From 7348de2b2f95c11fe13d38a4aebbd2ea30e37ec9 Mon Sep 17 00:00:00 2001
From: Marc LeBlanc
Date: Wed, 1 Oct 2025 19:27:21 -0600
Subject: [PATCH 1/4] Add support for deploying without using Kubernetes secrets, and to disable RBAC resources
---
 charts/sourcegraph/README.md | 6 +++++-
 charts/sourcegraph/templates/_helpers.tpl | 11 +++++++++--
 .../codeinsights-db/codeinsights-db.Secret.yaml | 2 +-
 .../templates/codeintel-db/codeintel-db.Secret.yaml | 2 +-
 .../frontend/sourcegraph-frontend.Deployment.yaml | 10 +++++++++-
 .../templates/grafana/grafana.StatefulSet.yaml | 2 ++
 .../templates/grafana/grafana.pgsql.Secret.yaml | 2 +-
 charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml | 2 +-
 .../prometheus/prometheus.ClusterRoleBinding.yaml | 2 +-
 .../templates/prometheus/prometheus.RoleBinding.yaml | 2 +-
 .../templates/redis/redis-cache.Secret.yaml | 2 +-
 .../templates/redis/redis-store.Secret.yaml | 2 +-
 charts/sourcegraph/values.yaml | 10 +++++++++-
 13 files changed, 42 insertions(+), 13 deletions(-)
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index 1e905141..79facde0 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
@@ -249,8 +249,9 @@ In addition to the documented values, all services also support the following va
 | preciseCodeIntel.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `precise-code-intel-worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | preciseCodeIntel.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `precise-code-intel-worker` |
 | preciseCodeIntel.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
-| priorityClasses | list | `[]` | Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class value: 100 preemptionPolicy: Never description: "gitserver priority class" |
+| priorityClasses | list | `[]` | Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class value: 100 preemptionPolicy: Never description: "gitserver priority class" |
 | prometheus.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":false,"runAsGroup":100,"runAsUser":100}` | Security context for the `prometheus` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
+| prometheus.createRoleBinding | bool | `true` | Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation |
 | prometheus.enabled | bool | `true` | Enable `prometheus` (recommended) |
 | prometheus.existingConfig | string | `""` | Name of existing ConfigMap for `pgsql`. It must contain a `prometheus.yml` key |
 | prometheus.image.defaultTag | string | `"6.0.0@sha256:86a315720fd9813d9ef9746d92e637bc20cd9ebd90da78d8cc6906062252891f"` | Docker image tag for the `prometheus` image |
@@ -302,6 +303,7 @@ In addition to the documented values, all services also support the following va
 | searcher.storageSize | string | `"26Gi"` | Size of the PVC for searcher pods to store cache data |
 | sgTestConnection | object | `{"enabled":true}` | Enable the busybox connection test after deployment |
 | sourcegraph.affinity | object | `{}` | Global Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| sourcegraph.disableKubernetesSecrets | bool | `false` | Disable the creation of Kubernetes secrets objects |
 | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
 | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
 | sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix |
@@ -313,6 +315,8 @@ In addition to the documented values, all services also support the following va
 | sourcegraph.nodeSelector | object | `{}` | Global NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
+| sourcegraph.redisCacheEndpoint | string | `""` | Set the value of the REDIS_CACHE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled |
+| sourcegraph.redisStoreEndpoint | string | `""` | Set the value of the REDIS_STORE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled |
 | sourcegraph.revisionHistoryLimit | int | `10` | Global deployment clean up policy, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
 | sourcegraph.serviceLabels | object | `{}` | Add extra labels to all services |
 | sourcegraph.tolerations | list | `[]` | Global Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl
index 87c18720..71cf7812 100644
--- a/charts/sourcegraph/templates/_helpers.tpl
+++ b/charts/sourcegraph/templates/_helpers.tpl
@@ -45,7 +45,7 @@ For top-level services, pass in the top-level values:
 {{ include "sourcegraph.serviceAccountName" (list . "frontend") }}
 frontend:
- serivceAccount:
+ serviceAccount:
 create: false
 For nested services, pass in the nested values:
@@ -249,6 +249,12 @@ app.kubernetes.io/name: jaeger
 {{- end }}
 {{- define "sourcegraph.redisConnection" -}}
+{{- if .Values.sourcegraph.disableKubernetesSecrets -}}
+- name: REDIS_CACHE_ENDPOINT
+ value: {{ .Values.sourcegraph.redisCacheEndpoint }}
+- name: REDIS_STORE_ENDPOINT
+ value: {{ .Values.sourcegraph.redisStoreEndpoint }}
+{{- else -}}
 - name: REDIS_CACHE_ENDPOINT
 valueFrom:
 secretKeyRef:
@@ -259,7 +265,8 @@ app.kubernetes.io/name: jaeger
 secretKeyRef:
 key: endpoint
 name: {{ default .Values.redisStore.name .Values.redisStore.connection.existingSecret }}
-{{- end }}
+{{- end -}}
+{{- end -}}
 {{- define "sourcegraph.authChecksum" -}}
 {{- $checksum := list .Values.codeInsightsDB.auth -}}
diff --git a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
index 251eeddf..650c58e8 100644
--- a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
+++ b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.codeInsightsDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeInsightsDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
index 68878d30..021a54f0 100644
--- a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
+++ b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.codeIntelDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeIntelDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
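Review bot: `value: {{ .Values.sourcegraph.redisCacheEndpoint }}` and the REDIS_STORE_ENDPOINT line below it render the endpoint as an unquoted scalar, and `env[].value` must be a string, so any value that YAML types differently (a bare port number, for instance) is rejected by the API server; pipe both through quote, `value: {{ .Values.sourcegraph.redisCacheEndpoint | quote }}`. The patch 3 and patch 4 revisions of this helper keep the unquoted form. The branch order also means `disableKubernetesSecrets` silently wins over `redisCache.connection.existingSecret` and `redisStore.connection.existingSecret` when both are set, which deserves either a sentence in the values.yaml comment or a `fail` on that combination, so a customer who pointed at an existing Secret does not end up with plain values in the pod spec.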
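Review bot: The new guard stops rendering this Secret when `disableKubernetesSecrets` is true, but this series only removes the matching `secretKeyRef` consumers in the migrator, frontend and grafana containers; if any other template in the chart still includes `sourcegraph.databaseAuth` (not visible from this diff), those pods will reference a Secret that no longer exists and sit in CreateContainerConfigError after the upgrade. A `helm template` run with the flag on, grepped for `secretKeyRef`, would confirm nothing else still points at the Secret names these templates produce. The same guard is applied in the codeintel-db, grafana.pgsql, pgsql, redis-cache and redis-store Secret hunks.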
diff --git a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
index 187a5c6d..e2dad382 100644
--- a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
+++ b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
@@ -52,9 +52,12 @@ spec:
 - name: migrator
 image: {{ include "sourcegraph.image" (list . "migrator") }}
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ {{- if .Values.migrator.command }}
+ command: {{ .Values.migrator.command }}
+ {{- end }}
 args: {{- default (list "up") .Values.migrator.args | toYaml | nindent 8 }}
 env:
- {{- if not .Values.migrator.databaseAuthOverrideEnvVars }}
+ {{- if and (not .Values.migrator.databaseAuthOverrideEnvVars) (not .Values.sourcegraph.disableKubernetesSecrets) }}
 {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
@@ -78,11 +81,16 @@ spec:
 - name: frontend
 image: {{ include "sourcegraph.image" (list . "frontend") }}
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ {{- if .Values.frontend.command }}
+ command: {{ .Values.frontend.command }}
+ {{- end }}
 args: {{- default (list "serve") .Values.frontend.args | toYaml | nindent 8 }}
 env:
+ {{- if not .Values.sourcegraph.disableKubernetesSecrets }}
 {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
+ {{- end }}
 {{- range $name, $item := .Values.frontend.env}}
 - name: {{ $name }}
 {{- $item | toYaml | nindent 10 }}
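Review bot: `command: {{ .Values.migrator.command }}` prints a list value with Go's default formatting (a constructed example: `[sh -c]`), which YAML then reads as a flow sequence holding a single element, so the container does not get the command the operator wrote; render it the way `args:` is rendered two lines below, `command: {{- .Values.migrator.command | toYaml | nindent 8 }}`. The `frontend.command` block in the second hunk has the same problem. Neither `migrator.command` nor `frontend.command` is added to values.yaml or the README anywhere in this series, so the two new knobs are undocumented.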
diff --git a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
index da3cb0e4..4d748bd0 100644
--- a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
+++ b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
@@ -52,7 +52,9 @@ spec:
 {{- end }}
 terminationMessagePolicy: FallbackToLogsOnError
 env:
+ {{- if not .Values.sourcegraph.disableKubernetesSecrets -}}
 {{- include "sourcegraph.databaseAuth" (list . "grafana" "GRAFANA_PGSQL_") | nindent 8 }}
+ {{- end -}}
 {{- range $name, $item := .Values.grafana.env}}
 - name: {{ $name }}
 {{- $item | toYaml | nindent 10 }}
diff --git a/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml b/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
index 7b3484d3..a96fcb44 100644
--- a/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
+++ b/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) .Values.grafana.auth (not .Values.grafana.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
index 4f1757bd..73280504 100644
--- a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
+++ b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.pgsql.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.pgsql.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml b/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
index bdd4352f..d6ab69ab 100644
--- a/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
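Review bot: The new guard uses right-hand trims, `{{- if not .Values.sourcegraph.disableKubernetesSecrets -}}` and `{{- end -}}`, where the equivalent guard added to the frontend Deployment uses `{{- if ... }}` and `{{- end }}`; the include's `nindent 8` already supplies its own leading newline, so the trailing `-` changes nothing here and only leaves the block one adjacent right-trimmed action away from gluing two lines together. I would drop them for consistency: `{{- if not .Values.sourcegraph.disableKubernetesSecrets }}` and `{{- end }}`. When the guard is false and `grafana.env` is empty this renders a bare `env:` key; presumably the API server accepts the null list, but a `helm template` run of that combination would settle it.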
+++ b/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.privileged -}}
+{{- if and .Values.prometheus.enabled .Values.prometheus.privileged .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml b/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
index c7345da9..4fa1376d 100644
--- a/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
+++ b/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) -}}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml b/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
index c6cf9dfc..ac24267c 100644
--- a/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
+++ b/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.redisCache.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisCache.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/redis/redis-store.Secret.yaml b/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
index 7d0d313e..ab3124ee 100644
--- a/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
+++ b/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
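Review bot: `createRoleBinding` defaults to `true` and is ANDed into the render condition, so `true` means create, yet its README row and values.yaml comment read "Disable the creation of a RoleBinding object"; I would word it `# -- Create the RoleBinding/ClusterRoleBinding for prometheus; set to false where RBAC resource creation is blocked`. The RoleBinding hunk below is gated by the same flag. Only the two binding templates are gated; if the chart also renders a Role, ClusterRole or ServiceAccount for prometheus from templates outside this diff, a customer who blocks all RBAC creation will still fail on those, which I cannot confirm from here. With `privileged: true` kept and no binding rendered, the prometheus service account presumably has no discovery permissions until the operator binds it out of band, and the README row should say so.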
@@ -1,4 +1,4 @@
-{{- if not .Values.redisStore.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisStore.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
index 71d99506..b13047c6 100644
--- a/charts/sourcegraph/values.yaml
+++ b/charts/sourcegraph/values.yaml
@@ -38,6 +38,12 @@ sourcegraph:
 revisionHistoryLimit: 10
 # -- Add extra labels to all services
 serviceLabels: {}
+ # -- Disable the creation of Kubernetes secrets objects
+ disableKubernetesSecrets: false
+ # -- Set the value of the REDIS_CACHE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled
+ redisCacheEndpoint: ""
+ # -- Set the value of the REDIS_STORE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled
+ redisStoreEndpoint: ""
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
@@ -893,6 +899,8 @@ prometheus:
 name: "prometheus"
 # -- Enable RBAC for `prometheus`
 privileged: true
+ # -- Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation
+ createRoleBinding: true
 # -- Resource requests & limits for the `prometheus` container,
 # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
 # Prometheus is relied upon to monitor services for sending alerts to site admins when
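Review bot: The comment on `disableKubernetesSecrets` only says that Secret objects are not created, but the templates in this commit also stop injecting the env vars that `sourcegraph.databaseAuth` emits for the PG, CODEINTEL_PG, CODEINSIGHTS_PG and GRAFANA_PGSQL_ prefixes into the migrator, frontend and grafana containers when it is true, so those variables must then come from somewhere else. I would say so in the comment: `# -- Do not create Kubernetes Secret objects. When true, database and Redis credentials are no longer wired in via secretKeyRef and must be supplied by other means (external secrets tooling, extra env entries); the Redis existingSecret settings are ignored`. The same wording belongs in the README row for `sourcegraph.disableKubernetesSecrets`.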
@@ -1258,7 +1266,7 @@ worker:
 # -- Additional resources to include in the rendered manifest. Templates are supported.
 extraResources: []
-# -- Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
+# -- Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
 # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)
 # Sample class definition:
 # - name: gitserver-class
From cfdc6e38b32e50c51feb421e41077ce36d1fd39c Mon Sep 17 00:00:00 2001
From: Marc LeBlanc
Date: Thu, 2 Oct 2025 19:30:16 -0600
Subject: [PATCH 2/4] Adding validation
---
 charts/sourcegraph/README.md | 4 ++--
 charts/sourcegraph/values.yaml | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index 79facde0..010018e2 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
@@ -315,8 +315,8 @@ In addition to the documented values, all services also support the following va
 | sourcegraph.nodeSelector | object | `{}` | Global NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
-| sourcegraph.redisCacheEndpoint | string | `""` | Set the value of the REDIS_CACHE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled |
-| sourcegraph.redisStoreEndpoint | string | `""` | Set the value of the REDIS_STORE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled |
+| sourcegraph.redisCacheEndpoint | string | `""` | If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-cache:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_CACHE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker) |
+| sourcegraph.redisStoreEndpoint | string | `""` | If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-store:6379".
If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_STORE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker) |
 | sourcegraph.revisionHistoryLimit | int | `10` | Global deployment clean up policy, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
 | sourcegraph.serviceLabels | object | `{}` | Add extra labels to all services |
 | sourcegraph.tolerations | list | `[]` | Global Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
index b13047c6..8e8c93da 100644
--- a/charts/sourcegraph/values.yaml
+++ b/charts/sourcegraph/values.yaml
@@ -40,10 +40,12 @@ sourcegraph:
 serviceLabels: {}
 # -- Disable the creation of Kubernetes secrets objects
 disableKubernetesSecrets: false
- # -- Set the value of the REDIS_CACHE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled
+ # -- If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-cache:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_CACHE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker)
 redisCacheEndpoint: ""
- # -- Set the value of the REDIS_STORE_ENDPOINT environment variable on the needed containers, when Kubernetes secrets are disabled
+ # redisCacheEndpoint: redis-cache:6379
+ # -- If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-store:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_STORE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker)
 redisStoreEndpoint: ""
+ # redisStoreEndpoint: redis-store:6379
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
From 776f4ac2b962bacfbe08377241eee2f6a5af0fc7 Mon Sep 17 00:00:00 2001
From: Marc LeBlanc
Date: Thu, 2 Oct 2025 21:48:46 -0600
Subject: [PATCH 3/4] Remove duplicate configs, just fall back to existing default configs, but fed in as env vars instead of secrets
---
 charts/sourcegraph/README.md | 2 --
 charts/sourcegraph/templates/_helpers.tpl | 4 ++--
 charts/sourcegraph/values.yaml | 6 ------
 3 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index 010018e2..5e917aa7 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
@@ -315,8 +315,6 @@ In addition to the documented values, all services also support the following va
 | sourcegraph.nodeSelector | object | `{}` | Global NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
-| sourcegraph.redisCacheEndpoint | string | `""` | If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-cache:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_CACHE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker) |
-| sourcegraph.redisStoreEndpoint | string | `""` | If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-store:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_STORE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker) |
 | sourcegraph.revisionHistoryLimit | int | `10` | Global deployment clean up policy, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
 | sourcegraph.serviceLabels | object | `{}` | Add extra labels to all services |
 | sourcegraph.tolerations | list | `[]` | Global Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl
index 71cf7812..d2cefc69 100644
--- a/charts/sourcegraph/templates/_helpers.tpl
+++ b/charts/sourcegraph/templates/_helpers.tpl
@@ -251,9 +251,9 @@ app.kubernetes.io/name: jaeger
 {{- define "sourcegraph.redisConnection" -}}
 {{- if .Values.sourcegraph.disableKubernetesSecrets -}}
 - name: REDIS_CACHE_ENDPOINT
- value: {{ .Values.sourcegraph.redisCacheEndpoint }}
+ value: {{ .Values.redisCache.connection.endpoint }}
 - name: REDIS_STORE_ENDPOINT
- value: {{ .Values.sourcegraph.redisStoreEndpoint }}
+ value: {{ .Values.redisStore.connection.endpoint }}
 {{- else -}}
 - name: REDIS_CACHE_ENDPOINT
 valueFrom:
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
index 8e8c93da..84bfb841 100644
--- a/charts/sourcegraph/values.yaml
+++ b/charts/sourcegraph/values.yaml
@@ -40,12 +40,6 @@ sourcegraph:
 serviceLabels: {}
 # -- Disable the creation of Kubernetes secrets objects
 disableKubernetesSecrets: false
- # -- If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-cache:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_CACHE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker)
- redisCacheEndpoint: ""
- # redisCacheEndpoint: redis-cache:6379
- # -- If disabling Kubernetes secrets, and using our bundled Redis containers where this endpoint string does not contain a secret, then set this to "redis-store:6379". If disabling Kubernetes secrets, and using an external Redis service where this endpoint string contains a secret, then set this to "", and inject the REDIS_STORE_ENDPOINT environment variable on the needed pods (frontend, gitserver, searcher, and worker)
- redisStoreEndpoint: ""
- # redisStoreEndpoint: redis-store:6379
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
From 1654d57e03b7757e9253982cf5a534a9da15408e Mon Sep 17 00:00:00 2001
From: Marc LeBlanc
Date: Thu, 2 Oct 2025 22:22:34 -0600
Subject: [PATCH 4/4] Provide the option to not define REDIS_CACHE_ENDPOINT or REDIS_STORE_ENDPOINT env vars at all, if they're not using k8s secrets, and need to inject custom endpoints (ex. external Redis, with creds in endpoint string) as env vars by their own external means
---
 charts/sourcegraph/templates/_helpers.tpl | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl
index d2cefc69..caf8f0b5 100644
--- a/charts/sourcegraph/templates/_helpers.tpl
+++ b/charts/sourcegraph/templates/_helpers.tpl
@@ -248,12 +248,24 @@ app.kubernetes.io/name: jaeger
 value: "localhost:$(DATA_SOURCE_PORT)/$(DATA_SOURCE_DB)?sslmode=disable"
 {{- end }}
+{{/*
+Set redisCache and redisStore endpoints
+So that customers can configure them any of these ways:
+1. Create a new Kubernetes secret, with default values (default, no override config required)
+2. Use an existing Kubernetes secret, by configuring .Values.redisCache.connection.existingSecret
+3. Do not create or use Kubernetes secrets, just pass the default values directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true
+4. Do not create or use Kubernetes secrets, but pass custom values (ex. external Redis) directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true, .Values.redisCache.connection.endpoint = "", .Values.redisStore.connection.endpoint = "", and defining the REDIS_CACHE_ENDPOINT and REDIS_STORE_ENDPOINT env vars on frontend, gitserver, searcher, and worker pods
+*/}}
 {{- define "sourcegraph.redisConnection" -}}
 {{- if .Values.sourcegraph.disableKubernetesSecrets -}}
+{{- if .Values.redisCache.connection.endpoint -}}
 - name: REDIS_CACHE_ENDPOINT
 value: {{ .Values.redisCache.connection.endpoint }}
+{{- end -}}
+{{- if .Values.redisStore.connection.endpoint -}}
 - name: REDIS_STORE_ENDPOINT
 value: {{ .Values.redisStore.connection.endpoint }}
+{{- end -}}
 {{- else -}}
 - name: REDIS_CACHE_ENDPOINT
 valueFrom:
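Review bot: With both endpoints set the two env entries are glued onto one line: the newline after `value: {{ .Values.redisCache.connection.endpoint }}` is eaten by the following `{{- end -}}`, and the `-}}` on `{{- if .Values.redisStore.connection.endpoint -}}` eats the one before `- name: REDIS_STORE_ENDPOINT`, so the rendered YAML reads `value: redis-cache:6379- name: REDIS_STORE_ENDPOINT` (constructed example) and REDIS_STORE_ENDPOINT disappears while REDIS_CACHE_ENDPOINT gets a corrupted value. Dropping the right-hand trims on the two inner `if`/`end` pairs keeps every item on its own line; the leading newline this produces is harmless where callers include the helper through `nindent`, as the other env helpers in this chart appear to be used. While rewriting those lines I would also pipe each endpoint through `quote`, so that a value YAML would otherwise type as a number or boolean still arrives as the string `env[].value` requires.
```yaml
{{- define "sourcegraph.redisConnection" -}}
{{- if .Values.sourcegraph.disableKubernetesSecrets -}}
{{- if .Values.redisCache.connection.endpoint }}
- name: REDIS_CACHE_ENDPOINT
  value: {{ .Values.redisCache.connection.endpoint | quote }}
{{- end }}
{{- if .Values.redisStore.connection.endpoint }}
- name: REDIS_STORE_ENDPOINT
  value: {{ .Values.redisStore.connection.endpoint | quote }}
{{- end }}
{{- else -}}
{{/* … unchanged: secretKeyRef branch … */}}
```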