├── .buildkite ├── check-image-names.sh ├── ci-checkov.sh ├── cleanup-disks.sh ├── hooks │ └── pre-command ├── install-yj.sh ├── pipeline.yaml ├── rbac.jq ├── shfmt.sh ├── tools │ ├── check-image-names │ │ ├── check-image-names.go │ │ ├── check-image-names_test.go │ │ └── tests │ ├── enforce-tags │ │ └── main.go │ ├── tools.go │ └── update-docker-tags.sh ├── verify-label.sh ├── verify-overlays.sh ├── verify-rbac-labels.sh ├── verify-release │ ├── go.mod │ ├── go.sum │ ├── verify-release.go │ └── verify-release.sh └── verify-yaml.sh ├── .github ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── backport.yml │ ├── dispatch-update.yml.bk │ ├── pr-auditor.yml │ ├── scip.yml │ ├── semgrep.yaml │ └── update-tags.yml ├── .gitignore ├── .tool-versions ├── .vscode ├── extensions.json ├── settings.json └── tags ├── LICENSE ├── README.md ├── base ├── README.md ├── kustomization.yaml ├── monitoring │ ├── README.md │ ├── cadvisor │ │ ├── README.md │ │ ├── cadvisor.DaemonSet.yaml │ │ ├── cadvisor.Service.yaml │ │ ├── cadvisor.ServiceAccount.yaml │ │ └── kustomization.yaml │ ├── grafana │ │ ├── README.md │ │ ├── grafana.ConfigMap.yaml │ │ ├── grafana.Service.yaml │ │ ├── grafana.StatefulSet.yaml │ │ ├── kustomization.yaml │ │ └── rbac │ │ │ ├── grafana.ServiceAccount.yaml │ │ │ └── kustomization.yaml │ ├── jaeger │ │ ├── README.md │ │ ├── jaeger-collector.Service.yaml │ │ ├── jaeger-query.Service.yaml │ │ ├── jaeger.Deployment.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── node-exporter │ │ ├── kustomization.yaml │ │ ├── node-exporter.DaemonSet.yaml │ │ └── node-exporter.Service.yaml │ ├── otel-collector │ │ ├── kustomization.yaml │ │ ├── otel-agent.ConfigMap.yaml │ │ ├── otel-agent.DaemonSet.yaml │ │ ├── otel-collector.ConfigMap.yaml │ │ ├── otel-collector.Deployment.yaml │ │ └── otel-collector.Service.yaml │ └── prometheus │ │ ├── README.md │ │ ├── kustomization.yaml │ │ ├── prometheus.Deployment.yaml │ │ ├── prometheus.PersistentVolumeClaim.yaml │ │ ├── 
prometheus.Service.yaml │ │ ├── prometheus.yml │ │ └── rbac │ │ ├── kustomization.yaml │ │ ├── prometheus-rbac.yml │ │ ├── prometheus.ClusterRole.yaml │ │ ├── prometheus.ClusterRoleBinding.yaml │ │ └── prometheus.ServiceAccount.yaml └── sourcegraph │ ├── blobstore │ ├── blobstore.Deployment.yaml │ ├── blobstore.PersistentVolumeClaim.yaml │ ├── blobstore.Service.yaml │ └── kustomization.yaml │ ├── codeinsights-db │ ├── codeinsights-db.ConfigMap.yaml │ ├── codeinsights-db.PersistentVolumeClaim.yaml │ ├── codeinsights-db.Service.yaml │ ├── codeinsights-db.StatefulSet.yaml │ └── kustomization.yaml │ ├── codeintel-db │ ├── codeintel-db.ConfigMap.yaml │ ├── codeintel-db.PersistentVolumeClaim.yaml │ ├── codeintel-db.Service.yaml │ ├── codeintel-db.StatefulSet.yaml │ └── kustomization.yaml │ ├── frontend │ ├── kustomization.yaml │ ├── rbac │ │ ├── kustomization.yaml │ │ ├── sourcegraph-frontend.Role.yaml │ │ ├── sourcegraph-frontend.RoleBinding.yaml │ │ └── sourcegraph-frontend.ServiceAccount.yaml │ ├── sourcegraph-frontend-internal.Service.yaml │ ├── sourcegraph-frontend.ConfigMap.yaml │ ├── sourcegraph-frontend.Deployment.yaml │ ├── sourcegraph-frontend.Ingress.yaml │ └── sourcegraph-frontend.Service.yaml │ ├── gitserver │ ├── gitserver.Service.yaml │ ├── gitserver.StatefulSet.yaml │ └── kustomization.yaml │ ├── indexed-search │ ├── indexed-search.IndexerService.yaml │ ├── indexed-search.Service.yaml │ ├── indexed-search.StatefulSet.yaml │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── pgsql │ ├── kustomization.yaml │ ├── pgsql.ConfigMap.yaml │ ├── pgsql.PersistentVolumeClaim.yaml │ ├── pgsql.Service.yaml │ └── pgsql.StatefulSet.yaml │ ├── precise-code-intel │ ├── kustomization.yaml │ ├── worker.Deployment.yaml │ └── worker.Service.yaml │ ├── redis │ ├── kustomization.yaml │ ├── redis-cache.Deployment.yaml │ ├── redis-cache.PersistentVolumeClaim.yaml │ ├── redis-cache.Service.yaml │ ├── redis-store.Deployment.yaml │ ├── redis-store.PersistentVolumeClaim.yaml │ └── 
redis-store.Service.yaml │ ├── searcher │ ├── kustomization.yaml │ ├── searcher.Service.yaml │ └── searcher.StatefulSet.yaml │ ├── syntactic-code-intel │ ├── kustomization.yaml │ ├── worker.Deployment.yaml │ └── worker.Service.yaml │ ├── syntect-server │ ├── kustomization.yaml │ ├── syntect-server.Deployment.yaml │ └── syntect-server.Service.yaml │ └── worker │ ├── kustomization.yaml │ ├── worker-executors.Service.yaml │ ├── worker.Deployment.yaml │ └── worker.Service.yaml ├── components ├── README.md ├── clusters │ ├── aws │ │ ├── aws-ebs │ │ │ ├── README.md │ │ │ └── kustomization.yaml │ │ ├── ebs-csi │ │ │ ├── README.md │ │ │ └── kustomization.yaml │ │ └── managed-cert │ │ │ ├── kustomization.yaml │ │ │ └── patches │ │ │ └── frontend.Ingress.yaml │ ├── gke │ │ ├── configure │ │ │ ├── README.md │ │ │ └── kustomization.yaml │ │ └── managed-cert │ │ │ ├── kustomization.yaml │ │ │ └── patches │ │ │ └── frontend.Ingress.yaml │ ├── k3s │ │ ├── kustomization.yaml │ │ ├── monitoring │ │ │ ├── kustomization.yaml │ │ │ └── patches │ │ │ │ └── prometheus-k3s.yml │ │ └── patches │ │ │ └── sourcegraph-frontend.Ingress.yaml │ ├── minikube │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── remove-deployment-resources-container-0.yaml │ │ │ ├── remove-deployment-resources-container-1.yaml │ │ │ ├── remove-deployment-resources-container-init.yaml │ │ │ ├── remove-statefulset-resources-container-0.yaml │ │ │ └── remove-statefulset-resources-container-1.yaml │ └── old-base │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ ├── blobstore │ │ └── blobstore.Deployment.yaml │ │ ├── cadvisor │ │ └── cadvisor.DaemonSet.yaml │ │ ├── databases │ │ └── securityContext.yaml │ │ ├── frontend │ │ └── sourcegraph-frontend.Deployment.yaml │ │ ├── gitserver │ │ └── gitserver.StatefulSet.yaml │ │ ├── grafana │ │ └── grafana.StatefulSet.yaml │ │ ├── indexed-search │ │ └── indexed-search.StatefulSet.yaml │ │ ├── otel-collector │ │ └── otel-collector.Deployment.yaml 
│ │ ├── precise-code-intel │ │ └── worker.Deployment.yaml │ │ ├── redis │ │ ├── redis-cache.Deployment.yaml │ │ └── redis-store.Deployment.yaml │ │ ├── remove │ │ ├── securityContext-cluster.yaml │ │ ├── securityContext-container-0.yaml │ │ ├── securityContext-container-1.yaml │ │ ├── securityContext-daemonset.yaml │ │ ├── securityContext-databases.yaml │ │ └── securityContext-initContainer.yaml │ │ ├── searcher │ │ └── searcher.patchesJson6902.yaml │ │ ├── syntect-server │ │ └── syntect-server.Deployment.yaml │ │ └── worker │ │ └── worker.Deployment.yaml ├── custom │ ├── old-patches │ │ └── kustomization.yaml │ ├── otel-collector │ │ ├── README.md │ │ └── backend │ │ │ ├── kustomization.yaml │ │ │ └── patches │ │ │ └── otel-collector.Deployment.yaml │ ├── replica │ │ └── kustomization.yaml │ ├── resources │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── update-endpoints.yaml │ └── rke │ │ ├── config │ │ ├── custom.NodePort.yaml │ │ └── custom.StorageClass.yaml │ │ └── kustomization.yaml ├── disable │ ├── rockskip │ │ └── kustomization.yaml │ └── service-discovery │ │ ├── README.md │ │ ├── kustomization.yaml │ │ ├── patches │ │ ├── sourcegraph-frontend.Deployment.yaml │ │ ├── sourcegraph-frontend.Role.yaml │ │ └── sourcegraph-frontend.ServiceAccount.yaml │ │ └── role-binding │ │ ├── kustomization.yaml │ │ └── sourcegraph-frontend.RoleBinding.yaml ├── enable │ ├── otel-collector │ │ ├── README.md │ │ └── kustomization.yaml │ ├── private-registry │ │ ├── README.md │ │ └── kustomization.yaml │ ├── rockskip │ │ └── kustomization.yaml │ ├── service-discovery-default │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── sourcegraph-frontend.ConfigMap.yaml │ │ │ └── sourcegraph-frontend.Deployment.yaml │ ├── service-discovery │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── sourcegraph-frontend.ConfigMap.yaml │ │ │ └── sourcegraph-frontend.Deployment.yaml │ └── ssh │ │ ├── non-root │ │ └── kustomization.yaml │ │ └── root │ │ └── 
kustomization.yaml ├── executors │ ├── dind │ │ ├── README.md │ │ ├── docker-daemon.ConfigMap.yaml │ │ ├── executor.ConfigMap.yaml │ │ ├── executor.Deployment.yaml │ │ ├── executor.Service.yaml │ │ ├── kustomization.yaml │ │ ├── patches │ │ │ ├── deployment-patch.yaml │ │ │ ├── docker-daemon.ConfigMap.yaml │ │ │ └── executor.ConfigMap.yaml │ │ └── private-docker-registry │ │ │ ├── kustomization.yaml │ │ │ ├── private-docker-registry.Deployment.yaml │ │ │ ├── private-docker-registry.PersistentVolumeClaim.yaml │ │ │ └── private-docker-registry.Service.yaml │ └── k8s │ │ ├── README.md │ │ ├── executor.ConfigMap.yaml │ │ ├── executor.Deployment.yaml │ │ ├── executor.PersistentVolumeClaim.yaml │ │ ├── executor.Service.yaml │ │ ├── kustomization.yaml │ │ ├── patches │ │ └── executor.ConfigMap.yaml │ │ └── rbac │ │ ├── executor.Role.yaml │ │ ├── executor.RoleBinding.yaml │ │ ├── executor.ServiceAccount.yaml │ │ └── kustomization.yaml ├── ingress │ ├── alb │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── frontend.Ingress.yaml │ ├── annotations │ │ └── kustomization.yaml │ ├── gke │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── frontend-internal.Service.yaml │ │ │ ├── frontend.BackendConfig.yaml │ │ │ ├── frontend.Ingress.yaml │ │ │ └── frontend.Service.yaml │ ├── hostname │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── frontend.Ingress.yaml │ ├── k3s │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── sourcegraph-frontend.Ingress.yaml │ └── nginx-controller │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ ├── ingress-nginx.Deployment.yaml │ │ └── ingress-nginx.Service.yaml ├── monitoring │ ├── cadvisor │ │ └── kustomization.yaml │ ├── grafana │ │ ├── dashboards │ │ │ ├── kustomization.yaml │ │ │ ├── patch.yaml │ │ │ └── process │ │ │ │ ├── containers.json │ │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── no-rbacs │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── 
patches │ │ │ └── grafana │ │ │ └── grafana.StatefulSet.yaml │ ├── non-root │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── grafana │ │ │ └── grafana.StatefulSet.yaml │ │ │ └── prometheus │ │ │ ├── prometheus.ConfigMap.yaml │ │ │ ├── prometheus.Deployment.yaml │ │ │ └── prometheus.RoleBinding.yaml │ ├── otel │ │ └── kustomization.yaml │ ├── privileged │ │ ├── README.md │ │ └── kustomization.yaml │ ├── rbacs │ │ ├── README.md │ │ ├── grafana │ │ │ └── grafana.StatefulSet.yaml │ │ ├── kustomization.yaml │ │ └── prometheus │ │ │ └── prometheus.Deployment.yaml │ └── tracing │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ ├── grafana.ConfigMap.yaml │ │ └── otel-collector.Deployment.yaml ├── network │ ├── envoy │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── gitserver.EnvoyFilter.yaml │ ├── loadbalancer │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── sourcegraph-frontend.Service.yaml │ ├── network-policy │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── sourcegraph.Namespace.yaml │ │ │ └── sourcegraph.NetworkPolicy.yaml │ ├── nodeport │ │ ├── 30080 │ │ │ ├── kustomization.yaml │ │ │ └── patches │ │ │ │ └── 30080.yaml │ │ └── custom │ │ │ ├── kustomization.yaml │ │ │ └── patches │ │ │ └── custom.NodePort.yaml │ ├── tls-secretname │ │ └── kustomization.yaml │ └── tls │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ └── frontend.Ingress.yaml ├── patches │ ├── endpoints-update.yaml │ ├── frontend-ingress.annotations.yaml │ ├── frontend-vars.yaml │ ├── resources.yaml │ └── security-context │ │ ├── monitoring │ │ ├── cadvisor.DaemonSet.yaml │ │ ├── grafana.StatefulSet.yaml │ │ ├── node-exporter.DaemonSet.yaml │ │ ├── otel-agent.DaemonSet.yaml │ │ ├── otel-collector.Deployment.yaml │ │ └── prometheus.Deployment.yaml │ │ └── sourcegraph │ │ ├── blobstore.Deployment.yaml │ │ ├── codeinsights-db.StatefulSet.yaml │ │ ├── codeintel-db.StatefulSet.yaml │ │ ├── gitserver.StatefulSet.yaml │ │ ├── indexed-search.StatefulSet.yaml │ │ ├── 
pgsql.StatefulSet.yaml │ │ ├── precise-code-intel-worker.Deployment.yaml │ │ ├── redis-cache.Deployment.yaml │ │ ├── redis-store.Deployment.yaml │ │ ├── searcher.StatefulSet.yaml │ │ ├── sourcegraph-frontend.Deployment.yaml │ │ ├── syntect-server.Deployment.yaml │ │ └── worker.Deployment.yaml ├── privileged │ ├── README.md │ ├── kustomization.yaml │ └── patches │ │ ├── blobstore │ │ └── blobstore.Deployment.yaml │ │ ├── databases │ │ └── securityContext.yaml │ │ ├── frontend │ │ └── sourcegraph-frontend.Deployment.yaml │ │ ├── gitserver │ │ └── gitserver.StatefulSet.yaml │ │ ├── indexed-search │ │ └── indexed-search.StatefulSet.yaml │ │ ├── precise-code-intel │ │ └── worker.Deployment.yaml │ │ ├── redis │ │ ├── redis-cache.Deployment.yaml │ │ └── redis-store.Deployment.yaml │ │ ├── searcher │ │ └── searcher.yaml │ │ ├── syntect-server │ │ └── syntect-server.Deployment.yaml │ │ └── worker │ │ └── worker.Deployment.yaml ├── remove │ ├── codeinsights-db │ │ ├── deployment │ │ │ └── kustomization.yaml │ │ └── statefulset │ │ │ └── kustomization.yaml │ ├── codeintel-db │ │ ├── deployment │ │ │ └── kustomization.yaml │ │ └── statefulset │ │ │ └── kustomization.yaml │ ├── daemonset │ │ ├── README.md │ │ └── kustomization.yaml │ ├── default-ingress │ │ └── kustomization.yaml │ ├── otel-collector │ │ └── kustomization.yaml │ ├── pgsql │ │ ├── deployment │ │ │ └── kustomization.yaml │ │ └── statefulset │ │ │ └── kustomization.yaml │ ├── prometheus │ │ └── kustomization.yaml │ ├── pvcs │ │ └── kustomization.yaml │ ├── redis │ │ └── kustomization.yaml │ ├── requests │ │ └── kustomization.yaml │ ├── resources │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── container-0.yaml │ │ │ ├── container-1.yaml │ │ │ └── container-init.yaml │ ├── searcher-statefulset │ │ └── kustomization.yaml │ └── security-context │ │ ├── kustomization.yaml │ │ └── patches │ │ ├── securityContext-cluster.yaml │ │ ├── securityContext-container-0.yaml │ │ ├── 
securityContext-container-1.yaml │ │ ├── securityContext-daemonset.yaml │ │ ├── securityContext-databases.yaml │ │ └── securityContext-initContainer.yaml ├── resources │ ├── ci-volume │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── gitserver-patch.yaml │ │ │ └── indexed-search-patch.yaml │ ├── imagepullsecrets │ │ └── kustomization.yaml │ ├── lower-requests │ │ └── kustomization.yaml │ └── namespace │ │ ├── kustomization.yaml │ │ └── patches │ │ └── sourcegraph.Namespace.yaml ├── services │ ├── codeinsights-db │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── codeinsights-db.Deployment.yaml │ ├── codeintel-db │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── codeintel-db.Deployment.yaml │ ├── pgsql │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── pgsql.Deployment.yaml │ ├── redis │ │ └── kustomization.yaml │ └── searcher │ │ ├── README.md │ │ ├── deployment │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── searcher.Deployment.yaml │ │ └── statefulset │ │ ├── kustomization.yaml │ │ └── patches │ │ └── searcher.StatefulSet.yaml ├── sizes │ ├── .DS_Store │ ├── l │ │ ├── .DS_Store │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── codeinsights-db.yaml │ │ │ ├── codeintel-db.yaml │ │ │ ├── endpoints.yaml │ │ │ ├── pgsql.yaml │ │ │ └── searcher.yaml │ ├── m │ │ ├── .DS_Store │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── codeinsights-db.yaml │ │ │ ├── codeintel-db.yaml │ │ │ ├── endpoints.yaml │ │ │ ├── pgsql.yaml │ │ │ └── searcher.yaml │ ├── s │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── codeinsights-db.yaml │ │ │ ├── codeintel-db.yaml │ │ │ ├── endpoints.yaml │ │ │ ├── pgsql.yaml │ │ │ └── searcher.yaml │ ├── xl │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── codeinsights-db.yaml │ │ │ ├── codeintel-db.yaml │ │ │ ├── endpoints.yaml │ │ │ ├── pgsql-conf.yaml │ │ │ ├── pgsql.yaml │ │ │ └── searcher.yaml │ └── xs │ │ ├── README.md │ │ ├── 
kustomization.yaml │ │ └── patches │ │ ├── databases.yaml │ │ ├── endpoints.yaml │ │ └── searcher.yaml ├── storage-class │ ├── aws │ │ ├── aws-ebs │ │ │ ├── README.md │ │ │ ├── kustomization.yaml │ │ │ └── sourcegraph.StorageClass.yaml │ │ └── ebs-csi │ │ │ ├── README.md │ │ │ ├── kustomization.yaml │ │ │ └── sourcegraph.StorageClass.yaml │ ├── azure │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── sourcegraph.StorageClass.yaml │ ├── cloud │ │ ├── kustomization.yaml │ │ └── patches │ │ │ └── sourcegraph.StorageClass.yaml │ ├── gcp │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── sourcegraph.StorageClass.yaml │ ├── k3s │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── replace-storageclass-name-pvc.yaml │ │ │ └── replace-storageclass-name-sts.yaml │ ├── minikube │ │ └── kustomization.yaml │ ├── name-update │ │ ├── kustomization.yaml │ │ └── patches │ │ │ ├── replace-storageclass-name-pvc.yaml │ │ │ ├── replace-storageclass-name-sts.yaml │ │ │ └── replacement.yaml │ ├── sourcegraph │ │ ├── README.md │ │ └── kustomization.yaml │ ├── ssd │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── pod-tmp-gc │ │ │ ├── kustomization.yaml │ │ │ ├── pod-tmp-gc.ClusterRole.yaml │ │ │ ├── pod-tmp-gc.ClusterRoleBinding.yaml │ │ │ ├── pod-tmp-gc.DaemonSet.yaml │ │ │ └── pod-tmp-gc.ServiceAccount.yaml │ └── trident │ │ ├── ext3 │ │ ├── kustomization.yaml │ │ └── sourcegraph.StorageClass.yaml │ │ ├── ext4 │ │ ├── kustomization.yaml │ │ └── sourcegraph.StorageClass.yaml │ │ └── xfs │ │ ├── kustomization.yaml │ │ └── sourcegraph.StorageClass.yaml └── utils │ ├── endpoints │ ├── endpoints-update.yaml │ └── kustomization.yaml │ ├── migrate-to-nonprivileged │ ├── README.md │ ├── blobstore │ │ └── blobstore.Deployment.yaml │ ├── gitserver │ │ └── gitserver.StatefulSet.yaml │ ├── grafana │ │ └── grafana.StatefulSet.yaml │ ├── images-update.yaml │ ├── indexed-search │ │ └── indexed-search.StatefulSet.yaml │ ├── kustomization.yaml │ ├── prometheus │ │ └── prometheus.Deployment.yaml │ 
├── redis │ │ ├── redis-cache.Deployment.yaml │ │ └── redis-store.Deployment.yaml │ └── searcher │ │ └── searcher.Deployment.yaml │ ├── migrator │ ├── README.md │ ├── kustomization.yaml │ └── resources │ │ ├── migrator.Job.yaml │ │ └── sourcegraph-frontend.ConfigMap.yaml │ ├── multi-version-upgrade │ ├── README.md │ └── kustomization.yaml │ └── uid │ ├── kustomization.yaml │ └── patches │ └── databases.yaml ├── examples ├── README.md ├── aws │ ├── README.md │ ├── ebs │ │ ├── README.md │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── with-tracing │ │ └── kustomization.yaml ├── base │ ├── README.md │ ├── kustomization.yaml │ ├── l │ │ └── kustomization.yaml │ ├── m │ │ └── kustomization.yaml │ ├── s │ │ └── kustomization.yaml │ ├── xl │ │ └── kustomization.yaml │ └── xs │ │ └── kustomization.yaml ├── demo │ └── private-registry │ │ ├── buildConfig.yaml │ │ └── kustomization.yaml ├── dev │ ├── README.md │ └── kustomization.yaml ├── executors │ ├── README.md │ ├── kustomization.yaml │ └── patches │ │ └── executor.ConfigMap.yaml ├── gke │ ├── README.md │ ├── default │ │ ├── README.md │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── rbac │ │ ├── README.md │ │ └── kustomization.yaml ├── ingress-controller │ ├── README.md │ ├── aws │ │ └── kustomization.yaml │ └── cloud │ │ └── kustomization.yaml ├── k3s │ ├── README.md │ ├── kustomization.yaml │ ├── l │ │ └── kustomization.yaml │ ├── m │ │ └── kustomization.yaml │ ├── s │ │ └── kustomization.yaml │ ├── xl │ │ └── kustomization.yaml │ └── xs │ │ └── kustomization.yaml ├── migrator │ └── kustomization.yaml ├── minikube │ ├── README.md │ ├── full │ │ └── kustomization.yaml │ └── kustomization.yaml ├── monitoring │ ├── README.md │ ├── cadvisor │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── privileged │ │ ├── README.md │ │ └── kustomization.yaml ├── old-cluster │ ├── README.md │ └── kustomization.yaml └── privileged │ ├── README.md │ ├── kustomization.yaml │ ├── l │ └── kustomization.yaml │ ├── m │ 
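└── kustomization.yaml │ ├── s │ └── kustomization.yaml │ ├── xl │ └── kustomization.yaml │ └── xs │ └── kustomization.yaml ├── go.mod ├── go.sum ├── instances ├── README.md └── template │ ├── buildConfig.template.yaml │ └── kustomization.template.yaml └── release.yaml

/.buildkite/check-image-names.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# CI step: runs the check-image-names Go tool against the manifests in base/.

set -euxo pipefail

# Resolve the repository root from this script's location so the step works
# regardless of the caller's working directory.
cd "$(dirname "${BASH_SOURCE[0]}")/.."
ROOT="$(pwd)"

# `go run` is started from the tool's own directory, so base/ is passed as an
# absolute path built from ROOT.
pushd .buildkite/tools/check-image-names

echo "--- Check to see if all manifests contain valid image names"
go run check-image-names.go "${ROOT}"/base

--------------------------------------------------------------------------------
/.buildkite/hooks/pre-command:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Buildkite pre-command hook: installs the tool versions listed in the
# repository's .tool-versions file through asdf before each command runs.

set -eu
pushd "$(dirname "${BASH_SOURCE[0]}")"/../..

WORKDIR=$(pwd)

echo "Installing asdf dependencies as defined in '${WORKDIR}/.tool-versions':"
asdf install

--------------------------------------------------------------------------------
/.buildkite/install-yj.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Installs the yj binary into /usr/local/bin when yj is not already on PATH.
#
# Environment:
#   YJ_SHA256  optional; expected SHA-256 of the downloaded release asset.
#              When set, the download is verified before it is installed.
#              CI should set it to the digest of the pinned release.

# Abort on the first failure so that a failed download is never installed.
set -euo pipefail

VERSION=1.0.0

if ! command -v yj >/dev/null 2>&1; then
  echo "Installing yj to /usr/local/bin"

  # Download to a temporary file first: `wget -O` creates its target even when
  # the request fails, which would otherwise leave an empty or partial
  # executable at /usr/local/bin/yj.
  tmp="$(mktemp)"
  trap 'rm -f "${tmp}"' EXIT

  wget "https://github.com/sourcegraph/yj/releases/download/v${VERSION}/yj-${VERSION}-linux-amd64" -O "${tmp}"

  # The binary is fetched over the network and then executed by CI, so verify
  # it against a known digest whenever one is supplied.
  if [ -n "${YJ_SHA256:-}" ]; then
    echo "${YJ_SHA256}  ${tmp}" | sha256sum --check --status || {
      echo "yj ${VERSION}: SHA-256 mismatch, refusing to install" >&2
      exit 1
    }
  else
    echo "WARNING: YJ_SHA256 is not set; installing yj ${VERSION} without checksum verification" >&2
  fi

  install -m 0755 "${tmp}" /usr/local/bin/yj
fi

--------------------------------------------------------------------------------
/.buildkite/rbac.jq:
--------------------------------------------------------------------------------
# jq filter used by .buildkite/verify-rbac-labels.sh. The input is an array of
# Kubernetes objects (the caller runs jq with -s); the result is true only when
# every RBAC-related object carries metadata.labels.category == "rbac".

# True when the object's apiVersion belongs to the RBAC API group.
def rbacAPI:
  .apiVersion and
  (.apiVersion | contains("rbac.authorization.k8s.io"));

# Non-null when the object's kind is one of the listed kinds. index() returns a
# number or null, and jq treats only null and false as falsy, so position 0
# ("Role") still counts as a match.
def rbacKind:
  .kind as $k
  | ["Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding", "ServiceAccount"]
  | index($k);

def isRBAC:
  rbacAPI or rbacKind;

# Objects that are not RBAC-related pass unconditionally.
def hasLabel:
  if . | isRBAC then
    .metadata.labels.category == "rbac"
  else
    true
  end;

. | all(hasLabel)

--------------------------------------------------------------------------------
/.buildkite/shfmt.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# CI step: runs `shfmt -d` over the repository, which prints a diff for every
# shell file whose formatting differs from shfmt's output.

set -ex

cd "$(dirname "${BASH_SOURCE[0]}")"/..

shfmt -d .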
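--------------------------------------------------------------------------------
/.buildkite/tools/check-image-names/check-image-names_test.go:
--------------------------------------------------------------------------------
package main

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

// TestCheckImages runs CheckImages against the "tests" fixture next to this
// file and expects it to report the image name "foo" as missing from the
// upstream list.
func TestCheckImages(t *testing.T) {

	errorString := "image: foo is not in the upstream list"
	err := CheckImages("tests")
	assert.NotNil(t, err)
	assert.Contains(t, err.Error(), errorString)

}

--------------------------------------------------------------------------------
/.buildkite/tools/check-image-names/tests:
--------------------------------------------------------------------------------
foo/test:asdfasdf
index.docker.io/sourcegraph/foo:2323423@sha256:asdfasdfasdfasdf

--------------------------------------------------------------------------------
/.buildkite/tools/tools.go:
--------------------------------------------------------------------------------
//+build tools

// Package tools is only compiled under the "tools" build tag. Its blank import
// keeps the CLI below in go.mod so that its version is pinned.
package tools

import (
	// pins update-docker-tags CLI version
	_ "github.com/sourcegraph/update-docker-tags"
)

--------------------------------------------------------------------------------
/.buildkite/tools/update-docker-tags.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Runs the enforce-tags tool over base/ and examples/ with the tag constraint
# given as the first argument.

set -e

# NOTE(review): this script lives in .buildkite/tools/, so "/.." resolves to
# .buildkite/ rather than the repository root, while the paths below are
# written relative to the root. Confirm how the script is invoked.
root_dir="$(dirname "${BASH_SOURCE[0]}")/.."
cd "$root_dir"

# NOTE(review): there is no check that an argument was supplied; without one an
# empty constraint is passed to enforce-tags.
CONSTRAINT=$1

go run .buildkite/tools/enforce-tags "$CONSTRAINT" base/
go run .buildkite/tools/enforce-tags "$CONSTRAINT" examples/

--------------------------------------------------------------------------------
/.buildkite/verify-label.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# CI check: every manifest under base/ (kustomization.yaml files excluded) must
# carry the label metadata.labels.deploy == "sourcegraph".

set -e -o pipefail

cd "$(dirname "${BASH_SOURCE[0]}")/.."

command -v yj >/dev/null 2>&1 || .buildkite/install-yj.sh

find base -name "*.yaml" -not -name 'kustomization.yaml' -print0 | while IFS= read -r -d '' file; do
  # -e makes jq's exit status follow the result of the expression. Without it
  # jq exits 0 even when the comparison is false, and the check can never fail.
  if ! yj <"$file" | jq -e '.metadata.labels.deploy == "sourcegraph"' >/dev/null; then
    echo "$file does not contain .metadata.labels.deploy == sourcegraph"
    # The loop runs in a pipeline subshell; pipefail together with set -e turns
    # this exit into a failure of the whole script.
    exit 1
  fi
done

--------------------------------------------------------------------------------
/.buildkite/verify-overlays.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# CI check: builds each example overlay with `kubectl kustomize` to confirm
# that it renders. The generated output is discarded.

set -eu
pushd "$(dirname "${BASH_SOURCE[0]}")"/..

# Direct sub-directories of examples/, minus hidden directories, the listed
# exclusions and examples/ itself.
OVERLAYS=()
mapfile -t OVERLAYS < <(find examples -maxdepth 1 -type d ! -name '.*' ! -name 'demo' ! -name 'monitoring' ! -name 'ingress-controller' ! -name 'examples' -printf '%f\n')

for O in "${OVERLAYS[@]}"; do
  echo "<<<< GENERATING ${O} OVERLAY >>>>>"
  DIR=ci-generated-cluster
  # NOTE(review): when kustomize fails, set -e stops the script before the
  # rm below, so the directory is left behind and the next mkdir fails.
  mkdir "${DIR}"
  kubectl kustomize examples/"${O}" -o "${DIR}"
  rm -rf "${DIR}"
done

--------------------------------------------------------------------------------
/.buildkite/verify-rbac-labels.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# CI check: every RBAC-related manifest under base/ must carry the label
# 'category: rbac' (the rule itself is in .buildkite/rbac.jq).

set -ex

cd "$(dirname "${BASH_SOURCE[0]}")/.."

# Each file name reaches the inner shell as the positional argument $1 and is
# quoted there. Substituting the name into the command string instead would
# let a file name containing spaces or shell metacharacters be interpreted as
# shell code.
# NOTE(review): the inner sh has no pipefail, so a failing or missing yaml2json
# feeds jq empty input, for which rbac.jq yields true and the file passes.
missing_labels=$(find base -name "*.yaml" -print0 | xargs -0 -n1 sh -c 'yaml2json <"$1" | jq -s --exit-status -f .buildkite/rbac.jq >/dev/null || echo "$1"' _)

if [ -n "${missing_labels}" ]; then
  # The redirection hides the `set -x` trace lines for the echo commands.
  {
    echo "> Some files that declare RBAC-related resources are missing the 'category: rbac' label."
    echo "> The 'category: rbac' label allows users to filter out these resources when applying them to a K8s cluster if they lack sufficient permissions."
    echo "> Please add 'metadata.labels.category: rbac' to the following files:"
    echo "${missing_labels}"
  } 2>/dev/null
  exit 1
fi

--------------------------------------------------------------------------------
/.buildkite/verify-release/go.mod:
--------------------------------------------------------------------------------
module verify-release

go 1.16

require golang.org/x/mod v0.4.2

--------------------------------------------------------------------------------
/.buildkite/verify-release/verify-release.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# CI step: runs verify-release.go against the manifests in base/.

# NOTE(review): this cd runs before `set -e` takes effect, so a failure here
# would not stop the script.
cd "$(dirname "${BASH_SOURCE[0]}")/../.."
set -euxo pipefail

ROOT="$(pwd)"
cd .buildkite/verify-release

echo "--- Check to see if semver tag are set in release branch"
go run verify-release.go -verbose=true "${ROOT}"/base

--------------------------------------------------------------------------------
/.buildkite/verify-yaml.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# CI check: renders base/ with kustomize, validates the result against a GKE
# cluster in dry-run mode, then runs the deploy-label check.

set -ex
cd "$(dirname "${BASH_SOURCE[0]}")/.."

# Fetches credentials for the cluster named "cloud" into the kubeconfig of the
# CI agent.
gcloud container clusters get-credentials cloud --zone us-central1-f --project sourcegraph-dev

# --dry-run is the only thing that keeps this apply from changing the cluster
# selected by --context.
# NOTE(review): the bare form of the flag is deprecated; kubectl expects an
# explicit --dry-run=client or --dry-run=server. The credentials used by this
# step should also be limited to what a dry run needs.
kubectl kustomize ./base/. | kubectl apply --dry-run --validate --context=gke_sourcegraph-dev_us-central1-f_cloud -f -

.buildkite/verify-label.sh

--------------------------------------------------------------------------------
/.github/workflows/backport.yml:
--------------------------------------------------------------------------------
name: Backport
on:
  # pull_request_target runs in the context of the base repository, which is
  # why the job can read the secret used below.
  pull_request_target:
    types:
      - closed
      - labeled

# NOTE(review): there is no `permissions:` block, so the job's GITHUB_TOKEN gets
# the repository default. Consider declaring the minimum the action needs.
jobs:
  backport:
    name: Backport
    runs-on: ubuntu-latest
    # Only react to merged PRs for security reasons.
    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
    if: >
      github.event.pull_request.merged
      && (
        github.event.action == 'closed'
        || (
          github.event.action == 'labeled'
          && contains(github.event.label.name, 'backport')
        )
      )
    steps:
      # NOTE(review): @v2 is a mutable tag and this step receives a repository
      # token. Pinning the action to a full commit SHA
      # (sourcegraph/backport@<COMMIT_SHA_PLACEHOLDER>) fixes the code that runs.
      - uses: sourcegraph/backport@v2
        with:
          github_token: ${{ secrets.BACKPORT_GITHUB_TOKEN }}

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.env
.envrc
# NOTE(review): `.crt` and `.key` match only files with exactly those names. If
# the intent is to keep certificates and private keys out of the repository,
# the patterns would be `*.crt` and `*.key`. Confirm.
.crt
.key
id_rsa
known_hosts
dev-clusters
test.yaml
ci-generated-cluster
.idea

--------------------------------------------------------------------------------
/.tool-versions:
--------------------------------------------------------------------------------
golang 1.21.5
yarn 1.22.4
kubectl 1.25.9
fd 7.4.0
kustomize 4.5.7
shfmt 3.1.0
nodejs 20.8.1
github-cli 2.46.0
python system

--------------------------------------------------------------------------------
/.vscode/extensions.json:
--------------------------------------------------------------------------------
{
  // See http://go.microsoft.com/fwlink/?LinkId=827846
  // for the documentation about the extensions.json format
  "recommendations": [
    "EditorConfig.editorconfig",
    "esbenp.prettier-vscode",
    "dbaeumer.vscode-eslint",
    "foxundermoon.shell-format",
    "timonwong.shellcheck"
  ]
}

--------------------------------------------------------------------------------
/.vscode/settings.json:
--------------------------------------------------------------------------------
{
  "[yaml]": {
    "editor.formatOnSave": true
  },
  "[shellscript]": {
    "editor.defaultFormatter": "foxundermoon.shell-format",
    "editor.formatOnSave": true
  },
  "shellformat.flag": "-i 2 -ci"
}

--------------------------------------------------------------------------------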
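/.vscode/tags:
--------------------------------------------------------------------------------
!_TAG_FILE_FORMAT 2 /extended format; --format=1 will not append ;" to lines/
!_TAG_FILE_SORTED 1 /0=unsorted, 1=sorted, 2=foldcase/
!_TAG_OUTPUT_MODE u-ctags /u-ctags or e-ctags/
!_TAG_PROGRAM_AUTHOR Universal Ctags Team //
!_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/
!_TAG_PROGRAM_URL https://ctags.io/ /official site/
!_TAG_PROGRAM_VERSION 0.0.0 /e5c86f7/

--------------------------------------------------------------------------------
/base/kustomization.yaml:
--------------------------------------------------------------------------------
# Root of the base layer: pulls in the monitoring and sourcegraph directories.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - monitoring
  - sourcegraph

--------------------------------------------------------------------------------
/base/monitoring/README.md:
--------------------------------------------------------------------------------
# Sourcegraph Monitoring Stack

The monitoring stack includes the following services:

- grafana
- node-exporter
- prometheus
- otel-collector

cAdvisor is not included in the monitoring stack by default.

## cAdvisor

cAdvisor must be run as root in a Kubernetes cluster with role-based access control (RBAC) enabled to collect metrics.

You can add the cadvisor component to your overlay to deploy cAdvisor.

--------------------------------------------------------------------------------
/base/monitoring/cadvisor/cadvisor.Service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: cadvisor
  annotations:
    # Scrape hints; presumably read by the Prometheus configuration under
    # base/monitoring/prometheus (not shown here).
    prometheus.io/port: "48080"
    sourcegraph.prometheus/scrape: "true"
  labels:
    app: cadvisor
    deploy: sourcegraph
    sourcegraph-resource-requires: no-cluster-admin
    app.kubernetes.io/component: cadvisor
spec:
  # Headless Service: no virtual IP is allocated, and DNS returns the addresses
  # of the pods selected below.
  clusterIP: None
  ports:
    - name: http # For querying metrics.
      port: 48080
  selector:
    app: cadvisor
  type: ClusterIP

--------------------------------------------------------------------------------
/base/monitoring/cadvisor/cadvisor.ServiceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cadvisor
    # Required on every ServiceAccount under base/ by
    # .buildkite/verify-rbac-labels.sh.
    category: rbac
    deploy: sourcegraph
    # Unlike the cadvisor Service, this resource is marked as needing
    # cluster-admin to apply.
    sourcegraph-resource-requires: cluster-admin
    app.kubernetes.io/component: cadvisor
  name: cadvisor

--------------------------------------------------------------------------------
/base/monitoring/cadvisor/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cadvisor.DaemonSet.yaml
  - cadvisor.ServiceAccount.yaml
  - cadvisor.Service.yaml

--------------------------------------------------------------------------------
/base/monitoring/grafana/README.md:
--------------------------------------------------------------------------------
# Grafana

[Grafana](https://grafana.com/) is an open-source analytics dashboard application.

A Grafana instance is part of the default Sourcegraph cluster installation.
Learn more about Grafana in the [metrics and dashboards guide](https://docs.sourcegraph.com/admin/observability/metrics).

--------------------------------------------------------------------------------
/base/monitoring/grafana/grafana.Service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  labels:
    app: grafana
    deploy: sourcegraph
    sourcegraph-resource-requires: no-cluster-admin
    app.kubernetes.io/component: grafana
  name: grafana
spec:
  ports:
    - name: http
      port: 30070
      # Named port; resolved against the container port called "http" in the
      # selected pods (the pod spec is not shown here).
      targetPort: http
  selector:
    app: grafana
  # ClusterIP: reachable from inside the cluster only.
  type: ClusterIP

--------------------------------------------------------------------------------
/base/monitoring/grafana/kustomization.yaml:
--------------------------------------------------------------------------------
# The ServiceAccount is not listed here; it lives in the rbac/ sub-directory
# with its own kustomization.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - grafana.ConfigMap.yaml
  - grafana.Service.yaml
  - grafana.StatefulSet.yaml

--------------------------------------------------------------------------------
/base/monitoring/grafana/rbac/grafana.ServiceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
# Pods running under this ServiceAccount pull images with the secret named
# docker-registry; that secret is not defined in the files shown here.
imagePullSecrets:
  - name: docker-registry
kind: ServiceAccount
metadata:
  labels:
    category: rbac
    deploy: sourcegraph
    sourcegraph-resource-requires: no-cluster-admin
    app.kubernetes.io/component: grafana
  name: grafana

--------------------------------------------------------------------------------
/base/monitoring/grafana/rbac/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - grafana.ServiceAccount.yaml

--------------------------------------------------------------------------------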
/base/monitoring/jaeger/README.md: -------------------------------------------------------------------------------- 1 | # Jaeger 2 | 3 | A Jaeger backend, consisting of its [Collector](https://www.jaegertracing.io/docs/1.37/architecture/#collector) and [Query](https://www.jaegertracing.io/docs/1.37/architecture/#query) components. 4 | -------------------------------------------------------------------------------- /base/monitoring/jaeger/jaeger-collector.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: jaeger-collector 5 | labels: 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | app.kubernetes.io/component: jaeger 9 | app: jaeger 10 | app.kubernetes.io/name: jaeger 11 | spec: 12 | ports: 13 | - name: jaeger-collector-tchannel 14 | port: 14267 15 | protocol: TCP 16 | targetPort: 14267 17 | - name: jaeger-collector-http 18 | port: 4321 19 | protocol: TCP 20 | targetPort: 4321 21 | - name: jaeger-collector-grpc 22 | port: 4320 23 | protocol: TCP 24 | targetPort: 4320 25 | selector: 26 | app.kubernetes.io/name: jaeger 27 | app.kubernetes.io/component: all-in-one 28 | type: ClusterIP 29 | -------------------------------------------------------------------------------- /base/monitoring/jaeger/jaeger-query.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: jaeger-query 5 | labels: 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | app.kubernetes.io/component: jaeger 9 | app: jaeger 10 | app.kubernetes.io/name: jaeger 11 | spec: 12 | ports: 13 | - name: query-http 14 | port: 16686 15 | protocol: TCP 16 | targetPort: 16686 17 | selector: 18 | app.kubernetes.io/name: jaeger 19 | app.kubernetes.io/component: all-in-one 20 | type: ClusterIP 21 | 
-------------------------------------------------------------------------------- /base/monitoring/jaeger/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - jaeger-collector.Service.yaml 5 | - jaeger-query.Service.yaml 6 | - jaeger.Deployment.yaml 7 | -------------------------------------------------------------------------------- /base/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | # cAdvisor, otel-collector, jaeger should be deployed separately 5 | # - cadvisor 6 | # - otel-collector 7 | # - jaeger 8 | - grafana 9 | - node-exporter 10 | - prometheus 11 | -------------------------------------------------------------------------------- /base/monitoring/node-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - node-exporter.DaemonSet.yaml 5 | - node-exporter.Service.yaml 6 | -------------------------------------------------------------------------------- /base/monitoring/node-exporter/node-exporter.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | description: Prometheus exporter for hardware and OS metrics. 
6 | url: https://github.com/prometheus/node_exporter 7 | prometheus.io/port: "9100" 8 | sourcegraph.prometheus/scrape: "true" 9 | labels: 10 | app.kubernetes.io/component: node-exporter 11 | app: node-exporter 12 | deploy: sourcegraph 13 | sourcegraph-resource-requires: no-cluster-admin 14 | name: node-exporter 15 | spec: 16 | ports: 17 | - name: metrics 18 | port: 9100 19 | targetPort: metrics 20 | selector: 21 | app: node-exporter 22 | type: ClusterIP 23 | -------------------------------------------------------------------------------- /base/monitoring/otel-collector/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - otel-agent.ConfigMap.yaml 5 | - otel-agent.DaemonSet.yaml 6 | - otel-collector.ConfigMap.yaml 7 | - otel-collector.Deployment.yaml 8 | - otel-collector.Service.yaml 9 | -------------------------------------------------------------------------------- /base/monitoring/otel-collector/otel-collector.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: otel-collector 5 | annotations: 6 | prometheus.io/port: "8888" 7 | sourcegraph.prometheus/scrape: "true" 8 | labels: 9 | app: otel-collector 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | app.kubernetes.io/component: otel-collector 13 | spec: 14 | ports: 15 | - name: otlp-grpc 16 | port: 4317 17 | protocol: TCP 18 | targetPort: 4317 19 | - name: otlp-http 20 | port: 4318 21 | protocol: TCP 22 | targetPort: 4318 23 | - name: metrics # Default endpoint for querying metrics. 
24 | port: 8888 25 | selector: 26 | app: otel-collector 27 | type: ClusterIP 28 | -------------------------------------------------------------------------------- /base/monitoring/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - prometheus.Deployment.yaml 5 | - prometheus.PersistentVolumeClaim.yaml 6 | - prometheus.Service.yaml 7 | # Create ConfigMap with prometheus.yml 8 | configMapGenerator: 9 | - name: prometheus 10 | behavior: create 11 | files: 12 | - prometheus.yml 13 | literals: 14 | - extra_rules.yml= 15 | - prometheus_targets.yml= 16 | options: 17 | disableNameSuffixHash: true 18 | labels: 19 | deploy: sourcegraph 20 | sourcegraph-resource-requires: no-cluster-admin 21 | app.kubernetes.io/component: prometheus 22 | -------------------------------------------------------------------------------- /base/monitoring/prometheus/prometheus.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | labels: 5 | deploy: sourcegraph 6 | sourcegraph-resource-requires: no-cluster-admin 7 | app.kubernetes.io/component: prometheus 8 | name: prometheus 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 200Gi 15 | -------------------------------------------------------------------------------- /base/monitoring/prometheus/prometheus.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app: prometheus 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | app.kubernetes.io/component: prometheus 9 | name: prometheus 10 | spec: 11 | ports: 12 | - name: http 13 | port: 30090 14 | targetPort: http 15 | selector: 16 | app: prometheus 17 
|   type: ClusterIP
18 |
--------------------------------------------------------------------------------
/base/monitoring/prometheus/rbac/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 |   - prometheus.ClusterRole.yaml
5 |   - prometheus.ClusterRoleBinding.yaml
6 |   - prometheus.ServiceAccount.yaml
7 | # Create the prometheus-rbac ConfigMap; its prometheus.yml key is read from prometheus-rbac.yml.
8 | configMapGenerator:
9 |   - name: prometheus-rbac
10 |     behavior: create
11 |     files:
12 |       - prometheus.yml=prometheus-rbac.yml
13 |     literals:
14 |       - extra_rules.yml=  # empty value; presumably a placeholder for overlays to fill in — confirm
15 |       - prometheus_targets.yml=  # empty value; presumably a placeholder for overlays to fill in — confirm
16 |     options:
17 |       disableNameSuffixHash: true  # keep the generated name fixed so other manifests can reference it
18 |       labels:
19 |         deploy: sourcegraph
20 |         sourcegraph-resource-requires: no-cluster-admin
21 |         app.kubernetes.io/component: prometheus
22 |
--------------------------------------------------------------------------------
/base/monitoring/prometheus/rbac/prometheus.ClusterRole.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole  # cluster-scoped role: the rules below are not limited to one namespace
3 | metadata:
4 |   labels:
5 |     category: rbac
6 |     deploy: sourcegraph
7 |     sourcegraph-resource-requires: cluster-admin  # presumably marks resources that need cluster-admin rights to install (see .buildkite/verify-rbac-labels.sh) — confirm
8 |     app.kubernetes.io/component: prometheus
9 |   name: prometheus
10 | rules:
11 |   - apiGroups:  # rule 1: get/list/watch on core-group resources used for target discovery and scraping
12 |       - ""
13 |     resources:
14 |       - endpoints
15 |       - namespaces
16 |       - nodes
17 |       - nodes/metrics
18 |       - nodes/proxy  # NOTE(review): nodes/proxy gives the holder a path to each node's kubelet API through the API server, which is wider than metrics scraping; confirm prometheus-rbac.yml scrapes through the proxy path and drop this entry if it does not
19 |       - pods
20 |       - services
21 |     verbs:
22 |       - get
23 |       - list
24 |       - watch
25 |   - apiGroups:  # rule 2: get only (no list/watch) on configmaps
26 |       - ""
27 |     resources:
28 |       - configmaps  # NOTE(review): granted through a ClusterRole, so not limited to one namespace; a namespaced Role may be enough — confirm what Prometheus reads
29 |     verbs:
30 |       - get
31 |   - nonResourceURLs:  # rule 3: GET on the /metrics non-resource URL
32 |       - /metrics
33 |     verbs:
34 |       - get
35 |
--------------------------------------------------------------------------------
/base/monitoring/prometheus/rbac/prometheus.ClusterRoleBinding.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind:
ClusterRoleBinding
3 | metadata:
4 |   labels:
5 |     category: rbac
6 |     deploy: sourcegraph
7 |     sourcegraph-resource-requires: cluster-admin  # presumably marks resources that need cluster-admin rights to install — confirm
8 |     app.kubernetes.io/component: prometheus
9 |   name: prometheus
10 | roleRef:  # binds the ClusterRole named prometheus; as a ClusterRoleBinding the grant is cluster-wide
11 |   apiGroup: "rbac.authorization.k8s.io"
12 |   kind: ClusterRole
13 |   name: prometheus
14 | subjects:
15 |   - kind: ServiceAccount  # NOTE(review): no namespace is set on this subject; presumably the overlay's kustomize namespace setting fills it in — confirm the rendered binding names the namespace Sourcegraph is deployed to
16 |     name: prometheus
17 |
--------------------------------------------------------------------------------
/base/monitoring/prometheus/rbac/prometheus.ServiceAccount.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount  # same name as the subject of the prometheus ClusterRoleBinding
3 | metadata:
4 |   labels:
5 |     category: rbac
6 |     deploy: sourcegraph
7 |     sourcegraph-resource-requires: no-cluster-admin
8 |     app.kubernetes.io/component: prometheus
9 |   name: prometheus
10 |
--------------------------------------------------------------------------------
/base/sourcegraph/blobstore/blobstore.PersistentVolumeClaim.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: PersistentVolumeClaim
3 | metadata:
4 |   labels:
5 |     app.kubernetes.io/component: blobstore
6 |     deploy: sourcegraph
7 |     sourcegraph-resource-requires: no-cluster-admin
8 |   name: blobstore
9 | spec:
10 |   accessModes:
11 |     - ReadWriteOnce  # volume is mounted read-write by a single node
12 |   resources:
13 |     requests:
14 |       storage: 100Gi
15 |
--------------------------------------------------------------------------------
/base/sourcegraph/blobstore/blobstore.Service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   labels:
5 |     app: blobstore
6 |     app.kubernetes.io/component: blobstore
7 |     deploy: sourcegraph
8 |     sourcegraph-resource-requires: no-cluster-admin
9 |   name: blobstore
10 | spec:
11 |   ports:
12 |     - name: blobstore
13 |       port: 9000
14 |       targetPort: blobstore  # named container port; presumably declared in blobstore.Deployment.yaml, which is not shown here
15 |   selector:
16 |     app: blobstore
17 |   type: ClusterIP  # reachable only from inside the cluster
18 |
-------------------------------------------------------------------------------- /base/sourcegraph/blobstore/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - blobstore.Deployment.yaml 5 | - blobstore.PersistentVolumeClaim.yaml 6 | - blobstore.Service.yaml 7 | -------------------------------------------------------------------------------- /base/sourcegraph/codeinsights-db/codeinsights-db.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: codeinsights-db 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | name: codeinsights-db 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 200Gi 15 | -------------------------------------------------------------------------------- /base/sourcegraph/codeinsights-db/codeinsights-db.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "9187" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: codeinsights-db 9 | app.kubernetes.io/component: codeinsights-db 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: codeinsights-db 13 | spec: 14 | ports: 15 | - name: codeinsights-db 16 | port: 5432 17 | targetPort: codeinsights-db 18 | - name: pgsql-exporter 19 | port: 9187 20 | targetPort: pgsql-exporter 21 | selector: 22 | app: codeinsights-db 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/codeinsights-db/kustomization.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - codeinsights-db.ConfigMap.yaml 5 | - codeinsights-db.StatefulSet.yaml 6 | - codeinsights-db.PersistentVolumeClaim.yaml 7 | - codeinsights-db.Service.yaml 8 | -------------------------------------------------------------------------------- /base/sourcegraph/codeintel-db/codeintel-db.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: codeintel-db 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | name: codeintel-db 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 200Gi 15 | -------------------------------------------------------------------------------- /base/sourcegraph/codeintel-db/codeintel-db.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "9187" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: codeintel-db 9 | app.kubernetes.io/component: codeintel-db 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: codeintel-db 13 | spec: 14 | ports: 15 | - name: pgsql 16 | port: 5432 17 | targetPort: pgsql 18 | - name: pgsql-exporter 19 | port: 9187 20 | targetPort: pgsql-exporter 21 | selector: 22 | app: codeintel-db 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/codeintel-db/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - codeintel-db.ConfigMap.yaml 5 | - codeintel-db.StatefulSet.yaml 6 | - codeintel-db.PersistentVolumeClaim.yaml 7 | - 
codeintel-db.Service.yaml 8 | -------------------------------------------------------------------------------- /base/sourcegraph/frontend/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - sourcegraph-frontend-internal.Service.yaml 5 | - sourcegraph-frontend.Deployment.yaml 6 | - sourcegraph-frontend.Ingress.yaml 7 | - sourcegraph-frontend.Service.yaml 8 | - sourcegraph-frontend.ConfigMap.yaml 9 | -------------------------------------------------------------------------------- /base/sourcegraph/frontend/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - sourcegraph-frontend.Role.yaml 5 | - sourcegraph-frontend.RoleBinding.yaml 6 | - sourcegraph-frontend.ServiceAccount.yaml 7 | -------------------------------------------------------------------------------- /base/sourcegraph/frontend/rbac/sourcegraph-frontend.RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | labels: 5 | category: rbac 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: cluster-admin 8 | app.kubernetes.io/component: frontend 9 | name: sourcegraph-frontend 10 | roleRef: 11 | apiGroup: "rbac.authorization.k8s.io" 12 | kind: Role 13 | name: sourcegraph-frontend 14 | subjects: 15 | - kind: ServiceAccount 16 | name: sourcegraph-frontend 17 | -------------------------------------------------------------------------------- /base/sourcegraph/frontend/rbac/sourcegraph-frontend.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | labels: 5 | category: rbac 6 | deploy: 
sourcegraph
7 |     sourcegraph-resource-requires: no-cluster-admin
8 |     app.kubernetes.io/component: frontend
9 |   name: sourcegraph-frontend
10 | imagePullSecrets:  # pods running as this ServiceAccount pull images with this secret; the Secret itself is not defined in the files shown
11 |   - name: docker-registry
12 |
--------------------------------------------------------------------------------
/base/sourcegraph/frontend/sourcegraph-frontend-internal.Service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service  # cluster-internal Service in front of the frontend pods' http-internal port
3 | metadata:
4 |   labels:
5 |     app: sourcegraph-frontend
6 |     app.kubernetes.io/component: frontend
7 |     deploy: sourcegraph
8 |     sourcegraph-resource-requires: no-cluster-admin
9 |   name: sourcegraph-frontend-internal
10 | spec:
11 |   ports:
12 |     - name: http-internal
13 |       port: 80
14 |       targetPort: http-internal  # named container port; presumably declared in sourcegraph-frontend.Deployment.yaml — not shown here
15 |   selector:
16 |     app: sourcegraph-frontend
17 |   type: ClusterIP
18 |
--------------------------------------------------------------------------------
/base/sourcegraph/frontend/sourcegraph-frontend.Service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service  # main frontend Service: user-facing http plus the debug port
3 | metadata:
4 |   annotations:
5 |     prometheus.io/port: "6060"  # same number as the debug port below
6 |     sourcegraph.prometheus/scrape: "true"
7 |   labels:
8 |     app: sourcegraph-frontend
9 |     app.kubernetes.io/component: frontend
10 |     deploy: sourcegraph
11 |     sourcegraph-resource-requires: no-cluster-admin
12 |   name: sourcegraph-frontend
13 | spec:
14 |   ports:
15 |     - name: http
16 |       port: 30080
17 |       targetPort: http
18 |     - name: debug  # NOTE(review): the debug port is published on the same Service as the user-facing http port; presumably only Prometheus needs it — confirm a NetworkPolicy or equivalent limits which pods can reach 6060
19 |       port: 6060
20 |       targetPort: debug
21 |   selector:
22 |     app: sourcegraph-frontend
23 |   type: ClusterIP  # in-cluster only; external exposure, if any, comes from sourcegraph-frontend.Ingress.yaml, which is not shown here
24 |
--------------------------------------------------------------------------------
/base/sourcegraph/gitserver/gitserver.Service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   annotations:
5 |     description: Headless service that provides a stable network identity for the gitserver stateful
set. 6 | prometheus.io/port: "6060" 7 | sourcegraph.prometheus/scrape: "true" 8 | labels: 9 | app: gitserver 10 | app.kubernetes.io/component: gitserver 11 | deploy: sourcegraph 12 | sourcegraph-resource-requires: no-cluster-admin 13 | type: gitserver 14 | name: gitserver 15 | spec: 16 | clusterIP: None 17 | ports: 18 | - name: unused 19 | port: 10811 20 | targetPort: 10811 21 | selector: 22 | app: gitserver 23 | type: gitserver 24 | type: ClusterIP 25 | -------------------------------------------------------------------------------- /base/sourcegraph/gitserver/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gitserver.Service.yaml 5 | - gitserver.StatefulSet.yaml 6 | -------------------------------------------------------------------------------- /base/sourcegraph/indexed-search/indexed-search.IndexerService.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | description: Headless service that provides a stable network identity for the indexed-search stateful set. 
6 | prometheus.io/port: "6072" 7 | sourcegraph.prometheus/scrape: "true" 8 | labels: 9 | app: indexed-search-indexer 10 | app.kubernetes.io/component: indexed-search 11 | deploy: sourcegraph 12 | sourcegraph-resource-requires: no-cluster-admin 13 | name: indexed-search-indexer 14 | spec: 15 | clusterIP: None 16 | ports: 17 | - port: 6072 18 | targetPort: 6072 19 | selector: 20 | app: indexed-search 21 | type: ClusterIP 22 | -------------------------------------------------------------------------------- /base/sourcegraph/indexed-search/indexed-search.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | description: Headless service that provides a stable network identity for the indexed-search stateful set. 6 | prometheus.io/port: "6070" 7 | sourcegraph.prometheus/scrape: "true" 8 | labels: 9 | app: indexed-search 10 | app.kubernetes.io/component: indexed-search 11 | deploy: sourcegraph 12 | sourcegraph-resource-requires: no-cluster-admin 13 | name: indexed-search 14 | spec: 15 | clusterIP: None 16 | ports: 17 | - port: 6070 18 | targetPort: 6070 19 | selector: 20 | app: indexed-search 21 | type: ClusterIP 22 | -------------------------------------------------------------------------------- /base/sourcegraph/indexed-search/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - indexed-search.IndexerService.yaml 5 | - indexed-search.Service.yaml 6 | - indexed-search.StatefulSet.yaml 7 | -------------------------------------------------------------------------------- /base/sourcegraph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - blobstore 5 | - codeinsights-db 6 | - 
codeintel-db 7 | - frontend 8 | - gitserver 9 | - indexed-search 10 | - pgsql 11 | - precise-code-intel 12 | - redis 13 | - searcher 14 | - syntactic-code-intel 15 | - syntect-server 16 | - worker 17 | -------------------------------------------------------------------------------- /base/sourcegraph/pgsql/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - pgsql.ConfigMap.yaml 5 | - pgsql.StatefulSet.yaml 6 | - pgsql.PersistentVolumeClaim.yaml 7 | - pgsql.Service.yaml 8 | -------------------------------------------------------------------------------- /base/sourcegraph/pgsql/pgsql.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: pgsql 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | name: pgsql 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 200Gi 15 | -------------------------------------------------------------------------------- /base/sourcegraph/pgsql/pgsql.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "9187" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: pgsql 9 | app.kubernetes.io/component: pgsql 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: pgsql 13 | spec: 14 | ports: 15 | - name: pgsql 16 | port: 5432 17 | targetPort: pgsql 18 | - name: pgsql-exporter 19 | port: 9187 20 | targetPort: pgsql-exporter 21 | selector: 22 | app: pgsql 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- 
/base/sourcegraph/precise-code-intel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - worker.Deployment.yaml 5 | - worker.Service.yaml 6 | -------------------------------------------------------------------------------- /base/sourcegraph/precise-code-intel/worker.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: precise-code-intel-worker 9 | app.kubernetes.io/component: precise-code-intel 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: precise-code-intel-worker 13 | spec: 14 | ports: 15 | - name: http 16 | port: 3188 17 | targetPort: http 18 | - name: debug 19 | port: 6060 20 | targetPort: debug 21 | selector: 22 | app: precise-code-intel-worker 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/redis/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - redis-cache.Deployment.yaml 5 | - redis-cache.PersistentVolumeClaim.yaml 6 | - redis-cache.Service.yaml 7 | - redis-store.Deployment.yaml 8 | - redis-store.PersistentVolumeClaim.yaml 9 | - redis-store.Service.yaml 10 | -------------------------------------------------------------------------------- /base/sourcegraph/redis/redis-cache.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: redis 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: 
no-cluster-admin 8 | name: redis-cache 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 100Gi 15 | -------------------------------------------------------------------------------- /base/sourcegraph/redis/redis-cache.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "9121" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: redis-cache 9 | app.kubernetes.io/component: redis 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: redis-cache 13 | spec: 14 | ports: 15 | - name: redis 16 | port: 6379 17 | targetPort: redis 18 | - name: redisexp 19 | port: 9121 20 | targetPort: redisexp 21 | selector: 22 | app: redis-cache 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/redis/redis-store.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: redis 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | name: redis-store 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 100Gi 15 | -------------------------------------------------------------------------------- /base/sourcegraph/redis/redis-store.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "9121" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: redis-store 9 | app.kubernetes.io/component: redis 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: redis-store 13 | spec: 14 | ports: 15 | - name: redis 16 | 
port: 6379 17 | targetPort: redis 18 | - name: redisexp 19 | port: 9121 20 | targetPort: redisexp 21 | selector: 22 | app: redis-store 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/searcher/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - searcher.StatefulSet.yaml 5 | - searcher.Service.yaml 6 | -------------------------------------------------------------------------------- /base/sourcegraph/searcher/searcher.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: searcher 9 | app.kubernetes.io/component: searcher 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: searcher 13 | spec: 14 | clusterIP: None 15 | ports: 16 | - name: http 17 | port: 3181 18 | targetPort: http 19 | - name: debug 20 | port: 6060 21 | targetPort: debug 22 | selector: 23 | app: searcher 24 | type: ClusterIP 25 | -------------------------------------------------------------------------------- /base/sourcegraph/syntactic-code-intel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - worker.Deployment.yaml 5 | - worker.Service.yaml 6 | -------------------------------------------------------------------------------- /base/sourcegraph/syntactic-code-intel/worker.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | 
labels: 8 | app: syntactic-code-intel 9 | app.kubernetes.io/component: syntactic-code-intel 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: syntactic-code-intel 13 | spec: 14 | ports: 15 | - name: http 16 | port: 3188 17 | targetPort: http 18 | - name: debug 19 | port: 6060 20 | targetPort: debug 21 | selector: 22 | app: syntactic-code-intel 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/syntect-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - syntect-server.Deployment.yaml 5 | - syntect-server.Service.yaml 6 | -------------------------------------------------------------------------------- /base/sourcegraph/syntect-server/syntect-server.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: syntect-server 9 | app.kubernetes.io/component: syntect-server 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: syntect-server 13 | spec: 14 | ports: 15 | - name: http 16 | port: 9238 17 | targetPort: http 18 | - name: debug 19 | port: 6060 20 | targetPort: debug 21 | selector: 22 | app: syntect-server 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /base/sourcegraph/worker/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - worker-executors.Service.yaml 5 | - worker.Deployment.yaml 6 | - worker.Service.yaml 7 | 
-------------------------------------------------------------------------------- /base/sourcegraph/worker/worker-executors.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6996" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: worker 9 | app.kubernetes.io/component: worker 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: worker-executors 13 | spec: 14 | ports: 15 | - name: prom 16 | port: 6996 17 | targetPort: prom 18 | selector: 19 | app: worker 20 | type: ClusterIP 21 | -------------------------------------------------------------------------------- /base/sourcegraph/worker/worker.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: worker 9 | app.kubernetes.io/component: worker 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | name: worker 13 | spec: 14 | ports: 15 | - name: http 16 | port: 3189 17 | targetPort: http 18 | - name: debug 19 | port: 6060 20 | targetPort: debug 21 | selector: 22 | app: worker 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /components/README.md: -------------------------------------------------------------------------------- 1 | # Components for Sourcegraph 2 | 3 | This directory contains various individual components that are configured to be used with a Kustomize overlay to build a customized Sourcegraph instance. 4 | 5 | These components can include files and other resources that are used to enhance or customize the default settings of the [base](../base) instance. 
6 | 7 | ## How to use 8 | 9 | See our [Configure Sourcegraph with Kustomize docs](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure) for the latest instructions. 10 | -------------------------------------------------------------------------------- /components/clusters/aws/aws-ebs/README.md: -------------------------------------------------------------------------------- 1 | # AWS EKS configuration component 1 2 | 3 | This component configures: 4 | 5 | - Ingress to use AWS Load Balancer Controller 6 | - Storage Class to use AWS EBS CSI driver with `ebs.csi.aws.com` storageClass provisioner 7 | - Use this provisioner when using the self-managed Amazon EBS Container Storage Interface driver 8 | -------------------------------------------------------------------------------- /components/clusters/aws/aws-ebs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | - ../../../storage-class/aws/aws-ebs 5 | - ../../../storage-class/sourcegraph 6 | - ../../../ingress/alb 7 | -------------------------------------------------------------------------------- /components/clusters/aws/ebs-csi/README.md: -------------------------------------------------------------------------------- 1 | # AWS EKS configuration component 2 2 | 3 | This component configures: 4 | 5 | - Ingress to use AWS Load Balancer Controller 6 | - Storage Class to use AWS EBS CSI driver with `kubernetes.io/aws-ebs` storageClass provisioner 7 | - Use this provisioner when using the AWS EBS CSI driver as Amazon EKS add-on 8 | -------------------------------------------------------------------------------- /components/clusters/aws/ebs-csi/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | - ../../../storage-class/aws/ebs-csi 5 | - 
../../../storage-class/sourcegraph 6 | - ../../../ingress/alb 7 | -------------------------------------------------------------------------------- /components/clusters/aws/managed-cert/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | replacements: 4 | - source: 5 | fieldPath: data.AWS_MANAGED_CERT_ARN 6 | kind: ConfigMap 7 | name: sourcegraph-kustomize-build-config 8 | targets: 9 | - fieldPaths: 10 | - metadata.annotations.[alb.ingress.kubernetes.io/certificate-arn] 11 | select: 12 | kind: Ingress 13 | name: sourcegraph-frontend 14 | patches: 15 | - path: patches/frontend.Ingress.yaml 16 | -------------------------------------------------------------------------------- /components/clusters/aws/managed-cert/patches/frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 | kubernetes.io/ingress.class: alb 7 | # Replace AWS_MANAGED_CERT_ARN with ARN of the AWS-managed TLS certificate 8 | alb.ingress.kubernetes.io/certificate-arn: $(AWS_MANAGED_CERT_ARN) -------------------------------------------------------------------------------- /components/clusters/gke/configure/README.md: -------------------------------------------------------------------------------- 1 | # Configuration for deploying to Google Kubernetes Engine (GKE) 2 | 3 | This directory includes components to configure: 4 | 5 | - a [BackendConfig](https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#create_backendconfig) CRD. This is necessary to instruct the GCP load balancer on how to perform health checks on our deployment. 
6 | - Ingress to use [Container-native load balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing) to expose Sourcegraph publicly on a domain of your choosing and 7 | - Storage Class to use [Compute Engine persistent disk](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver). 8 | -------------------------------------------------------------------------------- /components/clusters/gke/configure/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | - ../../../storage-class/sourcegraph 5 | - ../../../storage-class/gcp 6 | - ../../../ingress/gke 7 | -------------------------------------------------------------------------------- /components/clusters/gke/managed-cert/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | replacements: 4 | - source: 5 | fieldPath: data.GKE_MANAGED_CERT_NAME 6 | kind: ConfigMap 7 | name: sourcegraph-kustomize-build-config 8 | targets: 9 | - fieldPaths: 10 | - metadata.annotations.[networking.gke.io/managed-certificates] 11 | select: 12 | kind: Ingress 13 | name: sourcegraph-frontend 14 | patches: 15 | - path: patches/frontend.Ingress.yaml 16 | -------------------------------------------------------------------------------- /components/clusters/gke/managed-cert/patches/frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 | # See 7 | # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ 8 | # for more nginx annotations. 
9 | kubernetes.io/ingress.class: gce 10 | # We can upload large files (extensions) 11 | nginx.ingress.kubernetes.io/proxy-body-size: "150m" 12 | networking.gke.io/managed-certificates: $(GKE_MANAGED_CERT_NAME) # replace with actual Google-managed certificate name 13 | # if you reserve a static IP, uncomment below and update ADDRESS_NAME 14 | # also, make changes to your DNS record accordingly 15 | # kubernetes.io/ingress.global-static-ip-name: $(GKE_STATIC_IP) -------------------------------------------------------------------------------- /components/clusters/k3s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | - monitoring 5 | - ../../storage-class/k3s 6 | patches: 7 | - path: patches/sourcegraph-frontend.Ingress.yaml 8 | # k3s deploy type added in 5.0.0 9 | configMapGenerator: 10 | - name: sourcegraph-frontend-env 11 | behavior: merge 12 | literals: 13 | - DEPLOY_TYPE=kustomize 14 | -------------------------------------------------------------------------------- /components/clusters/k3s/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../../base/monitoring 5 | - ../../../../base/monitoring/cadvisor 6 | components: 7 | - ../../../monitoring/privileged 8 | - ../../../storage-class/k3s 9 | 10 | configMapGenerator: 11 | - name: prometheus-rbac 12 | behavior: merge 13 | files: 14 | - prometheus.yml=patches/prometheus-k3s.yml 15 | -------------------------------------------------------------------------------- /components/clusters/k3s/patches/sourcegraph-frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 
| kubernetes.io/ingress.class: traefik -------------------------------------------------------------------------------- /components/clusters/minikube/README.md: -------------------------------------------------------------------------------- 1 | This component deletes resource declarations and storage class names to enable running Sourcegraph on minikube. -------------------------------------------------------------------------------- /components/clusters/minikube/patches/remove-deployment-resources-container-0.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/0/resources 3 | -------------------------------------------------------------------------------- /components/clusters/minikube/patches/remove-deployment-resources-container-1.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/1/resources 3 | -------------------------------------------------------------------------------- /components/clusters/minikube/patches/remove-deployment-resources-container-init.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/initContainers/0/resources 3 | -------------------------------------------------------------------------------- /components/clusters/minikube/patches/remove-statefulset-resources-container-0.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/0/resources 3 | -------------------------------------------------------------------------------- /components/clusters/minikube/patches/remove-statefulset-resources-container-1.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/1/resources 3 |
-------------------------------------------------------------------------------- /components/clusters/old-base/README.md: -------------------------------------------------------------------------------- 1 | # Old base cluster component 2 | 3 | This component configures the current base cluster using the configurations of the old base cluster. 4 | 5 | It updates and generates resources from the old cluster, including: 6 | 7 | - the monitoring stack and cadvisor 8 | - searcher and symbols as Deployment 9 | - run as root, privileged 10 | - include RBAC resources 11 | 12 | This should only be used to generate the old cluster for comparison purposes, because its patches run containers as root and allow privilege escalation. 13 | 14 | Check out the `examples/old-cluster` directory to see how this component is used. 15 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/blobstore/blobstore.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: blobstore 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: blobstore 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | # runAsGroup: 0 13 | # runAsUser: 0 14 | securityContext: 15 | runAsUser: 0 16 | fsGroup: 0 -------------------------------------------------------------------------------- /components/clusters/old-base/patches/cadvisor/cadvisor.DaemonSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: cadvisor 5 | spec: 6 | template: 7 | spec: 8 | securityContext: 9 | $patch: delete 10 | serviceAccountName: cadvisor 11 | containers: 12 | - name: cadvisor 13 | securityContext: 14 | privileged: null 15 | $patch: delete -------------------------------------------------------------------------------- /components/clusters/old-base/patches/databases/securityContext.yaml:
-------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/securityContext 3 | value: 4 | allowPrivilegeEscalation: true 5 | runAsGroup: 0 6 | runAsUser: 0 7 | - op: replace 8 | path: /spec/template/spec/initContainers/0/securityContext 9 | value: 10 | allowPrivilegeEscalation: true 11 | runAsGroup: 0 12 | runAsUser: 0 13 | - op: replace 14 | path: /spec/template/spec/securityContext 15 | value: 16 | runAsUser: 0 17 | fsGroup: 0 18 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/frontend/sourcegraph-frontend.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | replicas: 2 7 | template: 8 | spec: 9 | initContainers: 10 | - name: migrator 11 | securityContext: 12 | allowPrivilegeEscalation: true 13 | runAsGroup: 0 14 | runAsUser: 0 15 | containers: 16 | - name: frontend 17 | securityContext: 18 | allowPrivilegeEscalation: true 19 | runAsGroup: 0 20 | runAsUser: 0 21 | securityContext: 22 | runAsUser: 0 23 | fsGroup: 0 24 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/gitserver/gitserver.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: gitserver 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: gitserver 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | securityContext: 15 | runAsUser: 0 16 | fsGroup: 0 -------------------------------------------------------------------------------- /components/clusters/old-base/patches/grafana/grafana.StatefulSet.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: grafana 5 | spec: 6 | template: 7 | spec: 8 | securityContext: 9 | runAsUser: 0 10 | runAsGroup: 0 11 | fsGroup: 0 12 | fsGroupChangePolicy: OnRootMismatch -------------------------------------------------------------------------------- /components/clusters/old-base/patches/indexed-search/indexed-search.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: indexed-search 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: zoekt-webserver 10 | securityContext: 11 | # old-base patch: this setting allows privilege escalation; it does not prevent escalation to root. 12 | allowPrivilegeEscalation: true 13 | runAsUser: 0 14 | runAsGroup: 0 15 | - name: zoekt-indexserver 16 | securityContext: 17 | # old-base patch: this setting allows privilege escalation; it does not prevent escalation to root. 18 | allowPrivilegeEscalation: true 19 | runAsUser: 0 20 | runAsGroup: 0 21 | securityContext: 22 | runAsUser: 0 23 | runAsGroup: 0 24 | fsGroup: 0 -------------------------------------------------------------------------------- /components/clusters/old-base/patches/otel-collector/otel-collector.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: otel-collector 5 | spec: 6 | template: 7 | spec: 8 | securityContext: 9 | $patch: delete -------------------------------------------------------------------------------- /components/clusters/old-base/patches/precise-code-intel/worker.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: precise-code-intel-worker 5 | spec: 6 | replicas: 2 7 | template: 8 | spec: 9 | containers: 10 | - name: precise-code-intel-worker 11 | securityContext: 12 |
allowPrivilegeEscalation: true 13 | runAsGroup: 0 14 | runAsUser: 0 15 | securityContext: 16 | fsGroup: 0 17 | runAsUser: 0 18 | 19 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/redis/redis-cache.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-cache 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: redis-cache 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | - name: redis-exporter 15 | securityContext: 16 | allowPrivilegeEscalation: true 17 | runAsGroup: 0 18 | runAsUser: 0 19 | securityContext: 20 | runAsUser: 0 21 | fsGroup: 0 -------------------------------------------------------------------------------- /components/clusters/old-base/patches/redis/redis-store.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-store 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: redis-store 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | - name: redis-exporter 15 | securityContext: 16 | allowPrivilegeEscalation: true 17 | runAsGroup: 0 18 | runAsUser: 0 19 | securityContext: 20 | runAsUser: 0 21 | fsGroup: 0 -------------------------------------------------------------------------------- /components/clusters/old-base/patches/remove/securityContext-cluster.yaml: -------------------------------------------------------------------------------- 1 | - path: /spec/template/spec/securityContext/fsGroupChangePolicy 2 | op: remove 3 | - path: /spec/template/spec/securityContext/fsGroup 4 | op: remove -------------------------------------------------------------------------------- 
/components/clusters/old-base/patches/remove/securityContext-container-0.yaml: -------------------------------------------------------------------------------- 1 | - path: /spec/template/spec/containers/0/securityContext 2 | op: remove 3 | - path: /spec/template/spec/securityContext 4 | op: replace 5 | value: 6 | runAsUser: 0 -------------------------------------------------------------------------------- /components/clusters/old-base/patches/remove/securityContext-container-1.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/1/securityContext 3 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/remove/securityContext-daemonset.yaml: -------------------------------------------------------------------------------- 1 | - path: /spec/template/spec/containers/0/securityContext 2 | op: remove 3 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/remove/securityContext-databases.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/initContainers/0/securityContext/allowPrivilegeEscalation 3 | - op: remove 4 | path: /spec/template/spec/initContainers/0/securityContext/runAsGroup 5 | - op: replace 6 | path: /spec/template/spec/initContainers/0/securityContext/runAsUser 7 | value: 0 8 | -------------------------------------------------------------------------------- /components/clusters/old-base/patches/remove/securityContext-initContainer.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/initContainers/0/securityContext -------------------------------------------------------------------------------- /components/clusters/old-base/patches/searcher/searcher.patchesJson6902.yaml: 
-------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/securityContext 3 | value: 4 | allowPrivilegeEscalation: true 5 | runAsGroup: 0 6 | runAsUser: 0 7 | - op: replace 8 | path: /spec/template/spec/securityContext 9 | value: 10 | runAsUser: 0 11 | fsGroup: 0 12 | fsGroupChangePolicy: OnRootMismatch -------------------------------------------------------------------------------- /components/clusters/old-base/patches/syntect-server/syntect-server.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: syntect-server 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: syntect-server 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | securityContext: 15 | runAsUser: 0 16 | fsGroup: 0 -------------------------------------------------------------------------------- /components/custom/old-patches/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | 4 | patchesStrategicMerge: 5 | - 6 | -------------------------------------------------------------------------------- /components/custom/otel-collector/README.md: -------------------------------------------------------------------------------- 1 | Component to deploy [otel-collector(OpenTelemetry)](https://docs.sourcegraph.com/admin/observability/opentelemetry) with default settings on your instance to enable [tracing](https://docs.sourcegraph.com/admin/observability/opentelemetry#tracing). 
2 | -------------------------------------------------------------------------------- /components/custom/otel-collector/backend/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/otel-collector.Deployment.yaml 5 | -------------------------------------------------------------------------------- /components/custom/otel-collector/backend/patches/otel-collector.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: otel-collector 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: otel-collector 10 | command: 11 | - "/bin/otelcol-sourcegraph" 12 | # To use a custom configuration, edit otel-collector.ConfigMap.yaml 13 | # and change this flag to 14 | - "--config=/etc/otel-collector/conf/config.yaml" 15 | # - "--config=/etc/otel-collector/configs/logging.yaml" -------------------------------------------------------------------------------- /components/custom/rke/config/custom.NodePort.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | type: NodePort 7 | ports: 8 | - name: http 9 | port: 30080 10 | # Add your nodePort value below 11 | # EX: nodePort: 30080 -------------------------------------------------------------------------------- /components/custom/rke/config/custom.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1beta1 2 | kind: StorageClass 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | reclaimPolicy: Retain 8 | allowVolumeExpansion: true 9 | volumeBindingMode: WaitForFirstConsumer 10 | provisioner: netapp.io/trident 11 | # ADD FSTYPE BELOW: 12 | # EX: 
fsType: ext4 13 | -------------------------------------------------------------------------------- /components/custom/rke/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | # This component updates all storage class names to sourcegraph 5 | - ../../storage-class/sourcegraph 6 | resources: 7 | # ACTION REQUIRED: Add your values to the BOTTOM of the files 8 | # Add fsType to this file: 9 | - config/custom.StorageClass.yaml 10 | # Add nodePort to this file: 11 | - config/custom.NodePort.yaml -------------------------------------------------------------------------------- /components/disable/rockskip/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: sourcegraph-frontend 9 | spec: 10 | template: 11 | spec: 12 | containers: 13 | - name: frontend 14 | env: 15 | - name: USE_ROCKSKIP 16 | value: "false" 17 | -------------------------------------------------------------------------------- /components/disable/service-discovery/README.md: -------------------------------------------------------------------------------- 1 | # Frontend RBAC components 2 | 3 | Remove RBAC resources to disable service discovery for the frontend.
4 | 5 | If `sourcegraph-frontend.RoleBinding` was created previously, you will need to add the `/components/disable/service-discovery/role-binding` component to remove it. 6 | -------------------------------------------------------------------------------- /components/disable/service-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | - role-binding 5 | - ../../utils/endpoints 6 | patches: 7 | - path: patches/sourcegraph-frontend.Role.yaml 8 | - path: patches/sourcegraph-frontend.ServiceAccount.yaml 9 | - path: patches/sourcegraph-frontend.Deployment.yaml 10 | -------------------------------------------------------------------------------- /components/disable/service-discovery/patches/sourcegraph-frontend.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | template: 7 | spec: 8 | serviceAccountName: null 9 | -------------------------------------------------------------------------------- /components/disable/service-discovery/patches/sourcegraph-frontend.Role.yaml: -------------------------------------------------------------------------------- 1 | $patch: delete 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: sourcegraph-frontend -------------------------------------------------------------------------------- /components/disable/service-discovery/patches/sourcegraph-frontend.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | $patch: delete 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: sourcegraph-frontend 6 | -------------------------------------------------------------------------------- /components/disable/service-discovery/role-binding/kustomization.yaml:
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: sourcegraph-frontend.RoleBinding.yaml 5 | -------------------------------------------------------------------------------- /components/disable/service-discovery/role-binding/sourcegraph-frontend.RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | $patch: delete 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: sourcegraph-frontend 6 | -------------------------------------------------------------------------------- /components/enable/otel-collector/README.md: -------------------------------------------------------------------------------- 1 | Component to deploy [otel-collector(OpenTelemetry)](https://docs.sourcegraph.com/admin/observability/opentelemetry) with default settings on your instance to enable [tracing](https://docs.sourcegraph.com/admin/observability/opentelemetry#tracing). 2 | -------------------------------------------------------------------------------- /components/enable/private-registry/README.md: -------------------------------------------------------------------------------- 1 | # Private Registry Component 2 | 3 | Update image names and tags easily using the built-in [images transformer](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/images/). 
4 | 5 | ## How to use 6 | 7 | Replace the `$(PRIVATE_REGISTRY)` environment variables inside the kustomization.yaml file manually 8 | -------------------------------------------------------------------------------- /components/enable/rockskip/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: sourcegraph-frontend 9 | spec: 10 | template: 11 | spec: 12 | containers: 13 | - name: frontend 14 | env: 15 | - name: ROCKSKIP_MIN_REPO_SIZE_MB 16 | value: "1000" 17 | - name: USE_ROCKSKIP 18 | value: "true" 19 | -------------------------------------------------------------------------------- /components/enable/service-discovery-default/README.md: -------------------------------------------------------------------------------- 1 | # Enable component: service discovery 2 | 3 | Set the service account for frontend to `default` to enable service discovery. Pods that do not set `serviceAccountName` also run as `default`, so any RBAC permissions that account holds are shared with them; the `enable/service-discovery` component uses a dedicated `sourcegraph-frontend` service account instead.
4 | -------------------------------------------------------------------------------- /components/enable/service-discovery-default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/sourcegraph-frontend.Deployment.yaml 5 | - path: patches/sourcegraph-frontend.ConfigMap.yaml 6 | -------------------------------------------------------------------------------- /components/enable/service-discovery-default/patches/sourcegraph-frontend.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: k8s+rpc://gitserver:3178?kind=sts 7 | SEARCHER_URL: k8s+http://searcher:3181 8 | INDEXED_SEARCH_SERVERS: k8s+rpc://indexed-search:6070?kind=sts 9 | -------------------------------------------------------------------------------- /components/enable/service-discovery-default/patches/sourcegraph-frontend.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | template: 7 | spec: 8 | serviceAccountName: default 9 | -------------------------------------------------------------------------------- /components/enable/service-discovery/README.md: -------------------------------------------------------------------------------- 1 | # Enable component: service discovery 2 | 3 | Add RBAC resources to enable service discovery for frontend.
4 | -------------------------------------------------------------------------------- /components/enable/service-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/sourcegraph/frontend/rbac 5 | patches: 6 | - path: patches/sourcegraph-frontend.Deployment.yaml 7 | - path: patches/sourcegraph-frontend.ConfigMap.yaml 8 | -------------------------------------------------------------------------------- /components/enable/service-discovery/patches/sourcegraph-frontend.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: k8s+rpc://gitserver:3178?kind=sts 7 | SEARCHER_URL: k8s+http://searcher:3181?kind=sts 8 | INDEXED_SEARCH_SERVERS: k8s+rpc://indexed-search:6070?kind=sts 9 | -------------------------------------------------------------------------------- /components/enable/service-discovery/patches/sourcegraph-frontend.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: frontend 10 | serviceAccountName: sourcegraph-frontend 11 | -------------------------------------------------------------------------------- /components/enable/ssh/non-root/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | apiVersion: apps/v1 6 | kind: StatefulSet 7 | metadata: 8 | name: gitserver 9 | spec: 10 | template: 11 | spec: 12 | containers: 13 | - name: gitserver 14 | volumeMounts: 15 | - mountPath: /home/sourcegraph/.ssh 16 | name: 
ssh 17 | volumes: 18 | - name: ssh 19 | secret: 20 | defaultMode: 0644 21 | secretName: gitserver-ssh 22 | -------------------------------------------------------------------------------- /components/enable/ssh/root/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | apiVersion: apps/v1 6 | kind: StatefulSet 7 | metadata: 8 | name: gitserver 9 | spec: 10 | template: 11 | spec: 12 | containers: 13 | - name: gitserver 14 | volumeMounts: 15 | - mountPath: /root/.ssh 16 | name: ssh 17 | volumes: 18 | - name: ssh 19 | secret: 20 | defaultMode: 0644 21 | secretName: gitserver-ssh 22 | -------------------------------------------------------------------------------- /components/executors/dind/docker-daemon.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | labels: 5 | app: executor 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | app.kubernetes.io/component: executor 9 | name: docker-config 10 | -------------------------------------------------------------------------------- /components/executors/dind/executor.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: executor-config 5 | labels: 6 | app: executor 7 | deploy: sourcegraph 8 | sourcegraph-resource-requires: no-cluster-admin 9 | app.kubernetes.io/component: executor 10 | data: 11 | EXECUTOR_USE_FIRECRACKER: "false" 12 | DOCKER_HOST: "tcp://localhost:2375" 13 | # Note: Must match the mount point shared with the docker-in-docker (dind) sidecar 14 | TMPDIR: "/scratch" 15 | -------------------------------------------------------------------------------- /components/executors/dind/executor.Service.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: executor 9 | deploy: sourcegraph 10 | sourcegraph-resource-requires: no-cluster-admin 11 | app.kubernetes.io/component: executor 12 | name: executor 13 | spec: 14 | ports: 15 | - name: debug 16 | port: 6060 17 | targetPort: debug 18 | selector: 19 | app: executor 20 | type: ClusterIP 21 | -------------------------------------------------------------------------------- /components/executors/dind/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - docker-daemon.ConfigMap.yaml 5 | - executor.ConfigMap.yaml 6 | - executor.Deployment.yaml 7 | - executor.Service.yaml 8 | patches: 9 | - path: patches/executor.ConfigMap.yaml 10 | -------------------------------------------------------------------------------- /components/executors/dind/patches/deployment-patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: executor 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: dind 10 | volumeMounts: 11 | - mountPath: /etc/docker/daemon.json 12 | subPath: daemon.json 13 | name: docker-config 14 | volumes: 15 | - name: docker-config 16 | configMap: 17 | defaultMode: 420 18 | name: docker-config 19 | -------------------------------------------------------------------------------- /components/executors/dind/patches/docker-daemon.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | # This creates the Docker daemon configuration file (daemon.json) for using the private docker registry. The registry is listed under "insecure-registries", so the daemon does not require verified TLS for it; keep the registry reachable only from inside the cluster.
2 | apiVersion: v1 3 | data: 4 | daemon.json: | 5 | { "insecure-registries":["private-docker-registry:5000"] } 6 | kind: ConfigMap 7 | metadata: 8 | labels: 9 | app: executor 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | app.kubernetes.io/component: executor 13 | name: docker-config 14 | -------------------------------------------------------------------------------- /components/executors/dind/patches/executor.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: executor-config 5 | # Refer to https://docs.sourcegraph.com/admin/executors/deploy_executors_binary#step-2-setup-environment-variables on how to populate these variables 6 | data: 7 | EXECUTOR_FRONTEND_URL: "http://sourcegraph-frontend" 8 | EXECUTOR_MAXIMUM_NUM_JOBS: "8" 9 | # Used to configure which queues Executors will process. 10 | # Can be "batches" or "codeintel" 11 | # Either set this or EXECUTOR_QUEUE_NAMES. 12 | EXECUTOR_QUEUE_NAME: "" 13 | # Used to configure which queues Executors will process. 14 | # Can be "batches" or "codeintel" or "batches,codeintel" 15 | # Either set this or EXECUTOR_QUEUE_NAME.
16 | EXECUTOR_QUEUE_NAMES: "" 17 | -------------------------------------------------------------------------------- /components/executors/dind/private-docker-registry/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - private-docker-registry.PersistentVolumeClaim.yaml 5 | - private-docker-registry.Deployment.yaml 6 | - private-docker-registry.Service.yaml 7 | -------------------------------------------------------------------------------- /components/executors/dind/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: private-docker-registry 5 | labels: 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | app.kubernetes.io/component: private-docker-registry 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | # To be adjusted based on the number and size of images used in batch changes and auto-indexing 15 | storage: 100Gi 16 | -------------------------------------------------------------------------------- /components/executors/dind/private-docker-registry/private-docker-registry.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | deploy: sourcegraph 6 | sourcegraph-resource-requires: no-cluster-admin 7 | app.kubernetes.io/component: private-docker-registry 8 | name: private-docker-registry 9 | namespace: default 10 | spec: 11 | ports: 12 | - name: http 13 | port: 5000 14 | protocol: TCP 15 | targetPort: 5000 16 | selector: 17 | app: private-docker-registry 18 | type: ClusterIP 19 | -------------------------------------------------------------------------------- 
/components/executors/k8s/executor.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: executor-config 5 | labels: 6 | app: executor 7 | deploy: sourcegraph 8 | sourcegraph-resource-requires: no-cluster-admin 9 | app.kubernetes.io/component: executor 10 | data: 11 | EXECUTOR_USE_FIRECRACKER: "false" 12 | EXECUTOR_KUBERNETES_PERSISTENCE_VOLUME_NAME: "sg-executor-pvc" 13 | EXECUTOR_KUBERNETES_POD_AFFINITY: '[{"labelSelector": {"matchExpressions": [{"key": "app", "operator": "In", "values": ["executor"]}]}, "topologyKey": "kubernetes.io/hostname"}]' 14 | -------------------------------------------------------------------------------- /components/executors/k8s/executor.PersistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: sg-executor-pvc 5 | labels: 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | app.kubernetes.io/component: executor 9 | spec: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 100Gi 15 | -------------------------------------------------------------------------------- /components/executors/k8s/executor.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "6060" 6 | sourcegraph.prometheus/scrape: "true" 7 | labels: 8 | app: executor 9 | deploy: sourcegraph 10 | sourcegraph-resource-requires: no-cluster-admin 11 | app.kubernetes.io/component: executor 12 | name: executor 13 | spec: 14 | ports: 15 | - name: debug 16 | port: 6060 17 | targetPort: debug 18 | selector: 19 | app: executor 20 | type: ClusterIP 21 | -------------------------------------------------------------------------------- 
/components/executors/k8s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - rbac 5 | - executor.ConfigMap.yaml 6 | - executor.Deployment.yaml 7 | - executor.PersistentVolumeClaim.yaml 8 | - executor.Service.yaml 9 | patches: 10 | - path: patches/executor.ConfigMap.yaml 11 | -------------------------------------------------------------------------------- /components/executors/k8s/rbac/executor.RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: sg-executor-role-binding 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | sourcegraph-resource-requires: cluster-admin 9 | app.kubernetes.io/component: executor 10 | subjects: 11 | - kind: ServiceAccount 12 | name: executor 13 | namespace: default 14 | roleRef: 15 | apiGroup: "rbac.authorization.k8s.io" 16 | kind: Role 17 | name: executor 18 | -------------------------------------------------------------------------------- /components/executors/k8s/rbac/executor.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: executor 5 | labels: 6 | category: rbac 7 | deploy: sourcegraph 8 | sourcegraph-resource-requires: cluster-admin 9 | app.kubernetes.io/component: executor 10 | -------------------------------------------------------------------------------- /components/executors/k8s/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - executor.Role.yaml 5 | - executor.RoleBinding.yaml 6 | - executor.ServiceAccount.yaml 7 | 
-------------------------------------------------------------------------------- /components/ingress/alb/README.md: -------------------------------------------------------------------------------- 1 | # AWS ALB component 2 | 3 | This component configures Ingress to use AWS Load Balancer Controller to expose Sourcegraph publicly on a domain of your choosing 4 | -------------------------------------------------------------------------------- /components/ingress/alb/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/frontend.Ingress.yaml 5 | -------------------------------------------------------------------------------- /components/ingress/alb/patches/frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 | alb.ingress.kubernetes.io/target-type: ip 7 | kubernetes.io/ingress.class: alb # aws load balancer controller ingressClass name 8 | # Add additional aws alb ingress controller supported annotations below 9 | -------------------------------------------------------------------------------- /components/ingress/annotations/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | transformers: 4 | - |- 5 | fieldSpecs: 6 | - kind: Ingress 7 | name: sourcegraph-frontend 8 | path: metadata/annotations 9 | create: true 10 | apiVersion: builtin 11 | kind: AnnotationsTransformer 12 | metadata: 13 | name: annotations-transformer 14 | annotations: 15 | # Add new annotations below 16 | # EX. 
kubernetes.io/ingress.class: alb 17 | -------------------------------------------------------------------------------- /components/ingress/gke/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - patches/frontend.BackendConfig.yaml 5 | patches: 6 | - path: patches/frontend.Service.yaml 7 | - path: patches/frontend-internal.Service.yaml 8 | - path: patches/frontend.Ingress.yaml 9 | -------------------------------------------------------------------------------- /components/ingress/gke/patches/frontend-internal.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | cloud.google.com/neg: '{"ingress": true}' 6 | # Reference the `BackendConfig` CR created 7 | beta.cloud.google.com/backend-config: '{"default": "sourcegraph-frontend"}' 8 | name: sourcegraph-frontend-internal 9 | -------------------------------------------------------------------------------- /components/ingress/gke/patches/frontend.BackendConfig.yaml: -------------------------------------------------------------------------------- 1 | # A BackendConfig CRD. 2 | # This is necessary to instruct the GCP load balancer on how to perform health checks on our deployment. 
3 | apiVersion: cloud.google.com/v1 4 | kind: BackendConfig 5 | metadata: 6 | name: sourcegraph-frontend 7 | labels: 8 | app: sourcegraph-frontend 9 | app.kubernetes.io/component: frontend 10 | deploy: sourcegraph 11 | spec: 12 | healthCheck: 13 | checkIntervalSec: 5 14 | timeoutSec: 5 15 | requestPath: /ready 16 | port: 6060 # we use a custom port to perform healthcheck -------------------------------------------------------------------------------- /components/ingress/gke/patches/frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 | # See 7 | # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ 8 | # for more nginx annotations. 9 | kubernetes.io/ingress.class: gce 10 | # We can upload large files (extensions) 11 | nginx.ingress.kubernetes.io/proxy-body-size: "150m" 12 | # networking.gke.io/managed-certificates: managed-cert # replace with actual Google-managed certificate name 13 | # if you reserve a static IP, uncomment below and update ADDRESS_NAME 14 | # also, make changes to your DNS record accordingly 15 | # kubernetes.io/ingress.global-static-ip-name: ADDRESS_NAME -------------------------------------------------------------------------------- /components/ingress/gke/patches/frontend.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | cloud.google.com/neg: '{"ingress": true}' 6 | # Reference the `BackendConfig` CR created 7 | beta.cloud.google.com/backend-config: '{"default": "sourcegraph-frontend"}' 8 | name: sourcegraph-frontend -------------------------------------------------------------------------------- /components/ingress/hostname/README.md: -------------------------------------------------------------------------------- 1 | # 
hostname component 2 | 3 | Component to add hostname to frontend ingress 4 | -------------------------------------------------------------------------------- /components/ingress/hostname/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | replacements: 4 | - source: 5 | fieldPath: data.HOST_DOMAIN 6 | kind: ConfigMap 7 | name: sourcegraph-kustomize-build-config 8 | targets: 9 | - fieldPaths: 10 | - spec.rules.*.host 11 | select: 12 | kind: Ingress 13 | name: sourcegraph-frontend 14 | patches: 15 | - path: patches/frontend.Ingress.yaml 16 | -------------------------------------------------------------------------------- /components/ingress/hostname/patches/frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | rules: 7 | - host: $(HOST_DOMAIN) -------------------------------------------------------------------------------- /components/ingress/k3s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/sourcegraph-frontend.Ingress.yaml 5 | -------------------------------------------------------------------------------- /components/ingress/k3s/patches/sourcegraph-frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 | kubernetes.io/ingress.class: traefik -------------------------------------------------------------------------------- /components/ingress/nginx-controller/README.md: -------------------------------------------------------------------------------- 1 | # 
Ingress-NGINX 2 | 3 | [ingress-nginx](https://github.com/kubernetes/ingress-nginx) provides specialized routing for all of the publicly available instances on this cluster. 4 | 5 | This component is for configuring the [v1.5.1 ingress-nginx controller for generic cloud provider](https://github.com/kubernetes/ingress-nginx/tree/controller-v1.5.1/deploy/static/provider/cloud) for Sourcegraph. 6 | -------------------------------------------------------------------------------- /components/ingress/nginx-controller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/ingress-nginx.Deployment.yaml 5 | - path: patches/ingress-nginx.Service.yaml 6 | -------------------------------------------------------------------------------- /components/ingress/nginx-controller/patches/ingress-nginx.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: ingress-nginx-controller 5 | namespace: ingress-nginx 6 | spec: 7 | template: 8 | annotations: 9 | prometheus.io/port: "10254" 10 | sourcegraph.prometheus/scrape: "true" -------------------------------------------------------------------------------- /components/ingress/nginx-controller/patches/ingress-nginx.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: ingress-nginx-controller 5 | namespace: ingress-nginx 6 | spec: 7 | externalTrafficPolicy: Local 8 | type: LoadBalancer 9 | ports: 10 | - name: http 11 | port: 80 12 | protocol: TCP 13 | targetPort: http 14 | - name: https 15 | port: 443 16 | protocol: TCP 17 | targetPort: https 18 | # loadBalancerIP: xxx.xxx.xxx.xxx 19 | --------------------------------------------------------------------------------
/components/monitoring/cadvisor/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring/cadvisor 5 | -------------------------------------------------------------------------------- /components/monitoring/grafana/dashboards/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | # Create the grafana-dashboards ConfigMap 4 | configMapGenerator: 5 | - name: grafana-dashboards 6 | behavior: create 7 | options: 8 | disableNameSuffixHash: true 9 | labels: 10 | deploy: sourcegraph 11 | sourcegraph-resource-requires: no-cluster-admin 12 | app.kubernetes.io/component: grafana 13 | patches: 14 | - path: patch.yaml 15 | target: 16 | kind: StatefulSet 17 | name: grafana 18 | -------------------------------------------------------------------------------- /components/monitoring/grafana/dashboards/patch.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/template/spec/volumes/- 3 | value: 4 | name: dashboards 5 | configMap: 6 | defaultMode: 0777 7 | name: grafana-dashboards 8 | - op: add 9 | path: /spec/template/spec/containers/0/volumeMounts/- 10 | value: 11 | mountPath: /sg_grafana_additional_dashboards 12 | name: dashboards 13 | -------------------------------------------------------------------------------- /components/monitoring/grafana/dashboards/process/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | # Merge containers.json into the grafana-dashboards ConfigMap 4 | configMapGenerator: 5 | - name: grafana-dashboards 6 | behavior: merge 7 | files: 8 | - containers.json 9 |
-------------------------------------------------------------------------------- /components/monitoring/grafana/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring/grafana 5 | -------------------------------------------------------------------------------- /components/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../base/monitoring 5 | -------------------------------------------------------------------------------- /components/monitoring/no-rbacs/README.md: -------------------------------------------------------------------------------- 1 | Monitoring stacks with all RBAC resources and the related services removed. 2 | -------------------------------------------------------------------------------- /components/monitoring/no-rbacs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring 5 | components: 6 | - ../../remove/daemonset 7 | - ../../remove/prometheus 8 | patches: 9 | - path: patches/grafana/grafana.StatefulSet.yaml 10 | -------------------------------------------------------------------------------- /components/monitoring/no-rbacs/patches/grafana/grafana.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: grafana 5 | spec: 6 | template: 7 | spec: 8 | securityContext: 9 | fsGroup: 472 10 | fsGroupChangePolicy: OnRootMismatch 11 | containers: 12 | - name: grafana 13 | securityContext: 14 | # Required to prevent escalations to root. 
15 | allowPrivilegeEscalation: false 16 | runAsUser: 472 17 | runAsGroup: 472 18 | -------------------------------------------------------------------------------- /components/monitoring/non-root/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring 5 | - patches/prometheus/prometheus.RoleBinding.yaml 6 | components: 7 | - ../../remove/daemonset 8 | patches: 9 | - path: patches/grafana/grafana.StatefulSet.yaml 10 | - path: patches/prometheus/prometheus.ConfigMap.yaml 11 | - path: patches/prometheus/prometheus.Deployment.yaml 12 | -------------------------------------------------------------------------------- /components/monitoring/non-root/patches/grafana/grafana.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: grafana 5 | spec: 6 | template: 7 | spec: 8 | securityContext: 9 | fsGroup: 472 10 | fsGroupChangePolicy: OnRootMismatch 11 | containers: 12 | - name: grafana 13 | securityContext: 14 | # Required to prevent escalations to root. 15 | allowPrivilegeEscalation: false 16 | runAsUser: 472 17 | runAsGroup: 472 18 | -------------------------------------------------------------------------------- /components/monitoring/non-root/patches/prometheus/prometheus.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: prometheus 5 | spec: 6 | template: 7 | spec: 8 | securityContext: 9 | fsGroup: 100 10 | fsGroupChangePolicy: OnRootMismatch 11 | containers: 12 | - name: prometheus 13 | securityContext: 14 | # Required to prevent escalations to root. 
15 | allowPrivilegeEscalation: false 16 | runAsUser: 100 17 | runAsGroup: 100 18 | -------------------------------------------------------------------------------- /components/monitoring/non-root/patches/prometheus/prometheus.RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | labels: 5 | category: rbac 6 | deploy: sourcegraph 7 | sourcegraph-resource-requires: no-cluster-admin 8 | name: prometheus-nonprivileged 9 | roleRef: 10 | apiGroup: "" 11 | kind: ClusterRole 12 | name: view 13 | subjects: 14 | - kind: ServiceAccount 15 | name: prometheus -------------------------------------------------------------------------------- /components/monitoring/otel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring/otel-collector 5 | -------------------------------------------------------------------------------- /components/monitoring/privileged/README.md: -------------------------------------------------------------------------------- 1 | Update cadvisor to run as root in privileged mode so that it can collect resource-usage data for services. A privileged root container has broad access to the node it runs on, so enable this component only where those metrics are needed.
2 | -------------------------------------------------------------------------------- /components/monitoring/rbacs/README.md: -------------------------------------------------------------------------------- 1 | RBAC resources for monitoring services (cadvisor not included) 2 | -------------------------------------------------------------------------------- /components/monitoring/rbacs/grafana/grafana.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: grafana 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: grafana 10 | volumeMounts: 11 | - mountPath: /var/lib/grafana 12 | name: grafana-data 13 | - mountPath: /sg_config_grafana/provisioning/datasources 14 | name: config 15 | - mountPath: /sg_grafana_additional_dashboards 16 | name: dashboards 17 | $patch: delete 18 | serviceAccountName: grafana 19 | -------------------------------------------------------------------------------- /components/monitoring/rbacs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring/grafana/rbac 5 | - ../../../base/monitoring/prometheus/rbac 6 | patches: 7 | - path: prometheus/prometheus.Deployment.yaml 8 | - path: grafana/grafana.StatefulSet.yaml 9 | - patch: |- 10 | - op: remove 11 | path: /data/prometheus.yml 12 | - op: remove 13 | path: /data/extra_rules.yml 14 | target: 15 | name: prometheus 16 | version: v1 17 | kind: ConfigMap 18 | -------------------------------------------------------------------------------- /components/monitoring/rbacs/prometheus/prometheus.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: prometheus 5 | spec: 6 | template: 7 | spec: 8 | serviceAccountName: 
prometheus 9 | volumes: 10 | - configMap: 11 | defaultMode: 0777 # NOTE(review): 0777 sets read/write/execute mode bits for owner, group and others on the files projected from this ConfigMap; confirm whether a read-only mode such as 0444 is sufficient 12 | name: prometheus-rbac 13 | name: config 14 | -------------------------------------------------------------------------------- /components/monitoring/tracing/README.md: -------------------------------------------------------------------------------- 1 | # Tracing 2 | 3 | Add otel with a Jaeger backend, consisting of its [Collector](https://www.jaegertracing.io/docs/1.37/architecture/#collector) and [Query](https://www.jaegertracing.io/docs/1.37/architecture/#query) components. It also [configures](https://github.com/sourcegraph/sourcegraph/blob/main/docker-images/opentelemetry-collector/configs/jaeger.yaml) the `otel-collector` to export to this Jaeger instance. 4 | -------------------------------------------------------------------------------- /components/monitoring/tracing/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - ../../../base/monitoring/otel-collector 5 | - ../../../base/monitoring/jaeger 6 | patches: 7 | - patch: |- 8 | - op: add 9 | path: /spec/template/spec/containers/0/env/- 10 | value: 11 | name: JAEGER_SERVER_URL 12 | value: http://jaeger-query:16686 13 | target: 14 | kind: Deployment 15 | name: sourcegraph-frontend 16 | - path: patches/otel-collector.Deployment.yaml 17 | - path: patches/grafana.ConfigMap.yaml 18 | -------------------------------------------------------------------------------- /components/monitoring/tracing/patches/grafana.ConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: grafana 5 | data: 6 | datasources.yml: | 7 | apiVersion: 1 8 | 9 | datasources: 10 | - name: Prometheus 11 | type: prometheus 12 | access: proxy 13 | url: http://prometheus:30090 14 | isDefault: true 15 | editable: false 16 | - name: Jaeger 17 | 
type: Jaeger 18 | access: proxy 19 | url: http://jaeger-query:16686/-/debug/jaeger 20 | -------------------------------------------------------------------------------- /components/monitoring/tracing/patches/otel-collector.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: otel-collector 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: otel-collector 10 | command: 11 | - "/bin/otelcol-sourcegraph" 12 | - "--config=/etc/otel-collector/configs/jaeger.yaml" 13 | env: 14 | - name: JAEGER_HOST 15 | value: jaeger-collector 16 | -------------------------------------------------------------------------------- /components/network/envoy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - patches/gitserver.EnvoyFilter.yaml 5 | -------------------------------------------------------------------------------- /components/network/loadbalancer/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/sourcegraph-frontend.Service.yaml 5 | -------------------------------------------------------------------------------- /components/network/loadbalancer/patches/sourcegraph-frontend.Service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | type: LoadBalancer 7 | # externalTrafficPolicy: Local 8 | -------------------------------------------------------------------------------- /components/network/network-policy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - patches/sourcegraph.Namespace.yaml 5 | - patches/sourcegraph.NetworkPolicy.yaml 6 | -------------------------------------------------------------------------------- /components/network/network-policy/patches/sourcegraph.Namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | # This will be updated to the namespace set in your overlay automatically 5 | name: ns-sourcegraph 6 | labels: 7 | deploy: sourcegraph 8 | name: sourcegraph-prod -------------------------------------------------------------------------------- /components/network/network-policy/patches/sourcegraph.NetworkPolicy.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: sourcegraph-prod 5 | spec: 6 | # For all pods with the label "deploy: sourcegraph" 7 | podSelector: 8 | matchLabels: 9 | deploy: sourcegraph 10 | policyTypes: 11 | - Ingress 12 | - Egress 13 | # Allow traffic only to and from namespaces labelled "name: sourcegraph-prod"; because both Ingress and Egress are listed, this policy permits no other ingress or egress for the selected pods 14 | ingress: 15 | - from: 16 | - namespaceSelector: 17 | matchLabels: 18 | name: sourcegraph-prod 19 | egress: 20 | - to: 21 | - namespaceSelector: 22 | matchLabels: 23 | name: sourcegraph-prod -------------------------------------------------------------------------------- /components/network/nodeport/30080/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/30080.yaml 5 | -------------------------------------------------------------------------------- /components/network/nodeport/30080/patches/30080.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: 
sourcegraph-frontend 5 | spec: 6 | type: NodePort 7 | ports: 8 | - name: http 9 | port: 30080 10 | nodePort: 30080 -------------------------------------------------------------------------------- /components/network/nodeport/custom/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/custom.NodePort.yaml 5 | -------------------------------------------------------------------------------- /components/network/nodeport/custom/patches/custom.NodePort.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: sourcegraph-frontend 5 | spec: 6 | type: NodePort 7 | ports: 8 | - name: http 9 | port: 30080 10 | # Add your nodePort value below 11 | # ex:nodePort: 30080 -------------------------------------------------------------------------------- /components/network/tls-secretname/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | 4 | replacements: 5 | - source: 6 | fieldPath: data.TLS_SECRET_NAME 7 | kind: ConfigMap 8 | name: sourcegraph-kustomize-build-config 9 | targets: 10 | - fieldPaths: 11 | - spec.tls.*.secretName 12 | select: 13 | kind: Ingress 14 | name: sourcegraph-frontend 15 | -------------------------------------------------------------------------------- /components/network/tls/README.md: -------------------------------------------------------------------------------- 1 | # TLS component 2 | 3 | For demonstration only. We do not recommend storing any keys or secrets remotely. 4 | 5 | DO NOT commit any keys or secrets to public or private repositories. 
6 | -------------------------------------------------------------------------------- /components/network/tls/patches/frontend.Ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: sourcegraph-frontend 5 | annotations: 6 | kubernetes.io/ingress.class: $(TLS_INGRESS_CLASS_NAME) # replace with actual ingress class name 7 | cert-manager.io/cluster-issuer: $(TLS_CLUSTER_ISSUER) # replace with actual cluster-issuer name 8 | spec: 9 | ingressClassName: $(TLS_INGRESS_CLASS_NAME) 10 | tls: 11 | - hosts: 12 | - $(TLS_HOST) 13 | secretName: sourcegraph-frontend-tls 14 | rules: 15 | - host: $(TLS_HOST) 16 | http: 17 | paths: 18 | - path: / 19 | pathType: Prefix 20 | backend: 21 | service: 22 | name: sourcegraph-frontend 23 | port: 24 | number: 30080 25 | -------------------------------------------------------------------------------- /components/patches/frontend-ingress.annotations.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | annotations: 5 | # Add new annotations below 6 | -------------------------------------------------------------------------------- /components/patches/frontend-vars.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | DEPLOY_TYPE: kustomize 7 | # Add env vars for frontend service below 8 | -------------------------------------------------------------------------------- /components/patches/security-context/monitoring/cadvisor.DaemonSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: DaemonSet 3 | # metadata: 4 | # name: cadvisor 5 | # spec: 6 | # template: 7 | # spec: 8 | # serviceAccountName: cadvisor 9 | # 
containers: 10 | # - name: cadvisor 11 | # securityContext: 12 | # privileged: true 13 | -------------------------------------------------------------------------------- /components/patches/security-context/monitoring/grafana.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: StatefulSet 3 | # metadata: 4 | # name: grafana 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: grafana 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 472 13 | # runAsUser: 472 14 | # securityContext: 15 | # runAsUser: 472 16 | # fsGroup: 472 17 | -------------------------------------------------------------------------------- /components/patches/security-context/monitoring/node-exporter.DaemonSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: DaemonSet 3 | # metadata: 4 | # name: node-exporter 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: node-exporter 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # readOnlyRootFilesystem: true 13 | # runAsGroup: 65534 14 | # runAsUser: 65534 15 | # securityContext: 16 | # fsGroup: 65534 17 | # runAsGroup: 65534 18 | # runAsNonRoot: true 19 | # runAsUser: 65534 20 | -------------------------------------------------------------------------------- /components/patches/security-context/monitoring/otel-agent.DaemonSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: DaemonSet 3 | # metadata: 4 | # name: otel-agent 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: otel-agent 10 | # securityContext: 11 | # # Required to prevent escalations to root. 
12 | # allowPrivilegeEscalation: false 13 | # runAsUser: 100 14 | # runAsGroup: 101 15 | -------------------------------------------------------------------------------- /components/patches/security-context/monitoring/otel-collector.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: otel-collector 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: otel-collector 10 | # securityContext: 11 | # # Required to prevent escalations to root. 12 | # allowPrivilegeEscalation: false 13 | # runAsUser: 100 14 | # runAsGroup: 101 15 | # securityContext: 16 | # runAsUser: 100 17 | # fsGroup: 101 18 | -------------------------------------------------------------------------------- /components/patches/security-context/monitoring/prometheus.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: prometheus 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: prometheus 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 100 13 | # runAsUser: 100 14 | # terminationGracePeriodSeconds: 120 15 | # securityContext: 16 | # runAsUser: 100 17 | # fsGroup: 100 18 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/blobstore.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: blobstore 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: blobstore 10 | # securityContext: 11 | # runAsUser: 100 12 | # runAsGroup: 101 13 | # allowPrivilegeEscalation: false 14 | # securityContext: 15 | # runAsUser: 100 16 | # fsGroup: 101 17 | 
-------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/codeintel-db.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: StatefulSet 3 | # metadata: 4 | # name: codeintel-db 5 | # spec: 6 | # template: 7 | # spec: 8 | # initContainers: 9 | # - name: correct-data-dir-permissions 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 999 13 | # runAsUser: 999 14 | # containers: 15 | # - name: pgsql 16 | # securityContext: 17 | # allowPrivilegeEscalation: false 18 | # runAsUser: 999 19 | # runAsGroup: 999 20 | # securityContext: 21 | # fsGroup: 999 22 | # runAsUser: 999 23 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/gitserver.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: StatefulSet 3 | # metadata: 4 | # name: gitserver 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: gitserver 10 | # securityContext: 11 | # runAsUser: 100 12 | # runAsGroup: 101 13 | # allowPrivilegeEscalation: false 14 | # securityContext: 15 | # runAsUser: 100 16 | # fsGroup: 101 17 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/indexed-search.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: StatefulSet 3 | # metadata: 4 | # name: indexed-search 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: zoekt-webserver 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsUser: 100 13 | # runAsGroup: 101 14 | # - name: zoekt-indexserver 15 | # securityContext: 16 | # allowPrivilegeEscalation: false 17 | # runAsUser: 
100 18 | # runAsGroup: 101 19 | # securityContext: 20 | # runAsUser: 100 21 | # fsGroup: 101 22 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/pgsql.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: StatefulSet 3 | # metadata: 4 | # name: pgsql 5 | # spec: 6 | # template: 7 | # spec: 8 | # initContainers: 9 | # - name: correct-data-dir-permissions 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsUser: 999 13 | # runAsGroup: 999 14 | # containers: 15 | # - name: pgsql 16 | # securityContext: 17 | # allowPrivilegeEscalation: false 18 | # runAsUser: 999 19 | # runAsGroup: 999 20 | # securityContext: 21 | # runAsUser: 999 22 | # fsGroup: 999 23 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/precise-code-intel-worker.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: precise-code-intel-worker 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: precise-code-intel-worker 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 101 13 | # runAsUser: 100 14 | # securityContext: 15 | # fsGroup: 101 16 | # runAsUser: 100 17 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/redis-cache.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: redis-cache 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: redis-cache 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 1000 13 | # 
runAsUser: 999 14 | # - name: redis-exporter 15 | # securityContext: 16 | # allowPrivilegeEscalation: false 17 | # runAsGroup: 1000 18 | # runAsUser: 999 19 | # securityContext: 20 | # runAsUser: 999 21 | # fsGroup: 1000 22 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/redis-store.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: redis-store 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: redis-store 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 1000 13 | # runAsUser: 999 14 | # - name: redis-exporter 15 | # securityContext: 16 | # allowPrivilegeEscalation: false 17 | # runAsGroup: 1000 18 | # runAsUser: 999 19 | # securityContext: 20 | # runAsUser: 999 21 | # fsGroup: 1000 22 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/searcher.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: StatefulSet 3 | # metadata: 4 | # name: searcher 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: searcher 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 101 13 | # runAsUser: 100 14 | # securityContext: 15 | # runAsUser: 100 16 | # fsGroup: 101 17 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/sourcegraph-frontend.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: sourcegraph-frontend 5 | # spec: 6 | # template: 7 | # spec: 8 | # initContainers: 9 | # - name: migrator 10 | # securityContext: 
11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 101 13 | # runAsUser: 100 14 | # containers: 15 | # - name: frontend 16 | # securityContext: 17 | # allowPrivilegeEscalation: false 18 | # runAsGroup: 101 19 | # runAsUser: 100 20 | # securityContext: 21 | # runAsUser: 100 22 | # fsGroup: 101 23 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/syntect-server.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: syntect-server 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: syntect-server 10 | # securityContext: 11 | # allowPrivilegeEscalation: false 12 | # runAsGroup: 101 13 | # runAsUser: 100 14 | # securityContext: 15 | # runAsUser: 100 16 | # fsGroup: 101 17 | -------------------------------------------------------------------------------- /components/patches/security-context/sourcegraph/worker.Deployment.yaml: -------------------------------------------------------------------------------- 1 | # apiVersion: apps/v1 2 | # kind: Deployment 3 | # metadata: 4 | # name: worker 5 | # spec: 6 | # template: 7 | # spec: 8 | # containers: 9 | # - name: worker 10 | # securityContext: 11 | # # Required to prevent escalations to root. 
12 | # allowPrivilegeEscalation: false 13 | # runAsUser: 100 14 | # runAsGroup: 101 15 | # securityContext: 16 | # runAsUser: 100 17 | # fsGroup: 101 18 | # fsGroupChangePolicy: OnRootMismatch 19 | -------------------------------------------------------------------------------- /components/privileged/README.md: -------------------------------------------------------------------------------- 1 | Run as root with privileges 2 | -------------------------------------------------------------------------------- /components/privileged/patches/blobstore/blobstore.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: blobstore 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: blobstore 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | # runAsGroup: 0 13 | # runAsUser: 0 14 | securityContext: 15 | runAsUser: 0 16 | fsGroup: 0 -------------------------------------------------------------------------------- /components/privileged/patches/databases/securityContext.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/securityContext 3 | value: 4 | allowPrivilegeEscalation: true 5 | runAsGroup: 0 6 | runAsUser: 0 7 | - op: replace 8 | path: /spec/template/spec/initContainers/0/securityContext 9 | value: 10 | allowPrivilegeEscalation: true 11 | runAsGroup: 0 12 | runAsUser: 0 13 | - op: replace 14 | path: /spec/template/spec/securityContext 15 | value: 16 | runAsUser: 0 17 | fsGroup: 0 18 | -------------------------------------------------------------------------------- /components/privileged/patches/gitserver/gitserver.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: gitserver 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - 
name: gitserver 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | securityContext: 15 | runAsUser: 0 16 | fsGroup: 0 -------------------------------------------------------------------------------- /components/privileged/patches/indexed-search/indexed-search.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: indexed-search 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: zoekt-webserver 10 | securityContext: 11 | # Privileged variant: privilege escalation is allowed and the container runs as root (UID/GID 0). 12 | allowPrivilegeEscalation: true 13 | runAsUser: 0 14 | runAsGroup: 0 15 | - name: zoekt-indexserver 16 | securityContext: 17 | # Privileged variant: privilege escalation is allowed and the container runs as root (UID/GID 0). 18 | allowPrivilegeEscalation: true 19 | runAsUser: 0 20 | runAsGroup: 0 21 | securityContext: 22 | runAsUser: 0 23 | runAsGroup: 0 -------------------------------------------------------------------------------- /components/privileged/patches/precise-code-intel/worker.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: precise-code-intel-worker 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: precise-code-intel-worker 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | securityContext: 15 | fsGroup: 0 16 | runAsUser: 0 17 | 18 | -------------------------------------------------------------------------------- /components/privileged/patches/redis/redis-cache.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-cache 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: redis-cache 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | 
runAsUser: 0 14 | - name: redis-exporter 15 | securityContext: 16 | allowPrivilegeEscalation: true 17 | runAsGroup: 0 18 | runAsUser: 0 19 | securityContext: 20 | runAsUser: 0 21 | fsGroup: 0 -------------------------------------------------------------------------------- /components/privileged/patches/redis/redis-store.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-store 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: redis-store 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | - name: redis-exporter 15 | securityContext: 16 | allowPrivilegeEscalation: true 17 | runAsGroup: 0 18 | runAsUser: 0 19 | securityContext: 20 | runAsUser: 0 21 | fsGroup: 0 -------------------------------------------------------------------------------- /components/privileged/patches/searcher/searcher.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/securityContext 3 | value: 4 | allowPrivilegeEscalation: true 5 | runAsGroup: 0 6 | runAsUser: 0 7 | - op: replace 8 | path: /spec/template/spec/securityContext 9 | value: 10 | runAsUser: 0 11 | fsGroup: 0 -------------------------------------------------------------------------------- /components/privileged/patches/syntect-server/syntect-server.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: syntect-server 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: syntect-server 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | runAsGroup: 0 13 | runAsUser: 0 14 | securityContext: 15 | runAsUser: 0 16 | fsGroup: 0 -------------------------------------------------------------------------------- 
/components/remove/codeinsights-db/deployment/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: codeinsights-db-conf 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: codeinsights-db 16 | - patch: |- 17 | $patch: delete 18 | apiVersion: v1 19 | kind: PersistentVolumeClaim 20 | metadata: 21 | name: codeinsights-db 22 | - patch: |- 23 | $patch: delete 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | name: codeinsights-db 28 | -------------------------------------------------------------------------------- /components/remove/codeinsights-db/statefulset/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: codeinsights-db-conf 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: apps/v1 13 | kind: StatefulSet 14 | metadata: 15 | name: codeinsights-db 16 | - patch: |- 17 | $patch: delete 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: codeinsights-db 22 | -------------------------------------------------------------------------------- /components/remove/codeintel-db/deployment/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: codeintel-db-conf 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: codeintel-db 16 | - patch: |- 17 | $patch: delete 18 | 
apiVersion: v1 19 | kind: PersistentVolumeClaim 20 | metadata: 21 | name: codeintel-db 22 | - patch: |- 23 | $patch: delete 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | name: codeintel-db 28 | -------------------------------------------------------------------------------- /components/remove/codeintel-db/statefulset/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: codeintel-db-conf 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: apps/v1 13 | kind: StatefulSet 14 | metadata: 15 | name: codeintel-db 16 | - patch: |- 17 | $patch: delete 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: codeintel-db 22 | -------------------------------------------------------------------------------- /components/remove/daemonset/README.md: -------------------------------------------------------------------------------- 1 | # delete daemonset 2 | 3 | A component to delete all daemonsets and their related resources: 4 | 5 | - cadvisor 6 | - node-exporter 7 | - otel-agent 8 | 9 | # WARNING 10 | 11 | This component cannot be used with the [delete-cadvisor component](./delete-cadvisor/README.md), or you will see an error about not being able to find the cadvisor to delete. This is because the daemonset has already been deleted by the delete-cadvisor component. 
12 | -------------------------------------------------------------------------------- /components/remove/daemonset/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: apps/v1 7 | kind: DaemonSet 8 | metadata: 9 | name: node-exporter 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: v1 13 | kind: Service 14 | metadata: 15 | name: node-exporter 16 | -------------------------------------------------------------------------------- /components/remove/default-ingress/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: networking.k8s.io/v1 7 | kind: Ingress 8 | metadata: 9 | labels: 10 | app: sourcegraph-frontend 11 | name: sourcegraph-frontend 12 | -------------------------------------------------------------------------------- /components/remove/pgsql/deployment/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: pgsql-conf 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: pgsql 16 | - patch: |- 17 | $patch: delete 18 | apiVersion: v1 19 | kind: PersistentVolumeClaim 20 | metadata: 21 | name: pgsql 22 | - patch: |- 23 | $patch: delete 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | name: pgsql 28 | -------------------------------------------------------------------------------- /components/remove/pgsql/statefulset/kustomization.yaml: -------------------------------------------------------------------------------- 1 
| apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: pgsql-conf 10 | - patch: |- 11 | $patch: delete 12 | apiVersion: apps/v1 13 | kind: StatefulSet 14 | metadata: 15 | name: pgsql 16 | - patch: |- 17 | $patch: delete 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: pgsql 22 | -------------------------------------------------------------------------------- /components/remove/resources/README.md: -------------------------------------------------------------------------------- 1 | Removes the `resources` block (requests and limits) from the containers selected in kustomization.yaml 2 | -------------------------------------------------------------------------------- /components/remove/resources/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/container-0.yaml 5 | target: 6 | group: apps 7 | kind: Deployment|StatefulSet|DaemonSet 8 | name: .* 9 | version: v1 10 | - path: patches/container-1.yaml 11 | target: 12 | kind: StatefulSet|Deployment 13 | name: pgsql|codeinsights-db|codeintel-db|indexed-search|redis-cache|redis-store 14 | version: v1 15 | - path: patches/container-init.yaml 16 | target: 17 | kind: StatefulSet|Deployment 18 | name: pgsql|codeinsights-db|codeintel-db|sourcegraph-frontend 19 | version: v1 20 | -------------------------------------------------------------------------------- /components/remove/resources/patches/container-0.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/0/resources -------------------------------------------------------------------------------- /components/remove/resources/patches/container-1.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path:
/spec/template/spec/containers/1/resources -------------------------------------------------------------------------------- /components/remove/resources/patches/container-init.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/initContainers/0/resources -------------------------------------------------------------------------------- /components/remove/searcher-statefulset/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | $patch: delete 6 | apiVersion: apps/v1 7 | kind: StatefulSet 8 | metadata: 9 | name: searcher 10 | -------------------------------------------------------------------------------- /components/remove/security-context/patches/securityContext-cluster.yaml: -------------------------------------------------------------------------------- 1 | - path: /spec/template/spec/securityContext/fsGroupChangePolicy 2 | op: remove 3 | - path: /spec/template/spec/securityContext/fsGroup 4 | op: remove -------------------------------------------------------------------------------- /components/remove/security-context/patches/securityContext-container-0.yaml: -------------------------------------------------------------------------------- 1 | - path: /spec/template/spec/containers/0/securityContext 2 | op: remove 3 | - path: /spec/template/spec/securityContext 4 | op: remove 5 | -------------------------------------------------------------------------------- /components/remove/security-context/patches/securityContext-container-1.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /spec/template/spec/containers/1/securityContext 3 | -------------------------------------------------------------------------------- 
/components/remove/security-context/patches/securityContext-daemonset.yaml:
--------------------------------------------------------------------------------
1 | # Deletes the whole securityContext of the first container (index 0) in the pod template.
2 | # The workloads this applies to are selected by the component's kustomization.yaml,
3 | # which is not shown in this part of the listing.
4 | # NOTE(review): once removed, the container falls back to image and cluster defaults;
5 | # confirm the cluster's admission policy still accepts the resulting pods.
6 | - path: /spec/template/spec/containers/0/securityContext
7 |   op: remove
8 | 
--------------------------------------------------------------------------------
/components/remove/security-context/patches/securityContext-databases.yaml:
--------------------------------------------------------------------------------
1 | # Removes two fields from the first init container's securityContext and leaves
2 | # the rest of that securityContext in place.
3 | # NOTE(review): with allowPrivilegeEscalation removed the field is unset, which
4 | # Kubernetes does not treat as "false"; confirm that is intended.
5 | - op: remove
6 |   path: /spec/template/spec/initContainers/0/securityContext/allowPrivilegeEscalation
7 | - op: remove
8 |   path: /spec/template/spec/initContainers/0/securityContext/runAsGroup
--------------------------------------------------------------------------------
/components/remove/security-context/patches/securityContext-initContainer.yaml:
--------------------------------------------------------------------------------
1 | # Deletes the whole securityContext of the first init container (index 0).
2 | # A JSON Patch "remove" needs the path to exist, so this only applies cleanly
3 | # to workloads whose first init container defines a securityContext.
4 | - op: remove
5 |   path: /spec/template/spec/initContainers/0/securityContext
--------------------------------------------------------------------------------
/components/resources/ci-volume/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Applies one volume patch each to the indexed-search and gitserver StatefulSets.
2 | # NOTE(review): patches/indexed-search-patch.yaml is referenced here but does not
3 | # appear in this part of the listing; confirm the file exists.
4 | apiVersion: kustomize.config.k8s.io/v1alpha1
5 | kind: Component
6 | patches:
7 |   - path: patches/indexed-search-patch.yaml
8 |     target:
9 |       kind: StatefulSet
10 |       name: indexed-search
11 |   - path: patches/gitserver-patch.yaml
12 |     target:
13 |       kind: StatefulSet
14 |       name: gitserver
15 | 
--------------------------------------------------------------------------------
/components/resources/ci-volume/patches/gitserver-patch.yaml:
--------------------------------------------------------------------------------
1 | # Patch for the gitserver StatefulSet: sets POD_NAME and NEW_MIGRATIONS, and mounts
2 | # the ci-volume hostPath at /data/repos under a per-pod sub-directory.
3 | apiVersion: apps/v1
4 | kind: StatefulSet
5 | metadata:
6 |   name: gitserver
7 | spec:
8 |   template:
9 |     spec:
10 |       containers:
11 |         - name: gitserver
12 |           env:
13 |             - name: POD_NAME
14 |               valueFrom:
15 |                 fieldRef:
16 |                   apiVersion: v1
17 |                   fieldPath: metadata.name
18 |             - name: NEW_MIGRATIONS
19 |               value: "true"
20 |           volumeMounts:
21 |             - name: ci-volume
22 |               mountPath: /data/repos
23 |               # POD_NAME is the pod's metadata.name (see env above), so each pod gets its own directory.
24 |               subPathExpr: $(POD_NAME)
25 |       volumes:
26 |         - name: ci-volume
27 |           # hostPath exposes a directory of the node's filesystem to the pod;
28 |           # DirectoryOrCreate creates it on the node when it is missing.
29 |           # NOTE(review): the buildkite path suggests CI-only use; confirm this component stays out of production overlays.
30 |           hostPath:
31 |             path: /mnt/disks/ssd0/buildkite/cluster-statefulset/
32 |             type: DirectoryOrCreate
--------------------------------------------------------------------------------
/components/resources/lower-requests/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Lowers resource requests only (limits are not touched): container 0 of every
2 | # Deployment, StatefulSet and DaemonSet, and container 1 of indexed-search,
3 | # are set to 100m CPU and 250M memory.
4 | apiVersion: kustomize.config.k8s.io/v1alpha1
5 | kind: Component
6 | patches:
7 |   - patch: |-
8 |       - op: replace
9 |         path: /spec/template/spec/containers/0/resources/requests/cpu
10 |         value: 100m
11 |       - op: replace
12 |         path: /spec/template/spec/containers/0/resources/requests/memory
13 |         value: 250M
14 |     target:
15 |       kind: Deployment|StatefulSet|DaemonSet
16 |       name: .*
17 |       version: v1
18 |   - patch: |-
19 |       - op: replace
20 |         path: /spec/template/spec/containers/1/resources/requests/cpu
21 |         value: 100m
22 |       - op: replace
23 |         path: /spec/template/spec/containers/1/resources/requests/memory
24 |         value: 250M
25 |     target:
26 |       kind: StatefulSet
27 |       name: indexed-search
28 |       version: v1
29 | 
--------------------------------------------------------------------------------
/components/resources/namespace/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Adds the Namespace manifest under patches/ to the build as a resource.
2 | apiVersion: kustomize.config.k8s.io/v1alpha1
3 | kind: Component
4 | resources:
5 |   - patches/sourcegraph.Namespace.yaml
--------------------------------------------------------------------------------
/components/resources/namespace/patches/sourcegraph.Namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   # This will be updated to the namespace set in your overlay automatically
5 |   name: placeholder
6 |   labels:
7 |     deploy: sourcegraph
8 |     name: sourcegraph-namespace
9 | 
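--------------------------------------------------------------------------------
/components/services/codeinsights-db/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Applies the Deployment patch to the codeinsights-db StatefulSet;
2 | # allowKindChange lets the patch change the resource's kind.
3 | apiVersion: kustomize.config.k8s.io/v1alpha1
4 | kind: Component
5 | patches:
6 |   - path: patches/codeinsights-db.Deployment.yaml
7 |     target:
8 |       kind: StatefulSet
9 |       name: codeinsights-db
10 |     options:
11 |       allowKindChange: true
12 | 
--------------------------------------------------------------------------------
/components/services/codeinsights-db/patches/codeinsights-db.Deployment.yaml:
--------------------------------------------------------------------------------
1 | # Turns the StatefulSet into a Deployment: the StatefulSet-only fields
2 | # (updateStrategy, volumeClaimTemplates, serviceName) are cleared and the
3 | # Deployment strategy is set to Recreate.
4 | apiVersion: apps/v1
5 | kind: Deployment
6 | metadata:
7 |   name: codeinsights-db
8 | spec:
9 |   updateStrategy:
10 |     $patch: delete
11 |   strategy:
12 |     type: Recreate
13 |   volumeClaimTemplates:
14 |   serviceName:
15 | 
--------------------------------------------------------------------------------
/components/services/codeintel-db/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Applies the Deployment patch to the codeintel-db StatefulSet;
2 | # allowKindChange lets the patch change the resource's kind.
3 | apiVersion: kustomize.config.k8s.io/v1alpha1
4 | kind: Component
5 | patches:
6 |   - path: patches/codeintel-db.Deployment.yaml
7 |     target:
8 |       kind: StatefulSet
9 |       name: codeintel-db
10 |     options:
11 |       allowKindChange: true
12 | 
--------------------------------------------------------------------------------
/components/services/codeintel-db/patches/codeintel-db.Deployment.yaml:
--------------------------------------------------------------------------------
1 | # Turns the StatefulSet into a Deployment: the StatefulSet-only fields
2 | # (updateStrategy, volumeClaimTemplates, serviceName) are cleared and the
3 | # Deployment strategy is set to Recreate.
4 | apiVersion: apps/v1
5 | kind: Deployment
6 | metadata:
7 |   # Names the same resource as the target in this component's kustomization.yaml.
8 |   name: codeintel-db
9 | spec:
10 |   updateStrategy:
11 |     $patch: delete
12 |   strategy:
13 |     type: Recreate
14 |   volumeClaimTemplates:
15 |   serviceName:
16 | 
--------------------------------------------------------------------------------
/components/services/pgsql/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Applies the Deployment patch to the pgsql StatefulSet;
2 | # allowKindChange lets the patch change the resource's kind.
3 | apiVersion: kustomize.config.k8s.io/v1alpha1
4 | kind: Component
5 | patches:
6 |   - path: patches/pgsql.Deployment.yaml
7 |     target:
8 |       kind: StatefulSet
9 |       name: pgsql
10 |     options:
11 |       allowKindChange: true
12 | 
--------------------------------------------------------------------------------
/components/services/pgsql/patches/pgsql.Deployment.yaml:
--------------------------------------------------------------------------------
1 | # Turns the StatefulSet into a Deployment: the StatefulSet-only fields
2 | # (updateStrategy, volumeClaimTemplates, serviceName) are cleared and the
3 | # Deployment strategy is set to Recreate.
4 | apiVersion: apps/v1
5 | kind: Deployment
6 | metadata:
7 |   # Names the same resource as the target in this component's kustomization.yaml.
8 |   name: pgsql
9 | spec:
10 |   updateStrategy:
11 |     $patch: delete
12 |   strategy:
13 |     type: Recreate
14 |   volumeClaimTemplates:
15 |   serviceName:
16 | 
--------------------------------------------------------------------------------
/components/services/searcher/README.md:
--------------------------------------------------------------------------------
1 | Component to deploy searcher as Deployment instead of Statefulset and vice versa
2 | 
--------------------------------------------------------------------------------
/components/services/searcher/deployment/README.md:
--------------------------------------------------------------------------------
1 | A component to deploy searcher as Deployment instead of Statefulset.
2 | 
3 | It adds the searcher Deployment resource and deletes the searcher Statefulset.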
4 | -------------------------------------------------------------------------------- /components/services/searcher/deployment/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - options: 5 | allowKindChange: true 6 | path: patches/searcher.Deployment.yaml 7 | target: 8 | kind: StatefulSet 9 | name: searcher 10 | - patch: |- 11 | - op: remove 12 | path: /spec/clusterIP 13 | target: 14 | kind: Service 15 | name: searcher 16 | -------------------------------------------------------------------------------- /components/services/searcher/statefulset/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - options: 5 | allowKindChange: true 6 | path: patches/searcher.StatefulSet.yaml 7 | target: 8 | kind: Deployment 9 | name: searcher 10 | -------------------------------------------------------------------------------- /components/sizes/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sourcegraph/deploy-sourcegraph-k8s/1ac4f117d9f67a96284151b2dccf5b94c103a768/components/sizes/.DS_Store -------------------------------------------------------------------------------- /components/sizes/l/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sourcegraph/deploy-sourcegraph-k8s/1ac4f117d9f67a96284151b2dccf5b94c103a768/components/sizes/l/.DS_Store -------------------------------------------------------------------------------- /components/sizes/l/README.md: -------------------------------------------------------------------------------- 1 | # Size L Component 2 | 3 | A Component to update the resources for your Sourcegraph deployment to support up to: 4 | 5 | - 10,000 
users 6 | - 100,000 repositories 7 | 8 | Rockskip is enabled by default. Use the rockskip/disable component to disable rockskip if needed. 9 | -------------------------------------------------------------------------------- /components/sizes/l/patches/codeinsights-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 2G 7 | -------------------------------------------------------------------------------- /components/sizes/l/patches/codeintel-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 4G 7 | -------------------------------------------------------------------------------- /components/sizes/l/patches/endpoints.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: gitserver-0.gitserver:3178 7 | SEARCHER_URL: http://searcher-0.searcher:3181 8 | INDEXED_SEARCH_SERVERS: indexed-search-0.indexed-search:6070 indexed-search-1.indexed-search:6070 9 | -------------------------------------------------------------------------------- /components/sizes/l/patches/pgsql.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 6G 7 | -------------------------------------------------------------------------------- /components/sizes/l/patches/searcher.yaml: 
-------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/replicas 3 | value: 1 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/cpu 6 | value: "6" 7 | - op: replace 8 | path: /spec/template/spec/containers/0/resources/limits/memory 9 | value: 12G 10 | - op: add 11 | path: /spec/template/spec/containers/0/env/- 12 | value: 13 | name: USE_ROCKSKIP 14 | value: "true" 15 | - op: add 16 | path: /spec/template/spec/containers/0/env/- 17 | value: 18 | name: ROCKSKIP_MIN_REPO_SIZE_MB 19 | value: "1000" 20 | -------------------------------------------------------------------------------- /components/sizes/m/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sourcegraph/deploy-sourcegraph-k8s/1ac4f117d9f67a96284151b2dccf5b94c103a768/components/sizes/m/.DS_Store -------------------------------------------------------------------------------- /components/sizes/m/README.md: -------------------------------------------------------------------------------- 1 | # Size M Component 2 | 3 | A Component to update the resources for your Sourcegraph deployment to support up to: 4 | 5 | - 5,000 users 6 | - 50,000 repositories 7 | 8 | Rockskip is enabled by default. Use the rockskip/disable component to disable rockskip if needed. 
9 | -------------------------------------------------------------------------------- /components/sizes/m/patches/codeinsights-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 2G 7 | -------------------------------------------------------------------------------- /components/sizes/m/patches/codeintel-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 4G 7 | -------------------------------------------------------------------------------- /components/sizes/m/patches/endpoints.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: gitserver-0.gitserver:3178 7 | SEARCHER_URL: http://searcher-0.searcher:3181 8 | INDEXED_SEARCH_SERVERS: indexed-search-0.indexed-search:6070 9 | -------------------------------------------------------------------------------- /components/sizes/m/patches/pgsql.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 6G 7 | -------------------------------------------------------------------------------- /components/sizes/m/patches/searcher.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/replicas 3 | value: 1 4 | - op: replace 5 | path: 
/spec/template/spec/containers/0/resources/limits/cpu 6 | value: "5" 7 | - op: replace 8 | path: /spec/template/spec/containers/0/resources/limits/memory 9 | value: 12G 10 | - op: add 11 | path: /spec/template/spec/containers/0/env/- 12 | value: 13 | name: USE_ROCKSKIP 14 | value: "true" 15 | - op: add 16 | path: /spec/template/spec/containers/0/env/- 17 | value: 18 | name: ROCKSKIP_MIN_REPO_SIZE_MB 19 | value: "1000" 20 | -------------------------------------------------------------------------------- /components/sizes/s/README.md: -------------------------------------------------------------------------------- 1 | # Size S Component 2 | 3 | A Component to update the resources for your Sourcegraph deployment to support up to: 4 | 5 | - 1,000 users 6 | - 10,000 repositories 7 | 8 | Rockskip is enabled by default. Use the rockskip/disable component to disable rockskip if needed. 9 | -------------------------------------------------------------------------------- /components/sizes/s/patches/codeinsights-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 2G 7 | -------------------------------------------------------------------------------- /components/sizes/s/patches/codeintel-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 4G 7 | -------------------------------------------------------------------------------- /components/sizes/s/patches/endpoints.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: 
sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: gitserver-0.gitserver:3178 7 | SEARCHER_URL: http://searcher-0.searcher:3181 8 | INDEXED_SEARCH_SERVERS: indexed-search-0.indexed-search:6070 9 | -------------------------------------------------------------------------------- /components/sizes/s/patches/pgsql.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 6G 7 | -------------------------------------------------------------------------------- /components/sizes/s/patches/searcher.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/replicas 3 | value: 1 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/cpu 6 | value: "6" 7 | - op: replace 8 | path: /spec/template/spec/containers/0/resources/limits/memory 9 | value: 12G 10 | - op: add 11 | path: /spec/template/spec/containers/0/env/- 12 | value: 13 | name: USE_ROCKSKIP 14 | value: "true" 15 | - op: add 16 | path: /spec/template/spec/containers/0/env/- 17 | value: 18 | name: ROCKSKIP_MIN_REPO_SIZE_MB 19 | value: "1000" -------------------------------------------------------------------------------- /components/sizes/xl/README.md: -------------------------------------------------------------------------------- 1 | # Size XL Component 2 | 3 | A Component to update the resources for your Sourcegraph deployment to support up to: 4 | 5 | - 20,000 users 6 | - 250,000 repositories 7 | 8 | Rockskip is enabled by default. Use the rockskip/disable component to disable rockskip if needed. 
9 | -------------------------------------------------------------------------------- /components/sizes/xl/patches/codeinsights-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 2G 7 | -------------------------------------------------------------------------------- /components/sizes/xl/patches/codeintel-db.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 4G 7 | -------------------------------------------------------------------------------- /components/sizes/xl/patches/endpoints.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: gitserver-0.gitserver:3178 gitserver-1.gitserver:3178 7 | SEARCHER_URL: http://searcher-0.searcher:3181 http://searcher-1.searcher:3181 8 | INDEXED_SEARCH_SERVERS: indexed-search-0.indexed-search:6070 indexed-search-1.indexed-search:6070 indexed-search-2.indexed-search:6070 9 | -------------------------------------------------------------------------------- /components/sizes/xl/patches/pgsql.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "8" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 32G 7 | -------------------------------------------------------------------------------- /components/sizes/xl/patches/searcher.yaml: 
-------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/replicas 3 | value: 2 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/cpu 6 | value: "10" 7 | - op: replace 8 | path: /spec/template/spec/containers/0/resources/limits/memory 9 | value: 16G 10 | - op: add 11 | path: /spec/template/spec/containers/0/env/- 12 | value: 13 | name: USE_ROCKSKIP 14 | value: "true" 15 | - op: add 16 | path: /spec/template/spec/containers/0/env/- 17 | value: 18 | name: ROCKSKIP_MIN_REPO_SIZE_MB 19 | value: "1000" 20 | -------------------------------------------------------------------------------- /components/sizes/xs/README.md: -------------------------------------------------------------------------------- 1 | # Size XS Component 2 | 3 | A Component to update the resources for your Sourcegraph deployment to support up to: 4 | 5 | - 500 users 6 | - 5,000 repositories 7 | 8 | Rockskip is enabled by default. Use the rockskip/disable component to disable rockskip if needed. 
9 | -------------------------------------------------------------------------------- /components/sizes/xs/patches/databases.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/template/spec/containers/0/resources/limits/cpu 3 | value: "4" 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/memory 6 | value: 4G 7 | -------------------------------------------------------------------------------- /components/sizes/xs/patches/endpoints.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: sourcegraph-frontend-env 5 | data: 6 | SRC_GIT_SERVERS: gitserver-0.gitserver:3178 7 | SEARCHER_URL: http://searcher-0.searcher:3181 8 | INDEXED_SEARCH_SERVERS: indexed-search-0.indexed-search:6070 9 | -------------------------------------------------------------------------------- /components/sizes/xs/patches/searcher.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/replicas 3 | value: 1 4 | - op: replace 5 | path: /spec/template/spec/containers/0/resources/limits/cpu 6 | value: "2" 7 | - op: replace 8 | path: /spec/template/spec/containers/0/resources/limits/memory 9 | value: 2G 10 | - op: add 11 | path: /spec/template/spec/containers/0/env/- 12 | value: 13 | name: USE_ROCKSKIP 14 | value: "true" 15 | - op: add 16 | path: /spec/template/spec/containers/0/env/- 17 | value: 18 | name: ROCKSKIP_MIN_REPO_SIZE_MB 19 | value: "1000" 20 | -------------------------------------------------------------------------------- /components/storage-class/aws/aws-ebs/README.md: -------------------------------------------------------------------------------- 1 | # # Storageclass Component for AWS EKS 2 | 3 | For more information, please refer to our documentation on [configuring a storage class for your cloud 
provider](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure#configure-a-storage-class). 4 | 5 | This component: 6 | 7 | - creates storage class for aws 8 | - sets the provisioner to `kubernetes.io/aws-ebs`. 9 | 10 | Use this provisioner when using the Amazon EKS add-on 11 | -------------------------------------------------------------------------------- /components/storage-class/aws/aws-ebs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | patches: 6 | - patch: |- 7 | - op: replace 8 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 9 | value: sourcegraph 10 | target: 11 | group: apps 12 | kind: StatefulSet 13 | name: searcher|indexed-search|grafana|gitserver 14 | version: v1 15 | - patch: |- 16 | - op: replace 17 | path: /spec/storageClassName 18 | value: sourcegraph 19 | target: 20 | kind: PersistentVolumeClaim 21 | name: .* 22 | version: v1 23 | -------------------------------------------------------------------------------- /components/storage-class/aws/aws-ebs/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | provisioner: kubernetes.io/aws-ebs # use this provisioner if using the Amazon EKS add-on 8 | parameters: 9 | type: gp2 # This configures SSDs (recommended). 
10 | reclaimPolicy: Retain 11 | volumeBindingMode: WaitForFirstConsumer 12 | allowVolumeExpansion: true 13 | -------------------------------------------------------------------------------- /components/storage-class/aws/ebs-csi/README.md: -------------------------------------------------------------------------------- 1 | # # Storageclass Component for AWS EBS 2 | 3 | For more information, please refer to our documentation on [configuring a storage class for your cloud provider](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure#configure-a-storage-class). 4 | 5 | This component: 6 | 7 | - creates storage class for aws 8 | - sets the provisioner to `ebs.csi.aws.com`. 9 | 10 | Use this provisioner when using the self-managed Amazon EBS Container Storage Interface driver 11 | -------------------------------------------------------------------------------- /components/storage-class/aws/ebs-csi/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | patches: 6 | - patch: |- 7 | - op: replace 8 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 9 | value: sourcegraph 10 | target: 11 | group: apps 12 | kind: StatefulSet 13 | name: searcher|indexed-search|grafana|gitserver 14 | version: v1 15 | - patch: |- 16 | - op: replace 17 | path: /spec/storageClassName 18 | value: sourcegraph 19 | target: 20 | kind: PersistentVolumeClaim 21 | name: .* 22 | version: v1 23 | -------------------------------------------------------------------------------- /components/storage-class/aws/ebs-csi/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | provisioner: ebs.csi.aws.com 8 | parameters: 9 | type: gp2 # This 
configures SSDs (recommended). 10 | reclaimPolicy: Retain 11 | volumeBindingMode: WaitForFirstConsumer 12 | allowVolumeExpansion: true 13 | -------------------------------------------------------------------------------- /components/storage-class/azure/README.md: -------------------------------------------------------------------------------- 1 | # Storageclass Component for Azure 2 | 3 | For more information, please refer to our documentation on [configuring a storage class for your cloud provider](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure#configure-a-storage-class). -------------------------------------------------------------------------------- /components/storage-class/azure/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | patches: 6 | - patch: |- 7 | - op: replace 8 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 9 | value: sourcegraph 10 | target: 11 | group: apps 12 | kind: StatefulSet 13 | name: searcher|indexed-search|grafana|gitserver 14 | version: v1 15 | - patch: |- 16 | - op: replace 17 | path: /spec/storageClassName 18 | value: sourcegraph 19 | target: 20 | kind: PersistentVolumeClaim 21 | name: .* 22 | version: v1 23 | -------------------------------------------------------------------------------- /components/storage-class/azure/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | provisioner: disk.csi.azure.com 8 | parameters: 9 | storageaccounttype: Premium_LRS # This configures SSDs (recommended). A Premium VM is required.
10 | reclaimPolicy: Retain 11 | volumeBindingMode: WaitForFirstConsumer 12 | allowVolumeExpansion: true -------------------------------------------------------------------------------- /components/storage-class/cloud/patches/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | reclaimPolicy: Retain 8 | allowVolumeExpansion: true 9 | # Read https://kubernetes.io/docs/concepts/storage/storage-classes/ to configure the "provisioner" and "parameters" fields for your cloud provider. 10 | # SSDs are highly recommended! 11 | provisioner: $(STORAGECLASS_PROVISIONER) 12 | parameters: 13 | type: $(STORAGECLASS_PARAM_TYPE) # This configures SSDs (recommended). 14 | -------------------------------------------------------------------------------- /components/storage-class/gcp/README.md: -------------------------------------------------------------------------------- 1 | # # Storageclass Component for Google Cloud Platform (GCP) 2 | 3 | For more information, please refer to our documentation on [configuring a storage class for your cloud provider](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure#configure-a-storage-class).
-------------------------------------------------------------------------------- /components/storage-class/gcp/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | patches: 6 | - patch: |- 7 | - op: replace 8 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 9 | value: sourcegraph 10 | target: 11 | group: apps 12 | kind: StatefulSet 13 | name: searcher|indexed-search|grafana|gitserver 14 | version: v1 15 | - patch: |- 16 | - op: replace 17 | path: /spec/storageClassName 18 | value: sourcegraph 19 | target: 20 | kind: PersistentVolumeClaim 21 | name: .* 22 | version: v1 23 | -------------------------------------------------------------------------------- /components/storage-class/gcp/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | provisioner: pd.csi.storage.gke.io 8 | parameters: 9 | type: pd-ssd # This configures SSDs (recommended). 
10 | reclaimPolicy: Retain 11 | allowVolumeExpansion: true 12 | volumeBindingMode: WaitForFirstConsumer -------------------------------------------------------------------------------- /components/storage-class/k3s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/replace-storageclass-name-sts.yaml 5 | target: 6 | group: apps 7 | kind: StatefulSet 8 | name: searcher|indexed-search|grafana|gitserver 9 | version: v1 10 | - path: patches/replace-storageclass-name-pvc.yaml 11 | target: 12 | kind: PersistentVolumeClaim 13 | name: .* 14 | version: v1 15 | -------------------------------------------------------------------------------- /components/storage-class/k3s/patches/replace-storageclass-name-pvc.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/storageClassName 3 | # update your storageclass value in overlays/storageclass/.sourcegraph_config.env 4 | value: local-path 5 | -------------------------------------------------------------------------------- /components/storage-class/k3s/patches/replace-storageclass-name-sts.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 3 | value: local-path 4 | -------------------------------------------------------------------------------- /components/storage-class/name-update/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/replace-storageclass-name-sts.yaml 5 | target: 6 | group: apps 7 | kind: StatefulSet 8 | name: indexed-search|grafana|gitserver|searcher 9 | version: v1 10 | - path: patches/replace-storageclass-name-pvc.yaml 11 | target: 12 | 
kind: PersistentVolumeClaim 13 | name: .* 14 | replacements: 15 | - path: patches/replacement.yaml 16 | -------------------------------------------------------------------------------- /components/storage-class/name-update/patches/replace-storageclass-name-pvc.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/storageClassName 3 | # update your storageclass value in overlays/storageclass/.sourcegraph_config.env 4 | value: $(STORAGECLASS_NAME) 5 | -------------------------------------------------------------------------------- /components/storage-class/name-update/patches/replace-storageclass-name-sts.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 3 | # update your storageclass value in overlays/storageclass/.sourcegraph_config.env 4 | value: $(STORAGECLASS_NAME) 5 | -------------------------------------------------------------------------------- /components/storage-class/name-update/patches/replacement.yaml: -------------------------------------------------------------------------------- 1 | - source: 2 | fieldPath: data.STORAGECLASS_NAME 3 | kind: ConfigMap 4 | name: sourcegraph-kustomize-build-config 5 | targets: 6 | - select: 7 | kind: PersistentVolumeClaim 8 | fieldPaths: 9 | - spec.storageClassName 10 | - source: 11 | fieldPath: data.STORAGECLASS_NAME 12 | kind: ConfigMap 13 | name: sourcegraph-kustomize-build-config 14 | targets: 15 | - select: 16 | kind: StatefulSet 17 | fieldPaths: 18 | - spec.volumeClaimTemplates.0.spec.storageClassName 19 | reject: 20 | - name: codeinsights-db 21 | - name: codeintel-db 22 | - name: pgsql 23 | -------------------------------------------------------------------------------- /components/storage-class/sourcegraph/README.md: -------------------------------------------------------------------------------- 1 | Component to update storage class 
name to `sourcegraph` 2 | -------------------------------------------------------------------------------- /components/storage-class/sourcegraph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | - op: replace 6 | path: /spec/volumeClaimTemplates/0/spec/storageClassName 7 | value: sourcegraph 8 | target: 9 | group: apps 10 | kind: StatefulSet 11 | name: searcher|indexed-search|grafana|gitserver 12 | version: v1 13 | - patch: |- 14 | - op: replace 15 | path: /spec/storageClassName 16 | value: sourcegraph 17 | target: 18 | kind: PersistentVolumeClaim 19 | name: .* 20 | version: v1 21 | -------------------------------------------------------------------------------- /components/storage-class/ssd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | components: 4 | - pod-tmp-gc 5 | replacements: 6 | - source: 7 | fieldPath: data.SSD_NODE_PATH 8 | kind: ConfigMap 9 | name: sourcegraph-kustomize-build-config 10 | targets: 11 | - fieldPaths: 12 | - spec.template.spec.containers.*.volumeMounts.*.mountPath 13 | select: 14 | group: apps 15 | kind: DaemonSet 16 | name: pod-tmp-gc 17 | -------------------------------------------------------------------------------- /components/storage-class/ssd/pod-tmp-gc/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - pod-tmp-gc.ClusterRole.yaml 5 | - pod-tmp-gc.ClusterRoleBinding.yaml 6 | - pod-tmp-gc.DaemonSet.yaml 7 | - pod-tmp-gc.ServiceAccount.yaml 8 | -------------------------------------------------------------------------------- /components/storage-class/ssd/pod-tmp-gc/pod-tmp-gc.ClusterRole.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | labels: 5 | category: rbac 6 | deploy: pod-tmp-gc 7 | name: pod-tmp-gc 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - nodes 13 | verbs: 14 | - get # read-only: fetch individual Node objects 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - pods 19 | verbs: 20 | - list # read-only: list Pod objects 21 | -------------------------------------------------------------------------------- /components/storage-class/ssd/pod-tmp-gc/pod-tmp-gc.ClusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding # cluster-scoped binding, so the pods "list" rule applies to every namespace 3 | metadata: 4 | labels: 5 | category: rbac 6 | deploy: pod-tmp-gc 7 | name: pod-tmp-gc 8 | roleRef: 9 | apiGroup: "" # NOTE(review): the RBAC API group is rbac.authorization.k8s.io; the empty value presumably relies on server-side defaulting - consider spelling it out 10 | kind: ClusterRole 11 | name: pod-tmp-gc 12 | subjects: 13 | - kind: ServiceAccount 14 | name: pod-tmp-gc 15 | namespace: default # NOTE(review): hard-coded; the binding only takes effect if the pod-tmp-gc ServiceAccount lives in this namespace - confirm for overlays that set another namespace 16 | -------------------------------------------------------------------------------- /components/storage-class/ssd/pod-tmp-gc/pod-tmp-gc.ServiceAccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | imagePullSecrets: 3 | - name: docker-registry # Secret is not among the resources listed by this component's kustomization.yaml - TODO confirm where it is created 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | category: rbac 8 | deploy: pod-tmp-gc 9 | name: pod-tmp-gc 10 | -------------------------------------------------------------------------------- /components/storage-class/trident/ext3/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | components: 6 | - ../../sourcegraph 7 | -------------------------------------------------------------------------------- /components/storage-class/trident/ext3/sourcegraph.StorageClass.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1beta1 # NOTE(review): storage.k8s.io/v1beta1 StorageClass is no longer served as of Kubernetes 1.22; the other StorageClass components in this repo use storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | reclaimPolicy: Retain # volumes and their data are kept after the claim is deleted and must be cleaned up by hand 8 | allowVolumeExpansion: true 9 | volumeBindingMode: WaitForFirstConsumer 10 | provisioner: netapp.io/trident 11 | fsType: ext3 # NOTE(review): StorageClass has no top-level fsType field; provisioner options normally go under "parameters" - confirm this setting is applied 12 | -------------------------------------------------------------------------------- /components/storage-class/trident/ext4/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | components: 6 | - ../../sourcegraph 7 | -------------------------------------------------------------------------------- /components/storage-class/trident/ext4/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1beta1 # NOTE(review): storage.k8s.io/v1beta1 StorageClass is no longer served as of Kubernetes 1.22; the other StorageClass components in this repo use storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: sourcegraph 5 | labels: 6 | deploy: sourcegraph 7 | reclaimPolicy: Retain # volumes and their data are kept after the claim is deleted and must be cleaned up by hand 8 | allowVolumeExpansion: true 9 | volumeBindingMode: WaitForFirstConsumer 10 | provisioner: netapp.io/trident 11 | fsType: ext4 # NOTE(review): StorageClass has no top-level fsType field; provisioner options normally go under "parameters" - confirm this setting is applied 12 | -------------------------------------------------------------------------------- /components/storage-class/trident/xfs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - sourcegraph.StorageClass.yaml 5 | components: 6 | - ../../sourcegraph 7 | -------------------------------------------------------------------------------- /components/storage-class/trident/xfs/sourcegraph.StorageClass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1beta1 2 | kind: StorageClass 3 | metadata: 4 | name: sourcegraph 
5 | labels: 6 | deploy: sourcegraph 7 | reclaimPolicy: Retain 8 | allowVolumeExpansion: true 9 | volumeBindingMode: WaitForFirstConsumer 10 | provisioner: netapp.io/trident 11 | fsType: xfs 12 | -------------------------------------------------------------------------------- /components/utils/endpoints/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | replacements: 4 | - path: endpoints-update.yaml 5 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/README.md: -------------------------------------------------------------------------------- 1 | This kustomization injects initContainers in all pods with persistent volumes to transfer ownership of directories to 2 | specified non-root users. It is used for migrating existing installations to a non-root environment. 3 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/blobstore/blobstore.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: blobstore 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14 # NOTE(review): no tag or digest, so this pulls "latest" unless the images-update.yaml replacement listed in this component's kustomization.yaml rewrites it (confirm); pin a digest for an image that runs as root 11 | command: ["sh", "-c", "chown -R 100:101 /data"] # recursive chown runs on every pod start, with no check of the current owner 12 | volumeMounts: 13 | - mountPath: /data 14 | name: blobstore-data 15 | securityContext: 16 | runAsUser: 0 # root is required for chown; per the README this is for migrating existing installations, so drop the component once ownership has been transferred 17 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/gitserver/gitserver.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: gitserver 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: 
transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14:insiders # "insiders" is a tag, not a digest, so the image behind it can change between pulls - NOTE(review): pin it for a container that runs as root 11 | command: 12 | [ 13 | "sh", 14 | "-c", 15 | 'if [[ "$(stat -c ''%u'' /data/repos)" -ne 100 ]]; then chown -R 100:101 /data/repos; fi', 16 | ] 17 | volumeMounts: 18 | - mountPath: /data/repos 19 | name: repos 20 | securityContext: 21 | runAsUser: 0 # root only for the chown above, which is skipped when /data/repos is already owned by uid 100 22 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/grafana/grafana.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: grafana 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14 # NOTE(review): no tag or digest, so this pulls "latest" unless the images-update.yaml replacement in this component's kustomization.yaml rewrites it - confirm 11 | command: ["sh", "-c", "chown -R 472:472 /var/lib/grafana"] # unconditional recursive chown on every pod start; the gitserver patch checks the owner first 12 | volumeMounts: 13 | - mountPath: /var/lib/grafana 14 | name: grafana-data 15 | securityContext: 16 | runAsUser: 0 # root is required for chown 17 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/indexed-search/indexed-search.StatefulSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: indexed-search 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14 # NOTE(review): no tag or digest, so this pulls "latest" unless the images-update.yaml replacement in this component's kustomization.yaml rewrites it - confirm 11 | command: ["sh", "-c", "chown -R 100:101 /data"] # unconditional recursive chown on every pod start 12 | volumeMounts: 13 | - mountPath: /data 14 | name: data 15 | securityContext: 16 | runAsUser: 0 # root is required for chown 17 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | replacements: 4 | - path: images-update.yaml 5 | patches: 6 | - path: 
searcher/searcher.Deployment.yaml 7 | target: 8 | group: apps 9 | kind: StatefulSet|Deployment 10 | name: searcher 11 | version: v1 12 | - path: gitserver/gitserver.StatefulSet.yaml 13 | - path: grafana/grafana.StatefulSet.yaml 14 | - path: blobstore/blobstore.Deployment.yaml 15 | - path: indexed-search/indexed-search.StatefulSet.yaml 16 | - path: prometheus/prometheus.Deployment.yaml 17 | - path: redis/redis-cache.Deployment.yaml 18 | - path: redis/redis-store.Deployment.yaml 19 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/prometheus/prometheus.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: prometheus 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14:insiders 11 | command: ["sh", "-c", "chown -R 100:100 /prometheus"] 12 | volumeMounts: 13 | - mountPath: /prometheus 14 | name: data 15 | securityContext: 16 | runAsUser: 0 17 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/redis/redis-cache.Deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-cache 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14:insiders 11 | command: ["sh", "-c", "chown -R 999:1000 /redis-data"] 12 | volumeMounts: 13 | - mountPath: /redis-data 14 | name: redis-data 15 | securityContext: 16 | runAsUser: 0 17 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/redis/redis-store.Deployment.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-store 5 | spec: 6 | template: 7 | spec: 8 | initContainers: 9 | - name: transfer-file-ownership 10 | image: index.docker.io/sourcegraph/alpine-3.14:insiders 11 | command: ["sh", "-c", "chown -R 999:1000 /redis-data"] 12 | volumeMounts: 13 | - mountPath: /redis-data 14 | name: redis-data 15 | securityContext: 16 | runAsUser: 0 17 | -------------------------------------------------------------------------------- /components/utils/migrate-to-nonprivileged/searcher/searcher.Deployment.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/template/spec/initContainers 3 | value: 4 | - name: transfer-cache 5 | image: index.docker.io/sourcegraph/alpine-3.14:insiders 6 | command: 7 | [ 8 | "sh", 9 | "-c", 10 | 'if [[ "$(stat -c ''%u'' /mnt/cache)" -ne 100 ]]; then chown -R 100:101 /mnt/cache; fi', 11 | ] 12 | volumeMounts: 13 | - mountPath: /mnt/cache 14 | name: cache-ssd 15 | securityContext: 16 | runAsUser: 0 17 | -------------------------------------------------------------------------------- /components/utils/migrator/README.md: -------------------------------------------------------------------------------- 1 | This component create resources for executing database migrations outside of a code deployment. 
2 | 3 | For more information, please see: https://docs.sourcegraph.com/admin/install/kubernetes/operations#database-migrations 4 | -------------------------------------------------------------------------------- /components/utils/migrator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | resources: 4 | - resources/migrator.Job.yaml 5 | - resources/sourcegraph-frontend.ConfigMap.yaml 6 | -------------------------------------------------------------------------------- /components/utils/multi-version-upgrade/README.md: -------------------------------------------------------------------------------- 1 | Component to scale down all services to zero except for the databases to prepare the instance for the [multi-version-upgrade process](https://docs.sourcegraph.com/admin/deploy/kubernetes/update#multi-version-upgrades). 2 | -------------------------------------------------------------------------------- /components/utils/multi-version-upgrade/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - patch: |- 5 | - op: replace 6 | path: /spec/replicas 7 | value: 0 8 | target: 9 | group: apps 10 | kind: Deployment|StatefulSet 11 | name: .* 12 | version: v1 13 | - patch: |- 14 | - op: replace 15 | path: /spec/replicas 16 | value: 1 17 | target: 18 | group: apps 19 | kind: Deployment|StatefulSet 20 | name: pgsql|codeintel-db|codeinsights-db 21 | version: v1 22 | -------------------------------------------------------------------------------- /components/utils/uid/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - path: patches/databases.yaml 5 | target: 6 | group: apps 7 | kind: 
StatefulSet|Deployment 8 | name: codeinsights-db|codeintel-db|pgsql 9 | version: v1 10 | -------------------------------------------------------------------------------- /components/utils/uid/patches/databases.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/template/spec/containers/0/volumeMounts/- # appends to the first container's mounts; presumably container 0 is the database container - verify per target 3 | value: 4 | name: passwd 5 | mountPath: /etc/passwd # replaces the image's own /etc/passwd inside the container with the mounted file 6 | readOnly: true # the container cannot write back to the node's file 7 | - op: add 8 | path: /spec/template/spec/initContainers/0/volumeMounts/- # assumes every targeted workload already has an init container with a volumeMounts list - TODO confirm 9 | value: 10 | name: passwd 11 | mountPath: /etc/passwd 12 | readOnly: true 13 | - op: add 14 | path: /spec/template/spec/volumes/- 15 | value: 16 | name: passwd 17 | hostPath: # NOTE(review): exposes a node file to the database pods; hostPath volumes are disallowed by the Baseline Pod Security Standard, and the account list seen by the pod depends on the node it is scheduled on 18 | path: /etc/passwd # no hostPath "type" is set, so no check is performed on the path before it is mounted 19 | -------------------------------------------------------------------------------- /examples/aws/README.md: -------------------------------------------------------------------------------- 1 | # # Quick start overlay for AWS EKS 2 | 3 | For more information, please refer to our documentation on [configuring a storage class for your cloud provider](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure#configure-a-storage-class). 4 | 5 | This overlay: 6 | 7 | - deploy Sourcegraph without monitoring services 8 | - configure all services with size XS resources 9 | - creates storage class for aws 10 | - sets the provisioner to `kubernetes.io/aws-ebs`. 11 | 12 | Use this provisioner when using the `Amazon EBS CSI Driver` as an Amazon EKS add-on 13 | -------------------------------------------------------------------------------- /examples/aws/ebs/README.md: -------------------------------------------------------------------------------- 1 | # # Quick start overlay for AWS EKS with EBS storage driver 2 | 3 | For more information, please refer to our documentation on [configuring a storage class for your cloud provider](https://docs.sourcegraph.com/admin/deploy/kubernetes/configure#configure-a-storage-class). 
4 | 5 | This overlay: 6 | 7 | - deploy Sourcegraph without monitoring services 8 | - configure all services with size XS resources 9 | - creates storage class for aws 10 | - sets the storage class provisioner to `ebs.csi.aws.com`. 11 | 12 | Use this overlay when using the **self-managed Amazon EBS Container Storage Interface driver** 13 | -------------------------------------------------------------------------------- /examples/aws/ebs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | - ../../../base/monitoring 8 | components: 9 | - ../../../components/resources/namespace 10 | # Use resources for a size-XS instance 11 | - ../../../components/sizes/xs 12 | - ../../../components/clusters/aws/ebs-csi 13 | -------------------------------------------------------------------------------- /examples/aws/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../base/sourcegraph 7 | - ../../base/monitoring 8 | components: 9 | - ../../components/resources/namespace 10 | # Use resources for a size-XS instance 11 | - ../../components/sizes/xs 12 | - ../../components/clusters/aws/aws-ebs 13 | -------------------------------------------------------------------------------- /examples/aws/with-tracing/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | - ../../../base/monitoring 8 | components: 9 | - 
../../../components/resources/namespace 10 | - ../../../components/monitoring/tracing 11 | # Use resources for a size-XS instance 12 | - ../../../components/sizes/xs 13 | - ../../../components/clusters/aws/ebs-csi 14 | -------------------------------------------------------------------------------- /examples/base/README.md: -------------------------------------------------------------------------------- 1 | # Base overlay 2 | 3 | The base overlays are for deploying all Sourcegraph services from the base directory, except cAdvisor. 4 | 5 | ```bash 6 | # NOTE: replace `xs` with your instance size. 7 | kubectl kustomize /examples/base/xs -o cluster.yaml 8 | ``` 9 | -------------------------------------------------------------------------------- /examples/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | # Run all services with default values 5 | resources: 6 | - ../../base/sourcegraph 7 | - ../../base/monitoring 8 | components: 9 | - ../../components/resources/namespace 10 | - ../../components/monitoring/tracing 11 | -------------------------------------------------------------------------------- /examples/base/l/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/sizes/l 12 | -------------------------------------------------------------------------------- /examples/base/m/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 
| namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/sizes/m 12 | -------------------------------------------------------------------------------- /examples/base/s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/sizes/s 12 | -------------------------------------------------------------------------------- /examples/base/xl/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/sizes/xl 12 | -------------------------------------------------------------------------------- /examples/base/xs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | # Use resources for a size-XS instance 12 | - ../../../components/sizes/xs 13 | -------------------------------------------------------------------------------- 
/examples/demo/private-registry/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | # Run all services with default values 5 | resources: 6 | # [REQUIRED: BUILD CONFIG] Update this file when using components that have "CONFIG KEYS" 7 | - buildConfig.yaml # -- Update the CONFIG Key values in buildConfig.yaml when instructed 8 | - ../../base/sourcegraph 9 | - ../../base/monitoring 10 | components: 11 | - ../../components/resources/namespace 12 | - ../../components/monitoring/tracing 13 | - ../../components/enable/private-registry 14 | - ../../components/resources/imagepullsecrets 15 | -------------------------------------------------------------------------------- /examples/dev/README.md: -------------------------------------------------------------------------------- 1 | # Low Resources overlay 2 | 3 | This overlay is intended for Sourcegraph internal CI tests. It removes resource requests including cpu, memory and persistent volumes to reduce load on shared clusters. 
4 | 5 | Note: `persistentVolumeClaim: null` is needed to avoid https://github.com/kubernetes-sigs/kustomize/issues/2037 -------------------------------------------------------------------------------- /examples/dev/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: dev-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../base/monitoring 9 | components: 10 | - ../../components/resources/namespace 11 | - ../../components/resources/ci-volume 12 | - ../../components/remove/resources 13 | - ../../components/remove/pvcs 14 | -------------------------------------------------------------------------------- /examples/executors/README.md: -------------------------------------------------------------------------------- 1 | # Quickstart overlay for executors 2 | 3 | This overlay: 4 | 5 | - deploys Sourcegraph without monitoring services 6 | - deploys native kubernetes executors 7 | -------------------------------------------------------------------------------- /examples/executors/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: executor-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../base/sourcegraph 7 | - ../../base/monitoring # NOTE(review): the README for this overlay says it deploys without monitoring services, yet the monitoring base is listed here - confirm which is intended 8 | components: 9 | # Native Kubernetes Executors 10 | - ../../components/executors/k8s 11 | - ../../components/resources/namespace 12 | patches: 13 | - path: patches/executor.ConfigMap.yaml 14 | secretGenerator: 15 | - name: executor-secret 16 | behavior: create 17 | literals: 18 | - password=our-shared-secret # NOTE(review): example value committed in plain text; replace it before deploying and feed the real value through the generator's "envs" or "files" source from an untracked file rather than a literal kept in Git 19 | -------------------------------------------------------------------------------- /examples/executors/patches/executor.ConfigMap.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: executor-config 5 | # Refer to https://docs.sourcegraph.com/admin/executors/deploy_executors_binary#step-2-setup-environment-variables on how to populate these variables 6 | data: 7 | EXECUTOR_FRONTEND_URL: "http://sourcegraph-frontend" 8 | EXECUTOR_MAXIMUM_NUM_JOBS: "8" 9 | # Used to configure which queue Executors will process. 10 | # Can be "batches" or "codeintel" 11 | # Either set this or EXECUTOR_QUEUE_NAMES. 12 | EXECUTOR_QUEUE_NAME: "batches" 13 | # Used to configure which queues Executors will process. 14 | # Can be "batches" or "codeintel" or "batches,codeintel" 15 | # Either set this or EXECUTOR_QUEUE_NAME. 16 | EXECUTOR_QUEUE_NAMES: "" 17 | EXECUTOR_KUBERNETES_RESOURCE_REQUEST_MEMORY: "5Gi" 18 | -------------------------------------------------------------------------------- /examples/gke/README.md: -------------------------------------------------------------------------------- 1 | # GKE Example Overlay 2 | 3 | Deploy Sourcegraph without RBAC resources 4 | -------------------------------------------------------------------------------- /examples/gke/default/README.md: -------------------------------------------------------------------------------- 1 | Deploy Sourcegraph with default settings to the default namespace on GKE. 
2 | -------------------------------------------------------------------------------- /examples/gke/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: default 4 | resources: 5 | - ../../../base/sourcegraph 6 | - ../../../base/monitoring 7 | components: 8 | - ../../../components/monitoring/grafana/dashboards 9 | - ../../../components/monitoring/grafana/dashboards/process 10 | - ../../../components/sizes/xs 11 | - ../../../components/clusters/gke/configure 12 | -------------------------------------------------------------------------------- /examples/gke/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | - ../../base/sourcegraph 6 | - ../../base/monitoring 7 | components: 8 | - ../../components/resources/namespace 9 | - ../../components/sizes/xs 10 | - ../../components/clusters/gke/configure 11 | -------------------------------------------------------------------------------- /examples/gke/rbac/README.md: -------------------------------------------------------------------------------- 1 | If RBAC is enabled in your cluster, it is strongly recommended to deploy Sourcegraph with full monitoring stack and service-discovery enabled. 
2 | -------------------------------------------------------------------------------- /examples/gke/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | - ../../../base/monitoring 8 | components: 9 | - ../../../components/resources/namespace 10 | - ../../../components/monitoring/cadvisor 11 | # Use resources for a size-XS instance 12 | - ../../../components/sizes/xs 13 | - ../../../components/clusters/gke/configure 14 | - ../../../components/privileged 15 | - ../../../components/monitoring/privileged 16 | - ../../../components/enable/service-discovery 17 | -------------------------------------------------------------------------------- /examples/ingress-controller/README.md: -------------------------------------------------------------------------------- 1 | # Ingress-NGINX Controller 2 | 3 | [ingress-nginx](https://github.com/kubernetes/ingress-nginx) provides specialized routing for all of the publicly available instances on this cluster. 4 | 5 | ### Remote Build 6 | 7 | This overlay is for adding resources to deploy an `ingress-nginx-controller` before Sourcegraph. It utilizes the remote build function to get the resources from the official [ingress-nginx-controller repository](https://github.com/kubernetes/ingress-nginx). The example overlays pin the remote source to the `controller-v1.5.1` release tag with `?ref=`; because the manifests are fetched at build time, review the rendered output before applying it, and use a commit SHA as the `ref` if an immutable reference is needed. 
8 | 9 | See a list of available deployments at https://github.com/kubernetes/ingress-nginx/tree/controller-v1.5.1/deploy/static/provider 10 | -------------------------------------------------------------------------------- /examples/ingress-controller/aws/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ingress-nginx 4 | # Creates resources to deploy the controller for AWS 5 | resources: 6 | - https://github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=controller-v1.5.1 7 | components: 8 | - ../../../components/ingress/nginx-controller 9 | -------------------------------------------------------------------------------- /examples/ingress-controller/cloud/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ingress-nginx 4 | resources: 5 | # Update the `${UPDATE_ME}` with the name of your provider to create resources for the controller: 6 | # - https://github.com/kubernetes/ingress-nginx/deploy/static/provider/${UPDATE_ME}?ref=controller-v1.5.1 7 | # EXAMPLE: This creates resources to deploy the controller for generic cloud 8 | - https://github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=controller-v1.5.1 9 | components: 10 | - ../../../components/ingress/nginx-controller 11 | -------------------------------------------------------------------------------- /examples/k3s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Includes RBAC resources 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: ns-sourcegraph 5 | resources: 6 | # Sourcegraph Main Stack 7 | - ../../base/sourcegraph 8 | components: 9 | - ../../components/resources/namespace 10 | # Use resources for a size-XS 
instance 11 | - ../../components/sizes/xs 12 | # This configures the Sourcegraph instance and networking to work in a k3s cluster 13 | - ../../components/clusters/k3s 14 | - ../../components/privileged 15 | - ../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- /examples/k3s/l/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Includes RBAC resources 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: default 5 | resources: 6 | # Sourcegraph Main Stack 7 | - ../../../base/sourcegraph 8 | components: 9 | # Use resources for a size-L instance 10 | - ../../../components/sizes/l 11 | # This configures the Sourcegraph instance and networking to work in a k3s cluster 12 | - ../../../components/clusters/k3s 13 | - ../../../components/privileged 14 | - ../../../components/enable/service-discovery 15 | -------------------------------------------------------------------------------- /examples/k3s/m/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Includes RBAC resources 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: default 5 | resources: 6 | # Sourcegraph Main Stack 7 | - ../../../base/sourcegraph 8 | components: 9 | # Use resources for a size-m instance 10 | - ../../../components/sizes/m 11 | # This configures the Sourcegraph instance and networking to work in a k3s cluster 12 | - ../../../components/clusters/k3s 13 | - ../../../components/privileged 14 | - ../../../components/enable/service-discovery 15 | -------------------------------------------------------------------------------- /examples/k3s/s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Includes RBAC resources 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 
namespace: default 5 | resources: 6 | # Sourcegraph Main Stack 7 | - ../../../base/sourcegraph 8 | components: 9 | # Use resources for a size-S instance 10 | - ../../../components/sizes/s 11 | # This configures the Sourcegraph instance and networking to work in a k3s cluster 12 | - ../../../components/clusters/k3s 13 | - ../../../components/privileged 14 | - ../../../components/enable/service-discovery 15 | -------------------------------------------------------------------------------- /examples/k3s/xl/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Includes RBAC resources 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: default 5 | resources: 6 | # Sourcegraph Main Stack 7 | - ../../../base/sourcegraph 8 | components: 9 | # Use resources for a size-XL instance 10 | - ../../../components/sizes/xl 11 | # This configures the Sourcegraph instance and networking to work in a k3s cluster 12 | - ../../../components/clusters/k3s 13 | - ../../../components/privileged 14 | - ../../../components/enable/service-discovery 15 | -------------------------------------------------------------------------------- /examples/k3s/xs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Includes RBAC resources 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: default 5 | resources: 6 | # Sourcegraph Main Stack 7 | - ../../../base/sourcegraph 8 | components: 9 | # Use resources for a size-XS instance 10 | - ../../../components/sizes/xs 11 | # This configures the Sourcegraph instance and networking to work in a k3s cluster 12 | - ../../../components/clusters/k3s 13 | - ../../../components/privileged 14 | - ../../../components/enable/service-discovery 15 | -------------------------------------------------------------------------------- /examples/minikube/README.md: 
-------------------------------------------------------------------------------- 1 | # Minikube Overlay 2 | 3 | Overlays to configure a Sourcegraph instance to run in minikube with: 4 | 5 | - ./: Sourcegraph without monitoring stack 6 | - ./full: Sourcegraph with monitoring stack 7 | 8 | See our [Install Sourcegraph with minikube](https://docs.sourcegraph.com/admin/deploy/single-node/minikube) for detailed instructions. 9 | -------------------------------------------------------------------------------- /examples/minikube/full/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/clusters/minikube 12 | -------------------------------------------------------------------------------- /examples/minikube/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../base/sourcegraph 7 | components: 8 | - ../../components/resources/namespace 9 | - ../../components/clusters/minikube 10 | -------------------------------------------------------------------------------- /examples/monitoring/README.md: -------------------------------------------------------------------------------- 1 | Deploy the monitoring stacks. 2 | 3 | RBAC must be enabled for monitoring services to function properly or empty grafana dashboards are expected. 
4 | -------------------------------------------------------------------------------- /examples/monitoring/cadvisor/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | components: 5 | - ../../../components/monitoring/cadvisor 6 | -------------------------------------------------------------------------------- /examples/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | - ../../base/monitoring 6 | -------------------------------------------------------------------------------- /examples/monitoring/privileged/README.md: -------------------------------------------------------------------------------- 1 | Deploy Sourcegraph monitoring services as root with privileges. 2 | 3 | RBAC resources included. 4 | -------------------------------------------------------------------------------- /examples/monitoring/privileged/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | - ../../../base/monitoring 6 | components: 7 | - ../../../components/monitoring/privileged 8 | -------------------------------------------------------------------------------- /examples/old-cluster/README.md: -------------------------------------------------------------------------------- 1 | # Old Base Overlay 2 | 3 | An overlay to generate resources similar to the old cluster. 4 | 5 | IMPORTANT: RBAC must be enabled for your cluster. 
6 | 7 | ## How to use 8 | 9 | Run the following command (pick a command for your instance size) from the root of this repository: 10 | 11 | ```sh 12 | # To generate manifests using the default values from the old base cluster: 13 | kubectl kustomize /examples/old-cluster -o cluster.yaml 14 | 15 | # To generate manifests for the old base cluster: 16 | kubectl kustomize /examples/old-cluster -o cluster.yaml 17 | ``` 18 | -------------------------------------------------------------------------------- /examples/old-cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../base/monitoring 9 | components: 10 | # Update and generate resources for the old cluster 11 | # This includes the monitoring stack 12 | - ../../components/clusters/old-base 13 | -------------------------------------------------------------------------------- /examples/privileged/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../base/monitoring 9 | components: 10 | - ../../components/resources/namespace 11 | - ../../components/monitoring/cadvisor 12 | - ../../components/sizes/xs 13 | - ../../components/privileged 14 | - ../../components/monitoring/privileged 15 | - ../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- /examples/privileged/l/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 
namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/monitoring/cadvisor 12 | - ../../../components/sizes/l 13 | - ../../../components/privileged 14 | - ../../../components/monitoring/privileged 15 | - ../../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- /examples/privileged/m/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/monitoring/cadvisor 12 | - ../../../components/sizes/m 13 | - ../../../components/privileged 14 | - ../../../components/monitoring/privileged 15 | - ../../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- /examples/privileged/s/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/monitoring/cadvisor 12 | - ../../../components/sizes/s 13 | - ../../../components/privileged 14 | - ../../../components/monitoring/privileged 15 | - ../../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- 
/examples/privileged/xl/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/monitoring/cadvisor 12 | - ../../../components/sizes/xl 13 | - ../../../components/privileged 14 | - ../../../components/monitoring/privileged 15 | - ../../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- /examples/privileged/xs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ns-sourcegraph 4 | resources: 5 | # Sourcegraph Main Stack 6 | - ../../../base/sourcegraph 7 | # Monitoring Stack 8 | - ../../../base/monitoring 9 | components: 10 | - ../../../components/resources/namespace 11 | - ../../../components/monitoring/cadvisor 12 | - ../../../components/sizes/xs 13 | - ../../../components/privileged 14 | - ../../../components/monitoring/privileged 15 | - ../../../components/enable/service-discovery 16 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module sourcegraph/deploy-sourcegraph-k8s 2 | 3 | go 1.21.5 4 | 5 | require ( 6 | github.com/pkg/errors v0.9.1 7 | github.com/sourcegraph/sourcegraph/dev/ci/images v0.0.0-20240222005846-e3158c0c2717 8 | github.com/sourcegraph/update-docker-tags v0.10.0 9 | github.com/stretchr/testify v1.8.4 10 | ) 11 | 12 | require ( 13 | github.com/Masterminds/semver/v3 v3.1.0 // indirect 14 | github.com/davecgh/go-spew v1.1.1 // indirect 15 | 
github.com/pmezard/go-difflib v1.0.0 // indirect 16 | gopkg.in/yaml.v3 v3.0.1 // indirect 17 | ) 18 | --------------------------------------------------------------------------------