From b753db3a41278fde85d8da6b2fcf17ada5ab1803 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 16 Apr 2026 12:20:59 +0300 Subject: [PATCH 01/11] Add support for iceberg audit logs for lakeFS Enterprise --- CHANGELOG.md | 4 + charts/lakefs/Chart.yaml | 2 +- charts/lakefs/templates/_helpers.tpl | 30 ++++++++ charts/lakefs/templates/audit/cronjob.yaml | 90 ++++++++++++++++++++++ charts/lakefs/templates/audit/secret.yaml | 16 ++++ charts/lakefs/values.yaml | 34 ++++++++ 6 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 charts/lakefs/templates/audit/cronjob.yaml create mode 100644 charts/lakefs/templates/audit/secret.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 002dbaa..d4fe79a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +# 1.9.0 +:new: What's new: +- Add audit log maintenance CronJob support (Enterprise-only). Runs compaction, snapshot expiration, orphan cleanup, and lakeFS commit on a configurable schedule (default: every 4 hours). Enable with `auditLog.enabled: true`. + # 1.8.1 :new: What's new: - Update lakeFS version to [1.80.0](https://github.com/treeverse/lakeFS/releases/tag/v1.80.0) diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml index a042ff4..80cab02 100644 --- a/charts/lakefs/Chart.yaml +++ b/charts/lakefs/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: lakefs description: A Helm chart for running LakeFS on Kubernetes type: application -version: 1.8.1 +version: 1.9.0 appVersion: 1.80.0 home: https://lakefs.io diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl index d3bfc1a..474e920 100644 --- a/charts/lakefs/templates/_helpers.tpl +++ b/charts/lakefs/templates/_helpers.tpl 
@@ -117,6 +117,36 @@ app.kubernetes.io/component: replication app: {{ include "lakefs.name" . }}-replication {{- end }} +{{/* +Audit maintenance resource full name +*/}} +{{- define "audit.fullname" -}} +{{- $name := include "lakefs.fullname" . }} +{{- printf "%s-audit-maintain" $name | trunc 63 }} +{{- end }} + +{{/* +Audit maintenance common labels +*/}} +{{- define "audit.labels" -}} +helm.sh/chart: {{ include "lakefs.chart" . }} +{{ include "audit.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Audit maintenance selector labels +*/}} +{{- define "audit.selectorLabels" -}} +app.kubernetes.io/name: {{ include "lakefs.name" . }}-audit-maintain +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: audit-maintain +app: {{ include "lakefs.name" . }}-audit-maintain +{{- end }} + {{- define "lakefs.dockerConfigJson" }} {{- $token := .Values.image.privateRegistry.secretToken }} {{- $username := "externallakefs" }} diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml new file mode 100644 index 0000000..ebbb19e --- /dev/null +++ b/charts/lakefs/templates/audit/cronjob.yaml 
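Review bot: `audit.fullname` truncates to 63 characters, but cronjob.yaml uses this name as the CronJob's `metadata.name`, and Kubernetes limits CronJob names to 52 characters because the controller appends a suffix when it creates Jobs. Truncating after the suffix is appended can also cut `-audit-maintain` short or leave a trailing `-` on a long release name. Truncate the base name instead: `{{- printf "%s-audit-maintain" ($name | trunc 37 | trimSuffix "-") }}`. The label values built from `lakefs.name` plus `-audit-maintain` in `audit.selectorLabels` are subject to the 63-character label limit and are not truncated at all.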
@@ -0,0 +1,90 @@ +{{- if and (.Values.enterprise).enabled (.Values.auditLog).enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "audit.fullname" . }} + labels: + {{- include "audit.labels" . | nindent 4 }} +spec: + schedule: {{ .Values.auditLog.maintenance.schedule | quote }} + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: {{ .Values.auditLog.maintenance.successfulJobsHistoryLimit | default 3 }} + failedJobsHistoryLimit: {{ .Values.auditLog.maintenance.failedJobsHistoryLimit | default 3 }} + jobTemplate: + spec: + template: + metadata: + labels: + {{- include "audit.selectorLabels" . | nindent 12 }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.auditLog.maintenance.metricsPort | default 9090 | quote }} + {{- with .Values.auditLog.maintenance.podAnnotations }} + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "lakefs.serviceAccountName" . }} + {{- else if .Values.auditLog.maintenance.serviceAccountName }} + serviceAccountName: {{ .Values.auditLog.maintenance.serviceAccountName }} + {{- end }} + restartPolicy: OnFailure + containers: + - name: audit-maintain + image: "{{ include "lakefs.repository" . }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - audit + - maintain + - --endpoint + - {{ .Values.auditLog.maintenance.endpoint | default (printf "http://%s:%v" (include "lakefs.fullname" .) 
.Values.service.port) }} + {{- if .Values.auditLog.maintenance.retentionDays }} + - --retention-days + - {{ .Values.auditLog.maintenance.retentionDays | quote }} + {{- end }} + {{- if .Values.auditLog.maintenance.shutdownDelay }} + - --shutdown-delay + - {{ .Values.auditLog.maintenance.shutdownDelay | quote }} + {{- end }} + {{- if .Values.auditLog.maintenance.metricsPort }} + - --metrics-port + - {{ .Values.auditLog.maintenance.metricsPort | quote }} + {{- end }} + {{- with .Values.auditLog.maintenance.extraArgs }} + {{- toYaml . | nindent 16 }} + {{- end }} + env: + - name: LAKEFS_AUDIT_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Values.auditLog.maintenance.existingSecret | default (include "audit.fullname" .) }} + key: {{ ((.Values.auditLog.maintenance).secretKeys).accessKeyID | default "access_key_id" }} + - name: LAKEFS_AUDIT_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.auditLog.maintenance.existingSecret | default (include "audit.fullname" .) }} + key: {{ ((.Values.auditLog.maintenance).secretKeys).secretAccessKey | default "secret_access_key" }} + {{- with .Values.auditLog.maintenance.extraEnvVars }} + {{- toYaml . | nindent 16 }} + {{- end }} + {{- with .Values.auditLog.maintenance.resources }} + resources: + {{- toYaml . | nindent 16 }} + {{- end }} + {{- if (.Values.image.privateRegistry).enabled }} + imagePullSecrets: + {{- if (.Values.image.privateRegistry).secretToken }} + - name: "docker-registry" + {{- else if (.Values.image.privateRegistry).secretName }} + - name: {{ .Values.image.privateRegistry.secretName }} + {{- end }} + {{- end }} + {{- with .Values.auditLog.maintenance.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.auditLog.maintenance.tolerations }} + tolerations: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} diff --git a/charts/lakefs/templates/audit/secret.yaml b/charts/lakefs/templates/audit/secret.yaml new file mode 100644 index 0000000..3817d5b 
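Review bot: `{{- if .Values.auditLog.maintenance.retentionDays }}` is false for `0`, so the setting that values.yaml documents as "0 = no expiration" never reaches the command, and `audit maintain` falls back to whatever its built-in retention is (not visible here). For audit data that can mean snapshots are expired when the operator asked to keep them. Test for presence rather than truthiness: `{{- if not (kindIs "invalid" .Values.auditLog.maintenance.retentionDays) }}`. Separately, neither the pod nor the container sets a `securityContext`; if the chart's Deployment exposes one through values, this job should apply it too.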
--- /dev/null +++ b/charts/lakefs/templates/audit/secret.yaml @@ -0,0 +1,16 @@ +{{- if and (.Values.enterprise).enabled (.Values.auditLog).enabled }} +{{- if not .Values.auditLog.maintenance.existingSecret }} +{{- if and .Values.auditLog.maintenance.accessKeyID .Values.auditLog.maintenance.secretAccessKey }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "audit.fullname" . }} + labels: + {{- include "audit.labels" . | nindent 4 }} +type: Opaque +data: + access_key_id: {{ .Values.auditLog.maintenance.accessKeyID | b64enc }} + secret_access_key: {{ .Values.auditLog.maintenance.secretAccessKey | b64enc }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 358d018..7f507bb 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
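Review bot: When `existingSecret` is empty and only one of `accessKeyID`/`secretAccessKey` is set (or neither), this template renders nothing, yet cronjob.yaml in the same commit still points both `secretKeyRef` entries at `audit.fullname`. The install succeeds and every scheduled pod then fails to start on the missing Secret. Fail at render time instead by adding an else branch to the innermost `if`: `{{- else }}{{- fail "auditLog.maintenance: set existingSecret, or both accessKeyID and secretAccessKey" }}`. Quoting the encoded values (`| b64enc | quote`) would also keep the rendered YAML unambiguous.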
@@ -252,5 +252,39 @@ enterprise: samlRsaPublicCert: null samlRsaPrivateKey: null +# Audit log maintenance CronJob (Enterprise-only). +# Requires enterprise.enabled: true and audit_log.enabled: true in lakefsConfig. +auditLog: + enabled: false + maintenance: + # Cron schedule for the maintenance job (default: every 4 hours). + schedule: "0 */4 * * *" + # Credentials for the audit service user (created by lakeFS bootstrap). + # Either set these directly or use existingSecret. + accessKeyID: "" + secretAccessKey: "" + # Use an existing K8s Secret instead of creating one. + # existingSecret: my-audit-secret + # secretKeys: + # accessKeyID: access_key_id + # secretAccessKey: secret_access_key + # Override the lakeFS endpoint (defaults to the in-cluster service). + # endpoint: http://lakefs:80 + # Snapshot retention in days (0 = no expiration). + retentionDays: 90 + # Time to keep the process alive after work completes for Prometheus scraping. + shutdownDelay: 2m + # Port for the Prometheus /metrics endpoint. + metricsPort: 9090 + # Extra CLI arguments to pass to the maintain command. + extraArgs: [] + extraEnvVars: [] + podAnnotations: {} + resources: {} + nodeSelector: {} + tolerations: [] + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 3 + secrets: licenseContents: null From 321a6c59e246311c920e0a7316b8ab9133dc78b9 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 16 Apr 2026 15:23:40 +0300 Subject: [PATCH 02/11] Added a default timeout for maintanence cron job --- charts/lakefs/templates/audit/cronjob.yaml | 1 + charts/lakefs/values.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index ebbb19e..30f8502 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml 
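Review bot: The comment on `accessKeyID`/`secretAccessKey` presents inline values and `existingSecret` as equal options, but keys set here are kept in the Helm release record and in any values file that gets committed. I would add above them `# Prefer existingSecret: values set here are stored in the Helm release and in any committed values file.` cronjob.yaml also reads `auditLog.maintenance.serviceAccountName`, which has no entry or comment in this block.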
@@ -12,6 +12,7 @@ spec: failedJobsHistoryLimit: {{ .Values.auditLog.maintenance.failedJobsHistoryLimit | default 3 }} jobTemplate: spec: + activeDeadlineSeconds: {{ .Values.auditLog.maintenance.activeDeadlineSeconds | default 28800 }} template: metadata: labels: diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 7f507bb..991ba64 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -276,6 +276,8 @@ auditLog: shutdownDelay: 2m # Port for the Prometheus /metrics endpoint. metricsPort: 9090 + # Maximum time (seconds) the job is allowed to run before K8s kills it (default: 8 hours). + activeDeadlineSeconds: 28800 # Extra CLI arguments to pass to the maintain command. extraArgs: [] extraEnvVars: [] From cb6885f314bc661f21afd2c8dd8dcb275ff58dfb Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 19 Apr 2026 11:44:38 +0300 Subject: [PATCH 03/11] Fix chart version --- CHANGELOG.md | 2 +- charts/lakefs/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4fe79a..46b34ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -# 1.9.0 +# 1.8.2 :new: What's new: - Add audit log maintenance CronJob support (Enterprise-only). Runs compaction, snapshot expiration, orphan cleanup, and lakeFS commit on a configurable schedule (default: every 4 hours). Enable with `auditLog.enabled: true`. diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml index 80cab02..3da9814 100644 --- a/charts/lakefs/Chart.yaml +++ b/charts/lakefs/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: lakefs description: A Helm chart for running LakeFS on Kubernetes type: application -version: 1.9.0 +version: 1.8.2 appVersion: 1.80.0 home: https://lakefs.io From a9aa98d96cfda32da5c593ca2ed39d9611d61cd4 Mon Sep 17 00:00:00 2001 
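Review bot: The default `activeDeadlineSeconds` of 28800 (8 hours) is twice the default 4-hour schedule, and the CronJob is created with `concurrencyPolicy: Forbid`, so a run that hangs causes the next scheduled run to be skipped with no signal other than the missing Job. The values.yaml comment should say so, for example `# Keep below the schedule interval: with concurrencyPolicy Forbid, a run still active at the next tick causes that tick to be skipped.` The `| default 28800` in the template repeats the default already set in values.yaml; one of the two is enough. The CronJob spec starts and ends outside the first hunk.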
From: Idan Novogroder Date: Sun, 26 Apr 2026 13:39:53 +0300 Subject: [PATCH 04/11] Fix --- charts/lakefs/templates/audit/cronjob.yaml | 55 ++++++++++++++++------ charts/lakefs/templates/audit/secret.yaml | 16 ------- charts/lakefs/values.yaml | 12 +---- 3 files changed, 42 insertions(+), 41 deletions(-) delete mode 100644 charts/lakefs/templates/audit/secret.yaml diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index 30f8502..ebfd692 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml @@ -37,8 +37,8 @@ spec: args: - audit - maintain - - --endpoint - - {{ .Values.auditLog.maintenance.endpoint | default (printf "http://%s:%v" (include "lakefs.fullname" .) .Values.service.port) }} + - -c + - /etc/lakefs/config.yaml {{- if .Values.auditLog.maintenance.retentionDays }} - --retention-days - {{ .Values.auditLog.maintenance.retentionDays | quote }} 
@@ -54,24 +54,51 @@ spec: {{- with .Values.auditLog.maintenance.extraArgs }} {{- toYaml . | nindent 16 }} {{- end }} + {{- include "lakefs.env" . | nindent 14 }} + volumeMounts: + - name: config-volume + mountPath: /etc/lakefs + readOnly: true + {{- if (.Values.enterprise).enabled }} + {{- if or (and .Values.secrets .Values.secrets.licenseContents) (and .Values.existingSecret .Values.secretKeys.licenseContentsKey) }} + - name: secret-volume-license-token + mountPath: /etc/lakefs/license.tkn + subPath: license.tkn + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.auditLog.maintenance.extraEnvVars }} env: - - name: LAKEFS_AUDIT_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ .Values.auditLog.maintenance.existingSecret | default (include "audit.fullname" .) }} - key: {{ ((.Values.auditLog.maintenance).secretKeys).accessKeyID | default "access_key_id" }} - - name: LAKEFS_AUDIT_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ .Values.auditLog.maintenance.existingSecret | default (include "audit.fullname" .) }} - key: {{ ((.Values.auditLog.maintenance).secretKeys).secretAccessKey | default "secret_access_key" }} - {{- with .Values.auditLog.maintenance.extraEnvVars }} {{- toYaml . | nindent 16 }} - {{- end }} + {{- end }} {{- with .Values.auditLog.maintenance.resources }} resources: {{- toYaml . | nindent 16 }} {{- end }} + volumes: + - name: config-volume + configMap: + name: {{ include "lakefs.fullname" . }} + items: + - key: config.yaml + path: config.yaml + {{- if (.Values.enterprise).enabled }} + {{- if and .Values.existingSecret .Values.secretKeys.licenseContentsKey }} + - name: secret-volume-license-token + secret: + secretName: {{ .Values.existingSecret }} + items: + - key: {{ .Values.secretKeys.licenseContentsKey }} + path: license.tkn + {{- else if and .Values.secrets .Values.secrets.licenseContents }} + - name: secret-volume-license-token + secret: + secretName: {{ include "lakefs.fullname" . 
}} + items: + - key: license_contents + path: license.tkn + {{- end }} + {{- end }} {{- if (.Values.image.privateRegistry).enabled }} imagePullSecrets: {{- if (.Values.image.privateRegistry).secretToken }} diff --git a/charts/lakefs/templates/audit/secret.yaml b/charts/lakefs/templates/audit/secret.yaml deleted file mode 100644 index 3817d5b..0000000 --- a/charts/lakefs/templates/audit/secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if and (.Values.enterprise).enabled (.Values.auditLog).enabled }} -{{- if not .Values.auditLog.maintenance.existingSecret }} -{{- if and .Values.auditLog.maintenance.accessKeyID .Values.auditLog.maintenance.secretAccessKey }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "audit.fullname" . }} - labels: - {{- include "audit.labels" . | nindent 4 }} -type: Opaque -data: - access_key_id: {{ .Values.auditLog.maintenance.accessKeyID | b64enc }} - secret_access_key: {{ .Values.auditLog.maintenance.secretAccessKey | b64enc }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 991ba64..da85784 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
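Review bot: The container now gets `{{- include "lakefs.env" . | nindent 14 }}` and, further down, a second `env:` key under `{{- with .Values.auditLog.maintenance.extraEnvVars }}`. `lakefs.env` appears to emit its own `env:` key (the `_env.tpl` hunk header in PATCH 08 shows `env:`), so setting `extraEnvVars` would produce a duplicate mapping key: depending on the parser, the manifest is rejected or one list silently replaces the other. Drop the second `env:` line and render the `extraEnvVars` items with `toYaml . | nindent 16` directly after the include, so they extend the same list. The container spec starts outside this hunk, so this is worth confirming against the rendered output of `helm template`.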
@@ -254,22 +254,12 @@ enterprise: # Audit log maintenance CronJob (Enterprise-only). # Requires enterprise.enabled: true and audit_log.enabled: true in lakefsConfig. +# The CronJob uses the same lakeFS config file — no credentials needed. auditLog: enabled: false maintenance: # Cron schedule for the maintenance job (default: every 4 hours). schedule: "0 */4 * * *" - # Credentials for the audit service user (created by lakeFS bootstrap). - # Either set these directly or use existingSecret. - accessKeyID: "" - secretAccessKey: "" - # Use an existing K8s Secret instead of creating one. - # existingSecret: my-audit-secret - # secretKeys: - # accessKeyID: access_key_id - # secretAccessKey: secret_access_key - # Override the lakeFS endpoint (defaults to the in-cluster service). - # endpoint: http://lakefs:80 # Snapshot retention in days (0 = no expiration). retentionDays: 90 # Time to keep the process alive after work completes for Prometheus scraping. From f847b360774efd9b72ec62836d5d04cd092bf13c Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 26 Apr 2026 17:23:54 +0300 Subject: [PATCH 05/11] Fix --- charts/lakefs/templates/audit/cronjob.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index ebfd692..c521916 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml @@ -57,7 +57,8 @@ spec: {{- include "lakefs.env" . | nindent 14 }} volumeMounts: - name: config-volume - mountPath: /etc/lakefs + mountPath: /etc/lakefs/config.yaml + subPath: config.yaml readOnly: true {{- if (.Values.enterprise).enabled }} {{- if or (and .Values.secrets .Values.secrets.licenseContents) (and .Values.existingSecret .Values.secretKeys.licenseContentsKey) }} From 92aa957db2dfb7fe8a7433dd5450b20e8ba27b17 Mon Sep 17 00:00:00 2001 
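Review bot: The new comment `no credentials needed` reads as if the job runs without secrets, but after this commit it mounts the server's `config.yaml` and includes `lakefs.env`, so it runs with whatever credentials the server configuration and environment carry (the contents of `lakefs.env` are not visible here). That is a wider set than the dedicated audit service-user key it replaces. I would word it as `# The CronJob reuses the server's config.yaml and environment, so it runs with the server's own credentials.`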
From: Idan Novogroder Date: Mon, 27 Apr 2026 14:44:28 +0300 Subject: [PATCH 06/11] Fix --- charts/lakefs/templates/audit/cronjob.yaml | 14 ++------------ charts/lakefs/values.yaml | 4 ---- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index c521916..62a9ce5 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml @@ -17,12 +17,10 @@ spec: metadata: labels: {{- include "audit.selectorLabels" . | nindent 12 }} + {{- with .Values.auditLog.maintenance.podAnnotations }} annotations: - prometheus.io/scrape: "true" - prometheus.io/port: {{ .Values.auditLog.maintenance.metricsPort | default 9090 | quote }} - {{- with .Values.auditLog.maintenance.podAnnotations }} {{- toYaml . | nindent 12 }} - {{- end }} + {{- end }} spec: {{- if .Values.serviceAccount.create }} serviceAccountName: {{ include "lakefs.serviceAccountName" . }} @@ -43,14 +41,6 @@ spec: - --retention-days - {{ .Values.auditLog.maintenance.retentionDays | quote }} {{- end }} - {{- if .Values.auditLog.maintenance.shutdownDelay }} - - --shutdown-delay - - {{ .Values.auditLog.maintenance.shutdownDelay | quote }} - {{- end }} - {{- if .Values.auditLog.maintenance.metricsPort }} - - --metrics-port - - {{ .Values.auditLog.maintenance.metricsPort | quote }} - {{- end }} {{- with .Values.auditLog.maintenance.extraArgs }} {{- toYaml . | nindent 16 }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index da85784..9e553f7 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
@@ -262,10 +262,6 @@ auditLog: schedule: "0 */4 * * *" # Snapshot retention in days (0 = no expiration). retentionDays: 90 - # Time to keep the process alive after work completes for Prometheus scraping. - shutdownDelay: 2m - # Port for the Prometheus /metrics endpoint. - metricsPort: 9090 # Maximum time (seconds) the job is allowed to run before K8s kills it (default: 8 hours). activeDeadlineSeconds: 28800 # Extra CLI arguments to pass to the maintain command. From 8823b46303103ec4e31b46cf862459c0f4328df0 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Mon, 27 Apr 2026 15:14:22 +0300 Subject: [PATCH 07/11] Fix --- charts/lakefs/templates/audit/cronjob.yaml | 4 ++++ charts/lakefs/values.yaml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index 62a9ce5..43965cc 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml @@ -41,6 +41,10 @@ spec: - --retention-days - {{ .Values.auditLog.maintenance.retentionDays | quote }} {{- end }} + {{- if .Values.auditLog.maintenance.timeout }} + - --timeout + - {{ .Values.auditLog.maintenance.timeout | quote }} + {{- end }} {{- with .Values.auditLog.maintenance.extraArgs }} {{- toYaml . | nindent 16 }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 9e553f7..cacc492 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -262,6 +262,8 @@ auditLog: schedule: "0 */4 * * *" # Snapshot retention in days (0 = no expiration). retentionDays: 90 + # Hard deadline for the maintenance run (0 = no timeout, default: 72h). + # timeout: 72h # Maximum time (seconds) the job is allowed to run before K8s kills it (default: 8 hours). activeDeadlineSeconds: 28800 # Extra CLI arguments to pass to the maintain command. From 84f2e1d63fd1040c6e12b7a2b8843effb9bfb9e7 Mon Sep 17 00:00:00 2001 
From: Idan Novogroder Date: Mon, 27 Apr 2026 15:31:43 +0300 Subject: [PATCH 08/11] Fix --- charts/lakefs/templates/_env.tpl | 4 ++++ charts/lakefs/templates/audit/cronjob.yaml | 2 +- charts/lakefs/values.yaml | 11 +++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 1e01df6..947f075 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -98,6 +98,10 @@ env: {{- end }} {{- end }} + {{- if (.Values.auditLog).enabled }} + - name: LAKEFS_AUDIT_LOG_MAINTENANCE_ENABLED + value: {{ ((.Values.auditLog).maintenance).inProcess | default true | quote }} + {{- end }} {{- if .Values.s3Fallback.enabled }} - name: LAKEFS_GATEWAYS_S3_FALLBACK_URL value: http://localhost:7001 diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index 43965cc..b3774f7 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.enterprise).enabled (.Values.auditLog).enabled }} +{{- if and (.Values.enterprise).enabled (.Values.auditLog).enabled (.Values.auditLog.maintenance).cronJob }} apiVersion: batch/v1 kind: CronJob metadata: diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index cacc492..7385319 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
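Review bot: The new `(.Values.auditLog.maintenance).cronJob` condition in cronjob.yaml does not look at `inProcess`, which defaults to `true`, so setting only `cronJob: true` renders the CronJob while the server is still told to run maintenance itself. Whether two maintainers can safely compact and expire the same audit tables at once is not visible here. Because the CronJob includes `lakefs.env`, its pod receives `LAKEFS_AUDIT_LOG_MAINTENANCE_ENABLED` as well. A render-time guard would make the choice explicit: `{{- if and .Values.auditLog.maintenance.cronJob .Values.auditLog.maintenance.inProcess }}{{- fail "auditLog.maintenance: set inProcess to false when cronJob is true" }}{{- end }}`.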
@@ -258,13 +258,20 @@ enterprise: auditLog: enabled: false maintenance: - # Cron schedule for the maintenance job (default: every 4 hours). + # Run maintenance inside the lakeFS server process (default: true). + # Disable to rely solely on the external CronJob instead. + inProcess: true + # Deploy a Kubernetes CronJob for maintenance instead of the default + # in-process scheduler. Set to true only if you want maintenance to + # run as a separate pod. + cronJob: false + # Cron schedule for the CronJob (default: every 4 hours). schedule: "0 */4 * * *" # Snapshot retention in days (0 = no expiration). retentionDays: 90 # Hard deadline for the maintenance run (0 = no timeout, default: 72h). # timeout: 72h - # Maximum time (seconds) the job is allowed to run before K8s kills it (default: 8 hours). + # Maximum time (seconds) the CronJob is allowed to run before K8s kills it (default: 8 hours). activeDeadlineSeconds: 28800 # Extra CLI arguments to pass to the maintain command. extraArgs: [] From fa3634271e68a47f1f2597f70a817512631b5ca4 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Mon, 27 Apr 2026 15:35:46 +0300 Subject: [PATCH 09/11] Fix --- charts/lakefs/templates/_env.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 947f075..c500685 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -100,7 +100,7 @@ env: {{- if (.Values.auditLog).enabled }} - name: LAKEFS_AUDIT_LOG_MAINTENANCE_ENABLED - value: {{ ((.Values.auditLog).maintenance).inProcess | default true | quote }} + value: {{ .Values.auditLog.maintenance.inProcess | quote }} {{- end }} {{- if .Values.s3Fallback.enabled }} - name: LAKEFS_GATEWAYS_S3_FALLBACK_URL From 84b1a17c2c9eb0e495de59c816eb3d9059d7f3c6 Mon Sep 17 00:00:00 2001 
From: Idan Novogroder Date: Wed, 29 Apr 2026 13:57:14 +0300 Subject: [PATCH 10/11] Fix --- charts/lakefs/templates/audit/cronjob.yaml | 4 ---- charts/lakefs/values.yaml | 2 -- 2 files changed, 6 deletions(-) diff --git a/charts/lakefs/templates/audit/cronjob.yaml b/charts/lakefs/templates/audit/cronjob.yaml index b3774f7..9fc0e08 100644 --- a/charts/lakefs/templates/audit/cronjob.yaml +++ b/charts/lakefs/templates/audit/cronjob.yaml @@ -41,10 +41,6 @@ spec: - --retention-days - {{ .Values.auditLog.maintenance.retentionDays | quote }} {{- end }} - {{- if .Values.auditLog.maintenance.timeout }} - - --timeout - - {{ .Values.auditLog.maintenance.timeout | quote }} - {{- end }} {{- with .Values.auditLog.maintenance.extraArgs }} {{- toYaml . | nindent 16 }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 7385319..149c05e 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -269,8 +269,6 @@ auditLog: schedule: "0 */4 * * *" # Snapshot retention in days (0 = no expiration). retentionDays: 90 - # Hard deadline for the maintenance run (0 = no timeout, default: 72h). - # timeout: 72h # Maximum time (seconds) the CronJob is allowed to run before K8s kills it (default: 8 hours). activeDeadlineSeconds: 28800 # Extra CLI arguments to pass to the maintain command. From 9d64dfdaf7add3ef0b99a5b2553c3ddd4c572a17 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Wed, 29 Apr 2026 22:38:40 +0300 Subject: [PATCH 11/11] Fix --- charts/lakefs/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 149c05e..658f91f 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
@@ -265,8 +265,8 @@ auditLog: # in-process scheduler. Set to true only if you want maintenance to # run as a separate pod. cronJob: false - # Cron schedule for the CronJob (default: every 4 hours). - schedule: "0 */4 * * *" + # Cron schedule for the CronJob (default: every hour). + schedule: "0 * * * *" # Snapshot retention in days (0 = no expiration). retentionDays: 90 # Maximum time (seconds) the CronJob is allowed to run before K8s kills it (default: 8 hours).
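Review bot: The default schedule becomes hourly here, but the CHANGELOG entry added earlier in this series still says `default: every 4 hours` and `Enable with auditLog.enabled: true`. Since PATCH 08 the CronJob also needs `auditLog.maintenance.cronJob: true`, so the entry would read better as `Enable with auditLog.enabled: true and auditLog.maintenance.cronJob: true`, with the schedule text updated to `every hour`. With `activeDeadlineSeconds` left at 8 hours and `concurrencyPolicy: Forbid`, one stuck run can now suppress several hourly runs.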