diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index 1e905141..5e917aa7 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
@@ -249,8 +249,9 @@ In addition to the documented values, all services also support the following va
 | preciseCodeIntel.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `precise-code-intel-worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | preciseCodeIntel.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `precise-code-intel-worker` |
 | preciseCodeIntel.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
-| priorityClasses | list | `[]` | Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class value: 100 preemptionPolicy: Never description: "gitserver priority class" |
+| priorityClasses | list | `[]` | Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. 
learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class value: 100 preemptionPolicy: Never description: "gitserver priority class" |
 | prometheus.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":false,"runAsGroup":100,"runAsUser":100}` | Security context for the `prometheus` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
+| prometheus.createRoleBinding | bool | `true` | Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation |
 | prometheus.enabled | bool | `true` | Enable `prometheus` (recommended) |
 | prometheus.existingConfig | string | `""` | Name of existing ConfigMap for `pgsql`. It must contain a `prometheus.yml` key |
 | prometheus.image.defaultTag | string | `"6.0.0@sha256:86a315720fd9813d9ef9746d92e637bc20cd9ebd90da78d8cc6906062252891f"` | Docker image tag for the `prometheus` image |
@@ -302,6 +303,7 @@ In addition to the documented values, all services also support the following va
 | searcher.storageSize | string | `"26Gi"` | Size of the PVC for searcher pods to store cache data |
 | sgTestConnection | object | `{"enabled":true}` | Enable the busybox connection test after deployment |
 | sourcegraph.affinity | object | `{}` | Global Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| sourcegraph.disableKubernetesSecrets | bool | `false` | Disable the creation of Kubernetes secrets objects |
 | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
 | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
 | sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix |
diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl
index 87c18720..caf8f0b5 100644
--- a/charts/sourcegraph/templates/_helpers.tpl
+++ b/charts/sourcegraph/templates/_helpers.tpl
@@ -45,7 +45,7 @@ For top-level services, pass in the top-level values:
 {{ include "sourcegraph.serviceAccountName" (list . "frontend") }}
 frontend:
- serivceAccount:
+ serviceAccount:
 create: false
 For nested services, pass in the nested values:
@@ -248,7 +248,25 @@ app.kubernetes.io/name: jaeger
 value: "localhost:$(DATA_SOURCE_PORT)/$(DATA_SOURCE_DB)?sslmode=disable"
 {{- end }}
+{{/*
+Set redisCache and redisStore endpoints
+So that customers can configure them any of these ways:
+1. Create a new Kubernetes secret, with default values (default, no override config required)
+2. Use an existing Kubernetes secret, by configuring .Values.redisCache.connection.existingSecret
+3. Do not create or use Kubernetes secrets, just pass the default values directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true
+4. Do not create or use Kubernetes secrets, but pass custom values (ex. external Redis) directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true, .Values.redisCache.connection.endpoint = "", .Values.redisStore.connection.endpoint = "", and defining the REDIS_CACHE_ENDPOINT and REDIS_STORE_ENDPOINT env vars on frontend, gitserver, searcher, and worker pods
+*/}}
 {{- define "sourcegraph.redisConnection" -}}
+{{- if .Values.sourcegraph.disableKubernetesSecrets -}}
+{{- if .Values.redisCache.connection.endpoint -}}
+- name: REDIS_CACHE_ENDPOINT
+ value: {{ .Values.redisCache.connection.endpoint }}
+{{- end -}}
+{{- if .Values.redisStore.connection.endpoint -}}
+- name: REDIS_STORE_ENDPOINT
+ value: {{ .Values.redisStore.connection.endpoint }}
+{{- end -}}
+{{- else -}}
 - name: REDIS_CACHE_ENDPOINT
 valueFrom:
 secretKeyRef:
@@ -259,7 +277,8 @@ app.kubernetes.io/name: jaeger
 secretKeyRef:
 key: endpoint
 name: {{ default .Values.redisStore.name .Values.redisStore.connection.existingSecret }}
-{{- end }}
+{{- end -}}
+{{- end -}}
 {{- define "sourcegraph.authChecksum" -}}
 {{- $checksum := list .Values.codeInsightsDB.auth -}}
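Review bot: `value: {{ .Values.redisCache.connection.endpoint }}` (and the redisStore line below it) emits the endpoint unquoted, so a value containing YAML-significant characters such as `#`, a leading `@`, or `: ` renders a malformed or mistyped manifest; the `secretKeyRef` branch never had this problem. Suggest `value: {{ .Values.redisCache.connection.endpoint | quote }}` and `value: {{ .Values.redisStore.connection.endpoint | quote }}`. The new header comment should also say that on this path the endpoint string, including any credentials embedded in it, becomes plain text in the pod spec and is readable by anyone who can read pods or deployments, whereas the secretKeyRef branch keeps it in a Secret. Option 2 of the comment (`existingSecret`) is silently ignored once `disableKubernetesSecrets` is true because the outer `if` wins; a sentence stating that precedence would help an operator who sets both.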
diff --git a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
index 251eeddf..650c58e8 100644
--- a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
+++ b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.codeInsightsDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeInsightsDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
index 68878d30..021a54f0 100644
--- a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
+++ b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.codeIntelDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeIntelDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
index 187a5c6d..e2dad382 100644
--- a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
+++ b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
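Review bot: Gating this Secret off with `disableKubernetesSecrets` while only some of its consumers are gated leaves the rest pointing at an object that is no longer rendered. In this diff the `sourcegraph.databaseAuth` includes are conditioned out for the migrator, frontend and grafana containers only; any other template that references the codeinsights-db or codeintel-db Secret by `secretKeyRef` or volume — the database workloads themselves are the obvious candidates, though they are not visible here — would fail with `CreateContainerConfigError` once the flag is set. The same check applies to the grafana.pgsql, pgsql, redis-cache and redis-store Secret hunks further down. Before merge it is worth enumerating every reference to these Secret names, and the values comment for the flag should list exactly which pods stop receiving the generated credentials.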
@@ -52,9 +52,12 @@ spec:
 - name: migrator
 image: {{ include "sourcegraph.image" (list . "migrator") }}
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ {{- if .Values.migrator.command }}
+ command: {{ .Values.migrator.command }}
+ {{- end }}
 args: {{- default (list "up") .Values.migrator.args | toYaml | nindent 8 }}
 env:
- {{- if not .Values.migrator.databaseAuthOverrideEnvVars }}
+ {{- if and (not .Values.migrator.databaseAuthOverrideEnvVars) (not .Values.sourcegraph.disableKubernetesSecrets) }}
 {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
@@ -78,11 +81,16 @@ spec:
 - name: frontend
 image: {{ include "sourcegraph.image" (list . "frontend") }}
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ {{- if .Values.frontend.command }}
+ command: {{ .Values.frontend.command }}
+ {{- end }}
 args: {{- default (list "serve") .Values.frontend.args | toYaml | nindent 8 }}
 env:
+ {{- if not .Values.sourcegraph.disableKubernetesSecrets }}
 {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
+ {{- end }}
 {{- range $name, $item := .Values.frontend.env}}
 - name: {{ $name }}
 {{- $item | toYaml | nindent 10 }}
diff --git a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
index da3cb0e4..4d748bd0 100644
--- a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
+++ b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
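Review bot: `command: {{ .Values.migrator.command }}` renders a list value with Go's default `[a b c]` formatting rather than as YAML, so a multi-element command such as `["sh", "-c", "..."]` is read by YAML as a one-element flow sequence and the container fails to start; the `args:` line directly below already goes through `toYaml | nindent 8` for exactly this reason. Suggest `command: {{- .Values.migrator.command | toYaml | nindent 8 }}` inside the existing `if`, and the same for `.Values.frontend.command` in the second hunk of this file. Neither `migrator.command` nor `frontend.command` appears in the values.yaml or README hunks of this diff, so as far as the page shows they are undocumented knobs; a `# -- Override the container command (list of strings)` comment on each key in values.yaml would let helm-docs pick them up.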
@@ -52,7 +52,9 @@ spec:
 {{- end }}
 terminationMessagePolicy: FallbackToLogsOnError
 env:
+ {{- if not .Values.sourcegraph.disableKubernetesSecrets -}}
 {{- include "sourcegraph.databaseAuth" (list . "grafana" "GRAFANA_PGSQL_") | nindent 8 }}
+ {{- end -}}
 {{- range $name, $item := .Values.grafana.env}}
 - name: {{ $name }}
 {{- $item | toYaml | nindent 10 }}
diff --git a/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml b/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
index 7b3484d3..a96fcb44 100644
--- a/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
+++ b/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) .Values.grafana.auth (not .Values.grafana.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
index 4f1757bd..73280504 100644
--- a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
+++ b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.pgsql.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.pgsql.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml b/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
index bdd4352f..d6ab69ab 100644
--- a/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
+++ b/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.privileged -}}
+{{- if and .Values.prometheus.enabled .Values.prometheus.privileged .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml b/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
index c7345da9..4fa1376d 100644
--- a/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
+++ b/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) -}}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml b/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
index c6cf9dfc..ac24267c 100644
--- a/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
+++ b/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.redisCache.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisCache.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/redis/redis-store.Secret.yaml b/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
index 7d0d313e..ab3124ee 100644
--- a/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
+++ b/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.redisStore.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisStore.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
index 71d99506..84bfb841 100644
--- a/charts/sourcegraph/values.yaml
+++ b/charts/sourcegraph/values.yaml
@@ -38,6 +38,8 @@ sourcegraph:
 revisionHistoryLimit: 10
 # -- Add extra labels to all services
 serviceLabels: {}
+ # -- Disable the creation of Kubernetes secrets objects
+ disableKubernetesSecrets: false
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
@@ -893,6 +895,8 @@ prometheus:
 name: "prometheus"
 # -- Enable RBAC for `prometheus`
 privileged: true
+ # -- Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation
+ createRoleBinding: true
 # -- Resource requests & limits for the `prometheus` container,
 # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
 # Prometheus is relied upon to monitor services for sending alerts to site admins when
@@ -1258,7 +1262,7 @@ worker:
 # -- Additional resources to include in the rendered manifest. Templates are supported.
 extraResources: []
-# -- Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
+# -- Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
 # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)
 # Sample class definition:
 # - name: gitserver-class
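Review bot: The new `# -- Disable the creation of Kubernetes secrets objects` comment on `disableKubernetesSecrets` describes only half of what the flag does: the same commit also stops wiring the `sourcegraph.databaseAuth` env vars into the migrator, frontend and grafana containers and switches `sourcegraph.redisConnection` to plain `value:` entries, so the operator becomes responsible for supplying the `PG*`/`CODEINTEL_PG*`/`CODEINSIGHTS_PG*` credentials and `REDIS_CACHE_ENDPOINT`/`REDIS_STORE_ENDPOINT` themselves and for deciding where those values live. Suggest `# -- Do not render Secret objects and do not inject the generated DB/redis credentials into pods; supply the PG*/REDIS_*_ENDPOINT env vars yourself (e.g. via each service's env map)`. In the prometheus hunk, `createRoleBinding: true` is documented as `Disable the creation of a RoleBinding object`, which reads inverted against a key named create… that defaults to true; `# -- Create the RoleBinding/ClusterRoleBinding for prometheus; set to false when RBAC objects are managed outside the chart (the binding must then exist already, otherwise prometheus presumably runs without the permissions the role grants)` states both the contract and the consequence. The README rows in the first two hunks of this diff carry the same wording and should be regenerated from whichever comments land here.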