Merge branch 'master' into headers_encryption

spetz · web-flow · commit 6c2d6e1a7abe · 2026-03-28T13:57:10.000+01:00
diff --git a/.github/actions/utils/setup-helm-tools/action.yml b/.github/actions/utils/setup-helm-tools/action.yml
@@ -0,0 +1,67 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: setup-helm-tools
+description: Install pinned Helm and optionally kind for Helm chart CI jobs
+inputs:
+  install-kind:
+    description: "Whether to install kind in addition to Helm"
+    required: false
+    default: "false"
+  helm-version:
+    description: "Helm release version"
+    required: false
+    default: "v4.1.3"
+  helm-checksum:
+    description: "SHA256 checksum for the Helm tarball"
+    required: false
+    default: "02ce9722d541238f81459938b84cf47df2fdf1187493b4bfb2346754d82a4700"
+  kind-version:
+    description: "kind release version"
+    required: false
+    default: "v0.31.0"
+  kind-checksum:
+    description: "SHA256 checksum for the kind binary"
+    required: false
+    default: "eb244cbafcc157dff60cf68693c14c9a75c4e6e6fedaf9cd71c58117cb93e3fa"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Verify supported runner
+      shell: bash
+      run: |
+        set -euo pipefail
+        if [[ "${{ runner.os }}" != "Linux" || "${{ runner.arch }}" != "X64" ]]; then
+          echo "setup-helm-tools currently supports Linux X64 runners only" >&2
+          exit 1
+        fi
+
+    - name: Install Helm and optional kind
+      shell: bash
+      env:
+        HELM_VERSION: ${{ inputs.helm-version }}
+        HELM_CHECKSUM: ${{ inputs.helm-checksum }}
+        KIND_VERSION: ${{ inputs.kind-version }}
+        KIND_CHECKSUM: ${{ inputs.kind-checksum }}
+      run: |
+        set -euo pipefail
+        args=()
+        if [[ "${{ inputs.install-kind }}" == "true" ]]; then
+          args+=(--install-kind)
+        fi
+        scripts/ci/setup-helm-tools.sh "${args[@]}"
diff --git a/.github/config/components.yml b/.github/config/components.yml
@@ -373,6 +373,11 @@ components:
       - "web/**"
     tasks: ["lint", "build"]
 
+  helm:
+    paths:
+      - "helm/**"
+    tasks: ["validate", "smoke"]
+
   rust-bench-dashboard:
     paths:
       - "core/bench/dashboard/**"
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -192,6 +192,29 @@ jobs:
             npm run build
           fi
 
+      # Helm chart testing
+      - name: Setup Helm test tools
+        if: inputs.component == 'helm' && (inputs.task == 'validate' || inputs.task == 'smoke')
+        uses: ./.github/actions/utils/setup-helm-tools
+        with:
+          install-kind: ${{ inputs.task == 'smoke' }}
+
+      - name: Setup Helm smoke cluster
+        if: inputs.component == 'helm' && inputs.task == 'smoke'
+        run: scripts/ci/setup-helm-smoke-cluster.sh
+
+      - name: Validate Helm chart
+        if: inputs.component == 'helm' && inputs.task == 'validate'
+        run: scripts/ci/test-helm.sh validate
+
+      - name: Smoke test Helm chart runtime
+        if: inputs.component == 'helm' && inputs.task == 'smoke'
+        run: scripts/ci/test-helm.sh smoke --cleanup
+
+      - name: Collect Helm smoke diagnostics
+        if: failure() && inputs.component == 'helm' && inputs.task == 'smoke'
+        run: scripts/ci/test-helm.sh collect-smoke-diagnostics
+
       # CI workflow validation
       - name: Validate CI workflows
         if: inputs.component == 'ci-workflows' && inputs.task == 'validate'
diff --git a/helm/charts/iggy/README.md b/helm/charts/iggy/README.md
@@ -89,7 +89,7 @@ helm uninstall iggy
 | `server.enabled` | bool | `true` | Enable the Iggy server deployment |
 | `server.replicaCount` | int | `1` | Number of server replicas |
 | `server.image.repository` | string | `"apache/iggy"` | Server image repository |
-| `server.image.tag` | string | `""` | Server image tag (defaults to chart appVersion) |
+| `server.image.tag` | string | `"0.7.0"` | Server image tag |
 | `server.ports.http` | int | `3000` | HTTP API port |
 | `server.ports.tcp` | int | `8090` | TCP protocol port |
 | `server.ports.quic` | int | `8080` | QUIC protocol port |
@@ -135,6 +135,83 @@ helm uninstall iggy
 | `ui.securityContext` | object | `{}` | UI container security context |
 | `ui.podSecurityContext` | object | `{}` | UI pod security context |
 
+## Testing
+
+The chart CI paths are also available locally from the repository root.
+
+### Render Validation
+
+If `helm` is already installed locally:
+
+```bash
+scripts/ci/test-helm.sh validate
+```
+
+If you want the pinned Linux CI tool version instead:
+
+```bash
+scripts/ci/setup-helm-tools.sh
+scripts/ci/test-helm.sh validate
+```
+
+This runs `helm lint --strict` plus the CI render scenarios, including:
+
+* default chart output
+* all-features render
+* legacy Kubernetes 1.18 API coverage
+* server-only render
+* UI-only render
+* existing-secret render
+
+### Runtime Smoke Test
+
+The smoke path requires `helm`, `kind`, `kubectl`, and `curl`.
+
+Before running the local smoke path, keep these common gotchas in mind:
+
+* the Iggy server requires working `io_uring` support from the Kubernetes node/kernel/runtime
+* the server also needs enough available memory and locked-memory headroom during startup
+* `scripts/ci/test-helm.sh cleanup-smoke` removes the Helm release and smoke namespace, but it does not delete the reusable kind cluster created by `scripts/ci/setup-helm-smoke-cluster.sh`
+
+If `helm` and `kind` are already installed:
+
+```bash
+scripts/ci/setup-helm-smoke-cluster.sh
+scripts/ci/test-helm.sh smoke --cleanup
+```
+
+If you want the pinned Linux CI tool versions:
+
+```bash
+scripts/ci/setup-helm-tools.sh --install-kind
+scripts/ci/setup-helm-smoke-cluster.sh
+scripts/ci/test-helm.sh smoke --cleanup
+```
+
+If a previous local smoke install failed and left resources behind, reset the smoke namespace with:
+
+```bash
+scripts/ci/test-helm.sh cleanup-smoke
+```
+
+On Apple Silicon hosts, the released `apache/iggy:0.7.0` `arm64` image may still fail during the runtime smoke path in kind. If your Docker setup supports amd64 emulation well enough, you can try recreating the dedicated smoke cluster with:
+
+```bash
+HELM_SMOKE_KIND_PLATFORM=linux/amd64 scripts/ci/setup-helm-smoke-cluster.sh
+```
+
+The smoke script defaults `IGGY_SYSTEM_SHARDING_CPU_ALLOCATION=1` for the server pod so the local kind path avoids the chart's `numa:auto` default and keeps the local runtime to a single shard, which has been more reliable on containerized local nodes. If you need a different local override, set `HELM_SMOKE_SERVER_CPU_ALLOCATION` before running `scripts/ci/test-helm.sh smoke`. Pass `--cleanup` to remove the smoke namespace after a successful run; omit it if you want to inspect the deployed resources.
+
+On smoke-test failures you can collect the same diagnostics as CI with:
+
+```bash
+scripts/ci/test-helm.sh collect-smoke-diagnostics
+```
+
+> **Note:** `scripts/ci/setup-helm-tools.sh` currently supports Linux `x86_64` only.
+> On other local platforms, install equivalent `helm` and `kind` binaries yourself and then use the same scripts above.
+> The runtime smoke test may still fail on some local/containerized clusters if the node/kernel does not provide the `io_uring` support required by the server runtime even after the local sharding override, or if the local environment does not provide enough memory for the server to initialize cleanly.
+
 ## Troubleshooting
 
 ### Pod CrashLoopBackOff with "Out of memory" error
diff --git a/helm/charts/iggy/templates/hpa.yaml b/helm/charts/iggy/templates/hpa.yaml
@@ -14,9 +14,8 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-
-{{ if .Values.autoscaling.enabled }}
-{{- if .Capabilities.APIVersions.Has "autoscaling/v2" -}}
+{{ if .Values.autoscaling.enabled -}}
+{{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: autoscaling/v2
 {{- else -}}
 apiVersion: autoscaling/v2beta2
@@ -38,24 +37,24 @@ spec:
     - type: Resource
       resource:
         name: cpu
-        {{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}
+        {{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }}
         target:
           type: Utilization
           averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
         {{- else }}
-          targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
         {{- end }}
     {{- end }}
     {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
     - type: Resource
       resource:
         name: memory
-        {{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}
+        {{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }}
         target:
           type: Utilization
           averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
         {{- else }}
-          targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
         {{- end }}
     {{- end }}
 {{- end }}
diff --git a/helm/charts/iggy/templates/ingress.yaml b/helm/charts/iggy/templates/ingress.yaml
@@ -14,8 +14,6 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-
-
 {{ if .Values.server.ingress.enabled -}}
 {{ $fullName := include "iggy.fullname" . -}}
 {{ $svcPort := .Values.server.service.port -}}
@@ -24,11 +22,11 @@
   {{- $_ := set .Values.server.ingress.annotations "kubernetes.io/ingress.class" .Values.server.ingress.className}}
   {{- end }}
 {{- end }}
-{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
-{{- else }}
+{{- else -}}
 apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
@@ -77,8 +75,6 @@ spec:
           {{- end }}
     {{- end }}
 {{- end }}
-
-
 {{ if .Values.ui.ingress.enabled -}}
 ---
 {{ $fullName := include "iggy.fullname" . -}}
@@ -97,7 +93,7 @@ apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}
+  name: {{ $fullName }}-ui
   labels:
     {{- include "iggy.labels" . | nindent 4 }}
   {{- with .Values.ui.ingress.annotations }}
diff --git a/scripts/ci/setup-helm-smoke-cluster.sh b/scripts/ci/setup-helm-smoke-cluster.sh
diff --git a/scripts/ci/setup-helm-tools.sh b/scripts/ci/setup-helm-tools.sh
diff --git a/scripts/ci/test-helm.sh b/scripts/ci/test-helm.sh
