What's new in chart-v0.2.31
This is a daemon-version-only chart bump: appVersion advances from 0.5.27 to 0.5.28, the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.5.28, and the artifacthub.io/images annotation is updated in lockstep so the Artifact Hub listing advertises the matching image. A new artifacthub.io/changes annotation surfaces the breaking signature change carried by the 0.5.28 daemon image directly on the registry listing. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret. The chart-v0.2.30 surface is preserved byte-for-byte.
The 0.5.28 daemon image lands one breaking change and three substantive payloads. The finding signature prefix moves from 16 hex chars (~64 bits) to 32 hex chars (~128 bits) for collision resistance. Re-acknowledgement is required after upgrade: pre-existing .perf-sentinel-acknowledgments.toml entries no longer match findings produced by 0.5.28, and the daemon JSONL ack store drops legacy-width entries during the startup replay with a single WARN carrying the dropped count and the new width. From a chart perspective, this is the only operator-visible action item: plan a one-shot re-ack pass before rolling the daemon upgrade in environments that rely on persistent acknowledgements. The chart's optional [daemon.ack] ConfigMap-and-Secret plumbing is unchanged, the acks.jsonl file remains in place across the upgrade and the daemon rewrites it atomically on first start.
The embedded SPECpower table grows from 187 to 318 entries to cover the modern cloud lineup absent from the frozen 2023-05-01 Cloud Carbon Footprint snapshot. AWS m7i, c7i, r7i, m7a, c7a, m6a, c6a, m7g, c7g, m8g, c8g. GCP c3, c3d, c4, c4d, n2d, t2a. Azure Standard_Dv6, Standard_Dadsv6, Standard_Dpsv6 (Cobalt 100), Standard_Ev6. Bare metal xeon-6780e (Sierra Forest, 1-chip system level). Energy values for instances already in the table at 0.5.27 are unchanged. AWS PROVIDER_DEFAULTS deliberately stays on m5.large (2.0 / 20.0) to preserve the waste signal across the methodology shift between vintages, the Azure default bumps to Standard_D2s_v6 (1.1 / 6.4) since v4 to v6 are methodologically homogeneous. The methodology shift is documented at docs/LIMITATIONS.md "Two data vintages, two methodologies" alongside explicit +/-40% uncertainty bounds for Genoa (n=1), Graviton 3/4, Cobalt 100, and Ampere Altra. From a chart perspective, this is fully transparent: cloud-energy reporting now resolves modern instance types correctly without any chart-side knob.
SpanEvent and NormalizedEvent migrate seven repeated string fields from String to Arc<str> so the daemon stops re-allocating identical service names, code locations, and instrumentation scopes across spans of the same Resource block. The OTLP ingest hoists the per-Resource service_name and cloud_region Arc<str> to the resource_spans level and clones the shared buffer per span, the Jaeger ingest builds a per-trace process_id to Arc<str> map. For a typical 10K-span batch sharing one service in one Resource block, this collapses 10K allocations to one. The serde wire format is unchanged, the Finding and FindingResponse JSON shapes returned by the /api/findings route are byte-for-byte identical to chart-v0.2.30 for already-clean inputs.
The TUI gains a Correlations to Detail jump (Enter on a Correlations row in perf-sentinel query inspect jumps to Detail for the row's sample_trace_id, with three intentional silent no-op cases) and a small drill-down refactor that routes the legacy Findings drill-down and the new Correlations binding through one shared helper. The CLI-side SonarCloud cleanup pass extracts two helpers from the daemon ack store (tighten_parent_dir_perms, apply_replay_entry) so cognitive complexity stays below the project's quality gate, and adds explicit expect() assertions to the Playwright stills and tour suites. Both are invisible from the daemon HTTP API.
The HTTP API surface, the v0.5.21 ack Prometheus counters, the v0.5.23 [daemon.cors] config section, the v0.5.25 Scaphandre scrape counters on /metrics, the v0.5.26 deprecation warnings for the eight legacy flat keys, the v0.5.27 hardening (O_NOFOLLOW on CLI write paths, terminal-injection-safe error messages, ack file 0700 parent dir on Unix, mixed-content / wildcard-CORS / --auth-header operator WARNs), the ServiceMonitor rendering, the NetworkPolicy rendering, and the optional [daemon.ack] ConfigMap-and-Secret plumbing all keep their prior contracts. A helm upgrade from chart-v0.2.30 to chart-v0.2.31 is metadata-only on the chart side, the breaking change lives entirely in the daemon image and triggers a re-ack pass for environments using persistent acknowledgements.
Changed
appVersionbumped from0.5.27to0.5.28, defaultimage.tagnow resolves toghcr.io/robintra/perf-sentinel:0.5.28. Theartifacthub.io/imagesannotation tracks the bump.artifacthub.io/changesannotation populated for the breaking signature width change carried by the 0.5.28 daemon image, so chart consumers see the upgrade caveat directly on the Artifact Hub listing.- No chart-level config change.
values.yaml, every template, theServiceMonitorrendering, theNetworkPolicyrendering, the optional[daemon.ack]ConfigMap-and-Secret plumbing, the optional[daemon.cors]plumbing, and theack-toml-baselinemount are byte-for-byte identical to chart-v0.2.30.
Behavior
- Breaking, daemon side: finding signature prefix width 16 hex to 32 hex chars (~64 to ~128 bits collision resistance). Pre-existing TOML acks no longer match findings produced by 0.5.28, daemon JSONL ack store legacy entries are dropped on startup replay with a
WARNcarrying the dropped count and the new width. Plan a one-shot re-ack pass before rolling the upgrade in environments that rely on persistent acknowledgements. The chart's optional[daemon.ack]ConfigMap-and-Secret plumbing is unchanged, no template tweak required. - No HTTP-shape change on the daemon side. The three ack endpoints, the ack
/metricscounters, the Scaphandre scrape counters, the/api/findings,/api/status,/api/correlations,/api/explain/*,/api/export/reportroutes, and every other route keep their v0.5.27 status codes and JSON shapes. Only thesignaturefield width changes for users in theFindingpayload,FindingResponseshape is byte-for-byte identical for already-clean inputs. - No upgrade hook required, no on-disk migration besides the legacy ack drop on first replay. The runtime ack store JSONL schema is unchanged, the daemon replays and atomically rewrites
acks.jsonlat startup as it did before, dropping legacy-width entries with a single startupWARN. - Cloud energy resolution now covers Sapphire Rapids, Emerald Rapids, Granite Rapids, Genoa, Bergamo, Turin, Graviton 3 and 4, Cobalt 100, and Sierra Forest through 131 new SPECpower entries. Reports for deployments on these instance families stop falling back to the Cascade Lake provider default. Cloud energy values for instances already covered at 0.5.27 are unchanged.
Install
helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.31Upgrade an existing release:
helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.31Plan a re-acknowledgement pass before rolling the upgrade in environments that rely on persistent acknowledgements. The legacy 16-hex acks no longer match findings produced by 0.5.28, and the daemon ack store drops them at startup with a WARN. Re-issuing each acknowledgement once is enough, the new 32-hex signatures are stable across subsequent restarts.
See docs/ACKNOWLEDGMENTS.md for the canonical signature input shape and the post-upgrade re-ack walkthrough.
Full Changelog: chart-v0.2.30...chart-v0.2.31