Update Searcher and Symbols to use StatefulSets (#242)

* update searcher and symbols to statefulSets with PVCs

* remove deployment files for searcher and symbols

* add spec.serviceName for searcher and symbols sts

* update sts

* Update charts/sourcegraph/templates/searcher/searcher.StatefulSet.yaml

Remove gitserver comments

Co-authored-by: Beatrix <[email protected]>

* Update charts/sourcegraph/templates/symbols/symbols.StatefulSet.yaml

remove gitserver comment

Co-authored-by: Beatrix <[email protected]>

* Update charts/sourcegraph/templates/symbols/symbols.StatefulSet.yaml

remove gitserver comment

Co-authored-by: Beatrix <[email protected]>

* Update charts/sourcegraph/templates/searcher/searcher.StatefulSet.yaml

remove gitserver comment

Co-authored-by: Beatrix <[email protected]>

* update env to set CACHE_SIZE_MB

* update CACHE to be maxed at 90% of PVC size and change PVCs to use Gi instead of G

* Add default values and handling for storageSize keys

* Update README.md

Remove ephemeral storage from searcher resources

* Update README

* Update README

---------

Co-authored-by: Beatrix <[email protected]>

Author: Sam Johns

charts/sourcegraph/CHANGELOG.md

@@ -14,6 +14,7 @@ Use `**BREAKING**:` to denote a breaking change
 - Sourcegraph 4.5.0 is now available
 
 - Deploy Sourcegraph Executors now deployable via helm [#236](https://github.com/sourcegraph/deploy-sourcegraph-helm/pull/236).
+- Searcher and Symbols now use StatefulSets and PVCs to avoid large `ephermeralStorage` requests [#242](https://github.com/sourcegraph/deploy-sourcegraph-helm/pull/242)
 
 ## 4.4.2
 

charts/sourcegraph/README.md

@@ -284,11 +284,12 @@ In addition to the documented values, all services also support the following va
 | searcher.image.defaultTag | string | `"4.4.2@sha256:62554970dfe2a82c82fb82fa6b8fb77f0acef2ce0d9760c8745433f48d8113be"` | Docker image tag for the `searcher` image |
 | searcher.image.name | string | `"searcher"` | Docker image name for the `searcher` image |
 | searcher.name | string | `"searcher"` | Name used by resources. Does not affect service names or PVCs. |
-| searcher.podSecurityContext | object | `{}` | Security context for the `searcher` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| searcher.podSecurityContext | object | `{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":100}` | Security context for the `searcher` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | searcher.replicaCount | int | `2` | Number of `searcher` pod |
-| searcher.resources | object | `{"limits":{"cpu":"2","ephemeral-storage":"26G","memory":"2G"},"requests":{"cpu":"500m","ephemeral-storage":"25G","memory":"500M"}}` | Resource requests & limits for the `searcher` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| searcher.resources | object | `{"limits":{"cpu":"2","memory":"2G"},"requests":{"cpu":"500m","memory":"500M"}}` | Resource requests & limits for the `searcher` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | searcher.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `searcher` |
 | searcher.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
+| searcher.storageSize | string | `"26Gi"` |  |
 | sourcegraph.affinity | object | `{}` | Global Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
 | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
 | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
@@ -314,11 +315,12 @@ In addition to the documented values, all services also support the following va
 | symbols.image.defaultTag | string | `"4.4.2@sha256:8c00918153e3e4e1155c19ba59f93cc889ffaaac6f8f7dc91ff2e5d610e1b740"` | Docker image tag for the `symbols` image |
 | symbols.image.name | string | `"symbols"` | Docker image name for the `symbols` image |
 | symbols.name | string | `"symbols"` | Name used by resources. Does not affect service names or PVCs. |
-| symbols.podSecurityContext | object | `{}` | Security context for the `symbols` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| symbols.podSecurityContext | object | `{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":100}` | Security context for the `symbols` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | symbols.replicaCount | int | `1` | Number of `symbols` pod |
-| symbols.resources | object | `{"limits":{"cpu":"2","ephemeral-storage":"12G","memory":"2G"},"requests":{"cpu":"500m","ephemeral-storage":"10G","memory":"500M"}}` | Resource requests & limits for the `symbols` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| symbols.resources | object | `{"limits":{"cpu":"2","memory":"2G"},"requests":{"cpu":"500m","memory":"500M"}}` | Resource requests & limits for the `symbols` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | symbols.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `symbols` |
 | symbols.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
+| symbols.storageSize | string | `"12Gi"` |  |
 | syntectServer.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `syntect-server` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | syntectServer.image.defaultTag | string | `"4.4.2@sha256:e02c9d64e431815bf51b05036463d60a2472f4a6ba8c3c475083c3b116ed0fe6"` | Docker image tag for the `syntect-server` image |
 | syntectServer.image.name | string | `"syntax-highlighter"` | Docker image name for the `syntect-server` image |

…plates/searcher/searcher.Deployment.yaml …lates/searcher/searcher.StatefulSet.yamlcharts/sourcegraph/templates/searcher/searcher.Deployment.yaml renamed to charts/sourcegraph/templates/searcher/searcher.StatefulSet.yaml charts/sourcegraph/templates/searcher/searcher.Deployment.yaml renamed to charts/sourcegraph/templates/searcher/searcher.StatefulSet.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   annotations:
     description: Backend for text search operations.
@@ -19,10 +19,8 @@ spec:
     matchLabels:
       {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
       app: searcher
-  strategy:
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
+  serviceName: searcher
+  updateStrategy:
     type: RollingUpdate
   template:
     metadata:
@@ -59,11 +57,11 @@ spec:
           {{- $item | toYaml | nindent 10 }}
         {{- end }}
         - name: SEARCHER_CACHE_SIZE_MB
-          valueFrom:
-            resourceFieldRef:
-              containerName: searcher
-              resource: requests.ephemeral-storage
-              divisor: 1M
+          {{- if .Values.searcher.storageSize }}
+          value: {{ trimSuffix "Gi" .Values.searcher.storageSize | mul 900 | quote }}
+          {{- else }}
+          value: "23400"  
+          {{- end }}
         - name: POD_NAME
           valueFrom:
             fieldRef:
@@ -89,7 +87,7 @@ spec:
           timeoutSeconds: 5
         volumeMounts:
         - mountPath: /mnt/cache
-          name: cache-ssd
+          name: cache
         - mountPath: /tmp
           name: tmpdir
         {{- if .Values.searcher.extraVolumeMounts }}
@@ -116,9 +114,19 @@ spec:
       {{- include "sourcegraph.renderServiceAccountName" (list . "searcher") | trim | nindent 6 }}
       volumes:
       - emptyDir: {}
-        name: cache-ssd
+        name: cache
       - emptyDir: {}
         name: tmpdir
       {{- if .Values.searcher.extraVolumes }}
       {{- toYaml .Values.searcher.extraVolumes | nindent 6 }}
       {{- end }}
+  volumeClaimTemplates:
+  - metadata:
+      name: cache
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.searcher.storageSize | default "26Gi" }}
+      storageClassName: {{ .Values.storageClass.name }}

…emplates/symbols/symbols.Deployment.yaml …mplates/symbols/symbols.StatefulSet.yamlcharts/sourcegraph/templates/symbols/symbols.Deployment.yaml renamed to charts/sourcegraph/templates/symbols/symbols.StatefulSet.yaml charts/sourcegraph/templates/symbols/symbols.Deployment.yaml renamed to charts/sourcegraph/templates/symbols/symbols.StatefulSet.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   annotations:
     description: Backend for symbols operations.
@@ -19,11 +19,9 @@ spec:
     matchLabels:
       {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
       app: symbols
-  strategy:
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
+  updateStrategy:
     type: RollingUpdate
+  serviceName: symbols
   template:
     metadata:
       annotations:
@@ -55,11 +53,11 @@ spec:
           {{- $item | toYaml | nindent 10 }}
         {{- end }}
         - name: SYMBOLS_CACHE_SIZE_MB
-          valueFrom:
-            resourceFieldRef:
-              containerName: symbols
-              resource: requests.ephemeral-storage
-              divisor: 1M
+          {{- if .Values.symbols.storageSize }}
+          value: {{ trimSuffix "Gi" .Values.symbols.storageSize | mul 900 | quote }}
+          {{- else }}
+          value: "10800"
+          {{- end }}
         - name: POD_NAME
           valueFrom:
             fieldRef:
@@ -97,7 +95,7 @@ spec:
           name: debug
         volumeMounts:
         - mountPath: /mnt/cache
-          name: cache-ssd
+          name: cache
         - mountPath: /mnt/tmp
           name: tmp
         {{- if .Values.symbols.extraVolumeMounts }}
@@ -124,9 +122,19 @@ spec:
       {{- include "sourcegraph.renderServiceAccountName" (list . "symbols") | trim | nindent 6 }}
       volumes:
       - emptyDir: {}
-        name: cache-ssd
+        name: cache
       - emptyDir: {}
         name: tmp
       {{- if .Values.symbols.extraVolumes }}
       {{- toYaml .Values.symbols.extraVolumes | nindent 6 }}
       {{- end }}
+  volumeClaimTemplates:
+  - metadata:
+      name: cache
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.symbols.storageSize | default "12Gi" }}
+      storageClassName: {{ .Values.storageClass.name }}

charts/sourcegraph/values.yaml

@@ -1035,7 +1035,10 @@ searcher:
     readOnlyRootFilesystem: true
   # -- Security context for the `searcher` pod,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
-  podSecurityContext: {}
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 101
+    fsGroupChangePolicy: "OnRootMismatch"
   # -- Name used by resources. Does not affect service names or PVCs.
   name: "searcher"
   # -- Number of `searcher` pod
@@ -1045,17 +1048,16 @@ searcher:
   resources:
     limits:
       cpu: "2"
-      ephemeral-storage: 26G
       memory: 2G
     requests:
       cpu: 500m
-      ephemeral-storage: 25G
       memory: 500M
   serviceAccount:
     # -- Enable creation of ServiceAccount for `searcher`
     create: false
     # -- Name of the ServiceAccount to be created or an existing ServiceAccount
     name: ""
+  storageSize: 26Gi
 
 storageClass:
   # -- Enable creation of storageClass.
@@ -1093,7 +1095,10 @@ symbols:
     readOnlyRootFilesystem: true
   # -- Security context for the `symbols` pod,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
-  podSecurityContext: {}
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 101
+    fsGroupChangePolicy: "OnRootMismatch"
   # -- Name used by resources. Does not affect service names or PVCs.
   name: "symbols"
   # -- Number of `symbols` pod
@@ -1103,17 +1108,16 @@ symbols:
   resources:
     limits:
       cpu: "2"
-      ephemeral-storage: 12G
       memory: 2G
     requests:
       cpu: 500m
-      ephemeral-storage: 10G
       memory: 500M
   serviceAccount:
     # -- Enable creation of ServiceAccount for `symbols`
     create: false
     # -- Name of the ServiceAccount to be created or an existing ServiceAccount
     name: ""
+  storageSize: 12Gi
 
 syntectServer:
   image: