Create new base cluster (#1)

Author: abeatrix

.gitignore

@@ -0,0 +1,7 @@
+cluster
+cluster.yaml
+generated-cluster
+.env
+.envrc
+.cert
+.key

README.md

@@ -0,0 +1,44 @@
+# Sourcegraph on Kubernetes with Kustomize
+
+[![sourcegraph: search](https://img.shields.io/badge/sourcegraph-search-brightgreen.svg)](https://sourcegraph.com/github.com/sourcegraph/deploy-sourcegraph) [![master build status](https://badge.buildkite.com/018ed23ed79d7297e7dd109b745597c58d875323fb06e81786.svg?branch=master)](https://buildkite.com/sourcegraph/deploy-sourcegraph)
+
+## **WARNING: All work in this repository is WIP and should not be used until further notice.**
+
+Deploying Sourcegraph into a Kubernetes cluster is for organizations that need highly scalable and
+available code search and code intelligence. This repository contains documentation for creating,
+updating, and maintaining a Sourcegraph cluster using Kustomize.
+
+For product and [pricing](https://about.sourcegraph.com/pricing/) information, visit
+[about.sourcegraph.com](https://about.sourcegraph.com) or [contact
+us](https://about.sourcegraph.com/contact/sales) for more information.
+
+- [Installing](https://docs.sourcegraph.com/admin/deploy/kubernetes/kustomize)
+- [Configuring](https://docs.sourcegraph.com/admin/deploy/kubernetes/kustomize/configure)
+- [Updating](https://docs.sourcegraph.com/admin/updates/kubernetes)
+- [Scaling](https://docs.sourcegraph.com/admin/deploy/scale)- general advice on scaling services
+- [Resource estimator: instance size](https://docs.sourcegraph.com/admin/deploy/instance-size) - specific resource values for your instance based on your instance size
+- [Troubleshooting](https://docs.sourcegraph.com/admin/install/kubernetes/troubleshoot)
+- [Enterprise Getting Started Guide](https://docs.sourcegraph.com/adopt/enterprise_getting_started_guide#kubernetes-admin) and [Admin guide](https://docs.sourcegraph.com/admin) - useful guides for Sourcegraph admins
+  - [Metrics](https://docs.sourcegraph.com/admin/observability/metrics) - guidance of metrics that can be used for monitoring Sourcegraph
+
+## Deploying
+
+🚨 **The `master` branch tracks development. Use the branch of this repository corresponding to the version of Sourcegraph you wish to deploy, e.g. `git checkout v4.5.0`.**
+
+Always refer to the [Sourcegraph Kustomize docs](https://docs.sourcegraph.com/admin/deploy/kubernetes/kustomize) for the latest instructions.
+
+## Upgrading
+
+When upgrading Sourcegraph, please check [upgrading docs](https://docs.sourcegraph.com/admin/updates/kubernetes) to confirm if manual migrations is necessary.
+
+## Contributing
+
+We've made our deployment configurations open source to better serve our customers' needs. If there is anything we can do to make deploying Sourcegraph easier just [open an issue (in sourcegraph/sourcegraph)](https://github.com/sourcegraph/sourcegraph/issues/new?assignees=&labels=deploy-sourcegraph&template=deploy-sourcegraph.md&title=%5Bdeploy-sourcegraph%5D) or a pull request and we will respond promptly!
+
+## Questions & Issues
+
+[Open an issue (in sourcegraph/sourcegraph)](https://github.com/sourcegraph/sourcegraph/issues/new?assignees=&labels=deploy-sourcegraph&template=deploy-sourcegraph.md&title=%5Bdeploy-sourcegraph%5D) or contact us ([email protected]), we are happy to help!
+
+## Licensing
+
+The contents of this repository are open-source licensed. However, it makes reference to non-open-source images and actually running Sourcegraph using this repository falls under Sourcegraph's [enterprise license terms](https://about.sourcegraph.com/pricing/).

base/README.md

@@ -0,0 +1,21 @@
+# Sourcegraph Kubernetes Base Cluster
+
+The `sourcegraph` directory contains manifests for all services for the Sourcegraph main stack.
+
+The `monitoring` directory contains manifests for all Sourcegraph monitoring services.
+
+## RBAC
+
+In our base cluster, all services run with non-root and non-privileged. Role-Based Access Control (RBAC) resources are also not enabled by default, which results in manual mapping of service addresses through environment variables being the only way to discover services. However, these service addresses have been preconfigured in the base cluster.
+
+To enable automatic service discovery and clean up of temporary cache data, RBAC resources must be created using the `privileged` component or the `enable/service-discovery` component.
+
+### cAdvisor
+
+For the cadvisor to function properly in your deployment, a Kubernetes cluster with role-based access control (RBAC) enabled is required.
+
+If using cluster roles and cluster rolebinding RBAC is not feasible, you may choose to deploy Sourcegraph without cadvisor as it will not work in your cluster without RBAC enabled.
+
+## Deploy Sourcegraph
+
+See the [Sourcegraph Kustomize docs](https://docs.sourcegraph.com/admin/deploy/kubernetes/kustomize) for the latested instructions.

base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - monitoring
+  - sourcegraph

base/monitoring/README.md

@@ -0,0 +1,16 @@
+# Sourcegraph Monitoring Stack
+
+The monitoring stacks include the following services:
+
+- grafana
+- node-exporter
+- prometheus
+- otel-collector
+
+cAdvisor is not included in the monitoring stack by default.
+
+## cAdvisor
+
+cAdvisor must be run as root in a Kubernetes cluster with role-based access control (RBAC) enabled to collect metrics.
+
+You can add the cadvisor component to your overlay to deploy cAdvisor.

base/monitoring/cadvisor/README.md

@@ -0,0 +1,12 @@
+# cAdvisor
+
+[cAdvisor](https://github.com/google/cadvisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers.
+
+cAdvisor is part of the default Sourcegraph cluster installation, and deployed as a [Kubernetes DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/). This setup is based on the [official cAdvisor Kubernetes Daemonset configuration](https://github.com/google/cadvisor/tree/master/deploy/kubernetes). We use our own cAdvisor deployment over the built-in metrics exported by Kubernetes because the latter is often outdated and needs to be kept in sync with our [Docker-Compose deployments](https://docs.sourcegraph.com/admin/install/docker-compose). This setup allows us to have standard dashboards across all Sourcegraph deployments.
+
+Note that the `sourcegraph/cadvisor` Docker images come with a set of default flags to help reduce memory usage and load on Prometheus - see [our Dockerfile](https://github.com/sourcegraph/sourcegraph/blob/master/docker-images/cadvisor/Dockerfile) for more details.
+
+## Namespaces
+
+If you are deploying Sourcegraph to a non-default namespace, you'll have to change the namespace specified in
+[cadvisor.ClusterRoleBinding.yaml](cadvisor.ClusterRoleBinding.yaml) to the one that you created. You can do this by editing the namespace directly, or by using the [namespaced overlay](../../configure/../overlays/namespaced/README.md).

base/monitoring/cadvisor/cadvisor.DaemonSet.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations:
+    description: DaemonSet to ensure all nodes run a cAdvisor pod.
+    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+  labels:
+    deploy: sourcegraph
+    sourcegraph-resource-requires: cluster-admin
+    app.kubernetes.io/component: cadvisor
+  name: cadvisor
+spec:
+  selector:
+    matchLabels:
+      app: cadvisor
+  template:
+    metadata:
+      annotations:
+        description: Collects and exports container metrics.
+        prometheus.io/port: "48080"
+        sourcegraph.prometheus/scrape: "true"
+      labels:
+        deploy: sourcegraph
+        app: cadvisor
+    spec:
+      serviceAccountName: cadvisor
+      containers:
+      - name: cadvisor
+        image: index.docker.io/sourcegraph/cadvisor:187572_2022-12-06_cbecc5321c7d@sha256:755748f2f9b00d8f70bd65349e85235585bdf1a663e26198c8eaf91dfd5636e1
+        args:
+        # Kubernetes-specific flags below (other flags are baked into the Docker image)
+        #
+        # disable container labels to allow whitelisting to reduce noise
+        - --store_container_labels=false
+        - --whitelisted_container_labels=io.kubernetes.container.name,io.kubernetes.pod.name,io.kubernetes.pod.namespace,io.kubernetes.pod.uid
+        # it is safe to uncomment this option if you use docker as your container runtime to reduce noise
+        # - --docker_only
+        resources:
+          requests:
+            memory: 200Mi
+            cpu: 150m
+          limits:
+            memory: 2000Mi
+            cpu: 300m
+        volumeMounts:
+        - name: rootfs
+          mountPath: /rootfs
+          readOnly: true
+        - name: var-run
+          mountPath: /var/run
+          readOnly: true
+        - name: sys
+          mountPath: /sys
+          readOnly: true
+        - name: docker
+          mountPath: /var/lib/docker
+          readOnly: true
+        - name: disk
+          mountPath: /dev/disk
+          readOnly: true
+        ports:
+        - name: http
+          containerPort: 48080
+          protocol: TCP
+        securityContext:
+          privileged: true
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: rootfs
+        hostPath:
+          path: /
+      - name: var-run
+        hostPath:
+          path: /var/run
+      - name: sys
+        hostPath:
+          path: /sys
+      - name: docker
+        hostPath:
+          path: /var/lib/docker
+      - name: disk
+        hostPath:
+          path: /dev/disk

base/monitoring/cadvisor/cadvisor.ServiceAccount.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: cadvisor
+    category: rbac
+    deploy: sourcegraph
+    sourcegraph-resource-requires: cluster-admin
+    app.kubernetes.io/component: cadvisor
+  name: cadvisor

base/monitoring/cadvisor/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cadvisor.DaemonSet.yaml
+  - cadvisor.ServiceAccount.yaml

base/monitoring/grafana/README.md

@@ -0,0 +1,6 @@
+# Grafana
+
+[Grafana](https://https://grafana.com/) is an open-source analytics dashboard application.
+
+A Grafana instance is part of the default Sourcegraph cluster installation.
+Learn more about Grafana in the [metrics and dashboards guide](https://docs.sourcegraph.com/admin/observability/metrics).