Posit Chronicle

Version: 0.4.0 AppVersion: 2025.05.1

Official Helm chart for Posit Chronicle Server

Posit Chronicle helps data science managers and other stakeholders understand their organization’s use of other Posit products, primarily Posit Connect and Workbench.

For production

To ensure a stable production deployment:

  • “Pin” the version of the Helm chart that you are using. You can do this using the:
    • helm dependency command and the associated “Chart.lock” files or

    • the --version flag.

      Important

      This protects you from breaking changes.

  • Before upgrading check for breaking changes using helm-diff plugin and helm diff upgrade.
  • Read NEWS.md for updates on breaking changes and the documentation below on how to use the chart.

Installing the chart

To install the chart with the release name my-release at version 0.4.0:

helm repo add rstudio https://helm.rstudio.com
helm upgrade --install my-release rstudio/posit-chronicle --version=0.4.0

To explore other chart versions, look at:

helm search repo rstudio/posit-chronicle -l

Usage

This chart deploys the Chronicle server and is intended to be used in tandem with the Workbench and Connect charts. For the server to receive data, the Chronicle agent must be deployed as a sidecar container alongside Workbench or Connect server pods.

Both Workbench (>=0.9.2) and Connect (>=0.7.26) charts include out of the box support for Chronicle agent sidecars. The sidecar can be enabled by setting the chronicleAgent.enabled value to true in either product’s chart.

For additional information on deploying and configuring Chronicle agents, see the Workbench or Connect chart documentation.

HTTPS Configuration

Chronicle can be configured to use HTTPS for secure communication. The config.HTTPS section of the configuration allows you to specify the certificate and key files to use for HTTPS. Both config.HTTPS.Certificate and config.HTTPS.Key are expected to be paths to files accessible by Chronicle. The extraSecretMounts value can be used to mount the certificate and key files into the Chronicle pod. Here is an example of how to do this, assuming that the certificate and key files are stored together in a Kubernetes TLS secret:

extraSecretMounts:
  - name: chronicle-https
    mountPath: /etc/chronicle/ssl
    secretName: chronicle-https
    items:
      - key: tls.crt
      - key: tls.key
config:
  HTTPS:
    Enabled: true
    Certificate: "/etc/chronicle/ssl/tls.crt"
    Key: "/etc/chronicle/ssl/tls.key"

Storage Configuration

Chronicle can be configured to persist data to local storage, AWS S3, or both.

Local Storage

The default configuration will save data to a persistent volume, which is suitable if you’d like to access and analyze the data within your cluster. The below values show the default configuration for storage:

persistence:
  enabled: true
  accessModes:
    - ReadWriteOnce
  size: 10Gi
config:
  LocalStorage:
    Enabled: true
    Location: "/opt/chronicle-data"

The persistence section configures the persistent volume claim in the cluster while the config.LocalStorage section directly applies to Chronicle’s configuration file. The persistent volume will always mount to the path specified by config.LocalStorage.Path to avoid potential misconfiguration and data loss.

By default, Chronicle requests 10Gi of storage. In most cases, this amount of storage should be sufficient for thirty days of monitoring data.

Important

Users are responsible for managing the size of the persistent volume, retention of stored data, and controlling access to the data from other pods. Consider utilizing a dynamic volume provisioner to avoid storage-related service interruptions.

While attaching the volume to Workbench is a valid method of accessing the data, keep in mind that some data captured by Chronicle may be considered sensitive and should be handled with care.

Alternate Storage Class

Depending on the environment or cloud hosting Chronicle, many CSI drivers may be available to use as the persistent volume’s storage class. While Chronicle only natively supports local storage or S3, CSI drivers may be used to provide support for other storage backends such as Azure Blob Storage, Azure Files, Google Cloud Storage, or other object storage solutions. The storage class for persistent volumes can be set with the following value:

persistence:
  storageClass: "alternate-storage-class"

Please report and performance or stability issues with alternate storage configurations to the issue tracker.

S3 Storage

Chronicle can also be configured to store data in an S3 bucket. This can be useful for controlling access to data or taking advantage of S3 features such as lifecycle management.

config:
  S3Storage:
    Enabled: true
    Bucket: "posit-chronicle"
    Region: "us-east-2"

Using IAM roles for S3 access

If Chronicle is running on EKS, IAM Roles for Service Accounts can be utilized to manage the credentials needed to access S3. Once an IAM role has been created, the role can be attached as an annotation on Chronicle’s Service Account:

serviceaccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn:  arn:aws:iam::123456789000:role/iam-role-name-here

There are alternatives for injecting AWS credentials into a container. As a fallback, the S3 storage config allows specifying a profile:

config:
  S3Storage:
    Enabled: true
    Bucket: "posit-chronicle"
    Profile: "my-aws-account"
    Region: "us-east-2"

Needed S3 Policy Permissions

The credentials Chronicle uses for S3 storage must have the following permissions enabled:

  • s3:GetObject
  • s3:ListBucket
  • s3:PutObject
  • s3:DeleteObject

Additional Configuration

Chronicle has additional configuration options not specifically mentioned in this README. For additional information on administrating or using Posit Chronicle, see the Chronicle documentation.

For details on server configuration options, see the advanced server configuration reference page.

Values

Key Type Default Description
commonAnnotations object {} Common annotations to add to all resources
commonLabels object {} Common labels to add to all resources
config.HTTPS.Certificate string "" Path to a PEM encoded certificate file, required if HTTPS.Enabled=true
config.HTTPS.Enabled bool false If set to true, Chronicle will use HTTPS instead of HTTP
config.HTTPS.Key string "" Path to a PEM encoded private key file corresponding to the specified certificate, required if HTTPS.Enabled=true
config.LocalStorage.Enabled bool true Use config.LocalStorage.Path for data storage if true, use in conjunction with persistence.enabled=true for persistent data storage
config.LocalStorage.Path string "/opt/chronicle-data" The path to use for local storage
config.Logging.ServiceLog string "STDOUT" Specifies the output for log messages, can be one of “STDOUT”, “STDERR”, or a file path
config.Logging.ServiceLogFormat string "TEXT" The log format for the service, can be one of “TEXT” or “JSON”
config.Logging.ServiceLogLevel string "INFO" The log level for the service, can be one of “TRACE”, “DEBUG”, “INFO”, “WARN”, or “ERROR”
config.Metrics.Enabled bool false Exposes a metrics endpoint for Prometheus if true
config.Profiling.Enabled bool false Exposes a pprof profiling server if true
config.Profiling.Port int 3030 The port to use for the profiling server
config.S3Storage.Bucket string "" The S3 bucket to use for storage, required if S3Storage.Enabled=true
config.S3Storage.Enabled bool false Use S3 for data storage if true
config.S3Storage.Prefix string "" An optional prefix path to use when writing to the S3 bucket
config.S3Storage.Profile string "" An IAM Profile to use for accessing the S3 bucket, default is to read from the AWS_PROFILE env var
config.S3Storage.Region string "" Region of the S3 bucket, default is to read from the AWS_REGION env var
extraObjects list [] Additional manifests to deploy with the chart with template value rendering
extraSecretMounts list [] Additional secrets to mount to the Chronicle server pod
fullnameOverride string "" Override for the full name of the release
image.pullPolicy string "IfNotPresent" The image pull policy
image.registry string "ghcr.io" The image registry
image.repository string "rstudio/chronicle" The image repository
image.securityContext object {"allowPrivilegeEscalation":false,"runAsNonRoot":true} The container-level security context (reference)
image.sha string "" The image digest
image.tag string "" The image tag, defaults to the chart app version
nameOverride string "" Override for the name of the release
namespaceOverride string "" Override for the namespace of the chart deployment
persistence.accessModes list ["ReadWriteOnce"] Persistent Volume Access Modes
persistence.annotations object {} Additional annotations for the PVC
persistence.enabled bool true Enable persistence using Persistent Volume Claims
persistence.finalizers list ["kubernetes.io/pvc-protection"] Finalizers for the PVC
persistence.labels object {} Additional labels for the PVC
persistence.selectorLabels object {} Selector to match an existing Persistent Volume for the data PVC
persistence.size string "10Gi" Size of the data volume
persistence.storageClassName string "" Persistent Volume Storage Class, defaults to the default Storage Class for the cluster
pod.affinity object {} A map used verbatim as the pod “affinity” definition
pod.annotations object {} Additional annotations for pods
pod.args list [] The arguments to pass to the command, defaults to the image CMD values
pod.command list [] The command to run in the Chronicle server container, defaults to the image ENTRYPOINT value
pod.env list [] Additional environment variables to set on the Chronicle server container
pod.labels object {} Additional labels for pods
pod.nodeSelector object {} A map used verbatim as the pod “nodeSelector” definition
pod.securityContext object {"fsGroup":1000,"fsGroupChangePolicy":"OnRootMismatch"} The pod-level security context (reference)
pod.terminationGracePeriodSeconds int 30 The termination grace period seconds allowed for the pod before shutdown
pod.tolerations list [] An array used verbatim as the pod “tolerations” definition
replicas int 1 The number of replica pods to maintain
service.annotations object {} Annotations to add to the service
service.labels object {} Labels to add to the service
service.port int 80 The port to use for the REST API service
serviceAccount.annotations object {} Annotations to add to the service account
serviceAccount.create bool false Creates a service account for Posit Chronicle if true
serviceAccount.labels object {} Labels to add to the service account
serviceAccount.name string "" Override for the service account name, defaults to fullname

Autogenerated from chart metadata using helm-docs v1.13.1