Merge branch 'main' into tom/fix-next-frontend-url

Author: dhable

.changeset/plenty-olives-visit.md

@@ -0,0 +1,5 @@
+---
+"helm-charts": patch
+---
+
+fix: Update FRONTEND_URL to be dynamic w/ingress

.changeset/plenty-pears-yawn.md

@@ -0,0 +1,5 @@
+---
+"helm-charts": patch
+---
+
+fix: Allow for configurable service type + annotations

CHANGELOG.md

@@ -1,5 +1,12 @@
 # helm-charts
 
+## 0.6.3
+
+### Patch Changes
+
+- 39d37c5: fix if condition typo
+- 3d75672: fix: Fix pathType for ingress
+
 ## 0.6.2
 
 ### Patch Changes

README.md

@@ -18,6 +18,7 @@ Welcome to the official HyperDX Helm charts repository. This guide provides inst
   - [API Key Setup](#api-key-setup)
   - [Task Configuration](#task-configuration)
   - [Using Secrets](#using-secrets)
+  - [Ingress Setup](#ingress-setup)
 - [Operations](#operations)
   - [Upgrading](#upgrading-the-chart)
   - [Uninstalling](#uninstalling-hyperdx)
@@ -108,36 +109,7 @@ hyperdx:
 
 #### Configuring Ingress for OTEL Collector
 
-If you need to expose your OTEL collector endpoints through ingress, you can use the additional ingresses configuration. The example below uses a regex pattern to capture all OTLP endpoints (traces, metrics, and logs) in a single path rule:
-
-```yaml
-hyperdx:
-  ingress:
-    enabled: true
-    additionalIngresses:
-      - name: otel-collector
-        annotations:
-          nginx.ingress.kubernetes.io/ssl-redirect: "false"
-          nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
-          nginx.ingress.kubernetes.io/use-regex: "true"
-        ingressClassName: nginx
-        hosts:
-          - host: collector.yourdomain.com
-            paths:
-              - path: /v1/(traces|metrics|logs)
-                pathType: Prefix
-                port: 4318
-        tls:
-          - hosts:
-              - collector.yourdomain.com
-            secretName: collector-tls
-```
-
-This configuration creates a separate ingress resource for the OTEL collector endpoints, allowing you to:
-- Use a different domain for collector traffic
-- Configure specific TLS settings
-- Apply custom annotations for the collector ingress
-- Route all telemetry signals through a single regex-based path rule
+For instructions on exposing your OTEL collector endpoints via ingress (including example configuration and best practices), see the [OTEL Collector Ingress](#otel-collector-ingress) section in the [Ingress Setup](#ingress-setup) chapter above.
 
 ### Minimal Deployment
 
@@ -263,6 +235,173 @@ By default, there is one task in the chart setup as a cronjob, responsible for c
 | `tasks.checkAlerts.schedule` | Cron schedule for the check-alerts task | `*/1 * * * *` |
 | `tasks.checkAlerts.resources` | Resource requests and limits for the check-alerts task | See `values.yaml` |
 
+## Ingress Setup
+
+- [General Ingress Setup](#general-ingress-setup)
+- [OTEL Collector Ingress](#otel-collector-ingress)
+- [Troubleshooting Ingress](#troubleshooting-ingress)
+
+### General Ingress Setup
+
+To expose the HyperDX UI and API via a domain name, enable ingress in your `values.yaml`:
+
+```yaml
+hyperdx:
+  ingress:
+    enabled: true
+    host: "hyperdx.yourdomain.com"  # Set this to your desired domain
+```
+
+#### Configuring `ingress.host` and `hyperdx.appUrl`
+
+- **`hyperdx.ingress.host`**: Set to the domain you want to use for accessing HyperDX (e.g., `hyperdx.yourdomain.com`).
+- **`hyperdx.appUrl`**: Should match the ingress host and include the protocol (e.g., `https://hyperdx.yourdomain.com`).
+
+**Example:**
+```yaml
+hyperdx:
+  appUrl: "https://hyperdx.yourdomain.com"
+  ingress:
+    enabled: true
+    host: "hyperdx.yourdomain.com"
+```
+
+This ensures that all generated links, cookies, and redirects work correctly.
+
+#### Enabling TLS (HTTPS)
+
+To secure your deployment with HTTPS, enable TLS in your ingress configuration:
+
+```yaml
+hyperdx:
+  ingress:
+    enabled: true
+    host: "hyperdx.yourdomain.com"
+    tls:
+      enabled: true
+      tlsSecretName: "hyperdx-tls"  # Name of the Kubernetes TLS secret
+```
+
+- Create a Kubernetes TLS secret with your certificate and key:
+  ```sh
+  kubectl create secret tls hyperdx-tls \
+    --cert=path/to/tls.crt \
+    --key=path/to/tls.key
+  ```
+- The ingress will reference this secret to terminate HTTPS connections.
+
+#### Example Minimal Ingress YAML
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hyperdx-app-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: hyperdx.yourdomain.com
+      http:
+        paths:
+          - path: /(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: <service-name>
+                port:
+                  number: 3000
+  tls:
+    - hosts:
+        - hyperdx.yourdomain.com
+      secretName: hyperdx-tls
+```
+
+#### Common Pitfalls
+
+- **Path and Rewrite Configuration:**
+  - For Next.js and other SPAs, always use a regex path and rewrite annotation as shown above. Do not use just `path: /` without a rewrite, as this will break static asset serving.
+- **Mismatched `appUrl` and `ingress.host`:**
+  - If these do not match, you may experience issues with cookies, redirects, and asset loading.
+- **TLS Misconfiguration:**
+  - Ensure your TLS secret is valid and referenced correctly in the ingress.
+  - Browsers may block insecure content if you access the app over HTTP when TLS is enabled.
+- **Ingress Controller Version:**
+  - Some features (like regex paths and rewrites) require recent versions of nginx ingress controller. Check your version with:
+    ```sh
+    kubectl -n ingress-nginx get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath="{.items[0].spec.containers[0].image}"
+    ```
+
+---
+
+### OTEL Collector Ingress
+
+If you need to expose your OTEL collector endpoints (for traces, metrics, logs) through ingress, you can use the `additionalIngresses` configuration. This is useful for organizations that want to send telemetry data from outside the cluster or use a custom domain for the collector.
+
+**Example configuration:**
+
+```yaml
+hyperdx:
+  ingress:
+    enabled: true
+    additionalIngresses:
+      - name: otel-collector
+        annotations:
+          nginx.ingress.kubernetes.io/ssl-redirect: "false"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+          nginx.ingress.kubernetes.io/use-regex: "true"
+        ingressClassName: nginx
+        hosts:
+          - host: collector.yourdomain.com
+            paths:
+              - path: /v1/(traces|metrics|logs)
+                pathType: Prefix
+                port: 4318
+        tls:
+          - hosts:
+              - collector.yourdomain.com
+            secretName: collector-tls
+```
+
+- This creates a separate ingress resource for the OTEL collector endpoints.
+- You can use a different domain, configure specific TLS settings, and apply custom annotations for the collector ingress.
+- The regex path rule allows you to route all OTLP signals (traces, metrics, logs) through a single rule.
+
+**Note:**
+- If you do not need to expose the OTEL collector externally, you can skip this section.
+- For most users, the general ingress setup is sufficient.
+
+---
+
+### Troubleshooting Ingress
+
+- **Check Ingress Resource:**
+  ```sh
+  kubectl get ingress -A
+  kubectl describe ingress <ingress-name>
+  ```
+- **Check Pod Logs:**
+  ```sh
+  kubectl logs -l app.kubernetes.io/name=ingress-nginx -n ingress-nginx
+  ```
+- **Test Asset URLs:**
+  Use `curl` to verify static assets are served as JS, not HTML:
+  ```sh
+  curl -I https://hyperdx.yourdomain.com/_next/static/chunks/main-xxxx.js
+  # Should return Content-Type: application/javascript
+  ```
+- **Browser DevTools:**
+  - Check the Network tab for 404s or assets returning HTML instead of JS.
+  - Look for errors like "Unexpected token <" in the console (indicates HTML returned for JS).
+- **Check for Path Rewrites:**
+  - Ensure the ingress is not stripping or incorrectly rewriting asset paths.
+- **Clear Browser and CDN Cache:**
+  - After changes, clear your browser cache and any CDN/proxy cache to avoid stale assets.
+
+---
+
 ## Operations
 
 ### Upgrading the Chart
@@ -392,41 +531,4 @@ For HTTP-only deployments (development/testing), some browsers may show crypto A
 
 ```sh
 kubectl logs -l app.kubernetes.io/name=hdx-oss-v2
-```
-
-### OTEL Collector OpAMP Connection Issues
-
-If you see connection refused errors in OTEL collector logs:
-
-```sh
-# Check OTEL collector logs
-kubectl logs -l app=otel-collector
-
-# Verify service DNS resolution
-kubectl exec -it deployment/my-hyperdx-hdx-oss-v2-otel-collector -- nslookup my-hyperdx-hdx-oss-v2-app
-```
-
-### Debugging a Failed Install
-
-```sh
-helm install my-hyperdx hyperdx/hdx-oss-v2 --debug --dry-run
-```
-
-### Verifying Deployment
-
-```sh
-kubectl get pods -l app.kubernetes.io/name=hdx-oss-v2
-```
-
-For more details, refer to the [Helm documentation](https://helm.sh/docs/) or open an issue in this repository.
-
----
-
-## Contributing
-
-We welcome contributions! Please open an issue or submit a pull request if you have improvements or feature requests.
-
-## License
-
-This project is licensed under the [MIT License](LICENSE).
-
+```

charts/hdx-oss-v2/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: hdx-oss-v2
 description: A Helm chart for HyperDX OSS V2
 type: application
-version: 0.6.2
+version: 0.6.3
 appVersion: 2.0.1

charts/hdx-oss-v2/templates/NOTES.txt

@@ -4,9 +4,28 @@ Note: By default, this chart also installs clickhouse and the otel-collector. Ho
 it is recommended that you use the clickhouse and otel-collector operators instead.
 
 To disable clickhouse and otel-collector, set the following values:
-helm install myrelease hyperdx-helm --set clickhouse.enabled=false --set clickhouse.persistence.enabled=false --set otel.enabled=false
+helm install myrelease <chart-name-or-path> --set clickhouse.enabled=false --set clickhouse.persistence.enabled=false --set otel.enabled=false
 
-Application URL: {{ include "hdx-oss.fullname" . }}-app:{{ .Values.hyperdx.appPort }}
+{{- if .Values.hyperdx.ingress.enabled }}
+Application URL: {{ if .Values.hyperdx.ingress.tls.enabled }}https{{ else }}http{{ end }}://{{ .Values.hyperdx.ingress.host }}
+{{- else }}
+Application Access:
+  For security, the service uses ClusterIP and is not exposed externally by default.
+  Choose one of the following secure access methods:
+  
+  1. Enable Ingress with TLS (Recommended for Production):
+     helm upgrade {{ .Release.Name }} <chart-name-or-path> \
+       --set hyperdx.ingress.enabled=true \
+       --set hyperdx.ingress.host=your-domain.com \
+       --set hyperdx.ingress.tls.enabled=true
+  
+  2. Port Forward (Development/Testing):
+     kubectl port-forward svc/{{ include "hdx-oss.fullname" . }}-app {{ .Values.hyperdx.appPort }}:{{ .Values.hyperdx.appPort }}
+     Then access: http://localhost:{{ .Values.hyperdx.appPort }}
+  
+  Note: This application handles sensitive telemetry data and should not be exposed
+  directly to the internet without proper authentication and encryption.
+{{- end }}
 
 To verify the deployment status, run:
   kubectl get pods -l "app.kubernetes.io/name={{ include "hdx-oss.name" . }}" 

charts/hdx-oss-v2/templates/configmaps/app-configmap.yaml

@@ -7,7 +7,11 @@ metadata:
 data:
   APP_PORT: {{ .Values.hyperdx.appPort | quote }}
   API_PORT: {{ .Values.hyperdx.apiPort | quote }}
+  {{- if .Values.hyperdx.ingress.enabled }}
+  FRONTEND_URL: "{{ if .Values.hyperdx.ingress.tls.enabled }}https{{ else }}http{{ end }}://{{ .Values.hyperdx.ingress.host }}"
+  {{- else }}
   FRONTEND_URL: "{{ .Values.hyperdx.appUrl }}:{{ .Values.hyperdx.appPort }}"
+  {{- end }}
   HYPERDX_API_PORT: "{{ .Values.hyperdx.apiPort }}"
   HYPERDX_APP_PORT: "{{ .Values.hyperdx.appPort }}"
   HYPERDX_APP_URL: "{{ .Values.hyperdx.appUrl }}"

charts/hdx-oss-v2/templates/hyperdx-deployment.yaml

@@ -28,7 +28,7 @@ spec:
         {{- end -}}
       {{- end }}
     spec:
-      {{- if not .Values.mongodb.enabled }}
+      {{- if .Values.mongodb.enabled }}
       initContainers:
         - name: wait-for-mongodb
           image: busybox

charts/hdx-oss-v2/templates/hyperdx-service.yaml

@@ -4,8 +4,14 @@ metadata:
   name: {{ include "hdx-oss.fullname" . }}-app
   labels:
     {{- include "hdx-oss.labels" . | nindent 4 }}
+  {{- if .Values.hyperdx.service.annotations }}
+  annotations:
+    {{- with .Values.hyperdx.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
 spec:
-  type: LoadBalancer
+  type: {{ .Values.hyperdx.service.type | default "ClusterIP" }}
   ports:
     - port: {{ .Values.hyperdx.appPort }}
       targetPort: {{ .Values.hyperdx.appPort }}
@@ -15,4 +21,4 @@ spec:
       name: opamp
   selector:
     {{- include "hdx-oss.selectorLabels" . | nindent 4 }}
-    app: {{ include "hdx-oss.fullname" . }} 
+    app: {{ include "hdx-oss.fullname" . }}

charts/hdx-oss-v2/templates/ingress.yaml

@@ -34,7 +34,7 @@ spec:
       http:
         paths:
           - path: /(.*)
-            pathType: Prefix
+            pathType: ImplementationSpecific
             backend:
               service:
                 name: {{ include "hdx-oss.fullname" . }}-app