Add support for deploying without using Kubernetes secrets

charts/sourcegraph/README.md

@@ -249,8 +249,9 @@ In addition to the documented values, all services also support the following va
 | preciseCodeIntel.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `precise-code-intel-worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | preciseCodeIntel.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `precise-code-intel-worker` |
 | preciseCodeIntel.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
-| priorityClasses | list | `[]` | Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class   value: 100   preemptionPolicy: Never   description: "gitserver priority class" |
+| priorityClasses | list | `[]` | Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class   value: 100   preemptionPolicy: Never   description: "gitserver priority class" |
 | prometheus.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":false,"runAsGroup":100,"runAsUser":100}` | Security context for the `prometheus` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
+| prometheus.createRoleBinding | bool | `true` | Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation |
 | prometheus.enabled | bool | `true` | Enable `prometheus` (recommended) |
 | prometheus.existingConfig | string | `""` | Name of existing ConfigMap for `pgsql`. It must contain a `prometheus.yml` key |
 | prometheus.image.defaultTag | string | `"6.0.0@sha256:86a315720fd9813d9ef9746d92e637bc20cd9ebd90da78d8cc6906062252891f"` | Docker image tag for the `prometheus` image |
@@ -302,6 +303,7 @@ In addition to the documented values, all services also support the following va
 | searcher.storageSize | string | `"26Gi"` | Size of the PVC for searcher pods to store cache data |
 | sgTestConnection | object | `{"enabled":true}` | Enable the busybox connection test after deployment |
 | sourcegraph.affinity | object | `{}` | Global Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| sourcegraph.disableKubernetesSecrets | bool | `false` | Disable the creation of Kubernetes secrets objects |
 | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
 | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
 | sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix |

charts/sourcegraph/templates/_helpers.tpl

@@ -45,7 +45,7 @@ For top-level services, pass in the top-level values:
 {{ include "sourcegraph.serviceAccountName" (list . "frontend") }}
 
 frontend:
-  serivceAccount:
+  serviceAccount:
     create: false
 
 For nested services, pass in the nested values:
@@ -248,7 +248,25 @@ app.kubernetes.io/name: jaeger
   value: "localhost:$(DATA_SOURCE_PORT)/$(DATA_SOURCE_DB)?sslmode=disable"
 {{- end }}
 
+{{/*
+Set redisCache and redisStore endpoints
+So that customers can configure them any of these ways:
+1. Create a new Kubernetes secret, with default values (default, no override config required)
+2. Use an existing Kubernetes secret, by configuring .Values.redisCache.connection.existingSecret
+3. Do not create or use Kubernetes secrets, just pass the default values directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true
+4. Do not create or use Kubernetes secrets, but pass custom values (ex. external Redis) directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true, .Values.redisCache.connection.endpoint = "", .Values.redisStore.connection.endpoint = "", and defining the REDIS_CACHE_ENDPOINT and REDIS_STORE_ENDPOINT env vars on frontend, gitserver, searcher, and worker pods
+*/}}
 {{- define "sourcegraph.redisConnection" -}}
+{{- if .Values.sourcegraph.disableKubernetesSecrets -}}
+{{- if .Values.redisCache.connection.endpoint -}}
+- name: REDIS_CACHE_ENDPOINT
+  value: {{ .Values.redisCache.connection.endpoint }}
+{{- end -}}
+{{- if .Values.redisStore.connection.endpoint -}}
+- name: REDIS_STORE_ENDPOINT
+  value: {{ .Values.redisStore.connection.endpoint }}
+{{- end -}}
+{{- else -}}
 - name: REDIS_CACHE_ENDPOINT
   valueFrom:
     secretKeyRef:
@@ -259,7 +277,8 @@ app.kubernetes.io/name: jaeger
     secretKeyRef:
       key: endpoint
       name: {{ default .Values.redisStore.name .Values.redisStore.connection.existingSecret }}
-{{- end }}
+{{- end -}}
+{{- end -}}
 
 {{- define "sourcegraph.authChecksum" -}}
 {{- $checksum := list .Values.codeInsightsDB.auth -}}

charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.codeInsightsDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeInsightsDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.codeIntelDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeIntelDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml

@@ -52,9 +52,12 @@ spec:
       - name: migrator
         image: {{ include "sourcegraph.image" (list . "migrator") }}
         imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+        {{- if .Values.migrator.command }}
+        command: {{ .Values.migrator.command }}
+        {{- end }}
         args: {{- default (list "up") .Values.migrator.args | toYaml | nindent 8 }}
         env:
-        {{- if not .Values.migrator.databaseAuthOverrideEnvVars }}
+        {{- if and (not .Values.migrator.databaseAuthOverrideEnvVars) (not .Values.sourcegraph.disableKubernetesSecrets) }}
         {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
         {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
         {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
@@ -78,11 +81,16 @@ spec:
       - name: frontend
         image: {{ include "sourcegraph.image" (list . "frontend") }}
         imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+        {{- if .Values.frontend.command }}
+        command: {{ .Values.frontend.command }}
+        {{- end }}
         args: {{- default (list "serve") .Values.frontend.args | toYaml | nindent 8 }}
         env:
+        {{- if not .Values.sourcegraph.disableKubernetesSecrets }}
         {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
         {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
         {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
+        {{- end }}
         {{- range $name, $item := .Values.frontend.env}}
         - name: {{ $name }}
           {{- $item | toYaml | nindent 10 }}

charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml

@@ -52,7 +52,9 @@ spec:
         {{- end }}
         terminationMessagePolicy: FallbackToLogsOnError
         env:
+        {{- if not .Values.sourcegraph.disableKubernetesSecrets -}}
         {{- include "sourcegraph.databaseAuth" (list . "grafana" "GRAFANA_PGSQL_") | nindent 8 }}
+        {{- end -}}
         {{- range $name, $item := .Values.grafana.env}}
         - name: {{ $name }}
           {{- $item | toYaml | nindent 10 }}

charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) .Values.grafana.auth (not .Values.grafana.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.pgsql.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.pgsql.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.privileged -}}
+{{- if and .Values.prometheus.enabled .Values.prometheus.privileged .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) -}}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

charts/sourcegraph/templates/redis/redis-cache.Secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.redisCache.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisCache.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/sourcegraph/templates/redis/redis-store.Secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.redisStore.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisStore.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/sourcegraph/values.yaml

@@ -38,6 +38,8 @@ sourcegraph:
   revisionHistoryLimit: 10
   # -- Add extra labels to all services
   serviceLabels: {}
+  # -- Disable the creation of Kubernetes secrets objects
+  disableKubernetesSecrets: false
 
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
@@ -893,6 +895,8 @@ prometheus:
   name: "prometheus"
   # -- Enable RBAC for `prometheus`
   privileged: true
+  # -- Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation
+  createRoleBinding: true
   # -- Resource requests & limits for the `prometheus` container,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
   # Prometheus is relied upon to monitor services for sending alerts to site admins when
@@ -1258,7 +1262,7 @@ worker:
 # -- Additional resources to include in the rendered manifest. Templates are supported.
 extraResources: []
 
-# -- Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
+# -- Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class.
 # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)
 # Sample class definition:
 # - name: gitserver-class