diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..e420ee4ba --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +target/* diff --git a/.helmdocsignore b/.helmdocsignore new file mode 100644 index 000000000..a3e6d21f8 --- /dev/null +++ b/.helmdocsignore @@ -0,0 +1 @@ +charts/sourcegraph/examples/* diff --git a/charts/sourcegraph-migrator/README.md b/charts/sourcegraph-migrator/README.md index 9a18f3c79..a858085e0 100644 --- a/charts/sourcegraph-migrator/README.md +++ b/charts/sourcegraph-migrator/README.md @@ -1,3 +1,8 @@ + + # Sourcegraph Migrator Helm Chart This chart contains a single [Job] to run [migrator] operations. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart. 
@@ -56,10 +61,36 @@ Manifests rendered using the `helm template` command can be used for direct depl ## Configuration Options -Reference the values.yaml file for available configuration parameters and consult [migrator] documentation. - -The values.yaml file can be also be generated by running: -`helm show values sourcegraph/sourcegraph-migrator` +Reference the table below for available configuration parameters and consult [migrator] documentation. + +In addition to the documented values, all services also support the following values + +- `..affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) +- `..nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +- `..tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +- `..podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- `..env` - consult `values.yaml` file + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| migrator.args | list | `["up","-db=all"]` | Override default `migrator` container args Available commands can be found at https://docs.sourcegraph.com/admin/how-to/manual_database_migrations | +| migrator.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `frontend` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| migrator.env | object | the chart will add some default environment values | Environment variables for the `migrator` container | +| migrator.image.defaultTag | string | `"3.37.0@sha256:404df69cfee90eaa9a3ab8b540a2d9affd22605caa5326a8ac4ba016e1d6d815"` 
| Docker image tag for the `migrator` image | +| migrator.image.name | string | `"migrator"` | Docker image name for the `migrator` image | +| migrator.resources | object | `{}` | Resource requests & limits for the `migrator` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | +| sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag | +| sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy | +| sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix | +| sourcegraph.image.useGlobalTagAsDefault | bool | `false` | When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags | +| sourcegraph.imagePullSecrets | list | `[]` | Mount named secrets containing docker credentials | +| sourcegraph.labels | object | `{}` | Add a global label to all resources | +| sourcegraph.nameOverride | string | `""` | Set a custom name for the app.kubernetes.io/name annotation | +| sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | +| sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods | +| sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods | +| sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | ## Troubleshooting 
diff --git a/charts/sourcegraph-migrator/README.md.gotmpl b/charts/sourcegraph-migrator/README.md.gotmpl new file mode 100644 index 000000000..f11b0f11f --- /dev/null +++ b/charts/sourcegraph-migrator/README.md.gotmpl 
@@ -0,0 +1,97 @@ + + +# Sourcegraph Migrator Helm Chart + +This chart contains a single [Job] to run [migrator] operations. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart. + +Use cases: + +- Perform initial migrations against external PostgreSQL databases prior to the Sourcegraph deployment +- Perform database migrations prior to upgrading the Sourcegraph deployment +- Troubleshoot a [dirty database] + +## Requirements + +* [Helm 3 CLI](https://helm.sh/docs/intro/install/) +* Kubernetes 1.19 or greater + +## Installation + +Add the Sourcegraph charts repo to Helm: + +```sh +helm repo add sourcegraph https://sourcegraph.github.io/deploy-sourcegraph-helm/ +``` + +## Usage + +> If you are not using external databases, the chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart + +[sourcegraph/sourcegraph-migrator] chart requires the correct `PG*`, `CODEINTEL_PG*`, and `CODEINSIGHTS_PG*` environment variables to be configured at `migrator.env`. Learn more about [using your own PostgreSQL server]. `PG*` and `CODEINTEL_PG*` environment variables are compatible with the `frontend.env` values from the parent [sourcegraph/sourcegraph] chart. + +You should consult the list of available [migrator commands]. Below is some example usage. 
+ +### Run database migration + +[`migrator up`](https://docs.sourcegraph.com/admin/how-to/manual_database_migrations#up) + +- Perform database migrations prior to upgrading the Sourcegraph deployment +- Perform initial migrations against external PostgreSQL databases prior to the Sourcegraph deployment + +```sh +helm upgrade --install -f sg-migrator sourcegraph/sourcegraph-migrator +``` + +### Add a migration log entry + +[`migrator add-log -db=frontend -version=1528395834`](https://docs.sourcegraph.com/admin/how-to/manual_database_migrations#add-log) + +Add an entry to the migration log after a site administrator has explicitly applied the contents of a migration file, learn more about troubleshooting a [dirty database]. + +```sh +helm upgrade --install -f --set "migrator.args={add-log,-db=frontend,-version=1528395834}" sg-migrator sourcegraph/sourcegraph-migrator +``` + +## Rendering manifests for kubectl deployment + +Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`. + +## Configuration Options + +Reference the table below for available configuration parameters and consult [migrator] documentation. + +In addition to the documented values, all services also support the following values + +- `..affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) +- `..nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +- `..tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +- `..podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- `..env` - consult `values.yaml` file + +{{ template "chart.valuesTable" . 
}} + +## Troubleshooting + +See a list of running migrator jobs + +```sh +kubectl get jobs -l app.kubernetes.io/component=migrator +``` + +Check logs of the migrator job + +```sb +kubectl logs -l job=migrator -c migrator +``` + +[sourcegraph/sourcegraph]: ../sourcegraph/ +[sourcegraph/sourcegraph-migrator]: ./ +[dirty database]: https://docs.sourcegraph.com/admin/how-to/dirty_database +[migrator]: https://docs.sourcegraph.com/admin/how-to/manual_database_migrations +[migrator commands]: https://docs.sourcegraph.com/admin/how-to/manual_database_migrations#commands +[job]: https://kubernetes.io/docs/concepts/workloads/controllers/job/ +[add-log]: https://docs.sourcegraph.com/admin/how-to/manual_database_migrations#add-log +[using your own postgresql server]: https://docs.sourcegraph.com/admin/external_services/postgres#instructions diff --git a/charts/sourcegraph-migrator/values.yaml b/charts/sourcegraph-migrator/values.yaml index a8073e0e4..bcbbee7c0 100644 --- a/charts/sourcegraph-migrator/values.yaml +++ b/charts/sourcegraph-migrator/values.yaml 
@@ -2,23 +2,34 @@ ### Common Configuration ### sourcegraph: - affinity: {} image: + # -- Global docker image tag defaultTag: '{{ .Chart.AppVersion }}' + # -- Global docker image pull policy pullPolicy: IfNotPresent + # -- Global docker image registry or prefix repository: index.docker.io/sourcegraph - # When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags + # -- When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags useGlobalTagAsDefault: false - # Mount a named secret containing docker credentials + # -- Mount named secrets containing docker credentials imagePullSecrets: [] - # Add a global label to all resources + # -- Add a global label to all resources labels: {} - # Set a custom name for the app.kubernetes.io/name annotation + # -- Set a custom name for the app.kubernetes.io/name annotation nameOverride: "" + # -- Affinity, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) + affinity: {} + # -- NodeSelector, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) nodeSelector: {} + # -- Tolerations, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + # -- Add extra annotations to attach to all pods podAnnotations: {} + # -- Add extra labels to attach to all pods podLabels: {} - tolerations: {} # Generic application configuration options, used by most applications below 
@@ -69,8 +80,12 @@ sourcegraph: migrator: image: + # -- Docker image tag for the `migrator` image defaultTag: 3.37.0@sha256:404df69cfee90eaa9a3ab8b540a2d9affd22605caa5326a8ac4ba016e1d6d815 + # -- Docker image name for the `migrator` image name: "migrator" + # -- Environment variables for the `migrator` container + # @default -- the chart will add some default environment values env: CODEINSIGHTS_PGDATASOURCE: value: postgres://postgres:password@codeinsights-db:5432/postgres @@ -90,15 +105,19 @@ migrator: value: pgsql PGUSER: value: sg + # -- Resource requests & limits for the `migrator` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: {} + # -- Security context for the `frontend` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Override default `migrator` container args # Available commands can be found at # https://docs.sourcegraph.com/admin/how-to/manual_database_migrations args: - up - -db=all - diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md index 9a7c8231c..ced2a7d72 100644 --- a/charts/sourcegraph/README.md +++ b/charts/sourcegraph/README.md @@ -1,3 +1,8 @@ + + # Sourcegraph Helm Chart ## Requirements 
@@ -7,11 +12,17 @@ ## Installation -* Add the Sourcegraph charts repo to Helm: -`helm repo add sourcegraph https://sourcegraph.github.io/deploy-sourcegraph-helm/` +Add the Sourcegraph charts repo to Helm: + +```sh +helm repo add sourcegraph https://sourcegraph.github.io/deploy-sourcegraph-helm/ +``` + +Install the chart using default values: -* Install the chart using default values: - `helm install sg sourcegraph/sourcegraph` +```sh +helm install sg sourcegraph/sourcegraph +``` ## Usage 
@@ -56,11 +67,232 @@ See [the kubectl documentation](https://kubernetes.io/docs/reference/kubectl/) f ## Configuration Options -Reference the values.yaml file for available configuration parameters. +Reference the [values](#values) section for available configuration parameters. The values.yaml file can be also be generated by running: `helm show values sourcegraph/sourcegraph` +In addition to the documented values, all services also support the following values + +- `..affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) +- `..nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +- `..tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +- `..podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- `..args` - override default container args +- `..env` - consult `values.yaml` file + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| alpine.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsUser":999}` | Security context for the `alpine` initContainer, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| alpine.image.defaultTag | string | `"3.37.0@sha256:946f83cf1d822434f242c522cf71717de6cf014a6fc226c9ed82f27ad7e17aa3"` | Docker image tag for the `alpine` image | +| alpine.image.name | string | `"alpine-3.12"` | Docker image name for the `alpine` image | +| alpine.resources | object | `{"limits":{"cpu":"10m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"50Mi"}}` | Resource requests & limits for the `alpine` initContainer, learn more from the [Kubernetes 
documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| cadvisor.enabled | bool | `true` | Enable `cadvisor` | +| cadvisor.image.defaultTag | string | `"3.37.0@sha256:7b0c6953e54746c16f63bcd9029d8bb52e348cd3921261694696eb66b28daf76"` | Docker image tag for the `cadvisor` image | +| cadvisor.image.name | string | `"cadvisor"` | Docker image name for the `cadvisor` image | +| cadvisor.podSecurityPolicy.enabled | bool | `false` | Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `cadvisor` pods | +| cadvisor.resources | object | `{"limits":{"cpu":"300m","memory":"2000Mi"},"requests":{"cpu":"150m","memory":"200Mi"}}` | Resource requests & limits for the `cadvisor` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| cadvisor.serviceAccount.create | bool | `true` | Enable creation of ServiceAccount for `cadvisor` | +| cadvisor.serviceAccount.name | string | `"cadvisor"` | Name of the ServiceAccount | +| codeInsightsDB.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":70,"runAsUser":70}` | Security context for the `codeinsights-db` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| codeInsightsDB.enabled | bool | `true` | Enable `codeinsights-db` PostgreSQL server | +| codeInsightsDB.env | object | `{"POSTGRES_PASSWORD":{"value":"password"}}` | Environment variables for the `codeinsights-db` container | +| codeInsightsDB.existingConfig | string | `""` | Name of existing ConfigMap for `codeinsights-db`. It must contain a `postgresql.conf` key. 
| +| codeInsightsDB.image.defaultTag | string | `"3.37.0@sha256:fa608333a6ca1aef148abd33e4ee14886d4f172e0db1e5c9ee6bac36adec0bf1"` | Docker image tag for the `codeinsights-db` image | +| codeInsightsDB.image.name | string | `"codeinsights-db"` | Docker image name for the `codeinsights-db` image | +| codeInsightsDB.podSecurityContext | object | `{"fsGroup":70,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":70}` | Security context for the `codeinsights-db` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| codeInsightsDB.replicaCount | int | `1` | Number of `codeinsights-db` pod (this should always be `1`) | +| codeInsightsDB.resources | object | `{"limits":{"cpu":"4","memory":"2Gi"},"requests":{"cpu":"4","memory":"2Gi"}}` | Resource requests & limits for the `codeinsights-db` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| codeInsightsDB.storageSize | string | `"200Gi"` | PVC Storage Request for `codeinsights-db` data volume | +| codeIntelDB.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsUser":999}` | Security context for the `codeintel-db` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| codeIntelDB.enabled | bool | `true` | Enable `codeintel-db` PostgreSQL server | +| codeIntelDB.existingConfig | string | `""` | Name of existing ConfigMap for `codeintel-db`. 
It must contain a `postgresql.conf` key | +| codeIntelDB.image.defaultTag | string | `"3.37.0@sha256:fc2ab91482f85f77eb73c69a35a2a4cc5055a1b93ef1c1d0f183a7003e632082"` | Docker image tag for the `codeintel-db` image | +| codeIntelDB.image.name | string | `"codeintel-db"` | Docker image name for the `codeintel-db` image | +| codeIntelDB.podSecurityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":999}` | Security context for the `codeintel-db` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| codeIntelDB.postgresExporter.env | object | `{"DATA_SOURCE_NAME":{"value":"postgres://sg:@localhost:5432/?sslmode=disable"}}` | Environment variables for the `pgsql-exporter` sidecar container | +| codeIntelDB.replicaCount | int | `1` | Number of `codeintel-db` pod (this should always be `1`) | +| codeIntelDB.resources | object | `{"limits":{"cpu":"4","memory":"4Gi"},"requests":{"cpu":"4","memory":"4Gi"}}` | Resource requests & limits for the `codeintel-db` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| codeIntelDB.storageSize | string | `"200Gi"` | PVC Storage Request for `codeintel-db` data volume | +| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `frontend` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| frontend.env | object | the chart will add some default environment values | Environment variables for the `frontend` container | +| frontend.image.defaultTag | string | `"3.37.0@sha256:724ccb31e95237cbe12b51f3c8b8d22a7d0ac65a73ee8084614360c2018ce3ca"` | Docker image tag for 
the `frontend` image | +| frontend.image.name | string | `"frontend"` | Docker image name for the `frontend` image | +| frontend.ingress.annotations | object | `{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/proxy-body-size":"150m"}` | Annotations for the Sourcegraph server ingress. For example, securing ingress with TLS provided by [cert-manager](https://cert-manager.io/docs/usage/ingress/) | +| frontend.ingress.enabled | bool | `true` | Enable ingress for the Sourcegraph server | +| frontend.ingress.host | string | `""` | External hostname for the Sourcegraph server ingress (SSL) | +| frontend.ingress.ingressClassName | string | `nil` | IngressClassName for the Ingress (Available in Kubernetes 1.18+) | +| frontend.ingress.tlsSecret | string | `""` | Secret containing SSL cert | +| frontend.podSecurityContext | object | `{}` | Security context for the `frontend` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| frontend.privileged | bool | `true` | Creates Role instead of using existing roles | +| frontend.replicaCount | int | `2` | Number of `frontend` pod | +| frontend.resources | object | `{"limits":{"cpu":"2","ephemeral-storage":"8Gi","memory":"4G"},"requests":{"cpu":"2","ephemeral-storage":"4Gi","memory":"2G"}}` | Resource requests & limits for the `frontend` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| frontend.serviceAccount.create | bool | `true` | Enable creation of ServiceAccount for `frontend` | +| frontend.serviceAccount.name | string | `"sourcegraph-frontend"` | Name of the ServiceAccount | +| githubProxy.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `github-proxy` container, learn more from the 
[Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| githubProxy.image.defaultTag | string | `"3.37.0@sha256:3b173e36f958b68479ae829d784c63346701df417afa14d14ae657a84e630dd5"` | Docker image tag for the `github-proxy` image | +| githubProxy.image.name | string | `"github-proxy"` | Docker image name for the `github-proxy` image | +| githubProxy.podSecurityContext | object | `{}` | Security context for the `github-proxy` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| githubProxy.replicaCount | int | `1` | Number of `github-proxy` pod | +| githubProxy.resources | object | `{"limits":{"cpu":"1","memory":"1G"},"requests":{"cpu":"100m","memory":"250M"}}` | Resource requests & limits for the `github-proxy` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| gitserver.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `giserver` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| gitserver.image.defaultTag | string | `"3.37.0@sha256:9d005ebd221b3e9e5f41ad2c91f8f1b06758a70c6ddbff11acbf037461f7f3d5"` | Docker image tag for the `gitserver` image | +| gitserver.image.name | string | `"gitserver"` | Docker image name for the `gitserver` image | +| gitserver.podSecurityContext | object | `{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":101,"runAsUser":100}` | Security context for the `gitserver` pod, learn more from the [Kubernetes 
documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| gitserver.replicaCount | int | `1` | Number of `gitserver` pod | +| gitserver.resources | object | `{"limits":{"cpu":"4","memory":"8G"},"requests":{"cpu":"4","memory":"8G"}}` | Resource requests & limits for the `gitserver` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| gitserver.storageSize | string | `"200Gi"` | PVC Storage Request for `gitserver` data volume | +| grafana.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":472,"runAsUser":472}` | Security context for the `grafana` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| grafana.enabled | bool | `true` | Enable `grafana` dashboard (recommended) | +| grafana.existingConfig | string | `""` | Name of existing ConfigMap for `grafana`. It must contain a `datasources.yml` key. 
| +| grafana.image.defaultTag | string | `"3.37.0@sha256:a47fde087ee42864ed6108796e95045857b55b3d9327b2d74257321384f6bbd1"` | Docker image tag for the `grafana` image | +| grafana.image.name | string | `"grafana"` | Docker image name for the `grafana` image | +| grafana.podSecurityContext | object | `{"fsGroup":472,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":472,"runAsUser":472}` | Security context for the `grafana` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| grafana.replicaCount | int | `1` | Number of `grafana` pod | +| grafana.resources | object | `{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"100m","memory":"512Mi"}}` | Resource requests & limits for the `grafana` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| grafana.serviceAccount.create | bool | `true` | Enable creation of ServiceAccount for `grafana` | +| grafana.storageSize | string | `"2Gi"` | PVC Storage Request for `grafana` data volume | +| indexedSearch.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `zoekt-webserver` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| indexedSearch.image.defaultTag | string | `"3.37.0@sha256:0f81c4d33c852fc0ee819d5139efa1c48d6cb10a5f86fa2d37ed698bb2a0a892"` | Docker image tag for the `zoekt-webserver` image | +| indexedSearch.image.name | string | `"indexed-searcher"` | Docker image name for the `zoekt-webserver` image | +| indexedSearch.podSecurityContext | object | `{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch"}` | Security context for the `indexed-search` pod, learn more from the 
[Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| indexedSearch.replicaCount | int | `1` | Number of `index-search` pod | +| indexedSearch.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `zoekt-webserver` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| indexedSearch.storageSize | string | `"200Gi"` | PVC Storage Request for `indexed-search` data volume The size of disk to used for search indexes. This should typically be gitserver disk size multipled by the number of gitserver shards. | +| indexedSearchIndexer.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `zoekt-indexserver` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| indexedSearchIndexer.image.defaultTag | string | `"3.37.0@sha256:2a85ddfc2533e525cd7a3a7327fd0174976dcb40d933db8aaafe21ae7ec209c5"` | Docker image tag for the `zoekt-indexserver` image | +| indexedSearchIndexer.image.name | string | `"search-indexer"` | Docker image name for the `zoekt-indexserver` image | +| indexedSearchIndexer.resources | object | `{"limits":{"cpu":"8","memory":"8G"},"requests":{"cpu":"4","memory":"4G"}}` | Resource requests & limits for the `zoekt-indexserver` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) zoekt-indexserver is CPU bound. The more CPU you allocate to it, the lower lag between a new commit and it being indexed for search. 
| +| migrator.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `migrator` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| migrator.enabled | bool | `true` | Enable [migrator](https://docs.sourcegraph.com/admin/how-to/manual_database_migrations) initContainer in `frontend` deployment to perform database migration | +| migrator.env | object | `{}` | Environment variables for the `migrator` container | +| migrator.image.defaultTag | string | `"3.37.0@sha256:404df69cfee90eaa9a3ab8b540a2d9affd22605caa5326a8ac4ba016e1d6d815"` | Docker image tag for the `migrator` image | +| migrator.image.name | string | `"migrator"` | Docker image name for the `migrator` image | +| migrator.resources | object | `{}` | Resource requests & limits for the `migrator` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| minio.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"runAsGroup":101,"runAsUser":100}` | Security context for the `minio` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| minio.enabled | bool | `true` | Enable `minio` (S3 compatible storage) | +| minio.env | object | `{"MINIO_ACCESS_KEY":{"value":"AKIAIOSFODNN7EXAMPLE"},"MINIO_SECRET_KEY":{"value":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}` | Environment variables for the `minio` container You should change below variables in production | +| minio.image.defaultTag | string | `"3.37.0@sha256:66925bab722ed11584e1135687b5c1e00a13c550e38d954a56048c90f17edc53"` | Docker image tag for the `minio` image | +| minio.image.name | string | `"minio"` | 
Docker image tag for the `minio` image | +| minio.podSecurityContext | object | `{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":101,"runAsUser":100}` | Security context for the `minio` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| minio.replicaCount | int | `1` | Number of `minio` pod | +| minio.resources | object | `{"limits":{"cpu":"1","memory":"500M"},"requests":{"cpu":"1","memory":"500M"}}` | Resource requests & limits for the `minio` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| minio.storageSize | string | `"100Gi"` | PVC Storage Request for `minio` data volume | +| pgsql.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsUser":999}` | Security context for the `pgsql` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| pgsql.enabled | bool | `true` | Enable `pgsql` PostgreSQL server | +| pgsql.existingConfig | string | `""` | Name of existing ConfigMap for `pgsql`. 
It must contain a `postgresql.conf` key | +| pgsql.image.defaultTag | string | `"3.37.0@sha256:af00a4465f435742df9980cc9d8a8bda49d6adea173558a371e276b476ea94ae"` | Docker image tag for the `pgsql` image | +| pgsql.image.name | string | `"postgres-12.6-alpine"` | Docker image name for the `pgsql` image | +| pgsql.podSecurityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":999,"runAsUser":999}` | Security context for the `pgsql` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| pgsql.postgresExporter.env | object | `{"DATA_SOURCE_NAME":{"value":"postgres://sg:@localhost:5432/?sslmode=disable"}}` | Environment variables for the `pgsql-exporter` sidecar container | +| pgsql.replicaCount | int | `1` | Number of `pgsql` pod (this should always be `1`) | +| pgsql.resources | object | `{"limits":{"cpu":"4","memory":"4Gi"},"requests":{"cpu":"4","memory":"4Gi"}}` | Resource requests & limits for the `pgsql` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| pgsql.storageSize | string | `"200Gi"` | PVC Storage Request for `pgsql` data volume | +| postgresExporter.image.defaultTag | string | `"3.37.0@sha256:20e58b62f064037ac3d901eba565f49d7e1daae2a237e6fa3d5351580d576dea"` | Docker image tag for the `pgsql-exporter` image | +| postgresExporter.image.name | string | `"postgres_exporter"` | Docker image name for the `pgsql-exporter` image | +| postgresExporter.resources | object | `{"limits":{"cpu":"10m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"50Mi"}}` | Resource requests & limits for the `pgsql-exporter` sidecar container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| preciseCodeIntel.containerSecurityContext | object | 
`{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `precise-code-intel-worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| preciseCodeIntel.env | object | `{"NUM_WORKERS":{"value":"4"}}` | Environment variables for the `precise-code-intel-worker` container | +| preciseCodeIntel.image.defaultTag | string | `"3.37.0@sha256:8435299294539b1144bb897541de7c2535bacae486d91bba4656178b2ecf4d9f"` | Docker image tag for the `precise-code-intel-worker` image | +| preciseCodeIntel.image.name | string | `"precise-code-intel-worker"` | Docker image name for the `precise-code-intel-worker` image | +| preciseCodeIntel.podSecurityContext | object | `{}` | Security context for the `precise-code-intel-worker` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| preciseCodeIntel.replicaCount | int | `2` | Number of `precise-code-intel-worker` pod | +| preciseCodeIntel.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `precise-code-intel-worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| prometheus.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":100,"runAsUser":100}` | Security context for the `prometheus` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| prometheus.enabled | bool | `true` | Enable `prometheus` (recommended) | +| prometheus.existingConfig | string | `""` | Name of existing 
ConfigMap for `pgsql`. It must contain a `prometheus.yml` key | +| prometheus.image.defaultTag | string | `"3.37.0@sha256:b51ccc7c9f19eacfeaa22f888432415dda3bebad58e14b84c829e02b2c719e66"` | Docker image tag for the `prometheus` image | +| prometheus.image.name | string | `"prometheus"` | Docker image name for the `prometheus` image | +| prometheus.podSecurityContext | object | `{"fsGroup":100,"fsGroupChangePolicy":"OnRootMismatch"}` | Security context for the `prometheus` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| prometheus.privileged | bool | `true` | Enable RBAC for `prometheus` | +| prometheus.replicaCount | int | `1` | Number of `prometheus` pod | +| prometheus.resources | object | `{"limits":{"cpu":"2","memory":"6G"},"requests":{"cpu":"500m","memory":"6G"}}` | Resource requests & limits for the `prometheus` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) Prometheus is relied upon to monitor services for sending alerts to site admins when something is wrong with Sourcegraph, thus its memory requests and limits are the same to guarantee it has enough memory to perform its job reliably and prevent conflicts with other pods on the same host node. The limit chosen here is based on what works reliably on Sourcegraph.com with lots of traffic. 
| +| prometheus.serviceAccount.create | bool | `true` | Enable creation of ServiceAccount | +| prometheus.storageSize | string | `"200Gi"` | PVC Storage Request for `prometheus` data volume | +| redisCache.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":999}` | Security context for the `redis-cache` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| redisCache.enabled | bool | `true` | Enable `redis-cache` Redis server | +| redisCache.image.defaultTag | string | `"3.37.0@sha256:ff28c3902b0ba142e3409e3bb905913aaabc821e7efdaa43458ea3bbe65b7e16"` | Docker image tag for the `redis-cache` image | +| redisCache.image.name | string | `"redis-cache"` | Docker image name for the `redis-cache` image | +| redisCache.podSecurityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":"OnRootMismatch"}` | Security context for the `redis-cache` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| redisCache.replicaCount | int | `1` | Number of `redis-cache` pod (this should always be `1`) | +| redisCache.resources | object | `{"limits":{"cpu":"1","memory":"7Gi"},"requests":{"cpu":"1","memory":"7Gi"}}` | Resource requests & limits for the `redis-cache` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| redisCache.storageSize | string | `"100Gi"` | PVC Storage Request for `redis-cache` data volume | +| redisExporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":999}` | Security context for the `redis-exporter` sidecar container, learn more from the [Kubernetes 
documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| redisExporter.image.defaultTag | string | `"3.37.0@sha256:f3f51453e4261734f08579fe9c812c66ee443626690091401674be4fb724da70"` | Docker image tag for the `redis-exporter` image | +| redisExporter.image.name | string | `"redis_exporter"` | | +| redisExporter.resources | object | `{"limits":{"cpu":"10m","memory":"100Mi"},"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource requests & limits for the `redis-exporter` sidecar container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| redisStore.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":999}` | Security context for the `redis-store` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| redisStore.enabled | bool | `true` | Enable `redis-store` Redis server | +| redisStore.image.defaultTag | string | `"3.37.0@sha256:e1cfaeb18367d76838fec0e5f52e2c7d85f2fb63537a3fe809014a986393c9c7"` | Docker image tag for the `redis-store` image | +| redisStore.image.name | string | `"redis-store"` | Docker image name for the `redis-store` image | +| redisStore.podSecurityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":"OnRootMismatch"}` | Security context for the `redis-store` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| redisStore.replicaCount | int | `1` | Number of `redis-store` pod (this should always be `1`) | +| redisStore.resources | object | `{"limits":{"cpu":"1","memory":"7Gi"},"requests":{"cpu":"1","memory":"7Gi"}}` | Resource requests & limits for the `redis-store` 
container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| redisStore.storageSize | string | `"100Gi"` | PVC Storage Request for `redis-store` data volume | +| repoUpdater.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `repo-updater` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| repoUpdater.image.defaultTag | string | `"3.37.0@sha256:fd0562d9d3972d2e4f504b0de8803f485603b57fbc4dd77ac085b1f96dfacbe4"` | Docker image tag for the `repo-updater` image | +| repoUpdater.image.name | string | `"repo-updater"` | Docker image name for the `repo-updater` image | +| repoUpdater.podSecurityContext | object | `{}` | Security context for the `repo-updater` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| repoUpdater.replicaCount | int | `1` | Number of `repo-updater` pod | +| repoUpdater.resources | object | `{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"1","memory":"500Mi"}}` | Resource requests & limits for the `repo-updater` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| searcher.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `searcher` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| searcher.image.defaultTag | string | 
`"3.37.0@sha256:f603c68f8ece63fb3b49cfe09df8a4e7407c713dd6e0267395ba781f1c6fc36c"` | Docker image tag for the `searcher` image | +| searcher.image.name | string | `"searcher"` | Docker image name for the `searcher` image | +| searcher.podSecurityContext | object | `{}` | Security context for the `searcher` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| searcher.replicaCount | int | `2` | Number of `searcher` pod | +| searcher.resources | object | `{"limits":{"cpu":"2","ephemeral-storage":"26G","memory":"2G"},"requests":{"cpu":"500m","ephemeral-storage":"25G","memory":"500M"}}` | Resource requests & limits for the `searcher` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | +| sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag | +| sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy | +| sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix | +| sourcegraph.image.useGlobalTagAsDefault | bool | `false` | When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags | +| sourcegraph.imagePullSecrets | list | `[]` | Mount named secrets containing docker credentials | +| sourcegraph.labels | object | `{}` | Add a global label to all resources | +| sourcegraph.localDevMode | bool | `false` | When true, remove all resource stanzas, allowing the scheduler to best-fit pods. Intended for local development with limited resources. 
| +| sourcegraph.nameOverride | string | `""` | Set a custom name for the app.kubernetes.io/name annotation | +| sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | +| sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods | +| sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods | +| sourcegraph.revisionHistoryLimit | int | `10` | Global deployment clean up policy, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) | +| sourcegraph.serviceLabels | object | `{}` | Add extra labels to all services | +| sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | +| storageClass.create | bool | `true` | Enable creation of storageClass Disable if you have your own existing storage class | +| storageClass.name | string | `"sourcegraph"` | Name of the storageClass Use to customize to the existing storage class name | +| storageClass.parameters | object | `{}` | Extra parameters of storageClass consult your cloud provider persistent storage documentation | +| storageClass.provisioner | string | `"kubernetes.io/gce-pd"` | Name of the storageClass provisioner learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner) and consult your cloud provider persistent storage documentation | +| storageClass.type | string | `"pd-ssd"` | Value of `type` key in storageClass `parameters` consult your cloud provider persistent storage documentation | +| symbols.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `symbols` 
container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| symbols.image.defaultTag | string | `"3.37.0@sha256:b0a3b576e7d61bc9c489fa1378ab0ead4b28fe5fb85d96ae8bf7cd5d9b3631c9"` | Docker image tag for the `symbols` image | +| symbols.image.name | string | `"symbols"` | Docker image name for the `symbols` image | +| symbols.podSecurityContext | object | `{}` | Security context for the `symbols` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| symbols.replicaCount | int | `1` | Number of `symbols` pod | +| symbols.resources | object | `{"limits":{"cpu":"2","ephemeral-storage":"12G","memory":"2G"},"requests":{"cpu":"500m","ephemeral-storage":"10G","memory":"500M"}}` | Resource requests & limits for the `symbols` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| syntectServer.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `syntect-server` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| syntectServer.image.defaultTag | string | `"3.37.0@sha256:4c371a925ce1b97f2ec7f44c582795409c0b19d073a41c7123b07be06e2ebd47"` | Docker image tag for the `syntect-server` image | +| syntectServer.image.name | string | `"syntax-highlighter"` | Docker image name for the `syntect-server` image | +| syntectServer.podSecurityContext | object | `{}` | Security context for the `syntect-server` pod, learn more from the [Kubernetes 
documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| syntectServer.replicaCount | int | `1` | Number of `syntect-server` pod | +| syntectServer.resources | object | `{"limits":{"cpu":"4","memory":"6G"},"requests":{"cpu":"250m","memory":"2G"}}` | Resource requests & limits for the `syntect-server` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| tracing.collector | object | `{}` | | +| tracing.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `jaeger` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| tracing.enabled | bool | `true` | Enable `jaeger` | +| tracing.image.defaultTag | string | `"3.37.0@sha256:aece0527d8efcee8ca7ee013a834ba8c332c44666542a45f6b5451d6e7949b74"` | Docker image tag for the `jaeger` image | +| tracing.image.name | string | `"jaeger-all-in-one"` | Docker image name for the `jaeger` image | +| tracing.query | object | `{}` | Security context for the `jaeger` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| tracing.replicaCount | int | `1` | Number of `jaeger` pod | +| tracing.resources | object | `{"limits":{"cpu":"1","memory":"1G"},"requests":{"cpu":"500m","memory":"500M"}}` | Resource requests & limits for the `jaeger` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| tracingAgent.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security 
context for the `jaeger-agent` sidecar container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| tracingAgent.enabled | bool | `true` | | +| tracingAgent.image.defaultTag | string | `"3.37.0@sha256:04026339976f6107b6490dfe61c9d9b3a541594ba99ff5115667a54e4ec917ba"` | Docker image tag for the `jaeger-agent` image | +| tracingAgent.image.name | string | `"jaeger-agent"` | Docker image name for the `jaeger-agent` image | +| tracingAgent.resources | object | `{"limits":{"cpu":"1","memory":"500M"},"requests":{"cpu":"100m","memory":"100M"}}` | Resource requests & limits for the `jaeger-agent` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| worker.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| worker.image.defaultTag | string | `"3.37.0@sha256:0b3a8d3a59a65c5aabfa4c5bb78cc6eea1c7926fa66ae7558e20f8ca6b11d629"` | Docker image tag for the `worker` image | +| worker.image.name | string | `"worker"` | Docker image name for the `worker` image | +| worker.podSecurityContext | object | `{}` | Security context for the `worker` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| worker.replicaCount | int | `1` | Number of `worker` pod | +| worker.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `worker` container, learn more from the [Kubernetes 
documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | + ## Upgrades Before upgrading, review the CHANGELOG for the helm chart. If you are upgrading to a new Sourcegraph version, review that CHANGELOG as well. @@ -68,15 +300,15 @@ Before upgrading, review the CHANGELOG for the helm chart. If you are upgrading To upgrade to a new version of the helm chart: 1. Update the repo list of charts to retrieve the updated list of versions:
-`helm repo update sourcegraph` + `helm repo update sourcegraph` 1. (Optional) View available versions:
-`helm search repo sourcegraph --versions` + `helm search repo sourcegraph --versions` 1. (Optional) Review the changes that will be applied (`helm template` or `helm diff`, see [Reviewing changes](#reviewing-changes)) 1. Install the new version:
-`helm upgrade --install -f --version sourcegraph/sourcegraph` + `helm upgrade --install -f --version sourcegraph/sourcegraph` ## Versioning @@ -107,7 +339,7 @@ The Grafana deployment can be disabled by setting `grafana.enabled` to `false`. ### Prometheus [Prometheus](https://prometheus.io/) is an open-source application monitoring system and time series database. - It is commonly used to track key performance metrics over time, such as the following: +It is commonly used to track key performance metrics over time, such as the following: - QPS - Application requests by URL route name diff --git a/charts/sourcegraph/README.md.gotmpl b/charts/sourcegraph/README.md.gotmpl new file mode 100644 index 000000000..eed5203d1 --- /dev/null +++ b/charts/sourcegraph/README.md.gotmpl 
@@ -0,0 +1,142 @@ + + +# Sourcegraph Helm Chart + +## Requirements + +* [Helm 3 CLI](https://helm.sh/docs/intro/install/) +* Kubernetes 1.19 or greater + +## Installation + +Add the Sourcegraph charts repo to Helm: + +```sh +helm repo add sourcegraph https://sourcegraph.github.io/deploy-sourcegraph-helm/ +``` + +Install the chart using default values: + +```sh +helm install sg sourcegraph/sourcegraph +``` + +## Usage + +### Customizations + +Helm customizations can be applied using an override file. Using an override file allows customizations to persist through upgrades without needing to manage merge conflicts. + +To customize configuration settings with an override file, create an empty yaml file (with any name) and configure +overrides - example overrides can be found in the [examples](examples) folder. + +The install command would then be: +`helm install -f sourcegraph/sourcegraph` + +### Setting a namespace + +By default, helm installs the chart into your active namespace. To install to a separate namespace, use the `--namespace` flag. For example: +`helm install --namespace new-namespace sourcegraph/sourcegraph` +Or if using an override file: +`helm install --namespace new-namespace -f sourcegraph/sourcegraph` + +If the namespace does not already exist, add the `--create-namespace` flag to create it during installation. + +### Custom resources + +To deploy custom resources not provided by the chart, such as replacing the database configuration file or ingress resource, you can create your own helm chart and specify the Sourcegraph chart as a dependency. Any resources you place in the `templates` folder of your chart will be deployed, as well as the Sourcegraph resources, allowing you to extend the Sourcegraph chart without maintaining a fork. + +An example of a subchart is shown in the [examples/custom-resources](examples/custom-resources) folder. 
+ +More details on how to create and configure a subchart can be found in the [helm documentation](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/). + +### Reviewing changes + +The `helm template` command can be used to render manifests for review and comparison. + +The [Helm Diff plugin](https://github.com/databus23/helm-diff) can also provide a diff against a deployed chart. + +## Rendering manifests for kubectl deployment + +Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`. + +See [the kubectl documentation](https://kubernetes.io/docs/reference/kubectl/) for more information on using kubectl. + +## Configuration Options + +Reference the [values](#values) section for available configuration parameters. + +The values.yaml file can be also be generated by running: +`helm show values sourcegraph/sourcegraph` + +In addition to the documented values, all services also support the following values + +- `..affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) +- `..nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +- `..tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +- `..podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- `..args` - override default container args +- `..env` - consult `values.yaml` file + +{{ template "chart.valuesTable" . }} + +## Upgrades + +Before upgrading, review the CHANGELOG for the helm chart. If you are upgrading to a new Sourcegraph version, review that CHANGELOG as well. + +To upgrade to a new version of the helm chart: + +1. Update the repo list of charts to retrieve the updated list of versions:
+ `helm repo update sourcegraph` + +1. (Optional) View available versions:
+ `helm search repo sourcegraph --versions` + +1. (Optional) Review the changes that will be applied (`helm template` or `helm diff`, see [Reviewing changes](#reviewing-changes)) + +1. Install the new version:
+ `helm upgrade --install -f --version sourcegraph/sourcegraph` + +## Versioning + +Search for available versions by running: +`helm search repo sourcegraph --versions` + +## Third-party resources + +### cAdvisor + +[cAdvisor](https://github.com/google/cadvisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers. + +cAdvisor is part of the default Sourcegraph cluster installation, and deployed as a [Kubernetes DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/). This setup is based on the [official cAdvisor Kubernetes Daemonset configuration](https://github.com/google/cadvisor/tree/master/deploy/kubernetes). We use our own cAdvisor deployment over the built-in metrics exported by Kubernetes because the latter is often outdated and needs to be kept in sync with our [Docker-Compose deployments](https://docs.sourcegraph.com/admin/install/docker-compose). This setup allows us to have standard dashboards across all Sourcegraph deployments. + +Note that the `sourcegraph/cadvisor` Docker images come with a set of default flags to help reduce memory usage and load on Prometheus - see [our Dockerfile](https://github.com/sourcegraph/sourcegraph/blob/master/docker-images/cadvisor/Dockerfile) for more details. + +The cAdvisor deployment can be disabled by setting `cadvisor.enabled` to `false`, if you already run cadvisor on your cluster. + +### Grafana + +[Grafana](https://https://grafana.com/) is an open-source analytics dashboard application. + +A Grafana instance is part of the default Sourcegraph cluster installation. +Learn more about Grafana in the [metrics and dashboards guide](https://docs.sourcegraph.com/admin/observability/metrics). + +The Grafana deployment can be disabled by setting `grafana.enabled` to `false`. 
This is not recommended, as it severely limits your ability to monitor the health of your instance and troubleshoot any issues. + +### Prometheus + +[Prometheus](https://prometheus.io/) is an open-source application monitoring system and time series database. +It is commonly used to track key performance metrics over time, such as the following: + +- QPS +- Application requests by URL route name +- HTTP response latency +- HTTP error codes +- Time since last search index update + +A Prometheus instance is part of the default Sourcegraph cluster installation. + +The Prometheus deployment can be disabled by setting `prometheus.enabled` to `false`. This is not recommended, as it severely limits your ability to monitor the health of your instance and troubleshoot any issues. Instead, consider setting `prometheus.privileged` to `false`, which reduces the privileges required to deploy a Prometheus instance. diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml index 3f03ab181..7c3dc006b 100644 --- a/charts/sourcegraph/values.yaml +++ b/charts/sourcegraph/values.yaml 
@@ -3,27 +3,41 @@ ### Common Configuration ### sourcegraph: - affinity: {} image: + # -- Global docker image tag defaultTag: '{{ .Chart.AppVersion }}' + # -- Global docker image pull policy pullPolicy: IfNotPresent + # -- Global docker image registry or prefix repository: index.docker.io/sourcegraph - # When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags + # -- When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags useGlobalTagAsDefault: false - # Mount a named secret containing docker credentials + # -- Mount named secrets containing docker credentials imagePullSecrets: [] - # Add a global label to all resources + # -- Add a global label to all resources labels: {} - # When true, remove all resource stanzas, allowing the scheduler to best-fit pods. Intended for local development with limited resources. + # -- When true, remove all resource stanzas, allowing the scheduler to best-fit pods. Intended for local development with limited resources. 
localDevMode: false - # Set a custom name for the app.kubernetes.io/name annotation + # -- Set a custom name for the app.kubernetes.io/name annotation nameOverride: "" + # -- Affinity, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) + affinity: {} + # -- NodeSelector, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) nodeSelector: {} + # -- Tolerations, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + # -- Add extra annotations to attach to all pods podAnnotations: {} + # -- Add extra labels to attach to all pods podLabels: {} + # -- Global deployment clean up policy, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) revisionHistoryLimit: 10 + # -- Add extra labels to all services serviceLabels: {} - tolerations: [] # Generic application configuration options, used by most applications below 
@@ -74,13 +88,19 @@ sourcegraph: alpine: # Used in init containers image: + # -- Docker image tag for the `alpine` image defaultTag: 3.37.0@sha256:946f83cf1d822434f242c522cf71717de6cf014a6fc226c9ed82f27ad7e17aa3 + # -- Docker image name for the `alpine` image name: "alpine-3.12" + # -- Security context for the `alpine` initContainer, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 999 runAsGroup: 999 readOnlyRootFilesystem: true + # -- Resource requests & limits for the `alpine` initContainer, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: 10m @@ -90,12 +110,18 @@ alpine: # Used in init containers memory: 50Mi cadvisor: + # -- Enable `cadvisor` enabled: true image: + # -- Docker image tag for the `cadvisor` image defaultTag: 3.37.0@sha256:7b0c6953e54746c16f63bcd9029d8bb52e348cd3921261694696eb66b28daf76 + # -- Docker image name for the `cadvisor` image name: "cadvisor" podSecurityPolicy: + # -- Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `cadvisor` pods enabled: false + # -- Resource requests & limits for the `cadvisor` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: 300m 
@@ -104,24 +130,36 @@ cadvisor: cpu: 150m memory: 200Mi serviceAccount: + # -- Enable creation of ServiceAccount for `cadvisor` create: true + # -- Name of the ServiceAccount name: cadvisor codeInsightsDB: + # -- Enable `codeinsights-db` PostgreSQL server enabled: true + # -- Environment variables for the `codeinsights-db` container env: POSTGRES_PASSWORD: # Accessible by Sourcegraph applications on the network only, so password auth is not used. value: password + # -- Name of existing ConfigMap for `codeinsights-db`. It must contain a `postgresql.conf` key. existingConfig: "" # Name of an existing configmap image: + # -- Docker image tag for the `codeinsights-db` image defaultTag: 3.37.0@sha256:fa608333a6ca1aef148abd33e4ee14886d4f172e0db1e5c9ee6bac36adec0bf1 + # -- Docker image name for the `codeinsights-db` image name: "codeinsights-db" + # -- Security context for the `codeinsights-db` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 70 runAsGroup: 70 readOnlyRootFilesystem: true + # -- Number of `codeinsights-db` pod (this should always be `1`) replicaCount: 1 + # -- Resource requests & limits for the `codeinsights-db` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "4" 
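Review bot: the new description on `codeInsightsDB.env` says only "Environment variables for the `codeinsights-db` container", so the generated table will show the default `POSTGRES_PASSWORD` of `password` without the rationale that sits in the inline comment ("Accessible by Sourcegraph applications on the network only, so password auth is not used"). Carry that explanation into the `# --` text so readers of the README see it next to the default. Separately, `existingConfig: ""` keeps its old trailing `# Name of an existing configmap` comment here, while the `codeIntelDB` hunk removes it; drop it for consistency now that the `# --` line documents the key.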
@@ -129,28 +167,41 @@ codeInsightsDB: requests: cpu: "4" memory: 2Gi + # -- Security context for the `codeinsights-db` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: runAsUser: 70 fsGroup: 70 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `codeinsights-db` data volume storageSize: 200Gi codeIntelDB: + # -- Enable `codeintel-db` PostgreSQL server enabled: true - existingConfig: "" # Name of an existing configmap + # -- Name of existing ConfigMap for `codeintel-db`. It must contain a `postgresql.conf` key + existingConfig: "" image: + # -- Docker image tag for the `codeintel-db` image defaultTag: 3.37.0@sha256:fc2ab91482f85f77eb73c69a35a2a4cc5055a1b93ef1c1d0f183a7003e632082 + # -- Docker image name for the `codeintel-db` image name: "codeintel-db" + # -- Security context for the `codeintel-db` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 999 runAsGroup: 999 readOnlyRootFilesystem: true postgresExporter: + # -- Environment variables for the `pgsql-exporter` sidecar container env: DATA_SOURCE_NAME: value: postgres://sg:@localhost:5432/?sslmode=disable + # -- Number of `codeintel-db` pod (this should always be `1`) replicaCount: 1 + # -- Resource requests & limits for the `codeintel-db` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "4" 
@@ -158,13 +209,18 @@ codeIntelDB: requests: cpu: "4" memory: 4Gi + # -- Security context for the `codeintel-db` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: runAsUser: 999 fsGroup: 999 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `codeintel-db` data volume storageSize: 200Gi frontend: + # -- Environment variables for the `frontend` container + # @default -- the chart will add some default environment values env: CODEINSIGHTS_PGDATASOURCE: value: postgres://postgres:password@codeinsights-db:5432/postgres 
@@ -191,23 +247,39 @@ frontend: PROMETHEUS_URL: value: http://prometheus:30090 image: + # -- Docker image tag for the `frontend` image defaultTag: 3.37.0@sha256:724ccb31e95237cbe12b51f3c8b8d22a7d0ac65a73ee8084614360c2018ce3ca + # -- Docker image name for the `frontend` image name: "frontend" ingress: + # -- Enable ingress for the Sourcegraph server + enabled: true + # -- Annotations for the Sourcegraph server ingress. For example, securing ingress with TLS provided by [cert-manager](https://cert-manager.io/docs/usage/ingress/) annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/proxy-body-size: 150m - enabled: true - host: "" # External host name for SSL - ingressClassName: null # Available in Kubernetes 1.18+ - tlsSecret: "" # Secret containing SSL cert + # -- External hostname for the Sourcegraph server ingress (SSL) + host: "" + # -- IngressClassName for the Ingress (Available in Kubernetes 1.18+) + ingressClassName: null + # -- Secret containing SSL cert + tlsSecret: "" + # -- Security context for the `frontend` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true - privileged: true # Creates Role instead of using existing roles + # -- Security context for the `frontend` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Creates Role instead of using existing roles + privileged: true + # -- Number of `frontend` pod replicaCount: 2 + # -- Resource requests & limits for the `frontend` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "2" 
@@ -218,16 +290,27 @@ frontend: ephemeral-storage: 4Gi memory: 2G serviceAccount: + # -- Enable creation of ServiceAccount for `frontend` create: true + # -- Name of the ServiceAccount name: sourcegraph-frontend migrator: + # -- Enable [migrator](https://docs.sourcegraph.com/admin/how-to/manual_database_migrations) initContainer in + # `frontend` deployment to perform database migration enabled: true image: + # -- Docker image tag for the `migrator` image defaultTag: 3.37.0@sha256:404df69cfee90eaa9a3ab8b540a2d9affd22605caa5326a8ac4ba016e1d6d815 + # -- Docker image name for the `migrator` image name: "migrator" + # -- Environment variables for the `migrator` container env: {} + # -- Resource requests & limits for the `migrator` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: {} + # -- Security context for the `migrator` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 
@@ -236,14 +319,24 @@ migrator: githubProxy: image: + # -- Docker image tag for the `github-proxy` image defaultTag: 3.37.0@sha256:3b173e36f958b68479ae829d784c63346701df417afa14d14ae657a84e630dd5 + # -- Docker image name for the `github-proxy` image name: "github-proxy" + # -- Security context for the `github-proxy` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `github-proxy` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `github-proxy` pod replicaCount: 1 + # -- Resource requests & limits for the `github-proxy` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
@@ -254,15 +347,21 @@ githubProxy: gitserver: image: + # -- Docker image tag for the `gitserver` image defaultTag: 3.37.0@sha256:9d005ebd221b3e9e5f41ad2c91f8f1b06758a70c6ddbff11acbf037461f7f3d5 + # -- Docker image name for the `gitserver` image name: "gitserver" - labels: {} + # -- Security context for the `giserver` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Number of `gitserver` pod replicaCount: 1 + # -- Resource requests & limits for the `gitserver` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "4" 
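Review bot: this hunk removes `labels: {}` from `gitserver`, which is a change to the values themselves inside a patch that otherwise only adds documentation comments. If a template still reads `gitserver.labels`, say so in the commit message or keep the key with a `# --` description; if it is unused, call out the removal explicitly. The new container security context comment also misspells the service as `giserver`.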
@@ -270,25 +369,37 @@ gitserver: requests: cpu: "4" memory: 8G + # -- Security context for the `gitserver` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: runAsUser: 100 runAsGroup: 101 fsGroup: 101 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `gitserver` data volume storageSize: 200Gi grafana: + # -- Enable `grafana` dashboard (recommended) enabled: true + # -- Name of existing ConfigMap for `grafana`. It must contain a `datasources.yml` key. existingConfig: "" # Name of an existing configmap image: + # -- Docker image tag for the `grafana` image defaultTag: 3.37.0@sha256:a47fde087ee42864ed6108796e95045857b55b3d9327b2d74257321384f6bbd1 + # -- Docker image name for the `grafana` image name: "grafana" + # -- Security context for the `grafana` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 472 runAsGroup: 472 readOnlyRootFilesystem: true + # -- Number of `grafana` pod replicaCount: 1 + # -- Resource requests & limits for the `grafana` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
@@ -296,25 +407,36 @@ grafana: requests: cpu: 100m memory: 512Mi + # -- Security context for the `grafana` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: runAsUser: 472 runAsGroup: 472 fsGroup: 472 fsGroupChangePolicy: "OnRootMismatch" serviceAccount: + # -- Enable creation of ServiceAccount for `grafana` create: true + # -- PVC Storage Request for `grafana` data volume storageSize: 2Gi indexedSearch: image: + # -- Docker image tag for the `zoekt-webserver` image defaultTag: 3.37.0@sha256:0f81c4d33c852fc0ee819d5139efa1c48d6cb10a5f86fa2d37ed698bb2a0a892 + # -- Docker image name for the `zoekt-webserver` image name: "indexed-searcher" + # -- Security context for the `zoekt-webserver` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Number of `index-search` pod replicaCount: 1 + # -- Resource requests & limits for the `zoekt-webserver` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "2" 
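Review bot: the `replicaCount` comment under `indexedSearch` calls the service `index-search`, while the pod security context and storage comments in the next hunk call it `indexed-search`. Pick one name so the generated table is searchable by a single term.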
@@ -322,25 +444,34 @@ indexedSearch: requests: cpu: 500m memory: 2G + # -- Security context for the `indexed-search` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: fsGroup: 101 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `indexed-search` data volume # The size of disk to used for search indexes. # This should typically be gitserver disk size multipled by the number of gitserver shards. storageSize: 200Gi indexedSearchIndexer: image: + # -- Docker image tag for the `zoekt-indexserver` image defaultTag: 3.37.0@sha256:2a85ddfc2533e525cd7a3a7327fd0174976dcb40d933db8aaafe21ae7ec209c5 + # -- Docker image name for the `zoekt-indexserver` image name: "search-indexer" + # -- Security context for the `zoekt-indexserver` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Resource requests & limits for the `zoekt-indexserver` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + # zoekt-indexserver is CPU bound. The more CPU you allocate to it, the + # lower lag between a new commit and it being indexed for search. resources: - # zoekt-indexserver is CPU bound. The more CPU you allocate to it, the - # lower lag between a new commit and it being indexed for search. limits: cpu: "8" memory: 8G 
@@ -349,20 +480,30 @@ indexedSearchIndexer: memory: 4G minio: + # -- Enable `minio` (S3 compatible storage) enabled: true + # -- Environment variables for the `minio` container + # You should change below variables in production env: MINIO_ACCESS_KEY: value: AKIAIOSFODNN7EXAMPLE MINIO_SECRET_KEY: value: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY image: + # -- Docker image tag for the `minio` image defaultTag: 3.37.0@sha256:66925bab722ed11584e1135687b5c1e00a13c550e38d954a56048c90f17edc53 + # -- Docker image tag for the `minio` image name: "minio" + # -- Security context for the `minio` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 + # -- Number of `minio` pod replicaCount: 1 + # -- Resource requests & limits for the `minio` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
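Review bot: the description added above `minio.image.name` is a copy of the one above `defaultTag` ("Docker image tag for the `minio` image"); it should read "Docker image name for the `minio` image". On `minio.env`, the note "You should change below variables in production" is easy to miss given that the defaults are the well-known example values `AKIAIOSFODNN7EXAMPLE` and `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`; state in the `# --` line itself that `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` are placeholder credentials that must be overridden.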
@@ -370,29 +511,42 @@ minio: requests: cpu: "1" memory: 500M + # -- Security context for the `minio` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: runAsUser: 100 runAsGroup: 101 fsGroup: 101 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `minio` data volume storageSize: 100Gi pgsql: + # -- Enable `pgsql` PostgreSQL server enabled: true + # -- Name of existing ConfigMap for `pgsql`. It must contain a `postgresql.conf` key existingConfig: "" # Name of an existing configmap image: + # -- Docker image tag for the `pgsql` image defaultTag: 3.37.0@sha256:af00a4465f435742df9980cc9d8a8bda49d6adea173558a371e276b476ea94ae + # -- Docker image name for the `pgsql` image name: "postgres-12.6-alpine" + # -- Security context for the `pgsql` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 999 runAsGroup: 999 readOnlyRootFilesystem: true postgresExporter: + # -- Environment variables for the `pgsql-exporter` sidecar container env: DATA_SOURCE_NAME: value: postgres://sg:@localhost:5432/?sslmode=disable + # -- Number of `pgsql` pod (this should always be `1`) replicaCount: 1 + # -- Resource requests & limits for the `pgsql` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "4" 
@@ -400,18 +554,25 @@ pgsql: requests: cpu: "4" memory: 4Gi + # -- Security context for the `pgsql` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: # Required to prevent escalations to root. runAsUser: 999 runAsGroup: 999 fsGroup: 999 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `pgsql` data volume storageSize: 200Gi postgresExporter: image: + # -- Docker image tag for the `pgsql-exporter` image defaultTag: 3.37.0@sha256:20e58b62f064037ac3d901eba565f49d7e1daae2a237e6fa3d5351580d576dea + # -- Docker image name for the `pgsql-exporter` image name: "postgres_exporter" + # -- Resource requests & limits for the `pgsql-exporter` sidecar container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: 10m 
@@ -421,18 +582,29 @@ postgresExporter: memory: 50Mi preciseCodeIntel: + # -- Environment variables for the `precise-code-intel-worker` container env: NUM_WORKERS: value: "4" image: + # -- Docker image tag for the `precise-code-intel-worker` image defaultTag: 3.37.0@sha256:8435299294539b1144bb897541de7c2535bacae486d91bba4656178b2ecf4d9f + # -- Docker image name for the `precise-code-intel-worker` image name: "precise-code-intel-worker" + # -- Security context for the `precise-code-intel-worker` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `precise-code-intel-worker` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `precise-code-intel-worker` pod replicaCount: 2 + # -- Resource requests & limits for the `precise-code-intel-worker` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "2" 
@@ -442,18 +614,28 @@ preciseCodeIntel: memory: 2G prometheus: + # -- Enable `prometheus` (recommended) enabled: true + # -- Name of existing ConfigMap for `pgsql`. It must contain a `prometheus.yml` key existingConfig: "" # Name of an existing configmap image: + # -- Docker image tag for the `prometheus` image defaultTag: 3.37.0@sha256:b51ccc7c9f19eacfeaa22f888432415dda3bebad58e14b84c829e02b2c719e66 + # -- Docker image name for the `prometheus` image name: "prometheus" + # -- Security context for the `prometheus` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 100 readOnlyRootFilesystem: true + # -- Enable RBAC for `prometheus` privileged: true + # -- Number of `prometheus` pod replicaCount: 1 + # -- Resource requests & limits for the `prometheus` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) # Prometheus is relied upon to monitor services for sending alerts to site admins when # something is wrong with Sourcegraph, thus its memory requests and limits are the same to # guarantee it has enough memory to perform its job reliably and prevent conflicts with 
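Review bot: the description on `prometheus.existingConfig` reads "Name of existing ConfigMap for `pgsql`", which looks copied from the `pgsql` block; it should name `prometheus`, matching the `prometheus.yml` key it mentions. The `privileged` key is described here as "Enable RBAC for `prometheus`" but under `frontend` as "Creates Role instead of using existing roles"; align the two descriptions, and make clear in both that this flag controls RBAC objects and is unrelated to the `privileged` field of a container security context.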
@@ -468,24 +650,36 @@ prometheus: requests: cpu: 500m memory: 6G + # -- Security context for the `prometheus` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: fsGroup: 100 fsGroupChangePolicy: "OnRootMismatch" serviceAccount: + # -- Enable creation of ServiceAccount create: true + # -- PVC Storage Request for `prometheus` data volume storageSize: 200Gi redisCache: + # -- Enable `redis-cache` Redis server enabled: true image: + # -- Docker image tag for the `redis-cache` image defaultTag: 3.37.0@sha256:ff28c3902b0ba142e3409e3bb905913aaabc821e7efdaa43458ea3bbe65b7e16 + # -- Docker image name for the `redis-cache` image name: "redis-cache" + # -- Security context for the `redis-cache` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 999 runAsGroup: 1000 readOnlyRootFilesystem: true + # -- Number of `redis-cache` pod (this should always be `1`) replicaCount: 1 + # -- Resource requests & limits for the `redis-cache` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
@@ -493,20 +687,28 @@ redisCache: requests: cpu: "1" memory: 7Gi + # -- Security context for the `redis-cache` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `redis-cache` data volume storageSize: 100Gi redisExporter: image: + # -- Docker image tag for the `redis-exporter` image defaultTag: 3.37.0@sha256:f3f51453e4261734f08579fe9c812c66ee443626690091401674be4fb724da70 name: "redis_exporter" + # -- Security context for the `redis-exporter` sidecar container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 999 runAsGroup: 1000 readOnlyRootFilesystem: true + # -- Resource requests & limits for the `redis-exporter` sidecar container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: 10m 
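Review bot: under `redisExporter.image`, `defaultTag` gets a `# --` description but `name: "redis_exporter"` does not, so the image name will appear in the generated table with an empty description. Add "Docker image name for the `redis-exporter` image" above it, as done for every other image block in this patch.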
@@ -516,16 +718,24 @@ redisExporter: memory: 100Mi redisStore: + # -- Enable `redis-store` Redis server enabled: true image: + # -- Docker image tag for the `redis-store` image defaultTag: 3.37.0@sha256:e1cfaeb18367d76838fec0e5f52e2c7d85f2fb63537a3fe809014a986393c9c7 + # -- Docker image name for the `redis-store` image name: "redis-store" + # -- Security context for the `redis-store` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 999 runAsGroup: 1000 readOnlyRootFilesystem: true + # -- Number of `redis-store` pod (this should always be `1`) replicaCount: 1 + # -- Resource requests & limits for the `redis-store` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
@@ -533,21 +743,34 @@ redisStore: requests: cpu: "1" memory: 7Gi + # -- Security context for the `redis-store` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" + # -- PVC Storage Request for `redis-store` data volume storageSize: 100Gi repoUpdater: image: + # -- Docker image tag for the `repo-updater` image defaultTag: 3.37.0@sha256:fd0562d9d3972d2e4f504b0de8803f485603b57fbc4dd77ac085b1f96dfacbe4 + # -- Docker image name for the `repo-updater` image name: "repo-updater" + # -- Security context for the `repo-updater` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `repo-updater` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `repo-updater` pod replicaCount: 1 + # -- Resource requests & limits for the `repo-updater` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
@@ -558,14 +781,24 @@ repoUpdater: searcher: image: + # -- Docker image tag for the `searcher` image defaultTag: 3.37.0@sha256:f603c68f8ece63fb3b49cfe09df8a4e7407c713dd6e0267395ba781f1c6fc36c + # -- Docker image name for the `searcher` image name: "searcher" + # -- Security context for the `searcher` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `searcher` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `searcher` pod replicaCount: 2 + # -- Resource requests & limits for the `searcher` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "2" 
@@ -577,21 +810,43 @@ searcher: memory: 500M storageClass: - create: true # Disable if you have your own existing storage class - name: sourcegraph # Customize to the existing storage class name + # -- Enable creation of storageClass + # Disable if you have your own existing storage class + create: true + # -- Name of the storageClass + # Use to customize to the existing storage class name + name: sourcegraph + # -- Name of the storageClass provisioner + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner) + # and consult your cloud provider persistent storage documentation provisioner: kubernetes.io/gce-pd + # -- Value of `type` key in storageClass `parameters` + # consult your cloud provider persistent storage documentation type: pd-ssd + # -- Extra parameters of storageClass + # consult your cloud provider persistent storage documentation + parameters: {} symbols: image: + # -- Docker image tag for the `symbols` image defaultTag: 3.37.0@sha256:b0a3b576e7d61bc9c489fa1378ab0ead4b28fe5fb85d96ae8bf7cd5d9b3631c9 + # -- Docker image name for the `symbols` image name: "symbols" + # -- Security context for the `symbols` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `symbols` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `symbols` pod replicaCount: 1 + # -- Resource requests & limits for the `symbols` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: 
"2" @@ -604,14 +859,24 @@ symbols: syntectServer: image: + # -- Docker image tag for the `syntect-server` image defaultTag: 3.37.0@sha256:4c371a925ce1b97f2ec7f44c582795409c0b19d073a41c7123b07be06e2ebd47 + # -- Docker image name for the `syntect-server` image name: "syntax-highlighter" + # -- Security context for the `syntect-server` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `syntect-server` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `syntect-server` pod replicaCount: 1 + # -- Resource requests & limits for the `syntect-server` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "4" 
@@ -621,18 +886,30 @@ syntectServer: memory: 2G tracing: + # TODO + # - document the collector SVC collector: {} + # -- Enable `jaeger` enabled: true image: + # -- Docker image tag for the `jaeger` image defaultTag: 3.37.0@sha256:aece0527d8efcee8ca7ee013a834ba8c332c44666542a45f6b5451d6e7949b74 + # -- Docker image name for the `jaeger` image name: "jaeger-all-in-one" + # -- Security context for the `jaeger` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `jaeger` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) query: {} + # -- Number of `jaeger` pod replicaCount: 1 + # -- Resource requests & limits for the `jaeger` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
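Review bot: the comment "Security context for the `jaeger` pod" is placed directly above `query: {}`, so the generated docs will describe `tracing.query` as the pod security context, and no `podSecurityContext` key is added here as it is for the other services in this patch. Either add `podSecurityContext: {}` under that comment and give `query` its own description, or remove the comment. The `# TODO` above `collector: {}` also leaves that key undocumented; add at least a one-line `# --` description before merging.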
@@ -641,16 +918,23 @@ tracing: cpu: 500m memory: 500M +# Jaeger sidecar container tracingAgent: enabled: true image: + # -- Docker image tag for the `jaeger-agent` image defaultTag: 3.37.0@sha256:04026339976f6107b6490dfe61c9d9b3a541594ba99ff5115667a54e4ec917ba + # -- Docker image name for the `jaeger-agent` image name: "jaeger-agent" + # -- Security context for the `jaeger-agent` sidecar container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Resource requests & limits for the `jaeger-agent` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "1" 
@@ -661,14 +945,24 @@ tracingAgent: worker: image: + # -- Docker image tag for the `worker` image defaultTag: 3.37.0@sha256:0b3a8d3a59a65c5aabfa4c5bb78cc6eea1c7926fa66ae7558e20f8ca6b11d629 + # -- Docker image name for the `worker` image name: "worker" + # -- Security context for the `worker` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) containerSecurityContext: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Security context for the `worker` pod, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + podSecurityContext: {} + # -- Number of `worker` pod replicaCount: 1 + # -- Resource requests & limits for the `worker` container, + # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: limits: cpu: "2" diff --git a/scripts/helm-docs.sh b/scripts/helm-docs.sh new file mode 100755 index 000000000..c1ee7bc9f --- /dev/null +++ b/scripts/helm-docs.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env sh +# Copy from https://github.com/linkerd/linkerd2/blob/main/bin/helm-docs + +set -euf -o pipefail + +helmdocsv=1.7.0 +bindir=$( cd "${0%/*}" && pwd ) # Change to script dir and set bin dir to this +targetbin=$( cd "$bindir"/.. && pwd )/target/bin +helmdocsbin=$targetbin/helm-docs-$helmdocsv +os="" +arch="" + +if [ ! -f "$helmdocsbin" ]; then + case $(uname | tr '[:upper:]' '[:lower:]') in + darwin*) + os=darwin + arch=x86_64 + ;; + linux*) + os=linux + case $(uname -m) in + x86_64) arch=x86_64 ;; + amd64) arch=amd64 ;; + arm) + tmp=$(dpkg --print-architecture) + if echo "$tmp" | grep -q arm64; then + arch=arm64 + elif echo "$tmp" | grep -q armv7; then + arch=armv7 + elif echo "$tmp" | grep -q armv6; then + arch=armv6 + fi + ;; + esac + ;; + msys*) + os=windows + arch=x86_64 + ;; + esac + + if [ -z "$os" ]; then + echo "Couldn't find a matching binary" + exit 126 + fi + helmdocscurl="https://github.com/norwoodj/helm-docs/releases/download/v$helmdocsv/helm-docs_${helmdocsv}_${os}_${arch}.tar.gz" + tmp=$(mktemp -d -t helm-docs.XXX) + mkdir -p "$targetbin" + ( + cd "$tmp" + curl --proto '=https' --tlsv1.2 -sSfL -o "./helm-docs.tar.gz" "$helmdocscurl" + tar zf "./helm-docs.tar.gz" -x "helm-docs" + chmod +x "helm-docs" + ) + mv "$tmp/helm-docs" "$helmdocsbin" +fi + +"$helmdocsbin" "$@" \ No newline at end of file
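Review bot: In the `syntectServer` hunk (`@@ -604,14 +859,24 @@`), the comment above `name: "syntax-highlighter"` calls it the `syntect-server` image, so the generated table will describe an image name that differs from the value users actually pull. Suggest wording both image comments around the service, for example "Docker image name for the `syntect-server` service", or naming `syntax-highlighter` explicitly. "Number of `syntect-server` pod" should also read "pods"; the same wording recurs in the `tracing` and `worker` hunks.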
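Review bot: In the `tracing` hunk (`@@ -621,18 +886,30 @@`), the added comment "Security context for the `jaeger` pod" sits directly above the unchanged `query: {}` line, and no `podSecurityContext: {}` key is added the way it is for `syntectServer` and `worker`. helm-docs attaches a `# --` comment to the key that follows it, so `tracing.query` would be documented as a pod security context and `tracing.podSecurityContext` would get no entry. Add `podSecurityContext: {}` under that comment if the jaeger template reads it, otherwise drop the comment, and give `query` its own description. The `# TODO` above `collector: {}` also leaves that key undocumented; resolve it or track it before merging.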
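Review bot: In the `tracingAgent` hunk (`@@ -641,16 +918,23 @@`), `enabled: true` gets no `# --` description, while `tracing.enabled` in the previous hunk is documented with "Enable `jaeger`". The new `# Jaeger sidecar container` line is a plain comment without the `--` marker, so it will not be rendered as a description. Add a `# --` comment above `enabled` (for example "Enable the `jaeger-agent` sidecar") so the toggle that injects the sidecar is described in the generated table.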
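Review bot: In `scripts/helm-docs.sh` (`@@ -0,0 +1,58 @@`), the tarball fetched by `curl ... "$helmdocscurl"` is unpacked, marked executable and then run as `"$helmdocsbin" "$@"` without any integrity check, so the script trusts whatever the release URL serves at download time. The chart pins its images by sha256 digest, and the tool download deserves the same treatment: record the expected SHA-256 of each `os`/`arch` asset for `helmdocsv=1.7.0` in the script and compare it (with `sha256sum` or `shasum -a 256`) before the `mv` into `$targetbin`. Two smaller points: the guard `[ -z "$os" ]` does not test `$arch`, so a `uname -m` value outside `x86_64`, `amd64` and `arm`, or an `arm` host where none of the `grep` checks match, builds a URL with an empty architecture and fails only at the curl step; and `set -euf -o pipefail` under `#!/usr/bin/env sh` is not accepted by every `sh`, so either switch to a bash shebang or drop `pipefail`. The `mktemp -d` directory is never removed after the `mv`.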