v0.7.0 — Health probes + Docker hardening

@nalyk nalyk released this 06 May 10:40
· 55 commits to main since this release
c0dea55

First release on the 0.7.x line. Bundles three PRs that landed today: #56 (chart guard CI tests), #57 (Dockerfile hardening + chart image.digest), and #60 (health probe split, addressing #46). Backward-compatible — /healthz stays alive as an alias of /readyz through the 0.7.x cycle; removal slated for 0.8.0.

Added

  • CI: negative tests for chart fail-loud guards (#48 / #56) — the validate job now runs helm template with six deliberately broken value sets and asserts each guard fires (non-zero exit + expected error substring). Includes the auth-validation.yaml guard from #58 (GHSA-8jr5-6gvj-rfpf).
  • chart/values.yaml documentation comment block listing all six guards, their source template, and the CI-matched error substring.
  • Dockerfile: HEALTHCHECK directive (#57) — plain Docker / Compose / Swarm deployments now get built-in liveness via wget /livez.
  • Helm chart: image.digest support (#57) — values.yaml + schema + deployment template accept an optional image.digest field that takes precedence over image.tag when set.
  • /livez endpoint (#46 / #60) — always returns 200 {"status":"ok"} regardless of session count. Intended for Kubernetes livenessProbe.
  • /readyz endpoint (#46 / #60) — returns 503 when session count reaches HEALTHZ_MAX_SESSIONS (>= comparison). Intended for Kubernetes readinessProbe.

Changed

  • Dockerfile: digest-pin base image (#57) — both FROM node:24-alpine stages now use @sha256:… digest pinning. Dependabot docker ecosystem keeps the pin current automatically.
  • Dockerfile: COPY --chown=node:node (#57) — replaces the RUN chown -R layer with native BuildKit ownership. USER node is set before npm ci so node_modules/ are owned by node:node by construction.
  • Dockerfile: HEALTHCHECK --start-period bumped to 10s (#57) — accommodates cold-start on constrained pods (resources.requests.cpu: 50m).
  • Helm chart probe defaults (#60) — probes.liveness.path now defaults to /livez, probes.readiness.path to /readyz.

Deprecated

  • /healthz (#60) — retained as alias of /readyz for backward compatibility. Will be removed in 0.8.0. Note: the alias inherits the new >= threshold semantic from /readyz (was > in 0.6.0). An operator at exactly HEALTHZ_MAX_SESSIONS sessions now sees 503 where 0.6.0 returned 200.
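
The probe split and the `>=` boundary change described above, as an added sketch (not the project's source code). The function names, the `getSessionCount` callback and the `/readyz` response bodies are assumptions; only the `/livez` body is documented in these notes.

```javascript
// Added illustration of the 0.7.0 probe semantics; not the project's code.

// /livez never depends on load, so a busy pod is not restarted by the
// liveness probe. /readyz and its deprecated alias /healthz fail once the
// session count reaches the limit (>=), which only takes the pod out of rotation.
function probeStatus(path, sessionCount, maxSessions) {
  switch (path) {
    case "/livez":
      return { code: 200, body: { status: "ok" } };
    case "/readyz":
    case "/healthz": // alias of /readyz, removal slated for 0.8.0
      return sessionCount >= maxSessions
        ? { code: 503, body: { status: "unavailable" } } // constructed body
        : { code: 200, body: { status: "ok" } };         // assumed body
    default:
      return { code: 404, body: { error: "not found" } };
  }
}

// 0.6.0 /healthz compared with a strict >; kept only to show the boundary.
function legacyHealthzCode(sessionCount, maxSessions) {
  return sessionCount > maxSessions ? 503 : 200;
}

// Session counts at which an unchanged /healthz check gets a different
// answer after upgrading from 0.6.0 to 0.7.0.
function changedBoundary(maxSessions) {
  const changed = [];
  for (let n = 0; n <= maxSessions + 1; n++) {
    const now = probeStatus("/healthz", n, maxSessions).code;
    if (now !== legacyHealthzCode(n, maxSessions)) changed.push(n);
  }
  return changed;
}

// Request handler usable with http.createServer(); getSessionCount is a
// hypothetical callback returning the current session count.
function probeHandler(getSessionCount, maxSessions) {
  return (req, res) => {
    const { pathname } = new URL(req.url, "http://localhost");
    const { code, body } = probeStatus(pathname, getSessionCount(), maxSessions);
    res.writeHead(code, { "Content-Type": "application/json" });
    res.end(JSON.stringify(body));
  };
}
```

For any limit, `changedBoundary` returns exactly one value, the limit itself, which is the case an alert or load-balancer check written against 0.6.0 needs to be re-tested for.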

Migration

  • /healthz consumers: existing checks continue to work through the 0.7.x cycle; switch to /readyz (or /livez for liveness specifically) before 0.8.0. Helm chart users get the migration automatically via the new probe defaults.
  • Existing Docker deployments: no change — USE_SSE=true is still the image default.
  • Threat-model context: see Discussion #59 for the auth × bind matrix and the substring-anchoring discipline that this release's CI tests follow.

Credits

@ecthelion77 — three substantial PRs in one day, every numbered review item delivered exactly, every nit voluntarily taken.