perf-sentinel chart v0.2.35

one month ago

What's new in chart-v0.2.35

This is a metadata-only chart bump: appVersion advances from 0.6.2 to 0.7.0, the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.7.0, and the artifacthub.io/changes annotation refreshes to surface the disclosure pipeline and the autosigning fix on Artifact Hub. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret, no .perf-sentinel.toml review needed. The chart-v0.2.34 surface is preserved byte-for-byte.

The 0.7.0 daemon image is a feature release. It introduces the public periodic disclosure pipeline (disclose and verify-hash subcommands, in-toto v1 attestation sidecar, Sigstore signature, SLSA L2 binary provenance), surfaces per-service carbon attribution in GreenSummary when runtime calibration is available, and gates intent = "official" disclosures behind a 75% per-service coverage floor. The daemon process surface preserved by the chart (HTTP and gRPC OTLP routes, /metrics, /api/* JSON, ack store JSONL schema, ConfigMap and Secret schemas) is unchanged. Full release notes for the daemon at v0.7.0.

Breaking change in the daemon binary: perf-sentinel verify-hash now refuses to invoke cosign without --expected-identity and --expected-issuer (or explicit --no-identity-check). A scripted gate that invoked verify-hash on a 0.6.x report with no identity flags will return Status::Fail instead of TRUSTED until the consumer declares the expected signer. This closes the autosigning gap where any GitHub or Google account holder could forge a bundle claiming an identity. The chart itself does not exercise verify-hash, so a chart-level helm upgrade is metadata-only on every side, but a downstream pipeline that consumes published reports must add the identity flags before upgrading the daemon image.

Changed

  • appVersion bumped from 0.6.2 to 0.7.0, default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.7.0.
  • artifacthub.io/changes annotation refreshed to surface the disclosure pipeline and the autosigning fix on Artifact Hub.
  • No chart-level config change. values.yaml, every template, the ServiceMonitor rendering, the NetworkPolicy rendering, the optional [daemon.ack] and [daemon.cors] plumbing, and the ack-toml-baseline mount are byte-for-byte identical to chart-v0.2.34.

Behavior

  • Daemon binary side: public periodic disclosure pipeline. The new disclose subcommand and [reporting] configuration section produce a period-level JSON report with deterministic content hashing. The new [daemon.archive] configuration section writes per-window reports to a rotated NDJSON file that disclose aggregates. The chart's existing manifest surface is unchanged; no chart-side migration is required.
  • Daemon binary side: verify-hash subcommand for third-party verification of a published report. Combines deterministic content hash recompute, Sigstore signature verification via cosign verify-blob and SLSA L2 binary provenance check. Five distinct exit codes (TRUSTED, UNTRUSTED, PARTIAL, INPUT_ERROR, NETWORK_ERROR) allow a wrapper to distinguish tooling absence from a tamper attempt.
  • Daemon binary side: [reporting] disclose_output_path is reserved for 0.8.0 (daemon-triggered periodic disclosures). Setting it today on a 0.7.0 daemon logs a WARN at startup and has no functional effect. Operators producing periodic disclosures today must invoke perf-sentinel disclose --output from a CronJob; the chart does not yet ship a built-in CronJob template (planned alongside the 0.8.0 daemon).
  • Per-service carbon attribution lands in GreenSummary when runtime calibration is available. per_service.{energy_kwh, carbon_kg, energy_source_model, measured_ratio} populate from the scoring stage, calibration_inputs.energy_source_models lists the distinct energy models observed, and period_coverage exposes the runtime-calibration coverage ratio as a first-class metric.
  • No HTTP-shape change on the daemon side. Every /api/* route, every /metrics line, the OTLP HTTP and gRPC routes and every JSON shape are byte-for-byte identical to chart-v0.2.34 for already-clean inputs.
  • No upgrade hook required, no on-disk migration. The runtime ack store JSONL schema is unchanged. Existing acks survive the upgrade.

Install

helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.35

Upgrade an existing release:

helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.35

The bump is metadata-only on the chart side, no .perf-sentinel.toml edit required, but a downstream pipeline that consumes published reports through perf-sentinel verify-hash needs to add --expected-identity and --expected-issuer before the upgraded daemon image rolls out.
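
An added example, not part of the release notes or the project's code: a pre-upgrade scan that lists the verify-hash invocations in a pipeline script that lack --expected-identity or --expected-issuer (these fail on the 0.7.0 image) or that opt out with --no-identity-check. The sample script, the report.json positional argument and the $SIGNER/$ISSUER variables are constructed for illustration; only the subcommand and the three flag names come from the text above.

```python
import re
import shlex

REQUIRED = ("--expected-identity", "--expected-issuer")
OPT_OUT = "--no-identity-check"
SEPARATORS = {"&&", "||", ";", "|"}

# Constructed sample script; passing the report as "report.json" is an assumption.
SAMPLE = """\
perf-sentinel verify-hash report.json
perf-sentinel verify-hash report.json \\
  --expected-identity "$SIGNER" \\
  --expected-issuer "$ISSUER"
perf-sentinel verify-hash report.json --expected-issuer "$ISSUER" && echo ok
# perf-sentinel verify-hash report.json
/usr/local/bin/perf-sentinel verify-hash report.json --no-identity-check
"""

def logical_lines(text):
    """Yield (first_line_number, command), joining backslash continuations."""
    num = 1
    for chunk in re.split(r"(?<!\\)\n", text):
        yield num, chunk.replace("\\\n", " ")
        num += chunk.count("\n") + 1

def has_flag(args, flag):
    return any(a == flag or a.startswith(flag + "=") for a in args)

def audit(text):
    """Return (line, verdict) for each verify-hash call without both identity flags."""
    findings = []
    for num, cmd in logical_lines(text):
        try:
            tokens = shlex.split(cmd, comments=True)  # drops shell comments
        except ValueError:  # unbalanced quote, e.g. an apostrophe in YAML text
            tokens = cmd.split()
        for i, tok in enumerate(tokens[:-1]):
            if not tok.endswith("perf-sentinel") or tokens[i + 1] != "verify-hash":
                continue
            rest = tokens[i + 2:]  # arguments of this command only
            args = rest[:next((j for j, a in enumerate(rest) if a in SEPARATORS), len(rest))]
            missing = [f for f in REQUIRED if not has_flag(args, f)]
            if has_flag(args, OPT_OUT):
                findings.append((num, "opt-out: " + OPT_OUT))
            elif missing:
                findings.append((num, "missing: " + " ".join(missing)))
    return findings
```

A "missing" finding marks a gate that stops returning TRUSTED after the image upgrade; an "opt-out" finding marks a gate that keeps running without checking who signed the report.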

Full Changelog: chart-v0.2.34...chart-v0.2.35
