Comment out runAsUser and runAsGroup in values.yaml (#618)

peterguy · web-flow · commit e215bdeb2edb · 2025-01-17T09:05:17.000-08:00
Since [PR 2456](sourcegraph/sourcegraph#2456) in the Sourcegraph repo, support for the default value of -1 for the `KUBERNETES_RUN_AS_USER` and `KUBERNETES_RUN_AS_GROUP` Executor environment variables has been removed - those environment variables now require either blank values or non-negative integers in the range [0, 2147483647], to match the range for Unix UIDs and GIDs. This PR updates `charts/sourcegraph-executor/k8s/values.yaml` so that `runAsUser` and `runAsGroup` are commented out, with comments to explain that the user can uncomment them to use them. Having those settings commented out causes `KUBERNETES_RUN_AS_USER` and `KUBERNETES_RUN_AS_GROUP` in `charts/sourcegraph-executor/k8s/templates/executor.ConfigMap.yaml` to be blank, which is the new default value. ### Checklist - [ ] Follow the [manual testing process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md) - [ ] Update [changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md) - [ ] Update [Kubernetes update doc](https://docs.sourcegraph.com/admin/updates/kubernetes) ### Test plan A Helm deployment is successful and does not fail with errors like `KUBERNETES_RUN_AS_USER must be a UID in the range 0 to 2,147,483,647, but got "-1".`
diff --git a/charts/sourcegraph-executor/k8s/README.md b/charts/sourcegraph-executor/k8s/README.md
@@ -77,8 +77,8 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | executor.kubernetesJob.resources.limits.memory | string | `"12Gi"` | The maximum memory for a job. |
 | executor.kubernetesJob.resources.requests.cpu | string | `""` | The requested CPU for a job. |
 | executor.kubernetesJob.resources.requests.memory | string | `"1Gi"` | The requested memory for a job. |
-| executor.kubernetesJob.runAsGroup | int | `-1` | The group ID to run Kubernetes jobs as. |
-| executor.kubernetesJob.runAsUser | int | `-1` | The user ID to run Kubernetes jobs as. |
+| executor.kubernetesJob.runAsGroup | int | `nil`; accepts [0, 2147483647] | The group ID to run Kubernetes jobs as. |
+| executor.kubernetesJob.runAsUser | int | `nil`; accepts [0, 2147483647] | The user ID to run Kubernetes jobs as. |
 | executor.log.format | string | `"condensed"` |  |
 | executor.log.level | string | `"warn"` | Possible values are `dbug`, `info`, `warn`, `eror`, `crit`. |
 | executor.log.trace | string | `"false"` |  |
diff --git a/charts/sourcegraph-executor/k8s/values.yaml b/charts/sourcegraph-executor/k8s/values.yaml
@@ -94,10 +94,12 @@ executor:
   kubernetesJob:
     # -- The number of seconds after which a Kubernetes job will be terminated.
     deadline: "1200"
-    # -- The user ID to run Kubernetes jobs as.
-    runAsUser: -1
-    # -- The group ID to run Kubernetes jobs as.
-    runAsGroup: -1
+    # -- (int) The user ID to run Kubernetes jobs as.
+    # @default -- `nil`; accepts [0, 2147483647]
+    runAsUser: 
+    # -- (int) The group ID to run Kubernetes jobs as.
+    # @default -- `nil`; accepts [0, 2147483647]
+    runAsGroup: 
     # -- The group ID which is set on the job PVC file system. 
     fsGroup: "1000"
     resources:
