From db0c8fd733c57436ecb42b6f4d9040fa05dd4c4c Mon Sep 17 00:00:00 2001 From: Trayan Azarov Date: Tue, 17 Feb 2026 13:36:58 +0200 Subject: [PATCH 1/5] fix: allow CORS wildcard for Rust server and refactor v1-config to helper template The CORS wildcard validation incorrectly rejected ["*"] for Chroma >= 1.0.0, but the Rust server supports it. Refactored v1-config generation into a chromadb.serverConfig helper template that builds a config dict from values and supports extraConfig merge for advanced users. Closes #123 --- ISSUE_CONTEXT.md | 39 +++++++ charts/chromadb-chart/templates/_helpers.tpl | 24 ++++ charts/chromadb-chart/templates/config.yaml | 17 +-- charts/chromadb-chart/values.yaml | 7 +- tests/test_v1_config.sh | 113 +++++++++++++++++++ 5 files changed, 183 insertions(+), 17 deletions(-) create mode 100644 ISSUE_CONTEXT.md create mode 100755 tests/test_v1_config.sh diff --git a/ISSUE_CONTEXT.md b/ISSUE_CONTEXT.md new file mode 100644 index 0000000..a584aaa --- /dev/null +++ b/ISSUE_CONTEXT.md 
@@ -0,0 +1,39 @@ +# Issue #123: [BUG] CORS wildcard validation incorrectly rejects '*' for Rust server (>= 1.0.0) + +**State:** OPEN +**URL:** https://github.com/amikos-tech/chromadb-chart/issues/123 + +## Description + +The Helm chart's `config.yaml` template (line 182-184) fails with an error if `chromadb.corsAllowOrigins` is set to `["*"]` for versions >= 1.0.0: + +```yaml +{{- if and (eq (len .Values.chromadb.corsAllowOrigins) 1) (eq (index .Values.chromadb.corsAllowOrigins 0) "*") }} + {{ fail "cors_allow_origins must not be set to '*' when only one origin is allowed" }} +{{- end }} +``` + +This validation was correct for the Python-based ChromaDB 1.0.0 server, but the new Rust-based server **does** support wildcard CORS origins. The sample config `single_node_full.yaml` in the Rust frontend confirms this: + +```yaml +cors_allow_origins: ["*"] +``` + +## Expected Behavior + +Setting `chromadb.corsAllowOrigins: ["*"]` should work for Rust-based Chroma versions (>= 1.0.0). + +## Proposed Fix + +Gate the wildcard CORS validation to only apply for Python-based versions, or remove it entirely since the Rust server handles invalid CORS at startup. + +## Labels + +(none) + +## Assignees + +(none) + +--- +*This file was auto-generated by the /wt command* diff --git a/charts/chromadb-chart/templates/_helpers.tpl b/charts/chromadb-chart/templates/_helpers.tpl index 5b1c969..597daaf 100644 --- a/charts/chromadb-chart/templates/_helpers.tpl +++ b/charts/chromadb-chart/templates/_helpers.tpl 
@@ -120,6 +120,30 @@ Get the chroma api version {{- end }} {{- end }} +{{/* +Build the v1 server config dict for Chroma >= 1.0.0. +Constructs a config dict from chart values and merges any user-provided extraConfig. +*/}} +{{- define "chromadb.serverConfig" -}} +{{- $config := dict -}} +{{- $_ := set $config "port" (.Values.chromadb.serverHttpPort | int) -}} +{{- $_ := set $config "listen_address" .Values.chromadb.serverHost -}} +{{- $_ := set $config "max_payload_size_bytes" (.Values.chromadb.maxPayloadSizeBytes | int64) -}} +{{- $_ := set $config "persist_path" .Values.chromadb.persistDirectory -}} +{{- $_ := set $config "allow_reset" .Values.chromadb.allowReset -}} +{{- if .Values.chromadb.corsAllowOrigins -}} + {{- $_ := set $config "cors_allow_origins" .Values.chromadb.corsAllowOrigins -}} +{{- end -}} +{{- if .Values.chromadb.telemetry.enabled -}} + {{- $otel := dict "service_name" .Values.chromadb.telemetry.serviceName "endpoint" .Values.chromadb.telemetry.endpoint -}} + {{- $_ := set $config "open_telemetry" $otel -}} +{{- end -}} +{{- with .Values.chromadb.extraConfig -}} + {{- $config = mergeOverwrite $config . -}} +{{- end -}} +{{- $config | toYaml -}} +{{- end -}} + {{/* Get the Chroma auth token header type */}} diff --git a/charts/chromadb-chart/templates/config.yaml b/charts/chromadb-chart/templates/config.yaml index 0302539..c8b245d 100644 --- a/charts/chromadb-chart/templates/config.yaml +++ b/charts/chromadb-chart/templates/config.yaml 
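Review bot: The helper comment on `chromadb.serverConfig` does not say that `cors_allow_origins` is now copied from `chromadb.corsAllowOrigins` with no validation, which matters because the same commit drops the `fail` guard that used to reject `["*"]`. The repository's CLAUDE.md lists authentication as supported only for versions < 1.0.0, so for the Rust server a wildcard origin presumably means any web page can issue cross-origin requests to an API that has no chart-managed auth. I would add a line to the template comment such as `cors_allow_origins is passed through unvalidated; "*" allows every web origin, so restrict network access to the Service when using it.` The same caveat belongs next to `corsAllowOrigins` in values.yaml.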
@@ -170,19 +170,4 @@ metadata: "helm.sh/hook-weight": "-5" data: config.yaml: |- - {{- if .Values.chromadb.telemetry.enabled }} - open_telemetry: - service_name: {{ .Values.chromadb.telemetry.serviceName }} - endpoint: {{ .Values.chromadb.telemetry.endpoint }} - {{- end }} - port: {{ .Values.chromadb.serverHttpPort }} - listen_address: {{ .Values.chromadb.serverHost }} - max_payload_size_bytes: {{ .Values.chromadb.maxPayloadSizeBytes | int64 }} - {{- if .Values.chromadb.corsAllowOrigins }} - {{- if and (eq (len .Values.chromadb.corsAllowOrigins) 1) (eq (index .Values.chromadb.corsAllowOrigins 0) "*") }} - {{ fail "cors_allow_origins must not be set to '*' when only one origin is allowed" }} - {{- end }} - cors_allow_origins: {{ .Values.chromadb.corsAllowOrigins | toJson }} - {{- end }} - persist_path: {{ .Values.chromadb.persistDirectory }} - allow_reset: {{ .Values.chromadb.allowReset }} \ No newline at end of file + {{- include "chromadb.serverConfig" . | nindent 4 }} \ No newline at end of file diff --git a/charts/chromadb-chart/values.yaml b/charts/chromadb-chart/values.yaml index 375a870..cf61137 100644 --- a/charts/chromadb-chart/values.yaml +++ b/charts/chromadb-chart/values.yaml @@ -124,7 +124,7 @@ chromadb: chromadb: "DEBUG" uvicorn: "INFO" anonymizedTelemetry: false - corsAllowOrigins: [] # as of version 1.0.x * is not allowed + corsAllowOrigins: [] # wildcard "*" supported for >= 1.0.0 (Rust server) serverHost: "0.0.0.0" serverHttpPort: 8000 maxPayloadSizeBytes: "41943040" @@ -150,4 +150,9 @@ chromadb: token: headerType: "Authorization" #possible values Authorization, X-Chroma-Token value: null # The string used as the token (value). Only used if value not null, otherwise a random string will be generated and used. + # Extra config keys merged into the v1 server config (>= 1.0.0). Overrides chart-managed keys. + extraConfig: {} + # circuit_breaker: + # requests: 500 + # sqlite_filename: "chroma.sqlite3" 
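Review bot: The comment above `extraConfig` in values.yaml does not mention that everything under it is rendered verbatim into the `config.yaml` key of the v1-config ConfigMap. Because the field is free-form and advertised for options the chart does not expose yet, users may be tempted to place credentials or tokens there, and ConfigMap data is stored and displayed in plain text. I would extend the comment with a line such as `# Rendered as plain text into the v1-config ConfigMap; do not put credentials or tokens here.`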
diff --git a/tests/test_v1_config.sh b/tests/test_v1_config.sh new file mode 100755 index 0000000..d2b7b64 --- /dev/null +++ b/tests/test_v1_config.sh 
@@ -0,0 +1,113 @@ +#!/usr/bin/env bash +set -euo pipefail + +CHART_DIR="$(cd "$(dirname "$0")/../charts/chromadb-chart" && pwd)" +PASS=0 +FAIL=0 + +assert_config_key() { + local desc="$1" yaml="$2" key="$3" expected="$4" + actual=$(echo "$yaml" | yq eval ".$key" -) + if [ "$actual" = "$expected" ]; then + echo " PASS: $desc" + PASS=$((PASS+1)) + else + echo " FAIL: $desc (expected '$expected', got '$actual')" + FAIL=$((FAIL+1)) + fi +} + +assert_config_key_missing() { + local desc="$1" yaml="$2" key="$3" + actual=$(echo "$yaml" | yq eval ".$key" -) + if [ "$actual" = "null" ]; then + echo " PASS: $desc" + PASS=$((PASS+1)) + else + echo " FAIL: $desc (expected key '$key' to be absent, got '$actual')" + FAIL=$((FAIL+1)) + fi +} + +assert_fail() { + local desc="$1" output="$2" + if echo "$output" | grep -q "Error:"; then + echo " PASS: $desc" + PASS=$((PASS+1)) + else + echo " FAIL: $desc (expected helm template to fail)" + FAIL=$((FAIL+1)) + fi +} + +get_v1_config() { + helm template test "$CHART_DIR" "$@" 2>/dev/null \ + | yq eval 'select(.metadata.name == "v1-config") | .data["config.yaml"]' - +} + +# --- Test suite --- + +echo "=== v1-config template tests (Chroma 1.5.0) ===" + +echo "" +echo "1. Default values" +config=$(get_v1_config) +assert_config_key "port defaults to 8000" "$config" "port" "8000" +assert_config_key "listen_address defaults to 0.0.0.0" "$config" "listen_address" "0.0.0.0" +assert_config_key "max_payload_size_bytes defaults to 41943040" "$config" "max_payload_size_bytes" "41943040" +assert_config_key "persist_path defaults to /data" "$config" "persist_path" "/data" +assert_config_key "allow_reset defaults to false" "$config" "allow_reset" "false" +assert_config_key_missing "cors_allow_origins absent when empty" "$config" "cors_allow_origins" +assert_config_key_missing "open_telemetry absent when disabled" "$config" "open_telemetry" + +echo "" +echo "2. 
CORS wildcard on >= 1.0.0 (should work)" +config=$(get_v1_config --set 'chromadb.corsAllowOrigins={*}') +assert_config_key "cors_allow_origins contains wildcard" "$config" "cors_allow_origins[0]" "*" + +echo "" +echo "3. CORS multiple origins" +config=$(get_v1_config --set 'chromadb.corsAllowOrigins={https://a.com,https://b.com}') +assert_config_key "first origin" "$config" "cors_allow_origins[0]" "https://a.com" +assert_config_key "second origin" "$config" "cors_allow_origins[1]" "https://b.com" + +echo "" +echo "4. OpenTelemetry enabled" +config=$(get_v1_config \ + --set 'chromadb.telemetry.enabled=true' \ + --set 'chromadb.telemetry.endpoint=http://otel:4317' \ + --set 'chromadb.telemetry.serviceName=my-chroma') +assert_config_key "otel endpoint" "$config" "open_telemetry.endpoint" "http://otel:4317" +assert_config_key "otel service_name" "$config" "open_telemetry.service_name" "my-chroma" + +echo "" +echo "5. Custom server settings" +config=$(get_v1_config \ + --set 'chromadb.serverHttpPort=9000' \ + --set 'chromadb.serverHost=127.0.0.1' \ + --set 'chromadb.allowReset=true' \ + --set 'chromadb.persistDirectory=/mnt/data' \ + --set 'chromadb.maxPayloadSizeBytes=52428800') +assert_config_key "custom port" "$config" "port" "9000" +assert_config_key "custom listen_address" "$config" "listen_address" "127.0.0.1" +assert_config_key "allow_reset true" "$config" "allow_reset" "true" +assert_config_key "custom persist_path" "$config" "persist_path" "/mnt/data" +assert_config_key "custom max_payload_size_bytes" "$config" "max_payload_size_bytes" "52428800" + +echo "" +echo "6. 
extraConfig merge" +config=$(get_v1_config \ + --set 'chromadb.extraConfig.circuit_breaker.requests=500' \ + --set 'chromadb.extraConfig.sqlite_filename=custom.db') +assert_config_key "circuit_breaker.requests from extraConfig" "$config" "circuit_breaker.requests" "500" +assert_config_key "sqlite_filename from extraConfig" "$config" "sqlite_filename" "custom.db" +assert_config_key "port still present after merge" "$config" "port" "8000" + +echo "" +echo "7. extraConfig overrides chart-managed keys" +config=$(get_v1_config --set 'chromadb.extraConfig.port=9999') +assert_config_key "extraConfig overrides port" "$config" "port" "9999" + +echo "" +echo "--- Results: $PASS passed, $FAIL failed ---" +[ "$FAIL" -eq 0 ] || exit 1 From e5548aaa57a79e20edc2e12a2f49e7695416b993 Mon Sep 17 00:00:00 2001 From: Trayan Azarov Date: Tue, 17 Feb 2026 13:40:21 +0200 Subject: [PATCH 2/5] docs: update README for CORS wildcard support and extraConfig --- README.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 64bc503..8159c20 100644 --- a/README.md +++ b/README.md 
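Review bot: `actual` is assigned without `local` in both `assert_config_key` and `assert_config_key_missing`, and under `set -euo pipefail` a non-zero exit from `yq` in that assignment ends the script before the results line is printed. Declaring the variable and recording the failure keeps the run going and the counters honest: `local actual` followed by `actual=$(printf '%s\n' "$yaml" | yq eval ".$key" -) || actual='<yq error>'`. A check near the top that `helm` and `yq` are on PATH would also turn a missing tool into a clear message rather than a mid-run abort.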
@@ -63,12 +63,12 @@ helm install chroma chroma/chromadb --set chromadb.allowReset="true" | Key | Type | Default | Description | |-----------------------------------------------------|---------|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `chromadb.apiVersion` | string | `1.0.10` (Chart app version) | The ChromaDB version. Supported version `0.4.3` - `1.0.x` | +| `chromadb.apiVersion` | string | `1.5.0` (Chart app version) | The ChromaDB version. Supported version `0.4.3` - `1.x` | | `chromadb.allowReset` | boolean | `false` | Allows resetting the index (delete all data) | | `chromadb.isPersistent` | boolean | `true` | A flag to control whether data is persisted | | `chromadb.persistDirectory` | string | `/data` | The location to store the index data. This configure both chromadb and underlying persistent volume | | `chromadb.anonymizedTelemetry` | boolean | `false` | The flag to send anonymized stats using posthog. By default this is enabled in the chromadb however for user's privacy we have disabled it so it is opt-in | -| `chromadb.corsAllowOrigins` | list | N/A | The CORS config. Wildcard ["*"] is not supported in version 1.0.0 or later. | +| `chromadb.corsAllowOrigins` | list | `[]` | List of allowed CORS origins. Wildcard `["*"]` is supported for >= 1.0.0 (Rust server) but not for earlier Python-based versions. | | `chromadb.apiImpl` | string | `- "chromadb.api.segment.SegmentAPI"` | The default API impl. It uses SegmentAPI however FastAPI is also available. 
Note: FastAPI seems to be bugging so we discourage users to use it in releases prior or equal to 0.4.3 Deprecated in since 0.1.23 (will be removed in 0.2.0) | | `chromadb.serverHost` | string | `0.0.0.0` | The API server host. | | `chromadb.serverHttpPort` | int | `8000` | The API server port. | @@ -103,6 +103,7 @@ helm install chroma chroma/chromadb --set chromadb.allowReset="true" | `chromadb.telemetry.serviceName` | string | `chroma` | The service name that will show up in traces. | | `imagePullSecrets` | list | `[]` | List of image pull secrets for the ChromaDB pod (e.g. `[{name: "my-secret"}]`). | | `global.imagePullSecrets` | list | `[]` | Global image pull secrets shared across all subcharts. Merged with `imagePullSecrets`. | +| `chromadb.extraConfig` | object | `{}` | Extra config keys merged into the v1 server config (>= 1.0.0). Overrides chart-managed keys. See [Extra Config](#extra-config). | | `commonLabels` | object | `{}` | Additional labels applied to all chart resources (StatefulSet, Service, Ingress, ConfigMaps, Secrets, PVCs, test Jobs). | | `podLabels` | object | `{}` | Additional labels applied to pods only. Does not affect `matchLabels`. | 
@@ -243,6 +244,26 @@ Then, run `helm dependency update` to install the chart. When using as a subchart, `global.imagePullSecrets` lets you define pull secrets once in the parent chart and have them propagated to all subcharts (including ChromaDB). Chart-level `imagePullSecrets` only applies to this chart. Both lists are merged, so there is no conflict if the same secret appears in both — though it may appear as a duplicate, Kubernetes handles this gracefully. +## Extra Config + +For Chroma >= 1.0.0 (Rust server), `chromadb.extraConfig` lets you inject arbitrary config keys into the server's YAML +config file. This is useful for setting options not yet exposed as dedicated chart values. + +```yaml +chromadb: + extraConfig: + circuit_breaker: + requests: 500 + sqlite_filename: "custom.db" + open_telemetry: + filters: + - crate_name: "chroma_frontend" + filter_level: "info" +``` + +> [!NOTE] +> Keys in `extraConfig` override chart-managed keys of the same name. + ## References - Chroma: https://docs.trychroma.com/docs/overview/getting-started From 6c10f3fc77a5d7dc4c5ced1f951ad233d3c7e03f Mon Sep 17 00:00:00 2001 From: Trayan Azarov Date: Tue, 17 Feb 2026 14:08:52 +0200 Subject: [PATCH 3/5] fix: address PR feedback - remove dead code, show stderr, warn about port overrides --- README.md | 6 ++++-- tests/test_v1_config.sh | 18 ++++++------------ 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 8159c20..60ab498 100644 --- a/README.md +++ b/README.md @@ -261,8 +261,10 @@ chromadb: filter_level: "info" ``` -> [!NOTE] -> Keys in `extraConfig` override chart-managed keys of the same name. +> [!WARNING] +> Keys in `extraConfig` override chart-managed keys of the same name. When overriding `port` or +> `listen_address`, you must also update `chromadb.serverHttpPort` and `chromadb.serverHost` to match, +> otherwise the Service, container port, and health probes will be out of sync. ## References 
diff --git a/tests/test_v1_config.sh b/tests/test_v1_config.sh index d2b7b64..cacaee1 100755 --- a/tests/test_v1_config.sh +++ b/tests/test_v1_config.sh @@ -29,19 +29,8 @@ assert_config_key_missing() { fi } -assert_fail() { - local desc="$1" output="$2" - if echo "$output" | grep -q "Error:"; then - echo " PASS: $desc" - PASS=$((PASS+1)) - else - echo " FAIL: $desc (expected helm template to fail)" - FAIL=$((FAIL+1)) - fi -} - get_v1_config() { - helm template test "$CHART_DIR" "$@" 2>/dev/null \ + helm template test "$CHART_DIR" "$@" \ | yq eval 'select(.metadata.name == "v1-config") | .data["config.yaml"]' - } @@ -108,6 +97,11 @@ echo "7. extraConfig overrides chart-managed keys" config=$(get_v1_config --set 'chromadb.extraConfig.port=9999') assert_config_key "extraConfig overrides port" "$config" "port" "9999" +echo "" +echo "8. CORS wildcard on < 1.0.0 (should also work)" +config=$(get_v1_config --set 'chromadb.corsAllowOrigins={*}' --set 'chromadb.apiVersion=0.6.3') +assert_config_key "cors_allow_origins wildcard for pre-1.0" "$config" "cors_allow_origins[0]" "*" + echo "" echo "--- Results: $PASS passed, $FAIL failed ---" [ "$FAIL" -eq 0 ] || exit 1 From 5306b34e457c89d5ea70c5adbb883c1adf3dbdb3 Mon Sep 17 00:00:00 2001 
From: Trayan Azarov Date: Tue, 17 Feb 2026 14:38:54 +0200 Subject: [PATCH 4/5] fix: add input validation guards, fix docs, and remove ISSUE_CONTEXT.md - Add {{ fail }} guards for extraConfig overriding port/listen_address - Add validation for port <= 0 and maxPayloadSizeBytes <= 0 - Add validation for telemetry.enabled without endpoint - Fix CORS wildcard documentation in README, values.yaml, and CLAUDE.md - Remove auto-generated ISSUE_CONTEXT.md and add to .gitignore - Add error handling to get_v1_config and assert_template_fails helper - Add negative test cases for all new validations (24 tests passing) --- .gitignore | 5 ++- CLAUDE.md | 2 +- ISSUE_CONTEXT.md | 39 ------------------ README.md | 2 +- charts/chromadb-chart/templates/_helpers.tpl | 24 +++++++++-- charts/chromadb-chart/values.yaml | 2 +- tests/test_v1_config.sh | 42 ++++++++++++++++---- 7 files changed, 61 insertions(+), 55 deletions(-) delete mode 100644 ISSUE_CONTEXT.md diff --git a/.gitignore b/.gitignore index f09011e..ed9a863 100644 --- a/.gitignore +++ b/.gitignore @@ -89,4 +89,7 @@ dmypy.json cython_debug/ # macOS temporary files -.DS_Store \ No newline at end of file +.DS_Store + +# Auto-generated working files +ISSUE_CONTEXT.md \ No newline at end of file diff --git a/CLAUDE.md b/CLAUDE.md index 6ac1f2c..893432e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -75,7 +75,7 @@ The chart supports multiple ChromaDB versions from 0.4.3 to 1.0.x with version-s - **Authentication**: Supported in versions < 1.0.0 (token auth from 0.4.8+, basic auth from 0.4.7+) - **Logging Configuration**: Custom log levels and config maps (versions < 1.0.0) - **Cache Management**: LRU cache policy configuration (versions < 1.0.0) -- **CORS Configuration**: List-based CORS origins (wildcard not supported in 1.0.0+) +- **CORS Configuration**: List-based CORS origins (wildcard supported for all versions) - **Telemetry**: OTEL telemetry support with configurable endpoints ### GitHub Workflows 
diff --git a/ISSUE_CONTEXT.md b/ISSUE_CONTEXT.md deleted file mode 100644 index a584aaa..0000000 --- a/ISSUE_CONTEXT.md +++ /dev/null @@ -1,39 +0,0 @@ -# Issue #123: [BUG] CORS wildcard validation incorrectly rejects '*' for Rust server (>= 1.0.0) - -**State:** OPEN -**URL:** https://github.com/amikos-tech/chromadb-chart/issues/123 - -## Description - -The Helm chart's `config.yaml` template (line 182-184) fails with an error if `chromadb.corsAllowOrigins` is set to `["*"]` for versions >= 1.0.0: - -```yaml -{{- if and (eq (len .Values.chromadb.corsAllowOrigins) 1) (eq (index .Values.chromadb.corsAllowOrigins 0) "*") }} - {{ fail "cors_allow_origins must not be set to '*' when only one origin is allowed" }} -{{- end }} -``` - -This validation was correct for the Python-based ChromaDB 1.0.0 server, but the new Rust-based server **does** support wildcard CORS origins. The sample config `single_node_full.yaml` in the Rust frontend confirms this: - -```yaml -cors_allow_origins: ["*"] -``` - -## Expected Behavior - -Setting `chromadb.corsAllowOrigins: ["*"]` should work for Rust-based Chroma versions (>= 1.0.0). - -## Proposed Fix - -Gate the wildcard CORS validation to only apply for Python-based versions, or remove it entirely since the Rust server handles invalid CORS at startup. - -## Labels - -(none) - -## Assignees - -(none) - ---- -*This file was auto-generated by the /wt command* diff --git a/README.md b/README.md index 60ab498..9e629b0 100644 --- a/README.md +++ b/README.md 
@@ -68,7 +68,7 @@ helm install chroma chroma/chromadb --set chromadb.allowReset="true" | `chromadb.isPersistent` | boolean | `true` | A flag to control whether data is persisted | | `chromadb.persistDirectory` | string | `/data` | The location to store the index data. This configure both chromadb and underlying persistent volume | | `chromadb.anonymizedTelemetry` | boolean | `false` | The flag to send anonymized stats using posthog. By default this is enabled in the chromadb however for user's privacy we have disabled it so it is opt-in | -| `chromadb.corsAllowOrigins` | list | `[]` | List of allowed CORS origins. Wildcard `["*"]` is supported for >= 1.0.0 (Rust server) but not for earlier Python-based versions. | +| `chromadb.corsAllowOrigins` | list | `[]` | List of allowed CORS origins. Wildcard `["*"]` is supported. | | `chromadb.apiImpl` | string | `- "chromadb.api.segment.SegmentAPI"` | The default API impl. It uses SegmentAPI however FastAPI is also available. Note: FastAPI seems to be bugging so we discourage users to use it in releases prior or equal to 0.4.3 Deprecated in since 0.1.23 (will be removed in 0.2.0) | | `chromadb.serverHost` | string | `0.0.0.0` | The API server host. | | `chromadb.serverHttpPort` | int | `8000` | The API server port. | diff --git a/charts/chromadb-chart/templates/_helpers.tpl b/charts/chromadb-chart/templates/_helpers.tpl index 597daaf..930b884 100644 --- a/charts/chromadb-chart/templates/_helpers.tpl +++ b/charts/chromadb-chart/templates/_helpers.tpl 
@@ -121,26 +121,42 @@ Get the chroma api version {{- end }} {{/* -Build the v1 server config dict for Chroma >= 1.0.0. -Constructs a config dict from chart values and merges any user-provided extraConfig. +Build the server config dict for the v1-config ConfigMap. */}} {{- define "chromadb.serverConfig" -}} +{{- $port := .Values.chromadb.serverHttpPort | int -}} +{{- if le $port 0 -}} + {{- fail (printf "chromadb.serverHttpPort must be a positive integer, got: %v" .Values.chromadb.serverHttpPort) -}} +{{- end -}} +{{- $maxPayload := .Values.chromadb.maxPayloadSizeBytes | int64 -}} +{{- if le $maxPayload 0 -}} + {{- fail (printf "chromadb.maxPayloadSizeBytes must be a positive integer, got: %v" .Values.chromadb.maxPayloadSizeBytes) -}} +{{- end -}} {{- $config := dict -}} -{{- $_ := set $config "port" (.Values.chromadb.serverHttpPort | int) -}} +{{- $_ := set $config "port" $port -}} {{- $_ := set $config "listen_address" .Values.chromadb.serverHost -}} -{{- $_ := set $config "max_payload_size_bytes" (.Values.chromadb.maxPayloadSizeBytes | int64) -}} +{{- $_ := set $config "max_payload_size_bytes" $maxPayload -}} {{- $_ := set $config "persist_path" .Values.chromadb.persistDirectory -}} {{- $_ := set $config "allow_reset" .Values.chromadb.allowReset -}} {{- if .Values.chromadb.corsAllowOrigins -}} {{- $_ := set $config "cors_allow_origins" .Values.chromadb.corsAllowOrigins -}} {{- end -}} {{- if .Values.chromadb.telemetry.enabled -}} + {{- if not .Values.chromadb.telemetry.endpoint -}} + {{- fail "chromadb.telemetry.endpoint must be set when chromadb.telemetry.enabled is true" -}} + {{- end -}} {{- $otel := dict "service_name" .Values.chromadb.telemetry.serviceName "endpoint" .Values.chromadb.telemetry.endpoint -}} {{- $_ := set $config "open_telemetry" $otel -}} {{- end -}} {{- with .Values.chromadb.extraConfig -}} {{- $config = mergeOverwrite $config . 
-}} {{- end -}} +{{- if ne (get $config "port" | int) ($port) -}} + {{- fail (printf "extraConfig.port (%v) conflicts with chromadb.serverHttpPort (%v) — update serverHttpPort instead" (get $config "port") $.Values.chromadb.serverHttpPort) -}} +{{- end -}} +{{- if ne (get $config "listen_address") .Values.chromadb.serverHost -}} + {{- fail (printf "extraConfig.listen_address (%s) conflicts with chromadb.serverHost (%s) — update serverHost instead" (get $config "listen_address") .Values.chromadb.serverHost) -}} +{{- end -}} {{- $config | toYaml -}} {{- end -}} diff --git a/charts/chromadb-chart/values.yaml b/charts/chromadb-chart/values.yaml index cf61137..5bd5448 100644 --- a/charts/chromadb-chart/values.yaml +++ b/charts/chromadb-chart/values.yaml @@ -124,7 +124,7 @@ chromadb: chromadb: "DEBUG" uvicorn: "INFO" anonymizedTelemetry: false - corsAllowOrigins: [] # wildcard "*" supported for >= 1.0.0 (Rust server) + corsAllowOrigins: [] serverHost: "0.0.0.0" serverHttpPort: 8000 maxPayloadSizeBytes: "41943040" diff --git a/tests/test_v1_config.sh b/tests/test_v1_config.sh index cacaee1..7374c5a 100755 --- a/tests/test_v1_config.sh +++ b/tests/test_v1_config.sh 
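Review bot: The post-merge guards cover only `port` and `listen_address`, so `extraConfig` can still silently replace `persist_path` and `allow_reset` once `mergeOverwrite` has run. The README states that `chromadb.persistDirectory` configures both Chroma and the underlying persistent volume, so a differing `extraConfig.persist_path` would presumably point the server at a path outside the mounted volume; a guard in the existing pattern closes that: `{{- if ne (get $config "persist_path") .Values.chromadb.persistDirectory -}}{{- fail "extraConfig.persist_path conflicts with chromadb.persistDirectory — update persistDirectory instead" -}}{{- end -}}`. For `allow_reset`, which the README describes as allowing deletion of all data, either guard it the same way or document that it can be switched on from `extraConfig`, so that an audit of `chromadb.allowReset` alone is not taken as the full picture.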
@@ -30,13 +30,29 @@ assert_config_key_missing() { } get_v1_config() { - helm template test "$CHART_DIR" "$@" \ - | yq eval 'select(.metadata.name == "v1-config") | .data["config.yaml"]' - + local output + output=$(helm template test "$CHART_DIR" "$@" 2>&1) || { + echo "TEMPLATE_ERROR: $output" >&2 + return 1 + } + echo "$output" | yq eval 'select(.metadata.name == "v1-config") | .data["config.yaml"]' - +} + +assert_template_fails() { + local desc="$1"; shift + local output + if output=$(helm template test "$CHART_DIR" "$@" 2>&1); then + echo " FAIL: $desc (expected template to fail, but it succeeded)" + FAIL=$((FAIL+1)) + else + echo " PASS: $desc" + PASS=$((PASS+1)) + fi } # --- Test suite --- -echo "=== v1-config template tests (Chroma 1.5.0) ===" +echo "=== v1-config template tests ===" echo "" echo "1. Default values" @@ -50,7 +66,7 @@ assert_config_key_missing "cors_allow_origins absent when empty" "$config" "cors assert_config_key_missing "open_telemetry absent when disabled" "$config" "open_telemetry" echo "" -echo "2. CORS wildcard on >= 1.0.0 (should work)" +echo "2. CORS wildcard (should work)" config=$(get_v1_config --set 'chromadb.corsAllowOrigins={*}') assert_config_key "cors_allow_origins contains wildcard" "$config" "cors_allow_origins[0]" "*" 
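Review bot: `assert_template_fails` captures `output` but never reads it, so any non-zero exit from `helm template` counts as PASS, including a missing binary, a bad chart path, or an unrelated template error. The negative cases added in the third hunk of this file (extraConfig.port, extraConfig.listen_address, telemetry without endpoint) would be stronger if each also matched a fragment of its `fail` message, for example `conflicts with chromadb.serverHttpPort`. Separately, `get_v1_config` now folds stderr into the text piped to `yq` through `2>&1`, so a helm warning printed on a successful render would land in the YAML stream; keeping stderr out of the captured stdout avoids that.

```shell
assert_template_fails() {
  local desc="$1" expect="$2"; shift 2
  # … unchanged: local output, helm template call and the "succeeded" FAIL branch …
  elif ! grep -qF -- "$expect" <<<"$output"; then
    echo "  FAIL: $desc (template failed, but not with: $expect)"
    FAIL=$((FAIL+1))
  # … unchanged: else branch that counts the PASS …
```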
@@ -93,12 +109,22 @@ assert_config_key "sqlite_filename from extraConfig" "$config" "sqlite_filename" assert_config_key "port still present after merge" "$config" "port" "8000" echo "" -echo "7. extraConfig overrides chart-managed keys" -config=$(get_v1_config --set 'chromadb.extraConfig.port=9999') -assert_config_key "extraConfig overrides port" "$config" "port" "9999" +echo "7. extraConfig override of port fails" +assert_template_fails "extraConfig.port override rejected" \ + --set 'chromadb.extraConfig.port=9999' + +echo "" +echo "8. extraConfig override of listen_address fails" +assert_template_fails "extraConfig.listen_address override rejected" \ + --set 'chromadb.extraConfig.listen_address=127.0.0.1' + +echo "" +echo "9. telemetry enabled without endpoint fails" +assert_template_fails "telemetry.enabled without endpoint rejected" \ + --set 'chromadb.telemetry.enabled=true' echo "" -echo "8. CORS wildcard on < 1.0.0 (should also work)" +echo "10. CORS wildcard on < 1.0.0 (ConfigMap renders)" config=$(get_v1_config --set 'chromadb.corsAllowOrigins={*}' --set 'chromadb.apiVersion=0.6.3') assert_config_key "cors_allow_origins wildcard for pre-1.0" "$config" "cors_allow_origins[0]" "*" From bed9102d74cac46f0eba906cc50d97d5f5d12fdb Mon Sep 17 00:00:00 2001 From: Trayan Azarov Date: Tue, 17 Feb 2026 15:42:21 +0200 Subject: [PATCH 5/5] fix: correct README WARNING and clarify pre-1.0 test scope - README WARNING now states port/listen_address overrides are blocked - Add clarifying comment to test 10 about v1-config mount scope --- README.md | 7 ++++--- tests/test_v1_config.sh | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9e629b0..8209ea1 100644 --- a/README.md +++ b/README.md 
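Review bot: The negative cases added here cover three of the guards introduced in `chromadb.serverConfig`, but the `serverHttpPort <= 0` and `maxPayloadSizeBytes <= 0` checks have no test, although the commit message lists negative tests for all new validations. Two more calls would close the gap: `assert_template_fails "non-positive port rejected" --set 'chromadb.serverHttpPort=0'` and `assert_template_fails "non-positive payload size rejected" --set 'chromadb.maxPayloadSizeBytes=0'`. A non-numeric value deserves a case as well, since `int` presumably coerces it to 0 and the same guard is expected to catch it.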
@@ -262,9 +262,10 @@ chromadb: ``` > [!WARNING] -> Keys in `extraConfig` override chart-managed keys of the same name. When overriding `port` or -> `listen_address`, you must also update `chromadb.serverHttpPort` and `chromadb.serverHost` to match, -> otherwise the Service, container port, and health probes will be out of sync. +> Keys in `extraConfig` override chart-managed keys of the same name. Overriding `port` or +> `listen_address` via `extraConfig` is **not allowed** and will cause template rendering to fail. +> Use `chromadb.serverHttpPort` and `chromadb.serverHost` instead so that the Service, container +> port, and health probes remain in sync. ## References diff --git a/tests/test_v1_config.sh b/tests/test_v1_config.sh index 7374c5a..c4dfe29 100755 --- a/tests/test_v1_config.sh +++ b/tests/test_v1_config.sh @@ -124,6 +124,8 @@ assert_template_fails "telemetry.enabled without endpoint rejected" \ --set 'chromadb.telemetry.enabled=true' echo "" +# v1-config is only mounted for >= 1.0.0; this test validates template +# rendering only, not runtime CORS behavior for pre-1.0 versions. echo "10. CORS wildcard on < 1.0.0 (ConfigMap renders)" config=$(get_v1_config --set 'chromadb.corsAllowOrigins={*}' --set 'chromadb.apiVersion=0.6.3') assert_config_key "cors_allow_origins wildcard for pre-1.0" "$config" "cors_allow_origins[0]" "*"