This is an automated email from the ASF dual-hosted git repository.
hgruszecki pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iggy.git
The following commit(s) were added to refs/heads/master by this push:
new f66540010 fix: Helm chart install guidance and deployment defaults
(#2976)
f66540010 is described below
commit f665400108526079c26b55bbf3a1aba27cecd847
Author: Aviraj Khare <[email protected]>
AuthorDate: Sat Mar 21 15:27:46 2026 +0530
fix: Helm chart install guidance and deployment defaults (#2976)
---
helm/charts/iggy/Chart.yaml | 2 +-
helm/charts/iggy/README.md | 48 +++++++++++++++++++++++-------
helm/charts/iggy/templates/deployment.yaml | 23 ++++++++++----
helm/charts/iggy/values.yaml | 12 ++++++--
4 files changed, 65 insertions(+), 20 deletions(-)
diff --git a/helm/charts/iggy/Chart.yaml b/helm/charts/iggy/Chart.yaml
index 26c42e6b5..08f86a803 100644
--- a/helm/charts/iggy/Chart.yaml
+++ b/helm/charts/iggy/Chart.yaml
@@ -20,7 +20,7 @@ apiVersion: v2
name: iggy
description: A Helm chart for Apache Iggy server and web-ui
type: application
-version: 0.4.0
+version: 0.5.0
appVersion: "0.7.0"
sources:
- https://github.com/apache/iggy
diff --git a/helm/charts/iggy/README.md b/helm/charts/iggy/README.md
index c6c9567eb..76c62b3e3 100644
--- a/helm/charts/iggy/README.md
+++ b/helm/charts/iggy/README.md
@@ -7,6 +7,7 @@ A Helm chart for [Apache Iggy](https://github.com/apache/iggy)
server and web-ui
* Kubernetes 1.19+
* Helm 3.2.0+
* PV provisioner support in the underlying infrastructure (if persistence is
enabled)
+* Prometheus Operator CRDs if `server.serviceMonitor.enabled=true`
### io_uring Requirements
@@ -15,7 +16,13 @@ Iggy server uses `io_uring` for high-performance async I/O.
This requires:
1. **IPC_LOCK capability** - For locking memory required by io_uring
2. **Unconfined seccomp profile** - To allow io_uring syscalls
-These are configured by default in the chart's `securityContext` and
`podSecurityContext`.
+These are configured by default for the Iggy server via the chart's root-level
+`securityContext` and `podSecurityContext`. The web UI uses
`ui.securityContext`
+and `ui.podSecurityContext`, which default to empty.
+
+Some local or container-based Kubernetes environments may still fail during
Iggy runtime
+initialization if the node/kernel does not provide the `io_uring` support
required by the
+server runtime.
## Quick Start
@@ -26,18 +33,18 @@ cd iggy
# Install with persistence enabled
helm install iggy ./helm/charts/iggy \
- --set server.persistence.enabled=true \
- --set server.serviceMonitor.enabled=false
+ --set server.persistence.enabled=true
# Install with custom root credentials
helm install iggy ./helm/charts/iggy \
--set server.persistence.enabled=true \
- --set server.serviceMonitor.enabled=false \
--set server.users.root.username=admin \
--set server.users.root.password=secretpassword
```
-> **Note:** Set `server.serviceMonitor.enabled=false` if Prometheus Operator
is not installed.
+> **Note:** `server.serviceMonitor.enabled` defaults to `false`.
+> Enable it only if Prometheus Operator is installed and you want a
`ServiceMonitor` resource.
+> The server still requires node/kernel support for `io_uring`, including on
clean local clusters such as `kind` or `minikube`.
## Installation
@@ -63,6 +70,10 @@ helm install iggy ./helm/charts/iggy \
helm install iggy ./helm/charts/iggy -f custom-values.yaml
```
+If Prometheus Operator is installed and you want monitoring, set
+`server.serviceMonitor.enabled=true` in `custom-values.yaml` or pass it on the
+command line with `--set server.serviceMonitor.enabled=true`.
+
## Uninstallation
```bash
@@ -101,14 +112,14 @@ helm uninstall iggy
| `server.users.root.password` | string | `"changeit"` | Root user password |
| `server.users.root.createSecret` | bool | `true` | Create secret for root
user |
| `server.users.root.existingSecret.name` | string | `""` | Use existing
secret |
-| `securityContext.capabilities.add` | list | `["IPC_LOCK"]` | Container
capabilities (required for io_uring) |
-| `podSecurityContext.seccompProfile.type` | string | `"Unconfined"` | Seccomp
profile (required for io_uring) |
+| `securityContext.capabilities.add` | list | `["IPC_LOCK"]` | Server
container capabilities (required for io_uring) |
+| `podSecurityContext.seccompProfile.type` | string | `"Unconfined"` | Server
pod seccomp profile (required for io_uring) |
### Monitoring Configuration
| Key | Type | Default | Description |
| --- | ---- | ------- | ----------- |
-| `server.serviceMonitor.enabled` | bool | `true` | Enable ServiceMonitor for
Prometheus Operator |
+| `server.serviceMonitor.enabled` | bool | `false` | Enable ServiceMonitor for
Prometheus Operator |
| `server.serviceMonitor.interval` | string | `"30s"` | Scrape interval |
| `server.serviceMonitor.path` | string | `"/metrics"` | Metrics endpoint path
|
@@ -121,6 +132,8 @@ helm uninstall iggy
| `ui.image.repository` | string | `"apache/iggy-web-ui"` | UI image
repository |
| `ui.ports.http` | int | `3050` | UI HTTP port |
| `ui.server.endpoint` | string | `""` | Iggy server endpoint (auto-detected
if empty) |
+| `ui.securityContext` | object | `{}` | UI container security context |
+| `ui.podSecurityContext` | object | `{}` | UI pod security context |
## Troubleshooting
@@ -137,7 +150,19 @@ This means io_uring cannot lock sufficient memory. Ensure:
1. `securityContext.capabilities.add` includes `IPC_LOCK`
2. `podSecurityContext.seccompProfile.type` is `Unconfined`
-These are set by default but may be overridden.
+These server settings are set by default but may be overridden.
+
+### Pod CrashLoopBackOff with "Invalid argument" during server startup
+
+If the Iggy server exits with a panic similar to:
+
+```text
+called `Result::unwrap()` on an `Err` value: Os { code: 22, kind:
InvalidInput, message: "Invalid argument" }
+```
+
+the Kubernetes node may not support the `io_uring` runtime configuration
required by the server.
+This has been observed on local/container-based clusters even when `IPC_LOCK`
and
+`podSecurityContext.seccompProfile.type=Unconfined` are set.
### ServiceMonitor CRD not found
@@ -175,13 +200,14 @@ kubectl port-forward svc/iggy-ui 3050:3050
### Using Ingress
-Enable ingress in values:
+Enable ingress in values. Set `className` and any controller-specific
annotations to match your
+ingress implementation:
```yaml
server:
ingress:
enabled: true
- className: nginx
+ className: "<your-ingress-class>"
hosts:
- host: iggy.example.com
paths:
diff --git a/helm/charts/iggy/templates/deployment.yaml
b/helm/charts/iggy/templates/deployment.yaml
index 67f38417a..4a75c57d9 100644
--- a/helm/charts/iggy/templates/deployment.yaml
+++ b/helm/charts/iggy/templates/deployment.yaml
@@ -15,6 +15,9 @@
# specific language governing permissions and limitations
# under the License.
{{ if .Values.server.enabled }}
+{{- if hasKey .Values.server "podSecurityContext" }}
+{{- fail "server.podSecurityContext has been moved to podSecurityContext (root
level). Please update your values." }}
+{{- end }}
---
apiVersion: apps/v1
kind: Deployment
@@ -44,7 +47,7 @@ spec:
{{- end }}
serviceAccountName: {{ include "iggy.serviceAccountName" . }}
securityContext:
- {{ toYaml .Values.server.podSecurityContext | nindent 8 }}
+ {{ toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
@@ -96,13 +99,19 @@ spec:
mountPath: /app/local_data
subPath: {{ ternary "root" (printf "%s/root"
.Values.server.persistence.subPath) (empty .Values.server.persistence.subPath)
}}
+ startupProbe:
+ httpGet:
+ path: /ping
+ port: http
+ periodSeconds: 10
+ failureThreshold: 30
livenessProbe:
httpGet:
- path: /
+ path: /ping
port: http
readinessProbe:
httpGet:
- path: /
+ path: /ping
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
@@ -154,12 +163,16 @@ spec:
{{ toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "iggy.serviceAccountName" . }}
+ {{- with .Values.ui.podSecurityContext }}
securityContext:
- {{ toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
+ {{- with .Values.ui.securityContext }}
securityContext:
- {{ toYaml .Values.securityContext | nindent 12 }}
+ {{ toYaml . | nindent 12 }}
+ {{- end }}
image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag |
default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.ui.image.pullPolicy }}
ports:
diff --git a/helm/charts/iggy/values.yaml b/helm/charts/iggy/values.yaml
index e604ff9ea..a7316942d 100644
--- a/helm/charts/iggy/values.yaml
+++ b/helm/charts/iggy/values.yaml
@@ -36,7 +36,7 @@ server:
serviceMonitor:
# -- Enable this if you're using [Prometheus
Operator](https://github.com/coreos/prometheus-operator)
- enabled: true
+ enabled: false
# -- Namespace to deploy the ServiceMonitor
namespace: ""
# -- Fallback to the prometheus default unless specified
@@ -170,6 +170,12 @@ ui:
# cpu: 100m
# memory: 128Mi
+ # -- Web UI pod security context. Leave empty unless your UI deployment
needs explicit pod-level settings.
+ podSecurityContext: {}
+
+ # -- Web UI container security context. Leave empty unless your UI
deployment needs explicit container-level settings.
+ securityContext: {}
+
nodeSelector: {}
tolerations: []
@@ -195,14 +201,14 @@ serviceAccount:
podAnnotations: {}
podSecurityContext:
- # Required for io_uring syscalls in containerized environments
+ # Required for Iggy server io_uring syscalls in containerized environments
seccompProfile:
type: Unconfined
securityContext:
capabilities:
add:
- # Required for memlock (io_uring memory)
+ # Required for Iggy server memlock (io_uring memory)
- IPC_LOCK
resources:
