perf-sentinel chart v0.2.35
What's new in chart-v0.2.35
This is a metadata-only chart bump: appVersion advances from 0.6.2 to 0.7.0, the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.7.0, and the artifacthub.io/changes annotation refreshes to surface the disclosure pipeline and the autosigning fix on Artifact Hub. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret, no .perf-sentinel.toml review needed. The chart-v0.2.34 surface is preserved byte-for-byte.
The 0.7.0 daemon image is a feature release. It introduces the public periodic disclosure pipeline (disclose and verify-hash subcommands, in-toto v1 attestation sidecar, Sigstore signature, SLSA L2 binary provenance), surfaces per-service carbon attribution in GreenSummary when runtime calibration is available, and gates intent = "official" disclosures behind a 75% per-service coverage floor. The daemon process surface preserved by the chart (HTTP and gRPC OTLP routes, /metrics, /api/* JSON, ack store JSONL schema, ConfigMap and Secret schemas) is unchanged. Full release notes for the daemon at v0.7.0.
Breaking change in the daemon binary: perf-sentinel verify-hash now refuses to invoke cosign without --expected-identity and --expected-issuer (or explicit --no-identity-check). A scripted gate that invoked verify-hash on a 0.6.x report with no identity flags will return Status::Fail instead of TRUSTED until the consumer declares the expected signer. This closes the autosigning gap where any GitHub or Google account holder could forge a bundle claiming an identity. The chart itself does not exercise verify-hash, so a chart-level helm upgrade is metadata-only on every side, but a downstream pipeline that consumes published reports must add the identity flags before upgrading the daemon image.
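A pre-upgrade audit for the breaking change above, as an added example that is not part of the perf-sentinel project: it scans a pipeline script for `verify-hash` invocations and reports which ones lack the signer flags named in these notes. The status labels, the way the report path is passed, and the sample identity and issuer values are assumptions made for illustration.

```python
import shlex

REQUIRED = ("--expected-identity", "--expected-issuer")  # flag names from the release notes
OPT_OUT = "--no-identity-check"                          # explicit opt-out, also from the notes

def logical_lines(text):
    """Yield (first_line_number, command), joining backslash continuations."""
    buf, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        start = start if buf else number
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def audit(text):
    """Return (line, status, missing_flags) for each verify-hash invocation."""
    findings = []
    for number, command in logical_lines(text):
        try:
            tokens = shlex.split(command, comments=True)  # drops shell comments
        except ValueError:  # unbalanced quotes, e.g. a command embedded in YAML
            tokens = command.split()
        if "verify-hash" not in tokens:
            continue
        flags = {t.split("=", 1)[0] for t in tokens if t.startswith("--")}
        opted_out = OPT_OUT in flags
        missing = [] if opted_out else [f for f in REQUIRED if f not in flags]
        status = "identity-check-disabled" if opted_out else "missing-identity-flags" if missing else "ok"
        findings.append((number, status, missing))
    return findings

# Constructed sample pipeline script: the report argument and the identity
# and issuer values are assumptions, only the flag names come from the notes.
SAMPLE = r'''perf-sentinel verify-hash report.json
perf-sentinel verify-hash report.json \
  --expected-identity "https://github.com/example-org/example-repo/.github/workflows/disclose.yml@refs/heads/main" \
  --expected-issuer https://token.actions.githubusercontent.com
perf-sentinel verify-hash report.json --expected-issuer=https://accounts.google.com
# perf-sentinel verify-hash old.json
perf-sentinel verify-hash report.json --no-identity-check
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A line that chains several commands is treated as one invocation, so review any `ok` result on such a line by hand.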
Changed
- appVersion bumped from 0.6.2 to 0.7.0, default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.7.0.
- artifacthub.io/changes annotation refreshed to surface the disclosure pipeline and the autosigning fix on Artifact Hub.
- No chart-level config change. values.yaml, every template, the ServiceMonitor rendering, the NetworkPolicy rendering, the optional [daemon.ack] and [daemon.cors] plumbing, and the ack-toml-baseline mount are byte-for-byte identical to chart-v0.2.34.
Behavior
- Daemon binary side: public periodic disclosure pipeline. New disclose subcommand and [reporting] configuration section produce a period-level JSON report with deterministic content hashing. New [daemon.archive] configuration section writes per-window reports to a rotated NDJSON file that disclose aggregates. The chart's existing manifest surface is unchanged, no chart-side migration required.
- Daemon binary side: verify-hash subcommand for third-party verification of a published report. Combines deterministic content hash recompute, Sigstore signature verification via cosign verify-blob and SLSA L2 binary provenance check. Five distinct exit codes (TRUSTED, UNTRUSTED, PARTIAL, INPUT_ERROR, NETWORK_ERROR) allow a wrapper to distinguish tooling absence from a tamper attempt.
- Daemon binary side: [reporting] disclose_output_path is reserved for 0.8.0 (daemon-triggered periodic disclosures). Setting it today on a 0.7.0 daemon logs a WARN at startup, no functional effect. Operators producing periodic disclosures today must invoke perf-sentinel disclose --output from a CronJob, the chart does not yet ship a built-in CronJob template (planned alongside the 0.8.0 daemon).
- Per-service carbon attribution lands in GreenSummary when runtime calibration is available. per_service.{energy_kwh, carbon_kg, energy_source_model, measured_ratio} populate from the scoring stage, calibration_inputs.energy_source_models lists the distinct energy models observed, and period_coverage exposes the runtime-calibration coverage ratio as a first-class metric.
- No HTTP-shape change on the daemon side. Every /api/* route, every /metrics line, the OTLP HTTP and gRPC routes and every JSON shape are byte-for-byte identical to chart-v0.2.34 for already-clean inputs.
- No upgrade hook required, no on-disk migration. The runtime ack store JSONL schema is unchanged. Existing acks survive the upgrade.
Install
helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.35

Upgrade an existing release:

helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.35

The bump is metadata-only on the chart side, no .perf-sentinel.toml edit required, but a downstream pipeline that consumes published reports through perf-sentinel verify-hash needs to add --expected-identity and --expected-issuer before the upgraded daemon image rolls out.
Full Changelog: chart-v0.2.34...chart-v0.2.35