fix(chart): address open PR review comments for Langfuse retention jobs

Author: a-klos

infrastructure/README.md

@@ -201,13 +201,15 @@ langfuseRetention:
     schedule: "30 3 * * *"
     mutationSync: 0
   clickhouse:
-    database: "default"
-    onCluster: true
+    database: "default" # set this to the same DB your Langfuse deployment uses
+    onCluster: false # true only for clustered ClickHouse setups
     clusterName: "default"
 ```
 
 Notes:
 - ClickHouse connection/auth for retention jobs is taken from `langfuse.clickhouse.*` (same source as Langfuse itself).
+- Make sure `langfuseRetention.clickhouse.database` matches your Langfuse ClickHouse database, not just the chart default.
+- Set `langfuseRetention.clickhouse.onCluster=true` only when your ClickHouse deployment is clustered and `clusterName` exists.
 - The CronJob applies idempotent `ALTER TABLE ... MODIFY TTL` statements on Langfuse tables (`traces`, `observations`, `scores`).
 - If `hardDelete.enabled=true`, an additional CronJob executes deterministic `ALTER TABLE ... DELETE WHERE ...` mutations.
 - Deletion is then handled by ClickHouse background merges (not instant at the exact cutoff timestamp).

infrastructure/rag/templates/langfuse-retention-cronjob.yaml

@@ -20,27 +20,37 @@ spec:
             app.kubernetes.io/name: rag
             app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
+          securityContext:
+            runAsUser: {{ .Values.langfuseRetention.podSecurityContext.runAsUser }}
+            runAsNonRoot: {{ .Values.langfuseRetention.podSecurityContext.runAsNonRoot }}
+          {{- if .Values.shared.imagePullSecret }}
+          imagePullSecrets:
+            - name: {{ .Values.shared.imagePullSecret.name }}
+          {{- end }}
           restartPolicy: OnFailure
           containers:
             - name: apply-clickhouse-ttl
               image: {{ $retentionImage | quote }}
               imagePullPolicy: {{ .Values.langfuseRetention.image.pullPolicy | quote }}
+              securityContext:
+                allowPrivilegeEscalation: {{ .Values.langfuseRetention.securityContext.allowPrivilegeEscalation }}
+              {{- with .Values.langfuseRetention.resources }}
+              resources:
+{{ toYaml . | nindent 16 }}
+              {{- end }}
               command:
                 - /bin/bash
                 - -ec
               args:
                 - |
                   set -euo pipefail
 
-                  PASSWORD="${CLICKHOUSE_PASSWORD:-}"
-                  if [ -z "${PASSWORD}" ]; then
-                    PASSWORD="${CLICKHOUSE_PASSWORD_LITERAL:-}"
-                  fi
-
-                  if [ -z "${PASSWORD}" ]; then
+                  if [ -z "${CLICKHOUSE_PASSWORD:-}" ] && [ -z "${CLICKHOUSE_PASSWORD_LITERAL:-}" ]; then
                     echo "No ClickHouse password found. Check langfuse.clickhouse.auth settings and secret."
                     exit 1
                   fi
+                  export CLICKHOUSE_PASSWORD="${CLICKHOUSE_PASSWORD:-${CLICKHOUSE_PASSWORD_LITERAL:-}}"
+                  unset CLICKHOUSE_PASSWORD_LITERAL
 
                   ON_CLUSTER_CLAUSE=""
                   if [ "${CLICKHOUSE_ON_CLUSTER}" = "true" ]; then
@@ -54,16 +64,29 @@ spec:
                   EOF_TABLES
                   )"
 
+                  IDENTIFIER_REGEX='^[A-Za-z_][A-Za-z0-9_]*$'
+
                   while IFS=$'\t' read -r table ts_col; do
                     [ -z "${table}" ] && continue
 
+                    if ! [[ "${table}" =~ ${IDENTIFIER_REGEX} ]]; then
+                      echo "Invalid table identifier: ${table}"
+                      exit 1
+                    fi
+                    if ! [[ "${ts_col}" =~ ${IDENTIFIER_REGEX} ]]; then
+                      echo "Invalid timestamp column identifier: ${ts_col}"
+                      exit 1
+                    fi
+
                     echo "Applying TTL=${RETENTION_DAYS}d to ${CLICKHOUSE_DATABASE}.${table} (${ts_col})"
-                    clickhouse-client \
+                    if ! clickhouse-client \
                       --host "${CLICKHOUSE_HOST}" \
                       --port "${CLICKHOUSE_PORT}" \
                       --user "${CLICKHOUSE_USER}" \
-                      --password "${PASSWORD}" \
-                      --query "ALTER TABLE ${CLICKHOUSE_DATABASE}.${table}${ON_CLUSTER_CLAUSE} MODIFY TTL toDateTime(${ts_col}) + toIntervalDay(${RETENTION_DAYS})"
+                      --query "ALTER TABLE ${CLICKHOUSE_DATABASE}.${table}${ON_CLUSTER_CLAUSE} MODIFY TTL ${ts_col} + toIntervalDay(${RETENTION_DAYS})"; then
+                      echo "Failed applying TTL on ${CLICKHOUSE_DATABASE}.${table}"
+                      exit 1
+                    fi
                   done <<< "${TABLE_ROWS}"
               env:
 {{ include "rag.langfuseRetentionClickhouseEnv" . | nindent 16 }}

infrastructure/rag/templates/langfuse-retention-hard-delete-cronjob.yaml

@@ -20,27 +20,37 @@ spec:
             app.kubernetes.io/name: rag
             app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
+          securityContext:
+            runAsUser: {{ .Values.langfuseRetention.podSecurityContext.runAsUser }}
+            runAsNonRoot: {{ .Values.langfuseRetention.podSecurityContext.runAsNonRoot }}
+          {{- if .Values.shared.imagePullSecret }}
+          imagePullSecrets:
+            - name: {{ .Values.shared.imagePullSecret.name }}
+          {{- end }}
           restartPolicy: OnFailure
           containers:
             - name: delete-expired-rows
               image: {{ $retentionImage | quote }}
               imagePullPolicy: {{ .Values.langfuseRetention.image.pullPolicy | quote }}
+              securityContext:
+                allowPrivilegeEscalation: {{ .Values.langfuseRetention.securityContext.allowPrivilegeEscalation }}
+              {{- with .Values.langfuseRetention.resources }}
+              resources:
+{{ toYaml . | nindent 16 }}
+              {{- end }}
               command:
                 - /bin/bash
                 - -ec
               args:
                 - |
                   set -euo pipefail
 
-                  PASSWORD="${CLICKHOUSE_PASSWORD:-}"
-                  if [ -z "${PASSWORD}" ]; then
-                    PASSWORD="${CLICKHOUSE_PASSWORD_LITERAL:-}"
-                  fi
-
-                  if [ -z "${PASSWORD}" ]; then
+                  if [ -z "${CLICKHOUSE_PASSWORD:-}" ] && [ -z "${CLICKHOUSE_PASSWORD_LITERAL:-}" ]; then
                     echo "No ClickHouse password found. Check langfuse.clickhouse.auth settings and secret."
                     exit 1
                   fi
+                  export CLICKHOUSE_PASSWORD="${CLICKHOUSE_PASSWORD:-${CLICKHOUSE_PASSWORD_LITERAL:-}}"
+                  unset CLICKHOUSE_PASSWORD_LITERAL
 
                   ON_CLUSTER_CLAUSE=""
                   if [ "${CLICKHOUSE_ON_CLUSTER}" = "true" ]; then
@@ -55,17 +65,29 @@ spec:
                   )"
 
                   CUTOFF_UNIX="$(( $(date -u +%s) - RETENTION_DAYS * 86400 ))"
+                  IDENTIFIER_REGEX='^[A-Za-z_][A-Za-z0-9_]*$'
 
                   while IFS=$'\t' read -r table ts_col; do
                     [ -z "${table}" ] && continue
 
+                    if ! [[ "${table}" =~ ${IDENTIFIER_REGEX} ]]; then
+                      echo "Invalid table identifier: ${table}"
+                      exit 1
+                    fi
+                    if ! [[ "${ts_col}" =~ ${IDENTIFIER_REGEX} ]]; then
+                      echo "Invalid timestamp column identifier: ${ts_col}"
+                      exit 1
+                    fi
+
                     echo "Deleting rows older than ${RETENTION_DAYS}d from ${CLICKHOUSE_DATABASE}.${table} (${ts_col})"
-                    clickhouse-client \
+                    if ! clickhouse-client \
                       --host "${CLICKHOUSE_HOST}" \
                       --port "${CLICKHOUSE_PORT}" \
                       --user "${CLICKHOUSE_USER}" \
-                      --password "${PASSWORD}" \
-                      --query "ALTER TABLE ${CLICKHOUSE_DATABASE}.${table}${ON_CLUSTER_CLAUSE} DELETE WHERE toDateTime(${ts_col}) < toDateTime(${CUTOFF_UNIX}) SETTINGS mutations_sync = ${MUTATION_SYNC}"
+                      --query "ALTER TABLE ${CLICKHOUSE_DATABASE}.${table}${ON_CLUSTER_CLAUSE} DELETE WHERE ${ts_col} < toDateTime(${CUTOFF_UNIX}) SETTINGS mutations_sync = ${MUTATION_SYNC}"; then
+                      echo "Failed deleting expired rows from ${CLICKHOUSE_DATABASE}.${table}"
+                      exit 1
+                    fi
                   done <<< "${TABLE_ROWS}"
               env:
                 - name: MUTATION_SYNC

infrastructure/rag/values.yaml

@@ -740,6 +740,21 @@ langfuseRetention:
   enabled: false
   retentionDays: 365
   schedule: "15 */6 * * *"
+  podSecurityContext:
+    runAsUser: 1001
+    runAsNonRoot: true
+  securityContext:
+    allowPrivilegeEscalation: false
+  # Optional resources for both retention CronJobs.
+  # Example:
+  # resources:
+  #   requests:
+  #     cpu: 100m
+  #     memory: 128Mi
+  #   limits:
+  #     cpu: 500m
+  #     memory: 512Mi
+  resources: {}
   # Optional deterministic deletion in addition to TTL.
   # Uses ALTER TABLE ... DELETE WHERE ... and can run nightly.
   hardDelete:
@@ -754,10 +769,14 @@ langfuseRetention:
     pullPolicy: IfNotPresent
   clickhouse:
     # Connection/auth are taken from langfuse.clickhouse.*.
+    # Align this with the database Langfuse actually uses in ClickHouse.
     database: "default"
-    onCluster: true
+    # Set to true only for clustered ClickHouse deployments where clusterName exists.
+    # Keep false for single-node/non-clustered deployments.
+    onCluster: false
     clusterName: "default"
     tables:
+      # timestampColumn should be a Date/DateTime/DateTime64 column in the target table.
       - name: "traces"
         timestampColumn: "timestamp"
       - name: "observations"