From b1194a3da37baeae2a2420dd8fc1c02ece356471 Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Wed, 23 Apr 2025 09:58:06 -0500 Subject: [PATCH 1/9] Add support for reverse-proxy scenarios Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/templates/hyperdx-deployment.yaml | 11 +++++++---- charts/hdx-oss-v2/values.yaml | 6 ++++-- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml b/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml index de33121..b9cee6c 100644 --- a/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml +++ b/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml @@ -11,7 +11,7 @@ metadata: {{- end -}} {{- end }} spec: - replicas: {{ .Values.hyperdx.replicas | default 1 }} + replicas: 1 selector: matchLabels: {{- include "hdx-oss.selectorLabels" . | nindent 6 }} @@ -34,10 +34,13 @@ spec: command: ['sh', '-c', 'until nc -z {{ include "hdx-oss.fullname" . }}-mongodb {{ .Values.mongodb.port }}; do echo waiting for mongodb; sleep 2; done;'] containers: - name: app - image: "{{ .Values.hyperdx.image }}" + image: "{{ .Values.images.hdx.repository }}:{{ .Values.images.hdx.tag }}" + securityContext: + capabilities: + add: ["NET_ADMIN", "NET_BIND_SERVICE"] ports: - name: app-port - containerPort: {{ .Values.hyperdx.appPort }} + containerPort: {{ .Values.hyperdx.app.port }} - name: api-port containerPort: {{ .Values.hyperdx.apiPort }} envFrom: @@ -51,4 +54,4 @@ spec: key: api-key {{- with .Values.hyperdx.env }} {{- toYaml . | nindent 12 }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/hdx-oss-v2/values.yaml b/charts/hdx-oss-v2/values.yaml index 09eb957..8404446 100644 --- a/charts/hdx-oss-v2/values.yaml +++ b/charts/hdx-oss-v2/values.yaml 
@@ -6,8 +6,10 @@ hyperdx: image: "hyperdx/hyperdx:2-beta" apiKey: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" apiPort: 8000 - appPort: 3000 - appUrl: "http://localhost" + app: + port: 3000 + url: "http://localhost" + appendPort: false # Set to true if you want to append the port to the URL in generated links logLevel: "info" usageStatsEnabled: true annotations: {} From 3463a1963d4ff5e8cb793a46f8a10de8c8f1f5a4 Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Thu, 24 Apr 2025 15:24:32 -0500 Subject: [PATCH 2/9] refactor(helm): restructure hyperdx configuration for better organization and security context Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/values.yaml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/charts/hdx-oss-v2/values.yaml b/charts/hdx-oss-v2/values.yaml index 8404446..e22f3c4 100644 --- a/charts/hdx-oss-v2/values.yaml +++ b/charts/hdx-oss-v2/values.yaml @@ -4,13 +4,27 @@ global: hyperdx: image: "hyperdx/hyperdx:2-beta" - apiKey: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - apiPort: 8000 + api: + key: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + port: 8000 + generateKeySecret: true # disable to manually create the secret app: port: 3000 url: "http://localhost" appendPort: false # Set to true if you want to append the port to the URL in generated links logLevel: "info" + securityContext: + allowPrivilegeEscalation: + appArmorProfile: + type: "RuntimeDefault" # Set to "RuntimeDefault" for AppArmor support, can also use "Unconfined" + capabilities: + add: [] # add: ["NET_ADMIN", "NET_BIND_SERVICE"] for reverse proxy support + drop: [] + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false usageStatsEnabled: true annotations: {} # myAnnotation: "myValue" From c10caa62681ca46ef87e617a677297ad6f434bdb Mon Sep 17 00:00:00 2001 
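Review bot: `allowPrivilegeEscalation:` under `hyperdx.securityContext` in the PATCH 2/9 hunk is a bare key, which YAML reads as null; write `allowPrivilegeEscalation: false` so the intended value is visible in values.yaml instead of depending on a template fallback. The inline comment on `capabilities.add` suggests `NET_ADMIN` for reverse-proxy use, but that capability covers interface, routing and firewall configuration, whereas binding a port below 1024 needs only `NET_BIND_SERVICE`; I would change it to `add: []  # add: ["NET_BIND_SERVICE"] to bind ports below 1024`. The defaults also keep `runAsUser: 0`, `runAsNonRoot: false` and `drop: []`; if the image can run unprivileged (not visible here, so this needs confirming), `drop: ["ALL"]` and a non-root UID would be a safer starting point.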
From: Byran Carlock Date: Thu, 24 Apr 2025 15:24:44 -0500 Subject: [PATCH 3/9] refactor(helm): update hyperdx deployment configuration for improved flexibility and security context Signed-off-by: Byran Carlock --- .../templates/hyperdx-deployment.yaml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml b/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml index b9cee6c..babb6a9 100644 --- a/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml +++ b/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml @@ -11,7 +11,7 @@ metadata: {{- end -}} {{- end }} spec: - replicas: 1 + replicas: {{ .Values.hyperdx.replicas | default 1 }} selector: matchLabels: {{- include "hdx-oss.selectorLabels" . | nindent 6 }} 
@@ -34,24 +34,35 @@ spec: command: ['sh', '-c', 'until nc -z {{ include "hdx-oss.fullname" . }}-mongodb {{ .Values.mongodb.port }}; do echo waiting for mongodb; sleep 2; done;'] containers: - name: app - image: "{{ .Values.images.hdx.repository }}:{{ .Values.images.hdx.tag }}" + image: "{{ .Values.hyperdx.image }}" securityContext: + allowPrivilegeEscalation: {{ .Values.hyperdx.securityContext.allowPrivilegeEscalation | default false }} + appArmorProfile: + type: {{ .Values.hyperdx.securityContext.appArmorProfile.type | default "RuntimeDefault" }} capabilities: - add: ["NET_ADMIN", "NET_BIND_SERVICE"] + add: {{ .Values.hyperdx.securityContext.capabilities.add | default "[]" }} + drop: {{ .Values.hyperdx.securityContext.capabilities.drop | default "[]" }} + privileged: {{ .Values.hyperdx.securityContext.privileged | default false }} + readOnlyRootFilesystem: {{ .Values.hyperdx.securityContext.readOnlyRootFilesystem | default false }} + runAsGroup: {{ .Values.hyperdx.securityContext.runAsGroup | default 0 }} + runAsUser: {{ .Values.hyperdx.securityContext.runAsUser | default 0 }} + runAsNonRoot: {{ .Values.hyperdx.securityContext.runAsNonRoot | default false }} ports: - name: app-port containerPort: {{ .Values.hyperdx.app.port }} - name: api-port - containerPort: {{ .Values.hyperdx.apiPort }} + containerPort: {{ .Values.hyperdx.api.port }} envFrom: - configMapRef: name: {{ include "hdx-oss.fullname" . }}-app-config env: + {{- if .Values.hyperd.api.generateKeySecret}} - name: HYPERDX_API_KEY valueFrom: secretKeyRef: name: {{ include "hdx-oss.fullname" . }}-app-secrets key: api-key + {{- end }} {{- with .Values.hyperdx.env }} {{- toYaml . | nindent 12 }} {{- end }} From e626463080a5280c87a67ffe7b79e0a5baf0f995 Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Thu, 24 Apr 2025 15:24:52 -0500 Subject: [PATCH 4/9] fix(helm): correct app port variable reference in hyperdx service configuration 
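Review bot: `capabilities.add` and `capabilities.drop` render a Go list directly, so a non-empty value such as `["NET_ADMIN", "NET_BIND_SERVICE"]` comes out as `[NET_ADMIN NET_BIND_SERVICE]`, which YAML parses as a single string element rather than two capabilities. Only the empty case works, because `default "[]"` substitutes the literal text. Serialising the list fixes both cases: `add: {{ .Values.hyperdx.securityContext.capabilities.add | default list | toJson }}` and the same for `drop`. The `appArmorProfile.type` lookup will also fail with a nil-pointer error if a user overrides `securityContext` without that sub-map, so rendering the whole block with `{{- toYaml .Values.hyperdx.securityContext | nindent 12 }}` may be simpler. The container spec continues outside this hunk.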
Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/templates/hyperdx-service.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/hdx-oss-v2/templates/hyperdx-service.yaml b/charts/hdx-oss-v2/templates/hyperdx-service.yaml index 9334777..5206ece 100644 --- a/charts/hdx-oss-v2/templates/hyperdx-service.yaml +++ b/charts/hdx-oss-v2/templates/hyperdx-service.yaml @@ -7,8 +7,8 @@ metadata: spec: type: LoadBalancer ports: - - port: {{ .Values.hyperdx.appPort }} - targetPort: {{ .Values.hyperdx.appPort }} + - port: {{ .Values.hyperdx.app.port }} + targetPort: {{ .Values.hyperdx.app.port }} name: app selector: {{- include "hdx-oss.selectorLabels" . | nindent 4 }} From 0610effeba340307cc3ff3ef37127b8c6e57c9fe Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Thu, 24 Apr 2025 15:24:58 -0500 Subject: [PATCH 5/9] fix(helm): update api-key secret generation to use dynamic value from values.yaml Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/templates/secrets.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/hdx-oss-v2/templates/secrets.yaml b/charts/hdx-oss-v2/templates/secrets.yaml index ea87da2..e974216 100644 --- a/charts/hdx-oss-v2/templates/secrets.yaml +++ b/charts/hdx-oss-v2/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if .Values.hyperdx.api.generateKeySecret}} apiVersion: v1 kind: Secret metadata: @@ -6,7 +7,8 @@ metadata: {{- include "hdx-oss.labels" . | nindent 4 }} type: Opaque data: - api-key: {{ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" | b64enc }} + api-key: {{ .Values.hyperdx.api.key | b64enc }} +{{- end }} {{- if .Values.clickhouse.enabled }} --- apiVersion: v1 From 9f0bd61b53ffacd8463963d375f47588d86ec9a4 Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Thu, 24 Apr 2025 15:25:04 -0500 Subject: [PATCH 6/9] fix(helm): correct variable references for app and API ports in ConfigMap 
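Review bot: `api-key` in secrets.yaml (PATCH 5/9) now comes from `hyperdx.api.key`, but values.yaml still ships the placeholder `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` as its default and `generateKeySecret` defaults to true. An install that overrides nothing therefore gets a Secret holding a publicly known key. I would leave the default empty in values.yaml and fail the render when it is unset: `api-key: {{ required "hyperdx.api.key must be set" .Values.hyperdx.api.key | b64enc }}`. How the application uses this key is not visible on this page, so the impact of a shared default should be confirmed. A comment on `key` in values.yaml saying it must be replaced before deployment would help either way.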
Signed-off-by: Byran Carlock --- .../templates/configmaps/app-configmap.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/hdx-oss-v2/templates/configmaps/app-configmap.yaml b/charts/hdx-oss-v2/templates/configmaps/app-configmap.yaml index 6480f1e..35132fe 100644 --- a/charts/hdx-oss-v2/templates/configmaps/app-configmap.yaml +++ b/charts/hdx-oss-v2/templates/configmaps/app-configmap.yaml @@ -5,16 +5,16 @@ metadata: labels: {{- include "hdx-oss.labels" . | nindent 4 }} data: - APP_PORT: {{ .Values.hyperdx.appPort | quote }} - API_PORT: {{ .Values.hyperdx.apiPort | quote }} - FRONTEND_URL: "{{ .Values.hyperdx.appUrl }}:{{ .Values.hyperdx.appPort }}" - HYPERDX_API_PORT: "{{ .Values.hyperdx.apiPort }}" - HYPERDX_APP_PORT: "{{ .Values.hyperdx.appPort }}" - HYPERDX_APP_URL: "{{ .Values.hyperdx.appUrl }}" + APP_PORT: {{ .Values.hyperdx.app.port | quote }} + API_PORT: {{ .Values.hyperdx.api.port | quote }} + FRONTEND_URL: "{{ .Values.hyperdx.app.url }}{{if .Values.hyperdx.app.appendPort }}:{{ .Values.hyperdx.app.port }}{{ end }}" + HYPERDX_API_PORT: "{{ .Values.hyperdx.api.port }}" + HYPERDX_APP_PORT: "{{ .Values.hyperdx.app.port }}" + HYPERDX_APP_URL: "{{ .Values.hyperdx.app.url }}" HYPERDX_LOG_LEVEL: "{{ .Values.hyperdx.logLevel }}" MINER_API_URL: "http://{{ include "hdx-oss.fullname" . }}-miner:5123" MONGO_URI: "mongodb://{{ include "hdx-oss.fullname" . }}-mongodb:{{ .Values.mongodb.port }}/hyperdx" - NEXT_PUBLIC_SERVER_URL: "http://localhost:{{ .Values.hyperdx.apiPort }}" + NEXT_PUBLIC_SERVER_URL: "http://localhost:{{ .Values.hyperdx.api.port }}" OTEL_SERVICE_NAME: "hdx-oss-api" REDIS_URL: "redis://{{ include "hdx-oss.fullname" . }}-redis:{{ .Values.redis.port }}" USAGE_STATS_ENABLED: "{{ .Values.hyperdx.usageStatsEnabled | default true }}" From 66e3a0ab4e28b9a32c6138f5dd5ea660c9608f97 Mon Sep 17 00:00:00 2001 
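Review bot: `NEXT_PUBLIC_SERVER_URL` still hard-codes `http://localhost:` in front of the API port, so the reverse-proxy handling added to `FRONTEND_URL` does not reach it. How the app consumes this variable is not visible here, but if browsers use it to reach the API it should presumably come from a value as well, including the scheme. Separately, the URL values are interpolated inside hand-written double quotes, so a value containing a quote or backslash would yield broken or altered YAML. `HYPERDX_APP_URL: {{ .Values.hyperdx.app.url | quote }}` would match the `| quote` form already used for `APP_PORT` and `API_PORT`.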
From: Byran Carlock Date: Thu, 24 Apr 2025 15:25:13 -0500 Subject: [PATCH 7/9] fix(helm): update OTEL_SERVICE_NAME to use dynamic fullname reference in task-checkAlerts Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/templates/cronjobs/task-checkAlerts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/hdx-oss-v2/templates/cronjobs/task-checkAlerts.yaml b/charts/hdx-oss-v2/templates/cronjobs/task-checkAlerts.yaml index b315012..66dd1a1 100644 --- a/charts/hdx-oss-v2/templates/cronjobs/task-checkAlerts.yaml +++ b/charts/hdx-oss-v2/templates/cronjobs/task-checkAlerts.yaml @@ -29,7 +29,7 @@ spec: - name: NODE_ENV value: "production" - name: OTEL_SERVICE_NAME - value: "hdx-oss-task-check-alerts" + value: "{{ include "hdx-oss.fullname" . }}-alerts" resources: {{- toYaml .Values.tasks.checkAlerts.resources | nindent 16 }} {{- end }} \ No newline at end of file From d44586f15a7869af5606c917f82feaf474170f25 Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Thu, 24 Apr 2025 15:40:31 -0500 Subject: [PATCH 8/9] fix(helm): correct variable reference for hyperdx API key secret generation Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/templates/hyperdx-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml b/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml index babb6a9..651f4ad 100644 --- a/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml +++ b/charts/hdx-oss-v2/templates/hyperdx-deployment.yaml @@ -56,7 +56,7 @@ spec: - configMapRef: name: {{ include "hdx-oss.fullname" . }}-app-config env: - {{- if .Values.hyperd.api.generateKeySecret}} + {{- if .Values.hyperdx.api.generateKeySecret}} - name: HYPERDX_API_KEY valueFrom: secretKeyRef: From 2671d3ac62e6d62261755a9614d94dd51dc5477b Mon Sep 17 00:00:00 2001 From: Byran Carlock Date: Thu, 24 Apr 2025 15:53:47 -0500 Subject: [PATCH 9/9] fix(helm): add missing api port configuration in hyperdx service 
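Review bot: With `generateKeySecret` set to false, the guard in the PATCH 8/9 hunk removes the `HYPERDX_API_KEY` entry altogether, although the values.yaml comment describes that setting as the way to create the secret manually. A manually created Secret named `<fullname>-app-secrets` would then never be read by the pod unless the operator also repeats the variable under `hyperdx.env`. The Secret name is deterministic, so I would drop the `{{- if .Values.hyperdx.api.generateKeySecret}}` / `{{- end }}` pair around the env entry and gate only the Secret manifest in secrets.yaml. A missing Secret then fails pod start-up instead of silently running without a key. The matching `{{- end }}` lies outside this hunk.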
Signed-off-by: Byran Carlock --- charts/hdx-oss-v2/templates/hyperdx-service.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/hdx-oss-v2/templates/hyperdx-service.yaml b/charts/hdx-oss-v2/templates/hyperdx-service.yaml index 5206ece..658aa2c 100644 --- a/charts/hdx-oss-v2/templates/hyperdx-service.yaml +++ b/charts/hdx-oss-v2/templates/hyperdx-service.yaml @@ -10,6 +10,9 @@ spec: - port: {{ .Values.hyperdx.app.port }} targetPort: {{ .Values.hyperdx.app.port }} name: app + - port: {{ .Values.hyperdx.api.port }} + targetPort: {{ .Values.hyperdx.api.port }} + name: api selector: {{- include "hdx-oss.selectorLabels" . | nindent 4 }} app: {{ include "hdx-oss.fullname" . }} \ No newline at end of file
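Review bot: Adding the `api` port to this Service publishes it wherever the Service is reachable, and the `type: LoadBalancer` visible in the PATCH 4/9 hunk for the same file is hard-coded, so the API port gets an external address by default. In a reverse-proxy deployment the proxy or ingress would normally be the only external entry point. Consider making the type a value, `type: {{ .Values.hyperdx.service.type | default "LoadBalancer" }}`, so operators can select `ClusterIP` while existing installs keep their behaviour. `hyperdx.service.type` is a proposed key, not one the chart defines on this page. A short comment in values.yaml noting that both ports are exposed by this Service would also help.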