From c41ecad2a4cb8db9673ebb0779a34f94138f6d8e Mon Sep 17 00:00:00 2001 From: Evan Tepsic Date: Sun, 31 May 2026 15:52:13 -0400 Subject: [PATCH 01/16] fix(chart): add trailing newline to Chart.yaml --- charts/graylog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/graylog/Chart.yaml b/charts/graylog/Chart.yaml index 2f301d3..052f68d 100644 --- a/charts/graylog/Chart.yaml +++ b/charts/graylog/Chart.yaml @@ -65,4 +65,4 @@ annotations: # This is the chart version. version: 1.0.0 # This is the version number of the Graylog application bundled with this chart. -appVersion: "7.0" \ No newline at end of file +appVersion: "7.0" From 4e2e4f8501a09fa03acfdde554370b2124410f3b Mon Sep 17 00:00:00 2001 From: Evan Tepsic Date: Sun, 31 May 2026 15:53:25 -0400 Subject: [PATCH 02/16] fix(values): add trailing newline to values.yaml --- charts/graylog/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/graylog/values.yaml b/charts/graylog/values.yaml index 958eb5a..821c6d6 100644 --- a/charts/graylog/values.yaml +++ b/charts/graylog/values.yaml @@ -348,4 +348,4 @@ mongodb: - apiGroups: [ "" ] resources: [ "pods" ] resourceNames: [ ] - verbs: [ "get", "patch", "delete" ] \ No newline at end of file + verbs: [ "get", "patch", "delete" ] From ad6d4957d401a729a5819fba383e7af972f55d2f Mon Sep 17 00:00:00 2001 From: Evan Tepsic Date: Sun, 31 May 2026 15:53:41 -0400 Subject: [PATCH 03/16] style(values): remove inner spaces in RBAC role-rules brackets --- charts/graylog/values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/graylog/values.yaml b/charts/graylog/values.yaml index 821c6d6..ea388b4 100644 --- a/charts/graylog/values.yaml +++ b/charts/graylog/values.yaml @@ -341,11 +341,11 @@ mongodb: role: create: true rules: - - apiGroups: [ "" ] - resources: [ "secrets" ] - resourceNames: [ ] - verbs: [ "get" ] - - apiGroups: [ "" ] - resources: [ "pods" ] - resourceNames: [ ] - verbs: [ "get", "patch", "delete" ] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: [] + verbs: ["get"] + - apiGroups: [""] + resources: ["pods"] + resourceNames: [] + verbs: ["get", "patch", "delete"] From 60cbefee6f380cfac0ceb0fe91513c4d5e93d084 Mon Sep 17 00:00:00 2001 From: Evan Tepsic Date: Sun, 31 May 2026 15:53:48 -0400 Subject: [PATCH 04/16] ci(gha): add chart-testing config (.github/ct.yaml) --- .github/ct.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/ct.yaml diff --git a/.github/ct.yaml b/.github/ct.yaml new file mode 100644 index 0000000..098f039 --- /dev/null +++ b/.github/ct.yaml @@ -0,0 +1,11 @@ +# Configuration for chart-testing (ct), used by .github/workflows/lint-and-test.yaml +# Full reference: https://github.com/helm/chart-testing + +chart-dirs: + - charts + +target-branch: main + +# Chart.yaml does not declare a maintainers list today; enabling this would +# block linting. Revisit if a maintainers list is added. +validate-maintainers: false From 55d7c11aa3975a5d54e9f9b1c0926cfc77f58be4 Mon Sep 17 00:00:00 2001 From: Evan Tepsic Date: Sun, 31 May 2026 15:53:52 -0400 Subject: [PATCH 05/16] ci(gha): replace bare helm lint with chart-testing-action --- .github/workflows/lint-and-test.yaml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index a79a3eb..d7333e1 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -10,5 +10,24 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - run: helm lint charts/graylog + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: v3.16.4 + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.8.0 + + - name: Run ct lint + run: ct lint --config .github/ct.yaml --all From aeacced414fdd2fc3b57aa540130a32913f01a98 Mon Sep 17 00:00:00 2001 From: Evan Tepsic Date: Sun, 31 May 2026 16:02:46 -0400 Subject: [PATCH 06/16] ci(gha): refine workflow per first-run annotations (drop redundant setup-python, bump checkout/setup-helm, drop deprecated token) --- .github/workflows/lint-and-test.yaml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index d7333e1..acb173f 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -11,20 +11,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@v5 with: version: v3.16.4 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.x' - name: Set up chart-testing uses: helm/chart-testing-action@v2.8.0 From 4fd5db816f801c60ef8584d930bf15c8c5620ddf Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 20:16:23 -0400 Subject: [PATCH 07/16] feat(ci): add minimal-resource overlay for ct install --- charts/graylog/ci/ci-values.yaml | 33 ++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 charts/graylog/ci/ci-values.yaml diff --git a/charts/graylog/ci/ci-values.yaml b/charts/graylog/ci/ci-values.yaml new file mode 100644 index 0000000..303ebf8 --- /dev/null +++ b/charts/graylog/ci/ci-values.yaml @@ -0,0 +1,33 @@ +# CI overlay used by `ct install` (auto-discovered via charts/graylog/ci/*-values.yaml). +# Minimal-resource configuration tuned to fit a default GitHub-hosted runner +# (~7 GB RAM, 4 vCPU). Not intended for production-like validation. + +graylog: + replicas: 1 + config: + serverJavaOpts: "-Xms512m -Xmx768m" + resources: + requests: + cpu: "250m" + memory: "768Mi" + limits: + cpu: "1" + memory: "1500Mi" + +datanode: + replicas: 1 + config: + opensearchHeap: "1g" + javaOpts: "-Xms512m -Xmx512m" + resources: + requests: + cpu: "250m" + memory: "1Gi" + limits: + cpu: "1" + memory: "2Gi" + +mongodb: + replicas: 1 + arbiters: 0 + version: "8.0.23" From 648bcff6226bce29f7b97765ce53676e99331da8 Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 20:20:56 -0400 Subject: [PATCH 08/16] ci(gha): add install job with kind cluster and MongoDB Operator --- .github/ct.yaml | 4 ++++ .github/workflows/lint-and-test.yaml | 34 ++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/.github/ct.yaml b/.github/ct.yaml index 098f039..c7dee88 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -9,3 +9,7 @@ target-branch: main # Chart.yaml does not declare a maintainers list today; enabling this would # block linting. Revisit if a maintainers list is added. validate-maintainers: false + +# Passed through to `helm install` during `ct install`. 15-minute timeout +# accommodates Graylog's startup time on minimal-resource CI runners. +helm-extra-args: --timeout=900s diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index acb173f..86df8fc 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -25,3 +25,37 @@ jobs: - name: Run ct lint run: ct lint --config .github/ct.yaml --all + + test: + runs-on: ubuntu-latest + needs: lint + steps: + - name: Checkout + uses: actions/checkout@v6 + with: + fetch-depth: 0 + + - name: Set up Helm + uses: azure/setup-helm@v5 + with: + version: v3.16.4 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.8.0 + + - name: Create kind cluster + uses: helm/kind-action@v1.14.0 + + - name: Install MongoDB Kubernetes Operator + run: | + helm upgrade --install mongodb-kubernetes-operator mongodb-kubernetes \ + --repo https://mongodb.github.io/helm-charts \ + --version "1.6.1" \ + --set operator.watchNamespace="*" \ + --namespace operators \ + --create-namespace \ + --wait \ + --timeout 5m + + - name: Run ct install + run: ct install --config .github/ct.yaml --all From ac9c008f4346114ee123b2d8ec26e1cc8ebe3dc3 Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 20:49:37 -0400 Subject: [PATCH 09/16] ci(gha): rename jobs to helm-ct-lint and helm-ct-install --- .github/workflows/lint-and-test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index 86df8fc..89459ab 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -7,7 +7,7 @@ on: branches: ["main"] jobs: - lint: + helm-ct-lint: runs-on: ubuntu-latest steps: - name: Checkout @@ -26,9 +26,9 @@ jobs: - name: Run ct lint run: ct lint --config .github/ct.yaml --all - test: + helm-ct-install: runs-on: ubuntu-latest - needs: lint + needs: helm-ct-lint steps: - name: Checkout uses: actions/checkout@v6 From ee10b16ba06b52497ca934a2acf01da121ed645d Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 20:49:49 -0400 Subject: [PATCH 10/16] ci(gha): generate ephemeral rootPassword and mask in workflow logs --- .github/workflows/lint-and-test.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index 89459ab..78f4921 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -57,5 +57,14 @@ jobs: --wait \ --timeout 5m + - name: Generate ephemeral CI rootPassword and mask in workflow logs + id: ci-root-password + run: | + password=$(openssl rand -hex 16) + echo "::add-mask::${password}" + echo "value=${password}" >> "$GITHUB_OUTPUT" + - name: Run ct install - run: ct install --config .github/ct.yaml --all + run: | + ct install --config .github/ct.yaml --all \ + --helm-extra-set-args "--set graylog.config.rootPassword=${{ steps.ci-root-password.outputs.value }}" From 313cc34c5b275e2922231ebf231ccb6dfa975886 Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 21:18:57 -0400 Subject: [PATCH 11/16] ci(gha): make ct.yaml validation knobs explicit and enable upgrade testing --- .github/ct.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/ct.yaml b/.github/ct.yaml index c7dee88..4fcd256 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -10,6 +10,18 @@ target-branch: main # block linting. Revisit if a maintainers list is added. validate-maintainers: false +# Defaults below are made explicit to document the chart's CI policy +# rather than relying on ct's built-in defaults. +check-version-increment: true +validate-chart-schema: true +validate-yaml: true + +# Enable in-place upgrade testing. ct will install the chart's previous +# revision and upgrade to the current, but only when the chart version +# differs between target-branch and the PR. Safeguards against breaking +# upgrade paths for existing users. +upgrade: true + # Passed through to `helm install` during `ct install`. 15-minute timeout # accommodates Graylog's startup time on minimal-resource CI runners. helm-extra-args: --timeout=900s From 895b67c4f764458cc87dab8d67ffb08a49efce6d Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 22:32:03 -0400 Subject: [PATCH 12/16] ci(gha): add Kubernetes version matrix (v1.32.11, v1.33.7, v1.34.3) to helm-ct-install --- .github/workflows/lint-and-test.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index 78f4921..c64add7 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -29,6 +29,13 @@ jobs: helm-ct-install: runs-on: ubuntu-latest needs: helm-ct-lint + strategy: + fail-fast: false + matrix: + k8s-version: + - v1.32.11 + - v1.33.7 + - v1.34.3 steps: - name: Checkout uses: actions/checkout@v6 @@ -45,6 +52,8 @@ jobs: - name: Create kind cluster uses: helm/kind-action@v1.14.0 + with: + node_image: kindest/node:${{ matrix.k8s-version }} - name: Install MongoDB Kubernetes Operator run: | From 04d58f5016330aa91e3a975f9cfed9eed5093d0f Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 22:35:13 -0400 Subject: [PATCH 13/16] ci(gha): disable ct upgrade testing --- .github/ct.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/ct.yaml b/.github/ct.yaml index 4fcd256..7e33cf3 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -16,11 +16,13 @@ check-version-increment: true validate-chart-schema: true validate-yaml: true -# Enable in-place upgrade testing. ct will install the chart's previous -# revision and upgrade to the current, but only when the chart version -# differs between target-branch and the PR. Safeguards against breaking -# upgrade paths for existing users. -upgrade: true +# In-place upgrade testing (disabled). ct's `--upgrade` doesn't exercise +# `helm upgrade` against an existing deployed release the way users would +# expect; it installs the previous revision into an ephemeral namespace, +# upgrades to current, then tears down. Combined with the ~2x CI runtime +# cost, not worth enabling right now. Revisit if ct's upgrade semantics +# change or maintainers want to opt in. +upgrade: false # Passed through to `helm install` during `ct install`. 15-minute timeout # accommodates Graylog's startup time on minimal-resource CI runners. From be86e37ac52a0a09b83772e8690264dd467702ec Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 23:47:36 -0400 Subject: [PATCH 14/16] ci(gha): add Helm version matrix (v3.16.4 + v4.2.0) to helm-ct-lint --- .github/workflows/lint-and-test.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index c64add7..30d91b9 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -9,6 +9,12 @@ on: jobs: helm-ct-lint: runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + helm-version: + - v3.16.4 + - v4.2.0 steps: - name: Checkout uses: actions/checkout@v6 @@ -18,7 +24,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v5 with: - version: v3.16.4 + version: ${{ matrix.helm-version }} - name: Set up chart-testing uses: helm/chart-testing-action@v2.8.0 From cf78cd5335613c06dd404b685845e23a579d5dec Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 23:47:51 -0400 Subject: [PATCH 15/16] =?UTF-8?q?ci(gha):=20expand=20helm-ct-install=20to?= =?UTF-8?q?=20asymmetric=20K8s=20=C3=97=20Helm=20matrix=20(3=20Helm=203=20?= =?UTF-8?q?+=201=20Helm=204)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/lint-and-test.yaml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index 30d91b9..d1b1ee7 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -37,11 +37,19 @@ jobs: needs: helm-ct-lint strategy: fail-fast: false + # Asymmetric K8s × Helm matrix: full K8s coverage on Helm 3 (the chart's + # stated minimum per docs/TESTING.md), with Helm 4 added as bonus coverage + # on the most recent K8s version. Expand by adding more `include:` entries. matrix: - k8s-version: - - v1.32.11 - - v1.33.7 - - v1.34.3 + include: + - k8s-version: v1.32.11 + helm-version: v3.16.4 + - k8s-version: v1.33.7 + helm-version: v3.16.4 + - k8s-version: v1.34.3 + helm-version: v3.16.4 + - k8s-version: v1.34.3 + helm-version: v4.2.0 steps: - name: Checkout uses: actions/checkout@v6 @@ -51,7 +59,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v5 with: - version: v3.16.4 + version: ${{ matrix.helm-version }} - name: Set up chart-testing uses: helm/chart-testing-action@v2.8.0 From 4284d7d5816ca2545b3288c8c02e18976b1d2511 Mon Sep 17 00:00:00 2001 From: etgraylog Date: Sun, 31 May 2026 23:54:18 -0400 Subject: [PATCH 16/16] ci(gha): reorder helm-ct-install matrix keys to display helm-version first --- .github/workflows/lint-and-test.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index d1b1ee7..18b937c 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -42,14 +42,14 @@ jobs: # on the most recent K8s version. Expand by adding more `include:` entries. matrix: include: - - k8s-version: v1.32.11 - helm-version: v3.16.4 - - k8s-version: v1.33.7 - helm-version: v3.16.4 - - k8s-version: v1.34.3 - helm-version: v3.16.4 - - k8s-version: v1.34.3 - helm-version: v4.2.0 + - helm-version: v3.16.4 + k8s-version: v1.32.11 + - helm-version: v3.16.4 + k8s-version: v1.33.7 + - helm-version: v3.16.4 + k8s-version: v1.34.3 + - helm-version: v4.2.0 + k8s-version: v1.34.3 steps: - name: Checkout uses: actions/checkout@v6