sub-chart pass-through convention

Charts that include acapy or other instrumented charts as dependencies should pass config down via Helm sub-chart values rather than extraEnvVars:

# parent chart values.yaml
acapy:
  otel:
    enabled: true
    serviceName: "traction-acapy"
    endpoint: "http://alloy:4317"
    tracesExporter: "otlp"
    metricsExporter: "otlp"
    pythonLogCorrelation: "true"

This requires the dependency chart to implement the same schema natively.


Charts in Scope

Chart Manages Tier Faro Phase 2 (OTel) Phase 3 (Pyroscope/Faro) Status
acapy-agent acapy Deployment Standard No ~20 min ~10 min Done
vc-authn-oidc vc-authn-oidc Deployment Standard No ~20 min ~10 min Done
endorser-service acapy-endorser-api Deployment Standard No ~20 min ~10 min Done
didcomm-mediator-credo mediator Deployment Standard No ~20 min ~10 min Done
traction tenant-proxy + tenant-ui + acapy sub-chart Multi-component Yes ~45 min ~45 min Done
didwebvh-server-py didwebvh-server Deployment Standard Yes ~20 min ~30 min Pending
bc-wallet-demo server + frontend Multi-component Yes ~45 min ~45 min Pending
credo-ts consuming service consuming service host Library Yes (consumers) TBD TBD Pending

Assessments

acapy-agent

Manages: acapy Deployment (Python). Sub-charts: postgres, common (no action needed).

Phase 2 — OTel Helm Changes

values.yaml:

otel:
  enabled: false
  serviceName: "acapy"
  endpoint: "http://alloy:4317"
  tracesExporter: "otlp"
  metricsExporter: "otlp"
  pythonLogCorrelation: "true"

templates/deployment.yaml — insert into the acapy container env: block:

{{- if .Values.otel.enabled }}
- name: OTEL_SERVICE_NAME
  value: {{ .Values.otel.serviceName | quote }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_TRACES_EXPORTER
  value: {{ .Values.otel.tracesExporter | quote }}
- name: OTEL_METRICS_EXPORTER
  value: {{ .Values.otel.metricsExporter | quote }}
- name: OTEL_PYTHON_LOG_CORRELATION
  value: {{ .Values.otel.pythonLogCorrelation | quote }}
{{- end }}

Phase 3 — Pyroscope Helm Changes

values.yaml:

pyroscope:
  enabled: false
  serverAddress: "http://alloy:12347"

templates/deployment.yaml:

{{- if .Values.pyroscope.enabled }}
- name: PYROSCOPE_SERVER_ADDRESS
  value: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}

vc-authn-oidc

Manages: vc-authn-oidc Deployment (Python), vc-authn-oidc-cleanup CronJob. Sub-charts: acapy, mongodb (no action needed). No browser-facing frontend; Faro not applicable.

Phase 2 — OTel Helm Changes

values.yaml:

otel:
  enabled: false
  serviceName: "vc-authn-oidc"
  endpoint: "http://alloy:4317"
  tracesExporter: "otlp"
  metricsExporter: "otlp"
  pythonLogCorrelation: "true"

templates/deployment.yaml — insert into the vc-authn-oidc container env: block:

{{- if .Values.otel.enabled }}
- name: OTEL_SERVICE_NAME
  value: {{ .Values.otel.serviceName | quote }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_TRACES_EXPORTER
  value: {{ .Values.otel.tracesExporter | quote }}
- name: OTEL_METRICS_EXPORTER
  value: {{ .Values.otel.metricsExporter | quote }}
- name: OTEL_PYTHON_LOG_CORRELATION
  value: {{ .Values.otel.pythonLogCorrelation | quote }}
{{- end }}

Phase 3 — Pyroscope Helm Changes

values.yaml:

pyroscope:
  enabled: false
  serverAddress: "http://alloy:12347"

templates/deployment.yaml:

{{- if .Values.pyroscope.enabled }}
- name: PYROSCOPE_SERVER_ADDRESS
  value: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}

endorser-service

Manages: acapy-endorser-api Deployment (Python), caddy-proxy Deployment, migration-job. Sub-charts: acapy, postgres (no action needed). No frontend; Faro not applicable.

Phase 2 — OTel Helm Changes

values.yaml:

otel:
  enabled: false
  serviceName: "endorser-service"
  endpoint: "http://alloy:4317"
  tracesExporter: "otlp"
  metricsExporter: "otlp"
  pythonLogCorrelation: "true"

templates/api/deployment.yaml — insert into the acapy-endorser-api container env: block:

{{- if .Values.otel.enabled }}
- name: OTEL_SERVICE_NAME
  value: {{ .Values.otel.serviceName | quote }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_TRACES_EXPORTER
  value: {{ .Values.otel.tracesExporter | quote }}
- name: OTEL_METRICS_EXPORTER
  value: {{ .Values.otel.metricsExporter | quote }}
- name: OTEL_PYTHON_LOG_CORRELATION
  value: {{ .Values.otel.pythonLogCorrelation | quote }}
{{- end }}

Phase 3 — Pyroscope Helm Changes

values.yaml:

pyroscope:
  enabled: false
  serverAddress: "http://alloy:12347"

templates/api/deployment.yaml:

{{- if .Values.pyroscope.enabled }}
- name: PYROSCOPE_SERVER_ADDRESS
  value: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}

didcomm-mediator-credo

Manages: didcomm-mediator-credo Deployment (Node.js). Sub-chart: common (no action needed). No frontend; Faro not applicable. Uses HTTP OTLP (port 4318) due to existing Dockerfile constraints.

Phase 2 — OTel Helm Changes

values.yaml:

otel:
  enabled: false
  serviceName: "didcomm-mediator-credo"
  endpoint: "http://alloy:4318"    # HTTP, not gRPC
  tracesExporter: "otlp"
  metricsExporter: "otlp"

templates/deployment.yaml — insert into the didcomm-mediator-credo container env: block:

{{- if .Values.otel.enabled }}
- name: OTEL_SERVICE_NAME
  value: {{ .Values.otel.serviceName | quote }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_TRACES_EXPORTER
  value: {{ .Values.otel.tracesExporter | quote }}
- name: OTEL_METRICS_EXPORTER
  value: {{ .Values.otel.metricsExporter | quote }}
{{- end }}

Phase 3 — Pyroscope Helm Changes

values.yaml:

pyroscope:
  enabled: false
  serverAddress: "http://alloy:12347"

templates/deployment.yaml:

{{- if .Values.pyroscope.enabled }}
- name: PYROSCOPE_SERVER_ADDRESS
  value: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}

traction

Manages: tenant-proxy Deployment (Node.js), tenant-ui Deployment (Node.js + Vue 3 frontend). Sub-chart: acapy — pass OTel/Pyroscope values via acapy.otel and acapy.pyroscope once the acapy chart implements the shared schema (see sub-chart convention above).

Phase 2 — OTel Helm Changes

values.yaml:

otel:
  enabled: false
  endpoint: "http://alloy:4317"
  tracesExporter: "otlp"
  metricsExporter: "otlp"
  proxyServiceName: "traction-tenant-proxy"
  uiServiceName: "traction-tenant-ui"
  acapyServiceName: "traction-acapy"

templates/proxy/deployment.yaml:

{{- if .Values.otel.enabled }}
- name: OTEL_SERVICE_NAME
  value: {{ .Values.otel.proxyServiceName | quote }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: {{ .Values.otel.endpoint | quote }}
- name: OTEL_TRACES_EXPORTER
  value: {{ .Values.otel.tracesExporter | quote }}
- name: OTEL_METRICS_EXPORTER
  value: {{ .Values.otel.metricsExporter | quote }}
{{- end }}

templates/ui/configmap.yaml:

{{- if .Values.otel.enabled }}
  OTEL_SERVICE_NAME: {{ .Values.otel.uiServiceName | quote }}
  OTEL_EXPORTER_OTLP_ENDPOINT: {{ .Values.otel.endpoint | quote }}
  OTEL_TRACES_EXPORTER: {{ .Values.otel.tracesExporter | quote }}
  OTEL_METRICS_EXPORTER: {{ .Values.otel.metricsExporter | quote }}
{{- end }}

Phase 3 — Pyroscope + Faro Helm Changes

values.yaml:

pyroscope:
  enabled: false
  serverAddress: "http://alloy:12347"

faro:
  enabled: false
  collectorUrl: ""
  proxy:
    enabled: false
    path: "/faro"
    upstreamUrl: ""

templates/proxy/deployment.yaml:

{{- if .Values.pyroscope.enabled }}
- name: PYROSCOPE_SERVER_ADDRESS
  value: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}

templates/ui/configmap.yaml:

{{- if .Values.pyroscope.enabled }}
  PYROSCOPE_SERVER_ADDRESS: {{ .Values.pyroscope.serverAddress | quote }}
{{- end }}
{{- if .Values.faro.enabled }}
  FRONTEND_FARO_COLLECTOR_URL: {{ .Values.faro.collectorUrl | quote }}
{{- if .Values.faro.proxy.enabled }}
  FARO_PROXY_UPSTREAM: {{ .Values.faro.proxy.upstreamUrl | quote }}
{{- end }}
{{- end }}

The tenant-ui backend picks up FRONTEND_* env vars at runtime and serves them to the browser bundle. Ensure the proxy route /faroFARO_PROXY_UPSTREAM is implemented in the tenant-ui server code (see Phase 3).


didwebvh-server-py

Assessment pending.


bc-wallet-demo

Assessment pending.


credo-ts consuming service

Assessment pending. Note: credo-ts is a library chart — instrumentation configuration may need to target consuming service charts rather than this chart directly.