What's new in chart-v0.2.33
This is a daemon-version-only chart bump: appVersion advances from 0.6.0 to 0.6.1 and the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.6.1. The .perf-sentinel.toml ConfigMap the daemon loads may need a one-line review before the rollout (see Behavior); no edit is required unless it combines wildcard CORS with an API key. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret. The chart-v0.2.32 surface is preserved byte-for-byte.
The 0.6.1 daemon image is a hardening release. No public API break, no behavior change for already-clean inputs. An internal multi-reviewer audit drives a security tightening across CORS, the CI ack TOML loader, the SARIF result body and the OTLP gRPC listener. Hot-path tightening lands across the detection and scoring stages, and dependencies move to the latest patch lines.
For chart consumers, only one item is operator-visible: a .perf-sentinel.toml that combines [daemon.cors] allowed_origins = ["*"] with a non-empty [daemon.ack] api_key now hard-fails at daemon startup with a clear ConfigError::Validation message, where 0.6.0 only emitted a startup WARN. The reason: the X-API-Key header is not a browser-managed credential, so allow_credentials = false does nothing to gate it, and wildcard CORS plus an API key lets a page on any origin replay a captured key against the ack endpoints. Operators who want wildcard CORS for development must unset api_key before the rollout; everyone else should replace the wildcard with an explicit origin list. The mixed-explicit-and-wildcard check in place since 0.5.27 is unchanged, and so is the chart's daemon.config plumbing.
The other 0.6.1 security items are internal hardening that does not change the chart-rendered surface. acknowledgments::load_from_file now refuses to follow symlinks on the CI baseline TOML path, mirroring the daemon JSONL store discipline introduced in 0.5.27. The SARIF result body and logical locations now pass through the BiDi and invisible-format-character sanitizer that was already covering the ack metadata path, so a hostile span emitting an RLO-laden service.name no longer renders mirrored in GitHub or GitLab code-scanning UIs. The OTLP gRPC listener caps HTTP/2 concurrent streams at 256 per connection through tonic's max_concurrent_streams and concurrency_limit_per_connection, bounding the blast radius of a misbehaving client on non-loopback binds. None of these change the daemon HTTP API, the /metrics shape, the OTLP HTTP and gRPC routes or the chart-rendered ConfigMap and Secret schemas.
The hot-path tightening is invisible from the chart. chatty detection now runs in a single pass over each trace's HTTP-out spans, serialized detection sorts via sort_unstable_by_key, the HTTP query-param vec is pre-sized from the ampersand count, the avoidable-finding dedup HashMap capacity matches the avoidable-finding count instead of the total finding count, and exemplar sanitization in report::metrics returns Cow<'_, str> so already-clean trace IDs skip the allocation. Throughput on the streaming daemon path improves marginally on cardinality-heavy workloads; there is no operator-visible change.
The 0.6.1 dependency bumps are opentelemetry-proto 0.31 to 0.32, tonic 0.14.5 to 0.14.6 and tokio 1.52.2 to 1.52.3. The OTel-proto bump adds KeyValue::key_strindex for the OTel Profiling signal; internal test sites are updated for forward compatibility, and the wire format on the OTLP routes is unchanged.
The HTTP API surface, the v0.5.21 ack Prometheus counters, the v0.5.23 [daemon.cors] config section, the v0.5.25 Scaphandre scrape counters on /metrics, the v0.5.27 hardening, the v0.5.28 32-hex finding signature, the ServiceMonitor rendering, the NetworkPolicy rendering, and the optional [daemon.ack] ConfigMap-and-Secret plumbing all keep their prior contracts. A helm upgrade from chart-v0.2.32 to chart-v0.2.33 is metadata-only on the chart side. The only daemon-side validation tightening that can block a rollout is the CORS-wildcard-plus-api_key combination described above, and only when the operator has both set together.
Changed
- `appVersion` bumped from `0.6.0` to `0.6.1`, default `image.tag` now resolves to `ghcr.io/robintra/perf-sentinel:0.6.1`. `artifacthub.io/changes` annotation refreshed to surface the 0.6.1 security and performance items on Artifact Hub. The chart-v0.2.32 listing was left at the 0.5.28 signature-width text by mistake; this release fixes that drift.
- No chart-level config change. `values.yaml`, every template, the `ServiceMonitor` rendering, the `NetworkPolicy` rendering, the optional `[daemon.ack]` ConfigMap-and-Secret plumbing, the optional `[daemon.cors]` plumbing, and the `ack-toml-baseline` mount are byte-for-byte identical to chart-v0.2.32.
Behavior
- Daemon side: `[daemon.cors] allowed_origins = ["*"]` combined with a non-empty `[daemon.ack] api_key` is now rejected at config load. A `.perf-sentinel.toml` shipped through the chart's `daemon.config` ConfigMap that has both set will fail daemon startup with a `ConfigError::Validation` message naming both fields. Either drop the wildcard for an explicit origin list, or unset `api_key`. Affects only the combination: wildcard-without-api_key and explicit-origins-with-api_key keep working as before.
- Daemon side: `acknowledgments::load_from_file` refuses to follow symlinks on the CI baseline TOML path mounted via the optional `ack-toml-baseline` ConfigMap. A hostile pre-planted symlink in the mount path now fails the daemon load loudly rather than silently redirecting the read. Standard ConfigMap mounts are not symlinks at the file level, so this is invisible in chart deployments unless a custom volume override re-routes the path through a symlink farm.
- Daemon side: SARIF result body strips BiDi and invisible-format characters from the message and logical locations, in addition to the ack metadata path that was already sanitized in 0.5.27. A hostile span emitting `service.name = "alice<RLO>@evil"` no longer renders mirrored in GitHub or GitLab code-scanning UIs.
- Daemon side: OTLP gRPC listener caps HTTP/2 concurrent streams at 256 per connection. No effect on legitimate OTLP exporters batching spans; bounds the blast radius of a misbehaving client on non-loopback binds.
- No HTTP-shape change on the daemon side. Every ack endpoint, every `/api/*` route, every `/metrics` line, the OTLP HTTP and gRPC routes and every JSON shape are byte-for-byte identical to chart-v0.2.32 for already-clean inputs.
- No upgrade hook required, no on-disk migration. The runtime ack store JSONL schema is unchanged, the 32-hex signatures introduced in 0.5.28 carry over byte-for-byte. Existing acks survive the upgrade.
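The BiDi and invisible-format sanitizer behind the SARIF item above, as an added example in Rust (example code, not the daemon's implementation; the exact character set, the `sarif_result` layout and the `json_escape` helper are assumptions made for the illustration). It returns `Cow<'_, str>` so already-clean input skips the allocation, the same shape the exemplar path in `report::metrics` uses, and then embeds the sanitized `service.name` in a minimal SARIF result so the mirrored `alice<RLO>@evil` case can be seen stripped.

```rust
use std::borrow::Cow;

/// Unicode format characters that can reorder or hide rendered text: explicit
/// BiDi embeddings and overrides, isolates, directional marks, zero-width
/// joiners and the BOM. A `service.name` carrying U+202E (RLO) renders
/// mirrored in a code-scanning UI. The set is an assumption for this example.
fn is_invisible_format(c: char) -> bool {
    matches!(
        c,
        '\u{061C}' |                // ARABIC LETTER MARK
        '\u{200B}'..='\u{200F}' |   // ZWSP, ZWNJ, ZWJ, LRM, RLM
        '\u{202A}'..='\u{202E}' |   // LRE, RLE, PDF, LRO, RLO
        '\u{2060}'..='\u{2064}' |   // WORD JOINER and invisible operators
        '\u{2066}'..='\u{2069}' |   // LRI, RLI, FSI, PDI
        '\u{FEFF}'                  // ZERO WIDTH NO-BREAK SPACE / BOM
    )
}

/// Strips the characters above. Returns `Cow::Borrowed` for clean input so the
/// hot path (most trace IDs, most service names) does not allocate; only
/// hostile or unusual input pays for a new `String`.
pub fn sanitize(input: &str) -> Cow<'_, str> {
    if input.chars().any(is_invisible_format) {
        Cow::Owned(input.chars().filter(|c| !is_invisible_format(*c)).collect())
    } else {
        Cow::Borrowed(input)
    }
}

/// Minimal JSON string escaping (RFC 8259 section 7) so the sanitized value
/// can be embedded without pulling in a JSON library.
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// One SARIF `result` object (message text plus a logical location) built from
/// untrusted span attributes. The layout is an illustration, not the daemon's
/// real SARIF schema; every untrusted string passes through `sanitize` first.
pub fn sarif_result(rule_id: &str, service_name: &str, message: &str) -> String {
    let name = sanitize(service_name);
    let text = sanitize(message);
    format!(
        "{{\"ruleId\":{},\"message\":{{\"text\":{}}},\"locations\":[{{\"logicalLocations\":[{{\"name\":{},\"kind\":\"service\"}}]}}]}}",
        json_escape(rule_id),
        json_escape(&text),
        json_escape(&name)
    )
}

fn main() {
    // Constructed hostile span: the RLO after "alice" mirrors everything after it on screen.
    let hostile = "alice\u{202E}live.ta@";
    println!("{}", sarif_result("chatty-http", hostile, "12 HTTP calls in one trace"));
    let clean: Cow<str> = sanitize("checkout-api");
    println!("clean input borrowed, no allocation: {}", matches!(clean, Cow::Borrowed(_)));
}
```

Stripping rather than escaping is the right call for a code-scanning sink: an escaped `\u202e` still reaches the viewer, and some UIs render it. The test that matters is the one on the final serialized result, not on the intermediate string.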
Install
```shell
helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.33
```
Upgrade an existing release:
```shell
helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.33
```
If your `.perf-sentinel.toml` ConfigMap combines `[daemon.cors] allowed_origins = ["*"]` with a non-empty `[daemon.ack] api_key`, edit it before rolling the upgrade. Either replace the wildcard with an explicit origin list or unset `api_key`. Otherwise the bump is metadata-only on the chart side.
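What the two 0.6.1 load-time checks do, as an added example in Rust (not perf-sentinel's own code; the struct field names, the `ConfigError` shape, the `open_nofollow` flag handling and the `demo_fixture` helper are assumptions made for the illustration). `validate` models the startup rejection of wildcard CORS plus a non-empty `api_key` next to the older mixed-origins check, and `load_from_file` models the CI-baseline read that refuses a pre-planted symlink. The baseline file and the symlink are constructed in a temp directory so the block runs offline.

```rust
use std::fs;
use std::path::{Path, PathBuf};

// Field names are assumptions about how the [daemon.cors] and [daemon.ack]
// tables deserialize; they are not perf-sentinel's real types.
#[derive(Debug, Clone, Default)]
pub struct CorsConfig { pub allowed_origins: Vec<String>, pub allow_credentials: bool }
#[derive(Debug, Clone, Default)]
pub struct AckConfig { pub api_key: Option<String> }
#[derive(Debug, Clone, Default)]
pub struct DaemonConfig { pub cors: CorsConfig, pub ack: AckConfig }
#[derive(Debug, Clone, PartialEq)]
pub enum ConfigError { Validation(String), Io(String) }

impl DaemonConfig {
    /// Startup validation. "*" is accepted only as the sole origin (the 0.5.27
    /// mixed check) and only when no ack API key is set (the 0.6.1 check).
    /// X-API-Key travels in a request header, not as a cookie, so
    /// `allow_credentials = false` does not stop a page on an arbitrary origin
    /// from sending a key it has captured.
    pub fn validate(&self) -> Result<(), ConfigError> {
        let origins = &self.cors.allowed_origins;
        let wildcard = origins.iter().any(|o| o == "*");
        if wildcard && origins.len() > 1 {
            return Err(ConfigError::Validation(
                "daemon.cors.allowed_origins mixes \"*\" with explicit origins".into(),
            ));
        }
        let api_key_set = self.ack.api_key.as_deref().map_or(false, |k| !k.is_empty());
        if wildcard && api_key_set {
            return Err(ConfigError::Validation(
                "daemon.cors.allowed_origins = [\"*\"] cannot be combined with a non-empty \
                 daemon.ack.api_key; use an explicit origin list or unset api_key".into(),
            ));
        }
        Ok(())
    }
}

fn open_nofollow(path: &Path) -> std::io::Result<fs::File> {
    let mut opts = fs::OpenOptions::new();
    opts.read(true);
    // O_NOFOLLOW (0o400000 on Linux): the open itself fails with ELOOP when the
    // final path component is a symlink, closing the lstat-then-open race window.
    #[cfg(target_os = "linux")]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.custom_flags(0o400000);
    }
    opts.open(path)
}

/// Reads the CI ack baseline without following a symlink at `path`, so a
/// pre-planted link cannot silently redirect the read to another file.
pub fn load_from_file(path: &Path) -> Result<String, ConfigError> {
    let io_err = |e: std::io::Error| ConfigError::Io(format!("{}: {e}", path.display()));
    let meta = fs::symlink_metadata(path).map_err(io_err)?;
    if meta.file_type().is_symlink() {
        return Err(ConfigError::Validation(format!(
            "{}: is a symlink, refusing to follow it", path.display()
        )));
    }
    let mut file = open_nofollow(path).map_err(io_err)?;
    let mut contents = String::new();
    std::io::Read::read_to_string(&mut file, &mut contents).map_err(io_err)?;
    Ok(contents)
}

/// Constructed fixture: a real baseline file and a symlink pointing at it.
#[cfg(unix)]
pub fn demo_fixture() -> std::io::Result<(PathBuf, PathBuf, PathBuf)> {
    let dir = std::env::temp_dir().join(format!("ps-baseline-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let real = dir.join("baseline.toml");
    fs::write(&real, "# constructed baseline; contents are irrelevant to the check\n")?;
    let link = dir.join("baseline-link.toml");
    let _ = fs::remove_file(&link);
    std::os::unix::fs::symlink(&real, &link)?;
    Ok((dir, real, link))
}

fn main() {
    let key = AckConfig { api_key: Some("s3cr3t".into()) };
    let star = CorsConfig { allowed_origins: vec!["*".into()], allow_credentials: false };
    let explicit = CorsConfig {
        allowed_origins: vec!["https://grafana.example.internal".into()],
        allow_credentials: false,
    };
    let cases = [
        ("dev: wildcard, no key", DaemonConfig { cors: star.clone(), ack: AckConfig::default() }),
        ("wildcard + key", DaemonConfig { cors: star, ack: key.clone() }),
        ("explicit + key", DaemonConfig { cors: explicit, ack: key }),
    ];
    for (name, cfg) in &cases {
        println!("{name}: {:?}", cfg.validate());
    }
    #[cfg(unix)]
    if let Ok((dir, real, link)) = demo_fixture() {
        println!("real file: {:?}", load_from_file(&real).map(|s| s.len()));
        println!("symlink:   {:?}", load_from_file(&link).map(|s| s.len()));
        let _ = fs::remove_dir_all(dir);
    }
}
```

The lstat check gives the operator a readable error; the `O_NOFOLLOW` open is what actually closes the race if something swaps the path between the two calls. A ConfigMap mount is a regular file at the leaf, so in a stock chart deployment neither path triggers.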
Full Changelog: chart-v0.2.32...chart-v0.2.33