perf-sentinel chart v0.2.26

@github-actions github-actions released this 05 May 14:57

What's new in chart-v0.2.26

This is a daemon-version-only chart bump: appVersion advances from 0.5.22 to 0.5.23, the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.5.23, and the artifacthub.io/images annotation is updated in lockstep so the Artifact Hub listing advertises the matching image. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret. The chart-v0.2.25 surface is preserved byte-for-byte.

The 0.5.23 daemon image ships two opt-in surfaces above the v0.5.20 ack API.

First, the HTML report can run in a live mode via the new --daemon-url <URL> flag on perf-sentinel report. The generated HTML connects to the daemon at runtime and provides ack/revoke interactions, an Acknowledgments tab listing daemon-side acks, a connection-status badge, a manual refresh button, and a Forget key button that purges the in-memory X-API-Key from sessionStorage. The static report (no --daemon-url flag) keeps its 0.5.22 behavior byte-for-byte.

Second, the daemon now supports an opt-in CORS layer scoped to the /api/* query API sub-router, configured via a new [daemon.cors] allowed_origins TOML section. The default, an empty list, means no CORS headers (the loopback-only posture pre-0.5.23 stays intact). Wildcard ["*"] is dev-only; exact-list mode is the production posture. The OTLP /v1/traces ingest, Prometheus /metrics, and /health probe never echo CORS headers regardless of the allow-list, an invariant locked by the cors_layer_does_not_leak_to_otlp_or_metrics_or_health_routes test.

From a chart perspective, both new surfaces are runtime knobs. --daemon-url lives on the perf-sentinel report CLI, which operators run from outside the cluster against an externally exposed daemon Service (or via kubectl port-forward against the in-cluster ClusterIP). [daemon.cors] belongs in the daemon TOML config the chart already mounts via the existing [daemon.ack] ConfigMap path: operators add the section to the same TOML, and no chart template change is required. The HTTP API surface, the v0.5.21 Prometheus counters, the existing ServiceMonitor rendering, the NetworkPolicy rendering, and the optional [daemon.ack] ConfigMap-and-Secret plumbing all keep their prior contracts.

Changed

  • appVersion bumped from 0.5.22 to 0.5.23, default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.5.23. The artifacthub.io/images annotation tracks the bump.
  • No chart-level config change. values.yaml, every template, the ServiceMonitor rendering, the NetworkPolicy rendering, the optional [daemon.ack] ConfigMap-and-Secret plumbing, and the ack-toml-baseline mount are byte-for-byte identical to chart-v0.2.25.

Behavior

  • No HTTP-shape change on the daemon side. The three ack endpoints (POST / DELETE /api/findings/{signature}/ack and GET /api/acks), the v0.5.21 /metrics counters, the /api/findings, /api/status, /api/correlations, /api/explain/*, /api/export/report routes, and every other route keep their v0.5.22 status codes and JSON shapes. Scrapers, ServiceMonitor rules, and existing automation continue to work without adjustment.
  • No upgrade hook required, no on-disk migration. The runtime ack store JSONL schema is unchanged. A helm upgrade from chart-v0.2.25 keeps the daemon's existing acks.jsonl intact; the daemon replays and atomically rewrites it at startup as it did before.
  • CORS layer is opt-in and absent by default. [daemon.cors] allowed_origins = [] (the implicit default) means the daemon emits no Access-Control-Allow-Origin header. Pre-0.5.23 deployments upgrade to chart-v0.2.26 with no behavior change. Operators who want browser-side ack/revoke from the HTML report add a [daemon.cors] allowed_origins = ["https://reports.example.com"] block to the same TOML the chart already plumbs through. Wildcard mode ["*"] is supported for dev, but mixing wildcard with explicit origins (["*", "https://x"]) is rejected at config load.
  • CORS layer scoped to /api/*. Even under wildcard mode, the OTLP /v1/traces ingest, the /metrics exposition, and the /health probe are never reachable cross-origin. ServiceMonitor scrapes, NetworkPolicy ingress rules, and external OTLP senders are unaffected by [daemon.cors] configuration.
  • CORS allow-list is narrow. Methods GET, POST, DELETE, OPTIONS. Headers Content-Type and X-API-Key only. Access-Control-Max-Age is 120 seconds. No Access-Control-Allow-Credentials (incompatible with wildcard mode and unnecessary because the daemon auths via the X-API-Key header rather than cookies).
  • HTML live mode runs from outside the cluster. Operators generate the report locally with perf-sentinel report --daemon-url <URL> pointing at the chart-rendered Service (LoadBalancer / Ingress / port-forward). The HTML opens in a browser and drives the daemon over CORS-protected /api/* calls.
  • Read-endpoint exposure under CORS. When operators whitelist an origin, browser tabs on that origin get the same read access as a local curl against /api/findings, /api/acks, /api/status, /api/export/report. The new docs/CONFIGURATION.md [daemon.cors] section calls this out: only whitelist origins you trust to view all daemon-resident data.
  • Cross-section config validation. The daemon refuses to start if [daemon] api_enabled = false is combined with a non-empty cors_allowed_origins. This catches the silent "I configured CORS but ack is not working" trap at config load instead of post-deploy.
  • Default --daemon-url for the HTML report has no implicit value. Unlike perf-sentinel ack --daemon which falls back to http://localhost:4318, perf-sentinel report --daemon-url is opt-in: passing the flag toggles live mode, omitting it produces a static report identical to chart-v0.2.25 output.
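
A post-upgrade check for the CORS bullets above, added here as an example that is not part of the perf-sentinel project: it audits response headers you have already captured (for instance from preflight requests) against the contract these notes state. The function names, the capture format and the sample headers are constructed for illustration, and it assumes that in exact-list mode the daemon answers with one of the configured origins.

```python
# Added example (constructed data): audit captured headers against the CORS contract above.
ALLOWED_METHODS = {"GET", "POST", "DELETE", "OPTIONS"}
ALLOWED_HEADERS = {"content-type", "x-api-key"}
MAX_AGE = 120

def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def audit_cors(path, headers, expected_origins, allow_wildcard=False):
    """Return findings for one captured response (empty list = compliant)."""
    cors = {k.lower(): v.strip() for k, v in headers.items()
            if k.lower().startswith("access-control-")}
    if not path.startswith("/api/"):
        # /v1/traces, /metrics and /health must never carry CORS headers.
        return [f"{path}: CORS header leaked: {k}" for k in sorted(cors)]
    findings = []
    origin = cors.get("access-control-allow-origin")
    if origin == "*" and not allow_wildcard:
        findings.append(f"{path}: wildcard origin outside dev")
    elif origin not in (None, "*") and origin not in expected_origins:
        findings.append(f"{path}: unexpected origin {origin}")
    if "access-control-allow-credentials" in cors:
        findings.append(f"{path}: Allow-Credentials must be absent")
    methods = {m.upper() for m in _csv(cors.get("access-control-allow-methods", ""))}
    if methods - ALLOWED_METHODS:
        findings.append(f"{path}: extra methods {sorted(methods - ALLOWED_METHODS)}")
    hdrs = {h.lower() for h in _csv(cors.get("access-control-allow-headers", ""))}
    if hdrs - ALLOWED_HEADERS:
        findings.append(f"{path}: extra headers {sorted(hdrs - ALLOWED_HEADERS)}")
    age = cors.get("access-control-max-age")
    if age is not None and (not age.isdigit() or int(age) > MAX_AGE):
        findings.append(f"{path}: Max-Age {age!r} is not <= {MAX_AGE}")
    return findings

def audit_all(captures, expected_origins, allow_wildcard=False):
    return [f for path, hdrs in captures.items()
            for f in audit_cors(path, hdrs, expected_origins, allow_wildcard)]

# Constructed captures: one compliant API response, one clean /metrics, two regressions.
SAMPLE = {
    "/api/findings": {"Access-Control-Allow-Origin": "https://reports.example.com",
                      "Access-Control-Allow-Methods": "GET,POST,DELETE,OPTIONS",
                      "Access-Control-Allow-Headers": "content-type,x-api-key",
                      "Access-Control-Max-Age": "120"},
    "/metrics": {"Content-Type": "text/plain"},
    "/health": {"Access-Control-Allow-Origin": "*"},
    "/api/acks": {"Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true"},
}
```

Calling audit_all(SAMPLE, {"https://reports.example.com"}) returns three findings: the leaked header on /health and the wildcard plus credentials pair on /api/acks.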

Install

helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.26

Upgrade an existing release:

helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.26

Enable CORS for browser clients (add to the daemon TOML mounted via the existing config ConfigMap):

[daemon.cors]
# Production: list each browser origin explicitly.
allowed_origins = [
    "https://reports.example.com",
    "https://gitlab.example.com",
]

# Development only (no credentials, browser-side only):
# allowed_origins = ["*"]

Generate a live HTML report against a port-forwarded daemon:

kubectl port-forward svc/perf-sentinel 4318:4318 &
perf-sentinel report --input traces.json --output report.html \
  --daemon-url http://localhost:4318
open report.html

The matching daemon release is v0.5.23; see those release notes for the application-side changes (the HTML live-mode UI in detail, the --daemon-url validator, the [daemon.cors] config surface, the CSP connect-src 'self' <url> directive, and the new docs/HTML-REPORT.md reference page).


View this release on Artifact Hub.