ChromaDB 1.0 forces new Helm values

ChromaDB 1.0.0, rewritten in Rust, dropped support for the legacy chromadb.auth.* block and broke most Helm values.yaml files that were published before Q4 2025 [DevTo][GitHub Releases]. The community amikos-tech/chromadb-chart now ships a production-ready values.yaml that pins the container image to tag 1.0.5, enforces a persistent volume, and rewrites auth to a network-level model [Artifact Hub]. The chart's persistDirectory: /data mounts a PVC whose volumeSize defaults to 50 Gi and retentionPolicy defaults to Retain—a change that prevents accidental data loss on helm uninstall [Artifact Hub].

Resource requests are now 500 mCPU and 2 Gi memory, with limits of 2000 mCPU and 8 Gi memory. The chart also adds a podSecurityContext with runAsNonRoot: true and fsGroup: 1000 to satisfy the 2026 Pod Security Standards [GitHub Releases]. All auth-related keys (chromadb.auth.*, chromadb.logging.*, chromadb.anonymizedTelemetry) are ignored; instead the chart exposes an extraConfig block for OpenTelemetry and CORS settings.

Persistence is no longer optional. Without a PVC the Rust server discards all vectors on the first restart, a failure mode that was impossible under the Python server [DevTo]. Setting retentionPolicy: Retain avoids silent data wipes during chart upgrades. Auth moves to the network layer, forcing operators to secure the service with private networking, ingress mTLS, or an API gateway [Artifact Hub]. This aligns ChromaDB with zero-trust architectures but adds infrastructure complexity for teams that previously relied on in-process credentials. Resource sizing is now critical: the default 1 Gi volume fills after roughly a week for a 1 M-vector index (≈3 Gi of raw data) [GitHub Releases]. Under-provisioned CPU (500 m) throttles bulk queries, while memory limits below the working set cause WAL corruption. Explicitly sizing PVCs and memory limits prevents the silent crashes that plagued pre-1.0 deployments.