avirajkhare00 opened a new issue, #2975:
URL: https://github.com/apache/iggy/issues/2975

   ### Bug description
   
   This looks separate from #2932.
   
   While testing the Helm chart locally on kind, I found two chart bugs:
   
   1. The server deployment does not apply the chart's default podSecurityContext.
   2. The UI liveness/readiness probes use /, but the UI returns 404 on that path.
   
   What I tested
   
   ```
   kind create cluster --name iggy-chart

   helm install iggy ./helm/charts/iggy \
     -n iggy-test \
     --create-namespace \
     --set server.serviceMonitor.enabled=false
   ```
   
   I used server.serviceMonitor.enabled=false because a clean local cluster does not have the ServiceMonitor CRD.
   
   What I saw
   
   - The server pod did not get the documented default podSecurityContext.
   - The UI pod kept failing health checks because the probe path / returned 404.
   - Changing the UI probe path to /auth/sign-in made the UI healthy.
   
   Why this looks like a chart bug
   
   Server deployment:
   
   - helm/charts/iggy/templates/deployment.yaml uses server.podSecurityContext for the server pod.
   - helm/charts/iggy/values.yaml defines podSecurityContext only at the root level.
   
   So the server pod ends up without the expected default seccomp profile.
   
   UI deployment:
   
   - helm/charts/iggy/templates/deployment.yaml uses / for UI liveness/readiness probes.
   - The running UI returns 404 on /, so the probes fail even when the process is up.
   
   Expected
   
   - The server deployment should use the chart's default podSecurityContext.
   - The UI probes should use a route that returns 200.
   
   Actual
   
   - The server pod does not get the expected podSecurityContext.
   - The UI pod restarts because the probes hit a 404 route.
   
   Suggested fix
   
   - Make the server deployment use the root podSecurityContext value.
   - Change the UI probe path to a valid public route such as /auth/sign-in.
   
   ### Deployment
   
   Docker (DockerHub image)
   
   ### Versions
   
   server: apache/iggy:0.7.0, helm chart: 0.4.0
   
   ### Hardware / environment
   
   MacBook M1 Pro
   
   ### Sample code
   
   _No response_
   
   ### Logs
   
   Server error log
   
     2026-03-19T06:00:25.828867Z  INFO  main     iggy_server: Starting 6 shard(s)
   
     thread 'shard-0' (15) panicked at core/server/src/bootstrap.rs:189:10:
     called `Result::unwrap()` on an `Err` value: Os { code: 22, kind: InvalidInput, message: "Invalid argument" }
   
     2026-03-19T06:00:25.833235Z ERROR shard-0  server::configs::sharding: Failed to bind memory Rust(Unsupported)
     2026-03-19T06:00:25.833307Z ERROR shard-0  iggy_server: Failed to bind memory: BindingFailed
   
     2026-03-19T06:00:25.834382Z ERROR main     iggy_server: Server shutting down due to shard failure. (shutdown took 1 ms)
     Error: ShardFailure { message: "Shard 0 panicked: called `Result::unwrap()` on an `Err` value: Os { code: 22, kind: InvalidInput, message: \"Invalid argument\" }" }
   
     UI error log
   
     Listening on http://0.0.0.0:3050
   
     [404] GET /
     [404] GET /
     [404] GET /
   
     Kubernetes events for UI probe failure
   
     Warning  Unhealthy  pod/iggy-readme-check-ui-85db6cd9d-bldrb  Liveness probe failed: HTTP probe failed with statuscode: 404
     Warning  Unhealthy  pod/iggy-readme-check-ui-85db6cd9d-bldrb  Readiness probe failed: HTTP probe failed with statuscode: 404
   
     If you want a short issue-ready section, use:
   
     Logs:
   
     Server:
     - `thread 'shard-0' panicked at core/server/src/bootstrap.rs:189:10`
     - `called Result::unwrap() on an Err value: Os { code: 22, kind: InvalidInput, message: "Invalid argument" }`
     - `Failed to bind memory Rust(Unsupported)`
     - `Server shutting down due to shard failure`
   
     UI:
     - `Listening on http://0.0.0.0:3050`
     - `[404] GET /`
   
     Kubernetes events:
     - `Liveness probe failed: HTTP probe failed with statuscode: 404`
     - `Readiness probe failed: HTTP probe failed with statuscode: 404`
   
   ### Iggy server config
   
   found in helm values
   
   ```
   server:
     image:
       repository: apache/iggy
       tag: "0.7.0"
   
     ports:
       http: 3000
       quic: 8080
       tcp: 8090
   
     service:
       type: ClusterIP
       port: 3000
   
     serviceMonitor:
       enabled: false
   
     env:
       - name: RUST_LOG
         value: info
       - name: IGGY_HTTP_ADDRESS
         value: "0.0.0.0:3000"
       - name: IGGY_TCP_ADDRESS
         value: "0.0.0.0:8090"
       - name: IGGY_QUIC_ADDRESS
         value: "0.0.0.0:8080"
       - name: IGGY_WEBSOCKET_ADDRESS
         value: "0.0.0.0:8092"
   
   podSecurityContext:
     seccompProfile:
       type: Unconfined
   
   securityContext:
     capabilities:
       add:
         - IPC_LOCK
   ```
   
   ### Reproduction
   
   `helm install iggy ./helm/charts/iggy -n iggy-test --create-namespace --set server.serviceMonitor.enabled=false`
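
The root cause described in the issue (a template reading `server.podSecurityContext` while the values file defines `podSecurityContext` only at the root) is the kind of mismatch a small lint can catch before a pod silently loses its security settings. This is an added example, not part of the original issue or the Iggy chart; the template fragment and values are constructed, and the function names are hypothetical.

```python
import re

# Matches Helm value references such as `.Values.server.podSecurityContext`.
VALUES_REF = re.compile(r"\.Values((?:\.[A-Za-z_][A-Za-z0-9_]*)+)")

def defined(values, path):
    """Return True if the list of keys in `path` resolves inside `values`."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True

def undefined_value_refs(template_text, values):
    """Return (line_no, dotted_path) for each .Values reference with no default."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for match in VALUES_REF.finditer(line):
            path = match.group(1).lstrip(".").split(".")
            if not defined(values, path):
                findings.append((line_no, ".".join(path)))
    return findings

# Constructed values, shaped like the values quoted in the issue
# (podSecurityContext exists only at the root level).
VALUES = {
    "server": {"image": {"repository": "apache/iggy", "tag": "0.7.0"}},
    "podSecurityContext": {"seccompProfile": {"type": "Unconfined"}},
    "securityContext": {"capabilities": {"add": ["IPC_LOCK"]}},
}

# Constructed template fragment, not the chart's real deployment.yaml.
TEMPLATE = """\
spec:
  template:
    spec:
      {{- with .Values.server.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: server
          image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
"""

if __name__ == "__main__":
    for line_no, path in undefined_value_refs(TEMPLATE, VALUES):
        print(f"line {line_no}: .Values.{path} has no default in values")
```

Keys that are intentionally optional will also be reported, so treat the output as a review list rather than a pass/fail gate.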

