├── .buildkite ├── hooks │ └── pre-command └── pipeline.yaml ├── .github ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── backport.yml │ ├── checkov.yml │ ├── gcs_chart_publish_insiders.yml │ ├── gcs_chart_publish_release.yml │ ├── helm_lint_test.yml │ ├── pr-auditor.yml │ └── release-amis.yml ├── .gitignore ├── .helmdocsignore ├── .tool-versions ├── README.md ├── RELEASE.md ├── TEST.md ├── charts ├── sourcegraph-executor │ ├── CHANGELOG.md │ ├── README.md │ ├── dind │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── README.md.gotmpl │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── executor │ │ │ │ ├── docker-daemon.ConfigMap.yaml │ │ │ │ ├── executor.Deployment.yaml │ │ │ │ └── executor.Service.yaml │ │ │ └── private-docker-registry │ │ │ │ ├── private-docker-registry.Deployment.yaml │ │ │ │ ├── private-docker-registry.PersistentVolumeClaim.yaml │ │ │ │ └── private-docker-registry.Service.yaml │ │ ├── tests │ │ │ ├── executor_test.yaml │ │ │ └── privateDockerRegistry_test.yaml │ │ └── values.yaml │ └── k8s │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── README.md.gotmpl │ │ ├── templates │ │ ├── _helpers.tpl │ │ ├── executor.ConfigMap.yaml │ │ ├── executor.Deployment.yaml │ │ ├── executor.PersistentVolumeClaim.yaml │ │ ├── executor.Role.yaml │ │ ├── executor.RoleBinding.yaml │ │ ├── executor.Secret.yaml │ │ ├── executor.Service.yaml │ │ └── executor.ServiceAccount.yaml │ │ ├── tests │ │ └── executor_test.yaml │ │ └── values.yaml ├── sourcegraph-migrator │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── templates │ │ ├── _helpers.tpl │ │ └── migrator │ │ │ └── sourcegraph-migrator.Job.yaml │ └── values.yaml └── sourcegraph │ ├── .helmignore │ ├── CHANGELOG.md │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── examples │ ├── advanced-scheduling │ │ └── override.yaml │ ├── aws │ │ └── override.yaml │ ├── azure │ │ └── override.yaml │ ├── basic │ │ └── override.yaml │ ├── common-modifications │ 
│ ├── README.md │ │ └── override.yaml │ ├── custom-security-context │ │ └── override.yaml │ ├── envoy │ │ ├── README.md │ │ └── override.yaml │ ├── external-databases │ │ ├── README.md │ │ └── override.yaml │ ├── external-object-storage │ │ └── override.yaml │ ├── external-redis │ │ ├── README.md │ │ ├── override-secret.yaml │ │ └── override.yaml │ ├── extra-volumes │ │ └── override.yaml │ ├── gcp │ │ ├── README.md │ │ └── override.yaml │ ├── ingress │ │ └── override.yaml │ ├── jaeger │ │ └── override.yaml │ ├── kustomize-chart │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── kustomize │ ├── opentelemetry-exporter │ │ ├── override-processor.yaml │ │ ├── override-tls.yaml │ │ └── override.yaml │ ├── private-image-registry │ │ └── override.yaml │ ├── prometheus │ │ ├── README.md │ │ └── prometheus-override-k3s.ConfigMap.yaml │ ├── subchart │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── templates │ │ │ └── networkpolicy.yaml │ │ └── values.yaml │ └── tune-internal-databases │ │ └── override.yaml │ ├── files │ ├── codeinsights-db │ │ └── conf │ │ │ └── postgresql.conf │ ├── codeintel-db │ │ └── conf │ │ │ └── postgresql.conf │ └── pgsql │ │ └── conf │ │ └── postgresql.conf │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── _worker.tpl │ ├── blobstore │ │ ├── blobstore.Deployment.yaml │ │ ├── blobstore.PersistentVolumeClaim.yaml │ │ ├── blobstore.Service.yaml │ │ └── blobstore.ServiceAccount.yaml │ ├── cadvisor │ │ ├── cadvisor.ClusterRole.yaml │ │ ├── cadvisor.ClusterRoleBinding.yaml │ │ ├── cadvisor.DaemonSet.yaml │ │ ├── cadvisor.PodSecurityPolicy.yaml │ │ └── cadvisor.ServiceAccount.yaml │ ├── codeinsights-db │ │ ├── codeinsights-db.ConfigMap.yaml │ │ ├── codeinsights-db.PersistentVolumeClaim.yaml │ │ ├── codeinsights-db.Secret.yaml │ │ ├── codeinsights-db.Service.yaml │ │ ├── codeinsights-db.ServiceAccount.yaml │ │ └── codeinsights-db.StatefulSet.yaml │ ├── codeintel-db │ │ ├── codeintel-db.ConfigMap.yaml │ │ ├── codeintel-db.PersistentVolumeClaim.yaml │ │ 
├── codeintel-db.Secret.yaml │ │ ├── codeintel-db.Service.yaml │ │ ├── codeintel-db.ServiceAccount.yaml │ │ └── codeintel-db.StatefulSet.yaml │ ├── extraResources.yaml │ ├── frontend │ │ ├── sourcegraph-frontend-internal.Service.yaml │ │ ├── sourcegraph-frontend.Deployment.yaml │ │ ├── sourcegraph-frontend.Ingress.yaml │ │ ├── sourcegraph-frontend.PodDisruptionBudget.yaml │ │ ├── sourcegraph-frontend.Role.yaml │ │ ├── sourcegraph-frontend.RoleBinding.yaml │ │ ├── sourcegraph-frontend.Service.yaml │ │ └── sourcegraph-frontend.ServiceAccount.yaml │ ├── gitserver │ │ ├── gitserver.Service.yaml │ │ ├── gitserver.ServiceAccount.yaml │ │ └── gitserver.StatefulSet.yaml │ ├── grafana │ │ ├── grafana.ConfigMap.yaml │ │ ├── grafana.Service.yaml │ │ ├── grafana.ServiceAccount.yaml │ │ ├── grafana.StatefulSet.yaml │ │ └── grafana.pgsql.Secret.yaml │ ├── indexed-search │ │ ├── indexed-search.IndexerService.yaml │ │ ├── indexed-search.Service.yaml │ │ ├── indexed-search.ServiceAccount.yaml │ │ └── indexed-search.StatefulSet.yaml │ ├── jaeger │ │ ├── jaeger-collector.Service.yaml │ │ ├── jaeger-query.Service.yaml │ │ ├── jaeger.Deployment.yaml │ │ └── jaeger.ServiceAccount.yaml │ ├── node-exporter │ │ ├── node-exporter.ClusterRole.yaml │ │ ├── node-exporter.ClusterRoleBinding.yaml │ │ ├── node-exporter.DaemonSet.yaml │ │ ├── node-exporter.PodSecurityPolicy.yaml │ │ ├── node-exporter.Service.yaml │ │ └── node-exporter.ServiceAccount.yaml │ ├── otel-collector │ │ ├── otel-agent.ConfigMap.yaml │ │ ├── otel-agent.DaemonSet.yaml │ │ ├── otel-agent.ServiceAccount.yaml │ │ ├── otel-collector.ConfigMap.yaml │ │ ├── otel-collector.Deployment.yaml │ │ ├── otel-collector.Service.yaml │ │ └── otel-collector.ServiceAccount.yaml │ ├── pgsql │ │ ├── pgsql.ConfigMap.yaml │ │ ├── pgsql.PersistentVolumeClaim.yaml │ │ ├── pgsql.Secret.yaml │ │ ├── pgsql.Service.yaml │ │ ├── pgsql.ServiceAccount.yaml │ │ └── pgsql.StatefulSet.yaml │ ├── precise-code-intel │ │ ├── worker.Deployment.yaml │ │ ├── 
worker.Service.yaml │ │ └── worker.ServiceAccount.yaml │ ├── priorityClass.yaml │ ├── prometheus │ │ ├── prometheus.ClusterRole.yaml │ │ ├── prometheus.ClusterRoleBinding.yaml │ │ ├── prometheus.ConfigMap.yaml │ │ ├── prometheus.Deployment.yaml │ │ ├── prometheus.PersistentVolumeClaim.yaml │ │ ├── prometheus.RoleBinding.yaml │ │ ├── prometheus.Service.yaml │ │ └── prometheus.ServiceAccount.yaml │ ├── redis │ │ ├── redis-cache.Deployment.yaml │ │ ├── redis-cache.PersistentVolumeClaim.yaml │ │ ├── redis-cache.Secret.yaml │ │ ├── redis-cache.Service.yaml │ │ ├── redis-cache.ServiceAccount.yaml │ │ ├── redis-store.Deployment.yaml │ │ ├── redis-store.PersistentVolumeClaim.yaml │ │ ├── redis-store.Secret.yaml │ │ ├── redis-store.Service.yaml │ │ └── redis-store.ServiceAccount.yaml │ ├── searcher │ │ ├── searcher.Service.yaml │ │ ├── searcher.ServiceAccount.yaml │ │ └── searcher.StatefulSet.yaml │ ├── storageclass.yaml │ ├── syntactic-code-intel │ │ ├── worker.Deployment.yaml │ │ ├── worker.Service.yaml │ │ └── worker.ServiceAccount.yaml │ ├── syntect-server │ │ ├── syntect-server.Deployment.yaml │ │ ├── syntect-server.Service.yaml │ │ └── syntect-server.ServiceAccount.yaml │ ├── tests │ │ └── test-connection.yaml │ └── worker │ │ ├── worker-executors.Service.yaml │ │ ├── worker.Deployment.yaml │ │ ├── worker.Service.yaml │ │ └── worker.ServiceAccount.yaml │ ├── tests │ ├── __snapshot__ │ │ ├── checksum_test.yaml.snap │ │ ├── pgsqlAuth_test.yaml.snap │ │ ├── serviceAccountAnnotations_test.yaml.snap │ │ └── serviceAccounts_test.yaml.snap │ ├── affinity_test.yaml │ ├── cadvisorPrivileged_test.yaml │ ├── checksum_test.yaml │ ├── codeInsightsDBAdditionalConfig_test.yaml │ ├── codeIntelDBAdditionalConfig_test.yaml │ ├── defaultTagPrefix_test.yaml │ ├── localDevMode_test.yaml │ ├── nodeExporter_test.yaml │ ├── otelAgentHostPort_test.yaml │ ├── otelCollectorJaeger_test.yaml │ ├── pgsqlAdditionalConfig_test.yaml │ ├── pgsqlAuth_test.yaml │ ├── podDisruptionBudget_test.yaml │ ├── 
priorityClass_test.yaml │ ├── prometheusPrivileged_test.yaml │ ├── serviceAccountAnnotations_test.yaml │ ├── serviceAccounts_test.yaml │ ├── storageClass_test.yaml │ └── worker_test.yaml │ └── values.yaml ├── ci └── override.yaml ├── dev └── README.md ├── release.yaml └── scripts ├── ci ├── helm-unittest.sh ├── install-helm-env.sh ├── lint.sh └── validate-schema.sh └── helm-docs.sh /.buildkite/hooks/pre-command: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu 4 | pushd "$(dirname "${BASH_SOURCE[0]}")"/../.. 5 | 6 | WORKDIR=$(pwd) 7 | 8 | echo "Installing asdf dependencies as defined in '${WORKDIR}/.tool-versions':" 9 | asdf install 10 | -------------------------------------------------------------------------------- /.buildkite/pipeline.yaml: -------------------------------------------------------------------------------- 1 | steps: 2 | - label: ":test_tube: Unit Tests" 3 | commands: 4 | - "scripts/ci/install-helm-env.sh" 5 | - "scripts/ci/helm-unittest.sh" 6 | agents: { queue: standard } 7 | 8 | - label: ":database: Schema Validation" 9 | commands: 10 | - "scripts/ci/install-helm-env.sh" 11 | - "scripts/ci/validate-schema.sh" 12 | agents: { queue: standard } 13 | 14 | - label: ":mag: Lint" 15 | commands: 16 | - "scripts/ci/install-helm-env.sh" 17 | - "scripts/ci/lint.sh" 18 | soft_fail: 19 | - exit_status: 255 20 | agents: { queue: standard } 21 | 22 | - label: ":book: Verify helm-docs is up-to-date" 23 | commands: 24 | - "./scripts/helm-docs.sh" 25 | - "echo \"checking for uncommitted changes\"" 26 | - "[[ -z $(git status -s) ]]" 27 | agents: { queue: standard } 28 | 29 | - label: "(internal) Release: test" 30 | if: build.branch =~ /^internal\/release-.*/ 31 | plugins: 32 | - ssh://git@github.com/sourcegraph/sg-buildkite-plugin.git#main: ~ 33 | command: | 34 | wget https://github.com/comby-tools/comby/releases/download/1.8.1/comby-1.8.1-x86_64-linux 35 | chmod +x ./comby-1.8.1-x86_64-linux 
36 | mv comby-1.8.1-x86_64-linux /usr/local/bin/comby 37 | 38 | sg release run test --workdir=. --config-from-commit 39 | 40 | - label: "(promote) Release: test" 41 | if: build.branch =~ /^promote\/release-.*/ 42 | plugins: 43 | - ssh://git@github.com/sourcegraph/sg-buildkite-plugin.git#main: ~ 44 | command: | 45 | wget https://github.com/comby-tools/comby/releases/download/1.8.1/comby-1.8.1-x86_64-linux 46 | chmod +x ./comby-1.8.1-x86_64-linux 47 | mv comby-1.8.1-x86_64-linux /usr/local/bin/comby 48 | 49 | sg release run test --workdir=. --config-from-commit 50 | 51 | - wait 52 | 53 | - label: "(internal) Release: finalize" 54 | if: build.branch =~ /^internal\/release-.*/ 55 | plugins: 56 | - ssh://git@github.com/sourcegraph/sg-buildkite-plugin.git#main: ~ 57 | command: | 58 | wget https://github.com/comby-tools/comby/releases/download/1.8.1/comby-1.8.1-x86_64-linux 59 | chmod +x ./comby-1.8.1-x86_64-linux 60 | mv comby-1.8.1-x86_64-linux /usr/local/bin/comby 61 | 62 | sg release run internal finalize --workdir=. --config-from-commit 63 | - label: "(promote) Release: finalize" 64 | if: build.branch =~ /^promote\/release-.*/ 65 | plugins: 66 | - ssh://git@github.com/sourcegraph/sg-buildkite-plugin.git#main: ~ 67 | command: | 68 | wget https://github.com/comby-tools/comby/releases/download/1.8.1/comby-1.8.1-x86_64-linux 69 | chmod +x ./comby-1.8.1-x86_64-linux 70 | mv comby-1.8.1-x86_64-linux /usr/local/bin/comby 71 | 72 | sg release run promote-to-public finalize --workdir=. 
--config-from-commit 73 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ### Checklist 2 | 3 | - [ ] Follow the [manual testing process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md) 4 | - [ ] Update [changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md) 5 | - [ ] Update [Kubernetes update doc](https://docs.sourcegraph.com/admin/updates/kubernetes) 6 | 7 | ### Test plan 8 | 9 | 16 | -------------------------------------------------------------------------------- /.github/workflows/backport.yml: -------------------------------------------------------------------------------- 1 | name: Backport 2 | on: 3 | pull_request_target: 4 | types: 5 | - closed 6 | - labeled 7 | 8 | jobs: 9 | backport: 10 | name: Backport 11 | runs-on: ubuntu-latest 12 | # Only react to merged PRs for security reasons. 13 | # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target. 
14 | if: > 15 | github.event.pull_request.merged 16 | && ( 17 | github.event.action == 'closed' 18 | || ( 19 | github.event.action == 'labeled' 20 | && contains(github.event.label.name, 'backport') 21 | ) 22 | ) 23 | steps: 24 | - uses: sourcegraph/backport@v2 25 | with: 26 | github_token: ${{ secrets.BACKPORT_GITHUB_TOKEN }} 27 | -------------------------------------------------------------------------------- /.github/workflows/checkov.yml: -------------------------------------------------------------------------------- 1 | name: Checkov Scan 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ main ] 8 | 9 | jobs: 10 | checkov-scan: 11 | runs-on: ubuntu-latest 12 | 13 | steps: 14 | - name: Checkout repository 15 | uses: actions/checkout@v4 16 | 17 | - name: Set up Python 18 | uses: actions/setup-python@v4 19 | with: 20 | python-version: '3.9' 21 | 22 | - name: Install Checkov 23 | run: pip install checkov 24 | 25 | - name: Write skip checks config 26 | run: | 27 | echo "${{ vars.CHECKOV_SKIP_CHECKS }}" > .checkov.yaml 28 | 29 | - name: Run Checkov scan 30 | run: | 31 | checkov -d ./charts --output cli --output sarif --output-file-path console,results.sarif 32 | continue-on-error: true 33 | 34 | - name: Upload SARIF file 35 | uses: github/codeql-action/upload-sarif@v3 36 | with: 37 | sarif_file: results.sarif 38 | -------------------------------------------------------------------------------- /.github/workflows/gcs_chart_publish_insiders.yml: -------------------------------------------------------------------------------- 1 | name: Publish chart (insiders) 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | paths: 8 | - .github/workflows/gcs_chart_publish_insiders.yml 9 | - 'charts/**' 10 | 11 | env: 12 | HELM_VERSION: v3.4.0 13 | HELM_GCS_VERSION: 0.3.20 # https://github.com/hayorov/helm-gcs 14 | BUCKET_NAME: helm.sourcegraph.com 15 | BUCKET_PATH: insiders 16 | 17 | jobs: 18 | release: 19 | name: helm 20 | runs-on: ubuntu-latest 21 | 
steps: 22 | - name: Checkout 23 | uses: actions/checkout@v3 24 | with: 25 | fetch-depth: 0 26 | 27 | - name: Install Helm 28 | uses: azure/setup-helm@v1 29 | with: 30 | version: ${{ env.HELM_VERSION }} 31 | 32 | - name: Configure gcloud 33 | uses: google-github-actions/auth@v0 34 | with: 35 | credentials_json: ${{ secrets.GOOGLE_CLOUD_CREDENTIALS }} 36 | service_account: 'github-bot@sourcegraph-helm.iam.gserviceaccount.com' 37 | 38 | - name: Get metadata 39 | id: metadata 40 | uses: contiamo/git-metadata-action@main 41 | 42 | - name: Install helm-gcs 43 | run: helm plugin install https://github.com/hayorov/helm-gcs.git --version ${{ env.HELM_GCS_VERSION }} 44 | 45 | - name: Initialize helm chart 46 | run: helm gcs init gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }} 47 | 48 | - name: Set up helm repo 49 | run: helm repo add sg gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }} 50 | 51 | - name: Update chart versions 52 | run: | 53 | sed -i 's/appVersion:.*/appVersion: insiders/g' charts/*/Chart.yaml 54 | sed -i '/^version:/ s/"$/-insiders.${{ steps.metadata.outputs.shortSHA }}"/' charts/*/Chart.yaml 55 | 56 | - name: Package Sourcegraph helm charts 57 | run: for i in charts/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done 58 | 59 | - name: Package Sourcegraph executor helm charts 60 | run: for i in charts/sourcegraph-executor/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done 61 | 62 | - name: Publish chart if it doesn't already exist in the repository 63 | run: | 64 | for i in *.tgz; do 65 | if gsutil ls gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }}/$i 2>/dev/null; then 66 | echo "Chart already published" 67 | else 68 | helm gcs push --public --publicUrl https://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }} $i sg 69 | fi; 70 | done 71 | -------------------------------------------------------------------------------- /.github/workflows/gcs_chart_publish_release.yml: 
-------------------------------------------------------------------------------- 1 | name: Publish chart (release branch) 2 | 3 | on: 4 | push: 5 | branches: 6 | - release/** 7 | - promote/release-** 8 | paths: 9 | - .github/workflows/gcs_chart_publish_release.yml 10 | - 'charts/**' 11 | workflow_dispatch: 12 | inputs: 13 | ref: 14 | type: string 15 | description: | 16 | BREAK GLASS ONLY. The branch to forcefully trigger a new release from 17 | required: false 18 | 19 | env: 20 | HELM_VERSION: v3.4.0 21 | HELM_GCS_VERSION: 0.3.20 # https://github.com/hayorov/helm-gcs 22 | BUCKET_NAME: helm.sourcegraph.com 23 | BUCKET_PATH: release 24 | 25 | jobs: 26 | release: 27 | name: helm 28 | runs-on: ubuntu-latest 29 | steps: 30 | - name: Checkout 31 | if: ${{ inputs.ref == '' }} 32 | uses: actions/checkout@v3 33 | with: 34 | fetch-depth: 0 35 | 36 | - name: Checkout (break glass) 37 | if: ${{ inputs.ref != '' }} 38 | uses: actions/checkout@v3 39 | with: 40 | fetch-depth: 0 41 | ref: ${{ inputs.ref }} 42 | 43 | - name: Install Helm 44 | uses: azure/setup-helm@v1 45 | with: 46 | version: ${{ env.HELM_VERSION }} 47 | 48 | - name: Configure gcloud 49 | uses: google-github-actions/auth@v0 50 | with: 51 | credentials_json: ${{ secrets.GOOGLE_CLOUD_CREDENTIALS }} 52 | service_account: 'github-bot@sourcegraph-helm.iam.gserviceaccount.com' 53 | 54 | - name: Install helm-gcs 55 | run: helm plugin install https://github.com/hayorov/helm-gcs.git --version ${{ env.HELM_GCS_VERSION }} 56 | 57 | - name: Initialize helm chart 58 | run: helm gcs init gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }} 59 | 60 | - name: Set up helm repo 61 | run: helm repo add sg gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }} 62 | 63 | - name: Package Sourcegraph helm charts 64 | run: for i in charts/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done 65 | 66 | - name: Package Sourcegraph executor helm charts 67 | run: for i in charts/sourcegraph-executor/*; do [ -f "$i/Chart.yaml" ] && helm package 
-u $i; done 68 | 69 | - name: Publish chart if it doesn't already exist in the repository 70 | run: | 71 | for i in *.tgz; do 72 | if gsutil ls gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }}/$i 2>/dev/null; then 73 | echo "Chart already published" 74 | else 75 | helm gcs push --public --publicUrl https://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }} $i sg 76 | fi; 77 | done 78 | -------------------------------------------------------------------------------- /.github/workflows/helm_lint_test.yml: -------------------------------------------------------------------------------- 1 | name: Lint and Test charts 2 | on: 3 | push: 4 | branches: 5 | - release/** 6 | pull_request: 7 | 8 | jobs: 9 | lint-test: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: Checkout 13 | uses: actions/checkout@v3 14 | with: 15 | fetch-depth: 0 16 | 17 | - name: Set up Helm 18 | uses: azure/setup-helm@v3 19 | with: 20 | version: v3.9.1 21 | - uses: actions/setup-python@v5 22 | with: 23 | python-version: '3.13' 24 | - uses: azure/setup-kubectl@v2.0 25 | id: install 26 | - name: Set up chart-testing 27 | uses: helm/chart-testing-action@v2.2.1 28 | 29 | - name: Run chart-testing (list-changed) 30 | id: list-changed 31 | run: | 32 | changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) 33 | if [[ -n "$changed" ]]; then 34 | echo "changed=true" >> "$GITHUB_OUTPUT" 35 | fi 36 | - name: Helm lint 37 | run: | 38 | changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) 39 | echo $changed | xargs helm lint 40 | if: steps.list-changed.outputs.changed == 'true' 41 | - name: Create kind cluster 42 | uses: helm/kind-action@v1.3.0 43 | if: steps.list-changed.outputs.changed == 'true' 44 | - name: Install Helm charts 45 | run: helm install --debug -f ./ci/override.yaml test-sg ./charts/sourcegraph/ 46 | if: steps.list-changed.outputs.changed == 'true' 47 | - name: Wait for frontend to come up 48 | run: sleep 60s && kubectl wait 
--for=condition=Ready -l app=sourcegraph-frontend pod --timeout=300s 49 | shell: bash 50 | if: steps.list-changed.outputs.changed == 'true' 51 | - name: Run Helm Testing 52 | run: helm test test-sg 53 | if: steps.list-changed.outputs.changed == 'true' 54 | -------------------------------------------------------------------------------- /.github/workflows/pr-auditor.yml: -------------------------------------------------------------------------------- 1 | # See https://docs.sourcegraph.com/dev/background-information/ci#pr-auditor 2 | name: pr-auditor 3 | on: 4 | pull_request_target: 5 | types: [ closed, edited, opened, synchronize, ready_for_review ] 6 | workflow_dispatch: 7 | 8 | jobs: 9 | check-pr: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v4 13 | with: 14 | repository: 'sourcegraph/devx-service' 15 | token: ${{ secrets.PR_AUDITOR_TOKEN }} 16 | - uses: actions/setup-go@v4 17 | with: { go-version: '1.22' } 18 | 19 | - run: 'go run ./cmd/pr-auditor' 20 | env: 21 | GITHUB_EVENT_PATH: ${{ env.GITHUB_EVENT_PATH }} 22 | GITHUB_TOKEN: ${{ secrets.PR_AUDITOR_TOKEN }} 23 | GITHUB_RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} 24 | report_failure: 25 | needs: check-pr 26 | if: ${{ failure() }} 27 | uses: sourcegraph/workflows/.github/workflows/report-job-failure.yml@main 28 | secrets: inherit 29 | -------------------------------------------------------------------------------- /.github/workflows/release-amis.yml: -------------------------------------------------------------------------------- 1 | name: build-ami 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v[0-9]+.[0-9]+.[0-9]+' 7 | 8 | jobs: 9 | trigger-build: 10 | name: Build AMIs 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Trigger Buildkite AMI Builds 14 | uses: "buildkite/trigger-pipeline-action@2db6579eb1d07cb6e6224fc048076a5f4d0ba36d" 15 | with: 16 | buildkite_api_access_token: ${{ secrets.TRIGGER_BK_BUILD_TOKEN }} 17 | pipeline: 
"sourcegraph/ami-automation" 18 | branch: "main" 19 | commit: "HEAD" 20 | message: ":github: Triggered from new release" 21 | build_env_vars: '{"RELEASE_NUMBER": "${{ github.ref_name }}"}' 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | target/* 2 | 3 | # MacOS system files 4 | .DS_Store 5 | 6 | # Jetbrains 7 | .idea/ 8 | -------------------------------------------------------------------------------- /.helmdocsignore: -------------------------------------------------------------------------------- 1 | charts/sourcegraph/examples/* 2 | -------------------------------------------------------------------------------- /.tool-versions: -------------------------------------------------------------------------------- 1 | github-cli 2.46.0 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sourcegraph on Kubernetes (Helm) 2 | 3 | Deploy Sourcegraph on Kubernetes using [Helm]. 4 | 5 | Check the [Quickstart](https://sourcegraph.com/docs/admin/deploy/kubernetes#sourcegraph-on-kubernetes-with-helm) to deploy your Sourcegraph. 6 | 7 | [helm]: https://helm.sh 8 | -------------------------------------------------------------------------------- /RELEASE.md: -------------------------------------------------------------------------------- 1 | # Sourcegraph Helm Chart Release 2 | 3 | > The Sourcegraph Helm chart follows the standard [Sourcegraph releases] schedule, with monthly minor releases and patch releases as-needed. 4 | 5 | Hotfixes not associated with a Sourcegraph release may be released by following the below process: 6 | 7 | ## 1. Commit the hotfix against the main branch 8 | 9 | Follow the normal PR and testing process. 10 | 11 | ## 2. 
Create a new `publish-x.y.z-rev.a` branch off the last `release/x.y` branch 12 | 13 | Hotfix releases will use a suffix to indicate they are a special type of release. This is necessary because semver only supports patch-level versioning, and we cannot overwrite a published version. 14 | 15 | The version should look similar to `3.38.1-rev.1`. 16 | 17 | Cherry-pick the change from step 1 to this branch and follow the normal testing process to confirm an upgrade from the released version is safe. 18 | 19 | ## 3. Bump the `version` in `Chart.yaml` and update changelog 20 | 21 | Update Chart.yaml to use the new version. Update the Changelog to reflect the new version. 22 | 23 | ## 4. Create a Pull Request 24 | 25 | Commit all changes and open a Pull Request. The destination branch for your PR should be `release/x.y`, not main. 26 | 27 | [semver]: https://semver.org/ 28 | [sourcegraph releases]: https://handbook.sourcegraph.com/departments/product-engineering/engineering/process/releases/ 29 | [helm-docs]: https://github.com/norwoodj/helm-docs 30 | -------------------------------------------------------------------------------- /TEST.md: -------------------------------------------------------------------------------- 1 | # Sourcegraph Helm Chart Test Guide 2 | 3 | This is a temporary test guide before we have more thorough automated integration tests. 4 | 5 | ## Lint 6 | 7 | You shouldn't see any error. 8 | 9 | ```sh 10 | helm lint charts/sourcegraph/. 11 | ``` 12 | 13 | ## Unit testing 14 | 15 | We utilize [helm-unittest](https://github.com/helm-unittest/helm-unittest/), a BDD-styled unit test framework, to validate our helm chart. 16 | 17 | helm-unittest can be installed with: 18 | 19 | ```bash 20 | helm plugin install https://github.com/helm-unittest/helm-unittest 21 | ``` 22 | 23 | Once the plugin is installed, you can run the unit tests using the following: 24 | 25 | ```bash 26 | helm unittest --helm3 ./charts/sourcegraph/. 
27 | ``` 28 | 29 | We currently do not have testing best practices or require unit tests for new changes, so use your best judgement and add test cases where possible. 30 | 31 | You may check out our [existing test cases](https://github.com/sourcegraph/deploy-sourcegraph-helm/tree/main/charts/sourcegraph/tests) and helm-unittest [docs](https://github.com/helm-unittest/helm-unittest/blob/master/DOCUMENT.md). 32 | 33 | ## Manual testing 34 | 35 | Create a local cluster with [kind]. You may also use [k3s] or [minikube]. 36 | 37 | ```sh 38 | kind create cluster 39 | ``` 40 | 41 | You should have an `override.yaml` file ready to verify your changes. 42 | 43 | ```yaml 44 | # Disable SC creation 45 | storageClass: 46 | create: false 47 | name: standard 48 | 49 | # Disable resources requests/limits 50 | sourcegraph: 51 | localDevMode: true 52 | # More values to be added in order to test your change 53 | ``` 54 | 55 | Make sure you test both enabled and disabled toggles. For example, if you added a new value to conditionally render some templates, turn it on and off in the `override.yaml` to make sure they both work. You can also include your `override.yaml` in the `Test plan` during PR review to help others understand your testing strategy. 56 | 57 | ### Inspect the entire rendered template 58 | 59 | It's a good idea to inspect the rendered manifest to catch things that look off. 60 | 61 | ```sh 62 | helm template -f ./override.yaml sourcegraph charts/sourcegraph/. 63 | ``` 64 | 65 | ### Inspect the diff 66 | 67 | Perform a diff of the rendered helm manifests before and after your change. There are many ways to produce the diff: 68 | 69 | - Run `helm template` before and after the change, then run `diff bundle.old.yaml bundle.new.yaml`. 70 | - Run `helm install` before the change, then run `helm diff` to inspect the diff. 
71 | 72 | ### Deploy the chart 73 | 74 | You should make sure your change can be deployed 75 | 76 | ```sh 77 | helm upgrade --install --create-namespace -n sourcegraph -f ./override.yaml sourcegraph charts/sourcegraph/. 78 | ``` 79 | 80 | Follow the [confirm instance health] guide but use `kubectl port-forward` instead to validate instance health. 81 | 82 | ```sh 83 | kubectl -n sourcegraph port-forward svc/sourcegraph-frontend 30080 84 | ``` 85 | 86 | [confirm instance health]: https://handbook.sourcegraph.com/departments/product-engineering/engineering/cloud/delivery/managed/upgrade_process/#8-confirm-instance-health 87 | [k3s]: https://k3s.io/ 88 | [kind]: https://kind.sigs.k8s.io/ 89 | [minikube]: https://minikube.sigs.k8s.io/docs/start/ 90 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | 4 | ## Unreleased 5 | 6 | * Added new chart `sourcegraph-executor-k8s` to deploy Sourcegraph executors that use Kubernetes jobs. 7 | * **BREAKING:** Renamed `sourcegraph-executor` chart to `sourcegraph-executor-dind` to indicate these are Docker in Docker executors. To update to newer versions of this chart, ensure the new Chart name is used. 8 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/README.md: -------------------------------------------------------------------------------- 1 | # Sourcegraph executor helm charts 2 | 3 | This directory contains two Helm charts for deploying executors on Kubernetes. [See the docs](https://docs.sourcegraph.com/admin/executors/deploy_executors_kubernetes) for more information on executors on Kubernetes. 4 | 5 | ## Native Kubernetes (k8s) 6 | This chart deploys executors that interact with the Kubernetes API to handle jobs. This is the preferred deployment option. 
7 | Your cluster will need to allow configuration of the following RBAC rules: 8 | 9 | | API Groups | Resources | Verbs | Reason | 10 | |------------|--------------------|---------------------------|-------------------------------------------------------------------------------------------| 11 | | `batch` | `jobs` | `create`, `delete` | Executors create Job pods to run processes. Once Jobs are completed, they are cleaned up. | 12 | | | `pods`, `pods/log` | `get`, `list`, `watch` | Executors need to look up and stream logs from the Job Pods. | 13 | 14 | ## Docker in Docker (dind) 15 | This chart deploys executors that deploy a [Docker in Docker](https://www.docker.com/blog/docker-can-now-run-within-docker/) sidecar with each executor pod to avoid accessing the host container runtime directly. This method requires privileged access to a container runtime daemon in order to operate correctly. 16 | If you have security concerns, consider deploying via [a non-Kubernetes method](https://docs.sourcegraph.com/admin/executors). 17 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: sourcegraph-executor-dind 3 | description: Chart for installing Sourcegraph executors using Docker in Docker (dind) 4 | icon: https://sourcegraph.com/favicon.ico 5 | type: application 6 | 7 | # Chart version, separate from Sourcegraph 8 | version: "5.11.0" 9 | 10 | # Version of Sourcegraph release 11 | appVersion: "5.11.0" 12 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | 5 | 6 | # Sourcegraph Executor Helm Chart 7 | 8 | This chart contains two deployments, Sourcegraph Executors and a private Docker Registry. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart if you wish to deploy executors. 9 | 10 | Use cases: 11 | 12 | - Deploy Sourcegraph Executors on Kubernetes 13 | 14 | ## Requirements 15 | 16 | * [Helm 3 CLI](https://helm.sh/docs/intro/install/) 17 | * Kubernetes 1.19 or greater 18 | 19 | ## Installation 20 | 21 | Add the Sourcegraph charts repo to Helm: 22 | 23 | ```sh 24 | helm repo add sourcegraph https://helm.sourcegraph.com/release 25 | ``` 26 | 27 | ## Usage 28 | 29 | > The chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart 30 | 31 | ## Rendering manifests for kubectl deployment 32 | 33 | Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`. 
34 | 35 | ## Configuration Options 36 | 37 | Reference the table below for available configuration parameters and consult [executor] documentation. 38 | 39 | In addition to the documented values, the `executor` and `private-docker-registry` services also supports the following values 40 | 41 | - `executor.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 42 | - `executor.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) 43 | - `executor.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) 44 | - `executor.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 45 | - `executor.env` - consult `values.yaml` 46 | 47 | - `privateDockerRegistry.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 48 | - `privateDockerRegistry.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) 49 | - `privateDockerRegistry.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) 50 | - `privateDockerRegistry.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 51 | - `privateDockerRegistry.env` - consult `values.yaml` file 52 | 53 | {{ template "chart.valuesTable" . 
}} 54 | 55 | ## Troubleshooting 56 | 57 | See a list of running executor pods 58 | 59 | ```sh 60 | kubectl get pods -l app=executor 61 | ``` 62 | 63 | Check logs of the executor container 64 | 65 | ```sh 66 | kubectl logs -l app=executor -c executor 67 | ``` 68 | 69 | [sourcegraph/sourcegraph]: ../sourcegraph/ 70 | [sourcegraph/sourcegraph-executor]: ./ 71 | [executor]: https://docs.sourcegraph.com/admin/executors 72 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.executor.enabled -}} 2 | apiVersion: v1 3 | data: # NOTE: daemon.json below lists private-docker-registry:5000 under insecure-registries, so the dind daemon talks to it without verified TLS; limit who can reach that Service (e.g. with a NetworkPolicy) or serve the registry over TLS 4 | daemon.json: | 5 | { "insecure-registries":["private-docker-registry:5000"] } 6 | 7 | kind: ConfigMap 8 | metadata: 9 | labels: 10 | app: executor 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: executor 13 | name: docker-config 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.executor.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "6060" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.executor.serviceAnnotations }} 9 | {{- toYaml .Values.executor.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | {{- include "executor.labels" . | nindent 4 }} 13 | {{- if .Values.executor.serviceLabels }} 14 | {{- toYaml .Values.executor.serviceLabels | nindent 4 }} 15 | {{- end }} 16 | name: executor 17 | spec: 18 | ports: 19 | - name: debug 20 | port: 6060 # debug port (also the prometheus.io/port above); the Service type comes from executor.serviceType, default ClusterIP, so an externally reachable type would expose it 21 | targetPort: debug 22 | selector: 23 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 24 | app: {{include "executor.name" . 
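}} 25 | type: {{ .Values.executor.serviceType | default "ClusterIP" }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.privateDockerRegistry.enabled -}} 2 | apiVersion: apps/v1 3 | kind: Deployment # Docker registry run as a pull-through cache (REGISTRY_PROXY_REMOTEURL), storing data on the private-docker-registry PVC 4 | metadata: 5 | name: private-docker-registry 6 | labels: 7 | {{- include "sourcegraph.labels" . | nindent 4 }} 8 | {{- if .Values.privateDockerRegistry.labels }} 9 | {{- toYaml .Values.privateDockerRegistry.labels | nindent 4 }} 10 | {{- end }} 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: private-docker-registry 13 | spec: 14 | replicas: {{ .Values.privateDockerRegistry.replicaCount }} 15 | selector: 16 | matchLabels: 17 | {{- include "sourcegraph.selectorLabels" . | nindent 6 }} 18 | app: private-docker-registry 19 | strategy: 20 | type: Recreate 21 | template: 22 | metadata: 23 | annotations: 24 | kubectl.kubernetes.io/default-container: private-docker-registry 25 | {{- if .Values.sourcegraph.podAnnotations }} 26 | {{- toYaml .Values.sourcegraph.podAnnotations | nindent 8 }} 27 | {{- end }} 28 | {{- if .Values.privateDockerRegistry.podAnnotations }} 29 | {{- toYaml .Values.privateDockerRegistry.podAnnotations | nindent 8 }} 30 | {{- end }} 31 | labels: 32 | {{- include "sourcegraph.selectorLabels" . 
| nindent 8 }} 33 | {{- if .Values.sourcegraph.podLabels }} 34 | {{- toYaml .Values.sourcegraph.podLabels | nindent 8 }} 35 | {{- end }} 36 | {{- if .Values.privateDockerRegistry.podLabels }} 37 | {{- toYaml .Values.privateDockerRegistry.podLabels | nindent 8 }} 38 | {{- end }} 39 | deploy: sourcegraph 40 | app: private-docker-registry 41 | spec: 42 | containers: 43 | - name: private-docker-registry # NOTE(review): no securityContext or resources are rendered for this container, and scheduling below reads .Values.sourcegraph.* rather than the privateDockerRegistry.* keys the chart README lists; confirm which is intended 44 | image: {{ .Values.privateDockerRegistry.image.registry}}/{{ .Values.privateDockerRegistry.image.repository}}:{{ .Values.privateDockerRegistry.image.tag}} 45 | imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }} 46 | env: 47 | - name: REGISTRY_PROXY_REMOTEURL 48 | value: https://registry-1.docker.io # upstream of the pull-through cache; HTTPS so images fetched from Docker Hub are not pulled over plaintext 49 | ports: 50 | - containerPort: 5000 51 | name: registry 52 | livenessProbe: 53 | httpGet: 54 | path: / 55 | port: registry 56 | scheme: HTTP 57 | initialDelaySeconds: 5 58 | timeoutSeconds: 5 59 | readinessProbe: 60 | httpGet: 61 | path: / 62 | port: registry 63 | scheme: HTTP 64 | periodSeconds: 5 65 | timeoutSeconds: 5 66 | volumeMounts: 67 | - mountPath: /var/lib/registry 68 | name: cache 69 | {{- with .Values.sourcegraph.nodeSelector }} 70 | nodeSelector: 71 | {{- toYaml . | nindent 8 }} 72 | {{- end }} 73 | {{- with .Values.sourcegraph.affinity }} 74 | affinity: 75 | {{- toYaml . | nindent 8 }} 76 | {{- end }} 77 | {{- with .Values.sourcegraph.tolerations }} 78 | tolerations: 79 | {{- toYaml . | nindent 8 }} 80 | {{- end }} 81 | {{- with .Values.sourcegraph.imagePullSecrets }} 82 | imagePullSecrets: 83 | {{- toYaml . 
| nindent 8 }} 84 | {{- end }} 85 | volumes: 86 | - name: cache 87 | persistentVolumeClaim: 88 | claimName: private-docker-registry 89 | {{- end }} 90 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.privateDockerRegistry.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | deploy: sourcegraph 7 | app.kubernetes.io/component: private-docker-registry 8 | name: private-docker-registry 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.privateDockerRegistry.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.privateDockerRegistry.volumeName }} 17 | volumeName: {{ .Values.privateDockerRegistry.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.privateDockerRegistry.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.privateDockerRegistry.serviceAnnotations }} 6 | annotations: 7 | {{- toYaml .Values.privateDockerRegistry.serviceAnnotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | app: private-docker-registry 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: private-docker-registry 13 | name: private-docker-registry 14 | spec: 15 | ports: 16 | - name: http 17 | port: 5000 # plain-HTTP registry endpoint (the probes in the Deployment use scheme HTTP); kept cluster-internal by type ClusterIP below 18 | protocol: TCP 19 | targetPort: 5000 20 | selector: 21 | app: private-docker-registry 22 | type: ClusterIP 23 | {{- end }} 24 | 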
-------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/tests/executor_test.yaml: -------------------------------------------------------------------------------- 1 | suite: executor 2 | templates: 3 | - executor/docker-daemon.ConfigMap.yaml 4 | - executor/executor.Deployment.yaml 5 | - executor/executor.Service.yaml 6 | tests: 7 | - it: should render the Deployment and Service if executor is enabled 8 | set: 9 | executor: 10 | enabled: true 11 | asserts: 12 | - containsDocument: 13 | kind: Deployment 14 | apiVersion: apps/v1 15 | name: executor 16 | template: executor/executor.Deployment.yaml 17 | - containsDocument: 18 | kind: Service 19 | apiVersion: v1 20 | name: executor 21 | template: executor/executor.Service.yaml 22 | 23 | - it: should not render any resources if executor is disabled 24 | set: 25 | executor: 26 | enabled: false 27 | asserts: 28 | - hasDocuments: 29 | count: 0 30 | templates: 31 | - executor/docker-daemon.ConfigMap.yaml 32 | - executor/executor.Deployment.yaml 33 | - executor/executor.Service.yaml 34 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/tests/privateDockerRegistry_test.yaml: -------------------------------------------------------------------------------- 1 | suite: privateDockerRegistry 2 | templates: 3 | - private-docker-registry.Deployment.yaml 4 | - private-docker-registry.PersistentVolumeClaim.yaml 5 | - private-docker-registry.Service.yaml 6 | tests: 7 | - it: should render the Deployment, Service and PVC if registry is enabled 8 | set: 9 | privateDockerRegistry: 10 | enabled: true 11 | asserts: 12 | - containsDocument: 13 | kind: Deployment 14 | apiVersion: apps/v1 15 | name: private-docker-registry 16 | template: private-docker-registry.Deployment.yaml 17 | - containsDocument: 18 | kind: Service 19 | apiVersion: v1 20 | name: private-docker-registry 21 | template: 
private-docker-registry.Service.yaml 22 | - containsDocument: 23 | kind: PersistentVolumeClaim 24 | apiVersion: v1 25 | name: private-docker-registry 26 | template: private-docker-registry.PersistentVolumeClaim.yaml 27 | 28 | - it: should not render any resources if registry is disabled 29 | set: 30 | privateDockerRegistry: 31 | enabled: false 32 | asserts: 33 | - hasDocuments: 34 | count: 0 35 | templates: 36 | - private-docker-registry.Deployment.yaml 37 | - private-docker-registry.PersistentVolumeClaim.yaml 38 | - private-docker-registry.Service.yaml 39 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/dind/values.yaml: -------------------------------------------------------------------------------- 1 | # These values are derived from https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/values.yaml 2 | 3 | ### Common Configuration ### 4 | sourcegraph: 5 | image: 6 | # -- Global docker image tag 7 | defaultTag: '{{ .Chart.AppVersion }}' 8 | # -- Global docker image pull policy 9 | pullPolicy: IfNotPresent 10 | # -- Global docker image registry or prefix 11 | repository: index.docker.io/sourcegraph 12 | # -- When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags 13 | useGlobalTagAsDefault: false 14 | # -- Mount named secrets containing docker credentials 15 | imagePullSecrets: [] 16 | # -- Add a global label to all resources 17 | labels: {} 18 | # -- Set a custom name for the app.kubernetes.io/name annotation 19 | nameOverride: "" 20 | # -- Affinity, 21 | # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 22 | affinity: {} 23 | # -- NodeSelector, 24 | # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) 25 | 
nodeSelector: {} 26 | # -- Tolerations, 27 | # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) 28 | tolerations: [] 29 | # -- Add extra annotations to attach to all pods 30 | podAnnotations: {} 31 | # -- Add extra labels to attach to all pods 32 | podLabels: {} 33 | 34 | 35 | storageClass: 36 | # -- Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class 37 | create: false 38 | # -- Name of the storageClass. 39 | # Use to customize to the existing storage class name 40 | name: sourcegraph 41 | # -- Name of the storageClass provisioner, 42 | # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner) 43 | # and consult your cloud provider persistent storage documentation 44 | provisioner: kubernetes.io/gce-pd 45 | # -- Value of `type` key in storageClass `parameters`, 46 | # consult your cloud provider persistent storage documentation 47 | type: pd-ssd 48 | # -- Extra parameters of storageClass, 49 | # consult your cloud provider persistent storage documentation 50 | parameters: {} 51 | # -- Persistent volumes topology configuration, 52 | # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) 53 | allowedTopologies: {} 54 | 55 | executor: 56 | enabled: true 57 | image: 58 | defaultTag: 6.0.0@sha256:0be94a7c91f8273db10fdf46718c6596340ab2acc570e7b85353806e67a27508 59 | name: "executor" 60 | replicaCount: 1 61 | env: 62 | # -- The external URL of the Sourcegraph instance. Required. 63 | EXECUTOR_FRONTEND_URL: 64 | value: "" 65 | # -- The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required. 66 | EXECUTOR_FRONTEND_PASSWORD: 67 | value: "" # NOTE(review): a token set here lives in plain chart values; presumably a valueFrom/secretKeyRef entry is accepted instead, confirm against executor.Deployment.yaml 68 | # -- The name of the queue to pull jobs from to. Possible values: batches and codeintel. 
**Either this or EXECUTOR_QUEUE_NAMES is required.** 69 | EXECUTOR_QUEUE_NAME: 70 | value: "" 71 | # -- The comma-separated list of names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAME is required.** 72 | EXECUTOR_QUEUE_NAMES: 73 | value: "" 74 | 75 | dind: 76 | image: 77 | registry: index.docker.io 78 | repository: docker 79 | tag: 20.10.22-dind # NOTE(review): tag only; unlike executor.image.defaultTag above, this image is not pinned by digest 80 | 81 | privateDockerRegistry: 82 | # -- Whether to deploy the private registry. Only one registry is needed when deploying multiple executors. 83 | # More information: https://docs.sourcegraph.com/admin/executors/deploy_executors#using-private-registries 84 | enabled: true 85 | image: 86 | registry: index.docker.io 87 | repository: docker/regisry # NOTE(review): "regisry" looks like a typo for "registry"; as written the Deployment template would pull index.docker.io/docker/regisry:2, so confirm the intended repository 88 | tag: 2 # NOTE(review): floating major tag, not pinned by digest 89 | storageSize: 10Gi 90 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: sourcegraph-executor-k8s 3 | description: Chart for installing Sourcegraph executors using Kubernetes jobs 4 | icon: https://sourcegraph.com/favicon.ico 5 | type: application 6 | 7 | # Chart version, separate from Sourcegraph 8 | version: "5.11.0" 9 | 10 | # Version of Sourcegraph release 11 | appVersion: "5.11.0" 12 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | 5 | 6 | # Sourcegraph Executor Helm Chart 7 | 8 | This chart contains two deployments, Sourcegraph Kubernetes native Executors and a private Docker Registry. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart if you wish to deploy Kubernetes native executors. 
9 | 10 | Use cases: 11 | 12 | - Deploy Sourcegraph Kubernetes native Executors on Kubernetes 13 | 14 | ## Requirements 15 | 16 | * [Helm 3 CLI](https://helm.sh/docs/intro/install/) 17 | * Kubernetes 1.19 or greater 18 | 19 | ## Installation 20 | 21 | Add the Sourcegraph charts repo to Helm: 22 | 23 | ```sh 24 | helm repo add sourcegraph https://helm.sourcegraph.com/release 25 | ``` 26 | 27 | ## Usage 28 | 29 | > The chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart 30 | 31 | ## Rendering manifests for kubectl deployment 32 | 33 | Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`. 34 | 35 | ## Configuration Options 36 | 37 | Reference the table below for available configuration parameters and consult [executor] documentation. 38 | 39 | In addition to the documented values, the `executor` and `private-docker-registry` services also supports the following values 40 | 41 | - `executor.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 42 | - `executor.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) 43 | - `executor.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) 44 | - `executor.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 45 | - `executor.extraEnv` - consult `values.yaml` 46 | 47 | - `privateDockerRegistry.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 48 | - `privateDockerRegistry.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) 49 | - `privateDockerRegistry.tolerations` - [learn 
more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) 50 | - `privateDockerRegistry.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 51 | - `privateDockerRegistry.env` - consult `values.yaml` file 52 | 53 | {{ template "chart.valuesTable" . }} 54 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "executor.name" . }} 5 | labels: 6 | {{- include "executor.labels" . | nindent 4 }} 7 | data: 8 | EXECUTOR_USE_FIRECRACKER: "false" 9 | EXECUTOR_FRONTEND_URL: "{{ .Values.executor.frontendUrl }}" 10 | EXECUTOR_MAXIMUM_NUM_JOBS: "{{ .Values.executor.maximumNumJobs }}" 11 | EXECUTOR_MAXIMUM_RUNTIME_PER_JOB: "{{ .Values.executor.maximumRuntimePerJob }}" 12 | EXECUTOR_QUEUE_NAME: "{{ .Values.executor.queueName }}" 13 | EXECUTOR_QUEUE_NAMES: "{{join "," .Values.executor.queueNames }}" 14 | 15 | SRC_LOG_LEVEL: "{{ .Values.executor.log.level }}" 16 | SRC_LOG_FORMAT: "{{ .Values.executor.log.format }}" 17 | SRC_TRACE_LOG: "{{ .Values.executor.log.trace }}" 18 | 19 | EXECUTOR_KUBERNETES_NAMESPACE: "{{ .Values.executor.namespace }}" 20 | EXECUTOR_KUBERNETES_CONFIG_PATH: "{{ .Values.executor.kubeconfigPath }}" 21 | EXECUTOR_KUBERNETES_PERSISTENCE_VOLUME_NAME: "sg-{{include "executor.name" . 
}}" 22 | 23 | EXECUTOR_KUBERNETES_NODE_NAME: "{{ .Values.executor.kubernetesJob.node.name }}" 24 | EXECUTOR_KUBERNETES_NODE_SELECTOR: "{{ .Values.executor.kubernetesJob.node.selector }}" 25 | EXECUTOR_KUBERNETES_NODE_TOLERATIONS: "{{ .Values.executor.kubernetesJob.node.tolerations }}" 26 | EXECUTOR_KUBERNETES_NODE_REQUIRED_AFFINITY_MATCH_EXPRESSIONS: "{{ .Values.executor.kubernetesJob.node.requiredAffinityMatchExpressions }}" 27 | EXECUTOR_KUBERNETES_NODE_REQUIRED_AFFINITY_MATCH_FIELDS: "{{ .Values.executor.kubernetesJob.node.requiredAffinityMatchFields }}" 28 | 29 | EXECUTOR_KUBERNETES_POD_AFFINITY: "{{ .Values.executor.kubernetesJob.pod.affinity }}" 30 | EXECUTOR_KUBERNETES_POD_ANTI_AFFINITY: "{{ .Values.executor.kubernetesJob.pod.antiAffinity }}" 31 | 32 | EXECUTOR_KUBERNETES_RESOURCE_REQUEST_CPU: "{{ .Values.executor.kubernetesJob.resources.requests.cpu }}" 33 | EXECUTOR_KUBERNETES_RESOURCE_REQUEST_MEMORY: "{{ .Values.executor.kubernetesJob.resources.requests.memory }}" 34 | EXECUTOR_KUBERNETES_RESOURCE_LIMIT_CPU: "{{ .Values.executor.kubernetesJob.resources.limits.cpu }}" 35 | EXECUTOR_KUBERNETES_RESOURCE_LIMIT_MEMORY: "{{ .Values.executor.kubernetesJob.resources.limits.memory }}" 36 | 37 | KUBERNETES_JOB_DEADLINE: "{{ .Values.executor.kubernetesJob.deadline }}" 38 | KUBERNETES_RUN_AS_USER: "{{ .Values.executor.kubernetesJob.runAsUser }}" 39 | KUBERNETES_RUN_AS_GROUP: "{{ .Values.executor.kubernetesJob.runAsGroup }}" 40 | KUBERNETES_FS_GROUP: "{{ .Values.executor.kubernetesJob.fsGroup }}" 41 | 42 | EXECUTOR_DOCKER_ADD_HOST_GATEWAY: "{{.Values.executor.dockerAddHostGateway }}" 43 | KUBERNETES_KEEP_JOBS: "{{ .Values.executor.debug.keepJobs }}" 44 | EXECUTOR_KEEP_WORKSPACES: "{{ .Values.executor.debug.keepWorkspaces }}" 45 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 
1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: "sg-{{include "executor.name" . }}" 5 | labels: 6 | {{ include "executor.labels" . | indent 4 }} 7 | spec: 8 | storageClassName: {{ .Values.storageClass.name }} 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: {{ .Values.executor.storageSize }} 14 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.Role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.executor.configureRbac }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role # namespaced permissions for the executor; bound to ServiceAccount sg-executor by sg-executor-role-binding 4 | metadata: 5 | name: sg-executor-role 6 | labels: 7 | category: rbac 8 | deploy: sourcegraph 9 | sourcegraph-resource-requires: cluster-admin 10 | app.kubernetes.io/component: executor 11 | rules: 12 | - apiGroups: 13 | - batch 14 | resources: 15 | - jobs 16 | verbs: 17 | - create 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - pods 23 | - pods/log 24 | verbs: 25 | - get 26 | - list 27 | - watch 28 | - apiGroups: 29 | - "" 30 | resources: 31 | - secrets # NOTE(review): create/delete on Secrets carries no resourceNames, so delete covers every Secret in the namespace; the RBAC table in the executor README lists only the jobs and pods rules, so confirm this rule is needed and document it 32 | verbs: 33 | - create 34 | - delete 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.executor.configureRbac }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: sg-executor-role-binding 6 | labels: 7 | category: rbac 8 | deploy: sourcegraph 9 | sourcegraph-resource-requires: cluster-admin 10 | app.kubernetes.io/component: executor 11 | subjects: 12 | - kind: ServiceAccount 13 | name: sg-executor 14 | roleRef: 15 | kind: Role 16 | name: sg-executor-role 17 | apiGroup: rbac.authorization.k8s.io 18 | {{- end }} 19 | 
-------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.executor.frontendExistingSecret -}} 2 | apiVersion: v1 3 | kind: Secret # rendered only when executor.frontendExistingSecret is unset; b64enc is an encoding, not encryption, so the password still comes from plain chart values, and setting frontendExistingSecret keeps it out of them 4 | metadata: 5 | name: {{ include "executor.name" . }} 6 | type: Opaque 7 | data: 8 | EXECUTOR_FRONTEND_PASSWORD: {{ .Values.executor.frontendPassword | b64enc | quote }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | {{- if .Values.executor.serviceAnnotations }} 6 | {{- toYaml .Values.executor.serviceAnnotations | nindent 4 }} 7 | {{- end }} 8 | labels: 9 | {{ include "executor.labels" . | indent 4 }} 10 | {{- if .Values.executor.serviceLabels }} 11 | {{- toYaml .Values.executor.serviceLabels | nindent 4 }} 12 | {{- end }} 13 | name: {{ include "executor.name" . }} 14 | spec: 15 | ports: 16 | - name: debug 17 | port: 6060 18 | targetPort: debug 19 | selector: 20 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 21 | app: {{ include "executor.name" . 
}} 22 | type: {{ .Values.executor.serviceType | default "ClusterIP" }} 23 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/templates/executor.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.executor.configureRbac }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: sg-executor 6 | labels: 7 | category: rbac 8 | deploy: sourcegraph 9 | sourcegraph-resource-requires: cluster-admin 10 | app.kubernetes.io/component: executor 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph-executor/k8s/tests/executor_test.yaml: -------------------------------------------------------------------------------- 1 | suite: executor 2 | templates: 3 | - executor.Deployment.yaml 4 | - executor.Service.yaml 5 | - executor.ConfigMap.yaml 6 | - executor.PersistentVolumeClaim.yaml 7 | tests: 8 | - it: should render the Deployment, Service, ConfigMap, PVC if executor is enabled 9 | set: 10 | executor: 11 | enabled: true 12 | queueName: "test" 13 | rbac: 14 | enabled: true 15 | asserts: 16 | - containsDocument: 17 | kind: Deployment 18 | apiVersion: apps/v1 19 | name: executor-test 20 | template: executor.Deployment.yaml 21 | - containsDocument: 22 | kind: Service 23 | apiVersion: v1 24 | name: executor-test 25 | template: executor.Service.yaml 26 | - containsDocument: 27 | kind: ConfigMap 28 | apiVersion: v1 29 | name: executor-test 30 | template: executor.ConfigMap.yaml 31 | - containsDocument: 32 | kind: PersistentVolumeClaim 33 | apiVersion: v1 34 | name: sg-executor-test 35 | template: executor.PersistentVolumeClaim.yaml 36 | 37 | - it: should not render any resources if executor is disabled 38 | set: 39 | executor: 40 | enabled: false 41 | rbac: 42 | enabled: false 43 | asserts: 44 | - hasDocuments: 45 | count: 0 46 | templates: 47 | - executor.Deployment.yaml 48 | 
- executor.Service.yaml 49 | -------------------------------------------------------------------------------- /charts/sourcegraph-migrator/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/sourcegraph-migrator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: sourcegraph-migrator 3 | description: Chart for running Sourcegraph migrator 4 | icon: https://sourcegraph.com/favicon.ico 5 | type: application 6 | 7 | # Chart version, separate from Sourcegraph 8 | version: "5.11.0" 9 | 10 | # Version of Sourcegraph release 11 | appVersion: "5.11.0" 12 | -------------------------------------------------------------------------------- /charts/sourcegraph-migrator/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "sourcegraph.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create chart name and version as used by the chart label. 10 | */}} 11 | {{- define "sourcegraph.chart" -}} 12 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 13 | {{- end }} 14 | 15 | {{/* 16 | Common labels 17 | */}} 18 | {{- define "sourcegraph.labels" -}} 19 | helm.sh/chart: {{ include "sourcegraph.chart" . 
}} 20 | {{ include "sourcegraph.selectorLabels" . }} 21 | {{- if .Chart.AppVersion }} 22 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 23 | {{- end }} 24 | app.kubernetes.io/managed-by: {{ .Release.Service }} 25 | {{- if .Values.sourcegraph.labels }} 26 | {{ toYaml .Values.sourcegraph.labels }} 27 | {{- end }} 28 | {{- end }} 29 | 30 | {{/* 31 | Selector labels 32 | */}} 33 | {{- define "sourcegraph.selectorLabels" -}} 34 | app.kubernetes.io/name: {{ include "sourcegraph.name" . }} 35 | app.kubernetes.io/instance: {{ .Release.Name }} 36 | {{- end }} 37 | 38 | {{/* 39 | Create the name of the service account to use 40 | */}} 41 | {{- define "sourcegraph.serviceAccountName" -}} 42 | {{- $top := index . 0 }} 43 | {{- $service := index . 1 }} 44 | {{- default $service (index $top.Values $service "serviceAccount" "name") }} 45 | {{- end }} 46 | 47 | {{/* 48 | Create the docker image reference and allow it to be overridden on a per-service basis 49 | Default tags are toggled between a global and service-specific setting by the 50 | useGlobalTagAsDefault configuration 51 | */}} 52 | {{- define "sourcegraph.image" -}} 53 | {{- $top := index . 0 }} 54 | {{- $service := index . 1 }} 55 | {{- $imageName := (index $top.Values $service "image" "name")}} 56 | {{- $defaultTag := (index $top.Values $service "image" "defaultTag")}} 57 | {{- if $top.Values.sourcegraph.image.useGlobalTagAsDefault }}{{ $defaultTag = (tpl $top.Values.sourcegraph.image.defaultTag $top) }}{{ end }} 58 | 59 | {{- $top.Values.sourcegraph.image.repository }}/{{ $imageName }}:{{ default $defaultTag (index $top.Values $service "image" "tag") }} 60 | {{- end }} 61 | 62 | {{- define "sourcegraph.databaseAuth" -}} 63 | {{- $top := index . 0 -}} 64 | {{- $service := index . 1 -}} 65 | {{- $prefix := index . 
2 -}} 66 | {{- $secretName := (index $top.Values $service "name") -}} 67 | {{- $secretName := printf "%s-auth" $secretName -}} 68 | {{- if (index $top.Values $service "auth" "existingSecret") }}{{- $secretName = (index $top.Values $service "auth" "existingSecret") }}{{- end -}} 69 | - name: {{ printf "%sDATABASE" $prefix }} 70 | valueFrom: 71 | secretKeyRef: 72 | key: database 73 | name: {{ $secretName }} 74 | - name: {{ printf "%sHOST" $prefix }} 75 | valueFrom: 76 | secretKeyRef: 77 | key: host 78 | name: {{ $secretName }} 79 | - name: {{ printf "%sPASSWORD" $prefix }} 80 | valueFrom: 81 | secretKeyRef: 82 | key: password 83 | name: {{ $secretName }} 84 | - name: {{ printf "%sPORT" $prefix }} 85 | valueFrom: 86 | secretKeyRef: 87 | key: port 88 | name: {{ $secretName }} 89 | - name: {{ printf "%sUSER" $prefix }} 90 | valueFrom: 91 | secretKeyRef: 92 | key: user 93 | name: {{ $secretName }} 94 | - name: {{ printf "%sSSLMODE" $prefix }} 95 | valueFrom: 96 | secretKeyRef: 97 | key: sslmode 98 | name: {{ $secretName }} 99 | {{- end }} 100 | -------------------------------------------------------------------------------- /charts/sourcegraph-migrator/templates/migrator/sourcegraph-migrator.Job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | annotations: 5 | description: Performs Sourcegraph database migrations. 6 | labels: 7 | {{- include "sourcegraph.labels" . 
| nindent 4 }} 8 | {{- if .Values.migrator.labels }} 9 | {{- toYaml .Values.migrator.labels | nindent 4 }} 10 | {{- end }} 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: migrator 13 | name: {{ default "migrator" .Values.migrator.name }}-{{ randAlphaNum 5 | lower }} 14 | spec: 15 | backoffLimit: 5 16 | template: 17 | metadata: 18 | annotations: 19 | kubectl.kubernetes.io/default-container: migrator 20 | {{- if .Values.sourcegraph.podAnnotations }} 21 | {{- toYaml .Values.sourcegraph.podAnnotations | nindent 8 }} 22 | {{- end }} 23 | {{- if .Values.migrator.podAnnotations }} 24 | {{- toYaml .Values.migrator.podAnnotations | nindent 8 }} 25 | {{- end }} 26 | labels: 27 | {{- include "sourcegraph.selectorLabels" . | nindent 8 }} 28 | {{- if .Values.sourcegraph.podLabels }} 29 | {{- toYaml .Values.sourcegraph.podLabels | nindent 8 }} 30 | {{- end }} 31 | {{- if .Values.migrator.podLabels }} 32 | {{- toYaml .Values.migrator.podLabels | nindent 8 }} 33 | {{- end }} 34 | job: migrator 35 | deploy: sourcegraph 36 | spec: 37 | containers: 38 | - name: migrator 39 | image: {{ include "sourcegraph.image" (list . "migrator") }} 40 | imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }} 41 | args: {{- default (list "up") .Values.migrator.args | toYaml | nindent 8 }} 42 | env: 43 | {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }} 44 | {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }} 45 | {{- include "sourcegraph.databaseAuth" (list . 
"codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }} 46 | {{- range $name, $item := .Values.migrator.env }} 47 | - name: {{ $name }} 48 | {{- $item | toYaml | nindent 10 }} 49 | {{- end }} 50 | resources: 51 | {{- toYaml .Values.migrator.resources | nindent 10 }} 52 | securityContext: 53 | {{- toYaml .Values.migrator.containerSecurityContext | nindent 10 }} 54 | volumeMounts: 55 | {{- if .Values.migrator.extraVolumeMounts }} 56 | {{- toYaml .Values.migrator.extraVolumeMounts | nindent 8 }} 57 | {{- end }} 58 | {{- if .Values.migrator.extraContainers }} 59 | {{- toYaml .Values.migrator.extraContainers | nindent 6 }} 60 | {{- end }} 61 | securityContext: 62 | {{- toYaml .Values.migrator.podSecurityContext | nindent 8 }} 63 | {{- with .Values.sourcegraph.nodeSelector }} 64 | nodeSelector: 65 | {{- toYaml . | nindent 8 }} 66 | {{- end }} 67 | {{- with .Values.sourcegraph.affinity }} 68 | affinity: 69 | {{- toYaml . | nindent 8 }} 70 | {{- end }} 71 | {{- with .Values.sourcegraph.tolerations }} 72 | tolerations: 73 | {{- toYaml . | nindent 8 }} 74 | {{- end }} 75 | {{- with .Values.sourcegraph.imagePullSecrets }} 76 | imagePullSecrets: 77 | {{- toYaml . | nindent 8 }} 78 | {{- end }} 79 | restartPolicy: Never 80 | {{- if .Values.migrator.extraVolumes }} 81 | volumes: 82 | {{- toYaml .Values.migrator.extraVolumes | nindent 6 }} 83 | {{- end }} 84 | -------------------------------------------------------------------------------- /charts/sourcegraph/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/sourcegraph/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: sourcegraph 3 | description: Chart for installing Sourcegraph 4 | icon: https://sourcegraph.com/favicon.ico 5 | type: application 6 | 7 | # Chart version, separate from Sourcegraph 8 | version: "5.11.0" 9 | 10 | # Version of Sourcegraph release 11 | appVersion: "5.11.0" 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | 5 | 6 | # Sourcegraph Helm Chart 7 | 8 | Visit the [Helm docs](https://docs.sourcegraph.com/admin/install/kubernetes) for guidance on using this chart. 9 | 10 | ## Configuration Options 11 | 12 | Reference the below chart for all available configuration parameters. 
13 | 14 | The full values.yaml file can also be generated by running: 15 | `helm show values sourcegraph/sourcegraph` 16 | 17 | In addition to the documented values, all services also support the following values: 18 | 19 | - `.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 20 | - `.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) 21 | - `.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) 22 | - `.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 23 | - `.args` - override default container args 24 | - `.env` - consult `values.yaml` file 25 | - `.serviceAccount.create` - create service account for service 26 | - `.serviceAccount.annotations` - Annotations for the service-specific service account 27 | 28 | {{ template "chart.valuesTable" . 
}} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/advanced-scheduling/override.yaml: -------------------------------------------------------------------------------- 1 | ## Override file demonstrating 2 | # - the use of advanced scheduling in Kubernetes, including 3 | # - node selector 4 | # - tolerations 5 | # - affinity to scatter services across multiple nodes 6 | # - the use of YAMl anchor and alias to keep your override.yaml DRY 7 | # 8 | # For scaling guide, you should refer to our official docs 9 | # - https://docs.sourcegraph.com/admin/install/kubernetes/scale 10 | # - https://docs.sourcegraph.com/dev/background-information/architecture#diagram 11 | 12 | sourcegraph: 13 | # Global node selector 14 | nodeSelector: &commonNodeSelector 15 | kubernetes.io/arch: amd64 16 | # Global tolerations 17 | tolerations: 18 | - key: "some-key" 19 | operator: "Equal" 20 | value: "some-value" 21 | effect: "NoSchedule" 22 | 23 | # Common select labels to select pods that belong to the current helm release 24 | selectorLabels: &commonSelectorLabels 25 | app.kubernetes.io/name: '{{ include "sourcegraph.name" . 
}}' 26 | app.kubernetes.io/instance: '{{ .Release.Name }}' 27 | 28 | frontend: 29 | replicaCount: 3 30 | affinity: 31 | podAntiAffinity: 32 | preferredDuringSchedulingIgnoredDuringExecution: 33 | - podAffinityTerm: 34 | topologyKey: kubernetes.io/hostname 35 | labelSelector: 36 | matchLabels: 37 | <<: *commonSelectorLabels 38 | app: frontend 39 | weight: 100 40 | 41 | gitserver: 42 | replicaCount: 3 43 | nodeSelector: 44 | <<: *commonNodeSelector 45 | cloud.google.com/gke-boot-disk: pd-ssd 46 | affinity: 47 | podAntiAffinity: 48 | preferredDuringSchedulingIgnoredDuringExecution: 49 | - podAffinityTerm: 50 | topologyKey: kubernetes.io/hostname 51 | labelSelector: 52 | matchLabels: 53 | <<: *commonSelectorLabels 54 | app: gitserver 55 | weight: 100 56 | 57 | indexedSearch: 58 | replicaCount: 10 59 | affinity: 60 | podAntiAffinity: 61 | preferredDuringSchedulingIgnoredDuringExecution: 62 | - podAffinityTerm: 63 | topologyKey: kubernetes.io/hostname 64 | labelSelector: 65 | matchLabels: 66 | <<: *commonSelectorLabels 67 | app: indexed-search 68 | weight: 100 69 | 70 | preciseCodeIntel: 71 | replicaCount: 3 72 | affinity: 73 | podAntiAffinity: 74 | preferredDuringSchedulingIgnoredDuringExecution: 75 | - podAffinityTerm: 76 | topologyKey: kubernetes.io/hostname 77 | labelSelector: 78 | matchLabels: 79 | <<: *commonSelectorLabels 80 | app: precise-code-intel-worker 81 | weight: 100 82 | 83 | searcher: 84 | replicaCount: 5 85 | affinity: 86 | podAntiAffinity: 87 | preferredDuringSchedulingIgnoredDuringExecution: 88 | - podAffinityTerm: 89 | topologyKey: kubernetes.io/hostname 90 | labelSelector: 91 | matchLabels: 92 | <<: *commonSelectorLabels 93 | app: searcher 94 | weight: 100 95 | 96 | worker: 97 | replicaCount: 3 98 | affinity: 99 | podAntiAffinity: 100 | preferredDuringSchedulingIgnoredDuringExecution: 101 | - podAffinityTerm: 102 | topologyKey: kubernetes.io/hostname 103 | labelSelector: 104 | matchLabels: 105 | <<: *commonSelectorLabels 106 | app: worker 107 | 
weight: 100 108 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/aws/override.yaml: -------------------------------------------------------------------------------- 1 | frontend: 2 | ingress: 3 | enabled: true 4 | annotations: 5 | kubernetes.io/ingress.class: alb # aws load balancer controller ingressClass name 6 | # additional aws alb ingress controller supported annotations 7 | # ... 8 | # replace with your actual domain 9 | host: sourcegraph.company.com 10 | 11 | storageClass: 12 | create: true 13 | type: gp3 # This configures SSDs (recommended). 14 | provisioner: ebs.csi.aws.com 15 | volumeBindingMode: WaitForFirstConsumer 16 | reclaimPolicy: Retain 17 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/azure/override.yaml: -------------------------------------------------------------------------------- 1 | frontend: 2 | ingress: 3 | enabled: true 4 | annotations: 5 | kubernetes.io/ingress.class: azure/application-gateway 6 | # additional azure application gateway supported annotations 7 | # ... 8 | # replace with your actual domain 9 | host: sourcegraph.company.com 10 | 11 | storageClass: 12 | create: true 13 | type: null 14 | provisioner: disk.csi.azure.com 15 | volumeBindingMode: WaitForFirstConsumer 16 | reclaimPolicy: Retain 17 | parameters: 18 | storageaccounttype: Premium_LRS # This configures SSDs (recommended). A Premium VM is required. 
19 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/basic/override.yaml: -------------------------------------------------------------------------------- 1 | # Simple override file adjusting resources, replica count, and adding environment variables 2 | 3 | frontend: 4 | replicas: 2 5 | 6 | gitServer: 7 | replicas: 2 8 | resources: 9 | limits: 10 | cpu: "8" 11 | memory: 8G 12 | requests: 13 | cpu: "4" 14 | memory: 4G 15 | storageSize: "1Ti" 16 | env: 17 | SRC_LOG_LEVEL: 18 | value: "warn" 19 | 20 | grafana: 21 | storageSize: "10Gi" 22 | 23 | indexedSearch: 24 | replicas: 2 25 | storageSize: "100Gi" 26 | webserver: 27 | resources: 28 | limits: 29 | cpu: "2" 30 | memory: 16G 31 | requests: 32 | cpu: "1" 33 | memory: 16G 34 | indexserver: 35 | resources: 36 | limits: 37 | cpu: "4" 38 | memory: 16G 39 | requests: 40 | cpu: "4" 41 | memory: 8G 42 | 43 | blobstore: 44 | resources: 45 | limits: 46 | cpu: "1" 47 | memory: "500M" 48 | requests: 49 | cpu: "1" 50 | memory: "500M" 51 | storageSize: "100Gi" 52 | 53 | pgsql: 54 | storageSize: "250Gi" 55 | 56 | prometheus: 57 | storageSize: "50Gi" 58 | 59 | searcher: 60 | resources: 61 | limits: 62 | cpu: "2" 63 | memory: 4G 64 | requests: 65 | cpu: 500m 66 | memory: 1G 67 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/common-modifications/README.md: -------------------------------------------------------------------------------- 1 | # Common modifications: resource limits, replica counts, disk size 2 | 3 | This override file includes all Sourcegraph services and their default resource requests/limits, replica counts, and storage sizes. 4 | 5 | This can be used as a starting point for customizing Sourcegraph to meet your own usage requirements. The [Resource Estimator] can provide some guidance on adjusting resources. 
6 | 7 | [Resource Estimator]: https://docs.sourcegraph.com/admin/install/resource_estimator 8 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/custom-security-context/override.yaml: -------------------------------------------------------------------------------- 1 | # Example chart showing ways to customize security contexts for deployments 2 | # By default, Sourcegraph will run with non-root access and limited permissions, 3 | # which should be acceptable for most clusters. 4 | # Changes to these settings should only be made if your Kubernetes cluster has specific requirements 5 | 6 | pgsql: 7 | podSecurityContext: 8 | readOnlyRootFilesystem: false # Override default setting and allow root file system writes 9 | 10 | frontend: 11 | podSecurityContext: # NOTE(review): allowPrivilegeEscalation and readOnlyRootFilesystem are container-level securityContext fields in Kubernetes - confirm whether they belong under containerSecurityContext 12 | allowPrivilegeEscalation: true # weakens the default hardening: lets a process gain more privileges than its parent process 13 | runAsUser: 1 14 | runAsGroup: 1 15 | readOnlyRootFilesystem: false 16 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/envoy/README.md: -------------------------------------------------------------------------------- 1 | # Envoy Filter 2 | 3 | This override file creates a new resource called `EnvoyFilter` to enable HTTP trailers on envoy for gitserver. 4 | 5 | It is an example override file to apply a new envoy filter to resolve the following error message in gitserver caused by service mesh (ex. 
istio): 6 | 7 | ``` 8 | "git command [git rev-parse HEAD] failed (stderr: \"\"): strconv.Atoi: parsing \"\" 9 | ``` 10 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/envoy/override.yaml: -------------------------------------------------------------------------------- 1 | extraResources: 2 | - apiVersion: networking.istio.io/v1alpha3 3 | kind: EnvoyFilter 4 | metadata: 5 | name: enable-trailers 6 | labels: 7 | deploy: sourcegraph 8 | spec: 9 | workloadSelector: 10 | labels: 11 | app: gitserver 12 | configPatches: 13 | - applyTo: NETWORK_FILTER 14 | match: 15 | listener: 16 | filterChain: 17 | filter: 18 | name: "envoy.filters.network.http_connection_manager" 19 | patch: 20 | operation: MERGE 21 | value: 22 | name: "envoy.filters.network.http_connection_manager" 23 | typed_config: 24 | "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" 25 | http_protocol_options: 26 | enable_trailers: true 27 | - applyTo: CLUSTER 28 | patch: 29 | operation: MERGE 30 | value: 31 | typed_extension_protocol_options: 32 | envoy.extensions.upstreams.http.v3.HttpProtocolOptions: 33 | "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions 34 | explicit_http_config: 35 | http_protocol_options: 36 | enable_trailers: true -------------------------------------------------------------------------------- /charts/sourcegraph/examples/external-databases/README.md: -------------------------------------------------------------------------------- 1 | # Using external Postgres instances 2 | 3 | Sourcegraph deployment by default ships three separate Postgres instances: 4 | 5 | - [codeinsights-db.StatefulSet.yaml](../../templates/codeinsights-db/codeinsights-db.StatefulSet.yaml) 6 | - [codeintel-db.StatefulSet.yaml](../../templates/codeintel-db/codeintel-db.StatefulSet.yaml) 7 | - [pgsql.StatefulSet.yaml](../../templates/pgsql/pgsql.StatefulSet.yaml) 
8 | 9 | All three can be disabled individually and replaced with external Postgres instances. 10 | 11 | For guidance on setup for the external instances, refer to the [Helm docs on using an external database](https://docs.sourcegraph.com/admin/install/kubernetes/helm#using-external-postgresql-databases). 12 | 13 | The example [override.yaml] demonstrates various options for configuring access to the external databases. 14 | 15 | ## Providing credentials via Secret 16 | 17 | You can provide database credentials in a [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) managed outside the helm chart in a secure manner. 18 | 19 | Each database requires its own Secret, which should use the following format. The Secret name can be customized as desired: 20 | 21 | ```yaml 22 | apiVersion: v1 23 | kind: Secret 24 | metadata: 25 | name: pgsql-credentials 26 | data: 27 | # notes: secrets data has to be base64-encoded 28 | database: "" 29 | host: "" 30 | password: "" 31 | port: "" 32 | user: "" 33 | pgsslmode: "require" # optional, enable if using SSL; shown in plain text here, but under `data:` it has to be base64-encoded like the other values. NOTE(review): the `sourcegraph.databaseAuth` helper in the sourcegraph-migrator chart reads this setting from the key `sslmode` - confirm which key name your chart version expects 34 | ``` 35 | 36 | The Secret name should be set in your override file in the `auth.existingSecret` key for each database. See the [override.yaml] for an example. 37 | 38 | [override.yaml]: ./override.yaml 39 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/external-databases/override.yaml: -------------------------------------------------------------------------------- 1 | # Demonstrate using an external database for each Sourcegraph database 2 | # Optionally, reference a Kubernetes Secret that contains credentials to the external database 3 | # Learn more from the tutorial below 4 | # - https://docs.sourcegraph.com/admin/install/kubernetes/helm#using-external-postgresql-databases 5 | 6 | # Connect to an external postgres instance configured with default Sourcegraph settings (database, username, etc.) 
7 | pgsql: 8 | enabled: false # disable internal pgsql database 9 | auth: 10 | host: pgsql.database.company.com # external pgsql host 11 | 12 | 13 | # Connect to an external postgres instance with custom settings 14 | codeInsightsDB: 15 | enabled: false # disable internal codeinsights-db database 16 | auth: 17 | database: "customdb" 18 | host: pgsql.database.company.com # external pgsql host 19 | user: "newuser" 20 | password: "newpassword" # placeholder; a password set here sits in plain text in the values file - prefer auth.existingSecret, as shown for codeIntelDB below 21 | port: "4432" 22 | 23 | # Use an existing secret for credentials to an external postgres instance 24 | codeIntelDB: 25 | enabled: false # disable internal codeintel-db database 26 | auth: 27 | existingSecret: "codeintel-credentials" # created outside the helm chart 28 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/external-object-storage/override.yaml: -------------------------------------------------------------------------------- 1 | # Override file demonstrating the use of external Object Storage services 2 | # Learn more from the tutorial below 3 | # - https://docs.sourcegraph.com/admin/install/kubernetes/helm#using-external-object-storage 4 | 5 | # Disable deployment of the built-in object storage 6 | blobstore: 7 | enabled: false 8 | 9 | # we use YAML anchors and aliases to keep the override file clean 10 | objectStorageEnv: &objectStorageEnv 11 | PRECISE_CODE_INTEL_UPLOAD_BACKEND: 12 | value: S3 # external object storage type, one of "S3" or "GCS" 13 | PRECISE_CODE_INTEL_UPLOAD_BUCKET: 14 | value: lsif-uploads # external object storage bucket name 15 | PRECISE_CODE_INTEL_UPLOAD_AWS_ENDPOINT: 16 | value: https://s3.us-east-1.amazonaws.com 17 | PRECISE_CODE_INTEL_UPLOAD_AWS_REGION: 18 | value: us-east-1 19 | PRECISE_CODE_INTEL_UPLOAD_AWS_ACCESS_KEY_ID: 20 | secretKeyRef: # Pre-existing secret, not created by this chart 21 | name: sourcegraph-s3-credentials 22 | key: PRECISE_CODE_INTEL_UPLOAD_AWS_ACCESS_KEY_ID 23 | PRECISE_CODE_INTEL_UPLOAD_AWS_SECRET_ACCESS_KEY: 
24 | secretKeyRef: # Pre-existing secret, not created by this chart 25 | name: sourcegraph-s3-credentials 26 | key: PRECISE_CODE_INTEL_UPLOAD_AWS_SECRET_ACCESS_KEY 27 | 28 | frontend: 29 | env: 30 | <<: *objectStorageEnv 31 | 32 | preciseCodeIntel: 33 | env: 34 | <<: *objectStorageEnv 35 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/external-redis/README.md: -------------------------------------------------------------------------------- 1 | # Using external Redis instances 2 | 3 | Sourcegraph deployment by default ships two separate Redis instances for different purposes 4 | 5 | - [redis-cache.Deployment.yaml](../../templates/redis/redis-cache.Deployment.yaml) 6 | - [redis-store.Deployment.yaml](../../templates/redis/redis-store.Deployment.yaml) 7 | 8 | When using external Redis instances, you’ll need to specify the new endpoint for each. You can specify the endpoint directly in the values file, or by referencing an existing secret. 9 | 10 | ## Option 1 - Customize endpoint in override file (Endpoint does not require authentication) 11 | 12 | Example values override [override.yaml](./override.yaml) 13 | 14 | The `endpoint` setting must either have the format `$HOST:PORT` or follow the [IANA specification for Redis URLs](https://www.iana.org/assignments/uri-schemes/prov/redis) (e.g., redis://:mypassword@host:6379/2) 15 | 16 | ## Option 2 - Reference endpoint saved in an existing secret (Authentication required) 17 | 18 | If your endpoint requires authentication, we recommend storing the credentials in a [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) created outside of the helm chart and managed in a secure manner. 19 | 20 | Each Redis instance requires a separate Secret with the following format. 
The names can be customized as desired: 21 | 22 | ```yaml 23 | apiVersion: v1 24 | kind: Secret 25 | metadata: 26 | name: redis-store-connection 27 | data: 28 | # notes: secrets data has to be base64-encoded 29 | endpoint: "" 30 | ``` 31 | 32 | ```yaml 33 | apiVersion: v1 34 | kind: Secret 35 | metadata: 36 | name: redis-cache-connection 37 | data: 38 | # notes: secrets data has to be base64-encoded 39 | endpoint: "" 40 | ``` 41 | 42 | The Secret names should be configured in your override file in the `connection.existingSecret` key for each Redis. Example: [override-secret.yaml](./override-secret.yaml) 43 | 44 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/external-redis/override-secret.yaml: -------------------------------------------------------------------------------- 1 | # Demonstrate using external redis instance(s) 2 | # Disables deployment of the internal `redis-cache` and `redis-store` deployment 3 | # References an existing secret 4 | 5 | redisCache: 6 | enabled: false 7 | connection: 8 | existingSecret: redis-cache-connection 9 | 10 | redisStore: 11 | enabled: false 12 | connection: 13 | existingSecret: redis-store-connection 14 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/external-redis/override.yaml: -------------------------------------------------------------------------------- 1 | # Demonstrate using external redis instance(s) 2 | # Disables deployment of the internal `redis-cache` and `redis-store` deployment 3 | 4 | redisCache: 5 | enabled: false 6 | connection: 7 | endpoint: redis://redis-cache.example.com:6379 # use a dedicated Redis, recommended 8 | 9 | redisStore: 10 | enabled: false 11 | connection: 12 | endpoint: redis://redis-shared.example.com:6379/2 # shared Redis, not recommended 13 | -------------------------------------------------------------------------------- 
/charts/sourcegraph/examples/extra-volumes/override.yaml: -------------------------------------------------------------------------------- 1 | # Demonstrate adding an additional volume to a deployment 2 | 3 | frontend: 4 | extraVolumes: 5 | - emptyDir: {} 6 | name: tmpdir 7 | extraVolumeMounts: 8 | - mountPath: /tmp 9 | name: tmpdir 10 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/gcp/README.md: -------------------------------------------------------------------------------- 1 | # GCP 2 | 3 | Deploy Sourcegraph on GKE and use [Container-native load balancing through Ingress] to make Sourcegraph publicly accessible. 4 | 5 | Additionally, it will configure output logs format that works better with GCP Logging by setting `SRC_LOG_FORMAT=json_gcp` in all services. 6 | 7 | ## Get started 8 | 9 | Deploy or upgrade Sourcegraph Helm chart with the provided [override.yaml](./override.yaml). This will create a public-facing load balancer that supports HTTP traffic. You can then access your deployment via the IP of the load balancer. 10 | 11 | **To enable HTTPS**, provide [your own SSL cert] or use [Google-managed certificates]. 12 | 13 | The override file includes a [BackendConfig] CRD. This is necessary to instruct GCP load balancer how to perform healthcheck on our deployment. 
14 | 15 | [Container-native load balancing through Ingress]: https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing 16 | [BackendConfig]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#create_backendconfig 17 | [your own SSL cert]: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-xlb#setting_up_https_tls_between_client_and_load_balancer 18 | [Google-managed certificates]: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/gcp/override.yaml: -------------------------------------------------------------------------------- 1 | frontend: 2 | serviceType: ClusterIP 3 | ingress: 4 | enabled: true 5 | annotations: 6 | kubernetes.io/ingress.class: gce 7 | # To enable HTTPS using a self-managed certificate 8 | # tlsSecret: example-secret 9 | # host: sourcegraph.example.com 10 | serviceAnnotations: 11 | cloud.google.com/neg: '{"ingress": true}' 12 | # Reference the `BackendConfig` CR created below 13 | beta.cloud.google.com/backend-config: '{"default": "sourcegraph-frontend"}' 14 | env: 15 | SRC_LOG_FORMAT: 16 | value: json_gcp 17 | 18 | storageClass: 19 | create: true 20 | type: pd-ssd # This configures SSDs (recommended). 
21 | provisioner: pd.csi.storage.gke.io 22 | volumeBindingMode: WaitForFirstConsumer 23 | reclaimPolicy: Retain 24 | 25 | extraResources: 26 | - apiVersion: cloud.google.com/v1 27 | kind: BackendConfig 28 | metadata: 29 | name: sourcegraph-frontend 30 | spec: 31 | healthCheck: 32 | checkIntervalSec: 5 33 | timeoutSec: 5 34 | requestPath: /ready 35 | port: 6060 # we use a custom port to perform healthcheck 36 | 37 | migrator: 38 | env: 39 | SRC_LOG_FORMAT: 40 | value: json_gcp 41 | 42 | gitserver: 43 | env: 44 | SRC_LOG_FORMAT: 45 | value: json_gcp 46 | 47 | grafana: 48 | env: 49 | SRC_LOG_FORMAT: 50 | value: json_gcp 51 | 52 | indexedSearch: 53 | env: 54 | SRC_LOG_FORMAT: 55 | value: json_gcp 56 | 57 | indexedSearchIndexer: 58 | env: 59 | SRC_LOG_FORMAT: 60 | value: json_gcp 61 | 62 | blobstore: 63 | env: 64 | SRC_LOG_FORMAT: 65 | value: json_gcp 66 | 67 | preciseCodeIntel: 68 | env: 69 | SRC_LOG_FORMAT: 70 | value: json_gcp 71 | 72 | searcher: 73 | env: 74 | SRC_LOG_FORMAT: 75 | value: json_gcp 76 | 77 | syntectServer: 78 | env: 79 | SRC_LOG_FORMAT: 80 | value: json_gcp 81 | 82 | worker: 83 | env: 84 | SRC_LOG_FORMAT: 85 | value: json_gcp 86 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/ingress/override.yaml: -------------------------------------------------------------------------------- 1 | # Demonstrates how to disable or customize ingress annotations 2 | # and use the ingressClassName definition (available in Kubernetes 1.18+) 3 | # https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation 4 | 5 | frontend: 6 | ingress: 7 | annotations: 8 | kubernetes.io/ingress.class: null # Disables annotation since we are setting ingressClassName 9 | nginx.ingress.kubernetes.io/proxy-body-size: null # Disables annotation 10 | custom-annotation: custom # Adds a new annotation 11 | ingressClassName: nginx # Sets the ingressClassname 12 | 
-------------------------------------------------------------------------------- /charts/sourcegraph/examples/jaeger/override.yaml: -------------------------------------------------------------------------------- 1 | jaeger: 2 | enabled: true 3 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/kustomize-chart/README.md: -------------------------------------------------------------------------------- 1 | # kustomize chart 2 | 3 | This example demonstrates the escape hatch to use whenever you encounter something that our helm charts do not support yet. [Kustomize] allows you to apply [strategic merge patch] and [json patch] on helm chart without maintaining a custom fork. This is our **recommended** approach to customize helm chart, and you should avoid forking unless absolutely necessary. 4 | 5 | ## Customize `frontend` service port 6 | 7 | In this example, we will change the `http` port of `sourcegraph-frontend.Service.yaml` and update the corresponding backend service port number in `sourcegraph-frontend.Ingress.yaml`. 8 | 9 | We will utilize the [post renderering] feature from Helm to integrate with [Kustomize]. The `./kustomize` script below will run `kustomize build` on the rendered manifests from helm and return the transformed manifests back to Helm. 
10 | 11 | > The command below should be run within the current directory 12 | 13 | ```sh 14 | helm upgrade --install --create-namespace -n sourcegraph sourcegraph sourcegraph/sourcegraph --post-renderer ./kustomize 15 | ``` 16 | 17 | [kustomize]: https://kustomize.io 18 | [strategic merge patch]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md 19 | [json patch]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment 20 | [post renderering]: https://helm.sh/docs/topics/advanced/#post-rendering 21 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/kustomize-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - all.yaml 3 | 4 | patches: 5 | - target: 6 | version: v1 7 | kind: Service 8 | name: sourcegraph-frontend 9 | patch: |- 10 | - op: replace 11 | path: /spec/ports/0/port 12 | value: 80 13 | - target: 14 | version: v1 15 | kind: Ingress 16 | name: sourcegraph-frontend 17 | patch: |- 18 | - op: replace 19 | path: /spec/rules/0/http/paths/0/backend/service/port/number 20 | value: 80 21 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/kustomize-chart/kustomize: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euf -o pipefail 4 | 5 | # Save the rendered manifests from STDIN to a temporary file 6 | cat <&0 > all.yaml 7 | 8 | # Apply kustomize on rendered manifests and remove the temporary file (all.yaml, which holds the full rendered manifests, is left behind if `kustomize build` fails) 9 | kustomize build . 
&& rm all.yaml 10 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/opentelemetry-exporter/override-processor.yaml: -------------------------------------------------------------------------------- 1 | openTelemetry: 2 | gateway: 3 | config: 4 | traces: 5 | processors: 6 | probabilistic_sampler: 7 | hash_seed: 22 # An integer used to compute the hash algorithm. Note that all collectors for a given tier (e.g. behind the same load balancer) should have the same hash_seed. 8 | sampling_percentage: 10.0 # (default = 0): Percentage at which traces are sampled; >= 100 samples all traces 9 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/opentelemetry-exporter/override-tls.yaml: -------------------------------------------------------------------------------- 1 | openTelemetry: 2 | gateway: 3 | env: 4 | JAEGER_HOST: 5 | value: "http://your.jaeger.endpoint" 6 | config: 7 | traces: 8 | exportersTlsSecretName: otel-collector-exporters-tls 9 | exporters: 10 | jaeger: 11 | endpoint: "$JAEGER_HOST:14250" 12 | tls: 13 | cert_file: /tls/file.cert 14 | key_file: /tls/file.key 15 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/opentelemetry-exporter/override.yaml: -------------------------------------------------------------------------------- 1 | openTelemetry: 2 | gateway: 3 | env: 4 | JAEGER_HOST: 5 | value: "http://your.jaeger.endpoint" 6 | config: 7 | traces: 8 | exporters: 9 | jaeger: 10 | endpoint: "$JAEGER_HOST:14250" 11 | tls: 12 | insecure: true # disables TLS on the exporter connection, so traces travel unencrypted; see override-tls.yaml for a TLS example 13 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/private-image-registry/override.yaml: -------------------------------------------------------------------------------- 1 | ## Override file demonstrating the use of a private docker image registry and custom image names 2 | # 3 | # 
Original image reference: 4 | # image: index.docker.io/sourcegraph/frontend:3.35.1@sha256:69dc2fff40d2d2c8bd0ef2a8fe0744395c5784f1d380ac50917b485ffa5f70dd 5 | # 6 | # Using override: 7 | # image: custom-repo.ecr.us-east-1.amazonaws.com/sourcegraph/frontend:3.35.1 8 | # 9 | # Original image reference: 10 | # image: index.docker.io/sourcegraph/alpine-3.12:3.35.1@sha256:a26a8820b8794c2d85c67f7b61b00b4d468af722047b8093235a827c08ea878a 11 | # 12 | # Using override, with custom image name: 13 | # image: custom-repo.ecr.us-east-1.amazonaws.com/sourcegraph/alpine:3.12 14 | 15 | sourcegraph: 16 | image: 17 | repository: custom-repo.ecr.us-east-1.amazonaws.com/sourcegraph 18 | useGlobalTagAsDefault: true # Every image will use the Sourcegraph version tag (e.g. 3.35.1) instead of an individual sha-based reference. Tags are mutable, so this gives up the digest pinning shown above; the private registry must be trusted to serve the intended images 19 | 20 | # Registry credentials: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry 21 | imagePullSecrets: 22 | - name: regcred # Pre-existing secret that contains the credentials needed to pull from the image registry 23 | 24 | alpine: 25 | image: 26 | name: alpine # Use a custom name instead of the Sourcegraph name - i.e. alpine-3.12 27 | tag: 3.12 # Use a custom tag instead of the default - i.e. 
3.35.1 28 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/prometheus/README.md: -------------------------------------------------------------------------------- 1 | # Prometheus ConfigMap Override 2 | 3 | ## Why 4 | 5 | - Some self-hosted customers run their instances on non-standard Kubernetes clusters, such as k3s, which expose metrics using different names / labels 6 | - Our Grafana dashboards expect metrics to be on our Prometheus container with specific names 7 | - Using the default configMap, the Grafana graphs do not show some metrics, although they may exist on Prometheus 8 | - Use this configMap to rename k3s' metrics to match our Grafana dashboard queries 9 | 10 | ## How to Use 11 | 12 | - Apply the override configMap via `kubectl apply -f prometheus-override-k3s.ConfigMap.yaml` 13 | - Add the new configMap's name in your Helm values override file, ex: 14 | ```yaml 15 | prometheus: 16 | existingConfig: prometheus-override-k3s 17 | ``` 18 | - Re-apply your Helm values override file, which may restart the Prometheus pod, but should not restart other services 19 | 20 | ## Notes 21 | 22 | - Copied from https://github.com/sourcegraph/deploy/blob/main/install/prometheus-override.ConfigMap.yaml 23 | - If this situation (matching symptoms and root cause) is found with other types of Kubernetes clusters, new Prometheus override configMaps could be created 24 | 25 | ## Troubleshooting Empty Grafana Dashboards 26 | 27 | - There are a handful of steps in the metrics pipeline where data could be getting lost: 28 | - Are the cAdvisor, node-exporter, Prometheus, and Grafana containers all running, and healthy? 29 | - Are any of these pods reporting any issues in their Kubernetes events, or container logs? 30 | - Is network connectivity open from Prometheus to each of the cAdvisor / node-exporter containers? 31 | - Is network connectivity open from Grafana to Prometheus? 
32 | - Does Prometheus have access to Kubernetes RBAC roles to use Service Discovery to find the IP addresses of cAdvisor and node-exporter pods? -------------------------------------------------------------------------------- /charts/sourcegraph/examples/subchart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: sourcegraph-subchart 3 | description: Customer-owned chart that inherits from Sourcegraph 4 | type: application 5 | version: "5.11.0" 6 | 7 | dependencies: 8 | - name: sourcegraph 9 | alias: sg # Optional, allows a custom name to be used 10 | version: "5.11.0" 11 | repository: "https://sourcegraph.github.io/deploy-sourcegraph-helm" 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/subchart/README.md: -------------------------------------------------------------------------------- 1 | # Using a subchart to deploy custom resources 2 | 3 | This example demonstrates the use of [Helm subcharts] to make permanent customizations to the Sourcegraph deployment. This approach is an alternative to combining helm + kustomize, as demonstrated in the [kustomize-chart](../kustomize-chart) example. 4 | 5 | The subchart adds a NetworkPolicy resource and references a custom variable from values.yaml to demonstrate how you can extend the Sourcegraph chart. 
6 | 7 | Reference: 8 | [Sourcegraph documentation](https://docs.sourcegraph.com/admin/install/kubernetes/helm#subchart) 9 | 10 | [Helm subcharts]: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ 11 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/subchart/templates/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: {{ .Values.policyName }} 5 | spec: 6 | podSelector: 7 | matchLabels: # Empty selector: the policy applies to every pod in the namespace it is installed in 8 | ingress: 9 | - from: 10 | - podSelector: {} # Only pods in the same namespace may connect; this also blocks clients in other namespaces (for example an ingress controller). Enforcement needs a network plugin that implements NetworkPolicy 11 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/subchart/values.yaml: -------------------------------------------------------------------------------- 1 | ## Demonstrates how to create a subchart of the Sourcegraph helm chart 2 | ## in order to add additional custom resources 3 | 4 | # Create a variable that is used as the name of the custom NetworkPolicy resource 5 | policyName: deny-ingress-from-other-namespaces 6 | 7 | sg: # Matches alias name of the dependency in Chart.yaml 8 | sourcegraph: # Shown here to emphasize indentation 9 | podLabels: 10 | new-label: "custom" # Added to all pods 11 | -------------------------------------------------------------------------------- /charts/sourcegraph/examples/tune-internal-databases/override.yaml: -------------------------------------------------------------------------------- 1 | # Demonstrate configuring additional PostgreSQL configuration parameters 2 | # when internal PostgreSQL deployments are used 3 | # You should consult your account team prior to making any change 4 | # You can learn more about PostgreSQL configuration from 5 | # - https://docs.sourcegraph.com/admin/config/postgres-conf 6 | # - https://www.postgresql.org/docs/12/config-setting.html 7 | 8 | pgsql: 9 | additionalConfig: | 10 | max_connections = 200 
11 | 12 | codeIntelDB: 13 | additionalConfig: | 14 | max_connections = 200 15 | 16 | codeInsightsDB: 17 | additionalConfig: | 18 | max_connections = 200 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/files/codeinsights-db/conf/postgresql.conf: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------ 2 | # POSTGRESQL DEFAULT CONFIGURATION 3 | #------------------------------------------------------------------------------ 4 | 5 | # Below is PostgreSQL default configuration. 6 | # You should apply your own customization in the CUSTOMIZED OPTIONS section below 7 | # to avoid merge conflict in the future. 8 | 9 | listen_addresses = '*' 10 | max_connections = 100 11 | shared_buffers = 128MB 12 | dynamic_shared_memory_type = posix 13 | max_wal_size = 1GB 14 | min_wal_size = 80MB 15 | log_timezone = 'UTC' 16 | datestyle = 'iso, mdy' 17 | timezone = 'UTC' 18 | lc_messages = 'en_US.utf8' 19 | lc_monetary = 'en_US.utf8' 20 | lc_numeric = 'en_US.utf8' 21 | lc_time = 'en_US.utf8' 22 | default_text_search_config = 'pg_catalog.english' 23 | 24 | 25 | #------------------------------------------------------------------------------ 26 | # SOURCEGRAPH RECOMMENDED OPTIONS 27 | #------------------------------------------------------------------------------ 28 | 29 | # Below is Sourcegraph recommended Postgres configuration based on the default resource configuration. 30 | # You should apply your own customization in the CUSTOMIZED OPTIONS section below 31 | # to avoid merge conflict in the future. 
32 | 33 | shared_buffers = 509546kB 34 | work_mem = 3184kB 35 | maintenance_work_mem = 254773kB 36 | effective_io_concurrency = 200 37 | max_worker_processes = 19 38 | max_parallel_workers_per_gather = 4 39 | max_parallel_workers = 8 40 | wal_buffers = 15285kB 41 | min_wal_size = 512MB 42 | checkpoint_completion_target = 0.9 43 | random_page_cost = 1.1 44 | effective_cache_size = 1492MB 45 | default_statistics_target = 500 46 | autovacuum_max_workers = 10 47 | autovacuum_naptime = 10 48 | shared_preload_libraries = '' 49 | max_locks_per_transaction = 64 50 | 51 | 52 | #------------------------------------------------------------------------------ 53 | # CUSTOMIZED OPTIONS 54 | #------------------------------------------------------------------------------ 55 | 56 | # Add your customization by using 'codeInsightsDB.additionalConfig' in your override file. 57 | # Learn more: https://docs.sourcegraph.com/admin/config/postgres-conf 58 | -------------------------------------------------------------------------------- /charts/sourcegraph/files/codeintel-db/conf/postgresql.conf: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------ 2 | # POSTGRESQL DEFAULT CONFIGURATION 3 | #------------------------------------------------------------------------------ 4 | 5 | # Below is PostgreSQL default configuration. 6 | # You should apply your own customization in the CUSTOMIZED OPTIONS section below 7 | # to avoid merge conflict in the future. 
8 | 9 | listen_addresses = '*' 10 | max_connections = 100 11 | shared_buffers = 128MB 12 | dynamic_shared_memory_type = posix 13 | max_wal_size = 1GB 14 | min_wal_size = 80MB 15 | log_timezone = 'UTC' 16 | datestyle = 'iso, mdy' 17 | timezone = 'UTC' 18 | lc_messages = 'en_US.utf8' 19 | lc_monetary = 'en_US.utf8' 20 | lc_numeric = 'en_US.utf8' 21 | lc_time = 'en_US.utf8' 22 | default_text_search_config = 'pg_catalog.english' 23 | 24 | 25 | #------------------------------------------------------------------------------ 26 | # SOURCEGRAPH RECOMMENDED OPTIONS 27 | #------------------------------------------------------------------------------ 28 | 29 | # Below is Sourcegraph recommended Postgres configuration based on the default resource configuration. 30 | # You should apply your own customization in the CUSTOMIZED OPTIONS section below 31 | # to avoid merge conflict in the future. 32 | 33 | shared_buffers = 1GB 34 | work_mem = 5MB 35 | maintenance_work_mem = 250MB 36 | temp_file_limit = 20GB 37 | bgwriter_delay = 50ms 38 | bgwriter_lru_maxpages = 200 39 | effective_io_concurrency = 200 40 | max_worker_processes = 4 41 | max_parallel_maintenance_workers = 4 42 | max_parallel_workers_per_gather = 2 43 | max_parallel_workers = 4 44 | wal_buffers = 16MB 45 | max_wal_size = 8GB 46 | min_wal_size = 2GB 47 | random_page_cost = 1.1 48 | effective_cache_size = 3GB 49 | 50 | 51 | #------------------------------------------------------------------------------ 52 | # CUSTOMIZED OPTIONS 53 | #------------------------------------------------------------------------------ 54 | 55 | # Add your customization by using 'codeIntelDB.additionalConfig' in your override file. 
56 | # Learn more: https://docs.sourcegraph.com/admin/config/postgres-conf 57 | -------------------------------------------------------------------------------- /charts/sourcegraph/files/pgsql/conf/postgresql.conf: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------ 2 | # POSTGRESQL DEFAULT CONFIGURATION 3 | #------------------------------------------------------------------------------ 4 | 5 | # Below is PostgreSQL default configuration. 6 | # You should apply your own customization in the CUSTOMIZED OPTIONS section below 7 | # to avoid merge conflict in the future. 8 | 9 | listen_addresses = '*' 10 | max_connections = 100 11 | shared_buffers = 128MB 12 | dynamic_shared_memory_type = posix 13 | max_wal_size = 1GB 14 | min_wal_size = 80MB 15 | log_timezone = 'UTC' 16 | datestyle = 'iso, mdy' 17 | timezone = 'UTC' 18 | lc_messages = 'en_US.utf8' 19 | lc_monetary = 'en_US.utf8' 20 | lc_numeric = 'en_US.utf8' 21 | lc_time = 'en_US.utf8' 22 | default_text_search_config = 'pg_catalog.english' 23 | 24 | 25 | #------------------------------------------------------------------------------ 26 | # SOURCEGRAPH RECOMMENDED OPTIONS 27 | #------------------------------------------------------------------------------ 28 | 29 | # Below is Sourcegraph recommended Postgres configuration based on the default resource configuration. 30 | # You should apply your own customization in the CUSTOMIZED OPTIONS section below 31 | # to avoid merge conflict in the future. 
32 | 33 | shared_buffers = 1GB 34 | work_mem = 5MB 35 | maintenance_work_mem = 250MB 36 | temp_file_limit = 20GB 37 | bgwriter_delay = 50ms 38 | bgwriter_lru_maxpages = 200 39 | effective_io_concurrency = 200 40 | max_worker_processes = 4 41 | max_parallel_maintenance_workers = 4 42 | max_parallel_workers_per_gather = 2 43 | max_parallel_workers = 4 44 | wal_buffers = 16MB 45 | max_wal_size = 8GB 46 | min_wal_size = 2GB 47 | random_page_cost = 1.1 48 | effective_cache_size = 3GB 49 | 50 | 51 | #------------------------------------------------------------------------------ 52 | # CUSTOMIZED OPTIONS 53 | #------------------------------------------------------------------------------ 54 | 55 | # Add your customization by using 'pgsql.additionalConfig' in your override file. 56 | # Learn more: https://docs.sourcegraph.com/admin/config/postgres-conf 57 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- "\n" }} 2 | 3 | Thank you for installing {{ .Chart.Name }}. 4 | 5 | Your release is named {{ .Release.Name }}. 6 | 7 | To learn more about supported configuration, check out https://sourcegraph.com/docs/admin/deploy/kubernetes#configuration. 8 | 9 | {{- "\n" }} 10 | 11 | {{- if not .Values.prometheus.privileged }} 12 | 🚧 Warning 🚧 13 | 14 | You have set 'prometheus.privileged' to 'false' and Prometheus will run with reduced privileges. 15 | Our observability stack requires some cluster-wide privileges to display provisioning metrics. 16 | These metrics provide critical information to help you scale the Sourcegraph deployment. 17 | Provisioning metrics can be restored by assigning elevated permissions to Service Account '{{ include "sourcegraph.serviceAccountName" (list . "prometheus") }}'. 
18 | Consult https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/templates/prometheus/prometheus.ClusterRole.yaml for the necessary permissions. 19 | 20 | {{- end }} 21 | 22 | {{- if not .Values.cadvisor.containerSecurityContext.privileged }} 23 | 🚧 Warning 🚧 24 | 25 | You have set 'cadvisor.containerSecurityContext.privileged' to 'false' and cadvisor will run with reduced privileges. 26 | Our observability stack requires cadvisor to run in privileged mode to display one provisioning metric: out-of-memory events. 27 | This metric provides critical information to help you scale the Sourcegraph deployment. 28 | If you would like to bring your own infrastructure monitoring & alerting solution, 29 | you may want to disable the `cadvisor` DaemonSet completely by setting `cadvisor.enabled=false` in your override file. 30 | 31 | {{- end }} 32 | 33 | {{- if not .Values.nodeExporter.enabled }} 34 | 35 | 🚧 Warning 🚧 36 | 37 | You have set 'nodeExporter.enabled' to 'false', which completely disables node exporter. Node exporter provides 38 | critical machine-level metrics that help you scale your Sourcegraph deployments. Without node-exporter, you might have 39 | to rely on the (possibly limited) tooling that your cloud provider provides to have insight into your machines. 40 | 41 | {{- end }} 42 | 43 | {{- if not .Values.nodeExporter.hostPID }} 44 | 45 | 🚧 Warning 🚧 46 | 47 | You have set 'nodeExporter.hostPID' to 'false' which greatly limits the metrics that node-exporter is able to provide. Many of the 48 | metrics that Sourcegraph uses to help you scale your deployment might be broken as a result. 49 | 50 | If you would like to bring your own infrastructure monitoring & alerting solution, 51 | you may want to disable the `node-exporter` DaemonSet completely by setting `nodeExporter.enabled=false` in your override file. 
52 | 53 | {{- end }} 54 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/blobstore/blobstore.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.blobstore.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | deploy: sourcegraph 7 | app.kubernetes.io/component: blobstore 8 | name: blobstore 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.blobstore.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.blobstore.volumeName }} 17 | volumeName: {{ .Values.blobstore.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/blobstore/blobstore.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.blobstore.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | {{- if .Values.blobstore.serviceAnnotations }} 7 | {{- toYaml .Values.blobstore.serviceAnnotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | app: blobstore 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: blobstore 13 | {{- if .Values.blobstore.serviceLabels }} 14 | {{- toYaml .Values.blobstore.serviceLabels | nindent 4 }} 15 | {{- end }} 16 | name: blobstore 17 | spec: 18 | ports: 19 | - name: blobstore 20 | port: 9000 21 | targetPort: blobstore 22 | selector: 23 | {{- include "sourcegraph.selectorLabels" . 
| nindent 4 }} 24 | app: blobstore 25 | type: {{ .Values.blobstore.serviceType | default "ClusterIP" }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/blobstore/blobstore.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.blobstore.enabled .Values.blobstore.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: blobstore 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "blobstore") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . "blobstore") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cadvisor.enabled .Values.cadvisor.podSecurityPolicy.enabled -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | labels: 6 | app: cadvisor 7 | category: rbac 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: cadvisor 10 | name: {{ .Values.cadvisor.name }} 11 | rules: 12 | - apiGroups: ['policy'] 13 | resources: ['podsecuritypolicies'] 14 | verbs: ['use'] 15 | resourceNames: 16 | - {{ .Values.cadvisor.name }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cadvisor.enabled .Values.cadvisor.podSecurityPolicy.enabled -}} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | labels: 6 | app: cadvisor 7 | category: rbac 8 | deploy: 
sourcegraph 9 | app.kubernetes.io/component: cadvisor 10 | name: {{ .Values.cadvisor.name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ .Values.cadvisor.name }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ include "sourcegraph.serviceAccountName" (list . "cadvisor") }} 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/cadvisor/cadvisor.PodSecurityPolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cadvisor.enabled .Values.cadvisor.podSecurityPolicy.enabled -}} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy # PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes v1.25; rendered only when both cadvisor.enabled and cadvisor.podSecurityPolicy.enabled are set 4 | metadata: 5 | labels: 6 | app: cadvisor 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: cadvisor 9 | name: {{ .Values.cadvisor.name }} 10 | spec: 11 | seLinux: 12 | rule: RunAsAny 13 | supplementalGroups: 14 | rule: RunAsAny 15 | runAsUser: 16 | rule: RunAsAny 17 | fsGroup: 18 | rule: RunAsAny 19 | volumes: 20 | - '*' # Every volume type is allowed 21 | allowedHostPaths: 22 | - pathPrefix: "/" # "/" matches every host path, so the narrower prefixes listed after it add no restriction. NOTE(review): consider readOnly: true on these entries if cadvisor only reads the mounts - confirm against the DaemonSet 23 | - pathPrefix: "/var/run" 24 | - pathPrefix: "/sys" 25 | - pathPrefix: "/var/lib/docker" 26 | - pathPrefix: "/dev/disk" 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/cadvisor/cadvisor.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cadvisor.enabled .Values.cadvisor.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app: cadvisor 7 | category: rbac 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: cadvisor 10 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "cadvisor") | trim | nindent 2 }} 11 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"cadvisor") }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeinsights-db/codeinsights-db.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.codeInsightsDB.enabled (and .Values.codeInsightsDB.existingConfig .Values.codeInsightsDB.additionalConfig) -}} 2 | {{- fail "You can only define one of 'codeInsightsDB.existingConfig' and 'codeInsightsDB.additionalConfig' at a time" }} 3 | {{- end }} 4 | {{- if and .Values.codeInsightsDB.enabled (not .Values.codeInsightsDB.existingConfig) -}} 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | annotations: 9 | description: Configuration for Code Insights 10 | labels: 11 | app.kubernetes.io/component: codeinsights-db 12 | deploy: sourcegraph 13 | name: {{ .Values.codeInsightsDB.name }}-conf 14 | data: 15 | postgresql.conf: | 16 | {{- .Files.Get "files/codeinsights-db/conf/postgresql.conf" | nindent 4 }} 17 | {{- tpl .Values.codeInsightsDB.additionalConfig . 
| nindent 4 | trim }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeinsights-db/codeinsights-db.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.codeInsightsDB.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: codeinsights-db 7 | deploy: sourcegraph 8 | name: codeinsights-db 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.codeInsightsDB.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.codeInsightsDB.volumeName }} 17 | volumeName: {{ .Values.codeInsightsDB.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.codeInsightsDB.auth.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.codeInsightsDB.name }}-auth 6 | labels: 7 | app: codeinsights-db 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: codeinsights-db 10 | type: Opaque 11 | data: # Values are base64-encoded, not encrypted. The password comes from the Helm values, so it is also kept in values files and in the stored release; set codeInsightsDB.auth.existingSecret to manage the credentials outside the chart 12 | database: {{ .Values.codeInsightsDB.auth.database | toString | b64enc | quote }} 13 | host: {{ .Values.codeInsightsDB.auth.host | toString | b64enc | quote }} 14 | password: {{ .Values.codeInsightsDB.auth.password | toString | b64enc | quote }} 15 | port: {{ .Values.codeInsightsDB.auth.port | toString | b64enc | quote }} 16 | user: {{ .Values.codeInsightsDB.auth.user | toString | b64enc | quote }} 17 | sslmode: {{ .Values.codeInsightsDB.auth.sslmode | toString | b64enc | quote }} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- 
/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.codeInsightsDB.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "9187" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.codeInsightsDB.serviceAnnotations }} 9 | {{- toYaml .Values.codeInsightsDB.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/component: codeinsights-db 13 | app: codeinsights-db 14 | deploy: sourcegraph 15 | {{- if .Values.codeInsightsDB.serviceLabels }} 16 | {{- toYaml .Values.codeInsightsDB.serviceLabels | nindent 4 }} 17 | {{- end }} 18 | name: codeinsights-db 19 | spec: 20 | ports: 21 | - name: codeinsights-db 22 | port: 5432 23 | targetPort: codeinsights-db 24 | selector: 25 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 26 | app: codeinsights-db 27 | type: {{ .Values.codeInsightsDB.serviceType | default "ClusterIP" }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeinsights-db/codeinsights-db.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.codeInsightsDB.enabled .Values.codeInsightsDB.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: codeinsights-db 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "codeInsightsDB") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"codeInsightsDB") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeintel-db/codeintel-db.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.codeIntelDB.enabled (and .Values.codeIntelDB.existingConfig .Values.codeIntelDB.additionalConfig) -}} 2 | {{- fail "You can only define one of 'codeIntelDB.existingConfig' and 'codeIntelDB.additionalConfig' at a time" }} 3 | {{- end }} 4 | {{- if and .Values.codeIntelDB.enabled (not .Values.codeIntelDB.existingConfig) -}} 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | annotations: 9 | description: Configuration for PostgreSQL 10 | labels: 11 | app.kubernetes.io/component: codeintel-db 12 | deploy: sourcegraph 13 | name: {{ .Values.codeIntelDB.name }}-conf 14 | data: 15 | postgresql.conf: | 16 | {{- .Files.Get "files/codeintel-db/conf/postgresql.conf" | nindent 4 }} 17 | {{- tpl .Values.codeIntelDB.additionalConfig . 
| nindent 4 | trim }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeintel-db/codeintel-db.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.codeIntelDB.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: codeintel-db 7 | deploy: sourcegraph 8 | name: {{ default "codeintel-db" .Values.codeIntelDB.name }} 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.codeIntelDB.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.codeIntelDB.volumeName }} 17 | volumeName: {{ .Values.codeIntelDB.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.codeIntelDB.auth.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.codeIntelDB.name }}-auth 6 | labels: 7 | app: codeintel-db 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: codeintel-db 10 | type: Opaque 11 | data: # Values are base64-encoded, not encrypted. The password comes from the Helm values, so it is also kept in values files and in the stored release; set codeIntelDB.auth.existingSecret to manage the credentials outside the chart 12 | database: {{ .Values.codeIntelDB.auth.database | toString | b64enc | quote }} 13 | host: {{ .Values.codeIntelDB.auth.host | toString | b64enc | quote }} 14 | password: {{ .Values.codeIntelDB.auth.password | toString | b64enc | quote }} 15 | port: {{ .Values.codeIntelDB.auth.port | toString | b64enc | quote }} 16 | user: {{ .Values.codeIntelDB.auth.user | toString | b64enc | quote }} 17 | sslmode: {{ .Values.codeIntelDB.auth.sslmode | toString | b64enc | quote }} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- 
/charts/sourcegraph/templates/codeintel-db/codeintel-db.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.codeIntelDB.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "9187" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.codeIntelDB.serviceAnnotations }} 9 | {{- toYaml .Values.codeIntelDB.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/component: codeintel-db 13 | app: codeintel-db 14 | deploy: sourcegraph 15 | {{- if .Values.codeIntelDB.serviceLabels }} 16 | {{- toYaml .Values.codeIntelDB.serviceLabels | nindent 4 }} 17 | {{- end }} 18 | name: codeintel-db 19 | spec: 20 | ports: 21 | - name: pgsql 22 | port: 5432 23 | targetPort: pgsql 24 | selector: 25 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 26 | app: codeintel-db 27 | type: {{ .Values.codeIntelDB.serviceType | default "ClusterIP" }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/codeintel-db/codeintel-db.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.codeIntelDB.enabled .Values.codeIntelDB.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: codeintel-db 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "codeIntelDB") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . "codeIntelDB") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/extraResources.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.extraResources }} 2 | --- 3 | {{ tpl (. 
| toYaml) $ }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/frontend/sourcegraph-frontend-internal.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | {{- if .Values.frontend.serviceAnnotations }} 5 | annotations: 6 | {{- toYaml .Values.frontend.serviceAnnotations | nindent 4 }} 7 | {{- end }} 8 | labels: 9 | app: sourcegraph-frontend 10 | deploy: sourcegraph 11 | app.kubernetes.io/component: frontend 12 | {{- if .Values.frontend.serviceLabels }} 13 | {{- toYaml .Values.frontend.serviceLabels | nindent 4 }} 14 | {{- end }} 15 | name: sourcegraph-frontend-internal 16 | spec: 17 | ports: 18 | - name: http-internal 19 | port: 80 20 | targetPort: http-internal 21 | selector: 22 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 23 | app: sourcegraph-frontend 24 | type: {{ .Values.frontend.internalServiceType | default "ClusterIP" }} 25 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/frontend/sourcegraph-frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.frontend.ingress.enabled -}} 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | {{- if .Values.frontend.ingress.annotations}} 6 | annotations: 7 | {{- toYaml .Values.frontend.ingress.annotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | app: sourcegraph-frontend 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: frontend 13 | {{- if .Values.frontend.ingress.labels}} 14 | {{- toYaml .Values.frontend.ingress.labels | nindent 4 }} 15 | {{- end }} 16 | name: {{ .Values.frontend.name }} 17 | spec: 18 | {{- if and .Values.frontend.ingress.host .Values.frontend.ingress.tlsSecret }} 19 | tls: 20 | - hosts: 21 | - {{ .Values.frontend.ingress.host }} 22 | secretName: {{ 
.Values.frontend.ingress.tlsSecret }} 23 | {{- end }} 24 | rules: 25 | - http: 26 | paths: 27 | - path: / 28 | pathType: Prefix 29 | backend: 30 | service: 31 | name: sourcegraph-frontend 32 | port: 33 | number: 30080 34 | {{- if .Values.frontend.ingress.host}} 35 | host: {{ .Values.frontend.ingress.host }} 36 | {{- end }} 37 | {{- if .Values.frontend.ingress.ingressClassName}} 38 | ingressClassName: {{ .Values.frontend.ingress.ingressClassName }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/frontend/sourcegraph-frontend.PodDisruptionBudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.frontend.podDisruptionBudget }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: sourcegraph-frontend 6 | spec: 7 | {{- toYaml .Values.frontend.podDisruptionBudget | nindent 2 }} 8 | selector: 9 | matchLabels: 10 | {{- include "sourcegraph.selectorLabels" . | nindent 6 }} 11 | app: sourcegraph-frontend 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/frontend/sourcegraph-frontend.Role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.frontend.privileged -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | labels: 6 | {{- include "sourcegraph.labels" . 
| nindent 4 }}
7 |     category: rbac
8 |     deploy: sourcegraph
9 |     app.kubernetes.io/component: frontend
10 |   name: {{ .Values.frontend.name }}
11 | rules: # read-only access (get/list/watch) to three resource kinds; no write verbs and no access to Secrets
12 | - apiGroups:
13 |   - ""
14 |   resources:
15 |   # necessary for resolving k8s+http://fooservice URLs (see for example searcher URL)
16 |   - endpoints
17 |   # necessary to populate Site Admin/Instrumentation page (/-/debug) in the cluster deployment
18 |   - services
19 |   verbs:
20 |   - get
21 |   - list
22 |   - watch
23 | - apiGroups:
24 |   - "apps"
25 |   resources:
26 |   # necessary for resolving k8s+http://indexed-search?kind=sts URLs
27 |   - statefulsets
28 |   verbs:
29 |   - get
30 |   - list
31 |   - watch
32 | {{- end }}
33 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/frontend/sourcegraph-frontend.RoleBinding.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: RoleBinding # Always rendered; binds the frontend ServiceAccount, in the release namespace only, to either the chart's own Role or the built-in "view" ClusterRole.
3 | metadata:
4 |   labels:
5 |     {{- include "sourcegraph.labels" . | nindent 4 }}
6 |     category: rbac
7 |     deploy: sourcegraph
8 |     app.kubernetes.io/component: frontend
9 |   name: {{ .Values.frontend.name }}
10 | roleRef:
11 |   {{- if .Values.frontend.privileged }}
12 |   apiGroup: "rbac.authorization.k8s.io"
13 |   kind: Role # frontend.privileged=true: the Role from sourcegraph-frontend.Role.yaml (get/list/watch on endpoints, services, statefulsets)
14 |   name: {{ .Values.frontend.name }}
15 |   {{- else }}
16 |   apiGroup: "" # NOTE(review): empty here but spelled out in the other branch; this relies on the API server defaulting roleRef.apiGroup - writing "rbac.authorization.k8s.io" would keep both branches consistent.
17 |   kind: ClusterRole
18 |   name: view # frontend.privileged=false: NOTE(review) the built-in "view" ClusterRole grants read access to most namespaced resource kinds (Secrets excluded), which is wider than the three resources the chart's own Role lists - confirm this is the intended fallback.
19 |   {{- end }}
20 | subjects:
21 | - kind: ServiceAccount
22 |   name: {{ include "sourcegraph.serviceAccountName" (list . "frontend") }}
23 |   namespace: {{ .Release.Namespace }}
24 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service # Main frontend Service (port 30080 -> container port "http"); the chart's Ingress uses it as its backend.
3 | metadata:
4 |   annotations:
5 |     prometheus.io/port: "6060"
6 |     sourcegraph.prometheus/scrape: "true"
7 |     {{- if .Values.frontend.serviceAnnotations }}
8 |     {{- toYaml .Values.frontend.serviceAnnotations | nindent 4 }}
9 |     {{- end }}
10 |   labels:
11 |     app: sourcegraph-frontend
12 |     deploy: sourcegraph
13 |     app.kubernetes.io/component: frontend
14 |     {{- if .Values.frontend.serviceLabels }}
15 |     {{- toYaml .Values.frontend.serviceLabels | nindent 4 }}
16 |     {{- end }}
17 |   name: sourcegraph-frontend
18 | spec:
19 |   ports:
20 |   - name: http
21 |     port: 30080
22 |     targetPort: http
23 |   selector:
24 |     {{- include "sourcegraph.selectorLabels" . | nindent 4 }}
25 |     app: sourcegraph-frontend
26 |   type: {{ .Values.frontend.serviceType | default "ClusterIP" }} # ClusterIP unless overridden; NodePort or LoadBalancer would expose the frontend without going through the Ingress
27 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/frontend/sourcegraph-frontend.ServiceAccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.frontend.serviceAccount.create -}}
2 | apiVersion: v1
3 | kind: ServiceAccount # Created only when frontend.serviceAccount.create is set; the frontend RoleBinding resolves its subject name through the same serviceAccountName helper.
4 | {{- with .Values.sourcegraph.imagePullSecrets }}
5 | imagePullSecrets:
6 |   {{- toYaml . | nindent 2 }}
7 | {{- end }}
8 | metadata:
9 |   labels:
10 |     category: rbac
11 |     deploy: sourcegraph
12 |     app.kubernetes.io/component: frontend
13 |   {{- include "sourcegraph.serviceAccountAnnotations" (list . "frontend") | trim | nindent 2 }}
14 |   name: {{ include "sourcegraph.serviceAccountName" (list .
"frontend") }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/gitserver/gitserver.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | description: Headless service that provides a stable network identity for the 6 | gitserver stateful set. 7 | prometheus.io/port: "6060" 8 | sourcegraph.prometheus/scrape: "true" 9 | {{- if .Values.gitserver.serviceAnnotations }} 10 | {{- toYaml .Values.gitserver.serviceAnnotations | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | deploy: sourcegraph 14 | app.kubernetes.io/component: gitserver 15 | type: gitserver 16 | app: gitserver 17 | {{- if .Values.gitserver.serviceLabels }} 18 | {{- toYaml .Values.gitserver.serviceLabels | nindent 4 }} 19 | {{- end }} 20 | name: gitserver 21 | spec: 22 | clusterIP: None 23 | ports: 24 | - name: unused 25 | port: 10811 26 | targetPort: 10811 27 | selector: 28 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 29 | app: gitserver 30 | type: gitserver 31 | type: {{ .Values.gitserver.serviceType | default "ClusterIP" }} 32 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/gitserver/gitserver.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitserver.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: gitserver 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "gitserver") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"gitserver") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/grafana/grafana.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.grafana.enabled (not .Values.grafana.existingConfig) -}} 2 | apiVersion: v1 3 | data: 4 | datasources.yml: | 5 | apiVersion: 1 6 | 7 | datasources: 8 | - name: Prometheus 9 | type: prometheus 10 | access: proxy 11 | url: http://prometheus:30090 12 | isDefault: true 13 | editable: false 14 | - name: Jaeger 15 | type: Jaeger 16 | access: proxy 17 | url: http://{{ default "jaeger-query" .Values.jaeger.query.name }}:16686/-/debug/jaeger 18 | - name: pgsql 19 | database: $GRAFANA_PGSQL_DATABASE 20 | editable: true 21 | jsonData: 22 | sslmode: $GRAFANA_PGSQL_SSLMODE 23 | secureJsonData: 24 | password: $GRAFANA_PGSQL_PASSWORD 25 | type: postgres 26 | url: $GRAFANA_PGSQL_HOST:$GRAFANA_PGSQL_PORT 27 | user: $GRAFANA_PGSQL_USER 28 | kind: ConfigMap 29 | metadata: 30 | labels: 31 | deploy: sourcegraph 32 | app.kubernetes.io/component: grafana 33 | name: {{ .Values.grafana.name }} 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/grafana/grafana.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.grafana.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.grafana.serviceAnnotations }} 6 | annotations: 7 | {{- toYaml .Values.grafana.serviceAnnotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | app: grafana 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: grafana 13 | {{- if .Values.grafana.serviceLabels }} 14 | {{- toYaml .Values.grafana.serviceLabels | nindent 4 }} 15 | {{- end }} 16 | name: grafana 17 | spec: 18 | ports: 19 | - name: http 20 | port: 30070 21 | targetPort: http 22 | selector: 23 | {{- include 
"sourcegraph.selectorLabels" . | nindent 4 }} 24 | app: grafana 25 | type: {{ .Values.grafana.serviceType | default "ClusterIP" }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/grafana/grafana.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.grafana.enabled .Values.grafana.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- with .Values.sourcegraph.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- toYaml . | nindent 2 }} 7 | {{- end }} 8 | metadata: 9 | labels: 10 | category: rbac 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: grafana 13 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "grafana") | trim | nindent 2 }} 14 | name: {{ include "sourcegraph.serviceAccountName" (list . "grafana") }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.grafana.name }}-auth 6 | labels: 7 | app: grafana 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: grafana 10 | type: Opaque 11 | data: 12 | database: {{ .Values.grafana.auth.database | toString | b64enc | quote }} 13 | host: {{ .Values.grafana.auth.host | toString | b64enc | quote }} 14 | password: {{ .Values.grafana.auth.password | toString | b64enc | quote }} 15 | port: {{ .Values.grafana.auth.port | toString | b64enc | quote }} 16 | sslmode: {{ .Values.grafana.auth.sslmode | toString | b64enc | quote }} 17 | user: {{ .Values.grafana.auth.user | toString | b64enc | quote }} 18 | {{- end -}} 19 | 
-------------------------------------------------------------------------------- /charts/sourcegraph/templates/indexed-search/indexed-search.IndexerService.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | description: Headless service that provides a stable network identity for the 6 | indexed-search stateful set. 7 | sourcegraph.prometheus/scrape: "true" 8 | prometheus.io/port: "6072" 9 | {{- if .Values.indexedSearch.serviceAnnotations }} 10 | {{- toYaml .Values.indexedSearch.serviceAnnotations | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app: indexed-search-indexer 14 | deploy: sourcegraph 15 | app.kubernetes.io/component: indexed-search 16 | {{- if .Values.indexedSearch.serviceLabels }} 17 | {{- toYaml .Values.indexedSearch.serviceLabels | nindent 4 }} 18 | {{- end }} 19 | name: {{ default "indexed-search-indexer" .Values.indexedSearch.indexerName }} 20 | spec: 21 | clusterIP: None 22 | ports: 23 | - port: 6072 24 | targetPort: 6072 25 | selector: 26 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 27 | app: indexed-search 28 | type: {{ .Values.indexedSearch.serviceType | default "ClusterIP" }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/indexed-search/indexed-search.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | description: Headless service that provides a stable network identity for the 6 | indexed-search stateful set. 
7 | sourcegraph.prometheus/scrape: "true" 8 | prometheus.io/port: "6070" 9 | {{- if .Values.indexedSearch.serviceAnnotations }} 10 | {{- toYaml .Values.indexedSearch.serviceAnnotations | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app: indexed-search 14 | deploy: sourcegraph 15 | app.kubernetes.io/component: indexed-search 16 | {{- if .Values.indexedSearch.serviceLabels }} 17 | {{- toYaml .Values.indexedSearch.serviceLabels | nindent 4 }} 18 | {{- end }} 19 | name: indexed-search 20 | spec: 21 | clusterIP: None 22 | ports: 23 | - port: 6070 24 | selector: 25 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 26 | app: indexed-search 27 | type: {{ .Values.indexedSearch.serviceType | default "ClusterIP" }} 28 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/indexed-search/indexed-search.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.indexedSearch.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: indexed-search 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "indexedSearch") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"indexedSearch") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/jaeger/jaeger-collector.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.jaeger.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | {{- if .Values.jaeger.collector.serviceAnnotations }} 7 | {{- toYaml .Values.jaeger.collector.serviceAnnotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | deploy: sourcegraph 11 | app.kubernetes.io/component: all-in-one 12 | app: jaeger 13 | app.kubernetes.io/name: jaeger 14 | {{- if .Values.jaeger.collector.serviceLabels }} 15 | {{- toYaml .Values.jaeger.collector.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | name: {{ default "jaeger-collector" .Values.jaeger.collector.name }} 18 | spec: 19 | ports: 20 | - name: jaeger-collector-tchannel 21 | port: 14267 22 | protocol: TCP 23 | targetPort: 14267 24 | - name: jaeger-collector-http 25 | port: 4321 26 | protocol: TCP 27 | targetPort: 4321 28 | - name: jaeger-collector-grpc 29 | port: 4320 30 | protocol: TCP 31 | targetPort: 4320 32 | selector: 33 | {{- include "sourcegraph.jaeger.selectorLabels" . 
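| nindent 4 }}
34 |     app.kubernetes.io/instance: {{ .Release.Name }}
35 |     app.kubernetes.io/component: all-in-one
36 |     app: jaeger
37 |   type: {{ .Values.jaeger.collector.serviceType | default "ClusterIP" }}
38 | {{- end }}
39 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/jaeger/jaeger-query.Service.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.jaeger.enabled -}}
2 | apiVersion: v1
3 | kind: Service # Jaeger query endpoint on port 16686; rendered only when jaeger.enabled is true.
4 | metadata:
5 |   annotations:
6 |     {{- if .Values.jaeger.query.serviceAnnotations }}
7 |     {{- toYaml .Values.jaeger.query.serviceAnnotations | nindent 4 }}
8 |     {{- end }}
9 |   labels:
10 |     deploy: sourcegraph
11 |     app.kubernetes.io/component: all-in-one
12 |     app: jaeger
13 |     app.kubernetes.io/name: jaeger
14 |     {{- if .Values.jaeger.query.serviceLabels }}
15 |     {{- toYaml .Values.jaeger.query.serviceLabels | nindent 4 }}
16 |     {{- end }}
17 |   name: {{ default "jaeger-query" .Values.jaeger.query.name }}
18 | spec:
19 |   ports:
20 |   - name: query-http
21 |     port: 16686
22 |     protocol: TCP
23 |     targetPort: 16686
24 |   selector:
25 |     {{- include "sourcegraph.jaeger.selectorLabels" . | nindent 4 }}
26 |     app.kubernetes.io/instance: {{ .Release.Name }}
27 |     app.kubernetes.io/component: all-in-one
28 |     app: jaeger
29 |   type: {{ .Values.jaeger.query.serviceType | default "ClusterIP" }} # ClusterIP unless overridden; a wider service type makes the trace query endpoint reachable from outside the cluster
30 | {{- end }}
31 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/jaeger/jaeger.ServiceAccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.jaeger.enabled .Values.jaeger.serviceAccount.create -}}
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 |   labels:
6 |     category: rbac
7 |     deploy: sourcegraph
8 |     app.kubernetes.io/component: tracing
9 |   {{- include "sourcegraph.serviceAccountAnnotations" (list . "tracing") | trim | nindent 2 }}
10 |   name: {{ include "sourcegraph.serviceAccountName" (list . "tracing") }} # NOTE(review): the helpers are keyed on "tracing" while the guard on line 1 reads jaeger.serviceAccount.create - confirm both resolve to the same values section.
11 | {{- end }}
12 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRole.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled -}}
2 | kind: ClusterRole # Cluster-scoped object: installing the chart with the node-exporter PSP enabled requires permission to create ClusterRoles and ClusterRoleBindings.
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | metadata:
5 |   labels:
6 |     app: node-exporter
7 |     category: rbac
8 |     deploy: sourcegraph
9 |     app.kubernetes.io/component: node-exporter
10 |   name: {{ .Values.nodeExporter.name }}
11 | rules:
12 | - apiGroups: ['policy']
13 |   resources: ['podsecuritypolicies']
14 |   verbs: ['use'] # the only grant: permission to run pods under the single PodSecurityPolicy named below
15 |   resourceNames:
16 |   - {{ .Values.nodeExporter.name }}
17 | {{- end }}
18 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRoleBinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled -}}
2 | kind: ClusterRoleBinding # Binds the ClusterRole above to the node-exporter ServiceAccount in the release namespace.
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | metadata:
5 |   labels:
6 |     app: node-exporter
7 |     category: rbac
8 |     deploy: sourcegraph
9 |     app.kubernetes.io/component: node-exporter
10 |   name: {{ .Values.nodeExporter.name }}
11 | roleRef:
12 |   apiGroup: rbac.authorization.k8s.io
13 |   kind: ClusterRole
14 |   name: {{ .Values.nodeExporter.name }}
15 | subjects:
16 | - kind: ServiceAccount
17 |   name: {{ include "sourcegraph.serviceAccountName" (list . "nodeExporter") }}
18 |   namespace: {{ .Release.Namespace }}
19 | {{- end }}
20 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/node-exporter/node-exporter.PodSecurityPolicy.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled -}}
2 |
3 | {{- if not .Values.nodeExporter.serviceAccount.create -}}
4 | {{ fail "Node Exporter's service account must be enabled in order to use its pod security policy (set 'nodeExporter.serviceAccount.create' to true)" }}
5 | {{- end -}}
6 | {{- /* NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25. On newer clusters this template cannot be applied; leave nodeExporter.podSecurityPolicy.enabled off there and enforce equivalent limits with Pod Security Admission or an admission policy. */ -}}
7 | apiVersion: policy/v1beta1
8 | kind: PodSecurityPolicy
9 | metadata:
10 |   labels:
11 |     app: node-exporter
12 |     deploy: sourcegraph
13 |     app.kubernetes.io/component: node-exporter
14 |   name: {{ .Values.nodeExporter.name }}
15 | spec:
16 |   privileged: false # privileged containers are refused; most other settings below are permissive
17 |   hostIPC: false
18 |   hostPID: {{ .Values.nodeExporter.hostPID }} # taken from values; true lets the pod see every process on the node
19 |   seLinux:
20 |     rule: RunAsAny
21 |   supplementalGroups:
22 |     rule: RunAsAny
23 |   runAsUser:
24 |     rule: RunAsAny # root is not excluded by this policy
25 |   fsGroup:
26 |     rule: RunAsAny
27 |   volumes:
28 |   - '*' # every volume type is allowed, hostPath included
29 |   allowedHostPaths:
30 |   - pathPrefix: "/" # NOTE(review): "/" already matches every host path, so the /sys and /proc entries add no restriction; no readOnly flag is set, so this policy also permits writable host mounts
31 |   - pathPrefix: "/sys"
32 |   - pathPrefix: "/proc"
33 |   readOnlyRootFilesystem: true # applies to the container's own root filesystem only, not to hostPath mounts
34 | {{- end }}
35 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/node-exporter/node-exporter.Service.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.nodeExporter.enabled -}}
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   annotations:
6 |     description: Prometheus exporter for hardware and OS metrics.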
7 |     url: https://github.com/prometheus/node_exporter
8 |     prometheus.io/port: "9100"
9 |     sourcegraph.prometheus/scrape: "true"
10 |     {{- if .Values.nodeExporter.serviceAnnotations }}
11 |     {{- toYaml .Values.nodeExporter.serviceAnnotations | nindent 4 }}
12 |     {{- end }}
13 |   labels:
14 |     app.kubernetes.io/component: node-exporter
15 |     app: node-exporter
16 |     deploy: sourcegraph
17 |     sourcegraph-resource-requires: no-cluster-admin
18 |     {{- if .Values.nodeExporter.serviceLabels }}
19 |     {{- toYaml .Values.nodeExporter.serviceLabels | nindent 4 }}
20 |     {{- end }}
21 |   name: node-exporter
22 | spec:
23 |   ports:
24 |   - name: metrics
25 |     port: 9100
26 |     targetPort: metrics
27 |   selector:
28 |     {{- include "sourcegraph.selectorLabels" . | nindent 4 }}
29 |     app: node-exporter
30 |   type: {{ .Values.nodeExporter.serviceType | default "ClusterIP" }} # ClusterIP keeps the host-metrics endpoint cluster-internal; overriding serviceType exposes node-level metrics more widely
31 | {{- end }}
32 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/node-exporter/node-exporter.ServiceAccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.nodeExporter.enabled .Values.nodeExporter.serviceAccount.create -}}
2 | apiVersion: v1
3 | kind: ServiceAccount # identity named as the subject of the node-exporter ClusterRoleBinding; the PSP template fails rendering when this account is not created
4 | metadata:
5 |   labels:
6 |     app: node-exporter
7 |     category: rbac
8 |     deploy: sourcegraph
9 |     app.kubernetes.io/component: node-exporter
10 |   {{- include "sourcegraph.serviceAccountAnnotations" (list . "nodeExporter") | trim | nindent 2 }}
11 |   name: {{ include "sourcegraph.serviceAccountName" (list . "nodeExporter") }}
12 | {{- end }}
13 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/otel-collector/otel-agent.ConfigMap.yaml:
--------------------------------------------------------------------------------
1 | # Config for the agent pods running as a DaemonSet, which forward data to the gateway pod
2 | {{ if .Values.openTelemetry.enabled -}}
3 | apiVersion: v1
4 | kind: ConfigMap # NOTE(review): the otlp exporter in config.yaml sets tls.insecure: true, so agents send traces to otel-collector:4317 without TLS; acceptable only where in-cluster traffic is protected by other means (network policy, mesh mTLS).
5 | metadata:
6 |   name: {{ .Values.openTelemetry.agent.name }}
7 |   labels:
8 |     deploy: sourcegraph
9 |     app.kubernetes.io/component: otel-collector
10 | data: # NOTE(review): zpages listens on localhost:55679 inside the pod, so the zpages hostPort in otel-agent.DaemonSet.yaml presumably cannot reach it; health_check listens on all interfaces (:13133); the otlp receivers set no endpoint and use the collector's defaults - confirm which address the bundled build binds, since those ports are also published as hostPorts.
11 |   config.yaml: |
12 |     receivers:
13 |       otlp:
14 |         protocols:
15 |           grpc: # port 4317
16 |           http: # port 4318
17 |
18 |     exporters:
19 |       otlp:
20 |         endpoint: "otel-collector:4317"
21 |         tls:
22 |           insecure: true
23 |         sending_queue:
24 |           num_consumers: 4
25 |           queue_size: 100
26 |         retry_on_failure:
27 |           enabled: true
28 |
29 |     # TODO: allow configuring processors through values
30 |     #processors:
31 |     #  batch:
32 |     #  memory_limiter:
33 |     #    # 80% of maximum memory up to 2G
34 |     #    limit_mib: 400
35 |     #    # 25% of limit up to 2G
36 |     #    spike_limit_mib: 100
37 |     #    check_interval: 5s
38 |
39 |     extensions:
40 |       health_check:
41 |         endpoint: ":13133"
42 |       zpages:
43 |         endpoint: "localhost:55679"
44 |
45 |     service:
46 |       extensions:
47 |         - zpages
48 |         - health_check
49 |       pipelines:
50 |         traces:
51 |           receivers:
52 |             - otlp
53 |           exporters:
54 |             - otlp
55 |
56 | {{- end }}
57 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.openTelemetry.enabled -}}
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 |   annotations:
6 |     description: Forwards telemetry data to the OpenTelemetry Collector Deployment.
7 |   labels:
8 |     {{- include "sourcegraph.labels" .
| nindent 4 }} 9 | {{- if .Values.openTelemetry.agent.labels }} 10 | {{- toYaml .Values.openTelemetry.agent.labels | nindent 4 }} 11 | {{- end }} 12 | deploy: sourcegraph 13 | app.kubernetes.io/component: otel-collector 14 | name: {{ .Values.openTelemetry.agent.name }} 15 | spec: 16 | selector: 17 | matchLabels: 18 | {{- include "sourcegraph.selectorLabels" . | nindent 6 }} 19 | app: otel-agent 20 | minReadySeconds: 5 21 | template: 22 | metadata: 23 | annotations: 24 | kubectl.kubernetes.io/default-container: otel-agent 25 | {{- if .Values.sourcegraph.podAnnotations }} 26 | {{- toYaml .Values.sourcegraph.podAnnotations | nindent 8 }} 27 | {{- end }} 28 | {{- if .Values.openTelemetry.agent.podAnnotations }} 29 | {{- toYaml .Values.openTelemetry.agent.podAnnotations | nindent 8 }} 30 | {{- end }} 31 | labels: 32 | {{- include "sourcegraph.selectorLabels" . | nindent 8 }} 33 | {{- if .Values.sourcegraph.podLabels }} 34 | {{- toYaml .Values.sourcegraph.podLabels | nindent 8 }} 35 | {{- end }} 36 | {{- if .Values.openTelemetry.agent.podLabels }} 37 | {{- toYaml .Values.openTelemetry.agent.podLabels | nindent 8 }} 38 | {{- end }} 39 | deploy: sourcegraph 40 | app: otel-agent 41 | spec: 42 | containers: 43 | - name: otel-agent 44 | image: {{ include "sourcegraph.image" (list . "openTelemetry") }} 45 | imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }} 46 | command: 47 | - "/bin/otelcol-sourcegraph" 48 | - "--config=/etc/otel-agent/config.yaml" 49 | {{- with .Values.openTelemetry.agent.args }} 50 | args: 51 | {{- toYaml . 
| nindent 8 }} 52 | {{- end }} 53 | terminationMessagePolicy: FallbackToLogsOnError 54 | env: 55 | {{- range $name, $item := .Values.openTelemetry.agent.env}} 56 | - name: {{ $name }} 57 | {{- $item | toYaml | nindent 10 }} 58 | {{- end }} 59 | resources: 60 | {{- toYaml .Values.openTelemetry.agent.resources | nindent 10 }} 61 | securityContext: 62 | {{- toYaml .Values.openTelemetry.agent.containerSecurityContext | nindent 10 }} 63 | readinessProbe: 64 | httpGet: 65 | path: / 66 | port: 13133 67 | livenessProbe: 68 | httpGet: 69 | path: / 70 | port: 13133 71 | ports: 72 | - containerPort: 55679 73 | hostPort: {{ toYaml .Values.openTelemetry.agent.hostPorts.zpages }} 74 | name: zpages 75 | - containerPort: 4317 76 | hostPort: {{ toYaml .Values.openTelemetry.agent.hostPorts.otlpGrpc }} 77 | name: otlp-grpc 78 | - containerPort: 4318 79 | hostPort: {{ toYaml .Values.openTelemetry.agent.hostPorts.otlpHttp }} 80 | name: otlp-http 81 | volumeMounts: 82 | - name: config 83 | mountPath: /etc/otel-agent 84 | terminationGracePeriodSeconds: 120 85 | {{- include "sourcegraph.nodeSelector" (list . "openTelemetry" ) | trim | nindent 6 }} 86 | {{- include "sourcegraph.affinity" (list . "openTelemetry" ) | trim | nindent 6 }} 87 | {{- include "sourcegraph.tolerations" (list . "openTelemetry" ) | trim | nindent 6 }} 88 | {{- with .Values.sourcegraph.imagePullSecrets }} 89 | imagePullSecrets: 90 | {{- toYaml . 
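| nindent 8 }}
91 |       {{- end }}
92 |       {{- include "sourcegraph.renderServiceAccountName" (list .Values.openTelemetry "agent") | trim | nindent 6 }}
93 |       volumes: # supplies the config.yaml that the container mounts at /etc/otel-agent
94 |       - name: config
95 |         configMap:
96 |           name: {{ .Values.openTelemetry.agent.name }} # must match the ConfigMap from otel-agent.ConfigMap.yaml, which is named from openTelemetry.agent.name; a hard-coded name breaks the mount when that value is overridden
97 |           items:
98 |           - key: config.yaml
99 |             path: config.yaml
100 | {{- end }}
101 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/otel-collector/otel-agent.ServiceAccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.openTelemetry.agent.serviceAccount.create -}}
2 | apiVersion: v1
3 | kind: ServiceAccount # NOTE(review): gated only on agent.serviceAccount.create, not on openTelemetry.enabled, so it can be rendered while the DaemonSet is not.
4 | metadata:
5 |   labels:
6 |     category: rbac
7 |     deploy: sourcegraph
8 |     app.kubernetes.io/component: otel-collector
9 |   {{- include "sourcegraph.serviceAccountAnnotations" (list .Values.openTelemetry "agent") | trim | nindent 2 }}
10 |   name: {{ include "sourcegraph.serviceAccountName" (list .Values.openTelemetry "agent") }}
11 | {{- end }}
12 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/otel-collector/otel-collector.ConfigMap.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.openTelemetry.gateway.config.traces.exporters .Values.jaeger.enabled -}}
2 | {{- fail "Set 'jaeger.enabled' to false or remove 'openTelemetry.gateway.config.traces.exporters'. The bundled jaeger instance is preconfigured." }}
3 | {{- end }}
4 | {{- if and .Values.openTelemetry.enabled .Values.openTelemetry.gateway.config.traces.exporters (not .Values.jaeger.enabled) -}}
5 | apiVersion: v1
6 | kind: ConfigMap # Gateway collector config; rendered only when openTelemetry is enabled, trace exporters are set in values and the bundled Jaeger is off. The guard on lines 1-3 aborts rendering when exporters and jaeger.enabled are both set.
7 | metadata:
8 |   name: {{ .Values.openTelemetry.gateway.name }}
9 |   labels:
10 |     deploy: sourcegraph
11 |     app.kubernetes.io/component: otel-collector
12 | data: # NOTE(review): processors and exporters are copied verbatim from values (toYaml), so credentials written into exporter settings end up in this ConfigMap in clear text; keep them in a Secret and reference them indirectly if the collector build allows it.
13 |   config.yaml: |
14 |     receivers:
15 |       otlp:
16 |         protocols:
17 |           grpc: # port 4317
18 |           http: # port 4318
19 |     {{ if .Values.openTelemetry.gateway.config.traces.processors }}
20 |     processors:
21 |       {{- toYaml .Values.openTelemetry.gateway.config.traces.processors | nindent 6 }}
22 |     {{ end }}
23 |     exporters:
24 |       {{- toYaml .Values.openTelemetry.gateway.config.traces.exporters | nindent 6 }}
25 |
26 |     extensions:
27 |       health_check:
28 |         endpoint: ":13133"
29 |       zpages:
30 |         endpoint: "localhost:55679"
31 |
32 |     service:
33 |       extensions:
34 |         - health_check
35 |         - zpages
36 |       pipelines:
37 |         traces:
38 |           receivers:
39 |             - otlp
40 |           {{- if .Values.openTelemetry.gateway.config.traces.processors }}
41 |           processors:
42 |             {{- range $key, $val := .Values.openTelemetry.gateway.config.traces.processors }}
43 |             - {{ $key }}
44 |             {{- end }}
45 |           {{- end }}
46 |           exporters:
47 |             {{- range $key, $val := .Values.openTelemetry.gateway.config.traces.exporters }}
48 |             - {{ $key }}
49 |             {{- end }}
50 | {{- end }}
51 |
--------------------------------------------------------------------------------
/charts/sourcegraph/templates/otel-collector/otel-collector.Service.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.openTelemetry.enabled -}}
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   name: otel-collector # fixed name: the agent config's exporter endpoint "otel-collector:4317" depends on it
6 |   annotations:
7 |     {{- if .Values.openTelemetry.gateway.serviceAnnotations }}
8 |     {{- toYaml .Values.openTelemetry.gateway.serviceAnnotations | nindent 4 }}
9 |     {{- end }}
10 |     sourcegraph.prometheus/scrape: "true"
11 |     prometheus.io/port: "8888"
12 |   labels:
13 |     {{-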
include "sourcegraph.labels" . | nindent 4 }} 14 | {{- if .Values.openTelemetry.gateway.serviceLabels }} 15 | {{- toYaml .Values.openTelemetry.gateway.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | deploy: sourcegraph 18 | app.kubernetes.io/component: otel-collector 19 | spec: 20 | ports: 21 | - name: otlp-grpc 22 | port: 4317 23 | protocol: TCP 24 | targetPort: 4317 25 | - name: otlp-http 26 | port: 4318 27 | protocol: TCP 28 | targetPort: 4318 29 | - name: metrics # Default endpoint for querying metrics. 30 | port: 8888 31 | selector: 32 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 33 | app: otel-collector 34 | type: {{ .Values.openTelemetry.gateway.serviceType | default "ClusterIP" }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/otel-collector/otel-collector.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.openTelemetry.gateway.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: otel-collector 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list .Values.openTelemetry "gateway") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list .Values.openTelemetry "gateway") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/pgsql/pgsql.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pgsql.enabled (and .Values.pgsql.existingConfig .Values.pgsql.additionalConfig) -}} 2 | {{- fail "You can only define one of 'pgsql.existingConfig' and 'pgsql.additionalConfig' at a time" }} 3 | {{- end }} 4 | {{- if and .Values.pgsql.enabled (not .Values.pgsql.existingConfig) -}} 5 | apiVersion: v1 6 | kind: 
ConfigMap 7 | metadata: 8 | annotations: 9 | description: Configuration for PostgreSQL 10 | labels: 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: pgsql 13 | name: {{ .Values.pgsql.name }}-conf 14 | data: 15 | postgresql.conf: | 16 | {{- .Files.Get "files/pgsql/conf/postgresql.conf" | nindent 4 }} 17 | {{- tpl .Values.pgsql.additionalConfig . | nindent 4 | trim }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/pgsql/pgsql.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pgsql.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | deploy: sourcegraph 7 | app.kubernetes.io/component: pgsql 8 | name: pgsql 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.pgsql.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.pgsql.volumeName }} 17 | volumeName: {{ .Values.pgsql.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.pgsql.auth.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.pgsql.name }}-auth 6 | labels: 7 | app: pgsql 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: pgsql 10 | type: Opaque 11 | data: # NOTE(review): every field here, password included, is rendered from .Values.pgsql.auth and only base64-encoded (an encoding, not encryption); setting pgsql.auth.existingSecret skips this template, which keeps the credentials out of values files. 12 | database: {{ .Values.pgsql.auth.database | toString | b64enc | quote }} 13 | host: {{ .Values.pgsql.auth.host | toString | b64enc | quote }} 14 | password: {{ .Values.pgsql.auth.password | toString | b64enc | quote }} 15 | port: {{ .Values.pgsql.auth.port | toString | b64enc | quote }} 16 | user: {{ .Values.pgsql.auth.user | toString | b64enc | quote }} 17 | sslmode: {{ 
.Values.pgsql.auth.sslmode | toString | b64enc | quote }} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/pgsql/pgsql.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pgsql.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "9187" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.pgsql.serviceAnnotations }} 9 | {{- toYaml .Values.pgsql.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app: pgsql 13 | deploy: sourcegraph 14 | app.kubernetes.io/component: pgsql 15 | {{- if .Values.pgsql.serviceLabels }} 16 | {{- toYaml .Values.pgsql.serviceLabels | nindent 4 }} 17 | {{- end }} 18 | name: pgsql 19 | spec: 20 | ports: 21 | - name: pgsql 22 | port: 5432 23 | targetPort: pgsql 24 | selector: 25 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 26 | app: pgsql 27 | type: {{ .Values.pgsql.serviceType | default "ClusterIP" }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/pgsql/pgsql.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pgsql.enabled .Values.pgsql.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: pgsql 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "pgsql") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"pgsql") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/precise-code-intel/worker.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | {{- if .Values.preciseCodeIntel.serviceAnnotations }} 8 | {{- toYaml .Values.preciseCodeIntel.serviceAnnotations | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app: precise-code-intel-worker 12 | deploy: sourcegraph 13 | app.kubernetes.io/component: precise-code-intel 14 | {{- if .Values.preciseCodeIntel.serviceLabels }} 15 | {{- toYaml .Values.preciseCodeIntel.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | name: precise-code-intel-worker 18 | spec: 19 | ports: 20 | - name: http 21 | port: 3188 22 | targetPort: http 23 | - name: debug 24 | port: 6060 25 | targetPort: debug 26 | selector: 27 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 28 | app: precise-code-intel-worker 29 | type: {{ .Values.preciseCodeIntel.serviceType | default "ClusterIP" }} 30 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/precise-code-intel/worker.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.preciseCodeIntel.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: precise-code-intel 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "preciseCodeIntel") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"preciseCodeIntel") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/priorityClass.yaml: -------------------------------------------------------------------------------- 1 | {{- range $class := .Values.priorityClasses }} 2 | apiVersion: scheduling.k8s.io/v1 3 | kind: PriorityClass 4 | metadata: 5 | name: {{ $class.name }} 6 | value: {{ $class.value }} 7 | preemptionPolicy: {{ $class.preemptionPolicy }} 8 | globalDefault: false 9 | description: {{ $class.description | default "missing" }} 10 | --- 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/prometheus/prometheus.ClusterRole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheus.enabled .Values.prometheus.privileged -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: prometheus 9 | name: {{ .Values.prometheus.name }} 10 | rules: # Read-only rules; this ClusterRole is rendered only when prometheus.enabled and prometheus.privileged are both set. 11 | - apiGroups: 12 | - "" 13 | resources: 14 | - endpoints 15 | - namespaces 16 | - nodes 17 | - nodes/metrics 18 | - nodes/proxy # NOTE(review): nodes/proxy is the API-server proxy to each node's kubelet, so even read verbs here are broader than the other resources in this rule; confirm the scrape configuration needs it before enabling prometheus.privileged. 19 | - pods 20 | - services 21 | verbs: 22 | - get 23 | - list 24 | - watch 25 | - apiGroups: 26 | - "" 27 | resources: 28 | - configmaps 29 | verbs: 30 | - get 31 | - nonResourceURLs: 32 | - /metrics 33 | verbs: 34 | - get 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheus.enabled .Values.prometheus.privileged -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | 
app.kubernetes.io/component: prometheus 9 | name: {{ .Values.prometheus.name }} 10 | roleRef: 11 | apiGroup: "rbac.authorization.k8s.io" 12 | kind: ClusterRole 13 | name: {{ .Values.prometheus.name }} 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ include "sourcegraph.serviceAccountName" (list . "prometheus") }} 17 | namespace: {{ .Release.Namespace }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/prometheus/prometheus.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.prometheus.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | deploy: sourcegraph 7 | app.kubernetes.io/component: prometheus 8 | name: prometheus 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.prometheus.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.prometheus.volumeName }} 17 | volumeName: {{ .Values.prometheus.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: prometheus 9 | name: {{ .Values.prometheus.name }} 10 | roleRef: 11 | apiGroup: "" 12 | kind: ClusterRole 13 | name: view 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"prometheus") }} 17 | namespace: {{ .Release.Namespace }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/prometheus/prometheus.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.prometheus.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.prometheus.serviceAnnotations }} 6 | annotations: 7 | {{- toYaml .Values.prometheus.serviceAnnotations | nindent 4 }} 8 | {{- end }} 9 | labels: 10 | app: prometheus 11 | deploy: sourcegraph 12 | app.kubernetes.io/component: prometheus 13 | {{- if .Values.prometheus.serviceLabels }} 14 | {{- toYaml .Values.prometheus.serviceLabels | nindent 4 }} 15 | {{- end }} 16 | name: prometheus 17 | spec: 18 | ports: 19 | - name: http 20 | port: 30090 21 | targetPort: http 22 | selector: 23 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 24 | app: prometheus 25 | type: {{ .Values.prometheus.serviceType | default "ClusterIP" }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/prometheus/prometheus.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheus.enabled .Values.prometheus.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: prometheus 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "prometheus") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"prometheus") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-cache.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.redisCache.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | deploy: sourcegraph 7 | app.kubernetes.io/component: redis 8 | name: redis-cache 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.redisCache.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.redisCache.volumeName }} 17 | volumeName: {{ .Values.redisCache.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-cache.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.redisCache.connection.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.redisCache.name }} 6 | labels: 7 | app: redis-cache 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: redis-cache 10 | type: Opaque 11 | data: 12 | endpoint: {{ .Values.redisCache.connection.endpoint | toString | b64enc | quote }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-cache.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.redisCache.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "9121" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.redisCache.serviceAnnotations }} 9 | {{- toYaml .Values.redisCache.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app: redis-cache 13 
| deploy: sourcegraph 14 | app.kubernetes.io/component: redis 15 | {{- if .Values.redisCache.serviceLabels }} 16 | {{- toYaml .Values.redisCache.serviceLabels | nindent 4 }} 17 | {{- end }} 18 | name: redis-cache 19 | spec: 20 | ports: 21 | - name: redis 22 | port: 6379 23 | targetPort: redis 24 | selector: 25 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 26 | app: redis-cache 27 | type: {{ .Values.redisCache.serviceType | default "ClusterIP" }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-cache.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.redisCache.enabled .Values.redisCache.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: redis 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "redisCache") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"redisCache") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-store.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.redisStore.enabled -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | labels: 6 | deploy: sourcegraph 7 | app.kubernetes.io/component: redis 8 | name: redis-store 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: {{ .Values.redisStore.storageSize }} 15 | storageClassName: {{ .Values.storageClass.name }} 16 | {{- if .Values.redisStore.volumeName }} 17 | volumeName: {{ .Values.redisStore.volumeName }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-store.Secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.redisStore.connection.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.redisStore.name }} 6 | labels: 7 | app: redis-store 8 | deploy: sourcegraph 9 | app.kubernetes.io/component: redis-store 10 | type: Opaque 11 | data: 12 | endpoint: {{ .Values.redisStore.connection.endpoint | toString | b64enc | quote }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-store.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.redisStore.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "9121" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.redisStore.serviceAnnotations }} 9 | {{- toYaml .Values.redisStore.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app: redis-store 13 
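| deploy: sourcegraph 14 | app.kubernetes.io/component: redis 15 | {{- if .Values.redisStore.serviceLabels }} 16 | {{- toYaml .Values.redisStore.serviceLabels | nindent 4 }} 17 | {{- end }} 18 | name: redis-store 19 | spec: 20 | ports: 21 | - name: redis 22 | port: 6379 23 | targetPort: redis 24 | selector: 25 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 26 | app: redis-store 27 | type: {{ .Values.redisStore.serviceType | default "ClusterIP" }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/redis/redis-store.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* ServiceAccount for redis-store, rendered when redisStore.enabled and redisStore.serviceAccount.create are set. Annotations go through the shared helper exactly as in redis-cache.ServiceAccount.yaml; this assumes the helper treats a missing redisStore.serviceAccount.annotations like the other services do (confirm in _helpers.tpl). */ -}} {{- if and .Values.redisStore.enabled .Values.redisStore.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: redis 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "redisStore") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"redisStore") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/searcher/searcher.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | {{- if .Values.searcher.serviceAnnotations }} 8 | {{- toYaml .Values.searcher.serviceAnnotations | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app: searcher 12 | deploy: sourcegraph 13 | app.kubernetes.io/component: searcher 14 | {{- if .Values.searcher.serviceLabels }} 15 | {{- toYaml .Values.searcher.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | name: searcher 18 | spec: 19 | clusterIP: None 20 | ports: 21 | - name: http 22 | port: 3181 23 | targetPort: http 24 | - name: debug 25 | port: 6060 26 | targetPort: debug 27 | selector: 28 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 29 | app: searcher 30 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/searcher/searcher.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.searcher.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: searcher 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "searcher") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 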
"searcher") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/storageclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.storageClass.create }} 2 | kind: StorageClass 3 | apiVersion: storage.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.storageClass.name }} 6 | labels: 7 | {{- include "sourcegraph.labels" . | nindent 4 }} 8 | deploy: sourcegraph-storage 9 | {{- if .Values.storageClass.annotations}} 10 | annotations: 11 | {{- toYaml .Values.storageClass.annotations | nindent 4 }} 12 | {{- end }} 13 | provisioner: {{ .Values.storageClass.provisioner }} 14 | parameters: 15 | {{- with .Values.storageClass.type }} 16 | type: {{ . }} 17 | {{- end }} 18 | {{- if .Values.storageClass.parameters}} 19 | {{- toYaml .Values.storageClass.parameters | nindent 2 }} 20 | {{- end }} 21 | allowVolumeExpansion: {{ default true .Values.storageClass.allowVolumeExpansion }} 22 | reclaimPolicy: {{ default "Retain" .Values.storageClass.reclaimPolicy }} 23 | volumeBindingMode: {{ default "Immediate" .Values.storageClass.volumeBindingMode }} 24 | {{- if .Values.storageClass.allowedTopologies }} 25 | allowedTopologies: 26 | {{- toYaml .Values.storageClass.allowedTopologies | nindent 2 }} 27 | {{- end }} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/syntactic-code-intel/worker.Service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.syntacticCodeIntel.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | prometheus.io/port: "6060" 7 | sourcegraph.prometheus/scrape: "true" 8 | {{- if .Values.syntacticCodeIntel.serviceAnnotations }} 9 | {{- toYaml .Values.syntacticCodeIntel.serviceAnnotations | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app: syntactic-code-intel-worker 13 | 
deploy: sourcegraph 14 | app.kubernetes.io/component: syntactic-code-intel 15 | {{- if .Values.syntacticCodeIntel.serviceLabels }} 16 | {{- toYaml .Values.syntacticCodeIntel.serviceLabels | nindent 4 }} 17 | {{- end }} 18 | name: syntactic-code-intel-worker 19 | spec: 20 | ports: 21 | - name: http 22 | port: {{ .Values.syntacticCodeIntel.properties.workerPort }} 23 | targetPort: http 24 | - name: debug 25 | port: 6060 26 | targetPort: debug 27 | selector: 28 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 29 | app: syntactic-code-intel-worker 30 | type: {{ .Values.syntacticCodeIntel.serviceType | default "ClusterIP" }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/syntactic-code-intel/worker.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.syntacticCodeIntel.enabled .Values.syntacticCodeIntel.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: syntactic-code-intel 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "syntacticCodeIntel") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"syntacticCodeIntel") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/syntect-server/syntect-server.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | {{- if .Values.syntectServer.serviceAnnotations }} 8 | {{- toYaml .Values.syntectServer.serviceAnnotations | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app: syntect-server 12 | deploy: sourcegraph 13 | app.kubernetes.io/component: syntect-server 14 | {{- if .Values.syntectServer.serviceLabels }} 15 | {{- toYaml .Values.syntectServer.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | name: syntect-server 18 | spec: 19 | ports: 20 | - name: http 21 | port: 9238 22 | targetPort: http 23 | selector: 24 | {{- include "sourcegraph.selectorLabels" . | nindent 4 }} 25 | app: syntect-server 26 | type: {{ .Values.syntectServer.serviceType | default "ClusterIP" }} 27 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/syntect-server/syntect-server.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.syntectServer.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: syntect-server 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "syntectServer") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . 
"syntectServer") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "sg-test-connection" 5 | labels: 6 | {{- include "sourcegraph.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox # NOTE(review): no tag or digest, so the pull resolves to whatever "latest" is at run time; pin a tag or digest so the Helm test hook runs a known image. 13 | command: ['wget'] 14 | args: ['sourcegraph-frontend:30080/'] 15 | restartPolicy: Never -------------------------------------------------------------------------------- /charts/sourcegraph/templates/worker/worker-executors.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6996" 6 | sourcegraph.prometheus/scrape: "true" 7 | {{- if .Values.worker.serviceAnnotations }} 8 | {{- toYaml .Values.worker.serviceAnnotations | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app: worker 12 | deploy: sourcegraph 13 | app.kubernetes.io/component: worker 14 | {{- if .Values.worker.serviceLabels }} 15 | {{- toYaml .Values.worker.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | name: worker-executors 18 | spec: 19 | ports: 20 | - name: prom 21 | port: 6996 22 | targetPort: prom 23 | selector: 24 | {{- include "sourcegraph.selectorLabels" . 
| nindent 4 }} 25 | app: worker 26 | type: {{ .Values.worker.serviceType | default "ClusterIP" }} 27 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/worker/worker.Deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $globalBlocklist := "" }} 2 | {{- if .Values.worker.blocklist }} 3 | {{- $globalBlocklist = join "," (.Values.worker.blocklist | uniq | sortAlpha) }} 4 | {{- end }} 5 | 6 | {{- if not .Values.worker.replicas }} 7 | {{- include "sourcegraph.worker" (list . "" "" $globalBlocklist .Values.worker.resources ) | nindent 0 }} 8 | {{- else }} 9 | {{- $dedicatedJobs := list }} 10 | {{- $dedicatedJobs = $dedicatedJobs | concat .Values.worker.blocklist }} 11 | {{- range .Values.worker.replicas }} 12 | {{- $dedicatedJobs = $dedicatedJobs | concat .jobs }} 13 | {{- end }} 14 | {{- $primaryBlocklist := join "," ($dedicatedJobs | uniq | sortAlpha) }} 15 | --- 16 | {{- include "sourcegraph.worker" (list . 
"" "all" $primaryBlocklist $.Values.worker.resources) | nindent 0 }} 17 | 18 | {{- range $idx, $item := .Values.worker.replicas }} 19 | --- 20 | {{- $replicaName := printf "%d" $idx }} 21 | {{- $allowlist := join "," ($item.jobs | uniq | sortAlpha) }} 22 | {{- $resources := $.Values.worker.resources -}} 23 | {{- if $item.resources -}} 24 | {{- $resources = $item.resources -}} 25 | {{- end -}} 26 | {{- include "sourcegraph.worker" (list $ $replicaName $allowlist "" $resources) | nindent 0 }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/worker/worker.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | {{- if .Values.worker.serviceAnnotations }} 8 | {{- toYaml .Values.worker.serviceAnnotations | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app: worker 12 | deploy: sourcegraph 13 | app.kubernetes.io/component: worker 14 | {{- if .Values.worker.serviceLabels }} 15 | {{- toYaml .Values.worker.serviceLabels | nindent 4 }} 16 | {{- end }} 17 | name: worker 18 | spec: 19 | ports: 20 | - name: http 21 | port: 3189 22 | targetPort: http 23 | - name: debug 24 | port: 6060 25 | targetPort: debug 26 | selector: 27 | {{- include "sourcegraph.selectorLabels" . 
| nindent 4 }} 28 | app: worker 29 | type: {{ .Values.worker.serviceType | default "ClusterIP" }} 30 | -------------------------------------------------------------------------------- /charts/sourcegraph/templates/worker/worker.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.worker.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | app.kubernetes.io/component: worker 9 | {{- include "sourcegraph.serviceAccountAnnotations" (list . "worker") | trim | nindent 2 }} 10 | name: {{ include "sourcegraph.serviceAccountName" (list . "worker") }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/__snapshot__/checksum_test.yaml.snap: -------------------------------------------------------------------------------- 1 | should update checksum when codeinsights-db secret is modified: 2 | 1: | 3 | 29f56ffb20b2f033b6f54a3b8e4f049734a9330390bc4e4b162a792e073b9447 4 | should update checksum when codeintel-db secret is modified: 5 | 1: | 6 | 839b4e7703dfa58ea8513e436a017af6183d7e5c3d8560a8d580bef8299242fb 7 | should update checksum when pgsql secret is modified: 8 | 1: | 9 | 54b0ee5944d429d618699fa4e18a406fb817668d9111bb43b46eac363415e5b2 10 | should update checksum when redis-cache secret is modified: 11 | 1: | 12 | 97d7112d6b8b0d3e6251d9062aaba1a7205fda567b701d70eecc4540878228c0 13 | should update checksum when redis-store secret is modified: 14 | 1: | 15 | 97d7112d6b8b0d3e6251d9062aaba1a7205fda567b701d70eecc4540878228c0 16 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/__snapshot__/pgsqlAuth_test.yaml.snap: -------------------------------------------------------------------------------- 1 | should reference default secret name when existingSecret is blank: 2 | 1: | 3 | 
0fa09c505c8e425627c62e0bb13c3ecb575b6c117a2b976fd1a4e71dd41561f6 4 | should reference existing secret name when existingSecret is passed: 5 | 1: | 6 | 75d732cb063b4c32166d42a620df3c0b2b9fa139f28a560c9c566d36b150e6c3 7 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/__snapshot__/serviceAccountAnnotations_test.yaml.snap: -------------------------------------------------------------------------------- 1 | should render service account annotations when cadvisor.serviceAccount.annotations is defined: 2 | 1: | 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | annotations: 7 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 8 | labels: 9 | app: cadvisor 10 | app.kubernetes.io/component: cadvisor 11 | category: rbac 12 | deploy: sourcegraph 13 | name: cadvisor 14 | should render service account annotations when frontend.serviceAccount.annotations is defined: 15 | 1: | 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | annotations: 20 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 21 | labels: 22 | app.kubernetes.io/component: frontend 23 | category: rbac 24 | deploy: sourcegraph 25 | name: sourcegraph-frontend 26 | should render service account annotations when prometheus.serviceAccount.annotations is defined: 27 | 1: | 28 | apiVersion: v1 29 | kind: ServiceAccount 30 | metadata: 31 | annotations: 32 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 33 | labels: 34 | app.kubernetes.io/component: prometheus 35 | category: rbac 36 | deploy: sourcegraph 37 | name: prometheus 38 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/__snapshot__/serviceAccounts_test.yaml.snap: -------------------------------------------------------------------------------- 1 | should render service account when openTelemetry.agent.serviceAccount.create is 
true: 2 | 1: | 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: otel-collector 8 | category: rbac 9 | deploy: sourcegraph 10 | name: otel-agent 11 | should render service account when openTelemetry.gateway.serviceAccount.create is true: 12 | 1: | 13 | apiVersion: v1 14 | kind: ServiceAccount 15 | metadata: 16 | labels: 17 | app.kubernetes.io/component: otel-collector 18 | category: rbac 19 | deploy: sourcegraph 20 | name: otel-collector 21 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/affinity_test.yaml: -------------------------------------------------------------------------------- 1 | suite: affinity 2 | templates: 3 | - frontend/sourcegraph-frontend.Deployment.yaml 4 | release: 5 | name: sourcegraph 6 | namespace: sourcegraph 7 | tests: 8 | - it: should render affinity values that contain template 9 | set: 10 | frontend: 11 | affinity: 12 | podAntiAffinity: 13 | preferredDuringSchedulingIgnoredDuringExecution: 14 | - podAffinityTerm: 15 | topologyKey: topology.kubernetes.io/zone 16 | labelSelector: 17 | matchLabels: 18 | app.kubernetes.io/name: '{{ include "sourcegraph.name" . 
}}' 19 | app.kubernetes.io/instance: '{{ .Release.Name }}' 20 | app: frontend 21 | weight: 100 22 | asserts: 23 | - equal: 24 | path: spec.template.spec.affinity 25 | value: 26 | podAntiAffinity: 27 | preferredDuringSchedulingIgnoredDuringExecution: 28 | - podAffinityTerm: 29 | topologyKey: topology.kubernetes.io/zone 30 | labelSelector: 31 | matchLabels: 32 | app.kubernetes.io/name: sourcegraph 33 | app.kubernetes.io/instance: sourcegraph 34 | app: frontend 35 | weight: 100 36 | 37 | - it: should render affinity values that do not contain template 38 | set: 39 | frontend: 40 | affinity: 41 | podAntiAffinity: 42 | preferredDuringSchedulingIgnoredDuringExecution: 43 | - podAffinityTerm: 44 | topologyKey: topology.kubernetes.io/zone 45 | labelSelector: 46 | matchLabels: 47 | app.kubernetes.io/name: sourcegraph 48 | app.kubernetes.io/instance: sourcegraph 49 | app: frontend 50 | weight: 100 51 | asserts: 52 | - equal: 53 | path: spec.template.spec.affinity 54 | value: 55 | podAntiAffinity: 56 | preferredDuringSchedulingIgnoredDuringExecution: 57 | - podAffinityTerm: 58 | topologyKey: topology.kubernetes.io/zone 59 | labelSelector: 60 | matchLabels: 61 | app.kubernetes.io/name: sourcegraph 62 | app.kubernetes.io/instance: sourcegraph 63 | app: frontend 64 | weight: 100 65 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/cadvisorPrivileged_test.yaml: -------------------------------------------------------------------------------- 1 | suite: cadvisorPrivileged 2 | templates: 3 | - NOTES.txt 4 | - cadvisor/cadvisor.DaemonSet.yaml 5 | tests: 6 | - it: should not have the warning text when cadvisor.containerSecurityContext.privileged=true 7 | set: 8 | cadvisor: 9 | containerSecurityContext: 10 | privileged: true 11 | asserts: 12 | - notMatchRegexRaw: 13 | pattern: You have set 'cadvisor.containerSecurityContext.privileged' to 'false' 14 | template: NOTES.txt 15 | - it: should have the warning text when 
prometheus.privileged=false 16 | set: 17 | cadvisor: 18 | containerSecurityContext: 19 | privileged: false 20 | asserts: 21 | - matchRegexRaw: 22 | pattern: You have set 'cadvisor.containerSecurityContext.privileged' to 'false' 23 | template: NOTES.txt 24 | - it: should render /dev/kmsg in volumes and volumeMounts when cadvisor.containerSecurityContext.privileged=true 25 | set: 26 | cadvisor: 27 | containerSecurityContext: 28 | privileged: true 29 | asserts: 30 | - contains: 31 | path: spec.template.spec.volumes 32 | content: 33 | name: kmsg 34 | hostPath: 35 | path: /dev/kmsg 36 | template: cadvisor/cadvisor.DaemonSet.yaml 37 | - contains: 38 | path: spec.template.spec.containers[0].volumeMounts 39 | content: 40 | name: kmsg 41 | mountPath: /dev/kmsg 42 | readOnly: true 43 | template: cadvisor/cadvisor.DaemonSet.yaml 44 | - it: should not render /dev/kmsg in volumes and volumeMounts when cadvisor.containerSecurityContext.privileged=false 45 | set: 46 | cadvisor: 47 | containerSecurityContext: 48 | privileged: false 49 | asserts: 50 | - notContains: 51 | path: spec.template.spec.volumes 52 | content: 53 | name: kmsg 54 | hostPath: 55 | path: /dev/kmsg 56 | template: cadvisor/cadvisor.DaemonSet.yaml 57 | - notContains: 58 | path: spec.template.spec.containers[0].volumeMounts 59 | content: 60 | name: kmsg 61 | mountPath: /dev/kmsg 62 | readOnly: true 63 | template: cadvisor/cadvisor.DaemonSet.yaml 64 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/checksum_test.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | suite: checksumTest 3 | templates: 4 | - frontend/sourcegraph-frontend.Deployment.yaml 5 | tests: 6 | - it: should update checksum when pgsql secret is modified 7 | set: 8 | pgsql: 9 | auth: 10 | existingSecret: "my-secret" 11 | asserts: 12 | - matchSnapshot: 13 | path: spec.template.metadata.annotations["checksum/auth"] 14 | - it: should update 
checksum when codeintel-db secret is modified 15 | set: 16 | codeIntelDB: 17 | auth: 18 | newkey: "blank" 19 | asserts: 20 | - matchSnapshot: 21 | path: spec.template.metadata.annotations["checksum/auth"] 22 | - it: should update checksum when codeinsights-db secret is modified 23 | set: 24 | codeInsightsDB: 25 | auth: 26 | username: "newuser" 27 | database: "anotherdb" 28 | asserts: 29 | - matchSnapshot: 30 | path: spec.template.metadata.annotations["checksum/auth"] 31 | - it: should update checksum when redis-store secret is modified 32 | set: 33 | redisStore: 34 | connection: 35 | endpoint: "external-redis:6379" 36 | asserts: 37 | - matchSnapshot: 38 | path: spec.template.metadata.annotations["checksum/auth"] 39 | - it: should update checksum when redis-cache secret is modified 40 | set: 41 | redisCache: 42 | connection: 43 | endpoint: "external-redis:6379" 44 | asserts: 45 | - matchSnapshot: 46 | path: spec.template.metadata.annotations["checksum/auth"] 47 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/codeInsightsDBAdditionalConfig_test.yaml: -------------------------------------------------------------------------------- 1 | suite: postgresAdditionalConfig 2 | templates: 3 | - codeinsights-db/codeinsights-db.ConfigMap.yaml 4 | tests: 5 | - it: should have additional config rendered when *.additionalConfig is defined 6 | set: 7 | pgsql: 8 | additionalConfig: | 9 | max_connections = 1000000000000000000 10 | codeIntelDB: 11 | additionalConfig: | 12 | max_connections = 2000000000000000000 13 | codeInsightsDB: 14 | additionalConfig: | 15 | max_connections = 3000000000000000000 16 | asserts: 17 | - matchRegex: 18 | path: data["postgresql.conf"] 19 | pattern: max_connections = 3000000000000000000 20 | - it: should fail to render when both codeInsightsDB.additionalConfig and codeInsightsDB.existingConfig are defined 21 | set: 22 | codeInsightsDB: 23 | existingConfig: i-will-break-rendering 24 | 
additionalConfig: | 25 | max_connections = 3000000000000000000 26 | asserts: 27 | - failedTemplate: 28 | errorMessage: You can only define one of 'codeInsightsDB.existingConfig' and 'codeInsightsDB.additionalConfig' at a time 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/codeIntelDBAdditionalConfig_test.yaml: -------------------------------------------------------------------------------- 1 | suite: codeIntelDBAdditionalConfig 2 | templates: 3 | - codeintel-db/codeintel-db.ConfigMap.yaml 4 | tests: 5 | - it: should have additional config rendered when *.additionalConfig is defined 6 | set: 7 | pgsql: 8 | additionalConfig: | 9 | max_connections = 1000000000000000000 10 | codeIntelDB: 11 | additionalConfig: | 12 | max_connections = 2000000000000000000 13 | codeInsightsDB: 14 | additionalConfig: | 15 | max_connections = 3000000000000000000 16 | asserts: 17 | - matchRegex: 18 | path: data["postgresql.conf"] 19 | pattern: max_connections = 2000000000000000000 20 | - it: should fail to render when both codeIntelDB.additionalConfig and codeIntelDB.existingConfig are defined 21 | set: 22 | codeIntelDB: 23 | existingConfig: i-will-break-rendering 24 | additionalConfig: | 25 | max_connections = 2000000000000000000 26 | asserts: 27 | - failedTemplate: 28 | errorMessage: You can only define one of 'codeIntelDB.existingConfig' and 'codeIntelDB.additionalConfig' at a time 29 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/defaultTagPrefix_test.yaml: -------------------------------------------------------------------------------- 1 | suite: defaultTagPrefix 2 | release: 3 | name: sourcegraph 4 | namespace: sourcegraph 5 | tests: 6 | - it: should not add defaultTagPrefix 7 | template: frontend/sourcegraph-frontend.Deployment.yaml 8 | set: 9 | frontend: 10 | image: 11 | defaultTag: test 12 | asserts: 13 | - matchRegex: 14 | path: 
"spec.template.spec.containers[0].image" 15 | pattern: ^[\w-]+\.\w+\.\w+\/.+\/.+:test$ 16 | - it: should add defaultTagPrefix 17 | template: frontend/sourcegraph-frontend.Deployment.yaml 18 | set: 19 | frontend: 20 | image: 21 | defaultTag: test 22 | defaultTagPrefix: "prefix-" 23 | asserts: 24 | - matchRegex: 25 | path: "spec.template.spec.containers[0].image" 26 | pattern: ^[\w-]+\.\w+\.\w+\/.+\/.+:prefix-test$ 27 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/localDevMode_test.yaml: -------------------------------------------------------------------------------- 1 | suite: localDevMode 2 | templates: 3 | - frontend/sourcegraph-frontend.Deployment.yaml 4 | tests: 5 | - it: should not have a resource block when localDevMode=true 6 | set: 7 | sourcegraph.localDevMode: true 8 | asserts: 9 | - notExists: 10 | path: "spec.template.spec.containers[0].resources" 11 | 12 | - it: should have a resource block when localDevMode=false 13 | set: 14 | sourcegraph.localDevMode: false 15 | asserts: 16 | - exists: 17 | path: "spec.template.spec.containers[0].resources" 18 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/otelAgentHostPort_test.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | suite: otelAgentHostPort 3 | tests: 4 | - it: should use the default host ports when not defined in values 5 | template: otel-collector/otel-agent.DaemonSet.yaml 6 | asserts: 7 | - contains: 8 | path: spec.template.spec.containers[0].ports 9 | content: 10 | containerPort: 55679 11 | hostPort: 55679 12 | name: zpages 13 | - contains: 14 | path: spec.template.spec.containers[0].ports 15 | content: 16 | containerPort: 4317 17 | hostPort: 4317 18 | name: otlp-grpc 19 | - contains: 20 | path: spec.template.spec.containers[0].ports 21 | content: 22 | containerPort: 4318 23 | hostPort: 4318 24 | name: otlp-http 25 | - it: should 
render the agent endpoint with the default gRPC host port 26 | template: searcher/searcher.StatefulSet.yaml 27 | asserts: 28 | - contains: 29 | path: spec.template.spec.containers[0].env 30 | content: 31 | name: OTEL_EXPORTER_OTLP_ENDPOINT 32 | value: "http://$(OTEL_AGENT_HOST):4317" 33 | - it: should set the host ports when defined in values 34 | template: otel-collector/otel-agent.DaemonSet.yaml 35 | set: 36 | openTelemetry: 37 | agent: 38 | hostPorts: 39 | otlpGrpc: 4319 40 | otlpHttp: 4320 41 | zpages: 55680 42 | asserts: 43 | - contains: 44 | path: spec.template.spec.containers[0].ports 45 | content: 46 | containerPort: 55679 47 | hostPort: 55680 48 | name: zpages 49 | - contains: 50 | path: spec.template.spec.containers[0].ports 51 | content: 52 | containerPort: 4317 53 | hostPort: 4319 54 | name: otlp-grpc 55 | - contains: 56 | path: spec.template.spec.containers[0].ports 57 | content: 58 | containerPort: 4318 59 | hostPort: 4320 60 | name: otlp-http 61 | - it: should render the agent endpoint with the custom gRPC host port 62 | template: searcher/searcher.StatefulSet.yaml 63 | set: 64 | openTelemetry: 65 | agent: 66 | hostPorts: 67 | otlpGrpc: 4319 68 | otlpHttp: 4320 69 | zpages: 55680 70 | asserts: 71 | - contains: 72 | path: spec.template.spec.containers[0].env 73 | content: 74 | name: OTEL_EXPORTER_OTLP_ENDPOINT 75 | value: "http://$(OTEL_AGENT_HOST):4319" 76 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/otelCollectorJaeger_test.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | suite: otelCollectorJaeger 3 | tests: 4 | - it: should use the logging exporter when Jaeger is disabled and no exporter has been set 5 | template: otel-collector/otel-collector.Deployment.yaml 6 | asserts: 7 | - equal: 8 | path: spec.template.spec.containers[0].command 9 | value: [ "/bin/otelcol-sourcegraph", "--config=/etc/otel-collector/configs/logging.yaml" ] 10 | - 
isEmpty: 11 | path: spec.template.spec.containers[0].volumeMounts 12 | - isEmpty: 13 | path: spec.template.spec.volumes 14 | - hasDocuments: 15 | count: 0 # ConfigMap is not rendered 16 | template: otel-collector/otel-collector.ConfigMap.yaml 17 | - it: should use the bundled Jaeger config when Jaeger is enabled 18 | template: otel-collector/otel-collector.Deployment.yaml 19 | set: 20 | jaeger: 21 | enabled: true 22 | asserts: 23 | - equal: 24 | path: spec.template.spec.containers[0].command 25 | value: [ "/bin/otelcol-sourcegraph", "--config=/etc/otel-collector/configs/jaeger.yaml" ] 26 | - isEmpty: 27 | path: spec.template.spec.containers[0].volumeMounts 28 | - isEmpty: 29 | path: spec.template.spec.volumes 30 | - hasDocuments: 31 | count: 0 # ConfigMap is not rendered 32 | template: otel-collector/otel-collector.ConfigMap.yaml 33 | - it: should use the exporter defined in the config 34 | template: otel-collector/otel-collector.Deployment.yaml 35 | set: 36 | openTelemetry: 37 | gateway: 38 | config: 39 | traces: 40 | exporters: 41 | otlp: 42 | endpoint: "otlp.service.com:443" 43 | headers: 44 | "x-header-1": "$HEADER1" 45 | "x-header-2": "$HEADER2" 46 | asserts: 47 | - equal: 48 | path: spec.template.spec.containers[0].command 49 | value: [ "/bin/otelcol-sourcegraph", "--config=/etc/otel-collector/config.yaml" ] 50 | - contains: 51 | path: spec.template.spec.containers[0].volumeMounts 52 | content: 53 | name: config 54 | mountPath: /etc/otel-collector 55 | - contains: 56 | path: spec.template.spec.volumes 57 | content: 58 | name: config 59 | configMap: 60 | name: otel-collector 61 | items: 62 | - key: config.yaml 63 | path: config.yaml 64 | - hasDocuments: 65 | count: 1 # ConfigMap is rendered 66 | template: otel-collector/otel-collector.ConfigMap.yaml 67 | - matchRegex: 68 | path: data["config.yaml"] 69 | pattern: "endpoint: otlp.service.com:443" # check if element of config is substituted correctly 70 | template: otel-collector/otel-collector.ConfigMap.yaml 71 
| - it: should fail if a configuration is provided and jaeger is enabled 72 | template: otel-collector/otel-collector.ConfigMap.yaml 73 | set: 74 | openTelemetry: 75 | gateway: 76 | config: 77 | traces: 78 | exporters: 79 | otlp: 80 | endpoint: "otlp.service.com:443" 81 | headers: 82 | "x-header-1": "$HEADER1" 83 | "x-header-2": "$HEADER2" 84 | jaeger: 85 | enabled: true 86 | asserts: 87 | - failedTemplate: 88 | errorMessage: "Set 'jaeger.enabled' to false or remove 'openTelemetry.gateway.config.exporters'. The bundled jaeger instance is preconfigured." 89 | - it: should not allow jaeger to be enabled without otelCollector enabled 90 | template: jaeger/jaeger.Deployment.yaml 91 | set: 92 | openTelemetry: 93 | enabled: false 94 | jaeger: 95 | enabled: true 96 | asserts: 97 | - failedTemplate: 98 | errorMessage: "When 'jaeger.enabled' is set to true, 'openTelemetry.enabled' must be set to true as well." 99 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/pgsqlAdditionalConfig_test.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | suite: pgsqlAdditionalConfig 3 | templates: 4 | - pgsql/pgsql.ConfigMap.yaml 5 | tests: 6 | - it: should have additional config rendered when *.additionalConfig is defined 7 | set: 8 | pgsql: 9 | additionalConfig: | 10 | max_connections = 1000000000000000000 11 | codeIntelDB: 12 | additionalConfig: | 13 | max_connections = 2000000000000000000 14 | codeInsightsDB: 15 | additionalConfig: | 16 | max_connections = 3000000000000000000 17 | asserts: 18 | - matchRegex: 19 | path: data["postgresql.conf"] 20 | pattern: max_connections = 1000000000000000000 21 | - it: should fail to render when both pgsql.additionalConfig and pgsql.existingConfig are defined 22 | set: 23 | pgsql: 24 | existingConfig: i-will-break-rendering 25 | additionalConfig: | 26 | max_connections = 1000000000000000000 27 | asserts: 28 | - failedTemplate: 29 | errorMessage: 
You can only define one of 'pgsql.existingConfig' and 'pgsql.additionalConfig' at a time 30 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/pgsqlAuth_test.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | suite: pgsqlAuth 3 | templates: 4 | - pgsql/pgsql.Secret.yaml 5 | - pgsql/pgsql.StatefulSet.yaml 6 | tests: 7 | - it: should reference existing secret name when existingSecret is passed 8 | template: pgsql/pgsql.StatefulSet.yaml 9 | set: 10 | pgsql: 11 | auth: 12 | existingSecret: "my-secret" 13 | asserts: 14 | - equal: 15 | path: spec.template.spec.containers[0].env[0].name 16 | value: POSTGRES_DATABASE 17 | - equal: 18 | path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name 19 | value: "my-secret" 20 | - matchSnapshot: 21 | path: spec.template.metadata.annotations["checksum/pgsql.secret"] 22 | - it: should not generate a secret when existingSecret is passed 23 | template: pgsql/pgsql.Secret.yaml 24 | set: 25 | pgsql: 26 | auth: 27 | existingSecret: "my-secret" 28 | asserts: 29 | - hasDocuments: 30 | count: 0 31 | - it: should generate a secret when existingSecret is blank 32 | template: pgsql/pgsql.Secret.yaml 33 | set: 34 | pgsql: 35 | auth: 36 | existingSecret: "" 37 | asserts: 38 | - hasDocuments: 39 | count: 1 40 | - it: should generate a secret by default 41 | template: pgsql/pgsql.Secret.yaml 42 | asserts: 43 | - hasDocuments: 44 | count: 1 45 | - it: should use provided value in secret 46 | template: pgsql/pgsql.Secret.yaml 47 | set: 48 | pgsql: 49 | auth: 50 | password: "hello" 51 | asserts: 52 | - equal: 53 | path: data.password 54 | value: "aGVsbG8=" 55 | - it: should reference default secret name when existingSecret is blank 56 | template: pgsql/pgsql.StatefulSet.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].env[0].name 60 | value: POSTGRES_DATABASE 61 | - equal: 62 | path: 
spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name 63 | value: "pgsql-auth" 64 | - matchSnapshot: 65 | path: spec.template.metadata.annotations["checksum/pgsql.secret"] 66 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/podDisruptionBudget_test.yaml: -------------------------------------------------------------------------------- 1 | suite: podDisruptionBudget 2 | release: 3 | name: sourcegraph 4 | namespace: sourcegraph 5 | tests: 6 | - it: should render podDisruptionBudget for frontend 7 | template: frontend/sourcegraph-frontend.PodDisruptionBudget.yaml 8 | set: 9 | frontend: 10 | podDisruptionBudget: 11 | minAvailable: 1 12 | asserts: 13 | - equal: 14 | path: spec.minAvailable 15 | value: 1 16 | - equal: 17 | path: spec.selector.matchLabels.app 18 | value: sourcegraph-frontend 19 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/priorityClass_test.yaml: -------------------------------------------------------------------------------- 1 | suite: priorityClass 2 | release: 3 | name: sourcegraph 4 | namespace: sourcegraph 5 | tests: 6 | - it: should render single priority class 7 | template: priorityClass.yaml 8 | set: 9 | priorityClasses: 10 | - name: gitserver-class 11 | value: 100 12 | preemptionPolicy: Never 13 | description: "gitserver priority class" 14 | asserts: 15 | - equal: 16 | path: metadata.name 17 | value: gitserver-class 18 | - equal: 19 | path: value 20 | value: 100 21 | - equal: 22 | path: preemptionPolicy 23 | value: Never 24 | - equal: 25 | path: description 26 | value: "gitserver priority class" 27 | - it: should render two priority classes 28 | template: priorityClass.yaml 29 | set: 30 | priorityClasses: 31 | - name: gitserver-class 32 | value: 100 33 | preemptionPolicy: Never 34 | description: "gitserver priority class" 35 | - name: indexed-search-class 36 | value: 101 37 | preemptionPolicy: 
PreemptLowerPriority 38 | description: "indexed-search priority class" 39 | asserts: 40 | - equal: 41 | path: metadata.name 42 | value: gitserver-class 43 | documentIndex: 0 44 | - equal: 45 | path: value 46 | value: 100 47 | documentIndex: 0 48 | - equal: 49 | path: preemptionPolicy 50 | value: Never 51 | documentIndex: 0 52 | - equal: 53 | path: description 54 | value: "gitserver priority class" 55 | documentIndex: 0 56 | - equal: 57 | path: metadata.name 58 | value: indexed-search-class 59 | documentIndex: 1 60 | - equal: 61 | path: value 62 | value: 101 63 | documentIndex: 1 64 | - equal: 65 | path: preemptionPolicy 66 | value: PreemptLowerPriority 67 | documentIndex: 1 68 | - equal: 69 | path: description 70 | value: "indexed-search priority class" 71 | documentIndex: 1 72 | - it: set priority class on gitserver 73 | template: gitserver/gitserver.StatefulSet.yaml 74 | set: 75 | gitserver: 76 | priorityClassName: gitserver-class 77 | asserts: 78 | - equal: 79 | path: spec.template.spec.priorityClassName 80 | value: gitserver-class 81 | - it: set priority class on indexed-search 82 | template: indexed-search/indexed-search.StatefulSet.yaml 83 | set: 84 | indexedSearch: 85 | priorityClassName: indexed-search-class 86 | asserts: 87 | - equal: 88 | path: spec.template.spec.priorityClassName 89 | value: indexed-search-class 90 | - it: set priority class on searcher 91 | template: searcher/searcher.StatefulSet.yaml 92 | set: 93 | searcher: 94 | priorityClassName: searcher-class 95 | asserts: 96 | - equal: 97 | path: spec.template.spec.priorityClassName 98 | value: searcher-class 99 | - it: set priority class on redisCache 100 | template: redis/redis-cache.Deployment.yaml 101 | set: 102 | redisCache: 103 | priorityClassName: redis-cache-class 104 | asserts: 105 | - equal: 106 | path: spec.template.spec.priorityClassName 107 | value: redis-cache-class 108 | - it: set priority class on redisStore 109 | template: redis/redis-store.Deployment.yaml 110 | set: 111 | 
redisStore: 112 | priorityClassName: redis-store-class 113 | asserts: 114 | - equal: 115 | path: spec.template.spec.priorityClassName 116 | value: redis-store-class 117 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/prometheusPrivileged_test.yaml: -------------------------------------------------------------------------------- 1 | suite: prometheusPrivileged 2 | templates: 3 | - NOTES.txt 4 | tests: 5 | - it: should not have the warning text when prometheus.privileged=true 6 | set: 7 | prometheus.privileged: true 8 | asserts: 9 | - notMatchRegexRaw: 10 | pattern: You have set 'prometheus.privileged' to 'false' 11 | - it: should have the warning text when prometheus.privileged=false 12 | set: 13 | prometheus.privileged: false 14 | asserts: 15 | - matchRegexRaw: 16 | pattern: You have set 'prometheus.privileged' to 'false' 17 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/serviceAccountAnnotations_test.yaml: -------------------------------------------------------------------------------- 1 | suite: serviceAccountAnnotations 2 | release: 3 | name: sourcegraph 4 | namespace: sourcegraph 5 | tests: 6 | - it: should render service account annotations when frontend.serviceAccount.annotations is defined 7 | set: 8 | frontend: 9 | serviceAccount: 10 | annotations: 11 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 12 | template: frontend/sourcegraph-frontend.ServiceAccount.yaml 13 | asserts: 14 | - equal: 15 | path: metadata.annotations 16 | value: 17 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 18 | - matchSnapshot: {} 19 | 20 | - it: should render service account annotations when cadvisor.serviceAccount.annotations is defined 21 | set: 22 | cadvisor: 23 | serviceAccount: 24 | annotations: 25 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 26 | 
template: cadvisor/cadvisor.ServiceAccount.yaml 27 | asserts: 28 | - equal: 29 | path: metadata.annotations 30 | value: 31 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 32 | - matchSnapshot: {} 33 | 34 | - it: should render service account annotations when prometheus.serviceAccount.annotations is defined 35 | set: 36 | prometheus: 37 | serviceAccount: 38 | annotations: 39 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 40 | template: prometheus/prometheus.ServiceAccount.yaml 41 | asserts: 42 | - equal: 43 | path: metadata.annotations 44 | value: 45 | iam.gke.io/gcp-service-account: sourcegraph@sourcegraph.iam.gserviceaccount.com 46 | - matchSnapshot: {} 47 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/serviceAccounts_test.yaml: -------------------------------------------------------------------------------- 1 | suite: serviceAccount 2 | release: 3 | name: sourcegraph 4 | namespace: sourcegraph 5 | tests: 6 | - it: should render service account when openTelemetry.gateway.serviceAccount.create is true 7 | set: 8 | openTelemetry: 9 | gateway: 10 | serviceAccount: 11 | create: true 12 | template: otel-collector/otel-collector.ServiceAccount.yaml 13 | asserts: 14 | - isKind: 15 | of: ServiceAccount 16 | - equal: 17 | path: metadata.name 18 | value: otel-collector 19 | - matchSnapshot: {} 20 | 21 | - it: should should reference service account when openTelemetry.gateway.serviceAccount.create is true 22 | set: 23 | openTelemetry: 24 | gateway: 25 | serviceAccount: 26 | create: true 27 | template: otel-collector/otel-collector.Deployment.yaml 28 | asserts: 29 | - equal: 30 | path: spec.template.spec.serviceAccountName 31 | value: otel-collector 32 | 33 | - it: should render service account when openTelemetry.agent.serviceAccount.create is true 34 | set: 35 | openTelemetry: 36 | agent: 37 | serviceAccount: 38 | create: true 39 | template: 
otel-collector/otel-agent.ServiceAccount.yaml 40 | asserts: 41 | - isKind: 42 | of: ServiceAccount 43 | - equal: 44 | path: metadata.name 45 | value: otel-agent 46 | - matchSnapshot: {} 47 | 48 | - it: should should reference service account when openTelemetry.agent.serviceAccount.create is true 49 | set: 50 | openTelemetry: 51 | agent: 52 | serviceAccount: 53 | create: true 54 | template: otel-collector/otel-agent.DaemonSet.yaml 55 | asserts: 56 | - equal: 57 | path: spec.template.spec.serviceAccountName 58 | value: otel-agent 59 | 60 | - it: should render service account when frontend.serviceAccount.create=true 61 | set: 62 | frontend: 63 | serviceAccount: 64 | create: true 65 | template: frontend/sourcegraph-frontend.ServiceAccount.yaml 66 | asserts: 67 | - isKind: 68 | of: ServiceAccount 69 | - equal: 70 | path: metadata.name 71 | value: sourcegraph-frontend 72 | -------------------------------------------------------------------------------- /charts/sourcegraph/tests/storageClass_test.yaml: -------------------------------------------------------------------------------- 1 | suite: storageClass 2 | templates: 3 | - storageclass.yaml 4 | tests: 5 | - it: should have parameters rendered when storageClass.parameters.zones=us-central1-f 6 | set: 7 | storageClass: 8 | create: true 9 | parameters: 10 | zones: us-central1-f 11 | asserts: 12 | - equal: 13 | path: parameters.zones 14 | value: us-central1-f 15 | - it: should not have 'type' when storageClass.type=null 16 | set: 17 | storageClass: 18 | create: true 19 | type: null 20 | asserts: 21 | - notExists: 22 | path: parameters.type 23 | - it: should have 'allowedTopologies` when storageClass.allowedTopologies is set 24 | set: 25 | storageClass: 26 | create: true 27 | allowedTopologies: 28 | - matchLabelExpressions: 29 | - key: topology.gke.io/zone 30 | values: 31 | - us-central1-a 32 | - us-central1-b 33 | - us-central1-f 34 | asserts: 35 | - equal: 36 | path: allowedTopologies[0] 37 | value: 38 | 
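matchLabelExpressions: 39 | - key: topology.gke.io/zone 40 | values: 41 | - us-central1-a 42 | - us-central1-b 43 | - us-central1-f 44 |
--------------------------------------------------------------------------------
/ci/override.yaml:
--------------------------------------------------------------------------------
# Values override used by CI and by the local-deploy instructions in dev/README.md.
storageClass:
  create: false
  name: standard

sourcegraph:
  localDevMode: true

--------------------------------------------------------------------------------
/dev/README.md:
--------------------------------------------------------------------------------
# How to deploy this chart locally


!! Make sure you are pointing toward a local cluster
From the root of the repo

helm template test ./charts/sourcegraph -f ci/override.yaml | kubectl apply -f -

--------------------------------------------------------------------------------
/scripts/ci/helm-unittest.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Installs the helm-unittest plugin and runs the unit tests of the main chart.

set -euf -o pipefail

### Install the helm-unittest plugin
# NOTE(review): this installs whatever the plugin repository's default branch
# currently holds, so the code executed in CI can change without any change to
# this repo. `helm plugin install` accepts `--version`; pinning it to a reviewed
# release (e.g. `--version <PINNED_PLUGIN_VERSION>`) makes the run reproducible.
helm plugin install https://github.com/helm-unittest/helm-unittest

### Run the helm tests
helm unittest -q charts/sourcegraph

--------------------------------------------------------------------------------
/scripts/ci/install-helm-env.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Installs Helm on a Debian/Ubuntu CI runner from the Helm apt repository.
# Needs sudo and network access; takes no arguments.

set -euf -o pipefail

# Dedicated keyring for the Helm repository. `apt-key add` is deprecated and
# puts the key into the global trust store, where it is trusted for every
# configured repository; `signed-by` limits it to this one source.
readonly HELM_KEYRING=/usr/share/keyrings/helm.gpg
readonly HELM_APT_LIST=/etc/apt/sources.list.d/helm-stable-debian.list

### Install Helm
sudo apt-get update
sudo apt-get install apt-transport-https gpg --yes

# -f makes curl fail on an HTTP error instead of piping an error page into gpg;
# together with `pipefail` a failed download now aborts the script.
# NOTE(review): the key is fetched from the same host that serves the packages,
# so TLS is the only protection here. If the key's fingerprint is available
# from an independent source, compare it before trusting the keyring.
curl --proto '=https' --tlsv1.2 -fsSL https://baltocdn.com/helm/signing.asc \
  | gpg --dearmor \
  | sudo tee "$HELM_KEYRING" >/dev/null

echo "deb [signed-by=${HELM_KEYRING}] https://baltocdn.com/helm/stable/debian/ all main" \
  | sudo tee "$HELM_APT_LIST"
sudo apt-get update
# --yes keeps the install non-interactive, matching the prerequisite install above.
sudo apt-get install helm --yes

--------------------------------------------------------------------------------
/scripts/ci/lint.sh: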
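--------------------------------------------------------------------------------
#!/bin/bash
#
# Runs `helm lint` on every chart in the repo and fails the job if any chart
# reports an error or a warning.

set -euf -o pipefail

### Run the helm tests
# lint_chart CHART
#   Lints charts/CHART and prints the full lint output.
#   Returns 255 if the output mentions a warning (case-insensitive), otherwise
#   the exit status of `helm lint`.
function lint_chart() {
  local chart="$1"
  local lint_output
  local lint_status=0

  echo "Linting chart ${chart}"
  # `|| lint_status=$?` records a failing lint without letting `set -e` abort
  # the script before the output below has been printed.
  lint_output=$(helm lint "charts/${chart}") || lint_status=$?

  # The output is passed as an argument, not as the printf format string, so
  # any '%' or backslash in it is printed literally.
  printf '\n\n===== Lint Output =====\n%s\n' "$lint_output"

  if grep -qi "warning" <<<"$lint_output"; then
    return 255
  fi
  return "$lint_status"
}

# The function used to call `exit`, which ended the script after the first
# chart, so the remaining charts were never linted. Every chart is linted now
# and the last non-zero status is reported at the end.
#
# NOTE(review): the repository tree lists Chart.yaml only under
# charts/sourcegraph-executor/dind and charts/sourcegraph-executor/k8s, and
# validate-schema.sh already targets those two paths, so the executor charts
# are linted per sub-chart here. Confirm against the chart layout.
overall_status=0
for chart in \
  "sourcegraph" \
  "sourcegraph-migrator" \
  "sourcegraph-executor/k8s" \
  "sourcegraph-executor/dind"; do
  lint_chart "$chart" || overall_status=$?
done

exit "$overall_status"

--------------------------------------------------------------------------------
/scripts/ci/validate-schema.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Renders each chart with default values and validates the rendered manifests
# against Kubernetes JSON schemas with kubeconform.
#
# Environment:
#   KUBECONFORM_SHA256  optional; expected SHA-256 of the downloaded archive.
#                       When set, the archive is verified before anything from
#                       it is unpacked or installed.

set -euf -o pipefail

readonly KUBECONFORM_ARCHIVE=kubeconform-linux-amd64.tar.gz

### Install kubeconform
wget "https://github.com/yannh/kubeconform/releases/download/v0.4.12/${KUBECONFORM_ARCHIVE}"

# The binary is copied to /usr/local/bin with sudo, so verify the archive when
# a digest is supplied. The digest has to come from a trusted source such as a
# reviewed CI variable, never from the same download that is being checked.
if [ -n "${KUBECONFORM_SHA256:-}" ]; then
  echo "${KUBECONFORM_SHA256}  ${KUBECONFORM_ARCHIVE}" | sha256sum --check --strict -
else
  echo "WARNING: KUBECONFORM_SHA256 is not set; archive integrity is not verified" >&2
fi

tar xf "$KUBECONFORM_ARCHIVE"
chmod +x kubeconform
sudo cp kubeconform /usr/local/bin

# validate_schema CHART_PATH OUTPUT_PREFIX
#   Renders CHART_PATH with `helm template` into OUTPUT_PREFIX-helm-default.yaml
#   and validates that file with kubeconform in strict mode.
function validate_schema() {
  local chart_path="$1"
  local rendered="$2-helm-default.yaml"

  echo "Validating schema for ${chart_path}"
  echo "Generating template output..."
  helm template sourcegraph-helm-default "$chart_path" > "$rendered"
  # NOTE(review): the schemas are read from the `master` branch of the schema
  # repository at run time, so validation results can change without any change
  # to this repo; pinning a commit would make the check reproducible.
  kubeconform -verbose -summary -strict \
    -schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/ \
    "$rendered"
}

validate_schema "./charts/sourcegraph" "sourcegraph"
validate_schema "./charts/sourcegraph-migrator" "sourcegraph-migrator"
validate_schema "./charts/sourcegraph-executor/k8s" "executor-k8s"
validate_schema "./charts/sourcegraph-executor/dind" "executor-dind"

--------------------------------------------------------------------------------
/scripts/helm-docs.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copy from https://github.com/linkerd/linkerd2/blob/main/bin/helm-docs
#
# Runs a pinned helm-docs release, downloading it into <repo>/target/bin on
# first use. All arguments are passed through to helm-docs.

set -euf -o pipefail

helmdocsv=1.7.0
bindir=$( cd "${0%/*}" && pwd ) # Change to script dir and set bin dir to this
targetbin=$( cd "$bindir"/.. && pwd )/target/bin
helmdocsbin=$targetbin/helm-docs-$helmdocsv
os=""
arch=""

if [ ! -f "$helmdocsbin" ]; then
  # Map the host OS and CPU to the names used in the release asset file name.
  case $(uname | tr '[:upper:]' '[:lower:]') in
    darwin*)
      os=darwin
      arch=x86_64
      ;;
    linux*)
      os=linux
      case $(uname -m) in
        x86_64) arch=x86_64 ;;
        amd64) arch=amd64 ;;
        arm)
          tmp=$(dpkg --print-architecture)
          if echo "$tmp" | grep -q arm64; then
            arch=arm64
          elif echo "$tmp" | grep -q armv7; then
            arch=armv7
          elif echo "$tmp" | grep -q armv6; then
            arch=armv6
          fi
          ;;
      esac
      ;;
    msys*)
      os=windows
      arch=x86_64
      ;;
  esac

  # An unmatched CPU used to leave $arch empty, producing a malformed download
  # URL and an opaque curl failure; reject it here alongside the unknown-OS case.
  if [ -z "$os" ] || [ -z "$arch" ]; then
    echo "Couldn't find a matching binary"
    exit 126
  fi
  helmdocscurl="https://github.com/norwoodj/helm-docs/releases/download/v$helmdocsv/helm-docs_${helmdocsv}_${os}_${arch}.tar.gz"
  tmp=$(mktemp -d -t helm-docs.XXX)
  mkdir -p "$targetbin"
  (
    cd "$tmp"
    # HTTPS-only, TLS >= 1.2, and -f so an HTTP error fails the download.
    # NOTE(review): the archive is executed without a digest check. The version
    # is pinned, so the expected SHA-256 could be recorded next to $helmdocsv
    # and compared here before extraction.
    curl --proto '=https' --tlsv1.2 -sSfL -o "./helm-docs.tar.gz" "$helmdocscurl"
    tar zf "./helm-docs.tar.gz" -x "helm-docs"
    chmod +x "helm-docs"
  )
  mv "$tmp/helm-docs" "$helmdocsbin"
  # Remove the scratch directory and the downloaded archive left in it.
  rm -rf "$tmp"
fi

"$helmdocsbin" "$@"
--------------------------------------------------------------------------------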