
@patsevanton
Contributor

@patsevanton patsevanton commented Nov 19, 2025

This pull request introduces several enhancements to the Sentry worker deployments:

  1. Additional Package Installation:

    • Workers now have the capability to install additional Python packages during startup. This is controlled by the installAdditionalPackages flag in the values.yaml file.
    • If the flag is enabled, the following packages are installed by default, but the list can be overridden:
      • django-multidb-router
      • sentry-nodestore-elastic
      • sentry-s3-nodestore (from a specific release)
  2. CA Certificates Management:

    • Workers can now manage custom CA certificates by mounting a secret containing the certificates to /usr/local/share/ca-certificates/.
    • The certificates are then copied to the appropriate location and updated using update-ca-certificates.
    • This feature is controlled by the caCertificatesSecret field in the values.yaml file.

Changes

  • Deployment Templates:
    • Modified the command and args sections in the worker deployment templates to include a bash script that handles the installation of additional packages and CA certificates.
    • Added volume mounts and volume definitions for the CA certificates secret.

Check pip packages

pip list | grep -E 'django|nodestore'
django-crispy-forms                        1.14.0
django_csp                                 3.8
django-multidb-router                      0.11
django-pg-zero-downtime-migrations         0.18
django-stubs-ext                           5.2.2
djangorestframework                        3.16.1
pytest-django                              4.9.0
sentry-forked-django-stubs                 5.2.2.post2
sentry-forked-djangorestframework-stubs    3.16.2.post1
sentry-nodestore-elastic                   1.0.2
sentry-s3-nodestore                        1.0.3

Check certificates

import re
import certifi
from cryptography import x509
from cryptography.hazmat.backends import default_backend

def list_certificates():
    # Path to the cacert.pem bundle that certifi (and therefore requests/urllib3) trusts
    cacert_path = certifi.where()

    # Read the whole PEM bundle
    with open(cacert_path, 'r') as f:
        pem_data = f.read()

    # Extract each PEM certificate block
    certificate_pattern = re.compile(r'-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----', re.DOTALL)
    certificates = certificate_pattern.findall(pem_data)

    # Display information about each certificate
    for i, cert_pem in enumerate(certificates):
        try:
            # Load and parse the certificate
            cert = x509.load_pem_x509_certificate(cert_pem.encode(), default_backend())
            subject = cert.subject.rfc4514_string()
            issuer = cert.issuer.rfc4514_string()
            not_valid_before = cert.not_valid_before
            not_valid_after = cert.not_valid_after

            # Print certificate information
            print(f"Certificate #{i + 1}:")
            print(f"  Subject: {subject}")
            print(f"  Issuer: {issuer}")
            print(f"  Valid from: {not_valid_before}")
            print(f"  Valid until: {not_valid_after}")
            print()
        except Exception as e:
            # Report a block that could not be parsed instead of aborting the listing
            print(f"Error processing certificate #{i + 1}: {e}")

# Example usage
if __name__ == "__main__":
    list_certificates()

Check certificates with openssl

openssl crl2pkcs7 -nocrl -certfile /.venv/lib/python3.13/site-packages/certifi/cacert.pem | openssl pkcs7 -print_certs -noout | grep subject | tail -n 2

output:

subject=DC = ru, DC = yandex, DC = ld, CN = YandexCLCA
subject=CN = YandexInternalRootCA
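The startup loop described above appends every file in the mounted secret to certifi's bundle with `cat`, so a malformed file or a certificate that is already in the bundle is appended blindly. As an added, stdlib-only example (not code from this PR or the chart), here is the same merge done idempotently: each certificate is fingerprinted (SHA-256 of its DER), blocks already in the bundle are skipped, a block whose body is not valid base64 is rejected, and OpenSSL is asked whether it can actually load the block. The function names, file names and the sample PEM bodies are constructed; the bodies are deliberately not real X.509 certificates, which is why `openssl_accepts` refuses them while the structural checks pass.

```python
import base64
import binascii
import hashlib
import re
import ssl
from pathlib import Path

# One PEM certificate block; group 1 is the base64 body (may contain line breaks).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def parse_pem_bundle(text):
    """Return {sha256-fingerprint: DER bytes} for every certificate block in text.

    A block whose body is not valid base64 raises ValueError, so a truncated or
    mis-pasted certificate is reported instead of silently appended.
    """
    certs = {}
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed certificate block: {exc}") from exc
        if not der:
            raise ValueError("empty certificate block")
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs


def to_pem(der):
    """Re-encode DER as a canonical PEM block: 64-column lines, trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def openssl_accepts(pem):
    """True if OpenSSL (through the ssl module) can load pem as a CA certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem)
    except ssl.SSLError:
        return False
    return True


def merge_bundle(bundle_text, extra_files, require_valid=True):
    """Append the certificates in extra_files ({name: PEM text}) to bundle_text.

    Returns (merged_text, added_fingerprints, skipped_duplicate_fingerprints).
    A certificate already in the bundle (same DER, so same fingerprint) is
    skipped, which makes repeated merges a no-op. With require_valid=True every
    new certificate must also be accepted by OpenSSL.
    """
    known = parse_pem_bundle(bundle_text)
    added, skipped = [], []
    # Make sure the bundle ends with a newline before appending (the shell loop
    # in the PR uses `echo >>` for the same reason).
    out = bundle_text if not bundle_text or bundle_text.endswith("\n") else bundle_text + "\n"
    for name, text in sorted(extra_files.items()):
        for fp, der in parse_pem_bundle(text).items():
            if fp in known:
                skipped.append(fp)
                continue
            pem = to_pem(der)
            if require_valid and not openssl_accepts(pem):
                raise ValueError(f"{name}: OpenSSL rejected certificate {fp[:16]}")
            out += pem
            known[fp] = der
            added.append(fp)
    return out, added, skipped


def merge_directory_into_bundle(bundle_path, ca_dir, require_valid=True):
    """Filesystem wrapper: merge every regular file in ca_dir into bundle_path.

    On a Kubernetes secret mount the `..data` symlink points at a directory and is
    skipped by is_file(); the per-key symlinks resolve to regular files.
    """
    bundle_path = Path(bundle_path)
    extra = {p.name: p.read_text() for p in sorted(Path(ca_dir).iterdir()) if p.is_file()}
    merged, added, skipped = merge_bundle(bundle_path.read_text(), extra, require_valid)
    if added:
        bundle_path.write_text(merged)
    return added, skipped


# Constructed sample data (assumption): PEM-shaped placeholders, NOT real X.509
# certificates, used only to exercise parsing and deduplication.
SAMPLE_EXISTING = to_pem(b"constructed placeholder: existing root")
SAMPLE_CORP_CA = to_pem(b"constructed placeholder: corporate root")
# Bundle deliberately without a trailing newline.
SAMPLE_BUNDLE = "# bundle header\n" + SAMPLE_EXISTING.rstrip("\n")
```

In a container the call would be `merge_directory_into_bundle(bundle, "/usr/local/share/ca-certificates")` with `bundle` being the path that `python3 -m certifi` prints; with real certificates `require_valid` stays at its default so a file OpenSSL cannot parse aborts the start-up instead of corrupting the bundle.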

@patsevanton patsevanton marked this pull request as draft November 19, 2025 06:13
@patsevanton patsevanton marked this pull request as ready for review November 19, 2025 09:27
@patsevanton
Contributor Author

check pod with default values:

k get pod -n test
NAME                                                              READY   STATUS    RESTARTS      AGE
sentry-billing-metrics-consumer-5bdf4fc49c-bqs8q                  1/1     Running   0             17m
sentry-clickhouse-0                                               1/1     Running   0             36m
sentry-cron-5956fd595b-rrwt8                                      1/1     Running   2 (35m ago)   36m
sentry-generic-metrics-consumer-78c5cc7595-5l54h                  1/1     Running   0             17m
sentry-ingest-consumer-attachments-67fcd8bdf7-5cc7l               1/1     Running   0             17m
sentry-ingest-consumer-events-6f4f47d6f5-4gmsg                    1/1     Running   0             17m
sentry-ingest-consumer-transactions-6bdc9b4675-7gpb5              1/1     Running   0             17m
sentry-ingest-monitors-5586bf7f85-5qsbh                           1/1     Running   0             17m
sentry-ingest-occurrences-99b59f886-v7xd4                         1/1     Running   0             17m
sentry-ingest-replay-recordings-5969c9b7f6-z4lkr                  1/1     Running   0             17m
sentry-issue-occurrence-consumer-76cd5fb55f-tg8lq                 1/1     Running   0             16m
sentry-kafka-controller-0                                         1/1     Running   0             36m
sentry-kafka-controller-1                                         1/1     Running   0             36m
sentry-kafka-controller-2                                         1/1     Running   0             36m
sentry-metrics-consumer-8579b79f55-jqfbg                          1/1     Running   0             17m
sentry-nginx-76b877d65c-7q7k7                                     1/1     Running   0             36m
sentry-post-process-forward-errors-679d788f76-xm24x               1/1     Running   0             17m
sentry-post-process-forward-issue-platform-799887b85-pfl7l        1/1     Running   0             17m
sentry-post-process-forward-transactions-d948d4bf7-9nfkt          1/1     Running   0             17m
sentry-process-segments-5cb9b485bd-h6f7x                          1/1     Running   0             17m
sentry-process-spans-57cb9858d7-fdjps                             1/1     Running   0             17m
sentry-rabbitmq-0                                                 1/1     Running   0             36m
sentry-relay-58b96769f9-lcmwf                                     1/1     Running   0             16m
sentry-sentry-postgresql-0                                        1/1     Running   0             36m
sentry-sentry-redis-master-0                                      1/1     Running   0             36m
sentry-sentry-redis-replicas-0                                    1/1     Running   0             36m
sentry-snuba-api-f74b4f588-w25l2                                  1/1     Running   0             36m
sentry-snuba-consumer-6cb4cb8757-tfmtl                            1/1     Running   0             17m
sentry-snuba-eap-items-consumer-7845d45b9f-88tpf                  1/1     Running   0             17m
sentry-snuba-generic-metrics-counters-consumer-7dbfd55c49-tbz4h   1/1     Running   0             17m
sentry-snuba-generic-metrics-distributions-consumer-748d6cnvqgk   1/1     Running   0             17m
sentry-snuba-generic-metrics-gauges-consumer-9654b4b99-g76v2      1/1     Running   0             17m
sentry-snuba-generic-metrics-sets-consumer-64b9754c7c-t52kr       1/1     Running   0             17m
sentry-snuba-group-attributes-consumer-84b5c99ffc-x8q5q           1/1     Running   0             17m
sentry-snuba-metrics-consumer-5fcf4484d6-ztjtg                    1/1     Running   0             17m
sentry-snuba-outcomes-billing-consumer-df4495b86-g4btl            1/1     Running   0             17m
sentry-snuba-outcomes-consumer-77b6db7ff6-qh44g                   1/1     Running   0             16m
sentry-snuba-replacer-dfb58ccbd-qb5pw                             1/1     Running   0             16m
sentry-snuba-replays-consumer-645b8d5b77-hv8lp                    1/1     Running   0             17m
sentry-snuba-spans-consumer-67f97b997f-kcxqm                      1/1     Running   0             16m
sentry-snuba-subscription-consumer-eap-items-765f858657-6jqrv     1/1     Running   0             16m
sentry-snuba-subscription-consumer-events-dbccb685f-rr9k5         1/1     Running   0             16m
sentry-snuba-subscription-consumer-generic-metrics-counter4sg8r   1/1     Running   0             16m
sentry-snuba-subscription-consumer-generic-metrics-distrib7xlkx   1/1     Running   0             16m
sentry-snuba-subscription-consumer-generic-metrics-gauges-8d986   1/1     Running   0             16m
sentry-snuba-subscription-consumer-generic-metrics-sets-68kdmzx   1/1     Running   0             16m
sentry-snuba-subscription-consumer-metrics-ddd5cbfb-zzhc8         1/1     Running   0             16m
sentry-snuba-subscription-consumer-transactions-94977b985-chs7c   1/1     Running   0             16m
sentry-snuba-transactions-consumer-654bdd67df-w92d7               1/1     Running   0             16m
sentry-snuba-uptime-results-consumer-69b947f485-zh772             1/1     Running   0             16m
sentry-subscription-consumer-events-65c7f8f869-9rc29              1/1     Running   0             17m
sentry-subscription-consumer-generic-metrics-6d7498cb58-wxmb8     1/1     Running   0             17m
sentry-subscription-consumer-metrics-6c79f7c6f8-nt54r             1/1     Running   0             17m
sentry-subscription-consumer-results-eap-items-555564fcff-v9msl   1/1     Running   0             17m
sentry-subscription-consumer-transactions-88565c457-mh4hp         1/1     Running   0             17m
sentry-uptime-results-756d7d7ff9-c48mn                            1/1     Running   0             17m
sentry-web-ff5495f57-sxrq9                                        1/1     Running   1 (35m ago)   36m
sentry-worker-69955f4cbd-q5l6p                                    1/1     Running   2 (35m ago)   36m
sentry-zookeeper-clickhouse-0                                     1/1     Running   0             36m

@jiriks74
Contributor

jiriks74 commented Nov 20, 2025

Hi,
I'll take a look whether I have some resources available to make a test deployment.

Since you're messing around with worker arguments in this PR, would it be possible to add

--max-msg-batch-time-ms
--max-parallel-batch-time-ms

for Sentry consumers alongside concurrency (--processes after --)?

Tweaking these helps to reduce lag quite a lot.

@patsevanton
Contributor Author

patsevanton commented Nov 20, 2025

I'm thinking of adding
--max-msg-batch-time-ms
--max-parallel-batch-time-ms
concurrency
should be added in a separate PR


@honghainguyen777 honghainguyen777 left a comment


I've not checked the integrations, but I have some comments on template problems.

Comment on lines +85 to +96
- |
{{- if .Values.sentry.web.installAdditionalPackages }}
pip install {{ range .Values.sentry.web.installAdditionalPackages }}{{ . }} {{ end }}
{{- end }}
{{- if .Values.sentry.web.caCertificatesSecret }}
mkdir -p /usr/local/share/ca-certificates/
for c in $(ls -1 /usr/local/share/ca-certificates/); do
cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
done
update-ca-certificates
{{- end }}
sentry run web
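Review bot: the `pip install` on the second line runs at every pod start and fetches from the package index at that moment, so unless every entry in `installAdditionalPackages` carries a version (or `--hash`) pin, what ends up in the container is not reproducible and a compromised or yanked release lands straight in production; pin the default list, or bake these packages into a derived image and drop the runtime install. In the certificate loop, `for c in $(ls -1 ...)` word-splits file names and `mkdir -p` is a no-op once the secret is mounted at that path; `for c in /usr/local/share/ca-certificates/*; do cat "$c" ...` avoids both. Also note that Debian's `update-ca-certificates` only picks up files with a `.crt` suffix from that directory, so secret keys without it reach certifi but never the system store.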

@honghainguyen777 honghainguyen777 Nov 20, 2025


If I understand /bin/bash -c correctly, it accepts exactly one argument. All the arguments after the first one will be ignored (well, not really ignored, but these args will be assigned to $0, $1, ...).

# Example
command: ["/bin/bash", "-c"]
args:
  - |
    sentry run web
  - "--workers"
  - "4" 

$0 = --workers and $1 = 4, but sentry run web (or the whole first string) doesn’t use $0 or $1, so those args don’t get passed to it.

To make it work, you have to have:

        command: ["/bin/bash", "-c"]
        args:
          - |
            {{- if .Values.sentry.web.installAdditionalPackages }}
            pip install {{ range .Values.sentry.web.installAdditionalPackages }}{{ . }} {{ end }}
            {{- end }}
            {{- if .Values.sentry.web.caCertificatesSecret }}
            mkdir -p /usr/local/share/ca-certificates/
            for c in $(ls -1 /usr/local/share/ca-certificates/); do
                cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
            done
            update-ca-certificates
            {{- end }}
            sentry run web {{- if .Values.sentry.web.workers }} --workers {{ .Values.sentry.web.workers }}{{- end }}{{- if .Values.sentry.web.logLevel }} --loglevel {{ .Values.sentry.web.logLevel }}{{- end }}{{- if .Values.sentry.web.logFormat }} --logformat {{ .Values.sentry.web.logFormat }}{{- end }}

You may want to add set -euo pipefail so the container fails fast on errors.
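The $0/$1 behaviour described in the comment above, as an added example that is not part of the reviewer's comment or of the chart: Python drives /bin/sh (assumed present; `bash -c` assigns positional parameters the same way), and a constructed `fake_sentry` shell function stands in for `sentry run web`, printing the argument vector it actually received.

```python
import subprocess


def run_sh(script, *extra_args):
    """Run `sh -c SCRIPT [EXTRA_ARGS...]` and return its stdout lines.

    Assumes a POSIX /bin/sh; bash -c assigns the extra arguments identically.
    """
    result = subprocess.run(
        ["sh", "-c", script, *extra_args],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def positional_params(*extra_args):
    """Where arguments after the script string end up: $0, $1, ... ($# counts the
    ones after $0). They are not appended to any command inside the script."""
    out = run_sh(r'printf "%s\n" "$0" "$1" "$#"', *extra_args)
    return {"argv0": out[0], "argv1": out[1], "count": int(out[2])}


# Constructed stand-in for `sentry run web`: prints each argument it received
# on its own line, so the test can see whether the flags made it through.
FAKE_SENTRY = r'fake_sentry() { printf "%s\n" "$@"; }'


def broken_layout():
    """The PR's original layout: flags as separate list items after the script."""
    script = FAKE_SENTRY + "; fake_sentry run web"
    return run_sh(script, "--workers", "4")  # flags vanish into $0 and $1


def fixed_layout_dollar_at():
    """Forward the extra arguments with "$@"; the first extra argument only fills $0."""
    script = FAKE_SENTRY + '; fake_sentry run web "$@"'
    return run_sh(script, "sh", "--workers", "4")


def fixed_layout_inline():
    """The reviewer's fix: the flags live inside the single script string."""
    script = FAKE_SENTRY + "; fake_sentry run web --workers 4"
    return run_sh(script)
```

Both fixed layouts hand `--workers 4` to the command; the `"$@"` form keeps the flags as separate Kubernetes `args` items, which is convenient when they are templated from values.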

Comment on lines +83 to +94
- |
{{- if .Values.sentry.workerEvents.installAdditionalPackages }}
pip install {{ range .Values.sentry.workerEvents.installAdditionalPackages }}{{ . }} {{ end }}
{{- end }}
{{- if .Values.sentry.workerEvents.caCertificatesSecret }}
mkdir -p /usr/local/share/ca-certificates/
for c in $(ls -1 /usr/local/share/ca-certificates/); do
cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
done
update-ca-certificates
{{- end }}
sentry run worker
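Review bot: this block is a verbatim copy of the web template's start-up script (and the same copy appears again for the other worker deployments), so every fix raised on the first copy, such as `set -euo pipefail` and the quoting of the certificate loop, has to be applied four times; move the script into a Helm named template (`define`/`include`) parameterised on the values key, and have each deployment include it.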

@honghainguyen777 honghainguyen777 Nov 20, 2025


See the first comment

Comment on lines +83 to +94
- |
{{- if .Values.sentry.workerTransactions.installAdditionalPackages }}
pip install {{ range .Values.sentry.workerTransactions.installAdditionalPackages }}{{ . }} {{ end }}
{{- end }}
{{- if .Values.sentry.workerTransactions.caCertificatesSecret }}
mkdir -p /usr/local/share/ca-certificates/
for c in $(ls -1 /usr/local/share/ca-certificates/); do
cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
done
update-ca-certificates
{{- end }}
sentry run worker
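Review bot: both steps in this script need write access the container may not have: `pip install` writes into site-packages and `update-ca-certificates` rewrites /etc/ssl/certs, so under a securityContext with `readOnlyRootFilesystem: true` or a non-root `runAsUser` the worker fails at start-up with a permission error; the values documentation for `installAdditionalPackages` and `caCertificatesSecret` should state that requirement, or the chart should skip the steps when they cannot apply.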

@honghainguyen777 honghainguyen777 Nov 20, 2025


See the first comment

Comment on lines +83 to +94
- |
{{- if .Values.sentry.worker.installAdditionalPackages }}
pip install {{ range .Values.sentry.worker.installAdditionalPackages }}{{ . }} {{ end }}
{{- end }}
{{- if .Values.sentry.worker.caCertificatesSecret }}
mkdir -p /usr/local/share/ca-certificates/
for c in $(ls -1 /usr/local/share/ca-certificates/); do
cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
done
update-ca-certificates
{{- end }}
sentry run worker
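Review bot: `$(python3 -m certifi)` is evaluated twice per loop iteration, so a secret with N certificates starts 2N Python interpreters just to look up one path; resolve it once before the loop (`bundle="$(python3 -m certifi)"`) and use `cat "$c" >> "$bundle"; echo >> "$bundle"`, which also makes the error message clearer when certifi is missing from the image.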

@honghainguyen777 honghainguyen777 Nov 20, 2025


See the first comment

@honghainguyen777

honghainguyen777 commented Nov 20, 2025

For the custom CA certificates, can we save the certs in K8S Secret resources and mount them to the containers using volumes and volumeMounts? The problem is that you are mutating files that belong to installed packages (certifi), which can be surprising and brittle.

@jiriks74
Contributor

I'm thinking whether it wouldn't be better to have the CA under .global and add it to all deployments. If you want to add a CA you most likely want to add it everywhere, as I don't really see a use case where you'd add it to just one or two workers.

And I find it better to add the CA everywhere as, e.g., Snuba can connect to Redis using SSL and both Snuba and Sentry can connect to Kafka using SSL.

I don't think that having the option for Sentry and having to rebuild the Snuba image would be better than having it everywhere and potentially not using it in some deployments.

@patsevanton patsevanton marked this pull request as draft November 22, 2025 14:23